0% found this document useful (0 votes)

156 views191 pages

CEH Day 2

Certified Ethical Hacker training. Crash course by Omar Santos via O'reilly learning platform. Day 2

Uploaded by

Yo Yo

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

156 views191 pages

CEH Day 2

Certified Ethical Hacker training. Crash course by Omar Santos via O'reilly learning platform. Day 2

Uploaded by

Yo Yo

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 191

Certified Ethical Hacker (CEH)

Certification Crash Course

(Day 2)

Omar Santos
@santosomar
theartofhacking.org
What we covered yesterday (DAY 1)

Introduction to Ethical Hacking and to the CEHv10 exam

Foot-printing, Enumeration, Reconnaissance, and Network Scanning

Vulnerability Analysis and System Hacking

Social Engineering

Denial-of-Service

Session Hijacking, Evading IDS, IPS, Firewalls, and Honeypots

theartofhacking.org
DAY 2

Cryptography

Hacking Wireless Networks

Hacking Web Servers and Web Applications

Hacking Mobile Platforms

IoT Hacking

Cloud Computing

theartofhacking.org
DISCLAIMER | WARNING

The information provided on this training is for educational purposes only. The
author, O’Reilly, or any other entity is in no way responsible for any misuse of
the information.

Some of the tools and technologies that you will learn in this training class may be
illegal depending on where you reside. Please check with your local laws.

Please practice and use all the tools that are shown in this training in a lab that is not
connected to the Internet or any other network.
theartofhacking.org
What this class is and is not…

• This is a review class of the CEHv10 exam and an

introduction to the CEHv11.
• This training helps you prepare for the test; it does not
guarantee that you will pass.
• We will cover all major topics covered in the CEHv10
and CEHv11 exams. You still need to practice, study,
and learn from other resources.

theartofhacking.org
Resources:
CEH Review: https://cehreview.com
The Art of Hacking: https://theartofhacking.org
GitHub: https://theartofhacking.org/github theartofhacking.org
https://cehreview.com theartofhacking.org
https://learning.oreilly.com/videos/certified-ethical-hacker/9780135647455

theartofhacking.org
https://learning.oreilly.com/certifications/9780136758433

theartofhacking.org
Cryptography

theartofhacking.org
The word cryptography or cryptology
comes from the Greek word kryptós,
What is which means a secret.
Cryptography?
It is the study of the techniques used for
encryption and secure communications.

theartofhacking.org
Cryptographers are always constructing
and analyzing protocols for preventing
unauthorized users from reading private
messages as well as the following areas
Why of information security:
Cryptography?
• Data confidentiality
• Data integrity
• Authentication
• Nonrepudiation
theartofhacking.org
• Virtual private networks (VPNs)
Examples of the • Ecommerce
use of • Secure email transfer
cryptography • Credit card chips
• many more…

theartofhacking.org
What is …the study of how to crack encryption
cryptanalysis? algorithms or their implementations.

theartofhacking.org
A cipher is a set of rules, which can also
Ciphers be called an algorithm, about how to
perform encryption or decryption.

theartofhacking.org
This type of cipher substitutes one
Substitution character for another.

theartofhacking.org
theartofhacking.org
theartofhacking.org
This is similar to substitution, but instead
of using a single alphabet, it can use
Polyalphabetic multiple alphabets and switch between
them by some trigger character in the
encoded message.

theartofhacking.org
This method uses many different options,
including the rearrangement of letters.

