CEH V12

Tools

  • Sites like netcraft.com list website details along with their subdomains; peekyou.com searches for people.

  • theHarvester: searches for subdomains, emails, links etc. via the specified search engine. theHarvester -d Microsoft -l 100 -b baidu (searches for all Microsoft information in the Baidu search portal and lists the top 100 results).

  • Sherlock: finds all websites on which the specified name is registered as a username. python3 sherlock username (searches for the username across public sites).

  • Web Data Extractor and WinHTTrack are Windows programs for mirroring a website and obtaining its directory structure, links etc.

  • Photon: pulls internal URLs, external URLs and file URLs for a website. python3 photon -u http://www.google.com

  • grecon: collects subdomains, login pages, directory listings, documents and WordPress entries. python3 grecon.py - this runs and prompts you to enter the website.

  • CeWL: generates a list of unique words from the website you enter. cewl -d 2 -m 5 https://www.google.com and press Enter. Note: -d is the depth to spider the website (here, 2) and -m is the minimum word length (here, 5).

  • dnsrecon.py performs reverse lookups on an IP address range: dnsrecon.py -r IPAddrRange

  • Recon-ng: perform network discovery, reconnaissance, exploitation etc. by loading the required modules. Create a workspace, install all modules, then modules search modulename, modules load modulepath, run.

  • Maltego - graphical mapping of a website, its subdomains, employees, DNS lookups etc.

  • Domainfy - OSRFramework tool for gathering domains, usernames, DNS lookups, deep web search and more. domainfy -n techwithchay -t all

  • Searchfy for searching usernames: searchfy -q "Tim cook". A few other OSRFramework tools:

    • usufy - gathers registered accounts for given usernames.

    • mailfy - gathers information about email accounts.

    • phonefy - checks for the existence of a given series of phone numbers.

    • entify - extracts entities from the provided URLs using regular expressions.

  • FOCA (Fingerprinting Organizations with Collected Archives) is a tool that reveals metadata and hidden information in scanned documents.

  • BillCipher - gives you a list of options such as DNS, IP, reverse lookup, subdomains, geo IP, email, admin login page and a lot more; collects website or IP address details. python3 billcipher.py

  • OSINT Framework website.

  • sx tool: used to perform ARP scans, ICMP scans, TCP SYN scans, UDP scans and application scans such as SOCKS5 scan, Docker scan and Elasticsearch scan.

  • ping -j router1IP router2IP router3IP TargetIP - source routing.

  • hping3 -S 192.168.80.4 -a 7.7.7.7 - IP address spoofing (SYN packets to 192.168.80.4 with the spoofed source address 7.7.7.7). hping3 -A TargetIP sends TCP ACK packets (-A sets the ACK flag).

  • MegaPing, NetScanTools Pro - Windows port scanner software.

  • nmap - network mapper.

  • Angry IP Scanner - scans one server or a range of servers for open ports.

  • MegaPing - system scanner for ports and a lot more.

  • hping3, Wireshark.

  • OS detection: nmap -O TargetIP and nmap --script=smb-os-discovery TargetIP (Linux) or nmap --script smb-os-discovery TargetIP (Zenmap and Windows command line).

  • Unicorn

  • Colasoft Packet Builder - used for creating custom TCP packets.

  • Metasploit scanning - create a database, run nmap commands, save that data to the database and import it in the expected format.

  • nbtstat is for viewing local and remote NetBIOS information: -a shows a remote machine's NetBIOS name table and -c shows the local machine's NetBIOS name cache.

  • NetBIOS Enumerator - Windows software for enumerating NetBIOS information.

  • nmap script nbstat.nse for NetBIOS enumeration.

  • Global Network Inventory and Advanced IP Scanner are Windows tools for NetBIOS enumeration.

  • snmp-check TargetIP - if SNMP port 161 is open, it retrieves ports, services, file system info, device information etc. from the system.

  • SoftPerfect IP Scanner is a Windows tool for retrieving system information using SNMP.

  • PsTools - PsGetSid and PsLoggedOn.

  • net view - viewing shares on local and remote machines.

  • snmpwalk and snmpget - tools to get system info using SNMP. snmpwalk -v1 -c public TargetIP or snmpwalk -v2c -c public TargetIP

  • AD Explorer - Windows Sysinternals tool for retrieving AD information.

  • nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=lab,dc=com"' TargetIP - LDAP nmap script.

  • ldapsearch is a Linux command-line tool for retrieving LDAP information.

  • rpc-scan.py - Linux tool for scanning a remote machine for shares (NFS enumeration). python3 rpc-scan.py TargetIP --rpc

  • SuperEnum - Linux tool for scanning remote machines for shares (NFS enumeration). Create a text file with your target machines' IP addresses and run superenum; when prompted, enter the text file name.

  • DNS zone transfer: dig and nslookup.

  • NetScanTools Pro - SMB and RPC enumeration.

  • SMTP - telnet to the SMTP server and run the VRFY, EXPN and RCPT TO commands.

