
FM-AA-CIA-15 Rev. 01 14-October-2023

Study Guide in URD_EL3_SNA in CpE PRACTICAL HACKING

FINAL EXAM LABORATORY

PRACTICAL ETHICAL HACKING

MODULE OVERVIEW

Ethical hacking is the practice of performing security assessments using the same techniques that hackers use, but with proper approvals and authorization from the organization you're hacking into. The goal is to use cybercriminals' tactics, techniques, and strategies to locate potential weaknesses and reinforce an organization's protection from data and security breaches.
Ethical hacking, also known as penetration testing or white-hat hacking, involves assessing the security of computer systems, networks, and applications to identify vulnerabilities and weaknesses that could be exploited by malicious hackers. There are several types of assessments used in ethical hacking, each with its own focus and objectives.
Effective notetaking is a personal skill, and what works best for one person may not work for another. Experiment with different approaches, adapt to your needs, and continuously refine your note-taking process to make it as effective as possible.
An IP address is a unique numerical label assigned to devices on a network, allowing them to communicate with each other and be reached over the internet. Understanding IP addresses is fundamental to computer networking and internet communication.

MODULE LEARNING OUTCOMES


Upon completion of this module of Practical Ethical Hacking, learners should be able to:
● Develop proficient ethical hacking skills and knowledge to identify, assess, and mitigate security vulnerabilities within computer systems, networks, and applications.
● Understand and proficiently apply various types of assessment methodologies in ethical hacking.
● Develop and implement effective notetaking using different software applications.
● Develop and implement effective screenshots using the Greenshot and Flameshot applications.
● Learn the fundamental concepts of IP addresses.
● Learn the fundamental concepts of MAC addresses.


What is Ethical Hacking?


- Companies will hire you to try to hack into their organizations.
- Unlike malicious hackers, ethical hackers have the permission and approval of the organization they are hacking into.

A Pen tester’s Day to Day


● Roll out of bed.
● Perform an assessment.
● Write a report.
● Give a debrief.

Different Types of Assessment


1. External Network Assessment
o This is one of the most common types of penetration testing. These penetration tests are the most straightforward, and something that a junior could take on, work through, and build up experience and confidence with as they go through the process.
o An external pen test assesses an organization's security from the outside. External pen tests tend to be a little bit cheaper than the other pen tests.
o The methodology for external pen tests focuses heavily on what's called Open-Source Intelligence Gathering (OSINT).
o These pen tests tend to last around 32 to 40 hours.
2. Internal Network Assessment
o This is assessing an organization's security from inside the network, assuming the perimeter has somehow been breached.
o The methodology for an internal penetration test focuses heavily on Active Directory.
o Active Directory is by far the most widely used directory service. It's widely reported that 95 percent of the Fortune 100 companies use Active Directory.
o It is imperative that organizations are aware of the most common ways that attackers can compromise Active Directory, which are explained below.[1]

1) Kerberoasting
Kerberoasting attacks focus on service accounts within Active Directory by leveraging the ServicePrincipalName (SPN) property on user objects. Service providers register their Service Principal Names (SPNs) with Active Directory (AD) objects during the authentication process. Malicious actors may attempt to compromise these service accounts and modify the SPN values to their advantage, particularly if the account has privileged access. Organizations need to consistently check user objects for abnormal alterations made to SPN values, and service accounts should be safeguarded with robust passwords.

2) Password Spraying
This is the method in which the attacker uses a catalog of previously obtained passwords and their corresponding hashes to forcefully gain unauthorized access to an account. Given that the majority of authentication systems use a lockout mechanism that blocks users after repeated unsuccessful login attempts, the attacker would systematically attempt various combinations of usernames until they discover a successful match. It is advisable to ensure that staff utilize intricate passwords and, if feasible, adopt multi-factor authentication to thwart password spraying assaults. An effective approach to identifying abnormal login attempts is to implement a solution that includes a list of previously hacked passwords and their corresponding hashes.
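As an added illustration of the detection advice above (this code is not from the study guide or its cited source), the following Python flags the low-and-slow signature of a spray in constructed failed-logon records: one source address failing against many different accounts while each account fails only once or twice, which is exactly what keeps a spray under the lockout threshold. The simplified log format and the thresholds are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified "timestamp event_id user source"
# form, modelled on Windows Security events (4625 = failed logon, 4624 = success).
# Source 10.0.0.50 fails once against six different accounts within seconds (a
# spray); 10.0.0.77 is one user mistyping a password twice and then logging in.
SAMPLE_LOG = """\
2023-10-14T08:00:01 4625 alice 10.0.0.50
2023-10-14T08:00:02 4625 bob 10.0.0.50
2023-10-14T08:00:03 4625 carol 10.0.0.50
2023-10-14T08:00:04 4625 dave 10.0.0.50
2023-10-14T08:00:05 4625 erin 10.0.0.50
2023-10-14T08:00:06 4625 frank 10.0.0.50
2023-10-14T08:05:00 4625 alice 10.0.0.77
2023-10-14T08:05:30 4625 alice 10.0.0.77
2023-10-14T08:06:00 4624 alice 10.0.0.77
"""


def parse_log(text):
    """Parse the simplified log into (timestamp, event_id, user, source) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, source = line.split()
        records.append((datetime.fromisoformat(ts), int(event_id), user.lower(), source))
    return records


def detect_spraying(records, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source: sorted(users)} for every source that produced failed logons
    for at least `min_users` distinct accounts inside one `window`, with no single
    account failing more than `max_per_user` times in that window.  A brute force
    against one account trips the lockout instead and is not reported here."""
    failures = defaultdict(list)  # source -> [(timestamp, user), ...]
    for ts, event_id, user, source in records:
        if event_id == 4625:
            failures[source].append((ts, user))
    alerts = {}
    for source, events in failures.items():
        events.sort()
        # slide the window start over each failure from this source
        for i, (start, _) in enumerate(events):
            counts = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                alerts[source] = sorted(counts)
                break
    return alerts


if __name__ == "__main__":
    for source, users in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(f"possible password spray from {source}: {len(users)} accounts {users}")
```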
3) Link-Local Multicast Name Resolution (LLMNR)
Link-Local Multicast Name Resolution (LLMNR) is a networking feature in Windows that poses a security threat to Active Directory. LLMNR enables name resolution without the need for a DNS server. Multicast packets are disseminated around the network, requesting the IP address associated with a specific hostname. Adversaries have the capability to intercept these packets and assert that the IP address is associated with their hostname. This functionality is redundant if the Domain Name System (DNS) is correctly set up. Therefore, the most effective approach to address this danger would be to completely deactivate LLMNR.
4) Pass-the-hash with Mimikatz
Pass-the-hash is a method employed to illicitly acquire login credentials from Active Directory and enables unauthorized lateral movement within the system. Mimikatz is a program utilized by attackers to exploit the NTLM authentication protocol. This tool enables them to mimic a user and extract credential hashes from the computer's memory. Organizations must take measures to prevent the storage of privileged account hashes in widely accessible locations. In addition, it is advisable for them to enable LSA Protection and utilize Restricted Admin mode for Remote Desktop.
5) Default Credentials
Companies frequently neglect to modify the default
passwords on devices/systems, which creates an
opportunity for attackers to exploit these
devices/systems and gain unauthorized access to
your network. Organizations must prioritize the task
of changing the default passwords and maintaining
an accurate record of all network gear. It may be
beneficial to consider implementing a system that
generates random passwords for both line-of-
business users and devices.
6) Hard-coded Credentials
In some cases, software developers will hard-code credentials into scripts, which is obviously a security risk, especially if the credentials provide privileged access. The developers may have hard-coded the credentials in order to test the functionality of the script and then forgot to remove them. Regardless of the reason, attackers will try to find scripts that contain hard-coded credentials, which they can exploit. Administrators must keep a close eye on all user accounts to ensure that they are being used for their intended purposes.
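To make the "find scripts that contain hard-coded credentials" step concrete from the defender's side, here is an added Python example (not from the study guide) that scans constructed sample script text for literal passwords, tokens and credentials embedded in URLs or command-line flags, so they can be removed before anyone else finds them. The patterns, the placeholder rules and the sample file are assumptions of this example; a real secret scanner in CI is more thorough, but the idea is the same.

```python
import re

# Constructed sample: a deployment script with a leftover test credential.
SAMPLE_SCRIPT = """\
#!/bin/bash
# constructed sample: a deployment script with a leftover test credential
DB_HOST=db.internal.example
DB_PASSWORD="Summer2023!"        # TODO remove before commit
API_TOKEN="${API_TOKEN}"         # read from the environment: fine
mysql -u deploy -p'Summer2023!' -h "$DB_HOST" appdb < schema.sql
curl https://svc_backup:Backup#1@backup.internal.example/run
"""

# Each pattern captures the suspected secret as its LAST group.  The negative
# lookbehind lets "DB_PASSWORD" match while "bypass" does not.
PATTERNS = [
    ("password assignment",
     re.compile(r"(?i)(?<![a-z])(pass(word)?|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]")),
    ("api key / token",
     re.compile(r"(?i)(?<![a-z])(api[_-]?key|token|secret)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
    ("credential in URL",
     re.compile(r"(?i)[a-z][a-z0-9+.-]*://([^/\s:@]+):([^/\s@]+)@")),
    ("cli password flag",
     re.compile(r"(?i)(?:^|\s)(?:-p|--password)[= ]?['\"]?([^\s'\"]{4,})")),
]

# Values that are templated or pulled from the environment are not literal secrets.
PLACEHOLDERS = re.compile(r"(?i)^(\$\{?\w+\}?|%\w+%|<[^>]+>|\{\{.*\}\}|os\.environ|changeme|xxx+)$")


def scan_text(text, filename="<input>"):
    """Return a list of (filename, line_number, kind, stripped_line) findings,
    at most one per line, skipping placeholder values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex)  # the captured secret value
            if PLACEHOLDERS.match(value):
                continue  # e.g. "${API_TOKEN}": sourced at runtime, not hard-coded
            findings.append((filename, lineno, kind, line.strip()))
            break
    return findings


if __name__ == "__main__":
    for filename, lineno, kind, line in scan_text(SAMPLE_SCRIPT, "deploy.sh"):
        print(f"{filename}:{lineno}: {kind}: {line}")
```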
7) Privilege Escalation
Cybercriminals commonly attempt to obtain
unauthorized access to a regular user account by
taking advantage of weak password habits. Upon
obtaining access, they will endeavor to enhance their
privileges by social engineering, exploiting
software/hardware vulnerabilities, misconfigurations,
and installing malware, among other methods.
Organizations are required to keep a current
inventory of accounts that have access to certain
resources, particularly those that are crucial.
Accounts should be assigned the minimum level of
rights necessary for their designated purpose, and all
activities performed by privileged accounts must be
consistently monitored, with immediate notifications
delivered to the administrator.
8) LDAP Reconnaissance
Once adversaries have successfully infiltrated your Active Directory infrastructure, they can employ LDAP queries to get further information about the environment. By employing this approach, they may identify and ascertain the existence of users, groups, and computers, thus facilitating their strategic decision-making process. Preventing LDAP reconnaissance can be challenging because, by default, much of the information in Active Directory is readable by all users. Therefore, it is imperative to diligently observe LDAP traffic for any irregularities and verify that all accounts are granted the minimum necessary privileges to fulfill their respective responsibilities.
9) BloodHound Reconnaissance
BloodHound is a software application that assists malicious actors in identifying and displaying attack paths in Active Directory networks. The program functions by generating a comprehensive map that delineates which computers are accessible to certain users, as well as identifying the user credentials that can be illicitly obtained from memory. Organizations may use BloodHound themselves to find and rectify weaknesses in their environment, while also gaining valuable insights on how to allocate the suitable amount of user access.
10) NTDS.dit Extraction
Domain controllers store all Active Directory data in a file known as ntds.dit, commonly referred to as "the dit". The default location of this file is C:\Windows\NTDS\. In the event that an attacker successfully infiltrates Active Directory, they will be able to obtain the ntds.dit file. Alternatively, they may penetrate the organization's backup system and retrieve the ntds.dit file from the backup. In order to thwart potential attackers from obtaining the ntds.dit file, it is advisable to reduce the number of accounts with login privileges on domain controllers, regulate access to the physical domain controller computers, and implement all the required measures to strengthen the security of your Active Directory infrastructure.

o These typically last 32-40 hours, though they can run a lot longer.

3. Web Application Pentest
o This is probably the second most common.
o The methodology focuses heavily on web-based attacks and the OWASP testing guidelines.
o OWASP stands for Open Web Application Security Project. OWASP provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
o These engagements typically last 32 to 40 hours.
o There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021. We've changed names when necessary to focus on the root cause over the symptom.[2]

1) A01:2021-Broken Access Control Rises from fifth place to become the group with the highest level of web application security risk. The data provided shows that, on average, 3.81% of tested apps had one or more instances of Common Weakness Enumerations (CWEs) under this risk category, with over 318k occurrences of CWEs. The 34 Common Weakness Enumerations (CWEs) that were associated with Broken Access Control were found to have a higher frequency of occurrences in applications compared to any other category.
2) A02:2021-Cryptographic Failures The position has been shifted up
to #2, previously referred to as A3:2017-Sensitive Data Exposure. This
position is now recognized as a wide symptom rather than a
fundamental cause. The revised name specifically emphasizes the
shortcomings associated with encryption, as it has done implicitly in
the past. This category frequently results in the disclosure of sensitive
data or breach of the system.
3) A03:2021-Injection Descends to the third place. Out of all the apps,
94% underwent testing for injection vulnerabilities. The maximum
occurrence rate of these vulnerabilities was 19%, while the average
occurrence rate was 3.37%. The category of injection vulnerabilities
includes 33 Common Weakness Enumerations (CWEs), which have
the second highest number of occurrences in applications, with a total
of 274,000 instances. Cross-site Scripting has been included in this
category in the current edition.
4) A04:2021-Insecure Design In 2021, a new category has been
introduced that specifically addresses hazards associated with design
defects. In order to truly embrace a more progressive direction as an
industry, it is imperative that we prioritize the implementation of threat
modeling, safe design patterns and principles, as well as reference
designs. A flawed design cannot be remedied by flawless execution,
as by its very nature, necessary security measures were never
established to protect against specific threats.

5) A05:2021-Security Misconfiguration Rising from the 6th position in
the previous edition, 90% of applications underwent testing for various
types of misconfiguration. The average rate of occurrence was 4.5%,
resulting in almost 208,000 instances of CWEs associated with this
particular risk category. Given the increasing adoption of highly
customizable software, it is unsurprising to observe the upward
movement of this category. The previous classification for A4:2017-
XML External Entities (XXE) has been included into this risk
category.
6) A06:2021-Vulnerable and Outdated Components Previously named
"Using Components with Known Vulnerabilities," this topic ranked
second in the Top 10 community survey. Additionally, it gathered
sufficient data to secure a position in the Top 10 through data analysis.
This category has improved its ranking from #9 in 2017. However, it
remains a challenging issue for us to test and evaluate the associated
risks. The category in question is unique in that it does not have any
Common Vulnerability and Exposures (CVEs) associated with the
included CWEs. As a result, a standard exploit and impact weight of
5.0 is automatically considered in their scores.
7) A07:2021-Identification and Authentication Failures Previously
known as Broken Authentication, the vulnerability has dropped from
the second place and now encompasses CWEs that are mostly
associated with identity issues. This category remains a fundamental
component of the Top 10, although the growing accessibility of
standardized frameworks appears to be beneficial.
8) A08:2021-Software and Data Integrity Failures Introducing a novel
category for 2021, which centers around making presumptions
regarding software upgrades, vital data, and CI/CD pipelines without
ensuring their integrity. One of the most significant consequences,
based on the weightage assigned, derived from the Common
Vulnerability and Exposures/Common Vulnerability Scoring System
(CVE/CVSS) data, is associated with the 10 CWEs under this
category. The inclusion of Insecure Deserialization in the A8:2017
category has been established.
9) A09:2021-Security Logging and Monitoring Failures Previously,
the vulnerability was classified as A10:2017-Insufficient Logging &
Monitoring. It has been included in the Top 10 community survey (#3),
moving up from its prior position at #10. This category has been
broadened to encompass a wider range of failures, which are difficult
to test for and are not well reflected in the CVE/CVSS data.
Nevertheless, deficiencies in this classification can directly influence
the level of visibility, the ability to report incidents, and the process of
gathering evidence.
10) A10:2021-Server-Side Request Forgery Is included from the Top 10 community survey, ranked as number one. The data indicates a comparatively low frequency of occurrence, along with testing coverage that is higher than the norm. Additionally, the scores for Exploit and Impact potential are above average. This category pertains to situations where the members of the security community emphasize the significance of an issue, despite the absence of supporting evidence in the current data.
4. Wireless Pentest
o Also known as a wireless network pen test.
o Assessing an organization's wireless network security.
o The methodology will vary depending on what type of wireless network is being used.
o These typically last about 4 to 8 hours per SSID.
5. Physical Pentest & Social Engineering
o We are assessing an organization's physical security.
o Our methodology depends on the task and goals.
6. Other Assessments
o Mobile Penetration Testing
o IoT Penetration Testing
o Red Team Engagements
o Purple Team Engagements

Report Writing
o A report is typically delivered within a week after the engagement ends.
o The report should highlight both non-technical and technical findings.
o Recommendations should be clear to both executives and technical staff.

Debrief
o A debrief walks through your report findings. This can be with technical and non-technical staff present.
o It gives the client an opportunity to ask questions and address any concerns before a final report is released.

EFFECTIVE NOTEKEEPING

● Notion - is a note-taking app that works using a system of blocks. Each piece of content in Notion, whether it's text, an image, or a file, is housed in its own block. This allows for a high degree of flexibility and customization in organizing and structuring your information.[3]

● Keep Note – not recommended and outdated. Not safe to use.[4]


● Joplin - is an open source note-taking app. Capture your thoughts and securely access them from any device.[5]

● Obsidian - is a personal knowledge base and note-taking software application that operates on Markdown files.[6]

EFFECTIVE TOOL FOR SCREENSHOT

● GREENSHOT – the most awesome tool for making screenshots you can get on your Windows PC.[7]

● FLAMESHOT - is a free and open-source, cross-platform tool to take screenshots with many built-in features to save you time.

IP ADDRESS
● An IP address is a unique address that identifies a device on the internet or a local network. IP stands for "Internet Protocol," which is the set of rules governing the format of data sent via the internet or a local network.[8]
● It is a string of numbers separated by periods. IP addresses are expressed as a set of four numbers; an example address might be 192.158.1.38. Each number in the set can range from 0 to 255.


IPv4
● IPv4 addresses are 32-bit integers expressed in decimal notation.[10]
IPv6
● IPv6 is a newer version of the Internet Protocol with longer addresses containing both numbers and letters.[11]

MAC Address
A MAC address is a 12-digit hexadecimal number that is most often displayed with a colon or hyphen separating every two digits (an octet), making it easier to read.[12]
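An added Python example (not from the study guide) that turns the address rules above into working checks: dotted-decimal IPv4 to its 32-bit integer and back, MAC normalization that accepts colon or hyphen separators, and a classifier that also recognizes IPv6 with the standard library. Sample inputs are constructed; the rejection of leading zeros in an octet is a caveat added here, because some parsers read "010" as octal.

```python
import ipaddress


def parse_ipv4(text):
    """Return the 32-bit integer value of a dotted-decimal IPv4 address, or None
    if the string is not one (wrong octet count, non-numeric, octet > 255)."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        return None
    value = 0
    for part in parts:
        # reject empty octets, signs, whitespace and leading zeros such as "01"
        if not part.isdigit() or (len(part) > 1 and part[0] == "0"):
            return None
        octet = int(part)
        if octet > 255:
            return None
        value = (value << 8) | octet  # each octet is one byte of the 32-bit value
    return value


def ipv4_to_text(value):
    """Inverse of parse_ipv4: 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_mac(text):
    """Return a MAC address as lowercase 'aa:bb:cc:dd:ee:ff', accepting ':' or '-'
    separators (or none at all); None unless it is exactly 12 hex digits."""
    digits = text.strip().replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(text):
    """Label a string as 'ipv4', 'ipv6', 'mac' or 'invalid'.  IPv6 is delegated
    to the standard library because its compressed '::' forms are more involved."""
    if parse_ipv4(text) is not None:
        return "ipv4"
    try:
        ipaddress.IPv6Address(text.strip())
        return "ipv6"
    except ValueError:
        pass
    return "mac" if normalize_mac(text) else "invalid"


if __name__ == "__main__":
    for sample in ("192.158.1.38", "256.1.1.1", "2001:db8::1", "00-1A-2B-3C-4D-5E"):
        print(f"{sample!r:22} -> {classify(sample)}")
```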

SUMMARY

In conclusion, ethical hacking, also known as penetration testing or white-hat hacking, plays a crucial role in enhancing cybersecurity. By simulating potential cyber threats and vulnerabilities, ethical hackers help organizations identify and remediate security weaknesses before malicious actors can exploit them. By maintaining well-structured notes and efficiently capturing and organizing screenshots, individuals can streamline information retrieval, improve task management, and boost overall efficiency. An IP address is a unique address that identifies a device on the internet or a local network. IP stands for "Internet Protocol," which is the set of rules governing the format of data sent via the internet or a local network. A MAC address is a 12-digit hexadecimal number that is most often displayed with a colon or hyphen separating every two digits (an octet).


REFERENCES

[1] Robinson, P. (2023, July 26). Top 10 Active Directory attack methods. Lepide Blog: A Guide to IT Security, Compliance and IT Operations. https://www.lepide.com/blog/top-10-active-directory-attack-methods/
[2] OWASP Top 10:2021. (n.d.). https://owasp.org/Top10/
[3] Shaikh, F. (2023, February 15). How to take notes in Notion [Complete guide]. notionzen. https://notionzen.com/how-to-take-notes-in-notion/
[4] KeepNote: Note taking and organization. (n.d.). http://keepnote.org/
[5] Joplin website. (n.d.). https://joplinapp.org/
[6] Wikipedia contributors. (2023). Obsidian (software). Wikipedia. https://en.wikipedia.org/wiki/Obsidian_(software)
[7] Wikipedia contributors. (2023a). Greenshot. Wikipedia. https://en.wikipedia.org/wiki/Greenshot
[8] What is an IP address – Definition and explanation. (2023, June 30). Kaspersky. https://www.kaspersky.com/resource-center/definitions/what-is-an-ip-address
[9]
private ip address - Bing. (n.d.). Bing. https://www.bing.com/images/search?view=detailV2&ccid=VU
%2b6FIc8&id=EA939991C7FA6A96BB9208675CEEC99C6DEB1FC3&thid=OIP.VU-6FIc8FDU-
4uwxlp5-tAHaFj&mediaurl=https%3a%2f%2fth.bing.com%2fth%2fid
%2fR.554fba14873c14353ee2ec31969e7eb4%3frik%3dwx%252frbZzJ7lxnCA%26riu%3dhttp%253a
%252f%252f66.media.tumblr.com%252f02a533c1d55ca0ba83e0176168df06ec
%252ftumblr_inline_o4m1taQugo1u4ytoo_1280.jpg%26ehk
%3d7xqOVMVX0UiRQR7xSKFy42mnjzJnbU3ScUM3A6GiPog%253d%26risl%3d%26pid
%3dImgRaw%26r
%3d0&exph=720&expw=960&q=private+ip+address&simid=608047570171408244&FORM=IRPRST
&ck=BE80175D7375A4107978B576B0F396AE&selectedIndex=0&ajaxhist=0&ajaxserp=0
[10] GeeksforGeeks. (2022). What is IPv4. GeeksforGeeks. https://www.geeksforgeeks.org/what-is-ipv4/
[11] Bogna, J. (2023). IPv4 vs. IPv6: What are the differences? How-To Geek. https://www.howtogeek.com/901201/ipv4-vs-ipv6/
[12] What's a MAC address and how do I find it? (n.d.). https://slts.osu.edu/articles/whats-a-mac-address-and-how-do-i-find-it/
