
CEH Skill Check - Part I

Scenario

You have been hired as a part of the Red Team at CEHORG, an IT and ITES organization that deals with advanced research and development in the field of information security. It has offices all over the country connected in real-time by its network infrastructure.

Your organization is worried about rising cybersecurity incidents and has entrusted you with a comprehensive security audit of the complete infrastructure.

CEHORG’s internal network consists of several subnets housing various organizational units like any large organization. The front office is connected to a separate subnet that connects to the company’s public-facing computers. The company has installed multiple kiosks to help customers understand their products and services. The front office also has Wi-Fi connectivity to cater to the users who carry their smartphones and laptops.

The CEHORG’s internal network is made up of Militarized and Demilitarized zones. As a security precaution, and by design, all the internal resource zones are configured with different subnet IPs. The militarized zone houses the application servers that provide application frameworks for various departments. The Demilitarized Zone contains public-facing systems of the organization, such as web and mail servers. The headquarter’s network topology and protocols are replicated worldwide in all its satellite offices for easy communication with the headquarters.

Description

CEHv12 Skill Check is divided into four parts. All four parts represent a single target organization as described in the scenario. The objective of these skill checks is to apply learning from CEH (Certified Ethical Hacker) modules in a real-life scenario to solve challenges you will face in red team assignments in your job roles. The skill check will help you practice the skills acquired in the class and convert them into proficiency.

Part 1 of CEH Skill Check covers Footprinting and Reconnaissance, Scanning Networks, Enumeration, and Vulnerability Analysis modules. In this part, you are required to perform passive and active reconnaissance of the target organization, enumerating services, shares, users, user groups, etc., and perform vulnerability analysis of the identified systems/networks on the target. You need to note all the information discovered in this part of the Skill Check and proceed to the subsequent phases of the ethical hacking cycle in the next part of the Skill Check.

On the cyber range, you will have access to Ethical Hacker Workstations, EH Workstation – 1 and EH Workstation – 2. EH Workstation – 1 is a Parrot Security machine and EH Workstation – 2 is a Windows 11 machine. You can switch to these machines from the Resources tab.

The credentials to access EH Workstation – 1 (Parrot Security) machine are as below:

Username: attacker Password: toor

The credentials to access EH Workstation – 2 (Windows 11) are as below:

Username: Admin Password: Pa$$w0rd

The credentials to access OpenVAS on EH Workstation – 1 (Parrot Security) machine are as below:

Username: admin Password: password

Note: You can use username.txt and password.txt available on the Desktop of the EH Workstation – 1 (Parrot Security) machine for any credentials/password cracking attempt.

Challenge 1:

You are performing reconnaissance for CEHORG and have been assigned a task to find out the physical location of one of their webservers hosting www.certifiedhacker.com. What are the GEO Coordinates of the webserver? Note: Provide answer as Latitude, Longitude. (Format: NN.NNN, *NN.NNN)

Use `nslookup` to resolve the domain name to its IP address, then enter that IP on this website to get the answer.


Challenge 2:

Identify if the website www.certifiedhacker.com allows DNS zone transfer. (Yes/No) (Format: Aa)

Although the question already gives away the answer, I still tested the DNS zone transfer in practice; the result was Transfer failed.


Challenge 3:

Identify the number of live machines in 172.16.0.0/24 subnet. (Format: N)

`nmap -sn 172.16.0.0/24` identifies the live machines.
The first one is the gateway, so the answer is 3.
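The host count above can be taken from nmap's grepable output instead of being read off a screenshot. The script below is an added example, not part of the original write-up: it parses constructed `nmap -sn -oG` output (the IPs in it are invented) and, as the note above does, treats the first address as the gateway and leaves it out of the count.

```shell
#!/bin/sh
# Added example (not from the original write-up): count hosts that an
# "nmap -sn" ping sweep reports as Up, working from nmap's grepable output
# (-oG), and optionally leave out the gateway the way the write-up does.
# The scan output below is CONSTRUCTED sample data, not a lab capture.

SAMPLE_SN_OUTPUT='# Nmap 7.94 scan initiated Wed Aug 14 14:30:00 2024 as: nmap -sn -oG - 172.16.0.0/24
Host: 172.16.0.1 ()   Status: Up
Host: 172.16.0.10 ()  Status: Up
Host: 172.16.0.11 ()  Status: Up
Host: 172.16.0.12 ()  Status: Up
# Nmap done at Wed Aug 14 14:30:05 2024 -- 256 IP addresses (4 hosts up) scanned in 5.12 seconds'

# live_hosts OUTPUT: print one IP per line for every "Host:" line marked Up.
# Comment lines (starting with #) and Down hosts are ignored.
live_hosts() {
    printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# count_live_hosts OUTPUT [GATEWAY]: number of live hosts, minus GATEWAY if given.
count_live_hosts() {
    live_hosts "$1" | awk -v gw="$2" '$1 != gw { n++ } END { print n + 0 }'
}

# Stand-alone run: list every live host, then the count with the .1 gateway removed.
live_hosts "$SAMPLE_SN_OUTPUT"
count_live_hosts "$SAMPLE_SN_OUTPUT" 172.16.0.1
```

Treat the number as a lower bound: run as root, `nmap -sn` probes with ICMP echo, TCP SYN to 443, TCP ACK to 80 and an ICMP timestamp request, and as an unprivileged user only with TCP connects to 80 and 443, so a host that drops all of those is reported as down. On the defensive side, that same burst of ICMP and SYN/ACK probes across a whole /24 is what a network sensor should flag as a sweep.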


Challenge 4:

Find the IP address of the machine which has port 21 open. Note: Target network 172.16.0.0/24 (Format: NNN.NN.N.NN)

`nmap -p 21 172.16.0.0/24 --open` identifies the machine on that subnet with port 21 open.


Challenge 5:

Find the IP address of the Domain Controller machine in 10.10.10.0/24. (Format: NN.NN.NN.NN)

`nmap -p 389,636 10.10.10.0/24 --open` scans for ports that a domain controller is likely to have open (LDAP and LDAPS).


Challenge 6:

Perform a host discovery scanning and identify the NetBIOS name of the host at 10.10.10.25. (Format: AAAAAAAAA)

This mainly relies on the Nmap NSE default scripts: `nmap -sC 10.10.10.25 --top-ports=20`.


Challenge 7:

Perform an intense scan on 10.10.10.25 and find out the FQDN of the machine in the network. (Format: AaaaaAaaa.AAAAAA.aaa)

Same method as the previous challenge; the FQDN is in that output as well.


Challenge 8:

What is the DNS Computer Name of the Domain Controller? (Format: AaaaaAaaa.AAAAAA.aaa)

Same method as above; the enumeration of port 3389 shows the DNS computer name.


Challenge 9:

While performing a security assessment against the CEHORG network, you came to know that one machine in the network is running OpenSSH and is vulnerable. Identify the version of the OpenSSH running on the machine. Note: Target network 192.168.0.0/24. (Format: N.NaN)

`nmap -p 22 192.168.0.0/24 --open -sV` identifies the hosts on that subnet with SSH open, together with the version.


Challenge 10:

During a security assessment, it was found that a server was hosting a website that was susceptible to blind SQL injection attacks. Further investigation revealed that the underlying database management system of the site was MySQL. Determine the machine OS that hosted the database. (Format: Aaaaaa)

First scan for machines with the MySQL service open: `nmap -p 3306 192.168.0.0/24 --open`
Then run OS detection against the host that was found: `nmap -O 192.168.0.55 -sV`
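Challenges 4, 9, 10, 13 and 15 all scan a subnet for one port at a time. A single `-sV --open` scan of the subnet saved with `-oG` answers every one of them, provided the grepable output is parsed properly. The script below is an added example, not the write-up's own commands: it extracts host, port, service and version from such output and filters by port. The scan output it parses is constructed; the hosts 192.168.0.201 to 192.168.0.203 and their version strings are invented and say nothing about the lab.

```shell
#!/bin/sh
# Added example (not from the original write-up): pull host, port, service and
# version out of nmap grepable output (-oG) produced by a "-sV --open" scan, so
# the per-port questions (which host has 21/22/3306/111/25 open, and which
# version runs there) are answered from one saved scan instead of re-scanning.
# The output below is CONSTRUCTED sample data; hosts and versions are invented.
# nmap separates the Host / Ports / Ignored State sections with tabs, which
# printf's \t reproduces here.

SAMPLE_SV_OUTPUT=$(printf '%s\t%s\t%s\n' \
  'Host: 192.168.0.201 ()' 'Ports: 22/open/tcp//ssh//OpenSSH 9.6p1 Debian 1/, 445/open/tcp//microsoft-ds///' 'Ignored State: closed (998)' \
  'Host: 192.168.0.202 ()' 'Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 3306/open/tcp//mysql//MySQL 5.7.42/' 'Ignored State: closed (998)' \
  'Host: 192.168.0.203 ()' 'Ports: 25/open/tcp//smtp//Postfix smtpd/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/' 'Ignored State: closed (998)')

# open_ports OUTPUT: one line per open port, as "IP PORT SERVICE VERSION".
open_ports() {
    printf '%s\n' "$1" | awk -F'\t' '
        /^Host:/ {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            ports = ""
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, entry, /, /)
            for (j = 1; j <= n; j++) {
                # grepable port entry: port/state/proto/owner/service/rpcinfo/version/
                split(entry[j], f, "/")
                if (f[2] == "open") print ip, f[1], f[5], f[7]
            }
        }'
}

# hosts_with_port OUTPUT PORT: IPs that have PORT open.
hosts_with_port() {
    open_ports "$1" | awk -v port="$2" '$2 == port { print $1 }'
}

# version_of OUTPUT IP PORT: the version string nmap fingerprinted on IP:PORT
# (empty when -sV could not identify the service).
version_of() {
    open_ports "$1" | awk -v ip="$2" -v port="$3" '
        $1 == ip && $2 == port { v = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ ?/, "", v); print v }'
}

# Stand-alone run: the whole table, then the two lookups the challenges ask for.
open_ports "$SAMPLE_SV_OUTPUT"
hosts_with_port "$SAMPLE_SV_OUTPUT" 3306
version_of "$SAMPLE_SV_OUTPUT" 192.168.0.201 22
```

The version column is only as good as the banner the service sends; a version string that looks vulnerable still needs confirmation against the actual package (distributions backport fixes without changing the upstream version number), which is why the write-up follows up with OpenVAS rather than stopping at the nmap banner.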


Challenge 11:

Perform LDAP enumeration on the target network and find out how many user accounts are associated with the domain. (Format: N)

Enumerate directly: `nmap 10.10.10.25 --script="*user*"` (the pattern is quoted so the shell does not expand it as a filename glob).


Challenge 12:

Perform an LDAP Search on the Domain Controller machine and find out the version of the LDAP protocol. (Format: AAAAaN)

`ldapsearch -x -H ldap://10.10.10.25` queries the LDAP server.
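The protocol version comes from the rootDSE, which an Active Directory domain controller serves to an anonymous (`-x`) bind, and ldapsearch prints it as LDIF. LDIF wraps long values onto continuation lines that begin with a single space, so a naive `grep` misses part of a folded value. The script below is an added example, not part of the write-up: it unfolds the LDIF and pulls out named attributes. The rootDSE it parses is constructed sample output; the host name and naming contexts are invented.

```shell
#!/bin/sh
# Added example (not from the original write-up): read attributes out of the
# LDIF that ldapsearch prints for the rootDSE (base "" with scope base), which
# an Active Directory DC serves without authentication. LDIF folds long values
# onto continuation lines that start with a single space, so the parser
# unfolds those before matching attribute names. The LDIF below is CONSTRUCTED
# sample output; the host and naming contexts are invented.

SAMPLE_ROOTDSE='# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
currentTime: 20240814060000.0Z
dnsHostName: dc01.example.test
defaultNamingContext: DC=example,DC=test
namingContexts: DC=example,DC=test
namingContexts: CN=Configuration,DC=example,
 DC=test
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO

# search result
search: 2
result: 0 Success'

# ldif_attr LDIF ATTR: print every value of ATTR, with folded lines rejoined.
# Values written base64 ("attr:: ...") are printed still encoded.
ldif_attr() {
    printf '%s\n' "$1" | awk -v attr="$2" '
        function emit(line,    k, v) {
            k = index(line, ":")
            if (k == 0 || substr(line, 1, k - 1) != attr) return
            v = substr(line, k + 1); sub(/^ +/, "", v); print v
        }
        /^ / { rec = rec substr($0, 2); next }   # continuation: append to previous line
        { if (rec != "") emit(rec); rec = $0 }
        END { if (rec != "") emit(rec) }'
}

# max_ldap_version LDIF: the highest protocol version the server advertises.
max_ldap_version() {
    ldif_attr "$1" supportedLDAPVersion | sort -n | tail -n 1
}

# Stand-alone run: protocol version, then the naming contexts (one unfolded).
max_ldap_version "$SAMPLE_ROOTDSE"
ldif_attr "$SAMPLE_ROOTDSE" namingContexts
```

To fetch a real rootDSE explicitly rather than relying on the client's default search base, the standard form is `ldapsearch -x -H ldap://<dc> -s base -b '' '(objectclass=*)' '*' '+'` (the `+` requests operational attributes). Disclosure of the rootDSE itself is by design and not a finding; what a defender should check is whether anonymous binds can read anything beyond it and whether LDAP signing and channel binding are enforced on the DC.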


Challenge 13:

What is the IP address of the machine that has NFS service enabled? Note: Target network 192.168.0.0/24. (Format: NNN.NNN.N.NN)

Same method: scan the subnet for hosts with the NFS port open: `nmap -p 111 192.168.0.0/24 --open` (port 111 is the RPC portmapper that NFS registers with).


Challenge 14:

Perform a DNS enumeration on www.certifiedhacker.com and find out the name servers used by the domain. (Format: aaN.aaaaaaaa.aaa, aaN.aaaaaaaa.aaa)

Query DNS for the name server (NS) records: `nslookup -type=ns certifiedhacker.com`


Challenge 15:

Find the IP address of the machine running SMTP service on the 192.168.0.0/24 network. (Format: NNN.NNN.N.NN)

Same method: find the host on the subnet with SMTP open: `nmap -p 25 192.168.0.0/24 --open`


Challenge 16:

Perform an SMB Enumeration on 192.168.0.51 and check whether the Message signing feature is enabled or disabled. Give your response as Yes/No. (Format: Aaa)

Enumerate port 445 directly: `nmap -p 445 192.168.0.51 -sC -T5`


Challenge 17:

Perform a vulnerability research on CVE-2022-30171 and find out the base score and impact of the vulnerability. (Format: N.N Aaaaaa)

Look up this CVE in the NVD.


Challenge 18:

Perform vulnerability scanning for the domain controller using OpenVAS and identify the number of vulnerabilities with severity level as "medium". (Format: N)

Type `gvm-start` in the terminal to start OpenVAS; after logging in as admin/password, go to Tasks and you can see the scans have already been run for us.


Challenge 19:

Perform vulnerability scanning for the webserver hosting movies.cehorg.com using OpenVAS and identify the severity level of RPC vulnerability. (Format: N)

Same as above.


Challenge 20:

Perform vulnerability scanning for the Linux host in the 172.16.0.0/24 network using OpenVAS and find the number of vulnerabilities with severity level as medium. (Format: N)

Same as above.


Finally