Guide-CEH-Practical-Master

Exame Details

Exam Title: Certified Ethical Hacker (Practical)
Number of Practical Challenges: 20
Duration: 6 hours
Availability: Aspen – iLabs
Test Format: Cyber Range
Passing Score: Min 15 Questions

Exam Tips

Vulnerability analysis to identify security loopholes in the target organization’s network, communication infrastructure, and end systems, etc;
System hacking, steganography;
Network scanning to identify live and vulnerable machines in a network;
OS banner grabbing, service, and user enumeration;
Different types of cryptography attacks;
SQL injection attacks;
Packet sniffing;
Computer Forensic;

Format

Realized Test with Web Browser CyberQ
One ParrotOS to perform the pentest and Windows 11 Machine
Five machines to compromise on an isolated network from the internet
Search in Google? (Yes!)
Talk to someone during the race? (No!)
Proctored Monitor

Tools

Nmap
Hydra
Sqlmap
Wpscan
Nikto
John
Hashcat
Metasploit
Responder LLMNR
Wireshark or Tcpdump
Steghide
OpenStego
QuickStego
Dirb
OleView
Dcomcnf
RpcDump
Gacutil
Searchsploit
sandfly-entropyscan
Strings
FTK Imager
Malwoverview
GDB or IDA
Crunch
Cewl
LinPeas
Aircrack-ng
GTFOBINS
Veracrypt
Hashcalc
Rainbow Crack
Radare2
Rockyou and SecList

Helps

Reddit Exam Reviews
Medium Exam Reviews
Professionals Certificate
Hack The Box (Challenges Steganography and Web) (https://www.hackthebox.eu/)
Vulnhub (Machines Easy to Medium) (https://www.vulnhub.com/)
Labs PenTest Brazil (CEH Course made in Major Eder ft ACADI-TI) (https://acaditi.com.br/ceh-v10-treinamento-certified-ethical-hacker/)
TryHackMe (https://tryhackme.com/) / https://tryhackme.com/room/wirectf / https://tryhackme.com/room/wirectf / https://tryhackme.com/room/hydra / https://tryhackme.com/room/sqli / https://tryhackme.com/room/crackthehash / https://medium.com/@kyryloren/jack-writeup-by-kyryloren-tryhackme-e41cff4e1c55
iLabs CEH (https://ilabs.eccouncil.org/ethical-hacking-exercises/)
CEH Exam Guide (https://medium.com/techiepedia/certified-ethical-hacker-practical-exam-guide-dce1f4f216c9)

Examples Questions (There are the real issues)

What is the IP of the Windows X machine?
What is the version of the Linux Kernel?
How many Windows machines are there?
What is the password for user X of the FTP server?
What is user X's IBAN number?
Which user X's phone number?
What is the password hidden in the .jpeg file?
Rogue AP suspect, crack your password using capture.cap
Discovery RAT in Network and acess computer to recovery secret.txt
Identify IoT Message using capture.cap
Identify FQDN of Domain Controller
Perform deep scan on the elf and obtain hash of the file with highest entropy value.
Find the executable's Entry point (Address)

Attacks Vector

https://www.upguard.com/blog/attack-vector

https://searchsecurity.techtarget.com/definition/attack-vector

https://www.balbix.com/insights/attack-vectors-and-breach-methods/

https://attack.mitre.org/

https://searchsecurity.techtarget.com/definition/attack-vector#:~:text=An%20attack%20vector%20is%20a,vulnerabilities%2C%20including%20the%20human%20element.

https://www.youtube.com/watch?v=LsuoJb7n3co

https://www.youtube.com/watch?v=rcB4EZLfi7I

https://www.youtube.com/watch?v=dz7Ntp7KQGA

Network Scanning

https://nmap.org/man/pt_BR/index.html

https://nmap.org/docs.html

https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/

https://hackertarget.com/nmap-tutorial/

https://www.stationx.net/nmap-cheat-sheet/

https://media.x-ra.de/doc/NmapCheatSheetv1.1.pdf

https://www.100security.com.br/netdiscover

https://kalilinuxtutorials.com/netdiscover-scan-live-hosts-network/

https://www.youtube.com/watch?v=PS677owUk-c

https://www.stationx.net/nmap-cheat-sheet/

https://redteamtutorials.com/2018/10/14/nmap-cheatsheet/

https://resources.infosecinstitute.com/nmap-cheat-sheet/#gref

https://medium.com/@infosecsanyam/nmap-cheat-sheet-nmap-scanning-types-scanning-commands-nse-scripts-868a7bd7f692

