CEH - useful links

Michala Liavaag

I've exported the links I've captured during the training sessions using Mindjet Mindmanager which is what I use to take study notes. I haven't captured all the links or the names of all the many people who contributed them but thanks to all for sharing :)

Study guide by Sean

EC-Council Certified Ethical Hacker exam 312-50
CPE requirements

Cryptography

Penetration Testing Process

Foot-printing (aka Recon)
Open Source Intelligence Gathering (OSINT) Training by Michael Bazzell
Social Engineering
- Social Engineering Framework
- Kevin Mitnick on social engineering
- Guide to reading microexpressions - science of people
Maltego from Paterva
SHODAN - Computer Search Engine
Path Analyzer Pro - Graphical Traceroute
Metadata leakage
- ixquick
- MetaCrawler
- Dogpile
- Search.com
Whois tools
- DNSW.info
- Domain tools
- Whois.net
- MXtoolbox
Google hacking database
- Exploit DB
- Hackers for Charity
- Googlehacks utility
- Use Startpage to hide originator and prevent throttling by Google
Social networks
- Twitter
  - Echosec
  - The one million tweet map #onemilliontweetmap
- Usernames on social media
Web server content - Netcraft
Search engines (not just google) - OSINT custom search
People sites
- UK 192.com
- Yasni
- Spokeo People Search - White Pages - Find People
- Whitepages – Find People, Businesses & More
- AnyWho
Financial Web
- Open corporates
- CNBC Markets- Indexes, Bonds, Forex, Key Commodities, ETFs
Archives
- The way back machine
- Mailing list archives
  .
  .
Scanning
Zmap
Fing - Network Scanner on the App Store on iTunes
Angry IP scanner
nmap (zenmap = gui)
- SANS cheat sheet for nmap
- Infosec institute nmap cheat sheet
hping
Superscan
Scapy (packet crafter)
Vulnerability scanners (for whitebox pentest only)
- Tenable's Nessus Home Edition
- Rapid7's Nexpose Community Edition
- OpenVAS
- GFI Languard
Network diagrams / topology
- Solarwinds
- Friendly Pinger (may have virus) and has been replaced by Algorius Net Viewer
- Spiceworks network mapping software
- Zabbix
- Nagios
  .
Enumeration
LDAP tools
- LDAP Administrators
- http---directory.apache.org-studio
- Spiceworks Free AD Mgmt software
DNS tools
- nslookup (to force a zone transfer)
- samspade (old tool)
  *SANS Using Sam Spade
Superscan 4.1 by Foundstone
Dumpsec

.

Gain Access
See Packet sniffers section below
- Cracking MS-CHAP2
USB rubber ducky
- USB Rubber Ducky Deluxe
Rainbow tables
- RTgen
- WinRTgen
Social engineering
- Jimmy Kemmel 'What is your password?'
- World wide web tools to lookup default hardware passwords
Keyloggers
- Keyghost
- MS Windows Problem Steps Recorder (built-in tool)
- MS keyboard disguised as USB wall charger
- Thermal imaging to steal from ATM
  .
Privilege Escalation
- psgetsid (from Sysinternals suite)
- user2sid and sid2user by Evgenii B. Rudnyi
- Trinity rescue kit - requires physical access for local accounts
- ERD commander in v6.5 of Microsoft's Diagnostic and Recovery Toolset (MSDaRT)
- x.exe (old tool but Sean said he sill uses it)
  .
  .
Maintaining Access
Exfiltrating data from activity monitors
- Print activity monitor (PAM) by Red Line
- Surveilstar
Physical drop box (e.g. MiniPwner and Pwnieexpress )
.
Cover your tracks
auditpol
winzapper (for targetted removal of log entries*
Alternate data streams (forked file system) - Practical Guide to Alternative Data Streams in NTFS
Steganography
- spammimic (hide message in spam*
- Quickstego
- Invisible secrets
- MP3Stego
  - MP3Stego Hiding Text in MP3 Files
- Article by Sean on Steganography
- SANS reading room on Steganography
- How-al-qaeda-hid-secret-documents-in-a-porn-video
  .

