Module 04 - Practical

These are the steps I took to complete the flag-hunting session in the current module of the CEH v12 Practical Course.

Flag 1

Name the shared folder/drive available on the Windows Server 2019 machine.

From CMD on the Windows 11 machine, run:

nbtstat -c

A: \\WINDOWS11\CEH-Tools

Flag 2

Use the NetBIOS Enumerator to perform NetBIOS enumeration on the network (10.10.1.15 – 10.10.1.100). Enter the domain name associated with the IP address 10.10.1.22.

You can use the tool netbiosenumerator.exe from E:\CEH-Tools\CEHv12 Module 04 Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator to get the result.

Or using the Parrot Terminal, the following command:

nbtstat 10.10.1.22 -vh

A: CEH

Flag 3

Use snmp-check to enumerate a target and find the hostname of the machine at the IP address 10.10.1.22.

snmp-check 10.10.1.22

A: Server2022.CEH.com

Flag 4

What is the domain name of the machine at the IP address 10.10.1.22?

From the output of the previous command, snmp-check 10.10.1.22

A: CEH

Flag 5

Enumerate the machine at 10.10.1.22 using snmp-check and find the number of user accounts.

From the output of the previous command, snmp-check 10.10.1.22

A: 6

Flag 6

Perform SNMP enumeration using SoftPerfect Network Scanner and find the hostname of the machine at 10.10.1.9.

Remember to add Host Name at: Options > SNMP Remote

A: ubuntu.local

Flag 7

Perform SNMP enumeration using SoftPerfect Network Scanner and find the hostname of the machine at 10.10.1.14.

From the scan image at Flag 6

A: Android.local

Flag 8

Perform SNMP enumeration using SoftPerfect Network Scanner and find the Host Name of the machine at 10.10.1.22.

From the scan image at Flag 6

A: Server2022

Flag 9

Use SnmpWalk to perform SNMP enumeration on the Windows Server 2022 machine. Enter the option that sets a community string.

From the lab documentation:

snmpwalk -v1 -c public 10.10.1.22
  • -v specifies the SNMP version number (1 / 2c / 3)
  • -c sets a community string

A: -c
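
The defender's view of the same option, as an added example that is not part of the original lab notes: a small audit that flags the SNMP v1/v2c community directives in a Net-SNMP snmpd.conf that would answer the snmpwalk query above. It assumes a Linux agent running Net-SNMP; the function name and the sample configuration are constructed for illustration.

```python
import shlex

# Community strings that ship as defaults and are the first ones guessed.
DEFAULT_COMMUNITIES = {"public", "private"}
# Source values that place no restriction on who may query the agent.
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample configuration, not taken from any lab host.
SAMPLE_CONF = """\
# constructed sample
agentAddress udp:161
rocommunity public
rocommunity m0n1t0r-ro 10.10.1.0/24
rwcommunity private default
com2sec readonly 10.10.1.5 public
rouser snmpv3admin authPriv
"""

def audit_snmpd_conf(text):
    """Return (line_number, issue) pairs for v1/v2c community directives."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # drops '#' comments
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            # rocommunity COMMUNITY [SOURCE ...]; a missing SOURCE means "default"
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
        elif directive == "com2sec":
            if args[:1] == ["-Cn"]:      # optional context: -Cn CONTEXT
                args = args[2:]
            if len(args) < 3:
                continue
            source, community = args[1], args[2]  # com2sec NAME SOURCE COMMUNITY
        else:
            continue                     # SNMPv3 users and other directives
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((number, "default-community"))
        if source.lower() in OPEN_SOURCES:
            findings.append((number, "open-source"))
        if directive.startswith("rw"):
            findings.append((number, "write-access"))
    return findings

if __name__ == "__main__":
    for number, issue in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {number}: {issue}")
```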

Flag 10

Use various Nmap scripts to perform SNMP enumeration on the Windows Server 2022 machine. What is the option that is used to specify a UDP scan?

A: -sU

Flag 11

Use various Nmap scripts to perform SNMP enumeration on the Windows Server 2022 machine. Enter the option that specifies the port to be scanned.

A: -p

Flag 12

Perform LDAP Enumeration using Active Directory Explorer (AD Explorer) and find the Domain Controller machine’s IP address.

User: Administrator

Pass: Pa$$w0rd

A: 10.10.1.22

Flag 13

Perform LDAP enumeration using Active Directory Explorer (AD Explorer) and find the userPrincipalName for the user named Jason.

A: jason@CEH.com

Flag 14

Use Nmap and Python commands to extract details on the LDAP server and connection. Enter the port number that is used by LDAP.

A: 389

Flag 15

Use Python commands to extract details on the LDAP server and connection. Enter the command used in python shell to gather information such as naming context or domain name.

python3

Step by step:

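import ldap3
# get_info=ldap3.ALL makes ldap3 read the server's DSA info and schema on bind
server = ldap3.Server('10.10.10.25', get_info=ldap3.ALL, port=389)
connection = ldap3.Connection(server)  # no credentials given: anonymous bind
connection.bind()
server.info  # shows naming contexts and other server details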

A: server.info

Flag 16

Use ldapsearch to perform LDAP enumeration on the target system to gather details related to the naming contexts. Which option is used to specify simple authentication?

A: -x

Flag 17

Use ldapsearch to perform LDAP enumeration on the target system to obtain more information about the primary domain. Which option is used to specify the base DN for search?

A: -b

Flag 18

Perform NFS Enumeration using RPCScan and SuperEnum and find the port used by the NFS service on 10.10.1.19.

A: 2049

Flag 19

Can you perform zone transfer on the primary host of certifiedhacker.com? (Yes/No)

Parrot Terminal
dig @ns1.bluehost.com www.certifiedhacker.com axfr

A: No

Flag 20

Perform DNS enumeration and find the “responsible mail address” for the domain certifiedhacker.com.

Windows Terminal
$ nslookup
$ set type=cname
$ certifiedhacker.com

A: dnsadmin.box5331.bluehost.com

Flag 21

Perform DNS enumeration using dnsrecon and find the IP address of the name server (ns2) for certifiedhacker.com.

Parrot Terminal
$ cd /home/attacker/dnsrecon
$ chmod +x ./dnsrecon.py
$ ./dnsrecon.py -d www.certifiedhacker.com

A: 162.159.25.175

Flag 22

Use nmap to perform DNS enumeration on certifiedhacker.com to gather the list of all the available DNS services on the target host along with their associated ports. What is the rDNS record for 162.241.216.11?

A: box5331.bluehost.com

Flag 23

Use Nmap to perform SMTP enumeration to enumerate the list of all the possible mail users on the Windows Server 2019 machine. Enter the number of users enumerated on the target machine.

Parrot Terminal
nmap -p 25 --script=smtp-enum-users 10.10.1.19

A: 10

Flag 24

Perform SMB enumeration using NetScanTools Pro. Is SMB version 1 (SMB 1) enabled on the machine at 10.10.1.19? (Yes/No)

Parrot Terminal
nmap -p 445 -A 10.10.1.19

A: No

Flag 25

Enumerate the machine at 10.10.1.19 using Nmap and find its http-server-header.

Parrot Terminal
nmap -T4 -A 10.10.1.19

A: Microsoft-IIS/10.0

Flag 26

Perform enumeration using Global Network Inventory and find the full name of the OS installed in the machine at 10.10.1.22.

A: Microsoft Windows Server 2022 Standard

Flag 27

Enumerate network resources using Advanced IP Scanner and find the version of the Apache httpd service running on the machine at 10.10.1.9.

Parrot Terminal
nmap -T4 -A 10.10.1.9

A: 2.4.52

Flag 28

Enumerate users on the machine at 10.10.1.22 using Enum4linux and find the relative identifier (RID) for the user “shiela.”

Parrot Terminal
enum4linux -u martin -p apple -U 10.10.1.22

A: 0x451

Flag 29

Enumerate the machine at 10.10.1.22 using Enum4linux and find its Platform_ID.

Parrot Terminal
enum4linux -u martin -p apple -O 10.10.1.22

A: 500

Flag 30

Enumerate the machine at 10.10.1.22 using Enum4linux and find its server type.

From the output of the previous command.

A: 0x84102f
