Review: EC-Council’s iLabs Platform

Glenn Norman

I’ve been trying to bring “hacker” training to UNM for over ten years without much success. Only in the past two semesters have I been able to run an Ethical Hacking class based on the CEH, but where my past efforts didn’t bring students, the CEH did.

Red Team work has long interested me, likely because years of managing high-traffic websites left me with lots of scars and an urge to fight back. There are some interesting programs: the OSCP, GIAC certifications, and the CEH probably make up the short list. I’m highly interested in the GIAC certs, but man are they expensive. The OSCP from Offensive Security is the real hardcore hacker’s cert, even if most HR people haven’t figured that out yet. The CEH, on the other hand, is widely recognized by HR but doesn’t enjoy quite the same purists’ esteem.

So I approached Jay Bavisi online, and he connected me with ECC VP Eric Lopez and ECC University VP David Oxenhandler. Eric and David met with me to talk about marketing ECC courses and materials to UNM administration, and gave me a stack of books two feet high – and an account on ECC’s online training platform, iLabs 2.0. I’ll have more to say about specific books and certs, but here I’m going to talk about iLabs itself.

By now almost every teacher has dealt with a few learning management systems (LMSs). My list includes build-it-yourself platforms like Blackboard, Moodle and WordPress LMS; ready-to-go courses on sites like Udemy and Coursera; and some great pre-built platforms for building tests and courses like Mettl and Braincert. They all have a lot in common in terms of features and interfaces: videos or scenarios to play, guided exercises, mostly textual interactions (if any) with the instructor and other students.

I’ve also been spending a lot of time on hacking sites like and HacktheBox, which are very different from the LMSs. The best of them fire up virtual machines for students to practice on, which is a lot more realistic than the guided walk-throughs most LMSs offer.

iLabs merges these two models. ECC has given me permission to share screenshots from that environment, so let’s do a walkthrough, starting from the login page.

iLabs Login
iLabs Login

I received a welcome email with instructions on setting up my account and using an Access Key to start running the course materials. My key got me into the CEHv9 course. Remember that the CEH is transitioning to version 10, so there will be some differences in the newer version.

iLabs Tab: My Training
iLabs Tab: My Training

From here I had four tabs to choose from: My Training (the current screen), My Transcript, Courses and Contact.

iLabs Tab: My Transcript
iLabs Tab: My Transcript

My Transcript showed that at the moment, I had basically completed no training (at least on this platform). No surprise. I can see this being useful once I’ve studied a few more certs.

iLabs Tab: More Courses
iLabs Tab: More Courses

The Courses tab takes us to a Course Catalog that will immediately made my mouth water: Advanced Penetration Testing, Incident Handler, Forensics Investigator. It’s a lineup that’s grown dramatically, and seems aimed directly at GIAC. Yes, I tried getting into other courses (hacker!) and that wasn’t possible, at least without making myself a nuisance instead of a guest. But now I have an appetite for more.

Going back to the Courses tab, I clicked on the Certified Ethical Hacker – CEH v9 link, and arrived at the summary page for the program.

CEH Course Activities List
CEH Course Activities List

These are the familiar sections of the CEHv9 training. Clicking the Launch button takes us to a preliminary test of our system, then lets us launch the actual test lab. Clicking the button opens a new window while our test environment is launched.

iLabs: Starting the Lab Environment
iLabs: Starting the Lab Environment

Module 1 is all about learning to use the iLabs platform, and provides a walkthrough of the interface’s features. It’s an information-intensive environment, so pay close attention at this stage. There are a couple of places on every screen that may offer tips; learning where to look helps a lot once we’re doing active work.

iLabs: Lab Orientation
iLabs: Lab Orientation

Next, in this and all Modules, comes a couple of screens of information: Objectives and the lesson Scenario.

iLabs: Module Instructions
iLabs: Module Instructions

Clicking through the Information screens takes us to the first virtual machine we’ll use, a Windows Server 2012 instance. Choose the Machines tab and click on Windows Server 2012, if it’s not already selected.

iLabs: Virtual Machine Ready
iLabs: Virtual Machine Ready

We’ll need to locate the Commands menu at the top of the screen in order to log into the VM. It’s not clearly labeled; look for the lightning bolt at the top of the scroll bar on the right. It pops open a dialog where we can send a Ctrl-Alt-Delete to get a login form.

We’ve got an amusing choice here: use the Commands menu, click Type Text, then click Type Username; or click in the Machines tab on the username; or type it into the form ourselves. Do aspiring hackers really need this much hand-holding? Probably not, but this feature is also likely just an element of the LMS. Choose a method, and enter the username and password.

