CEHv11 Ethical Hacking
nmap -f [Target IP Address]
-f switch is used to split the IP packet into tiny fragment packets.
nmap -sA -v [Target IP Address]
-sA: performs the ACK flag probe scan and -v: enables the verbose output (include all hosts and ports in the output).
nmap -sM -v [Target IP Address]
-sM: performs the TCP Maimon scan and -v: enables the verbose output (include all hosts and ports in the output).
nmap -sS -v [Target IP Address]
-sS: performs the stealth scan/TCP half-open scan and -v: enables the verbose output (include all hosts and ports in the output).
nmap -sX -v [Target IP Address]
-sX: performs the Xmas scan and -v: enables the verbose output (include all hosts and ports in the output).
nmap -v
-v: enables the verbose output (include all hosts and ports in the output).
hping3 -2 [Target IP Address] -p 80 -c 5
UDP scan
Unicornscan
Unicornscan is a Linux-based command line-oriented network information-gathering and reconnaissance tool. It is an asynchronous TCP and UDP port scanner and banner grabber that enables you to discover open ports, services, TTL values, etc. running on the target machine. In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result.
Proxy Servers
Use a chain of proxy servers to hide the actual source of a scan and evade certain IDS/firewall restrictions
Anonymizers
Use anonymizers to bypass Internet censors and evade certain IDS and firewall rules
Website Footprinting
Website footprinting is a technique used to collect information regarding the target organization's website. Website footprinting can provide sensitive information associated with the website such as registered names and addresses of the domain owner, domain names, host of the sites, OS details, IP details, registrar details, emails, filenames, etc.
IDS (Intrusion Detection System)
An Intrusion Detection System (IDS) and a firewall are security mechanisms intended to prevent an unauthorized person from accessing a network. However, even IDSs and firewalls have some security limitations. Firewalls and IDSs are intended to stop malicious traffic (packets) from entering a network, but certain techniques can be used to send intended packets to the target and evade IDSs/firewalls.
Anonymizer
An anonymizer is an intermediate server placed between you as the end user and the website to access the website on your behalf and make your web surfing activities untraceable.
Availability
Assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized users.
L0phtCrack
Audit system passwords using L0phtCrack. L0phtCrack is a password auditing and recovery application. It recovers lost Microsoft Windows passwords with the help of dictionary, hybrid, rainbow table, and brute-force attacks. It can also be used to check the strength of a password. User account passwords that are cracked in a short amount of time are weak, meaning that you need to take certain measures to strengthen them.
BGP (Border Gateway Protocol)
BGP is a routing protocol used to exchange routing and reachability information between different autonomous systems (AS) present on the Internet.
Banner grabbing, or OS fingerprinting
Banner grabbing, or OS fingerprinting, is a method used to determine the OS that is running on a remote target system.
Buffer Overflow
Buffer overflow or overrun is a common vulnerability in applications or programs that accept more data than the allocated buffer can hold.
IP Address Spoofing
Change source IP addresses so that the attack appears to be coming in as someone else
hping3 -1 [Target Subnet] --rand-dest -I eth0
Entire subnet scan for live host
Hping2/Hping3 uses
Hping2/Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. Using Hping, you can study the behavior of an idle host and gain information about the target such as the services that the host offers, the ports supporting the services, and the OS of the target.
In Parrot Terminal window, nmap -g 80 [Target IP Address]
In this command, you can use the -g or --source-port option to perform source port manipulation. Source port manipulation refers to manipulating actual port numbers with common port numbers to evade IDS/firewall: this is useful when the firewall is configured to allow packets from well-known ports like HTTP, DNS, FTP, etc.
Active Banner Grabbing
Specially crafted packets are sent to the remote OS, and the responses are noted, which are then compared with a database to determine the OS. Responses from different OSes vary, because of differences in the TCP/IP stack implementation.
Source Routing
Specifies the routing path for the malformed packet to reach the intended target
ping
The ping command sends an ICMP echo request to the target host and waits for an ICMP response. During this request-response process, ping measures the time from transmission to reception, known as round-trip time, and records any loss of packets.
stealth scan
The stealth scan involves resetting the TCP connection between the client and server abruptly before completion of three-way handshake signals, and hence leaving the connection half-open. This scanning technique can be used to bypass firewall rules, logging mechanisms, and hide under network traffic.
open TCP ports along with a TTL value of 64.
The TTL value acquired after the scan is 64; hence, the OS is possibly a Linux-based machine (Google Linux, Ubuntu, Parrot, or Kali).
snort -W
This command lists your machine's physical address, IP address, and Ethernet Drivers, but all are disabled by default.
Passive Banner Grabbing
This depends on the differential implementation of the stack and the various ways an OS responds to packets. Passive banner grabbing includes banner grabbing from error messages, sniffing the network traffic, and banner grabbing from page extensions.
Go to the C:\Snort\log\10.10.10.10 folder and open the ICMP_ECHO.ids file with Notepad++. You see that all the log entries are saved in the ICMP_ECHO.ids file. The folder name 10.10.10.10 might vary in your lab environment, depending on the IP address of the Windows 10 machine.
This means that whenever an attacker attempts to connect or communicate with the machine, Snort immediately triggers an alarm. This makes you aware of the intrusion, so that you can take certain security measures to disconnect the lines of communication with the attacker's machine.
Application used to evaluate which machine is responding to the ARP packet.
When an ARP packet is broadcast in the network, the active machines receive the packet, and a few start responding with an ARP reply. To evaluate which machine is responding to the ARP packet, you need to observe the packets captured by the Wireshark tool. In the Wireshark window, click on the Filter field, type arp and press Enter. The ARP packets will be displayed, as shown in the screenshot.
Wireshark
Wireshark is a network protocol analyzer that allows capturing and interactively browsing the traffic running on a computer network. It is used to identify the target OS through sniffing/capturing the response generated from the target machine to the request-originated machine. Further, you can observe the TTL and TCP window size fields in the captured TCP packet. Using these values, the target OS can be determined.
XMAS Scan
The Xmas scan sends a TCP frame to a target system with the FIN, URG, and PUSH flags set. If the port is open on the target, you will receive no response from the target system. If the port is closed on the target, you will receive a reply from the target system with an RST.
network discovery tools
You can also use other network discovery tools such as OpManager (https://www.manageengine.com), The Dude (https://mikrotik.com), NetSurveyor (http://nutsaboutnets.com), NetBrain (https://www.netbraintech.com), and Spiceworks Network Mapping Tool (https://www.spiceworks.com) to draw a network diagram of the target network.
On a Parrot Security machine, in the Parrot Terminal window, first press Control+C and then type hping3 -S [Target IP Address] -p 80 -c 5
Here, -S specifies the TCP SYN request on the target machine, -p specifies assigning the port to send the traffic, and -c is the count of the packets sent to the target machine. In the result, it is indicated that five packets were sent and received through port 80.
Type nmap -Pn -sS -A -oX Test 10.10.10.0/24 and hit Enter to scan the subnet
Here, we are scanning the whole subnet 10.10.10.0/24 for active hosts.
ping www.testsite.com -i 2 -n 1
Here, we set the TTL value to 2 and the -n value to 1 to check the life span of the packet. -n specifies the number of echo requests to be sent to the target.
nmap -O [Target IP Address]
-O: performs the OS discovery. The scan results appear, displaying information about open ports, respective services running on the open ports, and the name of the OS running on the target system.
nmap --script smb-os-discovery.nse [Target IP Address]
--script: specifies the customized script and smb-os-discovery.nse: attempts to determine the OS, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139). The scan results appear, displaying the target OS, computer name, NetBIOS computer name, etc. details under the Host script results section.
nmap -A [Target IP Address]
-A: performs an aggressive scan. The scan takes approximately 10 minutes to complete. The scan results appear, displaying the open ports and running services along with their versions and target details such as OS, computer name, NetBIOS computer name, etc. under the Host script results section.
in a Parrot Terminal: hping3 [Target IP Address] --udp --rand-source --data 500
Here, --udp specifies sending the UDP packets to the target host, --rand-source enables the random source mode and --data specifies the packet body size.
Type sudo ./Responder.py -I eth0 and press Enter. In the password for ubuntu field, type toor and press Enter to run Responder tool.
The password that you type will not be visible. -I: specifies the interface (here, eth0).
ARP Spoofing Attack
ARP spoofing involves constructing many forged ARP request and reply packets to overload the switch.
There are two types of OS discovery or banner grabbing techniques: Active Banner Grabbing and Passive Banner Grabbing.
Active Attacks
Active attacks tamper with the data in transit or disrupt communication or services between the systems to bypass or break into secured systems.
Active Sniffing
Active sniffing involves injecting Address Resolution Protocol (ARP) packets into the network to flood the switch's Content Addressable Memory (CAM) table, which keeps track of host-port connections.
Agent Smith Attack
Agent Smith attacks are carried out by luring victims into downloading and installing malicious apps designed and published by attackers in the form of games, photo editors, or other attractive tools from third-party app stores such as 9Apps.
Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) is a publicly available and free-to-use list or dictionary of standardized identifiers for common software vulnerabilities and exposures. It is used to discuss or share information about a unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables data exchange for cybersecurity automation.
Common Weakness Enumeration (CWE)
Common Weakness Enumeration (CWE) is a category system for software vulnerabilities and weaknesses. It has numerous categories of weaknesses, which means that CWE can be effectively employed by the community as a baseline for weakness identification, mitigation, and prevention efforts. Further, CWE has an advanced search technique with which you can search and view the weaknesses based on research concepts, development concepts, and architectural concepts.
Find Vulnerabilities on Exploit Sites
Exploit sites contain the details of the latest vulnerabilities of various OSes, devices, and applications. You can use these sites to find relevant vulnerabilities about the target system based on the information gathered, and further download the exploits from the database and use exploitation tools such as Metasploit, to gain remote access.
IP Address Decoy
Generate or manually specify IP addresses of the decoys so that the IDS/firewall cannot determine the actual IP address
hping3 -1 [Target IP Address] -p 80 -c 5
ICMP scan
FIN, PUSH, and URG scan of the port on the target IP address
If a port is open on the target, you will receive a response. If the port is closed, Hping will return an RST response.
TTL value of 128
The TTL value acquired after the scan is 128; hence, the OS is possibly Microsoft Windows (Windows 7/8/8.1/10 or Windows Server 2008/12/16).
Maimon scan
In the TCP Maimon scan, a FIN/ACK probe is sent to the target; if there is no response, then the port is Open|Filtered, but if the RST packet is sent as a response, then the port is closed.
TCP stealth scan
In the TCP stealth scan, the TCP packets are sent to the target host; if a SYN+ACK response is received, it indicates that the ports are open.
hping3 --scan 0-100 -S [Target IP Address]
In this command, --scan specifies the port range to scan, 0-100 specifies the range of ports to be scanned, and -S specifies setting the SYN flag.
hping3 -8 0-100 -S [Target IP Address] -V
In this command, -8 specifies scan mode and takes the range of ports to be scanned (here, 0-100), -S specifies setting the SYN flag, and -V specifies the verbose mode.
hping3 -A [Target IP Address] -p 80 -c 5
In this command, -A specifies setting the ACK flag, -p specifies the port to be scanned (here, 80), and -c specifies the packet count (here, 5).
nmap -D RND:10 [Target IP Address]
In this command, -D performs a decoy scan and RND: generates random, non-reserved IP addresses (here, 10 of them). The IP address decoy technique refers to generating or manually specifying IP addresses of the decoys to evade IDS/firewall. This technique makes it difficult for the IDS/firewall to determine which IP address was actually scanning the network and which IP addresses were decoys. With this command, Nmap automatically generates the random decoys for the scan and randomly positions the real IP address among the decoy IP addresses.
hping3 -F -P -U [Target IP Address] -p 80 -c 5
In this command, -F specifies setting the FIN flag, -P specifies setting the PUSH flag, -U specifies setting the URG flag, -c specifies the packet count (here, 5), and -p specifies the port to be scanned (here, 80).
type unicornscan [Target IP Address] -Iv
In this command, -I specifies an immediate mode and v specifies a verbose mode.
nmap -mtu 8 [Target IP Address]
In this command, -mtu specifies the Maximum Transmission Unit (MTU) size (here, 8 bytes per packet; the value must be a multiple of 8). Using a small MTU, several smaller packets are transmitted instead of sending one complete packet at a time. This technique evades the filtering and detection mechanisms enabled on the target machine.
LLMNR (Link Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service)
LLMNR (Link Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are two main elements of Windows OSes that are used to perform name resolution for hosts present on the same link. These services are enabled by default in Windows OSes and can be used to extract the password hashes from a user.
Source Port Manipulation
Manipulate the actual source port with the common source port to evade IDS/firewall
Packet Crafting Tools
NetScanTools Pro (https://www.netscantools.com), Ostinato (https://www.ostinato.org), and WAN Killer (https://www.solarwinds.com) can be used to build custom packets to evade security mechanisms.
