My CEH V11 notes from EC-Council Book

13 min readMar 8, 2021


Chapter1; Introduction to Ethical Hacking.

Information security:- refers to the protection or safeguards of information or information system that use, store, transmit information from disclosure, alteration or destruction.

Information security elements:-

  1. Confidentiality:-Insure that information can be accessible by only authorized users. ex:- data classifications, data encryption.
  2. Integrity:-Insure that information can be changed or altered by only authorized users. ex:- access controls, checksum.
  3. Availability:-Insure the stored, processed information are available when needed. ex:- cluster machines, redundant systems, DDOS protection or antivirus software.
  4. Authority:-The one’s identity is created with a proof and conformed by a system. ex:-authentications controls.
  5. Non-repudiation:- The sender and receiver can’t deny the messages they sent or received. ex:-digital signature.

Attacks = Motives(Goals) + Methods + Vulnerabilities.

Attacks categories:-

  1. Passive attacks:- don’t tamper with the target system directly. Only intercept or monitor the network traffic.
  2. Active Attacks:-tamper with the target system directly.
  3. Close-in Attacks:- performed when attackers are in close of physical target systems.
  4. Insider Attacks:-performed with a trusted person.
  5. Distribution Attacks:-tamper with the hardware or software prior installation.

Information warfare or infowar refers to the use of Information and Communication Technology to gain competitive advantages over an opponent.

Defensive:- use actions or strategies to defend against attacks.

Offensive:-involve attacks against attackers.

Cyber kill chain:- is an efficient way to describe how to attack the target organization.

Cyber kill chain methodology:-

  1. Reconnaissance:-Gather information about the target organization. It can be active or passive.
  2. Weaponization:-Analyze the information gained from previous stage then select a payload and send it.
  3. Delivery:-Make sure that the payload is sent successfully, and whether the intrusion attempts are blocked or not.
  4. Exploitation:-Executing the payload code in the target systems.
  5. Installation:-Repeat the previous stages for other system to spread the attacks.
  6. Commands and Controls:- Create command and control channel to communicate and pass the data between system.
  7. Actions on objectives:-Perform actions to achieve intended goals.

TTPS; Tactics, Techniques and Procedures:- are helpful to analyze threats and profiling threat actors that used to strengthen the security of the organization.

Tactics:-Guidelines that describe the way attackers perform their attacks from beginning to the end; help to predict and detect evolving treats in early stages.

Techniques:-Defines the technical methods that attackers use to achieve their goals; help to identify vulnerabilities and implement measures in advance.

Procedures:-Defines as the organizational approaches followed by threat actor to lunch their attacks; help to identify what an attacker is looking for.

IoC; Indicators of Compromise:-are clues, artifacts or pieces of forensic data found on network or operating system of an organization that indicate of intrusion or malicious activities on the organization’s infrastructure.

IoC Categories:-

  1. Email indicators.
  2. Network-based indicators.
  3. Host-based indicators.
  4. Behavioral indicators.

Hacker classes:-

  1. Black hats:-they attack for illegal or malicious proposes.
  2. White hats:-they have promotions to attack their target.
  3. Grey hats:- they are in between Black and White hats.
  4. suicide hackers:-they are not careful about the consequences of their actions.
  5. Script kiddies:- they don’t have skills and use tools from other hackers.
  6. Cyber terrorists:-they are motivated by political or religious beliefs.
  7. State-sponsored:-they are employed by governments.
  8. Hacktivists:-they are motivated by political or religious beliefs.

The only difference between cyber terrorists and hacktivists is that the cyber terrorists want to send a message. However, the hacktivists want to harm their targets.

Hacker phases:-

  1. Reconnaissance.
  2. Scanning.
  3. Gaining Access.
  4. Maintaining Access.
  5. Clearing Tracks.

IA; Information Assurance:-assurance that the confidentiality, integrity, availability and authenticity of information and information system is protected during usage, processing, storing and transmission of information.

Defense-In-Depth:-is a security strategies in which several protection layers are placed throughout the an information system.

Risk:- is a degree of expectations that an adversary event may cause damage to the system.

Risk matrix:- is used to scale risk by considering probability, likelihood and consequences or impact of the risk.

