A hacker only needs to be right once.
ECC’s System Hacking Goals
Gaining Access
One of the most common ways to gain access to a system is by seeing, asking for, stealing or cracking a password.
See the next section, Hash Cracking, for examples and explanation.
Windows can be a juicy target because Windows domains pass the user’s hashed password around the network for authentication. This creates the “pass the hash” vulnerability.
Pass the Hash
Some Windows networks authenticate users across the network by passing the users’ hashed passwords around. (Can you say “What an effing terrible idea”?)
For examples of pass the hash in action, let me take this opportunity to introduce you to IppSec, his YouTube channel and his highly valuable website.
Let’s hit the website first, and search for “pass the hash”:
https://ippsec.rocks
You will find two relevant examples, Ypuffy and Silo.
In the Ypuffy video, jump to 20:00
https://www.youtube.com/watch?v=UoB-J-eDvrg&t=1290
In the Silo video, jump to 40:00
https://www.youtube.com/watch?v=2c7SzNo9uoA&t=2720
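As an added example (not from the original post or from IppSec’s videos), here is the defender’s side of the pass-the-hash problem: a scan of Windows Security event 4624 records for NTLM network logons with the key-length-zero pattern that pass-the-hash tooling commonly leaves. The sample events and the privileged-account watchlist are constructed assumptions for this example.

```python
# Constructed excerpts of Windows Security event 4624 (successful logon),
# already parsed into dicts using the event's own field names. Sample data
# for this example, not records from a real domain.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
     "KeyLength": 0, "IpAddress": "10.0.0.21"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": 128, "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": 0, "IpAddress": "10.0.0.60"},
    {"EventID": 4624, "TargetUserName": "da-jsmith", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "KeyLength": 0, "IpAddress": "10.0.0.77"},
]

# Hypothetical watchlist of accounts that should only ever authenticate
# with Kerberos (an assumption of this example, not a Windows setting).
PRIVILEGED_ACCOUNTS = {"da-jsmith", "svc-backup"}


def pth_indicators(ev):
    """Return the heuristics a 4624 event matches; an empty list means clean.
    NTLM network logon with KeyLength 0 is a widely used pass-the-hash
    heuristic: it is a lead for investigation, not proof on its own."""
    reasons = []
    if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
        return reasons  # only successful network logons are of interest here
    user = ev.get("TargetUserName", "")
    if user.upper() == "ANONYMOUS LOGON":
        return reasons  # null sessions share the shape but are a separate issue
    ntlm = (ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LogonProcessName") == "NtLmSsp")
    if ntlm and ev.get("KeyLength") == 0:
        reasons.append("ntlm_network_logon_keylength_0")
    if ntlm and user in PRIVILEGED_ACCOUNTS:
        reasons.append("ntlm_used_by_kerberos_only_account")
    return reasons


def scan_events(events):
    """Return (user, source_ip, reasons) for every event that tripped a rule."""
    flagged = []
    for ev in events:
        reasons = pth_indicators(ev)
        if reasons:
            flagged.append((ev["TargetUserName"], ev["IpAddress"], reasons))
    return flagged
```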
Exploit Toolkits for Fun and Profit
At least, some of these toolkits are profitable for their creators. The Blackhole Exploit Toolkit, for instance, will set you back $1500 a year:
https://thehackernews.com/2011/05/blackhole-exploit-kit-download.html
There are a TON of these to be found, but getting into these is risky.
Creating Exploits with MSFvenom
Another way to gain access to a system is through a known exploit, which can be packaged up and delivered to the victim. See this good tutorial from the people at OffSec:
https://www.offensive-security.com/metasploit-unleashed/Msfvenom/
Rapid7’s How To:
https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom
We recommend watching lots of videos to see how MSFvenom works:
https://www.youtube.com/results?search_query=msfvenom
Creating Shell Code with Shellter
“Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.
It can be used in order to inject shellcode into native Windows applications (currently 32-bit applications only).
The shellcode can be something yours or something generated through a framework, such as Metasploit.”
https://www.shellterproject.com/introducing-shellter/
https://www.shellterproject.com/Downloads/Shellter/Readme.txt
Creating Payloads with Veil
Veil is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions.
https://github.com/Veil-Framework/Veil
Escalating Privileges
Executing Applications
Hiding Files
Maintaining Access
Infosec Institute has a great discussion:
https://resources.infosecinstitute.com/penetration-testing-maintaining-access/
One of the biggest reasons to maintain access is to perform data exfiltration. Exfiltration can be driven from inside or outside the victim system, using a variety of covert channels, DNS for instance:
Give it a try (with appropriate permissions or a contract, of course):
https://github.com/Arno0x/DNSExfiltrator
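A defender-side heuristic for the DNS covert channel just described, as an added example that is not part of the original post or of DNSExfiltrator: it scores resolver queries for long, high-entropy subdomain parts and reports (client, zone) pairs that received many distinct such chunks. The log lines, the thresholds and the two-label zone rule are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log as (client_ip, queried_name) pairs; not
# real traffic. The last three carry 32-character encoded chunks under one
# zone, a stand-in for the labels a DNS exfiltration tool would generate.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "cdn-assets.example.com"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "0123456789abcdef0123456789abcdef.c1.exfil-example.net"),
    ("10.0.0.7", "fedcba9876543210fedcba9876543210.c2.exfil-example.net"),
    ("10.0.0.7", "02468ace13579bdf02468ace13579bdf.c3.exfil-example.net"),
]

MIN_PAYLOAD_LEN = 24  # benign hostnames rarely carry this much in subdomains
MIN_ENTROPY = 3.0     # bits per character; encoded data is dense, words are not
MIN_HITS = 3          # distinct suspicious chunks to one zone from one client


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_name(name):
    """Split into (payload, zone): zone is the last two labels (simplification,
    no public-suffix handling); payload is every earlier label joined without
    dots, since exfil tools spread their data across several labels."""
    labels = name.lower().rstrip(".").split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])


def is_suspicious(name):
    """A long, high-entropy subdomain part looks like encoded data."""
    payload, _ = split_name(name)
    return len(payload) >= MIN_PAYLOAD_LEN and shannon_entropy(payload) >= MIN_ENTROPY


def find_exfil_candidates(queries):
    """Return (client, zone) pairs that received at least MIN_HITS distinct
    suspicious chunks: many unique encoded names to one zone is the shape of
    data leaving, not of ordinary name resolution."""
    hits = defaultdict(set)
    for client, name in queries:
        if is_suspicious(name):
            payload, zone = split_name(name)
            hits[(client, zone)].add(payload)
    return sorted(k for k, chunks in hits.items() if len(chunks) >= MIN_HITS)
```

Real resolver logs need a per-zone baseline (CDNs and some anti-virus products legitimately emit long machine-generated labels), so treat a hit as a lead to investigate rather than a verdict.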
Covering Tracks