
CEH Command List & Concepts

Footprinting and Reconnaissance

Footprinting and reconnaissance are the initial stages of a penetration test or attack where an adversary gathers information about a target to exploit vulnerabilities. This can involve collecting data through online resources, social media, or domain information.

Using Mullvad (OPSEC)

For operational security (OPSEC), it’s important to hide your real identity and location. Mullvad is a VPN service that can be used to anonymize your traffic and provide secure browsing. These commands set up a secure connection, check your status, and use SOCKS5 proxies to route traffic through a different IP.

# Link the client to your account, allow LAN access, connect and verify the tunnel
mullvad account set account_number
mullvad lan set allow
mullvad connect
mullvad status
# 10.64.0.1 is Mullvad's in-tunnel SOCKS5 proxy (port 1080); it only answers while the tunnel is up
curl https://ipv4.am.i.mullvad.net --socks5-hostname 10.64.0.1
chromium-browser --proxy-server=socks5://10.64.0.1

Google Dorking

Google Dorking is a technique used to find specific information or vulnerabilities in websites by leveraging advanced Google search operators. The bash commands here include common dorking queries to search login portals, PDFs, cache versions, and more, which can be useful for reconnaissance.

# Google Dorks for specific site search
intitle:login site:example.org
filetype:pdf exploit site:example.org
cache:www.example.org
allinurl: career site:example.org
# Use go-dork for advanced search queries (-q query, -e engine, -p pages, -x proxy)
go-dork -q "inurl:'...'"
go-dork -e bing -q ".php?id="
go-dork -q "intitle:'BigIP'" -p 2 -x http://127.0.0.1:8989
# other examples: route the queries through the Mullvad SOCKS5 proxy
PROXY=socks5://10.64.0.1:1080
go-dork -q "intitle:login example-bank" -x $PROXY
# run the 201st entry of a local dork list
go-dork -q "$(sed -n 201p /home/greek/workspace/lists/google-dorks/dorks.txt)" -x $PROXY

Info from Video Search Engine

Video search engines can be valuable for gathering metadata related to uploaded videos. By using tools like the YouTube Metadata search, you can retrieve important details about videos, such as publication date, channel ID, and other related data. The reverse image search feature can help identify sources of images used in videos.

# Go to https://mattw.io/youtube-metadata/
# Submit the YouTube video URL
# Retrieve video data such as published date, title, channel ID
# Click Reverse image search

Info from FTP Search Engine

FTP search engines index files and documents found on publicly accessible FTP servers. These can contain sensitive information about organizations. Using these search engines, you can locate important files that may have been exposed unintentionally.

# Go to https://searchftps.net
# Search for your target organization
# Discover critical files and documents exposed in FTP servers
# Alternative: https://www.freewareweb.com

Info from IoT Search Engine

IoT search engines, like Shodan and Censys, index internet-connected devices. Searching for a target organization can reveal exposed devices, including routers, cameras, and other IoT devices, providing valuable information for further exploitation.

# Go to https://shodan.io or https://censys.io
# Search for target organization or specific IoT devices

Info from Netcraft

Netcraft provides background and hosting details about organizations. Using its site report feature, you can search for an organization and view network history, hosting details, and subdomains. Alternatively, you can use Sublist3r for gathering subdomain information.

# Go to https://www.sitereport.netcraft.com
# Search for your target organization
# Review network, hosting history, and domain details
# Click Domain field to see subdomains
# Alternatively, use Sublist3r for subdomains

Find Personal Info Using PeekYou

PeekYou is a people search engine that can reveal personal information, such as usernames, social media profiles, and more. You can use it to gather additional details about a target by searching for their name or usernames. Other services like Pipl, Intelius, and BeenVerified can also be useful.

# Go to peekyou.com
# Search for first and last name or usernames
# Click "view full report" to gather more details
# Other services: pipl, Intelius, BeenVerified

Gather an Email List Using theHarvester

TheHarvester is a tool used for collecting email addresses from public sources. By specifying a target domain and search engine, you can gather a list of emails associated with a specific organization. The -l flag controls the number of results.

# Gather emails related to microsoft.com
theHarvester -d microsoft.com -l 200 -b baidu

Exploring Information Using Deep and Dark Web Searches

When delving into the deep and dark web, specialized tools and techniques are essential for uncovering hidden information. Here are some methods and tools you can use:

  • Tor Browser: A crucial tool for accessing the dark web, Tor allows you to browse anonymously by routing your connection through multiple servers.
  • ExoneraTor and OnionLand: ExoneraTor lets you check whether a given IP address was a Tor relay at a given time, and OnionLand is a search engine for .onion hidden services.
  • The Hidden Wiki: A directory of links to various dark web sites, providing a starting point for exploration.

Determining Target Operating System via Passive Footprinting

Passive footprinting involves gathering information without directly interacting with the target. Here’s a method to determine a target’s operating system:

  • Visit Censys and search for the organization of interest.
  • Review the basic information provided, which may include details about the operating system.

Gathering Employee Information from LinkedIn Using theHarvester

TheHarvester is a powerful tool for collecting data from public sources. To gather employee information from LinkedIn:

theHarvester -d tesla -l 200 -b linkedin

This command searches LinkedIn for up to 200 results related to the specified domain.

Collecting Personal Information from Social Networks Using Sherlock

Sherlock is a tool designed to find usernames across various social networks. To gather personal information:

python3 sherlock.py satya nadella

You can also use tools like Social Searcher and UserRecon for similar purposes.

Gathering Information About a Target Using Ping

The ping command is a basic network utility for testing connectivity and gathering information about a target. To check connectivity to a domain, you can use:

ping tesla.com

To determine the maximum packet size that can be sent without fragmentation, you can perform a fragmentation check:

# Windows ping: -f sets the Don't Fragment bit, -l sets the payload size in bytes (Linux equivalent: ping -M do -s <size>)
ping tesla.com -f -l 1500
# "Packet needs to be fragmented but DF set": 1500 bytes of payload plus 28 bytes of IP/ICMP headers exceeds the path MTU.
ping tesla.com -f -l 1300
# Narrow down the maximum payload size that can be sent; we know 1500 is too high.
ping tesla.com -f -l 1472
# 1472 + 28 = 1500, the standard Ethernet MTU, so 1472 is the largest unfragmented payload on a plain Ethernet path.

To observe how many hops a packet can make before being discarded, you can check the Time to Live (TTL):

# Windows ping: -i sets the TTL of the outgoing packet (Linux equivalent: ping -t <ttl>)
ping tesla.com -i 3
# A "TTL expired in transit" reply shows the router at the third hop discarding the packet.

To set the TTL and see how far a packet can travel, you can check the packet lifespan:

# -n 1 sends a single echo request
ping tesla.com -i 2 -n 1
# Setting TTL to 3
ping tesla.com -i 3 -n 1
# Observe whether the reply comes from the target's IP address with no packet loss, or from an intermediate router.
# Setting the TTL to 4
ping tesla.com -i 4 -n 1
# The smallest TTL that gets a reply from the target itself is the hop count to it.
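The two ping exercises above (probing for the largest unfragmented payload, and reading hop counts off the TTL) are done by hand, one command at a time. The following Python script is an added example, not part of the original cheat sheet: it automates the payload search as a binary search over a probe function, and estimates hop count from the TTL of a reply line. The probe is injected so the search runs offline against a simulated path MTU; `windows_ping_probe()` shows what a real probe built on the `-f`/`-l` flags above looks like. The initial-TTL defaults (64/128/255) are common conventions, not values from the page, and the reply lines are constructed.

```python
"""Ping analysis helpers: automated path-MTU search and TTL-based hop estimation.
Added example, not part of the original cheat sheet."""
import re
import subprocess
from typing import Callable, Optional

IP_ICMP_OVERHEAD = 28                   # 20-byte IPv4 header + 8-byte ICMP echo header
COMMON_INITIAL_TTLS = (64, 128, 255)    # assumed defaults: Linux/macOS, Windows, network gear


def discover_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1500) -> int:
    """Binary search for the largest payload in [lo, hi] that probe() reports as delivered
    without fragmentation. Assumes a monotone path: if size N fails, every larger size fails."""
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best


def simulated_link(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a network path with the given MTU; sends no traffic."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


def windows_ping_probe(host: str) -> Callable[[int], bool]:
    """Real probe built on the Windows flags used above: -f (Don't Fragment), -l (payload size),
    -n 1 (one request). Not exercised offline; pass it to discover_max_payload() on a Windows box."""
    def probe(size: int) -> bool:
        out = subprocess.run(["ping", host, "-n", "1", "-f", "-l", str(size)],
                             capture_output=True, text=True).stdout
        return "Reply from" in out and "needs to be fragmented" not in out
    return probe


REPLY_RE = re.compile(r"Reply from (?P<ip>[0-9.]+):.*?TTL=(?P<ttl>\d+)")


def estimate_hops(reply_line: str) -> Optional[dict]:
    """Parse one Windows ping reply line and estimate the hop count from its TTL.
    The reply's TTL is the sender's initial TTL minus one per router crossed; the initial
    TTL is unknown, so assume the nearest common default at or above the observed value."""
    m = REPLY_RE.search(reply_line)
    if not m:
        return None                     # e.g. "Request timed out."
    ttl = int(m.group("ttl"))
    initial = next((t for t in COMMON_INITIAL_TTLS if t >= ttl), None)
    if initial is None:
        return None                     # a TTL above 255 cannot occur in a valid IPv4 packet
    return {"ip": m.group("ip"), "ttl": ttl, "assumed_initial_ttl": initial, "hops": initial - ttl}


# Constructed sample reply lines (not captured from a real host)
SAMPLE_REPLIES = [
    "Reply from 203.0.113.10: bytes=32 time=21ms TTL=52",
    "Reply from 10.10.1.22: bytes=32 time<1ms TTL=128",
    "Request timed out.",
]

if __name__ == "__main__":
    print("max payload on a 1500-byte path:", discover_max_payload(simulated_link(1500)))
    for line in SAMPLE_REPLIES:
        print(line, "->", estimate_hops(line))
```

The hop estimate is only as good as the initial-TTL guess: a reply with TTL=52 is read as 12 hops from a 64-TTL sender, which is the usual case, but a Windows host 76 hops away would produce the same number. Treat the result as a hint to confirm with tracert, not as a measurement.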

Gathering Information About a Target Site Using Photon

Photon is a tool used for web reconnaissance to gather information about a target site. To begin, you can display the help menu to understand the available options and commands:

python3 photon.py -h

To gather information about a specific target site, such as Tesla, you can run the following command:

python3 photon.py -u https://tesla.com

This command starts crawling the site; Photon stores what it finds (URLs, files, e-mail addresses and similar) in an output directory for further analysis. For a more in-depth scan, you can specify additional parameters such as the crawl depth (-l), the number of threads (-t), and include historical URLs from the Wayback Machine (--wayback):

python3 photon.py -u https://www.tesla.com -l 3 -t 200 --wayback

These commands allow you to collect comprehensive data about the target site, which can be useful for security assessments and research.

Using Central Ops for Website Information

Central Ops is a versatile tool for gathering detailed information about a target website. Follow these steps to utilize its features:

Go to centralops.net
# Check the Address lookup
# Check the Domain Whois record
# Check the Network Whois record
# Check the DNS record
# Can also use Website Informer, Burp Suite, OWASP ZAP

Extracting Company Data with Web Data Extractor

Web Data Extractor is a tool designed to collect various types of information from a target website. Here’s how to use it:

Use wdepro.exe # Web Data Extractor
# Enter the target URL
# Click Start URL
# Web Data Extractor will start collecting information (Session, Meta tags, Emails, Phones, Faxes, Links and Domains)
# Click the Results tab
# Can also use ParseHub, SpiderFoot

Mirroring a Website with HTTrack

HTTrack Website Copier allows you to create a local copy of a target website for offline analysis. Follow these steps:

Run WinHTTrack Website Copier
# Enter Target URL
# Click Select Options
# Click Scan rules
# Run scan
# Browse Mirrored Website
# Analyse all directories
# Can also use Cyotek WebCopy

Gathering Information with Grecon

Grecon is a Python-based tool that helps identify various elements of a target website. To use Grecon:

python3 grecon.py
# Enter target URL
# Checks for subdomains, login pages, directory listings, exposed documents, WordPress entries and pasting sites

Creating a Wordlist with CeWL

CeWL is a tool that generates custom wordlists from a target website’s content. Here’s how to use it:

# -d crawl depth, -m minimum word length
cewl -d 2 -m 5 https://www.certifiedhacker.com
# cewl --help lists the remaining options for building a unique wordlist (e.g. collecting e-mail addresses or metadata words)
cewl --help

Tracing Emails with eMailTrackerPro

eMailTrackerPro is a tool used to trace the origin and path of emails. Here’s how to use it:

Open EmailTrackerPro
# To trace email headers, click the My Trace Reports icon
# Click New email trace
# Can also use Mailtrack, Infoga

This tool helps identify the source of an email by analyzing its headers, which can be useful in tracking phishing attempts or spam.

Performing Whois Footprinting

Whois footprinting involves gathering registration details about a domain. Follow these steps:

Go to http://whois.domaintools.com
# Enter target URL
# Can get registration details, name servers, IP address, location etc.
# Can also use tools such as SmartWhois, Batch IP Converter

Whois databases provide information about domain ownership, which can be crucial for understanding the administrative and technical contacts associated with a domain.

Gathering DNS Information with nslookup

nslookup is a command-line tool used to query DNS records. Here’s how to use it:

nslookup
set type=a
# Enter the target domain
# Server: dns.google, Address: 8.8.8.8
# These two lines name the resolver that answered: the default DNS server configured on the local machine (Windows 11 here), which resolves the requested domain on your behalf.
# Since the answer is non-authoritative, obtain the domain's authoritative name server next.
set type=cname
# Enter the target domain
# When no CNAME exists, nslookup prints the SOA from the authority section: the domain's primary (authoritative) name server and the responsible mail address. `set type=ns` or `set type=soa` query those records directly.

nslookup
# switch to the authoritative name server found above, then repeat the A query
server ns1.bluehost.com
set type=a
# Enter the target domain; the answer is now authoritative

# Can do nslookup online too
Go to http://www.kloth.net/services/nslookup.php
# Set query field to A

# Can also use tools such as DNSdumpster and DNS Records tool

Locating Network Range

To determine the network range of a target, use the following method:

#Go to https://www.arin.net/about/welcome/region
#Get IP of target 

ARIN (American Registry for Internet Numbers) provides information about IP address allocations, which can help identify the network range associated with a target.

Performing Network Traceroute on Windows and Linux

Traceroute is a network diagnostic tool used to track the path packets take to reach a destination. Here’s how to perform it:

# Search IP / trace the route to the host (Windows)
tracert www.website.com
# tracert /? lists the options; -h sets the maximum number of hops
tracert /?
tracert -h 5 www.website.com
# Linux equivalent
traceroute www.website.com

# Could also use VisualRoute, Traceroute NG

Footprinting a Target Using Maltego

Maltego is a versatile tool that helps visualize relationships between different entities within a network. It uses transforms to extract and display data in a graphical format.

sudo maltego
# Launch Maltego and log in to access its features.
# Install necessary transforms to enhance data extraction capabilities.
# Use the Entity Palette to drag a website entity onto a new graph.
# Change the website entity to www.example.com.
# Right-click to select 'All Transforms' and run them to uncover DNS information.
# Explore DNS records such as SOA, MX, and NS by applying specific transforms.
# Transform the website entity to an IP address and location details.
# Use WHOIS transforms to extract additional entity information.

Footprinting Using OSRFramework

OSRFramework is designed for profiling and extracting data from various online sources. It provides a suite of tools for gathering domain and user information.

# Use the OSRFramework to gather domain and user profile data.
# domainfy checks which domain variants of a name are registered (-n name, -t all covers every TLD category)
domainfy -n APPLE -t all
# searchfy looks up a name or query across the supported platforms
searchfy -q "Tim Cook"

Additional tools in OSRFramework:

  • usufy: gathers registered accounts with given usernames.
  • mailfy: collects information about email accounts.
  • phonefy: checks for the existence of specific phone numbers.
  • entify: extracts entities using regular expressions from provided URLs.

Footprinting a Target Using FOCA

FOCA specializes in extracting metadata from documents to reveal hidden information about a target’s network and domain.

# Launch FOCA and create a new project for the target domain.
Double click FOCA.exe
# Enter the target domain website and select search engines for data collection.
# Choose all extensions and initiate a comprehensive search.
# Right-click entries to view detailed reports in a browser.
# Navigate through network and domain nodes to gather insights.
# Use the crawling tab and Google crawling button for document analysis.
# Access the document analysis node to view metadata summaries.

Footprinting a Target Using Recon-ng

Recon-ng is a comprehensive reconnaissance tool that provides a modular framework for gathering information about a target domain.

recon-ng
help
# install all modules from the marketplace
marketplace install all
# display all modules
modules search
workspaces
# create new workspace "example"
workspaces create example
workspaces list

# add the domain we want to perform recon on
db insert domains
# Enter the domain at the prompt
domain (TEXT) example.com
show domains

# search for modules matching 'brute', then load the host brute-forcer
modules search brute
modules load recon/domains-hosts/brute_hosts
# enter run to run it
run

# resolve with the bing module instead
back
modules load recon/domains-hosts/bing_domain_web
run

# perform a reverse lookup for each IP address harvested so far
modules search reverse_resolve
modules load recon/hosts-hosts/reverse_resolve
run

# show what has been harvested so far
show hosts

# Reporting
back
modules search reporting
modules load reporting/html
options list

# setting options for reporting
options set FILENAME /home/attacker/Desktop/results.html
options set CREATOR tester
options set CUSTOMER Customer Networks
# Generate report
run

Initialization and Setup:

  • Launch Recon-ng with recon-ng and use help to view available commands.
  • Install all modules using marketplace install all to ensure you have the necessary tools for reconnaissance.
  • Use modules search to display all installed modules.

Workspace Management:

  • Create a new workspace named “example” with workspaces create example to organize your findings.
  • List all workspaces with workspaces list to manage multiple projects.

Domain Insertion:

  • Prepare the database for domain insertion with db insert domains.
  • Insert the target domain (example.com in the commands above; the lab uses “certifiedhacker.com”) at the domain (TEXT) prompt.
  • Display the domains in the database with show domains.

Module Execution for Data Gathering:

  • Load the brute_hosts module with modules load recon/domains-hosts/brute_hosts to perform a brute force search for subdomains.
  • Execute the module with run to gather subdomain information.
  • Use back to return to the module selection menu and load the bing_domain_web module for domain resolution using Bing.
  • Run the module to resolve domain details.

Reverse IP Lookup:

  • Load the reverse_resolve module with modules load recon/hosts-hosts/reverse_resolve to perform reverse lookups on IP addresses.
  • Run the module to identify other domains hosted on the same server.

Reviewing Harvested Data:

  • Use show hosts to display the hosts gathered during reconnaissance, providing an overview of the collected data.

Reporting:

  • Load the reporting/html module with modules load reporting/html to generate HTML reports.
  • List configurable options with options list and set parameters such as filename, creator, and customer details.
  • Generate the report with run, saving it to the specified location.

Collecting Personal Information

workspaces create reconnaissance
# use the ARIN Whois RWS to harvest point-of-contact (POC) data from WHOIS queries
modules load recon/domains-contacts/whois_pocs
# show the module's description and options
info
options set SOURCE facebook.com
run

  • Workspace Creation: Create a new workspace “reconnaissance” to separate personal information gathering tasks.
  • WHOIS Data Collection: Load the whois_pocs module to extract point-of-contact data from WHOIS queries, targeting domains like “facebook.com.”
  • Execution: Set the source domain and run the module to gather personal information.

Footprinting Using BillCipher

BillCipher is a Python-based tool designed for gathering information about a target website. It provides various options for footprinting, such as DNS lookup and GeoIP lookup. Here’s how to use it:

python3 billcipher.py

  • When prompted, type the target website URL you wish to investigate. This sets the focus for the subsequent footprinting actions.
  • Enter “1” when prompted to perform a DNS lookup. This retrieves DNS records for the target, providing insights into its domain configuration.
  • After completing the DNS lookup, you can choose to continue by entering “Yes.”
  • Enter the website URL again when prompted for further analysis.
  • Enter “3” to perform a GeoIP lookup. This provides geographical information about the IP address associated with the target, such as its location.
  • Repeat the process for option “4” to perform a Subnet Lookup, which identifies the subnet range of the target’s IP address.
  • Continue exploring other options provided by BillCipher to gather comprehensive information about the target.

Footprinting Using OSINT Framework

The OSINT Framework is a web-based resource that organizes various open-source intelligence tools and techniques for gathering information about a target. Here’s how to use it:

Go to https://osintframework.com

Access the OSINT Framework website, which serves as a directory for various OSINT tools and resources.

Host Discovery with Nmap Notes

Nmap is a versatile and widely-used tool for network scanning. Below are some very basic but common host discovery techniques:

# ARP ping scan (-PR): on a local Ethernet segment this is the most reliable way to find live hosts
nmap -sn -PR $IP
# UDP ping scan
nmap -sn -PU $IP
# ICMP ECHO ping scan, useful for locating active devices or determining whether ICMP is passing through the firewall
nmap -sn -PE $IP
# ICMP ECHO ping sweep over a range of hosts
nmap -sn -PE $IP-23
# ICMP timestamp ping scan (timestamp request message)
nmap -sn -PP $IP
# ICMP address mask ping scan
nmap -sn -PM $IP
# TCP SYN ping scan
nmap -sn -PS $IP
# TCP ACK ping scan
nmap -sn -PA $IP
# IP protocol ping scan
nmap -sn -PO $IP

Open zenmap.exe
# -sT performs the TCP connect (full open) scan; -v enables verbose output (includes all hosts and ports in the output).
nmap -sT -v 10.10.1.22
# Click Scan
# TCP connect scan completes a three-way handshake with the target machine. In the TCP three-way handshake, the client sends a SYN packet, which the recipient acknowledges with a SYN+ACK packet. In turn, the client acknowledges the SYN+ACK packet with an ACK packet to complete the connection. Once the handshake is completed, the client sends an RST packet to end the connection.
# Click the Ports/Hosts tab
# Click the Topology tab
# Click the Host Details tab
# Click Scans
# Click Services on the left

# ON THE VICTIM: on Windows, open Control Panel > System and Security > Windows Defender Firewall > Turn Windows Defender Firewall on or off, enable the firewall and click OK
# Back on the ATTACKER machine:
# Stealth (SYN) scan, used to get past firewall rules
nmap -sS -v 10.10.1.22
# The stealth scan resets the TCP connection abruptly before the three-way handshake completes, leaving the connection half-open. This technique can be used to bypass firewall rules and logging mechanisms and to hide within normal network traffic.
# Xmas scan
nmap -sX -v 10.10.1.22
# Xmas scan sends a TCP frame to the target with the FIN, URG and PUSH flags set. If the port is open, you receive no response; if the port is closed, the target replies with an RST.
# Maimon scan
nmap -sM -v 10.10.1.22
# In the TCP Maimon scan, a FIN/ACK probe is sent to the target; no response means the port is open|filtered, while an RST in response means the port is closed.
# ACK flag probe scan
nmap -sA -v 10.10.1.22
# -sA performs the ACK flag probe scan; -v enables verbose output (includes all hosts and ports in the output).

# Switched back to the VICTIM machine: turned the firewall off
# UDP scan
nmap -sU -v 10.10.1.22

# Zenmap lets you select different scan profiles and create your own

# Click the Scans tab, select the Null scan option
# NULL scan
nmap -sN -v 10.10.1.22

# IDLE/IPID header scan
# A TCP port scan that bounces probes off an idle "zombie" host, so the target sees the zombie's address as the source of the probes. -sI takes the zombie host, then the target.
nmap -sI <zombie-host> -v 10.10.1.9

# SCTP INIT scan
# An INIT chunk is sent to the target host; an INIT+ACK chunk in response means the port is open, and an ABORT chunk means the port is closed.
nmap -sY -v 10.10.1.9

# SCTP COOKIE ECHO scan
# A COOKIE ECHO chunk is sent to the target host; no response means the port is open and an ABORT chunk means the port is closed.
nmap -sZ -v 10.10.1.9

# Service/version detection scan
nmap -sV 10.10.1.22

# Aggressive scan
# -A enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute). You should not use -A against target networks without permission.
nmap -A 10.10.*
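Whichever of the scan types above you run, the output is usually what you keep, and Nmap's grepable format (`-oG`) is the easiest to post-process. The Python parser below is an added example (not from the page or from the Nmap project): it turns `-oG` text into a per-host summary of status and per-port state, which is what you want when comparing a scan taken with the firewall on against one with it off, as the steps above do. The sample output is constructed in Nmap's `-oG` layout; the hosts, ports and counts are invented.

```python
"""Parse Nmap grepable output (-oG) into a per-host summary. Added example, not from the page."""
from typing import Dict, List, Tuple

# Constructed sample output: the layout is Nmap's -oG format, the contents are invented.
# Fields on a Host: line are tab-separated; a host gets a "Status:" line and, when ports
# were scanned, a "Ports:" line whose entries are port/state/proto/owner/service/rpc/version/.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sS -v -oG - 10.10.1.0/24
Host: 10.10.1.22 ()\tStatus: Up
Host: 10.10.1.22 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///\tIgnored State: closed (997)
Host: 10.10.1.9 ()\tStatus: Down
# Nmap done -- 256 IP addresses (1 host up) scanned
"""

Port = Tuple[int, str, str, str]    # (port, state, protocol, service)


def parse_grepable(text: str) -> Dict[str, dict]:
    """Return {ip: {"status": str, "ports": [Port, ...]}} from -oG text."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                    # comment and summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]                       # "Host: 10.10.1.22 ()" -> "10.10.1.22"
        entry = hosts.setdefault(ip, {"status": "Unknown", "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "Ports":
                if entry["status"] == "Unknown":
                    entry["status"] = "Up"              # ports only appear for hosts that answered
                for item in value.split(", "):
                    port, state, proto, _owner, service, *_ = item.split("/")
                    entry["ports"].append((int(port), state, proto, service))
    return hosts


def open_ports(hosts: Dict[str, dict], ip: str) -> List[int]:
    """Sorted open port numbers for one host (empty if the host is unknown)."""
    return sorted(p for p, state, _proto, _svc in hosts.get(ip, {"ports": []})["ports"] if state == "open")


def hosts_up(hosts: Dict[str, dict]) -> List[str]:
    """IPs reported as Up, sorted."""
    return sorted(ip for ip, entry in hosts.items() if entry["status"] == "Up")


if __name__ == "__main__":
    report = parse_grepable(SAMPLE_OG)
    for ip in hosts_up(report):
        print(ip, "open:", open_ports(report, ip))
```

Diffing two parsed reports (same host, firewall on vs. off) shows exactly which ports the firewall turns from `open` into `filtered`, which is the observation the firewall exercise above is meant to produce.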

Host Discovery with Angry IP Scanner

Angry IP Scanner is a simple yet powerful cross-platform tool. Here’s how to use it:

  1. Run Angry IP Scanner.
  2. Enter the IP range to scan.
  3. Navigate to Preferences:
    • Under the Scanning tab, set the pinging method to Combined UDP+TCP.
    • In the Display tab, select Alive Hosts (responding to pings).
  4. Click Start to begin the scan.

Additionally, consider tools like:

  • SolarWinds Engineer’s Toolset
  • NetScanTools Pro
  • Colasoft Ping Tool
  • Visual Ping
  • PingTester
  • OpsUtil

Port and Service Discovery with MegaPing

MegaPing offers comprehensive scanning capabilities. Follow these steps:

  1. Install using megaping_setup.exe.
  2. Launch the tool and choose IP Scanner:
    • Enter the target IP range and click Start.
  3. Select Port Scanner:
    • Enter the target IP and click Add.
  4. Choose the host and start the scan.

Port and Service Discovery with NetScanTools Pro

NetScanTools Pro provides manual tools for network analysis:

  1. Run ntsp11demo.exe.
  2. In the left pane:
    • Under Manual Tools (All), select Ping Scanner.
    • Ensure Use Default System DNS is ticked, enter the IP range, and click Start.
  3. For port scanning:
    • Select Port Scanner.
    • Tick TCP Full Connect and initiate a Scan Range of Ports.

Port Scanning with SX Tool

SX Tool is a command-line utility for network scanning. Below are common use cases:

# ARP scan: scan an IP range to get MAC addresses
sx arp 10.10.1.0/24
# emit the results as JSON and save them as an ARP cache file; later sx scans read it from stdin to learn the MAC addresses of their targets
sx arp 10.10.1.0/24 --json | tee arp.cache
# TCP scan of the full port range, using the ARP cache
cat arp.cache | sx tcp -p 1-65535 10.10.1.11
# more info
sx --help
# UDP scan targeting port 53; the JSON output holds the IP address plus the ICMP type and code of the reply packet
cat arp.cache | sx udp --json -p 53 10.10.1.11

######### NOTE #######
# - According to RFC 1122, a host should generate Destination Unreachable messages with code 2 (Protocol Unreachable) when the designated transport protocol is not supported, or code 3 (Port Unreachable) when the designated transport protocol (e.g. UDP) is unable to demultiplex the datagram but has no protocol mechanism to inform the sender.
# - According to RFC 792, network unreachable is code 0, host unreachable code 1, protocol unreachable code 2 and port unreachable code 3.
######################

# No output indicates that the target port is open (or that a firewall silently dropped the probe, so strictly speaking open|filtered)
cat arp.cache | sx udp --json -p 500 10.10.1.11
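The note above gives the ICMP codes; what a scanner actually does with them is the interesting part, since for UDP the absence of a reply is the ambiguous case. The Python below is an added example (not from the page or from the sx project) that classifies each probed UDP port from the ICMP reply it got, using the RFC 792 codes listed above and the same convention Nmap's UDP scan applies (code 3 is closed, other unreachable codes are filtered, silence is open|filtered). The JSON record layout `{"ip": ..., "port": N, "icmp": {"type": T, "code": C}}` is an assumption standing in for sx's real `--json` schema, not documentation of it, and the sample lines are constructed.

```python
"""Classify UDP probe results from ICMP Destination Unreachable replies (RFC 792 / RFC 1122).
Added example; the JSON record layout is assumed, not sx's documented schema."""
import json
from typing import Dict, Iterable, Optional

# RFC 792 type-3 codes named in the note above, plus the administratively-prohibited codes
# that Nmap also treats as "filtered" (RFC 1812 additions).
UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 9: "net administratively prohibited",
    10: "host administratively prohibited", 13: "communication administratively prohibited",
}


def classify(record: Optional[dict]) -> str:
    """State of one probed UDP port. record is the scanner's JSON record for that port,
    or None when the scanner printed nothing for it."""
    if record is None:
        return "open|filtered"      # silence: a service that ignored our payload, or a firewall that dropped it
    icmp = record.get("icmp")
    if icmp is None:
        return "open"               # a UDP datagram came back, so something is listening
    if icmp.get("type") == 3 and icmp.get("code") == 3:
        return "closed"             # port unreachable: the host got the datagram and nothing listens there
    return "filtered"               # any other unreachable message: a router or firewall refused it


def describe(record: Optional[dict]) -> str:
    """Human-readable reason for the classification, for reports."""
    if record is None or record.get("icmp") is None:
        return "no ICMP reply"
    icmp = record["icmp"]
    name = UNREACHABLE_CODES.get(icmp.get("code"), "unknown code") if icmp.get("type") == 3 else "non-unreachable ICMP"
    return f"ICMP type {icmp.get('type')} code {icmp.get('code')} ({name})"


def classify_scan(json_lines: Iterable[str], probed_ports: Iterable[int]) -> Dict[int, str]:
    """Map every probed port to a state. Ports with no record at all are the
    'no output' case from the cheat sheet and come out as open|filtered."""
    records: Dict[int, dict] = {}
    for line in json_lines:
        line = line.strip()
        if line:
            rec = json.loads(line)
            records[int(rec["port"])] = rec
    return {port: classify(records.get(port)) for port in probed_ports}


# Constructed sample output lines in the assumed layout (not real sx output)
SAMPLE_LINES = [
    '{"ip": "10.10.1.11", "port": 53, "icmp": {"type": 3, "code": 3}}',
    '{"ip": "10.10.1.11", "port": 161, "icmp": {"type": 3, "code": 13}}',
    '{"ip": "10.10.1.11", "port": 123, "icmp": null}',
]
PROBED_PORTS = (53, 123, 161, 500)

if __name__ == "__main__":
    for port, state in classify_scan(SAMPLE_LINES, PROBED_PORTS).items():
        print(port, state)
```

The point of keeping the probed port list separate from the reply list is the open|filtered case: a scanner that only reports ports it heard from cannot distinguish "open and silent" from "dropped by a firewall", so the report has to carry that ambiguity rather than label port 500 above as open.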
This post is licensed under CC BY 4.0 by the author.