  • dnsrecon - DNS zone walking: dnsrecon -d www.domain.com -z enumerates DNS zones.

  • enum4linux - enumerates OS-specific information from Windows and Samba machines.

  • OpenVAS and Nessus - software for performing vulnerability scans on Windows and Linux machines.

  • nikto -h https://www.domain.com -Tuning x performs a scan on the website. You can also use the -Cgidirs all parameter to include all CGI directories in the scan: nikto -h https://www.domain.com -Cgidirs all

  • Responder.py -I NetworkInterfaceName, e.g. Responder.py -I ens33 - responds to NetBIOS Name Service and LLMNR requests on the network.

  • L0phtCrack - Windows GUI password cracking software.

  • John the Ripper - password cracking utility in Linux.

  • Privilege escalation with Metasploit: BeRoot.exe, Seatbelt.exe.

    • Dump hashes: smart_hashdump

    • Bypass UAC: bypassuac_fodhelper

    • idletime - displays the amount of time the user has been idle on the remote machine.

  • Meterpreter: keyscan_start - capture keystrokes after exploitation. keyscan_dump - view the keystrokes the user typed.

  • Whitespace steganography, image steganography (OpenStego) and document steganography (StegoStick) are some of the Windows steganography tools.

  • cipher /w:DriveLetter: e.g. cipher /w:C: wipes (overwrites) the unused space on the C: drive.

  • Cain password cracker utility - Windows GUI for resolving hashes to passwords.

  • Beast and njRAT are programs for remotely connecting to other Windows machines and hacking them remotely.

  • Internet Worm Maker Thing is an open-source tool for creating worms.

  • netstat -anb shows the list of ports with their associated programs. TCPView, CurrPorts and netstat are for viewing ports and their details.

  • macof is a Linux tool for MAC flooding switches: it floods the switch with random MAC and IP addresses so that the switch falls back to acting as a hub.

  • Yersinia is a Linux tool for DHCP starvation attacks: it sends many requests to DHCP servers for IP addresses.

  • arpspoof, Habu, Ettercap and bettercap are some of the tools for ARP poisoning.

  • OmniPeek Network Analyzer analyzes packets and gives a detailed analysis of them.

  • High Orbit Ion Cannon (HOIC) and Low Orbit Ion Cannon (LOIC) are tools for performing DDoS attacks. Raven-Storm (rst) is one of the tools for detecting DDoS attacks.

  • DirBuster - tool for brute-forcing directories and files on web servers using a wordlist; a 200 response code means the directory exists on the web server. It helps find hidden content by trying many combinations of common directory and file names. Dirhunt is a similar Linux tool.

  • Brutus is a tool for brute-forcing web server passwords from lists of usernames and passwords.

  • Using tools like wafw00f, you can determine whether a website is behind a WAF. Nmap also has WAF detection scripts.

  • dig and lbd are used to determine whether a website uses load balancers.

  • Use tools such as Netcraft (https://www.netcraft.com), SmartWhois (https://www.tamos.com), WHOIS Lookup (https://whois.domaintools.com) and Batch IP Converter (http://www.sabsoft.com) to perform Whois lookups.

  • Use tools such as DNSRecon (https://github.com), DNS Records (https://network-tools.com) and Domain Dossier (https://centralops.net) to perform DNS interrogation.

  • PwnXSS - open-source XSS scanner for detecting XSS vulnerabilities in websites.

  • DVWA (Damn Vulnerable Web Application) - a deliberately vulnerable web app where security professionals can practice their hacking skills.

  • sqlmap - open-source penetration testing tool that automates detecting and exploiting SQL injection vulnerabilities in web applications.

  • Mole - SQL injection detection and exploitation tool that automates identifying and exploiting SQL injection vulnerabilities in web applications.

  • Damn Small SQLi Scanner (DSSS) is a fully functional SQL injection vulnerability scanner that supports GET and POST parameters and scans web applications for various SQL injection vulnerabilities. Ex: python3 dsss.py -u "http://example.com" --cookie="sessionid=xxxx"

  • OWASP ZAP, bettercap, Hetty, Burp Suite, netool toolkit, WebSploit, sslstrip and JHijack are some of the session hijacking tools. USM Anywhere and Wireshark are tools for detecting session hijacking.

  • Use the clickjackpoc.py file for clickjacking. Create a text file containing your domain name and run python3 clickjackpoc.py -f filename.txt; this creates an HTML file for the domain name listed in the file.

  • Snort: a widely used open-source Intrusion Detection System (IDS) capable of real-time traffic analysis and packet logging on IP networks. It is highly flexible and can be used for network traffic analysis, intrusion detection and prevention.

Websites

  • exploit-db.com - at the top left, click the three-line menu and choose Search EDB for advanced search options.
  • Along with exploit-db.com, you can also use other exploit sites such as VulDB (https://vuldb.com), MITRE CVE (https://cve.mitre.org), Vulners (https://vulners.com) and CIRCL CVE Search (https://cve.circl.lu) to find target system vulnerabilities.
  • shodan.io
  • Censys Search
  • NIST Framework
  • OWASP