Transposition
T S S R
H I E E
I S C T
theartofhacking.org
Encryption algorithms can operate on
Block and Stream
blocks of data at a time, or bits and bytes
Ciphers of data, based on the type of cipher.

theartofhacking.org
A block cipher is a symmetric key cipher
(meaning the same key is used to encrypt
and decrypt) that operates on a group of
bits called a block.
Block Ciphers Examples:
• Advanced Encryption Standard (AES)
• Triple Digital Encryption Standard (3DES)
• Digital Encryption Standard (DES)
• Blowfish
• International Data Encryption Algorithm (IDEA)

theartofhacking.org
A stream cipher is a symmetric key cipher
(meaning the same key is used to encrypt
and decrypt), where the plaintext data to
Stream Ciphers be encrypted is done a bit at a time
against the bits of the key stream, also
called a cipher digit stream.

theartofhacking.org
A symmetric encryption algorithm, also
Symmetric known as a symmetric cipher, uses the
Algorithms same key to encrypt the data and decrypt
the data.

theartofhacking.org
An example of an asymmetric algorithm is a
public key algorithm.

There is something magical about asymmetric

algorithms because instead of using the same key
Asymmetric for encrypting and decrypting, they use two
different keys that mathematically work together
Algorithms as a pair.

Examples: RSA, Diffie-Hellman, DSA, ElGamal

theartofhacking.org
EVE
DEREK HANNAH

theartofhacking.org
• Hashing is a method used to verify data
integrity.

• A cryptographic hash function is a process that

Hashes takes a block of data and creates a small fixed-
sized hash value.

• It is a one-way function.

theartofhacking.org
• Individuals and organizations deploy VPNs to
provide data integrity, authentication, and data
encryption to ensure confidentiality of the
packets sent over an unprotected network or
the Internet.
• VPNs are designed to avoid the cost of
What Are unnecessary leased lines.
• Individuals also use VPNs to remain
VPNs? anonymous online.
• Even threat actors use VPN technologies to
encrypt data from compromised sites,
command and control communications, and to
maintain anonymity for the purposes of
malfeasance in underground sites and darknet
marketplaces.
theartofhacking.org
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Forwarding (L2F) protocol
Example VPN •
•
Layer 2 Tunneling Protocol (L2TP)
Generic Routing Encapsulation (GRE)
Technologies • Multiprotocol Label Switching (MPLS)
• Internet Protocol Security (IPsec)
• Secure Sockets Layer (SSL)

theartofhacking.org
Site-to-Site
VPNs

theartofhacking.org
Remote Access
VPNs

theartofhacking.org
Additional Crypto Details and References:
https://cehreview.com/go/crypto

theartofhacking.org
Hacking Wireless Networks

theartofhacking.org
A few questions before we get started…

theartofhacking.org
Which of the following best describes an attack where the threat
actor creates a rogue access point and configures it exactly the
same as the existing wireless network?

a) Evil Twin

a) Wireless Twin

a) Evil AP

a) Rogue Twin Client

theartofhacking.org
Whiteboard
Explanation of
Rogue and Evil
Twins

theartofhacking.org
Whiteboard
Explanation of
DeAuth Attacks

theartofhacking.org
DeAuth

theartofhacking.org
Which of the following is a methodology used by attackers
to find wireless access points wherever they may be?

a) Active wireless injection

a) Wireless Driving

a) War Driving

a) Evil Twin

theartofhacking.org
Which of the following is true about WEP?

a) WEP keys exists in two sizes: 48-bit (5 byte) and 104-bit (13 byte). In addition, WEP uses a 40-bit
initialization vector (IV), which is prepended to the pre-shared key (PSK). When you configure a
wireless infrastructure device with WEP the IVs are sent in the clear.

a) WEP keys exists in two sizes: 40-bit (5 byte) and 104-bit (13 byte). In addition, WEP uses a 40-bit
initialization vector (IV), which is prepended to the pre-shared key (PSK). When you configure a
wireless infrastructure device with WEP the IVs are sent encrypted with RC4.

a) WEP keys exists in two sizes: 40-bit (5 byte) and 104-bit (13 byte). In addition, WEP uses a 24-bit
initialization vector (IV), which is prepended to the pre-shared key (PSK). When you configure a
wireless infrastructure device with WEP the IVs are sent encrypted with AES.

theartofhacking.org
Which of the following is an attack against the WPA and
WPA2 protocols?

