CEH V12
Good to know
CEH v12 Training Modules
Module 1: Introduction to Ethical Hacking
Module 2: Footprinting and Reconnaissance
Module 3: Scanning Networks
Module 4: Enumeration
Module 5: Vulnerability Analysis
Module 6: System Hacking
Module 7: Malware Threats
Module 8: Sniffing
Module 9: Social Engineering
Module 10: Denial of Service
Module 11: Session Hijacking
Module 12: Evading IDS, Firewalls, and Honeypots
Module 13: Hacking Web Servers
Module 14: Hacking Web Applications
Module 15: SQL Injection
Module 16: Hacking Wireless Networks
Module 17: Hacking Mobile Platforms
Module 18: IoT and OT Hacking
Module 19: Cloud Computing
Module 20: Cryptography
Tools
- Sites like netcraft.com list website details along with their subdomains; peekyou.com searches for people.
- theHarvester: searches for subdomains, emails, links etc. in the specified search engine. Usage: theHarvester -d Microsoft -l 100 -b baidu (searches for all Microsoft information in the Baidu search portal and lists the top 100 results).
- Sherlock: finds all websites on which the specified name exists as a username. Usage: python3 sherlock username (searches for the username across public sites).
- Web Data Extractor and WinHTTrack are Windows programs for mirroring a website and getting its directory structure, links etc.
- Photon: pulls internal URLs, external URLs and file URLs for a website. Usage: python3 photon -u http://www.google.com
- grecon: collects subdomains, login pages, directory listings, documents and WordPress entries. Usage: python3 grecon.py (runs and prompts you to enter the website).
- CeWL: generates unique words from the website you enter. Usage: cewl -d 2 -m 5 https://www.google.com and press Enter. Note: -d is the depth to spider the website (here, 2) and -m is the minimum word length (here, 5).
- dnsrecon.py: reverse lookup using an IP address range. Usage: dnsrecon.py -r IPAddrRange
- Recon-ng: performs network discovery, reconnaissance, exploitation etc. by loading the required modules. Workflow: create a workspace, install all modules, "modules search modulename", "modules load modulepath", "run".
- Maltego: graphical mapping of a website, its subdomains, employees, DNS lookups etc.
- Domainfy: OSRFramework tool for gathering domains, usernames, DNS lookups, deep web search and more. Usage: domainfy -n techwithchay -t all
- Searchfy: searches for usernames. Usage: searchfy -q "Tim cook"
- A few other OSRFramework tools:
  - usufy: gathers registered accounts for given usernames.
  - mailfy: gathers information about email accounts.
  - phonefy: checks for the existence of a given series of phones.
  - entify: extracts entities using regular expressions from provided URLs.
- FOCA (Fingerprinting Organizations with Collected Archives): reveals metadata and hidden information in scanned documents.
- BillCypher: provides a list of options such as DNS, IP, reverse lookup, subdomains, geo IP, email, admin login page and more; collects website or IP address details. Usage: python3 billcypher.py
- OSINT Framework website.
- SX Tool: used to perform ARP scans, ICMP scans, TCP SYN scans, UDP scans and application scans such as SOCKS5 scan, Docker scan and Elasticsearch scan.
- ping -j router1IP router2IP router3IP TargetIP: source routing.
- hping3 -S 192.168.80.4 -a 7.7.7.7: IP address spoofing. hping3 -A targetIP: sends ARP packets.
- MegaPing, NetScanTools Pro: port scanner software.
- nmap: network mapper.
- Angry IP Scanner: scans one server or a range of servers for open ports.
- MetaPing: system scanner for ports and more.
- hping3, Wireshark.
- OS detection: nmap -O and nmap --script=smb-os-discovery (Linux), and nmap --script smb-os-discovery (Zenmap and the Windows command line).
- Unicorn.
- Colasoft Packet Builder: used for creating custom TCP packets.
- Metasploit scanning: create a database, run nmap commands, save that data to the DB and import it in the required format.
- nbtstat: views local and remote NetBIOS information. -a is for a remote machine's NetBIOS information and -c is for the local machine's cache.
- NetBIOS Enumerator: Windows software to enumerate NetBIOS information.
- nmap script nbstat.nse: NetBIOS enumeration.
- Global Network Inventory and Advanced IP Scanner: Windows tools for NetBIOS enumeration.
- snmp-check TargetIP: if SNMP port 161 is open, retrieves ports, services, file system info, device information etc. from within the system.
- SoftPerfect IP Scanner: Windows tool for retrieving system information using SNMP.
- PsTools: psgetsid and psloggedon.
- net view: viewing shares on local and remote machines.
- snmpwalk and snmpget: tools to get system info using SNMP. Usage: snmpwalk -v1 -c public targetip or snmpwalk -v2c -c public targetip
- AD Explorer: Windows Sysinternals tool for retrieving AD information.
- LDAP nmap script: nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=lab,dc=com"' TargetIP
- ldapsearch: Linux command-line tool for retrieving LDAP information.
- rpc-scan.py: Linux tool for scanning a remote machine for shares (NFS enumeration). Usage: python3 rpc-scan.py TargetIP --rpc
- SuperEnum: Linux tool for scanning remote machines for shares (NFS enumeration). Create a text file with your target machines' IP addresses and run superenum; when prompted, enter the text file name.
- DNS zone transfer: dig and nslookup.
- NetScanTools Pro: SMB and RPC enumeration.
- SMTP: telnet to the SMTP server and run the VRFY, EXPN and RCPT TO commands.
- dnsrecon: DNS zone walking. Usage: dnsrecon -d www.domain.com -z (enumerates DNS zones).
- Enum4linux: enumerates OS-specific information from Windows and Samba machines.
- OpenVAS and Nessus: software for performing vulnerability scans on Windows and Linux machines.
- nikto -h https://www.domain.com -Tuning x: scans the website. You can also use the -Cgidirs all parameter to include all CGI directories in the output: nikto -h https://www.domain.com -Cgidirs all
- Responder.py -I NetworkInterfaceName (e.g. Responder.py -I ens33): responds to NetBIOS Name Server requests and LLMNR requests on the network.
- L0phtCrack: password cracking software for Windows (GUI).
- John the Ripper: password cracking utility in Linux.
- Privilege escalation (Metasploit): beRoot.exe, seatbelt.exe.
- Dump hashes: smart_hashdump.
- Bypass UAC: bypassuac_fodhelper.
- idletime: displays the amount of time the user has been idle on the remote machine.
- Meterpreter: keyscan_start captures keys after exploitation; keyscan_dump views the keystrokes the user typed.
- Whitespace steganography, image steganography (OpenStego) and document steganography (StegoStick) are some of the Windows steganography tools.
- cipher /w:DriveLetter: (e.g. cipher /w:C:) wipes the unused space on the C drive.
- Cain password cracker utility: Windows GUI for resolving hashes to passwords.
- Beast and njRAT are software for remotely connecting to other Windows machines and hacking them remotely.
- Internet Worm Maker Thing is an open source tool for creating worms.
- netstat -anb: shows a list of ports with their associated programs. TCPView, CurrPorts and netstat are for viewing ports and their details.
- macof: Linux tool for MAC flooding switches by flooding the switch with random MAC and IP addresses, so the switch acts as a hub.
- Yersinia: Linux tool for DHCP starvation attacks; it sends multiple requests to DHCP servers for IP addresses.
- arpspoof, Habu, Ettercap and Bettercap are some of the tools for ARP poisoning.
- OmniPeek Network Analyzer analyzes packets and gives a detailed analysis of them.
- High Orbit Ion Cannon (HOIC) and Low Orbit Ion Cannon (LOIC) are tools for performing DDoS attacks. Raven-Storm (rst) is one of the tools for detecting DDoS attacks.
- DirBuster: Linux software for brute-forcing directories using a wordlist; it checks whether each request gets a 200 response code, which means the directory exists on the web server. It helps find hidden content by trying many combinations of common directory and file names. Dirhunt is a similar Linux tool.
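The 200-versus-404 logic described above is also what makes a wordlist scan easy to spot on the defending side: one client requests many distinct paths in a short time and almost all of them fail. The following script is an added example, not part of these notes or of DirBuster itself; it parses constructed Apache/nginx-style access log lines, groups requests by client IP and flags clients whose traffic fits that pattern, listing the probed paths that did exist so a defender knows what was found. The IPs, paths and thresholds are made up for the demo.

```python
# Added example (not from the original notes): detecting directory
# brute-forcing in web server access logs. DirBuster-style tools request
# many candidate paths in quick succession and mostly receive 404s, with the
# occasional 200/403 for paths that exist. This script flags clients that
# fit that pattern. All log lines below are constructed for the demo.
import re
from collections import defaultdict

# Apache/nginx "common" log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(lines, min_requests=20, min_404_ratio=0.8):
    """Group requests by client IP and flag IPs whose traffic looks like a wordlist scan.

    A client is flagged when it made at least min_requests requests and at least
    min_404_ratio of them returned 404. Thresholds are illustrative assumptions.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "hits": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the report
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] == 404:
            s["not_found"] += 1
        elif rec["status"] in (200, 301, 302, 403):
            s["hits"].add(rec["path"])  # probed paths that exist: worth reviewing
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["not_found"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= min_404_ratio:
            flagged[ip] = {
                "requests": s["requests"],
                "distinct_paths": len(s["paths"]),
                "not_found_ratio": round(ratio, 2),
                "found_paths": sorted(s["hits"]),
            }
    return flagged


# Constructed wordlist standing in for the kind of list a scanner would use.
WORDLIST = ["admin", "backup", "config", "db", "dev", "images", "include", "js",
            "logs", "old", "private", "secret", "test", "tmp", "upload", "uploads",
            "vendor", "wp-admin", "api", "cgi-bin", "phpmyadmin", "staging"]


def build_sample_log():
    """Constructed sample: one scanner (203.0.113.7) and one ordinary visitor (198.51.100.20)."""
    lines = []
    for i, word in enumerate(WORDLIST):
        status = 200 if word in ("admin", "uploads") else 404
        lines.append(
            f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] '
            f'"GET /{word}/ HTTP/1.1" {status} {0 if status == 404 else 512}'
        )
    for i, path in enumerate(["/", "/about", "/contact", "/about"]):
        lines.append(
            f'198.51.100.20 - - [10/Oct/2023:13:56:{i:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 1024'
        )
    lines.append("this line is garbage and should be skipped")
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforcers(build_sample_log()).items():
        print(ip, info)
```

Only the scanner is reported: it made 22 requests of which 20 returned 404, and the report lists /admin/ and /uploads/ as the paths it found. Raising min_requests or lowering the ratio tunes sensitivity; in production the same grouping would be done per time window rather than over a whole file.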
- Brutus: software to brute-force web server passwords from a list of usernames and passwords.
- Using tools like wafw00f, we can determine whether a website has a WAF. Nmap also has WAF detection scripts.
- dig and lbd: tools used to determine the load balancers for a website.
- Use tools such as Netcraft (https://www.netcraft.com), SmartWhois (https://www.tamos.com), WHOIS Lookup (https://whois.domaintools.com) and Batch IP Converter (http://www.sabsoft.com) to perform the Whois lookup.
- Use tools such as DNSRecon (https://github.com), DNS Records (https://network-tools.com) and Domain Dossier (https://centralops.net) to perform DNS interrogation.
- PwnXSS: open source XSS scanner to detect XSS vulnerabilities in websites.
- DVWA (Damn Vulnerable Web Application): vulnerable web app where security professionals can practice their hacking skills.
- sqlmap: open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities in web applications.
- Mole: SQL injection detection and exploitation tool; it automates the process of identifying and exploiting SQL injection vulnerabilities in web applications.
- Damn Small SQLi Scanner (DSSS): fully functional SQL injection vulnerability scanner that supports GET and POST parameters and scans web applications for various SQL injection vulnerabilities. Usage: python3 dsss.py -u "http://example.com" --cookie="sessionid=xxxx"
- OWASP ZAP, Bettercap, Hetty, Burp Suite, netool toolkit, websploit, sslstrip and JHijack are some of the session hijacking tools. USM Anywhere and Wireshark are tools for detecting session hijacks.
- Clickjacking: use the clickjackpoc.py file. Create a text file with your domain name and run python3 clickjackpoc.py -f filename.txt; it creates an HTML file for the domain name you added to the file.
- Snort: widely used open-source Intrusion Detection System (IDS) capable of real-time traffic analysis and packet logging on IP networks. It is highly flexible and can be used for network traffic analysis, intrusion detection and prevention.
Websites
- exploit-db.com: at the top left, click the three-line menu and choose the "Search EDB" option to get advanced search options.
- Along with exploit-db.com, you can also use other exploit sites such as VulDB (https://vuldb.com), MITRE CVE (https://cve.mitre.org), Vulners (https://vulners.com) and CIRCL CVE Search (https://cve.circl.lu) to find target system vulnerabilities.
- shodan.io
- Censys Search
- NIST Framework
- OWASP
Buffer Overflow Malware disassembly