The document outlines the changes between the Certified Ethical Hacker (CEH) versions 11 and 12, highlighting updates in modules, labs, and attack techniques. CEHv12 includes new content such as advanced persistence techniques, malware analysis, and cloud computing concepts, while also updating tools and screenshots. Overall, CEHv12 maintains the same exam structure but incorporates the latest developments in ethical hacking practices.

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker

Version Change Document



Version Comparison

Item | CEHv11 | CEHv12
Total Number of Modules | 20 | 20
Total Number of Slides | 1640 | 1676
Total Number of Labs | 200 | 220
Total Number of New Labs | 92 | 33
Attack Techniques | 420 | 519
New Technology Added | OT Technology, Serverless Computing, WPA3 Encryption, APT, Fileless Malware, Web API, and Web Shell | MITRE ATT&CK Framework, Diamond Model of Intrusion Analysis, Techniques for Establishing Persistence, Evading NAC and Endpoint Security, Fog Computing, Edge Computing, and Grid Computing
OS Used for Labs | Windows 10, Windows Server 2019, Windows Server 2016, Parrot Security, Android, Ubuntu Linux | Windows 11, Windows Server 2022, Windows Server 2019, Parrot Security, Android, Ubuntu Linux
Exam | 125 Questions (MCQ) | 125 Questions (MCQ)
Exam Duration | 4 Hours | 4 Hours
Exam Delivery | VUE / ECCEXAM | VUE / ECCEXAM
NICE Compliance | Final NICE 2.0 Framework | Final NICE 2.0 Framework

Page | 1 Ethical Hacking and Countermeasures Copyright © by EC-Council


All Rights Reserved. Reproduction is Strictly Prohibited.

CEHv12 Change Summary


1. Module 06: System Hacking includes techniques for establishing persistence in CEHv12
2. Module 07: Malware Threats includes malware analysis of the latest malware in CEHv12
3. Module 12: Evading IDS, Firewalls, and Honeypots includes evading NAC and endpoint security in CEHv12
4. Module 14: Hacking Web Applications includes the OWASP Top 10 Application Security Risks - 2021 in CEHv12
5. Module 19: Cloud Computing includes fog computing, edge computing, grid computing, cloud security controls, and cloud access security broker (CASB) in CEHv12
6. Information is updated as per the latest developments, with a proper flow
7. The latest operating systems are covered, with a patched testing environment
8. All tool screenshots are replaced with the latest versions
9. All tool listing slides are updated with the latest tools
10. All countermeasure slides are updated


Module Comparison

CEHv11 | CEHv12
Module 01: Introduction to Ethical Hacking | Module 01: Introduction to Ethical Hacking
Module 02: Footprinting and Reconnaissance | Module 02: Footprinting and Reconnaissance
Module 03: Scanning Networks | Module 03: Scanning Networks
Module 04: Enumeration | Module 04: Enumeration
Module 05: Vulnerability Analysis | Module 05: Vulnerability Analysis
Module 06: System Hacking | Module 06: System Hacking
Module 07: Malware Threats | Module 07: Malware Threats
Module 08: Sniffing | Module 08: Sniffing
Module 09: Social Engineering | Module 09: Social Engineering
Module 10: Denial-of-Service | Module 10: Denial-of-Service
Module 11: Session Hijacking | Module 11: Session Hijacking
Module 12: Evading IDS, Firewalls, and Honeypots | Module 12: Evading IDS, Firewalls, and Honeypots
Module 13: Hacking Web Servers | Module 13: Hacking Web Servers
Module 14: Hacking Web Applications | Module 14: Hacking Web Applications
Module 15: SQL Injection | Module 15: SQL Injection
Module 16: Hacking Wireless Networks | Module 16: Hacking Wireless Networks
Module 17: Hacking Mobile Platforms | Module 17: Hacking Mobile Platforms
Module 18: IoT and OT Hacking | Module 18: IoT and OT Hacking
Module 19: Cloud Computing | Module 19: Cloud Computing
Module 20: Cryptography | Module 20: Cryptography


Courseware Content Comparison


The notations used:
1. Red points are new slides in CEHv12
2. Blue points are substantially modified in CEHv12
3. Struck-through points are removed from CEHv11
4. Struck-through points are moved to the self-study module in CEHv12

Module 01: Introduction to Ethical Hacking

CEHv11:
Information Security Overview
  ▪ Elements of Information Security
  ▪ Motives, Goals, and Objectives of Information Security Attacks
  ▪ Classification of Attacks
  ▪ Information Warfare
Cyber Kill Chain Concepts
  ▪ Cyber Kill Chain Methodology
  ▪ Tactics, Techniques, and Procedures (TTPs)
  ▪ Adversary Behavioral Identification
  ▪ Indicators of Compromise (IoCs)
    o Categories of Indicators of Compromise
Hacking Concepts
  ▪ What is Hacking?
  ▪ Who is a Hacker?
  ▪ Hacker Classes
  ▪ Hacking Phases
    o Reconnaissance
    o Scanning
    o Gaining Access
    o Maintaining Access
    o Clearing Tracks
Ethical Hacking Concepts
  ▪ What is Ethical Hacking?
  ▪ Why Ethical Hacking is Necessary
  ▪ Scope and Limitations of Ethical Hacking
  ▪ Skills of an Ethical Hacker
Information Security Controls
  ▪ Information Assurance (IA)
  ▪ Defense-in-Depth
  ▪ What is Risk?
    o Risk Management
  ▪ Cyber Threat Intelligence
  ▪ Threat Modeling
  ▪ Incident Management
    o Incident Handling and Response
  ▪ Role of AI and ML in Cyber Security
    o How Do AI and ML Prevent Cyber Attacks?
Information Security Laws and Standards
  ▪ Payment Card Industry Data Security Standard (PCI DSS)
  ▪ ISO/IEC 27001:2013
  ▪ Health Insurance Portability and Accountability Act (HIPAA)
  ▪ Sarbanes Oxley Act (SOX)
  ▪ The Digital Millennium Copyright Act (DMCA)
  ▪ The Federal Information Security Management Act (FISMA)
  ▪ Cyber Law in Different Countries

CEHv12:
Information Security Overview
  ▪ Elements of Information Security
  ▪ Motives, Goals, and Objectives of Information Security Attacks
  ▪ Classification of Attacks
  ▪ Information Warfare
Hacking Methodologies and Frameworks
  ▪ CEH Hacking Methodology (CHM)
  ▪ Cyber Kill Chain Methodology
  ▪ Tactics, Techniques, and Procedures (TTPs)
  ▪ Adversary Behavioral Identification
  ▪ Indicators of Compromise (IoCs)
    o Categories of Indicators of Compromise
  ▪ MITRE ATT&CK Framework
  ▪ Diamond Model of Intrusion Analysis
Hacking Concepts
  ▪ What is Hacking?
  ▪ Who is a Hacker?
  ▪ Hacker Classes
Ethical Hacking Concepts
  ▪ What is Ethical Hacking?
  ▪ Why Ethical Hacking is Necessary
  ▪ Scope and Limitations of Ethical Hacking
  ▪ Skills of an Ethical Hacker
Information Security Controls
  ▪ Information Assurance (IA)
  ▪ Continual/Adaptive Security Strategy
  ▪ Defense-in-Depth
  ▪ What is Risk?
  ▪ Risk Management
  ▪ Cyber Threat Intelligence
    o Threat Intelligence Lifecycle
  ▪ Threat Modeling
  ▪ Incident Management
    o Incident Handling and Response
  ▪ Role of AI and ML in Cyber Security
    o How Do AI and ML Prevent Cyber Attacks?
Information Security Laws and Standards
  ▪ Payment Card Industry Data Security Standard (PCI DSS)
  ▪ ISO/IEC 27001:2013
  ▪ Health Insurance Portability and Accountability Act (HIPAA)
  ▪ Sarbanes Oxley Act (SOX)
  ▪ The Digital Millennium Copyright Act (DMCA)
  ▪ The Federal Information Security Management Act (FISMA)
  ▪ General Data Protection Regulation (GDPR)
  ▪ Data Protection Act 2018 (DPA)
  ▪ Cyber Law in Different Countries

Module 02: Footprinting and Reconnaissance

CEHv11:
Footprinting Concepts
  ▪ What is Footprinting?
Footprinting through Search Engines
  ▪ Footprinting through Search Engines
  ▪ Footprint Using Advanced Google Hacking Techniques
  ▪ Google Hacking Database
  ▪ VoIP and VPN Footprinting through Google Hacking Database
  ▪ Other Techniques for Footprinting through Search Engines
    o Gathering Information Using Google Advanced Search and Advanced Image Search
    o Gathering Information Using Reverse Image Search
    o Gathering Information Using Video Search Engines
    o Gathering Information Using Meta Search Engines
    o Gathering Information Using FTP Search Engines
    o Gathering Information Using IoT Search Engines
Footprinting through Web Services
  ▪ Finding a Company's Top-Level Domains (TLDs) and Sub-domains
  ▪ Finding the Geographical Location of the Target
  ▪ People Search on Social Networking Sites and People Search Services
  ▪ Gathering Information from LinkedIn
  ▪ Harvesting Email Lists
  ▪ Gather Information from Financial Services
  ▪ Footprinting through Job Sites
  ▪ Deep and Dark Web Footprinting
  ▪ Determining the Operating System
  ▪ VoIP and VPN Footprinting through SHODAN
  ▪ Competitive Intelligence Gathering
    o Competitive Intelligence - When Did this Company Begin? How Did it Develop?
    o Competitive Intelligence - What Are the Company's Plans?
    o Competitive Intelligence - What Expert Opinions Say About the Company
  ▪ Other Techniques for Footprinting through Web Services
    o Information Gathering Using Business Profile Sites
    o Monitoring Target Using Alerts
    o Tracking Online Reputation of the Target
    o Information Gathering Using Groups, Forums, and Blogs
    o Information Gathering Using NNTP Usenet Newsgroups
Footprinting through Social Networking Sites
  ▪ Collecting Information through Social Engineering on Social Networking Sites
  ▪ General Resources for Locating Information from Social Media Sites
  ▪ Conducting Location Search on Social Media Sites
  ▪ Tools for Footprinting through Social Networking Sites
Website Footprinting
  ▪ Website Footprinting
  ▪ Website Footprinting using Web Spiders
  ▪ Mirroring Entire Website
  ▪ Extracting Website Information from https://archive.org
  ▪ Extracting Website Links
  ▪ Gathering Wordlist from the Target Website
  ▪ Extracting Metadata of Public Documents
  ▪ Other Techniques for Website Footprinting
    o Monitoring Web Pages for Updates and Changes
    o Searching for Contact Information, Email Addresses and Telephone Numbers from Company Website
    o Searching for Web Pages Posting Patterns and Revision Numbers
    o Monitoring Website Traffic of Target Company
Email Footprinting
  ▪ Tracking Email Communications
  ▪ Email Tracking Tools
Whois Footprinting
  ▪ Whois Lookup
  ▪ Finding IP Geolocation Information
DNS Footprinting
  ▪ Extracting DNS Information
  ▪ Reverse DNS Lookup
Network Footprinting
  ▪ Locate the Network Range
  ▪ Traceroute
  ▪ Traceroute Analysis
  ▪ Traceroute Tools
Footprinting through Social Engineering
  ▪ Footprinting through Social Engineering
  ▪ Collect Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation
Footprinting Tools
  ▪ Maltego
  ▪ Recon-ng
  ▪ FOCA
  ▪ OSRFramework
  ▪ OSINT Framework
  ▪ Recon-Dog
  ▪ BillCipher
Footprinting Countermeasures
  ▪ Footprinting Countermeasures

CEHv12:
Footprinting Concepts
  ▪ What is Footprinting?
  ▪ Information Obtained in Footprinting
  ▪ Footprinting Methodology
Footprinting through Search Engines
  ▪ Footprinting through Search Engines
  ▪ Footprint Using Advanced Google Hacking Techniques
  ▪ Google Hacking Database
  ▪ VPN Footprinting through Google Hacking Database
  ▪ Other Techniques for Footprinting through Search Engines
    o Google Advanced Search
    o Advanced Image Search
    o Reverse Image Search
    o Video Search Engines
    o Meta Search Engines
    o FTP Search Engines
    o IoT Search Engines
Footprinting through Web Services
  ▪ Finding a Company's Top-Level Domains (TLDs) and Sub-domains
  ▪ Finding the Geographical Location of the Target
  ▪ People Search on Social Networking Sites and People Search Services
  ▪ Gathering Information from LinkedIn
  ▪ Harvesting Email Lists
  ▪ Footprinting through Job Sites
  ▪ Deep and Dark Web Footprinting
  ▪ Determining the Operating System
  ▪ VoIP and VPN Footprinting through SHODAN
  ▪ Competitive Intelligence Gathering
  ▪ Other Techniques for Footprinting through Web Services
    o Finding the Geographical Location of the Target
    o Gathering Information from Financial Services
    o Gathering Information from Business Profile Sites
    o Monitoring Targets Using Alerts
    o Tracking the Online Reputation of the Target
    o Gathering Information from Groups, Forums, and Blogs
    o Gathering Information from NNTP Usenet Newsgroups
    o Gathering Information from Public Source-Code Repositories
Footprinting through Social Networking Sites
  ▪ Collecting Information through Social Engineering on Social Networking Sites
  ▪ General Resources for Locating Information from Social Media Sites
  ▪ Conducting Location Search on Social Media Sites
  ▪ Constructing and Analyzing Social Network Graphs
  ▪ Tools for Footprinting through Social Networking Sites
Website Footprinting
  ▪ Website Footprinting
  ▪ Website Footprinting using Web Spiders
  ▪ Mirroring Entire Website
  ▪ Extracting Website Information from https://archive.org
  ▪ Other Techniques for Website Footprinting
    o Extracting Website Links
    o Gathering the Wordlist from the Target Website
    o Extracting Metadata of Public Documents
    o Monitoring Web Pages for Updates and Changes
    o Searching for Contact Information, Email Addresses, and Telephone Numbers from Company Website
    o Searching for Web Pages Posting Patterns and Revision Numbers
    o Monitoring Website Traffic of the Target Company
Email Footprinting
  ▪ Tracking Email Communications
  ▪ Email Tracking Tools
Whois Footprinting
  ▪ Whois Lookup
  ▪ Finding IP Geolocation Information
DNS Footprinting
  ▪ Extracting DNS Information
  ▪ Reverse DNS Lookup
Network Footprinting
  ▪ Locate the Network Range
  ▪ Traceroute
  ▪ Traceroute Analysis
  ▪ Traceroute Tools
Footprinting through Social Engineering
  ▪ Footprinting through Social Engineering
  ▪ Collect Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation
Footprinting Tools
  ▪ Footprinting Tools: Maltego and Recon-ng
  ▪ Footprinting Tools: FOCA and OSRFramework
  ▪ Footprinting Tools: OSINT Framework
  ▪ Footprinting Tools: Recon-Dog and BillCipher
  ▪ Footprinting Tools: Spyse
Footprinting Countermeasures
  ▪ Footprinting Countermeasures

Module 03: Scanning Networks

CEHv11:
Network Scanning Concepts
  ▪ Overview of Network Scanning
  ▪ TCP Communication Flags
  ▪ TCP/IP Communication
Scanning Tools
  ▪ Nmap
  ▪ Hping2/Hping3
    o Hping Commands
  ▪ Scanning Tools
  ▪ Scanning Tools for Mobile
Host Discovery
  ▪ Host Discovery Techniques
    o ARP Ping Scan and UDP Ping Scan
    o ICMP ECHO Ping Scan
    o ICMP ECHO Ping Sweep
      • Ping Sweep Tools
      • Ping Sweep Countermeasures
    o Other Host Discovery Techniques
      • ICMP Timestamp and Address Mask Ping Scan
      • TCP Ping Scan
        ✓ TCP SYN Ping Scan
        ✓ TCP ACK Ping Scan
      • IP Protocol Ping Scan
Port and Service Discovery
  ▪ Port Scanning Techniques
    o TCP Scanning
      • TCP Connect/Full Open Scan
      • Stealth Scan (Half-open Scan)
      • Inverse TCP Flag Scan
      • Xmas Scan
      • TCP Maimon Scan
      • ACK Flag Probe Scan
      • IDLE/IPID Header Scan
    o UDP Scanning
    o SCTP Scanning
      • SCTP INIT Scanning
      • SCTP COOKIE ECHO Scanning
    o SSDP and List Scanning
    o IPv6 Scanning
  ▪ Service Version Discovery
  ▪ Nmap Scan Time Reduction Techniques
  ▪ Port Scanning Countermeasures
OS Discovery (Banner Grabbing/OS Fingerprinting)
  ▪ OS Discovery/Banner Grabbing
  ▪ How to Identify Target System OS
    o OS Discovery using Wireshark
    o OS Discovery using Nmap and Unicornscan
    o OS Discovery using Nmap Script Engine
    o OS Discovery using IPv6 Fingerprinting
  ▪ Banner Grabbing Countermeasures
Scanning Beyond IDS and Firewall
  ▪ IDS/Firewall Evasion Techniques
    o Packet Fragmentation
    o Source Routing
    o Source Port Manipulation
    o IP Address Decoy
    o IP Address Spoofing
      • IP Spoofing Detection Techniques: Direct TTL Probes
      • IP Spoofing Detection Techniques: IP Identification Number
      • IP Spoofing Detection Techniques: TCP Flow Control Method
      • IP Spoofing Countermeasures
    o Creating Custom Packets
      • Using Packet Crafting Tools
      • Appending Custom Binary Data
      • Appending Custom String
      • Appending Random Data
    o Randomizing Host Order and Sending Bad Checksums
    o Proxy Servers
      • Proxy Chaining
      • Proxy Tools
      • Proxy Tools for Mobile
    o Anonymizers
      • Censorship Circumvention Tools: Alkasir and Tails
      • Anonymizers
      • Anonymizers for Mobile
Draw Network Diagrams
  ▪ Drawing Network Diagrams
  ▪ Network Discovery and Mapping Tools
  ▪ Network Discovery Tools for Mobile

CEHv12:
Network Scanning Concepts
  ▪ Overview of Network Scanning
  ▪ TCP Communication Flags
  ▪ TCP/IP Communication
Scanning Tools
  ▪ Scanning Tools: Nmap
  ▪ Scanning Tools: Hping3
    o Hping Commands
  ▪ Scanning Tools
  ▪ Scanning Tools for Mobile
Host Discovery
  ▪ Host Discovery Techniques
    o ARP Ping Scan
    o UDP Ping Scan
    o ICMP ECHO Ping Scan
    o ICMP ECHO Ping Sweep
    o ICMP Timestamp Ping Scan
    o ICMP Address Mask Ping Scan
    o TCP SYN Ping Scan
    o TCP ACK Ping Scan
    o IP Protocol Ping Scan
    o Ping Sweep Tools
Port and Service Discovery
  ▪ Port Scanning Techniques
    o TCP Scanning
      • TCP Connect/Full Open Scan
      • Stealth Scan (Half-open Scan)
      • Inverse TCP Flag Scan
        ✓ Xmas Scan
        ✓ FIN Scan
        ✓ NULL Scan
        ✓ TCP Maimon Scan
      • ACK Flag Probe Scan
        ✓ TTL-Based Scan
        ✓ Window-Based Scan
      • IDLE/IPID Header Scan
    o UDP Scan
    o SCTP INIT Scan
    o SCTP COOKIE ECHO Scan
    o SSDP and List Scan
    o IPv6 Scan
  ▪ Service Version Discovery
  ▪ Nmap Scan Time Reduction Techniques
OS Discovery (Banner Grabbing/OS Fingerprinting)
  ▪ OS Discovery/Banner Grabbing
  ▪ How to Identify Target System OS
    o OS Discovery using Wireshark
    o OS Discovery using Nmap and Unicornscan
    o OS Discovery using Nmap Script Engine
    o OS Discovery using IPv6 Fingerprinting
Scanning Beyond IDS and Firewall
  ▪ IDS/Firewall Evasion Techniques
    o Packet Fragmentation
    o Source Routing
    o Source Port Manipulation
    o IP Address Decoy
    o IP Address Spoofing
    o MAC Address Spoofing
    o Creating Custom Packets
    o Randomizing Host Order and Sending Bad Checksums
    o Proxy Servers
      • Proxy Chaining
      • Proxy Tools
      • Proxy Tools for Mobile
    o Anonymizers
      • Censorship Circumvention Tools: Alkasir and Tails
Network Scanning Countermeasures
  ▪ Ping Sweep Countermeasures
  ▪ Port Scanning Countermeasures
  ▪ Banner Grabbing Countermeasures
  ▪ IP Spoofing Detection Techniques
    o Direct TTL Probes
    o IP Identification Number
    o TCP Flow Control Method
  ▪ IP Spoofing Countermeasures
  ▪ Scanning Detection and Prevention Tools

Module 04: Enumeration

CEHv11:
Enumeration Concepts
  ▪ What is Enumeration?
  ▪ Techniques for Enumeration
  ▪ Services and Ports to Enumerate
NetBIOS Enumeration
  ▪ NetBIOS Enumeration
  ▪ NetBIOS Enumeration Tools
  ▪ Enumerating User Accounts
  ▪ Enumerating Shared Resources Using Net View
SNMP Enumeration
  ▪ SNMP (Simple Network Management Protocol) Enumeration
  ▪ Working of SNMP
  ▪ Management Information Base (MIB)
  ▪ SNMP Enumeration Tools
LDAP Enumeration
  ▪ LDAP Enumeration
  ▪ LDAP Enumeration Tools
NTP and NFS Enumeration
  ▪ NTP Enumeration
  ▪ NTP Enumeration Commands
  ▪ NTP Enumeration Tools
  ▪ NFS Enumeration
  ▪ NFS Enumeration Tools
SMTP and DNS Enumeration
  ▪ SMTP Enumeration
  ▪ SMTP Enumeration Tools
  ▪ DNS Enumeration Using Zone Transfer
  ▪ DNS Cache Snooping
  ▪ DNSSEC Zone Walking
Other Enumeration Techniques
  ▪ IPsec Enumeration
  ▪ VoIP Enumeration
  ▪ RPC Enumeration
  ▪ Unix/Linux User Enumeration
  ▪ Telnet Enumeration
  ▪ SMB Enumeration
  ▪ FTP Enumeration
  ▪ TFTP Enumeration
  ▪ IPv6 Enumeration
  ▪ BGP Enumeration
Enumeration Countermeasures
  ▪ Enumeration Countermeasures

CEHv12:
Enumeration Concepts
  ▪ What is Enumeration?
  ▪ Techniques for Enumeration
  ▪ Services and Ports to Enumerate
NetBIOS Enumeration
  ▪ NetBIOS Enumeration
  ▪ NetBIOS Enumeration Tools
  ▪ Enumerating User Accounts
  ▪ Enumerating Shared Resources Using Net View
SNMP Enumeration
  ▪ SNMP (Simple Network Management Protocol) Enumeration
  ▪ Working of SNMP
  ▪ Management Information Base (MIB)
  ▪ Enumerating SNMP using SnmpWalk
  ▪ Enumerating SNMP using Nmap
  ▪ SNMP Enumeration Tools
LDAP Enumeration
  ▪ LDAP Enumeration
  ▪ Manual and Automated LDAP Enumeration
  ▪ LDAP Enumeration Tools
NTP and NFS Enumeration
  ▪ NTP Enumeration
  ▪ NTP Enumeration Commands
  ▪ NTP Enumeration Tools
  ▪ NFS Enumeration
  ▪ NFS Enumeration Tools
SMTP and DNS Enumeration
  ▪ SMTP Enumeration
  ▪ SMTP Enumeration using Nmap
  ▪ SMTP Enumeration using Metasploit
  ▪ SMTP Enumeration Tools
  ▪ DNS Enumeration Using Zone Transfer
  ▪ DNS Cache Snooping
  ▪ DNSSEC Zone Walking
  ▪ DNS and DNSSEC Enumeration using Nmap
Other Enumeration Techniques
  ▪ IPsec Enumeration
  ▪ VoIP Enumeration
  ▪ RPC Enumeration
  ▪ Unix/Linux User Enumeration
  ▪ Telnet and SMB Enumeration
  ▪ FTP and TFTP Enumeration
  ▪ IPv6 Enumeration
  ▪ BGP Enumeration
Enumeration Countermeasures
  ▪ Enumeration Countermeasures
  ▪ DNS Enumeration Countermeasures

Module 05: Vulnerability Analysis

CEHv11:
Vulnerability Assessment Concepts
  ▪ Vulnerability Research
  ▪ Resources for Vulnerability Research
  ▪ What is Vulnerability Assessment?
  ▪ Vulnerability Scoring Systems and Databases
    o Common Vulnerability Scoring System (CVSS)
    o Common Vulnerabilities and Exposures (CVE)
    o National Vulnerability Database (NVD)
    o Common Weakness Enumeration (CWE)
  ▪ Vulnerability-Management Life Cycle
    o Pre-Assessment Phase
    o Vulnerability Assessment Phase
    o Post Assessment Phase
Vulnerability Classification and Assessment Types
  ▪ Vulnerability Classification
  ▪ Types of Vulnerability Assessment
Vulnerability Assessment Solutions and Tools
  ▪ Comparing Approaches to Vulnerability Assessment
  ▪ Characteristics of a Good Vulnerability Assessment Solution
  ▪ Working of Vulnerability Scanning Solutions
  ▪ Types of Vulnerability Assessment Tools
  ▪ Choosing a Vulnerability Assessment Tool
  ▪ Criteria for Choosing a Vulnerability Assessment Tool
  ▪ Best Practices for Selecting Vulnerability Assessment Tools
  ▪ Vulnerability Assessment Tools
    o Qualys Vulnerability Management
    o Nessus Professional
    o GFI LanGuard
    o OpenVAS
    o Nikto
    o Other Vulnerability Assessment Tools
  ▪ Vulnerability Assessment Tools for Mobile
Vulnerability Assessment Reports
  ▪ Vulnerability Assessment Reports
  ▪ Analyzing Vulnerability Scanning Report

CEHv12:
Vulnerability Assessment Concepts
  ▪ What is Vulnerability?
    o Examples of Vulnerabilities
  ▪ Vulnerability Research
  ▪ Resources for Vulnerability Research
  ▪ What is Vulnerability Assessment?
  ▪ Vulnerability Scoring Systems and Databases
  ▪ Vulnerability-Management Life Cycle
    o Pre-Assessment Phase
    o Vulnerability Assessment Phase
    o Post Assessment Phase
Vulnerability Classification and Assessment Types
  ▪ Vulnerability Classification
    o Misconfigurations/Weak Configurations
    o Application Flaws
    o Poor Patch Management
    o Design Flaws
    o Third-Party Risks
    o Default Installations/Default Configurations
    o Operating System Flaws
    o Default Passwords
    o Zero-Day Vulnerabilities
    o Legacy Platform Vulnerabilities
    o System Sprawl/Undocumented Assets
    o Improper Certificate and Key Management
  ▪ Types of Vulnerability Assessment
Vulnerability Assessment Tools
  ▪ Comparing Approaches to Vulnerability Assessment
  ▪ Characteristics of a Good Vulnerability Assessment Solution
  ▪ Working of Vulnerability Scanning Solutions
  ▪ Types of Vulnerability Assessment Tools
  ▪ Choosing a Vulnerability Assessment Tool
  ▪ Criteria for Choosing a Vulnerability Assessment Tool
  ▪ Best Practices for Selecting Vulnerability Assessment Tools
  ▪ Vulnerability Assessment Tools: Qualys Vulnerability Management
  ▪ Vulnerability Assessment Tools: Nessus Professional and GFI LanGuard
  ▪ Vulnerability Assessment Tools: OpenVAS and Nikto
  ▪ Other Vulnerability Assessment Tools
  ▪ Vulnerability Assessment Tools for Mobile
Vulnerability Assessment Reports
  ▪ Vulnerability Assessment Reports
  ▪ Components of a Vulnerability Assessment Report

Module 06: System Hacking

CEHv11:
System Hacking Concepts
  ▪ CEH Hacking Methodology (CHM)
  ▪ System Hacking Goals
Gaining Access
  ▪ Cracking Passwords
    o Microsoft Authentication
    o How Hash Passwords Are Stored in Windows SAM?
    o NTLM Authentication Process
    o Kerberos Authentication
    o Password Cracking
    o Types of Password Attacks
      • Non-Electronic Attacks
      • Active Online Attacks
        ✓ Dictionary, Brute-Force and Rule-based Attack
        ✓ Password Guessing
        ✓ Default Passwords
        ✓ Trojans/Spyware/Keyloggers
        ✓ Hash Injection/Pass-the-Hash (PtH) Attack
        ✓ LLMNR/NBT-NS Poisoning
        ✓ Internal Monologue Attack
        ✓ Cracking Kerberos Password
        ✓ Pass the Ticket Attack
        ✓ Other Active Online Attacks
          ➢ Combinator Attack
          ➢ Fingerprint Attack
          ➢ PRINCE Attack
          ➢ Toggle-Case Attack
          ➢ Markov Chains Attack
      • Passive Online Attacks
        ✓ Wire Sniffing
        ✓ Man-in-the-Middle and Replay Attacks
      • Offline Attacks
        ✓ Rainbow Table Attack
        ✓ Distributed Network Attack
    o Password Recovery Tools
    o Tools to Extract the Password Hashes
    o Password Cracking Tools
    o Password Salting
    o How to Defend against Password Cracking
    o How to Defend against LLMNR/NBT-NS Poisoning
    o Tools to Detect LLMNR/NBT-NS Poisoning
  ▪ Vulnerability Exploitation
    o Exploit Sites
    o Buffer Overflow
      • Types of Buffer Overflow
        ✓ Stack-Based Buffer Overflow
        ✓ Heap-Based Buffer Overflow
      • Simple Buffer Overflow in C
      • Windows Buffer Overflow Exploitation
        ✓ Perform Spiking
        ✓ Perform Fuzzing
        ✓ Identify the Offset
        ✓ Overwrite the EIP Register
        ✓ Identify Bad Characters
        ✓ Identify the Right Module
        ✓ Generate Shellcode and Gain Shell Access
      • Buffer Overflow Detection Tools
      • Defending against Buffer Overflows
Escalating Privileges
  ▪ Privilege Escalation
  ▪ Privilege Escalation Using DLL Hijacking
  ▪ Privilege Escalation by Exploiting Vulnerabilities
  ▪ Privilege Escalation Using Dylib Hijacking
  ▪ Privilege Escalation using Spectre and Meltdown Vulnerabilities
  ▪ Privilege Escalation using Named Pipe Impersonation
  ▪ Privilege Escalation by Exploiting Misconfigured Services
    o Unquoted Service Paths
    o Service Object Permissions
    o Unattended Installs
  ▪ Pivoting and Relaying to Hack External Machines
  ▪ Other Privilege Escalation Techniques
  ▪ Privilege Escalation Tools
  ▪ How to Defend Against Privilege Escalation
    o Tools for Defending against DLL and Dylib Hijacking
    o Defending against Spectre and Meltdown Vulnerabilities
    o Tools for Detecting Spectre and Meltdown Vulnerabilities
Maintaining Access
  ▪ Executing Applications
    o Remote Code Execution Techniques
      • Tools for Executing Applications
    o Keylogger
      • Types of Keystroke Loggers
      • Hardware Keyloggers
      • Keyloggers for Windows
      • Keyloggers for Mac
    o Spyware
      • Spyware: Spytech SpyAgent and Power Spy
      • Desktop and Child Monitoring Spyware
      • USB Spyware
      • Audio Spyware
      • Video Spyware
      • Telephone/Cellphone Spyware
      • GPS Spyware
    o How to Defend Against Keyloggers
      • Anti-Keyloggers
    o How to Defend Against Spyware
      • Anti-Spyware
  ▪ Hiding Files
    o Rootkits
      • Types of Rootkits
      • How a Rootkit Works
      • Popular Rootkits
        ✓ LoJax
        ✓ Scranos
        ✓ Horse Pill

CEHv12:
Gaining Access
  ▪ Cracking Passwords
    o Microsoft Authentication
    o How Hash Passwords Are Stored in Windows SAM?
    o NTLM Authentication Process
    o Kerberos Authentication
    o Password Cracking
    o Types of Password Attacks
      • Non-Electronic Attacks
      • Active Online Attacks
        ✓ Dictionary, Brute-Force, and Rule-based Attack
        ✓ Password Spraying Attack and Mask Attack
        ✓ Password Guessing
        ✓ Default Passwords
        ✓ Trojans/Spyware/Keyloggers
        ✓ Hash Injection/Pass-the-Hash (PtH) Attack
        ✓ LLMNR/NBT-NS Poisoning
        ✓ Internal Monologue Attack
        ✓ Cracking Kerberos Password
        ✓ Pass the Ticket Attack
        ✓ Other Active Online Attacks
          ➢ GPU-based Attack
      • Passive Online Attacks
        ✓ Wire Sniffing
        ✓ Man-in-the-Middle/Manipulator-in-the-Middle and Replay Attacks
      • Offline Attacks
        ✓ Rainbow Table Attack
        ✓ Distributed Network Attack
    o Password Recovery Tools
    o Tools to Extract the Password Hashes
    o Password Cracking using Domain Password Audit Tool (DPAT)
    o Password-Cracking Tools: L0phtCrack and ophcrack
    o Password-Cracking Tools
    o Password Salting
    o How to Defend against Password Cracking
    o How to Defend against LLMNR/NBT-NS Poisoning
    o Tools to Detect LLMNR/NBT-NS Poisoning
  ▪ Vulnerability Exploitation
    o Exploit Sites
    o Buffer Overflow
      • Types of Buffer Overflow: Stack-Based Buffer Overflow
      • Types of Buffer Overflow: Heap-Based Buffer Overflow
      • Simple Buffer Overflow in C
      • Windows Buffer Overflow Exploitation
    o Return-Oriented Programming (ROP) Attack
    o Exploit Chaining
    o Active Directory Enumeration Using PowerView
    o Domain Mapping and Exploitation with Bloodhound
    o Identifying Insecurities Using GhostPack Seatbelt
    o Buffer Overflow Detection Tools
    o Defending against Buffer Overflows
Escalating Privileges
  ▪ Privilege Escalation
  ▪ Privilege Escalation Using DLL Hijacking
  ▪ Privilege Escalation by Exploiting Vulnerabilities
  ▪ Privilege Escalation Using Dylib Hijacking
  ▪ Privilege Escalation Using Spectre and Meltdown Vulnerabilities
  ▪ Privilege Escalation Using Named Pipe Impersonation
  ▪ Privilege Escalation by Exploiting Misconfigured Services
  ▪ Pivoting and Relaying to Hack External Machines
  ▪ Privilege Escalation Using Misconfigured NFS
  ▪ Privilege Escalation Using Windows Sticky Keys
  ▪ Privilege Escalation by Bypassing User Account Control (UAC)
  ▪ Privilege Escalation by Abusing Boot or Logon Initialization Scripts
  ▪ Privilege Escalation by Modifying Domain Policy
  ▪ Retrieving Password Hashes of Other Domain Controllers Using DCSync Attack
  ▪ Other Privilege Escalation Techniques
    o Parent PID Spoofing
    o Abusing Accessibility Features
    o SID-History Injection
    o COM Hijacking
    o Scheduled Tasks in Linux
  ▪ Privilege Escalation Tools
    o FullPowers
    o PEASS-ng
  ▪ How to Defend Against Privilege Escalation
    o Tools for Defending against DLL and Dylib Hijacking
    o Defending against Spectre and Meltdown Vulnerabilities
    o Tools for Detecting Spectre and Meltdown Vulnerabilities
Maintaining Access
  ▪ Executing Applications
    o Remote Code Execution Techniques
      • Tools for Executing Applications
    o Keylogger
      • Types of Keystroke Loggers
      • Remote Keylogger Attack Using Metasploit
      • Hardware Keyloggers
      • Keyloggers for Windows
      • Keyloggers for macOS
    o Spyware
      • Spyware Tools: Spytech SpyAgent and Power Spy
      • Spyware Tools
    o How to Defend Against Keyloggers
      • Anti-Keyloggers
    o How to Defend Against Spyware
      • Anti-Spyware
  ▪ Hiding Files
    o Rootkits
      • Types of Rootkits
      • How a Rootkit Works
      • Popular Rootkits
        ✓ Purple Fox Rootkit
        ✓ MoonBounce
        ✓ Dubbed Demodex Rootkit
      • Detecting Rootkits
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Version Change Document

✓ Necurs • Steps for Detecting Rootkits


• Detecting Rootkits • How to Defend against Rootkits
• Steps for Detecting Rootkits • Anti-Rootkits
• How to Defend against Rootkits o NTFS Data Stream
• Anti-Rootkits • How to Create NTFS Streams
o NTFS Data Stream • NTFS Stream Manipulation
• How to Create NTFS Streams • How to Defend against NTFS Streams
• NTFS Stream Manipulation • NTFS Stream Detectors
• How to Defend against NTFS Streams o What is Steganography?
• NTFS Stream Detectors • Classification of Steganography
• Types of Steganography based on Cover
o What is Steganography?
Medium
• Classification of Steganography ✓ Whitespace Steganography
• Types of Steganography based on Cover
✓ Image Steganography
Medium
✓ Whitespace Steganography ➢ Image Steganography Tools
✓ Image Steganography ✓ Document Steganography
➢ Image Steganography Tools ✓ Video Steganography
✓ Document Steganography ✓ Audio Steganography
✓ Video Steganography ✓ Folder Steganography
✓ Audio Steganography ✓ Spam/Email Steganography
✓ Folder Steganography ✓ Other Types of Steganography
✓ Spam/Email Steganography • Steganography Tools for Mobile Phones
• Steganography Tools for Mobile Phones • Steganalysis
• Steganalysis Methods/Attacks on
• Steganalysis
Steganography
• Steganalysis Methods/Attacks on • Detecting Steganography (Text, Image,
Steganography Audio, and Video Files)
• Detecting Steganography (Text, Image,
• Steganography Detection Tools
Audio, and Video Files)
• Steganography Detection Tools ▪ Establishing Persistence
o Maintaining Persistence by Abusing Boot or
Clearing Logs
Logon Autostart Executions
▪ Covering Tracks o Domain Dominance through Different Paths
▪ Disabling Auditing: Auditpol • Remote Code Execution
▪ Clearing Logs • Abusing DPAPI
▪ Manually Clearing Event Logs • Malicious Replication
▪ Ways to Clear Online Tracks • Skeleton Key Attack
▪ Covering BASH Shell Tracks • Golden Ticket Attack

Page | 17 Ethical Hacking and Countermeasures Copyright © by EC-Council


All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Version Change Document

▪ Covering Tracks on a Network • Silver Ticket Attack


o Maintain Domain Persistence Through
▪ Covering Tracks on an OS
AdminSDHolder
o Maintaining Persistence Through WMI Event
▪ Delete Files using Cipher.exe
Subscription
▪ Disable Windows Functionality o Overpass-the-Hash Attack
o Disabling the Last Access Timestamp o Linux Post Exploitation
o Disabling Windows Hibernation o Windows Post Exploitation
o Disabling Windows Virtual Memory (Paging
o How to Defend against Persistence Attacks
File)
o Disabling System Restore Points Clearing Logs
o Disabling Windows Thumbnail Cache ▪ Covering Tracks
o Disabling Windows Prefetch Feature ▪ Disabling Auditing: Auditpol
▪ Track-Covering Tools ▪ Clearing Logs
▪ Defending against Covering Tracks ▪ Manually Clearing Event Logs
▪ Ways to Clear Online Tracks
▪ Covering BASH Shell Tracks
▪ Covering Tracks on a Network
▪ Covering Tracks on an OS
▪ Delete Files using Cipher.exe
▪ Disable Windows Functionality
▪ Hiding Artifacts in Windows, Linux, and macOS
▪ Track-Covering Tools
▪ Defending against Covering Tracks

Module 07: Malware Threats

CEHv11
Malware Concepts
  ▪ Introduction to Malware
  ▪ Different Ways for Malware to Enter a System
  ▪ Common Techniques Attackers Use to Distribute Malware on the Web
  ▪ Components of Malware
APT Concepts
  ▪ What are Advanced Persistent Threats?
  ▪ Characteristics of Advanced Persistent Threats
  ▪ Advanced Persistent Threat Lifecycle
Trojan Concepts
  ▪ What is a Trojan?
  ▪ How Hackers Use Trojans
  ▪ Common Ports used by Trojans
  ▪ Types of Trojans
    o Remote Access Trojans
    o Backdoor Trojans
    o Botnet Trojans
    o Rootkit Trojans
    o E-banking Trojans
      • Working of E-banking Trojans
      • E-banking Trojan: Dreambot
    o Point-of-Sale Trojans
    o Defacement Trojans
    o Service Protocol Trojans
    o Mobile Trojans
    o IoT Trojans
    o Other Trojans
      • Security Software Disabler Trojans
      • Destructive Trojans
      • DDoS Trojans
      • Command Shell Trojans
  ▪ How to Infect Systems Using a Trojan
    o Creating a Trojan
    o Employing a Dropper or Downloader
    o Employing a Wrapper
    o Employing a Crypter
    o Propagating and Deploying a Trojan
      • Deploy a Trojan through Emails
      • Deploy a Trojan through Covert Channels
      • Deploy a Trojan through Proxy Servers
      • Deploy a Trojan through USB/Flash Drives
      • Evading Anti-Virus Software
    o Exploit Kits
Virus and Worm Concepts
  ▪ Introduction to Viruses
  ▪ Stages of Virus Lifecycle
  ▪ Working of Viruses
    o How does a Computer Get Infected by Viruses?
  ▪ Types of Viruses
    o System and File Viruses
    o Multipartite and Macro Viruses
    o Cluster and Stealth Viruses
    o Encryption and Sparse Infector Viruses
    o Polymorphic Viruses
    o Metamorphic Viruses
    o Overwriting File or Cavity Viruses
    o Companion/Camouflage and Shell Viruses
    o File Extension Viruses
    o FAT and Logic Bomb Viruses
    o Other Viruses
      • Web Scripting Viruses
      • E-mail Viruses
      • Armored Viruses
      • Add-on Viruses
      • Intrusive Viruses
      • Direct Action or Transient Viruses
      • Terminate and Stay Resident (TSR) Viruses
    o Ransomware
  ▪ How to Infect Systems Using a Virus
    o Creating a Virus
    o Propagating and Deploying a Virus
      • Virus Hoaxes
      • Fake Antiviruses
  ▪ Computer Worms
  ▪ Worm Makers
Fileless Malware Concepts
  ▪ What is Fileless Malware?
  ▪ Taxonomy of Fileless Malware Threats
  ▪ How does Fileless Malware Work?
  ▪ Launching Fileless Malware through Document Exploits and In-Memory Exploits
  ▪ Launching Fileless Malware through Script-based Injection
  ▪ Launching Fileless Malware by Exploiting System Admin Tools
  ▪ Launching Fileless Malware through Phishing
  ▪ Maintaining Persistence with Fileless Techniques
  ▪ Fileless Malware
  ▪ Fileless Malware Obfuscation Techniques to Bypass Antivirus
Malware Analysis
  ▪ What is Sheep Dip Computer?
  ▪ Antivirus Sensor Systems
  ▪ Introduction to Malware Analysis
  ▪ Malware Analysis Procedure: Preparing Testbed
  ▪ Static Malware Analysis
    o File Fingerprinting
    o Local and Online Malware Scanning
    o Performing Strings Search
    o Identifying Packing/Obfuscation Methods
    o Finding the Portable Executables (PE) Information
    o Identifying File Dependencies
    o Malware Disassembly
  ▪ Dynamic Malware Analysis
    o Port Monitoring
    o Process Monitoring
    o Registry Monitoring
    o Windows Services Monitoring
    o Startup Programs Monitoring
    o Event Logs Monitoring/Analysis
    o Installation Monitoring
    o Files and Folders Monitoring
    o Device Drivers Monitoring
    o Network Traffic Monitoring/Analysis
    o DNS Monitoring/Resolution
    o API Calls Monitoring
  ▪ Virus Detection Methods
  ▪ Trojan Analysis: Emotet
    Emotet Malware Attack Phases:
      Infection Phase
      Maintaining Persistence Phase
      System Compromise Phase
      Network Propagation Phase
  ▪ Virus Analysis: SamSam Ransomware
    SamSam Ransomware Attack Stages
  ▪ Fileless Malware Analysis: Astaroth Attack
Countermeasures
  ▪ Trojan Countermeasures
  ▪ Backdoor Countermeasures
  ▪ Virus and Worm Countermeasures
  ▪ Fileless Malware Countermeasures
Anti-Malware Software
  ▪ Anti-Trojan Software
  ▪ Antivirus Software
  ▪ Fileless Malware Detection Tools
  ▪ Fileless Malware Protection Tools

CEHv12
Malware Concepts
  ▪ Introduction to Malware
  ▪ Different Ways for Malware to Enter a System
  ▪ Common Techniques Attackers Use to Distribute Malware on the Web
    o RTF Injection
  ▪ Components of Malware
  ▪ Potentially Unwanted Application or Applications (PUAs)
    o Adware
APT Concepts
  ▪ What are Advanced Persistent Threats?
  ▪ Characteristics of Advanced Persistent Threats
  ▪ Advanced Persistent Threat Lifecycle
Trojan Concepts
  ▪ What is a Trojan?
  ▪ How Hackers Use Trojans
  ▪ Common Ports used by Trojans
  ▪ Types of Trojans
    o Remote Access Trojans
    o Backdoor Trojans
    o Botnet Trojans
    o Rootkit Trojans
    o E-banking Trojans
      • Working of E-banking Trojans
      • E-banking Trojan: Dreambot
    o Point-of-Sale Trojans
    o Defacement Trojans
    o Service Protocol Trojans
    o Mobile Trojans
    o IoT Trojans
    o Security Software Disabler Trojans
    o Destructive Trojans
    o DDoS Trojans
    o Command Shell Trojans
  ▪ How to Infect Systems Using a Trojan
    o Creating a Trojan
    o Employing a Dropper or Downloader
    o Employing a Wrapper
    o Employing a Crypter
    o Propagating and Deploying a Trojan
    o Exploit Kits
Virus and Worm Concepts
  ▪ Introduction to Viruses
  ▪ Stages of Virus Lifecycle
  ▪ Working of Viruses
    o How does a Computer Get Infected by Viruses?
  ▪ Types of Viruses
    o System or Boot Sector Viruses
    o File Viruses
    o Multipartite Viruses
    o Macro Viruses
    o Cluster Viruses
    o Stealth Viruses/Tunneling Viruses
    o Encryption Viruses
    o Sparse Infector Viruses
    o Polymorphic Viruses
    o Metamorphic Viruses
    o Overwriting File or Cavity Viruses
    o Companion/Camouflage Viruses
    o Shell Viruses
    o File Extension Viruses
    o FAT Viruses
    o Logic Bomb Viruses
    o Web Scripting Virus
    o E-mail Viruses
    o Armored Viruses
    o Add-on Viruses
    o Intrusive Viruses
    o Direct Action or Transient Viruses
    o Terminate and Stay Resident (TSR) Viruses
    o Ransomware
      • BlackCat
      • BlackMatter
  ▪ How to Infect Systems Using a Virus: Creating a Virus
  ▪ How to Infect Systems Using a Virus: Propagating and Deploying a Virus
  ▪ Computer Worms
    o Worm Makers
Fileless Malware Concepts
  ▪ What is Fileless Malware?
  ▪ Taxonomy of Fileless Malware Threats
  ▪ How does Fileless Malware Work?
  ▪ Launching Fileless Malware through Document Exploits and In-Memory Exploits
  ▪ Launching Fileless Malware through Script-based Injection
  ▪ Launching Fileless Malware by Exploiting System Admin Tools
  ▪ Launching Fileless Malware through Phishing
  ▪ Maintaining Persistence with Fileless Techniques
  ▪ Fileless Malware
    o LemonDuck
  ▪ Fileless Malware Obfuscation Techniques to Bypass Antivirus
Malware Analysis
  ▪ What is Sheep Dip Computer?
  ▪ Antivirus Sensor Systems
  ▪ Introduction to Malware Analysis
  ▪ Malware Analysis Procedure: Preparing Testbed
  ▪ Static Malware Analysis
    o File Fingerprinting
    o Local and Online Malware Scanning
    o Performing Strings Search
    o Identifying Packing/Obfuscation Methods
      • Identifying Packing/Obfuscation Method of ELF Malware
      • Detect It Easy (DIE)
    o Finding the Portable Executables (PE) Information
    o Identifying File Dependencies
    o Malware Disassembly
      • Ghidra
      • x64dbg
    o Analyzing ELF Executable Files
    o Analyzing Mach Object (Mach-O) Executable Files
    o Analyzing Malicious MS Office Documents
      • Finding Suspicious Components
      • Finding Macro Streams
      • Dumping Macro Streams
      • Identifying Suspicious VBA Keywords
  ▪ Dynamic Malware Analysis
    o Port Monitoring
    o Process Monitoring
    o Registry Monitoring
    o Windows Services Monitoring
    o Startup Programs Monitoring
    o Event Logs Monitoring/Analysis
    o Installation Monitoring
    o Files and Folders Monitoring
    o Device Drivers Monitoring
    o Network Traffic Monitoring/Analysis
    o DNS Monitoring/Resolution
    o API Calls Monitoring
    o System Calls Monitoring
  ▪ Virus Detection Methods
  ▪ Trojan Analysis: ElectroRAT
    o ElectroRAT Malware Attack Phases
      • Initial propagation and Infection
      • Deploying Malware
      • Exploitation
      • Maintaining Persistence
  ▪ Virus Analysis: REvil Ransomware
    o REvil Ransomware Attack Stages
      • Initial Access
      • Download and Execution
      • Exploitation
      • Lateral Movement / Defense Evasion and Discovery
      • Credential Access and Exfiltration / Command and Control
  ▪ Fileless Malware Analysis: SockDetour
    o SockDetour Fileless Malware Attack Stages
      • Pre-exploitation
      • Initial infection
      • Exploitation
      • Post-exploitation
      • Client Authentication and C2 Communication After Exploitation
      • Plugin Loading Feature
Malware Countermeasures
  ▪ Trojan Countermeasures
  ▪ Backdoor Countermeasures
  ▪ Virus and Worm Countermeasures
  ▪ Fileless Malware Countermeasures
Anti-Malware Software
  ▪ Anti-Trojan Software
  ▪ Antivirus Software
  ▪ Fileless Malware Detection Tools
  ▪ Fileless Malware Protection Tools

Module 08: Sniffing

CEHv11
Sniffing Concepts
  ▪ Network Sniffing
  ▪ Types of Sniffing
  ▪ How an Attacker Hacks the Network Using Sniffers
  ▪ Protocols Vulnerable to Sniffing
  ▪ Sniffing in the Data Link Layer of the OSI Model
  ▪ Hardware Protocol Analyzers
  ▪ SPAN Port
  ▪ Wiretapping
  ▪ Lawful Interception
Sniffing Technique: MAC Attacks
  ▪ MAC Address/CAM Table
  ▪ How CAM Works
  ▪ What Happens When a CAM Table Is Full?
  ▪ MAC Flooding
  ▪ Switch Port Stealing
  ▪ How to Defend against MAC Attacks
Sniffing Technique: DHCP Attacks
  ▪ How DHCP Works
  ▪ DHCP Request/Reply Messages
  ▪ DHCP Starvation Attack
  ▪ Rogue DHCP Server Attack
  ▪ How to Defend Against DHCP Starvation and Rogue Server Attacks
Sniffing Technique: ARP Poisoning
  ▪ What Is Address Resolution Protocol (ARP)?
  ▪ ARP Spoofing Attack
  ▪ Threats of ARP Poisoning
  ▪ ARP Poisoning Tools
  ▪ How to Defend Against ARP Poisoning
  ▪ Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
  ▪ ARP Spoofing Detection Tools
Sniffing Technique: Spoofing Attacks
  ▪ MAC Spoofing/Duplicating
  ▪ MAC Spoofing Technique: Windows
  ▪ MAC Spoofing Tools
  ▪ IRDP Spoofing
  ▪ VLAN Hopping
    o Switch Spoofing
    o Double Tagging
  ▪ STP Attack
  ▪ How to Defend Against MAC Spoofing
  ▪ How to Defend Against VLAN Hopping
  ▪ How to Defend Against STP Attacks
Sniffing Technique: DNS Poisoning
  ▪ DNS Poisoning Techniques
    o Intranet DNS Spoofing
    o Internet DNS Spoofing
    o Proxy Server DNS Poisoning
    o DNS Cache Poisoning
  ▪ DNS Poisoning Tools
  ▪ How to Defend Against DNS Spoofing
Sniffing Tools
  ▪ Sniffing Tool: Wireshark
    o Follow TCP Stream in Wireshark
    o Display Filters in Wireshark
    o Additional Wireshark Filters
  ▪ Sniffing Tools
  ▪ Packet Sniffing Tools for Mobile Phones
Countermeasures
  ▪ How to Defend Against Sniffing
Sniffing Detection Techniques
  ▪ How to Detect Sniffing
  ▪ Sniffer Detection Techniques
    o Ping Method
    o DNS Method
    o ARP Method
  ▪ Promiscuous Detection Tools

CEHv12
Sniffing Concepts
  ▪ Network Sniffing
  ▪ Types of Sniffing
  ▪ How an Attacker Hacks the Network Using Sniffers
  ▪ Protocols Vulnerable to Sniffing
  ▪ Sniffing in the Data Link Layer of the OSI Model
  ▪ Hardware Protocol Analyzers
  ▪ SPAN Port
  ▪ Wiretapping
  ▪ Lawful Interception
Sniffing Technique: MAC Attacks
  ▪ MAC Address/CAM Table
  ▪ How CAM Works
  ▪ What Happens When a CAM Table Is Full?
  ▪ MAC Flooding
  ▪ Switch Port Stealing
  ▪ How to Defend against MAC Attacks
Sniffing Technique: DHCP Attacks
  ▪ How DHCP Works
  ▪ DHCP Request/Reply Messages
  ▪ DHCP Starvation Attack
  ▪ Rogue DHCP Server Attack
  ▪ How to Defend Against DHCP Starvation and Rogue Server Attacks
    o MAC Limiting Configuration on Juniper Switches
    o Configuring DHCP Filtering on a Switch
Sniffing Technique: ARP Poisoning
  ▪ What Is Address Resolution Protocol (ARP)?
  ▪ ARP Spoofing Attack
  ▪ Threats of ARP Poisoning
  ▪ ARP Poisoning Tools
    o Habu
  ▪ How to Defend Against ARP Poisoning
  ▪ Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
  ▪ ARP Spoofing Detection Tools
Sniffing Technique: Spoofing Attacks
  ▪ MAC Spoofing/Duplicating
  ▪ MAC Spoofing Technique: Windows
  ▪ MAC Spoofing Tools
  ▪ IRDP Spoofing
  ▪ VLAN Hopping
  ▪ STP Attack
  ▪ How to Defend Against MAC Spoofing
  ▪ How to Defend Against VLAN Hopping
  ▪ How to Defend Against STP Attacks
Sniffing Technique: DNS Poisoning
  ▪ DNS Poisoning Techniques
    o Intranet DNS Spoofing
    o Internet DNS Spoofing
    o Proxy Server DNS Poisoning
    o DNS Cache Poisoning
      • SAD DNS Attack
  ▪ DNS Poisoning Tools
  ▪ How to Defend Against DNS Spoofing
Sniffing Tools
  ▪ Sniffing Tool: Wireshark
    o Follow TCP Stream in Wireshark
    o Display Filters in Wireshark
    o Additional Wireshark Filters
  ▪ Sniffing Tools
    o RITA (Real Intelligence Threat Analytics)
  ▪ Packet Sniffing Tools for Mobile Phones
Sniffing Countermeasures
  ▪ How to Defend Against Sniffing
  ▪ How to Detect Sniffing
  ▪ Sniffer Detection Techniques
    o Ping Method
    o DNS Method
    o ARP Method
  ▪ Promiscuous Detection Tools

Module 09: Social Engineering

CEHv11
Social Engineering Concepts
  ▪ What is Social Engineering?
  ▪ Phases of a Social Engineering Attack
Social Engineering Techniques
  ▪ Types of Social Engineering
  ▪ Human-based Social Engineering
    o Impersonation
    o Impersonation (Vishing)
    o Eavesdropping
    o Shoulder Surfing
    o Dumpster Diving
    o Reverse Social Engineering
    o Piggybacking
    o Tailgating
    o Diversion Theft
    o Honey Trap
    o Baiting
    o Quid Pro Quo
    o Elicitation
  ▪ Computer-based Social Engineering
    o Phishing
      • Examples of Phishing Emails
      • Types of Phishing
      • Phishing Tools
  ▪ Mobile-based Social Engineering
    o Publishing Malicious Apps
    o Repackaging Legitimate Apps
    o Fake Security Applications
    o SMiShing (SMS Phishing)
Insider Threats
  ▪ Insider Threats/Insider Attacks
  ▪ Types of Insider Threats
  ▪ Behavioral Indications of an Insider Threat
Impersonation on Social Networking Sites
  ▪ Social Engineering through Impersonation on Social Networking Sites
  ▪ Impersonation on Facebook
  ▪ Social Networking Threats to Corporate Networks
Identity Theft
  ▪ Identity Theft
Countermeasures
  ▪ Social Engineering Countermeasures
  ▪ Detecting Insider Threats
  ▪ Insider Threats Countermeasures
  ▪ Identity Theft Countermeasures
  ▪ How to Detect Phishing Emails?
  ▪ Anti-Phishing Toolbar
  ▪ Common Social Engineering Targets and Defense Strategies
  ▪ Social Engineering Tools
  ▪ Audit Organization's Security for Phishing Attacks using OhPhish

CEHv12
Social Engineering Concepts
  ▪ What is Social Engineering?
  ▪ Phases of a Social Engineering Attack
Social Engineering Techniques
  ▪ Types of Social Engineering
  ▪ Human-based Social Engineering
    o Impersonation
    o Impersonation (Vishing)
    o Eavesdropping
    o Shoulder Surfing
    o Dumpster Diving
    o Reverse Social Engineering
    o Piggybacking
    o Tailgating
    o Diversion Theft
    o Honey Trap
    o Baiting
    o Quid Pro Quo
    o Elicitation
  ▪ Computer-based Social Engineering
    o Phishing
      • Examples of Phishing Emails
      • Types of Phishing
        ✓ Spear Phishing
        ✓ Whaling
        ✓ Pharming
        ✓ Spimming
        ✓ Angler Phishing
        ✓ Catfishing Attack
        ✓ Deepfake Attacks
    o Phishing Tools
  ▪ Mobile-based Social Engineering
    o Publishing Malicious Apps
    o Repackaging Legitimate Apps
    o Fake Security Applications
    o SMiShing (SMS Phishing)
Insider Threats
  ▪ Insider Threats/Insider Attacks
  ▪ Types of Insider Threats
    o Accidental Insider
  ▪ Behavioral Indications of an Insider Threat
Impersonation on Social Networking Sites
  ▪ Social Engineering through Impersonation on Social Networking Sites
  ▪ Impersonation on Facebook
  ▪ Social Networking Threats to Corporate Networks
Identity Theft
  ▪ Identity Theft
Social Engineering Countermeasures
  ▪ Social Engineering Countermeasures
  ▪ How to Defend against Phishing Attacks?
  ▪ Detecting Insider Threats
  ▪ Insider Threats Countermeasures
  ▪ Identity Theft Countermeasures
  ▪ How to Detect Phishing Emails?
  ▪ Anti-Phishing Toolbar
  ▪ Common Social Engineering Targets and Defense Strategies
  ▪ Social Engineering Tools
  ▪ Audit Organization's Security for Phishing Attacks using OhPhish

Module 10: Denial-of-Service

CEHv11
DoS/DDoS Concepts
  ▪ What is a DoS Attack?
  ▪ What is a DDoS Attack?
DoS/DDoS Attack Techniques
  ▪ Basic Categories of DoS/DDoS Attack Vectors
    o Volumetric Attacks
      • UDP Flood Attack
      • ICMP Flood Attack
      • Ping of Death and Smurf Attacks
      • Pulse Wave and Zero-Day DDoS Attacks
    o Protocol Attacks
      • SYN Flood Attack
      • Fragmentation Attack
      • Spoofed Session Flood Attack
    o Application Layer Attacks
      • HTTP GET/POST and Slowloris Attacks
      • UDP Application Layer Flood Attack
  ▪ Multi-Vector Attack
  ▪ Peer-to-Peer Attack
  ▪ Permanent Denial-of-Service Attack
  ▪ Distributed Reflection Denial-of-Service (DRDoS) Attack
Botnets
  ▪ Organized Cyber Crime: Organizational Chart
  ▪ Botnets
  ▪ A Typical Botnet Setup
  ▪ Botnet Ecosystem
  ▪ Scanning Methods for Finding Vulnerable Machines
  ▪ How Does Malicious Code Propagate?
DDoS Case Study
  ▪ DDoS Attack
  ▪ Hackers Advertise Links for Downloading Botnets
  ▪ Use of Mobile Devices as Botnets for Launching DDoS Attacks
  ▪ DDoS Case Study: DDoS Attack on GitHub
DoS/DDoS Attack Tools
  ▪ DoS/DDoS Attack Tools
  ▪ DoS and DDoS Attack Tools for Mobiles
Countermeasures
  ▪ Detection Techniques
  ▪ DoS/DDoS Countermeasure Strategies
  ▪ DDoS Attack Countermeasures
    o Protect Secondary Victims
    o Detect and Neutralize Handlers
    o Prevent Potential Attacks
    o Deflect Attacks
    o Mitigate Attacks
    o Post-Attack Forensics
  ▪ Techniques to Defend against Botnets
  ▪ Additional DoS/DDoS Countermeasures
  ▪ DoS/DDoS Protection at ISP Level
  ▪ Enabling TCP Intercept on Cisco IOS Software
DoS/DDoS Protection Tools
  ▪ Advanced DDoS Protection Appliances
  ▪ DoS/DDoS Protection Tools
  ▪ DoS/DDoS Protection Services

CEHv12
DoS/DDoS Concepts
  ▪ What is a DoS Attack?
  ▪ What is a DDoS Attack?
Botnets
  ▪ Organized Cyber Crime: Organizational Chart
  ▪ Botnets
  ▪ A Typical Botnet Setup
  ▪ Botnet Ecosystem
  ▪ Scanning Methods for Finding Vulnerable Machines
  ▪ How Does Malicious Code Propagate?
DoS/DDoS Attack Techniques
  ▪ Basic Categories of DoS/DDoS Attack Vectors
    o Volumetric Attacks
      • UDP Flood Attack
      • ICMP Flood Attack
      • Ping of Death and Smurf Attacks
      • Pulse Wave and Zero-Day DDoS Attacks
    o Protocol Attacks
      • SYN Flood Attack
      • Fragmentation Attack
      • Spoofed Session Flood Attack
    o Application Layer Attacks
      • HTTP GET/POST and Slowloris Attacks
      • UDP Application Layer Flood Attack
  ▪ Multi-Vector Attack
  ▪ Peer-to-Peer Attack
  ▪ Permanent Denial-of-Service Attack
  ▪ TCP SACK Panic
  ▪ Distributed Reflection Denial-of-Service (DRDoS) Attack
  ▪ DDoS Extortion/Ransom DDoS (RDDoS) Attack
  ▪ DoS/DDoS Attack Tools
  ▪ DoS and DDoS Attack Tools for Mobiles
DDoS Case Study
  ▪ DDoS Attack
  ▪ Hackers Advertise Links for Downloading Botnets
  ▪ Use of Mobile Devices as Botnets for Launching DDoS Attacks
  ▪ DDoS Case Study: DDoS Attack on Microsoft Azure
DoS/DDoS Attack Countermeasures
  ▪ Detection Techniques
  ▪ DoS/DDoS Countermeasure Strategies
  ▪ DDoS Attack Countermeasures
    o Protect Secondary Victims
    o Detect and Neutralize Handlers
    o Prevent Potential Attacks
    o Deflect Attacks
    o Mitigate Attacks
    o Post-Attack Forensics
  ▪ Techniques to Defend against Botnets
  ▪ Additional DoS/DDoS Countermeasures
  ▪ DoS/DDoS Protection at ISP Level
  ▪ Enabling TCP Intercept on Cisco IOS Software
  ▪ Advanced DDoS Protection Appliances
  ▪ DoS/DDoS Protection Tools
  ▪ DoS/DDoS Protection Services

Module 11: Session Hijacking

CEHv11
Session Hijacking Concepts
  ▪ What is Session Hijacking?
  ▪ Why is Session Hijacking Successful?
  ▪ Session Hijacking Process
  ▪ Packet Analysis of a Local Session Hijack
  ▪ Types of Session Hijacking
  ▪ Session Hijacking in OSI Model
  ▪ Spoofing vs. Hijacking
Application-Level Session Hijacking
  ▪ Application-Level Session Hijacking
  ▪ Compromising Session IDs using Sniffing and by Predicting Session Token
    o How to Predict a Session Token
  ▪ Compromising Session IDs Using Man-in-the-Middle Attack
  ▪ Compromising Session IDs Using Man-in-the-Browser Attack
    o Steps to Perform Man-in-the-Browser Attack
  ▪ Compromising Session IDs Using Client-side Attacks
  ▪ Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack
  ▪ Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack
  ▪ Compromising Session IDs Using Session Replay Attacks
  ▪ Compromising Session IDs Using Session Fixation
  ▪ Session Hijacking Using Proxy Servers
  ▪ Session Hijacking Using CRIME Attack
  ▪ Session Hijacking Using Forbidden Attack
  ▪ Session Hijacking Using Session Donation Attack
Network Level Session Hijacking
  ▪ Network Level Session Hijacking
  ▪ TCP/IP Hijacking
  ▪ IP Spoofing: Source Routed Packets
  ▪ RST Hijacking
  ▪ Blind Hijacking
  ▪ UDP Hijacking
  ▪ MiTM Attack Using Forged ICMP and ARP Spoofing
Session Hijacking Tools
  ▪ Session Hijacking Tools
  ▪ Session Hijacking Tools for Mobile Phones
Countermeasures
  ▪ Session Hijacking Detection Methods
  ▪ Protecting against Session Hijacking
  ▪ Web Development Guidelines to Prevent Session Hijacking
  ▪ Web User Guidelines to Prevent Session Hijacking
  ▪ Session Hijacking Detection Tools
  ▪ Approaches Causing Vulnerability to Session Hijacking and their Preventative Solutions
  ▪ Approaches to Prevent Session Hijacking
  ▪ Approaches to Prevent MITM Attacks
  ▪ IPSec
    o IPsec Authentication and Confidentiality
  ▪ Session Hijacking Prevention Tools

CEHv12
Session Hijacking Concepts
  ▪ What is Session Hijacking?
  ▪ Why is Session Hijacking Successful?
  ▪ Session Hijacking Process
  ▪ Packet Analysis of a Local Session Hijack
  ▪ Types of Session Hijacking
  ▪ Session Hijacking in OSI Model
  ▪ Spoofing vs. Hijacking
Application-Level Session Hijacking
  ▪ Application-Level Session Hijacking
  ▪ Compromising Session IDs using Sniffing and by Predicting Session Token
    o How to Predict a Session Token
  ▪ Compromising Session IDs Using Man-in-the-Middle/Manipulator-in-the-Middle Attack
  ▪ Compromising Session IDs Using Man-in-the-Browser/Manipulator-in-the-Browser Attack
    o Steps to Perform Man-in-the-Browser Attack
  ▪ Compromising Session IDs Using Client-side Attacks
  ▪ Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack
  ▪ Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack
  ▪ Compromising Session IDs Using Session Replay Attacks
  ▪ Compromising Session IDs Using Session Fixation
  ▪ Session Hijacking Using Proxy Servers
  ▪ Session Hijacking Using CRIME Attack
  ▪ Session Hijacking Using Forbidden Attack
  ▪ Session Hijacking Using Session Donation Attack
  ▪ PetitPotam Hijacking
Network-Level Session Hijacking
  ▪ Network Level Session Hijacking
  ▪ TCP/IP Hijacking
  ▪ IP Spoofing: Source Routed Packets
  ▪ RST Hijacking
  ▪ Blind and UDP Hijacking
  ▪ MiTM Attack Using Forged ICMP and ARP Spoofing
Session Hijacking Tools
  ▪ Session Hijacking Tools
    o Hetty
  ▪ Session Hijacking Tools for Mobile Phones
Session Hijacking Countermeasures
  ▪ Session Hijacking Detection Methods
  ▪ Protecting against Session Hijacking
  ▪ Web Development Guidelines to Prevent Session Hijacking
  ▪ Web User Guidelines to Prevent Session Hijacking
  ▪ Session Hijacking Detection Tools
  ▪ Approaches Causing Vulnerability to Session Hijacking and their Preventative Solutions
  ▪ Approaches to Prevent Session Hijacking
    o HTTP Referrer Header
  ▪ Approaches to Prevent MITM Attacks
    o DNS over HTTPS
    o Password Manager
    o Zero-trust Principles
  ▪ IPsec
    o IPsec Authentication and Confidentiality
  ▪ Session Hijacking Prevention Tools
Module 12: Evading IDS, Firewalls, and Honeypots

CEHv11

IDS, IPS, Firewall, and Honeypot Concepts
▪ Intrusion Detection System (IDS)
  o How an IDS Detects an Intrusion?
  o General Indications of Intrusions
  o Types of Intrusion Detection Systems
  o Types of IDS Alerts
▪ Intrusion Prevention System (IPS)
▪ Firewall
  o Firewall Architecture
  o Demilitarized Zone (DMZ)
  o Types of Firewalls
  o Firewall Technologies
    • Packet Filtering Firewall
    • Circuit-Level Gateway Firewall
    • Application-Level Firewall
    • Stateful Multilayer Inspection Firewall
    • Application Proxy
    • Network Address Translation (NAT)
    • Virtual Private Network
  o Firewall Limitations
▪ Honeypot
  o Types of Honeypots
IDS, IPS, Firewall, and Honeypot Solutions
▪ Intrusion Detection Tools
  o Snort
    • Snort Rules
    • Snort Rules: Rule Actions and IP Protocols
    • Snort Rules: The Direction Operator and IP Addresses
    • Snort Rules: Port Numbers
  o Intrusion Detection Tools
  o Intrusion Detection Tools for Mobile Devices
▪ Intrusion Prevention Tools
▪ Firewalls
  o Firewalls for Mobile Devices
▪ Honeypot Tools
Evading IDS
▪ IDS Evasion Techniques
  o Insertion Attack
  o Evasion
  o Denial-of-Service Attack (DoS)
  o Obfuscating
  o False Positive Generation
  o Session Splicing
  o Unicode Evasion Technique
  o Fragmentation Attack
  o Overlapping Fragments
  o Time-To-Live Attacks
  o Invalid RST Packets
  o Urgency Flag
  o Polymorphic Shellcode
  o ASCII Shellcode
  o Application-Layer Attacks
  o Desynchronization
  o Other Types of Evasion
Evading Firewalls
▪ Firewall Evasion Techniques
  o Firewall Identification
  o IP Address Spoofing
  o Source Routing
  o Tiny Fragments
  o Bypass Blocked Sites Using an IP Address in Place of a URL
  o Bypass Blocked Sites Using Anonymous Website Surfing Sites
  o Bypass a Firewall Using a Proxy Server
  o Bypassing Firewalls through the ICMP Tunneling Method
  o Bypassing Firewalls through the ACK Tunneling Method
  o Bypassing Firewalls through the HTTP Tunneling Method
    • Why do I Need HTTP Tunneling?
    • HTTP Tunneling Tools
  o Bypassing Firewalls through the SSH Tunneling Method
    • SSH Tunneling Tools: Bitvise and Secure Pipes
  o Bypassing Firewalls through the DNS Tunneling Method
  o Bypassing Firewalls through External Systems
  o Bypassing Firewalls through MITM Attacks
  o Bypassing Firewalls through Content
  o Bypassing the WAF using an XSS Attack
IDS/Firewall Evading Tools
▪ IDS/Firewall Evading Tools
▪ Packet Fragment Generator Tools
Detecting Honeypots
▪ Detecting Honeypots
  o Detecting and Defeating Honeypots
▪ Honeypot Detection Tools: Send-Safe Honeypot Hunter
IDS/Firewall Evasion Countermeasures
▪ How to Defend Against IDS Evasion
▪ How to Defend Against Firewall Evasion

CEHv12

IDS, IPS, Firewall, and Honeypot Concepts
▪ Intrusion Detection System (IDS)
  o How an IDS Detects an Intrusion?
  o General Indications of Intrusions
  o Types of Intrusion Detection Systems
  o Types of IDS Alerts
▪ Intrusion Prevention System (IPS)
▪ Firewall
  o Firewall Architecture
  o Demilitarized Zone (DMZ)
  o Types of Firewalls
  o Firewall Technologies
    • Packet Filtering Firewall
    • Circuit-Level Gateway Firewall
    • Application-Level Firewall
    • Stateful Multilayer Inspection Firewall
    • Application Proxy
    • Network Address Translation (NAT)
    • Virtual Private Network
  o Firewall Limitations
▪ Honeypot
  o Types of Honeypots
IDS, IPS, Firewall, and Honeypot Solutions
▪ Intrusion Detection using YARA Rules
▪ Intrusion Detection Tools
  o Snort
    • Snort Rules
    • Snort Rules: Rule Actions and IP Protocols
    • Snort Rules: The Direction Operator and IP Addresses
    • Snort Rules: Port Numbers
  o Intrusion Detection Tools
  o Intrusion Detection Tools for Mobile Devices
▪ Intrusion Prevention Tools
▪ Firewalls
  o Firewalls for Mobile Devices
▪ Honeypot Tools
Evading IDS
▪ IDS Evasion Techniques
  o Insertion Attack
  o Evasion
  o Denial-of-Service Attack (DoS)
  o Obfuscating
  o False Positive Generation
  o Session Splicing
  o Unicode Evasion Technique
  o Fragmentation Attack
  o Overlapping Fragments
  o Time-To-Live Attacks
  o Invalid RST Packets
  o Urgency Flag
  o Polymorphic Shellcode
  o ASCII Shellcode
  o Application-Layer Attacks
  o Desynchronization
  o Other Types of Evasion
Evading Firewalls
▪ Firewall Evasion Techniques
  o Firewall Identification
  o IP Address Spoofing
  o Source Routing
  o Tiny Fragments
  o Bypass Blocked Sites Using an IP Address in Place of a URL
  o Bypass Blocked Sites Using Anonymous Website Surfing Sites
  o Bypass a Firewall Using a Proxy Server
  o Bypassing Firewalls through the ICMP Tunneling Method
  o Bypassing Firewalls through the ACK Tunneling Method
  o Bypassing Firewalls through the HTTP Tunneling Method
    • Why do I Need HTTP Tunneling?
    • HTTP Tunneling Tools
  o Bypassing Firewalls through the SSH Tunneling Method
    • SSH Tunneling Tools: Bitvise and Secure Pipes
  o Bypassing Firewalls through the DNS Tunneling Method
  o Bypassing Firewalls through External Systems
  o Bypassing Firewalls through MITM Attacks
  o Bypassing Firewalls through Content
  o Bypassing the WAF using an XSS Attack
  o Other Techniques for Bypassing WAF
    • Using HTTP Header Spoofing
    • Using Blacklist Detection
    • Using Fuzzing/Bruteforcing
    • Abusing SSL/TLS ciphers
  o Bypassing Firewalls through HTML Smuggling
  o Bypassing Firewalls through Windows BITS
Evading NAC and Endpoint Security
▪ Bypassing NAC using VLAN Hopping
▪ Bypassing NAC using Pre-authenticated Device
▪ Bypassing Endpoint Security using Ghostwriting
▪ Bypassing Endpoint Security using Application Whitelisting
▪ Bypassing Endpoint Security using XLM Weaponization
▪ Bypassing Endpoint Security by Dechaining Macros
▪ Bypassing Endpoint Security by Clearing Memory Hooks
▪ Bypassing Antivirus using Metasploit Templates
▪ Bypassing Symantec Endpoint Protection
▪ Other Techniques for Bypassing Endpoint Security
  o Hosting Phishing Sites
  o Passing Encoded Commands
  o Fast Flux DNS Method
  o Timing-based Evasion
  o Signed Binary Proxy Execution
IDS/Firewall Evading Tools
▪ IDS/Firewall Evading Tools
▪ Packet Fragment Generator Tools
Detecting Honeypots
▪ Detecting Honeypots
  o Detecting and Defeating Honeypots
▪ Honeypot Detection Tools: Send-Safe Honeypot Hunter
IDS/Firewall Evasion Countermeasures
▪ How to Defend Against IDS Evasion
▪ How to Defend Against Firewall Evasion

Module 13: Hacking Web Servers

CEHv11

Web Server Concepts
▪ Web Server Operations
▪ Web Server Security Issues
▪ Why are Web Servers Compromised?
Web Server Attacks
▪ DoS/DDoS Attacks
▪ DNS Server Hijacking
▪ DNS Amplification Attack
▪ Directory Traversal Attacks
▪ Man-in-the-Middle/Sniffing Attack
▪ Phishing Attacks
▪ Website Defacement
▪ Web Server Misconfiguration
▪ HTTP Response-Splitting Attack
▪ Web Cache Poisoning Attack
▪ SSH Brute Force Attack
▪ Web Server Password Cracking
▪ Server-Side Request Forgery (SSRF) Attack
▪ Web Application Attacks
Web Server Attack Methodology
▪ Information Gathering
  o Information Gathering from Robots.txt File
▪ Web Server Footprinting/Banner Grabbing
  o Web Server Footprinting Tools
  o Enumerating Web Server Information Using Nmap
▪ Website Mirroring
  o Finding Default Credentials of Web Server
  o Finding Default Content of Web Server
  o Finding Directory Listings of Web Server
▪ Vulnerability Scanning
  o Finding Exploitable Vulnerabilities
▪ Session Hijacking
▪ Web Server Password Hacking
▪ Using Application Server as a Proxy
Web Server Attack Tools
▪ Metasploit
  o Metasploit Exploit Module
  o Metasploit Payload and Auxiliary Modules
  o Metasploit NOPS Module
▪ Web Server Attack Tools
Countermeasures
▪ Place Web Servers in Separate Secure Server Security Segment on Network
▪ Countermeasures
  o Patches and Updates
  o Protocols and Accounts
  o Files and Directories
▪ Detecting Web Server Hacking Attempts
▪ How to Defend Against Web Server Attacks
▪ How to Defend against HTTP Response-Splitting and Web Cache Poisoning
▪ How to Defend against DNS Hijacking
Patch Management
▪ Patches and Hotfixes
▪ What is Patch Management?
▪ Installation of a Patch
▪ Patch Management Tools
Web Server Security Tools
▪ Web Application Security Scanners
▪ Web Server Security Scanners
▪ Web Server Malware Infection Monitoring Tools
▪ Web Server Security Tools
▪ Web Server Pen Testing Tools

CEHv12

Web Server Concepts
▪ Web Server Operations
▪ Web Server Security Issues
▪ Why are Web Servers Compromised?
Web Server Attacks
▪ DNS Server Hijacking
▪ DNS Amplification Attack
▪ Directory Traversal Attacks
▪ Website Defacement
▪ Web Server Misconfiguration
▪ HTTP Response-Splitting Attack
▪ Web Cache Poisoning Attack
▪ SSH Brute Force Attack
  o Web Server Password Cracking
▪ Other Web Server Attacks
  o DoS/DDoS Attacks
  o Man-in-the-Middle Attack
  o Phishing Attacks
  o Web Application Attacks
Web Server Attack Methodology
▪ Information Gathering
  o Information Gathering from Robots.txt File
▪ Web Server Footprinting/Banner Grabbing
  o Web Server Footprinting Tools
  o Enumerating Web Server Information Using Nmap
▪ Website Mirroring
  o Finding Default Credentials of Web Server
  o Finding Default Content of Web Server
  o Finding Directory Listings of Web Server
    • Dirhunt
▪ Vulnerability Scanning
  o Finding Exploitable Vulnerabilities
▪ Session Hijacking
▪ Web Server Password Hacking
▪ Using Application Server as a Proxy
▪ Web Server Attack Tools
  o Metasploit
    • Metasploit Exploit Module
    • Metasploit Payload and Auxiliary Modules
    • Metasploit NOPS Module
  o Web Server Attack Tools
Web Server Attack Countermeasures
▪ Place Web Servers in Separate Secure Server Security Segment on Network
▪ Countermeasures
  o Patches and Updates
  o Protocols and Accounts
  o Files and Directories
▪ Detecting Web Server Hacking Attempts
▪ How to Defend Against Web Server Attacks
▪ How to Defend against HTTP Response-Splitting and Web Cache Poisoning
▪ How to Defend against DNS Hijacking
▪ Web Server Security Tools
  o Web Application Security Scanners
  o Web Server Security Scanners
  o Web Server Malware Infection Monitoring Tools
  o Web Server Security Tools
  o Web Server Pen Testing Tools
Patch Management
▪ Patches and Hotfixes
▪ What is Patch Management?
▪ Installation of a Patch
▪ Patch Management Tools

Module 14: Hacking Web Applications

CEHv11

Web Application Concepts
▪ Introduction to Web Applications
▪ Web Application Architecture
▪ Web Services
▪ Vulnerability Stack
Web Application Threats
▪ OWASP Top 10 Application Security Risks – 2017
  o A1 - Injection Flaws
    • SQL Injection Attacks
    • Command Injection Attacks
      ✓ Command Injection Example
    • File Injection Attack
    • LDAP Injection Attacks
    • Other Injection Attacks
      ✓ Server-Side JS Injection
      ✓ Server-Side Include Injection
      ✓ Server-Side Template Injection
      ✓ Log Injection
      ✓ HTML Injection
      ✓ CRLF Injection
  o A2 - Broken Authentication
  o A3 - Sensitive Data Exposure
  o A4 - XML External Entity (XXE)
  o A5 - Broken Access Control
  o A6 - Security Misconfiguration
  o A7 - Cross-Site Scripting (XSS) Attacks
    • Cross-Site Scripting Attack Scenario: Attack via Email
    • XSS Attack in Blog Posting
    • XSS Attack in Comment Field
  o A8 - Insecure Deserialization
  o A9 - Using Components with Known Vulnerabilities
  o A10 - Insufficient Logging and Monitoring
▪ Other Web Application Threats
  o Directory Traversal
  o Unvalidated Redirects and Forwards
  o Watering Hole Attack
  o Cross-Site Request Forgery (CSRF) Attack
  o Cookie/Session Poisoning
  o Web Service Attack
  o Web Service Footprinting Attack
  o Web Service XML Poisoning
  o Hidden Field Manipulation Attack
  o Web-based Timing Attacks
  o MarioNet Attack
  o Clickjacking Attack
  o DNS Rebinding Attack
Web Application Hacking Methodology
▪ Web Application Hacking Methodology
▪ Footprint Web Infrastructure
  o Server Discovery
  o Service Discovery
  o Server Identification/Banner Grabbing
  o Detecting Web App Firewalls and Proxies on Target Site
  o Hidden Content Discovery
  o Detect Load Balancers
▪ Analyze Web Applications
  o Identify Entry Points for User Input
  o Identify Server-Side Technologies
  o Identify Server-Side Functionality
  o Identify Files and Directories
  o Identify Web Application Vulnerabilities
  o Map the Attack Surface
▪ Bypass Client-side Controls
  o Attack Hidden Form Fields
  o Attack Browser Extensions
  o Perform Source Code Review
  o Evade XSS Filters
▪ Attack Authentication Mechanism
  o Design and Implementation Flaws in Authentication Mechanism
  o Username Enumeration
  o Password Attacks: Password Functionality Exploits
  o Password Attacks: Password Guessing and Brute-forcing
  o Password Attacks: Attack Password Reset Mechanism
  o Session Attacks: Session ID Prediction/Brute-forcing
  o Cookie Exploitation: Cookie Poisoning
  o Bypass Authentication: Bypass SAML-based SSO
▪ Attack Authorization Schemes
  o Authorization Attack: HTTP Request Tampering
  o Authorization Attack: Cookie Parameter Tampering
▪ Attack Access Controls
▪ Attack Session Management Mechanism
  o Attacking Session Token Generation Mechanism
  o Attacking Session Tokens Handling Mechanism: Session Token Sniffing
▪ Perform Injection/Input Validation Attacks
  o Perform Local File Inclusion (LFI)
▪ Attack Application Logic Flaws
▪ Attack Shared Environments
▪ Attack Database Connectivity
  o Connection String Injection
  o Connection String Parameter Pollution (CSPP) Attacks
  o Connection Pool DoS
▪ Attack Web Application Client
▪ Attack Web Services
  o Web Services Probing Attacks
  o Web Service Attacks: SOAP Injection
  o Web Service Attacks: SOAPAction Spoofing
  o Web Service Attacks: WS-Address Spoofing
  o Web Service Attacks: XML Injection
  o Web Services Parsing Attacks
  o Web Service Attack Tools
▪ Additional Web Application Hacking Tools
Web API, Webhooks, and Web Shell
▪ What is Web API?
  o Web Services APIs
▪ What are Webhooks?
  o Webhooks Vs. APIs
▪ OWASP Top 10 API Security Risks
▪ API Vulnerabilities
▪ Web API Hacking Methodology
  o Identify the Target
  o Detect Security Standards
  o Identify the Attack Surface
  o Launch Attacks
    • Fuzzing
    • Invalid Input Attacks
    • Malicious Input Attacks
    • Injection Attacks
    • Exploiting Insecure Configurations
      ✓ Insecure SSL Configuration
      ✓ Insecure Direct Object References (IDOR)
      ✓ Insecure Session/Authentication Handling
    • Login/ Credential Stuffing Attacks
    • API DDoS Attacks
    • Authorization Attacks on API: OAuth Attacks
    • Other Techniques to Hack an API
      ✓ Reverse Engineering
      ✓ User Spoofing
      ✓ Man-in-the-Middle Attack
      ✓ Session Replay Attack
      ✓ Social Engineering
  o REST API Vulnerability Scanning
  o Bypassing IDOR via Parameter Pollution
▪ Web Shells
  o Web Shell Tools
▪ Gaining Backdoor Access via Web Shell
▪ How to Prevent Installation of a Web Shell
▪ Web Shell Detection Tools
▪ Secure API Architecture
▪ API Security Risks and Solutions
▪ Best Practices for API Security
▪ Best Practices for Securing Webhooks
Web Application Security
▪ Web Application Security Testing
  o Manual Web App Security Assessment
  o Automated Web App Security Assessment
  o Static Application Security Testing (SAST)
  o Dynamic Application Security Testing (DAST)
▪ Web Application Fuzz Testing
▪ Source Code Review
▪ Encoding Schemes
▪ Whitelisting vs. Blacklisting Applications
  o Application Whitelisting and Blacklisting Tools
▪ How to Defend Against Injection Attacks
▪ Web Application Attack Countermeasures
▪ How to Defend Against Web Application Attacks
▪ RASP for Protecting Web Servers
▪ Bug Bounty Programs
▪ Web Application Security Testing Tools
▪ Web Application Firewalls

CEHv12

Web Application Concepts
▪ Introduction to Web Applications
▪ Web Application Architecture
▪ Web Services
▪ Vulnerability Stack
Web Application Threats
▪ OWASP Top 10 Application Security Risks - 2021
  o A01 - Broken Access Control
  o A02 - Cryptographic Failures/Sensitive Data Exposure
  o A03 - Injection Flaws
    • SQL Injection Attacks
    • Command Injection Attacks
      ✓ Command Injection Example
    • File Injection Attack
    • LDAP Injection Attacks
    • Other Injection Attacks
      ✓ JNDI Injection
    • Cross-Site Scripting (XSS) Attacks
      ✓ Cross-Site Scripting Attack Scenario: Attack via Email
      ✓ XSS Attack in Blog Posting
      ✓ XSS Attack in Comment Field
  o A04 - Insecure Design
  o A05 - Security Misconfiguration
    • XML External Entity (XXE)
  o A06 - Vulnerable and Outdated Components/Using Components with Known Vulnerabilities
  o A07 - Identification and Authentication Failures/Broken Authentication
  o A08 - Software and Data Integrity Failures
    • Insecure Deserialization
  o A09 - Security Logging and Monitoring Failures/Insufficient Logging and Monitoring
  o A10 - Server-Side Request Forgery (SSRF)
    • Types of Server-Side Request Forgery (SSRF) Attack
      ✓ Injecting SSRF payload
      ✓ Cross-Site Port Attack (XSPA)
▪ Other Web Application Threats
  o Directory Traversal
  o Unvalidated Redirects and Forwards
    • Open Redirection
    • Header-Based Open Redirection
    • JavaScript-Based Open Redirection
  o Watering Hole Attack
  o Cross-Site Request Forgery (CSRF) Attack
  o Cookie/Session Poisoning
  o Web Service Attack
  o Web Service Footprinting Attack
  o Web Service XML Poisoning
  o Hidden Field Manipulation Attack
  o Web-based Timing Attacks
  o MarioNet Attack
  o Clickjacking Attack
  o DNS Rebinding Attack
  o Same-Site Attack
  o Pass-the-cookie Attack
Web Application Hacking Methodology
▪ Web Application Hacking Methodology
▪ Footprint Web Infrastructure
  o Server Discovery
  o Service Discovery
  o Server Identification/Banner Grabbing
  o Detecting Web App Firewalls and Proxies on Target Site
  o Hidden Content Discovery
  o Detect Load Balancers
▪ Analyze Web Applications
  o Identify Entry Points for User Input
  o Identify Server-Side Technologies
  o Identify Server-Side Functionality
  o Identify Files and Directories
  o Identify Web Application Vulnerabilities
  o Map the Attack Surface
▪ Bypass Client-side Controls
  o Attack Hidden Form Fields
  o Attack Browser Extensions
    • Attack Google Chrome Browser Extensions
  o Perform Source Code Review
  o Evade XSS Filters
▪ Attack Authentication Mechanism
  o Design and Implementation Flaws in Authentication Mechanism
  o Username Enumeration
  o Password Attacks: Password Functionality Exploits
  o Password Attacks: Password Guessing and Brute-forcing
  o Password Attacks: Attack Password Reset Mechanism
  o Session Attacks: Session ID Prediction/Brute-forcing
  o Cookie Exploitation: Cookie Poisoning
  o Bypass Authentication: Bypass SAML-based SSO
▪ Attack Authorization Schemes
  o Authorization Attack: HTTP Request Tampering
  o Authorization Attack: Cookie Parameter Tampering
▪ Attack Access Controls
▪ Attack Session Management Mechanism
  o Attacking Session Token Generation Mechanism
  o Attacking Session Tokens Handling Mechanism: Session Token Sniffing
▪ Perform Injection/Input Validation Attacks
  o Perform Local File Inclusion (LFI)
▪ Attack Application Logic Flaws
▪ Attack Shared Environments
▪ Attack Database Connectivity
  o Connection String Injection
  o Connection String Parameter Pollution (CSPP) Attacks
  o Connection Pool DoS
▪ Attack Web Application Client
▪ Attack Web Services
  o Web Services Probing Attacks
  o Web Service Attacks: SOAP Injection
  o Web Service Attacks: SOAPAction Spoofing
  o Web Service Attacks: WS-Address Spoofing
  o Web Service Attacks: XML Injection
  o Web Services Parsing Attacks
  o Web Service Attack Tools
▪ Additional Web Application Hacking Tools
  o TIDoS-Framework
Web API, Webhooks, and Web Shell
▪ What is Web API?
  o Web Services APIs
▪ What are Webhooks?
▪ OWASP Top 10 API Security Risks
▪ API Vulnerabilities
▪ Web API Hacking Methodology
  o Identify the Target
  o Detect Security Standards
  o Identify the Attack Surface
    • Analyze Web API Requests and Responses
  o Launch Attacks
    • Fuzzing and Invalid Input Attacks
    • Malicious Input Attacks
    • Injection Attacks
    • Exploiting Insecure Configurations
    • Login/ Credential Stuffing Attacks
    • API DDoS Attacks
    • Authorization Attacks on API: OAuth Attacks
      ✓ SSRF using Dynamic Client Registration endpoint
      ✓ WebFinger User Enumeration
      ✓ Exploit Flawed Scope Validation
    • Other Techniques to Hack an API
  o REST API Vulnerability Scanning
  o Bypassing IDOR via Parameter Pollution
▪ Web Shells
  o Web Shell Tools
▪ How to Prevent Installation of a Web Shell
▪ Web Shell Detection Tools
▪ Secure API Architecture
  o Implementing Layered Security in an API
▪ API Security Risks and Solutions
▪ Best Practices for API Security
▪ Best Practices for Securing Webhooks
Web Application Security
▪ Web Application Security Testing
▪ Web Application Fuzz Testing
▪ Source Code Review
▪ Encoding Schemes
▪ Whitelisting vs. Blacklisting Applications
  o Application Whitelisting and Blacklisting Tools
▪ How to Defend Against Injection Attacks
▪ Web Application Attack Countermeasures
▪ How to Defend Against Web Application Attacks
▪ RASP for Protecting Web Servers
▪ Bug Bounty Programs
▪ Web Application Security Testing Tools
▪ Web Application Firewalls


Module 15: SQL Injection

CEHv11

SQL Injection Concepts
▪ What is SQL Injection?
▪ SQL Injection and Server-side Technologies
▪ Understanding HTTP POST Request
▪ Understanding Normal SQL Query
▪ Understanding an SQL Injection Query
▪ Understanding an SQL Injection Query – Code Analysis
▪ Example of a Web Application Vulnerable to SQL Injection: BadProductList.aspx
▪ Example of a Web Application Vulnerable to SQL Injection: Attack Analysis
▪ Examples of SQL Injection
Types of SQL Injection
▪ Types of SQL injection
  o In-Band SQL Injection
    • Error Based SQL Injection
    • Union SQL Injection
  o Blind/Inferential SQL Injection
    • Blind SQL Injection: No Error Message Returned
    • Blind SQL Injection: WAITFOR DELAY (YES or NO Response)
    • Blind SQL Injection: Boolean Exploitation and Heavy Query
  o Out-of-Band SQL injection
SQL Injection Methodology
▪ Information Gathering and SQL Injection Vulnerability Detection
  o Information Gathering
  o Identifying Data Entry Paths
  o Extracting Information through Error Messages
  o SQL Injection Vulnerability Detection: Testing for SQL Injection
  o Additional Methods to Detect SQL Injection
  o SQL Injection Black Box Pen Testing
  o Source Code Review to Detect SQL Injection Vulnerabilities
  o Testing for Blind SQL Injection Vulnerability in MySQL and MSSQL
▪ Launch SQL Injection Attacks
  o Perform Union SQL Injection
  o Perform Error Based SQL Injection
  o Perform Error Based SQL Injection using Stored Procedure Injection
  o Bypass Website Logins Using SQL Injection
  o Perform Blind SQL Injection – Exploitation (MySQL)
  o Blind SQL Injection - Extract Database User
  o Blind SQL Injection - Extract Database Name
  o Blind SQL Injection - Extract Column Name
  o Blind SQL Injection - Extract Data from ROWS
  o Perform Double Blind SQL Injection – Classical Exploitation (MySQL)
  o Perform Blind SQL Injection Using Out-of-Band Exploitation Technique
  o Exploiting Second-Order SQL Injection
  o Bypass Firewall using SQL Injection
  o Perform SQL Injection to Insert a New User and Update Password
  o Exporting a Value with Regular Expression Attack
▪ Advanced SQL Injection
  o Database, Table, and Column Enumeration
  o Advanced Enumeration
  o Features of Different DBMSs
  o Creating Database Accounts
  o Password Grabbing
  o Grabbing SQL Server Hashes
  o Transfer Database to Attacker's Machine
  o Interacting with the Operating System
  o Interacting with the File System
  o Network Reconnaissance Using SQL Injection
  o Network Reconnaissance Full Query
  o Finding and Bypassing Admin Panel of a Website
  o PL/SQL Exploitation
  o Creating Server Backdoors using SQL Injection
  o HTTP Header-Based SQL Injection
  o DNS Exfiltration using SQL Injection
  o Case Study: SQL Injection Attack and Defense
SQL Injection Tools
▪ SQL Injection Tools
▪ SQL Injection Tools for Mobile Devices
Evasion Techniques
▪ Evading IDS
▪ Types of Signature Evasion Techniques
  o In-line Comment
  o Char Encoding
  o String Concatenation
  o Obfuscated Codes
  o Manipulating White Spaces
  o Hex Encoding
  o Sophisticated Matches
  o URL Encoding
  o Null Byte
  o Case Variation
  o Declare Variables
  o IP Fragmentation
  o Variations
Countermeasures
▪ How to Defend Against SQL Injection Attacks
  o Use Type-Safe SQL Parameters
  o Defenses in the Application
    • Input Validation
    • Output Encoding
    • Enforcing Least Privilege
▪ Detecting SQL Injection Attacks
▪ SQL Injection Detection Tools
  o OWASP ZAP
  o Damn Small SQLi Scanner (DSSS)
  o Snort
  o SQL Injection Detection Tools

CEHv12

SQL Injection Concepts
▪ What is SQL Injection?
▪ SQL Injection and Server-side Technologies
▪ Understanding HTTP POST Request
▪ Understanding Normal SQL Query
▪ Understanding an SQL Injection Query
▪ Understanding an SQL Injection Query – Code Analysis
▪ Example of a Web Application Vulnerable to SQL Injection: BadProductList.aspx
▪ Example of a Web Application Vulnerable to SQL Injection: Attack Analysis
▪ Examples of SQL Injection
Types of SQL Injection
▪ Types of SQL injection
  o In-Band SQL Injection
    • Error Based SQL Injection
    • Union SQL Injection
  o Blind/Inferential SQL Injection
    • Blind SQL Injection: No Error Message Returned
    • Blind SQL Injection: WAITFOR DELAY (YES or NO Response)
    • Blind SQL Injection: Boolean Exploitation and Heavy Query
  o Out-of-Band SQL injection
SQL Injection Methodology
▪ Information Gathering and SQL Injection Vulnerability Detection
  o Information Gathering
  o Identifying Data Entry Paths
  o Extracting Information through Error Messages
  o SQL Injection Vulnerability Detection: Testing for SQL Injection
  o Additional Methods to Detect SQL Injection
  o SQL Injection Black Box Pen Testing
  o Source Code Review to Detect SQL Injection Vulnerabilities
  o Testing for Blind SQL Injection Vulnerability in MySQL and MSSQL
▪ Launch SQL Injection Attacks
  o Perform Union SQL Injection
  o Perform Error Based SQL Injection
  o Perform Error Based SQL Injection using Stored Procedure Injection
  o Bypass Website Logins Using SQL Injection
  o Perform Blind SQL Injection – Exploitation (MySQL)
  o Blind SQL Injection - Extract Database User
  o Blind SQL Injection - Extract Database Name
  o Blind SQL Injection - Extract Column Name
  o Blind SQL Injection - Extract Data from ROWS
  o Perform Double Blind SQL Injection – Classical Exploitation (MySQL)
  o Perform Blind SQL Injection Using Out-of-Band Exploitation Technique
  o Exploiting Second-Order SQL Injection
  o Bypass Firewall using SQL Injection
  o Perform SQL Injection to Insert a New User and Update Password
  o Exporting a Value with Regular Expression Attack
▪ Advanced SQL Injection
  o Database, Table, and Column Enumeration
  o Advanced Enumeration
  o Features of Different DBMSs
  o Creating Database Accounts
  o Password Grabbing
  o Grabbing SQL Server Hashes
  o Transfer Database to Attacker's Machine
  o Interacting with the Operating System
  o Interacting with the File System
  o Network Reconnaissance Using SQL Injection
  o Network Reconnaissance Full Query
  o Finding and Bypassing Admin Panel of a Website
  o PL/SQL Exploitation
  o Creating Server Backdoors using SQL Injection
  o HTTP Header-Based SQL Injection
  o DNS Exfiltration using SQL Injection
  o MongoDB Injection/NoSQL Injection Attack
  o Case Study: SQL Injection Attack and Defense
SQL Injection Tools
▪ SQL Injection Tools
▪ SQL Injection Tools for Mobile Devices
Evasion Techniques
▪ Evading IDS
▪ Types of Signature Evasion Techniques
  o In-line Comment and Char Encoding
  o String Concatenation and Obfuscated Code
  o Manipulating White Spaces and Hex Encoding
  o Sophisticated Matches and URL Encoding
  o Null Byte and Case Variation
  o Declare Variables and IP Fragmentation
  o Variation
SQL Injection Countermeasures
▪ How to Defend Against SQL Injection Attacks
  o Use Type-Safe SQL Parameters
  o Defenses in the Application
    • LIKE Clauses
    • Wrapping Parameters with QUOTENAME() and REPLACE()
▪ Detecting SQL Injection Attacks
▪ SQL Injection Detection Tools
  o OWASP ZAP and Damn Small SQLi Scanner (DSSS)
  o Snort
  o SQL Injection Detection Tools

Module 16: Hacking Wireless Networks

CEHv11

Wireless Concepts
▪ Wireless Terminology
▪ Wireless Networks
▪ Wireless Standards
▪ Service Set Identifier (SSID)
▪ Wi-Fi Authentication Modes
▪ Wi-Fi Authentication Process Using a Centralized Authentication Server
▪ Types of Wireless Antennas
Wireless Encryption
▪ Types of Wireless Encryption
  o Wired Equivalent Privacy (WEP) Encryption
  o Wi-Fi Protected Access (WPA) Encryption
  o WPA2 Encryption
  o WPA3 Encryption
▪ Comparison of WEP, WPA, WPA2, and WPA3
▪ Issues in WEP, WPA, and WPA2
Wireless Threats
▪ Wireless Threats
  o Rogue AP Attack
  o Client Mis-association
  o Misconfigured AP Attack
  o Unauthorized Association
  o Ad-Hoc Connection Attack
  o Honeypot AP Attack
  o AP MAC Spoofing
  o Denial-of-Service Attack
  o Key Reinstallation Attack (KRACK)
  o Jamming Signal Attack
    • Wi-Fi Jamming Devices
  o aLTEr Attack
  o Wormhole Attack
  o Sinkhole Attack
Wireless Hacking Methodology
▪ Wireless Hacking Methodology
▪ Wi-Fi Discovery
  o Wireless Network Footprinting
  o Finding Wi-Fi Networks in Range to Attack
  o Finding WPS-Enabled APs
  o Wi-Fi Discovery Tools
  o Mobile-based Wi-Fi Discovery Tools
▪ GPS Mapping
  o GPS Mapping Tools
  o Wi-Fi Hotspot Finder Tools
  o Wi-Fi Network Discovery Through WarDriving
▪ Wireless Traffic Analysis
  o Choosing the Optimal Wi-Fi Card
  o Sniffing Wireless Traffic
  o Perform Spectrum Analysis
▪ Launch of Wireless Attacks
  o Aircrack-ng Suite
  o Detection of Hidden SSIDs
  o Fragmentation Attack
  o MAC Spoofing Attack
  o Denial-of-Service: Disassociation and De-authentication Attacks
  o Man-in-the-Middle Attack
  o MITM Attack Using Aircrack-ng
  o Wireless ARP Poisoning Attack
    • ARP Poisoning Attack Using Ettercap
  o Rogue APs
    • Creation of a Rogue AP Using MANA Toolkit
  o Evil Twin
    • Set Up of a Fake Hotspot (Evil Twin)
  o aLTEr Attack
  o Wi-Jacking Attack
▪ Wi-Fi Encryption Cracking
  o WEP Encryption Cracking
  o Cracking WEP Using Aircrack-ng
  o WPA/WPA2 Encryption Cracking
  o Cracking WPA-PSK Using Aircrack-ng
  o Cracking WPA/WPA2 Using Wifiphisher
  o Cracking WPS Using Reaver
  o WPA3 Encryption Cracking
  o WEP Cracking and WPA Brute Forcing Using Wesside-ng and Fern Wifi Cracker
Wireless Hacking Tools
▪ WEP/WPA/WPA2 Cracking Tools

CEHv12

Wireless Concepts
▪ Wireless Terminology
▪ Wireless Networks
▪ Wireless Standards
▪ Service Set Identifier (SSID)
▪ Wi-Fi Authentication Modes
▪ Wi-Fi Authentication Process Using a Centralized Authentication Server
▪ Types of Wireless Antennas
Wireless Encryption
▪ Types of Wireless Encryption
  o Wired Equivalent Privacy (WEP) Encryption
  o Wi-Fi Protected Access (WPA) Encryption
  o WPA2 Encryption
  o WPA3 Encryption
▪ Comparison of WEP, WPA, WPA2, and WPA3
▪ Issues in WEP, WPA, and WPA2
Wireless Threats
▪ Wireless Threats
  o Rogue AP Attack
  o Client Mis-association
  o Misconfigured AP Attack
  o Unauthorized Association
  o Ad-Hoc Connection Attack
  o Honeypot AP Attack
  o AP MAC Spoofing
  o Denial-of-Service Attack
  o Key Reinstallation Attack (KRACK)
  o Jamming Signal Attack
    • Wi-Fi Jamming Devices
  o aLTEr Attack
  o Wormhole and Sinkhole Attacks
  o Inter-Chip Privilege Escalation/Wireless Co-Existence Attack
  o GNSS Spoofing
Wireless Hacking Methodology
▪ Wireless Hacking Methodology
▪ Wi-Fi Discovery
  o Wireless Network Footprinting
  o Finding Wi-Fi Networks in Range to Attack
  o Finding WPS-Enabled APs
  o Wi-Fi Discovery Tools
  o Mobile-based Wi-Fi Discovery Tools
▪ GPS Mapping
  o GPS Mapping Tools
  o Wi-Fi Hotspot Finder Tools
  o Wi-Fi Network Discovery Through WarDriving
▪ Wireless Traffic Analysis
  o Choosing the Optimal Wi-Fi Card
  o Sniffing Wireless Traffic
  o Perform Spectrum Analysis
▪ Launch of Wireless Attacks
  o Aircrack-ng Suite
  o Detection of Hidden SSIDs
  o Fragmentation Attack
  o MAC Spoofing Attack
  o Denial-of-Service: Disassociation and De-authentication Attacks
  o Man-in-the-Middle Attack
  o MITM Attack Using Aircrack-ng
  o Wireless ARP Poisoning Attack
    • ARP Poisoning Attack Using Ettercap
  o Rogue APs
    • Creation of a Rogue AP Using MANA Toolkit
  o Evil Twin
    • Set Up of a Fake Hotspot (Evil Twin)
  o aLTEr Attack
  o Wi-Jacking Attack
  o RFID Cloning Attack
▪ Wi-Fi Encryption Cracking
  o WEP Encryption Cracking
  o Cracking WEP Using Aircrack-ng
  o WPA/WPA2 Encryption Cracking
  o Cracking WPA-PSK Using Aircrack-ng
  o Cracking WPA/WPA2 Using Wifiphisher
  o Cracking WPS Using Reaver
  o WPA3 Encryption Cracking
  o WEP Cracking and WPA Brute Forcing Using

Page | 44 Ethical Hacking and Countermeasures Copyright © by EC-Council


All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Version Change Document

Wesside-ng and Fern Wifi Cracker


▪ WEP/WPA/WPA2 Cracking Tools for Mobile Wireless Hacking Tools
▪ Wi-Fi Packet Sniffers ▪ WEP/WPA/WPA2 Cracking Tools
▪ Wi-Fi Traffic Analyzer Tools ▪ WEP/WPA/WPA2 Cracking Tools for Mobile
▪ Other Wireless Hacking Tools ▪ Wi-Fi Packet Sniffers
Bluetooth Hacking ▪ Wi-Fi Traffic Analyzer Tools
▪ Bluetooth Stack ▪ Other Wireless Hacking Tools
▪ Bluetooth Hacking Bluetooth Hacking
▪ Bluetooth Threats ▪ Bluetooth Stack
▪ Bluejacking ▪ Bluetooth Hacking
▪ Bluetooth Reconnaissance Using Bluez ▪ Bluetooth Threats
▪ Btlejacking Using BtleJack ▪ Bluejacking
▪ Bluetooth Hacking Tools ▪ Bluetooth Reconnaissance Using Bluez
Countermeasures ▪ Btlejacking Using BtleJack
▪ Wireless Security Layers ▪ Cracking BLE Encryption Using crackle
▪ Defense Against WPA/WPA2/WPA3 Cracking ▪ Bluetooth Hacking Tools
▪ Defense Against KRACK Attacks Wireless Attack Countermeasures
▪ Defense Against aLTEr Attacks ▪ Wireless Security Layers
▪ Detection and Blocking of Rogue APs ▪ Defense Against WPA/WPA2/WPA3 Cracking
▪ Defense Against Wireless Attacks ▪ Defense Against KRACK and aLTEr Attacks
▪ Defense Against Bluetooth Hacking ▪ Detection and Blocking of Rogue APs
Wireless Security Tools ▪ Defense Against Wireless Attacks
▪ Wireless Intrusion Prevention Systems ▪ Defense Against Bluetooth Hacking
▪ WIPS Deployment Wireless Security Tools
▪ Wi-Fi Security Auditing Tools ▪ Wireless Intrusion Prevention Systems
▪ Wi-Fi IPSs ▪ WIPS Deployment
▪ Wi-Fi Predictive Planning Tools ▪ Wi-Fi Security Auditing Tools
▪ Wi-Fi Vulnerability Scanning Tools ▪ Wi-Fi IPSs
▪ Bluetooth Security Tools ▪ Wi-Fi Predictive Planning Tools
▪ Wi-Fi Security Tools for Mobile ▪ Wi-Fi Vulnerability Scanning Tools
▪ Bluetooth Security Tools
▪ Wi-Fi Security Tools for Mobile

Module 17: Hacking Mobile Platforms

CEHv11
Mobile Platform Attack Vectors
▪ Vulnerable Areas in Mobile Business Environment
▪ OWASP Top 10 Mobile Risks – 2016
▪ Anatomy of a Mobile Attack
▪ How a Hacker can Profit from Mobile Devices that are Successfully Compromised
▪ Mobile Attack Vectors and Mobile Platform Vulnerabilities
▪ Security Issues Arising from App Stores
▪ App Sandboxing Issues
▪ Mobile Spam
▪ SMS Phishing Attack (SMiShing) (Targeted Attack Scan)
  o SMS Phishing Attack Examples
▪ Pairing Mobile Devices on Open Bluetooth and Wi-Fi Connections
▪ Agent Smith Attack
▪ Exploiting SS7 Vulnerability
▪ Simjacker: SIM Card Attack
Hacking Android OS
▪ Android OS
  o Android Device Administration API
▪ Android Rooting
  o Rooting Android Using KingoRoot
  o Android Rooting Tools
▪ Hacking Android Devices
  o Blocking Wi-Fi Access Using NetCut
  o Identifying Attack Surfaces Using drozer
  o Hacking with zANTI and Network Spoofer
  o Launch DoS Attack using Low Orbit Ion Cannon (LOIC)
  o Session Hijacking Using DroidSheep
  o Hacking with Orbot Proxy
  o Exploiting Android Device through ADB Using PhoneSploit
  o Android-based Sniffers
  o Launching Man-in-the-Disk Attack
  o Launching Sphearphone Attack
  o Other Techniques for Hacking Android Devices
    • Advanced SMS Phishing
    • Bypass SSL Pinning
    • Tap ’n Ghost Attack
  o Android Trojans
▪ Android Hacking Tools
▪ Securing Android Devices
▪ Android Security Tools
  o Android Device Tracking Tools: Google Find My Device
  o Android Device Tracking Tools
  o Android Vulnerability Scanners
  o Online Android Analyzers
Hacking iOS
▪ Apple iOS
▪ Jailbreaking iOS
  o Jailbreaking Techniques
  o Jailbreaking of iOS 13.2 Using Cydia
  o Jailbreaking of iOS 13.2 Using Hexxa Plus
  o Jailbreaking Tools
▪ Hacking iOS Devices
  o Hacking using Spyzie
  o Hacking Network using Network Analyzer Pro
  o iOS Trustjacking
  o iOS Malware
  o iOS Hacking Tools
▪ Securing iOS Devices
▪ iOS Device Security Tools
▪ iOS Device Tracking Tools
Mobile Device Management
▪ Mobile Device Management (MDM)
▪ Mobile Device Management Solutions
  o IBM MaaS360
  o Citrix Endpoint Management
▪ Bring Your Own Device (BYOD)
  o BYOD Risks
  o BYOD Policy Implementation
  o BYOD Security Guidelines
Mobile Security Guidelines and Tools
▪ OWASP Top 10 Mobile Controls
▪ General Guidelines for Mobile Platform Security
▪ Mobile Device Security Guidelines for Administrator
▪ SMS Phishing Countermeasures
▪ Reverse Engineering Mobile Applications
▪ Mobile Security Tools
  o Source Code Analysis Tools
  o Reverse Engineering Tools
  o App Repackaging Detector
  o Mobile Protection Tools
  o Mobile Anti-Spyware
  o Mobile Pen Testing Toolkit: ImmuniWeb® MobileSuite

CEHv12
Mobile Platform Attack Vectors
▪ Vulnerable Areas in Mobile Business Environment
▪ OWASP Top 10 Mobile Risks – 2016
▪ Anatomy of a Mobile Attack
▪ How a Hacker can Profit from Mobile Devices that are Successfully Compromised
▪ Mobile Attack Vectors and Mobile Platform Vulnerabilities
▪ Security Issues Arising from App Stores
▪ App Sandboxing Issues
▪ Mobile Spam
▪ SMS Phishing Attack (SMiShing) (Targeted Attack Scan)
  o SMS Phishing Attack Examples
▪ Pairing Mobile Devices on Open Bluetooth and Wi-Fi Connections
▪ Agent Smith Attack
▪ Exploiting SS7 Vulnerability
▪ Simjacker: SIM Card Attack
▪ OTP Hijacking/Two-Factor Authentication Hijacking
▪ Camera/Microphone Capture Attacks
  o Camfecting Attack
  o Android Camera Hijack Attack
Hacking Android OS
▪ Android OS
  o Android Device Administration API
▪ Android Rooting
  o Rooting Android Using KingoRoot
  o Android Rooting Tools
▪ Hacking Android Devices
  o Blocking Wi-Fi Access Using NetCut
  o Identifying Attack Surfaces Using drozer
  o Hacking with zANTI and Network Spoofer
  o Launch DoS Attack using Low Orbit Ion Cannon (LOIC)
  o Session Hijacking Using DroidSheep
  o Hacking with Orbot Proxy
  o Exploiting Android Device through ADB Using PhoneSploit
  o Android-based Sniffers
  o Launching Man-in-the-Disk Attack
  o Launching Sphearphone Attack
  o Exploiting Android Devices Using Metasploit
  o Other Techniques for Hacking Android Devices
  o Android Trojans
▪ OTP Hijacking Tools
▪ Camera/Microphone Hijacking Tools
▪ Android Hacking Tools
▪ Securing Android Devices
▪ Android Security Tools
  o Android Device Tracking Tools: Google Find My Device
  o Android Device Tracking Tools
  o Android Vulnerability Scanners
  o Online Android Analyzers
Hacking iOS
▪ Apple iOS
▪ Jailbreaking iOS
  o Jailbreaking Techniques
  o Jailbreaking iOS Using Hexxa Plus
  o Jailbreaking Tools
▪ Hacking iOS Devices
  o Hacking using Spyzie
  o Hacking Network using Network Analyzer Pro
  o iOS Trustjacking
  o Analyzing and Manipulating iOS Applications
    • Manipulating an iOS Application Using cycript
    • iOS Method Swizzling
    • Extracting Secrets Using Keychain Dumper
    • Analyzing an iOS Application Using objection
  o iOS Malware
  o iOS Hacking Tools
▪ Securing iOS Devices
▪ iOS Device Security Tools
▪ iOS Device Tracking Tools
Mobile Device Management
▪ Mobile Device Management (MDM)
▪ Mobile Device Management Solutions: IBM MaaS360
  o Mobile Device Management Solutions
▪ Bring Your Own Device (BYOD)
  o BYOD Risks
  o BYOD Policy Implementation
  o BYOD Security Guidelines
Mobile Security Guidelines and Tools
▪ OWASP Top 10 Mobile Controls
▪ General Guidelines for Mobile Platform Security
▪ Mobile Device Security Guidelines for Administrator
▪ SMS Phishing Countermeasures
▪ Critical Data Storage in Android and iOS: KeyStore and Keychain Recommendations
▪ Mobile Security Tools
  o Source Code Analysis Tools
  o Reverse Engineering Tools
  o App Repackaging Detector
  o Mobile Protection Tools
  o Mobile Anti-Spyware
  o Mobile Pen Testing Toolkit: ImmuniWeb® MobileSuite

Module 18: IoT and OT Hacking

CEHv11
IoT Hacking
IoT Concepts
▪ What is the IoT?
▪ How the IoT Works
▪ IoT Architecture
▪ IoT Application Areas and Devices
▪ IoT Technologies and Protocols
▪ IoT Communication Models
▪ Challenges of IoT
▪ Threat vs Opportunity
IoT Attacks
▪ IoT Security Problems
▪ OWASP Top 10 IoT Threats
▪ OWASP IoT Attack Surface Areas
▪ IoT Vulnerabilities
▪ IoT Threats
▪ Hacking IoT Devices: General Scenario
▪ IoT Attacks
  o DDoS Attack
  o Exploit HVAC
  o Rolling Code Attack
  o BlueBorne Attack
  o Jamming Attack
  o Hacking Smart Grid/Industrial Devices: Remote Access using Backdoor
  o SDR-Based Attacks on IoT
  o Identifying and Accessing Local IoT Devices
  o Fault Injection Attacks
  o Other IoT Attacks
▪ IoT Attacks in Different Sectors
▪ Case Study: Dyn Attack
IoT Hacking Methodology
▪ What is IoT Device Hacking?
▪ IoT Hacking Methodology
  o Information Gathering Using Shodan
  o Information Gathering using MultiPing
  o Information Gathering using FCC ID Search
  o Discovering IoT Devices with Default Credentials using IoTSeeker
  o Vulnerability Scanning using Nmap
  o Vulnerability Scanning using RIoT Vulnerability Scanner
  o Sniffing using Foren6
  o Sniffing using Wireshark
  o Analyzing Spectrum and IoT Traffic
  o Rolling Code Attack using RFCrack
  o Hacking Zigbee Devices with Attify Zigbee Framework
  o BlueBorne Attack Using HackRF One
  o Replay Attack using HackRF One
  o SDR-Based Attacks using RTL-SDR and GNU Radio
  o Side Channel Attack using ChipWhisperer
  o Gaining Remote Access using Telnet
  o Maintain Access by Exploiting Firmware
  o Firmware Analysis and Reverse Engineering
IoT Hacking Tools
▪ Information-Gathering Tools
▪ Sniffing Tools
▪ Vulnerability-Scanning Tools
▪ Tools to Perform SDR-Based Attacks
▪ IoT Hacking Tools
Countermeasures
▪ How to Defend Against IoT Hacking
▪ General Guidelines for IoT Device Manufacturing Companies
▪ OWASP Top 10 IoT Vulnerabilities Solutions
▪ IoT Framework Security Considerations
▪ IoT Device Management
▪ IoT Security Tools
OT Hacking
OT Concepts
▪ What is OT?
▪ Essential Terminology
▪ IT/OT Convergence (IIOT)
▪ The Purdue Model
▪ Challenges of OT
▪ Introduction to ICS
▪ Components of an ICS
  o Distributed Control System (DCS)
  o Supervisory Control and Data Acquisition (SCADA)
  o Programmable Logic Controller (PLC)
  o Basic Process Control System (BPCS)
  o Safety Instrumented Systems (SIS)
▪ OT Technologies and Protocols
OT Attacks
▪ OT Vulnerabilities
▪ OT Threats
▪ OT Attacks
  o HMI-based Attacks
  o Side-Channel Attacks
    • Timing Analysis
    • Power Analysis
  o Hacking Programmable Logic Controller (PLC)
  o Hacking Industrial Systems through RF Remote Controllers
    • Replay Attack
    • Command Injection
    • Re-pairing with Malicious RF Controller
    • Malicious Reprogramming Attack
  o OT Malware
▪ OT Malware Analysis: LockerGoga Ransomware
OT Hacking Methodology
▪ What is OT Hacking?
▪ OT Hacking Methodology
  o Identifying ICS/SCADA Systems using Shodan
  o Gathering Default Passwords using CRITIFENCE
  o Scanning ICS/SCADA Systems using Nmap
  o Enumerating Slave Controllers using SCADA Shutdown Tool
  o Vulnerability Scanning using Nessus
  o Vulnerability Scanning using Skybox Vulnerability Control
  o Sniffing using NetworkMiner
  o Analyzing Modbus/TCP Traffic Using Wireshark
  o Discovering ICS/SCADA Network Topology using GRASSMARLIN
  o Hacking ICS Hardware
  o Hacking Modbus Slaves using Metasploit
  o Hacking PLC using modbus-cli
  o Gaining Remote Access using DNP3
OT Hacking Tools
▪ Information-Gathering Tools
▪ Sniffing and Vulnerability-Scanning Tools
▪ OT Hacking Tools
Countermeasures
▪ How to Defend Against OT Hacking
▪ OT Vulnerabilities and Solutions
▪ How to Secure an IT/OT Environment
▪ International OT Security Organizations
▪ OT Security Solutions
▪ OT Security Tools

CEHv12
IoT Hacking
IoT Concepts
▪ What is the IoT?
▪ How the IoT Works
▪ IoT Architecture
▪ IoT Application Areas and Devices
▪ IoT Technologies and Protocols
▪ IoT Communication Models
▪ Challenges of IoT
▪ Threat vs Opportunity
IoT Attacks
▪ IoT Security Problems
▪ OWASP Top 10 IoT Threats
▪ OWASP IoT Attack Surface Areas
▪ IoT Vulnerabilities
▪ IoT Threats
▪ Hacking IoT Devices: General Scenario
▪ IoT Attacks
  o DDoS Attack
  o Exploit HVAC
  o Rolling Code Attack
  o BlueBorne Attack
  o Jamming Attack
  o Hacking Smart Grid/Industrial Devices: Remote Access using Backdoor
  o SDR-Based Attacks on IoT
  o Identifying and Accessing Local IoT Devices
  o Fault Injection Attacks
  o Other IoT Attacks
▪ IoT Attacks in Different Sectors
▪ Case Study: Enemybot
IoT Hacking Methodology
▪ What is IoT Device Hacking?
▪ IoT Hacking Methodology
  o Information Gathering Using Shodan
  o Information Gathering using MultiPing
  o Information Gathering using FCC ID Search
  o Discovering IoT Devices with Default Credentials using IoTSeeker
  o Vulnerability Scanning using Nmap
  o Vulnerability Scanning using RIoT Vulnerability Scanner
  o Sniffing using Foren6
  o Sniffing using Wireshark
  o Analyzing Spectrum and IoT Traffic
  o Rolling Code Attack using RFCrack
  o Hacking Zigbee Devices with Attify Zigbee Framework
  o BlueBorne Attack Using HackRF One
  o Replay Attack using HackRF One
  o SDR-Based Attacks using RTL-SDR and GNU Radio
  o Side Channel Attack using ChipWhisperer
  o Identifying IoT Communication Buses and Interfaces
  o NAND Glitching
  o Gaining Remote Access using Telnet
  o Maintain Access by Exploiting Firmware
    • Firmware Analysis and Reverse Engineering
      ✓ Emulate Firmware for Dynamic Testing
▪ IoT Hacking Tools
  o Information-Gathering Tools
  o Sniffing Tools
  o Vulnerability-Scanning Tools
  o Tools to Perform SDR-Based Attacks
  o IoT Hacking Tools
IoT Attack Countermeasures
▪ How to Defend Against IoT Hacking
▪ General Guidelines for IoT Device Manufacturing Companies
▪ OWASP Top 10 IoT Vulnerabilities Solutions
▪ IoT Framework Security Considerations
▪ IoT Hardware Security Best Practices
▪ IoT Device Management
▪ IoT Security Tools
OT Hacking
OT Concepts
▪ What is OT?
▪ Essential Terminology
▪ IT/OT Convergence (IIOT)
▪ The Purdue Model
▪ Challenges of OT
▪ Introduction to ICS
▪ Components of an ICS
  o Distributed Control System (DCS)
  o Supervisory Control and Data Acquisition (SCADA)
  o Programmable Logic Controller (PLC)
  o Basic Process Control System (BPCS)
  o Safety Instrumented Systems (SIS)
▪ OT Technologies and Protocols
OT Attacks
▪ OT Vulnerabilities
▪ MITRE ATT&CK for ICS
▪ OT Threats
▪ OT Attacks
  o HMI-based Attacks
  o Side-Channel Attacks
  o Hacking Programmable Logic Controller (PLC)
  o Hacking Industrial Systems through RF Remote Controllers
  o OT Malware
▪ OT Malware Analysis: INDUSTROYER.V2
OT Hacking Methodology
▪ What is OT Hacking?
▪ OT Hacking Methodology
  o Identifying ICS/SCADA Systems using Shodan
  o Gathering Default Passwords using CRITIFENCE
  o Scanning ICS/SCADA Systems using Nmap
  o Vulnerability Scanning using Nessus
  o Vulnerability Scanning using Skybox Vulnerability Control
  o Fuzzing ICS Protocols
  o Sniffing using NetworkMiner
  o Analyzing Modbus/TCP Traffic Using Wireshark
  o Discovering ICS/SCADA Network Topology using GRASSMARLIN
  o Hacking ICS Hardware
  o Hacking Modbus Slaves using Metasploit
  o Hacking PLC using modbus-cli
  o Gaining Remote Access using DNP3
▪ OT Hacking Tools
  o Information-Gathering Tools
  o Sniffing and Vulnerability-Scanning Tools
  o OT Hacking Tools
OT Attack Countermeasures
▪ How to Defend Against OT Hacking
▪ OT Vulnerabilities and Solutions
▪ How to Secure an IT/OT Environment
▪ Implementing a Zero-Trust Model for ICS/SCADA
▪ International OT Security Organizations and Frameworks
  o OTCSA
  o OT-ISAC
  o NERC
  o Industrial Internet Security Framework (IISF)
  o ISA/IEC-62443
▪ OT Security Solutions
▪ OT Security Tools

Module 19: Cloud Computing

CEHv11
Cloud Computing Concepts
▪ Introduction to Cloud Computing
▪ Types of Cloud Computing Services
▪ Separation of Responsibilities in Cloud
▪ Cloud Deployment Models
▪ NIST Cloud Deployment Reference Architecture
▪ Cloud Storage Architecture
▪ Role of AI in Cloud Computing
▪ Virtual Reality and Augmented Reality on Cloud
▪ Cloud Service Providers
Container Technology
▪ What is a Container?
  o Container Technology Architecture
▪ Containers Vs. Virtual Machines
▪ What is Docker?
  o Docker Engine
  o Docker Architecture
  o Microservices Vs. Docker
  o Docker Networking
▪ Container Orchestration
▪ What is Kubernetes?
  o Kubernetes Cluster Architecture
  o Kubernetes Vs. Docker
▪ Container Security Challenges
▪ Container Management Platforms
▪ Kubernetes Platforms
Serverless Computing
▪ What is Serverless Computing?
▪ Serverless Vs. Containers
▪ Serverless Computing Frameworks
Cloud Computing Threats
▪ OWASP Top 10 Cloud Security Risks
▪ OWASP Top 10 Serverless Security Risks
▪ Cloud Computing Threats
▪ Container Vulnerabilities
▪ Kubernetes Vulnerabilities
▪ Cloud Attacks
  o Service Hijacking using Social Engineering
  o Service Hijacking using Network Sniffing
  o Side-Channel Attacks or Cross-guest VM Breaches
  o Wrapping Attack
  o Man-in-the-Cloud (MITC) Attack
  o Cloud Hopper Attack
  o Cloud Cryptojacking
  o Cloudborne Attack
  o Other Cloud Attacks
Cloud Hacking
▪ What is Cloud Hacking?
▪ Hacking Cloud
  o Container Vulnerability Scanning using Trivy
  o Kubernetes Vulnerability Scanning using Sysdig
  o Enumerating S3 Buckets
    • Inspecting HTML
    • Brute-Forcing URL
    • Finding Subdomains
    • Reverse IP Search
    • Advanced Google Hacking
  o Identifying Open S3 Buckets using S3Scanner
  o Enumerating Kubernetes etcd
  o Enumerating AWS Account IDs
  o Enumerating IAM Roles
  o Enumerating Bucket Permissions using S3Inspector
  o Exploiting Amazon Cloud Infrastructure using Nimbostratus
  o Exploiting Misconfigured AWS S3 Buckets
  o Compromising AWS IAM Credentials
  o Hijacking Misconfigured IAM Roles using Pacu
  o Cracking AWS Access Keys using DumpsterDiver
  o Exploiting Docker Containers on AWS using Cloud Container Attack Tool (CCAT)
  o Exploiting Docker Remote API
  o Hacking Container Volumes
  o CloudGoat AWS – Vulnerable by Design
  o Gaining Access by Exploiting SSRF Vulnerability
  o AWS IAM Privilege Escalation Techniques
  o Escalating Privileges of Google Storage Buckets using GCPBucketBrute
  o Backdooring Docker Images using dockerscan
  o Maintaining Access and Covering Tracks on AWS Cloud Environment by Manipulating CloudTrail Service
▪ AWS Hacking Tool: AWS pwn
Cloud Security
▪ Cloud Security Control Layers
▪ Cloud Security is the Responsibility of both Cloud Provider and Consumer
▪ Cloud Computing Security Considerations
▪ Placement of Security Controls in the Cloud
▪ Best Practices for Securing Cloud
▪ NIST Recommendations for Cloud Security
▪ Kubernetes Vulnerabilities and Solutions
▪ Serverless Security Risks and Solutions
▪ Best Practices for Container Security
▪ Best Practices for Docker Security
▪ Best Practices for Kubernetes Security
▪ Best Practices for Serverless Security
▪ Zero Trust Networks
▪ Organization/Provider Cloud Security Compliance Checklist
▪ International Cloud Security Organizations
▪ Cloud Security Tools
▪ Container Security Tools
▪ Kubernetes Security Tools
▪ Serverless Application Security Solutions

CEHv12
Cloud Computing Concepts
▪ Introduction to Cloud Computing
▪ Types of Cloud Computing Services
  o Infrastructure-as-a-Service (IaaS)
  o Platform-as-a-Service (PaaS)
  o Software-as-a-Service (SaaS)
  o Identity-as-a-Service (IDaaS)
  o Security-as-a-Service (SECaaS)
  o Container-as-a-Service (CaaS)
  o Function-as-a-Service (FaaS)
  o Anything-as-a-Service (XaaS)
  o Firewalls-as-a-Service (FWaaS)
  o Desktop-as-a-Service (DaaS)
  o Mobile Backend-as-a-Service (MBaaS)
  o Machines-as-a-Service (MaaS) Business Model
▪ Separation of Responsibilities in Cloud
▪ Cloud Deployment Models
  o Public Cloud
  o Private Cloud
  o Community Cloud
  o Hybrid Cloud
  o Multi Cloud
  o Distributed Cloud
  o Poly Cloud
▪ NIST Cloud Deployment Reference Architecture
▪ Cloud Storage Architecture
▪ Role of AI in Cloud Computing
▪ Virtual Reality and Augmented Reality on Cloud
▪ Fog Computing
▪ Edge Computing
▪ Cloud vs. Fog Computing vs. Edge Computing
▪ Cloud Computing vs. Grid Computing
▪ Cloud Service Providers
Container Technology
▪ What is a Container?
▪ Containers Vs. Virtual Machines
▪ What is Docker?
  o Microservices Vs. Docker
  o Docker Networking
▪ Container Orchestration
▪ What is Kubernetes?
  o Kubernetes Vs. Docker
▪ Clusters and Containers
▪ Container Security Challenges
▪ Container Management Platforms
▪ Kubernetes Platforms
Serverless Computing
▪ What is Serverless Computing?
▪ Serverless Vs. Containers
▪ Serverless Computing Frameworks
Cloud Computing Threats
▪ OWASP Top 10 Cloud Security Risks
▪ OWASP Top 10 Serverless Security Risks
▪ Cloud Computing Threats
▪ Container Vulnerabilities
▪ Kubernetes Vulnerabilities
▪ Cloud Attacks
  o Service Hijacking using Social Engineering
  o Service Hijacking using Network Sniffing
  o Side-Channel Attacks or Cross-guest VM Breaches
  o Wrapping Attack
  o Man-in-the-Cloud (MITC) Attack
  o Cloud Hopper Attack
  o Cloud Cryptojacking
  o Cloudborne Attack
  o Instance Metadata Service (IMDS) Attack
  o Cache Poisoned Denial of Service (CPDoS)/Content Delivery Network (CDN) Cache Poisoning Attack
  o Cloud Snooper Attack
  o Golden SAML Attack
  o Other Cloud Attacks
▪ Cloud Malware
Cloud Hacking
▪ What is Cloud Hacking?
▪ Hacking Cloud
  o Container Vulnerability Scanning using Trivy
  o Kubernetes Vulnerability Scanning using Sysdig
  o Enumerating S3 Buckets
  o Identifying Open S3 Buckets using S3Scanner
  o Enumerating AWS Account IDs
  o Enumerating IAM Roles
  o Enumerating Bucket Permissions using S3Inspector
  o Enumerating Kubernetes etcd
  o Enumerating Azure Active Directory (AD) Accounts
  o Gathering Cloud Keys Through IMDS Attack
  o Exploiting Amazon Cloud Infrastructure using Nimbostratus
  o Exploiting Misconfigured AWS S3 Buckets
  o Compromising AWS IAM Credentials
  o Hijacking Misconfigured IAM Roles using Pacu
  o Cracking AWS Access Keys using DumpsterDiver
  o Exploiting Docker Containers on AWS using Cloud Container Attack Tool (CCAT)
  o Serverless-Based Attacks on AWS Lambda
  o Exploiting Shadow Admins in AWS
  o Exploiting Docker Remote API
  o Hacking Container Volumes
  o CloudGoat 2 – Vulnerable by Design AWS Deployment Tool
  o Gaining Access by Exploiting SSRF Vulnerability
  o AWS IAM Privilege Escalation Techniques
  o Escalating Privileges of Google Storage Buckets using GCPBucketBrute
  o Privilege Escalation Using Misconfigured User Accounts in Azure AD
  o Creating Backdoor Accounts in AWS
  o Backdooring Docker Images using dockerscan
  o Maintaining Access and Covering Tracks on AWS Cloud Environment by Manipulating CloudTrail Service
▪ AWS Hacking Tool: AWS pwn
Cloud Security
▪ Cloud Security Control Layers
▪ Cloud Security is the Responsibility of both Cloud Provider and Consumer
▪ Cloud Computing Security Considerations
▪ Placement of Security Controls in the Cloud
▪ Best Practices for Securing Cloud
▪ NIST Recommendations for Cloud Security
▪ Security Assertion Markup Language (SAML)
▪ Cloud Network Security
  o Virtual Private Cloud (VPC)
  o Public and Private Subnets
  o Transit Gateways
  o VPC Endpoint
▪ Cloud Security Controls
  o Cloud Application Security
  o High Availability Across Zones
  o Cloud Integration and Auditing
  o Security Groups
  o Instance Awareness
▪ Kubernetes Vulnerabilities and Solutions
▪ Serverless Security Risks and Solutions
▪ Best Practices for Container Security
▪ Best Practices for Docker Security
▪ Best Practices for Kubernetes Security
▪ Best Practices for Serverless Security
▪ Zero Trust Networks
▪ Organization/Provider Cloud Security Compliance Checklist
▪ International Cloud Security Organizations
▪ Shadow Cloud Asset Discovery Tools
▪ Cloud Security Tools
▪ Container Security Tools
▪ Kubernetes Security Tools
▪ Serverless Application Security Solutions
▪ Cloud Access Security Broker (CASB)
  o CASB Solutions
    • Forcepoint CASB
▪ Next-Generation Secure Web Gateway (NG SWG)
  o NG SWG Solutions

Module 20: Cryptography Module 20: Cryptography


Cryptography Concepts Cryptography Concepts
▪ Cryptography ▪ Cryptography
o Types of Cryptography ▪ Government Access to Keys (GAK)
▪ Government Access to Keys (GAK) Encryption Algorithms
Encryption Algorithms ▪ Ciphers
▪ Data Encryption Standard (DES) and Advanced
▪ Ciphers
Encryption Standard (AES)
▪ Data Encryption Standard (DES) ▪ RC4, RC5, and RC6 Algorithms
▪ Advanced Encryption Standard (AES) ▪ Twofish and Threefish
▪ RC4, RC5, and RC6 Algorithms ▪ Serpent and TEA
▪ Twofish ▪ CAST-128
▪ Threefish ▪ GOST Block Cipher and Camellia
▪ Serpent ▪ DSA and Related Signature Schemes
▪ TEA ▪ Rivest Shamir Adleman (RSA)
▪ CAST-128 ▪ Diffie-Hellman
▪ GOST Block Cipher ▪ YAK
▪ Camellia ▪ Message Digest (One-Way Hash) Functions
▪ DSA and Related Signature Schemes o Message Digest Function: MD5 and MD6

Page | 56 Ethical Hacking and Countermeasures Copyright © by EC-Council


All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Version Change Document

o Message Digest Function: Secure Hashing


▪ Rivest Shamir Adleman (RSA)
Algorithm (SHA)
▪ Diffie-Hellman o RIPEMD – 160 and HMAC
▪ YAK ▪ Other Encryption Techniques
▪ Message Digest (One-Way Hash) Functions o Post-quantum Cryptography
o Message Digest Function: MD5 and MD6 o Lightweight Cryptography
o Message Digest Function: Secure Hashing
▪ Comparison of Cryptographic Algorithms
Algorithm (SHA)
o RIPEMD - 160 ▪ Cipher Modes of Operation
o HMAC o Electronic Code Book (ECB) Mode
▪ Other Encryption Techniques o Cipher Block Chaining (CBC) Mode
o Elliptic Curve Cryptography o Cipher Feedback (CFB) Mode
o Quantum Cryptography o Counter Mode
o Homomorphic Encryption ▪ Modes of Authenticated Encryption
o Authenticated Encryption with Message
o Hardware-Based Encryption
Authentication Code (MAC)
o Authenticated Encryption with Associated Data
▪ Comparison of Cryptographic Algorithms
(AEAD)
CEHv11

Cryptography Tools
  ▪ MD5 and MD6 Hash Calculators
  ▪ Hash Calculators for Mobile
  ▪ Cryptography Tools
  ▪ Cryptography Tools for Mobile
Public Key Infrastructure (PKI)
  ▪ Public Key Infrastructure (PKI)
    o Certification Authorities
    o Signed Certificate (CA) Vs. Self Signed Certificate
Email Encryption
  ▪ Digital Signature
  ▪ Secure Sockets Layer (SSL)
  ▪ Transport Layer Security (TLS)
  ▪ Cryptography Toolkits
  ▪ Pretty Good Privacy (PGP)
  ▪ GNU Privacy Guard (GPG)
  ▪ Web of Trust (WOT)
  ▪ Email Encryption Tools
Disk Encryption
  ▪ Disk Encryption
  ▪ Disk Encryption Tools: VeraCrypt and Symantec Drive Encryption
  ▪ Disk Encryption Tools
Cryptanalysis
  ▪ Cryptanalysis Methods
    o Linear Cryptanalysis
    o Differential Cryptanalysis
    o Integral Cryptanalysis
  ▪ Code Breaking Methodologies
  ▪ Cryptography Attacks
    o Brute-Force Attack
    o Birthday Attack
    o Birthday Paradox: Probability
    o Meet-in-the-Middle Attack on Digital Signature Schemes
    o Side-Channel Attack
    o Hash Collision Attack
    o DUHK Attack
    o Rainbow Table Attack
    o Related-Key Attack
    o Padding Oracle Attack
    o DROWN Attack
  ▪ Cryptanalysis Tools
  ▪ Online MD5 Decryption Tools
Countermeasures
  ▪ How to Defend Against Cryptographic Attacks
  ▪ Key Stretching
    o PBKDF2
    o Bcrypt

CEHv12

Applications of Cryptography - Blockchain
    o Types of Blockchain
Cryptography Tools
  ▪ MD5 and MD6 Hash Calculators
  ▪ Hash Calculators for Mobile
  ▪ Cryptography Tools
  ▪ Cryptography Tools for Mobile
Public Key Infrastructure (PKI)
  ▪ Public Key Infrastructure (PKI)
    o Certification Authorities
    o Signed Certificate (CA) Vs. Self Signed Certificate
Email Encryption
  ▪ Digital Signature
  ▪ Secure Sockets Layer (SSL)
  ▪ Transport Layer Security (TLS)
  ▪ Cryptography Toolkits
  ▪ Pretty Good Privacy (PGP)
  ▪ GNU Privacy Guard (GPG)
  ▪ Web of Trust (WOT)
  ▪ Encrypting Email Messages in Outlook
    o S/MIME Encryption
    o Microsoft 365 Message Encryption
  ▪ Signing/Encrypting Email Messages on Mac
  ▪ Encrypting/Decrypting Email Messages Using OpenPGP
  ▪ Email Encryption Tools
Disk Encryption
  ▪ Disk Encryption
  ▪ Disk Encryption Tools: VeraCrypt and Symantec Drive Encryption
  ▪ Disk Encryption Tools
  ▪ Disk Encryption Tools for Linux
  ▪ Disk Encryption Tools for macOS
Cryptanalysis
  ▪ Cryptanalysis Methods
    o Quantum Cryptanalysis
  ▪ Code Breaking Methodologies
  ▪ Cryptography Attacks
    o Brute-Force Attack
    o Birthday Attack
    o Birthday Paradox: Probability
    o Meet-in-the-Middle Attack on Digital Signature Schemes
    o Side-Channel Attack
    o Hash Collision Attack
    o DUHK Attack
    o Rainbow Table Attack
    o Related-Key Attack
    o Padding Oracle Attack
    o DROWN Attack
  ▪ Cryptanalysis Tools
  ▪ Online MD5 Decryption Tools
Cryptography Attack Countermeasures
  ▪ How to Defend Against Cryptographic Attacks
  ▪ Key Stretching
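Two of the Module 20 topics listed above are easiest to understand as working code: the birthday-paradox probability that underlies the Birthday Attack and Hash Collision Attack entries, and PBKDF2 key stretching from the countermeasures. The block below is an added example written for this version comparison; it is not EC-Council lab material and does not come from any of the tools named above. It uses only Python's standard library. The 600,000-iteration default, the record layout used to store a stretched password, and the sample wordlist are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os


def birthday_collision_probability(hash_bits: int, samples: int) -> float:
    """Probability that `samples` outputs of an ideal `hash_bits`-bit hash contain
    at least one collision, using the standard birthday approximation
    p ~= 1 - exp(-k(k-1) / (2N)) with N = 2**hash_bits."""
    space = 2 ** hash_bits
    return 1.0 - math.exp(-(samples * (samples - 1)) / (2.0 * space))


def samples_for_probability(hash_bits: int, target: float) -> int:
    """Inverse of the above: how many hash outputs an attacker must collect before
    the collision probability reaches `target` (k ~= sqrt(2N ln(1/(1-p)))).
    For a 64-bit digest and p = 0.5 this is about 5.06e9, roughly 2**32.2,
    which is why a birthday attack needs ~2**(n/2) work, not 2**n."""
    space = 2 ** hash_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - target))))


def stretch_password(password: str, salt: bytes, iterations: int,
                     hash_name: str = "sha256", dklen: int = 32) -> bytes:
    """PBKDF2-HMAC key stretching: each verification, and therefore each attacker
    guess, costs `iterations` HMAC computations instead of a single hash."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations, dklen)


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Store salt, iteration count and derived key together. The record layout and the
    default iteration count are assumptions for this example."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "dk": stretch_password(password, salt, iterations)}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    dk = stretch_password(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


def crack_with_wordlist(record: dict, wordlist) -> tuple:
    """Offline guessing the way an attacker does it. Returns (password_or_None, guesses).
    Each guess costs a full PBKDF2 run, so the stretching factor multiplies the
    attacker's cost directly."""
    guesses = 0
    for guess in wordlist:
        guesses += 1
        if verify_password(record, guess):
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    print("P(collision), 32-bit hash, 77163 samples:",
          round(birthday_collision_probability(32, 77163), 3))
    print("samples for 50% collision, 64-bit hash:", samples_for_probability(64, 0.5))
    rec = make_record("correct horse", iterations=10_000)
    print("cracked:", crack_with_wordlist(rec, ["123456", "password", "correct horse"]))
```

The `stretch_password` helper with `hash_name="sha1"`, `iterations=1` and `dklen=20` reproduces the first RFC 6070 PBKDF2 test vector, which is a convenient check that the call is wired correctly before relying on it.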

Labs Comparison
The notations used:
1. Red points are new labs in CEHv12
2. Blue points are substantially modified labs in CEHv12
3. Struck-through labs are removed from CEHv11

CEHv11 vs. CEHv12
Module 01: Introduction to Ethical Hacking (no labs in either version)

Module 02: Footprinting and Reconnaissance

CEHv11
1. Perform Footprinting Through Search Engines
  1.1 Gather Information using Advanced Google Hacking Techniques
  1.2 Gather Information from Video Search Engines
  1.3 Gather Information from FTP Search Engines
  1.4 Gather Information from IoT Search Engines
2. Perform Footprinting Through Web Services
  2.1 Find the Company’s Domains and Sub-domains using Netcraft
  2.2 Gather Personal Information using PeekYou Online People Search Service
  2.3 Gather an Email List using theHarvester
  2.4 Gather Information using Deep and Dark Web Searching
  2.5 Determine Target OS Through Passive Footprinting
3. Perform Footprinting Through Social Networking Sites
  3.1 Gather Employees’ Information from LinkedIn using theHarvester
  3.2 Gather Personal Information from Various Social Networking Sites using Sherlock
  3.3 Gather Information using Followerwonk
4. Perform Website Footprinting
  4.1 Gather Information About a Target Website using Ping Command Line Utility
  4.2 Gather Information About a Target Website using Website Informer
  4.3 Extract a Company’s Data using Web Data Extractor
  4.4 Mirror a Target Website using HTTrack Web Site Copier
  4.5 Gather a Wordlist from the Target Website using CeWL
5. Perform Email Footprinting
  5.1 Gather Information About a Target by Tracing Emails using eMailTrackerPro
6. Perform Whois Footprinting
  6.1 Perform Whois Lookup using DomainTools
7. Perform DNS Footprinting
  7.1 Gather DNS Information using nslookup Command Line Utility and Online Tool
  7.2 Perform Reverse DNS Lookup using Reverse IP Domain Check and DNSRecon
8. Perform Network Footprinting
  8.1 Locate the Network Range
  8.2 Perform Network Tracerouting in Windows and Linux Machines
  8.3 Perform Advanced Network Route Tracing using Path Analyzer Pro
9. Perform Footprinting using Various Footprinting Tools
  9.1 Footprinting a Target using Recon-ng
  9.2 Footprinting a Target using Maltego
  9.3 Footprinting a Target using OSRFramework
  9.4 Footprinting a Target using FOCA
  9.5 Footprinting a Target using BillCipher
  9.6 Footprinting a Target using OSINT Framework

CEHv12
1. Perform Footprinting Through Search Engines (unchanged from CEHv11)
2. Perform Footprinting Through Web Services (unchanged from CEHv11)
3. Perform Footprinting Through Social Networking Sites (unchanged from CEHv11)
4. Perform Website Footprinting
  4.1 Gather Information About a Target Website using Ping Command Line Utility
  4.2 Gather Information of a Target Website using Photon
  4.3 Gather Information About a Target Website using Central Ops
  4.4 Extract a Company’s Data using Web Data Extractor
  4.5 Mirror a Target Website using HTTrack Web Site Copier
  4.6 Gather Information About a Target Website using GRecon
  4.7 Gather a Wordlist from the Target Website using CeWL
5. Perform Email Footprinting
  5.1 Gather Information About a Target by Tracing Emails using eMailTrackerPro
6. Perform Whois Footprinting
  6.1 Perform Whois Lookup using DomainTools
7. Perform DNS Footprinting
  7.1 Gather DNS Information using nslookup Command Line Utility and Online Tool
  7.2 Perform Reverse DNS Lookup using Reverse IP Domain Check and DNSRecon
  7.3 Gather Information of Subdomain and DNS Records using SecurityTrails
8. Perform Network Footprinting (unchanged from CEHv11)
9. Perform Footprinting using Various Footprinting Tools (unchanged from CEHv11)

Module 03: Scanning Networks

CEHv11
1. Perform Host Discovery
  1.1 Perform Host Discovery using Nmap
  1.2 Perform Host Discovery using Angry IP Scanner
2. Perform Port and Service Discovery
  2.1 Perform Port and Service Discovery using MegaPing
  2.2 Perform Port and Service Discovery using NetScanTools Pro
  2.3 Explore Various Network Scanning Techniques using Nmap
  2.4 Explore Various Network Scanning Techniques using Hping3
3. Perform OS Discovery
  3.1 Identify the Target System’s OS with Time-to-Live (TTL) and TCP Window Sizes using Wireshark
  3.2 Perform OS Discovery using Nmap Script Engine (NSE)
  3.3 Perform OS Discovery using Unicornscan
4. Scan beyond IDS and Firewall
  4.1 Scan beyond IDS/Firewall using various Evasion Techniques
  4.2 Create Custom Packets using Colasoft Packet Builder to Scan beyond IDS/Firewall
  4.3 Create Custom UDP and TCP Packets using Hping3 to Scan beyond IDS/Firewall
  4.4 Create Custom Packets using Nmap to Scan beyond IDS/Firewall
  4.5 Browse Anonymously using Proxy Switcher
  4.6 Browse Anonymously using CyberGhost VPN
5. Draw Network Diagrams
  5.1 Draw Network Diagrams using Network Topology Mapper
6. Perform Network Scanning using Various Scanning Tools
  6.1 Scan a Target Network using Metasploit

CEHv12
1. Perform Host Discovery (unchanged from CEHv11)
2. Perform Port and Service Discovery
  2.1 Perform Port and Service Discovery using MegaPing
  2.2 Perform Port and Service Discovery using NetScanTools Pro
  2.3 Perform Port Scanning using sx Tool
  2.4 Explore Various Network Scanning Techniques using Nmap
  2.5 Explore Various Network Scanning Techniques using Hping3
3. Perform OS Discovery (unchanged from CEHv11)
4. Scan beyond IDS and Firewall
  4.1 Scan beyond IDS/Firewall using various Evasion Techniques
  4.2 Create Custom Packets using Colasoft Packet Builder to Scan beyond IDS/Firewall
  4.3 Create Custom UDP and TCP Packets using Hping3 to Scan beyond IDS/Firewall
  4.4 Browse Anonymously using Proxy Switcher
  4.5 Browse Anonymously using CyberGhost VPN
5. Perform Network Scanning using Various Scanning Tools
  5.1 Scan a Target Network using Metasploit
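Lab 3.1 in both versions infers the operating system from the TTL and TCP window size seen in captured packets. The heuristic is simple enough to automate over the values Wireshark shows, and the block below does that as an added example written for this document (not EC-Council lab code). Its signature table is an assumed, deliberately small set of common defaults (initial TTLs of 64, 128 and 255, plus a handful of typical SYN-ACK window sizes); a real fingerprinter such as Nmap's OS detection uses many more fields, so treat the output as a hint. The observations are constructed, not captured.

```python
from dataclasses import dataclass

# Assumed signature data for illustration only. Initial TTLs are the common OS defaults;
# window sizes are typical SYN-ACK values that vary with version and tuning.
INITIAL_TTLS = (64, 128, 255)
TTL_FAMILY = {64: "Linux/Unix/macOS", 128: "Windows", 255: "Cisco/Solaris/network device"}
WINDOW_SIGNATURES = {
    (64, 64240): "Linux",
    (64, 29200): "Linux (older kernel)",
    (64, 65535): "FreeBSD or macOS",
    (128, 65535): "Windows",
    (128, 8192): "Windows (legacy)",
    (255, 4128): "Cisco IOS",
}


@dataclass
class Observation:
    src_ip: str
    ttl: int       # TTL as it arrived, already decremented by each router on the path
    window: int    # TCP window size advertised in the SYN-ACK


def guess_initial_ttl(observed_ttl: int) -> int:
    """The sender's initial TTL is the smallest common default >= the observed value;
    the difference between the two is the hop count."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return 255


def fingerprint(obs: Observation) -> dict:
    """Combine the TTL family with the window-size signature for a best-effort OS guess."""
    initial = guess_initial_ttl(obs.ttl)
    os_guess = WINDOW_SIGNATURES.get(
        (initial, obs.window), TTL_FAMILY[initial] + " (window unmatched)")
    return {"src_ip": obs.src_ip, "initial_ttl": initial,
            "hops": initial - obs.ttl, "os": os_guess}


def fingerprint_all(observations) -> list:
    return [fingerprint(o) for o in observations]


# Constructed sample: what a SYN-ACK from each host might look like in a capture.
SAMPLE = [
    Observation("10.0.0.5", 51, 64240),    # 13 hops away, Linux-style window
    Observation("10.0.0.7", 122, 65535),   # 6 hops away, Windows-style window
    Observation("10.0.0.9", 250, 4128),    # 5 hops away, Cisco-style window
    Observation("10.0.0.11", 60, 5840),    # TTL family known, window not in the table
]

if __name__ == "__main__":
    for result in fingerprint_all(SAMPLE):
        print(result)
```

To feed real data to `fingerprint_all`, export the three fields from a capture with `tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==1" -T fields -e ip.src -e ip.ttl -e tcp.window_size_value` and build an `Observation` per line. The TTL step alone is reliable for the OS family; the window size only narrows it, which is why the unmatched case still returns the family rather than nothing.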

Module 04: Enumeration

CEHv11
1. Perform NetBIOS Enumeration
  1.1 Perform NetBIOS Enumeration using Windows Command-Line Utilities
  1.2 Perform NetBIOS Enumeration using NetBIOS Enumerator
  1.3 Perform NetBIOS Enumeration using an NSE Script
2. Perform SNMP Enumeration
  2.1 Perform SNMP Enumeration using snmp-check
  2.2 Perform SNMP Enumeration using SoftPerfect Network Scanner
3. Perform LDAP Enumeration
  3.1 Perform LDAP Enumeration using Active Directory Explorer (AD Explorer)
4. Perform NFS Enumeration
  4.1 Perform NFS Enumeration using RPCScan and SuperEnum
5. Perform DNS Enumeration
  5.1 Perform DNS Enumeration using Zone Transfer
  5.2 Perform DNS Enumeration using DNSSEC Zone Walking
6. Perform RPC, SMB, and FTP Enumeration
  6.1 Perform RPC and SMB Enumeration using NetScanTools Pro
  6.2 Perform RPC, SMB, and FTP Enumeration using Nmap
7. Perform Enumeration using Various Enumeration Tools
  7.1 Enumerate Information using Global Network Inventory
  7.2 Enumerate Network Resources using Advanced IP Scanner
  7.3 Enumerate Information from Windows and Samba Hosts using Enum4linux

CEHv12
1. Perform NetBIOS Enumeration (unchanged from CEHv11)
2. Perform SNMP Enumeration
  2.1 Perform SNMP Enumeration using snmp-check
  2.2 Perform SNMP Enumeration using SoftPerfect Network Scanner
  2.3 Perform SNMP Enumeration using SnmpWalk
  2.4 Perform SNMP Enumeration using Nmap
3. Perform LDAP Enumeration
  3.1 Perform LDAP Enumeration using Active Directory Explorer (AD Explorer)
  3.2 Perform LDAP Enumeration using Python and Nmap
  3.3 Perform LDAP Enumeration using ldapsearch
4. Perform NFS Enumeration
  4.1 Perform NFS Enumeration using RPCScan and SuperEnum
5. Perform DNS Enumeration
  5.1 Perform DNS Enumeration using Zone Transfer
  5.2 Perform DNS Enumeration using DNSSEC Zone Walking
  5.3 Perform DNS Enumeration using Nmap
6. Perform SMTP Enumeration
  6.1 Perform SMTP Enumeration using Nmap
7. Perform RPC, SMB, and FTP Enumeration
  7.1 Perform RPC and SMB Enumeration using NetScanTools Pro
  7.2 Perform RPC, SMB, and FTP Enumeration using Nmap
8. Perform Enumeration using Various Enumeration Tools
  8.1 Enumerate Information using Global Network Inventory
  8.2 Enumerate Network Resources using Advanced IP Scanner
  8.3 Enumerate Information from Windows and Samba Hosts using Enum4linux

Module 05: Vulnerability Analysis (lab list identical in CEHv11 and CEHv12)
1. Perform Vulnerability Research with Vulnerability Scoring Systems and Databases
  1.1 Perform Vulnerability Research in Common Weakness Enumeration (CWE)
  1.2 Perform Vulnerability Research in Common Vulnerabilities and Exposures (CVE)
  1.3 Perform Vulnerability Research in National Vulnerability Database (NVD)
2. Perform Vulnerability Assessment using Various Vulnerability Assessment Tools
  2.1 Perform Vulnerability Analysis using OpenVAS
  2.2 Perform Vulnerability Scanning using Nessus
  2.3 Perform Vulnerability Scanning using GFI LanGuard
  2.4 Perform Web Servers and Applications Vulnerability Scanning using CGI Scanner Nikto

Module 06: System Hacking

CEHv11
1. Gain Access to the System
  1.1 Perform Active Online Attack to Crack the System’s Password using Responder
  1.2 Audit System Passwords using L0phtCrack
  1.3 Find Vulnerabilities on Exploit Sites
  1.4 Exploit Client-Side Vulnerabilities and Establish a VNC Session
  1.5 Gain Access to a Remote System using Armitage
  1.6 Hack a Windows Machine with a Malicious Office Document using TheFatRat
  1.7 Perform Buffer Overflow Attack to Gain Access to a Remote System
2. Perform Privilege Escalation to Gain Higher Privileges
  2.1 Escalate Privileges using Privilege Escalation Tools and Exploit Client-Side Vulnerabilities
  2.2 Hack a Windows Machine using Metasploit and Perform Post-Exploitation using Meterpreter
3. Maintain Remote Access and Hide Malicious Activities
  3.1 User System Monitoring and Surveillance using Power Spy
  3.2 User System Monitoring and Surveillance using Spytech SpyAgent
  3.3 Hide Files using NTFS Streams
  3.4 Hide Data using White Space Steganography
  3.5 Image Steganography using OpenStego
  3.6 Covert Channels using Covert_TCP
4. Clear Logs to Hide the Evidence of Compromise
  4.1 View, Enable, and Clear Audit Policies using Auditpol
  4.2 Clear Windows Machine Logs using Various Utilities
  4.3 Clear Linux Machine Logs using the BASH Shell
  4.4 Clear Windows Machine Logs using CCleaner

CEHv12
1. Gain Access to the System
  1.1 Perform Active Online Attack to Crack the System’s Password using Responder
  1.2 Audit System Passwords using L0phtCrack
  1.3 Find Vulnerabilities on Exploit Sites
  1.4 Exploit Client-Side Vulnerabilities and Establish a VNC Session
  1.5 Gain Access to a Remote System using Armitage
  1.6 Gain Access to a Remote System using Ninja Jonin
  1.7 Perform Buffer Overflow Attack to Gain Access to a Remote System
2. Perform Privilege Escalation to Gain Higher Privileges
  2.1 Escalate Privileges using Privilege Escalation Tools and Exploit Client-Side Vulnerabilities
  2.2 Hack a Windows Machine using Metasploit and Perform Post-Exploitation using Meterpreter
  2.3 Escalate Privileges by Exploiting Vulnerability in pkexec
  2.4 Escalate Privileges in Linux Machine by Exploiting Misconfigured NFS
  2.5 Escalate Privileges by Bypassing UAC and Exploiting Sticky Keys
  2.6 Escalate Privileges to Gather Hashdump using Mimikatz
3. Maintain Remote Access and Hide Malicious Activities
  3.1 User System Monitoring and Surveillance using Power Spy
  3.2 User System Monitoring and Surveillance using Spytech SpyAgent
  3.3 Hide Files using NTFS Streams
  3.4 Hide Data using White Space Steganography
  3.5 Image Steganography using OpenStego and StegOnline
  3.6 Maintain Persistence by Abusing Boot or Logon Autostart Execution
  3.7 Maintain Domain Persistence by Exploiting Active Directory Objects
  3.8 Privilege Escalation and Maintain Persistence using WMI
  3.9 Covert Channels using Covert_TCP
4. Clear Logs to Hide the Evidence of Compromise
  4.1 View, Enable, and Clear Audit Policies using Auditpol
  4.2 Clear Windows Machine Logs using Various Utilities
  4.3 Clear Linux Machine Logs using the BASH Shell
  4.4 Hiding Artifacts in Windows and Linux Machines
  4.5 Clear Windows Machine Logs using CCleaner

Module 07: Malware Threats

CEHv11
1. Gain Access to the Target System using Trojans
  1.1 Gain Control over a Victim Machine using the njRAT RAT Trojan
  1.2 Hide a Trojan using SwayzCryptor and Make it Undetectable to Various Anti-Virus Programs
  1.3 Create a Server using the ProRat Tool
  1.4 Create a Trojan Server using Theef RAT Trojan
2. Infect the Target System using a Virus
  2.1 Create a Virus using the JPS Virus Maker Tool and Infect the Target System
3. Perform Static Malware Analysis
  3.1 Perform Malware Scanning using Hybrid Analysis
  3.2 Perform a Strings Search using BinText
  3.3 Identify Packaging and Obfuscation Methods using PEid
  3.4 Find the Portable Executable (PE) Information of a Malware Executable File using PE Explorer
  3.5 Identify File Dependencies using Dependency Walker
  3.6 Perform Malware Disassembly using IDA and OllyDbg
4. Perform Dynamic Malware Analysis
  4.1 Perform Port Monitoring using TCPView and CurrPorts
  4.2 Perform Process Monitoring using Process Monitor
  4.3 Perform Registry Monitoring using Regshot and jv16 PowerTools
  4.4 Perform Windows Services Monitoring using Windows Service Manager (SrvMan)
  4.5 Perform Startup Programs Monitoring using Autoruns for Windows and WinPatrol
  4.6 Perform Installation Monitoring using Mirekusoft Install Monitor
  4.7 Perform Files and Folder Monitoring using PA File Sight
  4.8 Perform Device Drivers Monitoring using DriverView and Driver Booster
  4.9 Perform DNS Monitoring using DNSQuerySniffer

CEHv12
1. Gain Access to the Target System using Trojans
  1.1 Gain Control over a Victim Machine using the njRAT RAT Trojan
  1.2 Hide a Trojan using SwayzCryptor and Make it Undetectable to Various Anti-Virus Programs
  1.3 Create a Trojan Server using Theef RAT Trojan
2. Infect the Target System using a Virus
  2.1 Create a Virus using the JPS Virus Maker Tool and Infect the Target System
3. Perform Static Malware Analysis
  3.1 Perform Online Malware Scanning using VirusTotal
  3.2 Perform a Strings Search using BinText
  3.3 Identify Packaging and Obfuscation Methods using PEid
  3.4 Analyze ELF Executable File using Detect It Easy (DIE)
  3.5 Find the Portable Executable (PE) Information of a Malware Executable File using PE Explorer
  3.6 Identify File Dependencies using Dependency Walker
  3.7 Perform Malware Disassembly using IDA and OllyDbg
  3.8 Perform Malware Disassembly using Ghidra
4. Perform Dynamic Malware Analysis
  4.1 Perform Port Monitoring using TCPView and CurrPorts
  4.2 Perform Process Monitoring using Process Monitor
  4.3 Perform Registry Monitoring using Reg Organizer
  4.4 Perform Windows Services Monitoring using Windows Service Manager (SrvMan)
  4.5 Perform Startup Programs Monitoring using Autoruns for Windows and WinPatrol
  4.6 Perform Installation Monitoring using Mirekusoft Install Monitor
  4.7 Perform Files and Folder Monitoring using PA File Sight
  4.8 Perform Device Driver Monitoring using DriverView and Driver Reviver
  4.9 Perform DNS Monitoring using DNSQuerySniffer

Module 08: Sniffing

CEHv11
1. Perform Active Sniffing
  1.1 Perform MAC Flooding using macof
  1.2 Perform a DHCP Starvation Attack using Yersinia
  1.3 Perform ARP Poisoning using arpspoof
  1.4 Perform a Man-in-the-Middle (MITM) Attack using Cain & Abel
  1.5 Spoof a MAC Address using TMAC and SMAC
2. Perform Network Sniffing using Various Sniffing Tools
  2.1 Perform Password Sniffing using Wireshark
  2.2 Analyze a Network using the Capsa Network Analyzer
  2.3 Analyze a Network using the Omnipeek Network Protocol Analyzer
  2.4 Analyze a Network using the SteelCentral Packet Analyzer
3. Detect Network Sniffing
  3.1 Detect ARP Poisoning in a Switch-Based Network
  3.2 Detect ARP Poisoning using the Capsa Network Analyzer
  3.3 Detect Promiscuous Mode using Nmap and NetScanTools Pro

CEHv12
1. Perform Active Sniffing
  1.1 Perform MAC Flooding using macof
  1.2 Perform a DHCP Starvation Attack using Yersinia
  1.3 Perform ARP Poisoning using arpspoof
  1.4 Perform a Man-in-the-Middle (MITM) Attack using Cain & Abel
  1.5 Spoof a MAC Address using TMAC and SMAC
  1.6 Spoof a MAC Address of Linux Machine using macchanger
2. Perform Network Sniffing using Various Sniffing Tools
  2.1 Perform Password Sniffing using Wireshark
  2.2 Analyze a Network using the Omnipeek Network Protocol Analyzer
  2.3 Analyze a Network using the SteelCentral Packet Analyzer
3. Detect Network Sniffing
  3.1 Detect ARP Poisoning and Promiscuous Mode in a Switch-Based Network
  3.2 Detect ARP Attacks using Xarp
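The Module 08 detection labs (3.1 in both versions, Xarp in CEHv12) rest on one observation: after arpspoof runs, the same IP is announced from two different MACs, and one MAC ends up claiming several IPs. The block below implements that check over a stream of ARP replies as an added example written for this document; it is not code from any of the tools listed and not EC-Council lab material. The trusted gateway binding, the addresses and the reply sequence are constructed for illustration.

```python
from collections import defaultdict


def detect_arp_poisoning(replies, trusted=None) -> list:
    """Walk ARP replies as (sender_ip, sender_mac) in arrival order and return alerts.

    Signals used:
      1. an IP whose sender MAC differs from the first one seen for it (or from a
         `trusted` static binding such as the gateway);
      2. one MAC claiming more than one IP, which is what a full MITM looks like when
         the attacker poisons both the victim and the gateway.
    Each (ip, mac) change is reported once, so repeated poison replies do not flood."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = dict(trusted)
    mac_to_ips = defaultdict(set)
    reported = set()
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            note = " (trusted binding violated)" if ip in trusted else ""
            alerts.append(f"{ip} changed from {known} to {mac}{note}")
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


# Constructed sample. The gateway's real MAC is pinned as a trusted binding; the host at
# .66 then poisons both the victim (.10) and the gateway, the arpspoof pattern.
TRUSTED = {"192.168.1.1": "aa:bb:cc:00:00:01"}
SAMPLE_REPLIES = [
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # victim announces itself normally
    ("192.168.1.66", "de:ad:be:ef:00:66"),  # attacker host, legitimate reply
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway reply
    ("192.168.1.1", "de:ad:be:ef:00:66"),   # attacker tells the victim "I am the gateway"
    ("192.168.1.10", "de:ad:be:ef:00:66"),  # attacker tells the gateway "I am the victim"
    ("192.168.1.1", "de:ad:be:ef:00:66"),   # repeated poison, reported only once
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, TRUSTED):
        print(alert)
```

To run it on a real capture, export only ARP replies with `tshark -r capture.pcap -Y "arp.opcode == 2" -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac` and feed the pairs to `detect_arp_poisoning`. Wireshark's own "duplicate IP address detected" expert warning, which the lab relies on, is the first signal only; the second catches the attacker even when the victim's capture never saw the original binding.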

Module 09: Social Engineering

CEHv11
1. Perform Social Engineering using Various Techniques
  1.1 Sniff Users’ Credentials using the Social-Engineer Toolkit (SET)
  1.2 Perform Phishing using ShellPhish
2. Detect a Phishing Attack
  2.1 Detect Phishing using Netcraft
  2.2 Detect Phishing using PhishTank
3. Audit Organization's Security for Phishing Attacks
  3.1 Audit Organization's Security for Phishing Attacks using OhPhish

CEHv12
1. Perform Social Engineering using Various Techniques
  1.1 Sniff Credentials using the Social-Engineer Toolkit (SET)
2. Detect a Phishing Attack
  2.1 Detect Phishing using Netcraft
  2.2 Detect Phishing using PhishTank
3. Audit Organization's Security for Phishing Attacks
  3.1 Audit Organization's Security for Phishing Attacks using OhPhish

Module 10: Denial-of-Service

CEHv11
1. Perform DoS and DDoS Attacks using Various Techniques
  1.1 Perform a DoS Attack (SYN Flooding) on a Target Host using Metasploit
  1.2 Perform a DoS Attack on a Target Host using hping3
  1.3 Perform a DDoS Attack using HOIC
  1.4 Perform a DDoS Attack using LOIC
2. Detect and Protect Against DoS and DDoS Attacks
  2.1 Detect and Protect against DDoS Attack using Anti DDoS Guardian

CEHv12
1. Perform DoS and DDoS Attacks using Various Techniques
  1.1 Perform a DoS Attack (SYN Flooding) on a Target Host using Metasploit
  1.2 Perform a DoS Attack on a Target Host using hping3
  1.3 Perform a DoS Attack using Raven-storm
  1.4 Perform a DDoS Attack using HOIC
  1.5 Perform a DDoS Attack using LOIC
2. Detect and Protect Against DoS and DDoS Attacks
  2.1 Detect and Protect against DDoS Attack using Anti DDoS Guardian

Module 11: Session Hijacking

CEHv11
1. Perform Session Hijacking
  1.1 Hijack a Session using Zed Attack Proxy (ZAP)
  1.2 Intercept HTTP Traffic using bettercap
2. Detect Session Hijacking
  2.1 Detect Session Hijacking using Wireshark

CEHv12
1. Perform Session Hijacking
  1.1 Hijack a Session using Zed Attack Proxy (ZAP)
  1.2 Intercept HTTP Traffic using bettercap
  1.3 Intercept HTTP Traffic using Hetty
2. Detect Session Hijacking
  2.1 Detect Session Hijacking using Wireshark

Module 12: Evading IDS, Firewalls, and Honeypots

CEHv11
1. Perform Intrusion Detection using Various Tools
  1.1 Detect Intrusions using Snort
  1.2 Detect Malicious Network Traffic using ZoneAlarm FREE FIREWALL 2019
  1.3 Detect Malicious Network Traffic using HoneyBOT
2. Evade Firewalls using Various Evasion Techniques
  2.1 Bypass Windows Firewall using Nmap Evasion Techniques
  2.2 Bypass Firewall Rules using HTTP/FTP Tunneling

CEHv12
1. Perform Intrusion Detection using Various Tools
  1.1 Detect Intrusions using Snort
  1.2 Detect Malicious Network Traffic using ZoneAlarm FREE FIREWALL
  1.3 Detect Malicious Network Traffic using HoneyBOT
2. Evade Firewalls using Various Evasion Techniques
  2.1 Bypass Windows Firewall using Nmap Evasion Techniques
  2.2 Bypass Firewall Rules using HTTP/FTP Tunneling
  2.3 Bypass Antivirus using Metasploit Templates

Module 13: Hacking Web Servers (lab list identical in CEHv11 and CEHv12)
1. Footprint the Web Server
  1.1 Information Gathering using Ghost Eye
  1.2 Perform Web Server Reconnaissance using Skipfish
  1.3 Footprint a Web Server using the httprecon Tool
  1.4 Footprint a Web Server using ID Serve
  1.5 Footprint a Web Server using Netcat and Telnet
  1.6 Enumerate Web Server Information using Nmap Scripting Engine (NSE)
  1.7 Uniscan Web Server Fingerprinting in Parrot Security
2. Perform a Web Server Attack
  2.1 Crack FTP Credentials using a Dictionary Attack

Module 14: Hacking Web Applications

CEHv11
1. Footprint the Web Infrastructure
  1.1 Perform Web Application Reconnaissance
  1.2 Perform Web Application Reconnaissance using WhatWeb
  1.3 Perform Web Spidering using OWASP ZAP
  1.4 Detect Load Balancers using Various Tools
  1.5 Identify Web Server Directories
  1.6 Perform Web Application Vulnerability Scanning using Vega
  1.7 Identify Clickjacking Vulnerability using iframe
2. Perform Web Application Attacks
  2.1 Perform a Brute-force Attack using Burp Suite
  2.2 Perform Parameter Tampering using Burp Suite
  2.3 Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications
  2.4 Perform Cross-Site Request Forgery (CSRF) Attack
  2.5 Enumerate and Hack a Web Application using WPScan and Metasploit
  2.6 Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server
  2.7 Exploit a File Upload Vulnerability at Different Security Levels
  2.8 Gain Backdoor Access via a Web Shell using Weevely
3. Detect Web Application Vulnerabilities using Various Web Application Security Tools
  3.1 Detect Web Application Vulnerabilities using N-Stalker Web Application Security Scanner

CEHv12
1. Footprint the Web Infrastructure
  1.1 Perform Web Application Reconnaissance using Nmap and Telnet
  1.2 Perform Web Application Reconnaissance using WhatWeb
  1.3 Perform Web Spidering using OWASP ZAP
  1.4 Detect Load Balancers using Various Tools
  1.5 Identify Web Server Directories using Various Tools
  1.6 Perform Web Application Vulnerability Scanning using Vega
  1.7 Identify Clickjacking Vulnerability using ClickjackPoc
2. Perform Web Application Attacks
  2.1 Perform a Brute-force Attack using Burp Suite
  2.2 Perform Parameter Tampering using Burp Suite
  2.3 Identifying XSS Vulnerabilities in Web Applications using PwnXSS
  2.4 Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications
  2.5 Perform Cross-Site Request Forgery (CSRF) Attack
  2.6 Enumerate and Hack a Web Application using WPScan and Metasploit
  2.7 Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server
  2.8 Exploit a File Upload Vulnerability at Different Security Levels
  2.9 Gain Access by exploiting Log4j Vulnerability
3. Detect Web Application Vulnerabilities using Various Web Application Security Tools
  3.1 Detect Web Application Vulnerabilities using N-Stalker Web Application Security Scanner

Module 15: SQL Injection (lab list identical in CEHv11 and CEHv12)
1. Perform SQL Injection Attacks
  1.1 Perform an SQL Injection Attack on an MSSQL Database
  1.2 Perform an SQL Injection Attack Against MSSQL to Extract Databases using sqlmap
2. Detect SQL Injection Vulnerabilities using Various SQL Injection Detection Tools
  2.1 Detect SQL Injection Vulnerabilities using DSSS
  2.2 Detect SQL Injection Vulnerabilities using OWASP ZAP

Module 16: Hacking Wireless Networks

CEHv11
1. Footprint a Wireless Network
  1.1 Find Wi-Fi Networks in Range using NetSurveyor
2. Perform Wireless Traffic Analysis
  2.1 Find Wi-Fi Networks and Sniff Wi-Fi Packets using Wash and Wireshark
3. Perform Wireless Attacks
  3.1 Find Hidden SSIDs using Aircrack-ng
  3.2 Crack a WEP Network using Wifiphisher
  3.3 Crack a WEP Network using Aircrack-ng
  3.4 Crack a WPA Network using Fern Wifi Cracker
  3.5 Crack a WPA2 Network using Aircrack-ng
  3.6 Create a Rogue Access Point to Capture Data Packets using MANA-Toolkit

CEHv12
1. Footprint a Wireless Network (unchanged from CEHv11)
2. Perform Wireless Traffic Analysis (unchanged from CEHv11)
3. Perform Wireless Attacks
  3.1 Find Hidden SSIDs using Aircrack-ng
  3.2 Crack a WEP Network using Wifiphisher
  3.3 Crack a WEP Network using Aircrack-ng
  3.4 Crack a WPA Network using Fern Wifi Cracker
  3.5 Crack a WPA2 Network using Aircrack-ng
  3.6 Create a Rogue Access Point to Capture Data Packets

Module 17: Hacking Mobile Platforms

CEHv11
1. Hack Android Devices
  1.1 Hack an Android Device by Creating Binary Payloads using Parrot Security
  1.2 Harvest Users’ Credentials using the Social-Engineer Toolkit
  1.3 Launch a DoS Attack on a Target Machine using Low Orbit Ion Cannon (LOIC) on the Android Mobile Platform
  1.4 Exploit the Android Platform through ADB using PhoneSploit
2. Secure Android Devices using Various Android Security Tools
  2.1 Analyze a Malicious App using Online Android Analyzers
  2.2 Analyze a Malicious App using Quixxi Vulnerability Scanner
  2.3 Secure Android Devices from Malicious Apps using Malwarebytes Security

CEHv12
1. Hack Android Devices
  1.1 Hack an Android Device by Creating Binary Payloads using Parrot Security
  1.2 Harvest Users’ Credentials using the Social-Engineer Toolkit
  1.3 Launch a DoS Attack on a Target Machine using Low Orbit Ion Cannon (LOIC) on the Android Mobile Platform
  1.4 Exploit the Android Platform through ADB using PhoneSploit
  1.5 Hack an Android Device by Creating APK File using AndroRAT
2. Secure Android Devices using Various Android Security Tools
  2.1 Analyze a Malicious App using Online Android Analyzers
  2.2 Secure Android Devices from Malicious Apps using Malwarebytes Security

Module 18: IoT and OT Hacking (lab list identical in CEHv11 and CEHv12)
1. Perform Footprinting using Various Footprinting Techniques
  1.1 Gather Information using Online Footprinting Tools
2. Capture and Analyze IoT Device Traffic
  2.1 Capture and Analyze IoT Traffic using Wireshark

Module 19: Cloud Computing

CEHv11:
1. Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools
    1.1 Enumerate S3 Buckets using lazys3
    1.2 Enumerate S3 Buckets using S3Scanner
    1.3 Enumerate S3 Buckets using Firefox Extension
2. Exploit S3 Buckets
    2.1 Exploit Open S3 Buckets using AWS CLI
3. Perform Privilege Escalation to Gain Higher Privileges
    3.1 Escalate IAM User Privileges by Exploiting Misconfigured User Policy

CEHv12:
1. Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools
    1.1 Enumerate S3 Buckets using lazys3
    1.2 Enumerate S3 Buckets using S3Scanner
2. Exploit S3 Buckets
    2.1 Exploit Open S3 Buckets using AWS CLI
3. Perform Privilege Escalation to Gain Higher Privileges
    3.1 Escalate IAM User Privileges by Exploiting Misconfigured User Policy

Module 20: Cryptography

CEHv11:
1. Encrypt the Information using Various Cryptography Tools
    1.1 Calculate One-way Hashes using HashCalc
    1.2 Calculate MD5 Hashes using MD5 Calculator
    1.3 Calculate MD5 Hashes using HashMyFiles
    1.4 Perform File and Text Message Encryption using CryptoForge
    1.5 Perform File Encryption using Advanced Encryption Package
    1.6 Encrypt and Decrypt Data using BCTextEncoder
2. Create a Self-Signed Certificate
    2.1 Create and Use Self-signed Certificates
3. Perform Email Encryption
    3.1 Perform Email Encryption using Rmail
4. Perform Disk Encryption
    4.1 Perform Disk Encryption using VeraCrypt
    4.2 Perform Disk Encryption using BitLocker Drive Encryption
    4.3 Perform Disk Encryption using Rohos Disk Encryption
5. Perform Cryptanalysis using Various Cryptanalysis Tools
    5.1 Perform Cryptanalysis using CrypTool
    5.2 Perform Cryptanalysis using AlphaPeeler

CEHv12:
1. Encrypt the Information using Various Cryptography Tools
    1.1 Calculate One-way Hashes using HashCalc
    1.2 Calculate MD5 Hashes using MD5 Calculator
    1.3 Calculate MD5 Hashes using HashMyFiles
    1.4 Perform File and Text Message Encryption using CryptoForge
    1.5 Perform File Encryption using Advanced Encryption Package
    1.6 Encrypt and Decrypt Data using BCTextEncoder
2. Create a Self-Signed Certificate
    2.1 Create and Use Self-signed Certificates
3. Perform Email Encryption
    3.1 Perform Email Encryption using Rmail
4. Perform Disk Encryption
    4.1 Perform Disk Encryption using VeraCrypt
    4.2 Perform Disk Encryption using BitLocker Drive Encryption
    4.3 Perform Disk Encryption using Rohos Disk Encryption
5. Perform Cryptanalysis using Various Cryptanalysis Tools
    5.1 Perform Cryptanalysis using CrypTool
    5.2 Perform Cryptanalysis using AlphaPeeler