Malware (chapter 8 )

Worm example
Trojans
- netcat
- Ncat - Netcat for the 21st Century
- cryptcat
- Detection
  - TCPview from Sysinternals Suite
  - netstat -a
Rootkits
- Microsoft Threat Report on Rootkits
- Rootkit Revealer from Sysinternals Suite
Advanced Persistent Threats (APTs)
- Book: Countdown Zero Day Stuxnet
- Symantec Analysis of Regin
IP viking live attack map
shows which ant-malware products detect a threat)
Anti-malware tools referenced in forum
- Virustotal (online scanner for files and URLs
- VIPRE
- Spybot
- ESET
- Malwarebytes
- Windows Defender

.
Sniffing

Tools
- Wireshark
  - Presentation from Washington
  - [itpro.tv wireshark course]
    (http://itpro.tv/course/54c2920ae10805157000002c/)
  - Documentation
  - Sample packet captures
- Linux Dsniff (for SMTP packet extraction)
- Etherape graphical only
- Network Monitor (Microsoft) replaced by Microsoft Message Analyzer
- WinPCap
- Command line utilities
  - tcpdump
  - windump
- Wireless with wireshark
  - AirPCap (hardware for wireless, approx $300-800)
Detecting sniffers
- promqry for Windows
- Arpwatch for Linux
- Sniffdet (old)
- wireshark filter can be configured
- a ping packet can be crafted

Social Engineering

Social Engineer Podcast
Social Engineering Toolkit
- Usage of SET
Social Engineering Framework
Recommended Books
- The Art of Deception by Kevin Mitnick
- Catch me if you can by Frank Abagnale
Managing an Information Security and Privacy Awareness and Training Program, Second Edition by Rebecca Herold - personal recommendation, excellent

.
Denial of Service

Examples cited
Botnets used for DDOS
- Snizbi botnet
Packet crafting
- hping2
- hping3
- colasoft packet crafter
'Gobbler' for targeted attack against a DHCP server
Attack types cited
- Generic
  - SYN flood
  - Ping based
    - ICMP (ping) flood
    - POD attack (Ping of Death)
    - Teardrop
    - Smurf (TCP)
    - Fraggle (UDP)
- Targetted
  - DHCP servers
    - DHCP starvation attack (see Gobbler tool)
  - DNS servers
    - DNS poisoning attack
  - NTP servers
    - NTP amiplification attack
  - Web servers
    - examples cited: slashdot and 'fark effect'
  - SQL servers
    - examples cited: Slammer worm
- Physical attacks
  - Phlashing attacks against routers / switches
Other useful links
- Denial-of-service attack - Wikipedia
- Digital Attack Map (visualise DDOS over time)
- US CERT on Denial of Service (Published 1997)
- Distributed denial-of-service attack defense
- Zone H (hacked sites)
  - Zone H archive
- Internet Health Report (shows internet backbone providers)
- Kali Linux Hacking Tutorials Denial Of Service Attacks Explained for Beginners and Dummies

.
Session Hijacking

Session Management Cheat Sheet from OWASP

.
Web Servers and Web Applications

Tools
- Siterippers
  - Httrack
  - Black Widow
  - wget
Scanning, etc.
- Burpsuite
- IBM Security AppScan
Firefox add-ins
- Selenium automation
- Tamper Data (also see Why Hackers Love the Tamper Data Firefox Add-On
  *Countermeasures
- Web application firewall - Mod Security (open source)
- Web IDS/IPS - Appsensor from OWASP
Other stuff
- January 2015 Web Server Survey Netcraft
- Defcon 18 - You spent all that money and you still got owned

.
SQL Injection

Tools
- Firefox addins
  * SQL inject me
  - HackBar
- SQLmap
- Google dorking list for 2015/16
Additional resources
- Tutorial on SQLi Labs - InfoSec Institute uses Audi-1-sqli-labs · GitHub
- SQL injection tutorial (used in class)

.
Wireless Networking

Security standards
Frequency bands
Attack types
- war-catting (!)
- Wi-Fi jamming (don't do it!)
Tools
- Bluetooth
  - btscanner 2.1 for linux
  - Ubertooth One
  - UD100 SENA - also sold by Pwnie Express
  - Bluetooth from a mile away (make your own bluetooth adapter
  - Bluetooth keylogger
- Wireless
In-depth tutorials on wi-fi hacking
- SecurityTube Wireless LAN Security and Penetration Testing Megaprimer with Vivek Ramachandran - personally highly recommend
- Hak5 1122.1, WiFi Hacking Workshop Part 1.1 recommended by WS
- Eli the computer guy recommended by BC
Additional resources
- Whitepaper on rogue Access Point detection
- Cisco Aironet Antennas and Accessories Reference Guide
- Dominic on Bluetooth (video) recommended by DH
- Car hacked on 60 minutes also see Security Now episode on vehicle hacking

.
Evading IDSs, Firewalls, and Honeypots
Coming soon
.
Physical Security
This was not covered as a separate segment but embedded into the social engineering and other examples. Lots online on the topic including a useful checklist from SANS. One resource I particularly like for various things is the CPNI website.
.

