
Module 04 - Practical


Last updated 1 year ago

These are the steps that I took to complete the flag-hunting session in the current module of the CEH v12 Practical Course.

Flag 1

Name the shared folder/drive available on the Windows Server 2019 machine.

Using CMD on the Windows 11 machine, type:

nbtstat -c

A: \\WINDOWS11\CEH-Tools

Flag 2

Use the NetBIOS Enumerator to perform NetBIOS enumeration on the network (10.10.1.15 – 10.10.1.100). Enter the domain name associated with the IP address 10.10.1.22.

You can use the tool netbiosenumerator.exe from E:\CEH-Tools\CEHv12 Module 04 Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator to get the result.

Or, using the Parrot Terminal, run the following command:

nbtscan -vh 10.10.1.22

A: CEH

Flag 3

Use snmp-check to enumerate a target and find the hostname of the machine at the IP address 10.10.1.22.

snmp-check 10.10.1.22

A: Server2022.CEH.com

Flag 4

What is the domain name of the machine at the IP address 10.10.1.22?

From the previous command snmp-check 10.10.1.22

A: CEH

Flag 5

Enumerate the machine at 10.10.1.22 using snmp-check and find the number of user accounts.

From the previous command snmp-check 10.10.1.22

A: 6

Flag 6

Perform SNMP enumeration using SoftPerfect Network Scanner and find the hostname of the machine at 10.10.1.9.

Remember to add Host Name at: Options > SNMP Remote

A: ubuntu.local

Flag 7

Perform SNMP enumeration using SoftPerfect Network Scanner and find the hostname of the machine at 10.10.1.14.

From the scan image at Flag 6

A: Android.local

Flag 8

Perform SNMP enumeration using SoftPerfect Network Scanner and find the Host Name of the machine at 10.10.1.22.

From the scan image at Flag 6

A: Server2022

Flag 9

Use SnmpWalk to perform SNMP enumeration on the Windows Server 2022 machine. Enter the option that sets a community string.

From the lab documentation:

snmpwalk -v1 -c public 10.10.1.22
  • -v specifies the SNMP version number (1 / 2c / 3)

  • -c sets a community string

A: -c
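
The snmpwalk command above succeeds only when the agent accepts SNMP v1 with the community string public. As an added example (not part of the original write-up or the CEH lab material), the following audits a net-snmp snmpd.conf for default, unrestricted or writable community directives; the sample configuration and the DEFAULT_COMMUNITIES list are constructed for illustration.

```python
import ipaddress

DEFAULT_COMMUNITIES = {"public", "private"}  # assumed list of well-known defaults

# Constructed sample of a net-snmp snmpd.conf; not taken from the lab machines.
SAMPLE_CONF = """\
# constructed example
rocommunity public
rwcommunity private 10.10.1.0/24
rocommunity6 public
com2sec readonly default public
rocommunity S3cr3t-mon1tor 10.10.1.50
rouser monitor authPriv
"""

def _is_open_source(source):
    """True when the SOURCE field does not narrow who may query."""
    if source in (None, "default"):
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname or other form: treat as a restriction

def audit_snmpd_conf(text):
    """Return (line_no, issue) findings for v1/v2c community directives."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        directive = fields[0].lower()
        if directive == "com2sec" and len(fields) > 2 and fields[1] == "-Cn":
            fields = fields[:1] + fields[3:]  # drop the optional "-Cn CONTEXT"
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = fields[1] if len(fields) > 1 else ""
            source = fields[2] if len(fields) > 2 else None
            writable = directive.startswith("rw")
        elif directive == "com2sec" and len(fields) >= 4:
            source, community, writable = fields[2], fields[3], False
        else:
            continue  # SNMPv3 users (rouser/rwuser) and other directives
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((no, f"default community '{community}'"))
        if _is_open_source(source):
            findings.append((no, "no source restriction"))
        if writable:
            findings.append((no, "read-write community"))
    return findings
```

Calling audit_snmpd_conf(SAMPLE_CONF) reports lines 2 to 5 and leaves the restricted community on line 6 and the SNMPv3 user on line 7 unflagged.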

Flag 10

Use various Nmap scripts to perform SNMP enumeration on the Windows Server 2022 machine. What is the option that is used to specify a UDP scan?

A: -sU

Flag 11

Use various Nmap scripts to perform SNMP enumeration on the Windows Server 2022 machine. Enter the option that specifies the port to be scanned.

A: -p

Flag 12

Perform LDAP Enumeration using Active Directory Explorer (AD Explorer) and find the Domain Controller machine’s IP address.

User: Administrator

Pass: Pa$$w0rd

A: 10.10.1.22

Flag 13

Perform LDAP enumeration using Active Directory Explorer (AD Explorer) and find the userPrincipalName for the user named Jason.

A: jason@CEH.com

Flag 14

Use Nmap and Python commands to extract details on the LDAP server and connection. Enter the port number that is used by LDAP.

A: 389

Flag 15

Use Python commands to extract details on the LDAP server and connection. Enter the command used in python shell to gather information such as naming context or domain name.

python3

Step by step:

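import ldap3
# get_info=ldap3.ALL makes the client read the server's DSE information and schema on bind
server = ldap3.Server('10.10.10.25', get_info=ldap3.ALL, port=389)
connection = ldap3.Connection(server)  # no credentials supplied: anonymous bind
connection.bind()
server.info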

A: server.info

Flag 16

Use ldapsearch to perform LDAP enumeration on the target system to gather details related to the naming contexts. Which option is used to specify simple authentication?

A: -x

Flag 17

Use ldapsearch to perform LDAP enumeration on the target system to obtain more information about the primary domain. Which option is used to specify the base DN for search?

A: -b

Flag 18

Perform NFS Enumeration using RPCScan and SuperEnum and find the port used by the NFS service on 10.10.1.19.

A: 2049

Flag 19

Can you perform zone transfer on the primary host of certifiedhacker.com? (Yes/No)

Parrot Terminal
dig @ns1.bluehost.com www.certifiedhacker.com axfr

A: No

Flag 20

Perform DNS enumeration and find the “responsible mail address” for the domain certifiedhacker.com.

Windows Terminal
$ nslookup
$ set type=cname
$ certifiedhacker.com

A: dnsadmin.box5331.bluehost.com

Flag 21

Perform DNS enumeration using dnsrecon and find the IP address of the name server (ns2) for certifiedhacker.com.

Parrot Terminal
$ cd /home/attacker/dnsrecon
$ chmod +x ./dnsrecon.py
$ ./dnsrecon.py -d www.certifiedhacker.com

A: 162.159.25.175

Flag 22

Use nmap to perform DNS enumeration on certifiedhacker.com to gather the list of all the available DNS services on the target host along with their associated ports. What is the rDNS record for 162.241.216.11?

A: box5331.bluehost.com

Flag 23

Use the Nmap to perform SMTP enumeration to enumerate the list of all the possible mail users on the Windows Server 2019 machine. Enter the number of users enumerated on the target machine

Parrot Terminal
nmap -p 25 --script=smtp-enum-users 10.10.1.19

A: 10

Flag 24

Perform SMB enumeration using NetScanTools Pro. Is SMB version 1 (SMB 1) enabled on the machine at 10.10.1.19? (Yes/No)

Parrot Terminal
nmap -p 445 -A 10.10.1.19


A: No

Flag 25

Enumerate the machine at 10.10.1.19 using Nmap and find its http-server-header.

Parrot Terminal
nmap -T4 -A 10.10.1.19


A: Microsoft-IIS/10.0

Flag 26

Perform enumeration using Global Network Inventory and find the full name of the OS installed in the machine at 10.10.1.22.

A: Microsoft Windows Server 2022 Standard

Flag 27

Enumerate network resources using Advanced IP Scanner and find the version of the Apache httpd service running on the machine at 10.10.1.9.

Parrot Terminal
nmap -T4 -A 10.10.1.9

A: 2.4.52

Flag 28

Enumerate users on the machine at 10.10.1.22 using Enum4linux and find the relative identifier (RID) for the user “shiela.”

Parrot Terminal
enum4linux -u martin -p apple -U 10.10.1.22

A: 0x451

Flag 29

Enumerate the machine at 10.10.1.22 using Enum4linux and find its Platform_ID.

Parrot Terminal
enum4linux -u martin -p apple -o 10.10.1.22

A: 500

Flag 30

Enumerate the machine at 10.10.1.22 using Enum4linux and find its server type.

From the previous code.

A: 0x84102f

Screenshot captions and sources (images not reproduced here):
  • nbtscan output
  • snmp-check’s output
  • Output from SoftPerfect Network Scanner, tool provided by CEH. Red: Flag 6, Blue: Flag 7, Green: Flag 8
  • Active Directory Explorer, Windows tool provided by CEH
  • Result from the Python method to get the LDAP server information
  • Information from: https://securitysnake.blog/ldapsearch-cheatsheet/
  • Output from dnsrecon.py
  • Nmap’s output
  • Nmap’s output at SMB
  • Output from Global Network Inventory, tool provided by CEH
  • https://cdn.comparitech.com/wp-content/uploads/2019/06/Nmap-Cheat-Sheet-1.jpg