The next screen comes up every time we open this VM, which is just a result of starting an absolutely fresh installation. Obviously we don’t need to set up the whole server, so simply cancel the dialog.

iLabs: Server Setup
iLabs: Server Setup

Notice that the bottom of the VM’s screen is cut off on my 15″ laptop monitor (1366×768). Checking the available resolutions, I found it’s already at its lowest option, 1024×768. While this isn’t a big deal, it is a bit annoying to have to scroll to see everything. I couldn’t find a setting to resize the VM window, but the interface is complex enough that I may have missed it. (Let me know below if you find it.)

iLabs: Starting Firefox
iLabs: Starting Firefox

Next comes opening Firefox. This requires telling Firefox that we don’t want to update to the latest version. Why? Because the VM is running an older version that supports the outdated Firebug plugin. I expect that the version 10 course will use a newer utility that works in current versions of Firefox (as I mentioned, this is the now-retired version 9).

Note the instructions in the blue box at the bottom of the screen, which direct us to enter the target website’s URL (which is not an actual online domain).


Once we’re on the Moviescope site, open the Firebug console. Firebug, by the way, has since merged into the Firefox Developer Tools. In the lab, some Firebug features won’t work, but clicking through the interface tabs does for the most part. And of course the functions Firebug offered are still available in Firefox, so in real life you don’t have to stick to an old version of the browser.

iLabs: Firebug Error
iLabs: Firebug Error

The instructions steer us to the HTML inspector in Firesheep, and into the scripts present on the page.

iLabs: The Debugging Environment
iLabs: The Debugging Environment

Click to expand one of the scripts and it gives up its code.

iLabs: Moviescope Javascripts
iLabs: Moviescope Javascripts

After taking this quick look at the scripts the lab points out that these visible scripts are ripe for the plucking. Then the Module starts us into another software installation.

CEH Tools
CEH Tools

The CEH has a heavy concentration in hacking tools, and candidates are expected to be familiar with the functions of quite a few of them. This is where this LMS shines: we get to set up, run and see the output of these tools on a live VM system. When I studied for the CEH, everything I worked with was text and slideshows. I’m a geek and an instructor, so I went out and got, installed and tried out every tool that was mentioned (this took a LONG time), so it’s nice to see that this course puts the tools right in my hands.

Drive E: has a tasty little stash of software we’ll be using. In this case, we’re steered to the Web Data extractor, which we install and run.

Web Data Extractor
Web Data Extractor

“Web Data Extractor Pro is a web scraping tool specifically designed for mass-gathering of various data types. It can harvest URLs, phone and fax numbers, email addresses, as well as meta tag information and body text. Special feature of WDE Pro is custom extraction of structured data.” –

Our target web site is small, so the scan completes quickly. When it’s done it lets us know.

Web Data Extractor - scan complete
Web Data Extractor – scan complete

Now we can dig through the results, which are excellent for Reconnaissance-stage hacking: one scan saves us the trouble of digging around for the target’s email addresses, phone numbers etc.

Web Data Extractor - scan results
Web Data Extractor – scan results

After some discussion, we’re led to another installation, this time of the WinHTTrack Website Copier.

iLabs: Installing WinHTTrack Website Copier
iLabs: Installing WinHTTrack Website Copier

“HTTrack … allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site’s relative link-structure. Simply open a page of the “mirrored” website in your browser, and you can browse the site from link to link, as if you were viewing it online.” –

iLabs: Starting WinHTTrack Website Copier
iLabs: Starting WinHTTrack Website Copier

Once we’ve chosen a project name, we can review the configuration.

iLabs: Configuring WinHTTrack Website Copier
iLabs: Configuring WinHTTrack Website Copier

So bang, click OK and turn it loose. When it’s done it’s not completely clear what you’re supposed to do. From the Index of Projects page, click on the only one: our Test Project

iLabs: Scan Results WinHTTrack Website Copier
iLabs: Scan Results WinHTTrack Website Copier

Now we can click through pages and examine code without waiting for the live site to load them for us.

iLabs: Examining the Copied Site
iLabs: Examining the Copied Site

After some discussion and examination, we’re shown out the door to this Module and back to our summary screen: Status Complete. From here we can scroll down and launch Module 2, Scanning Networks. We can’t, however, skip ahead. We’ll have to run the Modules in order. After doing each one, we can go back and review.

iLabs: Post-Module Summary
iLabs: Post-Module Summary

This is only the top of the page…

iLabs: 17 Modules
iLabs: 17 Modules

…there are a total of 17 Modules to work through. Most of them run between a half hour and 1.5 hours.

iLabs: CEHv9 Module 2
iLabs: CEHv9 Module 2

Going forward, we get to use more real VMs, not just Server 2012. Module 2 takes us straight into doing network scans in Kali (oh fun!). We’re not playing with a simulation, either. This is live practice on real machines.

Learn On Demand Systems
Learn On Demand Systems

By now it should be pretty clear that I really like the environment. If ECC had built it themselves I’d be amazed, because it’s such a large-scale project. Fortunately they did what any smart IT person does, namely finding the best and latest tech that currently exists. (You don’t try to re-create YouTube when you want to stream videos, do you?)