Penetration testing distributions
KaliLinux
BlackArch
Backbox Linux
Cyborg Hawk

IDS

Snort
Snorby

Other security tool sites
Sysinternals suite
Security tools

Labs

Report writing

Other interesting links posted

Epic Privacy Browser
33Mail.com -unlimited free disposable anonymous email addresses
Cheat sheets at packetlife
Phishing Quiz from OpenDNS
Hacking webcams
LatinSquares
Computer crime presentations and training
EFS and audit policy video from ITPro.tv
Complementary training (I use in addition to itpro.tv)
- Open security training
- Cybrary ethical hacking
Mindmaps for pen testers by Aman Hardikar

.
Security Podcasts listened to by participants

syd-hausmann

@Michala-Liavaag Thanks Michala, this is incredibly useful!

Creigh Chlopek-2

Wow.... Michala... Thanks
4 Kudos Points to your geek street cred in my book.:+1: :+1: :+1: :+1:

Michala Liavaag

Post updates for chapter 10 on Social Engineering (I missed on of the sessions through so will go back and update when I've watched it) and chapter 11 DOS/DDOS. Glad that other people are finding this useful :)

I've also got some random links from people to add to this later on.

McYak

Thank you very much Michala. I've been writing everything down as we go along, but would have to sort through notes and compile a list. You saved me a LOT of work. It's appreciated.

Chris McGrath

Thanks again Michala this is so organized much appreciated!

Ben Coyle

Thanks for a wonderful job Michala

Ben Coyle

interested in a list of tools and commands from "The Art Of Intrution" by Kiven Mitnick?
Some of them are old

Netstat, 10phtCrack, whios, nslookup, rpcbind(portmapper), nfsshell, netcat, keyghost, John the ripper, Spy lantern keylogger, Citrix metaframe, pwdump3, spycop(detects keyloggers), WinVNC, TightVNC, Damware, CGI Scripts, LSADump2, pkcrack,setup.pl( backticked variable injection), IDA pro(reverse engineering), tripwire, subterfuge(in Kali Linux).

Michala Liavaag

@Ben-Coyle Thanks for sharing those :)

I've updated this thread with links from the following sessions:

Chapter 11: Denial of Service
Chapter 12: Session Hijacking
Chapter 13: Web Servers and Web Applications (still some more to come on this on as I missed some segments)
Chapter 14: SQL Injection
Chapter 15: Wireless Networking

Still to do:

Chapter 16: Evading IDSs, Firewalls, and Honeypots
Chapter 17: Physical Security
Other useful links

Scott

Hey Michala,

Any idea when you'll have the rest of it? We appreciate all your work on this! :hamster:

Rick Sidwell

Another useful resource is the EC-Council's C|EH Candidate Handbook, available from their Downloads page. The direct link is https://cert.eccouncil.org/images/doc/CEH-Handbook-v2.0.pdf. It's a 55 page document with all the details you need to attempt the exam, including agreements you need to sign, accommodation requests (if needed), and continuing education requirements.

Michala Liavaag

Hi all, somewhat delayed due to a lot going on at the moment.

I came across an excellent resource which some of you may already be familiar with: The Penetration Testing Execution Standard and supporting Technical Guidelines. Lots of great stuff there which supplements the list compiled above. There is also a Freemind version of an older version of the standard.

debra j.

Here's a link to the newest Penetration testing distro, Cyborg Hawk

https://www.linux.com/community/blogs/130-distributions/798938-cyborg-hawk-linux

And thanks for all that you have done for us, Michala. We greatly appreciate it!

Ronnie Wong

Thanks again for keeping the ITProTV forum filled with valuable information, all of you that keep this stuff going help to provide a great resource!

Cordially,
Ronnie Wong
Host, ITProTV

Michala Liavaag

@Scott-Pitcock202 Sorry I'm not finished yet, I'm behind as I started a new job so my focus is there at the moment. Will come back to this when I get chance though.

Michala Liavaag

@debra-j.--o Thanks for that Debra, added to the pen testing distro section :)

Michala Liavaag

@Ronnie-Wong You're welcome. This is such a great resource with all the different courses for a very reasonable price that I think it's only fair to give something back as it were :)

D. Rogers

This post is deleted!

D. Rogers

Here is a list of good sites for your CEH tools and practice. I received this from a SANS poster or email - I forget.

http://www.amanhardikar.com/mindmaps/PracticeUrls.html

This guy has developed more mind maps at the following link.

http://www.amanhardikar.com/mindmaps.html

Hacking practice lab
Forensics practice lab
Infrastructure testing

and more

Michala Liavaag

@D.-Rogers Thaks for those - some great mindmaps there. The SANS poster is pretty good for showing potential attack vectors to people too :+1: