Module 02 - Practical
These are the steps I took to complete the flag-hunting session in the second module (Footprinting and Reconnaissance) of the CEH v12 Practical course.
Use an advanced Google hacking technique to find PDF files on the website www.eccouncil.org. Enter the complete URL of the CEH-Brochure.pdf file. For this flag you only need a Google dork: Google's advanced search operators (site:, filetype:, inurl:, intitle:, ...) restrict a query to, for example, a single domain and a single file type, which is what makes the result precise.
I suggest the following cheat sheet to learn the Advanced Google Search operators quickly:
Google: site:eccouncil.org filetype:pdf brochure
A: https://www.eccouncil.org/wp-content/uploads/2022/09/CEH-brochure.pdf
Search for “EC-Council CEHv11” on YouTube (https://www.youtube.com) and perform a reverse image search on the YouTube video titled as “EC-Council Certified Ethical Hacker (CEH) v11” using Youtube Metadata (https://mattw.io/youtube-metadata/) video analysis tool. Enter the Video ID.
Self-explanatory; there is no mystery in a YouTube search. The Video ID is the 11-character value of the v= parameter in the video's watch URL, and the YouTube Metadata tool reports the same ID once you paste the URL in.
Youtube Search: EC-Council Certified Ethical Hacker (CEH) v11
A: V_i3wCtn0qA
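Every metadata or reverse-image tool keys on the video ID rather than the URL, so it helps to extract it reliably from the several URL shapes YouTube uses (watch?v=, youtu.be, embed, shorts). The parser below is an added example for this walkthrough, not code from the lab or from the YouTube Metadata tool; it also rejects look-alike hosts such as youtube.com.evil.example, which a naive "contains youtube.com" check would accept.

```python
"""Pull the video ID out of the URL forms YouTube uses.

Added example, not part of the lab or of the YouTube Metadata tool. A video ID
is 11 characters from the URL-safe base64 alphabet, which is what VIDEO_ID_RE
enforces before anything is returned.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")
YT_HOSTS = ("youtube.com", "youtube-nocookie.com")


def _is_youtube_host(host: str) -> bool:
    """Exact domain or a subdomain of it; 'youtube.com.evil.example' must not pass."""
    return any(host == h or host.endswith("." + h) for h in YT_HOSTS)


def youtube_video_id(url: str) -> Optional[str]:
    """Return the 11-character video ID, or None if `url` is not a YouTube video URL."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    path = [p for p in parsed.path.split("/") if p]
    candidate = None
    if host in ("youtu.be", "www.youtu.be"):
        candidate = path[0] if path else None                # https://youtu.be/<id>?t=30
    elif _is_youtube_host(host):
        if path and path[0] == "watch":                       # /watch?v=<id>&t=5
            candidate = parse_qs(parsed.query).get("v", [None])[0]
        elif len(path) >= 2 and path[0] in ("embed", "shorts", "v", "live"):
            candidate = path[1]                               # /embed/<id>, /shorts/<id>
    return candidate if candidate and VIDEO_ID_RE.match(candidate) else None


if __name__ == "__main__":
    for u in ("https://www.youtube.com/watch?v=V_i3wCtn0qA",
              "https://youtu.be/V_i3wCtn0qA?t=30",
              "https://youtube.com.evil.example/watch?v=V_i3wCtn0qA"):
        print(u, "->", youtube_video_id(u))
```

The ID of the lab's video (V_i3wCtn0qA) is used only as a sample input; the function is what you would feed a list of URLs scraped from search results before handing IDs to a metadata tool.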
Use the NAPALM FTP Indexer (https://www.searchftps.net/) to extract critical FTP information about a target organization, Microsoft. Enter YES if you find files located on the target’s FTP servers; else, enter NO.
Open your browser and go to: https://www.searchftps.net/
Search for "Microsoft"
The results list many files indexed from FTP servers that match the search, so:
A: YES
Use the Shodan IoT search engine to search for information about vulnerable IoT devices in a target organization, Amazon. Enter YES if you find details of vulnerable IoT devices related to amazon; else, enter NO.
Open your browser and go to: https://www.shodan.io/
Search for “Amazon”
The results list many Amazon-related devices. Shodan populates a Vulnerabilities section on a host's page when the indexed banner matches a version with known CVEs; check a few of the Amazon-related hosts and you will find one.
A: YES
Search for www.eccouncil.org on Netcraft (https://www.netcraft.com) and identify the operating system of the web server hosting the website www.eccouncil.org.
From your browser, go to: https://www.netcraft.com
Go to Resources > Site Report
Search for www.eccouncil.org
Netcraft's site report does not state the operating system of the web server explicitly, so let's try another site.
Go to: https://censys.io/domain?q=
Search for: www.eccouncil.org
Open the first IP address in the results and look under Basic Information, where the host's operating system is listed.
A: Linux
Gather personal information about Satya Nadella (CEO of Microsoft) using PeekYou (https://www.peekyou.com), an online people search service. Enter the name of the university where Satya Nadella studied MBA.
Go to https://www.peekyou.com/
Search for: Satya Nadella (Microsoft CEO)
A: University of Chicago
Use theHarvester tool to gather the list of email IDs related to Microsoft (www.microsoft.com) organization from the Baidu search engine. Enter the option that specifies the domain or company name to search.
A: -d
Use Tor Browser to perform searches on the deep and dark web. Identify the search engine Tor Browser uses to perform a dark web search.
A: DuckDuckGo
Use Censys (https://search.censys.io/?q) to perform the passive footprinting of www.eccouncil.org. Flag submission is not required for this task, enter “No flag” as the answer.
Search for: www.eccouncil.org
A: No flag
Use theHarvester tool to gather information about the employees (name and job title) of a target organization (eccouncil.org) available on LinkedIn. Enter the option to specify the data source as LinkedIn.
A: -b
Use the Sherlock tool to gather all the URLs related to Satya Nadella from various social networking sites. Enter the complete URL related to Satya Nadella that is obtained from the social networking site Academia.edu.
Using your Parrot virtual machine, go to the Sherlock folder.
Parrot Terminal: python3 sherlock.py satya nadella
Note that Sherlock takes usernames, not full names: each space-separated argument is searched as a separate username, so this run checks both "satya" and "nadella" across the supported sites, and the Academia.edu hit below is for the username satya.
A: https://independent.academia.edu/satya
Use the Followerwonk online tool (https://followerwonk.com/analyze) to gather Twitter information about Satya Nadella. What is the name of rating Followerwonk uses to rate a user’s influence and engagement on Twitter?
Search for @SatyaNadella
A: Social Authority
Use the ping command-line utility to test the reachability of the website www.eccouncil.org. Identify the maximum packet/frame size on this machine’s network.
Terminal: ping www.eccouncil.org -f -l 1500
No response. On Windows ping, -f sets the Don't Fragment bit and -l sets the ICMP payload size in bytes; a 1500-byte payload plus the 20-byte IPv4 header and the 8-byte ICMP header is 1528 bytes, larger than the 1500-byte Ethernet MTU, so the packet is dropped instead of being fragmented ("Packet needs to be fragmented but DF set").
Terminal: ping www.eccouncil.org -f -l 1300
Here you get a reply, so the limit is somewhere between 1300 and 1500; keep going...
After many iterations (halving the interval each time gets there in about eight pings)
Terminal: ping www.eccouncil.org -f -l 1472
This is the largest payload that still gets a reply: 1472 + 28 bytes of headers = 1500, the MTU.
A: 1472
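The "many iterations" above are a binary search done by hand. The script below is an added example for this walkthrough (not part of the lab) that automates it: it wraps the OS ping binary with the Don't Fragment flag, searches for the largest payload that still gets a reply, and adds the 28 header bytes back to report the path MTU. It assumes the ping binary exits non-zero when no echo reply arrives (true for Linux iputils; verify on Windows before trusting it) and does not handle macOS, whose ping spells DF as -D.

```python
"""Find the largest ICMP payload that crosses the path unfragmented.

Added example, not part of the lab. The walkthrough probes by hand
(1500 fails, 1300 works, ... 1472 works); a binary search over the same
probe reaches 1472 in about a dozen pings. Size found + 28 bytes of
headers (20 IPv4 + 8 ICMP) is the path MTU, 1500 on Ethernet.
"""
import platform
import subprocess
import sys
from typing import Callable

IPV4_HEADER = 20   # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo request header


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One echo request of `payload` bytes with Don't Fragment set; True on reply.

    Windows ping: -f (DF) -l (size). Linux iputils: -M do (DF) -s (size).
    Assumption: the ping binary exits non-zero when no echo reply arrives.
    macOS ping uses -D for DF and is not handled here.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout_s + 3).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 9000) -> int:
    """Largest size for which probe() succeeds, assuming it succeeds for every smaller size."""
    if not probe(lo):
        raise RuntimeError("smallest probe failed: host down or ICMP filtered")
    while lo < hi:
        mid = (lo + hi + 1) // 2      # round up so lo always advances
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mtu_from_payload(payload: int) -> int:
    """ICMP payload + IPv4 and ICMP headers = largest IP packet that passed, i.e. the path MTU."""
    return payload + IPV4_HEADER + ICMP_HEADER


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.eccouncil.org"
    best = max_payload(lambda size: ping_df(host, size))
    print(f"max unfragmented payload {best} bytes -> path MTU {mtu_from_payload(best)}")
```

The probe is passed in as a function so the search can be checked without a network (a lambda that succeeds up to 1472 reproduces the lab result) and so a raw-socket or Scapy probe can replace the ping binary later. The upper bound of 9000 covers jumbo frames; on a plain Ethernet path the first probe above 1472 fails and the search homes in from there.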
Use Photon tool to crawl www.certifiedhacker.com website for internal, external and scripts URLs. What is the option that was used to specify the target website?
python3 photon.py -u http://www.certifiedhacker.com -l 3 -t 200 --wayback
-u Target URL
-l Crawl depth (levels)
-t Number of threads
--wayback Use URLs from archive.org as seeds
A: -u
Use Photon tool to crawl www.certifiedhacker.com website using URLs from archive.org. Enter the option that specifies using URLs from archive.org as seeds.
A: --wayback
Gather information about www.certifiedhacker.com website using Central Ops. Enter the IP address gathered under Address lookup section.
Search for www.certifiedhacker.com
A: 162.241.216.11
In the Windows 11 machine, use Web Data Extractor web spidering tool to gather the target company’s (http://www.certifiedhacker.com) data. Enter the contact email ID of the support department.
A: support@introspire.web
In the Windows 11 machine, use HTTrack Web Site Copier tool to mirror the entire website of the target organization (http://www.certifiedhacker.com). Enter the newly created HTML file name, which allows you to view the webpage of the mirrored website on any browser.
This is a concept question: HTTrack always writes an index.html at the root of the mirror, and opening that file in any browser shows the copied site.
A: index.html
Use GRecon to search for available subdomains, sub-subdomains, login pages, directory listings, exposed documents, WordPress entries and pasting sites in target website. Enter the target that was used in this task to gather information.
A: certifiedhacker.com
Use CeWL ruby application to gather a wordlist from the target website (http://www.certifiedhacker.com). Enter the command which allows you to gather a unique wordlist from the target website with a minimum word length of 6 and the depth of 3 to spider the target website.
A: cewl -d 3 -m 6 www.certifiedhacker.com
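To make the -m and "unique" parts of that command concrete, here is an added example (mine, not CeWL's code) that does what CeWL does to each fetched page: strip markup and script bodies, tokenise the visible text, keep words of at least the minimum length, and de-duplicate while preserving first-seen order. The crawl depth (-d 3) is represented by passing in every page the crawl returned; meta keywords/description are included, as CeWL's -a/--meta option does. The HTML page is constructed for the example, not fetched from certifiedhacker.com.

```python
"""Build a CeWL-style wordlist from HTML pages.

Added example, not CeWL itself. min_length is CeWL's -m; the output is unique
like CeWL's; the list of pages stands in for what a -d 3 spider returns.
"""
import re
from html.parser import HTMLParser
from typing import Iterable, List

WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9'-]*")


class TextExtractor(HTMLParser):
    """Collect visible text plus meta keywords/description; skip <script>/<style> bodies."""

    SKIP_TAGS = {"script", "style"}

    def __init__(self) -> None:
        super().__init__()
        self.chunks: List[str] = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP_TAGS:
            self._skip_depth += 1
        elif tag == "meta":
            a = {k: v for k, v in attrs if v is not None}
            if a.get("name", "").lower() in ("keywords", "description") and a.get("content"):
                self.chunks.append(a["content"])

    def handle_endtag(self, tag):
        if tag in self.SKIP_TAGS and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:          # text inside <script>/<style> never reaches the list
            self.chunks.append(data)


def words_from_html(html: str, min_length: int = 6) -> List[str]:
    """Unique words of at least min_length characters, in first-seen order."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    seen, out = set(), []
    for word in WORD_RE.findall(" ".join(parser.chunks)):
        if len(word) >= min_length and word not in seen:
            seen.add(word)
            out.append(word)
    return out


def wordlist(pages: Iterable[str], min_length: int = 6) -> List[str]:
    """Merge the wordlists of every page a depth-limited crawl returned, still unique."""
    seen, out = set(), []
    for page in pages:
        for word in words_from_html(page, min_length):
            if word not in seen:
                seen.add(word)
                out.append(word)
    return out


# Constructed sample page for the example; not content fetched from certifiedhacker.com.
SAMPLE_PAGE = """<html><head><title>Certified Hacker</title>
<meta name="keywords" content="penetration, firewall">
<script>var secretToken = "ignoredByWordlist";</script></head>
<body><h1>Welcome to Certified Hacker</h1>
<p>Our consultants perform authorised penetration testing.</p>
<style>.nav { color: red }</style></body></html>"""

if __name__ == "__main__":
    print("\n".join(wordlist([SAMPLE_PAGE], min_length=6)))
```

Words are kept in their original case, as CeWL does unless --lowercase is given; a password-guessing run would normally post-process the list with rules rather than lowercase it here.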
In Windows 11 machine, use eMailTrackerPro tool located at E:\CEH-Tools\CEHv12 Module 02 Footprinting and Reconnaissance\Email Tracking Tools to gather information about an email by analyzing the email header. Observe the output and enter YES if the tool contains the “Abuse Reporting” feature; else, enter NO.
A: YES
Perform a Whois lookup using DomainTools and find the URL that belongs to registrar of the website www.certifiedhacker.com.
Browser: https://whois.domaintools.com/
A: http://networksolutions.com
Use the nslookup command-line utility to find the primary server of the website www.certifiedhacker.com.
In nslookup, set the query type to SOA and look up certifiedhacker.com; the primary (master) name server is the first field of the SOA record.
A: ns1.bluehost.com
Perform a reverse DNS lookup using DNSRecon on IP range (162.241.216.0-162.241.216.255) to locate a DNS PTR record. Enter the DNS PTR record for IP address 162.241.216.11.
DNSRecon's reverse-lookup mode takes the range and queries a PTR record for every address in it; the PTR for 162.241.216.11 is the one that matters here.
A: box5331.bluehost.com
Use SecurityTrails to gather information regarding the subdomains and DNS records of the certifiedhacker.com website. Enter YES if you find any NS records; else, enter NO.
A: YES
Use SecurityTrails to gather information regarding the subdomains and DNS records of the certifiedhacker.com website. Enter YES if you find any AAAA records; else, enter NO.
The same SecurityTrails DNS records view shows NS records but no AAAA (IPv6) records for the domain.
A: NO
Use the ARIN Whois database search tool (https://www.arin.net/about/welcome/region) to locate the network range of the target organization (www.certifiedhacker.com). Enter the network range information about the target organization.
Search for the Target IP: 162.241.216.11
A: 162.240.0.0 – 162.241.255.255
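The reverse-lookup task and the ARIN range task above fit together: the range tells you which addresses belong to the target, and the PTR sweep tells you which of them are named hosts. The script below is an added example for this walkthrough, using only the Python standard library (it is not DNSRecon's or ARIN's code). The live PTR lookup is isolated in one function and the sweep accepts any lookup callable, so the search logic can be exercised offline with a constructed answer table; the lab's range and PTR record are used only as sample values.

```python
"""Reverse-DNS sweep of a range plus the ARIN net-range check, stdlib only.

Added example, not DNSRecon's or ARIN's code. DNSRecon's reverse mode walks a
range and asks for a PTR per address; this does the same via gethostbyaddr.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional


def reverse_name(ip: str) -> str:
    """The owner name a PTR query is sent for, e.g. 11.216.241.162.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def resolve_ptr(ip: str, timeout: float = 2.0) -> Optional[str]:
    """Live PTR lookup; None when there is no record or the query fails."""
    socket.setdefaulttimeout(timeout)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def sweep(network: str, lookup: Callable[[str], Optional[str]] = resolve_ptr) -> Dict[str, str]:
    """PTR record for every host address in `network` (CIDR) that has one."""
    found: Dict[str, str] = {}
    for ip in ipaddress.ip_network(network, strict=False).hosts():
        name = lookup(str(ip))
        if name:
            found[str(ip)] = name
    return found


def range_to_cidrs(first: str, last: str) -> List[str]:
    """ARIN reports allocations as first - last; turn that into CIDR blocks for scanners."""
    blocks = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                               ipaddress.ip_address(last))
    return [str(b) for b in blocks]


def in_range(ip: str, first: str, last: str) -> bool:
    """True when `ip` falls inside the ARIN range, i.e. the host sits on the target's allocation."""
    return ipaddress.ip_address(first) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(last)


if __name__ == "__main__":
    # Live run against the lab's values; needs network access and a resolver.
    print(range_to_cidrs("162.240.0.0", "162.241.255.255"))
    print(sweep("162.241.216.0/28"))
```

Note that the ARIN range 162.240.0.0 - 162.241.255.255 collapses to a single /15, which is the hosting provider's allocation rather than something dedicated to certifiedhacker.com; a PTR sweep of a shared-hosting block returns the provider's box names (box5331.bluehost.com in the lab), so the range defines scope for authorised testing, not ownership.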
Perform network tracerouting using traceroute command in Linux machine for www.certifiedhacker.com domain. Enter the IP address of the target domain.
A: 162.241.216.11
Use the Recon-ng tool to gather personnel information. Enter the Recon-ng module name, which allows you to find user profiles on various websites.
In the future I will write a full post about Recon-ng, stay tuned!
A: recon/profiles-profiles/profiler
Use the Maltego tool to gather information about the target organization (www.certifiedhacker.com). Enter the information about the mail exchange server associated with the certifiedhacker.com domain.
A: mail.certifiedhacker.com
Use the OSRFramework tool to check for the existence of a Mark Zuckerberg profile on different social networking platforms. Enter YES if the given user profile exists; else, enter NO.
Type: searchfy -q "Mark Zuckerberg"
A: YES
Use Foca tool to gather useful information about the www.eccouncil.org. Enter the number of browsers that are available under Search engines section.
A: 3
Use the BillCipher tool to footprint a target website URL (www.certifiedhacker.com). Identify the webserver application used to host the web pages.
A: nginx
Use the OSINT Framework (https://osintframework.com) to explore footprinting categories and associated tools. Enter the complete website URL of the Domain Dossier tool, which generates reports from public records.
A: https://centralops.net/co/DomainDossier.aspx