
Module 02 - Practical


Last updated 1 year ago

These are the steps that I took to complete the first flag-hunting session in the second module of the CEH v12 Practical Course.

Flag 1

Use an advanced Google hacking technique to find PDF files on the website www.eccouncil.org. Enter the complete URL of the CEH-Brochure.pdf file. For this flag you only need to apply a Google dork: a method provided by Google for writing queries that return more precise information.

I suggest the following cheat sheet to learn the Advanced Google Search commands quickly: https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06

  1. Google: site:eccouncil.org filetype:pdf brochure

A: https://www.eccouncil.org/wp-content/uploads/2022/09/CEH-brochure.pdf

Flag 2

Search for “EC-Council CEHv11” on YouTube (https://www.youtube.com) and perform a reverse image search on the YouTube video titled as “EC-Council Certified Ethical Hacker (CEH) v11” using Youtube Metadata (https://mattw.io/youtube-metadata/) video analysis tool. Enter the Video ID.

Self-explanatory, there is no mystery in a YouTube Search.

  1. YouTube search: EC-Council Certified Ethical Hacker (CEH) v11

A: V_i3wCtn0qA

Flag 3

Use the NAPALM FTP Indexer (https://www.searchftps.net/) to extract critical FTP information about a target organization, Microsoft. Enter YES if you find files located on the target’s FTP servers; else, enter NO.

  1. Search for “Microsoft”

  • You can see that there are a lot of files.

A: YES

Flag 4

Use the Shodan IoT search engine to search for information about vulnerable IoT devices in a target organization, Amazon. Enter YES if you find details of vulnerable IoT devices related to amazon; else, enter NO.

  1. Search for “Amazon”

  • There are a lot of devices related to Amazon, one of them should have a vulnerability.

A: YES

Flag 5

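Search for www.eccouncil.org on Netcraft (https://www.netcraft.com) and identify the operating system of the web server hosting the website.

  • Go to Resources > Site Report

There is nothing explicit about the operating system of the web server, so let’s try another site.

  • Search for: www.eccouncil.org

  • Open the first IP and look in the basic information.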

A: Linux

Flag 6

Gather personal information about Satya Nadella (CEO of Microsoft) using PeekYou (https://www.peekyou.com), an online people search service. Enter the name of the university where Satya Nadella studied MBA.

  • Search for: Satya Nadella

  • Microsoft CEO

A: University of Chicago

Flag 7

Use theHarvester tool to gather the list of email IDs related to Microsoft (www.microsoft.com) organization from the Baidu search engine. Enter the option that specifies the domain or company name to search.

A: -d

Flag 8

Use Tor Browser to perform searches on the deep and dark web. Identify the search engine Tor Browser uses to perform a dark web search.

A: DuckDuckGo

Flag 9

Use Censys (https://search.censys.io/?q) to perform the passive footprinting of www.eccouncil.org. Flag submission is not required for this task, enter “No flag” as the answer.

A: No flag

Flag 10

Use theHarvester tool to gather information about the employees (name and job title) of a target organization (eccouncil.org) available on LinkedIn. Enter the option to specify the data source as LinkedIn.

A: -b

Flag 11

Use the Sherlock tool to gather all the URLs related to Satya Nadella from various social networking sites. Enter the complete URL related to Satya Nadella that is obtained from the social networking site Academia.edu.

  • Using your Parrot Virtual machine, go to the Sherlock folder

  • Parrot Terminal: python3 sherlock.py satya nadella

git clone https://github.com/sherlock-project/sherlock
cd ./sherlock/sherlock
python3 sherlock.py satya nadella

A: https://independent.academia.edu/satya

Flag 12

Use the Followerwonk online tool (https://followerwonk.com/analyze) to gather Twitter information about Satya Nadella. What is the name of rating Followerwonk uses to rate a user’s influence and engagement on Twitter?

  • Search for @SatyaNadella

A: Social Authority

Flag 13

Use the ping command-line utility to test the reachability of the website www.eccouncil.org. Identify the maximum packet/frame size on this machine’s network.

  • Terminal: ping www.eccouncil.org -f -l 1500

    • No response

  • Terminal: ping www.eccouncil.org -f -l 1300

    • Here you get a response, continue…

  • After many iterations

  • Terminal: ping www.eccouncil.org -f -l 1472

A: 1472
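The "many iterations" above can be replaced by a binary search over the payload size. The following is an added example, not part of the original walkthrough: the function names are hypothetical, the Linux branch assumes iputils ping, and the simulated path is constructed so the logic can be checked offline.

```python
import platform
import subprocess
import sys

IP_HEADER = 20    # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo header

def ping_df(host, payload):
    """Send one echo request with Don't Fragment set; True if a reply came back."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    else:  # assumption: Linux iputils ping
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    # An echo reply line carries a TTL; error lines such as
    # "Packet needs to be fragmented but DF set" do not.
    return "ttl=" in result.stdout.lower()

def max_unfragmented_payload(probe, low=0, high=1500):
    """Largest payload in [low, high] that probe() accepts, or None if none does.

    Assumes probe is monotonic: once a size fails, every larger size fails too.
    """
    if not probe(low):
        return None  # host unreachable or ICMP filtered: nothing to measure
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid        # mid fits, search above it
        else:
            high = mid - 1   # mid is too large, search below it
    return low

def mtu_from_payload(payload):
    """Frame size implied by a ping payload: payload + IP + ICMP headers."""
    return payload + IP_HEADER + ICMP_HEADER

def simulated_path(mtu):
    """Constructed stand-in for a network path with the given MTU."""
    return lambda payload: mtu_from_payload(payload) <= mtu

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real measurement against the host given on the CLI
        probe = lambda size: ping_df(sys.argv[1], size)
    else:                  # offline demonstration on a 1500-byte path
        probe = simulated_path(1500)
    best = max_unfragmented_payload(probe)
    if best is None:
        print("no reply even for an empty payload")
    else:
        print(f"max payload {best} bytes -> MTU {mtu_from_payload(best)} bytes")
```

On a standard Ethernet path this settles on 1472 in about a dozen probes, because 1472 bytes of payload plus 28 bytes of IP and ICMP headers fill a 1500-byte MTU.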

Flag 14

Use Photon tool to crawl www.certifiedhacker.com website for internal, external and scripts URLs. What is the option that was used to specify the target website?

  • python3 photon.py -u http://www.certifiedhacker.com -l 3 -t 200 --wayback

    • -u URL

    • -t Number of threads

    • --wayback specifies using URLs from archive.org as seed

A: -u

Flag 15

Use Photon tool to crawl www.certifiedhacker.com website using URLs from archive.org. Enter the option that specifies using URLs from archive.org as seeds.

A: --wayback

Flag 16

Gather information about www.certifiedhacker.com website using Central Ops. Enter the IP address gathered under Address lookup section.

A: 162.241.216.11

Flag 17

In the Windows 11 machine, use Web Data Extractor web spidering tool to gather the target company’s (http://www.certifiedhacker.com) data. Enter the contact email ID of the support department.

A: support@introspire.web

Flag 18

In the Windows 11 machine, use HTTrack Web Site Copier tool to mirror the entire website of the target organization (http://www.certifiedhacker.com). Enter the newly created HTML file name, which allows you to view the webpage of the mirrored website on any browser.

This is a concept question. Remember, this tool always creates the mirrored website with the main URL as:

A: index.html

Flag 19

Use GRecon to search for available subdomains, sub-subdomains, login pages, directory listings, exposed documents, WordPress entries and pasting sites in target website. Enter the target that was used in this task to gather information.

git clone https://github.com/TebbaaX/GRecon
cd GRecon
python3 -m pip install -r requirements.txt
python3 grecon.py

A: certifiedhacker.com

Flag 20

Use CeWL ruby application to gather a wordlist from the target website (http://www.certifiedhacker.com). Enter the command which allows you to gather a unique wordlist from the target website with a minimum word length of 6 and the depth of 3 to spider the target website.

A: cewl -d 3 -m 6 www.certifiedhacker.com

Flag 21

In Windows 11 machine, use eMailTrackerPro tool located at E:\CEH-Tools\CEHv12 Module 02 Footprinting and Reconnaissance\Email Tracking Tools to gather information about an email by analyzing the email header. Observe the output and enter YES if the tool contains the “Abuse Reporting” feature; else, enter NO.

A: YES

Flag 22

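Perform a Whois lookup using DomainTools and find the URL that belongs to registrar of the website.

A: http://networksolutions.com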

Flag 23

Use the nslookup command-line utility to find the primary server of the website.

A: ns1.bluehost.com

Flag 24

Perform a reverse DNS lookup using DNSRecon on IP range (162.241.216.0-162.241.216.255) to locate a DNS PTR record. Enter the DNS PTR record for IP address 162.241.216.11.

A: box5331.bluehost.com

Flag 25

Use SecurityTrails to gather information regarding the subdomains and DNS records of the certifiedhacker.com website. Enter YES if you find any NS records; else, enter NO.

A: YES

Flag 26

Use SecurityTrails to gather information regarding the subdomains and DNS records of the certifiedhacker.com website. Enter YES if you find any AAAA records; else, enter NO.

From the previous image, you can see it…

A: NO

Flag 27

Use the ARIN Whois database search tool (https://www.arin.net/about/welcome/region) to locate the network range of the target organization (www.certifiedhacker.com). Enter the network range information about the target organization.

  • Search for the Target IP: 162.241.216.11

A: 162.240.0.0 – 162.241.255.255

Flag 28

Perform network tracerouting using traceroute command in Linux machine for www.certifiedhacker.com domain. Enter the IP address of the target domain.

A: 162.241.216.11

Flag 29

Use the Recon-ng tool to gather personnel information. Enter the Recon-ng module name, which allows you to find user profiles on various websites.

In the future, I will make a full post about recon-ng, stay tuned!

A: recon/profiles-profiles/profiler

Flag 30

Use the Maltego tool to gather information about the target organization (www.certifiedhacker.com). Enter the information about the mail exchange server associated with the certifiedhacker.com domain.

A: mail.certifiedhacker.com

Flag 31

Use the OSRFramework tool to check for the existence of a Mark Zuckerberg profile on different social networking platforms. Enter YES if the given user profile exists; else, enter NO.

  • Type: searchfy -q "Mark Zuckerberg"

A: YES

Flag 32

Use Foca tool to gather useful information about the www.eccouncil.org. Enter the number of browsers that are available under Search engines section.

A: 3

Flag 33

Use the BillCipher tool to footprint a target website URL (www.certifiedhacker.com). Identify the webserver application used to host the web pages.

A: nginx

Flag 34

Use the OSINT Framework (https://osintframework.com) to explore footprinting categories and associated tools. Enter the complete website URL of the Domain Dossier tool, which generates reports from public records.

A: https://centralops.net/co/DomainDossier.aspx
