init

CEH Impt Cmd Line Programs.txt

@@ -0,0 +1,59 @@
+NMAP
+nmap -T4 -n -sS 192.168.0.1/24 # SYN
+# Study -sT (tcp), -sS (syn), -sA (ack), -sF (fin), -sN (null), -sX (xmas), -sI (idle), -sU (udp), -sV (service detection), -O (OS detection)
+# -sA: ACK - Filtered/Unfiltered - For detecting firewall, unfiltered (open/close) returns RST packet
+# -sF: FIN - Closed/Open|Filtered - RST when closed, no response when open|filtered
+# 	-sX: XMAS - FIN, PSH, URG - Same as FIN
+#	-sN: NULL - Same as FIN
+# -sU: UDP - Open/Closed/Filtered/Open|Filtered - UDP response when open, ICMP type 3 code 3 (Port Unreachable) when closed, other ICMP when filtered, no response when open|filtered
+# -sI <host:port>: IDLE - Stealth scan using zombie host and IP fragmentation ID
+
+NETCAT
+nc -zv -w 1 google.com 21 # Scan google's port 21, -z scan, -v verbose, -w timeout
+nc -lvp 6969 # Opens a server on 6969, -l listens, -v verbose, -p port 6969
+nc 192.168.1.54 6969 # Banner Grab with GET / HTTP/1.1 after connecting
+# CRYPTCAT, netcat alternative with encryption involved
+
+HPING3
+hping3 -c 3 --scan 1-3000 -S -V 192.168.1.254 # Scans port 1-3000 on 192.168.1.254 with 3 SYN packets each
+hping3 -c 100 -d 120 -S -p 21 --flood --rand-source google.com # Flood google with 100 counts, SYN packets with data size 120 bytes, on port 21, with random spoofed IP source
+
+FIREWALK
+firewalk -S1-1000 -i eth0 -n -pTCP 192.168.1.254 192.168.1.30 # Scan port 1-1000 through eth0, no hostname resolution, with TCP protocol, via gateway 192.168.1.254 against target 192.168.1.30
+
+NSLOOKUP
+nslookup
+	server ns1.google.com
+	set type=any # Or A (address), NS (nameserver), MX (mailserver), SOA (start of authority), CNAME (canonical name), PTR (pointer)
+	ls -d google.com # Zone transfer
+
+DIG
+dig www.google.com
+dig mx www.google.com # Get mail server entries
+dig axfr @ns1.google.com www.google.com # Zone transfer
+
+NBTSTAT
+nbtstat -A 192.168.1.254 # Get remote NetBIOS table
+nbtstat -n # Get local table
+
+JOHN THE RIPPER
+john shadow.txt
+john --wordlist=passwords.txt shadow.txt
+
+SSH
+ssh [email protected]
+ssh -L 6969:www.leet.com:21 [email protected] # Tunnel FTP through local port 6969 to port 21 on leet.com
+
+TCPDUMP
+tcpdump -i eth0	# Capture on eth0
+tcpdump -w cap.log # Write to cap.log
+tcpdump -r cap.log # Read from cap.log
+
+WHOIS
+whois google.com
+# Important WHOIS Registrars:
+# ARIN - North America
+# APNIC - Asia Pacific
+# AFRINIC - Africa
+# LACNIC - Latin America and Caribbean
+# RIPE - Europe

CEH Lab Notes (Old).txt

@@ -0,0 +1,59 @@
+# Module 02 - Footprinting and Reconnaissance
+
+    ping
+        -f -l 1024          # Send 1024 byte ICMP echo request, no fragment, for checking network's max frame size
+        -i 3                # Send ICMP echo request with TTL of 3, can be used to manually traceroute a host
+*   tracert [host]          # Traceroute
+*   nslookup
+        - set type=a        # Get IP from domain name
+        - [host]
+        - set type=cname    # Get canonical name of domain, something like alias
+        - [host]
+        - set type=soa      # Get information about domain's authoritative server
+        - [host]
+*   pipl.com                # Online database for searching up people
+    firebug                 # Firefox plugin for debugging website (html, css, js, net, cookies, etc.)
+*   Web Data Extractor      # Web Spider for collecting emails, phone no, names, metadata, etc. Does not work on Win10.
+*   HTTrack                 # Website cloner
+*   eMailTrackerPro         # Trace emails, location, hops, network whois, email server ports, etc.
+    SmartWhois              # Whois tool
+    Path Analyzer Pro       # Traceroute Program, doesn't work on Win7/8/10
+**  Maltego                 # Intelligence and info gathering app. User/Pass:[email protected]
+**  recon-ng                # Metasploit-like tool for recon on domains
+        - workspaces list/add/select/delete
+        - Domains
+            - add domains microsoft.com, show domains
+            - load recon/domain-hosts/*, run
+            - load reverse_resolve, run
+            - show hosts
+        - Personal Information
+            - load recon/domains-contacts/whois_pocs, set SOURCE facebook.com, run, show contacts
+            - load recon/profiles-profiles/*, set SOURCE optixal, run, show profiles
+        - Pushpin Geomapping (May require API key) (Not working)
+            - add locations
+            - load recon/locations-locations/(reverse_)geocode
+            - show locations
+            - load recon/locations-pushpins/*, run
+        - load reporting
+            - show options
+            - set CREATOR optixal - etc.
+            - run
+            - back
+*   FOCA
+    Search Diggity
+
+# Module 03 - Scanning Networks
+
+**  hping3                  # A better ping program that uses TCP packets by default instead of ICMP packets
+        -c 3                # Count of 3 packets
+        --scan 1-3000 -S    # Scans ports 1 to 3000 with SYN TCP packets
+        -p 80 -S            # Scan port 80 with SYN TCP packets
+        --udp --rand-source --data 500  # Send random src UDP packets instead with data size of 500 bytes
+        --flood             # Sends packets as fast as possible, without caring about incoming replies
+        -V                  # Verbose mode
+        -D                  # Debug mode
+*   Colasoft Packet Builder # GUI for crafting custom packets and sending them
+    MegaPing
+*   Zenmap (nmap GUI)
+
+Page 196

README.md

@@ -0,0 +1 @@
+# CEHv9-Notes