[ CEH Training ] :: [ Day 7 ]

This entry is part 9 of 10 in the series [ Certified Ethical Hacker Training ]
Chapter 15

Wifi cracking

BSSID, SSID, ESSID

WEP cracking with Kali: p. 420

WPS cracking with Kali

Chapter 16

Mobile pentesting

Applications and tools

Chapter 17

Evasion, firewalking, honeypots

Exercises

  • Firewalking with Kali: p. 472
  • Nmap with the Firewalk script
  • Fragmentation with Nmap

Tools

Aircrack-ng

nmap

firewalk

[ CEH Training ] :: [ Day 6 ]

This entry is part 8 of 10 in the series [ Certified Ethical Hacker Training ]
Chapter 13

Web server vulnerabilities and exploits

DDoS

SYN flooding

Banner grabbing

XSS

Wikto: a website vulnerability tool:
http://sectools.org/tool/wikto/

Tools

Burp Suite

“Brute Force a Website Login Page with Burp Suite”:
https://www.youtube.com/watch?v=25cazx5D_vw

“Brute force attack (form, ssh, ftp) using burp suite and hydra”:
https://www.youtube.com/watch?v=y3Oh54BUN0U

“Brute Force Router Password using BurpSuite”:
https://www.youtube.com/watch?v=gSVM65_pLfA

Chapter 14

SQL injection

“SQL Injection with Burp Suite and Sqlmap”:
https://www.youtube.com/watch?v=2C2G6P9xrGQ

Cheat sheet:
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

OWASP guide:
https://www.owasp.org/index.php/SQL_Injection

Dumping a complete database:
http://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/


[ CEH Training ] :: [ Day 3 ]

This entry is part 5 of 10 in the series [ Certified Ethical Hacker Training ]
Chapter 7: System Hacking

Stage 4 of a hack: Exploitation

Cracking for Fun and System Penetration

Hash-cracking communities:
https://hashes.org/crackers.php

Password dictionaries:
https://wiki.skullsecurity.org/Passwords

I will supply you with several wordlists and hash lists.

John the Ripper

Kali’s built-in wordlists: /usr/share/wordlists/rockyou.txt.gz etc.

“How to crack passwords using john the ripper in kali linux”
https://www.youtube.com/watch?v=eAn8dYdn1eY

Exercises

  • Create a simple text file with a hashed password (which is “password”):
echo -n "password" | md5sum | tr -d " -" >> /root/testhash.txt

Now use the RockYou wordlist to crack the password. John reads only uncompressed wordlists, and the dictionary must be passed with --wordlist= (a bare file name is taken to be another hash file), so:

gunzip /usr/share/wordlists/rockyou.txt.gz
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt /root/testhash.txt
john --format=raw-md5 --show /root/testhash.txt

Hashcat

Requires 4 arguments:

-m or --hash-type (use --help to list hash types; use -m 1000 for Windows NT/NTLM hashes)
Example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes

-a or --attack-mode (dictionary, combinator, brute-force/mask; use -a 0 for a dictionary attack)

[filename|hash] (hashes to crack, e.g. ./hashes/ntlm.txt; you can also supply a single hash directly)

[dictionary|mask|directory] (a wordlist, mask or directory containing wordlist(s), e.g. rockyou.txt)

See this really excellent step-by-step example:
http://www.adeptus-mechanicus.com/codex/crkpass/crkpass.php

“HOW TO CRACK MD5 HASHES USING HASHCAT”:
https://www.4armed.com/blog/hashcat-crack-md5-hashes/

Exercise: Dictionary Attack

  • Hashcat does not read compressed wordlists, so unzip Kali’s supplied RockYou wordlist, /usr/share/wordlists/rockyou.txt.gz, if you have not already done so:
gunzip /usr/share/wordlists/rockyou.txt.gz

I will supply you with a hash file called win.hash. In your (root’s) home directory (/root), create a folder called hashlists and place the file inside it.

  • Now run hashcat to crack these hashes, using the RockYou wordlist:
hashcat -m 1000 -a 0 --force ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Cracked hashes go into hashcat.potfile in the user’s home directory, in a folder named .hashcat.

Exercise: Rule Set Permutations

Rule sets generate permutations of every dictionary word, for example appending digits to turn “Airplane” into “Airplane1” through “Airplane59”.

For deep details see this page:
https://www.4armed.com/blog/hashcat-rule-based-attack/

Rule Set rules are in /usr/share/hashcat/rules/, for example the best64.rule rule list.

  • Use this command to crack the hashes in win.hash, running every RockYou word through the best64 rule set (-r names the rule file):
hashcat -m 1000 -a 0 --force -r /usr/share/hashcat/rules/best64.rule ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Then list everything cracked so far; --show only reads the potfile and does not attack anything:
hashcat -m 1000 --show ./hashlists/win.hash

Exercise: Mask Attack

See this explanation straight from the Hashcat people:
https://hashcat.net/wiki/doku.php?id=mask_attack

And see this page for examples (halfway down the page):
https://www.4armed.com/blog/perform-mask-attack-hashcat/

You will need at least these options for hashcat: the hash type, attack mode 3, the hash file and the mask (recent hashcat versions can auto-detect the hash type, but giving -m explicitly avoids surprises):

hashcat -m hash-type -a 3 hash-file mask

For instance:

hashcat -m 0 -a 3 hash.file ?a?a?a

?d Digit (repeat 5 times for 5 places)

?l lowercase letter

?u uppercase letter

?s special char

?a all character sets

For example, look for all three-character passwords (testhash.txt holds a raw MD5 hash, so the type is -m 0; -m 1000 is for the NTLM hashes in win.hash):

hashcat -m 0 -a 3 ./testhash.txt ?a?a?a

With the full ?a set (95 characters per position), up to 7 chars is reasonable, 8 takes days, 9 takes years (on generic hardware).

  • What would the command be to look for all five-character passwords?

Exercise: Combinator Attacks

Use two wordlists, or the same wordlist twice, and try every left-hand word followed by every right-hand word (testhash.txt is raw MD5, hence -m 0):

hashcat -m 0 -a 1 ./testhash.txt [wordlist1] [wordlist2]
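The dictionary, rule-set, mask and combinator exercises above all come down to the same loop: generate candidates, hash each one, compare against the hash list. The Python below is an added example for these notes (not hashcat code and not part of the course materials) that re-creates the four attack modes against raw MD5 hashes, the -m 0 type the md5sum command in the John the Ripper exercise produces, so you can see where each mode's candidates come from and how a mask's keyspace grows. The hash list, wordlist and rule fragments are constructed for the demo, and the 1e9 hashes/second figure used in the keyspace estimate is an assumed round number, not a measurement.

```python
"""Minimal re-creation of the hashcat attack modes used in these exercises, against
raw MD5 (-m 0): dictionary (-a 0), dictionary plus rules (-a 0 -r), mask (-a 3) and
combinator (-a 1). Added example for these notes, not hashcat code; all data is constructed."""
import hashlib
import itertools
import math

# hashcat's built-in mask charsets; ?a is all four together (95 characters)
CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def md5_hex(word):
    """-m 0: the same digest `echo -n word | md5sum` prints."""
    return hashlib.md5(word.encode()).hexdigest()


def crack(candidates, targets):
    """Hash each candidate, look it up in the target set, stop when none remain."""
    remaining, found = set(targets), {}
    for word in candidates:
        if not remaining:
            break
        digest = md5_hex(word)
        if digest in remaining:
            found[digest] = word
            remaining.remove(digest)
    return found


# Single-character rule functions: no-op, lower, upper, capitalize, reverse,
# delete last, delete first (a small subset of hashcat's rule language).
SIMPLE_RULES = {":": lambda w: w, "l": str.lower, "u": str.upper,
                "c": str.capitalize, "r": lambda w: w[::-1],
                "]": lambda w: w[:-1], "[": lambda w: w[1:]}


def apply_rule(word, rule):
    """Apply one hashcat-style rule line (space-separated functions) to a word."""
    for fn in rule.split():
        if fn in SIMPLE_RULES:
            word = SIMPLE_RULES[fn](word)
        elif fn[0] == "$":            # $X: append the character X
            word = word + fn[1:]
        elif fn[0] == "^":            # ^X: prepend the character X
            word = fn[1:] + word
        else:
            raise ValueError("unsupported rule function: " + fn)
    return word


def with_rules(wordlist, rules):
    """-a 0 -r: every rule applied to every word (words x rules candidates)."""
    return (apply_rule(w, r) for w in wordlist for r in rules)


def parse_mask(mask):
    """'?u?l?d?d' -> one charset per position; a char not after '?' is a literal."""
    positions, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" else 1
        positions.append(CHARSETS[mask[i + 1]] if step == 2 else mask[i])
        i += step
    return positions


def mask_candidates(mask):
    """-a 3: walk the entire keyspace the mask describes."""
    return ("".join(c) for c in itertools.product(*parse_mask(mask)))


def keyspace(mask):
    """Candidates a mask generates: the product of the per-position charset sizes."""
    return math.prod(len(p) for p in parse_mask(mask))


def combinator(left, right):
    """-a 1: every left-list word followed by every right-list word."""
    return (a + b for a in left for b in right)


def potfile_lines(found):
    """hashcat.potfile layout, hash:plaintext per line (what --show prints)."""
    return [h + ":" + p for h, p in found.items()]


# Constructed hash list: the md5sum exercise hash of "password" plus three more,
# each chosen to fall to a different attack mode.
TARGETS = [
    "5f4dcc3b5aa765d61d8327deb882cf99",   # "password"   -> plain dictionary
    md5_hex("Summer2019"),                 # "summer" + rule "c $2 $0 $1 $9"
    md5_hex("Ab12"),                       # mask ?u?l?d?d
    md5_hex("sunshine"),                   # combinator "sun" + "shine"
]
WORDLIST = ["123456", "password", "summer", "sun", "shine", "iloveyou"]
RULES = [":", "c $2 $0 $1 $9", "$1 $2 $3", "u"]   # best64.rule-style fragments


def run_demo():
    """Run each mode against TARGETS; returns {mode: {hash: plaintext}}."""
    return {
        "dictionary": crack(WORDLIST, TARGETS),
        "rules": crack(with_rules(WORDLIST, RULES), TARGETS),
        "mask": crack(mask_candidates("?u?l?d?d"), TARGETS),
        "combinator": crack(combinator(WORDLIST, WORDLIST), TARGETS),
    }


if __name__ == "__main__":
    print({mode: potfile_lines(f) for mode, f in run_demo().items()})
    for n in (7, 8, 9):   # full ?a keyspace at an assumed 1e9 hashes/s, in days
        print(n, "chars:", keyspace("?a" * n) / 1e9 / 86400, "days")
```

Run it with python3. Each mode reports hash:plaintext pairs in the same layout as hashcat.potfile, and the loop at the end reproduces the 7/8/9-character rule of thumb: at the assumed rate 95^7 fits in a day, 95^8 runs to weeks and 95^9 to decades. The demo mask is kept to four positions so the whole keyspace is covered in well under a second; swap in "?a?a?a" to feel the difference.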

The LinkedIn hashdump and more instructions:
http://adeptus-mechanicus.com/codex/linkhap/linkhap.php

https://www.unix-ninja.com/p/Exploiting_masks_in_Hashcat_for_fun_and_profit

[ CEH Training ] :: [ Day 2 ]

This entry is part 4 of 10 in the series [ Certified Ethical Hacker Training ]

Cryptography: A Starter Lesson

Symmetric, asymmetric, signatures etc.

Stage 1 of a Hack: Footprinting (formerly “Reconnaissance”)

Chapter 4
  • “Phone book” information
  • Employee names and info
  • Company/facility info
  • IP address ranges
  • Job information

Google Hacking and Google Dorking p.108 ff.

Open Source Intelligence: OSINT

Tools:

Google: Advanced Search Operators

The Google Hacking Database

Archive.org (The Wayback Machine)

Netcraft

Email tools

Competitive intelligence (COMPINT) tools

Command line:

nslookup

dig

whois

p0f

Maltego, of course

Stage 2 of a Hack: Scanning

  • Pings and ping sweeps
  • Port scanning
  • traceroute
Chapter 5

Port scans

Network scans

Vulnerability scans

TCP and UDP scans

nmap – https://nmap.org/, http://scanme.nmap.org/

NBname vulnerability and exploit:
http://www.cultdeadcow.com/tools/nbname.html

Videos:

“Nmap Tutorial for Beginners – 1”
https://www.youtube.com/watch?v=5MTZdN9TEO4

Note the switches: -A, -v

-> Perform the lookup exercise starting at 6:30 in the video.

“Nmap Tutorial For Beginners – 2”
https://www.youtube.com/watch?v=VFJLMOk6daQ

“Nmap Tutorial For Beginners – 3”
https://www.youtube.com/watch?v=OUQkCAHdX_g

-> Practice with the following:

-F

-sV

--open

Grep-able output:

nmap -oG - 192.168.1.0-255 -vv > results.txt
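The -oG output from the command above is meant to be cut up with grep and awk, but its structure (one Host: line per fact, tab-separated Key: value fields, and a Ports field of slash-delimited port/state/protocol/owner/service/rpc-info/version entries) also parses cleanly in a few lines. The Python below is an added example for these notes, not nmap's code; SAMPLE is a constructed grepable-output listing written to resemble a -sV scan of a small LAN (hosts, services and versions are invented), not a real capture.

```python
"""Parser for nmap's grepable (-oG) output format. Added example for these notes,
not nmap code; SAMPLE is a constructed listing, not a real scan."""
import re

# Constructed -oG output, shaped like what a -sV scan of a small LAN produces.
SAMPLE = """\
# Nmap 7.70 scan initiated Tue Jun  5 10:00:00 2018 as: nmap -oG - -sV -vv 192.168.1.0-255
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain//dnsmasq 2.78/, 80/open/tcp//http//lighttpd/\tIgnored State: closed (998)
Host: 192.168.1.10 (fileserver.lan)\tStatus: Up
Host: 192.168.1.10 (fileserver.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//microsoft-ds//Samba smbd 4.7.1/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
Host: 192.168.1.20 ()\tStatus: Down
# Nmap done at Tue Jun  5 10:00:12 2018 -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# Sub-fields of one Ports entry, in the order nmap writes them.
PORT_FIELDS = ("port", "state", "protocol", "owner", "service", "rpc_info", "version")


def parse_ports(value):
    """'22/open/tcp//ssh//OpenSSH 7.4/, 80/...' -> one dict per port."""
    ports = []
    for entry in value.split(", "):
        parts = entry.split("/")        # seven fields plus a trailing empty one
        rec = dict(zip(PORT_FIELDS, parts[:7]))
        rec["port"] = int(rec["port"])
        ports.append(rec)
    return ports


def parse_grepable(text):
    """{ip: {"hostname", "status", "ports", "ignored"}} built from every Host: line."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                    # skip the '# Nmap ...' comment lines
        fields = dict(f.partition(": ")[::2] for f in line.split("\t"))
        ip, hostname = re.fullmatch(r"(\S+) \((.*)\)", fields["Host"]).groups()
        host = hosts.setdefault(ip, {"hostname": hostname or None, "status": None,
                                     "ports": [], "ignored": None})
        if "Status" in fields:
            host["status"] = fields["Status"]
        if "Ports" in fields:
            host["ports"].extend(parse_ports(fields["Ports"]))
        if "Ignored State" in fields:
            host["ignored"] = fields["Ignored State"]
    return hosts


def open_ports(hosts, protocol="tcp"):
    """The usual grep/awk question: which ports are open on which host."""
    return {ip: sorted(p["port"] for p in h["ports"]
                       if p["state"] == "open" and p["protocol"] == protocol)
            for ip, h in hosts.items() if h["ports"]}


def hosts_running(hosts, needle):
    """Hosts whose -sV version string mentions needle (e.g. 'Samba')."""
    return sorted(ip for ip, h in hosts.items()
                  if any(needle in p["version"] for p in h["ports"]))


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE)
    print(open_ports(scan))
    print("Samba hosts:", hosts_running(scan, "Samba"))
```

Feed it the real results.txt from the scan above (open(...).read() in place of SAMPLE) and the version field will simply be empty unless you add -sV; the Status: Down lines only appear because the command uses -vv.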

Tools:

nmap

hping3 p. 134 ff.

Angry IP

Nessus

Nexpose

Banner grabbing

Exercises

  1. Perform nmap TCP connect (-sT), SYN (-sS), XMAS (-sX), FIN (-sF), NULL (-sN) and ACK (-sA) scans against the designated target.
  2. Perform UDP scans (-sU) against the target’s ports.
  3. Scan several hosts to perform OS fingerprinting (-O) on them.
  4. Perform banner grabbing on the target using first telnet, then netcat.
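
Exercise 4 is the one worth understanding mechanically: banner grabbing is just opening a TCP connection and reading what the service volunteers, and for protocols where the server waits for the client (HTTP) you have to send a request first, which is why telnet to port 80 seems silent until you type HEAD / HTTP/1.0. The Python below is an added example for these notes, not part of the course. To stay runnable offline it starts its own throwaway listeners on 127.0.0.1 that imitate a chatty SMTP service and an HTTP server, with invented banners, and then grabs from them the same way nc or telnet would.

```python
"""Banner grabbing by hand, the way `telnet host port` or `nc host port` does it,
plus throwaway loopback listeners so the script runs offline. Added example for
these notes; the service banners and hostnames are made up."""
import socket
import threading

# Constructed service responses (not real hosts): a greeting the server sends
# unprompted, and an HTTP reply that only comes after we send a request.
SMTP_BANNER = b"220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n"
HTTP_REPLY = (b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"
              b"Content-Length: 0\r\n\r\n")


def serve_once(banner=None, reply=None):
    """Accept one connection on a random loopback port. With a banner the
    service talks first; otherwise it waits for a request and sends reply.
    Returns the port number to connect to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
            else:
                conn.recv(4096)           # wait for the client's request
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def grab_banner(host, port, probe=None, timeout=2.0):
    """Connect, optionally send a probe, return the first bytes the service
    sends. Empty bytes means it stayed silent for `timeout` seconds."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


def server_header(http_response):
    """Pull the Server: header out of an HTTP response, or None if absent."""
    for line in http_response.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode(errors="replace")
    return None


def demo():
    """Grab both kinds of banner from the local throwaway listeners."""
    smtp_port = serve_once(banner=SMTP_BANNER)
    smtp = grab_banner("127.0.0.1", smtp_port)            # server speaks first
    http_port = serve_once(reply=HTTP_REPLY)
    http = grab_banner("127.0.0.1", http_port,            # we must speak first
                       probe=b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n")
    return smtp.decode(errors="replace").strip(), server_header(http)


if __name__ == "__main__":
    smtp, server = demo()
    print("SMTP banner:", smtp)
    print("HTTP Server header:", server)
```

Against a real target, grab_banner(target, 22) is the netcat half of the exercise and grab_banner(target, 80, probe=...) is the telnet-plus-typed-request half; anything that returns b"" is a service that wants a protocol-specific hello before it says anything, which is exactly what nmap -sV's probe database exists to supply.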
Chapter 6

Stage 3 of a hack: Enumeration

  • Users and Groups
  • Shares and other network services
  • Routing tables
  • DNS and machine names
  • Applications and  banners
  • Determining what auditing is in place

Tools

Command line in Windows and Linux

PsTools

Sparta – http://sparta.secforce.com/

https://tools.kali.org/information-gathering/sparta

OpenVAS: https://www.kali.org/news/kali-linux-20171-release/

Exercises

  1. Attempt a null session connection to the designated target.
  2. Attempt a zone transfer from the designated target.
  3. Find JXplorer. There is a practice server (that is usually up) at http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/ . Can you figure out how to connect?
  4. Perform Exercise 7.7 on page 215: Using netcat
  5. Install Sparta on Kali. Be sure to watch the two short videos. Unleash it on the designated targets.

Homework

  1. Watch or re-watch the nmap videos above.
  2. Perform several types of scans on scanme.nmap.org. Do all scans reveal the same thing?
  3. Look closely at the nmap switches. For instance, what does the -s switch always need, and always specify?
  4. Practice forming packets with hping3. Create a Ping of Death packet.