[ CEH Training ] :: [ Day 3 ]

Chapter 7: System Hacking

Stage 4 of a hack: Exploitation

Cracking for Fun and System Penetration

Hash-cracking communities:
https://hashes.org/crackers.php

Password dictionaries:
https://wiki.skullsecurity.org/Passwords

I will supply you with several wordlists and hash lists.

John the Ripper

Kali’s built-in wordlists: /usr/share/wordlists/rockyou.txt.gz etc.

“How to crack passwords using john the ripper in kali linux”
https://www.youtube.com/watch?v=eAn8dYdn1eY

Exercises

  • Create a simple text file with a hashed password (which is “password”):
echo -n "password" | md5sum | tr -d " -" >> /root/testhash.txt

Now use the RockYou wordlist to crack the password. John takes the wordlist through the --wordlist= option (a bare second path would be read as another hash file), and the list must be unpacked first; if you already unpacked it for the Hashcat exercise below, skip the gunzip step:

gunzip /usr/share/wordlists/rockyou.txt.gz
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt /root/testhash.txt

Hashcat

Requires 4 arguments:

-m or --hash-type (use --help to list hash types; use -m 1000 for Windows NT hashes)
Example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes

-a or --attack-mode (method: dictionary, brute-force; use -a 0 for a dictionary attack)

[filename|hash] (hashes to crack, e.g. ./hashes/ntlm.txt; you can supply a single hash directly)

[dictionary|mask|directory] (A wordlist, mask or directory containing wordlist(s), e.g. rockyou.txt)

See this really excellent step-by-step example:
http://www.adeptus-mechanicus.com/codex/crkpass/crkpass.php

“HOW TO CRACK MD5 HASHES USING HASHCAT”:
https://www.4armed.com/blog/hashcat-crack-md5-hashes/

Exercise: Dictionary Attack

  • Hashcat doesn’t support compressed lists, so unzip Kali’s supplied RockYou wordlist, /usr/share/wordlists/rockyou.txt.gz:
gunzip /usr/share/wordlists/rockyou.txt.gz

I will supply you with a hash file called win.hash. In your (root’s) home directory (/root), create a folder called hashlists and place the file inside it.

  • Now run hashcat to crack these hashes, using the RockYou wordlist:
hashcat -m 1000 -a 0 --force ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Cracked hashes go into hashcat.potfile in the user’s home directory, in a folder named .hashcat.

Exercise: Rule Set Permutations

Rule Sets allow permutations like “Airplane1 to Airplane59”.

For deep details see this page:
https://www.4armed.com/blog/hashcat-rule-based-attack/

Rule Set rules are in /usr/share/hashcat/rules/, for example the best64.rule rule list.

  • Use this command to crack the hashes in win.hash, applying best64.rule to every word of the RockYou wordlist (the -r option selects the rule file):
hashcat -m 1000 -a 0 --force -r /usr/share/hashcat/rules/best64.rule ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Afterwards, --show lists what the potfile already holds for that hash list without running the attack again:
hashcat -m 1000 --show ./hashlists/win.hash

Exercise: Mask Attack

See this explanation straight from the Hashcat people:
https://hashcat.net/wiki/doku.php?id=mask_attack

And see this page for examples (halfway down the page):
https://www.4armed.com/blog/perform-mask-attack-hashcat/

You will need at least these four options for hashcat:

hashcat-binary attack-mode hash-file mask

For instance:

hashcat -a 3 hash.file ?a?a?a

?d Digit (repeat 5 times for 5 places)

?l lowercase letter

?u uppercase letter

?s special char

?a all character sets

For example, look for all three-character passwords:

hashcat -m 1000 -a 3 ./testhash.txt ?a?a?a

Up to 7 chars is reasonable, 8 takes days, 9 takes years (on generic hardware).

  • What would the command be to look for all five-character passwords?
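As an added illustration of the mask mechanics (not code from the course or from hashcat), this Python script expands a mask into one charset per position, computes the keyspace a mask generates, and brute-forces constructed three-character MD5 hashes the way the ?a?a?a example above does. The charset sizes are hashcat’s built-in ones; the sample hashes are made up for the example.

```python
import hashlib, itertools, math, string

# hashcat's built-in charsets; ?s is the space plus the 32 ASCII punctuation marks.
CHARSETS = {
    "d": string.digits,             # ?d  10 symbols
    "l": string.ascii_lowercase,    # ?l  26
    "u": string.ascii_uppercase,    # ?u  26
    "s": " " + string.punctuation,  # ?s  33
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]  # ?a  95

def parse_mask(mask: str) -> list:
    """'?u?l?l?d?d' -> one candidate charset per position. A character not
    introduced by '?' is a literal, so 'pass?d?d' only varies the last two places."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask) or mask[i + 1] not in CHARSETS:
                raise ValueError(f"bad ?-placeholder at offset {i} in {mask!r}")
            positions.append(CHARSETS[mask[i + 1]])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions

def keyspace(mask: str) -> int:
    """How many candidates the mask generates: the product of the charset sizes."""
    return math.prod(len(cs) for cs in parse_mask(mask))

def mask_attack(target_hashes, mask: str) -> dict:
    """Mimic hashcat -m 0 -a 3: MD5 every candidate, stop once every hash has fallen."""
    cracked = {}
    for combo in itertools.product(*parse_mask(mask)):
        candidate = "".join(combo)
        digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
        if digest in target_hashes:
            cracked[digest] = candidate
            if len(cracked) == len(target_hashes):
                break
    return cracked

# Constructed sample: two three-character passwords, the ?a?a?a case shown above.
SAMPLE_HASHES = {hashlib.md5(p.encode("utf-8")).hexdigest() for p in ("a1!", "Z9~")}

if __name__ == "__main__":
    for m in ("?a?a?a", "?d?d?d?d?d", "?u?l?l?l?l?d?d", "?a" * 8):
        print(f"{m:16} keyspace = {keyspace(m):,}")
    print(mask_attack(SAMPLE_HASHES, "?a?a?a"))
```

Comparing keyspace("?a?a?a") with keyspace("?a" * 8) shows why the page’s "7 chars is reasonable, 8 takes days" rule of thumb holds: every extra ?a position multiplies the work by 95.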

Exercise: Combinator Attacks

Use two wordlists, or the same wordlist twice, and try all possible combinations:

hashcat -m 1000 -a 1 ./testhash.txt [wordlist1] [wordlist2]

The LinkedIn hashdump and more instructions:
http://adeptus-mechanicus.com/codex/linkhap/linkhap.php

https://www.unix-ninja.com/p/Exploiting_masks_in_Hashcat_for_fun_and_profit

[ CEH Training ] :: [ Day 2 ]

Cryptography: A Starter Lesson

Symmetric, asymmetric, signatures etc.

Stage 1 of a Hack: Footprinting (formerly “Reconnaissance”)

Chapter 4
  • “Phone book” information
  • Employee names and info
  • Company/facility info
  • IP address ranges
  • Job information

Google Hacking and Google Dorking p.108 ff.

Open Source Intelligence: OSINT

Tools:

Google: Advanced Search Operators

The Google Hacking Database

Archive.org (The Wayback Machine)

Netcraft

Email tools

COMP INT tools

Command line:

nslookup

dig

whois

p0f

Maltego, of course

Stage 2 of a Hack: Scanning

  • Pings and ping sweeps
  • Port scanning
  • traceroute
Chapter 5

Port scans

Network scans

Vulnerability scans

TCP and UDP scans

nmap – https://nmap.org/, http://scanme.nmap.org/

NBname vulnerability and exploit:
http://www.cultdeadcow.com/tools/nbname.html

Videos:

“Nmap Tutorial for Beginners – 1”
https://www.youtube.com/watch?v=5MTZdN9TEO4

Note the switches: -A, -v

-> Perform the lookup exercise starting at 6:30 in the video.

“Nmap Tutorial For Beginners – 2”
https://www.youtube.com/watch?v=VFJLMOk6daQ

“Nmap Tutorial For Beginners – 3”
https://www.youtube.com/watch?v=OUQkCAHdX_g

-> Practice with the following:

-F

-sV

--open

Grep-able output:

nmap -oG - 192.168.1.0-255 -vv > results.txt
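The grepable format exists to be processed by scripts, so here is an added Python parser (not from the course or from nmap) that turns a results.txt produced as above into a per-host inventory of ports. The scan lines embedded in it are constructed for the example, laid out the way nmap -oG writes them (tab-separated fields, each port as port/state/protocol/owner/service/rpc info/version/).

```python
# Constructed sample of nmap -oG ("grepable") output; fields on a Host line are tab-separated
# and every Ports entry reads port/state/protocol/owner/service/rpc info/version/.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2018 as: nmap -oG - 192.168.1.0-255 -vv
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, 80/open/tcp//http//nginx/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.7 (printer.lan)\tStatus: Up
Host: 192.168.1.7 (printer.lan)\tPorts: 9100/open/tcp//jetdirect///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 00:00:09 2018 -- 256 IP addresses (2 hosts up) scanned in 9.00 seconds
"""

def parse_gnmap(text: str) -> dict:
    """Return {ip: {"name": hostname, "status": "Up"/"Down"/None, "ports": [(port, state, proto, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # '# Nmap ...' comment lines carry no host data
        fields = line.split("\t")
        ip, _, rest = fields[0][len("Host: "):].partition(" ")
        name = rest.strip("()")           # "()" when nmap found no reverse-DNS name
        entry = hosts.setdefault(ip, {"name": name, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    parts = item.split("/")   # port/state/protocol/owner/service/rpc info/version/
                    entry["ports"].append((int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts

def open_ports(hosts: dict, proto: str = "tcp") -> list:
    """(ip, port) pairs whose state is exactly 'open' ('filtered' and 'open|filtered' are excluded)."""
    return sorted((ip, port) for ip, e in hosts.items()
                  for port, state, p, _ in e["ports"] if state == "open" and p == proto)

if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, port in open_ports(inventory):
        print(f"{ip}:{port}")
```

Feed it the real results.txt (open(...).read()) to get the same inventory for the lab network; diffing two such inventories over time is the simplest way to spot a service that appeared without anyone planning it.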

Tools:

nmap

hping3 p. 134 ff.

Angry IP

Nessus

Nexpose

Banner grabbing

Exercises

  1. Perform nmap TCP, SYN, XMAS, FIN, NULL and ACK scans against the designated target.
  2. Perform UDP scans against the target’s ports.
  3. Scan several hosts to perform OS fingerprinting on them.
  4. Perform banner grabbing on the target using first telnet, then netcat.
Chapter 6

Stage 3 of a hack: Enumeration

  • Users and Groups
  • Shares and other network services
  • Routing tables
  • DNS and machine names
  • Applications and  banners
  • Determining what auditing is in place

Tools

Command line in Windows and Linux

PsTools

Sparta – http://sparta.secforce.com/

https://tools.kali.org/information-gathering/sparta

OpenVAS: https://www.kali.org/news/kali-linux-20171-release/

Exercises

  1. Attempt a null session connection to the designated target.
  2. Attempt a zone transfer from the designated target.
  3. Find JXplorer. There is a practice server (that is usually up) at http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/. Can you figure out how to connect?
  4. Perform Exercise 7.7 on page 215: Using netcat
  5. Install Sparta on Kali. Be sure to watch the two short videos. Unleash it on the designated targets.

Homework

  1. Watch or re-watch the nmap videos above.
  2. Perform several types of scans on scanme.nmap.org. Do all scans reveal the same thing?
  3. Look closely at the nmap switches. For instance, what does the -s switch always need, and always specify?
  4. Practice forming packets with hping3. Create a Ping of Death packet.

[ CEH Training ] :: [ Day 1 ]

Introductions

Short bios and description of experience

Assessment test

Some discussion of the CEH:
http://www.techexams.net/forums/ec-council-ceh-chfi/116310-passed-my-ceh-resit-some-thoughts-cert-ec-council-3.html

Chapter 1

Hacking in theory and practice

  1. Origins and definitions
  2. “Hacking as it was done in 1998”
  3. Deeper hacking methodology
  4. EC-Council’s definitions
  5. The role of contracts

Colors of Hats

Colors of Boxes

Scope, Terms of Engagement, etc.

Hackable Websites

Hackthissite.org: Take them up on this offer! A great learning site. https://www.hackthissite.org/

Root-me.org: There are challenges in several categories, and they’re quite good. There is no clear pathway through, though, so it’s up to your hackerly curiosity to explore your interests.
https://www.root-me.org/?lang=en

Shellterlabs: Work through a series of lessons to gain competencies in one area after another. The challenges are truly challenging. https://shellterlabs.com/en/

Chapter 2

TCP/IP models, important ports, proxies and firewalls

Chapter 3

Crypto

In-Class Exercise:

Maltego: activation and configuration

Official training videos: https://www.youtube.com/watch?v=sP-Pl_SRQVo&list=PLC9DB3E7C258CD215

Homework:

  1. Begin a Maltego investigation (graph) of yourself. Start with the Person object and expand outward to work information, email addresses etc. Every single particle of information you can gather about yourself, anyone else can too. While this kind of scanning is perfectly legal in many parts of the world (think about what ad agencies know about you), remember this critical hacker principle: Don’t attract unneeded attention.
  2. Take your first reading pass through Chapters 1, 2 and 3. Highlight liberally. Plan for using special markers in locations that directly discuss test topics (i.e. questions).

[ Certified Ethical Hacker Training ] :: [ Syllabus ]

 SYLLABUS

Text:

CEH v9: Certified Ethical Hacker Version 9 Study Guide 3rd Edition, by Sean-Philip Oriyano

ISBN-10: 1119252245

ISBN-13: 978-1119252245

Learning Objectives

Successful preparation to pass the EC-Council Certified Ethical Hacker exam.

Gaining a thorough familiarity with hacking tools and techniques.

Day 1

Hacking in theory and practice

Open-source intelligence research with Maltego


Tools:

Google

Command line

Maltego

Day 2

Stage 1 of a hack: Footprinting

Google Hacking and Google Dorking

Open Source Intelligence: OSINT

Stage 2 of a hack: Scanning

Tools:

Nmap

Hping3

Banner grabbing

Vulnerability scanning

Network mapping

Day 3

Stage 3 of a hack: Enumeration

Tools:

Command line in Windows and Linux

PsTools

Sparta

OpenVAS

Day 4

Stage 4 of a hack: System Hacking

Password cracking

Cracking cryptography

Tools:

HashCat and sample hash dumps

Day 5

Malware

Constructing trojans

Covert channels

Sniffing on the wire

Social engineering

DoS

Tools:

Wireshark

Sample VOIP capture

Tcpdump

Hping3

Day 6

Session hijacking

-LAN

-Online

-Wifi

Tools:

Ettercap

Cain & Abel

OWASP suite

Burp Suite

Day 7

SQL injection

Wifi cracking

Firewall running

Tools:

Hackthissite.org

Root-me.org

Aircrack-ng

Nmap