312-50v11: Certified Ethical Hacker v11 Exam Certification Video Training Course Outline
312-50v11: Certified Ethical Hacker v11 Exam Certification Video Training Course Info
Gain in-depth knowledge for passing your exam with Exam-Labs 312-50v11: Certified Ethical Hacker v11 Exam certification video training course. The most trusted and reliable name for studying and passing with VCE files which include ECCouncil CEH 312-50v11 practice test questions and answers, study guide and exam practice test questions. Unlike any other 312-50v11: Certified Ethical Hacker v11 Exam video training course for your certification exam.
Network Hacking
4. What is MAC Address & How To Change It
When it comes to networking, you probably hear the term "MAC address" a lot. So in this lecture I'm going to cover what we mean by MAC address, what it is used for, and how to change it. MAC stands for Media Access Control. It's a permanent, physical and unique address assigned to network interfaces by the device manufacturer. So whether you have a wireless card or a wired (Ethernet) card, each one of these network cards comes with a specific address that is unique to this card. So there are no two devices in the world that have the same MAC address, and this address will always be the same for this specific device. Even if you unplug it from your computer and connect it to another computer, this network device will always have the same address. Now, you might already know that the IP address is used on the Internet to identify computers and communicate between devices; the MAC address is used within the network to identify devices and transfer data between them. So each piece of data, or packet, that is sent within the network contains a source MAC and a destination MAC, and the packet flows from the source MAC to the destination MAC. Because this is a physical, unique address for each interface on each network device, and because it is used to identify devices, changing it will make you anonymous on the network. Not only that, but the MAC address is often used by filters to prevent or allow devices to connect to networks and do specific tasks on the network. So being able to change your MAC address to another device's MAC address will allow you to impersonate that device and do things that you might not otherwise be able to do: bypass filters, connect to networks that only specific devices with specific MAC addresses can connect to, and also hide your identity. Now, changing the MAC address is very simple, so let me show you how to do that.
First of all, I'm going to use the ifconfig command to list all the network interfaces available on my Kali machine. What I mean by network interface is any device that allows us to connect to a network, for example a WiFi card or an Ethernet card. So you can see, first of all, we have eth0, and this is a virtual interface created by VirtualBox when we set Kali to use a NAT network. As you can see, the interface name is eth0. You can see it has an IP address because, like I said, it's connected to a network. So if we go here, we can see that it's saying "wired connected". So this is the interface that represents the wired network that Kali is connected to, which is actually a virtual NAT network. You can also see the netmask, the broadcast address, and a really important piece of information, the ether field. This is the MAC address of this virtual interface. Now you can see similar information for my other two interfaces, lo and wlan0. The only thing is, as you can see, for both of these interfaces we do not have an IP address, and the main reason for that is that neither of these interfaces is connected to a network. Now, lo is the default loopback interface created by Linux, and wlan0 is my real wireless adapter, so I can use it to connect to WiFi networks. But if I go to the network menu here, you'll see WiFi is not connected because I actually didn't connect to any network, and that's why it does not have an IP address. Now this doesn't matter, because what we want to do is just change the MAC address, which again is shown here under the ether part, similar to what you're seeing for eth0. Now, in order to change any of the values that you see here, you have to first disable the interface. So, in this case, we want to change the MAC address, which is represented by the ether field, and the value is right here.
So in order to disable an interface, we're going to do ifconfig, followed by the interface name, which is wlan0 in my example, followed by down to disable it. Now, if I hit Enter, you'll see that the command runs without errors, which means that it got executed properly. The next thing we need to do is change the option that we want to change, and in this example we want to change the ether value, which is the MAC address. So first we're going to type ifconfig, then the interface whose option we want to change, then the option that we want to change, which is the hardware address, so we type hw ether, and then the address that we want to set as the MAC address. For example, I'm going to use 00:11:22:33:44:55. A very simple command: ifconfig wlan0 hw ether 00:11:22:33:44:55. We're using ifconfig wlan0 to select the interface whose option we want to change, we're saying we want to set the hardware address, and we want to set it to this specific address. So you can use any address that you want, following the same format shown here. Just make sure your address starts with Now I'm going to hit Enter, and again we don't see any error messages, so it means the command got executed properly. Finally, because we disabled the interface with ifconfig wlan0 down, we only need to enable it again, so we just do ifconfig wlan0 up. Now the interface is enabled, and if we do ifconfig again and look at the ether part in here, you can see that it has changed to the MAC address that we specified. So this is done, and your MAC address is changed. Now you can go ahead and start using the interface, and it will appear to have this MAC address instead of its original MAC address. And like I said, this can be useful in so many scenarios. Now, keep in mind that the MAC address will revert back to the original one once you restart the computer.
That's because we're only changing the MAC address in memory; we're not really changing the physical MAC address. But if your MAC address is resetting to the original one without restarting, then something is going wrong, and it's probably happening because your network manager is resetting the MAC address. Not everybody will face this issue, so I'm not going to cover it in this lecture. However, if you encounter this problem and your MAC address returns to its original value without restarting the computer, consult the YouTube video in the lecture resources; it will show you how to fix this issue.
5. Wireless Modes (Managed & Monitor)
From the previous lectures, we learned the basics of how networks work. We learned that devices on the same network communicate with each other using packets. So regardless of what you do on the network, whether you're watching a video, logging into a website, sending chat messages, or sending emails, all the data is sent as packets. Devices in the network then use the MAC address to ensure that these packets are routed correctly. So each packet has a source MAC and a destination MAC, and it flows from the source to the destination. So in this example, we have the client, which has this MAC, and we have the access point, which has this MAC. As an example, if this client wanted to send a packet to the router, it would set the destination MAC address to the router's MAC address. Therefore, by default, each device only receives data that has its own MAC address as the destination MAC. But if you remember, as I said, in wireless networks, if you're within range, then you'll be able to capture all of this communication because these packets are literally sent in the air. So we can just capture them even if they do not have our MAC address as the destination MAC. To do this, we need to change the mode of operation of our wireless interface so that it operates in monitor mode. So let me show you what I mean. If I go to my computer here, this time I'm going to run iwconfig: ifconfig lists all the interfaces, while iwconfig shows the wireless interfaces only. And you can see we have wlan0 right here, which is my external wireless adapter, and you can see the mode of this adapter is set to managed. This is the default mode of all wireless devices, and what it means is that this device will only capture packets that have the MAC address of this device as the destination MAC. So basically, it will only capture packets that are directed to my Kali machine.
But this is not what we want. What we want is to be able to capture all the packets that are within our range, even if they are sent to the router or to another device. So to do this, we need to set the mode to monitor mode instead of managed mode. As usual, before you can change the options of your interface, you have to disable it, and previously we've seen that we can do that with ifconfig followed by the device name, which is wlan0 in my case, followed by down. Then we can enable monitor mode. But before we do that, I'm actually going to run a command to kill any process that could interfere with using my interface in monitor mode. The command that I'm going to run right now is not mandatory, but running it will actually give you better results when it comes to running the attacks that you will learn as we go through the course. So this command is airmon-ng check kill. Now, you'll notice when you run this command that it will actually kill the network manager that usually runs in here, so you'll completely lose your Internet connection. But this is no problem, because we will only need to be in monitor mode when we are running pre-connection attacks, that is, attacks that do not require us to connect to any network. So we actually do not need an Internet connection to run any of the attacks that require monitor mode. Now we're going to enable monitor mode. So we're going to do iwconfig, followed by the interface name that we want to enable monitor mode on, which is wlan0, followed by mode monitor. So, a very simple command: we're using iwconfig to change the mode, we're giving it the name of the interface whose mode we want to change, we're saying we want to change the mode, and we want to set it to monitor mode. Now, if I hit Enter, you'll see the command will run with no errors, which means the command got executed properly.
And finally, we'll need to enable the interface again, similar to what we did when we changed the MAC address. So all we have to do now is ifconfig wlan0 up, and we're done. Now, if I run iwconfig again, you will see that the mode is set to monitor. So basically, this interface can now be used to capture any packet that is within our range, not only the packets that are directed to this computer. That's why in the future you'll see how we can use it to sniff packets, analyse them, and even break into networks. So in the future, if I say to use your interface in monitor mode, this is what I mean: you'll basically have to enable monitor mode as shown here. Now, I've also included a YouTube video in the resources of this lecture to show an alternative method to enable monitor mode. Just in case you get errors with this method, or you try to follow something that I do in the next lectures and it doesn't work, you can come back and try the alternative method. But if this worked, and monitor mode is enabled successfully, then you don't need to watch that video; you can just continue with the course. One more thing to keep in mind: not all wireless adapters support monitor mode. So for this to work, you need to make sure that your actual adapter supports monitor mode. There are a number of adapters that support it, and I've included another video in the resources of me talking about wireless adapters, how to pick the best one, and which ones I recommend and use when I'm testing the security of networks.
Network Hacking - Pre Connection Attacks
1. Packet Sniffing Basics
Now that we have enabled monitor mode on our wireless interface, we are able to capture all the WiFi packets sent within our range, even if the packet is not directed to our computer, even if we're not connected to the target network, and even without knowing the key or the password to the target network. So all we need right now is a program that can capture these packets for us. The program that we're going to use is called airodump-ng. It's part of the aircrack-ng suite, and it's a packet sniffer. So it's basically a program designed to capture packets while you're in monitor mode. It will allow us to see all the wireless networks around us and show us detailed information about them: their MAC address, channel, encryption, clients connected to them, and so on. So let me show you how we're going to use it. First of all, you need to enable monitor mode on your wireless adapter as shown in the previous lectures. So if I go to my Kali machine and run iwconfig to list all the wireless devices on this computer, you'll see that I have an interface called mon0, and this interface is in monitor mode. Now, depending on how you enabled monitor mode, this could be called wlan0 or wlan0mon; it doesn't really matter. You just want to make sure you enable monitor mode using one of the methods shown before, and then use the name of the adapter that is in monitor mode when you run airodump-ng. Now, to run airodump-ng, we're just going to type the name of the program, which is airodump-ng, followed by the name of my wireless adapter in monitor mode, which is mon0, as you can see in this picture. So the command is very simple: we're typing in the program name, airodump-ng, followed by the name of my interface in monitor mode. If I hit Enter, you'll see that it'll start working, discovering all the wireless networks around me and displaying useful information about them.
This program will continue working until you quit it, and to quit this program, you have to press Ctrl+C on your keyboard. You can actually use Ctrl+C to quit any running program in your terminal. Now that we've stopped the program, let's analyse the output so we understand what it's showing us. So first of all, if we look at this column, the ESSID column, it should be a little bit familiar to you: basically, this shows us the names of the wireless networks around us. So if I just go to my Mac machine and look for wireless networks, you'll see the same names that we see in here displayed under the ESSID. Now, all of the other columns show us more information about the network whose name you see here, and this information will actually be very useful to us as we go through the course. The first column, the BSSID, shows us the MAC address of the target network. Next we have the PWR, which is the signal strength, or the power, of the network. Now, the higher the number, the better signal we have. So for example, the network with the best signal right here is this one. Next we have the beacons. These are frames sent by the network in order to broadcast its existence. So every network, even if it's set to be hidden, always sends these types of frames, basically broadcasting its existence and telling all the wireless devices around it: I exist, I have this BSSID, I work on this channel, I use this encryption, and my name is this. Next we have the number of data packets, or data frames; these are the useful packets that we'll talk about later on once we get to the cracking section. The next column represents the number of data packets that we collected in the past 10 seconds. Next we have the channel, which is the channel that the network works on. So, for example, this network right here, the test AP, works on channel six, this network works on channel one, and so on. Next, we have the maximum speed supported by the network.
The ENC column is a very important one; it shows us the encryption used by the network. So we can see that the TestAP network is using WPA, we have a network that uses WEP, and this network right here is an open network, so it doesn't use encryption and we don't even need a password to connect to it. And we can see we have a WPA2 network right here. CIPHER is the cipher used in the network, so we can see here that we have CCMP, we have WEP, and we have CCMP again. AUTH is the authentication used on that network, and in here we can see it's PSK, a pre-shared key, and MGT for this network. Don't be concerned about the ENC, CIPHER and AUTH columns for now; we will talk about breaking into all these networks, WEP, WPA and WPA2, in the Gaining Access section. And finally, you can see we have the ESSID column, which shows the name of the network. So this is what you see when you look for networks in your network manager. So that's it for this lecture. I just wanted to give you a quick look at how to discover all the networks around us using airodump-ng. Don't worry about airodump-ng too much now; we're going to be using it a lot in the next lectures, and you'll get very comfortable with it as we go through the course.
2. WiFi Bands - 2.4 GHz & 5 GHz Frequencies
In this lecture, I'd like to talk about WiFi bands. The band of a network defines what frequency it can use to broadcast the signal. This means it also defines the frequency that the clients, or the computers, need to support and use in order to be able to connect to this network. The two main frequencies used in WiFi networks are 2.4 GHz and 5 GHz. Now, previously, when we used airodump-ng, we were only sniffing on the 2.4 GHz frequency. You can see, first of all, that my wireless adapter, wlan0 here, is in monitor mode. So if I just run airodump-ng, you'll see that I can see the wireless networks around me. But you might have noticed that you won't actually see all the networks around you when you run airodump-ng. I'm going to Ctrl+C this, and if I go here to my normal host machine, it actually has a built-in wireless adapter, so it's not as strong as my Alfa adapter. But if I look for networks, you'll see I actually have many more networks in here, and mainly I have networks whose names end in "5G". Now the network doesn't necessarily have to end in 5G, but here in Ireland, if a network broadcasts over 5 GHz, the service provider adds 5G to the network name. But we also have other networks broadcasting over 5 GHz that don't end in 5G. The main point I want to make is that I can't see all of the networks around me in airodump-ng, and that is because airodump-ng by default only sniffs on 2.4 GHz. So if you do this and you don't see all the networks around you, or if you're sniffing on your own network but you don't see all the clients in your network, it's possible that your router is broadcasting over two bands, 2.4 and 5 GHz. If you're not seeing the router at all, or the network at all, like what's happening here for me, then the router is probably just broadcasting over 5 GHz. Now, this doesn't mean that your wireless adapter is bad; it just literally means that this adapter is not able to see 5 GHz frequencies.
It's just past its limit, beyond its reach. The main problem with 5 GHz is that there are a lot of wireless adapters that can see it and communicate with it, but not many of them support monitor mode and packet injection. So you might see me and other people recommending wireless adapters like the Alfa AWUS036NHA. This is my most favourite wireless adapter; I use it all the time, even now. But the problem with that adapter is that it doesn't pick up the 5 GHz frequency. It doesn't mean that that adapter is bad; it just means that it can't see the 5 GHz frequency. Like I said, there aren't many wireless adapters that support 5 GHz. But I have an adapter here, the Alfa AWUS036ACH, and this adapter supports both the 2.4 and 5 GHz frequencies. It's not as good as the other Alfa, but it does the job. Now if you want more information about wireless adapters, check out the link in the resources. I'm not going to talk a lot about wireless adapters, but in this lecture I want to show you how to sniff and discover 5 GHz networks. And then you can use all of the attacks you learned in my previous lectures and videos with 5 GHz networks. So the adapter that I'm using right now supports 5 GHz, but as you can see, I still can't pick up these networks. That's because I need to specifically tell airodump-ng that I want it to listen on 5 GHz frequencies and 5 GHz channels. All we have to do is run airodump-ng like we always do, and then use a new argument that we haven't seen before, which is --band. We're going to tell it that I want it to sniff on band a, and that's the band that supports the 5 GHz frequency. And then I'm just going to give it the name of my wireless adapter in monitor mode, which is wlan0. So the command is very simple; it's very similar to what we've used before. All we have to do is type airodump-ng followed by --band, and the band that we want to use is a,
followed by our wireless interface. So I'm going to hit Enter. And as you can see, as soon as we hit this, I'm going to do Ctrl+C, because you can see from the results that we now have a lot more networks, and we have the 5 GHz networks. So we have this network and this network that we weren't able to see before. We have the Jameson Whiskey network as well. Basically, we're able to capture all the networks that use the 5 GHz frequency. Now what you can also do, let me clear the screen, is specify multiple bands using the --band argument. So again, using the same command, instead of just saying --band a, we can do --band abg. What this will do is tell airodump-ng to capture data on both 2.4 and 5 GHz frequencies at the same time. So let me show you. As you can see right here, we're capturing some 2.4 GHz networks and some 5 GHz networks at the same time, and we'll also be able to discover clients connected to both bands. The only problem with using airodump-ng like this is, first of all, you need a powerful wireless adapter to do this. Also, it will be slightly slower than when you're sniffing on one band, because you're sniffing on two bands, so there is a large number of channels that airodump-ng has to hop on to discover clients and networks broadcasting on these channels. So if you want quicker results, then you're better off just specifying the band when you want to sniff on 5 GHz frequencies and not specifying the band when sniffing on 2.4 GHz frequencies. But as you can see, you can just run the command like so with --band abg, and this way you'll be able to capture data sent over both 2.4 and 5 GHz frequencies. Also keep in mind that in order to sniff data on the 5 GHz frequency, like I said, your wireless adapter needs to support this band. So simply adding the --band argument will not work unless your wireless adapter can support and sniff data on this band. One more thing that I want to note, which I've actually said before:
If you run airodump-ng against a network and you see some devices missing, then there is a high chance that these devices are connected over 5 GHz. So again, use the --band argument, and then you should be able to see these devices.
3. Targeted Packet Sniffing
In the last lecture, we saw how to use airodump-ng to list all the networks around us and display useful information about them. Usually, we do this in order to see our target network, see the signal strength, see how far we are from it, and then start targeting this network. Now, in this example, I'm going to assume that my target network is this one right here. This is actually the network that my host machine is connected to. Now that I have my target network and some basic information about it, let's see how we can run airodump-ng against this network only, not against all networks, and this way we'll be able to gather more information about it. So, to do this, first of all, I'm going to write the name of my program, which is airodump-ng. Then I'm going to specify a specific BSSID, or a specific MAC address, for airodump-ng to sniff data from. My target network has this BSSID; we can see it here under the BSSID column. So I'm going to copy it, and then I'm going to do --bssid and give it the BSSID that I just copied. I'll then specify a channel for airodump-ng to sniff on. Again, if we look under the channel column in here, we can see my target network is on channel two, so I'm going to do --channel 2. So now we're telling airodump-ng that I want it to sniff data on channel two, and only from a network that has this BSSID. I'm also going to tell airodump-ng that I want it to store all the data that it's going to gather in a file. So I'm going to say --write and then type a file name; let's call this test. And at the end, as usual, I need to give it the name of my wireless adapter in monitor mode, which is wlan0 in my case. So a very simple command. Let's go over it one more time. We're running airodump-ng, the name of the program that I want to use. I'm telling it that I only want it to sniff data from a specific BSSID, and then I'm giving it the BSSID of my target.
Then I'm telling it I want it to only sniff data on a specific channel, and I'm giving it the channel that I want to sniff data on. Again, we can get it from here: it's number two. Finally, I'm telling it that I want it to write all the data that it's going to capture to a file that we're going to call test. And then I'm giving it my wireless adapter in monitor mode, which is wlan0. Now I'm going to hit Enter. And as you can see, unlike the last time, airodump-ng is only showing me one network in here. This is the network that I wanted it to sniff data on. And we can also see we have a completely new section right now. When I ran airodump-ng in the previous lecture, I only had the networks in here and nothing here at the bottom. However, as you can see, we now have more entries in the second section of airodump-ng. Basically, anything that you see here in the second section is a client or device connected to this network. So right now we can see this network has three devices connected to it, and you can see the MAC addresses of these devices under STATION. As you can see, all of these devices are connected to the same network, so the BSSID is still the same; this is the MAC address of the network, and under STATION we have the different clients or devices connected to this network. We can also see the power, which is the signal strength of each of these devices. We can see the speed, the amount of data lost, the number of frames and packets captured, and whether or not any of these devices are still probing for networks. So, even if you run airodump-ng against all networks, you'll see this section and notice that some devices aren't connected and are literally looking for networks, so you'd see the names of the networks that they're looking for under PROBE. Now, if I hit Ctrl+C, airodump-ng will quit; it will stop working.
But I should have new files in my current working directory that contain the data that we just captured, because remember, when we ran the command, we used the --write option to store the data in a file called test. So if I just do ls to list all the files in my current working directory, you can see I have four files. All of them start with test, but they all have different extensions: we have a .csv, a .netxml, a .cap, and a .kismet.csv. Now, also notice that airodump-ng automatically appended -01 to each of these files. So in the future, when you go and try to use the capture file, make sure you append -01 to the file name that you specify in the command. Now, the main file that we're going to be using is the .cap file. Again, this file contains the data that we captured during the period that airodump-ng was working in here, and basically this file should contain everything that was sent to and from my target network. So it should contain URLs, chat messages, usernames, passwords, or anything that any of these devices did on the Internet, because anything they had to do will have been sent to the router, as we've seen before. The only problem is, if you look at the encryption in here, you can see that my target network uses WPA2 encryption. So all of the data sent between the router and the client is encrypted. So let me show you what I mean. I'm going to use a tool called Wireshark to analyse the data. Don't worry about how to use Wireshark; we will talk about it in detail later on. Right now, I just want to make sure that you understand the idea that we're now able to capture all these packets; the only problem is that these packets are encrypted. So I'm going to type wireshark to run Wireshark, and then I'm going to open my capture file. So I'm going to go to File > Open, and it's already in my root directory, so I'm just going to scroll down and select my test-01.cap.
I'm going to open it and make it full screen. As you can see, if we click on any of these packets, we really have no useful data. Everything looks like gibberish, and we can't read anything, even though these packets might contain usernames, passwords, or URLs. The only useful thing that we can see here is the device manufacturer. So we know one of the devices connected to the network has this specific MAC address, the one that ends with an eight. And if we go up, we can see that it's this specific device. We now know it is an Apple device, so it could be an Apple computer, an iPhone, or an iPad; this is actually my MacBook, the host machine. Again, we can see we also have a device that's using a Huawei chipset, so this could be a phone, or it could be the router. And if you look at the MAC address here and compare it to the MAC addresses that we have here, you can see that this is actually under the BSSID, so this is the MAC address of the router. So now we know that the brand of my router is Huawei. So we can gather more information by opening this file in Wireshark, and we can kind of guess what computers are there and what operating systems they use. But this is not detailed enough, and the main problem with this is the fact that the network is using encryption. Now, in the next section, we're going to be talking about how to break this encryption. And once we do, you'll see how we can see the passwords and the usernames in plain text, and you'll also see how we can map all of the computers on the same network, gather detailed information about them, hack into them, and do some really cool stuff. You should have gathered from everything I've said so far that if this network was an open network, one that didn't use a password, you would have been able to see all of the URLs and everything that they do in here.
But again, once you can connect to the network, with or without a password, you'll automatically be in the post-connection section. And in that section, like I said, we're going to talk about some really, really cool attacks that you can do once you have the password, or once you can connect to the network. So don't worry about Wireshark for now. I just wanted to make sure that you understood why encryption is useful, why it's used, and why we can't see much now, because we don't know the key. We will talk about Wireshark and all of that later on in the next section.
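As an added example, not part of the course, here is a small Python parser for the .csv file that airodump-ng writes alongside the .cap described above. It sorts the networks into the 2.4 GHz and 5 GHz bands from the bands lecture, and flags open networks, unassociated clients that are still probing, and client MACs with the locally administered bit set (the bit no manufacturer sets, so a MAC chosen in software as in the MAC address lecture is worth a second look wherever MAC filtering is relied on). The sample CSV is constructed; the column layout is assumed to match what airodump-ng writes.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample, laid out like the CSV airodump-ng writes next to
# test-01.cap: an access-point table, a blank line, then a station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
A8:BB:CC:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6, 130, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   6, TestAP, 
A8:BB:CC:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN, , , -70,   30,  0,   0.  0.  0.  0,   8, CafeWiFi, 
A8:BB:CC:00:00:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 36, 866, WPA2, CCMP, PSK, -60,   80,  0,   0.  0.  0.  0,   9, Office-5G, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
10:34:56:78:9A:BC, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50,  300, A8:BB:CC:00:00:01, 
02:11:22:33:44:55, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -55,   20, (not associated), TestAP,HomeNet
"""


@dataclass
class Network:
    bssid: str
    channel: int
    privacy: str   # the ENC column: OPN, WEP, WPA, WPA2, ...
    cipher: str
    auth: str
    power: int
    essid: str

    @property
    def band(self) -> str:
        return band_of_channel(self.channel)


@dataclass
class Station:
    mac: str
    power: int
    packets: int
    bssid: str     # "(not associated)" when the client is only probing
    probes: list = field(default_factory=list)


def band_of_channel(channel: int) -> str:
    """Channels 1-14 are 2.4 GHz (the default bg scan); higher channels are 5 GHz (--band a)."""
    return "2.4GHz" if 1 <= channel <= 14 else "5GHz"


def locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Manufacturer-assigned addresses have this bit clear, so a set bit means the
    address was chosen in software rather than burned into the card."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_airodump_csv(text: str):
    """Split the file into its two tables and return (networks, stations)."""
    networks, stations = [], []
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue                      # blank line between the two tables
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap" and len(row) >= 14:
            networks.append(Network(
                bssid=row[0], channel=int(row[3]), privacy=row[5].strip(),
                cipher=row[6].strip(), auth=row[7].strip(),
                power=int(row[8]), essid=row[13].strip()))
        elif section == "sta" and len(row) >= 6:
            # Probed ESSIDs are comma separated, so they spill into extra fields.
            probes = [p.strip() for p in row[6:] if p.strip()]
            stations.append(Station(mac=row[0], power=int(row[3]),
                                    packets=int(row[4]), bssid=row[5].strip(),
                                    probes=probes))
    return networks, stations


def networks_by_band(networks):
    out = {"2.4GHz": [], "5GHz": []}
    for n in networks:
        out[n.band].append(n.essid)
    return out


def findings(networks, stations):
    """One line per item a network owner would want to review."""
    notes = []
    known = {n.bssid for n in networks}
    for n in networks:
        if n.privacy == "OPN":
            notes.append(f"{n.essid} ({n.bssid}) is open: its traffic is readable by anyone in range")
    for s in stations:
        if locally_administered(s.mac):
            notes.append(f"station {s.mac} has a locally administered MAC (not manufacturer-assigned)")
        if s.bssid not in known and s.probes:
            notes.append(f"station {s.mac} is not associated and is probing for: {', '.join(s.probes)}")
    return notes


if __name__ == "__main__":
    nets, stas = parse_airodump_csv(SAMPLE_CSV)
    for band, names in networks_by_band(nets).items():
        print(band, names)
    for line in findings(nets, stas):
        print("-", line)
```

To run it on a real capture, replace SAMPLE_CSV with the contents of the test-01.csv file airodump-ng wrote.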
Pay a fraction of the cost to study with Exam-Labs 312-50v11: Certified Ethical Hacker v11 Exam certification video training course. Passing the certification exams have never been easier. With the complete self-paced exam prep solution including 312-50v11: Certified Ethical Hacker v11 Exam certification video training course, practice test questions and answers, exam practice test questions and study guide, you have nothing to worry about for your next certification exam.