a) KRACK

a) WPA Buster

a) Initialization Vector KRACK

a) Four-way handshake injection

theartofhacking.org
Which of the following describes a KARMA attack?

a) KARMA is a man-in-the-middle attack in wired networks allowing an attacker

to intercept traffic.

a) KARMA is an evasion attack that creates a rogue AP allowing an attacker to

intercept wireless traffic.

a) KARMA is command injection attack that creates a rogue router allowing an

attacker to inject malicious wireless traffic.

a) KARMA is a man-in-the-middle attack that creates a rogue AP allowing an

attacker to intercept wireless traffic.

theartofhacking.org
WEP Deficiencies

• WEP is susceptible to many different attacks and it is considered an obsolete

wireless protocol.

• WEP must be avoided and many wireless network devices no longer support it.

• WEP keys exists in two sizes: 40-bit (5 byte) and 104-bit (13 byte).

• In addition, WEP uses a 24-bit initialization vector (IV), which is prepended to the
pre-shared key (PSK). When you configure a wireless infrastructure device with
WEP, the IVs are sent in the clear.

theartofhacking.org
More WEP Problems

• WEP has been defeated for decades.

• WEP uses RC4 in a manner that allows an attacker to crack the PSK with little
effort. The problem is how WEP uses the IVs in each packet.
• When WEP uses RC4 to encrypt a packet, it prepends the IV to the secret key
before including the key into RC4.
• Subsequently, the attacker has the first three bytes of an allegedly “secret” key
used on every packet. In order to recover the PSK, you just need to collect
enough data from the air.
• You can accelerate this attack by just injecting ARP packets (because the length
is predictable) allowing you to recover the PSK much faster.
• After you recover the WEP key, you can use it to access the wireless network.

theartofhacking.org
WPA Handshake

theartofhacking.org
theartofhacking.org
Attacking the Preferred Network Lists

• Operating systems and wireless supplicants (clients), in many cases, maintain

a list of trusted or preferred wireless networks. This is also referred to as the
preferred network list (PNL).
• This list includes the wireless network SSID, clear text passwords or WEP or
WPA passwords.
• Clients use these preferred networks to automatically associate to wireless
networks when they are not connected to an AP or a wireless router.
• You can listen to these client requests and impersonate such wireless networks
in order to make the clients connect to your wireless device and eavesdrop in
their conversation or to manipulate their communication.

theartofhacking.org
theartofhacking.org
Wireless Networks, IoT, and Mobile Devices Hacking
(video course with tons of demos – FREE with Safari Subscription)

https://cehreview.com/go/wireless

theartofhacking.org
Buffer Overflows

theartofhacking.org
Introduction to Buffer Overflows
theartofhacking.org
H E L L O

H E L L O W O R L
D

theartofhacking.org
heap

theartofhacking.org
EIP
• The Instruction pointer register.
• Stores the address of the next instruction to be executed.
• Its value is incremented after every instruction execution
(depending on the size of an instruction).

theartofhacking.org
ESP
• The Stack pointer register.
• Stores the address of the top of the stack. This is the
address of the last element on the stack.
• The stack grows downward in memory(from higher
address values to lower address values).
• Subsequently, ESP points to the value in stack at the
lowest memory address.

theartofhacking.org
EBP
• The Base pointer register.
• The EBP register usually set to ESP at the start of the
function.
• This is done to keep tab of function parameters and local
variables.
• Local variables are accessed by subtracting offsets
from EBP and function parameters are accessed by
adding offsets to it.

theartofhacking.org
,

theartofhacking.org
WHAT IS SHELLCODE?

A small set of instructions (piece of

code) used as the payload in the
exploitation of a vulnerability, such
as a buffer overflow.

theartofhacking.org
https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom theartofhacking.org
theartofhacking.org
Hacking Web Servers and
Web Applications

theartofhacking.org
Web Application
Penetration Testing
Methodologies

theartofhacking.org
https://www.owasp.org/index.php/OWASP_Testing_Project theartofhacking.org
theartofhacking.org
* For your reference only