Risk management:- is the process of reducing and maintaining risks at acceptable level.

Risk management phases:-

  1. Risk Identifying.
  2. Risk Assessment.
  3. Risk Treatment.
  4. Risk Tracking.
  5. Risk Reviewing.

CIT; Cyber Intelligence Threat:- helps the organizations to identify and mitigate business risk by collecting information about unknown vulnerabilities, adversaries… .

Types of Threat Intelligence:-

  1. Strategical:-high-level information on changing risk; consumed by high-level executives and management.
  2. Tactical:-provides information related to TTPs; consumed by IT services and SOC mangers, administrators
  3. Operational:-provide information on specific attacks; consumed by security managers and network defenders.
  4. Technical:-provide information on specific IoC; consumed by SOC staff and IR; Incidents Response teams.

Threat modeling process:-

  1. Identify Security Objectives.
  2. Application Overview.
  3. Decompose Application.
  4. Identify Threats.
  5. Identify Vulnerabilities.

Incident Management:-is a set of defined processes to identify, analyze, prioritize and resolve security incidents to resolve normal services operations as quickly as possible and prevent future reoccurrence of the incidents.

Incident Response is a part of Incident Handling, which is part of Incident Management.

IH&R; Incidents Handling & Response:-

  1. Preparation.
  2. Incidents recording and assessment.
  3. Incident triage.
  4. Notification.
  5. Containment.
  6. Evidences gathering and forensic analyzing.
  7. Eradication.
  8. Recovery.
  9. Post-incident activities.

ML; Machine Learning Classifications:-

  1. Supervised:-use of algorithm that input a set of labeled training data. It’s divided into:- Classifications:-includes completely divided classes. Regression:-includes data that can’t be divided into classes; continuous data.
  2. Unsupervised:-use of algorithm that input a set of unlabeled training data. It’s divided into:-clustering:-divides the data into clusters based on their similarity. Dimensionally Reduction:-is the process of reducing the attributes of the data.

Information security laws and standards:

  1. PCI DSS; Payment Card Industry Data Security and Standards:-is information security and standard for organizations that hold cardholders information.
  2. ISO/IEC:-specify the requirements for establishing, implementing, maintaining and improving and information security management system within the organization.
  3. HIPAA; Health Insurance portability and Accountability Act:- is federal protection for the individually identifiable health information that hold by hospitals.
  4. SOX; Sarbanes Oxley Act:- is designed to protect the investors and the public by increasing the accuracy and reliability of corporate disclosures.
  5. DMCA; Digital Millennium Copyright Act:- is united states copyright law that implement two treaties of WIPO; World Intellectual Property Organization.
  6. FISMA; Federal Information Security Management Act:- provides a comprehensive framework for insuring the effectiveness of information security controls over information resources that support Federal operations and assets.

Cyberlaws differ from country to country.


Chapter2; Footprinting and Reconnaissance.

Footprinting:-is a first step in any attack on information systems in which an attacker collects information about the target network to identify various ways to intrude into target system.

Types of footprinting:-

  1. Passive:- Gathering information about the target without direct interactions.
  2. Active:- Gathering information about the target with direct interactions.

Objectives of footprinting:-

  1. Identify the security posture.
  2. Reducing the focus area.
  3. Identifying vulnerabilities.
  4. Drawing a network map.

Information obtained from footprinting:-

  1. Organization Information:- employees details, names, number, location, etc.
  2. Network Information:- domains, subdomains, IP addresses, whois, DNS, etc.
  3. System Information:- OS, location of servers, usernames and passwords, etc.

Footprinting methodology:-

1- Footprinting through search engines:- attackers use search engines to extract information about the target which help them to perform social engineering attack or other attacks. ex; google, yahoo, bing, etc. Attackers use advance search operators and create complex queries to find, filter sort information about the targets.

Google popular used advance search operators:-

  1. cache: :- display the web pages stored in Google cache.
  2. link: :- list web pages that have link to the given web page.
  3. related: :- list web pages that similar to the given web page.
  4. info: :- present some information that Google has about the given web pages.
  5. site: :- restrict the search results to those websites in the given domain.
  6. allintitle: :- restrict the search results to those websites containing all the search keywords in the title.
  7. intitle: :- restrict the search results to those documents containing the search keyword in the title.
  8. allinurl: :- restrict the search results to those websites containing all search keywords in the url.
  9. inurl: :- restrict the search results to those documents containing search keyword in the url.
  10. location: :- find information about a specific location.

