Module 02 - Practical

These are the steps that I took to complete the first flag-hunting session in the second module of the CEH v12 Practical Course.

Flag 1

Use an advanced Google hacking technique to find PDF files on the website www.eccouncil.org. Enter the complete URL of the CEH-Brochure.pdf file. For this flag you only need a Google dork: a search operator (site:, filetype:, and so on) that Google provides to narrow a query down to more precise results.

I suggest the following cheat sheet to learn the Advanced Google Search operators quickly.

  1. Google: site:eccouncil.org filetype:pdf brochure

A: https://www.eccouncil.org/wp-content/uploads/2022/09/CEH-brochure.pdf

Flag 2

Search for "EC-Council CEHv11" on YouTube (https://www.youtube.com) and perform a reverse image search on the YouTube video titled "EC-Council Certified Ethical Hacker (CEH) v11" using the YouTube Metadata (https://mattw.io/youtube-metadata/) video analysis tool. Enter the Video ID.

Self-explanatory: there is no mystery in a YouTube search. The Video ID is the value of the v= parameter in the video's URL, which the metadata tool also reports.

  1. Youtube Search: EC-Council Certified Ethical Hacker (CEH) v11

A: V_i3wCtn0qA

Flag 3

Use the NAPALM FTP Indexer (https://www.searchftps.net/) to extract critical FTP information about a target organization, Microsoft. Enter YES if you find files located on the target’s FTP servers; else, enter NO.

  1. Open your browser and go to: https://www.searchftps.net/

  2. Search for "Microsoft"

  • You can see that many files are listed.

A: YES

Flag 4

Use the Shodan IoT search engine to search for information about vulnerable IoT devices in a target organization, Amazon. Enter YES if you find details of vulnerable IoT devices related to amazon; else, enter NO.

  1. Open your browser and go to: https://www.shodan.io/

  2. Search for "Amazon"

  • Many devices are related to Amazon. Shodan lists known CVEs under a Vulnerabilities heading on a host's detail page, so any Amazon-related host showing that heading satisfies the flag.

A: YES

Flag 5

Search for www.eccouncil.org on Netcraft (https://www.netcraft.com) and identify the operating system of the web server hosting the website www.eccouncil.org.

The summary of the Netcraft site report says nothing explicit about the operating system of the web server; it is listed in the OS column of the Hosting History table. If it is still blank there, try another site.

A: Linux

Flag 6

Gather personal information about Satya Nadella (CEO of Microsoft) using PeekYou (https://www.peekyou.com), an online people search service. Enter the name of the university where Satya Nadella studied MBA.

A: University of Chicago

Flag 7

Use theHarvester tool to gather the list of email IDs related to Microsoft (www.microsoft.com) organization from the Baidu search engine. Enter the option that specifies the domain or company name to search.

A: -d

Flag 8

Use Tor Browser to perform searches on the deep and dark web. Identify the search engine Tor Browser uses to perform a dark web search.

A: DuckDuckGo

Flag 9

Use Censys (https://search.censys.io/?q) to perform the passive footprinting of www.eccouncil.org. Flag submission is not required for this task, enter “No flag” as the answer.

A: No flag

Flag 10

Use theHarvester tool to gather information about the employees (name and job title) of a target organization (eccouncil.org) available on LinkedIn. Enter the option to specify the data source as LinkedIn.

A: -b

Flag 11

Use the Sherlock tool to gather all the URLs related to Satya Nadella from various social networking sites. Enter the complete URL related to Satya Nadella that is obtained from the social networking site Academia.edu.

  • Using your Parrot Virtual machine, go to the Sherlock folder

  • Parrot Terminal: python3 sherlock.py satya nadella

git clone https://github.com/sherlock-project/sherlock
cd ./sherlock/sherlock
python3 sherlock.py satya nadella

A: https://independent.academia.edu/satya

Flag 12

Use the Followerwonk online tool (https://followerwonk.com/analyze) to gather Twitter information about Satya Nadella. What is the name of the rating Followerwonk uses to rate a user's influence and engagement on Twitter?

A: Social Authority

Flag 13

Use the ping command-line utility to test the reachability of the website www.eccouncil.org. Identify the maximum packet/frame size on this machine’s network.

  • Terminal: ping www.eccouncil.org -f -l 1500

    • No response (the -f flag sets Don't Fragment and -l sets the payload size; these are the Windows ping options, the Linux equivalent is ping -M do -s <size>)

  • Terminal: ping www.eccouncil.org -f -l 1300

    • Here you get a response, continue…

  • After many iterations, 1472 is the largest payload that still gets a reply: 1472 bytes of payload plus the 20-byte IPv4 header and the 8-byte ICMP header is 1500 bytes, the Ethernet MTU.

  • Terminal: ping www.eccouncil.org -f -l 1472

A: 1472
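Instead of guessing sizes by hand, the search above can be done as a binary search over the payload size. The following script is an added example and not part of the original write-up: it wraps the Windows `ping -f -l` (or Linux `ping -M do -s`) probe, assumes ping's exit status reflects whether a reply was received, and includes a constructed simulated probe so the search logic can be checked offline.

```python
"""Binary-search the largest Don't-Fragment ping payload on a path (added example).

Manual approach: try `ping -f -l <size>` until the reply stops. This automates the
search and converts the result into the path MTU. Assumes Windows `ping -f -l` or
Linux iputils `ping -M do -s`; everything imported is standard library.
"""
import platform
import subprocess
import sys
from typing import Callable

IP_HEADER = 20                      # IPv4 header without options
ICMP_HEADER = 8                     # ICMP echo request header
OVERHEAD = IP_HEADER + ICMP_HEADER  # 28 bytes between payload size and packet size


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one Don't-Fragment echo request carrying `payload` bytes.

    Returns True only if a reply came back. Assumption: a "Packet needs to be
    fragmented" / "message too long" result gives a non-zero exit status.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:  # Linux iputils ping
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def max_payload(probe: Callable[[int], bool], low: int = 0, high: int = 65500) -> int:
    """Largest payload size for which probe() still succeeds.

    Invariant: probe(low) is True and probe(high) is False, so the answer lies in
    [low, high). About 16 probes cover the whole range instead of many manual tries.
    """
    if not probe(low):
        raise RuntimeError("no reply even to the smallest probe; host down or ICMP filtered")
    if probe(high):
        return high
    while high - low > 1:
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def path_mtu(payload: int) -> int:
    """Convert the largest payload back to the MTU that produced it (1472 -> 1500)."""
    return payload + OVERHEAD


def simulated_probe(mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_probe: replies only if the whole packet fits `mtu`."""
    return lambda payload: payload + OVERHEAD <= mtu


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.eccouncil.org"
    best = max_payload(lambda n: ping_probe(target, n))
    print(f"largest unfragmented payload to {target}: {best} bytes "
          f"(path MTU {path_mtu(best)})")
```

Run it as `python3 mtu_probe.py www.eccouncil.org`; the simulated probe is only there to show that a 1500-byte path yields 1472 and a 1400-byte path yields 1372.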

Flag 14

Use the Photon tool to crawl the www.certifiedhacker.com website for internal, external and script URLs. What is the option that was used to specify the target website?

  • python3 photon.py -u http://www.certifiedhacker.com -l 3 -t 200 --wayback

    • -u URL of the target

    • -l crawl depth (levels)

    • -t number of threads

    • --wayback use URLs from archive.org as seeds

A: -u

Flag 15

Use the Photon tool to crawl the www.certifiedhacker.com website using URLs from archive.org. Enter the option that specifies using URLs from archive.org as seeds.

A: --wayback

Flag 16

Gather information about the www.certifiedhacker.com website using CentralOps. Enter the IP address gathered under the Address lookup section.

A: 162.241.216.11

Flag 17

In the Windows 11 machine, use Web Data Extractor web spidering tool to gather the target company’s (http://www.certifiedhacker.com) data. Enter the contact email ID of the support department.

A: support@introspire.web

Flag 18

In the Windows 11 machine, use HTTrack Web Site Copier tool to mirror the entire website of the target organization (http://www.certifiedhacker.com). Enter the newly created HTML file name, which allows you to view the webpage of the mirrored website on any browser.

This is a concept question. Remember, this tool always creates the mirror of the site's main URL as:

A: index.html

Flag 19

Use GRecon to search for available subdomains, sub-subdomains, login pages, directory listings, exposed documents, WordPress entries and pasting sites in target website. Enter the target that was used in this task to gather information.

git clone https://github.com/TebbaaX/GRecon
cd GRecon
python3 -m pip install -r requirements.txt
python3 Grecon.py

A: certifiedhacker.com

Flag 20

Use the CeWL Ruby application to gather a wordlist from the target website (http://www.certifiedhacker.com). Enter the command which allows you to gather a unique wordlist from the target website with a minimum word length of 6 and a depth of 3 to spider the target website.

A: cewl -d 3 -m 6 www.certifiedhacker.com

Flag 21

In Windows 11 machine, use eMailTrackerPro tool located at E:\CEH-Tools\CEHv12 Module 02 Footprinting and Reconnaissance\Email Tracking Tools to gather information about an email by analyzing the email header. Observe the output and enter YES if the tool contains the “Abuse Reporting” feature; else, enter NO.

A: YES

Flag 22

Perform a Whois lookup using DomainTools and find the URL that belongs to registrar of the website www.certifiedhacker.com.

Browser: https://whois.domaintools.com/

A: http://networksolutions.com

Flag 23

Use the nslookup command-line utility to find the primary server of the website www.certifiedhacker.com.

A: ns1.bluehost.com

Flag 24

Perform a reverse DNS lookup using DNSRecon on IP range (162.241.216.0-162.241.216.255) to locate a DNS PTR record. Enter the DNS PTR record for IP address 162.241.216.11.

A: box5331.bluehost.com
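The same reverse sweep can be reproduced without DNSRecon. The script below is an added example, not part of the original write-up or of DNSRecon: it expands a CIDR or a dnsrecon-style start-end range, asks the OS resolver for each PTR record, and groups the names by hosting suffix. The lookup table `SAMPLE_PTRS` is constructed for offline use; only the 162.241.216.11 entry is the record from this task, the other two are made up to show the grouping.

```python
"""Reverse-DNS sweep of an address range (added example), the manual equivalent of
`dnsrecon -r 162.241.216.0-162.241.216.255`. Standard library only.
"""
import ipaddress
import socket
import sys
from collections import Counter
from typing import Callable, Dict, Iterator, Optional

Resolver = Callable[[str], Optional[str]]


def expand_range(spec: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield every address in a CIDR ('162.241.216.0/24') or a dnsrecon-style
    'start-end' range ('162.241.216.0-162.241.216.255')."""
    if "-" in spec:
        start, end = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        for net in ipaddress.summarize_address_range(start, end):
            yield from net
    else:
        yield from ipaddress.ip_network(spec, strict=False)


def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def reverse_sweep(spec: str, resolver: Resolver = system_ptr) -> Dict[str, str]:
    """Map every address in `spec` that has a PTR record to its hostname."""
    found: Dict[str, str] = {}
    for ip in expand_range(spec):
        name = resolver(str(ip))
        if name:
            found[str(ip)] = name
    return found


def hosting_summary(ptrs: Dict[str, str]) -> Counter:
    """Count PTR names by their last two labels ('box5331.bluehost.com' -> 'bluehost.com')
    to see which providers host the range."""
    return Counter(".".join(name.rstrip(".").split(".")[-2:]) for name in ptrs.values())


# Constructed lookup table for offline use. 162.241.216.11 is the record found in the
# task; the other two entries are invented purely to exercise the grouping.
SAMPLE_PTRS = {
    "162.241.216.11": "box5331.bluehost.com",
    "162.241.216.12": "box5332.bluehost.com",
    "162.241.216.200": "mail.example.net",
}


def sample_resolver(ip: str) -> Optional[str]:
    """Resolver that consults SAMPLE_PTRS instead of DNS (offline stand-in)."""
    return SAMPLE_PTRS.get(ip)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "162.241.216.0-162.241.216.255"
    results = reverse_sweep(target)
    for ip, name in sorted(results.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])):
        print(f"{ip:<16} PTR {name}")
    print("hosting summary:", dict(hosting_summary(results)))
```

Pass `resolver=sample_resolver` to `reverse_sweep` to run it against the constructed table; with the default resolver it performs one real PTR query per address, so a /24 takes a few seconds.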

Flag 25

Use SecurityTrails to gather information regarding the subdomains and DNS records of the certifiedhacker.com website. Enter YES if you find any NS records; else, enter NO.

A: YES

Flag 26

Use SecurityTrails to gather information regarding the subdomains and DNS records of the certifiedhacker.com website. Enter YES if you find any AAAA records; else, enter NO.

From the SecurityTrails DNS records view used for the previous flag, you can see that no AAAA records are listed.

A: NO

Flag 27

Use the ARIN Whois database search tool (https://www.arin.net/about/welcome/region) to locate the network range of the target organization (www.certifiedhacker.com). Enter the network range information about the target organization.

A: 162.240.0.0 – 162.241.255.255

Flag 28

Perform network tracerouting using the traceroute command on a Linux machine for the www.certifiedhacker.com domain. Enter the IP address of the target domain.

A: 162.241.216.11

Flag 29

Use the Recon-ng tool to gather personnel information. Enter the Recon-ng module name, which allows you to find user profiles on various websites.

In the future, I will make a full post about recon-ng, stay tuned!

A: recon/profiles-profiles/profiler

Flag 30

Use the Maltego tool to gather information about the target organization (www.certifiedhacker.com). Enter the information about the mail exchange server associated with the certifiedhacker.com domain.

A: mail.certifiedhacker.com

Flag 31

Use the OSRFramework tool to check for the existence of a Mark Zuckerberg profile on different social networking platforms. Enter YES if the given user profile exists; else, enter NO.

  • Type: searchfy -q "Mark Zuckerberg"

A: YES

Flag 32

Use the FOCA tool to gather useful information about www.eccouncil.org. Enter the number of browsers that are available under the Search engines section.

A: 3

Flag 33

Use the BillCipher tool to footprint a target website URL (www.certifiedhacker.com). Identify the webserver application used to host the web pages.

A: nginx

Flag 34

Use the OSINT Framework (https://osintframework.com) to explore footprinting categories and associated tools. Enter the complete website URL of the Domain Dossier tool, which generates reports from public records.

A: https://centralops.net/co/DomainDossier.aspx
