CEHv12 Version Change Document

Ethical Hacking and Countermeasures
Version Change Document
Exam 312-50 Certified Ethical Hacker
Version Comparison

Item | CEHv11 | CEHv12
Total Number of Modules | 20 | 20
Total Number of Slides | 1640 | 1676
Total Number of Labs | 200 | 220
Total Number of New Labs | 92 | 33
Attack Techniques | 420 | 519
New Technology Added | OT Technology, Serverless Computing, WPA3 Encryption, APT, Fileless Malware, Web API, and Web Shell | MITRE ATT&CK Framework, Diamond Model of Intrusion Analysis, Techniques for Establishing Persistence, Evading NAC and Endpoint Security, Fog Computing, Edge Computing, and Grid Computing
OS Used for Labs | Windows 10, Windows Server 2019, Windows Server 2016, Parrot Security, Android, Ubuntu Linux | Windows 11, Windows Server 2022, Windows Server 2019, Parrot Security, Android, Ubuntu Linux
Exam | 125 Questions (MCQ) | 125 Questions (MCQ)
Exam Duration | 4 Hours | 4 Hours
Exam Delivery | VUE / ECCEXAM | VUE / ECCEXAM
NICE Compliance | Final NICE 2.0 Framework | Final NICE 2.0 Framework
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
CEHv12 Change Summary
1. Module 06: System Hacking now includes techniques for establishing persistence.
2. Module 07: Malware Threats now includes malware analysis of the latest malware.
3. Module 12: Evading IDS, Firewalls, and Honeypots now includes evading NAC and endpoint security.
4. Module 14: Hacking Web Applications now covers the OWASP Top 10 Application Security Risks - 2021.
5. Module 19: Cloud Computing now includes fog computing, edge computing, grid computing, cloud security controls, and cloud access security brokers (CASB).
6. Information updated to reflect the latest developments, with a proper flow.
7. Latest operating systems covered, with a patched testing environment.
8. All tool screenshots replaced with the latest versions.
9. All tool-listing slides updated with the latest tools.
10. All countermeasure slides updated.
Module Comparison

The twenty module titles are unchanged between CEHv11 and CEHv12:
Module 01: Introduction to Ethical Hacking
Module 02: Footprinting and Reconnaissance
Module 03: Scanning Networks
Module 04: Enumeration
Module 05: Vulnerability Analysis
Module 06: System Hacking
Module 07: Malware Threats
Module 08: Sniffing
Module 09: Social Engineering
Module 10: Denial-of-Service
Module 11: Session Hijacking
Module 12: Evading IDS, Firewalls, and Honeypots
Module 13: Hacking Web Servers
Module 14: Hacking Web Applications
Module 15: SQL Injection
Module 16: Hacking Wireless Networks
Module 17: Hacking Mobile Platforms
Module 18: IoT and OT Hacking
Module 19: Cloud Computing
Module 20: Cryptography
Courseware Content Comparison

Notation used in the original document:
1. Red points are new slides in CEHv12
2. Blue points are substantially modified in CEHv12
3. Struck-through points are removed from CEHv11
4. Struck-through points are moved to a self-study module in CEHv12
Colour and strikethrough formatting is not preserved in this text rendering; for each module the CEHv11 outline and the CEHv12 outline are listed one after the other so that they can be compared directly.
Module 01: Introduction to Ethical Hacking

CEHv11
Information Security Overview
  ▪ Elements of Information Security
  ▪ Motives, Goals, and Objectives of Information Security Attacks
  ▪ Classification of Attacks
  ▪ Information Warfare
Cyber Kill Chain Concepts
  ▪ Cyber Kill Chain Methodology
  ▪ Tactics, Techniques, and Procedures (TTPs)
  ▪ Adversary Behavioral Identification
  ▪ Indicators of Compromise (IoCs)
    o Categories of Indicators of Compromise
Hacking Concepts
  ▪ What is Hacking?
  ▪ Who is a Hacker?
  ▪ Hacker Classes
  ▪ Hacking Phases
    o Reconnaissance
    o Scanning
    o Gaining Access
    o Maintaining Access
    o Clearing Tracks
Ethical Hacking Concepts
  ▪ What is Ethical Hacking?
  ▪ Why Ethical Hacking is Necessary
  ▪ Scope and Limitations of Ethical Hacking
  ▪ Skills of an Ethical Hacker
Information Security Controls
  ▪ Information Assurance (IA)
  ▪ Defense-in-Depth
  ▪ What is Risk?
    o Risk Management
  ▪ Cyber Threat Intelligence
  ▪ Threat Modeling
  ▪ Incident Management
    o Incident Handling and Response
  ▪ Role of AI and ML in Cyber Security
    o How Do AI and ML Prevent Cyber Attacks?
Information Security Laws and Standards
  ▪ Payment Card Industry Data Security Standard (PCI DSS)
  ▪ ISO/IEC 27001:2013
  ▪ Health Insurance Portability and Accountability Act (HIPAA)
  ▪ Sarbanes Oxley Act (SOX)
  ▪ The Digital Millennium Copyright Act (DMCA)
  ▪ The Federal Information Security Management Act (FISMA)
  ▪ Cyber Law in Different Countries

CEHv12
Information Security Overview
  ▪ Elements of Information Security
  ▪ Motives, Goals, and Objectives of Information Security Attacks
  ▪ Classification of Attacks
  ▪ Information Warfare
Hacking Methodologies and Frameworks
  ▪ CEH Hacking Methodology (CHM)
  ▪ Cyber Kill Chain Methodology
  ▪ Tactics, Techniques, and Procedures (TTPs)
  ▪ Adversary Behavioral Identification
  ▪ Indicators of Compromise (IoCs)
    o Categories of Indicators of Compromise
  ▪ MITRE ATT&CK Framework
  ▪ Diamond Model of Intrusion Analysis
Hacking Concepts
  ▪ What is Hacking?
  ▪ Who is a Hacker?
  ▪ Hacker Classes
Ethical Hacking Concepts
  ▪ What is Ethical Hacking?
  ▪ Why Ethical Hacking is Necessary
  ▪ Scope and Limitations of Ethical Hacking
  ▪ Skills of an Ethical Hacker
Information Security Controls
  ▪ Information Assurance (IA)
  ▪ Continual/Adaptive Security Strategy
  ▪ Defense-in-Depth
  ▪ What is Risk?
  ▪ Risk Management
  ▪ Cyber Threat Intelligence
    o Threat Intelligence Lifecycle
  ▪ Threat Modeling
  ▪ Incident Management
    o Incident Handling and Response
  ▪ Role of AI and ML in Cyber Security
    o How Do AI and ML Prevent Cyber Attacks?
Information Security Laws and Standards
  ▪ Payment Card Industry Data Security Standard (PCI DSS)
  ▪ ISO/IEC 27001:2013
  ▪ Health Insurance Portability and Accountability Act (HIPAA)
  ▪ Sarbanes Oxley Act (SOX)
  ▪ The Digital Millennium Copyright Act (DMCA)
  ▪ The Federal Information Security Management Act (FISMA)
  ▪ General Data Protection Regulation (GDPR)
  ▪ Data Protection Act 2018 (DPA)
  ▪ Cyber Law in Different Countries
Module 02: Footprinting and Reconnaissance

CEHv11
Footprinting Concepts
  ▪ What is Footprinting?
Footprinting through Search Engines
  ▪ Footprinting through Search Engines
  ▪ Footprint Using Advanced Google Hacking Techniques
  ▪ Google Hacking Database
  ▪ VoIP and VPN Footprinting through Google Hacking Database
  ▪ Other Techniques for Footprinting through Search Engines
    o Gathering Information Using Google Advanced Search and Advanced Image Search
    o Gathering Information Using Reverse Image Search
    o Gathering Information Using Video Search Engines
    o Gathering Information Using Meta Search Engines
    o Gathering Information Using FTP Search Engines
    o Gathering Information Using IoT Search Engines
Footprinting through Web Services
  ▪ Finding a Company's Top-Level Domains (TLDs) and Sub-domains
  ▪ Finding the Geographical Location of the Target
  ▪ People Search on Social Networking Sites and People Search Services
  ▪ Gathering Information from LinkedIn
  ▪ Harvesting Email Lists
  ▪ Gather Information from Financial Services
  ▪ Footprinting through Job Sites
  ▪ Deep and Dark Web Footprinting
  ▪ Determining the Operating System
  ▪ VoIP and VPN Footprinting through SHODAN
  ▪ Competitive Intelligence Gathering
    o Competitive Intelligence - When Did this Company Begin? How Did it Develop?
    o Competitive Intelligence - What Are the Company's Plans?
    o Competitive Intelligence - What Expert Opinions Say About the Company
  ▪ Other Techniques for Footprinting through Web Services
    o Information Gathering Using Business Profile Sites
    o Monitoring Target Using Alerts
    o Tracking Online Reputation of the Target
    o Information Gathering Using Groups, Forums, and Blogs
    o Information Gathering Using NNTP Usenet Newsgroups
Footprinting through Social Networking Sites
  ▪ Collecting Information through Social Engineering on Social Networking Sites
  ▪ General Resources for Locating Information from Social Media Sites
  ▪ Conducting Location Search on Social Media Sites
  ▪ Tools for Footprinting through Social Networking Sites
Website Footprinting
  ▪ Website Footprinting
  ▪ Website Footprinting using Web Spiders
  ▪ Mirroring Entire Website
  ▪ Extracting Website Information from https://archive.org
  ▪ Extracting Website Links
  ▪ Gathering Wordlist from the Target Website
  ▪ Extracting Metadata of Public Documents
  ▪ Other Techniques for Website Footprinting
    o Monitoring Web Pages for Updates and Changes
    o Searching for Contact Information, Email Addresses and Telephone Numbers from Company Website
    o Searching for Web Pages Posting Patterns and Revision Numbers
    o Monitoring Website Traffic of Target Company
Email Footprinting
  ▪ Tracking Email Communications
  ▪ Email Tracking Tools
Whois Footprinting
  ▪ Whois Lookup
  ▪ Finding IP Geolocation Information
DNS Footprinting
  ▪ Extracting DNS Information
  ▪ Reverse DNS Lookup
Network Footprinting
  ▪ Locate the Network Range
  ▪ Traceroute
  ▪ Traceroute Analysis
  ▪ Traceroute Tools
Footprinting through Social Engineering
  ▪ Footprinting through Social Engineering
  ▪ Collect Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation
Footprinting Tools
  ▪ Maltego
  ▪ Recon-ng
  ▪ FOCA
  ▪ OSRFramework
  ▪ OSINT Framework
  ▪ Recon-Dog
  ▪ BillCipher
Footprinting Countermeasures
  ▪ Footprinting Countermeasures

CEHv12
Footprinting Concepts
  ▪ What is Footprinting?
  ▪ Information Obtained in Footprinting
  ▪ Footprinting Methodology
Footprinting through Search Engines
  ▪ Footprinting through Search Engines
  ▪ Footprint Using Advanced Google Hacking Techniques
  ▪ Google Hacking Database
  ▪ VPN Footprinting through Google Hacking Database
  ▪ Other Techniques for Footprinting through Search Engines
    o Google Advanced Search
    o Advanced Image Search
    o Reverse Image Search
    o Video Search Engines
    o Meta Search Engines
    o FTP Search Engines
    o IoT Search Engines
Footprinting through Web Services
  ▪ Finding a Company's Top-Level Domains (TLDs) and Sub-domains
  ▪ Finding the Geographical Location of the Target
  ▪ People Search on Social Networking Sites and People Search Services
  ▪ Gathering Information from LinkedIn
  ▪ Harvesting Email Lists
  ▪ Footprinting through Job Sites
  ▪ Deep and Dark Web Footprinting
  ▪ Determining the Operating System
  ▪ VoIP and VPN Footprinting through SHODAN
  ▪ Competitive Intelligence Gathering
  ▪ Other Techniques for Footprinting through Web Services
    o Finding the Geographical Location of the Target
    o Gathering Information from Financial Services
    o Gathering Information from Business Profile Sites
    o Monitoring Targets Using Alerts
    o Tracking the Online Reputation of the Target
    o Gathering Information from Groups, Forums, and Blogs
    o Gathering Information from NNTP Usenet Newsgroups
    o Gathering Information from Public Source Code Repositories
Footprinting through Social Networking Sites
  ▪ Collecting Information through Social Engineering on Social Networking Sites
  ▪ General Resources for Locating Information from Social Media Sites
  ▪ Conducting Location Search on Social Media Sites
  ▪ Constructing and Analyzing Social Network Graphs
  ▪ Tools for Footprinting through Social Networking Sites
Website Footprinting
  ▪ Website Footprinting
  ▪ Website Footprinting using Web Spiders
  ▪ Mirroring Entire Website
  ▪ Extracting Website Information from https://archive.org
  ▪ Other Techniques for Website Footprinting
    o Extracting Website Links
    o Gathering the Wordlist from the Target Website
    o Extracting Metadata of Public Documents
    o Monitoring Web Pages for Updates and Changes
    o Searching for Contact Information, Email Addresses, and Telephone Numbers from Company Website
    o Searching for Web Pages Posting Patterns and Revision Numbers
    o Monitoring Website Traffic of the Target Company
Email Footprinting
  ▪ Tracking Email Communications
  ▪ Email Tracking Tools
Whois Footprinting
  ▪ Whois Lookup
  ▪ Finding IP Geolocation Information
DNS Footprinting
  ▪ Extracting DNS Information
  ▪ Reverse DNS Lookup
Network Footprinting
  ▪ Locate the Network Range
  ▪ Traceroute
  ▪ Traceroute Analysis
  ▪ Traceroute Tools
Footprinting through Social Engineering
  ▪ Footprinting through Social Engineering
  ▪ Collect Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation
Footprinting Tools
  ▪ Footprinting Tools: Maltego and Recon-ng
  ▪ Footprinting Tools: FOCA and OSRFramework
  ▪ Footprinting Tools: OSINT Framework
  ▪ Footprinting Tools: Recon-Dog and BillCipher
  ▪ Footprinting Tools: Spyse
Footprinting Countermeasures
  ▪ Footprinting Countermeasures
Module 03: Scanning Networks

CEHv11
Network Scanning Concepts
  ▪ Overview of Network Scanning
  ▪ TCP Communication Flags
  ▪ TCP/IP Communication
Scanning Tools
  ▪ Nmap
  ▪ Hping2/Hping3
    o Hping Commands
  ▪ Scanning Tools
  ▪ Scanning Tools for Mobile
Host Discovery
  ▪ Host Discovery Techniques
    o ARP Ping Scan and UDP Ping Scan
    o ICMP ECHO Ping Scan
    o ICMP ECHO Ping Sweep
      • Ping Sweep Tools
      • Ping Sweep Countermeasures
    o Other Host Discovery Techniques
      • ICMP Timestamp and Address Mask Ping Scan
      • TCP Ping Scan
        ✓ TCP SYN Ping Scan
        ✓ TCP ACK Ping Scan
      • IP Protocol Ping Scan
Port and Service Discovery
  ▪ Port Scanning Techniques
    o TCP Scanning
      • TCP Connect/Full Open Scan
      • Stealth Scan (Half-open Scan)
      • Inverse TCP Flag Scan
      • Xmas Scan
      • TCP Maimon Scan
      • ACK Flag Probe Scan
      • IDLE/IPID Header Scan
    o UDP Scanning
    o SCTP Scanning
      • SCTP INIT Scanning
      • SCTP COOKIE ECHO Scanning
    o SSDP and List Scanning
    o IPv6 Scanning
  ▪ Service Version Discovery
  ▪ Nmap Scan Time Reduction Techniques
  ▪ Port Scanning Countermeasures
OS Discovery (Banner Grabbing/OS Fingerprinting)
  ▪ OS Discovery/Banner Grabbing
  ▪ How to Identify Target System OS
    o OS Discovery using Wireshark
    o OS Discovery using Nmap and Unicornscan
    o OS Discovery using Nmap Script Engine
    o OS Discovery using IPv6 Fingerprinting
  ▪ Banner Grabbing Countermeasures
Scanning Beyond IDS and Firewall
  ▪ IDS/Firewall Evasion Techniques
    o Packet Fragmentation
    o Source Routing
    o Source Port Manipulation
    o IP Address Decoy
    o IP Address Spoofing
      • IP Spoofing Detection Techniques: Direct TTL Probes
      • IP Spoofing Detection Techniques: IP Identification Number
      • IP Spoofing Detection Techniques: TCP Flow Control Method
      • IP Spoofing Countermeasures
    o Creating Custom Packets
      • Using Packet Crafting Tools
      • Appending Custom Binary Data
      • Appending Custom String
      • Appending Random Data
    o Randomizing Host Order and Sending Bad Checksums
    o Proxy Servers
      • Proxy Chaining
      • Proxy Tools
      • Proxy Tools for Mobile
    o Anonymizers
      • Censorship Circumvention Tools: Alkasir and Tails
      • Anonymizers
      • Anonymizers for Mobile
Draw Network Diagrams
  ▪ Drawing Network Diagrams
  ▪ Network Discovery and Mapping Tools
  ▪ Network Discovery Tools for Mobile

CEHv12
Network Scanning Concepts
  ▪ Overview of Network Scanning
  ▪ TCP Communication Flags
  ▪ TCP/IP Communication
Scanning Tools
  ▪ Scanning Tools: Nmap
  ▪ Scanning Tools: Hping3
    o Hping Commands
  ▪ Scanning Tools
  ▪ Scanning Tools for Mobile
Host Discovery
  ▪ Host Discovery Techniques
    o ARP Ping Scan
    o UDP Ping Scan
    o ICMP ECHO Ping Scan
    o ICMP ECHO Ping Sweep
    o ICMP Timestamp Ping Scan
    o ICMP Address Mask Ping Scan
    o TCP SYN Ping Scan
    o TCP ACK Ping Scan
    o IP Protocol Ping Scan
    o Ping Sweep Tools
Port and Service Discovery
  ▪ Port Scanning Techniques
    o TCP Scanning
      • TCP Connect/Full Open Scan
      • Stealth Scan (Half-open Scan)
      • Inverse TCP Flag Scan
        ✓ Xmas Scan
        ✓ FIN Scan
        ✓ NULL Scan
        ✓ TCP Maimon Scan
      • ACK Flag Probe Scan
        ✓ TTL-Based Scan
        ✓ Window-Based Scan
      • IDLE/IPID Header Scan
    o UDP Scan
    o SCTP INIT Scan
    o SCTP COOKIE ECHO Scan
    o SSDP and List Scan
    o IPv6 Scan
  ▪ Service Version Discovery
  ▪ Nmap Scan Time Reduction Techniques
OS Discovery (Banner Grabbing/OS Fingerprinting)
  ▪ OS Discovery/Banner Grabbing
  ▪ How to Identify Target System OS
    o OS Discovery using Wireshark
    o OS Discovery using Nmap and Unicornscan
    o OS Discovery using Nmap Script Engine
    o OS Discovery using IPv6 Fingerprinting
Scanning Beyond IDS and Firewall
  ▪ IDS/Firewall Evasion Techniques
    o Packet Fragmentation
    o Source Routing
    o Source Port Manipulation
    o IP Address Decoy
    o IP Address Spoofing
    o MAC Address Spoofing
    o Creating Custom Packets
    o Randomizing Host Order and Sending Bad Checksums
    o Proxy Servers
      • Proxy Chaining
      • Proxy Tools
      • Proxy Tools for Mobile
    o Anonymizers
      • Censorship Circumvention Tools: Alkasir and Tails
Network Scanning Countermeasures
  ▪ Ping Sweep Countermeasures
  ▪ Port Scanning Countermeasures
  ▪ Banner Grabbing Countermeasures
  ▪ IP Spoofing Detection Techniques
    o Direct TTL Probes
    o IP Identification Number
    o TCP Flow Control Method
  ▪ IP Spoofing Countermeasures
  ▪ Scanning Detection and Prevention Tools
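The scan types listed under Port and Service Discovery above differ less in the probe they send than in how the reply is read. The following Python block is an added example, not part of the EC-Council document: it builds and parses minimal TCP headers from constructed bytes and maps each reply to the port state an Nmap-style scanner reports for connect/SYN, the inverse-flag scans (FIN, NULL, Xmas, Maimon), ACK and window probes, and UDP. No packets are sent; the scan-type names and the `TcpReply` helper are this example's own.

```python
"""Port-state inference for the TCP/UDP scan types listed under
'Port and Service Discovery'. Added example, not EC-Council code;
the replies are constructed byte strings, nothing is sent on the wire."""
import struct
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags each probe sets. The classifier only needs the reply; the table
# documents the technique names used on the page (example's own naming).
PROBE_FLAGS = {
    "connect": SYN, "syn": SYN, "ack": ACK, "window": ACK,
    "fin": FIN, "null": 0, "xmas": FIN | PSH | URG, "maimon": FIN | ACK,
}


@dataclass
class TcpReply:
    flags: int
    window: int


def build_tcp_header(flags: int, window: int = 0, sport: int = 80, dport: int = 40000) -> bytes:
    """Minimal 20-byte TCP header (no options) as a target stack might send it."""
    data_offset = 5 << 12  # five 32-bit words, upper 4 bits of the 16-bit field
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, data_offset | flags, window, 0, 0)


def parse_tcp_reply(raw: bytes) -> TcpReply:
    """Pull the flag bits and the window size out of a raw TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    _, _, _, _, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", raw[:20])
    return TcpReply(flags=off_flags & 0x01FF, window=window)


def tcp_port_state(scan: str, reply: Optional[TcpReply], icmp_unreachable: bool = False) -> str:
    """Return the port state a scanner infers from one probe's reply.
    reply=None means the probe timed out; icmp_unreachable stands for an
    ICMP type 3 code 1, 2, 3, 9, 10 or 13 message (filtering in the path)."""
    if scan not in PROBE_FLAGS:
        raise ValueError(f"unknown scan type {scan!r}")
    if icmp_unreachable:
        return "filtered"
    if scan in ("connect", "syn"):
        if reply is None:
            return "filtered"
        if reply.flags & SYN and reply.flags & ACK:
            return "open"
        return "closed" if reply.flags & RST else "filtered"
    if scan in ("fin", "null", "xmas", "maimon"):
        # Inverse-flag scans: per RFC 793 only a closed port answers, with RST;
        # silence cannot distinguish an open port from a dropped probe.
        if reply is not None and reply.flags & RST:
            return "closed"
        return "open|filtered"
    if scan == "ack":
        # ACK probes map firewall rules, not listeners: an RST means unfiltered.
        return "unfiltered" if reply is not None and reply.flags & RST else "filtered"
    # window scan: some stacks put a positive window in the RST for open ports
    if reply is None or not reply.flags & RST:
        return "filtered"
    return "open" if reply.window > 0 else "closed"


def udp_port_state(reply_payload: Optional[bytes], icmp_code: Optional[int]) -> str:
    """UDP scan: ICMP port unreachable (code 3) -> closed; other unreachable
    codes -> filtered; a UDP answer -> open; silence -> open|filtered."""
    if icmp_code == 3:
        return "closed"
    if icmp_code in (1, 2, 9, 10, 13):
        return "filtered"
    if reply_payload is not None:
        return "open"
    return "open|filtered"


if __name__ == "__main__":
    synack = parse_tcp_reply(build_tcp_header(SYN | ACK, window=64240))
    rst = parse_tcp_reply(build_tcp_header(RST | ACK))
    print("syn scan, SYN/ACK reply:", tcp_port_state("syn", synack))
    print("xmas scan, no reply:", tcp_port_state("xmas", None))
    print("window scan, RST with window 0:", tcp_port_state("window", rst))
```

The "open|filtered" result for the inverse-flag and UDP scans is the point these techniques turn on: a silent port is not evidence of a listener, and Windows stacks reply with RST to FIN/NULL/Xmas probes on every port, so those scans report everything closed there.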
Module 04: Enumeration

CEHv11
Enumeration Concepts
  ▪ What is Enumeration?
  ▪ Techniques for Enumeration
  ▪ Services and Ports to Enumerate
NetBIOS Enumeration
  ▪ NetBIOS Enumeration
  ▪ NetBIOS Enumeration Tools
  ▪ Enumerating User Accounts
  ▪ Enumerating Shared Resources Using Net View
SNMP Enumeration
  ▪ SNMP (Simple Network Management Protocol) Enumeration
  ▪ Working of SNMP
  ▪ Management Information Base (MIB)
  ▪ SNMP Enumeration Tools
LDAP Enumeration
  ▪ LDAP Enumeration
  ▪ LDAP Enumeration Tools
NTP and NFS Enumeration
  ▪ NTP Enumeration
  ▪ NTP Enumeration Commands
  ▪ NTP Enumeration Tools
  ▪ NFS Enumeration
  ▪ NFS Enumeration Tools
SMTP and DNS Enumeration
  ▪ SMTP Enumeration
  ▪ SMTP Enumeration Tools
  ▪ DNS Enumeration Using Zone Transfer
  ▪ DNS Cache Snooping
  ▪ DNSSEC Zone Walking
Other Enumeration Techniques
  ▪ IPsec Enumeration
  ▪ VoIP Enumeration
  ▪ RPC Enumeration
  ▪ Unix/Linux User Enumeration
  ▪ Telnet Enumeration
  ▪ SMB Enumeration
  ▪ FTP Enumeration
  ▪ TFTP Enumeration
  ▪ IPv6 Enumeration
  ▪ BGP Enumeration
Enumeration Countermeasures
  ▪ Enumeration Countermeasures

CEHv12
Enumeration Concepts
  ▪ What is Enumeration?
  ▪ Techniques for Enumeration
  ▪ Services and Ports to Enumerate
NetBIOS Enumeration
  ▪ NetBIOS Enumeration
  ▪ NetBIOS Enumeration Tools
  ▪ Enumerating User Accounts
  ▪ Enumerating Shared Resources Using Net View
SNMP Enumeration
  ▪ SNMP (Simple Network Management Protocol) Enumeration
  ▪ Working of SNMP
  ▪ Management Information Base (MIB)
  ▪ Enumerating SNMP using SnmpWalk
  ▪ Enumerating SNMP using Nmap
  ▪ SNMP Enumeration Tools
LDAP Enumeration
  ▪ LDAP Enumeration
  ▪ Manual and Automated LDAP Enumeration
  ▪ LDAP Enumeration Tools
NTP and NFS Enumeration
  ▪ NTP Enumeration
  ▪ NTP Enumeration Commands
  ▪ NTP Enumeration Tools
  ▪ NFS Enumeration
  ▪ NFS Enumeration Tools
SMTP and DNS Enumeration
  ▪ SMTP Enumeration
  ▪ SMTP Enumeration using Nmap
  ▪ SMTP Enumeration using Metasploit
  ▪ SMTP Enumeration Tools
  ▪ DNS Enumeration Using Zone Transfer
  ▪ DNS Cache Snooping
  ▪ DNSSEC Zone Walking
  ▪ DNS and DNSSEC Enumeration using Nmap
Other Enumeration Techniques
  ▪ IPsec Enumeration
  ▪ VoIP Enumeration
  ▪ RPC Enumeration
  ▪ Unix/Linux User Enumeration
  ▪ Telnet and SMB Enumeration
  ▪ FTP and TFTP Enumeration
  ▪ IPv6 Enumeration
  ▪ BGP Enumeration
Enumeration Countermeasures
  ▪ Enumeration Countermeasures
  ▪ DNS Enumeration Countermeasures
Module 05: Vulnerability Analysis

CEHv11
Vulnerability Assessment Concepts
  ▪ Vulnerability Research
  ▪ Resources for Vulnerability Research
  ▪ What is Vulnerability Assessment?
  ▪ Vulnerability Scoring Systems and Databases
    o Common Vulnerability Scoring System (CVSS)
    o Common Vulnerabilities and Exposures (CVE)
    o National Vulnerability Database (NVD)
    o Common Weakness Enumeration (CWE)
  ▪ Vulnerability-Management Life Cycle
    o Pre-Assessment Phase
    o Vulnerability Assessment Phase
    o Post Assessment Phase
Vulnerability Classification and Assessment Types
  ▪ Vulnerability Classification
  ▪ Types of Vulnerability Assessment
Vulnerability Assessment Solutions and Tools
  ▪ Comparing Approaches to Vulnerability Assessment
  ▪ Characteristics of a Good Vulnerability Assessment Solution
  ▪ Working of Vulnerability Scanning Solutions
  ▪ Types of Vulnerability Assessment Tools
  ▪ Choosing a Vulnerability Assessment Tool
  ▪ Criteria for Choosing a Vulnerability Assessment Tool
  ▪ Best Practices for Selecting Vulnerability Assessment Tools
  ▪ Vulnerability Assessment Tools
    o Qualys Vulnerability Management
    o Nessus Professional
    o GFI LanGuard
    o OpenVAS
    o Nikto
    o Other Vulnerability Assessment Tools
  ▪ Vulnerability Assessment Tools for Mobile
Vulnerability Assessment Reports
  ▪ Vulnerability Assessment Reports
  ▪ Analyzing Vulnerability Scanning Report

CEHv12
Vulnerability Assessment Concepts
  ▪ What is Vulnerability?
    o Examples of Vulnerabilities
  ▪ Vulnerability Research
  ▪ Resources for Vulnerability Research
  ▪ What is Vulnerability Assessment?
  ▪ Vulnerability Scoring Systems and Databases
  ▪ Vulnerability-Management Life Cycle
    o Pre-Assessment Phase
    o Vulnerability Assessment Phase
    o Post Assessment Phase
Vulnerability Classification and Assessment Types
  ▪ Vulnerability Classification
    o Misconfigurations/Weak Configurations
    o Application Flaws
    o Poor Patch Management
    o Design Flaws
    o Third-Party Risks
    o Default Installations/Default Configurations
    o Operating System Flaws
    o Default Passwords
    o Zero-Day Vulnerabilities
    o Legacy Platform Vulnerabilities
    o System Sprawl/Undocumented Assets
    o Improper Certificate and Key Management
  ▪ Types of Vulnerability Assessment
Vulnerability Assessment Tools
  ▪ Comparing Approaches to Vulnerability Assessment
  ▪ Characteristics of a Good Vulnerability Assessment Solution
  ▪ Working of Vulnerability Scanning Solutions
  ▪ Types of Vulnerability Assessment Tools
  ▪ Choosing a Vulnerability Assessment Tool
  ▪ Criteria for Choosing a Vulnerability Assessment Tool
  ▪ Best Practices for Selecting Vulnerability Assessment Tools
  ▪ Vulnerability Assessment Tools: Qualys Vulnerability Management
  ▪ Vulnerability Assessment Tools: Nessus Professional and GFI LanGuard
  ▪ Vulnerability Assessment Tools: OpenVAS and Nikto
  ▪ Other Vulnerability Assessment Tools
  ▪ Vulnerability Assessment Tools for Mobile
Vulnerability Assessment Reports
  ▪ Vulnerability Assessment Reports
  ▪ Components of a Vulnerability Assessment Report
Module 06: System Hacking
Module 06: System Hacking
System Hacking Concepts
Gaining Access
▪ CEH Hacking Methodology (CHM)
▪ Cracking Passwords
▪ System Hacking Goals
o Microsoft Authentication
Gaining Access
o How Hash Passwords Are Stored in Windows
SAM?
▪ Cracking Passwords
o NTLM Authentication Process
o Microsoft Authentication
o Kerberos Authentication
o How Hash Passwords Are Stored in Windows
SAM?
o Password Cracking
o NTLM Authentication Process
o Types of Password Attacks
o Kerberos Authentication
• Non-Electronic Attacks
o Password Cracking
• Active Online Attacks
o Types of Password Attacks
• Non-Electronic Attacks
Page | 13
✓ Dictionary, Brute-Force, and Rule-based
Attack
✓ Password Spraying Attack and Mask
Attack
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Version Change Document
• Active Online Attacks
Exam 312-50 Certified Ethical Hacker
✓ Password Guessing
✓ Dictionary, Brute-Force and Rule-based
Attack
✓ Default Passwords
✓ Password Guessing
✓ Trojans/Spyware/Keyloggers
✓ Default Passwords
✓ Hash Injection/Pass-the-Hash (PtH)
Attack
✓ Trojans/Spyware/Keyloggers
✓ LLMNR/NBT-NS Poisoning
✓ Hash Injection/Pass-the-Hash (PtH)
Attack
✓ Internal Monologue Attack
✓ LLMNR/NBT-NS Poisoning
✓ Cracking Kerberos Password
✓ Internal Monologue Attack
✓ Pass the Ticket Attack
✓ Cracking Kerberos Password
✓ Other Active Online Attacks
✓ Pass the Ticket Attack
✓ Other Active Online Attacks
➢ GPU-based Attack
• Passive Online Attacks
➢ Combinator Attack
✓ Wire Sniffing
➢ Fingerprint Attack
✓ Man-in-the-Middle/Manipulator-in-theMiddle and Replay Attacks
➢ PRINCE Attack
• Offline Attacks
➢ Toggle-Case Attack
✓ Rainbow Table Attack
➢ Markov Chains Attack
✓ Distributed Network Attack
• Passive Online Attacks
o Password Recovery Tools
✓ Wire Sniffing
o Tools to Extract the Password Hashes
✓ Man-in-the-Middle and Replay Attacks
o Password Cracking using Domain Password
Audit Tool (DPAT)
• Offline Attacks
o Password-Cracking Tools: L0phtCrack and
ophcrack
✓ Rainbow Table Attack
o Password-Cracking Tools
✓ Distributed Network Attack
o Password Salting
o Password Recovery Tools
o How to Defend against Password Cracking
o Tools to Extract the Password Hashes
o How to Defend against LLMNR/NBT-NS
Poisoning
o Password Cracking Tools
o Tools to Detect LLMNR/NBT-NS Poisoning
o Password Salting
▪ Vulnerability Exploitation
o How to Defend against Password Cracking
o Exploit Sites
o How to Defend against LLMNR/NBT-NS
Poisoning
o Buffer Overflow
o Tools to Detect LLMNR/NBT-NS Poisoning
▪ Vulnerability Exploitation
o Exploit Sites
Page | 14
• Types of Buffer Overflow: Stack-Based
Buffer Overflow
• Types of Buffer Overflow: Heap-Based
Buffer Overflow
• Simple Buffer Overflow in C
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Version Change Document
o Buffer Overflow
• Types of Buffer Overflow
Exam 312-50 Certified Ethical Hacker
• Windows Buffer Overflow Exploitation
o Return-Oriented Programming (ROP) Attack
✓ Stack-Based Buffer Overflow
o Exploit Chaining
✓ Heap-Based Buffer Overflow
o Active Directory Enumeration Using
PowerView
• Simple Buffer Overflow in C
o Domain Mapping and Exploitation with
Bloodhound
• Windows Buffer Overflow Exploitation
o Identifying Insecurities Using GhostPack
Seatbelt
✓ Perform Spiking
o Buffer Overflow Detection Tools
✓ Perform Fuzzing
o Defending against Buffer Overflows
✓ Identify the Offset
Escalating Privileges
✓ Overwrite the EIP Register
▪ Privilege Escalation
✓ Identify Bad Characters
▪ Privilege Escalation Using DLL Hijacking
✓ Identify the Right Module
▪ Privilege Escalation by Exploiting Vulnerabilities
✓ Generate Shellcode and Gain Shell
Access
▪ Privilege Escalation Using Dylib Hijacking
• Buffer Overflow Detection Tools
▪ Privilege Escalation Using Spectre and Meltdown
Vulnerabilities
• Defending against Buffer Overflows
▪ Privilege Escalation Using Named Pipe
Impersonation
Escalating Privileges
▪ Privilege Escalation by Exploiting Misconfigured
Services
▪ Privilege Escalation
▪ Pivoting and Relaying to Hack External Machines
▪ Privilege Escalation Using DLL Hijacking
▪ Privilege Escalation Using Misconfigured NFS
▪ Privilege Escalation by Exploiting Vulnerabilities
▪ Privilege Escalation Using Windows Sticky Keys
▪ Privilege Escalation Using Dylib Hijacking
▪ Privilege Escalation by Bypassing User Account
Control (UAC)
▪ Privilege Escalation using Spectre and Meltdown
Vulnerabilities
▪ Privilege Escalation by Abusing Boot or Logon
Initialization Scripts
▪ Privilege Escalation using Named Pipe
Impersonation
▪ Privilege Escalation by Modifying Domain Policy
▪ Privilege Escalation by Exploiting Misconfigured
Services
▪ Retrieving Password Hashes of Other Domain
Controllers Using DCSync Attack
o Unquoted Service Paths
▪
▪ Other Privilege Escalation Techniques
o Service Object Permissions
o Parent PID Spoofing
o Unattended Installs
o Abusing Accessibility Features
Pivoting and Relaying to Hack External Machines
o SID-History Injection
▪ Other Privilege Escalation Techniques
o COM Hijacking
▪ Privilege Escalation Tools
o Scheduled Tasks in Linux
▪ How to Defend Against Privilege Escalation
Page | 15
▪ Privilege Escalation Tools
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Version Change Document
Exam 312-50 Certified Ethical Hacker
o Tools for Defending against DLL and Dylib
Hijacking
o FullPowers
o Defending against Spectre and Meltdown
Vulnerabilities
o PEASS-ng
o Tools for Detecting Spectre and Meltdown
Vulnerabilities
▪ How to Defend Against Privilege Escalation
Maintaining Access
o Tools for Defending against DLL and Dylib
Hijacking
▪ Executing Applications
o Defending against Spectre and Meltdown
Vulnerabilities
o Remote Code Execution Techniques
• Tools for Executing Applications
o Keylogger
• Types of Keystroke Loggers
• Hardware Keyloggers
• Keyloggers for Windows
• Keyloggers for Mac
o Spyware
Maintaining Access
▪ Executing Applications
o Remote Code Execution Techniques
• Tools for Executing Applications
o Keylogger
• Types of Keystroke Loggers
• Remote Keylogger Attack Using Metasploit
• Spyware: Spytech SpyAgent and Power Spy
• Hardware Keyloggers
• Desktop and Child Monitoring Spyware
• Keyloggers for Windows
• USB Spyware
• Keyloggers for macOS
• Audio Spyware
o Spyware
• Video Spyware
• Spyware Tools: Spytech SpyAgent and
Power Spy
• Telephone/Cellphone Spyware
• Spyware Tools
• GPS Spyware
o How to Defend Against Keyloggers
• Anti-Keyloggers
o How to Defend Against Spyware
• Anti-Spyware
▪ Hiding Files
o Rootkits
o How to Defend Against Keyloggers
• Anti-Keyloggers
o How to Defend Against Spyware
• Anti-Spyware
▪ Hiding Files
o Rootkits
• Types of Rootkits
• Types of Rootkits
• How a Rootkit Works
• How a Rootkit Works
• Popular Rootkits
• Popular Rootkits
✓ Purple Fox Rootkit
✓ LoJax
✓ MoonBounce
✓ Scranos
✓ Dubbed Demodex Rootkit
✓ Horse Pill
o Tools for Detecting Spectre and Meltdown Vulnerabilities
• Detecting Rootkits
✓ Necurs
• Steps for Detecting Rootkits
• Detecting Rootkits
• How to Defend against Rootkits
• Steps for Detecting Rootkits
• Anti-Rootkits
• How to Defend against Rootkits
• Anti-Rootkits
o NTFS Data Stream
o NTFS Data Stream
• How to Create NTFS Streams
• NTFS Stream Manipulation
• How to Create NTFS Streams
• How to Defend against NTFS Streams
• NTFS Stream Manipulation
• NTFS Stream Detectors
• How to Defend against NTFS Streams
• NTFS Stream Detectors
o What is Steganography?
o What is Steganography?
• Classification of Steganography
• Types of Steganography based on Cover Medium
• Classification of Steganography
✓ Whitespace Steganography
• Types of Steganography based on Cover Medium
✓ Image Steganography
✓ Whitespace Steganography
✓ Image Steganography
➢ Image Steganography Tools
➢ Image Steganography Tools
✓ Document Steganography
✓ Video Steganography
✓ Document Steganography
✓ Audio Steganography
✓ Video Steganography
✓ Folder Steganography
✓ Audio Steganography
✓ Spam/Email Steganography
✓ Folder Steganography
✓ Other Types of Steganography
✓ Spam/Email Steganography
• Steganography Tools for Mobile Phones
• Steganography Tools for Mobile Phones
• Steganalysis
• Steganalysis
• Steganalysis Methods/Attacks on Steganography
• Steganalysis Methods/Attacks on Steganography
• Detecting Steganography (Text, Image, Audio, and Video Files)
• Detecting Steganography (Text, Image, Audio, and Video Files)
• Steganography Detection Tools
• Steganography Detection Tools
▪ Establishing Persistence
Clearing Logs
o Maintaining Persistence by Abusing Boot or Logon Autostart Executions
▪ Covering Tracks
o Domain Dominance through Different Paths
▪ Disabling Auditing: Auditpol
• Remote Code Execution
▪ Clearing Logs
• Abusing DPAPI
▪ Manually Clearing Event Logs
• Malicious Replication
▪ Ways to Clear Online Tracks
• Skeleton Key Attack
▪ Covering BASH Shell Tracks
• Golden Ticket Attack
▪ Covering Tracks on a Network
• Silver Ticket Attack
▪ Covering Tracks on an OS
o Maintain Domain Persistence Through AdminSDHolder
▪ Delete Files using Cipher.exe
o Maintaining Persistence Through WMI Event Subscription
▪ Disable Windows Functionality
o Overpass-the-Hash Attack
o Disabling the Last Access Timestamp
o Linux Post Exploitation
o Disabling Windows Hibernation
o Windows Post Exploitation
o Disabling Windows Virtual Memory (Paging File)
o How to Defend against Persistence Attacks
o Disabling System Restore Points
Clearing Logs
o Disabling Windows Thumbnail Cache
▪ Covering Tracks
o Disabling Windows Prefetch Feature
▪ Disabling Auditing: Auditpol
▪ Track-Covering Tools
▪ Clearing Logs
▪ Defending against Covering Tracks
▪ Manually Clearing Event Logs
▪ Ways to Clear Online Tracks
▪ Covering BASH Shell Tracks
▪ Covering Tracks on a Network
▪ Covering Tracks on an OS
▪ Delete Files using Cipher.exe
▪ Disable Windows Functionality
▪ Hiding Artifacts in Windows, Linux, and macOS
▪ Track-Covering Tools
▪ Defending against Covering Tracks
Module 07: Malware Threats
Module 07: Malware Threats
Malware Concepts
Malware Concepts
▪ Introduction to Malware
▪ Introduction to Malware
▪ Different Ways for Malware to Enter a System
▪ Different Ways for Malware to Enter a System
▪ Common Techniques Attackers Use to Distribute Malware on the Web
▪ Common Techniques Attackers Use to Distribute Malware on the Web
▪ Components of Malware
o RTF Injection
APT Concepts
▪ Components of Malware
▪ What are Advanced Persistent Threats?
▪ Potentially Unwanted Application or Applications (PUAs)
▪ Characteristics of Advanced Persistent Threats
o Adware
▪ Advanced Persistent Threat Lifecycle
APT Concepts
Trojan Concepts
▪ What are Advanced Persistent Threats?
▪ What is a Trojan?
▪ Characteristics of Advanced Persistent Threats
▪ How Hackers Use Trojans
▪ Advanced Persistent Threat Lifecycle
▪ Common Ports used by Trojans
Trojan Concepts
▪ Types of Trojans
▪ What is a Trojan?
o Remote Access Trojans
▪ How Hackers Use Trojans
o Backdoor Trojans
▪ Common Ports used by Trojans
o Botnet Trojans
▪ Types of Trojans
o Rootkit Trojans
o Remote Access Trojans
o E-banking Trojans
o Backdoor Trojans
• Working of E-banking Trojans
o Botnet Trojans
• E-banking Trojan: Dreambot
o Rootkit Trojans
o Point-of-Sale Trojans
o E-banking Trojans
o Defacement Trojans
• Working of E-banking Trojans
o Service Protocol Trojans
• E-banking Trojan: Dreambot
o Mobile Trojans
o Point-of-Sale Trojans
o IoT Trojans
o Defacement Trojans
o Other Trojans
o Service Protocol Trojans
• Security Software Disabler Trojans
o Mobile Trojans
• Destructive Trojans
o IoT Trojans
• DDoS Trojans
o Security Software Disabler Trojans
• Command Shell Trojans
o Destructive Trojans
▪ How to Infect Systems Using a Trojan
o Creating a Trojan
o Employing a Dropper or Downloader
o DDoS Trojans
o Command Shell Trojans
▪ How to Infect Systems Using a Trojan
o Employing a Wrapper
o Creating a Trojan
o Employing a Crypter
o Employing a Dropper or Downloader
o Propagating and Deploying a Trojan
o Employing a Wrapper
• Deploy a Trojan through Emails
o Employing a Crypter
• Deploy a Trojan through Covert Channels
o Propagating and Deploying a Trojan
• Deploy a Trojan through Proxy Servers
o Exploit Kits
• Deploy a Trojan through USB/Flash Drives
Virus and Worm Concepts
• Evading Anti-Virus Software
▪ Introduction to Viruses
o Exploit Kits
Virus and Worm Concepts
▪ Introduction to Viruses
▪ Stages of Virus Lifecycle
▪ Working of Viruses
o How does a Computer Get Infected by Viruses?
▪ Types of Viruses
▪ Stages of Virus Lifecycle
▪ Working of Viruses
o How does a Computer Get Infected by Viruses?
▪ Types of Viruses
o System or Boot Sector Viruses
o File Viruses
o Multipartite Viruses
o System and File Viruses
o Macro Viruses
o Multipartite and Macro Viruses
o Cluster Viruses
o Cluster and Stealth Viruses
o Stealth Viruses/Tunneling Viruses
o Encryption and Sparse Infector Viruses
o Encryption Viruses
o Polymorphic Viruses
o Sparse Infector Viruses
o Metamorphic Viruses
o Polymorphic Viruses
o Overwriting File or Cavity Viruses
o Metamorphic Viruses
o Companion/Camouflage and Shell Viruses
o Overwriting File or Cavity Viruses
o File Extension Viruses
o Companion/Camouflage Viruses
o FAT and Logic Bomb Viruses
o Shell Viruses
o Other Viruses
o File Extension Viruses
• Web Scripting Viruses
o FAT Viruses
• E-mail Viruses
o Logic Bomb Viruses
• Armored Viruses
o Web Scripting Virus
• Add-on Viruses
o E-mail Viruses
• Intrusive Viruses
o Armored Viruses
• Direct Action or Transient Viruses
o Add-on Viruses
• Terminate and Stay Resident (TSR) Viruses
o Intrusive Viruses
o Ransomware
▪ How to Infect Systems Using a Virus
o Creating a Virus
o Propagating and Deploying a Virus
• Virus Hoaxes
• Fake Antiviruses
o Direct Action or Transient Viruses
o Terminate and Stay Resident (TSR) Viruses
o Ransomware
• BlackCat
• BlackMatter
▪ How to Infect Systems Using a Virus: Creating a Virus
▪ Computer Worms
▪ How to Infect Systems Using a Virus: Propagating and Deploying a Virus
▪ Worm Makers
▪ Computer Worms
Fileless Malware Concepts
o Worm Makers
▪ What is Fileless Malware?
Fileless Malware Concepts
▪ Taxonomy of Fileless Malware Threats
▪ What is Fileless Malware?
▪ How does Fileless Malware Work?
▪ Taxonomy of Fileless Malware Threats
▪ Launching Fileless Malware through Document Exploits and In-Memory Exploits
▪ How does Fileless Malware Work?
▪ Launching Fileless Malware through Script-based Injection
▪ Launching Fileless Malware through Document Exploits and In-Memory Exploits
▪ Launching Fileless Malware by Exploiting System Admin Tools
▪ Launching Fileless Malware through Script-based Injection
▪ Launching Fileless Malware through Phishing
▪ Launching Fileless Malware by Exploiting System Admin Tools
▪ Maintaining Persistence with Fileless Techniques
▪ Launching Fileless Malware through Phishing
▪ Fileless Malware
▪ Maintaining Persistence with Fileless Techniques
▪ Fileless Malware Obfuscation Techniques to Bypass Antivirus
▪ Fileless Malware
Malware Analysis
o LemonDuck
▪ What is Sheep Dip Computer?
▪ Fileless Malware Obfuscation Techniques to Bypass Antivirus
▪ Antivirus Sensor Systems
Malware Analysis
▪ Introduction to Malware Analysis
▪ What is Sheep Dip Computer?
▪ Malware Analysis Procedure: Preparing Testbed
▪ Antivirus Sensor Systems
▪ Static Malware Analysis
▪ Introduction to Malware Analysis
o File Fingerprinting
▪ Malware Analysis Procedure: Preparing Testbed
o Local and Online Malware Scanning
▪ Static Malware Analysis
o Performing Strings Search
o File Fingerprinting
o Identifying Packing/Obfuscation Methods
o Local and Online Malware Scanning
o Finding the Portable Executables (PE) Information
o Performing Strings Search
o Identifying File Dependencies
o Identifying Packing/Obfuscation Methods
o Malware Disassembly
▪ Dynamic Malware Analysis
• Identifying Packing/Obfuscation Method of ELF Malware
• Detect It Easy (DIE)
o Port Monitoring
o Finding the Portable Executables (PE) Information
o Process Monitoring
o Identifying File Dependencies
o Registry Monitoring
o Malware Disassembly
o Windows Services Monitoring
• Ghidra
o Startup Programs Monitoring
• x64dbg
o Event Logs Monitoring/Analysis
o Analyzing ELF Executable Files
o Installation Monitoring
o Analyzing Mach Object (Mach-O) Executable Files
o Files and Folders Monitoring
o Analyzing Malicious MS Office Documents
o Device Drivers Monitoring
• Finding Suspicious Components
o Network Traffic Monitoring/Analysis
• Finding Macro Streams
o DNS Monitoring/Resolution
• Dumping Macro Streams
o API Calls Monitoring
• Identifying Suspicious VBA Keywords
▪ Virus Detection Methods
▪ Trojan Analysis: Emotet
▪ Dynamic Malware Analysis
o Port Monitoring
o Emotet Malware Attack Phases
o Process Monitoring
• Infection Phase
o Registry Monitoring
• Maintaining Persistence Phase
o Windows Services Monitoring
• System Compromise Phase
o Startup Programs Monitoring
• Network Propagation Phase
o Event Logs Monitoring/Analysis
▪ Virus Analysis: SamSam Ransomware
o SamSam Ransomware Attack Stages
o Installation Monitoring
o Files and Folders Monitoring
▪ Fileless Malware Analysis: Astaroth Attack
o Device Drivers Monitoring
Countermeasures
o Network Traffic Monitoring/Analysis
▪ Trojan Countermeasures
o DNS Monitoring/Resolution
▪ Backdoor Countermeasures
o API Calls Monitoring
▪ Virus and Worm Countermeasures
o System Calls Monitoring
▪ Fileless Malware Countermeasures
▪ Virus Detection Methods
Anti-Malware Software
▪ Trojan Analysis: ElectroRAT
▪ Anti-Trojan Software
o ElectroRAT Malware Attack Phases
▪ Antivirus Software
• Initial propagation and Infection
▪ Fileless Malware Detection Tools
• Deploying Malware
▪ Fileless Malware Protection Tools
• Exploitation
• Maintaining Persistence
▪ Virus Analysis: REvil Ransomware
o REvil Ransomware Attack Stages
• Initial Access
• Download and Execution
• Exploitation
• Lateral Movement / Defense Evasion and Discovery
• Credential Access and Exfiltration / Command and Control
▪ Fileless Malware Analysis: SockDetour
o SockDetour Fileless Malware Attack Stages
• Pre-exploitation
• Initial infection
• Exploitation
• Post-exploitation
• Client Authentication and C2 Communication After Exploitation
• Plugin Loading Feature
Malware Countermeasures
▪ Trojan Countermeasures
▪ Backdoor Countermeasures
▪ Virus and Worm Countermeasures
▪ Fileless Malware Countermeasures
Anti-Malware Software
▪ Anti-Trojan Software
▪ Antivirus Software
▪ Fileless Malware Detection Tools
▪ Fileless Malware Protection Tools
Module 08: Sniffing
Module 08: Sniffing
Sniffing Concepts
Sniffing Concepts
▪ Network Sniffing
▪ Network Sniffing
▪ Types of Sniffing
▪ Types of Sniffing
▪ How an Attacker Hacks the Network Using Sniffers
▪ How an Attacker Hacks the Network Using Sniffers
▪ Protocols Vulnerable to Sniffing
▪ Protocols Vulnerable to Sniffing
▪ Sniffing in the Data Link Layer of the OSI Model
▪ Sniffing in the Data Link Layer of the OSI Model
▪ Hardware Protocol Analyzers
▪ Hardware Protocol Analyzers
▪ SPAN Port
▪ SPAN Port
▪ Wiretapping
▪ Wiretapping
▪ Lawful Interception
▪ Lawful Interception
Sniffing Technique: MAC Attacks
Sniffing Technique: MAC Attacks
▪ MAC Address/CAM Table
▪ MAC Address/CAM Table
▪ How CAM Works
▪ How CAM Works
▪ What Happens When a CAM Table Is Full?
▪ What Happens When a CAM Table Is Full?
▪ MAC Flooding
▪ MAC Flooding
▪ Switch Port Stealing
▪ Switch Port Stealing
▪ How to Defend against MAC Attacks
▪ How to Defend against MAC Attacks
Sniffing Technique: DHCP Attacks
Sniffing Technique: DHCP Attacks
▪ How DHCP Works
▪ How DHCP Works
▪ DHCP Request/Reply Messages
▪ DHCP Request/Reply Messages
▪ DHCP Starvation Attack
▪ DHCP Starvation Attack
▪ Rogue DHCP Server Attack
▪ Rogue DHCP Server Attack
▪ How to Defend Against DHCP Starvation and Rogue Server Attacks
▪ How to Defend Against DHCP Starvation and Rogue Server Attacks
Sniffing Technique: ARP Poisoning
o MAC Limiting Configuration on Juniper Switches
▪ What Is Address Resolution Protocol (ARP)?
o Configuring DHCP Filtering on a Switch
▪ ARP Spoofing Attack
Sniffing Technique: ARP Poisoning
▪ Threats of ARP Poisoning
▪ What Is Address Resolution Protocol (ARP)?
▪ ARP Poisoning Tools
▪ ARP Spoofing Attack
▪ How to Defend Against ARP Poisoning
▪ Threats of ARP Poisoning
▪ Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
▪ ARP Poisoning Tools
▪ ARP Spoofing Detection Tools
o Habu
Sniffing Technique: Spoofing Attacks
▪ How to Defend Against ARP Poisoning
▪ MAC Spoofing/Duplicating
▪ Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
▪ MAC Spoofing Technique: Windows
▪ ARP Spoofing Detection Tools
▪ MAC Spoofing Tools
Sniffing Technique: Spoofing Attacks
▪ IRDP Spoofing
▪ MAC Spoofing/Duplicating
▪ VLAN Hopping
▪ MAC Spoofing Technique: Windows
o Switch Spoofing
▪ MAC Spoofing Tools
o Double Tagging
▪ IRDP Spoofing
▪ STP Attack
▪ VLAN Hopping
▪ How to Defend Against MAC Spoofing
▪ STP Attack
▪ How to Defend Against VLAN Hopping
▪ How to Defend Against MAC Spoofing
▪ How to Defend Against STP Attacks
▪ How to Defend Against VLAN Hopping
Sniffing Technique: DNS Poisoning
▪ How to Defend Against STP Attacks
▪ DNS Poisoning Techniques
Sniffing Technique: DNS Poisoning
o Intranet DNS Spoofing
▪ DNS Poisoning Techniques
o Internet DNS Spoofing
o Intranet DNS Spoofing
o Proxy Server DNS Poisoning
o Internet DNS Spoofing
o DNS Cache Poisoning
o Proxy Server DNS Poisoning
▪ DNS Poisoning Tools
▪ How to Defend Against DNS Spoofing
o DNS Cache Poisoning
• SAD DNS Attack
Sniffing Tools
▪ DNS Poisoning Tools
▪ Sniffing Tool: Wireshark
▪ How to Defend Against DNS Spoofing
o Follow TCP Stream in Wireshark
Sniffing Tools
o Display Filters in Wireshark
▪ Sniffing Tool: Wireshark
o Additional Wireshark Filters
o Follow TCP Stream in Wireshark
▪ Sniffing Tools
o Display Filters in Wireshark
▪ Packet Sniffing Tools for Mobile Phones
o Additional Wireshark Filters
Countermeasures
▪ How to Defend Against Sniffing
▪ Sniffing Tools
o RITA (Real Intelligence Threat Analytics)
Sniffing Detection Techniques
▪ Packet Sniffing Tools for Mobile Phones
▪ How to Detect Sniffing
Sniffing Countermeasures
▪ Sniffer Detection Techniques
▪ How to Defend Against Sniffing
o Ping Method
▪ How to Detect Sniffing
o DNS Method
▪ Sniffer Detection Techniques
o ARP Method
▪ Promiscuous Detection Tools
o Ping Method
o DNS Method
o ARP Method
▪ Promiscuous Detection Tools
Module 09: Social Engineering
Module 09: Social Engineering
Social Engineering Concepts
Social Engineering Concepts
▪ What is Social Engineering?
▪ What is Social Engineering?
▪ Phases of a Social Engineering Attack
▪ Phases of a Social Engineering Attack
Social Engineering Techniques
Social Engineering Techniques
▪ Types of Social Engineering
▪ Types of Social Engineering
▪ Human-based Social Engineering
▪ Human-based Social Engineering
o Impersonation
o Impersonation
o Impersonation (Vishing)
o Impersonation (Vishing)
o Eavesdropping
o Eavesdropping
o Shoulder Surfing
o Shoulder Surfing
o Dumpster Diving
o Dumpster Diving
o Reverse Social Engineering
o Reverse Social Engineering
o Piggybacking
o Piggybacking
o Tailgating
o Tailgating
o Diversion Theft
o Diversion Theft
o Honey Trap
o Honey Trap
o Baiting
o Baiting
o Quid Pro Quo
o Quid Pro Quo
o Elicitation
o Elicitation
▪ Computer-based Social Engineering
o Phishing
▪ Computer-based Social Engineering
o Phishing
• Examples of Phishing Emails
• Examples of Phishing Emails
• Types of Phishing
• Types of Phishing
• Phishing Tools
✓ Spear Phishing
▪ Mobile-based Social Engineering
✓ Whaling
o Publishing Malicious Apps
✓ Pharming
o Repackaging Legitimate Apps
✓ Spimming
o Fake Security Applications
✓ Angler Phishing
o SMiShing (SMS Phishing)
✓ Catfishing Attack
Insider Threats
▪ Insider Threats/Insider Attacks
▪ Types of Insider Threats
✓ Deepfake Attacks
o Phishing Tools
▪ Mobile-based Social Engineering
▪ Behavioral Indications of an Insider Threat
o Publishing Malicious Apps
Impersonation on Social Networking Sites
o Repackaging Legitimate Apps
▪ Social Engineering through Impersonation on Social Networking Sites
o Fake Security Applications
▪ Impersonation on Facebook
o SMiShing (SMS Phishing)
▪ Social Networking Threats to Corporate Networks
Insider Threats
Identity Theft
▪ Insider Threats/Insider Attacks
▪ Identity Theft
▪ Types of Insider Threats
Countermeasures
o Accidental Insider
▪ Social Engineering Countermeasures
▪ Behavioral Indications of an Insider Threat
▪ Detecting Insider Threats
Impersonation on Social Networking Sites
▪ Insider Threats Countermeasures
▪ Social Engineering through Impersonation on Social Networking Sites
▪ Identity Theft Countermeasures
▪ Impersonation on Facebook
▪ How to Detect Phishing Emails?
▪ Social Networking Threats to Corporate Networks
▪ Anti-Phishing Toolbar
Identity Theft
▪ Common Social Engineering Targets and Defense Strategies
▪ Identity Theft
▪ Social Engineering Tools
Social Engineering Countermeasures
▪ Audit Organization's Security for Phishing Attacks using OhPhish
▪ Social Engineering Countermeasures
▪ How to Defend against Phishing Attacks?
▪ Detecting Insider Threats
▪ Insider Threats Countermeasures
▪ Identity Theft Countermeasures
▪ How to Detect Phishing Emails?
▪ Anti-Phishing Toolbar
▪ Common Social Engineering Targets and Defense Strategies
▪ Social Engineering Tools
▪ Audit Organization's Security for Phishing Attacks using OhPhish
Module 10: Denial-of-Service
Module 10: Denial-of-Service
DoS/DDoS Concepts
DoS/DDoS Concepts
▪ What is a DoS Attack?
▪ What is a DoS Attack?
▪ What is a DDoS Attack?
▪ What is a DDoS Attack?
DoS/DDoS Attack Techniques
Botnets
▪ Basic Categories of DoS/DDoS Attack Vectors
▪ Organized Cyber Crime: Organizational Chart
o Volumetric Attacks
▪ Botnets
• UDP Flood Attack
▪ A Typical Botnet Setup
• ICMP Flood Attack
▪ Botnet Ecosystem
• Ping of Death and Smurf Attacks
▪ Scanning Methods for Finding Vulnerable Machines
• Pulse Wave and Zero-Day DDoS Attacks
▪ How Does Malicious Code Propagate?
o Protocol Attacks
• SYN Flood Attack
• Fragmentation Attack
• Spoofed Session Flood Attack
o Application Layer Attacks
DoS/DDoS Attack Techniques
▪ Basic Categories of DoS/DDoS Attack Vectors
o Volumetric Attacks
• UDP Flood Attack
• ICMP Flood Attack
• HTTP GET/POST and Slowloris Attacks
• Ping of Death and Smurf Attacks
• UDP Application Layer Flood Attack
• Pulse Wave and Zero-Day DDoS Attacks
▪ Multi-Vector Attack
o Protocol Attacks
▪ Peer-to-Peer Attack
• SYN Flood Attack
▪ Permanent Denial-of-Service Attack
• Fragmentation Attack
▪ Distributed Reflection Denial-of-Service (DRDoS) Attack
• Spoofed Session Flood Attack
Botnets
o Application Layer Attacks
▪ Organized Cyber Crime: Organizational Chart
• HTTP GET/POST and Slowloris Attacks
▪ Botnets
• UDP Application Layer Flood Attack
▪ A Typical Botnet Setup
▪ Multi-Vector Attack
▪ Botnet Ecosystem
▪ Peer-to-Peer Attack
▪ Scanning Methods for Finding Vulnerable Machines
▪ Permanent Denial-of-Service Attack
▪ How Does Malicious Code Propagate?
▪ TCP SACK Panic
DDoS Case Study
▪ Distributed Reflection Denial-of-Service (DRDoS) Attack
▪ DDoS Attack
▪ DDoS Extortion/Ransom DDoS (RDDoS) Attack
▪ Hackers Advertise Links for Downloading Botnets
▪ DoS/DDoS Attack Tools
▪ Use of Mobile Devices as Botnets for Launching DDoS Attacks
▪ DoS and DDoS Attack Tools for Mobiles
▪ DDoS Case Study: DDoS Attack on GitHub
DDoS Case Study
DoS/DDoS Attack Tools
▪ DDoS Attack
▪ DoS/DDoS Attack Tools
▪ Hackers Advertise Links for Downloading Botnets
▪ DoS and DDoS Attack Tools for Mobiles
▪ Use of Mobile Devices as Botnets for Launching DDoS Attacks
Countermeasures
▪ DDoS Case Study: DDoS Attack on Microsoft Azure
▪ Detection Techniques
DoS/DDoS Attack Countermeasures
▪ DoS/DDoS Countermeasure Strategies
▪ Detection Techniques
▪ DDoS Attack Countermeasures
▪ DoS/DDoS Countermeasure Strategies
o Protect Secondary Victims
o Detect and Neutralize Handlers
▪ DDoS Attack Countermeasures
o Protect Secondary Victims
o Prevent Potential Attacks
o Detect and Neutralize Handlers
o Deflect Attacks
o Prevent Potential Attacks
o Mitigate Attacks
o Deflect Attacks
o Post-Attack Forensics
o Mitigate Attacks
▪ Techniques to Defend against Botnets
o Post-Attack Forensics
▪ Additional DoS/DDoS Countermeasures
▪ Techniques to Defend against Botnets
▪ DoS/DDoS Protection at ISP Level
▪ Additional DoS/DDoS Countermeasures
▪ Enabling TCP Intercept on Cisco IOS Software
▪ DoS/DDoS Protection at ISP Level
DoS/DDoS Protection Tools
▪ Enabling TCP Intercept on Cisco IOS Software
▪ Advanced DDoS Protection Appliances
▪ Advanced DDoS Protection Appliances
▪ DoS/DDoS Protection Tools
▪ DoS/DDoS Protection Tools
▪ DoS/DDoS Protection Services
▪ DoS/DDoS Protection Services
Module 11: Session Hijacking
Module 11: Session Hijacking
Session Hijacking Concepts
Session Hijacking Concepts
▪ What is Session Hijacking?
▪ What is Session Hijacking?
▪ Why is Session Hijacking Successful?
▪ Why is Session Hijacking Successful?
▪ Session Hijacking Process
▪ Session Hijacking Process
▪ Packet Analysis of a Local Session Hijack
▪ Packet Analysis of a Local Session Hijack
▪ Types of Session Hijacking
▪ Types of Session Hijacking
▪ Session Hijacking in OSI Model
▪ Session Hijacking in OSI Model
▪ Spoofing vs. Hijacking
▪ Spoofing vs. Hijacking
Application-Level Session Hijacking
Application-Level Session Hijacking
▪ Application-Level Session Hijacking
▪ Application-Level Session Hijacking
▪ Compromising Session IDs using Sniffing and by Predicting Session Token
▪ Compromising Session IDs using Sniffing and by Predicting Session Token
o How to Predict a Session Token
o How to Predict a Session Token
▪ Compromising Session IDs Using Man-in-the-Middle Attack
▪ Compromising Session IDs Using Man-in-the-Middle/Manipulator-in-the-Middle Attack
▪ Compromising Session IDs Using Man-in-the-Browser Attack
▪ Compromising Session IDs Using Man-in-the-Browser/Manipulator-in-the-Browser Attack
o Steps to Perform Man-in-the-Browser Attack
o Steps to Perform Man-in-the-Browser Attack
▪ Compromising Session IDs Using Client-side Attacks
▪ Compromising Session IDs Using Client-side Attacks
▪ Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack
▪ Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack
▪ Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack
▪ Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack
▪ Compromising Session IDs Using Session Replay Attacks
▪ Compromising Session IDs Using Session Replay Attacks
▪ Compromising Session IDs Using Session Fixation
▪ Compromising Session IDs Using Session Fixation
▪ Session Hijacking Using Proxy Servers
▪ Session Hijacking Using Proxy Servers
▪ Session Hijacking Using CRIME Attack
▪ Session Hijacking Using CRIME Attack
▪ Session Hijacking Using Forbidden Attack
▪ Session Hijacking Using Forbidden Attack
▪ Session Hijacking Using Session Donation Attack
▪ Session Hijacking Using Session Donation Attack
Network Level Session Hijacking
▪ PetitPotam Hijacking
▪ Network Level Session Hijacking
Network-Level Session Hijacking
▪ TCP/IP Hijacking
▪ Network Level Session Hijacking
▪ IP Spoofing: Source Routed Packets
▪ TCP/IP Hijacking
▪ RST Hijacking
▪ IP Spoofing: Source Routed Packets
▪ Blind Hijacking
▪ RST Hijacking
▪ UDP Hijacking
▪ Blind and UDP Hijacking
▪ MiTM Attack Using Forged ICMP and ARP Spoofing
▪ MiTM Attack Using Forged ICMP and ARP Spoofing
Session Hijacking Tools
Session Hijacking Tools
▪ Session Hijacking Tools
▪ Session Hijacking Tools
▪ Session Hijacking Tools for Mobile Phones
o Hetty
Countermeasures
▪ Session Hijacking Tools for Mobile Phones
▪ Session Hijacking Detection Methods
Session Hijacking Countermeasures
▪ Protecting against Session Hijacking
▪ Session Hijacking Detection Methods
▪ Web Development Guidelines to Prevent Session Hijacking
▪ Protecting against Session Hijacking
▪ Web User Guidelines to Prevent Session Hijacking
▪ Web Development Guidelines to Prevent Session Hijacking
▪ Session Hijacking Detection Tools
▪ Web User Guidelines to Prevent Session Hijacking
▪ Approaches Causing Vulnerability to Session Hijacking and their Preventative Solutions
▪ Session Hijacking Detection Tools
▪ Approaches to Prevent Session Hijacking
▪ Approaches Causing Vulnerability to Session Hijacking and their Preventative Solutions
▪ Approaches to Prevent MITM Attacks
▪ Approaches to Prevent Session Hijacking
▪ IPSec
o IPsec Authentication and Confidentiality
▪ Session Hijacking Prevention Tools
o HTTP Referrer Header
▪ Approaches to Prevent MITM Attacks
o DNS over HTTPS
o Password Manager
o Zero-trust Principles
▪ IPsec
o IPsec Authentication and Confidentiality
▪ Session Hijacking Prevention Tools
Module 12: Evading IDS, Firewalls, and Honeypots
Module 12: Evading IDS, Firewalls, and Honeypots
IDS, IPS, Firewall, and Honeypot Concepts
IDS, IPS, Firewall, and Honeypot Concepts
▪ Intrusion Detection System (IDS)
▪ Intrusion Detection System (IDS)
o How an IDS Detects an Intrusion?
o How an IDS Detects an Intrusion?
o General Indications of Intrusions
o General Indications of Intrusions
o Types of Intrusion Detection Systems
o Types of Intrusion Detection Systems
o Types of IDS Alerts
o Types of IDS Alerts
▪ Intrusion Prevention System (IPS)
▪ Intrusion Prevention System (IPS)
▪ Firewall
▪ Firewall
o Firewall Architecture
o Firewall Architecture
o Demilitarized Zone (DMZ)
o Demilitarized Zone (DMZ)
o Types of Firewalls
o Types of Firewalls
o Firewall Technologies
o Firewall Technologies
• Packet Filtering Firewall
• Packet Filtering Firewall
• Circuit-Level Gateway Firewall
• Circuit-Level Gateway Firewall
• Application-Level Firewall
• Application-Level Firewall
• Stateful Multilayer Inspection Firewall
• Stateful Multilayer Inspection Firewall
• Application Proxy
• Application Proxy
• Network Address Translation (NAT)
• Network Address Translation (NAT)
• Virtual Private Network
• Virtual Private Network
o Firewall Limitations
▪ Honeypot
o Types of Honeypots
o Firewall Limitations
▪ Honeypot
o Types of Honeypots
IDS, IPS, Firewall, and Honeypot Solutions
IDS, IPS, Firewall, and Honeypot Solutions
▪ Intrusion Detection Tools
▪ Intrusion Detection using YARA Rules
o Snort
• Snort Rules
▪ Intrusion Detection Tools
o Snort
• Snort Rules: Rule Actions and IP Protocols
• Snort Rules
• Snort Rules: The Direction Operator and IP Addresses
• Snort Rules: Rule Actions and IP Protocols
• Snort Rules: Port Numbers
• Snort Rules: The Direction Operator and IP Addresses
o Intrusion Detection Tools
• Snort Rules: Port Numbers
o Intrusion Detection Tools for Mobile Devices
• Intrusion Detection Tools
▪ Intrusion Prevention Tools
▪ Firewalls
o Firewalls for Mobile Devices
▪ Honeypot Tools
o Intrusion Detection Tools for Mobile Devices
▪ Intrusion Prevention Tools
▪ Firewalls
o Firewalls for Mobile Devices
Evading IDS
▪ Honeypot Tools
▪ IDS Evasion Techniques
Evading IDS
o Insertion Attack
▪ IDS Evasion Techniques
o Evasion
o Insertion Attack
o Denial-of-Service Attack (DoS)
o Evasion
o Obfuscating
o Denial-of-Service Attack (DoS)
o False Positive Generation
o Obfuscating
o Session Splicing
o False Positive Generation
o Unicode Evasion Technique
o Session Splicing
o Fragmentation Attack
o Unicode Evasion Technique
o Overlapping Fragments
o Fragmentation Attack
o Time-To-Live Attacks
o Overlapping Fragments
o Invalid RST Packets
o Time-To-Live Attacks
o Urgency Flag
o Invalid RST Packets
o Polymorphic Shellcode
o Urgency Flag
o ASCII Shellcode
o Polymorphic Shellcode
o Application-Layer Attacks
o ASCII Shellcode
o Desynchronization
o Application-Layer Attacks
o Other Types of Evasion
o Desynchronization
Evading Firewalls
▪ Firewall Evasion Techniques
o Firewall Identification
o Other Types of Evasion
Evading Firewalls
▪ Firewall Evasion Techniques
o IP Address Spoofing
o Firewall Identification
o Source Routing
o IP Address Spoofing
o Tiny Fragments
o Source Routing
o Bypass Blocked Sites Using an IP Address in
Place of a URL
o Tiny Fragments
o Bypass Blocked Sites Using Anonymous
Website Surfing Sites
o Bypass Blocked Sites Using an IP Address in
Place of a URL
o Bypass a Firewall Using a Proxy Server
o Bypass Blocked Sites Using Anonymous
Website Surfing Sites
o Bypassing Firewalls through the ICMP
Tunneling Method
o Bypass a Firewall Using a Proxy Server
o Bypassing Firewalls through the ACK Tunneling
Method
o Bypassing Firewalls through the ICMP
Tunneling Method
o Bypassing Firewalls through the HTTP
Tunneling Method
o Bypassing Firewalls through the ACK Tunneling
Method
• Why do I Need HTTP Tunneling?
• HTTP Tunneling Tools
Page | 31
o Bypassing Firewalls through the HTTP
Tunneling Method
• Why do I Need HTTP Tunneling?
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Version Change Document
o Bypassing Firewalls through the SSH Tunneling
Method
Exam 312-50 Certified Ethical Hacker
• HTTP Tunneling Tools
• SSH Tunneling Tools: Bitvise and Secure
Pipes
o Bypassing Firewalls through the SSH Tunneling
Method
o Bypassing Firewalls through the DNS Tunneling
Method
• SSH Tunneling Tools: Bitvise and Secure
Pipes
o Bypassing Firewalls through External Systems
o Bypassing Firewalls through the DNS Tunneling
Method
o Bypassing Firewalls through MITM Attacks
o Bypassing Firewalls through External Systems
o Bypassing Firewalls through Content
o Bypassing Firewalls through MITM Attacks
o Bypassing the WAF using an XSS Attack
o Bypassing Firewalls through Content
IDS/Firewall Evading Tools
IDS/Firewall Evading Tools
Packet Fragment Generator Tools
o Bypassing the WAF using an XSS Attack
o Other Techniques for Bypassing WAF
• Using HTTP Header Spoofing
Detecting Honeypots
• Using Blacklist Detection
▪ Detecting Honeypots
• Using Fuzzing/Bruteforcing
o Detecting and Defeating Honeypots
• Abusing SSL/TLS ciphers
▪ Honeypot Detection Tools: Send-Safe Honeypot
Hunter
o Bypassing Firewalls through HTML Smuggling
IDS/Firewall Evasion Countermeasures
o Bypassing Firewalls through Windows BITS
▪ How to Defend Against IDS Evasion
Evading NAC and Endpoint Security
▪ How to Defend Against Firewall Evasion
▪ Bypassing NAC using VLAN Hopping
▪ Bypassing NAC using Pre-authenticated Device
▪ Bypassing Endpoint Security using Ghostwriting
▪ Bypassing Endpoint Security using Application
Whitelisting
▪ Bypassing Endpoint Security using XLM
Weaponization
▪ Bypassing Endpoint Security by Dechaining
Macros
▪ Bypassing Endpoint Security by Clearing Memory
Hooks
▪ Bypassing Antivirus using Metasploit Templates
▪ Bypassing Symantec Endpoint Protection
▪ Other Techniques for Bypassing Endpoint Security
o Hosting Phishing Sites
o Passing Encoded Commands
o Fast Flux DNS Method
o Timing-based Evasion
o Signed Binary Proxy Execution
Page | 32
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Version Change Document
Exam 312-50 Certified Ethical Hacker
IDS/Firewall Evading Tools
▪ IDS/Firewall Evading Tools
▪ Packet Fragment Generator Tools
Detecting Honeypots
▪ Detecting Honeypots
o Detecting and Defeating Honeypots
▪ Honeypot Detection Tools: Send-Safe Honeypot
Hunter
IDS/Firewall Evasion Countermeasures
▪ How to Defend Against IDS Evasion
▪ How to Defend Against Firewall Evasion
Module 13: Hacking Web Servers

CEHv11
Web Server Concepts
  ▪ Web Server Operations
  ▪ Web Server Security Issues
  ▪ Why are Web Servers Compromised?
Web Server Attacks
  ▪ DoS/DDoS Attacks
  ▪ DNS Server Hijacking
  ▪ DNS Amplification Attack
  ▪ Directory Traversal Attacks
  ▪ Man-in-the-Middle/Sniffing Attack
  ▪ Phishing Attacks
  ▪ Website Defacement
  ▪ Web Server Misconfiguration
  ▪ HTTP Response-Splitting Attack
  ▪ Web Cache Poisoning Attack
  ▪ SSH Brute Force Attack
  ▪ Web Server Password Cracking
  ▪ Server-Side Request Forgery (SSRF) Attack
  ▪ Web Application Attacks
Web Server Attack Methodology
  ▪ Information Gathering
    o Information Gathering from Robots.txt File
  ▪ Web Server Footprinting/Banner Grabbing
    o Web Server Footprinting Tools
    o Enumerating Web Server Information Using Nmap
  ▪ Website Mirroring
    o Finding Default Credentials of Web Server
    o Finding Default Content of Web Server
    o Finding Directory Listings of Web Server
  ▪ Vulnerability Scanning
    o Finding Exploitable Vulnerabilities
  ▪ Session Hijacking
  ▪ Web Server Password Hacking
  ▪ Using Application Server as a Proxy
Web Server Attack Tools
  ▪ Metasploit
    o Metasploit Exploit Module
    o Metasploit Payload and Auxiliary Modules
    o Metasploit NOPS Module
  ▪ Web Server Attack Tools
Countermeasures
  ▪ Place Web Servers in Separate Secure Server Security Segment on Network
  ▪ Countermeasures
    o Patches and Updates
    o Protocols and Accounts
    o Files and Directories
  ▪ Detecting Web Server Hacking Attempts
  ▪ How to Defend Against Web Server Attacks
  ▪ How to Defend against HTTP Response-Splitting and Web Cache Poisoning
  ▪ How to Defend against DNS Hijacking
Patch Management
  ▪ Patches and Hotfixes
  ▪ What is Patch Management?
  ▪ Installation of a Patch
  ▪ Patch Management Tools
Web Server Security Tools
  ▪ Web Application Security Scanners
  ▪ Web Server Security Scanners
  ▪ Web Server Malware Infection Monitoring Tools
  ▪ Web Server Security Tools
  ▪ Web Server Pen Testing Tools

CEHv12
Web Server Concepts
  ▪ Web Server Operations
  ▪ Web Server Security Issues
  ▪ Why are Web Servers Compromised?
Web Server Attacks
  ▪ DNS Server Hijacking
  ▪ DNS Amplification Attack
  ▪ Directory Traversal Attacks
  ▪ Website Defacement
  ▪ Web Server Misconfiguration
  ▪ HTTP Response-Splitting Attack
  ▪ Web Cache Poisoning Attack
  ▪ SSH Brute Force Attack
    o Web Server Password Cracking
  ▪ Other Web Server Attacks
    o DoS/DDoS Attacks
    o Man-in-the-Middle Attack
    o Phishing Attacks
    o Web Application Attacks
Web Server Attack Methodology
  ▪ Information Gathering
    o Information Gathering from Robots.txt File
  ▪ Web Server Footprinting/Banner Grabbing
    o Web Server Footprinting Tools
    o Enumerating Web Server Information Using Nmap
  ▪ Website Mirroring
    o Finding Default Credentials of Web Server
    o Finding Default Content of Web Server
    o Finding Directory Listings of Web Server
      • Dirhunt
  ▪ Vulnerability Scanning
    o Finding Exploitable Vulnerabilities
  ▪ Session Hijacking
  ▪ Web Server Password Hacking
  ▪ Using Application Server as a Proxy
  ▪ Web Server Attack Tools
    o Metasploit
      • Metasploit Exploit Module
      • Metasploit Payload and Auxiliary Modules
      • Metasploit NOPS Module
    o Web Server Attack Tools
Web Server Attack Countermeasures
  ▪ Place Web Servers in Separate Secure Server Security Segment on Network
  ▪ Countermeasures
    o Patches and Updates
    o Protocols and Accounts
    o Files and Directories
  ▪ Detecting Web Server Hacking Attempts
  ▪ How to Defend Against Web Server Attacks
  ▪ How to Defend against HTTP Response-Splitting and Web Cache Poisoning
  ▪ How to Defend against DNS Hijacking
  ▪ Web Server Security Tools
    o Web Application Security Scanners
    o Web Server Security Scanners
    o Web Server Malware Infection Monitoring Tools
    o Web Server Security Tools
    o Web Server Pen Testing Tools
Patch Management
  ▪ Patches and Hotfixes
  ▪ What is Patch Management?
  ▪ Installation of a Patch
  ▪ Patch Management Tools
Module 14: Hacking Web Applications

CEHv11
Web Application Concepts
  ▪ Introduction to Web Applications
  ▪ Web Application Architecture
  ▪ Web Services
  ▪ Vulnerability Stack
Web Application Threats
  ▪ OWASP Top 10 Application Security Risks – 2017
    o A1 - Injection Flaws
      • SQL Injection Attacks
      • Command Injection Attacks
        ✓ Command Injection Example
      • File Injection Attack
      • LDAP Injection Attacks
      • Other Injection Attacks
        ✓ Server-Side JS Injection
        ✓ Server-Side Include Injection
        ✓ Server-Side Template Injection
        ✓ Log Injection
        ✓ HTML Injection
        ✓ CRLF Injection
    o A2 - Broken Authentication
    o A3 - Sensitive Data Exposure
    o A4 - XML External Entity (XXE)
    o A5 - Broken Access Control
    o A6 - Security Misconfiguration
    o A7 - Cross-Site Scripting (XSS) Attacks
      • Cross-Site Scripting Attack Scenario: Attack via Email
      • XSS Attack in Blog Posting
      • XSS Attack in Comment Field
    o A8 - Insecure Deserialization
    o A9 - Using Components with Known Vulnerabilities
    o A10 - Insufficient Logging and Monitoring
  ▪ Other Web Application Threats
    o Directory Traversal
    o Unvalidated Redirects and Forwards
    o Watering Hole Attack
    o Cross-Site Request Forgery (CSRF) Attack
    o Cookie/Session Poisoning
    o Web Service Attack
    o Web Service Footprinting Attack
    o Web Service XML Poisoning
    o Hidden Field Manipulation Attack
    o Web-based Timing Attacks
    o MarioNet Attack
    o Clickjacking Attack
    o DNS Rebinding Attack
Web Application Hacking Methodology
  ▪ Web Application Hacking Methodology
  ▪ Footprint Web Infrastructure
    o Server Discovery
    o Service Discovery
    o Server Identification/Banner Grabbing
    o Detecting Web App Firewalls and Proxies on Target Site
    o Hidden Content Discovery
    o Detect Load Balancers
  ▪ Analyze Web Applications
    o Identify Entry Points for User Input
    o Identify Server-Side Technologies
    o Identify Server-Side Functionality
    o Identify Files and Directories
    o Identify Web Application Vulnerabilities
    o Map the Attack Surface
  ▪ Bypass Client-side Controls
    o Attack Hidden Form Fields
    o Attack Browser Extensions
    o Perform Source Code Review
    o Evade XSS Filters
  ▪ Attack Authentication Mechanism
    o Design and Implementation Flaws in Authentication Mechanism
    o Username Enumeration
    o Password Attacks: Password Functionality Exploits
    o Password Attacks: Password Guessing and Brute-forcing
    o Password Attacks: Attack Password Reset Mechanism
    o Session Attacks: Session ID Prediction/Bruteforcing
    o Cookie Exploitation: Cookie Poisoning
    o Bypass Authentication: Bypass SAML-based SSO
  ▪ Attack Authorization Schemes
    o Authorization Attack: HTTP Request Tampering
    o Authorization Attack: Cookie Parameter Tampering
  ▪ Attack Access Controls
  ▪ Attack Session Management Mechanism
    o Attacking Session Token Generation Mechanism
    o Attacking Session Tokens Handling Mechanism: Session Token Sniffing
  ▪ Perform Injection/Input Validation Attacks
    o Perform Local File Inclusion (LFI)
  ▪ Attack Application Logic Flaws
  ▪ Attack Shared Environments
  ▪ Attack Database Connectivity
    o Connection String Injection
    o Connection String Parameter Pollution (CSPP) Attacks
    o Connection Pool DoS
  ▪ Attack Web Application Client
  ▪ Attack Web Services
    o Web Services Probing Attacks
    o Web Service Attacks: SOAP Injection
    o Web Service Attacks: SOAPAction Spoofing
    o Web Service Attacks: WS-Address Spoofing
    o Web Service Attacks: XML Injection
    o Web Services Parsing Attacks
    o Web Service Attack Tools
  ▪ Additional Web Application Hacking Tools
Web API, Webhooks, and Web Shell
  ▪ What is Web API?
    o Web Services APIs
  ▪ What are Webhooks?
    o Webhooks Vs. APIs
  ▪ OWASP Top 10 API Security Risks
  ▪ API Vulnerabilities
  ▪ Web API Hacking Methodology
    o Identify the Target
    o Detect Security Standards
    o Identify the Attack Surface
    o Launch Attacks
      • Fuzzing
      • Invalid Input Attacks
      • Malicious Input Attacks
      • Injection Attacks
      • Exploiting Insecure Configurations
        ✓ Insecure SSL Configuration
        ✓ Insecure Direct Object References (IDOR)
        ✓ Insecure Session/Authentication Handling
      • Login/Credential Stuffing Attacks
      • API DDoS Attacks
      • Authorization Attacks on API: OAuth Attacks
      • Other Techniques to Hack an API
        ✓ Reverse Engineering
        ✓ User Spoofing
        ✓ Man-in-the-Middle Attack
        ✓ Session Replay Attack
        ✓ Social Engineering
    o REST API Vulnerability Scanning
    o Bypassing IDOR via Parameter Pollution
  ▪ Web Shells
    o Web Shell Tools
  ▪ Gaining Backdoor Access via Web Shell
  ▪ How to Prevent Installation of a Web Shell
  ▪ Web Shell Detection Tools
  ▪ Secure API Architecture
  ▪ API Security Risks and Solutions
  ▪ Best Practices for API Security
  ▪ Best Practices for Securing Webhooks
Web Application Security
  ▪ Web Application Security Testing
    o Manual Web App Security Assessment
    o Automated Web App Security Assessment
    o Static Application Security Testing (SAST)
    o Dynamic Application Security Testing (DAST)
  ▪ Web Application Fuzz Testing
  ▪ Source Code Review
  ▪ Encoding Schemes
  ▪ Whitelisting vs. Blacklisting Applications
    o Application Whitelisting and Blacklisting Tools
  ▪ How to Defend Against Injection Attacks
  ▪ Web Application Attack Countermeasures
  ▪ How to Defend Against Web Application Attacks
  ▪ RASP for Protecting Web Servers
  ▪ Bug Bounty Programs
  ▪ Web Application Security Testing Tools
  ▪ Web Application Firewalls

CEHv12
Web Application Concepts
  ▪ Introduction to Web Applications
  ▪ Web Application Architecture
  ▪ Web Services
  ▪ Vulnerability Stack
Web Application Threats
  ▪ OWASP Top 10 Application Security Risks - 2021
    o A01 - Broken Access Control
    o A02 - Cryptographic Failures/Sensitive Data Exposure
    o A03 - Injection Flaws
      • SQL Injection Attacks
      • Command Injection Attacks
      • Command Injection Example
      • File Injection Attack
      • LDAP Injection Attacks
      • Other Injection Attacks
        ✓ JNDI Injection
      • Cross-Site Scripting (XSS) Attacks
        ✓ Cross-Site Scripting Attack Scenario: Attack via Email
        ✓ XSS Attack in Blog Posting
        ✓ XSS Attack in Comment Field
    o A04 - Insecure Design
    o A05 - Security Misconfiguration
      • XML External Entity (XXE)
    o A06 - Vulnerable and Outdated Components/Using Components with Known Vulnerabilities
    o A07 - Identification and Authentication Failures/Broken Authentication
    o A08 - Software and Data Integrity Failures
      • Insecure Deserialization
    o A09 - Security Logging and Monitoring Failures/Insufficient Logging and Monitoring
    o A10 - Server-Side Request Forgery (SSRF)
      • Types of Server-Side Request Forgery (SSRF) Attack
        ✓ Injecting SSRF payload
        ✓ Cross-Site Port Attack (XSPA)
  ▪ Other Web Application Threats
    o Directory Traversal
    o Unvalidated Redirects and Forwards
      • Open Redirection
      • Header-Based Open Redirection
      • JavaScript-Based Open Redirection
    o Watering Hole Attack
    o Cross-Site Request Forgery (CSRF) Attack
    o Cookie/Session Poisoning
    o Web Service Attack
    o Web Service Footprinting Attack
    o Web Service XML Poisoning
    o Hidden Field Manipulation Attack
    o Web-based Timing Attacks
    o MarioNet Attack
    o Clickjacking Attack
    o DNS Rebinding Attack
    o Same-Site Attack
    o Pass-the-cookie Attack
Web Application Hacking Methodology
  ▪ Web Application Hacking Methodology
  ▪ Footprint Web Infrastructure
    o Server Discovery
    o Service Discovery
    o Server Identification/Banner Grabbing
    o Detecting Web App Firewalls and Proxies on Target Site
    o Hidden Content Discovery
    o Detect Load Balancers
  ▪ Analyze Web Applications
    o Identify Entry Points for User Input
    o Identify Server-Side Technologies
    o Identify Server-Side Functionality
    o Identify Files and Directories
    o Identify Web Application Vulnerabilities
    o Map the Attack Surface
  ▪ Bypass Client-side Controls
    o Attack Hidden Form Fields
    o Attack Browser Extensions
      • Attack Google Chrome Browser Extensions
    o Perform Source Code Review
    o Evade XSS Filters
  ▪ Attack Authentication Mechanism
    o Design and Implementation Flaws in Authentication Mechanism
    o Username Enumeration
    o Password Attacks: Password Functionality Exploits
    o Password Attacks: Password Guessing and Brute-forcing
    o Password Attacks: Attack Password Reset Mechanism
    o Session Attacks: Session ID Prediction/Bruteforcing
    o Cookie Exploitation: Cookie Poisoning
    o Bypass Authentication: Bypass SAML-based SSO
  ▪ Attack Authorization Schemes
    o Authorization Attack: HTTP Request Tampering
    o Authorization Attack: Cookie Parameter Tampering
  ▪ Attack Access Controls
  ▪ Attack Session Management Mechanism
    o Attacking Session Token Generation Mechanism
    o Attacking Session Tokens Handling Mechanism: Session Token Sniffing
  ▪ Perform Injection/Input Validation Attacks
    o Perform Local File Inclusion (LFI)
  ▪ Attack Application Logic Flaws
  ▪ Attack Shared Environments
  ▪ Attack Database Connectivity
    o Connection String Injection
    o Connection String Parameter Pollution (CS
PP) Attacks
    o Connection Pool DoS
  ▪ Attack Web Application Client
  ▪ Attack Web Services
    o Web Services Probing Attacks
    o Web Service Attacks: SOAP Injection
    o Web Service Attacks: SOAPAction Spoofing
    o Web Service Attacks: WS-Address Spoofing
    o Web Service Attacks: XML Injection
    o Web Services Parsing Attacks
    o Web Service Attack Tools
  ▪ Additional Web Application Hacking Tools
    o TIDoS-Framework
Web API, Webhooks, and Web Shell
  ▪ What is Web API?
  ▪ What are Webhooks?
  ▪ OWASP Top 10 API Security Risks
  ▪ API Vulnerabilities
  ▪ Web API Hacking Methodology
    o Identify the Target
    o Detect Security Standards
    o Identify the Attack Surface
    o Web Services APIs
      • Analyze Web API Requests and Responses
    o Launch Attacks
      • Fuzzing and Invalid Input Attacks
      • Malicious Input Attacks
      • Injection Attacks
      • Exploiting Insecure Configurations
      • Login/Credential Stuffing Attacks
      • API DDoS Attacks
      • Authorization Attacks on API: OAuth Attacks
        ✓ SSRF using Dynamic Client Registration endpoint
        ✓ WebFinger User Enumeration
        ✓ Exploit Flawed Scope Validation
      • Other Techniques to Hack an API
    o REST API Vulnerability Scanning
    o Bypassing IDOR via Parameter Pollution
  ▪ Web Shells
    o Web Shell Tools
  ▪ How to Prevent Installation of a Web Shell
  ▪ Web Shell Detection Tools
  ▪ Secure API Architecture
    o Implementing Layered Security in an API
  ▪ API Security Risks and Solutions
  ▪ Best Practices for API Security
  ▪ Best Practices for Securing Webhooks
Web Application Security
  ▪ Web Application Security Testing
  ▪ Web Application Fuzz Testing
  ▪ Source Code Review
  ▪ Encoding Schemes
  ▪ Whitelisting vs. Blacklisting Applications
    o Application Whitelisting and Blacklisting Tools
  ▪ How to Defend Against Injection Attacks
  ▪ Web Application Attack Countermeasures
  ▪ How to Defend Against Web Application Attacks
  ▪ RASP for Protecting Web Servers
  ▪ Bug Bounty Programs
  ▪ Web Application Security Testing Tools
  ▪ Web Application Firewalls
Module 15: SQL Injection

CEHv11
SQL Injection Concepts
  ▪ What is SQL Injection?
  ▪ SQL Injection and Server-side Technologies
  ▪ Understanding HTTP POST Request
  ▪ Understanding Normal SQL Query
  ▪ Understanding an SQL Injection Query
  ▪ Understanding an SQL Injection Query – Code Analysis
  ▪ Example of a Web Application Vulnerable to SQL Injection: BadProductList.aspx
  ▪ Example of a Web Application Vulnerable to SQL Injection: Attack Analysis
  ▪ Examples of SQL Injection
Types of SQL Injection
  ▪ Types of SQL injection
    o In-Band SQL Injection
      • Error Based SQL Injection
      • Union SQL Injection
    o Blind/Inferential SQL Injection
      • Blind SQL Injection: No Error Message Returned
      • Blind SQL Injection: WAITFOR DELAY (YES or NO Response)
      • Blind SQL Injection: Boolean Exploitation and Heavy Query
    o Out-of-Band SQL injection
SQL Injection Methodology
  ▪ Information Gathering and SQL Injection Vulnerability Detection
    o Information Gathering
    o Identifying Data Entry Paths
    o Extracting Information through Error Messages
    o SQL Injection Vulnerability Detection: Testing for SQL Injection
    o Additional Methods to Detect SQL Injection
    o SQL Injection Black Box Pen Testing
    o Source Code Review to Detect SQL Injection Vulnerabilities
    o Testing for Blind SQL Injection Vulnerability in MySQL and MSSQL
  ▪ Launch SQL Injection Attacks
    o Perform Union SQL Injection
    o Perform Error Based SQL Injection
    o Perform Error Based SQL Injection using Stored Procedure Injection
    o Bypass Website Logins Using SQL Injection
    o Perform Blind SQL Injection – Exploitation (MySQL)
    o Blind SQL Injection - Extract Database User
    o Blind SQL Injection - Extract Database Name
    o Blind SQL Injection - Extract Column Name
    o Blind SQL Injection - Extract Data from ROWS
    o Perform Double Blind SQL Injection – Classical Exploitation (MySQL)
    o Perform Blind SQL Injection Using Out-of-Band Exploitation Technique
    o Exploiting Second-Order SQL Injection
    o Bypass Firewall using SQL Injection
    o Perform SQL Injection to Insert a New User and Update Password
    o Exporting a Value with Regular Expression Attack
  ▪ Advanced SQL Injection
    o Database, Table, and Column Enumeration
    o Advanced Enumeration
    o Features of Different DBMSs
    o Creating Database Accounts
    o Password Grabbing
    o Grabbing SQL Server Hashes
    o Transfer Database to Attacker's Machine
    o Interacting with the Operating System
    o Interacting with the File System
    o Network Reconnaissance Using SQL Injection
    o Network Reconnaissance Full Query
    o Finding and Bypassing Admin Panel of a Website
    o PL/SQL Exploitation
    o Creating Server Backdoors using SQL Injection
    o HTTP Header-Based SQL Injection
    o DNS Exfiltration using SQL Injection
    o Case Study: SQL Injection Attack and Defense
SQL Injection Tools
  ▪ SQL Injection Tools
  ▪ SQL Injection Tools for Mobile Devices
Evasion Techniques
  ▪ Evading IDS
  ▪ Types of Signature Evasion Techniques
    o In-line Comment
    o Char Encoding
    o String Concatenation
    o Obfuscated Codes
    o Manipulating White Spaces
    o Hex Encoding
    o Sophisticated Matches
    o URL Encoding
    o Null Byte
    o Case Variation
    o Declare Variables
    o IP Fragmentation
    o Variations
Countermeasures
  ▪ How to Defend Against SQL Injection Attacks
    o Use Type-Safe SQL Parameters
    o Defenses in the Application
  ▪ Detecting SQL Injection Attacks
  ▪ SQL Injection Detection Tools
    o OWASP ZAP and Damn Small SQLi Scanner (DSSS)
    o Snort
    o SQL Injection Detection Tools

CEHv12
SQL Injection Concepts
  ▪ What is SQL Injection?
  ▪ SQL Injection and Server-side Technologies
  ▪ Understanding HTTP POST Request
  ▪ Understanding Normal SQL Query
  ▪ Understanding an SQL Injection Query
  ▪ Understanding an SQL Injection Query – Code Analysis
  ▪ Example of a Web Application Vulnerable to SQL Injection: BadProductList.aspx
  ▪ Example of a Web Application Vulnerable to SQL Injection: Attack Analysis
  ▪ Examples of SQL Injection
Types of SQL Injection
  ▪ Types of SQL injection
    o In-Band SQL Injection
      • Error Based SQL Injection
      • Union SQL Injection
    o Blind/Inferential SQL Injection
      • Blind SQL Injection: No Error Message Returned
      • Blind SQL Injection: WAITFOR DELAY (YES or NO Response)
      • Blind SQL Injection: Boolean Exploitation and Heavy Query
    o Out-of-Band SQL injection
SQL Injection Methodology
  ▪ Information Gathering and SQL Injection Vulnerability Detection
    o Information Gathering
    o Identifying Data Entry Paths
    o Extracting Information through Error Messages
    o SQL Injection Vulnerability Detection: Testing for SQL Injection
    o Additional Methods to Detect SQL Injection
    o SQL Injection Black Box Pen Testing
    o Source Code Review to Detect SQL Injection Vulnerabilities
    o Testing for Blind SQL Injection Vulnerability in MySQL and MSSQL
  ▪ Launch SQL Injection Attacks
    o Perform Union SQL Injection
    o Perform Error Based SQL Injection
    o Perform Error Based SQL Injection using Stored Procedure Injection
    o Bypass Website Logins Using SQL Injection
    o Perform Blind SQL Injection – Exploitation (MySQL)
    o Blind SQL Injection - Extract Database User
    o Blind SQL Injection - Extract Database Name
    o Blind SQL Injection - Extract Column Name
    o Blind SQL Injection - Extract Data from ROWS
    o Perform Double Blind SQL Injection – Classical Exploitation (MySQL)
    o Perform Blind SQL Injection Using Out-of-Band Exploitation Technique
    o Exploiting Second-Order SQL Injection
    o Bypass Firewall using SQL Injection
    o Perform SQL Injection to Insert a New User and Update Password
    o Exporting a Value with Regular Expression Attack
  ▪ Advanced SQL Injection
    o Database, Table, and Column Enumeration
    o Advanced Enumeration
    o Features of Different DBMSs
    o Creating Database Accounts
    o Password Grabbing
    o Grabbing SQL Server Hashes
    o Transfer Database to Attacker's Machine
    o Interacting with the Operating System
    o Interacting with the File System
    o Network Reconnaissance Using SQL Injection
    o Network Reconnaissance Full Query
    o Finding and Bypassing Admin Panel of a Website
    o PL/SQL Exploitation
    o Creating Server Backdoors using SQL Injection
    o HTTP Header-Based SQL Injection
    o DNS Exfiltration using SQL Injection
    o MongoDB Injection/NoSQL Injection Attack
    o Case Study: SQL Injection Attack and Defense
SQL Injection Tools
  ▪ SQL Injection Tools
  ▪ SQL Injection Tools for Mobile Devices
Evasion Techniques
  ▪ Evading IDS
  ▪ Types of Signature Evasion Techniques
    o In-line Comment and Char Encoding
    o String Concatenation and Obfuscated Code
    o Manipulating White Spaces and Hex Encoding
    o Sophisticated Matches and URL Encoding
    o Null Byte and Case Variation
    o Declare Variables and IP Fragmentation
    o Variation
SQL Injection Countermeasures
  ▪ How to Defend Against SQL Injection Attacks
    o Use Type-Safe SQL Parameters
    o Defenses in the Application
      • LIKE Clauses
      • Wrapping Parameters with QUOTENAME() and REPLACE()
      • Input Validation
      • Output Encoding
      • Enforcing Least Privilege
  ▪ Detecting SQL Injection Attacks
  ▪ SQL Injection Detection Tools
    o OWASP ZAP
    o Damn Small SQLi Scanner (DSSS)
    o Snort
    o SQL Injection Detection Tools
Module 16: Hacking Wireless Networks
Module 16: Hacking Wireless Networks
Wireless Concepts
Wireless Concepts
▪ Wireless Terminology
▪ Wireless Terminology
Page | 42
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Version Change Document
Exam 312-50 Certified Ethical Hacker
▪ Wireless Networks
▪ Wireless Networks
▪ Wireless Standards
▪ Wireless Standards
▪ Service Set Identifier (SSID)
▪ Service Set Identifier (SSID)
▪ Wi-Fi Authentication Modes
▪ Wi-Fi Authentication Modes
▪ Wi-Fi Authentication Process Using a Centralized
Authentication Server
▪ Wi-Fi Authentication Process Using a Centralized
Authentication Server
▪ Types of Wireless Antennas
▪ Types of Wireless Antennas
Wireless Encryption
Wireless Encryption
▪ Types of Wireless Encryption
▪ Types of Wireless Encryption
o Wired Equivalent Privacy (WEP) Encryption
o Wired Equivalent Privacy (WEP) Encryption
o Wi-Fi Protected Access (WPA) Encryption
o Wi-Fi Protected Access (WPA) Encryption
o WPA2 Encryption
o WPA2 Encryption
o WPA3 Encryption
o WPA3 Encryption
▪ Comparison of WEP, WPA, WPA2, and WPA3
▪ Comparison of WEP, WPA, WPA2, and WPA3
▪ Issues in WEP, WPA, and WPA2
▪ Issues in WEP, WPA, and WPA2
Wireless Threats
Wireless Threats
▪ Wireless Threats
▪ Wireless Threats
o Rogue AP Attack
o Rogue AP Attack
o Client Mis-association
o Client Mis-association
o Misconfigured AP Attack
o Misconfigured AP Attack
o Unauthorized Association
o Unauthorized Association
o Ad-Hoc Connection Attack
o Ad-Hoc Connection Attack
o Honeypot AP Attack
o Honeypot AP Attack
o AP MAC Spoofing
o AP MAC Spoofing
o Denial-of-Service Attack
o Denial-of-Service Attack
o Key Reinstallation Attack (KRACK)
o Key Reinstallation Attack (KRACK)
o Jamming Signal Attack
o Jamming Signal Attack
• Wi-Fi Jamming Devices
• Wi-Fi Jamming Devices
o aLTEr Attack
o aLTEr Attack
o Wormhole Attack
o Wormhole and Sinkhole Attacks
o Sinkhole Attack
o Inter-Chip Privilege Escalation/Wireless CoExistence Attack
Wireless Hacking Methodology
o GNSS Spoofing
▪ Wireless Hacking Methodology
Wireless Hacking Methodology
▪ Wi-Fi Discovery
▪ Wireless Hacking Methodology
o Wireless Network Footprinting
▪ Wi-Fi Discovery
o Finding Wi-Fi Networks in Range to Attack
o Wireless Network Footprinting
o Finding WPS-Enabled APs
o Finding Wi-Fi Networks in Range to Attack
o Wi-Fi Discovery Tools
o Finding WPS-Enabled APs
Page | 43
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Version Change Document
o Mobile-based Wi-Fi Discovery Tools
▪ GPS Mapping
o GPS Mapping Tools
Exam 312-50 Certified Ethical Hacker
o Wi-Fi Discovery Tools
o Mobile-based Wi-Fi Discovery Tools
▪ GPS Mapping
o Wi-Fi Hotspot Finder Tools
o GPS Mapping Tools
o Wi-Fi Network Discovery Through WarDriving
o Wi-Fi Hotspot Finder Tools
▪ Wireless Traffic Analysis
o Choosing the Optimal Wi-Fi Card
o Wi-Fi Network Discovery Through WarDriving
▪ Wireless Traffic Analysis
o Sniffing Wireless Traffic
o Choosing the Optimal Wi-Fi Card
o Perform Spectrum Analysis
o Sniffing Wireless Traffic
▪ Launch of Wireless Attacks
o Aircrack-ng Suite
o Perform Spectrum Analysis
▪ Launch of Wireless Attacks
o Detection of Hidden SSIDs
o Aircrack-ng Suite
o Fragmentation Attack
o Detection of Hidden SSIDs
o MAC Spoofing Attack
o Fragmentation Attack
o Denial-of-Service: Disassociation and Deauthentication Attacks
o MAC Spoofing Attack
o Man-in-the-Middle Attack
o Denial-of-Service: Disassociation and Deauthentication Attacks
o MITM Attack Using Aircrack-ng
o Man-in-the-Middle Attack
o Wireless ARP Poisoning Attack
o MITM Attack Using Aircrack-ng
• ARP Poisoning Attack Using Ettercap
o Rogue APs
• Creation of a Rogue AP Using MANA Toolkit
o Evil Twin
• Set Up of a Fake Hotspot (Evil Twin)
o aLTEr Attack
o Wi-Jacking Attack
▪ Wi-Fi Encryption Cracking
o WEP Encryption Cracking
o Cracking WEP Using Aircrack-ng
o Wireless ARP Poisoning Attack
• ARP Poisoning Attack Using Ettercap
o Rogue APs
• Creation of a Rogue AP Using MANA Toolkit
o Evil Twin
• Set Up of a Fake Hotspot (Evil Twin)
o aLTEr Attack
o Wi-Jacking Attack
o RFID Cloning Attack
▪ Wi-Fi Encryption Cracking
o WPA/WPA2 Encryption Cracking
o WEP Encryption Cracking
o Cracking WPA-PSK Using Aircrack-ng
o Cracking WEP Using Aircrack-ng
o Cracking WPA/WPA2 Using Wifiphisher
o WPA/WPA2 Encryption Cracking
o Cracking WPS Using Reaver
o Cracking WPA-PSK Using Aircrack-ng
o WPA3 Encryption Cracking
o Cracking WPA/WPA2 Using Wifiphisher
o WEP Cracking and WPA Brute Forcing Using
Wesside-ng and Fern Wifi Cracker
o Cracking WPS Using Reaver
Wireless Hacking Tools
o WPA3 Encryption Cracking
▪ WEP/WPA/WPA2 Cracking Tools
o WEP Cracking and WPA Brute Forcing Using
Wesside-ng and Fern Wifi Cracker
▪ WEP/WPA/WPA2 Cracking Tools for Mobile
Wireless Hacking Tools
▪ Wi-Fi Packet Sniffers
▪ WEP/WPA/WPA2 Cracking Tools
▪ Wi-Fi Traffic Analyzer Tools
▪ WEP/WPA/WPA2 Cracking Tools for Mobile
▪ Other Wireless Hacking Tools
▪ Wi-Fi Packet Sniffers
Bluetooth Hacking
▪ Wi-Fi Traffic Analyzer Tools
▪ Bluetooth Stack
▪ Other Wireless Hacking Tools
▪ Bluetooth Hacking
Bluetooth Hacking
▪ Bluetooth Threats
▪ Bluetooth Stack
▪ Bluejacking
▪ Bluetooth Hacking
▪ Bluetooth Reconnaissance Using BlueZ
▪ Bluetooth Threats
▪ Btlejacking Using BtleJack
▪ Bluejacking
▪ Bluetooth Hacking Tools
▪ Bluetooth Reconnaissance Using BlueZ
Countermeasures
▪ Btlejacking Using BtleJack
▪ Wireless Security Layers
▪ Cracking BLE Encryption Using crackle
▪ Defense Against WPA/WPA2/WPA3 Cracking
▪ Bluetooth Hacking Tools
▪ Defense Against KRACK Attacks
Wireless Attack Countermeasures
▪ Defense Against aLTEr Attacks
▪ Wireless Security Layers
▪ Detection and Blocking of Rogue APs
▪ Defense Against WPA/WPA2/WPA3 Cracking
▪ Defense Against Wireless Attacks
▪ Defense Against KRACK and aLTEr Attacks
▪ Defense Against Bluetooth Hacking
▪ Detection and Blocking of Rogue APs
Wireless Security Tools
▪ Defense Against Wireless Attacks
▪ Wireless Intrusion Prevention Systems
▪ Defense Against Bluetooth Hacking
▪ WIPS Deployment
Wireless Security Tools
▪ Wi-Fi Security Auditing Tools
▪ Wireless Intrusion Prevention Systems
▪ Wi-Fi IPSs
▪ WIPS Deployment
▪ Wi-Fi Predictive Planning Tools
▪ Wi-Fi Security Auditing Tools
▪ Wi-Fi Vulnerability Scanning Tools
▪ Wi-Fi IPSs
▪ Bluetooth Security Tools
▪ Wi-Fi Predictive Planning Tools
▪ Wi-Fi Security Tools for Mobile
▪ Wi-Fi Vulnerability Scanning Tools
▪ Bluetooth Security Tools
▪ Wi-Fi Security Tools for Mobile
Module 17: Hacking Mobile Platforms
Module 17: Hacking Mobile Platforms
Mobile Platform Attack Vectors
Mobile Platform Attack Vectors
▪ Vulnerable Areas in Mobile Business Environment
▪ Vulnerable Areas in Mobile Business Environment
▪ OWASP Top 10 Mobile Risks – 2016
▪ OWASP Top 10 Mobile Risks – 2016
▪ Anatomy of a Mobile Attack
▪ Anatomy of a Mobile Attack
▪ How a Hacker can Profit from Mobile Devices that
are Successfully Compromised
▪ How a Hacker can Profit from Mobile Devices that
are Successfully Compromised
▪ Mobile Attack Vectors and Mobile Platform
Vulnerabilities
▪ Mobile Attack Vectors and Mobile Platform
Vulnerabilities
▪ Security Issues Arising from App Stores
▪ Security Issues Arising from App Stores
▪ App Sandboxing Issues
▪ App Sandboxing Issues
▪ Mobile Spam
▪ Mobile Spam
▪ SMS Phishing Attack (SMiShing) (Targeted Attack
Scan)
▪ SMS Phishing Attack (SMiShing) (Targeted Attack
Scan)
o SMS Phishing Attack Examples
o SMS Phishing Attack Examples
▪ Pairing Mobile Devices on Open Bluetooth and
Wi-Fi Connections
▪ Pairing Mobile Devices on Open Bluetooth and
Wi-Fi Connections
▪ Agent Smith Attack
▪ Agent Smith Attack
▪ Exploiting SS7 Vulnerability
▪ Exploiting SS7 Vulnerability
▪ Simjacker: SIM Card Attack
▪ Simjacker: SIM Card Attack
Hacking Android OS
▪ OTP Hijacking/Two-Factor Authentication
Hijacking
▪ Android OS
▪ Camera/Microphone Capture Attacks
o Android Device Administration API
▪ Android Rooting
o Camfecting Attack
o Android Camera Hijack Attack
o Rooting Android Using KingoRoot
Hacking Android OS
o Android Rooting Tools
▪ Android OS
▪ Hacking Android Devices
o Blocking Wi-Fi Access Using NetCut
o Android Device Administration API
▪ Android Rooting
o Identifying Attack Surfaces Using drozer
o Rooting Android Using KingoRoot
o Hacking with zANTI and Network Spoofer
o Android Rooting Tools
o Launch DoS Attack using Low Orbit Ion Cannon
(LOIC)
▪ Hacking Android Devices
o Session Hijacking Using DroidSheep
o Blocking Wi-Fi Access Using NetCut
o Hacking with Orbot Proxy
o Identifying Attack Surfaces Using drozer
o Exploiting Android Device through ADB Using
PhoneSploit
o Hacking with zANTI and Network Spoofer
o Android-based Sniffers
o Launch DoS Attack using Low Orbit Ion Cannon
(LOIC)
o Launching Man-in-the-Disk Attack
o Session Hijacking Using DroidSheep
o Launching Spearphone Attack
o Hacking with Orbot Proxy
o Other Techniques for Hacking Android Devices
o Exploiting Android Device through ADB Using
PhoneSploit
• Advanced SMS Phishing
o Android-based Sniffers
• Bypass SSL Pinning
o Launching Man-in-the-Disk Attack
• Tap ’n Ghost Attack
o Launching Spearphone Attack
o Android Trojans
o Exploiting Android Devices Using Metasploit
▪ Android Hacking Tools
o Other Techniques for Hacking Android Devices
▪ Securing Android Devices
o Android Trojans
▪ Android Security Tools
▪ OTP Hijacking Tools
o Android Device Tracking Tools: Google Find My
Device
▪ Camera/Microphone Hijacking Tools
o Android Device Tracking Tools
▪ Android Hacking Tools
o Android Vulnerability Scanners
▪ Securing Android Devices
o Online Android Analyzers
▪ Android Security Tools
Hacking iOS
o Android Device Tracking Tools: Google Find My
Device
▪ Apple iOS
o Android Device Tracking Tools
▪ Jailbreaking iOS
o Android Vulnerability Scanners
o Jailbreaking Techniques
o Online Android Analyzers
o Jailbreaking of iOS 13.2 Using Cydia
Hacking iOS
o Jailbreaking of iOS 13.2 Using Hexxa Plus
▪ Apple iOS
o Jailbreaking Tools
▪ Jailbreaking iOS
▪ Hacking iOS Devices
o Jailbreaking Techniques
o Hacking using Spyzie
o Jailbreaking iOS Using Hexxa Plus
o Hacking Network using Network Analyzer Pro
o Jailbreaking Tools
o iOS Trustjacking
▪ Hacking iOS Devices
o iOS Malware
o Hacking using Spyzie
o iOS Hacking Tools
o Hacking Network using Network Analyzer Pro
▪ Securing iOS Devices
o iOS Trustjacking
▪ iOS Device Security Tools
o Analyzing and Manipulating iOS Applications
▪ iOS Device Tracking Tools
• Manipulating an iOS Application Using
cycript
Mobile Device Management
• iOS Method Swizzling
▪ Mobile Device Management (MDM)
• Extracting Secrets Using Keychain Dumper
▪ Mobile Device Management Solutions
• Analyzing an iOS Application Using
objection
o IBM MaaS360
o iOS Malware
o Citrix Endpoint Management
o iOS Hacking Tools
▪ Bring Your Own Device (BYOD)
▪ Securing iOS Devices
o BYOD Risks
▪ iOS Device Security Tools
o BYOD Policy Implementation
▪ iOS Device Tracking Tools
o BYOD Security Guidelines
Mobile Device Management
Mobile Security Guidelines and Tools
▪ Mobile Device Management (MDM)
▪ OWASP Top 10 Mobile Controls
▪ Mobile Device Management Solutions: IBM
MaaS360
▪ General Guidelines for Mobile Platform Security
▪ Mobile Device Security Guidelines for
Administrator
o Mobile Device Management Solutions
▪ Bring Your Own Device (BYOD)
▪ SMS Phishing Countermeasures
o BYOD Risks
▪ Reverse Engineering Mobile Applications
o BYOD Policy Implementation
▪ Mobile Security Tools
o BYOD Security Guidelines
o Source Code Analysis Tools
Mobile Security Guidelines and Tools
o Reverse Engineering Tools
▪ OWASP Top 10 Mobile Controls
o App Repackaging Detector
▪ General Guidelines for Mobile Platform Security
o Mobile Protection Tools
▪ Mobile Device Security Guidelines for
Administrator
o Mobile Anti-Spyware
▪ SMS Phishing Countermeasures
o Mobile Pen Testing Toolkit: ImmuniWeb®
MobileSuite
▪ Critical Data Storage in Android and iOS: KeyStore
and Keychain Recommendations
▪ Mobile Security Tools
o Source Code Analysis Tools
o Reverse Engineering Tools
o App Repackaging Detector
o Mobile Protection Tools
o Mobile Anti-Spyware
o Mobile Pen Testing Toolkit: ImmuniWeb®
MobileSuite
Module 18: IoT and OT Hacking
Module 18: IoT and OT Hacking
IoT Hacking
IoT Hacking
IoT Concepts
IoT Concepts
▪ What is the IoT?
▪ What is the IoT?
▪ How the IoT Works
▪ How the IoT Works
▪ IoT Architecture
▪ IoT Architecture
▪ IoT Application Areas and Devices
▪ IoT Application Areas and Devices
▪ IoT Technologies and Protocols
▪ IoT Technologies and Protocols
▪ IoT Communication Models
▪ IoT Communication Models
▪ Challenges of IoT
▪ Challenges of IoT
▪ Threat vs Opportunity
▪ Threat vs Opportunity
IoT Attacks
IoT Attacks
▪ IoT Security Problems
▪ IoT Security Problems
▪ OWASP Top 10 IoT Threats
▪ OWASP Top 10 IoT Threats
▪ OWASP IoT Attack Surface Areas
▪ OWASP IoT Attack Surface Areas
▪ IoT Vulnerabilities
▪ IoT Vulnerabilities
▪ IoT Threats
▪ IoT Threats
▪ Hacking IoT Devices: General Scenario
▪ Hacking IoT Devices: General Scenario
▪ IoT Attacks
▪ IoT Attacks
o DDoS Attack
o DDoS Attack
o Exploit HVAC
o Exploit HVAC
o Rolling Code Attack
o Rolling Code Attack
o BlueBorne Attack
o BlueBorne Attack
o Jamming Attack
o Jamming Attack
o Hacking Smart Grid/Industrial Devices: Remote
Access using Backdoor
o Hacking Smart Grid/Industrial Devices: Remote
Access using Backdoor
o SDR-Based Attacks on IoT
o SDR-Based Attacks on IoT
o Identifying and Accessing Local IoT Devices
o Identifying and Accessing Local IoT Devices
o Fault Injection Attacks
o Fault Injection Attacks
o Other IoT Attacks
o Other IoT Attacks
▪ IoT Attacks in Different Sectors
▪ IoT Attacks in Different Sectors
▪ Case Study: Dyn Attack
▪ Case Study: Enemybot
IoT Hacking Methodology
IoT Hacking Methodology
▪ What is IoT Device Hacking?
▪ What is IoT Device Hacking?
▪ IoT Hacking Methodology
▪ IoT Hacking Methodology
o Information Gathering Using Shodan
o Information Gathering Using Shodan
o Information Gathering using MultiPing
o Information Gathering using MultiPing
o Information Gathering using FCC ID Search
o Information Gathering using FCC ID Search
o Discovering IoT Devices with Default
Credentials using IoTSeeker
o Discovering IoT Devices with Default
Credentials using IoTSeeker
o Vulnerability Scanning using Nmap
o Vulnerability Scanning using Nmap
o Vulnerability Scanning using RIoT Vulnerability
Scanner
o Vulnerability Scanning using RIoT Vulnerability
Scanner
o Sniffing using Foren6
o Sniffing using Foren6
o Sniffing using Wireshark
o Sniffing using Wireshark
o Analyzing Spectrum and IoT Traffic
o Analyzing Spectrum and IoT Traffic
o Rolling Code Attack using RFCrack
o Rolling Code Attack using RFCrack
o Hacking Zigbee Devices with Attify Zigbee
Framework
o Hacking Zigbee Devices with Attify Zigbee
Framework
o BlueBorne Attack Using HackRF One
o BlueBorne Attack Using HackRF One
o Replay Attack using HackRF One
o Replay Attack using HackRF One
o SDR-Based Attacks using RTL-SDR and GNU
Radio
o SDR-Based Attacks using RTL-SDR and GNU
Radio
o Side Channel Attack using ChipWhisperer
o Side Channel Attack using ChipWhisperer
o Gaining Remote Access using Telnet
o Identifying IoT Communication Buses and
Interfaces
o Maintain Access by Exploiting Firmware
o NAND Glitching
o Firmware Analysis and Reverse Engineering
o Gaining Remote Access using Telnet
IoT Hacking Tools
▪ Information-Gathering Tools
▪ Sniffing Tools
▪ Vulnerability-Scanning Tools
o Maintain Access by Exploiting Firmware
• Firmware Analysis and Reverse Engineering
✓ Emulate Firmware for Dynamic Testing
▪ IoT Hacking Tools
▪ Tools to Perform SDR-Based Attacks
o Information-Gathering Tools
▪ IoT Hacking Tools
o Sniffing Tools
Countermeasures
o Vulnerability-Scanning Tools
▪ How to Defend Against IoT Hacking
o Tools to Perform SDR-Based Attacks
▪ General Guidelines for IoT Device Manufacturing
Companies
o IoT Hacking Tools
▪ OWASP Top 10 IoT Vulnerabilities Solutions
IoT Attack Countermeasures
▪ IoT Framework Security Considerations
▪ How to Defend Against IoT Hacking
▪ IoT Device Management
▪ General Guidelines for IoT Device Manufacturing
Companies
▪ IoT Security Tools
▪ OWASP Top 10 IoT Vulnerabilities Solutions
OT Hacking
▪ IoT Framework Security Considerations
OT Concepts
▪ IoT Hardware Security Best Practices
▪ What is OT?
▪ IoT Device Management
▪ Essential Terminology
▪ IoT Security Tools
▪ IT/OT Convergence (IIoT)
OT Hacking
▪ The Purdue Model
OT Concepts
▪ Challenges of OT
▪ What is OT?
▪ Introduction to ICS
▪ Essential Terminology
▪ Components of an ICS
▪ IT/OT Convergence (IIoT)
o Distributed Control System (DCS)
▪ The Purdue Model
o Supervisory Control and Data Acquisition
(SCADA)
▪ Challenges of OT
o Programmable Logic Controller (PLC)
▪ Introduction to ICS
o Basic Process Control System (BPCS)
▪ Components of an ICS
o Safety Instrumented Systems (SIS)
o Distributed Control System (DCS)
▪ OT Technologies and Protocols
o Supervisory Control and Data Acquisition
(SCADA)
OT Attacks
o Programmable Logic Controller (PLC)
▪ OT Vulnerabilities
o Basic Process Control System (BPCS)
▪ OT Threats
o Safety Instrumented Systems (SIS)
▪ OT Attacks
▪ OT Technologies and Protocols
o HMI-based Attacks
OT Attacks
o Side-Channel Attacks
▪ OT Vulnerabilities
• Timing Analysis
▪ MITRE ATT&CK for ICS
• Power Analysis
▪ OT Threats
o Hacking Programmable Logic Controller (PLC)
o Hacking Industrial Systems through RF Remote
Controllers
▪ OT Attacks
o HMI-based Attacks
• Replay Attack
o Side-Channel Attacks
• Command Injection
o Hacking Programmable Logic Controller (PLC)
• Re-pairing with Malicious RF controller
o Hacking Industrial Systems through RF Remote
Controllers
• Malicious Reprogramming Attack
o OT Malware
o OT Malware
▪ OT Malware Analysis: INDUSTROYER.V2
▪ OT Malware Analysis: LockerGoga Ransomware
OT Hacking Methodology
OT Hacking Methodology
▪ What is OT Hacking?
▪ What is OT Hacking?
▪ OT Hacking Methodology
▪ OT Hacking Methodology
o Identifying ICS/SCADA Systems using Shodan
o Identifying ICS/SCADA Systems using Shodan
o Gathering Default Passwords using CRITIFENCE
o Gathering Default Passwords using CRITIFENCE
o Scanning ICS/SCADA Systems using Nmap
o Scanning ICS/SCADA Systems using Nmap
o Vulnerability Scanning using Nessus
o Enumerating Slave Controllers using SCADA
Shutdown Tool
o Vulnerability Scanning using Skybox
Vulnerability Control
o Vulnerability Scanning using Nessus
o Fuzzing ICS Protocols
o Vulnerability Scanning using Skybox
Vulnerability Control
o Sniffing using NetworkMiner
o Sniffing using NetworkMiner
o Analyzing Modbus/TCP Traffic Using Wireshark
o Analyzing Modbus/TCP Traffic Using Wireshark
o Discovering ICS/SCADA Network Topology
using GRASSMARLIN
o Discovering ICS/SCADA Network Topology
using GRASSMARLIN
o Hacking ICS Hardware
o Hacking ICS Hardware
o Hacking Modbus Slaves using Metasploit
o Hacking Modbus Slaves using Metasploit
o Hacking PLC using modbus-cli
o Hacking PLC using modbus-cli
o Gaining Remote Access using DNP3
o Gaining Remote Access using DNP3
▪ OT Hacking Tools
OT Hacking Tools
o Information-Gathering Tools
▪ Information-Gathering Tools
o Sniffing and Vulnerability-Scanning Tools
▪ Sniffing and Vulnerability-Scanning Tools
o OT Hacking Tools
▪ OT Hacking Tools
OT Attack Countermeasures
Countermeasures
▪ How to Defend Against OT Hacking
▪ How to Defend Against OT Hacking
▪ OT Vulnerabilities and Solutions
▪ OT Vulnerabilities and Solutions
▪ How to Secure an IT/OT Environment
▪ How to Secure an IT/OT Environment
▪ Implementing a Zero-Trust Model for ICS/SCADA
▪ International OT Security Organizations
▪ International OT Security Organizations and
Frameworks
▪ OT Security Solutions
o OTCSA
▪ OT Security Tools
o OT-ISAC
o NERC
o Industrial Internet Security Framework (IISF)
o ISA/IEC-62443
▪ OT Security Solutions
▪ OT Security Tools
Module 19: Cloud Computing
Module 19: Cloud Computing
Cloud Computing Concepts
Cloud Computing Concepts
▪ Introduction to Cloud Computing
▪ Introduction to Cloud Computing
▪ Types of Cloud Computing Services
▪ Types of Cloud Computing Services
▪ Separation of Responsibilities in Cloud
o Infrastructure-as-a-Service (IaaS)
▪ Cloud Deployment Models
o Platform-as-a-Service (PaaS)
▪ NIST Cloud Deployment Reference Architecture
o Software-as-a-Service (SaaS)
▪ Cloud Storage Architecture
o Identity-as-a-Service (IDaaS)
▪ Role of AI in Cloud Computing
o Security-as-a-Service (SECaaS)
▪ Virtual Reality and Augmented Reality on Cloud
o Container-as-a-Service (CaaS)
▪ Cloud Service Providers
o Function-as-a-Service (FaaS)
Container Technology
o Anything-as-a-Service (XaaS)
▪ What is a Container?
o Firewalls-as-a-Service (FWaaS)
o Container Technology Architecture
o Desktop-as-a-Service (DaaS)
▪ Containers Vs. Virtual Machines
o Mobile Backend-as-a-Service (MBaaS)
▪ What is Docker?
o Machines-as-a-Service (MaaS) Business Model
o Docker Engine
▪ Separation of Responsibilities in Cloud
o Docker Architecture
▪ Cloud Deployment Models
o Microservices Vs. Docker
o Public Cloud
o Docker Networking
o Private Cloud
▪ Container Orchestration
o Community Cloud
▪ What is Kubernetes?
o Hybrid Cloud
o Kubernetes Cluster Architecture
o Multi Cloud
o Kubernetes Vs. Docker
o Distributed Cloud
▪ Container Security Challenges
▪ Container Management Platforms
o Poly Cloud
▪ NIST Cloud Deployment Reference Architecture
▪ Kubernetes Platforms
▪ Cloud Storage Architecture
Serverless Computing
▪ Role of AI in Cloud Computing
▪ What is Serverless Computing?
▪ Virtual Reality and Augmented Reality on Cloud
▪ Serverless Vs. Containers
▪ Fog Computing
▪ Serverless Computing Frameworks
▪ Edge Computing
Cloud Computing Threats
▪ Cloud vs. Fog Computing vs. Edge Computing
▪ OWASP Top 10 Cloud Security Risks
▪ Cloud Computing vs. Grid Computing
▪ OWASP Top 10 Serverless Security Risks
▪ Cloud Service Providers
▪ Cloud Computing Threats
Container Technology
▪ Container Vulnerabilities
▪ What is a Container?
▪ Kubernetes Vulnerabilities
▪ Containers Vs. Virtual Machines
▪ Cloud Attacks
▪ What is Docker?
o Service Hijacking using Social Engineering
o Microservices Vs. Docker
o Service Hijacking using Network Sniffing
o Docker Networking
o Side-Channel Attacks or Cross-guest VM
Breaches
▪ Container Orchestration
o Wrapping Attack
▪ What is Kubernetes?
o Man-in-the-Cloud (MITC) Attack
o Kubernetes Vs. Docker
o Cloud Hopper Attack
▪ Clusters and Containers
o Cloud Cryptojacking
▪ Container Security Challenges
o Cloudborne Attack
▪ Container Management Platforms
o Other Cloud Attacks
▪ Kubernetes Platforms
Cloud Hacking
Serverless Computing
▪ What is Cloud Hacking?
▪ What is Serverless Computing?
▪ Hacking Cloud
▪ Serverless Vs. Containers
o Container Vulnerability Scanning using Trivy
▪ Serverless Computing Frameworks
o Kubernetes Vulnerability Scanning using Sysdig
Cloud Computing Threats
o Enumerating S3 Buckets
▪ OWASP Top 10 Cloud Security Risks
• Inspecting HTML
▪ OWASP Top 10 Serverless Security Risks
• Brute-Forcing URL
▪ Cloud Computing Threats
• Finding Subdomains
▪ Container Vulnerabilities
• Reverse IP Search
▪ Kubernetes Vulnerabilities
• Advanced Google Hacking
▪ Cloud Attacks
o Identifying Open S3 Buckets using S3Scanner
o Service Hijacking using Social Engineering
o Enumerating Kubernetes etcd
o Service Hijacking using Network Sniffing
o Enumerating AWS Account IDs
o Side-Channel Attacks or Cross-guest VM
Breaches
o Enumerating IAM Roles
o Wrapping Attack
o Enumerating Bucket Permissions using
o Man-in-the-Cloud (MITC) Attack
S3Inspector
o Exploiting Amazon Cloud Infrastructure using
Nimbostratus
o Cloud Hopper Attack
o Exploiting Misconfigured AWS S3 Buckets
o Cloud Cryptojacking
o Compromising AWS IAM Credentials
o Cloudborne Attack
o Hijacking Misconfigured IAM Roles using Pacu
o Instance Metadata Service (IMDS) Attack
o Cracking AWS Access Keys using
DumpsterDiver
o Cache Poisoned Denial of Service
(CPDoS)/Content Delivery Network (CDN)
Cache Poisoning Attack
o Exploiting Docker Containers on AWS using
Cloud Container Attack Tool (CCAT)
o Cloud Snooper Attack
o Exploiting Docker Remote API
o Golden SAML Attack
o Hacking Container Volumes
o Other Cloud Attacks
o CloudGoat AWS – Vulnerable by Design
▪ Cloud Malware
o Gaining Access by Exploiting SSRF Vulnerability
Cloud Hacking
o AWS IAM Privilege Escalation Techniques
▪ What is Cloud Hacking?
o Escalating Privileges of Google Storage Buckets
using GCPBucketBrute
▪ Hacking Cloud
o Backdooring Docker Images using dockerscan
o Container Vulnerability Scanning using Trivy
o Maintaining Access and Covering Tracks on
AWS Cloud Environment by Manipulating
CloudTrail Service
o Kubernetes Vulnerability Scanning using Sysdig
▪ AWS Hacking Tool: AWS pwn
o Enumerating S3 Buckets
Cloud Security
o Identifying Open S3 Buckets using S3Scanner
▪ Cloud Security Control Layers
o Enumerating AWS Account IDs
▪ Cloud Security is the Responsibility of both Cloud
Provider and Consumer
o Enumerating IAM Roles
▪ Cloud Computing Security Considerations
o Enumerating Bucket Permissions using
S3Inspector
▪ Placement of Security Controls in the Cloud
o Enumerating Kubernetes etcd
▪ Best Practices for Securing Cloud
o Enumerating Azure Active Directory (AD)
Accounts
▪ NIST Recommendations for Cloud Security
o Gathering Cloud Keys Through IMDS Attack
▪ Kubernetes Vulnerabilities and Solutions
o Exploiting Amazon Cloud Infrastructure using
Nimbostratus
▪ Serverless Security Risks and Solutions
o Exploiting Misconfigured AWS S3 Buckets
▪ Best Practices for Container Security
o Compromising AWS IAM Credentials
▪ Best Practices for Docker Security
o Hijacking Misconfigured IAM Roles using Pacu
▪ Best Practices for Kubernetes Security
o Cracking AWS Access Keys using
DumpsterDiver
▪ Best Practices for Serverless Security
o Exploiting Docker Containers on AWS using
Cloud Container Attack Tool (CCAT)
▪ Zero Trust Networks
o Serverless-Based Attacks on AWS Lambda
▪ Organization/Provider Cloud Security Compliance
Checklist
o Exploiting Shadow Admins in AWS
▪ International Cloud Security Organizations
o Exploiting Docker Remote API
▪ Cloud Security Tools
o Hacking Container Volumes
▪ Container Security Tools
o CloudGoat 2 – Vulnerable by Design AWS
Deployment Tool
▪ Kubernetes Security Tools
o Gaining Access by Exploiting SSRF Vulnerability
▪ Serverless Application Security Solutions
o AWS IAM Privilege Escalation Techniques
o Escalating Privileges of Google Storage Buckets
using GCPBucketBrute
o Privilege Escalation Using Misconfigured User
Accounts in Azure AD
o Creating Backdoor Accounts in AWS
o Backdooring Docker Images using dockerscan
o Maintaining Access and Covering Tracks on
AWS Cloud Environment by Manipulating
CloudTrail Service
▪ AWS Hacking Tool: AWS pwn
Cloud Security
▪ Cloud Security Control Layers
▪ Cloud Security is the Responsibility of both Cloud
Provider and Consumer
▪ Cloud Computing Security Considerations
▪ Placement of Security Controls in the Cloud
▪ Best Practices for Securing Cloud
▪ NIST Recommendations for Cloud Security
▪ Security Assertion Markup Language (SAML)
▪ Cloud Network Security
o Virtual Private Cloud (VPC)
o Public and Private Subnets
o Transit Gateways
o VPC Endpoint
▪ Cloud Security Controls
o Cloud Application Security
o High Availability Across Zones
o Cloud Integration and Auditing
o Security Groups
o Instance Awareness
▪ Kubernetes Vulnerabilities and Solutions
▪ Serverless Security Risks and Solutions
▪ Best Practices for Container Security
▪ Best Practices for Docker Security
▪ Best Practices for Kubernetes Security
▪ Best Practices for Serverless Security
▪ Zero Trust Networks
▪ Organization/Provider Cloud Security Compliance
Checklist
▪ International Cloud Security Organizations
▪ Shadow Cloud Asset Discovery Tools
▪ Cloud Security Tools
▪ Container Security Tools
▪ Kubernetes Security Tools
▪ Serverless Application Security Solutions
▪ Cloud Access Security Broker (CASB)
o CASB Solutions
• Forcepoint CASB
▪ Next-Generation Secure Web Gateway (NG SWG)
o NG SWG Solutions
Module 20: Cryptography
Module 20: Cryptography
Cryptography Concepts
Cryptography Concepts
▪ Cryptography
▪ Cryptography
o Types of Cryptography
▪ Government Access to Keys (GAK)
▪ Government Access to Keys (GAK)
Encryption Algorithms
Encryption Algorithms
▪ Ciphers
▪ Ciphers
▪ Data Encryption Standard (DES) and Advanced
Encryption Standard (AES)
▪ Data Encryption Standard (DES)
▪ RC4, RC5, and RC6 Algorithms
▪ Advanced Encryption Standard (AES)
▪ Twofish and Threefish
▪ RC4, RC5, and RC6 Algorithms
▪ Serpent and TEA
▪ Twofish
▪ CAST-128
▪ Threefish
▪ GOST Block Cipher and Camellia
▪ Serpent
▪ DSA and Related Signature Schemes
▪ TEA
▪ Rivest Shamir Adleman (RSA)
▪ CAST-128
▪ Diffie-Hellman
▪ GOST Block Cipher
▪ YAK
▪ Camellia
▪ Message Digest (One-Way Hash) Functions
▪ DSA and Related Signature Schemes
o Message Digest Function: MD5 and MD6
▪ Rivest Shamir Adleman (RSA)
o Message Digest Function: Secure Hashing
Algorithm (SHA)
▪ Diffie-Hellman
o RIPEMD-160 and HMAC
▪ YAK
▪ Message Digest (One-Way Hash) Functions
o Message Digest Function: MD5 and MD6
▪ Other Encryption Techniques
o Post-quantum Cryptography
o Lightweight Cryptography
o Message Digest Function: Secure Hashing
Algorithm (SHA)
▪ Comparison of Cryptographic Algorithms
o RIPEMD-160
▪ Cipher Modes of Operation
o HMAC
▪ Other Encryption Techniques
o Electronic Code Book (ECB) Mode
o Cipher Block Chaining (CBC) Mode
o Elliptic Curve Cryptography
o Cipher Feedback (CFB) Mode
o Quantum Cryptography
o Counter Mode
o Homomorphic Encryption
o Hardware-Based Encryption
▪ Comparison of Cryptographic Algorithms
Cryptography Tools
▪ MD5 and MD6 Hash Calculators
▪ Modes of Authenticated Encryption
o Authenticated Encryption with Message
Authentication Code (MAC)
o Authenticated Encryption with Associated Data
(AEAD)
▪ Applications of Cryptography - Blockchain
o Types of Blockchain
▪ Hash Calculators for Mobile
Cryptography Tools
▪ Cryptography Tools
▪ MD5 and MD6 Hash Calculators
▪ Cryptography Tools for Mobile
▪ Hash Calculators for Mobile
Public Key Infrastructure (PKI)
▪ Cryptography Tools
▪ Public Key Infrastructure (PKI)
▪ Cryptography Tools for Mobile
o Certification Authorities
Public Key Infrastructure (PKI)
o Signed Certificate (CA) Vs. Self Signed
Certificate
▪ Public Key Infrastructure (PKI)
Email Encryption
o Certification Authorities
▪ Digital Signature
o Signed Certificate (CA) Vs. Self Signed
Certificate
▪ Secure Sockets Layer (SSL)
Email Encryption
▪ Transport Layer Security (TLS)
▪ Digital Signature
▪ Cryptography Toolkits
▪ Secure Sockets Layer (SSL)
▪ Pretty Good Privacy (PGP)
▪ Transport Layer Security (TLS)
▪ GNU Privacy Guard (GPG)
▪ Cryptography Toolkits
▪ Web of Trust (WOT)
▪ Pretty Good Privacy (PGP)
▪ Email Encryption Tools
▪ GNU Privacy Guard (GPG)
Disk Encryption
▪ Web of Trust (WOT)
▪ Disk Encryption
▪ Encrypting Email Messages in Outlook
▪ Disk Encryption Tools: VeraCrypt and Symantec
Drive Encryption
o S/MIME Encryption
▪ Disk Encryption Tools
o Microsoft 365 Message Encryption
Cryptanalysis
▪ Signing/Encrypting Email Messages on Mac
▪ Cryptanalysis Methods
▪ Encrypting/Decrypting Email Messages Using
OpenPGP
o Linear Cryptanalysis
▪ Email Encryption Tools
o Differential Cryptanalysis
Disk Encryption
o Integral Cryptanalysis
▪ Disk Encryption
▪ Code Breaking Methodologies
▪ Disk Encryption Tools: VeraCrypt and Symantec
Drive Encryption
▪ Cryptography Attacks
▪ Disk Encryption Tools
o Brute-Force Attack
▪ Disk Encryption Tools for Linux
o Birthday Attack
▪ Disk Encryption Tools for macOS
o Birthday Paradox: Probability
Cryptanalysis
o Meet-in-the-Middle Attack on Digital Signature
Schemes
▪ Cryptanalysis Methods
o Side-Channel Attack
o Quantum Cryptanalysis
o Hash Collision Attack
▪ Code Breaking Methodologies
o DUHK Attack
▪ Cryptography Attacks
o Rainbow Table Attack
o Brute-Force Attack
o Related-Key Attack
o Birthday Attack
o Padding Oracle Attack
o Birthday Paradox: Probability
o DROWN Attack
o Meet-in-the-Middle Attack on Digital Signature
Schemes
▪ Cryptanalysis Tools
o Side-Channel Attack
▪ Online MD5 Decryption Tools
o Hash Collision Attack
Countermeasures
o DUHK Attack
▪ How to Defend Against Cryptographic Attacks
o Rainbow Table Attack
▪ Key Stretching
o Related-Key Attack
o PBKDF2
o Padding Oracle Attack
o Bcrypt
o DROWN Attack
▪ Cryptanalysis Tools
▪ Online MD5 Decryption Tools
Cryptography Attack Countermeasures
▪ How to Defend Against Cryptographic Attacks
▪ Key Stretching
Labs Comparison
The notation used:
1. Red points are new labs in CEHv12
2. Blue points are substantially modified labs in CEHv12
3. Struck-through labs are removed from CEHv11
CEHv11
CEHv12
Module 01: Introduction to Ethical Hacking
Module 01: Introduction to Ethical Hacking
Module 02: Footprinting and Reconnaissance
Module 02: Footprinting and Reconnaissance
1. Perform Footprinting Through Search Engines
1. Perform Footprinting Through Search Engines
1.1 Gather Information using Advanced Google
Hacking Techniques
1.1 Gather Information using Advanced Google
Hacking Techniques
1.2 Gather Information from Video Search
Engines
1.2 Gather Information from Video Search
Engines
1.3 Gather Information from FTP Search
Engines
1.3 Gather Information from FTP Search
Engines
1.4 Gather Information from IoT Search
Engines
1.4 Gather Information from IoT Search
Engines
Perform Footprinting Through Web Services
2.
Perform Footprinting Through Web Services
2.1 Find the Company’s Domains and Subdomains using Netcraft
2.1 Find the Company’s Domains and Subdomains using Netcraft
2.2 Gather Personal Information using PeekYou
Online People Search Service
2.2 Gather Personal Information using PeekYou
Online People Search Service
2.3 Gather an Email List using theHarvester
2.3 Gather an Email List using theHarvester
2.4 Gather Information using Deep and Dark
Web Searching
2.4 Gather Information using Deep and Dark
Web Searching
2.5 Determine Target OS Through Passive
Footprinting
2.5 Determine Target OS Through Passive
Footprinting
Perform Footprinting Through Social
Networking Sites
3.
Perform Footprinting Through Social
Networking Sites
3.1 Gather Employees’ Information from
LinkedIn using theHarvester
3.1 Gather Employees’ Information from
LinkedIn using theHarvester
3.2 Gather Personal Information from Various
Social Networking Sites using Sherlock
3.2 Gather Personal Information from Various
Social Networking Sites using Sherlock
3.3 Gather Information using Followerwonk
3.3 Gather Information using Followerwonk
Perform Website Footprinting
4.
Perform Website Footprinting
4.1 Gather Information About a Target Website
using Ping Command Line Utility
4.1 Gather Information About a Target Website
using Ping Command Line Utility
4.2 Gather Information About a Target Website
using Website Informer
4.2 Gather Information of a Target Website
using Photon
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Version Change Document
5.
6.
Exam 312-50 Certified Ethical Hacker
4.3 Extract a Company’s Data using Web Data
Extractor
4.3 Gather information about a target website
using Central Ops
4.4 Mirror a Target Website using HTTrack Web
Site Copier
4.4 Extract a Company’s Data using Web Data
Extractor
4.5 Gather a Wordlist from the Target Website
using CeWL
4.5 Mirror a Target Website using HTTrack Web
Site Copier
Perform Email Footprinting
4.6 Gather Information About a Target Website
using GRecon
5.1 Gather Information About a Target by
Tracing Emails using eMailTrackerPro
4.7 Gather a Wordlist from the Target Website
using CeWL
Perform Whois Footprinting
5.
5.1 Gather Information About a Target by
Tracing Emails using eMailTrackerPro
6.1 Perform Whois Lookup using DomainTools
7.
Perform DNS Footprinting
6.
7.1 Gather DNS Information using nslookup
Command Line Utility and Online Tool
7.2 Perform Reverse DNS Lookup using Reverse
IP Domain Check and DNSRecon
8.
Perform Whois Footprinting
6.1 Perform Whois Lookup using DomainTools
7.
Perform DNS Footprinting
Perform Network Footprinting
7.1 Gather DNS Information using nslookup
Command Line Utility and Online Tool
8.1 Locate the Network Range
7.2 Perform Reverse DNS Lookup using Reverse
IP Domain Check and DNSRecon
8.2 Perform Network Tracerouting in Windows
and Linux Machines
7.3 Gather Information of Subdomain and DNS
Records using SecurityTrails
8.3 Perform Advanced Network Route Tracing
using Path Analyzer Pro
9.
Perform Email Footprinting
8.
Perform Network Footprinting
Perform Footprinting using Various Footprinting
Tools
8.1 Locate the Network Range
9.1 Footprinting a Target using Recon-ng
8.2 Perform Network Tracerouting in Windows
and Linux Machines
9.2 Footprinting a Target using Maltego
8.3 Perform Advanced Network Route Tracing
using Path Analyzer Pro
9.3 Footprinting a Target using OSRFramework
9.
Perform Footprinting using Various Footprinting
Tools
9.4 Footprinting a Target using FOCA
9.1 Footprinting a Target using Recon-ng
9.5 Footprinting a Target using BillCipher
9.2 Footprinting a Target using Maltego
9.6 Footprinting a Target using OSINT
Framework
9.3 Footprinting a Target using OSRFramework
9.4 Footprinting a Target using FOCA
9.5 Footprinting a Target using BillCipher
9.6 Footprinting a Target using OSINT
Framework
Module 03: Scanning Networks

CEHv11
1. Perform Host Discovery
   1.1 Perform Host Discovery using Nmap
   1.2 Perform Host Discovery using Angry IP Scanner
2. Perform Port and Service Discovery
   2.1 Perform Port and Service Discovery using MegaPing
   2.2 Perform Port and Service Discovery using NetScanTools Pro
   2.3 Explore Various Network Scanning Techniques using Nmap
   2.4 Explore Various Network Scanning Techniques using Hping3
3. Perform OS Discovery
   3.1 Identify the Target System’s OS with Time-to-Live (TTL) and TCP Window Sizes using Wireshark
   3.2 Perform OS Discovery using Nmap Script Engine (NSE)
   3.3 Perform OS Discovery using Unicornscan
4. Scan beyond IDS and Firewall
   4.1 Scan beyond IDS/Firewall using various Evasion Techniques
   4.2 Create Custom Packets using Colasoft Packet Builder to Scan beyond IDS/Firewall
   4.3 Create Custom UDP and TCP Packets using Hping3 to Scan beyond IDS/Firewall
   4.4 Create Custom Packets using Nmap to Scan beyond IDS/Firewall
   4.5 Browse Anonymously using Proxy Switcher
   4.6 Browse Anonymously using CyberGhost VPN
5. Draw Network Diagrams
   5.1 Draw Network Diagrams using Network Topology Mapper
6. Perform Network Scanning using Various Scanning Tools
   6.1 Scan a Target Network using Metasploit

CEHv12
1. Perform Host Discovery
   1.1 Perform Host Discovery using Nmap
   1.2 Perform Host Discovery using Angry IP Scanner
2. Perform Port and Service Discovery
   2.1 Perform Port and Service Discovery using MegaPing
   2.2 Perform Port and Service Discovery using NetScanTools Pro
   2.3 Perform Port Scanning using sx Tool
   2.4 Explore Various Network Scanning Techniques using Nmap
   2.5 Explore Various Network Scanning Techniques using Hping3
3. Perform OS Discovery
   3.1 Identify the Target System’s OS with Time-to-Live (TTL) and TCP Window Sizes using Wireshark
   3.2 Perform OS Discovery using Nmap Script Engine (NSE)
   3.3 Perform OS Discovery using Unicornscan
4. Scan beyond IDS and Firewall
   4.1 Scan beyond IDS/Firewall using various Evasion Techniques
   4.2 Create Custom Packets using Colasoft Packet Builder to Scan beyond IDS/Firewall
   4.3 Create Custom UDP and TCP Packets using Hping3 to Scan beyond IDS/Firewall
   4.4 Browse Anonymously using Proxy Switcher
   4.5 Browse Anonymously using CyberGhost VPN
5. Perform Network Scanning using Various Scanning Tools
   5.1 Scan a Target Network using Metasploit
Module 04: Enumeration

CEHv11
1. Perform NetBIOS Enumeration
   1.1 Perform NetBIOS Enumeration using Windows Command-Line Utilities
   1.2 Perform NetBIOS Enumeration using NetBIOS Enumerator
   1.3 Perform NetBIOS Enumeration using an NSE Script
2. Perform SNMP Enumeration
   2.1 Perform SNMP Enumeration using snmp-check
   2.2 Perform SNMP Enumeration using SoftPerfect Network Scanner
3. Perform LDAP Enumeration
   3.1 Perform LDAP Enumeration using Active Directory Explorer (AD Explorer)
4. Perform NFS Enumeration
   4.1 Perform NFS Enumeration using RPCScan and SuperEnum
5. Perform DNS Enumeration
   5.1 Perform DNS Enumeration using Zone Transfer
   5.2 Perform DNS Enumeration using DNSSEC Zone Walking
6. Perform RPC, SMB, and FTP Enumeration
   6.1 Perform RPC and SMB Enumeration using NetScanTools Pro
   6.2 Perform RPC, SMB, and FTP Enumeration using Nmap
7. Perform Enumeration using Various Enumeration Tools
   7.1 Enumerate Information using Global Network Inventory
   7.2 Enumerate Network Resources using Advanced IP Scanner
   7.3 Enumerate Information from Windows and Samba Hosts using Enum4linux

CEHv12
1. Perform NetBIOS Enumeration
   1.1 Perform NetBIOS Enumeration using Windows Command-Line Utilities
   1.2 Perform NetBIOS Enumeration using NetBIOS Enumerator
   1.3 Perform NetBIOS Enumeration using an NSE Script
2. Perform SNMP Enumeration
   2.1 Perform SNMP Enumeration using snmp-check
   2.2 Perform SNMP Enumeration using SoftPerfect Network Scanner
   2.3 Perform SNMP Enumeration using SnmpWalk
   2.4 Perform SNMP Enumeration using Nmap
3. Perform LDAP Enumeration
   3.1 Perform LDAP Enumeration using Active Directory Explorer (AD Explorer)
   3.2 Perform LDAP Enumeration using Python and Nmap
   3.3 Perform LDAP Enumeration using ldapsearch
4. Perform NFS Enumeration
   4.1 Perform NFS Enumeration using RPCScan and SuperEnum
5. Perform DNS Enumeration
   5.1 Perform DNS Enumeration using Zone Transfer
   5.2 Perform DNS Enumeration using DNSSEC Zone Walking
   5.3 Perform DNS Enumeration using Nmap
6. Perform SMTP Enumeration
   6.1 Perform SMTP Enumeration using Nmap
7. Perform RPC, SMB, and FTP Enumeration
   7.1 Perform RPC and SMB Enumeration using NetScanTools Pro
   7.2 Perform RPC, SMB, and FTP Enumeration using Nmap
8. Perform Enumeration using Various Enumeration Tools
   8.1 Enumerate Information using Global Network Inventory
   8.2 Enumerate Network Resources using Advanced IP Scanner
   8.3 Enumerate Information from Windows and Samba Hosts using Enum4linux
Module 05: Vulnerability Analysis

CEHv11 and CEHv12 (same lab list)
1. Perform Vulnerability Research with Vulnerability Scoring Systems and Databases
   1.1 Perform Vulnerability Research in Common Weakness Enumeration (CWE)
   1.2 Perform Vulnerability Research in Common Vulnerabilities and Exposures (CVE)
   1.3 Perform Vulnerability Research in National Vulnerability Database (NVD)
2. Perform Vulnerability Assessment using Various Vulnerability Assessment Tools
   2.1 Perform Vulnerability Analysis using OpenVAS
   2.2 Perform Vulnerability Scanning using Nessus
   2.3 Perform Vulnerability Scanning using GFI LanGuard
   2.4 Perform Web Servers and Applications Vulnerability Scanning using CGI Scanner Nikto
Module 06: System Hacking

CEHv11
1. Gain Access to the System
   1.1 Perform Active Online Attack to Crack the System’s Password using Responder
   1.2 Audit System Passwords using L0phtCrack
   1.3 Find Vulnerabilities on Exploit Sites
   1.4 Exploit Client-Side Vulnerabilities and Establish a VNC Session
   1.5 Gain Access to a Remote System using Armitage
   1.6 Hack a Windows Machine with a Malicious Office Document using TheFatRat
   1.7 Perform Buffer Overflow Attack to Gain Access to a Remote System
2. Perform Privilege Escalation to Gain Higher Privileges
   2.1 Escalate Privileges using Privilege Escalation Tools and Exploit Client-Side Vulnerabilities
   2.2 Hack a Windows Machine using Metasploit and Perform Post-Exploitation using Meterpreter
3. Maintain Remote Access and Hide Malicious Activities
   3.1 User System Monitoring and Surveillance using Power Spy
   3.2 User System Monitoring and Surveillance using Spytech SpyAgent
   3.3 Hide Files using NTFS Streams
   3.4 Hide Data using White Space Steganography
   3.5 Image Steganography using OpenStego
   3.6 Covert Channels using Covert_TCP
4. Clear Logs to Hide the Evidence of Compromise
   4.1 View, Enable, and Clear Audit Policies using Auditpol
   4.2 Clear Windows Machine Logs using Various Utilities
   4.3 Clear Linux Machine Logs using the BASH Shell
   4.4 Clear Windows Machine Logs using CCleaner

CEHv12
1. Gain Access to the System
   1.1 Perform Active Online Attack to Crack the System’s Password using Responder
   1.2 Audit System Passwords using L0phtCrack
   1.3 Find Vulnerabilities on Exploit Sites
   1.4 Exploit Client-Side Vulnerabilities and Establish a VNC Session
   1.5 Gain Access to a Remote System using Armitage
   1.6 Gain Access to a Remote System using Ninja Jonin
   1.7 Perform Buffer Overflow Attack to Gain Access to a Remote System
2. Perform Privilege Escalation to Gain Higher Privileges
   2.1 Escalate Privileges using Privilege Escalation Tools and Exploit Client-Side Vulnerabilities
   2.2 Hack a Windows Machine using Metasploit and Perform Post-Exploitation using Meterpreter
   2.3 Escalate Privileges by Exploiting Vulnerability in pkexec
   2.4 Escalate Privileges in Linux Machine by Exploiting Misconfigured NFS
   2.5 Escalate Privileges by Bypassing UAC and Exploiting Sticky Keys
   2.6 Escalate Privileges to Gather Hashdump using Mimikatz
3. Maintain Remote Access and Hide Malicious Activities
   3.1 User System Monitoring and Surveillance using Power Spy
   3.2 User System Monitoring and Surveillance using Spytech SpyAgent
   3.3 Hide Files using NTFS Streams
   3.4 Hide Data using White Space Steganography
   3.5 Image Steganography using OpenStego and StegOnline
   3.6 Maintain Persistence by Abusing Boot or Logon Autostart Execution
   3.7 Maintain Domain Persistence by Exploiting Active Directory Objects
   3.8 Privilege Escalation and Maintain Persistence using WMI
   3.9 Covert Channels using Covert_TCP
4. Clear Logs to Hide the Evidence of Compromise
   4.1 View, Enable, and Clear Audit Policies using Auditpol
   4.2 Clear Windows Machine Logs using Various Utilities
   4.3 Clear Linux Machine Logs using the BASH Shell
   4.4 Hiding Artifacts in Windows and Linux Machines
   4.5 Clear Windows Machine Logs using CCleaner
Module 07: Malware Threats

CEHv11
1. Gain Access to the Target System using Trojans
   1.1 Gain Control over a Victim Machine using the njRAT RAT Trojan
   1.2 Hide a Trojan using SwayzCryptor and Make it Undetectable to Various Anti-Virus Programs
   1.3 Create a Server using the ProRat Tool
   1.4 Create a Trojan Server using Theef RAT Trojan
2. Infect the Target System using a Virus
   2.1 Create a Virus using the JPS Virus Maker Tool and Infect the Target System
3. Perform Static Malware Analysis
   3.1 Perform Malware Scanning using Hybrid Analysis
   3.2 Perform a Strings Search using BinText
   3.3 Identify Packaging and Obfuscation Methods using PEid
   3.4 Find the Portable Executable (PE) Information of a Malware Executable File using PE Explorer
   3.5 Identify File Dependencies using Dependency Walker
   3.6 Perform Malware Disassembly using IDA and OllyDbg
4. Perform Dynamic Malware Analysis
   4.1 Perform Port Monitoring using TCPView and CurrPorts
   4.2 Perform Process Monitoring using Process Monitor
   4.3 Perform Registry Monitoring using Regshot and jv16 PowerTools
   4.4 Perform Windows Services Monitoring using Windows Service Manager (SrvMan)
   4.5 Perform Startup Programs Monitoring using Autoruns for Windows and WinPatrol
   4.6 Perform Installation Monitoring using Mirekusoft Install Monitor
   4.7 Perform Files and Folder Monitoring using PA File Sight
   4.8 Perform Device Drivers Monitoring using DriverView and Driver Booster
   4.9 Perform DNS Monitoring using DNSQuerySniffer

CEHv12
1. Gain Access to the Target System using Trojans
   1.1 Gain Control over a Victim Machine using the njRAT RAT Trojan
   1.2 Hide a Trojan using SwayzCryptor and Make it Undetectable to Various Anti-Virus Programs
   1.3 Create a Trojan Server using Theef RAT Trojan
2. Infect the Target System using a Virus
   2.1 Create a Virus using the JPS Virus Maker Tool and Infect the Target System
3. Perform Static Malware Analysis
   3.1 Perform Online Malware Scanning using VirusTotal
   3.2 Perform a Strings Search using BinText
   3.3 Identify Packaging and Obfuscation Methods using PEid
   3.4 Analyze ELF Executable File using Detect It Easy (DIE)
   3.5 Find the Portable Executable (PE) Information of a Malware Executable File using PE Explorer
   3.6 Identify File Dependencies using Dependency Walker
   3.7 Perform Malware Disassembly using IDA and OllyDbg
   3.8 Perform Malware Disassembly using Ghidra
4. Perform Dynamic Malware Analysis
   4.1 Perform Port Monitoring using TCPView and CurrPorts
   4.2 Perform Process Monitoring using Process Monitor
   4.3 Perform Registry Monitoring using Reg Organizer
   4.4 Perform Windows Services Monitoring using Windows Service Manager (SrvMan)
   4.5 Perform Startup Programs Monitoring using Autoruns for Windows and WinPatrol
   4.6 Perform Installation Monitoring using Mirekusoft Install Monitor
   4.7 Perform Files and Folder Monitoring using PA File Sight
   4.8 Perform Device Driver Monitoring using DriverView and Driver Reviver
   4.9 Perform DNS Monitoring using DNSQuerySniffer
Module 08: Sniffing

CEHv11
1. Perform Active Sniffing
   1.1 Perform MAC Flooding using macof
   1.2 Perform a DHCP Starvation Attack using Yersinia
   1.3 Perform ARP Poisoning using arpspoof
   1.4 Perform a Man-in-the-Middle (MITM) Attack using Cain & Abel
   1.5 Spoof a MAC Address using TMAC and SMAC
2. Perform Network Sniffing using Various Sniffing Tools
   2.1 Perform Password Sniffing using Wireshark
   2.2 Analyze a Network using the Capsa Network Analyzer
   2.3 Analyze a Network using the Omnipeek Network Protocol Analyzer
   2.4 Analyze a Network using the SteelCentral Packet Analyzer
3. Detect Network Sniffing
   3.1 Detect ARP Poisoning in a Switch-Based Network
   3.2 Detect ARP Attacks using Xarp
   3.3 Detect Promiscuous Mode using Nmap and NetScanTools Pro

CEHv12
1. Perform Active Sniffing
   1.1 Perform MAC Flooding using macof
   1.2 Perform a DHCP Starvation Attack using Yersinia
   1.3 Perform ARP Poisoning using arpspoof
   1.4 Perform a Man-in-the-Middle (MITM) Attack using Cain & Abel
   1.5 Spoof a MAC Address using TMAC and SMAC
   1.6 Spoof a MAC Address of Linux Machine using macchanger
2. Perform Network Sniffing using Various Sniffing Tools
   2.1 Perform Password Sniffing using Wireshark
   2.2 Analyze a Network using the Omnipeek Network Protocol Analyzer
   2.3 Analyze a Network using the SteelCentral Packet Analyzer
3. Detect Network Sniffing
   3.1 Detect ARP Poisoning and Promiscuous Mode in a Switch-Based Network
   3.2 Detect ARP Poisoning using the Capsa Network Analyzer
Module 09: Social Engineering

CEHv11
1. Perform Social Engineering using Various Techniques
   1.1 Sniff Users’ Credentials using the Social-Engineer Toolkit (SET)
2. Detect a Phishing Attack
   2.1 Detect Phishing using Netcraft
   2.2 Detect Phishing using PhishTank
3. Audit Organization's Security for Phishing Attacks
   3.1 Audit Organization's Security for Phishing Attacks using OhPhish

CEHv12
1. Perform Social Engineering using Various Techniques
   1.1 Sniff Credentials using the Social-Engineer Toolkit (SET)
   1.2 Perform Phishing using ShellPhish
2. Detect a Phishing Attack
   2.1 Detect Phishing using Netcraft
   2.2 Detect Phishing using PhishTank
3. Audit Organization's Security for Phishing Attacks
   3.1 Audit Organization's Security for Phishing Attacks using OhPhish
Module 10: Denial-of-Service

CEHv11
1. Perform DoS and DDoS Attacks using Various Techniques
   1.1 Perform a DoS Attack (SYN Flooding) on a Target Host using Metasploit
   1.2 Perform a DoS Attack on a Target Host using hping3
   1.3 Perform a DDoS Attack using HOIC
   1.4 Perform a DDoS Attack using LOIC
2. Detect and Protect Against DoS and DDoS Attacks
   2.1 Detect and Protect against DDoS Attack using Anti DDoS Guardian

CEHv12
1. Perform DoS and DDoS Attacks using Various Techniques
   1.1 Perform a DoS Attack (SYN Flooding) on a Target Host using Metasploit
   1.2 Perform a DoS Attack on a Target Host using hping3
   1.3 Perform a DoS Attack using Raven-storm
   1.4 Perform a DDoS Attack using HOIC
   1.5 Perform a DDoS Attack using LOIC
2. Detect and Protect Against DoS and DDoS Attacks
   2.1 Detect and Protect against DDoS Attack using Anti DDoS Guardian
Module 11: Session Hijacking

CEHv11
1. Perform Session Hijacking
   1.1 Hijack a Session using Zed Attack Proxy (ZAP)
   1.2 Intercept HTTP Traffic using bettercap
2. Detect Session Hijacking
   2.1 Detect Session Hijacking using Wireshark

CEHv12
1. Perform Session Hijacking
   1.1 Hijack a Session using Zed Attack Proxy (ZAP)
   1.2 Intercept HTTP Traffic using bettercap
   1.3 Intercept HTTP Traffic using Hetty
2. Detect Session Hijacking
   2.1 Detect Session Hijacking using Wireshark
Module 12: Evading IDS, Firewalls, and Honeypots

CEHv11
1. Perform Intrusion Detection using Various Tools
   1.1 Detect Intrusions using Snort
   1.2 Detect Malicious Network Traffic using ZoneAlarm FREE FIREWALL 2019
   1.3 Detect Malicious Network Traffic using HoneyBOT
2. Evade Firewalls using Various Evasion Techniques
   2.1 Bypass Windows Firewall using Nmap Evasion Techniques
   2.2 Bypass Firewall Rules using HTTP/FTP Tunneling

CEHv12
1. Perform Intrusion Detection using Various Tools
   1.1 Detect Intrusions using Snort
   1.2 Detect Malicious Network Traffic using ZoneAlarm FREE FIREWALL
   1.3 Detect Malicious Network Traffic using HoneyBOT
2. Evade Firewalls using Various Evasion Techniques
   2.1 Bypass Windows Firewall using Nmap Evasion Techniques
   2.2 Bypass Firewall Rules using HTTP/FTP Tunneling
   2.3 Bypass Antivirus using Metasploit Templates
Module 13: Hacking Web Servers

CEHv11 and CEHv12 (same lab list)
1. Footprint the Web Server
   1.1 Information Gathering using Ghost Eye
   1.2 Perform Web Server Reconnaissance using Skipfish
   1.3 Footprint a Web Server using the httprecon Tool
   1.4 Footprint a Web Server using ID Serve
   1.5 Footprint a Web Server using Netcat and Telnet
   1.6 Enumerate Web Server Information using Nmap Scripting Engine (NSE)
   1.7 Uniscan Web Server Fingerprinting in Parrot Security
2. Perform a Web Server Attack
   2.1 Crack FTP Credentials using a Dictionary Attack
Module 14: Hacking Web Applications

CEHv11
1. Footprint the Web Infrastructure
   1.1 Perform Web Application Reconnaissance
   1.2 Perform Web Application Reconnaissance using WhatWeb
   1.3 Perform Web Spidering using OWASP ZAP
   1.4 Detect Load Balancers using Various Tools
   1.5 Identify Web Server Directories
   1.6 Perform Web Application Vulnerability Scanning using Vega
   1.7 Identify Clickjacking Vulnerability using iframe
2. Perform Web Application Attacks
   2.1 Perform a Brute-force Attack using Burp Suite
   2.2 Perform Parameter Tampering using Burp Suite
   2.3 Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications
   2.4 Perform Cross-Site Request Forgery (CSRF) Attack
   2.5 Enumerate and Hack a Web Application using WPScan and Metasploit
   2.6 Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server
   2.7 Exploit a File Upload Vulnerability at Different Security Levels
   2.8 Gain Backdoor Access via a Web Shell using Weevely
3. Detect Web Application Vulnerabilities using Various Web Application Security Tools
   3.1 Detect Web Application Vulnerabilities using N-Stalker Web Application Security Scanner

CEHv12
1. Footprint the Web Infrastructure
   1.1 Perform Web Application Reconnaissance using Nmap and Telnet
   1.2 Perform Web Application Reconnaissance using WhatWeb
   1.3 Perform Web Spidering using OWASP ZAP
   1.4 Detect Load Balancers using Various Tools
   1.5 Identify Web Server Directories using Various Tools
   1.6 Perform Web Application Vulnerability Scanning using Vega
   1.7 Identify Clickjacking Vulnerability using ClickjackPoc
2. Perform Web Application Attacks
   2.1 Perform a Brute-force Attack using Burp Suite
   2.2 Perform Parameter Tampering using Burp Suite
   2.3 Identify XSS Vulnerabilities in Web Applications using PwnXSS
   2.4 Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications
   2.5 Perform Cross-Site Request Forgery (CSRF) Attack
   2.6 Enumerate and Hack a Web Application using WPScan and Metasploit
   2.7 Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server
   2.8 Exploit a File Upload Vulnerability at Different Security Levels
   2.9 Gain Access by Exploiting Log4j Vulnerability
3. Detect Web Application Vulnerabilities using Various Web Application Security Tools
   3.1 Detect Web Application Vulnerabilities using N-Stalker Web Application Security Scanner
Module 15: SQL Injection

CEHv11 and CEHv12 (same lab list)
1. Perform SQL Injection Attacks
   1.1 Perform an SQL Injection Attack on an MSSQL Database
   1.2 Perform an SQL Injection Attack Against MSSQL to Extract Databases using sqlmap
2. Detect SQL Injection Vulnerabilities using Various SQL Injection Detection Tools
   2.1 Detect SQL Injection Vulnerabilities using DSSS
   2.2 Detect SQL Injection Vulnerabilities using OWASP ZAP
Module 16: Hacking Wireless Networks

CEHv11
1. Footprint a Wireless Network
   1.1 Find Wi-Fi Networks in Range using NetSurveyor
2. Perform Wireless Traffic Analysis
   2.1 Find Wi-Fi Networks and Sniff Wi-Fi Packets using Wash and Wireshark
3. Perform Wireless Attacks
   3.1 Find Hidden SSIDs using Aircrack-ng
   3.2 Crack a WEP Network using Wifiphisher
   3.3 Crack a WEP Network using Aircrack-ng
   3.4 Crack a WPA Network using Fern Wifi Cracker
   3.5 Crack a WPA2 Network using Aircrack-ng
   3.6 Create a Rogue Access Point to Capture Data Packets using MANA-Toolkit

CEHv12
1. Footprint a Wireless Network
   1.1 Find Wi-Fi Networks in Range using NetSurveyor
2. Perform Wireless Traffic Analysis
   2.1 Find Wi-Fi Networks and Sniff Wi-Fi Packets using Wash and Wireshark
3. Perform Wireless Attacks
   3.1 Find Hidden SSIDs using Aircrack-ng
   3.2 Crack a WEP Network using Wifiphisher
   3.3 Crack a WEP Network using Aircrack-ng
   3.4 Crack a WPA Network using Fern Wifi Cracker
   3.5 Crack a WPA2 Network using Aircrack-ng
   3.6 Create a Rogue Access Point to Capture Data Packets

Module 17: Hacking Mobile Platforms

CEHv11
1. Hack Android Devices
   1.1 Hack an Android Device by Creating Binary Payloads using Parrot Security
   1.2 Harvest Users’ Credentials using the Social-Engineer Toolkit
   1.3 Launch a DoS Attack on a Target Machine using Low Orbit Ion Cannon (LOIC) on the Android Mobile Platform
   1.4 Exploit the Android Platform through ADB using PhoneSploit
2. Secure Android Devices using Various Android Security Tools
   2.1 Analyze a Malicious App using Online Android Analyzers
   2.2 Analyze a Malicious App using Quixxi Vulnerability Scanner
   2.3 Secure Android Devices from Malicious Apps using Malwarebytes Security

CEHv12
1. Hack Android Devices
   1.1 Hack an Android Device by Creating Binary Payloads using Parrot Security
   1.2 Harvest Users’ Credentials using the Social-Engineer Toolkit
   1.3 Launch a DoS Attack on a Target Machine using Low Orbit Ion Cannon (LOIC) on the Android Mobile Platform
   1.4 Exploit the Android Platform through ADB using PhoneSploit
   1.5 Hack an Android Device by Creating APK File using AndroRAT
2. Secure Android Devices using Various Android Security Tools
   2.1 Analyze a Malicious App using Online Android Analyzers
   2.2 Secure Android Devices from Malicious Apps using Malwarebytes Security
Module 18: IoT and OT Hacking

CEHv11 and CEHv12 (same lab list)
1. Perform Footprinting using Various Footprinting Techniques
   1.1 Gather Information using Online Footprinting Tools
2. Capture and Analyze IoT Device Traffic
   2.1 Capture and Analyze IoT Traffic using Wireshark

Module 19: Cloud Computing

CEHv11
1. Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools
   1.1 Enumerate S3 Buckets using lazys3
   1.2 Enumerate S3 Buckets using S3Scanner
2. Exploit S3 Buckets
   2.1 Exploit Open S3 Buckets using AWS CLI
3. Perform Privilege Escalation to Gain Higher Privileges
   3.1 Escalate IAM User Privileges by Exploiting Misconfigured User Policy

CEHv12
1. Perform S3 Bucket Enumeration using Various S3 Bucket Enumeration Tools
   1.1 Enumerate S3 Buckets using lazys3
   1.2 Enumerate S3 Buckets using S3Scanner
   1.3 Enumerate S3 Buckets using Firefox Extension
2. Exploit S3 Buckets
   2.1 Exploit Open S3 Buckets using AWS CLI
3. Perform Privilege Escalation to Gain Higher Privileges
   3.1 Escalate IAM User Privileges by Exploiting Misconfigured User Policy
Module 20: Cryptography

CEHv11 and CEHv12 (same lab list)
1. Encrypt the Information using Various Cryptography Tools
   1.1 Calculate One-way Hashes using HashCalc
   1.2 Calculate MD5 Hashes using MD5 Calculator
   1.3 Calculate MD5 Hashes using HashMyFiles
   1.4 Perform File and Text Message Encryption using CryptoForge
   1.5 Perform File Encryption using Advanced Encryption Package
   1.6 Encrypt and Decrypt Data using BCTextEncoder
2. Create a Self-Signed Certificate
   2.1 Create and Use Self-signed Certificates
3. Perform Email Encryption
   3.1 Perform Email Encryption using Rmail
4. Perform Disk Encryption
   4.1 Perform Disk Encryption using VeraCrypt
   4.2 Perform Disk Encryption using BitLocker Drive Encryption
   4.3 Perform Disk Encryption using Rohos Disk Encryption
5. Perform Cryptanalysis using Various Cryptanalysis Tools
   5.1 Perform Cryptanalysis using CrypTool
   5.2 Perform Cryptanalysis using AlphaPeeler