CEH Notes
Networking
Networking is used to communicate between two or more different networks.
There are several network topologies:
1) Star Topology : It is used for broadcasting. Hubs are used in star topology.
2) Mesh Topology : In mesh topology all nodes are connected to each other, and it costs more.
3) Hybrid Topology : It is a combination of two or more topologies, and it costs more.
4) Ring Topology : It allows more devices to be attached to a single central hub, but it increases the distance the signal travels to reach the devices. ( It uses a token system. )
5) Tree Topology : It is arranged as parents and children. It uses hubs for long distances and it costs more.
6) Bus Topology : All nodes are connected to a single line. If one node fails, the whole network fails.
IP Address
IP Address :
An IP Address is a 32-bit sequence of 1s and 0s ( binary ). An IP Address is a way to identify a machine on a network. It is a unique identifier.
IP Uses :
It is used to connect to other computers. It allows transfer of files and e-mail.
Internet Protocol is used for communicating data between networks over the network.
Class B : Reserved for big and medium companies. It supports 65,000 hosts on each of 16,000 networks.
( 128.0.0.0 - 191.255.255.255 )
128.0.0.0 = 128.0 is the Network part & 0.0 is the Host part.
Class C : Reserved for medium or small companies or small networks. It supports 254 hosts.
( 192.0.0.0 - 233.255.255.255 )
192.0.0.0 = 192.0.0 is the Network part & 0 is the Host part.
127.0.0.1 is the loopback internet address, the local host, which is used to establish an IP connection to the same machine or computer being used by the end user.
MAC Address
• Stands for "Media Access Control Address," and no, it is not related to Apple Macintosh computers. A MAC address is a hardware identification number that uniquely identifies each device on a network. The MAC address is manufactured into every network card, such as an Ethernet card or Wi-Fi card, and therefore cannot be changed.
• Because there are millions of networkable devices in existence, and each device needs to have a unique MAC address, there must be a very wide range of possible addresses. For this reason, MAC addresses are made up of six two-digit hexadecimal numbers, separated by colons. For example, an Ethernet card may have a MAC address of 00:0d:83:b1:c0:8e. Fortunately, you do not need to know this address, since it is automatically recognized by most networks.
TCP & UDP Protocol
There are two logical protocols: TCP & UDP.
TCP : Transmission Control Protocol.
TCP is a connection-oriented protocol. It provides an extensive error checking mechanism. TCP is comparatively slower than UDP. TCP is reliable as it guarantees delivery of data to the destination.
There are 65,535 TCP & UDP ports. Ports are used for connecting to servers like HTTP, FTP.
Types Of Ports & No.
Various types of ports & their numbers.
OSI Model
OSI Model : The Open System Interconnection
It was created by the International Organization for Standardization ( ISO ). The OSI model provides a standard for computer systems to be able to communicate with each other. OSI is a reference model.
There are seven layers in the OSI model, and each layer has its own responsibility.
Application layer ( 7th layer ) : Human-computer interaction layer where applications can access the network services.
Presentation layer ( 6th layer ) : Ensures that data is in a usable format and is where encryption occurs.
Session layer ( 5th layer ) : Maintains connections & is responsible for controlling ports and sessions.
Transport layer ( 4th layer ) : Transmits data using transmission protocols, including TCP & UDP.
Network layer ( 3rd layer ) : The network layer assigns IP Addresses & decides which path the data will take.
Data link layer ( 2nd layer ) : Defines the format of the data on the network; error detection and error correction happen in this layer.
Physical layer ( 1st layer ) : Transmits raw bit streams over the physical medium.
2) Transport layer
3) Internet layer
Network Devices
1) HUB : It is used to broadcast data.
3) Router : It is a device like a switch that routes data packets based on their IP Address.
5) DNS : Domain Name System. ( DNS Query , DNS Return ) ( C-D , D-C )
6) IDS : Intrusion Detection System. It detects attacks on the network & alerts the system.
7) IPS : Intrusion Prevention System. It detects the attack and prevents the attack.
8) Firewall : A firewall is a device or software which prevents unauthorised attacks and unauthorised access. It has its own rules according to our requirements, known as an access control list ( ACL ).
File Permission
Three Types Of Permission :
1) Read = r - 4
2) Write = w - 2
3) Execute = x - 1
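An added example (not from the original notes) that applies the 4/2/1 weights above: it converts between the symbolic r/w/x form and octal digits, and audits a constructed `ls -l` style listing for files writable by "others".

```python
# Added example (not from the original notes): the r/w/x weights 4/2/1 from
# the notes, applied to convert between symbolic and octal modes and to
# audit a constructed directory listing for files writable by "others".
PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed sample listing (path, symbolic mode) in the form `ls -l` prints.
SAMPLE_LISTING = [
    ("/etc/passwd", "rw-r--r--"),
    ("/etc/shadow", "rw-r-----"),
    ("/tmp/upload.sh", "rwxrwxrwx"),
    ("/usr/local/bin/backup", "rwxr-x---"),
]


def triplet_to_digit(triplet):
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0: each set bit adds its weight."""
    if len(triplet) != 3:
        raise ValueError(f"expected 3 characters, got {triplet!r}")
    total = 0
    for ch, expected in zip(triplet, "rwx"):
        if ch == expected:
            total += PERM_BITS[ch]
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {triplet!r}")
    return total


def symbolic_to_octal(mode):
    """'rwxr-x---' -> '750' (owner, group, others)."""
    if len(mode) != 9:
        raise ValueError("mode must be 9 characters, e.g. rwxr-xr--")
    return "".join(str(triplet_to_digit(mode[i:i + 3])) for i in (0, 3, 6))


def octal_to_symbolic(octal):
    """'644' -> 'rw-r--r--': the inverse conversion."""
    out = []
    for digit in octal:
        d = int(digit, 8)
        out.append(("r" if d & 4 else "-") + ("w" if d & 2 else "-") + ("x" if d & 1 else "-"))
    return "".join(out)


def world_writable(listing):
    """Paths whose 'others' triplet carries the write bit (weight 2)."""
    return [path for path, mode in listing if triplet_to_digit(mode[6:9]) & PERM_BITS["w"]]
```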
IMP Info.Sec
There are 5 Phases Of Ethical Hacking.
2) Scanning : To check the vulnerabilities of a system or a network and check all the ports of a network or system.
3) Gaining Access : To enter the system using the information from scanning, through an open port or other vulnerability.
5) Cover Tracks : Removing logs from the system to avoid the overflow in the system.
Terminology
Terminology Of Ethical Hacking :
2) Exploit : Taking advantage of a vulnerability and exploiting the system or the network.
3) Payload : The payload is the part of exploit code that performs malicious actions, such as destroying data, creating backdoors & hijacking computers.
4) Zero Day Attack : An attack that exploits a computer application using a vulnerability before the software developer releases the patch for the vulnerability.
5) Doxing : Publishing personally identifiable information about an individual collected from publicly available databases & social media.
6) Bot : A bot is a software application that can be controlled remotely to execute or automate predefined tasks.
7) Daisy Chaining : It involves gaining access to one network / computer and using the same information to gain access to multiple networks or computers.
8) Hack Value : It is the notion among hackers that something is worth doing or interesting.
Element
Elements Of Information System ( CIA )
1) Confidentiality : Assures that the information is accessible only to those who have authorised access.
3) Availability : Resources or data should be available to users when they want to access the data.
5) Non-Repudiation : Guarantees that the sender of a message cannot later deny having sent the message & the recipient cannot deny having received the message.
Attack Vector
Top Information Security Attack Vectors.
2) Advanced Persistent Threat : Stealing information from the victim machine without the victim or user being aware of it.
4) Malware / Ransomware : Encrypts the information in files so that humans can't read it.
5) Mobile Threat.
6) Bot Net : A botnet is a network of compromised systems used by an attacker to perform various malicious attacks.
Type Of Hacker & Policy
Type Of Hacker :
1) Black Hat.
2) White Hat.
3) Gray Hat.
4) Suicide Hacker.
5) Script Kiddie.
6) Cyber Terrorist.
7) State Sponsored Hacker.
8) Hacktivist.
Type Of Policy :
2) Permissive Policy : The permissive policy restricts only widely known dangerous attacks or behaviour.
3) Prudent Policy : The prudent policy ensures the maximum & strongest security among them; however, it allows known, necessary risks, blocking services but enabling services individually.
Risk & Incident
Risk & Risk Management :
VAPT And Security
VA & PT : To find vulnerabilities and loopholes and do testing on them.
Phases Of VAPT :
Security :
Security Audit : To check all the security controls for updates and check that they are up-to-date.
Security Standards :
3) SOX : Sarbanes - Oxley Act : To protect shareholders & the general public from accounting errors & fraud. ( To improve corporate governance & accountability. )
Module 2.
1) Footprinting & Reconnaissance.
Footprinting & Reconnaissance
Footprinting & Reconnaissance :
1) Shodan.io
2) Netcraft.com
3) Osintframework.com
4) web.archive.org
5) virustotal.com
6) haveibeenpwned.com
Module 3
Nmap
6) nmap -sT 192.168.0.1 - For TCP scan / full open scan / connect scan.
7) nmap -sS 192.168.0.1 - Stealth scan / half open scan. [ (C) SYN -> (S) SYN+ACK -> (C) RST ] = Port is open.
12) nmap -sU 192.168.0.1 - For UDP scan [ No response = Port is open , RST flag = Port is closed ]
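Seen from the defender's side, the SYN -> SYN/ACK -> RST sequence of the half open scan is what a detector looks for. The following is an added example (not from the original notes) that applies that rule to a constructed packet log; the log format and the addresses are made up for the example.

```python
import re
from collections import defaultdict

# Constructed packet log for this example: "src:sport -> dst:dport flags"
# (S = SYN, A = ACK, R = RST). Not the output of any real tool.
SAMPLE_LOG = """\
10.0.0.9:40001 -> 192.168.0.1:22 S
192.168.0.1:22 -> 10.0.0.9:40001 SA
10.0.0.9:40001 -> 192.168.0.1:22 R
10.0.0.9:40002 -> 192.168.0.1:80 S
192.168.0.1:80 -> 10.0.0.9:40002 SA
10.0.0.9:40002 -> 192.168.0.1:80 R
10.0.0.9:40003 -> 192.168.0.1:443 S
192.168.0.1:443 -> 10.0.0.9:40003 SA
10.0.0.9:40003 -> 192.168.0.1:443 R
10.0.0.9:40004 -> 192.168.0.1:8080 S
192.168.0.1:8080 -> 10.0.0.9:40004 RA
10.0.0.5:50000 -> 192.168.0.1:22 S
192.168.0.1:22 -> 10.0.0.5:50000 SA
10.0.0.5:50000 -> 192.168.0.1:22 A
"""
LINE_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) ([SARFPU]+)$")


def parse_flows(log):
    """Track each client-initiated flow: did the server SYN/ACK, did the client ACK or RST?"""
    flows = {}  # (client, server, port) -> state
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":  # a bare SYN opens a new flow; src is the client
            flows.setdefault((src, dst, int(dport)), {"synack": False, "ack": False, "rst": False})
            continue
        c2s, s2c = (src, dst, int(dport)), (dst, src, int(sport))
        if c2s in flows:  # client side of an existing flow: completes it (ACK) or tears it down (RST)
            flows[c2s]["rst" if "R" in flags else "ack"] = True
        elif s2c in flows and flags == "SA":  # server accepted the SYN, i.e. the port is open
            flows[s2c]["synack"] = True
    return flows


def detect_syn_scans(log, threshold=3):
    """Clients with >= threshold open ports that were reset right after SYN/ACK, never ACKed."""
    hits = defaultdict(set)
    for (client, _server, port), st in parse_flows(log).items():
        if st["synack"] and st["rst"] and not st["ack"]:
            hits[client].add(port)
    return {c: sorted(p) for c, p in hits.items() if len(p) >= threshold}
```

A normal client (10.0.0.5 above) completes the handshake with an ACK and is never counted, and a closed port (8080, answered with RST/ACK) is not counted either.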
Counter Measure :
Banner Grabbing
Banner Grabbing :
Banner grabbing or OS fingerprinting is the method used to determine the operating system running on a remote target system.
Looking for an extension in the URL may assist in determining the application version.
eg: nc -vv www.cybervaultsec.com [ nc = netcat ( used for listening ) , -vv for verbose mode ]
Counter Measure :
Proxy, Anonymizer & Spoofing
Proxy Server :
• A proxy server is an application that can serve as an intermediary for connecting with other communication.
• To hide the source IP Address, masking the actual source of the attack with the fake source address of the proxy.
• To remotely access intranet & other website resources that are normally off limits.
• To intercept all the requests sent by a user & transmit them to a third destination, hence the victim will only be able to identify the proxy server address.
Proxy Chaining :
• The user requests a resource from the destination.
• The proxy client hides the user's system, connects to the proxy server, & passes the request through the proxy server.
• The proxy server strips the user's identification information & passes the request to the next proxy server.
• The process is repeated by all the proxy servers in the chain.
• At the end the un-encrypted request passes through to the server.
Anonymizer :
• An anonymizer removes all identifying information from the user's computer while the user surfs the internet.
• Anonymizers make activity on the internet untraceable.
• Anonymizers also allow you to bypass internet censorship.
Ingress Filtering :
Use routers & firewalls at your network perimeter to filter incoming packets that appear to come from an internal IP Address.
Egress Filtering :
Filter all outgoing packets with an invalid local IP Address as the source address.
Module 4 ( E-Num )
Enumeration :
In the phase of enumeration, an attacker initiates active connections with the target system. Once the attacker discovers an attack point, it can gain unauthorised access using this collected information to reach assets.
:~# cd /usr/share/nmap/scripts/
enum4linux -a 192.168.0.1
Password Cracking :
hydra -P test.txt 192.168.0.1 snmp [ P = Password ]
Module 5 ( Vulnerability )
Vulnerability Analysis :
• Vulnerability assessment is an examination of the ability of a system or application, including current security procedures & controls, to withstand assault.
• It recognises, measures & classifies security vulnerabilities in computer systems, networks & communication channels.
1) Active Assessment : Uses network scanners to find hosts, services and vulnerabilities.
2) Passive Assessment ( Sniffing ) : Technique used to sniff the network traffic to find out the active systems, network services, applications & vulnerabilities present.
3) External Assessment : Assesses the network from the hacker's point of view to find out what exploits & vulnerabilities are accessible to the outside world.
4) Internal Assessment : A technique to scan the internal infrastructure to find out exploits & vulnerabilities.
5) Host Based Assessment : Determines the vulnerabilities in a specific workstation or server by performing configuration level checks through the command line.
6) Network Assessment : Determines the possible network security attacks that may occur on the organization's systems.
7) Application Assessment : Tests the web infrastructure for any misconfiguration & known vulnerabilities.
9) Web Assessment : Static & Dynamic [ ( Static - No input ) & ( Dynamic - Input ) ]
4) Remediation : Tell them to take action and apply patches and other things.
6) Monitoring : To check IDS , implement policy.
Module 6 ( System Hacking )
2) Escalating Privileges :
- Vertical Privilege Escalation : Gaining higher level access.
- Horizontal Privilege Escalation : Gaining any other access at the same level.
Password Attack
Password Attack :
3) Passive Online Attack : Wire sniffing , packet sniffing , MitM attack , Bittercup.
5) Offline Attack ( Rainbow table ) : MD2 , MD4 , MD5 , SHA1 , SHA256 , SHA384 , SHA512 & other hashing formats.
6) USB Attack.
8) NTLM : New Technology LAN Manager : Uses different encryption for username & password.
To Start Metasploit :
1. search (--/--) [ (--/--) = For a specific port , protocol , service version and other ]
2. use (--/--)
3. show options
Payloads
4. msfconsole
5. use exploit/multi/handler
7. set lhost
8. set lport
- Go to the victim's browser and type in the URL our IP address : SimpleHTTPServer port no.
- Download the payload on the victim machine, and execute the payload on the victim machine.
9. Enter exploit or run in the msfconsole or msf framework after installing the payload on the victim machine.
Executing Application
Executing Applications :
After gaining unauthorised access to the system, the attacker may perform or execute the following activities.
Hiding Files :
Rootkit :
Types of rootkit :
Detecting Rootkits :
• Integrity based detection : It compares a snapshot of the file system, boot record or memory with a non-trusted baseline.
• Signature based detection : This technique compares the characteristics of all system processes & executable files with a database of non-rootkit fingerprints.
• Heuristic / Behaviour based detection : Any deviation in the system's normal activity or behaviour may indicate the presence of a rootkit.
• Runtime execution path profiling : This technique compares the runtime execution paths of all system processes and executable files before and after rootkit infection.
• Cross view based detection : Enumerates key elements in the computer system such as the file system, processes & registry keys & compares them to a data set generated by an algorithm that does not rely on the common API. Any discrepancy between these two data sets indicates the presence of a rootkit.
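The integrity based and cross view based checks from the list above, as an added example (not from the original notes). It runs over constructed in-memory file listings instead of a real disk: the "API view" stands for what the operating system's normal listing calls report, the "raw view" for the independently collected data set.

```python
import hashlib

# Constructed sample "file systems" (path -> content) so the example runs
# offline: a baseline snapshot taken from a known state, and the same host later.
BASELINE_FILES = {"/bin/ls": b"ls build 1", "/bin/ps": b"ps build 1", "/bin/netstat": b"netstat build 1"}
CURRENT_FILES = {"/bin/ls": b"ls build 1", "/bin/ps": b"ps build 1 + hooked", "/usr/lib/.hidden.so": b"payload"}

# Constructed cross-view input: what the OS API lists vs. what a raw read of
# the directory structure shows. Paths are made up for this example.
API_LISTING = ["/bin/ls", "/bin/ps"]
RAW_LISTING = ["/bin/ls", "/bin/ps", "/usr/lib/.hidden.so"]


def snapshot(files):
    """Integrity snapshot: SHA-256 of each file's content, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_diff(baseline, current):
    """Integrity based detection: compare a current snapshot with the baseline snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def cross_view_diff(api_view, raw_view):
    """Cross view based detection: entries the raw view has but the API view hides."""
    return sorted(set(raw_view) - set(api_view))


def run_checks():
    """Both checks over the constructed data; any non-empty result is an indicator."""
    changes = integrity_diff(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    hidden = cross_view_diff(API_LISTING, RAW_LISTING)
    return changes, hidden
```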
Counter Measure :
Update from time to time , use a strong firewall and antivirus etc.
Steganography & NTFS Data Stream
Steganography :
It is a technique of hiding a secret message within an ordinary message & extracting it at the destination to maintain the confidentiality of data.
#:- steghide embed -ef (text file) -cf (image) -sf (output file name) -p (password) [ To Hide ]
• NTFS ADS ( Alternate Data Stream ) is a Windows hidden stream which contains metadata for the file, such as attributes, word count, authentication or name.
• ADS is the ability to fork data into an existing file without changing or altering its functionality, size or display to file browsing utilities.
• ADS allows an attacker to inject malicious code into a file on an accessible system & execute it without being detected by the user.
Module 7 ( Malware )
Malware :
Malware is malicious software that damages or disables computer systems & gives limited or full control of the system to the malware creator for the purpose of theft or fraud.
Types Of Malware :
• Virus.
• Trojan Horse.
• Worms.
• Rootkit.
• Ransomware.
• Botnet, and so on.
Types Of Trojan :
• Botnet.
• E-Banking trojan.
• Proxy server trojan.
• Defacement trojan.
• Mobile trojan.
• IoT trojan.
Stages Of Viruses :
Types Of Virus & Indication
Indication Of Virus :
Types Of Viruses :
1) System / Boot Sector Virus : A boot sector virus moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
2) File Virus : A file virus infects files which are executed or interpreted in the system.
3) Multipartite Virus : A multipartite virus infects the system boot sector & the executable files at the same time.
4) Macro Virus : It infects files through Microsoft Excel, Word, and other Microsoft files.
5) Cluster Virus : It modifies directory table entries so that they point user or system processes to the virus code instead of the actual program.
6) Stealth / Tunneling Virus : These viruses evade anti-virus software by intercepting its requests to the OS.
7) Polymorphic Virus : Polymorphic code is code that mutates while keeping the original algorithm intact.
8) Metamorphic Virus : Metamorphic viruses rewrite themselves completely each time they infect a new executable.