System Hacking - Professional Security Testers

EC-Council
Ethical Hacking and Countermeasures Exam Outline
Footprinting
Whois (http://tucows.com, internic.net, arin.net…)
Sam Spade (Whois, DNS info, freeware network query tool)
NSLookup: DNS zone transfers, etc.
Smart Whois: automatically delivers information associated with an IP address no
matter where it is registered geographically.
eMailTracking Pro: e-mail analysis tool that allows you to track Internet e-mails back to
the sender (http://www.visualware.com/emailtrackerpro/index.html)
MailTracking.com: reliably find out when your email gets opened, how long it gets read
for, whether or not it gets forwarded to someone else or published on the internet, where
the reader is located, and more.
ARIN, RIPE: Finding the address range of the network
Route determination Tools
Traceroute: Unix / Linux
Tracert: Windows
NeoTrace: GUI tool
Visual Route: Better GUI Tool
Visual Lookout: identifies which country a connection to your computer is coming from; a
real-time “Netstat” that also keeps a history and offers a rich set of features for locating
unwelcome visitors.
Scanning
Pinger: monitors end-to-end performance of Internet links. (http://wwwiepm.slac.stanford.edu/pinger/)
WS_Ping_Pro: Network diagnosis tool using SNMP, ICMP and other methods
Netscan Tools Pro 2000: Network diagnosis tool using SNMP, ICMP and other
methods.
Hping2: command-line oriented TCP/IP packet assembler/analyzer. Supports TCP, UDP,
ICMP and raw IP, has a traceroute mode and can transfer files over a covert channel. Also
used for firewall testing, advanced port scanning using different protocols, TOS and
fragmentation, manual path MTU discovery, advanced traceroute, remote OS fingerprinting,
remote uptime guessing and TCP/IP stack auditing.
Icmpenum: host enumeration tool; probes networks not only with ICMP Echo packets but also
with ICMP Timestamp and ICMP Information Request packets, which often pass filters that
block Echo. Supports spoofing and promiscuous listening for reply packets.
netcraft.com: reports a site's OS, web server, and netblock owner and, if available, a
graphical view of the time since last reboot for each of the computers serving the site.
IPEye: a TCP port scanner that can do SYN, FIN, Null and Xmas scans.
IPSECSCAN: can scan either a single IP address or a range of IP addresses looking for
systems that are IPSec enabled.
Nmap
HTTrack Web Copier: free (libre/open source) and easy-to-use offline browser utility that
downloads a World Wide Web site from the Internet to a local directory.
Professional Hacking
Queso: remote OS fingerprinting from TCP/IP stack responses, among other techniques
Cheops: for detecting a host's OS and dealing with a large number of hosts quickly.
SocksChain: works through a chain of SOCKS or HTTP proxies to conceal the actual IP address.
HTTPort: tunnels TCP connections through an HTTP proxy so that e-mail, IRC, ICQ, news, FTP,
AIM, any SOCKS-capable software, etc. can be used from behind it.
War Dialing
THC-Scan
PhoneSweep
Enumeration
DumpSec: lists all shares on Windows systems; basic user information and accessible
registry information can also be retrieved over a NetBIOS null session.
NAT (NetBIOS Auditing Tool): performs various security checks on remote servers running
NetBIOS file sharing services.
SNMP Enumeration
SNMPUtil: SNMP enumeration; Windows tool
SolarWinds (IP Network Browser): SNMP enumeration and management tool
Windows Enumeration
User2SID: command-line interface to the Win32 function LookupAccountName (account name to SID).
SID2User: command-line interface to the Win32 function LookupAccountSid (SID back to account name).
Enum: combines almost all possible attacks against NetBIOS: it enumerates users, computers,
shares and the password policy. It establishes a NetBIOS null session and keeps it open during
the attack; based on dictionaries or given values it will also try to guess passwords.
UserInfo: small console utility which shows as much information about local users as
possible.
GetAcct: sidesteps "RestrictAnonymous=1" and acquires account information on
Windows NT/2000 machines.
System Hacking
Legion: NetBIOS scanner which can enumerate NetBIOS file shares across large ranges
of IP addresses. Legion also provides a brute force password cracking component which
can be directed against a single NetBIOS file share.
NTInfoScan: scans an NT machine for information about its configuration, including FTP,
Telnet and web services, system account information, file systems and permissions.
VisualLast: gives insight into the NT event logs so administrators can assess activity on
their distributed network more accurately and efficiently; the advanced version of NTLast
with a number of additional and sophisticated features.
L0phtCrack: Excellent password cracker
KerbCrack: KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer
listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can
be used to find the passwords from the capture file using a brute force attack or a
dictionary attack.
Privilege Escalation
GetAdmin: allows any normal user to add an account to the local Administrators group
SMBRelay/SMBRelay2: takes advantage of the Server Message Block (SMB) file
sharing protocol. It collects NTLM password hashes and writes them to hashes.txt in a
format usable by L0phtCrack so the passwords can be cracked later. It is an SMB man-in-the-middle attack.
SMBGrinder: attempts to determine a user's password by actually trying to
log on to a computer remotely using SMB (the protocol implemented by Samba).
SMBDie: tool which crashes Windows machines with NetBIOS enabled by sending a
specially crafted SMB request. Tested against Windows NT/2k/XP/.NET RC1.
(http://packetstorm.decepticons.org/filedesc/SMBdie.zip.html)
NBTDeputy: registers a NetBIOS computer name on the network and responds to NetBT
name-query requests. Works nicely with SMBRelay.
Nbname: decodes and displays all NetBIOS name packets it receives on UDP port 137.
John the Ripper: Password Cracker
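The NetBIOS name encoding that Nbname decodes and NBTDeputy answers is small enough to work through. The following is an added example, not code from the page or from either tool: it implements the RFC 1001/1002 first-level name encoding, decodes a name-service query as it would arrive on UDP/137, and builds a constructed sample query to decode. The name FILESRV, the transaction ID and the partial suffix table are illustrative values.

```python
"""Decode NetBIOS name-service (NBNS) packets as seen on UDP port 137.

Added example (RFC 1001/1002 first-level encoding); sample packets are constructed.
"""
import struct

# 16th byte of a NetBIOS name is the service suffix (partial table)
NETBIOS_SUFFIXES = {
    0x00: "Workstation Service", 0x03: "Messenger Service",
    0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
    0x1D: "Master Browser", 0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode: upper-case, pad with spaces to 15 bytes, append the
    suffix byte, then write each nibble as one letter 'A'..'P'. The 32-char
    result is wrapped as a DNS label (length 0x20) followed by the root label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"

def decode_netbios_name(label: bytes):
    """Inverse of encode_netbios_name. Returns (name, suffix, bytes_consumed);
    any NetBIOS scope labels after the name are skipped."""
    if len(label) < 34 or label[0] != 0x20:
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytearray()
    for hi, lo in zip(label[1:33:2], label[2:34:2]):
        if not (0x41 <= hi <= 0x50 and 0x41 <= lo <= 0x50):
            raise ValueError("invalid nibble letter in encoded name")
        raw.append(((hi - 0x41) << 4) | (lo - 0x41))
    pos = 33
    while label[pos] != 0:            # walk scope labels to the root label
        pos += 1 + label[pos]
    # the wildcard name '*' is NUL padded, ordinary names are space padded
    name = raw[:15].decode("ascii").rstrip(" \x00")
    return name, raw[15], pos + 1

def build_name_query(name: str, suffix: int, trn_id: int = 0x1234,
                     nbstat: bool = False) -> bytes:
    """Constructed sample: a broadcast NBNS query (flags: RD and B set)."""
    header = struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    qtype = 0x0021 if nbstat else 0x0020          # NBSTAT or NB
    return header + encode_netbios_name(name, suffix) + struct.pack("!HH", qtype, 1)

def decode_nbns_query(packet: bytes) -> dict:
    """Decode the 12-byte header and the first question section."""
    trn_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    name, suffix, used = decode_netbios_name(packet[12:])
    qtype, _qclass = struct.unpack("!HH", packet[12 + used:16 + used])
    return {
        "transaction_id": trn_id,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0x0F,     # 0 = query, 5 = registration, 6 = release
        "broadcast": bool(flags & 0x0010),
        "name": name,
        "suffix": suffix,
        "service": NETBIOS_SUFFIXES.get(suffix, "unknown suffix 0x%02X" % suffix),
        "qtype": {0x20: "NB", 0x21: "NBSTAT"}.get(qtype, hex(qtype)),
    }

if __name__ == "__main__":
    print(decode_nbns_query(build_name_query("FILESRV", 0x20)))
```

A registration (opcode 5) for a name that a tool like NBTDeputy has just claimed looks exactly like the query above with the opcode bits changed, which is why watching UDP/137 for registrations and conflicts is a cheap way to spot name spoofing on a segment.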
Keystroke Logger
Spector: Keylogger software
AntiSpector: small tool which recognizes and removes the installed surveillance tool
SPECTOR
EBlaster: Keylogger software
SpyAnywhere: Keylogger software
IKS Software Logger (http://www.amecisco.com/): a desktop activity logger powered by a
kernel mode driver. This driver enables it to run silently at the lowest level of
Windows 2000/XP. IKS is extremely difficult to detect, primarily because of its stealthy
surveillance methods.
File Verification Tools
MD5 Checksum utility
Tripwire: automatically verifies data and file integrity against a known good source file
in the Tripwire database and quickly notifies you of changes.
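What Tripwire and an MD5 checksum utility do is a baseline-and-compare over file digests. The following is an added example, not Tripwire's code: it walks a tree, records digest, size and permission bits per file, and reports added, removed and modified files against a stored baseline. It uses SHA-256 rather than MD5, since MD5 collisions are practical and a trojaned file can be built to keep its MD5 sum. The demo tree, file names and the tampering are constructed in a temporary directory.

```python
"""Tripwire-style file-integrity baseline and verification.

Added example, not Tripwire's own code. The demo tree and its tampering are
constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile

def hash_file(path: str, algo: str = "sha256", chunk: int = 65536) -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Record digest, size and permission bits of every regular file under
    root, keyed by '/'-separated relative path so the baseline is portable."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                      # symlinks and devices are not hashed
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"digest": hash_file(full), "size": st.st_size,
                             "mode": oct(st.st_mode & 0o7777)}
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Report what changed. A file whose size and mode are unchanged but whose
    digest differs is still 'modified', the case a size/timestamp check misses."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a small tree, store it as JSON (in practice
    off-host or on read-only media), tamper with the tree, then verify."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/login": b"legitimate login binary",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "etc/motd": b"authorised users only\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        stored = json.dumps(build_baseline(root))

        # Tampering: same-size trojaned binary, a new hidden file, a deleted file.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"trojaned_x login binary")   # same 23-byte length as the original
        with open(os.path.join(root, "bin", ".backdoor"), "wb") as f:
            f.write(b"nc -l -p 7777 -e cmd.exe\n")
        os.remove(os.path.join(root, "etc", "motd"))

        return compare(json.loads(stored), build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as where it is kept: an attacker with administrator rights who can rewrite the binary can also rewrite a baseline stored on the same disk, which is why Tripwire signs its database and why the copy should live off the monitored host.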
Covering Tracks
Auditpol: AuditPol is a command-line tool that enables the user to modify the audit
policy of the local computer or of any remote computer. To run AuditPol, the user must
have administrator privileges on the target computer.
Elslave: deletes all the logs on an NT/2K machine so that any audit records are removed from
the machine.
Winzapper: lets you erase event records selectively from the Security Log in Windows
NT 4.0 and Windows 2000.
Evidence Eliminator: purges local sensitive info from system; covers tracks typically
accessible through EnCase-type Forensics analysis.
NTFS File Streaming: NTFS Alternate Data Streams (ADS) allow data to be stored in additional
named streams attached to a normal visible file. Streams are not limited in size and a file
can carry more than one. ADS are a security risk because they are almost completely hidden
from Explorer and from a plain dir listing, which makes them close to a perfect hiding spot
on the file system, one that trojans can and do take advantage of. Streams can easily be
created, written to and read from, so any trojan or virus author can use them as a hidden
storage area, yet they can only be detected with specialist tools (later Windows versions
expose them with dir /R or PowerShell's Get-Item -Stream *).
makestrm: moves data from a commandline-specified file into a hidden Alternate Data
Stream attached to the original.(www.diamondcs.com.au/streams/streams.htm)
Steganography
ImageHide: Hide loads of text in images; Simple encrypt and decrypt of data
MP3Stego: hide information in MP3 files during the compression process.
Snow: used to conceal messages in ASCII text by appending whitespace to the end of
lines.
StegDetect: detects data at the end of image files hidden with tools like appendX or
camouflage.
Dskprobe: sector editor for Windows 2000. It allows a user with local Administrator
rights to directly edit, save, and copy data on the physical hard drive that is not accessible
in any other way.
EFSView: lists the users who have ordinary decryption keys or recovery keys for an EFS
encrypted file.
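Snow's trick of carrying a message in trailing whitespace is worth seeing from both sides. The following is an added example, not Snow's code or its file format: it hides one payload byte per cover line as eight trailing space/tab characters with a two-byte length prefix, extracts it again, and includes the detector a defender would run (lines ending in whitespace). The cover text and the secret are constructed.

```python
"""Whitespace steganography in the style of Snow, plus a detector.

Added example, not Snow's code or file format: each cover line carries one
byte of payload as 8 trailing characters (space = 0, tab = 1), preceded by a
2-byte big-endian length so extraction knows where the message ends.
The cover text and secret below are constructed.
"""

def hide(cover: str, secret: bytes) -> str:
    """Append one payload byte per line as trailing whitespace."""
    lines = cover.split("\n")
    payload = len(secret).to_bytes(2, "big") + secret
    if len(payload) > len(lines):
        raise ValueError("cover text has too few lines for this payload")
    out = []
    for i, line in enumerate(lines):
        if i < len(payload):
            bits = format(payload[i], "08b")
            # existing trailing whitespace would corrupt the channel, so strip it
            line = line.rstrip(" \t") + "".join("\t" if b == "1" else " " for b in bits)
        out.append(line)
    return "\n".join(out)

def trailing_whitespace(text: str) -> list:
    """Detector: (line number, trailing run) for every line that ends in
    spaces/tabs. Ordinary text rarely has many such lines, and tabs mixed
    into the run are more unusual still."""
    hits = []
    for n, line in enumerate(text.split("\n"), 1):
        trail = line[len(line.rstrip(" \t")):]
        if trail:
            hits.append((n, trail))
    return hits

def reveal(text: str) -> bytes:
    """Extract the payload; returns b'' when no trailing whitespace is present."""
    bits = "".join("1" if c == "\t" else "0"
                   for _n, trail in trailing_whitespace(text) for c in trail)
    bits = bits[: len(bits) - len(bits) % 8]         # drop any partial byte
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    if len(data) < 2:
        return b""
    length = int.from_bytes(data[:2], "big")
    return data[2:2 + length]

# constructed cover text (5 lines)
COVER = "\n".join([
    "Meeting notes, 3 March",
    "Attendees: ops, netsec, helpdesk",
    "Action: rotate service passwords",
    "Action: review firewall rule 17",
    "Next meeting in two weeks",
])

if __name__ == "__main__":
    stego = hide(COVER, b"go")
    print(repr(stego))
    print(trailing_whitespace(stego))
    print(reveal(stego))
```

Two practical points follow from the code: the channel has no integrity, so any editor or mail gateway that strips trailing whitespace silently destroys the message, and a cover that already contains trailing spaces on lines outside the payload will confuse extraction, which is exactly what the detector keys on.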
Buffer Overflows
Outoutlook: Exploit for Outlook / Outlook Express GMT Field Buffer Overflow
Vulnerability
Trojans and Backdoors
QAZ: malicious code spreads within a network of shared computer systems, infecting the
Notepad.exe file.
Tini: 3 kilobyte trojan written in Assembly. It uses telnet as its client. Tini uses cmd.exe
to run commands received on port 7777.
Netcat: utility that is able to write and read data across TCP and UDP network
connections.
Donald Dick: Trojan
SubSeven: goes beyond NetBus, including: File controls, Monitoring, Network control.
BackOrifice 2000: Trojan (communication port is 31337)
NetBus: allows a remote user to access and control your machine by way of its Internet
link.
Graffiti
Silk Rope 2000
EliteWrap: used to pack various Trojan files together into a single executable
IconPlus:
Whack a Mole: increases the Trojan qualities of Netbus and others, by giving the user
an incentive to run the program.
BoSniffer: a Trojan detector that is itself a Trojan
FireKiller 2000: Disables AV and firewall
Reverse WWW Shell: backdoor that works through any firewall whose security policy allows
users to surf the WWW
Port Monitoring Tools
FPort: fport reports all open TCP/IP and UDP ports and maps them to the owning
application.
TCPView: displays all active TCP and UDP endpoints on your system, indicating which
process is associated with each local and remote IP address and relaying continuous,
detailed real-time data on system's TCP/IP activity.
Inzider: lists processes on a Windows system and the ports each one listens on
Hard Disk Killer: destructive virus affecting MS-DOS computers. It infects the boot sector,
then hides itself by marking unused blocks on floppy or hard disks as bad.
Man-in-the-Middle Attack
Dsniff: collection of tools for network auditing and penetration testing that facilitates
the interception of network traffic normally unavailable to an attacker
Sniffers
Ethereal
Snort
WinDump
EtherPeek
EtherFlood
Dsniff (Macof, mailsnarf, URLsnarf…)
Webspy
Ettercap
SMAC: Windows MAC Address Modifying Utility
MAC Changer: utility for viewing/manipulating the MAC addresses of network
interfaces
WinDNSSpoof: a simple DNS ID Spoofer for Windows 9x/2K
WinSniffer: easy to use password sniffer for Windows 95/98/NT/2000
IRIS: allows you to ‘sniff’ and record network traffic, then completely reconstruct the
data into its original format. (www.eeye.com)
NetIntercept: network forensics analysis tool, capture, analyze and discover the network
traffic (www.sandstorm.net)
SniffDet(http://sniffdet.sourceforge.net/): an OpenSource implementation of a set of tests
for remote sniffers detection in TCP/IP network environments.
WinTCPKill: a TCP connection killer for Windows 9x/2K; requires the ability to sniff the
target's incoming/outgoing traffic. On a switched network you can bypass the isolation the
switch provides by using an ARP cache poisoning tool like winarp_sk or winarp_mim.
Denial of Service
Ping of Death
SSPing: a program that can freeze any computer connected to the Internet or on a
network running Windows 95, Windows NT, and older versions of the MacOS that are
not behind a firewall that blocks ICMP (Internet Control Message Protocol) data packets.
Land: sending a packet whose source host/port equal its destination host/port crashes a
lot of boxes.
Smurf: attack uses a forged ICMP (Internet Control Message Protocol) echo request sent to a
broadcast address, so every host on that network replies to the spoofed victim.
Win Nuke: a Denial of Service (DoS) attack that completely disables networking on
many Win95 and WinNT machines.
Jolt2: variant of the Ping-of-Death attack. It sends an IP fragment that lies beyond the
maximum length of a legal IP packet.
Bubonic: DoS on Windows systems
Targa: freeware. It integrates bonk, jolt, land, nestea, netear, syndrop, teardrop, and
winnuke into one multi-platform DoS attack.
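The malformed-packet attacks above are all visible in the IP and transport headers, so they can be recognised from a capture without any stack being harmed. The following is an added example, not code from any tool named here: it parses raw IPv4/TCP/ICMP headers with struct and flags Land (a SYN whose source address and port equal its destination), the Ping-of-Death family (a fragment whose offset plus length would reassemble past the 65535-byte IP maximum) and a Smurf amplifier request (ICMP Echo Request to a broadcast address, with the caller supplying the local broadcast addresses). The sample packets, addresses and ports are constructed.

```python
"""Detection checks for the malformed-packet DoS attacks listed above.

Added example, not code from any of the tools named. Packets are constructed.
"""
import socket
import struct

IP_MAX = 65535
PROTO_ICMP, PROTO_TCP = 1, 6
TCP_SYN = 0x02

def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               frag_offset: int = 0, more_fragments: bool = False) -> bytes:
    """Minimal IPv4 header (IHL 5, no options, checksum left zero) + payload.
    frag_offset is in 8-byte units, as on the wire."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, zero seq/ack/checksum)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def build_icmp_echo_request(data: bytes = b"") -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 0x0001, 1) + data   # type 8, code 0

def analyze(packet: bytes, broadcast_addrs=frozenset()) -> list:
    """Return a list of human-readable findings for one IPv4 packet."""
    (ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = (flags_frag & 0x1FFF) * 8
    first_fragment = frag_offset == 0
    src_s, dst_s = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    findings = []

    # Ping of Death family: the reassembled datagram would exceed 64 KiB.
    if frag_offset + (total_len - ihl) > IP_MAX:
        findings.append("oversized reassembly: offset %d + %d bytes > %d (ping-of-death family)"
                        % (frag_offset, total_len - ihl, IP_MAX))

    # Land: only the first fragment carries the TCP header.
    if proto == PROTO_TCP and first_fragment and len(packet) >= ihl + 14:
        sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
        if src == dst and sport == dport and flags & TCP_SYN:
            findings.append("land: SYN %s:%d -> %s:%d (source equals destination)"
                            % (src_s, sport, dst_s, dport))

    # Smurf: echo request aimed at a broadcast address; replies hit the spoofed source.
    if proto == PROTO_ICMP and first_fragment and len(packet) >= ihl + 2:
        if packet[ihl] == 8 and dst_s in broadcast_addrs:
            findings.append("smurf: ICMP echo request to broadcast %s, victim %s" % (dst_s, src_s))
    return findings

if __name__ == "__main__":
    bcast = {"10.0.0.255"}
    samples = {
        "land":   build_ipv4("10.0.0.5", "10.0.0.5", PROTO_TCP, build_tcp(139, 139, TCP_SYN)),
        "podeath": build_ipv4("1.2.3.4", "10.0.0.5", PROTO_ICMP,
                              build_icmp_echo_request(b"A" * 12), frag_offset=8190),
        "smurf":  build_ipv4("10.0.0.7", "10.0.0.255", PROTO_ICMP, build_icmp_echo_request()),
        "benign": build_ipv4("10.0.0.7", "10.0.0.5", PROTO_TCP, build_tcp(40000, 80, TCP_SYN)),
    }
    for label, pkt in samples.items():
        print(label, analyze(pkt, bcast))
```

The Smurf check needs the broadcast addresses as input because the packet alone does not carry the netmask; the matching fix on the router side is to drop directed broadcasts (no ip directed-broadcast on Cisco IOS), which removes the amplifier regardless of who is spoofing.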
Tools for Running DDoS Attacks
Trinoo (http://staff.washington.edu/dittrich/talks/cert/trinoo.html)
WinTrinoo (http://www.packetstormsecurity.org/distributed/razor.wintrinoo.txt)
TFN (ftp://ftp.ntua.gr/pub/security/technotronic/denial/)
TFN2K (http://security.royans.net/info/posts/bugtraq_ddos2.shtml)
Stacheldraht (http://staff.washington.edu/dittrich/misc/stacheldraht.analysis)
Shaft (http://security.royans.net/info/posts/bugtraq_ddos3.shtml)
Mstream (http://www.giac.org/practical/Michael_Murphy_GCIH.doc)
SARA (Security Auditor's Research Assistant): a third-generation security analysis
tool that is based on the SATAN model.
DdoSPing: network admin utility for remotely detecting the most common DDoS
programs. (http://www.foundstone.com/knowledge/proddesc/ddosping.html)
RID Remote Intrusion Detector: It locates Trinoo, Stacheldraht, TFN on network
(http://www.theorygroup.com/Software/RID)
Zombie Zapper: puts Trinoo, TFN, Stacheldraht, and Shaft zombies "to sleep" while they are
flooding (http://razor.bindview.com)
Session Hijacking
Juggernaut: a network sniffer that can also be used to hijack TCP sessions.
Hunt: Sniffer/Session Hijacker that includes a handy ARP cache poisoning feature
specifically designed to disable the isolation normally provided by Ethernet switches
TTYWatcher: a utility program that monitors and controls users on a single system. The
program can share an existing, in-use tty so that whatever the user types into the
monitored window also appears in the ttywatcher window.
IP Watcher: a network tool that can control any login session on a network by
performing session hijacking (http://www.engarde.com/software/ipwatcher/)
T-Sight: advanced intrusion investigation and response tool to monitor network
connections in real-time (http://www.engarde.com/software/t-sight/)
Hacking Web Servers
Jill32: C exploit code for the Windows 2000 IIS 5.0 .printer ISAPI buffer overflow
IIS5-Koei: IIS 5.0 remote win32 exploit for the null.printer buffer overflow.
(http://www.packetstormsecurity.org/filedesc/IIS5-Koei.zip.html)
IIS5Hack: (content.443.ch/pub/security/blackhat/Exploits/IIS/IIS5hack/readme.txt)
another .printer overflow exploit
LogAnalyzer: Web site traffic analysis software
IISExploit (http://www.bluealien.org/rickdogg/misc/iisexploit.txt) used to view the SAM
file on a server which is vulnerable to a certain IIS hole.
UnicodeUploader.pl (http://www.giac.org/practical/Mark_Maher_GCIH.doc): unicode
vulnerability exploit script
cmdasp.asp
IISCrack.dll (http://securityresponse.symantec.com/avcenter/venc/data/
pf/backdoor.iiscrack.dll.html ) Backdoor allowing upload via http.
ispc.exe: IIS privilege escalation tool. Makes use of the IIS 5.0 (SP0, SP1, SP2) privilege
checking hole to obtain SYSTEM privilege: upload idq.dll to an executable directory of IIS,
then connect to it with the ispc.exe client to obtain a SYSTEM shell
(http://www.der-keiler.de/Mailing-Lists/securityfocus/pen-test/200109/0081.html)
UpdateExpert (www.stbernard.com/products/updateexpert/products_updateexpert.asp)
Windows software patch management tool that helps you secure your systems by
remotely managing service packs and hotfixes.
Cacls utility: Resource Kit Utility for changing permissions
Whisker (http://www.wiretrip.net/rfp/p/doc.asp/i1/d21.htm): a very stealthy, scriptable CGI
scanner.
N-Stealth Scanner (http://www.nstalker.com/press/nstealth35.php): HTTP security
scanning tool.
WebInspect (http://www.spidynamics.com/webinspect.html): comprehensive and
intuitive Web application scanner
Shadow Security Scanner (http://www.safety-lab.com/en2/products/1.htm): designed to
identify known and unknown vulnerabilities, suggest fixes to identified vulnerabilities,
and report possible security holes within a network's internet, intranet, and extranet
environments
Web Application Vulnerabilities
Lynx (http://lynx.browser.org/): text browser for the World Wide Web
Wget(http://www.gnu.org/software/wget/wget.html): a free software package for
retrieving files using HTTP, HTTPS and FTP, the most widely-used Internet protocols.
Black Widow: 'Black Widow' is a common name used for rogue Java applets available in
the WWW
WebSleuth (http://www.sandsprite.com/Sleuth): Web application security auditing
tool
Cookie Stealing
IEEN (http://www.securityfriday.com/ToolDownload/IEen/ieen_doc.html) IE'en
remotely controls Internet Explorer using DCOM. Captures data sent and received using
Internet Explorer. Even on SSL encrypted websites (e.g. Hotmail), IE'en can capture user
ID and password in plain text.
Web Based Password Cracking Techniques
WinSSLMiM(http://www.securiteam.com/tools/6E001156AK.html):WinSSLMiM is an
HTTPS Man in the Middle attacking tool. It includes FakeCert, a tool to make fake
certificates (like the DCA of sslmim found in Phrack 57). It can be used to exploit the
Certificate Chain vulnerability in Internet Explorer. The tool works under Windows
9x/2000.
WebCracker (http://www.tlsecurity.net/windows/cracker/webcracker.htm): exploits a rather
large hole in web site authentication methods: password protected websites can easily be
brute-forced because there is no limit on the number of times an incorrect password or
user ID can be tried.
Brutus (http://www.hoobie.net/brutus/): flexible remote password cracker
ObiWan (http://www.phenoelit.de/obiwan/) brute force authentication attack against
Webserver with authentication requests
Munga Bunga (http://www.hackology.com/programs/mbhttpbf/ginfo.shtml):a utility
utilizing the HTTP protocol to brute force into any login mechanism/system that requires
a username and password, on a web page (or HTML form)
CURL(http://curl.haxx.se/):Curl is a tool for transferring files with URL syntax,
supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP.
Curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, kerberos,
HTTP form based upload, proxies, cookies, user+password authentication, file transfer
resume, http proxy tunneling and a busload of other useful tricks.
Stealing Cookies
CookieSpy(http://www.codeproject.com/shell/cookiespy.asp): CookieSpy is a custom
explorer bar. This extension was created for the monitoring of cookie activity and for the
possibility to add and edit cookies.
ReadCookies (http://www.seps.org/cvoracle/SupportBin/cookiea): Displays cookie
information
SnadBoy(http://www.snadboy.com/): Pulls passwords from cookies
SQL Injection
SQLDict (http://ntsecurity.nu/toolbox/sqldict/):a dictionary attack tool for SQL Server
SQLExec (http://www.snoopsoft.com/sqlexec/use.html):
SQLbf (http://www.sqlsecurity.com/scripts.asp): SQL Server password brute force tool
SQLSmack (http://www.securiteam.com/tools/5GP081P75C.html): a UNIX Based
Remote Command Execution for MSSQL
SQL2.exe (http://www.packetstormsecurity.org/0211-exploits/indexdate.shtml):
MSSQL Server 2000 SP0 - SP2 remote exploit which uses UDP to overflow a buffer and
send a shell to tcp port 53. Windows binary, C++ source code
Hacking Wireless Networks
NetStumbler (http://www.netstumbler.com/download.php):
AirSnort (http://airsnort.shmoo.com/): WLAN tool which recovers WEP encryption keys by
passively collecting packets
AiroPeek (http://www.wildpackets.com/products/airopeek_nx): wireless protocol
analyzer and security auditor
Kismet (http://www.kismetwireless.net/): an 802.11 wireless network sniffer
WIDZ- Wireless IDS (http://www.securiteam.com/tools/5WP001F8VO.html):IDS
system for 802.11 that guards an AP(s) and Monitors local frequencies for potentially
malevolent activity. It detects scans, association floods, and bogus/Rogue AP's. It can
easily be integrated with SNORT or RealSecure.
Linux Hacking
SARA (Security Auditor's Research Assistant): a third-generation security analysis
tool that is based on the SATAN model.
TARA (Tiger Analytical Research Assistant )(http://www-arc.com/tara/): a set of scripts
that scan a Un*x system looking for security problems
Buffer Overflows
StackGuard (http://immunix.org/): a compiler that emits programs hardened against
"stack smashing" attacks
Immunix (http://immunix.org/): a family of tools designed to enhance system integrity
by hardening system components and platforms against security attacks. Immunix
secures a Linux OS and applications. Immunix works by hardening existing software
components and platforms so that attempts to exploit security vulnerabilities will fail
safe, i.e. the compromised process halts instead of giving control to the attacker, and then
is restarted. The software components are effectively "laminated" with Immunix
technologies to harden them against attack.
Novell Hacking
Chknull (http://www.nmrc.org/files/netware/chknull.zip) Checks for users that have no
password. For both Netware 3.x and 4.x.
nwpcrack (http://www.nmrc.org/files/netware/nwpcrack.zip) simple brute-force password cracker
Pandora (http://www.nmrc.org/pandora/pandora3.zip) tools for the opening of Novell's
Netware Directory Services
userdump (ftp://ftp.cdrom.com/.1/novell/userdump.zip) UserDump simply lists all users
in the Bindery.
Bindery/BinCrack (http://www.computercraft.com/docs/nohck.shtml) Novell hacking
and cracking tool
Burglar (http://security.tsu.ru/netware/) NLM which creates a supervisor account when loaded
on the server.
Getit (http://security.tsu.ru/netware/) TSR program for recording typed passwords.
Gobbler (http://www.computercraft.com/docs/nohck.shtml) popular packet sniffer for
Ethernet networks
Kock (http://security.tsu.ru/netware/) brute force cracker.
NOVELBFH (http://www.computercraft.com/docs/nohck.shtml)brute force cracker
Novelffs (http://security.tsu.ru/netware/) emulates a fake Novell file server
SETPWD.NLM (http://www.computercraft.com/docs/nohck.shtml) resets any user
password, including that of supervisor
Spooflog (http://www.nmrc.org/faqs/netware/a-06.html) Login spoofing utility for all
versions of NetWare
IDS, Firewalls and Honeypots
SNORT
Fragrouter (http://packages.debian.org/unstable/net/fragrouter.html): network intrusion
detection evasion toolkit
TCPReplay (http://tcpreplay.sourceforge.net/): tool to replay saved tcpdump or snoop
files at arbitrary speeds.
SideStep (http://www.robertgraham.com/tmp/sidestep.html): an IDS evasion tool
NIDSbench (http://packetstorm.widexs.nl/UNIX/IDS/nidsbench/nidsbench.html): a
network intrusion detection system test suite
ADMutate (http://www.ktwo.ca/security.html ): API that can mask buffer overflow
exploit signatures from Network IDS systems so that they are more difficult to detect.