What You Will Learn
Course Overview
Learn everything you need to know to pass the Certified Ethical Hacker exam in under 10 hours. Understand the basics of network and Internet accessible application technologies, common discovery, and analysis techniques as well as more advanced security concepts such as malware and cryptography.
Description
The Certified Ethical Hacker (CEH) Course provides a complete overview of the topics contained in the IIEC Blueprint for the CEH exam. With 5 modules containing more than 10 hours of training, this course covers all concepts in the objectives so you can master the knowledge you need to pass the exam. The course begins with a general overview of security essentials. You then explore system, network, and web services security before diving into wireless and Internet security. This course provides the breadth of coverage necessary to learn the full security concepts behind the CEH exam. It also helps prepare you for a career as a security professional.
Topics include
Module:
- Ethical Hacking Foundations
- Systems Security
- Network Security
- Web Services Security
- Wireless and Internet Security
Course Requirements
Anyone interested in earning a Certified Ethical Hacker (CEH) certification.
Introduction to Ethical Hacking
Ethical Hacking
Hacking is illegally exploiting vulnerabilities to gather information for whatever reason.
Ethical Hacking: use the same tools to validate the system security.
| Confidentiality | Integrity | Availability | Authenticity | Non-Repudiation |
|---|---|---|---|---|
| The data is only readable by those authorized. | The data has not changed. | Data is accessible when needed. | The data source is valid. | The data source cannot deny its creation. |
Attack vectors
Attack vector: the path by which an attacker can gain access to a host in order to deliver a payload or malware.
Ethical Hacking: Attack Phases
Attack Types
Classified into 4 buckets:
- Operating System: gaining access by exploiting a flaw in the operating system
- Application Attacks: gaining access by exploiting a flaw in an application on a
- Shrinkwrap Code: attacking a system by using a vulnerability in a product directly after it’s been
- Misconfiguration: gaining access to a system by exploiting a misconfiguration.
Footprinting and Recon
The goal of footprinting is gathering information about:
- Network (DNS, IP, systems, IDS, protocols)
- Organization (structure, websites, names)
- Hosts (open ports, OS in use)
How to gather information:
Search engines
- Google (use Google search operators), Wikipedia, Google Maps for geo-info
Finding people
- LinkedIn is an excellent tool for finding people in a company; from a name you can then find phone numbers, websites, addresses and social network pages
Competitive intelligence
- Gain info from the target's competitors
Websites analysis
- Using a packet sniffer and browser developer tools, an attacker can gain info about content types, OS, software versions and cookies
Email tracking
- Tools: YesWare, HubSpot, BananaTag, GetNotify, ReadNotify, WhoReadMe, MsgTag, DidTheyReadIt
Network discovery
Items to discover:
- IP addresses → discover the IPs of an organization
  - In Kali: host apple.com
  - Then more info from the RIR (ARIN for North America, RIPE NCC for Europe)
- Host OS → info about the host operating system using:
  - Netcraft (online app)
  - Shodan (online app)
  - Nmap (to scan yourself)
    - in Kali: nmap -A -T4 scanme.nmap.org
- Routing Paths → to know the route packets take through a network
  - UDP traceroute (*nix systems): traceroute 8.8.8.8
  - ICMP traceroute (Windows): tracert 8.8.8.8
  - TCP traceroute: tctrace
  - Graphical applications: Open Visual Traceroute, VisualRoute
DNS/Whois
- Info about a domain: dig ANY google.com
- More domain info: whois google.com
Social engineering
- Gather info from a target through physical or verbal interaction, e.g. using trick questions
Employees online activities
- Analysis of social networks (employees love sharing) and of online company info: open positions, services, …
Footprinting tools
| Tool | Website |
|---|---|
| Maltego | https://www.maltego.com |
| Domain Name Analyzer Pro | https://domainpunch.com |
| Web Extractor | http://www.webextractor.com |
| dig / whois | Shell |
| tctrace | Shell |
| Robtex | https://www.robtex.com |
| DNS Digger | https://www.epideme.com/digger/ |
| Sam Spade | https://www.majorgeeks.com |
| Spiderzilla | http://spiderzilla.mozdev.org |
| Binging | https://blueinfy.com |
| Netmask Autonomous System Scanner (ASS) | http://www.phenoelit.org/irpas/docu.html |
| Dig Web Interface | https://www.digwebinterface.com |
Footprinting countermeasures
- Disable unnecessary services
- Approach the system(s) as an attacker would, to determine what info is exposed
- Consider using a Host Intrusion Prevention System
- Use IPSec VPN when outside enterprise network
- Have a security policy
- Audit yourself
- Educate employees
Footprinting steps
Scanning Networks
Network scanning is the use of a computer system to systematically probe a target network and gather information about its systems.
Port scanning: search for available services
Vulnerability scanning: check if the system is actually vulnerable
Network scanning techniques
There are 2 main scanning techniques:
Discover Live Systems
To discover a live host: ping 10.1.1.1
Beyond a single ping, a PING SWEEP sends an ECHO REQUEST to every address and waits for the ECHO REPLY, covering an entire network with the nmap command:
nmap -sP NETWORK-ADDRESS/NETMASK (e.g. nmap -sP 10.1.1.0/24; newer Nmap versions call this option -sn)
Discover Open Ports
In order to establish a connection and exchange data using TCP, the hosts must first complete a three-way handshake (to synchronize sequence numbers): SYN / SYN-ACK / ACK
TCP scan techniques
Network scanning – tools:
- Network Tools Pro
- Netifera
- Nmap
- SoftPerfect Network Scanner
- PRTG Network Monitor
- Advanced Port Scanner
NMAP (scanning tool)
nmap -sT IP-ADDRESS → -sT stands for TCP Connect Scan (completes the full three-way handshake on each port)
nmap -sT -p 1-2000 -P0 IP-ADDRESS → -p 1-2000 to scan only this range of ports
-P0 to skip pinging each address first (by default nmap pings; newer Nmap versions call this option -Pn)
nmap -v -A IP-ADDRESS → -v for verbose output, -A for OS detection (it also enables version detection, default scripts and traceroute)
e.g. try: nmap -v -A scanme.nmap.org
Countermeasures
- Use stateful firewalls
- Update Intrusion Detection Systems/ Intrusion Prevention Systems
- Scan your assets, from inside and outside
- Filter ICMP
- Employ HIPS with behaviour monitoring
IDS Evasion
- Packet fragmentation
- IP spoofing (e.g. IDLE scan)
- Use proxy server → still detected, source concealed
- Source Routing → still detected, source concealed
Banner Grabbing
Active → probe the system yourself (nmap, telnet, netcat)
Passive → find the info from another source (Netcraft)
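Added example, not from the course notes: a minimal TCP connect scan with active banner grabbing in Python, the behaviour the notes describe for nmap -sT and for the active method above. It starts its own loopback listener with a constructed banner so it runs offline; the function names are assumptions.

```python
import socket
import threading


def start_banner_listener(banner: bytes) -> int:
    """Constructed local target: a loopback service that greets with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0 lets the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)    # talk first, as SSH/SMTP/FTP servers do

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_tcp_port() -> int:
    """Find a loopback port nothing listens on (bind, read it back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan (the nmap -sT behaviour): the OS completes the full
    SYN / SYN-ACK / ACK handshake for every port. A refused connection (RST)
    means closed, a timeout means filtered. For each open port the first bytes
    the service sends are kept, which is active banner grabbing."""
    open_ports = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except (ConnectionRefusedError, socket.timeout, OSError):
                continue
            try:
                banner = s.recv(1024)
            except (socket.timeout, OSError):
                banner = b""
            open_ports[port] = banner.decode(errors="replace").strip()
    return open_ports
```

Running connect_scan("127.0.0.1", [start_banner_listener(b"SSH-2.0-Example\r\n"), closed_tcp_port()]) returns only the listening port, mapped to its banner.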
Vulnerability Scanning
Checking for the existence of vulnerabilities in a system. Several tools:
- SAINT (commercial)
- Nessus (commercial)
- GFI LanGuard (commercial)
Other tools:
In the exam you don’t have to use them, but you must be aware that they exist and know their names.
Network diagramming
Drawing the network is a crucial step towards a deep understanding of the target.
Tools:
| Tool | Website |
|---|---|
| SolarWinds (commercial) | https://www.solarwinds.com |
| ManageEngine (commercial) | https://www.manageengine.com |
| NetBrain | https://www.netbraintech.com |
| LANState | https://www.10-strike.com/lanstate/ |
| Spiceworks | https://www.spiceworks.com |
| NetMapper | https://support.riverbed.com/content/support/software/steelcentral-npm/it-netmapper.html |
| Micro Focus Network Node Manager (formerly HP NNM) | https://www.microfocus.com/en-us/products/network-node-manager-i-network-management-software/overview |
| IPsonar | https://www.firemon.com/products/lumeta/ |
Proxies
A proxy is an intermediary that forwards traffic on your behalf. Proxies are used to hide the source IP. Proxy chaining consists of using several successive proxies in order to obfuscate the source further.
Tools:
- Proxy Workbench
- Proxifier
- Proxy Switcher
- TOR project (onion routing)
- The Dude (free)
TOR project (onion routing)
In Kali: ssh -L 5900:10.1.1.20:5900 nick@10.1.1.10 (SSH local port forwarding: connections to local port 5900 are tunnelled through 10.1.1.10 and delivered to 10.1.1.20 on port 5900)
In Windows: Bitvise, PuTTY
Anonymizers
For hiding the source of the traffic
For the exam, you should just be aware that they exist (you don’t have to use them).
Tools:
| Tool | Website |
|---|---|
| Psiphon | http://www.psiphon3.com, https://s3.amazonaws.com/0ubz-2q11-gi9y/en.html |
| Your Freedom | http://www.your-freedom.net |
| Privacy Pro | http://privacy-pro.com |
| Hide My Ass! | https://hidemyass.com |
| Zenmate | https://zenmate.com |
| Anonymizer Universal | https://anonymizer.com |
| Tor | https://torproject.org |
| I2P | https://geti2p.net |
IP Spoofing
IP spoofing is the technique of modifying the source IP address of a packet so that it appears to come from a different host.
Spoofing source IPs is easy; getting a response back is hard, because replies go to the spoofed address.
How to detect spoofing:
- Time To Live (TTL) check
- IP ID check
- TCP flow control
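Added example, not from the course notes: the TTL check and the IP ID check listed above written as detection logic in Python and run over a constructed packet stream against a constructed per-source baseline (the third check, TCP flow control, is not modelled). The Pkt record, BASELINE and SAMPLE values are assumptions.

```python
from collections import namedtuple

# Pkt fields: claimed source IP, TTL as seen on arrival, IP identification field.
Pkt = namedtuple("Pkt", "src ttl ip_id")

# Constructed baseline from earlier legitimate traffic of each source: the TTL we
# normally see from it and the last IP ID it used (both values are assumptions).
BASELINE = {
    "10.1.1.20": {"ttl": 64, "last_id": 41000},      # Linux-style host on our LAN
    "198.51.100.7": {"ttl": 116, "last_id": 23000},  # Windows-style host, 12 hops away
}

# Constructed packet stream; entries 2 and 4 are forged.
SAMPLE = [
    Pkt("10.1.1.20", 64, 41001),
    Pkt("10.1.1.20", 64, 41002),
    Pkt("10.1.1.20", 128, 5),        # other OS TTL and an unrelated IP ID
    Pkt("198.51.100.7", 116, 23004),
    Pkt("198.51.100.7", 57, 23005),  # forger guessed the IP ID sequence, not the TTL
]

def ttl_check(pkt, expected_ttl, tolerance=3):
    # TTL check: the real host always arrives with its initial TTL minus the same
    # hop count; a spoofer on another path or OS does not. Tolerance absorbs route changes.
    return abs(pkt.ttl - expected_ttl) <= tolerance

def ip_id_check(pkt, last_id, window=2000):
    # IP ID check: a host with a global IP ID counter sends IDs just above its previous
    # one (mod 2^16); a forged packet carries an unrelated ID. Hosts randomising IP ID defeat it.
    delta = (pkt.ip_id - last_id) % 65536
    return 0 < delta <= window

def detect_spoofing(packets, baseline):
    """Return {packet_index: [failed checks]}; baseline state advances only on
    packets that passed every check, so a forged packet cannot poison it."""
    state = {ip: dict(v) for ip, v in baseline.items()}
    alerts = {}
    for i, pkt in enumerate(packets):
        known = state.get(pkt.src)
        if known is None:
            continue  # no history for this source: nothing to compare against
        reasons = [name for name, ok in (
            ("ttl", ttl_check(pkt, known["ttl"])),
            ("ip_id", ip_id_check(pkt, known["last_id"])),
        ) if not ok]
        if reasons:
            alerts[i] = reasons
        else:
            known["last_id"] = pkt.ip_id
    return alerts
```

detect_spoofing(SAMPLE, BASELINE) flags packet 2 on both checks and packet 4 on the TTL check only, which is why the notes list more than one check.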
Scanning steps