#New C|EH Training @By Jit(C|EH ,C|HFI ,CISO)


Zanti is a very useful tool for mobile penetration testing.

app link=> https://www.zimperium.com/zanti-mobile-penetration-testing



#New course for beginners

(This course is provided by our expert)

🔊Our experts need some subscribers so help us






System hacking guide EBook pdf version

link => https://drive.google.com/file/d/1xff_8TY68Z9vu8slN6afIIJl_9hld3C4/view?usp=drivesdk


🔊Tutorial video will be uploaded soon.

appearing in "video classes"


Modules(Course Outline)


⬛Introduction to Ethical Hacking✔

⬛Footprinting ✔


⬛Scanning Networks✔


⬛Vulnerability Analysis(practical)✔

⬛System Hacking(practical video available)✅

⬛Malware Threats(video available)✅


⬛Social Engineering(practical)✅

🔴Denial-of-Service(Practical & tools available)✔

🔴Session Hijacking(practical)

🔴Evading IDS, Firewalls, and Honeypots(full tutorial by expert)


🔵Hacking Web Servers(tutorial coming soon)

✨Hacking Web Applications(practical)

⬛SQL Injection(video available)

🔴Hacking Wireless Networks(explained)

🔴Hacking Mobile Platforms(explained)

🔵IoT Hacking(coming soon)

🔴Cloud Computing(video available)


We need to learn about cyber security to secure our cyber world


Introduction :

There have been drastic changes in technology over the past decade or so. The technology landscape is now shifting toward mobility, the Cloud, and the Internet of Things (IoT). Directly or indirectly, this technology change also brings new security risks along. This has given rise to a high demand for Information Security professionals across the globe. According to the few surveys available, the number of qualified Information Security professionals is far less than the actual demand.

Securing assets from a variety of threats is an interesting and equally rewarding job. There are several training programs and certifications that will get you started with your career in Information Security. One such popular certification is Certified Ethical Hacker from the EC-Council. This certification is quite comprehensive and intensive, covering various aspects of ethical hacking. The best thing is that it doesn’t need any prequalification. Anyone with a keen interest in hacking and security can opt for this certification. Because the course syllabus is vast, however, it can take a lot of effort to grasp all the concepts. This book is essentially a foundation guide that covers not only the basics of hacking but also other basic prerequisites that will help you understand the core topics in a better way. Going through this book before you take the CEH course and certification will ease the process of absorbing knowledge during the course. An appendix describing various Information Security career paths and another on interview preparation have also been included to guide the reader after successful completion of CEH certification. I wish all readers the very best for their career endeavors and hope you find this course to be valuable.

What Is an Operating System?

Computers don’t directly understand human languages. All they understand is binary machine language (0s and 1s). But for humans, it’s extremely difficult to communicate with computers in that form. Software programs are the interfaces between humans and computers that help both to communicate with each other easily. There are two categories of software: system software and application software. An operating system is the system software that helps manage and coordinate all hardware and software resources. Common tasks include device management, multitasking, user management, memory allocation, and so on. The operating system also provides a base or foundation for the execution of other application software. Some of the most widely used operating systems are Microsoft Windows, Linux (Red Hat, Fedora, CentOS, Ubuntu, AIX, BSD, and others), and Android/iOS for smart phones and tablet PCs. The operating system plays a crucial role from the security perspective. However secure the application may be, if the underlying operating system is vulnerable and unpatched, then it becomes a soft and easy target for hackers and intruders. Hence, from a defensive as well as an offensive perspective, it is important to familiarize yourself with the basics of an operating system and get acquainted with various security features that the operating system offers. The following sections briefly discuss some of these features.

What Is a Kernel ?

In simple words, the kernel is the core of the operating system. It has full control over all the activities that occur in the system, and it is the first program that is loaded on startup. A few of the important tasks performed by the kernel are memory management, device management, and managing system calls. The kernel does the critical job of connecting and interfacing application software with the hardware devices.

(02) Information Gathering & Footprinting


Before planning an attack on the target system or network, it is very important to have detailed information about the target system. This information includes software versions, type of operating system installed, a list of active services, a list of user accounts, and so on. This information helps plan and build or prevent further attacks on the target system. This chapter introduces various footprinting and enumeration techniques that are useful in gathering vital information about the target system.

■ Key Topics: Types and importance of footprinting, enumeration, and common tools for enumeration

What is Footprinting?

Footprinting is one of the initial stages of the hacking methodology. It is used to collect as much information as possible about the target system and/or network. It involves getting information about the target network topology, performing DNS and WHOIS queries, finding out the versions of remote operating systems and application software, and then consolidating this information to build further attacks.

Before planning for the actual attack on the target network, footprinting gives a wealth of information to the attacker. It helps determine strengths and weaknesses of the target network. It gives information about the critical assets in that target network so that more emphasis can be placed on exploiting those. In a way, it helps the attacker visualize the security posture of the target network and then plan for the most accurate attack vectors. Without footprinting, the attacker is less likely to succeed with exploitation of the vulnerabilities in the target network.

The following list provides the different types of footprinting:

• Website footprinting: This involves getting information about the target website. For example, http://www.netcraft.com/ is a website that offers rich footprinting services. It can tell you what server and software the target is running along with other details, such as uptime. A Firefox plug-in known as Wappalyzer also gives information about what web server, OS, and other add-ons or plug-ins the target site is running. Figure 8-1 shows a sample output (marked in green boxes) from the Wappalyzer plug-in. Another useful website, http://www.bulkdachecker.com/url-extractor/ , helps extract all the links in the target website. This further assists in plotting the attack surface and excluding the items that may be out of scope. Figure 8-2 shows the tool results for one of the demo websites.

• Email footprinting: This technique involves gathering information about the email recipient by using various tracing and tracking techniques.

  • Email tracing: Every email has two parts, a header and a body. The email header contains technical information, including the mail server used to send the email, timestamps, and so on, and the email body contains the actual message that was sent. The email header can reveal a lot of useful information about the sender. For example, the site http://www.traceemail.com/traceemail-header.html allows users to trace an email just by copy-pasting the email header into the Trace utility.

  • Email tracking: This technique involves sending an email to a recipient in order to track the location and other details of the target user. For example, www.readnotify.com is one such website that allows users to track emails sent through this service. It works as follows:

    • A user sends an email to the target recipient using ReadNotify.
    • The receiver receives the email and opens it.
    • As soon as the receiver opens the email for reading, the sender receives a notification that the mail was opened along with location and other details.

• Competitive intelligence: Competitive intelligence is a methodology used by businesses to gather and analyze information about products and customers of rival companies. This information is then used to formulate better business strategies. For example, the site www.sec.gov/edgar.shtml gives a lot of interesting information about various registered companies.

• WHOIS search: Querying the WHOIS database returns the domain registrant information. To find out registrant information for any website, one can use https://whois.icann.org . For example, a WHOIS query for demo.testfire.net

• People search and social networking sites: There are many free and publicly available sites that let you search for people. Depending on the type of site, you can get personal as well as professional information about the target person. Facebook, one of the most popular social networking sites, easily gives out personal information like pictures, locations visited, topics of interest and so on, while the professional social networking platform LinkedIn gives information about various organizations the target person has worked for and his professional skills. This information base can be quite useful to build a social engineering attack and increase the probability of compromise. Figure 8-5 shows another popular people search engine known as Pipl.

• Searching devices with Shodan: The Internet is not just a place where only individual computers and systems are connected. Today’s Internet is a complex network of things and devices. Industrial control systems are also often interconnected over the Internet. Shodan is a special-purpose search engine for security enthusiasts that helps find devices, passwords, databases, webcams, and so on over the Internet using specialized queries. Shodan is extremely easy to use and is located at https://www.shodan.io .

• Maltego search engine: Maltego ( https://www.paterva.com ) is an advanced search tool that searches for the subject across the Internet and creates a relationship graph between the searched entities.
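The email tracing item above says that the header records the mail servers a message passed through and their timestamps. The following is an added example, my code rather than anything from the page or from the traceemail.com service it names: it parses the Received: chain of a constructed message with Python's standard email module, reconstructs the delivery order, extracts the originating IP, and flags hops whose hand-offs or timestamps do not line up, which is how an analyst spots a forged header. The message, hosts and addresses are constructed placeholders.

```python
"""Reconstruct an email's delivery path from its Received: headers.

Added example (not code from the page or from any service it names). The
header block is constructed for illustration; all hosts and addresses are
documentation placeholders.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample. Each relay prepends its own Received: line, so the
# top line is the last hop and the bottom line is the origin.
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.10])
\tby inbox.example.org with ESMTPS id abc123
\tfor <alice@example.org>; Mon, 3 Jun 2024 10:02:17 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx2.example.net with ESMTP id def456;
\tMon, 3 Jun 2024 10:02:11 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
\tby relay.example.com with ESMTPA id ghi789;
\tMon, 3 Jun 2024 10:02:05 +0000
From: Bob <bob@example.com>
To: alice@example.org
Subject: Quarterly report
Message-ID: <m1@example.com>

Please find the report attached.
"""

# "from <host> (<comment>) ... by <host>" is the shape relays write (RFC 5321).
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<from>\S+)"            # host that handed the message over
    r"(?:\s+\((?P<comment>[^)]*)\))?"    # optional "(name [ip])" comment
    r".*?\bby\s+(?P<by>\S+)",            # host that accepted it
    re.DOTALL,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Turn one Received: header value into a hop dict, or None if unparseable."""
    flat = " ".join(value.split())                 # unfold continuation lines
    match = RECEIVED_RE.search(flat)
    if not match:
        return None
    ip_match = IPV4_RE.search(match.group("comment") or "")
    timestamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
    return {
        "from": match.group("from").strip("[]"),
        "ip": ip_match.group(1) if ip_match else None,
        "by": match.group("by"),
        "timestamp": timestamp,
    }


def trace_path(raw_message):
    """Return the hops in delivery order (origin first)."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()   # headers are prepended, so the bottom one is the origin
    return hops


def originating_ip(raw_message):
    """IP recorded by the first relay (may be a NAT gateway or VPN exit)."""
    hops = trace_path(raw_message)
    return hops[0]["ip"] if hops else None


def chain_breaks(hops):
    """Pairs where hop N's 'by' host differs from hop N+1's 'from' host.

    A break suggests a relay is missing or a line was inserted by the sender.
    """
    return [(a["by"], b["from"]) for a, b in zip(hops, hops[1:]) if a["by"] != b["from"]]


def timestamps_monotonic(hops):
    """True when relay timestamps never go backwards along the path."""
    times = [parsedate_to_datetime(h["timestamp"]) for h in hops if h["timestamp"]]
    return all(a <= b for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    path = trace_path(SAMPLE_MESSAGE)
    for hop in path:
        print(f"{hop['from']:<22} ({hop['ip']}) -> {hop['by']:<20} {hop['timestamp']}")
    print("origin ip:", originating_ip(SAMPLE_MESSAGE))
    print("chain breaks:", chain_breaks(path))
    print("timestamps monotonic:", timestamps_monotonic(path))
```

Only the lines written by servers you trust are reliable: a sender controls everything below the first hop their own mail server recorded, so a skipped relay or a timestamp that goes backwards marks the point from which the rest of the chain cannot be trusted.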


Information gathering, reconnaissance (active or passive): Abraham Lincoln once said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” This famous quote applies in penetration testing as well. In order to perform a successful penetration test, the pen-tester must first spend quality time gathering meaningful information about the target. The information may include the following:

• IP range
• Live hosts
• Website registrant details
• DNS and mail server information
• Operating systems used
• Personnel contact information
• Any other leads or pieces of information that would further help building an attack

Reconnaissance can be classified into two types:

• Active reconnaissance: In active reconnaissance, the attacker sends actual packets/datagrams/probes to the target system or network to gather information. This may include ping scans, SYN scans, operating system enumerations, banner grabbing, and so on. However, this type of reconnaissance activity may raise an alarm and could be detected easily.
• Passive reconnaissance: In passive reconnaissance, the pen-tester tries to gather as much information as possible about the target system from publicly available sources, like the organization’s website or social media. The pen-tester doesn’t use his tools to send packets/probes to the target organization, thus avoiding any direct contact, which might raise an alert.

The Attack Phase

Once the pen-test project is kicked off by completing the activities in the pre-attack phase, it is time to find any vulnerabilities and exploit the weaknesses found in the target system. This mainly involves enumerating the devices, acquiring the targets, and escalating privileges.

• Perimeter testing: The network perimeter mainly includes devices like firewalls, intrusion detection systems, intrusion prevention systems, and access control gateways. A pen-tester needs to use various techniques to evade and bypass these perimeter security devices and get inside the target network. The pen-tester can craft special IP packets (manipulating the TCP flags) and send them to the target network to test the strength of firewall rules. A certain level of probing may also reveal which protocols are allowed and which are restricted. The IDS and IPS devices must also be tested, by passing malicious traffic.
• Enumerating devices: Device enumeration includes creating a device inventory with all the necessary parameters like the name of each device, its IP address, MAC address, physical location, and the like. This can be done using tools like NMAP, which scans the entire network and creates a network or host map. This information can be later used to verify and identify any fake, unauthorized, or rogue device that might exist in the network. Figure 7-5 is a sample network topology graph generated from an NMAP scan.
• Acquiring targets: This phase is more intrusive, and the pen-tester tries to gain access to all possible devices that were enumerated earlier. The tester makes use of manual techniques as well as automated scanning tools to break into the target systems. Once the pen-tester has access to the target system, the next step is to determine which resources can be accessed. The resources might contain company-confidential data, trade secrets, employee data, payroll data, or any other sensitive
• Escalating privileges: Once the pen-tester gets basic access to the target, they also need to aim for privilege escalation. The ultimate objective here is to get access to the administrator or root level user so as to gain the maximum possible control over the target system. The pen-tester may use various techniques, like a brute-force attack or existing system vulnerabilities, to escalate the privileges.
• Execute and implant: In this phase the pen-tester tries to execute arbitrary code on the target system and also attempts to implant back doors for future compromise. Techniques include exploiting buffer overflows or any such vulnerabilities found in the target system. The pen-tester will then also test whether he can manipulate the audit log to clear his tracks and get away without being noticed.

The Post-Attack Phase

Once all the tests have been performed on the target systems or network, it is necessary to clean and restore the systems. This phase usually involves the following tasks:

• Removing uploaded files: Many times testers upload malicious files, scripts, payloads, or executables on the target system for the purpose of exploitation. It is necessary to remove all such uploaded files so that they don’t act as a backdoor to any unauthorized users thereafter.
• Cleaning Registry entries: Many exploits on Windows systems make modifications in the Registry. It is necessary to clean out such malicious Registry entries. The best way is to take a snapshot of the Registry before starting the tests and then restore the Registry to that snapshot after completion of all tests.
• Removing tools and exploits: The entire penetration testing process involves using many tools. It’s quite possible that the tester may have uploaded a set of tools on a particular system within the target network. In such a scenario, it’s necessary to remove all the tools once testing is complete.
• Restoring network: For testing specific scenarios, the network policies or the Access Control Lists (ACLs) may have been modified. All such modifications must be restored to their original state.
• Analyzing results: The process of penetration testing involves numerous tests, either automated or manual. All these tests generate a lot of output data. It is essential to analyze the result data from all the tests, remove false positives, and organize the results in a structured manner.
• Presenting the findings report: All the effort that is put into the penetration test will go in vain if a good report isn’t prepared and presented to relevant stakeholders. The report must be tailored to the stakeholders and must contain an executive summary, detailed findings, proof-of-concept (PoC) wherever applicable, and fix recommendations. The report must contain sufficient information for stakeholders to act upon the issues and must be easy to understand.
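The Cleaning Registry entries task above recommends snapshotting the Registry before testing and restoring it afterwards. As an added example (my code, not from the page), this Python script compares two constructed .reg exports of the kind Registry Editor or reg export produces, lists the keys and values the test introduced or changed, and prints the reg.exe deletions that would undo the additions; the key paths, value names and file paths are placeholders.

```python
"""Diff two .reg exports to find what a test left behind in the Windows Registry.

Added example (not code from the page). Both exports below are constructed;
the paths and names are illustrative placeholders, not real indicators.
"""

# Constructed snapshot taken before testing.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
"Version"="2.1"
"""

# Constructed snapshot taken after testing: one added Run value, one changed
# value, one added value and one new key (placeholder paths).
AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"svcupdate"="C:\\Users\\Public\\svcupdate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
"Version"="2.2"
"Debug"=dword:00000001

[HKEY_CURRENT_USER\Software\TestDropper]
"Path"="C:\\Users\\Public\\payload.bin"
"""


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}.

    Simplification: value names containing '=' and multi-line hex data are not
    handled; the default value is stored under the name '@'.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip()
    return keys


def diff_snapshots(before, after):
    """Return what `after` has that `before` lacked, plus changed and removed entries."""
    added_keys = sorted(set(after) - set(before))
    removed_keys = sorted(set(before) - set(after))
    added_values, changed_values = [], []
    for key in set(before) & set(after):
        for name, data in after[key].items():
            if name not in before[key]:
                added_values.append((key, name, data))
            elif before[key][name] != data:
                changed_values.append((key, name, before[key][name], data))
    return {"added_keys": added_keys, "removed_keys": removed_keys,
            "added_values": sorted(added_values), "changed_values": sorted(changed_values)}


def cleanup_plan(diff):
    """reg.exe commands that would revert additions. Changed and removed entries
    are listed for manual restoration from the 'before' export. Review before running."""
    plan = [f'reg delete "{key}" /f' for key in diff["added_keys"]]
    plan += [f'reg delete "{key}" /v "{name}" /f' for key, name, _ in diff["added_values"]]
    plan += [f'REVIEW: restore "{key}" value "{name}" to {old} (now {new})'
             for key, name, old, new in diff["changed_values"]]
    plan += [f'REVIEW: key "{key}" was removed; re-import it from the before export'
             for key in diff["removed_keys"]]
    return plan


if __name__ == "__main__":
    changes = diff_snapshots(parse_reg(BEFORE_REG), parse_reg(AFTER_REG))
    for line in cleanup_plan(changes):
        print(line)
```

Deleting what the diff reports is the easy half; a changed value such as the Agent version above has to be put back to its old data, which is why keeping the before export itself, not just the diff, matters.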

In this section we had an overview of various phases of penetration testing. An important aspect to consider throughout these phases is audit logging. It is essential that the pen-tester enable audit logging for all the tests performed during these phases. This will not only help the pen-tester in preparing a better test report but will also help to differentiate between the test traffic and any actual attack traffic that might have been triggered during the pen-test. Most of the tools used for pen-testing produce audit and debug logs. These logs can be preserved and used later during final reporting.

False Positives and False Negatives

Penetration testing involves the use of many automated vulnerability scanning tools, which generate vulnerability reports. However, these tools have their own limitations, and at times the results from these tools may be incorrect. Such cases require manual verification of whether the reported vulnerability really exists or not. Following are the two terms widely used in this regard:

• False positive: A false positive means a vulnerability has been incorrectly identified. That is, the target system is not vulnerable, but the vulnerability scanner has still reported it to be vulnerable.
• False negative: A false negative means a vulnerability exists in the target system but has not been identified by the vulnerability scanner.

Nikto tool

⬛ (04) Scanning

Once you’ve completed the footprinting phase and you’ve gathered a good amount of information about your target, it’s time to act on this information. This is the point where you try to ascertain what assets the target has and what is of value.

The scanning process is possible in part because of the wealth of information you gathered in Chapter 4, “Footprinting,” and how you are able to interpret that data. Using information found on discussion groups, through emails, at job-posting sites, and other means, you now have an idea of how to fine-tune your scan.

To successfully negotiate the scanning phase, you need a good understanding of networks, protocols, and operating systems. I recommend that if your knowledge of network and system fundamentals is shaky you go back and review Chapter 2, “System Fundamentals,” before you proceed. This chapter brings forward some of that information, but I will place our primary focus on scanning and gaining information, not on past topics.

What Is Scanning?

Scanning is a process that involves engaging and probing a target network with the intent of revealing useful information and then using that information for later phases of the pen test. Armed with a knowledge of network fundamentals, a scanner, and the results of a thorough footprinting, it is possible to get a decent picture of a target.

Nmap tool

It is not unknown for an ethical hacker to engage in the network scanning phase and emerge with a better diagram of the network environment than the client has. Why is this possible? With the rapid growth of networks, adoption of technology, large support teams, and personnel turnover, the client’s knowledge of their own network may have become obscured somewhat. In some cases the people who designed the network created the initial diagram, but after they left the company or went to new positions, the diagram was never updated as new technology was adopted. More commonly, changes are made to a network and hosts, with network diagrams being an afterthought. Therefore, the diagram becomes outdated and highly inaccurate. As an ethical hacker you should be prepared to encounter this situation as well as be ready to suggest improvements to policy and operating procedures that would prevent this from recurring. Remember that if the client doesn’t know what their own environment looks like, they have no idea what should and shouldn’t be


Types of Scans

Not all scans will be looking for the same thing or attempting to achieve the same result, so it is important that you understand what your options are going into the process. All scans share the same general theme, which is to gain information about a host or group of hosts, but if you dig a little deeper differences start to emerge. Each scan will provide a different level and type of information than the others, and thus each will provide some value to you.

To keep things simple, let’s break the types of scans into three different categories, each with its own characteristics:

Port Scan: Port scanning is the process of sending carefully crafted messages or packets to a target computer with the intent of learning more about it. These probes are typically associated with well-known port numbers or those less than or equal to 1024. Through the careful application of this technique, you can learn about the services a system offers to the network as a whole. It is even possible that during this process you can tell systems such as mail servers, domain controllers, and web servers from one another. In this book the primary tool we will use in port scanning is Fyodor’s nmap, which is considered by many to be the definitive port scanner.

More than likely when the topic of scanning is mentioned, this is the type of scan many think of. While many different scanners on the market perform the same task, nmap is far and away the most frequently used.

Network Scan: Network scanning is designed to locate all the live hosts on a network (the hosts that are running). This type of scan will identify those systems that may be attacked later or those that may be scanned a little more closely.

Scans that fit into this category are those such as ping sweeps, which rapidly scan a range of IPs and determine if an address has a powered-on host attached to it or not. Tools to perform this type of scan include nmap and Angry IP as well as others.

Vulnerability Scan: A vulnerability scan is used to identify weaknesses or vulnerabilities on a target system. This type of scan is quite commonly done as a proactive measure, with the goal of catching problems internally before an attacker is able to locate those same vulnerabilities and act on them. A typical vulnerability scan will discover hosts, access points, and open ports; analyze service response; classify threats; and generate reports.

Vulnerability scans are popular with companies because they can perform them on their own quite easily to assess their systems. Two commonly used vulnerability scanners include Tenable’s Nessus and Rapid7’s Nexpose. In addition there are specialized scanners such as Burp Suite, Nikto, and WebInspect.

What types of information can you expect to come away with as part of a penetration test? There’s no simple answer to that question, but we can make some general assumptions on what may be uncovered. During the scanning process it is possible to encounter information such as the following:

(1) Live hosts on a network
(2) Information on the open/closed ports on a host
(3) Information on the operating system(s) and the system architecture
(4) Services or processes running on hosts
(5) Types and seriousness of vulnerabilities
(6) Information about patches present on a system
(7) Presence of firewalls
(8) Addresses of routers and other devices

Looking at this list, it is easy to see why scanning is considered part of the intelligence gathering process an attacker uses to gain information about a target. Your skill, tenacity, and creativity (in some cases) will determine how successful you will be when performing a scan, so if you hit a roadblock during scanning, rethink the problem and determine your next step. Remember to refer to the information you harvested during the earlier footprinting phase for guidance.

Expect the information that is gathered during this phase to take a good amount of time to analyze, depending on how good you are at reading the resulting information. Your knowledge will help you not only to better target your initial scans but also to better determine how to decipher certain parts of the results, as you will see later.

Checking for Live Systems

To begin, let’s start looking for targets to investigate and probe. Remember that while you may have gathered information during the previous phase that described the IP or range of IPs that an organization owns or is connected to, this does not mean that each address has a host behind it. In order to proceed in any meaningful way, you need to find which IPs actually have a “pulse” and which do not.

So how do you check for live systems in a targeted environment? It turns out that there are plenty of ways to accomplish this task. However, the commonly accepted ways of accomplishing this task are these:

⬛Port scanning

Each of these techniques provides information not obtainable by the other methods, or at least they don’t offer it as easily. Once you understand the differences, you should have a much better idea of how to deploy these methods in a penetration test.
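The active reconnaissance item in the earlier chapter notes that ping sweeps and SYN scans "may raise an alarm and could be detected easily", the audit-logging paragraph asks the tester to keep test traffic separable from real attack traffic, and the scanning chapter above describes the same ping sweeps and port scans from the tester's side. The following added example (my code, not from the page or from nmap) shows the defender's view of all three: it reads firewall log lines in an invented format, flags a source that hits many ports on one host or many hosts within a short window, and labels sources on the engagement's recorded tester address list instead of silencing them, so an unrelated attack during the test still stands out. Every address and log line is constructed.

```python
"""Flag reconnaissance patterns in firewall logs and label authorised test traffic.

Added example, not code from the page or from nmap. The log format and every
address below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO time> <ALLOW|DENY> proto=<p> src=<ip> dst=<ip> [dport=<n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)(?:\s+dport=(?P<dport>\d+))?$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["dport"] = int(event["dport"]) if event["dport"] else None
    return event


def detect_recon(lines, window=timedelta(seconds=60), port_threshold=10,
                 host_threshold=8, tester_ips=frozenset()):
    """Return alerts for port scans (many ports on one host) and host sweeps
    (many hosts from one source) seen within `window`.

    Sources in `tester_ips` (the pen-tester's addresses from the engagement's
    audit log) are labelled "authorized-test" rather than suppressed.
    """
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)

    candidates = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        label = "authorized-test" if src in tester_ips else "unknown"
        for i, anchor in enumerate(events):        # slide a window over each source
            ports = defaultdict(set)                # dst -> distinct ports in window
            hosts = set()
            for event in events[i:]:
                if event["ts"] - anchor["ts"] > window:
                    break
                hosts.add(event["dst"])
                if event["dport"] is not None:
                    ports[event["dst"]].add(event["dport"])
            for dst, seen in ports.items():
                if len(seen) >= port_threshold:
                    candidates.append({"type": "port-scan", "src": src, "dst": dst,
                                       "count": len(seen), "label": label})
            if len(hosts) >= host_threshold:
                candidates.append({"type": "host-sweep", "src": src, "dst": None,
                                   "count": len(hosts), "label": label})

    # Overlapping windows fire repeatedly; keep the strongest alert per (type, src, dst).
    best = {}
    for alert in candidates:
        key = (alert["type"], alert["src"], alert["dst"])
        if key not in best or alert["count"] > best[key]["count"]:
            best[key] = alert
    return sorted(best.values(), key=lambda a: (a["src"], a["type"]))


def _sample_log():
    """Constructed lines: a port scan from an unknown host, a ping sweep from the
    tester's box, and two ordinary web connections that must not alert."""
    lines = [f"2024-06-03T10:00:{i:02d}Z DENY proto=tcp src=203.0.113.5 dst=10.0.0.12 dport={20 + i}"
             for i in range(12)]
    lines += [f"2024-06-03T10:05:{i:02d}Z ALLOW proto=icmp src=198.51.100.9 dst=10.0.0.{i}"
              for i in range(1, 11)]
    lines += ["2024-06-03T10:07:00Z ALLOW proto=tcp src=10.0.0.50 dst=10.0.0.12 dport=443",
              "2024-06-03T10:07:30Z ALLOW proto=tcp src=10.0.0.50 dst=10.0.0.12 dport=80"]
    return lines


SAMPLE_LOG = _sample_log()
TESTER_IPS = frozenset({"198.51.100.9"})   # constructed: the engagement's scan box

if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG, tester_ips=TESTER_IPS):
        print(alert)
```

The thresholds are the tuning knobs: a short window with a low port count catches fast scanners and misses a slow one, which is the trade-off real IDS rules make as well. The tester list is deliberately a label and not a filter; dropping those sources would also hide anyone who spoofs or shares the tester's address.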


What Is Enumeration?

Enumeration is the process of extracting information from a target system to determine more of the configuration and environment present. In many cases it is possible to extract information such as usernames, machine names, shares, and services from a system as well as other information, depending on the OS itself.

However, unlike with previous phases, you will be initiating active connections to a system in an effort to gather a wide range of information. With this in mind, you need to view enumeration as a phase that comes with much greater chances of getting caught. Take extra effort to be precise lest you risk detection. Think carefully about each of the actions you take, and think several steps ahead in order to anticipate results and how to respond.

So why initiate active connections to a target? Simply put, it is the only way to learn additional information on top of what we gathered so far through footprinting and scanning. Through these active connections we can now execute directed queries at a host, which will extract much additional information. Having retrieved sufficient information, we can better assess the strengths and weaknesses of the system.

Information gathered during this phase generally falls into the following types:

• Network resources and shares
• Users and groups
• Routing tables
• Auditing and service settings
• Machine names
• Applications and banners
• SNMP and DNS details

In previous chapters you were not too concerned with the legal issues. However, at this point you need to understand that you may be crossing legal boundaries. But if you have done your due diligence with your client, you won’t have any problems because you have permission to perform these actions against the

You did get permission, right?

So what options are available to an attacker performing enumeration? Let’s look at the techniques you will be using in this chapter:

Extracting Information from Email IDs: This technique is used to obtain username and domain name information from an email address or ID. An email address contains two parts: the first part before the @ is the username and what comes after the @ is the domain name.

Obtaining Information through Default Passwords: Every device has default settings in place, and default passwords are part of this group. It is not uncommon to find default settings either partially or wholly left in place, meaning that an attacker can easily gain access to the system and extract information as needed.

Using Brute-Force Attacks on Directory Services: A directory service is a database that contains information used to administer the network. As such, it is a big target for an attacker looking to gain extensive information about an environment. Many directories are vulnerable to input verification deficiencies as well as other holes that may be exploited for the purpose of discovering and compromising user accounts.

Exploiting SNMP: The Simple Network Management Protocol (SNMP) can be exploited by an attacker who can guess the strings and use them to extract usernames.

Exploiting SMTP: The Simple Mail Transport Protocol (SMTP) can be exploited by an attacker who can connect to and extract information about usernames through an SMTP

Working with DNS Zone Transfers: A zone transfer in DNS is a normal occurrence, but when this information falls into the wrong hands, the effect can be devastating. A zone transfer is designed to update DNS servers with the correct information; however, the zone contains information that could map out the network, providing valuable data about the structure of the environment.
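To make concrete what "the zone contains information that could map out the network" means, here is an added example (my code, not from the page) that parses a constructed AXFR-style zone listing and reports the host map it yields: it counts records by type, builds the hostname-to-address inventory, and flags A records that point into RFC 1918 space, since those reveal internal structure in a zone that external clients can never reach anyway. The zone, names and addresses are placeholders.

```python
"""Audit what a DNS zone transfer would reveal about a network.

Added example (not from the page). The zone below is constructed; the names
and addresses are documentation placeholders.
"""
import ipaddress
from collections import defaultdict

# Constructed: the kind of listing a zone transfer (dig ... AXFR) prints.
SAMPLE_ZONE = """\
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024060301 7200 900 1209600 300
example.com.            3600 IN NS    ns1.example.com.
example.com.            3600 IN MX    10 mail.example.com.
ns1.example.com.        3600 IN A     203.0.113.2
mail.example.com.       3600 IN A     203.0.113.25
www.example.com.        3600 IN A     203.0.113.80
vpn.example.com.        3600 IN A     203.0.113.90
intranet.example.com.   3600 IN A     10.10.5.20
backup-db.example.com.  3600 IN A     192.168.40.11
dev.example.com.        3600 IN CNAME www.example.com.
"""

# RFC 1918 ranges checked explicitly: ipaddress.is_private would also flag the
# documentation ranges (203.0.113.0/24 and friends) used for the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Parse 'owner ttl class type rdata...' lines into record dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        owner, ttl, _cls, rtype, *rdata = parts
        records.append({"owner": owner, "ttl": int(ttl), "type": rtype, "rdata": " ".join(rdata)})
    return records


def is_rfc1918(address):
    """True for addresses in the private-use ranges of RFC 1918."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def host_inventory(records):
    """Map each hostname to its A-record addresses: the network map the zone hands out."""
    hosts = defaultdict(list)
    for rec in records:
        if rec["type"] == "A":
            hosts[rec["owner"]].append(rec["rdata"])
    return dict(hosts)


def leaked_internal_hosts(records):
    """A records pointing at RFC 1918 space; in a public zone they expose
    internal structure while being unreachable for legitimate external clients."""
    return sorted((rec["owner"], rec["rdata"]) for rec in records
                  if rec["type"] == "A" and is_rfc1918(rec["rdata"]))


def record_summary(records):
    """Count records per type, a quick size-of-exposure figure for a report."""
    summary = defaultdict(int)
    for rec in records:
        summary[rec["type"]] += 1
    return dict(summary)


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print("records by type:", record_summary(recs))
    print("hosts:", host_inventory(recs))
    print("internal addresses exposed:", leaked_internal_hosts(recs))
```

The fix on the server side is to answer AXFR only for the zone's own secondaries (in BIND that is the allow-transfer option) and to keep names like the two flagged here in an internal-only view; the list this script prints is what a reviewer would attach to that request.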

Capturing User Groups: This technique involves extracting user accounts from specified groups, storing the results, and determining whether the session accounts are in the group.

Retrieving System Policy Settings: In enterprise environments and others, there are frequently policy settings or something similar in place that determine how security and other things are handled. The enumeration phase can sometimes obtain these settings, allowing you to get more insight into your target.

About Windows Enumeration

The Microsoft Windows operating system is designed to be used as either a stand-alone or networked environment; however, for this discussion you will assume a networked setup only. In the Windows world, securing access to resources, objects, and other components is handled through many mechanisms, with some common threads as covered here.

You need to know how access to resources such as file shares and other items is managed. Windows uses a model that can be best summed up as defining who gets access to what resources. For example, a user gets access to a file share or printer.

In any operating system, the item that is most responsible for controlling access to the system is the user. In Windows, the user account manages access as necessary. User accounts are used in Windows for everything from accessing file shares to running services that allow software components to execute with the proper privileges and access.

In the Windows OS the default installation has two user accounts that are present and ready to be used by the owner of the system: the administrator account and the guest account. Let’s talk about these two accounts for a moment because they have taken on some new importance and seen changes over the last few releases. In fact, the accounts have experienced some changes since the introduction of Windows Vista up to the current version, which is Windows 10.

Guest: This account has been present in the Windows operating system for a considerable amount of time but has not experienced substantial change itself. Essentially this account is meant to be extremely limited in capability and power and is not enabled by default; it must be enabled to be used (which in practice is very rarely done). In practice, the guest account is just left disabled and that’s the end of it.

Administrator: The administrator account has seen numerous changes from Windows Vista forward. Since the release of Vista the account is present on every version of the Windows OS; it is also not active by default. However, the question is why is this account not activated by default? Simply put, it is to enhance the level of security present on the

Prior to Windows Vista, the administrator account was not only present on every system; it was also always enabled. Many people got in the habit of using this account because it let them do whatever they wanted without restriction. However, this was bad because not only could the user consciously do whatever they wanted to without restriction, but other processes and applications such as malware could run in the background with the same level of system permissions as the current session (for example, admin privileges).

To counter this in Vista forward, the account has been disabled, and you are now prompted to create your own account when you install the OS from scratch. While that account can have administrator privileges, you must use them only in specific situations that require them. In Windows, this means that unless you try to execute a function that requires elevated administrator privileges, you won’t be using them even if you have the ability to be an admin. But when you want to access a function or feature that requires these elevated privileges, you will be asked if you want to run the command, and if so, you will be allowed to do so. What Windows is actually doing is raising the privileges for that single process and leaving everything else running on your account with normal privileges. Yes, this means you are running as a standard user if you are an administrator, and you will only be able to run administrator privileges on a case-by-case basis.

Windows does have some built-in accounts that aren’t meant to be used by a user

directly, if at all. These accounts are designed to run background processes and other

activities as necessary.

Processes in Windows can be run under one of the following user contexts:

Local Service A built-in account with minimal privileges on the local system; it presents anonymous credentials on the network, so it has only limited access to network resources.

Network Service A built-in account with minimal privileges on the local system that authenticates on the network as the computer account, so it has normal access to network resources.

System (LocalSystem) A super-user-style account that has nearly unlimited access to the local system.

Current User The currently logged-in user, who can run applications and tasks but is still subject to the restrictions placed on that account. With User Account Control these restrictions remain in force even if the account is an administrator, until a specific process is elevated.

Each of these user accounts is used for specific reasons. In a typical Windows session, each is running different processes behind the scenes to keep the system performing. In fact, in Windows each account can be running one or more services at any one time, though in many cases it is a one-to-one relationship.

What all of these user accounts have in common is structure and design. Each user object contains information about the user of the account, the access level, the groups they are a member of, privileges, and other important information such as the unique identity, which prevents conflicts.


Groups are used by operating systems such as Windows and Linux to control access to

resources as well as to simplify management. Groups are effective administration tools

that enable management of multiple users. A group can contain a large number of users

that can then be managed as a unit, not to mention the fact that a group can even have

other groups nested within it if it simplifies management. This approach allows you to

assign access to a resource such as a shared folder to a group instead of each user

individually, saving substantial time and effort. You can configure your own groups as

you see fit on your network and systems, but most vendors such as Microsoft include a

number of predefined groups that you can use or modify as needed. There are several

default groups in Windows:

Anonymous Logon Designed to allow anonymous access to resources; typically used

when accessing a web server or web applications.

Batch Used to allow batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files.

Creator Group Windows 2000 uses this group to automatically grant access

permissions to users who are members of the same group(s) as the creator of a file or a


Creator Owner The person who created the file or directory is a member of this group.

Windows 2000 and later uses this group to automatically grant access permissions to the

creator of a file or directory.

Everyone All interactive, network, dial-up, and authenticated users are members of this

group. This group is used to give wide access to a system resource.

Interactive Any user logged on to the local system has the Interactive identity, which

allows only local users to access a resource.

Network Any user accessing the system through a network has the Network identity,

which allows only remote users to access a resource.

Restricted Users and computers with restricted capabilities have the Restricted identity.

On a member server or workstation, a local user who is a member of the Users group

(rather than the Power Users group) has this identity.

Self Refers to the object and allows the object to modify itself.

Service Any service accessing the system has the Service identity, which grants access to

processes being run by Windows 2000 and later services.

System Windows 2000 and later operating systems have the System identity, which is

used when the operating system needs to perform a system-level function.

Terminal Server User Allows Terminal Server users to access Terminal Server

applications and to perform other necessary tasks with Terminal Services.

Note that depending on the environment, the software and hardware

installed, and the policies dictating the configuration of systems, you may have way

more groups with different names than are listed here.

Security Identifiers

Well congrats on making it this far, but now we have to talk about the real “meat” behind

users and groups, which is a security identifier (SID). Simply put, the SID is a number

assigned by the OS to uniquely identify a specific object such as a user, group, or even a


When an object is created, the system generates and assigns the SID, notes it, and assures

that it is never used again.

Why Even Bother Using an SID?

While everyday users and maintainers of a system can get away with using common names, for Windows internally this will not work. If Windows referred to a common name the way humans do instead of using an SID, then everything associated with that name would become void or inaccessible if the name were changed in any way.

Rather than allow this situation to occur, the user account is instead tied to an

unchangeable string (the SID), which allows the username to change without affecting

any of the user’s settings. This means that a username can change, but the SID (while

linked to the username) will not. In fact, you can’t change the SID that’s associated with

an account without having to manually update all of the security settings that were

associated with that user to rebuild its identity.

Decoding SID Numbers

A SID is written as S-<revision>-<identifier authority>-<subauthorities>. Account and group SIDs issued by a local machine or by a domain start with S-1-5-21, followed by three numbers that uniquely identify that machine or domain, and end with a relative identifier (RID) for the object; well-known SIDs such as S-1-5-18 use other prefixes. You, the penetration tester, can choose to decode the whole SID to determine in-depth information about a user or group, but let's look specifically at user accounts.

The two main accounts (guest and administrator) have some unique properties. Specifically, their SIDs end in RID 500 for the administrator and 501 for the guest. This holds true on every Windows system and in every domain, and the RID does not change when the account is renamed, so a renamed built-in administrator is still recognisable. So if you see accounts ending in these numbers, you have hit pay dirt.

You’ll also find SIDs on every installation of Windows that correspond to certain built-in


For example, the S-1-5-18 SID can be found in any copy of Windows you come across and

corresponds to the LocalSystem account, the system account that’s loaded by Windows

before a user logs on.

The following are a few examples of the string values for groups and special users that are

universal across all Windows installs:

S-1-0-0 (Null SID)—This is assigned when the SID value is unknown or for a group

without any members.

S-1-1-0 (World)—This is a group consisting of every user.

S-1-2-0 (Local)—This SID is assigned to users who log on to a local terminal.

Even though you use a username to access the system, Windows identifies each user,

group, or object by the SID. For example, Windows uses the SID to look up a user account

and see whether a password matches. Also, SIDs are used in every situation in which

permissions need to be checked—for example, when a user attempts to access a folder or

shared resource. Note that SIDs are never reused.
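Here is an added example, not code from the original page, that puts the decoding described above into practice: a Python parser that splits a SID into its revision, identifier authority and subauthorities, separates the machine/domain part from the RID, and names the well-known SIDs and RIDs (500, 501 and the common domain groups). The well-known constants are Microsoft's documented values; the domain identifier used in the demo SIDs is invented.

```python
"""Decode Windows security identifiers (SIDs) from their string form.

Added example for this section (not code from the original page). It parses
S-<revision>-<identifier authority>-<subauthority>..., separates the
machine/domain identifier (S-1-5-21-x-y-z) from the relative identifier (RID),
and names well-known SIDs and RIDs. The constants are Microsoft's documented
values; the SIDs used in demo() are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Tuple

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")

# Well-known SIDs that are identical on every Windows installation.
WELL_KNOWN_SIDS = {
    "S-1-0-0": "Null SID",
    "S-1-1-0": "Everyone (World)",
    "S-1-2-0": "Local",
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}

# Well-known RIDs under a machine or domain SID (S-1-5-21-...).
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in, even if renamed)",
    501: "Guest (built-in, even if renamed)",
    502: "krbtgt (domain only)",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    519: "Enterprise Admins",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        tail = "".join(f"-{s}" for s in self.subauthorities)
        return f"S-{self.revision}-{self.authority}{tail}"

    @property
    def is_account_sid(self) -> bool:
        """True for SIDs issued by a local SAM or a domain: S-1-5-21-x-y-z-RID."""
        s = self.subauthorities
        return self.authority == 5 and len(s) == 5 and s[0] == 21

    @property
    def domain_sid(self) -> str:
        """The S-1-5-21-x-y-z part that identifies the issuing machine or domain."""
        if not self.is_account_sid:
            raise ValueError(f"{self} is not a machine/domain account SID")
        return "S-1-5-" + "-".join(str(s) for s in self.subauthorities[:4])

    @property
    def rid(self) -> int:
        """The relative identifier: the last subauthority."""
        if not self.subauthorities:
            raise ValueError(f"{self} has no RID")
        return self.subauthorities[-1]

    def describe(self) -> str:
        text = str(self)
        if text in WELL_KNOWN_SIDS:
            return WELL_KNOWN_SIDS[text]
        if self.is_account_sid:
            if self.rid in WELL_KNOWN_RIDS:
                return f"{WELL_KNOWN_RIDS[self.rid]} of {self.domain_sid}"
            if self.rid >= 1000:
                # RIDs below 1000 are reserved; user-created objects start at 1000.
                return f"user-created account or group (RID {self.rid}) of {self.domain_sid}"
            return f"reserved/built-in RID {self.rid} of {self.domain_sid}"
        return "unrecognised SID"


def parse_sid(text: str) -> Sid:
    """Parse a textual SID; raises ValueError for anything that is not revision-1 SID syntax."""
    m = SID_RE.match(text.strip())
    if not m or int(m.group(1)) != 1:
        raise ValueError(f"not a valid SID: {text!r}")
    subs = tuple(int(p) for p in m.group(3).split("-")[1:]) if m.group(3) else ()
    return Sid(1, int(m.group(2)), subs)


def demo() -> None:
    # Constructed sample SIDs: the domain identifier below is invented.
    for s in ("S-1-5-18",
              "S-1-5-21-1004336348-1177238915-682003330-500",
              "S-1-5-21-1004336348-1177238915-682003330-1001"):
        print(f"{s:50} {parse_sid(s).describe()}")


if __name__ == "__main__":
    demo()
```

The useful check during enumeration is the RID, not the account name: feed every SID you collect (from tools such as user2sid/sid2user or an LDAP dump) through parse_sid and look for RID 500 and for RIDs below 1000 that have been given unusual names.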

So Where Does All of This Get Stored?

Obviously, user and group information is very important and we need a place to store and

keep track of all of it; in Windows, this is the Security Accounts Manager (SAM). Simply

put, the SAM is a database on the local host that contains the usernames and passwords

of those who have accounts on that specific system. The SAM is wrapped up in and part of

the Windows Registry for each system.

Within the SAM, each user account is assigned certain pieces of information. The password associated with an account is not stored in the clear but as a hash: historically a LAN Manager (LM) hash and an NT hash (the hash used by NTLM authentication). When the user logs on, Windows hashes the password that was typed and compares it with the stored hash, which allows the computer to determine if the password is correct or incorrect and needs to be reentered.

Before I get called out on the inclusion of the LM hash as one of the formats in which passwords are stored, let me clarify. From Windows Vista and Server 2008 forward, Windows no longer stores the LM hash by default (the NoLMHash policy) for security reasons; Windows XP still stored it unless that policy was set manually. In the majority of situations, it should be kept this way because few applications need this support, but it is possible to activate it if needed. Activation should only ever be undertaken after carefully reviewing the current need versus security vulnerabilities (more on this part later in this chapter).

Complete Path

The SAM file is located on each Windows host at %SystemRoot%\System32\config\SAM (normally C:\Windows\System32\config\SAM) and is held open by the operating system while Windows is running. However, only in extreme circumstances such as a corrupted Windows installation or a similar situation should you even consider tampering with this file. Removing, altering, or messing with this file in any way could easily cause the OS to become unbootable.

Windows Version Support

For all intents and purposes, the SAM file is alive and well in all versions of Windows except those that are 15 years old or older. In versions that support the SAM, the database is loaded into the registry and serviced in the background by the Local Security Authority process (lsass.exe); to the user it is out of sight and out of mind.

Take note that the SAM is a local system feature and is not meant for

networks outside of very small workgroups. For larger networks we have Microsoft’s

Active Directory or OpenLDAP as well as others.

Linux Basics

The Linux and Windows operating systems do have a good number of things in common,

and one of them is the need for users and groups. Since you will encounter Linux

systems, we need to look at them as well.


Much like Windows users, Linux users must have a user account to log in to and gain

access to a system. User accounts contain all the properties that will allow a user to access

all the resources, files, and folders on a computer. Much like Windows, the information

associated with a user account can be stored either on the local host or on a network.

A typical account used to log in to a Linux computer consists of the following


Username and user ID (UID)


Primary group name and group ID (GID)

Secondary group names and group IDs

Location of the home directory

Preferred shell

Whenever a user account is created, Linux records the user login information and stores the values in the /etc/passwd file on the host itself. The passwd file is world-readable, so it can be viewed with any text editor (which is also why it is one of the first files an attacker reads); edits should be made with vipw, which locks the file while you change it.

Each user account has an entry recorded in the following format:

username:password:UID:GID:name:home directory:shell

Let’s take a look at what makes up the information for each entry in the passwd file:

The username and user ID identify the user on the system. When a user account is created, it is given a name and assigned a UID from a predetermined range of numbers. The UID is a non-negative number; UID 0 is root, and any other account with UID 0 is effectively root as well. Regular user accounts usually start at 1000 on current distributions (500 on older ones), and system accounts use the numbers below that range.

Each user account has its own password, which is stored as a salted hash (not as reversible encryption) on the computer itself or on another computer on the network. Local password hashes are stored in the /etc/passwd file or, on any modern system, in the /etc/shadow file. When the user logs in by entering a username and password, Linux hashes the entered password with the same salt and compares the result to the value stored for the account. If the two match, the user is granted access.

Administrators often use the /etc/passwd file to hold user account information but

store the encrypted password in the /etc/shadow file, which is readable only by root.

When this method is used, the passwd file entry has an x in the password field.

Groups are used to administer and organize user accounts. When rights and

permissions are assigned to a group, all user accounts that are part of the group

receive the same rights and permissions. The group has a unique name and

identification number (GID). The primary GID and group name are stored as entries

in the /etc/passwd file on the computer itself.

Each user has a designated primary (or default) group and can also belong to additional groups called secondary groups. When users create files or launch programs, those files and programs are associated with one group as the owner. A user can access files and programs if they are a member of the group with permissions to allow access. The group can be the user's primary group or any of their secondary groups.

Although not strictly part of the user account, secondary groups are also a part of the user login experience. Groups and GIDs are used to manage rights and permissions to other files and folders. Secondary groups for each user are listed as entries in /etc/group on the computer itself.
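The passwd and shadow formats described above, as an added example (not code from the original page): a small audit script that parses both files and flags the conditions an enumerator looks for first: a second UID 0 account, a password hash left in the world-readable passwd file, a shadowed account whose password field is empty, and duplicate UIDs. The sample file contents are constructed for the demo and the hashes in them are placeholders, not real password hashes.

```python
"""Audit /etc/passwd and /etc/shadow entries for weak or suspicious accounts.

Added example for this section (not code from the original page). It parses
the seven-field passwd format and the shadow file described above and flags:
extra UID-0 accounts, password hashes left in the world-readable passwd file,
shadowed accounts with an empty password field, and duplicate UIDs. The file
contents in SAMPLE_PASSWD / SAMPLE_SHADOW are constructed for the demo; the
hashes in them are placeholders, not real password hashes.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Shells that deny interactive login; an empty password on such an account is less urgent.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    name: str
    password: str   # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """username:password:UID:GID:name:home directory:shell, one entry per line."""
    entries: Dict[str, PasswdEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[f[0]] = PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])
    return entries


def parse_shadow(text: str) -> Dict[str, str]:
    """Return username -> password field of /etc/shadow (the second of its nine fields)."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) < 2:
            raise ValueError(f"malformed shadow line: {line!r}")
        hashes[f[0]] = f[1]
    return hashes


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (finding code, subject) pairs; an empty list means nothing was flagged."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings: List[Tuple[str, str]] = []
    for name, u in users.items():
        interactive = u.shell not in NOLOGIN_SHELLS
        if u.uid == 0 and name != "root":
            findings.append(("UID0_NOT_ROOT", name))
        if u.password == "":
            # Empty field in passwd: no password needed to log in.
            findings.append(("EMPTY_PASSWORD_IN_PASSWD", name))
        elif u.password not in ("x", "*", "!"):
            # Anything else is a hash sitting in a world-readable file: crackable offline.
            findings.append(("HASH_IN_PASSWD", name))
        elif u.password == "x" and name not in shadow:
            findings.append(("NO_SHADOW_ENTRY", name))
        elif u.password == "x" and shadow[name] == "" and interactive:
            # Empty shadow field: login succeeds with no password at all.
            findings.append(("EMPTY_SHADOW_PASSWORD", name))
    by_uid: Dict[int, List[str]] = {}
    for name, u in users.items():
        by_uid.setdefault(u.uid, []).append(name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(("DUPLICATE_UID", ",".join(sorted(names))))
    return findings


# Constructed sample files. "$6$placeholder$notarealhash" stands in for a real SHA-512 crypt hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$6$placeholder$notarealhash:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
svc:x:1002:1002:Service account:/var/lib/svc:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$placeholder$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$placeholder$notarealhash:19000:0:99999:7:::
toor:$6$placeholder$notarealhash:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for code, subject in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{code:26} {subject}")
```

On a real host you would read /etc/passwd as any user and /etc/shadow only as root; running audit over files pulled from a compromised box (or from a backup that was left world-readable) is the same check.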

Services and Ports of Interest

As we wade deeper into the enumeration phase, let’s make sure you understand some

more details about ports. You already have encountered ports in both Chapter 2, “System

Fundamentals,” and Chapter 5, “Scanning,” but let’s fill in some more details that you’ll

find handy.

You should expect during your scanning phase to uncover a number of ports, some of

which may be useful to you for enumeration and others less so. Here are several that you

should pay close attention to:

TCP 21—FTP Port 21 is used for the File Transfer Protocol, which is used to transfer files

from client to server or vice versa. The protocol is supported by all major operating

systems in use today.

TCP 23—Telnet Telnet is a long-standing protocol and software used to remotely

connect to systems and run processes on the target systems. Telnet is available on many

systems and devices, but has seen decreased usage over the years because of a lack of

security features; for example, passwords are sent in the clear.

TCP 25—SMTP This port is used specifically for Simple Mail Transport Protocol, which

is used to send messages (usually email) from client to server and from server to server.

TCP 53—DNS This port is used for DNS zone transfers, the mechanism through which

the DNS system keeps servers up to date with the latest zone data.

UDP 53—DNS Pay attention to the fact that we are talking about port 53 UDP and not

TCP. The UDP port is used for name queries about name-to-IP and IP-to-name mappings.

TCP 80—HTTP Hypertext Transport Protocol is a common protocol used in all web

browsers and many web applications.

TCP 135—RPC This port is used during client-server communications, such as allowing Microsoft Outlook to communicate with Microsoft Exchange. Specifically, this port is used by the Remote Procedure Call endpoint mapper service in Windows, which tells clients on which dynamic port each RPC service is listening.

UDP 137—NetBIOS This port is associated with the NetBIOS Name Service (NBNS), a mechanism designed to provide name resolution services involving the NetBIOS protocol. The service allows NetBIOS to associate names and IP addresses of individual systems and services. Note that NBNS runs over UDP, not TCP, so a TCP-only scan will miss it. It is important to note that this service is a natural and easy target for many

TCP 139—NetBIOS NetBIOS Session Service, also known as SMB over NetBIOS, lets

you manage connections between NetBIOS-enabled clients and applications and is

associated with port TCP 139. The service is used by NetBIOS to establish connections

and tear them down when they are no longer needed.

TCP 445—SMB over TCP SMB over TCP, or Direct Host, is a service designed to

improve network access and bypass NetBIOS use. This service is available only in

versions of Windows starting at Windows 2000 and later. SMB over TCP is closely

associated with TCP 445.

UDP 161 and 162—SNMP SNMP is a protocol used to manage and monitor network devices and hosts. The protocol is designed to facilitate messaging, monitoring, auditing, and other capabilities. SNMP works on two UDP ports: the agent on each managed device listens for requests on 161, and the management station receives traps (unsolicited alerts sent by agents) on 162.

TCP/UDP 389—LDAP Lightweight Directory Access Protocol (LDAP) is used by many

applications; two of the most common are Active Directory and Exchange. The protocol is

used to exchange information between two parties. If the TCP/UDP 389 port is open, it

indicates that one of these or a similar product may be present.

TCP 3268—Global Catalog Service The Global Catalog Service is associated with Microsoft's Active Directory and runs on TCP port 3268 (3269 for the SSL/TLS variant) on Windows 2000 domain controllers and later. The service is used to locate information within Active Directory; finding this port open tells you the host is a domain controller.

I can’t stress this enough: You must know your ports for the exam as well

as in the field. Fortunately, for the exam there are only a handful of ports that you

must remember (including their TCP/UDP status). In the field you will frequently be

presented with port numbers that aren’t mentioned on the CEH, and in those cases

you must be prepared by having a list of ports printed out or in a document on your

computer or smartphone. Just because CEH doesn’t test on a topic doesn’t mean you

won’t run into it.

Remember, getting certified is one thing, but you must also have practical


Commonly Exploited Services

The Windows OS is popular with both users and attackers for various reasons, but for

now let’s focus on attackers and what they exploit.

Windows has long been known for running a number of services by default, each of which

opens up a can of worms for a defender and a target of opportunity for an attacker. Each

service on a system is designed to provide extra features and capabilities to the system

such as file sharing, name resolution, and network management, among others. Windows

can have 30 or so services running by default, not including the ones that individual

applications may install.

One step in gaining a foothold in a Windows system is exploiting the NetBIOS API. The service was originally intended to assist in the access to resources on a local area network only. The service was designed to use 16-byte names, with the first 15 characters identifying the machine and the last byte (the suffix) representing a service or item on the machine itself. NetBIOS has proven to be a blessing to some and a curse to others. Let's look at why.

NetBIOS was developed by Sytek and IBM many years ago for the LANs

that were available at the time. Due to the design of the protocol and the evolution of

networks, the service is no longer preferred.

An attacker who is using certain tools and techniques (more on this in a moment) can

extract quite a bit of information from NetBIOS. Using scanning techniques, an attacker

can sweep a system, find port 139 open, and know that this port is commonly associated

with NetBIOS. Once the port has been identified, they can attempt to view or access

information such as file shares, printer sharing, usernames, group information, or other

goodies that may prove helpful.

One of the many tools that can be used to work with NetBIOS is a command-line utility

called nbtstat. This utility can display information, including name tables and protocol

statistics, for local or remote systems. Included with every version of the Windows

operating system, nbtstat can assist in network troubleshooting and maintenance. It is

specifically designed to troubleshoot name-resolution issues that are a result of the

NetBIOS service. During normal operation, a service in Windows known as NetBIOS over

TCP/IP will resolve NetBIOS names to IP addresses. nbtstat is designed to locate

problems with this service.

In addition, the utility has the ability to return names (if any) registered with the

Windows Internet Naming Service (WINS).

Tasks You Can Do with nbtstat

Run the nbtstat command as follows to return the name table on a remote system, given its NetBIOS name:

nbtstat.exe -a "netbios name of remote system"

The -A switch returns the same name table when you supply the target's IP address instead of its NetBIOS name. The command line that uses this option would look like the following if the targeted system had an IP address of

nbtstat -A

The nbtstat command can do much more than these two functions. The following is a

partial list of the options available with the nbtstat command:

-a returns the NetBIOS name table and Media Access Control (MAC) address of the

address card for the computer name specified.

-A lists the same information as -a when given the target’s IP address.

-c lists the contents of the NetBIOS name cache.

-n (Names) displays the names registered locally by NetBIOS applications such as the

server and redirector.

-r (Resolved) displays a count of all names resolved by broadcast or the WINS server.

-s (Sessions) lists the NetBIOS sessions table and converts destination IP addresses to

computer NetBIOS names.

-S (Sessions) lists the current NetBIOS sessions and their status, along with the IP


The nbtstat command is case sensitive. Note that some of the switches are uppercase and

some are lowercase, and this is how you must use them. If you fail to use the correct case

for the switch, the command may yield incorrect results or no result at all.


Using nbtstat to View Who Is Logged into a Computer

In this exercise we will use nbtstat to determine who is logged into a remote


1. At the Windows command prompt enter the command nbtstat -a followed by the name of the computer you want to examine.

2. If the port is open, the service running, and the machine available, you should see

results similar to the following. In this example we assume a machine with the

name “aperture.”

NetBIOS Remote Machine Name Table

Name Type Status







3. Examine the list and note that the name table contains a mixture of <03> records and others. The <03> suffix belongs to the messenger service, which registers one record for the machine name and one for each logged-on user. Since we know the machine name is APERTURE, it's not hard to single out the other <03> record, LCEDROS, as a username logged into the system.
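As an added example (not code from the original page), here is a parser for the nbtstat -a / -A name table that applies the rule from step 3 automatically: the <03> UNIQUE record that is not the machine name is the logged-on user. It also pulls out the workgroup, whether the file server service (<20>) is registered, and the MAC address. The sample output is constructed to match the APERTURE/LCEDROS example; the MAC address in it is invented, and the suffix meanings are the standard documented NetBIOS values.

```python
"""Parse the output of `nbtstat -a <name>` / `nbtstat -A <ip>` and pull out what
an enumerator wants: machine name, workgroup/domain, whether the file server
service is up, the logged-on user(s) and the MAC address.

Added example for this exercise (not code from the original page). The name
table in SAMPLE_OUTPUT is constructed to match the APERTURE/LCEDROS example in
the text (the MAC address is invented); the suffix meanings in SUFFIXES are the
standard documented NetBIOS values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# (suffix, type) -> meaning. The 16th byte of a NetBIOS name identifies the service.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (machine name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service (machine name or logged-on user)",
    ("20", "UNIQUE"): "File server service (SMB shares offered)",
    ("1B", "UNIQUE"): "Domain master browser (PDC emulator)",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Browser service elections",
}

ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")


@dataclass
class NameRecord:
    name: str
    suffix: str
    kind: str      # UNIQUE or GROUP
    status: str
    meaning: str


def parse_name_table(text: str) -> List[NameRecord]:
    """Turn the rows of the NetBIOS Remote Machine Name Table into records."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, kind, status = m.group(1), m.group(2).upper(), m.group(3), m.group(4)
            records.append(NameRecord(name, suffix, kind, status,
                                      SUFFIXES.get((suffix, kind), "unknown service")))
    return records


def summarize(text: str) -> Dict[str, object]:
    """Apply the enumeration rules to the name table and return the interesting facts."""
    records = parse_name_table(text)
    machine = next((r.name for r in records if r.suffix == "00" and r.kind == "UNIQUE"), None)
    workgroup = next((r.name for r in records if r.suffix == "00" and r.kind == "GROUP"), None)
    # A <03> UNIQUE record that is not the machine name is a logged-on user.
    users = [r.name for r in records
             if r.suffix == "03" and r.kind == "UNIQUE" and r.name != machine]
    mac = MAC_RE.search(text)
    return {
        "machine": machine,
        "workgroup": workgroup,
        "file_sharing": any(r.suffix == "20" and r.kind == "UNIQUE" for r in records),
        "logged_on_users": users,
        "domain_controller": any(r.suffix == "1C" for r in records),
        "mac": mac.group(1) if mac else None,
    }


# Constructed sample of nbtstat -a output for the APERTURE example.
SAMPLE_OUTPUT = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    APERTURE       <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    APERTURE       <20>  UNIQUE      Registered
    APERTURE       <03>  UNIQUE      Registered
    LCEDROS        <03>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-0C-29-4B-7A-1F
"""

if __name__ == "__main__":
    for r in parse_name_table(SAMPLE_OUTPUT):
        print(f"{r.name:15} <{r.suffix}> {r.kind:6} {r.meaning}")
    print(summarize(SAMPLE_OUTPUT))
```

One caveat when you try this against current hosts: the Messenger service that registers the user's <03> name was removed in Windows Vista, so on modern systems you will usually see only the machine's <00> and <20> records plus the group names and no user record. The machine name, workgroup/domain and file-sharing indicators are still worth extracting, and the parser handles a table with no <03> user record by returning an empty list.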

Vulnerability Assessment (from "3 Types Of Cybersecurity Assessments", Threat Sketch)

A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures, and providing the organization doing the assessment with the necessary knowledge, awareness and risk background to understand the threats to its ...

Vulnerability Assessment and Penetration Testing (VAPT) are two types of vulnerability testing. ... Penetration tests attempt to exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible and identify which flaws pose a threat to the application.
Created by Jit Banerjee