[ CEH Training ] :: [ Day 3 ]

This entry is part 5 of 10 in the series [ Certified Ethical Hacker Training ]
Chapter 7: System Hacking

Stage 4 of a hack: Exploitation

Cracking for Fun and System Penetration

Hash-cracking communities:
https://hashes.org/crackers.php

Password dictionaries:
https://wiki.skullsecurity.org/Passwords

I will supply you with several wordlists and hash lists.

John the Ripper

Kali’s built-in wordlists: /usr/share/wordlists/rockyou.txt.gz etc.

“How to crack passwords using john the ripper in kali linux”
https://www.youtube.com/watch?v=eAn8dYdn1eY

Exercises

  • Create a simple text file with a hashed password (which is “password”):
echo -n "password" | md5sum | tr -d " -" >> /root/testhash.txt

Now use the RockYou wordlist to crack the password. John reads plain-text wordlists (not the .gz file), and the wordlist is passed with --wordlist=, not as a second positional file:

gunzip /usr/share/wordlists/rockyou.txt.gz
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt /root/testhash.txt
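The following shell script is an added example, not part of the course notes and not John the Ripper's own code. It generalizes the echo | md5sum recipe above: it builds a raw-MD5 hash file from a constructed list of sample passwords and then performs the same hash-and-compare loop that john's --wordlist mode performs, so you can confirm a test hash file is well formed (one bare hex hash per line) before handing it to john. It assumes GNU coreutils (md5sum, cut, mktemp) as found on Kali; all passwords and wordlist entries are constructed sample data.

```shell
#!/bin/sh
# Added example (not course material): build a raw-MD5 test hash list from
# constructed sample passwords, then run the plain hash-and-compare loop that
# a dictionary attack is, to show what `john --format=raw-md5` does internally.
# Assumes GNU coreutils `md5sum` and `cut` (present on Kali).

# Hex MD5 of a string, without the trailing "  -" that md5sum prints.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Write one raw-MD5 hash per line for every password read on stdin.
make_hash_file() {
    out="$1"
    : > "$out"
    while IFS= read -r pw; do
        md5_of "$pw" >> "$out"
    done
}

# Dictionary check: hash each wordlist candidate and look it up in the hash
# file. Prints "hash:plain" for every match, the same shape as a potfile line.
dict_check() {
    hashfile="$1"; wordlist="$2"
    while IFS= read -r cand; do
        h=$(md5_of "$cand")
        if grep -qx "$h" "$hashfile"; then
            printf '%s:%s\n' "$h" "$cand"
        fi
    done < "$wordlist"
}

# Number of hashes in the hash file recovered by the wordlist.
count_cracked() {
    dict_check "$1" "$2" | wc -l | tr -d ' '
}

# Demo on constructed data: three sample "user" passwords, a four-word list.
work=$(mktemp -d)
printf '%s\n' password letmein Tr0ub4dor3 | make_hash_file "$work/testhash.txt"
printf '%s\n' 123456 password qwerty letmein > "$work/words.txt"
echo "hashes in file: $(wc -l < "$work/testhash.txt" | tr -d ' ')"
dict_check "$work/testhash.txt" "$work/words.txt"
echo "recovered: $(count_cracked "$work/testhash.txt" "$work/words.txt") (Tr0ub4dor3 is not in the list, so it stays uncracked)"
rm -rf "$work"
```

The third sample password is deliberately absent from the constructed wordlist: a dictionary attack only ever finds what the list contains, which is the whole argument for the rule and mask modes covered below.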

Hashcat

Requires 4 arguments:

-m or --hash-type (use --help to list hash types; use -m 1000 for Windows NT (NTLM) hashes)
Example hashes: https://hashcat.net/wiki/doku.php?id=example_hashes

-a or --attack-mode (method: dictionary, brute-force; use -a 0 to use a dictionary attack)

[filename|hash] (hashes to crack, e.g. ./hashes/ntlm.txt; you can supply a single hash directly)

[dictionary|mask|directory] (A wordlist, mask or directory containing wordlist(s), e.g. rockyou.txt)

See this really excellent step-by-step example:
http://www.adeptus-mechanicus.com/codex/crkpass/crkpass.php

“HOW TO CRACK MD5 HASHES USING HASHCAT”:
https://www.4armed.com/blog/hashcat-crack-md5-hashes/

Exercise: Dictionary Attack

  • Hashcat doesn’t support compressed lists, so unzip Kali’s supplied RockYou wordlist, /usr/share/wordlists/rockyou.txt.gz:
gunzip /usr/share/wordlists/rockyou.txt.gz

I will supply you with a hash file called win.hash. In your (root’s) home directory (/root), create a folder called hashlists and place the file inside it.

  • Now run hashcat to crack these hashes, using the RockYou wordlist:
hashcat -m 1000 -a 0 --force ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Cracked hashes go into hashcat.potfile in a folder named .hashcat in the user’s home directory (~/.hashcat/hashcat.potfile), one hash:plaintext pair per line.
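Added example, not part of the course notes or of hashcat: two shell functions that report on a cracking run from the potfile the way a password audit does, without copying plaintexts anywhere. They assume the hash file holds one NTLM hash per line (hashcat -m 1000 input, as win.hash is used above) and that the potfile uses hashcat's hash:plain line format, with the plaintext written as $HEX[...] when hashcat cannot print it verbatim. The hashes and potfile lines in the demo are constructed placeholders, not real cracked material.

```shell
#!/bin/sh
# Added example (not course material, not hashcat's code): summarise a
# hashcat run from its potfile for an audit report.
# Assumptions: hash file = one NTLM hash per line; potfile = "hash:plain"
# lines, with plain written as $HEX[..] when hashcat cannot print it.

# Print "cracked total": how many hashes in file $1 have a potfile ($2) entry.
# Case-insensitive on the hex, since hashcat normalises hashes to lowercase.
crack_stats() {
    awk -F: '
        FILENAME == ARGV[1] { pot[tolower($1)] = 1; next }   # potfile first
        NF { total++; if (tolower($1) in pot) cracked++ }    # then hash file
        END { printf "%d %d\n", cracked, total }
    ' "$2" "$1"
}

# Histogram of recovered password lengths ("length count" per line), the
# figure a policy report needs; the passwords themselves are never printed.
length_histogram() {
    awk -F: '
        NF {
            plain = substr($0, length($1) + 2)    # everything after "hash:"
            if (index(plain, "$HEX[") == 1)       # $HEX[..]: two hex chars per byte
                n = (length(plain) - 6) / 2
            else
                n = length(plain)
            hist[n]++
        }
        END { for (n in hist) printf "%d %d\n", n, hist[n] }
    ' "$1" | sort -n
}

# Demo on constructed sample data (placeholder hashes, not real ones):
# four NTLM hashes of which three were "cracked".
work=$(mktemp -d)
printf '%s\n' 11111111111111111111111111111111 22222222222222222222222222222222 \
              33333333333333333333333333333333 44444444444444444444444444444444 > "$work/win.hash"
printf '%s\n' '11111111111111111111111111111111:Summer2019' \
              '22222222222222222222222222222222:Airplane1' \
              '33333333333333333333333333333333:$HEX[70617373]' > "$work/hashcat.potfile"
echo "cracked total: $(crack_stats "$work/win.hash" "$work/hashcat.potfile")"
echo "length histogram:"
length_histogram "$work/hashcat.potfile"
rm -rf "$work"
```

Run crack_stats against ~/.hashcat/hashcat.potfile and ./hashlists/win.hash after an exercise to get the headline figure; the histogram is what you would put in front of whoever owns the password policy.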

Exercise: Rule Set Permutations

Rule Sets allow permutations like “Airplane1 to Airplane59”.

For deep details see this page:
https://www.4armed.com/blog/hashcat-rule-based-attack/

Rule Set rules are in /usr/share/hashcat/rules/, for example the best64.rule rule list.

  • Use this command to crack the hashes in win.hash, applying the best64 rules to every RockYou word (-r selects the rule file):
hashcat -m 1000 -a 0 --force -r /usr/share/hashcat/rules/best64.rule ./hashlists/win.hash /usr/share/wordlists/rockyou.txt

Afterwards, run the same command with --show added to print the hashes already cracked into the potfile; --show only reads the potfile and applies no rules itself.

Exercise: Mask Attack

See this explanation straight from the Hashcat people:
https://hashcat.net/wiki/doku.php?id=mask_attack

And see this page for examples (halfway down the page):
https://www.4armed.com/blog/perform-mask-attack-hashcat/

You will need at least these four options for hashcat:

hashcat-binary attack-mode hash-file mask

For instance:

hashcat -a 3 hash.file ?a?a?a

?d Digit (repeat 5 times for 5 places)

?l lowercase letter

?u uppercase letter

?s special char

?a all character sets

For example, look for all three-character passwords:

hashcat -m 1000 -a 3 ./testhash.txt ?a?a?a

Up to 7 chars is reasonable, 8 takes days, 9 takes years (on generic hardware).

  • What would the command be to look for all five-character passwords?

Exercise: Combinator Attacks

Use two wordlists, or the same wordlist twice, and try all possible combinations:

hashcat -m 1000 -a 1 ./testhash.txt [wordlist1] [wordlist2]
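The script below is an added example, not part of the course notes or of hashcat. It puts numbers behind the "7 chars is reasonable, 8 takes days, 9 takes years" rule of thumb from the mask section and the "all possible combinations" of the combinator attack: it counts the candidates a mask or a pair of wordlists produces and converts that into time at a hash rate you supply. The charset sizes are hashcat's built-in ones (?d=10, ?l=26, ?u=26, ?s=33, ?a=95; the ?b byte charset is left out); the 1e9 hashes/second rate in the demo is an assumed figure, to be replaced with what hashcat -b reports on your own hardware, and the wordlists are constructed.

```shell
#!/bin/sh
# Added example (not course material, not hashcat's code): keyspace and
# time estimates for hashcat mask (-a 3) and combinator (-a 1) attacks.
# Charset sizes are hashcat's built-ins: ?d=10 ?l=26 ?u=26 ?s=33 ?a=95
# (?b = 256 is omitted here).

# Number of candidates for a mask such as '?u?l?l?l?l?d?d'.
mask_keyspace() {
    printf '%s\n' "$1" | awk '
        BEGIN { size["d"] = 10; size["l"] = 26; size["u"] = 26; size["s"] = 33; size["a"] = 95 }
        {
            total = 1
            for (i = 1; i <= length($0); i += 2) {
                if (substr($0, i, 1) != "?") { print "malformed mask" > "/dev/stderr"; exit 1 }
                c = substr($0, i + 1, 1)
                if (!(c in size)) { print "unknown charset ?" c > "/dev/stderr"; exit 1 }
                total *= size[c]
            }
            printf "%.0f\n", total      # large values are approximate (double precision)
        }'
}

# Candidates for -a 1: every non-empty line of list 1 joined to every line of list 2.
combinator_keyspace() {
    n1=$(awk 'NF { n++ } END { print n + 0 }' "$1")
    n2=$(awk 'NF { n++ } END { print n + 0 }' "$2")
    echo $((n1 * n2))
}

# Seconds to exhaust a keyspace ($1) at a rate of $2 hashes per second.
# The rate is an assumption you supply, e.g. from `hashcat -b` output.
seconds_to_exhaust() {
    awk -v n="$1" -v rate="$2" 'BEGIN { printf "%.0f\n", n / rate }'
}

# Demo: full ?a masks of 7, 8 and 9 places at an assumed 1e9 NTLM hashes/s.
rate=1000000000
for mask in '?a?a?a?a?a?a?a' '?a?a?a?a?a?a?a?a' '?a?a?a?a?a?a?a?a?a'; do
    n=$(mask_keyspace "$mask")
    secs=$(seconds_to_exhaust "$n" "$rate")
    days=$(awk -v s="$secs" 'BEGIN { printf "%.1f", s / 86400 }')
    printf '%-20s %22s candidates  ~%s days\n' "$mask" "$n" "$days"
done

# Demo for the combinator attack on two constructed wordlists.
work=$(mktemp -d)
printf '%s\n' spring summer autumn winter > "$work/seasons.txt"   # constructed list 1
printf '%s\n' 2018 2019 2020 > "$work/years.txt"                 # constructed list 2
printf 'combinator seasons.txt x years.txt: %s candidates\n' \
    "$(combinator_keyspace "$work/seasons.txt" "$work/years.txt")"
rm -rf "$work"
```

At the assumed 1e9 hashes/second the 8-place ?a mask comes out at roughly 76 days and the 9-place one at about 20 years, which is the page's rule of thumb in numbers; the same arithmetic tells you how long a password policy of a given length and character set buys against a given attacker budget.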

The LinkedIn hashdump and more instructions:
http://adeptus-mechanicus.com/codex/linkhap/linkhap.php

https://www.unix-ninja.com/p/Exploiting_masks_in_Hashcat_for_fun_and_profit

[ CEH Training: Course 1 ] :: [ Day 1 ]

This entry is part 3 of 10 in the series [ Certified Ethical Hacker Training ]

Introductions

Short bios and description of experience

Assessment test:
https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/ceh-assessment/

Some discussion of the CEH:
http://www.techexams.net/forums/ec-council-ceh-chfi/116310-passed-my-ceh-resit-some-thoughts-cert-ec-council-3.html

Study Guide: Modules 1 and 2

Stage 1 of a Hack: Footprinting / Reconnaissance

  • “Phone book” information
  • Employee names and info
  • Company/facility info
  • IP address ranges
  • Job information

Tools:

Google: Advanced Search Operators

The Google Hacking Database

Archive.org (The Wayback Machine)

Netcraft

Maltego, of course

Command line:

nslookup

dig

whois

p0f

Critical vocabulary: threat, vulnerability, attack, exploit, payload etc.

Motivations: money, status, terror, revenge, ideology, fun

Pentesting

Laws for Dread and Comfort

Footprinting/Reconnaissance

theHarvester, Metagoofil, Nikto, Parsero

Google, Shodan, social media, job sites

Echosec, Maltego

THP3: Intro and Chapter 1

Pentester vs. Red Team

MITRE ATT&CK, @cyberops, PenTesters Framework (PTF)

Cobalt Strike/Armitage

PowerShell Empire, p0wnedShell, Pupy Shell, PoshC2, Merlin, Nishang

Virtual Machines

We’ll be using Kali Linux as a virtual machine. Setting up a hacking VM, updating, configuring and customizing it is a critical hacker skill.

Hackable Websites

Hackthissite.org: Take them up on this offer! A great learning site. https://www.hackthissite.org/

Root-me.org: There are challenges in several categories, and they’re quite good. There is no clear pathway through, though, so it’s up to your hackerly curiosity to explore your interests.
https://www.root-me.org/?lang=en

Shellterlabs: Work through a series of lessons to gain competencies in one area after another. The challenges are truly challenging. https://shellterlabs.com/en/

HackTheBox.eu: You’ll have to hack your way in even to use this site. Bonus: they’ll help you get pentesting gigs if you prove your skillz. https://www.hackthebox.eu/

In-Class Exercise:

Maltego: activation and configuration

Official training videos: https://www.youtube.com/watch?v=sP-Pl_SRQVo&list=PLC9DB3E7C258CD215

Homework:

  1. Begin a Maltego investigation (graph) of yourself. Start with the Person object and expand outward to work information, email addresses etc. Every single particle of information you can gather about yourself, anyone else can too. While this kind of scanning is perfectly legal in many parts of the world (think about what ad agencies know about you), remember this critical hacker principle: Don’t attract unneeded attention.
  2. Take your first reading pass through Chapters 1, 2 and 3. Highlight liberally. Plan for using special markers in locations that directly discuss test topics (i.e. questions).

[ Certified Ethical Hacker Training: Course 1 ] :: [ Syllabus ]

This entry is part 2 of 10 in the series [ Certified Ethical Hacker Training ]

SYLLABUS

Text:

CEHv10 Study Guide, by Sean-Philip Oriyano (provided by UNM)

The Hacker Playbook 3, by Peter Kim (optional and student-bought, but encouraged)

Past texts:

  • Certified Ethical Hacker Exam Guide, Third Edition, by Matt Walker

  • CEH v9: Certified Ethical Hacker Version 9 Study Guide 3rd Edition, by Sean-Philip Oriyano

Learning Objectives

Gaining a thorough familiarity with hacking tools and techniques.

Successful preparation to pass the EC-Council Certified Ethical Hacker exam.

About This Course

This course is the first of two. Together these two courses cover the vocabulary, tools, topics and current events that are covered in the C|EH version 10 (henceforth CEH).

The CEH covers a huge area of topics, and textbooks struggle to keep up with EC-Council’s own materials. The short books are forced to assume that you already know quite a lot, and the long books are … huge, but cover things a lot more deeply.

This time around, we’re going to use a big book, a large-format 600-page behemoth that displays author Oriyano’s broad understanding of the CEH test. He’s been writing about it for a long time, and knows his stuff, but his books tend to be thick with typographical errors, and this one is no exception. We’ll generally refer to this as the Study Guide, and cover the first 300 pages in this course, the rest in the second course.

We’ll also use The Hacker Playbook 3, which comes at the same subject from a much more hackerly perspective. It’s a short, clear book that will give us some good exercise for our hacking muscles. We’ll refer to this book as THP3.

Day 1

Hacking in Theory and Practice

Stage 1 of a hack: Footprinting

Google Hacking and Google Dorking

Open Source Intelligence: OSINT

Day 2

Stage 2 of a hack: Scanning and Enumerating

ping, hping3, nmap

Scan types and their results: SYN, TCP, ACK, FIN etc.

Day 3

Stage 3 of a hack: Enumeration

Day 4

Stage 4 of a hack: System Hacking

Day 5

Day 6

Day 7

Day 8