
Ethical Hacking Overview


By: rohitkharat

February 12, 2018

CEH Course Modules



*Introduction to Ethical Hacking

There are five phases of hacking:

1. Information gathering (Reconnaissance)

2. Scanning

3. Gaining Access

4. Maintaining Access

5. Covering Tracks (back door)


Footprinting and reconnaissance

Footprinting is the process of collecting as much information as possible about a target network in order to identify the various ways to intrude into an organization's network and systems.

Footprinting is the first step of any attack on information systems; the attacker gathers publicly available sensitive information, using which he/she performs social engineering, system and network attacks, etc.


Footprinting Methodology

1. Footprinting through search engines

2. Footprinting using advanced Google hacking techniques

3. Footprinting through social networking sites

4. Website footprinting

5. Email footprinting

6. Competitive intelligence

7. WHOIS Footprinting

8. DNS Footprinting

9. Network footprinting

10. Footprinting through social engineering



Scanning Networks

Overview of network scanning


1.    Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network

2.    Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization


CEH Scanning Methodology

1. Check for live systems

2. Check for open ports

3. Scanning beyond IDS

4. Banner grabbing

5. Scan for Vulnerability

6. Draw network diagrams

7. Prepare proxies

8. Scanning pen testing


Vulnerability scanning

Vulnerability scanning identifies vulnerabilities and weaknesses of a system and network in order to determine how the system can be exploited


1. Network vulnerabilities

2. Open ports and running services

3. Application and services vulnerabilities

4. Application and services configuration errors


Enumeration

1. In the enumeration phase, the attacker creates active connections to the system and performs directed queries to gain more information about the target

2. Attackers use the extracted information to identify system attack points and perform password attacks to gain unauthorized access to information system resources

3. Enumeration techniques are conducted in an internet environment



Techniques for enumeration

1. Extract user names using email IDs

2. Extract information using the default passwords

3. Extract user names using


4. Brute force active directory

5. Extract user groups from windows

6. Extract information using DNS zone transfer


Enumeration Module Flow

1.    Enumeration concepts

2.    NetBIOS enumeration

3.    SNMP Enumeration

4.    LDAP Enumeration

5.    NTP Enumeration

6.    SMTP and DNS Enumeration

7.    Enumeration Countermeasures

8.    Enumeration pen testing



System Hacking

Information at Hand Before System Hacking stage


-Footprinting Module

 1. IP Range

 2. Namespace

 3. Employees


-Scanning Module

 1. Target assessment

 2. Identified Systems

 3. Identified Services


-Enumeration Module

 1. Intrusive Probing

 2. User Lists

 3. Security Flaws



CEH Hacking Methodology (CHM)


CEH System Hacking Steps

1. Cracking Passwords

2. Escalating Privileges

3. Executing Applications

4. Hiding Files

5. Covering Tracks

6. Penetration Testing



Malware Threats

Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for the purpose of theft or fraud

Examples of malware

1.    Trojan horse

2.    Virus

3.    Backdoor

4.    Worms

5.    Rootkit

6.    Spyware

7.    Ransomware

8.    Botnet

9.    Adware

10.  Crypter


Different Ways a Malware can Get into a System


1.    Instant Messenger applications

2.    IRC (Internet Relay Chat)

3.    Removable Devices

4.    Attachments

5.    Legitimate "shrink-wrapped" software packaged by a disgruntled employee

6.    Browser and email software bugs

7.    NetBIOS (File Sharing)

8.    Fake Programs

9.    Untrusted sites and freeware software

10.  Downloading files, games, and screensavers from internet sites



Module Flow


1.    Introduction to malware

2.    Trojan concepts

3.    virus and worm concepts

4.    malware reverse engineering

5.    malware detection

6.    countermeasures

7.    anti-malware software

8.    penetration testing


Common Ports Used by Trojans

Computer worms

1. Computer worms are malicious programs that replicate, execute, and spread across network connections independently, without human interaction

2. Most worms are created only to replicate and spread across a network, consuming available computing resources; however, some worms carry a payload to damage the host system

3. Attackers use worm payloads to install backdoors in infected computers, which turns them into zombies and creates a botnet; these botnets can be used to carry out further cyber attacks



Network sniffing and Threats


- Sniffing is the process of monitoring and capturing all data packets passing through a given network using sniffing tools


- It is a form of wiretap applied to computer networks


- Many enterprises' switch ports are open


- Anyone in the same physical location can plug into the network using an Ethernet cable



How a Sniffer Works


- A sniffer turns the NIC of a system into promiscuous mode so that it listens to all the data transmitted on its segment


- A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packets


Active Sniffing


- Active sniffing is used to sniff a switch-based network


- Active sniffing involves injecting Address Resolution Protocol (ARP) packets into the network to flood the switch's content addressable memory (CAM) table; the CAM table keeps track of which host is connected to which port
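The defender's view of the CAM-flooding technique described above is that a single access port suddenly "learns" hundreds of source MAC addresses that never repeat. The following added example (not code from the original post or from the CEH material) builds a small detector over a constructed list of MAC-learning events of the form (timestamp, switch port, source MAC), such as a switch log or a port-mirror collector might produce; the event format, port names and threshold are assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample of MAC-learning events: (timestamp in seconds, switch
# port, source MAC). Ports Gi1/1 and Gi1/2 carry one host each; port Gi1/3
# sees a burst of never-repeating source MACs, which is what a CAM-table
# flooding tool produces. Port names and values are made up for the demo.
SAMPLE_EVENTS = [
    (0.0, "Gi1/1", "00:11:22:33:44:01"),
    (0.5, "Gi1/2", "00:11:22:33:44:02"),
    (1.0, "Gi1/1", "00:11:22:33:44:01"),
] + [
    (1.0 + i * 0.01, "Gi1/3", f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}")
    for i in range(300)
]


def distinct_macs_per_port(events, window_s=10.0):
    """Count distinct source MACs seen on each port within fixed time buckets.

    Returns {port: maximum number of distinct MACs observed in any one window}.
    """
    seen = defaultdict(set)  # (port, bucket index) -> set of MACs
    for ts, port, mac in events:
        bucket = int(ts // window_s)
        seen[(port, bucket)].add(mac)
    worst = defaultdict(int)
    for (port, _bucket), macs in seen.items():
        worst[port] = max(worst[port], len(macs))
    return dict(worst)


def flag_flooding_ports(events, threshold=50, window_s=10.0):
    """Return {port: distinct MAC count} for every port above the threshold.

    A normal access port learns a handful of addresses; hundreds of new source
    MACs on one port within seconds is the signature of CAM-table flooding.
    """
    counts = distinct_macs_per_port(events, window_s)
    return {port: n for port, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print(distinct_macs_per_port(SAMPLE_EVENTS))
    print(flag_flooding_ports(SAMPLE_EVENTS))  # {'Gi1/3': 300}
```

The threshold is the tuning knob: a port feeding a hypervisor or another switch legitimately carries many MACs, so the baseline per port should be measured before alerting. The usual mitigation on managed switches is port security, which limits the number of MAC addresses a port may learn and shuts the port or drops frames when the limit is exceeded.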



Hardware protocol Analyzer


- A hardware protocol analyzer is a piece of equipment that captures signals without altering the traffic in a cable segment


- It can be used to monitor network usage and identify malicious network traffic generated by hacking software installed in the network


- It captures a data packet, decodes it, and analyzes its content according to certain predetermined rules


- It allows an attacker to see the individual data bytes of each packet passing through the cable



Module flow 


Social Engineering

Social engineering is the art of convincing people to reveal confidential information.

Common targets of social engineering include help desk personnel, technical support executives, system administrators, etc.


Module Flow


1. Social Engineering concepts

2. Social engineering Techniques

3. Impersonation on social networking sites

4. Identity theft

5. Social engineering countermeasures

6. Penetration testing


Type of social engineering



Denial of Service


- Denial of service (DoS) is an attack on a computer or network that reduces, restricts or prevents accessibility of system resources to its legitimate users


- In a DoS attack, the attacker floods the victim system with non-legitimate service requests or traffic to overload its resources


- A DoS attack leads to the unavailability of a particular website and slow network performance



Basic Categories of DoS/DDoS Attack Vectors 


Permanent denial-of-service Attack


Phlashing - Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware


Sabotage - Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware


Bricking a system - This attack is carried out using a method known as "bricking a system"

Using this method, attackers send fraudulent hardware updates to the victims




Module Flow 

Hacking Webservers


Web server security issue

- A web server is a program (both hardware and software) that hosts websites; attackers usually target software vulnerabilities and configuration errors to compromise web servers

- Nowadays, network- and OS-level attacks can be well defended using proper network security measures such as firewalls, IDS, etc.; however, web servers are accessible from anywhere on the web, which makes them less secured and more vulnerable to attacks




Impact of webserver Attacks 

1. Compromise of user accounts

2. Website defacement

3. Secondary attacks from the website

4. Root access to other applications or servers



Module Flow

Open Source Webserver Architecture

*Hacking Web Applications

- Web applications provide an interface between the end user and the web server through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser

- Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.

- Web technologies such as Web 2.0 provide more attack surface for web application exploitation

- Web applications and Web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc., and improve business efficiency


Module Flow 


SQL Injection


- SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database

- SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database

- It is a flaw in web applications and not a database or web server issue
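The third bullet is the one to internalize: the flaw lives in how the application builds the query, so the fix lives there too. The following added example (not code from the original post) shows the same login lookup written twice against a constructed in-memory SQLite table: once by concatenating user input into the SQL text, once with bound parameters. The table, the user records and the injected input are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for a web app's user store.

    Plaintext passwords are used only to keep the demonstration short; a real
    application stores salted password hashes, never the passwords themselves.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: the input is not validated and
    becomes part of the SQL text, so any SQL syntax inside it is executed."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Uses bound parameters: the driver hands the values to the database
    separately from the SQL text, so they can only ever be compared as data."""
    query = (
        "SELECT username FROM users "
        "WHERE username = ? AND password = ? ORDER BY id"
    )
    return [row[0] for row in conn.execute(query, (username, password))]


# Constructed attacker-controlled input: the leading quote closes the string
# literal and the remainder rewrites the logic of the WHERE clause.
INJECTED_PASSWORD = "' OR '1'='1"


def demo():
    """Run both versions with a genuine password and with the injected one."""
    conn = make_db()
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, "alice", INJECTED_PASSWORD),
        "parameterized_normal": login_parameterized(conn, "alice", "s3cret"),
        "parameterized_injected": login_parameterized(conn, "alice", INJECTED_PASSWORD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the concatenated query the injected input turns the WHERE clause into `username = 'alice' AND password = '' OR '1'='1'`, which is true for every row, so the "login" returns both users. The parameterized version compares the password column against the literal string containing the quote and returns nothing. Parameterized queries (prepared statements) are the primary countermeasure; input validation and least-privilege database accounts reduce the impact of anything that slips through.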


Type of SQL injection


SQL Injection Methodology


1. Information Gathering and SQL injection vulnerability Detection

2. Launch SQL Injection Attacks

3. Advanced SQL Injection


Module Flow    


Testing for SQL Injection


*Hacking Wireless Networks

Wireless Networks


- Wi-Fi refers to wireless local area networks (WLAN) based on the IEEE 802.11 standard


- It is a widely used technology for wireless communication across a radio channel


- Devices such as a personal computer, video-game console, smartphone, etc. use Wi-Fi to connect to a network resource such as the internet via a wireless network access point


Wireless Standard


Type of Wireless Encryption

-    WPA2 Enterprise

-    WEP

-    AES

-    EAP

-    802.11i

-    TKIP

-    WPA

-    LEAP

-    CCMP




WEP should be replaced with more secure WPA and WPA2


How to break WPA Encryption


   WPA PSK uses a user-defined password for initialization, as it is a per-packet key, but the keys can be brute-forced using dictionary attacks


2. Offline Attack

    You only have to be near the AP for a matter of seconds in order to capture the WPA/WPA2 authentication handshake; by capturing the right type of packets, you can crack WPA keys offline


3. De-authentication Attack

    Force the connected client to disconnect, then capture the re-connect and authentication packets using tools such as aireplay; you should be able to re-authenticate in a few seconds, then attempt to dictionary brute-force the PMK


4. Brute-force WPA keys

    You can use tools such as aircrack, aireplay, KisMAC to brute-force WPA keys


Hacking Mobile Platforms


How a hacker can profit from a mobile device when successfully compromised




- Audio

- Camera

- Call logs

- Location

- SMS message




- Sending premium-rate SMS messages

- stealing transaction authentication numbers (TANs)

- Extortion via ransomware

- Fake antivirus

- Making expensive calls


Data Theft


- Account details

- Contacts

- Call Logs

- Phone number

Stealing data via app vulnerabilities

- Stealing the International Mobile Equipment Identity (IMEI) number


Botnet Activity


- Launching DDoS attacks

- Click fraud

- Sending Premium rate SMS messages




- SMS redirection

- Sending email messages

- posting to social media


Mobile Platform vulnerabilities and risks


Module Flow

*Evading IDS, Firewalls, and Honeypots


An intrusion detection system (IDS)


An intrusion detection system (IDS) inspects all inbound and outbound network traffic for suspicious patterns that may indicate a network or system security breach

The IDS checks traffic for signatures that match known intrusion patterns, and signals an alarm when a match is found
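Signature matching as described above can be shown in a few lines. The following added example (not code from the original post or from any IDS product) runs three constructed signatures over constructed web-server access log lines and reports which line triggered which signature. It also shows why evasion of signature-based IDS is a module topic: the same request written with URL encoding slips past the raw-text match and is caught only once the line is decoded first. The log lines, addresses and signatures are all made up for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample of access log lines (Apache combined-log layout, made-up
# addresses from the documentation ranges). Line 3 is the same traversal as
# line 2 with URL encoding; line 4 carries a URL-encoded UNION SELECT.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Feb/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Feb/2018:10:01:05 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 231 "-" "curl/7.58.0"',
    '203.0.113.9 - - [12/Feb/2018:10:01:07 +0000] "GET /cgi-bin/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 231 "-" "curl/7.58.0"',
    '192.0.2.44 - - [12/Feb/2018:10:02:11 +0000] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [12/Feb/2018:10:03:00 +0000] "GET /about HTTP/1.1" 200 3320 "-" "Nikto/2.1.6"',
]

# Constructed signatures: name -> pattern that matches a known intrusion pattern.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-union-select": re.compile(r"\bUNION\b\s+\bSELECT\b", re.IGNORECASE),
    "scanner-user-agent": re.compile(r"Nikto", re.IGNORECASE),
}


def match_signatures(line, signatures=SIGNATURES, normalize=True):
    """Return the sorted names of all signatures that match one log line.

    With normalize=True the line is URL-decoded before matching, which is the
    step that defeats simple encoding-based evasion of a signature IDS.
    """
    text = unquote(line) if normalize else line
    return sorted(name for name, pattern in signatures.items() if pattern.search(text))


def scan_log(lines, signatures=SIGNATURES, normalize=True):
    """Run every signature over every line; return (line number, signature) alerts."""
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        for name in match_signatures(line, signatures, normalize):
            alerts.append((lineno, name))
    return alerts


if __name__ == "__main__":
    print("raw text:  ", scan_log(SAMPLE_LOG, normalize=False))
    print("normalized:", scan_log(SAMPLE_LOG, normalize=True))
```

Without decoding, only the literal `../` and the scanner user agent fire; lines 3 and 4 are missed. Real IDS engines normalize far more than URL encoding (case, path separators, fragmentation), and the general lesson holds: a signature engine only sees what it has been taught to match, so signatures must be kept current and paired with anomaly-based detection for patterns that have no signature yet.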




- A firewall is hardware and/or software designed to prevent unauthorized access to or from a private network


- Firewalls are placed at the junction or gateway between two networks, which are usually a private network and a public network such as the internet


- A firewall examines all messages entering or leaving the internet and blocks those that do not meet the specified security criteria


- A firewall may be concerned with the type of traffic or with the source or destination addresses and ports



Type of firewall


1. Packet Filters

2. Circuit Level Gateways

3. Application Level Gateways

4. Stateful Multilayer Inspection Firewalls
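The practical difference between the first and the last firewall type in the list above is state. The following added example (not code from the original post, and not modelled on any particular firewall product) implements a stateless packet filter and a stateful filter over the same constructed packets. The packet fields, rule format and addresses (from the documentation ranges) are assumptions for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = from the private network, "in" = from the public side
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def rule_matches(rule, pkt):
    """A rule is a dict of Packet fields to compare plus an 'action' entry."""
    return all(
        getattr(pkt, field) == value for field, value in rule.items() if field != "action"
    )


def stateless_decision(pkt, rules):
    """Packet filter: first matching rule wins; default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"


# A packet filter cannot tell a reply from a new connection, so to let web
# replies back in it must open inbound TCP traffic whose source port is 80.
STATELESS_RULES = [
    {"direction": "out", "proto": "tcp", "dport": 80, "action": "allow"},
    {"direction": "in", "proto": "tcp", "sport": 80, "action": "allow"},
]

# The stateful filter needs no inbound hole: replies are admitted by state.
STATEFUL_RULES = [
    {"direction": "out", "proto": "tcp", "dport": 80, "action": "allow"},
]


class StatefulFirewall:
    """Stateful inspection: remembers allowed outbound connections and admits
    inbound packets only when they are replies to one of them."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()  # (src, sport, dst, dport) of allowed outbound flows

    def decide(self, pkt):
        if pkt.direction == "out":
            verdict = stateless_decision(pkt, self.rules)
            if verdict == "allow":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        # Inbound: a reply reverses the tuple of a tracked outbound flow.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"
        return stateless_decision(pkt, self.rules)


# Constructed packets: an outbound web request, its reply, and an unsolicited
# inbound packet that abuses source port 80 to reach a file-sharing port.
OUTBOUND = Packet("out", "tcp", "192.0.2.10", 40000, "198.51.100.20", 80)
REPLY = Packet("in", "tcp", "198.51.100.20", 80, "192.0.2.10", 40000)
UNSOLICITED = Packet("in", "tcp", "203.0.113.9", 80, "192.0.2.10", 445)


def compare():
    """Verdicts of both filters for OUTBOUND, REPLY and UNSOLICITED, in order."""
    fw = StatefulFirewall(STATEFUL_RULES)
    packets = (OUTBOUND, REPLY, UNSOLICITED)
    return {
        "stateless": [stateless_decision(p, STATELESS_RULES) for p in packets],
        "stateful": [fw.decide(p) for p in packets],
    }


if __name__ == "__main__":
    print(compare())  # stateless lets the unsolicited packet through; stateful denies it
```

Both filters pass the request and its genuine reply. The stateless rule set, however, has to trust the source port, so a crafted packet from port 80 to port 445 is admitted; the stateful filter denies it because no inside host ever opened a connection to that address and port.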





- A honeypot is an information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network


- It has no authorized activity, does not have any production value, and any traffic to it is likely a probe, attack, or compromise


- A honeypot can log port access attempts or monitor an attacker's keystrokes; these could be early warnings of a more concerted attack



*Cloud Computing

Cloud computing is an on-demand delivery of IT capabilities where IT infrastructure and applications are provided to subscribers as a metered service over a network


Characteristics of cloud computing


1. on-demand self service

2. Distributed storage

3. Rapid elasticity

4. Automated management

5. Broad network access

6. Resource pooling

7. Measured service

8. Virtualization technology



Type Of cloud computing services


 Cloud computing Benefits


 Module Flow 

1. Introduction to cloud computing

2. Cloud computing threats

3. Cloud computing attacks

4. Cloud security

5. Cloud security tools

6. Cloud penetration testing




- Cryptography is the conversion of data into a scrambled code that is decrypted and sent across a private or public network


- Cryptography is used to protect confidential data such as email message, chat sessions, web transaction, personal data, corporate data, e-commerce applications, etc.


- Objectives

1. Confidentiality

2. Integrity

3. Authentication

4. Non-repudiation
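Integrity and authentication, the second and third objectives above, can be demonstrated with a keyed message authentication code from the Python standard library. The following added example (not code from the original post) tags a constructed message with HMAC-SHA256 and shows that a modified message or a different key fails verification; the key and message are made up for the demonstration.

```python
import hashlib
import hmac


def make_tag(key: bytes, message: bytes) -> bytes:
    """Integrity and authentication: only a holder of `key` can produce a tag
    that verifies, and any change to the message changes the tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo():
    """Tag a constructed message, then try a tampered message and a wrong key."""
    # Constructed demo key; in practice derive or generate it, e.g. os.urandom(32).
    key = b"constructed-demo-key-not-for-real-use"
    message = b"transfer 100 to account 42"
    tag = make_tag(key, message)
    return {
        "genuine": verify_tag(key, message, tag),
        "tampered": verify_tag(key, b"transfer 900 to account 42", tag),
        "wrong_key": verify_tag(b"some-other-key", message, tag),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False, 'wrong_key': False}
```

Two caveats map onto the remaining objectives. An HMAC gives no confidentiality: the message travels in the clear and must be encrypted separately (or with an authenticated-encryption mode that does both). It also gives no non-repudiation: sender and receiver share the key, so either could have produced the tag, and proving which party sent a message requires a digital signature made with a private key only the sender holds.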



 Module flow 

1. Cryptography concepts

2. Encryption algorithms

3. Cryptography Tools

4. Public Key infrastructure (PKI)

5. Email Encryption

6. Disk Encryption

7. Cryptography Attacks

8. Cryptanalysis tools


 Penetration Testing


Penetration testing defined


There is a considerable amount of confusion in the industry regarding the differences between vulnerability scanning and penetration testing, as the two phrases are commonly interchanged. However, their meaning and implications are very different. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test (Pen Test) attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network


Penetration testing methodology

Check Weakness