2- Footprinting through web services:- attackers can use search engine, Sublist3r command tool to enumerate subdomains, Netcraft or Pentest-Tools.

Attackers user tools to find physical location of the target by using various tools. ex; Google Earth, Google Maps and Wikimapia.

3- Footprinting through social networking sites:- attackers can use various tools to extract information from social networking site. ex; people search that provides many services. ex;intelius, pipl, BeenVerified, Whitepages, PeekYou.

Attackers can use TheHarvester tool to extract information from social networking sites. ex; linkden.

Attackers can use BuzzSumo, Google Trend and Hashatit tool to extract information from social networking sites.

Attackers can use Followerwonk, Hootsuit and sysomos tool to extract location information from social networking sites.

Attackers can use Theharvester or Mail Spider to collect available emails of the target organization.

Attackers can use Sherlock tool to search in vast social networking sites for a specific username.

Attackers can use social searcher tool to search for content in social networking sites in real time and provide deep analysis data.

Attackers can use Google Finance tool to collect information about the target organization finance.

Deep web:-contains websites that can’t be accessible by traditional browsers. examples for deep web browsers; Tor browser or www virtual library.

Dark web or darknet:-is a subset of deep web that enable anyone to access the deep web without being tracing. examples for darknet browsers; TOR browser, freenet, GNUnet, I2P, Restroshare.

Attackers can use SHODAN search engine to find connected devices to a network.

Censys search engine provide a full review of every device or server that exposed to internet.

Competitive Intelligence Gathering:-is the process of identifying, gathering, verifying and using information about your competitors from resources.

4- Website footprinting:- attackers use various of tools to extract information from target websites and view headers. ex; Burp suite, Zaproxy, Wappalyzer, web informer, etc.

web spiders:- perform automated searches on target websites and collect information. ex; Web Data Extactor and ParseHub.

Attackers use Burp Suite and Web Scarab to perform user-directed spidering.

Attacker use HTTrack, website copier, NCollector studio to perform web monitoring which is coping the website files into the local system.

To visit archived version of site attackers use

Tools to extract website links; Octoparse, Neteak Spider and Link Extractor.

Attackers gather unique wordlists from target websites to use it in their attacks. They use Cewl tool.

Attackers use Metagoofil, Exiftool to extract metadata or hidden files from websites.

5- Email footprinting:- attackers use various of tools to track email addresses and extract information from them. ex; eMailTrackerPro, Infoga, MailTrack and PoliteMail

6- Whois footprinting:-

whois query return:-

  1. Domain name details.
  2. Contact detail of the domain owner.
  3. Domain name servers.
  4. NetRange.
  5. When a domain has been created.
  6. Expiry records.
  7. Records last updated.

Attackers use IP2Location and IP Location finder to collect IP geolocation information of the target.

7- DNS footprinting:- DNS records provide information about the location and types of server.

DNS records types:-

Attackers use DNSReon to perform reverse DNS lookup on the target host.

Attackers use Reverse IP Domain Check tool to find for other domains that share the same web server.

8- Network footprinting:- attackers use network range information to draw a map of a target network. They use ARAIN whois database search tool to gather the range IP addresses, and to find range of IP addresses and use RIR; Regional Internet Registry the subnet mask used by the target organization.

traceroute:- is used to find the route of target host on network. It helps to test against Man-In-The-Middle attacks. Attackers se traceroutes to collect information about network topology, trusted routers and firewall location.

Type of traceroute:-

  1. ICMP; Internet Control Message Protocol traceroute:- works on windows OS. tracert [IP address or domain name].
  2. TCP traceroute:- tcptraceroute [IP address or domain name].
  3. UDP traceroute. traceroute [IP address or domain name].

