Hacker - CEH
https://www.safaribooksonline.com/library/view/learning-path-certified/9780134677552/
Lesson 1: Course Overview
Learn everything you need to know to pass the Certified Ethical Hacker exam in under
10 hours. Understand the basics of network and Internet accessible application
technologies, common discovery, and analysis techniques as well as more advanced
security concepts such as malware and cryptography.
Description
The Certified Ethical Hacker (CEH) Complete Video Course provides a complete
overview of the topics contained in the EC-Council Blueprint for the CEH exam. With 5
modules containing more than 10 hours of training, this course covers all concepts in
the objectives so you can master the knowledge you need to pass the exam. The
course begins with a general overview of security essentials. You then explore system,
network, and web services security before diving into wireless and Internet security.
This course provides the breadth of coverage necessary to learn the full security
concepts behind the CEH exam. It also helps prepare you for a career as a security
professional.
Topics include
Module 1: Security Essentials
Module 2: Systems Security
Module 3: Network Security
Module 4: Web Services Security
Module 5: Wireless and Internet Security
Course Requirements
Anyone interested in earning a Certified Ethical Hacker (CEH) certification must attend
training through EC-Council or show that they have 5 years of information security
experience in each of the 5 CCISO domains via the application form. Please go to the
EC-Council website for more information.
Areas of focus
Lesson 2: Introduction to Ethical Hacking
2.2 Attack vectors: the path by which a hacker gains access to a host in order to deliver
a payload or malware.
2.4 Ethical Hacking: Attack Phases
Lesson 3: Footprinting and Recon
- 3.4 Search engines (Google, using Google search operators; Wikipedia; Google
Maps for geo-info)
- 3.7 Website analysis (using a packet sniffer and browser developer tools, a hacker can
gain info about content types, OS, software versions and cookies)
Shodan (online app)
Nmap (to scan yourself)
in Kali: nmap -A -T4 scanme.nmap.org (-T4 is the timing template; "-TS" is not a valid nmap option)
- Routing Paths → to learn the route packets take through a network
UDP traceroute (*nix systems): traceroute 8.8.8.8
ICMP traceroute (Windows): tracert 8.8.8.8
TCP traceroute: tctrace
Graphical applications: Open Visual Traceroute, VisualRoute
- 3.10 DNS/Whois
Info about a domain: dig ANY google.com
More domain info: whois google.com
- 3.11 Social engineering (gathering info from a target through physical or
verbal interaction, e.g. using trick questions)
- 3.12 Employees' online activities (analysis of social networks, since employees love
sharing, and analysis of online company info: open positions, services, ...)
3.14 Footprinting countermeasures
- Disable unnecessary services
- Approach the system(s) as an attacker to determine what info is exposed
- Consider using a Host Intrusion Prevention System
- Use IPSec VPN when outside enterprise network
- Have a security policy
- Audit yourself
- Educate employees
Lesson 4: Scanning Networks
Discover Open Ports:
In order to establish a connection and exchange data using TCP, hosts must first
complete a three-way handshake (to synchronize sequence numbers): SYN / SYN-ACK / ACK.
4.4 & 4.5 TCP scan techniques
4.5 Countermeasures
- Use stateful firewalls
- Update Intrusion Detection Systems/ Intrusion Prevention Systems
- Scan your assets, from inside and outside
- Filter ICMP
- Employ HIPS with behaviour monitoring
In the exam you don't have to use them, but you must be aware that they exist and know
their names.
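As an added example (mine, not from the course) of the handshake described above and of the IDS-style countermeasure, the Python below parses raw TCP headers, names the probe shape by its flags (a lone SYN is the handshake opener; NULL, FIN and XMAS flag combinations never start a legitimate connection) and reports sources that open many half-handshakes without ever sending the final ACK. The sample traffic is constructed inline; build_tcp_header, classify_probe and detect_port_scans are names I chose for this example.

```python
import struct
from collections import defaultdict

# Flag bits of the TCP header flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header: data offset 5, window 65535, checksum left zero."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def parse_tcp_header(raw):
    """Ports, sequence numbers and flags from the fixed part of a TCP header."""
    if len(raw) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF}


def classify_probe(flags):
    """Name the probe shape: the handshake opener, or the flag combinations that no
    legitimate connection starts with and that scanners send to elicit a RST."""
    f = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if f == 0:
        return "NULL"
    if f == FIN:
        return "FIN"
    if f == FIN | PSH | URG:
        return "XMAS"
    if f == SYN:
        return "SYN"
    if f == SYN | ACK:
        return "SYN-ACK"
    if f & RST:
        return "RST"
    return "OTHER"


def detect_port_scans(packets, threshold=10):
    """packets: iterable of (src_ip, dst_ip, raw_tcp_header). A source is reported when
    it sent SYNs to >= threshold distinct (host, port) targets without ever sending the
    ACK that completes the handshake, or >= threshold NULL/FIN/XMAS probes."""
    syn_targets = defaultdict(set)
    completed = defaultdict(set)
    stealth = defaultdict(int)
    for src, dst, raw in packets:
        hdr = parse_tcp_header(raw)
        kind = classify_probe(hdr["flags"])
        target = (dst, hdr["dport"])
        if kind == "SYN":
            syn_targets[src].add(target)
        elif hdr["flags"] & ACK and not hdr["flags"] & (SYN | RST):
            completed[src].add(target)  # third handshake message, or later data
        if kind in ("NULL", "FIN", "XMAS"):
            stealth[src] += 1
    report = {}
    for src in set(syn_targets) | set(stealth):
        half_open = len(syn_targets[src] - completed[src])
        if half_open >= threshold or stealth[src] >= threshold:
            report[src] = {"half_open_targets": half_open, "stealth_probes": stealth[src]}
    return report


def sample_traffic():
    """Constructed capture: one real client completing a handshake, one scanner."""
    pkts = []
    # 10.0.0.7 opens and completes a connection to 10.0.0.5:443, then sends data
    pkts.append(("10.0.0.7", "10.0.0.5", build_tcp_header(51000, 443, SYN, seq=1000)))
    pkts.append(("10.0.0.5", "10.0.0.7", build_tcp_header(443, 51000, SYN | ACK, seq=5000, ack=1001)))
    pkts.append(("10.0.0.7", "10.0.0.5", build_tcp_header(51000, 443, ACK, seq=1001, ack=5001)))
    pkts.append(("10.0.0.7", "10.0.0.5", build_tcp_header(51000, 443, PSH | ACK, seq=1001, ack=5001)))
    # 10.0.0.99 sends one SYN to each of 25 ports and never follows up; the target
    # answers each closed port with RST/ACK
    for port in range(1, 26):
        pkts.append(("10.0.0.99", "10.0.0.5", build_tcp_header(40000 + port, port, SYN)))
        pkts.append(("10.0.0.5", "10.0.0.99", build_tcp_header(port, 40000 + port, RST | ACK)))
    # ...plus three XMAS-shaped probes from the same source
    for port in (80, 443, 8080):
        pkts.append(("10.0.0.99", "10.0.0.5", build_tcp_header(41000, port, FIN | PSH | URG)))
    return pkts


if __name__ == "__main__":
    print(detect_port_scans(sample_traffic()))
```

The client that finishes its handshake is never reported, even though it also sent a SYN; the scanner is reported on both counters. A real IDS applies the same idea per time window and with a much larger threshold.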
4.11 Proxies
A proxy is a host that forwards traffic on your behalf. Proxies are used to hide the source IP.
Chaining proxies consists of using several successive proxies in order to obfuscate the
source further.
Tools:
- Proxy Workbench
- Proxifier
- Proxy Switcher
- TOR project (onion routing)
Other tools:
In Kali: ssh -L 5900:10.1.1.20:5900 nick@10.1.1.10 (SSH local port forwarding: local port
5900 is tunnelled through 10.1.1.10 to port 5900 on 10.1.1.20)
In Windows: Bitvise, PuTTY
4.13 Anonymizers
For hiding the source of traffic.
For the exam, you should just be aware that they exist (you don’t have to use them).
Tools:
- Psiphon
- Your Freedom
Other tools:
4.14 IP Spoofing
IP spoofing is the technique of modifying the source IP address of a packet so that it
appears to come from a different host.
Spoofing source IPs is easy; getting a response back is hard.
4.15 Scanning steps
Lesson 5: Enumeration
After the footprinting and scanning phases, a hacker has to gain more specific
information about hosts and devices in the network → ENUMERATION.
Enumeration techniques:
- Default passwords
- User group extraction
- Username from email
- SNMP walking
- Active directory
- DNS zone transfer
A hacker can get information from NetBIOS (commonly running on Windows systems)
using the following tools:
There are tools which are able to gather info from remote hosts (for example which
applications are running). One of these is PsExec.
Routers often have default passwords configured: a good method to find these
passwords is simply to Google them.
SNMP runs on network devices and is a protocol for managing and monitoring them.
The protocol is used both to gather information about the configuration and to change it.
The command used to obtain info is snmpwalk: with it you can gather information
about a device (which must be running SNMP!).
For example, with this command you can get the version of the OS running on a
particular device:
snmpwalk -v2c -c public IP-ADDRESS | grep Version
enum4linux -v IP → enum4linux is a script for Linux that automatically runs all the
previous commands (and other commands as well)
Countermeasures:
- Authenticate queries to only domain users
- Use LDAPS
- Disable File/Printer Sharing
Countermeasures:
- Silently ignore unknown recipients
- Disable relay for other domains
- Don’t use personal names when registering domains
Lesson 6: System Hacking
6.3 KeyLoggers and Anti-KeyLoggers
- PC/BIOS
- Keyboard
- External
Keylogger Defense (Hardware-based):
Tools:
Escalation defense:
Goals:
- Gather more information (spyware: video, audio, USB-launched, GPS)
- Create backdoors
- Launch additional attacks
Execution tools (you get access to the system and then install them to have remote
access):
- PsExec
- Remote-Exec
- PDQ Deploy
- Dame-ware
A rootkit is software that gives the attacker further advantages after the attack
has been accomplished:
- Gain admin privileges
- Gain additional data
- Monitor network traffic
- Launch attacks to other hosts
Defense against Rootkits:
- Avoid untrusted downloads
- Use Firewalls
- Verify all software before installing (install only the necessary one)
- Choose antivirus that protects from Rootkits
6.10 Steganography
It is the art of hiding a message or information within other data
(documents, text, images, audio, video...).
It is used when an attacker gains access to information but will not make use of it
right away, so hides it for later use.
On the other hand, steganalysis is the art of discovering these hidden messages and is
typically done by statistical analysis of files.
Tools for steganalysis:
6.11 Covering tracks
Tools:
- clearlogs.exe
- meterpreter
- CCleaner
- MRU-Blaster
- BleachBit
- ClearProg
2) Escalate privilege
3) Execute applications
4) Hide files
5) Cover tracks
Lesson 7: Malware threats
- Worm
- Adware (advertising products)
- Backdoor (allow the attacker to get access in the future by other ways)
- Spyware
- Botnet (it’s not software)
- Crypter (use encryption technology for bad purposes)
- Rootkit (provide more access to an already compromised system)
Malware actions:
7.3 Common Ports for Malware
The range of ports (0-65535) is divided into 3 main blocks:
- WELL-KNOWN PORTS (0-1023) → long-established basic services
- REGISTERED PORTS (1024-49151) → assigned to other services, but you could
use them for other services
- PRIVATE PORTS (49152-65535) → not assigned to any specific service
Port scanning tools can be used to determine open ports: once infected, a host may
open additional ports.
At www.anti-trojan.org/port_opened.html you can find a list of Trojans and the ports
they use for attacking.
7.5 How to detect
Scan for suspicious:
1) Open ports
Port scanner: CurrPorts, nmap, TCPView
2) Processes
Process scanner: HijackThis, Security task Manager, Microsoft Process Explorer,
Autoruns, OpManager, YAPM
3) Registry entries
Registry scanners: Registry Viewer, Alien Registry Viewer, Active Registry
Monitor, RegScanner
4) Startup programs
Startup Program Scanners: WinPatrol, Startup Manager, Startup Booster,
ActiveStartup
5) Services
Windows service scanners: Process Hacker, Service+, Nagios XI, SMART,
ServiWin, SrvMan
6) Drivers
Drivers scanner: Driver Reviver, My Drivers, Driver-View, Driver-Easy
7) Folder & Files
Folder & File scanners: Tripwire, FastSum, FCIV, SIGVERIF, WinMD5
8) Network activity
7.9 Countermeasures
Lesson 8: Sniffing
Sniffing is about watching traffic on the network, for both legitimate and illegitimate purposes.
Wiretapping is also considered a sniffing technique.
Packets can be sniffed for lawful purposes (authorization is needed).
ACTIVE SNIFFING: it is primarily used on networks that use Layer 2 switches, where the
attacker poisons protocols to redirect traffic to himself. This kind of sniffing is detectable
on a network.
Switches are different from hubs because they forward frames intelligently by looking at
MAC addresses.
Active sniffing techniques → MAC flood, MAC duplication, ARP spoof, DHCP starvation
Sniffing packets is crucial to a hacker's background: he can see what's going on in the
network, but he can also steal a lot of sensitive information. Many protocols send
usernames and passwords in clear text → Telnet, POP, IMAP, SMTP, HTTP, NNTP,
FTP.
8.5 DHCP attacks
DHCP can be used to influence a switch/host to send traffic to us. The method consists
of spoofing a DHCP offer, “winning the race” against the DHCP server when a request is
sent. If the attacker beats the server to the reply, he can set himself as the
default gateway and receive all traffic from that particular switch/host.
DHCP starvation is another method for DoS attacks: we spoof the source address and ask
for many addresses with the goal of exhausting the available IP addresses. This is not a
sniffing technique.
Tools: Technitium MAC Address Changer, used for modifying the MAC address
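To make the two DHCP attacks above concrete from the defender's side, here is an added Python example (not from the course) that scans DHCP event log lines the way a switch's DHCP snooping feature reasons: an OFFER arriving on a port that is not the trusted server port indicates a rogue server, and a burst of DISCOVERs carrying many different client MACs on one port indicates starvation. The log line format, the port names (Gi1/0/7 and so on), the addresses and the function names are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not that of any real product):
#   <ISO-timestamp> DHCPDISCOVER from <client-mac> via port <switch-port>
#   <ISO-timestamp> DHCPOFFER of <ip> from <server-ip> (<server-mac>) via port <switch-port>
DISCOVER_RE = re.compile(r"^(\S+) DHCPDISCOVER from (\S+) via port (\S+)$")
OFFER_RE = re.compile(r"^(\S+) DHCPOFFER of (\S+) from (\S+) \((\S+)\) via port (\S+)$")


def analyse_dhcp_log(lines, trusted_ports, window_seconds=10, starvation_threshold=20):
    """Flag OFFERs seen on untrusted ports (a rogue server) and ports on which at least
    `starvation_threshold` distinct client MACs sent DISCOVERs within `window_seconds`."""
    rogue_offers = []
    discovers = defaultdict(list)  # switch port -> [(timestamp, client MAC)]
    for line in lines:
        m = OFFER_RE.match(line)
        if m:
            ts, offered_ip, server_ip, server_mac, port = m.groups()
            if port not in trusted_ports:
                rogue_offers.append({"time": ts, "server_ip": server_ip, "server_mac": server_mac,
                                     "port": port, "offered_ip": offered_ip})
            continue
        m = DISCOVER_RE.match(line)
        if m:
            ts, client_mac, port = m.groups()
            discovers[port].append((datetime.fromisoformat(ts), client_mac))

    starvation = {}
    window = timedelta(seconds=window_seconds)
    for port, events in discovers.items():
        events.sort()
        # sliding window: distinct MACs seen within `window` of each event
        for i, (start, _) in enumerate(events):
            macs = {mac for t, mac in events[i:] if t - start <= window}
            if len(macs) >= starvation_threshold:
                starvation[port] = max(starvation.get(port, 0), len(macs))
    return {"rogue_offers": rogue_offers, "starvation_ports": starvation}


def sample_log():
    """Constructed log: one normal lease, then a starvation burst answered by a rogue server."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [
        f"{base.isoformat()} DHCPDISCOVER from 00:aa:bb:cc:dd:01 via port Gi1/0/3",
        f"{(base + timedelta(milliseconds=20)).isoformat()} DHCPOFFER of 10.1.1.50 "
        f"from 10.1.1.1 (00:11:22:33:44:55) via port Gi1/0/1",
    ]
    # 25 DISCOVERs with different spoofed MACs from one access port within two seconds
    for i in range(25):
        t = base + timedelta(seconds=1, milliseconds=80 * i)
        lines.append(f"{t.isoformat()} DHCPDISCOVER from de:ad:be:ef:00:{i:02x} via port Gi1/0/7")
    # an OFFER coming from that same access port, i.e. not from the real server
    t = base + timedelta(seconds=4)
    lines.append(f"{t.isoformat()} DHCPOFFER of 10.1.1.200 from 10.1.1.250 "
                 f"(de:ad:be:ef:ff:ff) via port Gi1/0/7")
    return lines


if __name__ == "__main__":
    print(analyse_dhcp_log(sample_log(), trusted_ports={"Gi1/0/1"}))
```

The port-based rule is the important one: a rogue server cannot make its OFFER arrive through the port the real server is plugged into, so the switch can drop it regardless of how fast the attacker replies.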
- Use IDS and firewalls
- Use host protection software
- Use DNSSEC → DNS security with authenticated requests and responses
8.11 Penetration testing
Lesson 9: Social Engineering
Target: everyone!
Common targets:
9.3 Techniques
There are 3 primary types:
- Computer-based
- Human-based
- Mobile-based
9.4 Social engineering sites
Social sites make it possible to collect user data.
1) Facebook (fake companies pages, fake group pages, fake profiles)
2) Twitter
3) Linkedin
4) Google+
9.6 Countermeasures
Lesson 10: Denial-of-Service (DoS)
10.3 Botnet
Network of compromised hosts running software that automates tasks through remote
Command&Control.
- Protect “zombies”
- Neutralize Handlers
- Detect Potential Attacks
- Deflect Attack (honeypots)
- Mitigate Attacks (bandwidth increase during the attack)
- Forensics (after DoS)
- Protect devices from botnet
- Perimeter Security
- Contact your ISP
- Hardware (several vendors offer DDoS mitigation appliances)
Lesson 11: Session Hijacking
The purpose of session hijacking is to compromise a valid session between a client and
a server (also called TCP session hijacking).
There are many techniques for hijacking: brute force, application level hijacking, MiTM,
predict session ID, session ID replay, reset, blind injection.
These techniques are classified as:
- ACTIVE when the hacker takes over the session; the victim is then “frozen” and
he knows something is wrong;
- PASSIVE when the hacker just watches; the session is recorded and the victim is
unaware of the attack.
The session IDs are alphanumeric strings (that should be randomly generated) used to
establish a stateful connection. These IDs are typically stored in cookies, in URLs or in
hidden fields. When the ID is compromised, the attacker can gain access to the session.
SESSION FIXATION → the attacker uses a session already established with the server
and tries to get the victim to use that session. In this way the client's traffic passes
through the attacker.
MAN-IN-THE-MIDDLE attacks (11.4) → the attacker sits between the client and the
server, forcing all the traffic through him/her. Man-in-the-Browser is a variation: the
malicious entity is not a separate system but a client-side program used for capturing
data or inserting scripts into web pages.
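The notes say session IDs should be randomly generated and that fixation works by getting the victim to use a session the attacker already holds. The added Python below (mine, not from the course) shows the two server-side defences: generating IDs from the operating system's CSPRNG, and issuing a fresh ID at login so that any ID planted or observed before authentication never becomes an authenticated session. It also includes a small audit heuristic for a sample of IDs from your own application. SessionStore, new_session_id, predictability_report and the counter-style weak IDs are assumptions of this example.

```python
import math
import secrets
from collections import Counter


def new_session_id(nbytes=32):
    """Session ID from the OS CSPRNG: 32 random bytes (256 bits), URL-safe base64 (43 chars)."""
    return secrets.token_urlsafe(nbytes)


class SessionStore:
    """Server-side session table keyed by ID; the client only ever holds the ID."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = new_session_id()
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        """Rotate the ID at authentication and discard the pre-login one, so a fixed or
        sniffed pre-login ID is worthless once the user has logged in."""
        data = self._sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown session")
        data["user"] = user
        new_sid = new_session_id()
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        session = self._sessions.get(sid)
        return session["user"] if session else None


def sample_weak_ids(n=10):
    """Constructed example of what a naive application might issue: a hex counter."""
    return [f"{1000 + i:08x}" for i in range(n)]


def predictability_report(ids):
    """Heuristics for auditing a sample of IDs issued by your own application:
    length, uniqueness, whether they step by a constant, and entropy per character."""
    report = {"min_length": min(len(s) for s in ids),
              "all_distinct": len(set(ids)) == len(ids)}
    try:
        nums = [int(s, 16) for s in ids]
        diffs = {b - a for a, b in zip(nums, nums[1:])}
        report["sequential"] = len(diffs) == 1 and 0 < next(iter(diffs)) < 1000
    except ValueError:  # not even parseable as hex, which is a good sign
        report["sequential"] = False
    counts = Counter("".join(ids))
    total = sum(counts.values())
    report["bits_per_char"] = -sum(c / total * math.log2(c / total) for c in counts.values())
    return report


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print(anon != authed, store.user_for(anon), store.user_for(authed))
    print(predictability_report(sample_weak_ids()))
    print(predictability_report([new_session_id() for _ in range(50)]))
```

The entropy-per-character figure only measures the alphabet in use, not true unpredictability, so treat a low value as a red flag and a high value as necessary but not sufficient; the generator's source of randomness is what actually matters.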
11.6 Network Level Hijacking
TCP/IP hijacking happens after the second message of the 3-way handshake (SYN &
ACK & ISN): the attacker responds to the server instead of the client with the 3rd
message.
RESET or RST hijacking → an RST packet is sent from the server to the client to reset the
connection: the attacker can send this packet to the client, who then re-authenticates,
but with the attacker.
Other attacks with TCP/IP:
UDP hijacking → UDP is connectionless and UDP requests can contain DNS queries.
If the attacker wins the race against the server to respond to a UDP request, he can also
answer a DNS query with a fake web server.
11.7 Session Hijacking Tools
SURF JACK → hijacks HTTP connections to steal cookies (works on both Ethernet and
Wi-Fi)
COOKIE CATCHER → for Cross-Site Scripting
FIRESHEEP → HTTP session hijacking
WHATSUP GOLD ENGINEER TOOL → a network diagnostic tool
ZAPROXY → a penetration testing tool that searches for vulnerabilities in web
applications
Additional tools:
For network security: use secure networks with firewalls, limit incoming connections,
minimize remote access, use HTTPS rather than HTTP, send encrypted data, and make use of
Certification Authorities.
Lesson 12: Hacking webservers
Why hack a webserver? → accessible via the Internet, several attack vectors available,
gain access to user accounts
Results of a successful web hack → access to sensitive data and user accounts,
defacement of the web site, launching secondary attacks, compromising other systems
Footprinting Tools →
- Mirroring:
Tools → wget, HTTrack, rsync, BlackWindow, WebCopier
- Vulnerability Scanning:
Tools → Scan My Server, SUCURI, Detectify, Web Inspector, SiteGuarding
- Session Hijacking:
Techniques → Cross-site scripting, Sidejacking, Fixation, Malware
Examples → Firesheep, WhatsApp sniffer, CookieCadger
Tools → Firesheep, CookieCatcher, Wireshark, Burp Suite, JHijack
- Password Hacking
12.4 Countermeasures
- Maintaining patches
- Securing the web server
- Monitor the web server for changes (use a tool such as WebsiteCDS)
- General policies → pay attention to permissions on your files, audit your system
(check log files), watch session ID tracking, make use of ACLs, try to make your
machine stand-alone, be careful with scripts, have a secure DB
12.5 System patch management
Patching Policies:
Tools to patch your system: GFI LanGuard, Secunia CSI, MaaS360 Patch Analyzer,
Security manager Plus, Prism Suite, Microsoft Baseline Security Analyzer
Lesson 13: Hacking Web Applications
A web application injection provides the attacker with access to the “back end” of the web
application. There are several types: LDAP, File, XML, XPath, OS Command, HTML
and SQL injection.
Some additional web application attacks: CSRF, DoS, cookie poisoning, session
poisoning, session fixation, buffer overflow, storage, error handling, transport layer,
redirects, CAPTCHA and authentication.
to: steal or modify data or block access to the DB itself.
Methods:
- connection pool DoS (block the access)
- connection string injection (pass info into the DB in order to have access to DB)
- connection string parameter pollution (modify existing parameters in DB)
- Client (try to attack the client side)
- Services
3) Other tools: x5s, SPIKE Proxy, Ratproxy, Web Site Security Audit, VampireScan,
N-Stalker
Lesson 14: SQL injection
SQLi is when the attacker executes malicious SQL statements against your database: these
statements are also called the “malicious payload”.
SQLi attacks are used for:
- Bypass authentication
- Retrieve DB contents
- Modify DB contents
- Deface websites
14.3 Methodology
Steps:
1) Gather Information: probe application for DB connection, attempt SQLi to
generate errors (with these you can determine DB engine, functionalities,
acceptable commands, data types and structure), insert string when numeric is
requested, try to use UNION statements
2) Launch simple attacks: try UNION statements, stored procedure, try to bypass
logins, blind SQLi
3) Launch advanced attacks: data enumeration, create accounts, gather
passwords, execute OS commands, access the file system
Other tools:
- Use hashed passwords in the DB
Others:
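Added worked example (mine, not from the course) for the methodology above and for the hashed-password countermeasure: the same username lookup written with string concatenation and with parameter binding, run against a constructed in-memory SQLite users table whose passwords are stored only as salted PBKDF2 hashes. The table, the user names and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt):
    """Slow salted hash (200k PBKDF2-HMAC-SHA256 rounds): a stolen table is not a password list."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_db():
    """Constructed in-memory users table; no plaintext password is ever stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in (("alice", "correct horse battery"), ("bob", "hunter2")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The defect: the input is pasted into the statement, so a quote character in it
    closes the literal and whatever follows is executed as SQL."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn, username):
    """Parameter binding: the driver passes the input as data, never as SQL syntax."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return sorted(row[0] for row in rows)


def verify_login(conn, username, password):
    """Bound lookup plus constant-time comparison of the recomputed hash."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"
    print("concatenated:", find_user_vulnerable(db, probe))  # every username comes back
    print("bound:       ", find_user_safe(db, probe))        # nothing matches that literal
    print(verify_login(db, "alice", "correct horse battery"), verify_login(db, "alice", "wrong"))
```

Hashing does not replace parameterization: the concatenated lookup still enumerates every username without any password, which is exactly the “retrieve DB contents” goal listed above, and only the bound-parameter version refuses it. The hashing is what limits the damage when the table is nevertheless dumped.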
Lesson 15: Hacking Wireless
Wireless Local Area Networks (WLANs) are based on the 802.11 standard.
Different security algorithms have been used for WLANs: WEP (not secure), WPA (not
secure), WPA2 (more secure and used today).
WEP is a stream cipher which uses a key and a random initialization vector of 24 bits. It is
very insecure because the number of bits is too low: there is a 50% probability of
repeating the IV within 4096 frames.
It is very easy to break, but there still exist wireless networks using it.
There is a tool designed to break WEP → Wifite
WPA and WPA2 use block encryption instead and brought a lot of security
improvements.
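The notes give a rule of thumb for how quickly a 24-bit IV repeats. The added example below (written for these notes, not part of the course) computes the exact birthday-bound probability for any IV width and frame count, and the smallest frame count at which a chosen probability is reached, so the figure can be checked; iv_collision_probability, frames_until and the assumption that IVs are drawn uniformly at random are mine.

```python
import math


def iv_collision_probability(iv_bits, frames):
    """P(at least one IV repeats) when `frames` IVs are drawn uniformly from 2**iv_bits values.
    Computed in log space as 1 - prod_{i=0}^{frames-1} (1 - i/N), the birthday problem."""
    space = 1 << iv_bits
    if frames > space:  # pigeonhole: a repeat is certain
        return 1.0
    log_no_repeat = 0.0  # log of the probability that all IVs so far are distinct
    for i in range(frames):
        log_no_repeat += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_repeat)


def frames_until(iv_bits, probability):
    """Smallest number of frames after which P(repeat) >= `probability`.
    Incremental form of the same product; fine for the widths where it is small."""
    space = 1 << iv_bits
    log_no_repeat, frames = 0.0, 0
    while 1.0 - math.exp(log_no_repeat) < probability:
        log_no_repeat += math.log1p(-frames / space)  # draw the (frames+1)-th IV
        frames += 1
    return frames


if __name__ == "__main__":
    print("P(repeat) after 4096 frames, 24-bit IV:", round(iv_collision_probability(24, 4096), 3))
    print("frames for 50% with a 24-bit IV:", frames_until(24, 0.5))
    print("P(repeat) after 4096 frames, 48-bit counter:", iv_collision_probability(48, 4096))
```

With a 24-bit IV the probability after 4096 frames comes out near 39%, and 50% is crossed at roughly 4800 frames (about 1.18 times the square root of 2^24, which is where the 4096 figure comes from). A busy access point sends that many frames within minutes, so keystream reuse is a certainty for WEP regardless of the key length; a 48-bit counter, as used by the later 802.11 protocols, stays far below any useful collision probability for the same traffic.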
15.4 Wireless attack methods
Footprinting → it is basically scanning the air with antennas, searching for available
wireless networks. Several tools give you more detailed information on channels in use,
frequency, received power etc. (airodump-ng, inSSIDer, NetStumbler, Vistumbler).
MAC spoofing attack → it is using someone else's MAC address. It has not much to
do with wireless itself, but there is a Linux command sequence to impersonate the victim
by configuring its MAC address:
ifconfig wlan0 down
ifconfig wlan0 hw ether aa:bb:cc:dd:ee:ff
ifconfig wlan0 up
Evil Twin attack → a laptop impersonates the AP and then proxies all the traffic.
Attacks on Bluetooth are not very common, but they still exist.
These are the attack types:
- BLUEJACKING, sending a message over Bluetooth and gaining info from the
response;
- BLUESNIFF, “watching the air” for Bluetooth data;
- BLUESNARF, stealing info from a device through Bluetooth;
- BLUESMACKING, DoS by sending random packets.
Tools:
15.6 Wireless Attack Defense
- Scan the air for APs (don’t forget you have neighbours!)
- Providers often offer Rogue AP detection capabilities
- Change SSID from the default one and remember this is not a password
- Change username/password from the default
- Use WPA2 and not WEP
- IPsec for data encryption
Lesson 16: IDS, Firewalls and Honeypots
- Determine purpose of your honeypot
- Features
Highly rated honeypot:
- HoneyBOT (Windows-based)
- LaBrea (multiple platform)
- Google Hack Honeypot (multiple platforms, protects against social engineering
attacks)
- Kojoney (multiple platform, written in Python)
- CONPOT (multiple platform, Python-based)
- too many open ports = suspicious.
You should be aware of how different honeypot software works, use detection tools
(Nessus or check lists of proxies) and look for unusual responses.
Lesson 17: Cloud Computing
One of the most popular cloud computing platforms is Amazon Web Services.
Other providers:
- Microsoft Azure
- Google Compute Engine
- IBM Cloud
- DigitalOcean
- VMware vCloud
17.3 Detection
How does an attacker know if the target is hosted in a public cloud?
- DNS names can reveal use of a public cloud
- IP Addresses for cloud providers will be registered (use ARIN to gather info)
Lesson 18: Cryptography
18.2 Algorithms
Cryptographic algorithms use complex mathematics, where the main goal is a
good cipher for encryption and decryption. A block cipher works on blocks (or chunks)
of data, while a stream cipher operates on a stream of data.
18.3 Tools
Advanced Encryption Package 2016 is a good tool for encryption.
In Linux, you can generate a hash of content using the md5sum, sha1sum and sha256sum
commands.
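The folder and file scanners listed under 7.5 (Tripwire, FCIV, WinMD5 and the like) and the md5sum/sha256sum commands above do the same job: hash files and compare against a trusted baseline. The added Python example below (mine, not the course's) implements that loop for both passages: build a SHA-256 baseline of a directory tree, store it in the two-space line format sha256sum emits, and later report what was modified, added or removed. The directory layout and file contents in demo() are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large files need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(baseline, manifest):
    """Same line format as sha256sum(1): '<hex>  <path>', so `sha256sum -c` can read it."""
    with open(manifest, "w") as fh:
        for name, hexdigest in sorted(baseline.items()):
            fh.write(f"{hexdigest}  {name}\n")


def read_manifest(manifest):
    baseline = {}
    with open(manifest) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line:
                hexdigest, name = line.split(None, 1)
                baseline[name] = hexdigest
    return baseline


def compare_baseline(baseline, current):
    """Report files whose hash changed, files not in the baseline, and files that vanished."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: take a baseline, then tamper with, add and delete files."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "motd").write_bytes(b"authorised users only\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")

        manifest = Path(store) / "baseline.sha256"
        write_manifest(build_baseline(root), manifest)  # kept outside the monitored tree

        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced binary")  # tampered
        (root / "bin" / ".hidden").write_bytes(b"new file")            # added
        (root / "etc" / "motd").unlink()                                # removed

        return compare_baseline(read_manifest(manifest), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The manifest must live somewhere the monitored host cannot silently rewrite (read-only media or another system), otherwise an intruder who replaces a binary simply updates the stored hash as well.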
Other tools:
18.4 Public Key Infrastructure
The goal of PKI is to create and manage certificates used for authentication.
The PKI components are:
- Certification Authority → it’s the certificate issuer;
- Registration Authority → accept the certificate request and validate identity of
requester;
- Certificate → CA issued, authenticity validated. It’s tied to a private/public key
pair;
- Users → the certificate holders.