CEH Practical Notes
Module 02: Enumeration
    ping www.moviescope.com -f -l 1500 -> Determining the frame size
    tracert www.moviescope.com -> Determining hop count
Enumeration using Metasploit:
    msfdb init
    service postgresql start
    msf > db_status
    nmap -Pn -sS -A -oX Test
    db_import Test
    hosts -> To show all available hosts in the subnet
    db_nmap -sS -A -> To extract the services of a particular machine
    services -> To get all available services in a subnet
SMB Version Enumeration using MSF
    use scanner/smb/smb_version
    set RHOSTS
    set THREADS 100
    hosts -> The os_flavor column now shows the exact OS information
Module 03: Scanning Networks
    Port scanning using hping3: hping3 --scan 1-3000 -S -> --scan defines the port range to scan and -S sets the SYN flag.
    Pinging the target using hping3: hping3 -c 3 -> -c 3 means only three packets are sent to the target machine.
    UDP packet crafting: hping3 --udp --rand-source --data 500
    TCP SYN request: hping3 -S -p 80 -c 5
    -S performs a TCP SYN request on the target machine, -p sets the destination port the traffic is sent to, and -c is the count of packets sent to the target machine.
    hping3 flood: hping3 --flood
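Added example, not part of these notes: a small Python detector for the two traffic patterns the hping3 commands above produce, a SYN sweep across a port range and a SYN flood against one port, run over constructed connection-log lines. The log format, thresholds and addresses are assumptions made for the demo.

```python
# Added example (not from the CEH notes): flag sources whose bare SYN traffic
# looks like a port sweep (--scan 1-3000 -S) or a SYN flood (--flood).
from collections import defaultdict

# Constructed connection-log lines: "<epoch> <src> <dst> <dport> <tcp flags>"
SAMPLE_LOG = "\n".join(
    # 10.0.0.5: one SYN to each of 100 consecutive ports (port sweep)
    [f"1700000000.{i:03d} 10.0.0.5 10.0.0.20 {p} S" for i, p in enumerate(range(20, 120))]
    # 10.0.0.7: 300 SYNs to port 80 in well under a second (flood)
    + [f"1700000001.{i:03d} 10.0.0.7 10.0.0.20 80 S" for i in range(300)]
    # 10.0.0.9: an ordinary handshake start, SYN then ACK, to one port
    + ["1700000002.000 10.0.0.9 10.0.0.20 443 S", "1700000002.010 10.0.0.9 10.0.0.20 443 A"]
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport, flags) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        yield float(ts), src, dst, int(dport), flags


def detect(text, scan_ports=50, flood_syns=100, window=1.0):
    """Return {src: [alert, ...]} for sources whose SYN-only packets hit at
    least scan_ports distinct dst:port pairs (sweep) or send more than
    flood_syns SYNs to one dst:port inside a window-second bucket (flood)."""
    targets_by_src = defaultdict(set)
    syns_per_bucket = defaultdict(int)  # (src, dst, dport, bucket) -> count
    for ts, src, dst, dport, flags in parse_log(text):
        if flags != "S":  # only bare SYNs matter for both patterns
            continue
        targets_by_src[src].add((dst, dport))
        syns_per_bucket[(src, dst, dport, int(ts // window))] += 1
    alerts = defaultdict(list)
    for src, targets in targets_by_src.items():
        if len(targets) >= scan_ports:
            alerts[src].append("syn_scan")
    for (src, _dst, _dport, _bucket), n in syns_per_bucket.items():
        if n > flood_syns and "syn_flood" not in alerts[src]:
            alerts[src].append("syn_flood")
    return dict(alerts)


if __name__ == "__main__":
    for src, kinds in sorted(detect(SAMPLE_LOG).items()):
        print(src, ", ".join(kinds))
```

The thresholds are deliberately coarse; on real logs they should be tuned per segment, and the bucket approach misses floods that straddle a bucket boundary, which a sliding window would catch.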
Module 04: Enumeration
SNMP Enumeration (161):
    nmap -sU -p 161
    nmap -sU -p 161 --script=snmp-brute
    use auxiliary/scanner/snmp/snmp_login
    set RHOSTS and exploit
    use auxiliary/scanner/snmp/snmp_enum
    set RHOSTS and exploit
NetBIOS Enumeration (139):
    nbtstat -A
    net use
    net use \\e "" /user:"" -> Null session (empty username and password)
    NetBIOS Enumerator
Enum4linux Windows Enumeration:
    enum4linux -u martin -p apple -U -> Users Enumeration
    enum4linux -u martin -p apple -o -> OS Enumeration
    enum4linux -u martin -p apple -P -> Password Policy Information
    enum4linux -u martin -p apple -G -> Groups Information
    enum4linux -u martin -p apple -S -> Share Policy Information (SMB Shares Enumeration)
Active Directory LDAP Enumeration : ADExplorer
Module 05: Vulnerability Analysis
    nikto -h http://www.goodshopping.com -Tuning 1
    Nessus runs on https://localhost:8834
      Username: admin
      Password: password
    Nessus -> Policies > Advanced scan
    Discovery > Host Discovery > Turn off Ping the remote host
    Port Scanning > check the Verify open TCP ports found by local port enumerators
      Max number of TCP sessions per host = unlimited
      Max number of TCP sessions per scan = unlimited
    Credentials > Windows > Username & Password
    Save policy > Create new scan > User Defined
    Enter name & Target
    Schedule tab > Turn off Enabled
    Choose Launch from the Save drop-down.
Module 06: System Hacking
NTLM Hash crack:
    responder -I eth0
    /usr/share/responder/logs -> Responder log location
    john /usr/share/responder/logs/ntlm.txt
Rainbow table crack using Winrtgen:
    Open winrtgen and add new table
    Select ntlm from Hash dropdown list.
    Set Min Len as 4, Max Len as 6 and Chain Count 4000000
    Select loweralpha from Charset dropdown list (it depends upon Password).
    Use rcrack_gui.exe to crack the hash with the generated rainbow table
Hash dump with Pwdump7 and crack with ophcrack:
    wmic useraccount get name,sid -> Get user account names and SIDs
    PwDump7.exe > c:\hashes.txt
    Replace boxes in hashes.txt with relevant usernames from step 1.
    Ophcrack.exe -> load -> PWDUMP File
    Tables -> Vista free -> select the table directory -> crack
Module 08: Sniffing
    http.request.method == "POST" -> Wireshark filter for HTTP POST requests
    Capture traffic from a remote interface via Wireshark
      Capture > Options > Manage Interfaces
      Remote Interface > Add > Host & Port (2002)
      Username & password > Start
Module 13: Hacking Web Servers
    FTP brute force with Hydra
      hydra -L /root/Desktop/Wordlists/Usernames.txt -P /root/Desktop/Wordlists/Passwords.txt
Module 14: Hacking Web Applications
    wpscan --url --enumerate u
    WP password brute force
      use auxiliary/scanner/http/wordpress_login_enum
      ping | hostname | net user
Module 15: SQL Injection