Traceroute tools:-

  1. Path Analyzer Pro.
  2. ViualRoute.

9- Footprinting through social engineering:-

Social Engineering techniques:-

  1. Eavesdropping.
  2. Shoulder Snuffing.
  3. Dumpster diving.
  4. Impersonating.

Footprinting tools::-

  1. Maltego:- used to know the real relationship and world links between people.
  2. Recon-ng:- is a web reconnaissance framework.
  3. FOCA; Footprinting Organization with Collected Archives:- is used to find metadata and hidden information in documents.
  4. OSRFramework:- includes applications related to username checking, DNS lookup, deep web search, etc.
  5. OSINT Framework:- is online source intelligence gathering information used to collect in formation from free tools or resources.
  6. Recon-Dog:- is all in one tool used to collect needed information.
  7. BillCyber:- is an information gathering tool for IP addresses or websites.


Chapter3; Scanning Networks.

Network scanning:- refers to a set of procedures used for identifying ports, hosts and services on a network.

TCP headers contain 6 flags:-

1- Flags to govern the establishment, maintenance and termination of the connections:-

  1. SYN; Synchronize:- initiates connection between hosts.
  2. ACK; Acknowledgement:- acknowledges the receipt of a message.
  3. FIN; Finish:- terminates the connections.
  4. RST; Reset:- resets a connection.

2- Flags to provide instruction to the system:-

  1. PSH; Push:- sends all buffered data immediately.
  2. URG; Urgent:- processes the data immediately.

Attackers can use various scanning tools. ex:- Nmap, Hping2\Hping2, Metasploit and NetScanTool Pro.

Hping2\Hping3 commands:-

Host discovery is a technique to find active/live host in a network.

Host discovery techniques:-

1-ARP Ping scan:- attackers send ARP requests to the target hosts and receiving ARP responds from alive hosts. nmap -sn -PR [IP address]

2- UDP Ping scan:- attackers send UDP requests to the target hosts and receiving UDP responds from alive hosts. nmap -sn -PU [IP address]

3- ICMP Ping scan:-

  1. ICMP ECHO Ping scan:- attackers send ICMP ECHO requests to the target hosts and receiving ICMP ECHO responds from alive hosts. It’s useful to check alive system or ICMP pass through firewall. nmap -sn -PE [IP address]
  2. ICMP ECHO Ping Sweep scan:- attackers send ICMP ECHO requests to multiple target hosts and receiving ICMP ECHO responds from alive hosts. It’s useful to check alive system. nmap -sn -PE [IP address]
  3. ICMP timestamp Ping scan:- nmap -sn -Pp [IP address]
  4. ICMP Address Mask Ping scan:-nmap -sn -Pm [IP address]

ping tools:-Angry IP Address, NetScanTools Pro.

4-TCP Ping scan:-

  1. TCP SYN Ping Scan:- attackers send SYN probe packets to the target hosts and receiving ACK packets from alive hosts, or RST from dead hosts. nmap -sn -PS [IP address]
  2. TCP ACK Ping scan:-attackers send ACK probe packets to the target hosts and receiving RST packets from alive hosts. nmap -sn -PA [IP address]

5- IP Protocol scan:-attackers send various probes packets to the target hosts and receiving any respond from alive hosts. nmap -sn -PO [IP address]

Port Scanning Techniques:-

1- TCP Scanning:-

1- Open TCP Scanning; TCP connect/Full Open Scan:-if the complete three way handshake is established, the port is open. It doesn’t require superuser privileges. nmam -sT -v [IP Address]

2- Stealth TCP Scanning:-

1- Half Open Scanning:-it rest the connection before complete three way handshake establishment. Used to bypass firewalls. nmap -sS -v [IP Address]

2- Inverse TCP Flags:-send probe packet with [PSH, URG, FIN] or no flags to the target hosts. If there was no respond, the port is open. If it respond with RST probe, it’s closed.