Network Topology Mapper
Network Topology Mapper discovers a network and produces a comprehensive network diagram that integrates OSI Layer 2 and Layer 3 topology data. It automatically detects new devices and changes to the network topology, simplifies inventory management for hardware and software assets, and addresses reporting needs for PCI compliance and other regulatory requirements.
In the Command field, type the command nmap --badsum [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.
Nmap uses --badsum to send packets with bad or bogus TCP/UDP checksums to the intended target to avoid certain firewall rulesets. The scan results appear, showing that all ports are filtered, indicating that there is no response or the packets are dropped, and thus it can be inferred that the target system is configured to drop them.
In Nmap - Zenmap GUI, in the Command field, type the command nmap [Target IP Address] --data 0xdeadbeef
Nmap uses --data [hex string] (here, 0xdeadbeef) to send binary data (0s and 1s) as payloads in the sent packets to scan beyond firewalls.
Using Nmap, in the Command field, type the command nmap --data-length 5 [Target IP Address]
Nmap uses --data-length [len] (here, 5) to append the number of random data bytes to most of the packets sent without any protocol-specific payloads. The scan results appear, displaying all open TCP ports and services running on the target machine, as shown in the screenshot.
In Nmap, in the Command field, type the command nmap [Target IP Address] --data-string "Ph34r my l33t skills"
Nmap uses --data-string [string] (here, "Ph34r my l33t skills") to send a regular string as payloads in the sent packets to the target machine for scanning beyond the firewall. The scan results appear, displaying all open TCP ports and services running on the target machine, as shown in the screenshot.
In the Command field, type the command nmap --randomize-hosts [Target IP Address]
Nmap uses --randomize-hosts to scan the number of hosts in the target network in random order to scan the intended target that is beyond the firewall. The scan results appear, displaying all open TCP ports and services running on the target machine, as shown in the screenshot.
TTL and TCP window size
Parameters such as TTL and TCP window size in the IP header of the first packet in a TCP session play an important role in identifying the OS running on the target machine.
Randomizing Host Order
Scan the number of hosts in the target network in a random order to scan the intended target that is lying beyond the firewall
Creating Custom Packets
Send custom packets to scan the intended target beyond the firewalls
Packet Fragmentation
Send fragmented probe packets to the intended target, which reassembles them after receiving all the fragments. Packet fragmentation refers to the splitting of a probe packet into several smaller packets (fragments) while sending it to a network. When these packets reach a host, IDSs and firewalls behind the host generally queue all of them and process them one by one. However, since this method of processing consumes more CPU as well as network resources, most IDSs are configured to skip fragmented packets during port scans.
Sending Bad Checksums
Send packets with bad or bogus TCP/UDP checksums to the intended target
snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii (replace X with your device index number)
Snort starts running in IDS mode. It first initializes output plug-ins and preprocessors, loads the dynamic preprocessor libraries and Snort rule chains, and then logs all signatures. If you receive a fatal error, you should first verify that you have typed all modifications correctly into the snort.conf file, and then search through the file for entries matching your fatal error message. If you receive an error stating "Could not create the registry key," then run the command prompt as Administrator. If you have entered all command information correctly, you receive a message stating Commencing packet processing (pid=xxxx) (the value of xxxx may be any number).
ACK flag probe scan
The ACK flag probe scan sends an ACK probe packet with a random sequence number; no response implies that the port is filtered (stateful firewall is present), and an RST response means that the port is not filtered.
ACK Scan hping
The ACK scan sends an ACK probe packet to the target host; no response means that the port is filtered. If an RST response returns, this means that the port is closed.
SYN scan
The SYN scan principally deals with three of the flags: SYN, ACK, and RST. You can use these three flags for gathering illegal information from servers during the enumeration process.
The TTL field in the IPv4 packet protocol:
The TTL field determines the maximum time a packet can remain in a network, and the TCP window size determines the length of the packet reported. These values differ for different OSes.
ping www.testsite.com -f -l 1473
ping www.certifiedhacker.com -f -l 1473 replies with "Packet needs to be fragmented but DF set", and ping www.certifiedhacker.com -f -l 1472 replies with a successful ping. This indicates that 1472 bytes is the maximum frame size on this machine's network.
snort -dev -i 1
Here, 1 is the Ethernet driver index number reported by snort -W; this command runs Snort on that Ethernet driver (interface).