CEH v11 Study Notes
Source: https://github.com/undergroundwires/CEH-in-bullet-points

Module 01: Introduction

- ICT: information and communication technology
- InfoWar (information warfare) includes:
  - C2 warfare
  - intelligence-based warfare
  - electronic warfare
  - psyops
  - hacker warfare
  - economic warfare
  - cyberwarfare
  - defensive vs. offensive infowar
- Cyber Kill Chain: recon, weaponization, delivery, exploitation, installation, C2, actions on objectives
- Adversary behavioral identification: internal recon, PowerShell, proxy activities, command line interface, HTTP user agent, C2, DNS tunneling, web shell, data staging
- IOC types: atom indicator, computed indicator, behavioral indicator
- IOC categories: email, network, host-based, behavioral
- Information Assurance (IA)
- Information Risk Management (IRM): Level of Risk = consequence x likelihood
- Incident handling: preparation; incident recording and assignment; triage; notification; containment; evidence gathering and forensics; eradication; recovery; post-incident activities
- Vulnerability management lifecycle: discover, prioritize, assess, report, remediate, verify

Module 02: Footprinting and Reconnaissance

- Netcraft: finding subdomains and website footprinting
- TheHarvester: finding LinkedIn information
- BuzzSumo: social media sites
- Infoga: email data from public sources
- Netcraft: type of web server
- ZoomInfo: public information about companies and employees
- Factiva: news aggregation and archiving
- InstantRecon: uses Shodan to find open-port info
- Bluto: DNS enumeration, uses the Alexa Top 1 Million
- dnsenum: DNS enumeration tool written as a Perl script
- SubBrute: DNS enumerator that recursively crawls DNS records
- Firewall bypass tools:
  - Super Network Tunnel: HTTP, port 80
  - NSTX: DNS, port 53
  - Bitvise: SSH, port 23
  - Loki: ICMP

Module 03: Scanning Networks

nbtstat
- nbtstat -a <hostname>, nbtstat -A <IP address>
- NetBIOS codes:

  Code  Type    Description
  <00>  Unique  Host name
  <00>  Group   Domain name
  <03>  Unique  Messenger service
  <1B>  Unique  Domain master browser (PDC)
  <1C>  Group   Domain controller
  <1D>  Group   Master browser
  <20>          Server service

nmap options
- -A: aggressive scan
- -PA: TCP ACK ping scan
- -PU: UDP ping scan
- -PR: ARP ping scan
- -PS: TCP SYN ping scan
- -PE: ICMP echo ping scan
- -PP: ICMP timestamp ping
- -PM: ICMP address mask ping
- -sC: enable the Nmap Scripting Engine for advanced discovery
- -sI: idle scan
- -sF: FIN scan
- -sM: Maimon scan (FIN/ACK)
- -sn: ping scan (ICMP)
- -sN: null scan (no flags set)
- -sS: stealth (SYN) scan, half-open (hides from logs)
- -sT: TCP connect, full-open scan (checks all ports, leaves tracks)
- -sX: Xmas or inverse TCP flag scan, sets the FIN, PSH and URG flags
- -O: operating system discovery
- -6 -O: OS discovery with IPv6 fingerprinting
- --script smb-os-discovery.nse: OS discovery
- NSE scripts:
  - enip-info: device type, vendor ID, serial number, IP address
  - smb-os-discovery: OS, machine name, domain name, NetBIOS name, workgroup, system time
  - netbus-info: connects to a NetBus server for applications, user ID, password, email address

SNMP MIBs
- WINS.MIB: Windows WINS info
- HOSTMIB.MIB: hosts on the network
- MIB_II.MIB: TCP/IP information about network hosts
- LMMIB2.MIB: workstation and server services and SNMP config

Bash files
- .bash_profile: commands and environment variables
- .bash_logout: config commands run on logout
- .bashrc: automatic config on loading bash
- .bash_history: short history of recent commands

LDAP browsing tools
- JXplorer: Java
- Luma: Python (Linux)
- Gawor's LDAP: Java
- Coral Directory: Windows

hping commands (pages 267 to 269)
- hping3 -1 10.0.0.25: ICMP ping scan
- hping3 -A 10.0.0.25 -p 80: ACK scan on port 80
- hping3 -2 10.0.0.25 -p 80: UDP scan on port 80

Scanning tools: nmap, hping3, Metasploit, Unicornscan, SolarWinds Port Scanner, PRTG Network Monitor, OmniPeek Network Protocol Analyzer
Mobile scanners: IP Scanner (iOS), Fing (iOS and Android), Network Scanner (Android)

Host discovery
- ARP ping scan
- UDP ping scan
- ICMP ping scan: ICMP echo ping (nmap -PE), ICMP echo ping sweep, ICMP timestamp ping (for stateful firewalls; nmap -PP), ICMP address mask ping (nmap -PM)
- TCP ping scan: TCP SYN (-PS), TCP ACK (-PA)
- IP protocol scan
- Ping sweep tools: Angry IP Scanner, SolarWinds Engineer's Toolset, Colasoft Ping Tool, Visual Ping Tester

Port and service discovery

OS discovery and banner grabbing
- nmap -O: operating system discovery
- nmap -6 -O: OS discovery with IPv6 fingerprinting
- Direct TTL probes: used when the attacker is on a different subnet from the victim

Module 04: Enumeration

Module 05: Vulnerability Analysis

Module 06: System Hacking

Filtered by a stateful firewall: ACK scan (-sA) responses
- no reply: filtered (closed)
- ICMP error: filtered (closed)
- RST: unfiltered (open)

Ports
- Port 48101: Mirai, used by infected IoT devices to find others to infect
- Ports 989/990: FTPS, provides a TLS-encrypted link

Docker commands
- dockerd: Docker daemon, processes API requests
- docker client: provides a CLI to issue commands
- docker run: starts a container
- docker build: builds a new image from a Dockerfile
- docker images: lists all local images
- docker pull: pulls an image from a registry
- docker push: pushes an image to a registry
- docker search: searches Docker Hub for an image
- docker tag: assigns a tag to an existing image

Container technology architecture
- Developer systems: images are created and sent for testing
- Testing and accreditation systems: images are tested and sent to the registry
- Registries: images are stored and distributed to the orchestrator
- Orchestrators: images are converted to containers and deployed to hosts
- Hosts: containers are run or stopped by the orchestrator

PHP errors (php.ini)
- error_log: determines the path and file name of the log
- log_errors: determines whether error messages are written to a log file
- display_errors: display errors in the browser
- error_reporting: determines which errors to report

iPhone jailbreaking
- Tethered: jailbroken once only; the attacker needs to redo the jailbreak; will reboot normally
- Semi-tethered: remains jailbroken but requires connecting to a computer for jailbreak extensions
- Semi-untethered: boots normally, but the jailbreak persists over many reboots via a sideloaded app
- Untethered: permanently jailbroken for every reboot

Vulnerability assessment solutions
- Service-based: mimics the attacker's perspective; multi-vendor solution managed by a third party
- Product-based: single-vendor solution, locally managed

Vulnerability assessment technologies
- Tree-based: use lists of vulnerabilities and test for everything
- Inference-based: use intelligence gathering to determine which tests to run against each host
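As an added example (not from these notes or the linked repository), a small Python check for the four php.ini error-handling directives listed under "PHP errors": it parses a php.ini fragment and flags the combination that exposes error details to clients while leaving nothing in a server-side log. Both fragments, the helper names parse_ini and audit_error_handling, and the log path are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed php.ini fragments (not from a real server): a development-style
# setup that leaks errors to clients, and its hardened form. Paths are placeholders.
LEAKY_PHP_INI = """
display_errors = On   ; error text (paths, queries) is sent to the client
log_errors = Off
error_reporting = E_ALL
"""
HARDENED_PHP_INI = """
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
"""

def parse_ini(text: str) -> Dict[str, str]:
    """directive -> value for `key = value` lines; ';' comments and [section]
    headers are skipped, directive names are lower-cased."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*=\s*(.*)$", line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip().strip('"')
    return cfg

def audit_error_handling(text: str) -> List[str]:
    """One finding per directive that shows error details to clients or leaves
    errors unrecorded; an empty list means production-safe settings."""
    cfg = parse_ini(text)
    findings: List[str] = []
    disp = cfg.get("display_errors", "").lower()
    if disp == "":
        findings.append("display_errors not set: set it to Off explicitly")
    elif disp not in ("off", "0", "false", "no", "stderr"):
        findings.append(f"display_errors={cfg['display_errors']}: "
                        "error details are returned to the client")
    if cfg.get("log_errors", "").lower() not in ("on", "1", "true", "yes"):
        findings.append("log_errors is Off or unset: errors are never logged")
    if not cfg.get("error_log"):
        findings.append("error_log not set: errors fall through to the SAPI log")
    if cfg.get("error_reporting", "").strip() in ("", "0"):
        findings.append("error_reporting unset or 0: nothing is reported")
    return findings
```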