1-Xmas scan:-send probe packet with [PSH, URG, FIN] to the target hosts. If there was no respond, the port is open. If it respond with RST probe, it’s closed. It isn’t worked in Microsoft Windows. nmap -sX -v [IP Address]

2- FIN scan:-

3- NULL san:-

4- Maimon scan:-send probe packet with [FIN, ACK] to the target hosts. If there was no respond, the port is open or filtered. If it respond with RST probe. nmap -sM -v [IP Address]

3- ACK Flag probe scan:-send probe packet with [ ACK] to the target hosts and analyze the responds. If TTL value is less than 64 or or window value nonzero, the port is open. send probe packet with [ACK] with random sequence number to the target hosts. If there was no respond, the port is filtered. nmap -sA -v [IP Address]

3- Third Party and Spoofed TCP Scan; IDLE/IP ID Header Scan:-every packet send on the internet has a framework identification called IPID. Attackers send packet with SYN/ACK to the target hosts and the target host responds with IPID number of the current packet.

2- UDP Scanning:-There is no three way handshake in UDP connection. There is no respond when a port is opened. if the port is closed , it receive a with unreachable ICMP. nmap -sU -v [IP address]

3- SCTP Scanning:-

  1. SCTP INIT scan:- attackers send INIT chunks to the target hosts and receiving INIT chunks respond from opened ports, or ABORT chunks respond from closed ports. nmap -sY -v [IP address]
  2. SCTP COOKIE/ECHO scan:-attackers send COOKIE ECHO chunks to the target hosts and if there is no replies, the ports are opened, or ABORT chunks respond from closed ports. nmap -sZ -v [IP address].A good IDS only can detect SCTP COOKIE/ECHO.

4- SSDP; Simple Service Discovery Protocol Scanning:-

  1. Simple Service Discovery Protocol Scanning:- is a network protocol work in conjunction with UPnP to detect play and plug. Attacker exploit the vulnerabilities in UPnP to lunch buffer overflow or DDOS attacks.

2. List scanning:- prints list of host names or IP addresses without pinging them. nmap -sL -v [IP address]

5- IPv6 Scanning:- nmap -6 [IP address].

Service version discovery:- used to obtain more information about services, OS, etc running in the hosts. nmap -sV [IP address]

Banner grabbing/OS Footprinting:-is a method used to determine the OS running on the remote target host. It can e active or passive.

Attackers can identify the OS of the target hosts by observing the TTL and window size values in the responses packet.

Attacker use tools for OS discovery; ex; nmap -O [IP address] or nmap -6 [IP address] , Unicornscan identify the OS by observing the TTL value, NSE; Nmap Scripting Engine → nmap- -script [script-name][IP address]

IDS/ Firewall evasion techniques:-

  1. packet fragmentation:- used by SYN/FIN technique; nmap -sS -T4 -A -f -v [IP address]
  2. source routing.
  3. source port manipulation:- nmap -g [port] [IP address] nmap -sorce-port [port] [IP address]
  4. IP address decoy:-generate IP address decoys; nmap -D RAND:[number of decoy][target] or nmap -D decoy1, decoy2, me, etc[target].
  5. IP address spoofing:- change the source IP address; Hping3 [URL][Fake IP address]. IP address spoofing techniques:- 1- direct TTL probes. 2- IPID number 3- TCP flow control method.
  6. creating custom packet:-by using tools. ex; Colatsoft Packet builder, NetScanTool Pro, by appending custom binary data → nmap [IP] -data Oxdeadbeef, by appending custom string → nmap [IP]-data-string “string1”, by appending random string → nmap [IP] -data-string [num;5]
  7. randomizing host order:- nmap -radomize-hosts [IP].
  8. sending bad checksum:- nmap -badsum [IP].
  9. proxy server:-proxy tools; Burp suite, proxy switcher, CyberGhost VPN . *proxy chaining:-use multiple proxies servers.
  10. anonymizers:- remove all identity information from a user’s computer, while surfs the internet. It allow to bypass the internet censors.

use of anonymizers:-

  1. Privacy and Anonymity.
  2. Protection against online attacks.
  3. Access restricted content.
  4. Bypass IDS and Firewall rules.

Anonymizers tools:-

  1. Alkasir.
  2. Tails.
  3. Whonix.
  4. Psiphon.
  5. Orbot.
  6. OpenDoor.

Drawing network map:-shows the logical and physical paths to potential target using various tools. ex; network topology mapper, OpManager, the dude, netBrain, etc.


Chapter4; Enumeration

Created on 20 March 2021

Last edition on 11 March 2021