# Module 02 - Practical

These are the steps I took to complete the first flag-hunting session in the second module of the CEH v12 Practical Course.

### Flag 1

Use an advanced Google hacking technique to find PDF files on the website [www.eccouncil.org](http://www.eccouncil.org). Enter the complete URL of the CEH-Brochure.pdf file.

For this flag you only need to apply a Google dork, a query technique that uses the search operators Google provides to get more precise information.

I suggest the following cheat sheet for quickly learning the Advanced Google Search commands:

<https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06>

1. Google: `site:eccouncil.org filetype:pdf brochure`

A:     <https://www.eccouncil.org/wp-content/uploads/2022/09/CEH-brochure.pdf>

### Flag 2

Search for “EC-Council CEHv11” on YouTube (<https://www.youtube.com>) and perform a reverse image search on the YouTube video titled as “EC-Council Certified Ethical Hacker (CEH) v11” using Youtube Metadata (<https://mattw.io/youtube-metadata/>) video analysis tool. Enter the Video ID.

Self-explanatory, there is no mystery in a YouTube Search.

1. YouTube search: EC-Council Certified Ethical Hacker (CEH) v11

A:        V\_i3wCtn0qA

### Flag 3

Use the NAPALM FTP Indexer (<https://www.searchftps.net/>) to extract critical FTP information about a target organization, Microsoft. Enter YES if you find files located on the target’s FTP servers; else, enter NO.

1. Open your browser and go to: <https://www.searchftps.net/>
2. Search for “Microsoft”

<figure><img src="http://blogalpharhob.com/wp-content/uploads/2023/01/Image-1.bmp" alt="" height="117" width="395"><figcaption></figcaption></figure>

* You can see that there are a lot of files.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-2.bmp" alt="" height="209" width="348"><figcaption></figcaption></figure>

A:        YES

### Flag 4

Use the Shodan IoT search engine to search for information about vulnerable IoT devices in a target organization, Amazon. Enter YES if you find details of vulnerable IoT devices related to amazon; else, enter NO.

1. Open your browser and go to:            <https://www.shodan.io/>
2. Search for “Amazon”

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-3.bmp" alt="" height="55" width="624"><figcaption></figcaption></figure>

* There are a lot of devices related to Amazon; one of them should have a vulnerability.

A:        YES

### Flag 5

Search for [www.eccouncil.org](http://www.eccouncil.org) on Netcraft (<https://www.netcraft.com>) and identify the operating system of the web server hosting the website [www.eccouncil.org](http://www.eccouncil.org/).

* From your browser, go to:      [https://www.netcraft.com](https://www.netcraft.com/)
* Go to **Resources** > **Site Report**

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-4.bmp" alt="" height="281" width="300"><figcaption></figcaption></figure>

* Search for       [www.eccouncil.org](http://www.eccouncil.org/)

There is nothing explicit about the operating system of the web server, so let’s try another site.

* Go to:              <https://censys.io/domain?q=>
* Search for:      [www.eccouncil.org](http://www.eccouncil.org)
* Open the first IP and look in the basic information.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-5.bmp" alt="" height="201" width="464"><figcaption></figcaption></figure>

A:        Linux

### Flag 6

Gather personal information about Satya Nadella (CEO of Microsoft) using PeekYou (<https://www.peekyou.com>), an online people search service. Enter the name of the university where Satya Nadella studied MBA.

* Go to <https://www.peekyou.com/>
* Search for:      Satya Nadella
* Microsoft CEO

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-6.bmp" alt="" height="145" width="389"><figcaption></figcaption></figure>

A:        University of Chicago

### Flag 7

Use theHarvester tool to gather the list of email IDs related to Microsoft ([www.microsoft.com](http://www.microsoft.com)) organization from the Baidu search engine. Enter the option that specifies the domain or company name to search.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-7.bmp" alt="" height="347" width="507"><figcaption></figcaption></figure>

A:        -d

### Flag 8

Use Tor Browser to perform searches on the deep and dark web. Identify the search engine Tor Browser uses to perform a dark web search.

A:        DuckDuckGo

### Flag 9

Use Censys (<https://search.censys.io/?q>) to perform the passive footprinting of [www.eccouncil.org](http://www.eccouncil.org). Flag submission is not required for this task, enter “No flag” as the answer.

* Go to <https://search.censys.io/?q>
* Search for: [www.eccouncil.org](http://www.eccouncil.org/)

A:        No flag

### Flag 10

Use theHarvester tool to gather information about the employees (name and job title) of a target organization (eccouncil.org) available on LinkedIn. Enter the option to specify the data source as LinkedIn.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-8.bmp" alt="" height="149" width="624"><figcaption></figcaption></figure>

A:        -b

### Flag 11

Use the Sherlock tool to gather all the URLs related to Satya Nadella from various social networking sites. Enter the complete URL related to Satya Nadella that is obtained from the social networking site Academia.edu.

* Using your Parrot Virtual machine, go to the Sherlock folder
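* Parrot Terminal: `python3 sherlock.py satya nadella`

```bash
# Fetch Sherlock and move into the directory that contains sherlock.py
git clone https://github.com/sherlock-project/sherlock
cd ./sherlock/sherlock
# Each argument is checked as a separate username ("satya" and "nadella")
python3 sherlock.py satya nadella
```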

A:        <https://independent.academia.edu/satya>

### Flag 12

Use the Followerwonk online tool (<https://followerwonk.com/analyze>) to gather Twitter information about Satya Nadella. What is the name of rating Followerwonk uses to rate a user’s influence and engagement on Twitter?

* Go to <https://followerwonk.com/analyze>
* Search for @SatyaNadella

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-9.bmp" alt="" height="68" width="624"><figcaption></figcaption></figure>

A:        Social Authority

### Flag 13

Use the ping command-line utility to test the reachability of the website [www.eccouncil.org](http://www.eccouncil.org). Identify the maximum packet/frame size on this machine’s network.

* Terminal:        `ping www.eccouncil.org -f -l 1500`
  * No response
* Terminal:        `ping www.eccouncil.org -f -l 1300`
  * Here you get a response, continue…
* ***After many iterations***
* Terminal:        `ping www.eccouncil.org -f -l 1472`

A:        1472
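
The trial-and-error above can be automated with a binary search over the payload size. This is an added example, not part of the original walkthrough; it assumes IPv4, the helper names (`ping_probe`, `max_unfragmented_payload`, `simulated_path`) are hypothetical, and the simulated path is constructed so the search runs offline.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_probe(host):
    """Return probe(size): one echo request with Don't Fragment set."""
    if platform.system() == "Windows":
        base = ["ping", "-n", "1", "-w", "2000", "-f", "-l"]  # -f/-l as on the page
    else:
        base = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s"]  # Linux iputils

    def probe(size):
        result = subprocess.run(base + [str(size), host],
                                capture_output=True, text=True)
        output = (result.stdout + result.stderr).lower()
        # Require a successful exit and no fragmentation complaint in the output
        return result.returncode == 0 and "fragment" not in output
    return probe


def max_unfragmented_payload(probe, low=0, high=1500):
    """Largest size in [low, high] that probe() accepts, or None."""
    if not probe(low):
        return None  # no reply even for the smallest packet: nothing to measure
    while low < high:
        mid = (low + high + 1) // 2  # round up so the range always shrinks
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low


def simulated_path(mtu):
    """Constructed stand-in for a network path with the given MTU."""
    calls = []

    def probe(size):
        calls.append(size)
        return size + IP_ICMP_OVERHEAD <= mtu
    return probe, calls


if __name__ == "__main__":
    probe, calls = simulated_path(1500)
    payload = max_unfragmented_payload(probe)
    print(payload, payload + IP_ICMP_OVERHEAD, len(calls))
    # Live run: max_unfragmented_payload(ping_probe("www.eccouncil.org"))
```

The payload found plus the 28 header bytes gives the path MTU, which is why 1472 corresponds to a standard 1500-byte Ethernet MTU.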

### Flag 14

Use Photon tool to crawl [www.certifiedhacker.com](http://www.certifiedhacker.com) website for internal, external and scripts URLs. What is the option that was used to specify the target website?

* `python3 photon.py -u http://www.certifiedhacker.com -l 3 -t 200 --wayback`
  * `-u`: URL
  * `-t`: number of threads
  * `--wayback`: specifies using URLs from archive.org as seeds

A:        -u

### Flag 15

Use Photon tool to crawl [www.certifiedhacker.com](http://www.certifiedhacker.com) website using URLs from archive.org. Enter the option that specifies using URLs from archive.org as seeds.

A:        --wayback

### Flag 16

Gather information about [www.certifiedhacker.com](http://www.certifiedhacker.com) website using Central Ops. Enter the IP address gathered under Address lookup section.

* Go to <https://centralops.net/co/>
* Search for [www.certifiedhacker.com](http://www.certifiedhacker.com/)

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-10.bmp" alt="" height="131" width="382"><figcaption></figcaption></figure>

A:        162.241.216.11

### Flag 17

In the Windows 11 machine, use Web Data Extractor web spidering tool to gather the target company’s (<http://www.certifiedhacker.com>) data. Enter the contact email ID of the support department.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-11.bmp" alt="" height="319" width="469"><figcaption></figcaption></figure>

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-12-1.bmp" alt="" height="174" width="618"><figcaption></figcaption></figure>

A:        <support@introspire.web>

### Flag 18

In the Windows 11 machine, use HTTrack Web Site Copier tool to mirror the entire website of the target organization (<http://www.certifiedhacker.com>). Enter the newly created HTML file name, which allows you to view the webpage of the mirrored website on any browser.

This is a concept question. Remember that this tool always creates the mirrored website with the main URL as:

A:        index.html

### Flag 19

Use GRecon to search for available subdomains, sub-subdomains, login pages, directory listings, exposed documents, WordPress entries and pasting sites in target website. Enter the target that was used in this task to gather information.

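```bash
# Fetch GRecon and install its Python dependencies
git clone https://github.com/TebbaaX/GRecon
cd GRecon
python3 -m pip install -r requirements.txt
# Start the tool; it prompts for the target domain
python3 grecon.py
```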

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-13.bmp" alt="" height="126" width="448"><figcaption><p>Set target as: certifiedhacker.com</p></figcaption></figure>

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-14.bmp" alt="" height="386" width="572"><figcaption></figcaption></figure>

A:                    certifiedhacker.com

### Flag 20

Use CeWL ruby application to gather a wordlist from the target website (<http://www.certifiedhacker.com>). Enter the command which allows you to gather a unique wordlist from the target website with a minimum word length of 6 and the depth of 3 to spider the target website.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-15.bmp" alt="" height="93" width="624"><figcaption><p>CEWL Sample</p></figcaption></figure>

A:        cewl -d 3 -m 6 [www.certifiedhacker.com](http://www.certifiedhacker.com)

### Flag 21

In Windows 11 machine, use eMailTrackerPro tool located at E:\CEH-Tools\CEHv12 Module 02 Footprinting and Reconnaissance\Email Tracking Tools to gather information about an email by analyzing the email header. Observe the output and enter YES if the tool contains the “Abuse Reporting” feature; else, enter NO.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-16.bmp" alt="" height="322" width="624"><figcaption><p>eMailTrackerPro’s Sample</p></figcaption></figure>

A:        YES

### Flag 22

Perform a Whois lookup using DomainTools and find the URL that belongs to registrar of the website [www.certifiedhacker.com](http://www.certifiedhacker.com/).

Browser:         <https://whois.domaintools.com/>

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-17.bmp" alt="" height="308" width="624"><figcaption></figcaption></figure>

A:        <http://networksolutions.com>

### Flag 23

Use the nslookup command-line utility to find the primary server of the website [www.certifiedhacker.com](http://www.certifiedhacker.com/)

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-18.bmp" alt="" height="333" width="426"><figcaption></figcaption></figure>

A:                    ns1.bluehost.com

### Flag 24

Perform a reverse DNS lookup using DNSRecon on IP range (162.241.216.0-162.241.216.255) to locate a DNS PTR record. Enter the DNS PTR record for IP address 162.241.216.11.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-19.bmp" alt="" height="374" width="624"><figcaption></figcaption></figure>

A:        box5331.bluehost.com

### Flag 25

Use SecurityTrails to gather information regarding the subdomains and DNS records of the certifiedhacker.com website. Enter YES if you find any NS records; else, enter NO.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-20.bmp" alt="" height="340" width="394"><figcaption></figcaption></figure>

A:        YES

### Flag 26

Use SecurityTrails to gather information regarding the subdomains and DNS records of the certifiedhacker.com website. Enter YES if you find any AAAA records; else, enter NO.

From the previous image, you can see it…

A:        NO

### Flag 27

Use the ARIN Whois database search tool (<https://www.arin.net/about/welcome/region>) to locate the network range of the target organization ([www.certifiedhacker.com](http://www.certifiedhacker.com)). Enter the network range information about the target organization.

* Go to <https://www.arin.net/about/welcome/region>
* Search for the Target IP:        162.241.216.11

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-21.bmp" alt="" height="269" width="397"><figcaption></figcaption></figure>

A:        162.240.0.0 – 162.241.255.255

### Flag 28

Perform network tracerouting using traceroute command in Linux machine for [www.certifiedhacker.com](http://www.certifiedhacker.com) domain. Enter the IP address of the target domain.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-22.bmp" alt="" height="47" width="624"><figcaption></figcaption></figure>

A:                    162.241.216.11

### Flag 29

Use the Recon-ng tool to gather personnel information. Enter the Recon-ng module name, which allows you to find user profiles on various websites.

In the future, I will make a full post about recon-ng, stay tuned!

A:                    recon/profiles-profiles/profiler

### Flag 30

Use the Maltego tool to gather information about the target organization ([www.certifiedhacker.com](http://www.certifiedhacker.com)). Enter the information about the mail exchange server associated with the certifiedhacker.com domain.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-23.bmp" alt="" height="267" width="300"><figcaption></figcaption></figure>

A:                    mail.certifiedhacker.com

### Flag 31

Use the OSRFramework tool to check for the existence of a Mark Zuckerberg profile on different social networking platforms. Enter YES if the given user profile exists; else, enter NO.

* Type: `searchfy -q "Mark Zuckerberg"`

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-24.bmp" alt="" height="335" width="624"><figcaption></figcaption></figure>

A:                    YES

### Flag 32

Use Foca tool to gather useful information about the [www.eccouncil.org](http://www.eccouncil.org). Enter the number of browsers that are available under Search engines section.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-25.bmp" alt="" height="72" width="624"><figcaption></figcaption></figure>

A:        3

### Flag 33

Use the BillCipher tool to footprint a target website URL ([www.certifiedhacker.com](http://www.certifiedhacker.com)). Identify the webserver application used to host the web pages.

A:        nginx

### Flag 34

Use the OSINT Framework (<https://osintframework.com>) to explore footprinting categories and associated tools. Enter the complete website URL of the Domain Dossier tool, which generates reports from public records.

<figure><img src="https://blogalpharhob.com/wp-content/uploads/2023/01/Image-26.bmp" alt="" height="153" width="474"><figcaption></figcaption></figure>

A:        <https://centralops.net/co/DomainDossier.aspx>