https://resources.infosecinstitute.com/network-discovery-tool/#gref

Enumeration

Brute Force

https://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux

https://securitytutorials.co.uk/brute-forcing-passwords-with-thc-hydra/

https://redteamtutorials.com/2018/10/25/hydra-brute-force-https/

https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-passwords-with-tamper-data-thc-hydra-0155374/

https://laconicwolf.com/2018/09/29/hashcat-tutorial-the-basics-of-cracking-passwords-with-hashcat/

https://medium.com/@sc015020/how-to-crack-passwords-with-john-the-ripper-fdb98449ff1

https://www.varonis.com/blog/john-the-ripper/

Wordlists

http://www.phenoelit.org/dpl/dpl.html

https://datarecovery.com/rd/default-passwords/

https://github.com/Dormidera/WordList-Compendium

https://github.com/danielmiessler/SecLists

https://www.kaggle.com/wjburns/common-password-list-rockyoutxt

SQL Injection

Types of SQL Injection

Union-based SQLi: This technique involves using the UNION SQL operator to combine the results of the original query with the results of an attacker-controlled query.

Error-based SQLi: This technique involves forcing the database to generate an error, which can reveal information about the database structure.

Blind SQLi: In this type of SQLi, the attacker doesn't get the results of the SQL query in the HTTP response. The attacker has to send a payload, and based on the application's response, he can infer if the payload was executed successfully or not.

Time-based Blind SQLi: This is a type of blind SQLi where the attacker can infer if the payload was executed successfully or not based on the time the server takes to respond.

Out-of-Band SQLi: In this type of SQLi, the attacker doesn't get the results of the SQL query in the HTTP response. Instead, the results are sent to an external server controlled by the attacker.

Second Order SQLi: In this type of SQLi, the payload is not directly injected into the SQL query, but it is stored by the application and used in a later SQL query.

Stored Procedure Attacks: This involves calling stored procedures from the SQL injection point.

Function Call Payloads: This involves calling database functions from the SQL injection point.

Boolean-based SQLi: This involves sending a SQL query that will return a different result depending on whether the condition in the query is true or false.

Content-based SQLi: This involves sending a SQL query that will return a different result depending on the content of the HTTP response.

Tools

SQLMap: SQLMap is a popular open-source penetration testing tool that automates the process of detecting and exploiting SQL Injection vulnerabilities.

Havij: Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities.

jSQL Injection: jSQL Injection is a lightweight application used to find database information from a distant server.

BBQSQL: BBQSQL is a blind SQL injection framework written in Python.

NoSQLMap: NoSQLMap is an open-source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases.

SQLNinja: SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.

SQLiX: SQLiX is a SQL Injection scanner written in Perl.

SQLSentinel: SQLSentinel is an application-level firewall for MySQL that prevents SQL Injection attacks.

MyBatis: MyBatis is a Java persistence framework that includes a built-in SQL Injection scanner.

Blisqy: Blisqy is a tool to aid Web Security researchers to find Time-based Blind SQL injection on HTTP Headers and also exploitation of the same vulnerability.

Malware Analysis

Static Analysis:

Header Examination: Look at the headers of the executable file. Common executable file formats include PE (Portable Executable) for Windows and ELF (Executable and Linkable Format) for Linux. Disassembly: Disassemble the binary code using a disassembler such as IDA Pro, Ghidra, or Radare2. These tools can help you navigate the assembly code and identify the entry point.

Dynamic Analysis:

Debugger: Use a debugger like OllyDbg, WinDbg, or GDB to run the executable in a controlled environment. Set breakpoints and step through the code until you reach the entry point. Monitoring Tools: Use tools like Process Monitor (ProcMon) on Windows or strace on Linux to monitor system calls and identify when the executable is loaded and starts executing. Strings and Signatures:

String Analysis: Look for strings within the executable that may indicate the entry point. Some malware authors leave identifiable strings. Signature-Based Detection: Use antivirus or anti-malware tools that might have signature databases to identify known malware and their entry points. Code Emulation and Analysis:

Sandboxing: Execute the executable in a controlled environment, often called a sandbox, and monitor its behavior. Analyze the log or output for indications of the entry point.