The ECC iLabs system is an instance of the Learn On Demand Systems ( environment. They bill their product as “Experiential Learning Solutions,” and the name fits. This LMS isn’t just boring slide shows and droning videos; it’s real hands-on practice.

I should point out that iLabs is just one part of an ECC training course. ECC also provides a huge stack of printed material for the CEH and their other courses. But I’ll review that in another article and tie this review up for now.

Let me end by suggesting that this is a whole new game for the Certified Ethical Hacker credential. ECC has put huge work into updating the cert, as I’ve seen from brief looks at v10 materials. And the CEH is the pen testing/auditing cert that’s most recognized, and most requested, by the recruiters who are looking for my students. I feel pretty good about the prospects for bringing this cert to UNM, and attracting both current CS/MIS students and adult professionals. You’ll hear how it works out right here. Good luck!

[ CEH Training ] :: [ Day 7 ]

This entry is part 9 of 10 in the series [ Certified Ethical Hacker Training ]
Chapter 15

Wifi cracking


WEP cracking with Kali: p. 420

WPS cracking with Kali

Chapter 16

Mobile pentesting

Applications and tools

Chapter 17

Evasion, firewall running, honeypots


  • Firewalking with Kali: p. 472
  • Nmap with the Firewalk script
  • Fragmentation with Nmap





[ CEH Training ] :: [ Day 6 ]

This entry is part 8 of 10 in the series [ Certified Ethical Hacker Training ]
Chapter 13

Web server vulnerabilities and exploits


SYN flooding

Banner grabbing


Wikto: a website vulnerability tool:


Burp Suite

“Brute Force a Website Login Page with Burp Suite”:

“Brute force attack (form, ssh, ftp) using burp suite and hydra”:

“Brute Force Router Password using BurpSuite”:

Chapter 14

SQL injection

SQL Injection with Burp Suite and Sqlmap”:

Cheat sheet:

OWASP guide:

Dumping a complete database:


[ CEH Training ] :: [ Day 3 ]

This entry is part 5 of 10 in the series [ Certified Ethical Hacker Training ]
Chapter 7: System Hacking

Stage 4 of a hack: Exploitation

Cracking for Fun and System Penetration

Hash-cracking communities:

Password dictionaries:

I will supply you with several wordlists and hash lists.

John the Ripper

Kali’s built-in wordlists: /usr/share/wordlists/rockyou.txt.gz etc.

“How to crack passwords using john the ripper in kali linux”


  • Create a simple text file with a hashed password (which is “password”):
echo -n "password" | md5sum | tr -d " -" >> /root/testhash.txt

Now use the RockYou wordlist to crack the password:

john --format=raw-md5 /usr/share/wordlists/rockyou.txt.gz /root/testhash.txt


Requires 4 arguments:

-m or –hash-type (use –help to list hash types; use -m 1000 for Windows NT hashes
Example hashes:

-a or –attack-mode (method: dictionary, brute-force; use -a 0 to use a dictionary attack)

[filename|hash] (hashes to crack, e.g. ./hashes/ntlm.txt; you can supply a single hash directly)

[dictionary|mask|directory] (A wordlist, mask or directory containing wordlist(s), e.g. rockyou.txt)

See this really excellent step-by-step example:


Exercise: Dictionary Attack

  • Hashcat doesn’t support compressed lists, so unzip Kali’s supplied RockYou wordlist,  /usr/share/wordlists/rockyou.txt.gz:
gunzip  /usr/share/wordlists/rockyou.txt.gz

I will supply you with a hash file called win.hash. In your (root’s) home directory (/root), create a folder called hashlists and place the file inside it.

  • Now run hashcat to crack these hashes, using the RockYou wordlist:
hashcat -m 1000 -a 0 --force ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Cracked hashes go into hashcat.potfile in the user’s home directory, in a folder named .hashcat.

Exercise: Rule Set Permutations

Rule Sets allow permutations like “Airplane1 to Airplane59”.

For deep details see this page:

Rule Set rules are in /usr/share/hashcat/rules/, for example the best64.rule rule list.

  • Use this command to crash the hashes in win.hash:
hashcat -m 1000 -a 0 --force --show ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Exercise: Mask Attack

See this explanation straight from the Hashcat people:

And see this page for examples (halfway down the page):

You will need at least these four options for hashcat:

hashcat-binary attack-mode hash-file mask

For instance:

hashcat -a 3 hash.file ?a?a?a

?d Digit (repeat 5 times for 5 places)

?l lowercase letter

?u uppercase letter

?s special char

?a all character sets

For example, look for all three-character passwords:

hashcat -m 1000 -a 3 ./testhash.txt ?a?a?a

Up to 7 chars is reasonable, 8 takes days, 9 takes years (on generic hardware).

  • What would the command be to look for all five-character passwords?

Exercise: Combinator Attacks

Use two wordlists, or the same wordlist twice, and try all possible combinations:

hashcat -m 1000 -a 1 ./testhash.txt [wordlist1] [wordlist2]

The LinkedIn hashdump and more instructions: