CEH v12 vs CEH v13

CEH v12 vs CEH v13

Welcome to CEH.Academy's overview of the new content in CEH v13!

The Certified Ethical Hacker (CEH) v13 brings several exciting updates and new content to keep pace with the evolving cybersecurity landscape. Let's explore the key additions and changes:

1. AI-Driven Ethical Hacking:
- Introduction to AI-driven ethical hacking concepts
- AI-powered OSINT tools
- Crafting phishing emails with ChatGPT
- AI-based vulnerability assessment and exploitation

2. Cloud Security Enhancements:
- Expanded coverage of AWS, Azure, and Google Cloud Platform
- New labs for cloud reconnaissance and enumeration
- Container security and Docker vulnerability assessment

3. Advanced Mobile Hacking:
- Updated Android hacking techniques
- New tools like PhoneSploit-Pro

4. IoT and OT Security:
- Additional labs for IoT traffic analysis
- New attack scenarios, including VoIP device hacking and CAN protocol attacks

5. Web Application Security Updates:
- New labs for modern web vulnerabilities
- JWT token attack lab
- Remote Code Execution (RCE) attack lab

6. Network Security Advancements:
- Updated tools and techniques for network scanning and enumeration
- New evasion techniques for IDS/Firewall

7. Malware Analysis:
- Enhanced static and dynamic analysis techniques
- New tools for malware detection and analysis

8. Cryptography and Encryption:
- Multi-layer hashing techniques
- AI-assisted cryptographic techniques

9. Social Engineering:
- Updated phishing techniques
- AI-powered social engineering tools

10. Wireless Security:
- New tools for wireless network attacks
- Updated WPA2/WPA3 cracking techniques

Throughout the course, there's a strong emphasis on AI integration, with new labs using tools like ShellGPT for various hacking tasks. Many labs from v12 have been updated or converted to self-study modules, allowing for a more flexible learning experience.

CEH v13 also focuses on emerging technologies and threats, ensuring that certified ethical hackers are prepared for the latest challenges in cybersecurity.

This update reinforces CEH's position as a leading certification for ethical hacking and cybersecurity professionals, equipping them with cutting-edge skills and knowledge to protect organizations in an increasingly complex digital landscape.

Thank you for choosing CEH.Academy for your cybersecurity education needs!
This presentation highlights the major new additions and changes in CEH v13, focusing on the most significant updates across various modules. It's designed to give an overview of how the certification has evolved to address current cybersecurity trends and technologies.
CEHv12 CEHv13
Module 01: Introduction to Ethical Hacking Module 01: Introduction to Ethical Hacking
Information Security Overview Information Security Overview
▪ Elements of Information Security ▪ Elements of Information Security
▪ Motives, Goals, and Objectives of Information Security Attacks ▪ Information Security Attacks: Motives, Goals, and Objectives
▪ Classification of Attacks o Motives (Goals)
▪ Information Warfare o Tactics, Techniques, and Procedures (TTPs)
Hacking Methodologies and Frameworks o Vulnerability
▪ CEH Hacking Methodology (CHM) ▪ Classification of Attacks
▪ Cyber Kill Chain Methodology ▪ Information Warfare
▪ Tactics, Techniques, and Procedures (TTPs) Hacking Concepts
▪ Adversary Behavioral Identification ▪ What is Hacking?
▪ Indicators of Compromise (IoCs) ▪ Who is a Hacker?
o Categories of Indicators of Compromise ▪ Hacker and their Motivations
▪ MITRE ATT&CK Framework Ethical Hacking Concepts
▪ Diamond Model of Intrusion Analysis ▪ What is Ethical Hacking?
Hacking Concepts ▪ Why Ethical Hacking is Necessary
▪ What is Hacking? ▪ Scope and Limitations of Ethical Hacking
▪ Who is a Hacker? ▪ Skills of an Ethical Hacker
▪ Hacker Classes ▪ AI-Driven Ethical Hacking
Ethical Hacking Concepts ▪ How AI-Driven Ethical Hacking Helps Ethical Hacker?
▪ What is Ethical Hacking? ▪ Myth: AI will Replace Ethical Hackers
▪ Why Ethical Hacking is Necessary ▪ ChatGPT-Powered AI Tools for Ethical Hackers
▪ Scope and Limitations of Ethical Hacking Hacking Methodologies and Frameworks
▪ Skills of an Ethical Hacker ▪ CEH Ethical Hacking Framework
Information Security Controls ▪ Cyber Kill Chain Methodology
▪ Information Assurance (IA) o Tactics, Techniques, and Procedures (TTPs)
▪ Continual/Adaptive Security Strategy ▪ Adversary Behavioral Identification
▪ Defense-in-Depth ▪ Indicators of Compromise (IoCs)

 

CEHv12 CEHv13
▪ What is Risk? o Categories of Indicators of Compromise
▪ Risk Management ▪ MITRE ATT&CK Framework
▪ Cyber Threat Intelligence ▪ Diamond Model of Intrusion Analysis
o Threat Intelligence Lifecycle Information Security Controls
▪ Threat Modeling ▪ Information Assurance (IA)
▪ Incident Management ▪ Continual/Adaptive Security Strategy
o Incident Handling and Response ▪ Defense-in-Depth
▪ Role of AI and ML in Cyber Security ▪ What is Risk?
o How Do AI and ML Prevent Cyber Attacks? ▪ Risk Management
Information Security Laws and Standards ▪ Cyber Threat Intelligence
▪ Payment Card Industry Data Security Standard (PCI DSS) ▪ Threat Intelligence Lifecycle
▪ ISO/IEC 27001:2013 ▪ Threat Modeling
▪ Health Insurance Portability and Accountability Act (HIPAA) ▪ Incident Management
▪ Sarbanes Oxley Act (SOX) ▪ Incident Handling and Response
▪ The Digital Millennium Copyright Act (DMCA) ▪ Role of AI and ML in Cyber Security
▪ The Federal Information Security Management Act (FISMA) o How Do AI and ML Prevent Cyber Attacks?
▪ General Data Protection Regulation (GDPR) Information Security Laws and Standards
▪ Data Protection Act 2018 (DPA) ▪ Payment Card Industry Data Security Standard (PCI DSS)
▪ Cyber Law in Different Countries ▪ ISO/IEC Standards
▪ Health Insurance Portability and Accountability Act (HIPAA)
▪ Sarbanes Oxley Act (SOX)
▪ The Digital Millennium Copyright Act (DMCA)
▪ The Federal Information Security Management Act (FISMA)
▪ General Data Protection Regulation (GDPR)
▪ Data Protection Act 2018 (DPA)
▪ Cyber Law in Different Countries
Module 02: Footprinting and Reconnaissance Module 02: Footprinting and Reconnaissance
Footprinting Concepts Footprinting Concepts
▪ What is Footprinting? ▪ Reconnaissance
▪ Information Obtained in Footprinting o Types of Footprinting/Reconnaissance
▪ Footprinting Methodology ▪ Information Obtained in Footprinting
Footprinting through Search Engines ▪ Objectives of Footprinting

 

CEHv12 CEHv13
▪ Footprinting through Search Engines ▪ Footprinting Threats
▪ Footprint Using Advanced Google Hacking Techniques ▪ Footprinting Methodology
▪ Google Hacking Database Footprinting through Search Engines
▪ VPN Footprinting through Google Hacking Database ▪ Footprinting Using Advanced Google Hacking Techniques
▪ Other Techniques for Footprinting through Search Engines o What can a Hacker Do with Google Hacking?
o Google Advanced Search o Footprinting Using Advanced Google Hacking Techniques with AI
o Advanced Image Search o Google Hacking Database
o Reverse Image Search ▪ VPN Footprinting through Google Hacking Database
o Video Search Engines o VPN Footprinting through Google Hacking Database with AI
o Meta Search Engines ▪ Footprinting through SHODAN Search Engine
o FTP Search Engines ▪ Other Techniques for Footprinting through Search Engines
o IoT Search Engines Footprinting through Internet Research Services
Footprinting through Web Services ▪ Finding a Company's Top-Level Domains (TLDs) and Sub-domains
▪ Finding a Company's Top-Level Domains (TLDs) and Sub-domains o Finding a Company's Top-Level Domains (TLDs) and Sub-domains with AI
▪ Finding the Geographical Location of the Target ▪ Extracting Website Information from https://archive.org
▪ People Search on Social Networking Sites and People Search Services ▪ Footprinting through People Search Services
▪ Gathering Information from LinkedIn ▪ Footprinting through Job Sites
▪ Harvesting Email Lists ▪ Dark Web Footprinting
▪ Footprinting through Job Sites o Searching the Dark Web with Advanced Search Parameters
▪ Deep and Dark Web Footprinting ▪ Determining the Operating System
▪ Determining the Operating System ▪ Competitive Intelligence Gathering
▪ VoIP and VPN Footprinting through SHODAN o Competitive Intelligence - When Did this Company Begin? How Did it Develop?
▪ Competitive Intelligence Gathering o Competitive Intelligence - What Are the Company's Plans?
▪ Other Techniques for Footprinting through Web Services o Competitive Intelligence - What Expert Opinions Say About the Company?
o Finding the Geographical Location of the Target ▪ Other Techniques for Footprinting through Internet Research Services
o Gathering Information from Financial Services Footprinting through Social Networking Sites

 

CEHv12 CEHv13
o Gathering Information from Business Profile Sites ▪ People Search on Social Networking Sites
o Monitoring Targets Using Alerts ▪ Gathering Information from LinkedIn
o Tracking the Online Reputation of the Target ▪ Harvesting Email Lists
o Gathering Information from Groups, Forums, and Blogs o Harvesting Email Lists with AI
o Gathering Information from NNTP Usenet Newsgroups ▪ Analyzing Target Social Media Presence
o Gathering Information from Public Source-Code Repositories o Tools for Footprinting through Social Networking Sites
Footprinting through Social Networking Sites o Footprinting through Social Networking Sites with AI
▪ Collecting Information through Social Engineering on Social Networking Sites Whois Footprinting
▪ General Resources for Locating Information from Social Media Sites ▪ Whois Lookup
▪ Conducting Location Search on Social Media Sites ▪ Finding IP Geolocation Information
▪ Constructing and Analyzing Social Network Graphs DNS Footprinting
▪ Tools for Footprinting through Social Networking Sites ▪ Extracting DNS Information
Website Footprinting ▪ DNS Lookup with AI
▪ Website Footprinting ▪ Reverse DNS Lookup
▪ Website Footprinting using Web Spiders Network and Email Footprinting
▪ Mirroring Entire Website ▪ Locate the Network Range
▪ Extracting Website Information from https://archive.org ▪ Traceroute
▪ Other Techniques for Website Footprinting o Traceroute with AI
o Extracting Website Links o Traceroute Analysis
o Gathering the Wordlist from the Target Website o Traceroute Tools
o Extracting Metadata of Public Documents ▪ Tracking Email Communications
o Monitoring Web Pages for Updates and Changes o Collecting Information from Email Header
o Searching for Contact Information, Email Addresses, and Telephone Numbers from Company Website o Email Tracking Tools
o Searching for Web Pages Posting Patterns and Revision Numbers Footprinting through Social Engineering
o Monitoring Website Traffic of the Target Company

▪ Collecting Information through Social Engineering on Social Networking Sites

 

Email Footprinting ▪ Collecting Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation

 

 

CEHv12 CEHv13
▪ Tracking Email Communications Footprinting Tasks using Advanced Tools and AI
▪ Email Tracking Tools ▪ AI-Powered OSINT Tools
Whois Footprinting ▪ Create and Run Custom Python Script to Automate Footprinting Tasks with AI
▪ Whois Lookup Footprinting Countermeasures
▪ Finding IP Geolocation Information
DNS Footprinting
▪ Extracting DNS Information
▪ Reverse DNS Lookup
Network Footprinting
▪ Locate the Network Range
▪ Traceroute
▪ Traceroute Analysis
▪ Traceroute Tools
Footprinting through Social Engineering
▪ Footprinting through Social Engineering
▪ Collect Information Using Eavesdropping, Shoulder Surfing, Dumpster Diving, and Impersonation
Footprinting Tools
▪ Footprinting Tools: Maltego and Recon-ng
▪ Footprinting Tools: FOCA and OSRFramework
▪ Footprinting Tools: OSINT Framework
▪ Footprinting Tools: Recon-Dog and BillCipher
▪ Footprinting Tools: Spyse
Footprinting Countermeasures
▪ Footprinting Countermeasures
Module 03: Scanning Networks Module 03: Scanning Networks
Network Scanning Concepts Network Scanning Concepts
▪ Overview of Network Scanning ▪ Overview of Network Scanning
▪ TCP Communication Flags ▪ TCP Communication Flags
▪ TCP/IP Communication ▪ TCP/IP Communication
Scanning Tools Scanning Tools
▪ Scanning Tools: Nmap Host Discovery
▪ Scanning Tools: Hping3 ▪ Host Discovery Techniques
o Hping Commands o ARP Ping Scan
▪ Scanning Tools o UDP Ping Scan
▪ Scanning Tools for Mobile o ICMP ECHO Ping Scan

 

CEHv12 CEHv13
Host Discovery o ICMP ECHO Ping Sweep
▪ Host Discovery Techniques o ICMP Timestamp Ping Scan
o ARP Ping Scan o ICMP Address Mask Ping Scan
o UDP Ping Scan o TCP SYN Ping Scan
o ICMP ECHO Ping Scan o TCP ACK Ping Scan
o ICMP ECHO Ping Sweep o IP Protocol Ping Scan
o ICMP Timestamp Ping Scan o Host Discovery with AI
o ICMP Address Mask Ping Scan o Ping Sweep Tools
o TCP SYN Ping Scan Port and Service Discovery
o TCP ACK Ping Scan ▪ Port Scanning Techniques
o IP Protocol Ping Scan ▪ TCP Connect/Full-Open Scan
o Ping Sweep Tools o Stealth Scan (Half-Open Scan)
Port and Service Discovery o Inverse TCP Flag Scan
▪ Port Scanning Techniques o Xmas Scan
o TCP Scanning o TCP Maimon Scan
• TCP Connect/Full Open Scan o ACK Flag Probe Scan
• Stealth Scan (Half-open Scan) o IDLE/IPID Header Scan
• Inverse TCP Flag Scan o UDP Scan
✓ Xmas Scan o SCTP INIT Scan
✓ FIN Scan o SCTP COOKIE ECHO Scan
✓ NULL Scan o SSDP and List Scan
✓ TCP Maimon Scan o IPv6 Scan
• ACK Flag Probe Scan o Port Scanning with AI
✓ TTL-Based Scan o Service Version Discovery
✓ Window-Based Scan o Service Version Discovery with AI
• IDLE/IPID Header Scan o Nmap Scan Time Reduction Techniques
o UDP Scan OS Discovery (Banner Grabbing/OS Fingerprinting)
o SCTP INIT Scan ▪ OS Discovery/Banner Grabbing
o SCTP COOKIE ECHO Scan ▪ How to Identify Target System OS
o SSDP and List Scan o OS Discovery using Nmap and Unicornscan
o IPv6 Scan o OS Discovery using Nmap Script Engine
▪ Service Version Discovery o OS Discovery using IPv6 Fingerprinting
▪ Nmap Scan Time Reduction Techniques o OS Discovery with AI
OS Discovery (Banner Grabbing/OS Fingerprinting) ▪ Create and Run Custom Script to Automate Network Scanning Tasks With AI
▪ OS Discovery/Banner Grabbing Scanning Beyond IDS and Firewall
▪ How to Identify Target System OS ▪ Packet Fragmentation
o OS Discovery using Wireshark ▪ Source Routing

 

CEHv12 CEHv13
o OS Discovery using Nmap and Unicornscan Source Port Manipulation
o OS Discovery using Nmap Script Engine ▪ IP Address Decoy
o OS Discovery using IPv6 Fingerprinting ▪ IP Address Spoofing
Scanning Beyond IDS and Firewall ▪ MAC Address Spoofing
▪ IDS/Firewall Evasion Techniques ▪ Creating Custom Packets
o Packet Fragmentation ▪ Randomizing Host Order and Sending Bad Checksums
o Source Routing ▪ Proxy Servers
o Source Port Manipulation o Proxy Chaining
o IP Address Decoy o Proxy Tools
o IP Address Spoofing ▪ Anonymizers
o MAC Address Spoofing o Censorship Circumvention Tools
o Creating Custom Packets Network Scanning Countermeasures
o Randomizing Host Order and Sending Bad Checksums ▪ Ping Sweep Countermeasures
o Proxy Servers ▪ Port Scanning Countermeasures
• Proxy Chaining ▪ Banner Grabbing Countermeasures
• Proxy Tools ▪ IP Spoofing Detection Techniques
• Proxy Tools for Mobile ▪ IP Spoofing Countermeasures
o Anonymizers ▪ Scanning Detection and Prevention Tools
• Censorship Circumvention Tools: Alkasir and Tails
Network Scanning Countermeasures
▪ Ping Sweep Countermeasures
▪ Port Scanning Countermeasures
▪ Banner Grabbing Countermeasures
▪ IP Spoofing Detection Techniques
o Direct TTL Probes
o IP Identification Number
o TCP Flow Control Method
▪ IP Spoofing Countermeasures
▪ Scanning Detection and Prevention Tools
Module 04: Enumeration Module 04: Enumeration
Enumeration Concepts Enumeration Concepts
▪ What is Enumeration? ▪ What is Enumeration?
▪ Techniques for Enumeration ▪ Techniques for Enumeration
▪ Services and Ports to Enumerate ▪ Services and Ports to Enumerate
NetBIOS Enumeration NetBIOS Enumeration

 

CEHv12 CEHv13
▪ NetBIOS Enumeration ▪ NetBIOS Enumeration Tools
▪ NetBIOS Enumeration Tools ▪ Enumerating User Accounts
▪ Enumerating User Accounts ▪ Enumerating Shared Resources Using Net View
▪ Enumerating Shared Resources Using Net View ▪ NetBIOS Enumeration using AI
SNMP Enumeration SNMP Enumeration
▪ SNMP (Simple Network Management Protocol) Enumeration ▪ Working of SNMP
▪ Working of SNMP ▪ Management Information Base (MIB)
▪ Management Information Base (MIB) ▪ Enumerating SNMP using SnmpWalk
▪ Enumerating SNMP using SnmpWalk ▪ Enumerating SNMP using Nmap
▪ Enumerating SNMP using Nmap ▪ SNMP Enumeration Tools
▪ SNMP Enumeration Tools ▪ SNMP Enumeration with SnmpWalk and Nmap using AI
LDAP Enumeration LDAP Enumeration
▪ LDAP Enumeration ▪ Manual and Automated LDAP Enumeration
▪ Manual and Automated LDAP Enumeration ▪ LDAP Enumeration Tools
▪ LDAP Enumeration Tools NTP and NFS Enumeration
NTP and NFS Enumeration ▪ NTP Enumeration
▪ NTP Enumeration ▪ NTP Enumeration Commands
▪ NTP Enumeration Commands ▪ NTP Enumeration Tools
▪ NTP Enumeration Tools ▪ NFS Enumeration
▪ NFS Enumeration ▪ NFS Enumeration Tools
▪ NFS Enumeration Tools SMTP and DNS Enumeration
SMTP and DNS Enumeration ▪ SMTP Enumeration
▪ SMTP Enumeration ▪ SMTP Enumeration using Nmap
▪ SMTP Enumeration using Nmap ▪ SMTP Enumeration using Metasploit
▪ SMTP Enumeration using Metasploit ▪ SMTP Enumeration Tools
▪ SMTP Enumeration Tools ▪ SMTP Enumeration using AI
▪ DNS Enumeration Using Zone Transfer ▪ DNS Enumeration Using Zone Transfer
▪ DNS Cache Snooping ▪ DNS Cache Snooping
▪ DNSSEC Zone Walking ▪ DNSSEC Zone Walking
▪ DNS and DNSSEC Enumeration using Nmap ▪ DNS Enumeration Using OWASP Amass
Other Enumeration Techniques ▪ DNS and DNSSEC Enumeration Using Nmap
▪ IPsec Enumeration ▪ DNS Enumeration with Nmap Using AI
▪ VoIP Enumeration ▪ DNS Cache Snooping using AI
▪ RPC Enumeration Other Enumeration Techniques
▪ Unix/Linux User Enumeration ▪ IPsec Enumeration
▪ Telnet and SMB Enumeration ▪ IPsec Enumeration with AI
▪ FTP and TFTP Enumeration ▪ VoIP Enumeration

 

CEHv12 CEHv13
▪ IPv6 Enumeration ▪ RPC Enumeration
▪ BGP Enumeration ▪ Unix/Linux User Enumeration
Enumeration Countermeasures ▪ SMB Enumeration
▪ Enumeration Countermeasures ▪ SMB Enumeration with AI
▪ DNS Enumeration Countermeasures ▪ Create and Run Custom Script to Automate Network Enumeration Tasks with AI
Enumeration Countermeasures
Module 05: Vulnerability Analysis Module 05: Vulnerability Analysis
Vulnerability Assessment Concepts Vulnerability Assessment Concepts
▪ What is Vulnerability? ▪ Vulnerability Classification
o Examples of Vulnerabilities o Misconfigurations/Weak Configurations
▪ Vulnerability Research o Application Flaws
▪ Resources for Vulnerability Research o Poor Patch Management
▪ What is Vulnerability Assessment? o Design Flaws
▪ Vulnerability Scoring Systems and Databases o Third-Party Risks
▪ Vulnerability-Management Life Cycle o Default Installations/Default Configurations
o Pre-Assessment Phase o Operating System Flaws
o Vulnerability Assessment Phase o Default Passwords
o Post Assessment Phase o Zero-Day Vulnerabilities
Vulnerability Classification and Assessment Types o Legacy Platform Vulnerabilities
▪ Vulnerability Classification o System Sprawl/Undocumented Assets
o Misconfigurations/Weak Configurations o Improper Certificate and Key Management
o Application Flaws ▪ Vulnerability Scoring Systems and Databases
o Poor Patch Management o Common Vulnerability Scoring System (CVSS)
o Design Flaws o Common Vulnerabilities and Exposures (CVE)
o Third-Party Risks o National Vulnerability Database (NVD)
o Default Installations/Default Configurations o Common Weakness Enumeration (CWE)
o Operating System Flaws ▪ Vulnerability-Management Life Cycle
o Default Passwords o Pre-Assessment Phase
o Zero-Day Vulnerabilities o Vulnerability Assessment Phase
o Legacy Platform Vulnerabilities o Post Assessment Phase
o System Sprawl/Undocumented Assets ▪ Vulnerability Research
o Improper Certificate and Key Management o Resources for Vulnerability Research
▪ Types of Vulnerability Assessment ▪ Vulnerability Scanning and Analysis
Vulnerability Assessment Tools o Types of Vulnerability Scanning
▪ Comparing Approaches to Vulnerability Assessment Vulnerability Assessment Tools
▪ Characteristics of a Good Vulnerability Assessment Solution ▪ Comparing Approaches to Vulnerability Assessment

 

CEHv12 CEHv13
▪ Working of Vulnerability Scanning Solutions ▪ Characteristics of a Good Vulnerability Assessment Solution
▪ Types of Vulnerability Assessment Tools ▪ Working of Vulnerability Scanning Solutions
▪ Choosing a Vulnerability Assessment Tool ▪ Types of Vulnerability Assessment Tools
▪ Criteria for Choosing a Vulnerability Assessment Tool ▪ Choosing a Vulnerability Assessment Tool
▪ Best Practices for Selecting Vulnerability Assessment Tools ▪ Criteria for Choosing a Vulnerability Assessment Tool
▪ Vulnerability Assessment Tools: Qualys Vulnerability Management ▪ Best Practices for Selecting Vulnerability Assessment Tools
▪ Vulnerability Assessment Tools: Nessus Professional and GFI LanGuard ▪ Vulnerability Assessment Tools
▪ Vulnerability Assessment Tools: OpenVAS and Nikto o Nessus Essentials
▪ Other Vulnerability Assessment Tools o GFI LanGuard
▪ Vulnerability Assessment Tools for Mobile o OpenVAS
Vulnerability Assessment Reports o Nikto
▪ Vulnerability Assessment Reports o Qualys Vulnerability Management
▪ Components of a Vulnerability Assessment Report ▪ AI-Powered Vulnerability Assessment Tools
▪ Vulnerability Assessment using AI
▪ Vulnerability Scan using Nmap with AI
▪ Vulnerability Assessment using Python Script with AI
▪ Vulnerability Scan using Skipfish with AI
Vulnerability Assessment Reports
▪ Components of a Vulnerability Assessment Report
Module 06: System Hacking Module 06: System Hacking
Gaining Access Gaining Access
▪ Cracking Passwords ▪ Cracking Passwords
o Microsoft Authentication o Microsoft Authentication
o How Hash Passwords Are Stored in Windows SAM? o How Hash Passwords Are Stored in Windows SAM?
o NTLM Authentication Process o Tools to Extract the Password Hashes
o Kerberos Authentication o NTLM Authentication Process
o Password Cracking o Kerberos Authentication
o Types of Password Attacks o Password Cracking
• Non-Electronic Attacks o Types of Password Attacks
• Active Online Attacks • Non-Electronic Attacks
✓ Dictionary, Brute-Force, and Rule-based Attack • Active Online Attacks
✓ Password Spraying Attack and Mask Attack ✓ Other Active Online Attacks
✓ Password Guessing • Passive Online Attacks
✓ Default Passwords • Offline Attacks
✓ Trojans/Spyware/Keyloggers o Password Recovery Tools
✓ Hash Injection/Pass-the-Hash (PtH) Attack o Password-Cracking Tools

 

CEHv12 CEHv13
✓ LLMNR/NBT-NS Poisoning o Password Salting
✓ Internal Monologue Attack o How to Defend against Password Cracking
✓ Cracking Kerberos Password o How to Defend against LLMNR/NBT-NS Poisoning
✓ Pass the Ticket Attack o Tools to Detect LLMNR/NBT-NS Poisoning
✓ Other Active Online Attacks o Detecting SMB Attacks against Windows
➢ GPU-based Attack ▪ Vulnerability Exploitation
• Passive Online Attacks o Exploit Sites
✓ Wire Sniffing o Windows Exploit Suggester - Next Generation (WES-NG)
✓ Man-in-the-Middle/Manipulator-in-the-Middle and Replay Attacks o Metasploit Framework
• Offline Attacks o Metasploit Modules
✓ Rainbow Table Attack o AI-Powered Vulnerability Exploitation Tools
o Password Recovery Tools o Buffer Overflow
o Tools to Extract the Password Hashes • Types of Buffer Overflow
o Password Cracking using Domain Password Audit Tool (DPAT) • Simple Buffer Overflow in C
o Password-Cracking Tools: L0phtCrack • Windows Buffer Overflow Exploitation
o Password-Cracking Tools: ophcrack o Return-Oriented Programming (ROP) Attack
o Password-Cracking Tools o Bypassing ASLR and DEP Security Mechanisms
o Password Salting o Heap Spraying
o How to Defend against Password Cracking o JIT Spraying
o How to Defend against LLMNR/NBT-NS Poisoning o Exploit Chaining
o Tools to Detect LLMNR/NBT-NS Poisoning o Domain Mapping and Exploitation with Bloodhound
▪ Vulnerability Exploitation o Post AD Enumeration using PowerView
o Exploit Sites o Identifying Insecurities Using GhostPack Seatbelt
o Buffer Overflow o Buffer Overflow Detection Tools
• Types of Buffer Overflow: Stack-Based Buffer Overflow o Defending against Buffer Overflows
• Types of Buffer Overflow: Heap-Based Buffer Overflow Escalating Privileges
• Simple Buffer Overflow in C ▪ Privilege Escalation
• Windows Buffer Overflow Exploitation ▪ Privilege Escalation Using DLL Hijacking
o Return-Oriented Programming (ROP) Attack ▪ Privilege Escalation by Exploiting Vulnerabilities
o Exploit Chaining ▪ Privilege Escalation Using Dylib Hijacking
o Active Directory Enumeration Using PowerView ▪ Privilege Escalation Using Spectre and Meltdown Vulnerabilities
o Domain Mapping and Exploitation with Bloodhound ▪ Privilege Escalation Using Named Pipe Impersonation
o Identifying Insecurities Using GhostPack Seatbelt ▪ Privilege Escalation by Exploiting Misconfigured Services
o Buffer Overflow Detection Tools ▪ Pivoting and Relaying to Hack External Machines
o Defending against Buffer Overflows ▪ Privilege Escalation Using Misconfigured NFS

 

CEHv12 CEHv13
Escalating Privileges ▪ Privilege Escalation by Bypassing User Account Control (UAC)
▪ Privilege Escalation ▪ Privilege Escalation by Abusing Boot or Logon Initialization Scripts
▪ Privilege Escalation Using DLL Hijacking ▪ Privilege Escalation by Modifying Domain Policy
▪ Privilege Escalation by Exploiting Vulnerabilities ▪ Retrieving Password Hashes of Other Domain Controllers Using DCSync Attack
▪ Privilege Escalation Using Dylib Hijacking ▪ Privilege Escalation by Abusing Active Directory Certificate Services (ADCS)
▪ Privilege Escalation Using Spectre and Meltdown Vulnerabilities ▪ Other Privilege Escalation Techniques
▪ Privilege Escalation Using Named Pipe Impersonation ▪ Privilege Escalation Tools
▪ Privilege Escalation by Exploiting Misconfigured Services ▪ How to Defend against Privilege Escalation
▪ Pivoting and Relaying to Hack External Machines o Tools for Defending against DLL and Dylib Hijacking
▪ Privilege Escalation Using Misconfigured NFS o Defending against Spectre and Meltdown Vulnerabilities
▪ Privilege Escalation Using Windows Sticky Keys o Tools for Detecting Spectre and Meltdown Vulnerabilities
▪ Privilege Escalation by Bypassing User Account Control (UAC) Maintaining Access
▪ Privilege Escalation by Abusing Boot or Logon Initialization Scripts ▪ Executing Applications
▪ Privilege Escalation by Modifying Domain Policy o Remote Code Execution Techniques
▪ Retrieving Password Hashes of Other Domain Controllers Using DCSync Attack • Tools for Executing Applications
▪ Other Privilege Escalation Techniques o Keylogger
o Parent PID Spoofing • Types of Keystroke Loggers
o Abusing Accessibility Features • Remote Keylogger Attack Using Metasploit
o SID-History Injection • Hardware Keyloggers
o COM Hijacking • Keyloggers for Windows
o Scheduled Tasks in Linux • Keyloggers for macOS
▪ Privilege Escalation Tools o Spyware
o FullPowers • Spyware Tools
o PEASS-ng • Types of Spyware
▪ How to Defend Against Privilege Escalation o How to Defend against Keyloggers
o Tools for Defending against DLL and Dylib Hijacking o Anti-Keyloggers
o Defending against Spectre and Meltdown Vulnerabilities o How to Defend against Spyware
o Tools for Detecting Spectre and Meltdown Vulnerabilities o Anti-Spyware
Maintaining Access ▪ Hiding Files
▪ Executing Applications o Rootkits
o Remote Code Execution Techniques • Types of Rootkits
• Tools for Executing Applications • How a Rootkit Works
o Keylogger • Popular Rootkits
• Types of Keystroke Loggers • Detecting Rootkits
• Remote Keylogger Attack Using Metasploit • Steps for Detecting Rootkits
• Hardware Keyloggers • How to Defend against Rootkits
• Keyloggers for Windows • Anti-Rootkits
• Keyloggers for macOS o NTFS Data Stream

 

CEHv12 CEHv13
o Spyware • How to Create NTFS Streams
• Spyware Tools: Spytech SpyAgent and Power Spy • NTFS Stream Manipulation
• Spyware Tools • How to Defend against NTFS Streams
o How to Defend Against Keyloggers • NTFS Stream Detectors
• Anti-Keyloggers o What is Steganography?
o How to Defend Against Spyware • Classification of Steganography
• Anti-Spyware • Types of Steganography based on Cover Medium
▪ Hiding Files • Whitespace Steganography
o Rootkits • Image Steganography
• Types of Rootkits • Document Steganography
• How a Rootkit Works • Video Steganography
• Popular Rootkits • Audio Steganography
✓ Purple Fox Rootkit • Folder Steganography
✓ MoonBounce • Spam/Email Steganography
✓ Dubbed Demodex Rootkit • Other Types of Steganography
• Detecting Rootkits • Steganalysis
• Steps for Detecting Rootkits • Steganalysis Methods/Attacks on Steganography
• How to Defend against Rootkits o Detecting Steganography (Text, Image, Audio, and Video Files)
• Anti-Rootkits o Steganography Detection Tools
o NTFS Data Stream ▪ Establishing Persistence
• How to Create NTFS Streams o Maintaining Persistence Using Windows Sticky Keys
• NTFS Stream Manipulation o Maintaining Persistence by Abusing Boot or Logon Autostart Executions
• How to Defend against NTFS Streams o Domain Dominance Through Different Paths
• NTFS Stream Detectors • Remote Code Execution
o What is Steganography? • Abusing Data Protection API (DPAPI)
• Classification of Steganography • Malicious Replication
• Types of Steganography based on Cover Medium • Skeleton Key Attack
✓ Whitespace Steganography • Golden Ticket Attack
✓ Image Steganography • Silver Ticket Attack
➢ Image Steganography Tools o Maintain Domain Persistence Through AdminSDHolder
✓ Document Steganography o Maintaining Persistence Through WMI Event Subscription
✓ Video Steganography o Overpass-the-Hash Attack
✓ Audio Steganography o Linux Post-Exploitation
✓ Folder Steganography o Windows Post-Exploitation
✓ Spam/Email Steganography o How to Defend against Persistence Attacks
✓ Other Types of Steganography Clearing Logs
• Steganography Tools for Mobile Phones ▪ Covering Tracks
• Steganalysis ▪ Disabling Auditing: Auditpol
• Steganalysis Methods/Attacks on Steganography ▪ Clearing Logs

 

CEHv12 CEHv13
• Detecting Steganography (Text, Image, Audio, and Video Files) ▪ Manually Clearing Event Logs
• Steganography Detection Tools ▪ Ways to Clear Online Tracks
▪ Establishing Persistence ▪ Covering BASH Shell Tracks
o Maintaining Persistence by Abusing Boot or Logon Autostart Executions ▪ Covering Tracks on a Network
o Domain Dominance through Different Paths ▪ Covering Tracks on an OS
• Remote Code Execution ▪ Delete Files using Cipher.exe
• Abusing DPAPI ▪ Disable Windows Functionality
• Malicious Replication ▪ Deleting Windows Activity History
• Skeleton Key Attack ▪ Deleting Incognito History
• Golden Ticket Attack ▪ Hiding Artifacts in Windows, Linux, and macOS
• Silver Ticket Attack ▪ Anti-forensics Techniques
o Maintain Domain Persistence Through AdminSDHolder ▪ Track-Covering Tools
o Maintaining Persistence Through WMI Event Subscription ▪ Defending against Covering Tracks
o Overpass-the-Hash Attack
o Linux Post Exploitation
o Windows Post Exploitation
o How to Defend against Persistence Attacks
Clearing Logs
▪ Covering Tracks
▪ Disabling Auditing: Auditpol
▪ Clearing Logs
▪ Manually Clearing Event Logs
▪ Ways to Clear Online Tracks
▪ Covering BASH Shell Tracks
▪ Covering Tracks on a Network
▪ Covering Tracks on an OS
▪ Delete Files using Cipher.exe
▪ Disable Windows Functionality
▪ Hiding Artifacts in Windows, Linux, and macOS
▪ Track-Covering Tools
▪ Defending against Covering Tracks
Module 07: Malware Threats Module 07: Malware Threats
Malware Concepts Malware Concepts
▪ Introduction to Malware ▪ Introduction to Malware
▪ Different Ways for Malware to Enter a System o Different Ways for Malware to Enter a System
▪ Common Techniques Attackers Use to Distribute Malware on the Web o Common Techniques Attackers Use to Distribute Malware on the Web
o RTF Injection ▪ Components of Malware
▪ Components of Malware ▪ Potentially Unwanted Application or Applications (PUAs)
▪ Potentially Unwanted Application or Applications (PUAs) o Adware
o Adware APT Concepts

 

CEHv12 CEHv13
APT Concepts ▪ What are Advanced Persistent Threats?
▪ What are Advanced Persistent Threats? o Characteristics of Advanced Persistent Threats
▪ Characteristics of Advanced Persistent Threats o Advanced Persistent Threat Lifecycle
▪ Advanced Persistent Threat Lifecycle Trojan Concepts
Trojan Concepts ▪ What is a Trojan?
▪ What is a Trojan? ▪ How Hackers Use Trojans
▪ How Hackers Use Trojans ▪ Common Ports used by Trojans
▪ Common Ports used by Trojans ▪ Types of Trojans
▪ Types of Trojans o Remote Access Trojans
o Remote Access Trojans o Backdoor Trojans
o Backdoor Trojans o Botnet Trojans
o Botnet Trojans o Rootkit Trojans
o Rootkit Trojans o E-banking Trojans
o E-banking Trojans • Working of E-banking Trojans
• Working of E-banking Trojans • E-banking Trojan: CHAVECLOAK
• E-banking Trojan: Dreambot o Point-of-Sale Trojans
o Point-of-Sale Trojans o Defacement Trojans
o Defacement Trojans o Service Protocol Trojans
o Service Protocol Trojans o Mobile Trojans
o Mobile Trojans o IoT Trojans
o IoT Trojans o Security Software Disabler Trojans
o Security Software Disabler Trojans o Destructive Trojans
o Destructive Trojans o DDoS Trojans
o DDoS Trojans o Command Shell Trojans
o Command Shell Trojans ▪ How to Infect Systems Using a Trojan
▪ How to Infect Systems Using a Trojan o Creating a Trojan
o Creating a Trojan o Employing a Dropper or Downloader
o Employing a Dropper or Downloader o Employing a Wrapper
o Employing a Wrapper o Employing a Crypter
o Employing a Crypter o Propagating and Deploying a Trojan
o Propagating and Deploying a Trojan o Deploy a Trojan through Emails
o Exploit Kits o Deploy a Trojan through Covert Channels
Virus and Worm Concepts o Deploy a Trojan through Proxy Servers

 

CEHv12 CEHv13
▪ Introduction to Viruses o Deploy a Trojan through USB/Flash Drives
▪ Stages of Virus Lifecycle o Techniques for Evading Antivirus Software
▪ Working of Viruses o Exploit Kits
o How does a Computer Get Infected by Viruses? Virus and Worm Concepts
▪ Types of Viruses ▪ Introduction to Viruses
o System or Boot Sector Viruses o Stages of Virus Lifecycle
o File Viruses o Working of Viruses
o Multipartite Viruses ▪ How does a Computer Get Infected by Viruses?
o Macro Viruses ▪ Types of Viruses
o Cluster Viruses o System or Boot Sector Viruses
o Stealth Viruses/Tunneling Viruses o File Viruses
o Encryption Viruses o Multipartite Viruses
o Sparse Infector Viruses o Macro Viruses
o Polymorphic Viruses o Cluster Viruses
o Metamorphic Viruses o Stealth Viruses/Tunneling Viruses
o Overwriting File or Cavity Viruses o Encryption Viruses
o Companion/Camouflage Viruses o Sparse Infector Viruses
o Shell Viruses o Polymorphic Viruses
o File Extension Viruses o Metamorphic Viruses
o FAT Viruses o Overwriting File or Cavity Viruses
o Logic Bomb Viruses o Companion/Camouflage Viruses
o Web Scripting Virus o Shell Viruses
o E-mail Viruses o File Extension Viruses
o Armored Viruses o FAT Viruses
o Add-on Viruses o Logic Bomb Viruses
o Intrusive Viruses o Web Scripting Viruses
o Direct Action or Transient Viruses o E-mail Viruses
o Terminate and Stay Resident (TSR) Viruses o Armored Viruses
o Ransomware o Add-on Viruses
• BlackCat o Intrusive Viruses
• BlackMatter o Direct Action or Transient Viruses
▪ How to Infect Systems Using a Virus: Creating a Virus o Terminate and Stay Resident (TSR) Viruses
▪ How to Infect Systems Using a Virus: Propagating and Deploying a Virus ▪ How to Infect Systems Using a Virus
▪ Computer Worms o Propagating and Deploying a Virus
o Worm Makers o Virus Hoaxes
Fileless Malware Concepts o Fake AntiVirus
▪ What is Fileless Malware? ▪ Ransomware

 

CEHv12 CEHv13
▪ Taxonomy of Fileless Malware Threats o How to Infect Systems Using a Ransomware: Creating Ransomware
▪ How does Fileless Malware Work? ▪ Computer Worms
▪ Launching Fileless Malware through Document Exploits and In-Memory Exploits o How to Infect Systems Using a Worm
▪ Launching Fileless Malware through Script-based Injection o Worm Makers
▪ Launching Fileless Malware by Exploiting System Admin Tools Fileless Malware Concepts
▪ Launching Fileless Malware through Phishing ▪ What is Fileless Malware?
▪ Maintaining Persistence with Fileless Techniques o Taxonomy of Fileless Malware Threats
▪ Fileless Malware ▪ How does Fileless Malware Work?
o LemonDuck ▪ Launching Fileless Malware through Document Exploits
▪ Fileless Malware Obfuscation Techniques to Bypass Antivirus ▪ Launching Fileless Malware through In-Memory Exploits
Malware Analysis ▪ Launching Fileless Malware through Script-based Injection
▪ What is Sheep Dip Computer? ▪ Launching Fileless Malware by Exploiting System Admin Tools
▪ Antivirus Sensor Systems ▪ Launching Fileless Malware through Phishing
▪ Introduction to Malware Analysis ▪ Launching Fileless Malware through Windows Registry
▪ Malware Analysis Procedure: Preparing Testbed ▪ Maintaining Persistence with Fileless Techniques
▪ Static Malware Analysis ▪ Fileless Malware
o File Fingerprinting ▪ Fileless Malware Obfuscation Techniques to Bypass Antivirus
o Local and Online Malware Scanning AI-based Malware Concepts
o Performing Strings Search ▪ What is AI-based Malware?
o Identifying Packing/Obfuscation Methods o Working of AI-based Malware
• Identifying Packing/Obfuscation Method of ELF Malware ▪ Indicators of AI-based Malware
• Detect It Easy (DIE) ▪ Challenges of AI-based Malware
o Finding the Portable Executables (PE) Information ▪ Techniques Used in AI-based Malware Development
o Identifying File Dependencies o Generative Adversarial Networks (GANs)
o Malware Disassembly o Reinforcement Learning
• Ghidra o Natural Language Processing (NLP)
• x64dbg ▪ Examples of AI-based Malware
o Analyzing ELF Executable Files o AI-Generated Videos: Malware Spread Through YouTube
o Analyzing Mach Object (Mach-O) Executable Files Malware Analysis

 

CEHv12 CEHv13
o Analyzing Malicious MS Office Documents ▪ What is Sheep Dip Computer?
• Finding Suspicious Components ▪ Antivirus Sensor Systems
• Finding Macro Streams ▪ Introduction to Malware Analysis
• Dumping Macro Streams ▪ Malware Analysis Procedure
• Identifying Suspicious VBA Keywords ▪ Preparing Testbed
▪ Dynamic Malware Analysis ▪ Static Malware Analysis
o Port Monitoring o File Fingerprinting
o Process Monitoring o Local and Online Malware Scanning
o Registry Monitoring o Performing Strings Search
o Windows Services Monitoring o Identifying Packing/Obfuscation Methods
o Startup Programs Monitoring o Finding the Portable Executables (PE) Information
o Event Logs Monitoring/Analysis o Identifying File Dependencies
o Installation Monitoring o Malware Disassembly
o Files and Folders Monitoring o Analyzing ELF Executable Files
o Device Drivers Monitoring o Analyzing Mach Object (Mach-O) Executable Files
o Network Traffic Monitoring/Analysis o Analyzing Malicious MS Office Documents
o DNS Monitoring/Resolution o Analyzing Suspicious PDF Document
o API Calls Monitoring o Analyzing Suspicious Documents Using YARA
o System Calls Monitoring ▪ Dynamic Malware Analysis
▪ Virus Detection Methods o Port Monitoring
▪ Trojan Analysis: ElectroRAT o Process Monitoring
o ElectroRAT Malware Attack Phases o Registry Monitoring
• Initial propagation and Infection o Windows Services Monitoring
• Deploying Malware o Startup Programs Monitoring
• Exploitation o Event Logs Monitoring/Analysis
• Maintaining Persistence o Installation Monitoring
▪ Virus Analysis: REvil Ransomware o Files and Folders Monitoring
o REvil Ransomware Attack Stages o Device Drivers Monitoring
• Initial Access o Network Traffic Monitoring/Analysis
• Download and Execution o DNS Monitoring/Resolution
• Exploitation o API Calls Monitoring
• Lateral Movement / Defense Evasion and Discovery o System Calls Monitoring
• Credential Access and Exfiltration / Command and Control o Scheduled Tasks Monitoring
▪ Fileless Malware Analysis: SockDetour o Browser Activity Monitoring
o SockDetour Fileless Malware Attack Stages ▪ Virus Detection Methods
• Pre-exploitation ▪ Malware Code Emulation
• Initial infection ▪ Malware Code Instrumentation
• Exploitation ▪ Trojan Analysis: Coyote
• Post-exploitation o Coyote Malware Attack Phases
• Client Authentication and C2 Communication After Exploitation ▪ Virus Analysis: GhostLocker 2.0
• Plugin Loading Feature o GhostLocker 2.0 Malware Attack

 

CEHv12 CEHv13
Malware Countermeasures ▪ Fileless Malware Analysis: PyLoose
▪ Trojan Countermeasures o PyLoose Malware Attack Phases
▪ Backdoor Countermeasures ▪ AI-based Malware Analysis: FakeGPT
▪ Virus and Worm Countermeasures o FakeGPT Malware Attack Phases
▪ Fileless Malware Countermeasures Malware Countermeasures
Anti-Malware Software ▪ Trojan Countermeasures
▪ Anti-Trojan Software ▪ Backdoor Countermeasures
▪ Antivirus Software ▪ Virus and Worm Countermeasures
▪ Fileless Malware Detection Tools ▪ Fileless Malware Countermeasures
▪ Fileless Malware Protection Tools ▪ AI-based Malware Countermeasures
▪ Adware Countermeasures
▪ APT Countermeasures
Anti-Malware Software
▪ Anti-Trojan Software
▪ Antivirus Software
▪ Fileless Malware Detection Tools
▪ Fileless Malware Protection Tools
▪ AI-Powered Malware Detection and Analysis Tools
▪ Endpoint Detection and Response (EDR/XDR) Tools
Module 08: Sniffing Module 08: Sniffing
Sniffing Concepts Sniffing Concepts
▪ Network Sniffing ▪ Network Sniffing
▪ Types of Sniffing ▪ How a Sniffer Works
▪ How an Attacker Hacks the Network Using Sniffers ▪ Types of Sniffing
▪ Protocols Vulnerable to Sniffing o Passive Sniffing
▪ Sniffing in the Data Link Layer of the OSI Model o Active Sniffing
▪ Hardware Protocol Analyzers ▪ How an Attacker Hacks the Network Using Sniffers
▪ SPAN Port ▪ Protocols Vulnerable to Sniffing
▪ Wiretapping ▪ Sniffing in the Data Link Layer of the OSI Model
▪ Lawful Interception ▪ Hardware Protocol Analyzers
Sniffing Technique: MAC Attacks ▪ SPAN Port
▪ MAC Address/CAM Table ▪ Wiretapping
▪ How CAM Works ▪ Lawful Interception
▪ What Happens When a CAM Table Is Full? Sniffing Technique: MAC Attacks
▪ MAC Flooding ▪ MAC Address
▪ Switch Port Stealing ▪ CAM Table
▪ How to Defend against MAC Attacks ▪ How CAM Works

 

CEHv12 CEHv13
Sniffing Technique: DHCP Attacks ▪ What Happens when a CAM Table is Full?
▪ How DHCP Works ▪ MAC Flooding
▪ DHCP Request/Reply Messages ▪ Switch Port Stealing
▪ DHCP Starvation Attack ▪ How to Defend against MAC Attacks
▪ Rogue DHCP Server Attack Sniffing Technique: DHCP Attacks
▪ How to Defend Against DHCP Starvation and Rogue Server Attacks ▪ How DHCP Works
o MAC Limiting Configuration on Juniper Switches ▪ DHCP Request/Reply Messages
o Configuring DHCP Filtering on a Switch ▪ IPv4 DHCP Packet Format
Sniffing Technique: ARP Poisoning ▪ DHCP Starvation Attack
▪ What Is Address Resolution Protocol (ARP)? ▪ Rogue DHCP Server Attack
▪ ARP Spoofing Attack ▪ DHCP Attack Tools
▪ Threats of ARP Poisoning ▪ How to Defend Against DHCP Starvation and Rogue Server Attacks
▪ ARP Poisoning Tools Sniffing Technique: ARP Poisoning
o Habu ▪ What Is Address Resolution Protocol (ARP)?
▪ How to Defend Against ARP Poisoning ▪ ARP Spoofing Attack
▪ Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches ▪ Threats of ARP Poisoning
▪ ARP Spoofing Detection Tools ▪ ARP Spoofing/Poisoning Tools
Sniffing Technique: Spoofing Attacks ▪ How to Defend Against ARP Poisoning
▪ MAC Spoofing/Duplicating ▪ Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
▪ MAC Spoofing Technique: Windows ▪ ARP Spoofing Detection Tools
▪ MAC Spoofing Tools Sniffing Technique: Spoofing Attacks
▪ IRDP Spoofing ▪ MAC Spoofing/Duplicating
▪ VLAN Hopping ▪ MAC Spoofing Technique: Windows
▪ STP Attack ▪ MAC Spoofing Tools
▪ How to Defend Against MAC Spoofing ▪ IRDP Spoofing
▪ How to Defend Against VLAN Hopping ▪ VLAN Hopping
▪ How to Defend Against STP Attacks ▪ STP Attack
Sniffing Technique: DNS Poisoning ▪ How to Defend Against MAC Spoofing
▪ DNS Poisoning Techniques ▪ How to Defend Against VLAN Hopping
o Intranet DNS Spoofing ▪ How to Defend Against STP Attacks
o Internet DNS Spoofing Sniffing Technique: DNS Poisoning
o Proxy Server DNS Poisoning ▪ DNS Poisoning Techniques
o DNS Cache Poisoning o Intranet DNS Spoofing
• SAD DNS Attack o Internet DNS Spoofing
▪ DNS Poisoning Tools o Proxy Server DNS Poisoning
▪ How to Defend Against DNS Spoofing o DNS Cache Poisoning

 

CEHv12 CEHv13
Sniffing Tools ▪ DNS Poisoning Tools
▪ Sniffing Tool: Wireshark ▪ How to Defend Against DNS Spoofing
o Follow TCP Stream in Wireshark Sniffing Tools
o Display Filters in Wireshark ▪ Wireshark
o Additional Wireshark Filters o Follow TCP Stream in Wireshark
▪ Sniffing Tools o Display Filters in Wireshark
o RITA (Real Intelligence Threat Analytics) o Additional Wireshark Filters
▪ Packet Sniffing Tools for Mobile Phones ▪ Sniffing Tools
Sniffing Countermeasures Sniffing Countermeasures
▪ How to Defend Against Sniffing ▪ How to Defend Against Sniffing
▪ How to Detect Sniffing ▪ How to Detect Sniffing
▪ Sniffer Detection Techniques ▪ Sniffer Detection Techniques
o Ping Method ▪ Promiscuous Detection Tools
o DNS Method
o ARP Method
▪ Promiscuous Detection Tools
Module 09: Social Engineering Module 09: Social Engineering
Social Engineering Concepts Social Engineering Concepts
▪ What is Social Engineering? ▪ What is Social Engineering?
▪ Phases of a Social Engineering Attack o Common Targets of Social Engineering
Social Engineering Techniques o Impact of Social Engineering Attack on an Organization
▪ Types of Social Engineering o Behaviors Vulnerable to Attacks
▪ Human-based Social Engineering o Factors that Make Companies Vulnerable to Attacks
o Impersonation o Why is Social Engineering Effective?
o Impersonation (Vishing) ▪ Phases of a Social Engineering Attack
o Eavesdropping ▪ Types of Social Engineering
o Shoulder Surfing Human-based Social Engineering Techniques
o Dumpster Diving ▪ Impersonation
o Reverse Social Engineering ▪ Impersonation (Vishing)
o Piggybacking ▪ Eavesdropping
o Tailgating ▪ Shoulder Surfing
o Diversion Theft ▪ Dumpster Diving
o Honey Trap ▪ Reverse Social Engineering
o Baiting ▪ Piggybacking
o Quid Pro Quo ▪ Tailgating
o Elicitation ▪ Diversion Theft
▪ Computer-based Social Engineering ▪ Honey Trap
o Phishing ▪ Baiting
• Examples of Phishing Emails ▪ Quid Pro Quo

 

CEHv12 CEHv13
• Types of Phishing ▪ Elicitation
✓ Spear Phishing ▪ Bait and Switching
✓ Whaling Computer-based Social Engineering Techniques
✓ Pharming ▪ Phishing
✓ Spimming o Examples of Phishing Emails
✓ Angler Phishing o Types of Phishing
✓ Catfishing Attack o Phishing Tools
✓ Deepfake Attacks ▪ Crafting Phishing Emails with ChatGPT
o Phishing Tools ▪ Other Techniques for Computer-based Social Engineering
▪ Mobile-based Social Engineering ▪ Perform Impersonation using AI: Create Deepfake Videos
o Publishing Malicious Apps ▪ Perform Impersonation using AI: Voice Cloning
o Repackaging Legitimate Apps ▪ Perform Impersonation on Social Networking Sites
o Fake Security Applications ▪ Impersonation on Facebook
o SMiShing (SMS Phishing) ▪ Social Networking Threats to Corporate Networks
Insider Threats ▪ Identity Theft
▪ Insider Threats/Insider Attacks o Types of Identity Theft
▪ Types of Insider Threats o Common Techniques Attackers Use to Obtain Personal Information for Identity Theft
o Accidental Insider o Indications of Identity Theft
▪ Behavioral Indications of an Insider Threat Mobile-based Social Engineering Techniques
Impersonation on Social Networking Sites ▪ Publishing Malicious Apps
▪ Social Engineering through Impersonation on Social Networking Sites ▪ Repackaging Legitimate Apps
▪ Impersonation on Facebook ▪ Fake Security Applications
▪ Social Networking Threats to Corporate Networks ▪ SMiShing (SMS Phishing)
Identity Theft ▪ QRLJacking
▪ Identity Theft Social Engineering Countermeasures
Social Engineering Countermeasures ▪ Social Engineering Countermeasures
▪ Social Engineering Countermeasures ▪ How to Defend against Phishing Attacks?
▪ How to Defend against Phishing Attacks? ▪ Identity Theft Countermeasures
▪ Detecting Insider Threats ▪ Voice Cloning Countermeasures
▪ Insider Threats Countermeasures ▪ Deepfake Attack Countermeasures
▪ Identity Theft Countermeasures ▪ How to Detect Phishing Emails?
▪ How to Detect Phishing Emails? ▪ Anti-Phishing Toolbar
▪ Anti-Phishing Toolbar ▪ Common Social Engineering Targets and Defense Strategies
▪ Common Social Engineering Targets and Defense Strategies ▪ Audit Organization's Security for Phishing Attacks using OhPhish
▪ Social Engineering Tools
▪ Audit Organization's Security for Phishing Attacks using OhPhish

 

CEHv12 CEHv13
Module 10: Denial-of-Service Module 10: Denial-of-Service
DoS/DDoS Concepts DoS/DDoS Concepts
▪ What is a DoS Attack? ▪ What is a DoS Attack?
▪ What is a DDoS Attack? ▪ What is a DDoS Attack?
Botnets o How do DDoS Attacks Work?
▪ Organized Cyber Crime: Organizational Chart Botnets
▪ Botnets ▪ Organized Cyber Crime: Organizational Chart
▪ A Typical Botnet Setup ▪ Botnets
▪ Botnet Ecosystem ▪ A Typical Botnet Setup
▪ Scanning Methods for Finding Vulnerable Machines ▪ Botnet Ecosystem
▪ How Does Malicious Code Propagate? ▪ Scanning Methods for Finding Vulnerable Machines
DoS/DDoS Attack Techniques ▪ How Does Malicious Code Propagate?
▪ Basic Categories of DoS/DDoS Attack Vectors DDoS Case Study
o Volumetric Attacks ▪ DDoS Attack
• UDP Flood Attack ▪ Hackers Advertise Links for Downloading Botnets
• ICMP Flood Attack ▪ Use of Mobile Devices as Botnets for Launching DDoS Attacks
• Ping of Death and Smurf Attacks ▪ DDoS Case Study: HTTP/2 'Rapid Reset' Attack on Google Cloud
• Pulse Wave and Zero-Day DDoS Attacks DoS/DDoS Attack Techniques
o Protocol Attacks ▪ Basic Categories of DoS/DDoS Attack Vectors
• SYN Flood Attack ▪ DoS/DDoS Attack Techniques
• Fragmentation Attack o UDP Flood Attack
• Spoofed Session Flood Attack o ICMP Flood Attack
o Application Layer Attacks o Ping of Death Attack
• HTTP GET/POST and Slowloris Attacks o Smurf Attack
• UDP Application Layer Flood Attack o Pulse Wave DDoS Attack
▪ Multi-Vector Attack o Zero-Day DDoS Attack
▪ Peer-to-Peer Attack o NTP Amplification Attack
▪ Permanent Denial-of-Service Attack o SYN Flood Attack
▪ TCP SACK Panic o Fragmentation Attack
▪ Distributed Reflection Denial-of-Service (DRDoS) Attack o Spoofed Session Flood Attack
▪ DDoS Extortion/Ransom DDoS (RDDoS) Attack o HTTP GET/POST Attack
▪ DoS/DDoS Attack Tools o Slowloris Attack
▪ DoS and DDoS Attack Tools for Mobiles o UDP Application Layer Flood Attack
DDoS Case Study o Multi-Vector Attack
▪ DDoS Attack o Peer-to-Peer Attack
▪ Hackers Advertise Links for Downloading Botnets o Permanent Denial-of-Service Attack
▪ Use of Mobile Devices as Botnets for Launching DDoS Attacks o TCP SACK Panic Attack
▪ DDoS Case Study: DDoS Attack on Microsoft Azure o Distributed Reflection Denial-of-Service (DRDoS) Attack

 

CEHv12 CEHv13
DoS/DDoS Attack Countermeasures o DDoS Extortion/Ransom DDoS (RDDoS) Attack
▪ Detection Techniques ▪ DoS/DDoS Attack Toolkits in the Wild
▪ DoS/DDoS Countermeasure Strategies DoS/DDoS Attack Countermeasures
▪ DDoS Attack Countermeasures ▪ Detection Techniques
o Protect Secondary Victims ▪ DoS/DDoS Countermeasure Strategies
o Detect and Neutralize Handlers ▪ DDoS Attack Countermeasures
o Prevent Potential Attacks o Protect Secondary Victims
o Deflect Attacks o Detect and Neutralize Handlers
o Mitigate Attacks o Prevent Potential Attacks
o Post-Attack Forensics o Deflect Attacks
▪ Techniques to Defend against Botnets o Mitigate Attacks
▪ Additional DoS/DDoS Countermeasures o Post-Attack Forensics
▪ DoS/DDoS Protection at ISP Level ▪ Techniques to Defend against Botnets
▪ Enabling TCP Intercept on Cisco IOS Software ▪ Additional DoS/DDoS Countermeasures
▪ Advanced DDoS Protection Appliances ▪ DoS/DDoS Protection at ISP Level
▪ DoS/DDoS Protection Tools ▪ Enabling TCP Intercept on Cisco IOS Software
▪ DoS/DDoS Protection Services ▪ Advanced DDoS Protection Appliances
▪ DoS/DDoS Protection Tools
▪ DoS/DDoS Protection Services
Module 11: Session Hijacking Module 11: Session Hijacking
Session Hijacking Concepts Session Hijacking Concepts
▪ What is Session Hijacking? ▪ What is Session Hijacking?
▪ Why is Session Hijacking Successful? ▪ Why is Session Hijacking Successful?
▪ Session Hijacking Process ▪ Session Hijacking Process
▪ Packet Analysis of a Local Session Hijack ▪ Packet Analysis of a Local Session Hijack
▪ Types of Session Hijacking ▪ Types of Session Hijacking
▪ Session Hijacking in OSI Model ▪ Session Hijacking in OSI Model
▪ Spoofing vs. Hijacking ▪ Spoofing vs. Hijacking
Application-Level Session Hijacking Application-Level Session Hijacking
▪ Application-Level Session Hijacking ▪ Compromising Session IDs Using Sniffing
▪ Compromising Session IDs using Sniffing and by Predicting Session Token ▪ Compromising Session IDs by Predicting Session Token
o How to Predict a Session Token o How to Predict a Session Token
▪ Compromising Session IDs Using Man-in-the-Middle/Manipulator-in-the-Middle Attack ▪ Compromising Session IDs Using Man-in-the-Middle/Manipulator-in-the-Middle Attack
▪ Compromising Session IDs Using Man-in-the-Browser/Manipulator-in-the-Browser Attack ▪ Compromising Session IDs Using Man-in-the-Browser/Manipulator-in-the- Browser Attack
o Steps to Perform Man-in-the-Browser Attack ▪ Compromising Session IDs Using Client-side Attacks
▪ Compromising Session IDs Using Client-side Attacks ▪ Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack

 

CEHv12 CEHv13
▪ Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack ▪ Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack
▪ Compromising Session IDs Using Client-side Attacks: Cross-site Request Forgery Attack ▪ Compromising Session IDs Using Session Replay Attacks
▪ Compromising Session IDs Using Session Replay Attacks ▪ Compromising Session IDs Using Session Fixation
▪ Compromising Session IDs Using Session Fixation ▪ Session Hijacking Using Proxy Servers
▪ Session Hijacking Using Proxy Servers ▪ Session Hijacking Using CRIME Attack
▪ Session Hijacking Using CRIME Attack ▪ Session Hijacking Using Forbidden Attack
▪ Session Hijacking Using Forbidden Attack ▪ Session Hijacking Using Session Donation Attack
▪ Session Hijacking Using Session Donation Attack Network-Level Session Hijacking
▪ PetitPotam Hijacking ▪ Three-way Handshake
Network-Level Session Hijacking ▪ TCP/IP Hijacking
▪ Network Level Session Hijacking ▪ IP Spoofing: Source Routed Packets
▪ TCP/IP Hijacking ▪ RST Hijacking
▪ IP Spoofing: Source Routed Packets ▪ Blind Hijacking
▪ RST Hijacking ▪ UDP Hijacking
▪ Blind and UDP Hijacking ▪ MITM Attack Using Forged ICMP and ARP Spoofing
▪ MiTM Attack Using Forged ICMP and ARP Spoofing ▪ PetitPotam Hijacking
Session Hijacking Tools Session Hijacking Tools
▪ Session Hijacking Tools Session Hijacking Countermeasures
o Hetty ▪ Session Hijacking Detection Methods
▪ Session Hijacking Tools for Mobile Phones ▪ Protecting against Session Hijacking
Session Hijacking Countermeasures ▪ Web Development Guidelines to Prevent Session Hijacking
▪ Session Hijacking Detection Methods ▪ Web User Guidelines to Prevent Session Hijacking
▪ Protecting against Session Hijacking ▪ Session Hijacking Detection Tools
▪ Web Development Guidelines to Prevent Session Hijacking ▪ Approaches to Prevent Session Hijacking
▪ Web User Guidelines to Prevent Session Hijacking ▪ Approaches to Prevent MITM Attacks
▪ Session Hijacking Detection Tools ▪ IPsec
▪ Approaches Causing Vulnerability to Session Hijacking and their Preventative Solutions ▪ Session Hijacking Prevention Tools
▪ Approaches to Prevent Session Hijacking
o HTTP Referrer Header
▪ Approaches to Prevent MITM Attacks
o DNS over HTTPS
o Password Manager
o Zero-trust Principles
▪ IPsec
o IPsec Authentication and Confidentiality
▪ Session Hijacking Prevention Tools

 

CEHv12 CEHv13
Module 12: Evading IDS, Firewalls, and Honeypots Module 12: Evading IDS, Firewalls, and Honeypots
IDS, IPS, Firewall, and Honeypot Concepts IDS, IPS, and Firewall Concepts
▪ Intrusion Detection System (IDS) ▪ Intrusion Detection System (IDS)
o How an IDS Detects an Intrusion? o Intrusion Prevention System (IPS)
o General Indications of Intrusions o How an IDS Detects an Intrusion?
o Types of Intrusion Detection Systems o General Indications of Intrusions
o Types of IDS Alerts o Types of Intrusion Detection Systems
▪ Intrusion Prevention System (IPS) o Types of IDS Alerts
▪ Firewall ▪ Firewall
o Firewall Architecture o Firewall Architecture
o Demilitarized Zone (DMZ) o Demilitarized Zone (DMZ)
o Types of Firewalls o Types of Firewalls
o Firewall Technologies • Types of Firewalls Based on Configuration
• Packet Filtering Firewall • Types of Firewalls Based on Working Mechanism
• Circuit-Level Gateway Firewall o Packet Filtering Firewall
• Application-Level Firewall o Circuit-Level Gateway Firewall
• Stateful Multilayer Inspection Firewall o Application-Level Firewall
• Application Proxy o Stateful Multilayer Inspection Firewall
• Network Address Translation (NAT) o Application Proxy
• Virtual Private Network o Network Address Translation (NAT)
o Firewall Limitations o Virtual Private Network
▪ Honeypot o Next-Generation Firewalls (NGFWs)
o Types of Honeypots o Firewall Limitations
IDS, IPS, Firewall, and Honeypot Solutions IDS, IPS, and Firewall Solutions
▪ Intrusion Detection using YARA Rules ▪ Intrusion Detection using YARA Rules
▪ Intrusion Detection Tools ▪ Intrusion Detection Tools
o Snort ▪ Intrusion Prevention Tools
• Snort Rules ▪ Firewalls
• Snort Rules: Rule Actions and IP Protocols Evading IDS/Firewalls
• Snort Rules: The Direction Operator and IP Addresses ▪ IDS/Firewall Evasion Techniques
• Snort Rules: Port Numbers o IDS/Firewall Identification
• Intrusion Detection Tools o IP Address Spoofing
o Intrusion Detection Tools for Mobile Devices o Source Routing
▪ Intrusion Prevention Tools o Tiny Fragments
▪ Firewalls o Bypass Blocked Sites Using an IP Address in Place of a URL
o Firewalls for Mobile Devices o Bypass Blocked Sites Using Anonymous Website Surfing Sites
▪ Honeypot Tools o Bypass an IDS/Firewall Using a Proxy Server

 

CEHv12 CEHv13
Evading IDS o Bypassing an IDS/Firewall through the ICMP Tunneling Method
▪ IDS Evasion Techniques o Bypassing an IDS/Firewall through the ACK Tunneling method
o Insertion Attack o Bypassing an IDS/Firewall through the HTTP Tunneling Method
o Evasion o Bypassing Firewalls through the SSH Tunneling Method
o Denial-of-Service Attack (DoS) o Bypassing Firewalls through the DNS Tunneling Method
o Obfuscating o Bypassing an IDS/Firewall through External Systems
o False Positive Generation o Bypassing an IDS/Firewall through MITM Attacks
o Session Splicing o Bypassing an IDS/Firewall through Content
o Unicode Evasion Technique o Bypassing an IDS/WAF using an XSS Attack
o Fragmentation Attack o Other Techniques for Bypassing WAF
o Overlapping Fragments o Bypassing an IDS/Firewall through HTML Smuggling
o Time-To-Live Attacks o Evading an IDS/Firewall through Windows BITS
o Invalid RST Packets ▪ Other Techniques for IDS Evasion
o Urgency Flag o Insertion Attack
o Polymorphic Shellcode o Evasion
o ASCII Shellcode o Denial-of-Service Attack (DoS)
o Application-Layer Attacks o Obfuscating
o Desynchronization o False Positive Generation
o Other Types of Evasion o Session Splicing
Evading Firewalls o Unicode Evasion Technique
▪ Firewall Evasion Techniques o Fragmentation Attack
o Firewall Identification o Time-To-Live Attacks
o IP Address Spoofing o Urgency Flag
o Source Routing o Invalid RST Packets
o Tiny Fragments o Polymorphic Shellcode
o Bypass Blocked Sites Using an IP Address in Place of a URL o ASCII Shellcode
o Bypass Blocked Sites Using Anonymous Website Surfing Sites o Application-Layer Attacks
o Bypass a Firewall Using a Proxy Server o Desynchronization
o Bypassing Firewalls through the ICMP Tunneling Method o Domain Generation Algorithms (DGA)
o Bypassing Firewalls through the ACK Tunneling Method o Encryption
o Bypassing Firewalls through the HTTP Tunneling Method o Flooding
• Why do I Need HTTP Tunneling? Evading NAC and Endpoint Security
• HTTP Tunneling Tools ▪ NAC and Endpoint Security Evasion Techniques
o Bypassing Firewalls through the SSH Tunneling Method ▪ Bypassing NAC using VLAN Hopping
• SSH Tunneling Tools: Bitvise and Secure Pipes ▪ Bypassing NAC using Pre-authenticated Device

 

CEHv12 CEHv13
o Bypassing Firewalls through the DNS Tunneling Method ▪ Bypassing Endpoint Security using Ghostwriting
o Bypassing Firewalls through External Systems ▪ Bypassing Endpoint Security using Application Whitelisting
o Bypassing Firewalls through MITM Attacks ▪ Bypassing Endpoint Security by Dechaining Macros
o Bypassing Firewalls through Content ▪ Bypassing Endpoint Security by Clearing Memory Hooks
o Bypassing the WAF using an XSS Attack ▪ Bypassing Endpoint Security by Process Injection
o Other Techniques for Bypassing WAF ▪ Bypassing the EDR using LoLBins
• Using HTTP Header Spoofing ▪ Bypassing Endpoint Security by CPL (Control Panel) Side-Loading
• Using Blacklist Detection ▪ Bypassing Endpoint Security using ChatGPT
• Using Fuzzing/Bruteforcing ▪ Bypassing Antivirus using Metasploit Templates
• Abusing SSL/TLS ciphers ▪ Bypassing Windows Antimalware Scan Interface (AMSI)
o Bypassing Firewalls through HTML Smuggling ▪ Other Techniques for Bypassing Endpoint Security
o Bypassing Firewalls through Windows BITS IDS/Firewall Evading Tools
Evading NAC and Endpoint Security ▪ Packet Fragment Generator Tools
▪ Bypassing NAC using VLAN Hopping Honeypot Concepts
▪ Bypassing NAC using Pre-authenticated Device ▪ Honeypot
▪ Bypassing Endpoint Security using Ghostwriting o Types of Honeypots
▪ Bypassing Endpoint Security using Application Whitelisting o Honeypot Tools
▪ Bypassing Endpoint Security using XLM Weaponization ▪ Detecting Honeypots
▪ Bypassing Endpoint Security by Dechaining Macros ▪ Detecting and Defeating Honeypots
▪ Bypassing Endpoint Security by Clearing Memory Hooks ▪ Honeypot Detection Tools
▪ Bypassing Antivirus using Metasploit Templates IDS/Firewall Evasion Countermeasures
▪ Bypassing Symantec Endpoint Protection ▪ How to Defend Against IDS Evasion
▪ Other Techniques for Bypassing Endpoint Security ▪ How to Defend Against Firewall Evasion
o Hosting Phishing Sites ▪ How to Defend Against Endpoint Security Evasion
o Passing Encoded Commands ▪ How to Defend Against NAC Evasion
o Fast Flux DNS Method ▪ How to Defend Against Anti-virus Evasion
o Timing-based Evasion
o Signed Binary Proxy Execution
IDS/Firewall Evading Tools
▪ IDS/Firewall Evading Tools
▪ Packet Fragment Generator Tools
Detecting Honeypots
▪ Detecting Honeypots
o Detecting and Defeating Honeypots
▪ Honeypot Detection Tools: Send-Safe Honeypot Hunter
IDS/Firewall Evasion Countermeasures
▪ How to Defend Against IDS Evasion
▪ How to Defend Against Firewall Evasion

 

CEHv12 CEHv13
Module 13: Hacking Web Servers Module 13: Hacking Web Servers
Web Server Concepts Web Server Concepts
▪ Web Server Operations ▪ Web Server Operations
▪ Web Server Security Issues ▪ Web Server Security Issues
▪ Why are Web Servers Compromised? ▪ Why are Web Servers Compromised?
Web Server Attacks ▪ Apache Web Server Architecture
▪ DNS Server Hijacking o Apache Vulnerabilities
▪ DNS Amplification Attack ▪ IIS Web Server Architecture
▪ Directory Traversal Attacks o IIS Vulnerabilities
▪ Website Defacement ▪ NGINX Web Server Architecture
▪ Web Server Misconfiguration o NGINX Vulnerabilities
▪ HTTP Response-Splitting Attack Web Server Attacks
▪ Web Cache Poisoning Attack ▪ DNS Server Hijacking
▪ SSH Brute Force Attack ▪ DNS Amplification Attack
o Web Server Password Cracking ▪ Directory Traversal Attacks
▪ Other Web Server Attacks ▪ Website Defacement
o DoS/DDoS Attacks ▪ Web Server Misconfiguration
o Man-in-the-Middle Attack ▪ HTTP Response-Splitting Attack
o Phishing Attacks ▪ Web Cache Poisoning Attack
o Web Application Attacks ▪ SSH Brute Force Attack
Web Server Attack Methodology ▪ FTP Brute Force with AI
▪ Information Gathering ▪ HTTP/2 Continuation Flood Attack
o Information Gathering from Robots.txt File ▪ Frontjacking Attack
▪ Web Server Footprinting/Banner Grabbing ▪ Other Web Server Attacks
o Web Server Footprinting Tools o Web Server Password Cracking
o Enumerating Web Server Information Using Nmap o DoS/DDoS Attacks
▪ Website Mirroring o Man-in-the-Middle Attack
o Finding Default Credentials of Web Server o Phishing Attacks
o Finding Default Content of Web Server o Web Application Attacks
o Finding Directory Listings of Web Server Web Server Attack Methodology
• Dirhunt ▪ Information Gathering
▪ Vulnerability Scanning o Information Gathering from Robots.txt File
o Finding Exploitable Vulnerabilities ▪ Web Server Footprinting/Banner Grabbing
▪ Session Hijacking o Web Server Footprinting Tools
▪ Web Server Password Hacking o Web Server Footprinting with AI
▪ Using Application Server as a Proxy o Web Server Footprinting using Netcat with AI
▪ Web Server Attack Tools ▪ IIS Information Gathering using Shodan
o Metasploit ▪ Abusing Apache mod_userdir to Enumerate User Accounts

 

CEHv12 CEHv13
• Metasploit Exploit Module ▪ Enumerating Web Server Information Using Nmap
• Metasploit Payload and Auxiliary Modules ▪ Finding Default Credentials of Web Server
• Metasploit NOPS Module ▪ Finding Default Content of Web Server
o Web Server Attack Tools ▪ Directory Brute Forcing
Web Server Attack Countermeasures o Directory Brute Forcing with AI
▪ Place Web Servers in Separate Secure Server Security Segment on Network ▪ Vulnerability Scanning
▪ Countermeasures o NGINX Vulnerability Scanning using Nginxpwner
o Patches and Updates ▪ Finding Exploitable Vulnerabilities
o Protocols and Accounts o Finding Exploitable Vulnerabilities with AI
o Files and Directories ▪ Session Hijacking
▪ Detecting Web Server Hacking Attempts ▪ Web Server Password Hacking
▪ How to Defend Against Web Server Attacks ▪ Using Application Server as a Proxy
▪ How to Defend against HTTP Response-Splitting and Web Cache Poisoning ▪ Path Traversal via Misconfigured NGINX Alias
▪ How to Defend against DNS Hijacking ▪ Web Server Attack Tools
▪ Web Server Security Tools Web Server Attack Countermeasures
o Web Application Security Scanners ▪ Place Web Servers in Separate Secure Server Security Segment on Network
o Web Server Security Scanners ▪ Countermeasures: Patches and Updates
o Web Server Malware Infection Monitoring Tools ▪ Countermeasures: Protocols and Accounts
o Web Server Security Tools ▪ Countermeasures: Files and Directories
o Web Server Pen Testing Tools ▪ Detecting Web Server Hacking Attempts
Patch Management ▪ How to Defend against Web Server Attacks
▪ Patches and Hotfixes ▪ How to Defend against HTTP Response-Splitting and Web Cache Poisoning
▪ What is Patch Management? ▪ How to Defend against DNS Hijacking
▪ Installation of a Patch ▪ Web Application Security Scanners
▪ Patch Management Tools ▪ Web Server Security Scanners
▪ Web Server Malware Infection Monitoring Tools
▪ Web Server Security Tools
▪ Web Server Pen Testing Tools
Patch Management
▪ Patches and Hotfixes
▪ What is Patch Management?
▪ Installation of a Patch
▪ Patch Management Best Practices
▪ Patch Management Tools

 

 

CEHv12 CEHv13
Module 14: Hacking Web Applications Module 14: Hacking Web Applications
Web Application Concepts Web Application Concepts
▪ Introduction to Web Applications ▪ Introduction to Web Applications
▪ Web Application Architecture ▪ Web Application Architecture
▪ Web Services ▪ Web Services
▪ Vulnerability Stack ▪ Vulnerability Stack
Web Application Threats Web Application Threats
▪ OWASP Top 10 Application Security Risks - 2021 ▪ OWASP Top 10 Application Security Risks – 2021
o A01 - Broken Access Control o A01 – Broken Access Control
o A02 - Cryptographic Failures/Sensitive Data Exposure o A02 – Cryptographic Failures/Sensitive Data Exposure
o A03 - Injection Flaws o A03 – Injection Flaws
• SQL Injection Attacks o A04 – Insecure Design
• Command Injection Attacks o A05 – Security Misconfiguration
• Command Injection Example o A06 – Vulnerable and Outdated Components/Using Components with Known Vulnerabilities
• File Injection Attack o A07 – Identification and Authentication Failures/Broken Authentication
• LDAP Injection Attacks o A08 – Software and Data Integrity Failures
• Other Injection Attacks o A09 – Security Logging and Monitoring Failures/Insufficient Logging and Monitoring
✓ JNDI Injection o A10 – Server-Side Request Forgery (SSRF)
• Cross-Site Scripting (XSS) Attacks ▪ Web Application Attacks
✓ Cross-Site Scripting Attack Scenario: Attack via Email o Directory Traversal
✓ XSS Attack in Blog Posting o Hidden Field Manipulation Attack
✓ XSS Attack in Comment Field o Pass-the-Cookie Attack
o A04 - Insecure Design o Same-Site Attack
o A05 - Security Misconfiguration o SQL Injection Attacks
• XML External Entity (XXE) o Command Injection Attacks
o A06 - Vulnerable and Outdated Components/Using Components with Known Vulnerabilities o Command Injection Example
o A07 - Identification and Authentication Failures/Broken Authentication o File Injection Attack
o A08 - Software and Data Integrity Failures o LDAP Injection Attacks
• Insecure Deserialization o Other Injection Attacks
o A09 - Security Logging and Monitoring Failures/Insufficient Logging and Monitoring o Cross-Site Scripting (XSS) Attacks
o A10 - Server-Side Request Forgery (SSRF) o Cross-Site Scripting Attack Scenario: Attack via Email
• Types of Server-Side Request Forgery (SSRF) Attack o XSS Attack in Blog Posting
✓ Injecting SSRF payload o XSS Attack in Comment Field
✓ Cross-Site Port Attack (XSPA) o Techniques to Evade XSS Filters

 

 

CEHv12 CEHv13
▪ Other Web Application Threats o Web-based Timing Attacks
o Directory Traversal o XML External Entity (XXE) Attack
o Unvalidated Redirects and Forwards o Unvalidated Redirects and Forwards
• Open Redirection o Magecart Attack
• Header-Based Open Redirection o Watering Hole Attack
• JavaScript-Based Open Redirection o Cross-Site Request Forgery (CSRF) Attack
o Watering Hole Attack o Cookie/Session Poisoning
o Cross-Site Request Forgery (CSRF) Attack o Insecure Deserialization
o Cookie/Session Poisoning o Web Service Attack
o Web Service Attack o Web Service Footprinting Attack
o Web Service Footprinting Attack o Web Service XML Poisoning
o Web Service XML Poisoning o DNS Rebinding Attack
o Hidden Field Manipulation Attack o Clickjacking Attack
o Web-based Timing Attacks o MarioNet Attack
o MarioNet Attack o Other Web Application Attacks
o Clickjacking Attack Web Application Hacking Methodology
o DNS Rebinding Attack ▪ Footprint Web Infrastructure
o Same-Site Attack o Server Discovery
o Pass-the-cookie Attack o Server Discovery: Banner Grabbing
Web Application Hacking Methodology o Port and Service Discovery
▪ Web Application Hacking Methodology o Detecting Web App Firewalls and Proxies on Target Site
▪ Footprint Web Infrastructure o WAF Detection with AI
o Server Discovery o Hidden Content Discovery
o Service Discovery o Detect Load Balancers
o Server Identification/Banner Grabbing o Detecting Load Balancers using AI
o Detecting Web App Firewalls and Proxies on Target Site o Detecting Web App Technologies
o Hidden Content Discovery o WebSockets Enumeration
o Detect Load Balancers ▪ Analyze Web Applications
▪ Analyze Web Applications o Website Mirroring
o Identify Entry Points for User Input o Website Mirroring with AI
o Identify Server-Side Technologies o Website Mirroring using Httrack with AI
o Identify Server-Side Functionality o Identify Entry Points for User Input
o Identify Files and Directories o Identify Server-Side Technologies
o Identify Web Application Vulnerabilities o Identify Server Side Technologies using AI
o Map the Attack Surface o Identify Server-Side Functionality
▪ Bypass Client-side Controls o Identify Files and Directories
o Attack Hidden Form Fields o Identify Files and Directories with AI
o Attack Browser Extensions o Identify Web Application Vulnerabilities

 

 

CEHv12 CEHv13
• Attack Google Chrome Browser Extensions o Identify Web Application Vulnerabilities with AI
o Perform Source Code Review ▪ Bypass Client-side Controls
o Evade XSS Filters o Attack Hidden Form Fields
▪ Attack Authentication Mechanism o Attack Browser Extensions
o Design and Implementation Flaws in Authentication Mechanism o Attack Google Chrome Browser Extensions
o Username Enumeration o Perform Source Code Review
o Password Attacks: Password Functionality Exploits ▪ Attack Authentication Mechanism
o Password Attacks: Password Guessing and Brute-forcing o Design Flaws in Authentication Mechanism
o Password Attacks: Attack Password Reset Mechanism o Implementation Flaws in Authentication Mechanism
o Session Attacks: Session ID Prediction/Brute-forcing o Username Enumeration
o Cookie Exploitation: Cookie Poisoning o Password Attacks: Password Functionality Exploits
o Bypass Authentication: Bypass SAML-based SSO o Password Attacks: Brute-forcing
▪ Attack Authorization Schemes o Password Attacks: Attack Password Reset Mechanism
o Authorization Attack: HTTP Request Tampering o Session Attacks: Session ID Prediction/Brute-forcing
o Authorization Attack: Cookie Parameter Tampering o Cookie Exploitation: Cookie Poisoning
▪ Attack Access Controls o Bypass Authentication: Bypass SAML-based SSO
▪ Attack Session Management Mechanism o Bypass Authentication: Bypass Rate Limit
o Attacking Session Token Generation Mechanism o Bypass Authentication: Bypass Multi-Factor Authentication
o Attacking Session Tokens Handling Mechanism: Session Token Sniffing ▪ Attack Authorization Schemes
▪ Perform Injection/Input Validation Attacks o Authorization Attack
o Perform Local File Inclusion (LFI) o HTTP Request Tampering
▪ Attack Application Logic Flaws o Cookie Parameter Tampering
▪ Attack Shared Environments ▪ Attack Access Controls
▪ Attack Database Connectivity o Exploiting Insecure Access Controls
o Connection String Injection o Access Controls Attack Methods
o Connection String Parameter Pollution (CSPP) Attacks ▪ Attack Session Management Mechanism
o Connection Pool DoS o Session Management Attack
▪ Attack Web Application Client o Attacking Session Token Generation Mechanism
▪ Attack Web Services o Attacking Session Tokens Handling Mechanism: Session Token Sniffing
o Web Services Probing Attacks o Manipulating WebSocket Traffic
o Web Service Attacks: SOAP Injection ▪ Perform Injection/Input Validation Attacks
o Web Service Attacks: SOAPAction Spoofing o Injection Attacks/Input Validation Attacks
o Web Service Attacks: WS-Address Spoofing o Perform Local File Inclusion (LFI)
o Web Service Attacks: XML Injection ▪ Attack Application Logic Flaws
o Web Services Parsing Attacks ▪ Attack Shared Environments
o Web Service Attack Tools ▪ Attack Database Connectivity
▪ Additional Web Application Hacking Tools o Connection String Injection
o TIDoS-Framework o Connection String Parameter Pollution (CSPP) Attacks

 

CEHv12 CEHv13
Web API, Webhooks, and Web Shell o Connection Pool DoS
▪ What is Web API? ▪ Attack Web Application Client
o Web Services APIs ▪ Attack Web Services
▪ What are Webhooks? o Web Services Probing Attacks
▪ OWASP Top 10 API Security Risks o Web Service Attacks: SOAP Injection
▪ API Vulnerabilities o Web Service Attacks: SOAPAction Spoofing
▪ Web API Hacking Methodology o Web Service Attacks: WS-Address Spoofing
o Identify the Target o Web Service Attacks: XML Injection
o Detect Security Standards o Web Services Parsing Attacks
o Identify the Attack Surface o Web Service Attack Tools
• Analyze Web API Requests and Responses ▪ Additional Web Application Hacking Tools
o Launch Attacks ▪ Create and Run Custom Scripts to Automate Web Application Hacking Tasks With AI
• Fuzzing and Invalid Input Attacks Web API and Webhooks
• Malicious Input Attacks ▪ Web API
• Injection Attacks o Web Service APIs
• Exploiting Insecure Configurations ▪ Webhooks
• Login/ Credential Stuffing Attacks ▪ OWASP Top 10 API Security Risks
• API DDoS Attacks ▪ Webhooks Security Risks
• Authorization Attacks on API: OAuth Attacks ▪ API Vulnerabilities
✓ SSRF using Dynamic Client Registration endpoint ▪ Web API Hacking Methodology
✓ WebFinger User Enumeration o Identify the Target
✓ Exploit Flawed Scope Validation o Detect Security Standards
• Other Techniques to Hack an API o API Enumeration
o REST API Vulnerability Scanning o Identify the Attack Surface
o Bypassing IDOR via Parameter Pollution o Launch Attacks
▪ Web Shells • Other Techniques to Hack an API
o Web Shell Tools o REST API Vulnerability Scanning
▪ How to Prevent Installation of a Web Shell o Bypassing IDOR via Parameter Pollution
▪ Web Shell Detection Tools ▪ Secure API Architecture
▪ Secure API Architecture ▪ API Security Risks and Solutions
o Implementing Layered Security in an API ▪ Best Practices for API Security
▪ API Security Risks and Solutions ▪ Best Practices for Securing Webhooks
▪ Best Practices for API Security Web Application Security
▪ Best Practices for Securing Webhooks ▪ Web Application Security Testing
Web Application Security ▪ Web Application Fuzz Testing
▪ Web Application Security Testing ▪ Web Application Fuzz Testing with AI
▪ Web Application Fuzz Testing ▪ AI-Powered Fuzz Testing
▪ Source Code Review ▪ AI-Powered Static Application Security Testing (SAST)

 

 

CEHv12 CEHv13
▪ Encoding Schemes ▪ AI-Powered Dynamic Application Security Testing (DAST)
▪ Whitelisting vs. Blacklisting Applications ▪ Source Code Review
o Application Whitelisting and Blacklisting Tools ▪ Encoding Schemes
▪ How to Defend Against Injection Attacks ▪ Whitelisting vs. Blacklisting Applications
▪ Web Application Attack Countermeasures o Application Whitelisting and Blacklisting Tools
▪ How to Defend Against Web Application Attacks ▪ Content Filtering Tools
▪ RASP for Protecting Web Servers ▪ How to Defend Against Injection Attacks
▪ Bug Bounty Programs ▪ Web Application Attack Countermeasures
▪ Web Application Security Testing Tools ▪ How to Defend Against Web Application Attacks
▪ Web Application Firewalls ▪ Best Practices for Securing WebSocket Connections
▪ RASP for Protecting Web Servers
▪ Web Application Security Testing Tools
▪ Web Application Firewalls
Module 15: SQL Injection Module 15: SQL Injection
SQL Injection Concepts SQL Injection Concepts
▪ What is SQL Injection? ▪ What is SQL Injection?
▪ SQL Injection and Server-side Technologies ▪ SQL Injection and Server-side Technologies
▪ Understanding HTTP POST Request ▪ Understanding HTTP POST Request
▪ Understanding Normal SQL Query ▪ Understanding Normal SQL Query
▪ Understanding an SQL Injection Query ▪ Understanding an SQL Injection Query
▪ Understanding an SQL Injection Query – Code Analysis ▪ Understanding an SQL Injection Query—Code Analysis
▪ Example of a Web Application Vulnerable to SQL Injection: BadProductList.aspx ▪ Example of a Web Application Vulnerable to SQL Injection: BadProductList.aspx
▪ Example of a Web Application Vulnerable to SQL Injection: Attack Analysis ▪ Example of a Web Application Vulnerable to SQL Injection: Attack Analysis
▪ Examples of SQL Injection ▪ Examples of SQL Injection
Types of SQL Injection Types of SQL Injection
▪ Types of SQL injection ▪ In-Band SQL Injection
o In-Band SQL Injection o Error Based SQL Injection
• Error Based SQL Injection o Union SQL Injection
• Union SQL Injection ▪ Blind/Inferential SQL Injection
o Blind/Inferential SQL Injection o No Error Message Returned
• Blind SQL Injection: No Error Message Returned o Time-based SQL Injection
• Blind SQL Injection: WAITFOR DELAY (YES or NO Response) o Boolean Exploitation
• Blind SQL Injection: Boolean Exploitation and Heavy Query o Heavy Query
o Out-of-Band SQL injection ▪ Out-of-Band SQL injection

 

CEHv12 CEHv13
SQL Injection Methodology SQL Injection Methodology
▪ Information Gathering and SQL Injection Vulnerability Detection ▪ Information Gathering and SQL Injection Vulnerability Detection
o Information Gathering o Information Gathering
o Identifying Data Entry Paths o Identifying Data Entry Paths
o Extracting Information through Error Messages o Extracting Information through Error Messages
o SQL Injection Vulnerability Detection: Testing for SQL Injection o SQL Injection Vulnerability Detection
o Additional Methods to Detect SQL Injection o Additional Methods to Detect SQL Injection
o SQL Injection Black Box Pen Testing o SQL Injection Black Box Pen Testing
o Source Code Review to Detect SQL Injection Vulnerabilities o Source Code Review to Detect SQL Injection Vulnerabilities
o Testing for Blind SQL Injection Vulnerability in MySQL and MSSQL o Testing for Blind SQL Injection Vulnerability in MySQL and MSSQL
▪ Launch SQL Injection Attacks ▪ Launch SQL Injection Attacks
o Perform Union SQL Injection o Perform Error Based SQL Injection
o Perform Error Based SQL Injection o Perform Error Based SQL Injection using Stored Procedure Injection
o Perform Error Based SQL Injection using Stored Procedure Injection o Perform Union SQL Injection
o Bypass Website Logins Using SQL Injection o Bypass Website Logins Using SQL Injection
o Perform Blind SQL Injection – Exploitation (MySQL) o Perform Blind SQL Injection – Boolean Exploitation (MySQL)
o Blind SQL Injection - Extract Database User o Blind SQL Injection—Extract Database User
o Blind SQL Injection - Extract Database Name o Blind SQL Injection—Extract Database Name
o Blind SQL Injection - Extract Column Name o Blind SQL Injection—Extract Column Name
o Blind SQL Injection - Extract Data from ROWS o Blind SQL Injection—Extract Data from ROWS
o Perform Double Blind SQL Injection – Classical Exploitation (MySQL) o Exporting a Value with Regular Expression Attack
o Perform Blind SQL Injection Using Out-of-Band Exploitation Technique o Perform Double Blind SQL Injection
o Exploiting Second-Order SQL Injection o Perform Blind SQL Injection Using Out-of-Band Exploitation Technique
o Bypass Firewall using SQL Injection o Exploiting Second-Order SQL Injection
o Perform SQL Injection to Insert a New User and Update Password o Bypass Firewall to Perform SQL Injection
o Exporting a Value with Regular Expression Attack o Bypassing WAF using JSON-based SQL Injection Attack
▪ Advanced SQL Injection o Perform SQL Injection to Insert a New User and Update Password
o Database, Table, and Column Enumeration ▪ Advanced SQL Injection
o Advanced Enumeration o Database, Table, and Column Enumeration
o Features of Different DBMSs o Advanced Enumeration

 

CEHv12 CEHv13
o Creating Database Accounts o Creating Database Accounts
o Password Grabbing o Password Grabbing
o Grabbing SQL Server Hashes o Grabbing SQL Server Hashes
o Transfer Database to Attacker's Machine o Transfer Database to Attacker's Machine
o Interacting with the Operating System o Interacting with the Operating System
o Interacting with the File System o Interacting with the File System
o Network Reconnaissance Using SQL Injection o Network Reconnaissance Using SQL Injection
o Network Reconnaissance Full Query o Network Reconnaissance Full Query
o Finding and Bypassing Admin Panel of a Website o Finding and Bypassing Admin Panel of a Website
o PL/SQL Exploitation o PL/SQL Exploitation
o Creating Server Backdoors using SQL Injection o Creating Server Backdoors using SQL Injection
o HTTP Header-Based SQL Injection o HTTP Header-Based SQL Injection
o DNS Exfiltration using SQL Injection o DNS Exfiltration using SQL Injection
o MongoDB Injection/NoSQL Injection Attack o MongoDB Injection/NoSQL Injection Attack
o Case Study: SQL Injection Attack and Defense ▪ SQL Injection Tools
SQL Injection Tools ▪ Discovering SQL Injection Vulnerabilities with AI
▪ SQL Injection Tools ▪ Checking for Boolean based SQL Injection with AI
▪ SQL Injection Tools for Mobile Devices ▪ Checking for Error based SQL Injection with AI
Evasion Techniques ▪ Checking for Time-based SQL Injection with AI
▪ Evading IDS ▪ Checking for UNION based SQL Injection with AI
▪ Types of Signature Evasion Techniques Evasion Techniques
o In-line Comment and Char Encoding ▪ Evading IDS
o String Concatenation and Obfuscated Code ▪ Types of Signature Evasion Techniques
o Manipulating White Spaces and Hex Encoding o Evasion Techniques
o Sophisticated Matches and URL Encoding o In-line Comment
o Null Byte and Case Variation o Char Encoding
o Declare Variables and IP Fragmentation o String Concatenation
o Variation o Obfuscated Code
SQL Injection Countermeasures o Manipulating White Spaces
▪ How to Defend Against SQL Injection Attacks o Hex Encoding
o Use Type-Safe SQL Parameters o Sophisticated Matches
o Defenses in the Application o URL Encoding
• LIKE Clauses o Null Byte
• Wrapping Parameters with QUOTENAME() and REPLACE() o Case Variation
▪ Detecting SQL Injection Attacks o Declare Variables
▪ SQL Injection Detection Tools o IP Fragmentation

 

CEHv12 CEHv13
o OWASP ZAP and Damn Small SQLi Scanner (DSSS) o Variation
o Snort SQL Injection Countermeasures
o SQL Injection Detection Tools ▪ How to Defend Against SQL Injection Attacks
▪ Defenses in the Application
▪ Detecting SQL Injection Attacks
▪ SQL Injection Detection Tools
Module 16: Hacking Wireless Networks Module 16: Hacking Wireless Networks
Wireless Concepts Wireless Concepts
▪ Wireless Terminology ▪ Wireless Terminology
▪ Wireless Networks ▪ Wireless Networks
▪ Wireless Standards ▪ Wireless Standards
▪ Service Set Identifier (SSID) ▪ Service Set Identifier (SSID)
▪ Wi-Fi Authentication Modes ▪ Wi-Fi Authentication Process
▪ Wi-Fi Authentication Process Using a Centralized Authentication Server ▪ Types of Wireless Antennas
▪ Types of Wireless Antennas Wireless Encryption
Wireless Encryption ▪ Wireless Encryption
▪ Types of Wireless Encryption o Wired Equivalent Privacy (WEP)
o Wired Equivalent Privacy (WEP) Encryption o Wi-Fi Protected Access (WPA)
o Wi-Fi Protected Access (WPA) Encryption o WPA2
o WPA2 Encryption o WPA3
o WPA3 Encryption ▪ Comparison of WEP, WPA, WPA2, and WPA3
▪ Comparison of WEP, WPA, WPA2, and WPA3 ▪ Issues with WEP, WPA, WPA2, and WPA3
▪ Issues in WEP, WPA, and WPA2 Wireless Threats
Wireless Threats ▪ Access Control Attacks
▪ Wireless Threats ▪ Integrity Attacks
o Rogue AP Attack ▪ Confidentiality Attacks
o Client Mis-association ▪ Availability Attacks
o Misconfigured AP Attack ▪ Authentication Attacks
o Unauthorized Association ▪ Honeypot AP Attack
o Ad-Hoc Connection Attack ▪ Wormhole Attack
o Honeypot AP Attack ▪ Sinkhole Attack
o AP MAC Spoofing ▪ Inter-Chip Privilege Escalation/Wireless Co-Existence Attack
o Denial-of-Service Attack Wireless Hacking Methodology
o Key Reinstallation Attack (KRACK) ▪ Wi-Fi Discovery
o Jamming Signal Attack o Wireless Network Footprinting

 

CEHv12 CEHv13
• Wi-Fi Jamming Devices o Finding Wi-Fi Networks in Range to Attack
o aLTEr Attack o Wi-Fi Discovery Tools
o Wormhole and Sinkhole Attacks o Mobile-based Wi-Fi Discovery Tools
o Inter-Chip Privilege Escalation/Wireless Co-Existence Attack o Finding WPS-Enabled APs
o GNSS Spoofing ▪ Wireless Traffic Analysis
Wireless Hacking Methodology o Choosing the Optimal Wi-Fi Card
▪ Wireless Hacking Methodology o Perform Spectrum Analysis
▪ Wi-Fi Discovery ▪ Launch of Wireless Attacks
o Wireless Network Footprinting o Aircrack-ng Suite
o Finding Wi-Fi Networks in Range to Attack o Detection of Hidden SSIDs
o Finding WPS-Enabled APs o Denial-of-Service
o Wi-Fi Discovery Tools o Man-in-the-Middle Attack
o Mobile-based Wi-Fi Discovery Tools o MITM Attack Using Aircrack-ng
▪ GPS Mapping o MAC Spoofing Attack
o GPS Mapping Tools o Wireless ARP Poisoning Attack
o Wi-Fi Hotspot Finder Tools o ARP Poisoning Attack Using Ettercap
o Wi-Fi Network Discovery Through WarDriving o Rogue APs
▪ Wireless Traffic Analysis o Creation of a Rogue AP Using MANA Toolkit
o Choosing the Optimal Wi-Fi Card o Evil Twin
o Sniffing Wireless Traffic o Key Reinstallation Attack (KRACK)
o Perform Spectrum Analysis o Jamming Signal Attack
▪ Launch of Wireless Attacks o Wi-Fi Jamming Devices
o Aircrack-ng Suite o aLTEr Attack
o Detection of Hidden SSIDs o Wi-Jacking Attack
o Fragmentation Attack o RFID Cloning Attack
o MAC Spoofing Attack o Wi-Fi Encryption Cracking
o Denial-of-Service: Disassociation and De-authentication Attacks o WPA/WPA2 Encryption Cracking
o Man-in-the-Middle Attack o Cracking WPA/WPA2 Using Aircrack-ng
o MITM Attack Using Aircrack-ng o WPA Brute Forcing Using Fern Wifi Cracker
o Wireless ARP Poisoning Attack o WPA3 Encryption Cracking
• ARP Poisoning Attack Using Ettercap o Cracking WPA3 Using Aircrack-ng and hashcat
o Rogue APs o Cracking WPS Using Reaver
• Creation of a Rogue AP Using MANA Toolkit Wireless Attack Countermeasures
o Evil Twin ▪ Wireless Security Layers
• Set Up of a Fake Hotspot (Evil Twin) ▪ Defense Against WPA/WPA2/WPA3 Cracking
o aLTEr Attack ▪ Defense Against KRACK Attacks
o Wi-Jacking Attack ▪ Defense Against aLTEr Attacks

 

CEHv12 CEHv13
o RFID Cloning Attack ▪ Detection and Blocking of Rogue APs
▪ Wi-Fi Encryption Cracking ▪ Defense Against Wireless Attacks
o WEP Encryption Cracking ▪ Wireless Intrusion Prevention Systems
o Cracking WEP Using Aircrack-ng ▪ WIPS Deployment
o WPA/WPA2 Encryption Cracking ▪ Wi-Fi Security Auditing Tools
o Cracking WPA-PSK Using Aircrack-ng ▪ Wi-Fi IPSs
o Cracking WPA/WPA2 Using Wifiphisher
o Cracking WPS Using Reaver
o WPA3 Encryption Cracking
o WEP Cracking and WPA Brute Forcing Using Wesside-ng and Fern Wifi Cracker
Wireless Hacking Tools
▪ WEP/WPA/WPA2 Cracking Tools
▪ WEP/WPA/WPA2 Cracking Tools for Mobile
▪ Wi-Fi Packet Sniffers
▪ Wi-Fi Traffic Analyzer Tools
▪ Other Wireless Hacking Tools
Bluetooth Hacking
▪ Bluetooth Stack
▪ Bluetooth Hacking
▪ Bluetooth Threats
▪ Bluejacking
▪ Bluetooth Reconnaissance Using Bluez
▪ Btlejacking Using BtleJack
▪ Cracking BLE Encryption Using crackle
▪ Bluetooth Hacking Tools
Wireless Attack Countermeasures
▪ Wireless Security Layers
▪ Defense Against WPA/WPA2/WPA3 Cracking
▪ Defense Against KRACK and aLTEr Attacks
▪ Detection and Blocking of Rogue APs
▪ Defense Against Wireless Attacks
▪ Defense Against Bluetooth Hacking
Wireless Security Tools
▪ Wireless Intrusion Prevention Systems
▪ WIPS Deployment
▪ Wi-Fi Security Auditing Tools
▪ Wi-Fi IPSs
▪ Wi-Fi Predictive Planning Tools

 

CEHv12 CEHv13
▪ Wi-Fi Vulnerability Scanning Tools
▪ Bluetooth Security Tools
▪ Wi-Fi Security Tools for Mobile
Module 17: Hacking Mobile Platforms Module 17: Hacking Mobile Platforms
Mobile Platform Attack Vectors Mobile Platform Attack Vectors
▪ Vulnerable Areas in Mobile Business Environment ▪ Vulnerable Areas in Mobile Business Environment
▪ OWASP Top 10 Mobile Risks – 2016 ▪ OWASP Top 10 Mobile Risks - 2024
▪ Anatomy of a Mobile Attack ▪ Anatomy of a Mobile Attack
▪ How a Hacker can Profit from Mobile Devices that are Successfully Compromised ▪ How a Hacker can Profit from Mobile Devices that are Successfully Compromised
▪ Mobile Attack Vectors and Mobile Platform Vulnerabilities ▪ Mobile Attack Vectors and Mobile Platform Vulnerabilities
▪ Security Issues Arising from App Stores ▪ Security Issues Arising from App Stores
▪ App Sandboxing Issues ▪ App Sandboxing Issues
▪ Mobile Spam ▪ Mobile Spam
▪ SMS Phishing Attack (SMiShing) (Targeted Attack Scan) ▪ SMS Phishing Attack (SMiShing) (Targeted Attack Scan)
o SMS Phishing Attack Examples ▪ SMS Phishing Attack Examples
▪ Pairing Mobile Devices on Open Bluetooth and Wi-Fi Connections ▪ Pairing Mobile Devices on Open Bluetooth and Wi-Fi Connections
▪ Agent Smith Attack ▪ Agent Smith Attack
▪ Exploiting SS7 Vulnerability ▪ Exploiting SS7 Vulnerability
▪ Simjacker: SIM Card Attack ▪ Simjacker: SIM Card Attack
▪ OTP Hijacking/Two-Factor Authentication Hijacking ▪ Call Spoofing
▪ Camera/Microphone Capture Attacks ▪ OTP Hijacking/Two-Factor Authentication Hijacking
o Camfecting Attack ▪ OTP Hijacking Tools
o Android Camera Hijack Attack ▪ Camera/Microphone Capture Attacks
Hacking Android OS ▪ Camera/Microphone Hijacking Tools
▪ Android OS Hacking Android OS
o Android Device Administration API ▪ Android OS
▪ Android Rooting o Android Device Administration API
o Rooting Android Using KingoRoot ▪ Android Rooting
o Android Rooting Tools o Rooting Android Using KingoRoot
▪ Hacking Android Devices o Android Rooting Tools
o Blocking Wi-Fi Access Using NetCut ▪ Hacking Android Devices
o Identifying Attack Surfaces Using drozer o Identifying Attack Surfaces Using drozer
o Hacking with zANTI and Network Spoofer o Bypassing FRP on Android Phones Using 4ukey

 

CEHv12 CEHv13
o Launch DoS Attack using Low Orbit Ion Cannon (LOIC) o Hacking with zANTI and Kali NetHunter
o Session Hijacking Using DroidSheep o Launch DoS Attack using Low Orbit Ion Cannon (LOIC)
o Hacking with Orbot Proxy o Hacking with Orbot Proxy
o Exploiting Android Device through ADB Using PhoneSploit o Exploiting Android Device through ADB Using PhoneSploit Pro
o Android-based Sniffers o Launching Man-in-the-Disk Attack
o Launching Man-in-the-Disk Attack o Launching Spearphone Attack
o Launching Sphearphone Attack o Exploiting Android Devices Using Metasploit
o Exploiting Android Devices Using Metasploit o Analyzing Android Devices
o Other Techniques for Hacking Android Devices o Other Techniques for Hacking Android Devices
o Android Trojans o Android Malware
▪ OTP Hijacking Tools ▪ Android Hacking Tools
▪ Camera/Microphone Hijacking Tools ▪ Android-based Sniffers
▪ Android Hacking Tools ▪ Securing Android Devices
▪ Securing Android Devices ▪ Android Security Tools
▪ Android Security Tools o Android Device Tracking Tools
o Android Device Tracking Tools: Google Find My Device o Android Vulnerability Scanners
o Android Device Tracking Tools o Static Analysis of Android APK
o Android Vulnerability Scanners o Online Android Analyzers
o Online Android Analyzers Hacking iOS
Hacking iOS ▪ Apple iOS
▪ Apple iOS ▪ Jailbreaking iOS
▪ Jailbreaking iOS o Jailbreaking Techniques
o Jailbreaking Techniques o Jailbreaking iOS Using Hexxa Plus
o Jailbreaking iOS Using Hexxa Plus o Jailbreaking Tools
o Jailbreaking Tools ▪ Hacking iOS Devices
▪ Hacking iOS Devices o Hacking using Spyzie
o Hacking using Spyzie o iOS Trustjacking
o Hacking Network using Network Analyzer Pro o Post-exploitation on iOS Devices Using SeaShell Framework
o iOS Trustjacking o Analyzing and Manipulating iOS Applications
o Analyzing and Manipulating iOS Applications o Analyzing iOS Devices
• Manipulating an iOS Application Using cycript o iOS Malware
• iOS Method Swizzling o iOS Hacking Tools
• Extracting Secrets Using Keychain Dumper ▪ Securing iOS Devices
• Analyzing an iOS Application Using objection ▪ iOS Device Security Tools
o iOS Malware o iOS Device Tracking Tools
o iOS Hacking Tools Mobile Device Management
▪ Securing iOS Devices ▪ Mobile Device Management (MDM)
▪ iOS Device Security Tools ▪ Mobile Device Management Solutions
▪ iOS Device Tracking Tools ▪ Bring Your Own Device (BYOD)

 

CEHv12 CEHv13
Mobile Device Management o BYOD Risks
▪ Mobile Device Management (MDM) o BYOD Policy Implementation
▪ Mobile Device Management Solutions: IBM MaaS360 o BYOD Security Guidelines
o Mobile Device Management Solutions Mobile Security Guidelines and Tools
▪ Bring Your Own Device (BYOD) ▪ Mobile Security Guidelines
o BYOD Risks ▪ OWASP Top 10 Mobile Risks and Solutions
o BYOD Policy Implementation ▪ General Guidelines for Mobile Platform Security
o BYOD Security Guidelines ▪ Mobile Device Security Guidelines for the Administrator
Mobile Security Guidelines and Tools ▪ SMS Phishing Countermeasures
▪ OWASP Top 10 Mobile Controls ▪ OTP Hijacking Countermeasures
▪ General Guidelines for Mobile Platform Security ▪ Critical Data Storage in Android and iOS: KeyStore and Keychain Recommendations
▪ Mobile Device Security Guidelines for Administrator ▪ Reverse Engineering Mobile Applications
▪ SMS Phishing Countermeasures ▪ Mobile Security Tools
▪ Critical Data Storage in Android and iOS: KeyStore and Keychain Recommendations o Source Code Analysis Tools
▪ Mobile Security Tools o Reverse Engineering Tools
o Source Code Analysis Tools o App Repackaging Detectors
o Reverse Engineering Tools o Mobile Protection Tools
o App Repackaging Detector o Mobile Anti-Spyware
o Mobile Protection Tools o Mobile Pen Testing Toolkits
o Mobile Anti-Spyware
o Mobile Pen Testing Toolkit: ImmuniWeb® MobileSuite
Module 18: IoT and OT Hacking Module 18: IoT and OT Hacking
IoT Hacking IoT Hacking
IoT Concepts IoT Concepts and Attacks
▪ What is the IoT? ▪ What is the IoT?
▪ How the IoT Works ▪ How the IoT Works
▪ IoT Architecture ▪ IoT Architecture
▪ IoT Application Areas and Devices ▪ IoT Application Areas and Devices
▪ IoT Technologies and Protocols ▪ IoT Technologies and Protocols
▪ IoT Communication Models ▪ IoT Communication Models
▪ Challenges of IoT ▪ Challenges of IoT
▪ Threat vs Opportunity ▪ Threat vs Opportunity
IoT Attacks ▪ IoT Security Problems
▪ IoT Security Problems ▪ OWASP Top 10 IoT Threats
▪ OWASP Top 10 IoT Threats ▪ OWASP IoT Attack Surface Areas
▪ OWASP IoT Attack Surface Areas ▪ IoT Vulnerabilities
▪ IoT Vulnerabilities ▪ IoT Threats
▪ IoT Threats ▪ Hacking IoT Devices: General Scenario

 

 

CEHv12 CEHv13
▪ Hacking IoT Devices: General Scenario ▪ DDoS Attack
▪ IoT Attacks ▪ Exploit HVAC
o DDoS Attack ▪ Rolling Code Attack
o Exploit HVAC ▪ BlueBorne Attack
o Rolling Code Attack ▪ Jamming Attack
o BlueBorne Attack ▪ Hacking Smart Grid/Industrial Devices: Remote Access using Backdoor
o Jamming Attack ▪ SDR-Based Attacks on IoT
o Hacking Smart Grid/Industrial Devices: Remote Access using Backdoor ▪ Identifying and Accessing Local IoT Devices
o SDR-Based Attacks on IoT ▪ Fault Injection Attacks
o Identifying and Accessing Local IoT Devices ▪ Other IoT Attacks
o Fault Injection Attacks ▪ IoT Attacks in Different Sectors
o Other IoT Attacks ▪ IoT Malware
▪ IoT Attacks in Different Sectors ▪ Case Study: IZ1H9
▪ Case Study: Enemybot IoT Hacking Methodology
IoT Hacking Methodology ▪ What is IoT Device Hacking?
▪ What is IoT Device Hacking? ▪ IoT Hacking Methodology
▪ IoT Hacking Methodology o Information Gathering
o Information Gathering Using Shodan o Information Gathering using Shodan
o Information Gathering using MultiPing o Information Gathering using MultiPing
o Information Gathering using FCC ID Search o Information Gathering using FCC ID Search
o Discovering IoT Devices with Default Credentials using IoTSeeker o Information-Gathering Tools
o Vulnerability Scanning using Nmap o Information Gathering through Sniffing
o Vulnerability Scanning using RIoT Vulnerability Scanner o Sniffing using Cascoda Packet Sniffer
o Sniffing using Foren6 o Sniffing Tools
o Sniffing using Wireshark o Vulnerability Scanning
o Analyzing Spectrum and IoT Traffic o Vulnerability Scanning using IoTSeeker
o Rolling code Attack using RFCrack o Vulnerability Scanning using Genzai
o Hacking Zigbee Devices with Attify Zigbee Framework o Vulnerability Scanning using Nmap
o BlueBorne Attack Using HackRF One o Vulnerability-Scanning Tools
o Replay Attack using HackRF One o Analyzing Spectrum and IoT Traffic
o SDR-Based Attacks using RTL-SDR and GNU Radio o Tools to Perform SDR-Based Attacks
o Side Channel Attack using ChipWhisperer ▪ Launch Attacks
o Identifying IoT Communication Buses and Interfaces o Rolling Code Attack using RFCrack
o NAND Glitching o Hacking Zigbee Devices with Open Sniffer
o Gaining Remote Access using Telnet o BlueBorne Attack Using HackRF One
o Maintain Access by Exploiting Firmware o Replay Attack using HackRF One
• Firmware Analysis and Reverse Engineering o SDR-Based Attacks using RTL-SDR and GNU Radio
✓ Emulate Firmware for Dynamic Testing o Side-Channel Attack using ChipWhisperer

 

CEHv12 CEHv13
▪ IoT Hacking Tools o Identifying IoT Communication Buses and Interfaces
o Information-Gathering Tools o NAND Glitching
o Sniffing Tools o Exploiting Cameras using CamOver
o Vulnerability-Scanning Tools ▪ Gain Remote Access
o Tools to Perform SDR-Based Attacks o Gaining Remote Access using Telnet
o IoT Hacking Tools o Maintain Access
IoT Attack Countermeasures o Maintain Access by Exploiting Firmware
▪ How to Defend Against IoT Hacking o Firmware Analysis and Reverse Engineering
▪ General Guidelines for IoT Device Manufacturing Companies ▪ IoT Hacking Tools
▪ OWASP Top 10 IoT Vulnerabilities Solutions o IoT Hacking Tools
▪ IoT Framework Security Considerations IoT Attack Countermeasures
▪ IoT Hardware Security Best Practices ▪ How to Defend Against IoT Hacking
▪ IoT Device Management ▪ General Guidelines for IoT Device Manufacturers
▪ IoT Security Tools ▪ OWASP Top 10 IoT Vulnerabilities Solutions
OT Hacking ▪ IoT Framework Security Considerations
OT Concepts ▪ IoT Hardware Security Best Practices
▪ What is OT? ▪ Secure Development Practices for IoT Applications
▪ Essential Terminology ▪ IoT Device Management
▪ IT/OT Convergence (IIOT) ▪ IoT Security Tools
▪ The Purdue Model OT Hacking
▪ Challenges of OT OT Concepts and Attacks
▪ Introduction to ICS ▪ What is OT?
▪ Components of an ICS ▪ Essential Terminology
o Distributed Control System (DCS) ▪ Introduction to ICS
o Supervisory Control and Data Acquisition (SCADA) ▪ Components of an ICS
o Programmable Logic Controller (PLC) ▪ IT/OT Convergence (IIOT)
o Basic Process Control System (BPCS) ▪ The Purdue Model
o Safety Instrumented Systems (SIS) ▪ OT Technologies and Protocols
▪ OT Technologies and Protocols ▪ Challenges of OT
OT Attacks ▪ OT Vulnerabilities
▪ OT Vulnerabilities ▪ MITRE ATT&CK for ICS
▪ MITRE ATT&CK for ICS ▪ OT Threats
▪ OT Threats ▪ HMI-based Attacks
▪ OT Attacks ▪ Side-Channel Attacks
o HMI-based Attacks ▪ Hacking Programmable Logic Controller (PLC)
o Side-Channel Attacks ▪ Evil PLC Attack
o Hacking Programmable Logic Controller (PLC) ▪ Hacking Industrial Systems through RF Remote Controllers
o Hacking Industrial Systems through RF Remote Controllers ▪ OT Supply Chain Attacks

 

CEHv12 CEHv13
o OT Malware ▪ OT Malware
▪ OT Malware Analysis: INDUSTROYER.V2 ▪ OT Malware Analysis: COSMICENERGY
OT Hacking Methodology OT Hacking Methodology
▪ What is OT Hacking? ▪ What is OT Hacking?
▪ OT Hacking Methodology ▪ OT Hacking Methodology
o Identifying ICS/SCADA Systems using Shodan ▪ Information Gathering
o Gathering Default Passwords using CRITIFENCE o Identifying ICS/SCADA Systems using Shodan
o Scanning ICS/SCADA Systems using Nmap o Gathering Default Passwords using CIRT.net
o Vulnerability Scanning using Nessus o Information-Gathering Tools
o Vulnerability Scanning using Skybox Vulnerability Control o Scanning ICS/SCADA Systems using Nmap
o Fuzzing ICS Protocols o Sniffing using NetworkMiner
o Sniffing using NetworkMiner o Analyzing Modbus/TCP Traffic using Wireshark
o Analyzing Modbus/TCP Traffic Using Wireshark o Discovering ICS/SCADA Network Protocols using Malcolm
o Discovering ICS/SCADA Network Topology using GRASSMARLIN o Vulnerability Scanning
o Hacking ICS Hardware o Vulnerability Scanning Using Nessus
o Hacking Modbus Slaves using Metasploit o Vulnerability Scanning using Skybox Vulnerability Control
o Hacking PLC using modbus-cli o Sniffing and Vulnerability-Scanning Tools
o Gaining Remote Access using DNP3 o Fuzzing ICS Protocols
▪ OT Hacking Tools ▪ Launch Attacks
o Information-Gathering Tools o Hacking ICS Hardware
o Sniffing and Vulnerability-Scanning Tools o Hacking Modbus Slaves using Metasploit
o OT Hacking Tools o Hacking PLC using modbus-cli
OT Attack Countermeasures ▪ Gain and Maintain Remote Access
▪ How to Defend Against OT Hacking o Gaining Remote Access using DNP3
▪ OT Vulnerabilities and Solutions ▪ OT Hacking Tools
▪ How to Secure an IT/OT Environment o OT Hacking Tools
▪ Implementing a Zero-Trust Model for ICS/SCADA OT Attack Countermeasures
▪ International OT Security Organizations and Frameworks ▪ How to Defend Against OT Hacking
o OTCSA ▪ OT Vulnerabilities and Solutions
o OT-ISAC ▪ How to Secure an IT/OT Environment
o NERC ▪ Implementing a Zero-Trust Model for ICS/SCADA
o Industrial Internet Security Framework (IISF) ▪ International OT Security Organizations
o ISA/IEC-62443 ▪ OT Security Solutions
▪ OT Security Solutions ▪ OT Security Tools
▪ OT Security Tools

 

CEHv12 CEHv13
Module 19: Cloud Computing Module 19: Cloud Computing
Cloud Computing Concepts Cloud Computing Concepts
▪ Introduction to Cloud Computing ▪ Introduction to Cloud Computing
▪ Types of Cloud Computing Services ▪ Types of Cloud Computing Services
o Infrastructure-as-a-Service (IaaS) ▪ Shared Responsibilities in Cloud
o Platform-as-a-Service (PaaS) ▪ Cloud Deployment Models
o Software-as-a-Service (SaaS) ▪ NIST Cloud Deployment Reference Architecture
o Identity-as-a-Service (IDaaS) ▪ Cloud Storage Architecture
o Security-as-a-Service (SECaaS) ▪ Virtual Reality and Augmented Reality on Cloud
o Container-as-a-Service (CaaS) ▪ Fog Computing
o Function-as-a-Service (FaaS) ▪ Edge Computing
o Anything-as-a-Service (XaaS) ▪ Cloud vs. Fog Computing vs. Edge Computing
o Firewalls-as-a-Service (FWaaS) ▪ Cloud Computing vs. Grid Computing
o Desktop-as-a-Service (DaaS) ▪ Cloud Service Providers
o Mobile Backend-as-a-Service (MBaaS) Container Technology
o Machines-as-a-Service (MaaS) Business Model ▪ What is a Container?
▪ Separation of Responsibilities in Cloud o Containers Vs. Virtual Machines
▪ Cloud Deployment Models ▪ What is Docker?
o Public Cloud o Microservices Vs. Docker
o Private Cloud ▪ Docker Networking
o Community Cloud ▪ Container Orchestration
o Hybrid Cloud ▪ What is Kubernetes?
o Multi Cloud ▪ Clusters and Containers
o Distributed Cloud ▪ Container Security Challenges
o Poly Cloud ▪ Container Management Platforms
▪ NIST Cloud Deployment Reference Architecture ▪ Kubernetes Platforms
▪ Cloud Storage Architecture Serverless Computing
▪ Role of AI in Cloud Computing ▪ What is Serverless Computing?
▪ Virtual Reality and Augmented Reality on Cloud ▪ Serverless Vs. Containers
▪ Fog Computing ▪ Serverless Computing Frameworks
▪ Edge Computing Cloud Computing Threats
▪ Cloud vs. Fog Computing vs. Edge Computing ▪ OWASP Top 10 Cloud Security Risks
▪ Cloud Computing vs. Grid Computing ▪ OWASP Top 10 Kubernetes Risks
▪ Cloud Service Providers ▪ OWASP Top 10 Serverless Security Risks
Container Technology ▪ Cloud Computing Threats
▪ What is a Container? o Data Security
▪ Containers Vs. Virtual Machines o Cloud Service Misuse
▪ What is Docker? o Interface and API Security
o Microservices Vs. Docker o Operational Security
o Docker Networking o Infrastructure and System Configuration

 

CEHv12 CEHv13
▪ Container Orchestration o Network Security
▪ What is Kubernetes? o Governance and Legal Risks
o Kubernetes Vs. Docker o Development and Resource Management
▪ Clusters and Containers ▪ Container Vulnerabilities
▪ Container Security Challenges ▪ Kubernetes Vulnerabilities
▪ Container Management Platforms ▪ Cloud Attacks
▪ Kubernetes Platforms o Service Hijacking using Social Engineering
Serverless Computing o Service Hijacking using Network Sniffing
▪ What is Serverless Computing? o Side-Channel Attacks or Cross-guest VM Breaches
▪ Serverless Vs. Containers o Wrapping Attack
▪ Serverless Computing Frameworks o Man-in-the-Cloud (MITC) Attack
Cloud Computing Threats o Cloud Hopper Attack
▪ OWASP Top 10 Cloud Security Risks o Cloud Cryptojacking
▪ OWASP Top 10 Serverless Security Risks o Cloudborne Attack
▪ Cloud Computing Threats o Instance Metadata Service (IMDS) Attack
▪ Container Vulnerabilities o Cache Poisoned Denial of Service (CPDoS)/Content Delivery Network (CDN) Cache Poisoning Attack
▪ Kubernetes Vulnerabilities o Cloud Snooper Attack
▪ Cloud Attacks o Golden SAML Attack
o Service Hijacking using Social Engineering o Living Off the Cloud Attack (LotC)
o Service Hijacking using Network Sniffing o Other Cloud Attacks
o Side-Channel Attacks or Cross-guest VM Breaches ▪ Cloud Malware
o Wrapping Attack Cloud Hacking
o Man-in-the-Cloud (MITC) Attack ▪ Cloud Hacking
o Cloud Hopper Attack ▪ Cloud Hacking Methodology
o Cloud Cryptojacking o Identifying Target Cloud Environment
o Cloudborne Attack o Discovering Open Ports and Services Using Masscan
o Instance Metadata Service (IMDS) Attack o Vulnerability Scanning Using Prowler
o Cache Poisoned Denial of Service (CPDoS)/Content Delivery Network (CDN) Cache Poisoning Attack o Identifying Misconfigurations in Cloud Resources Using CloudSploit
o Cloud Snooper Attack o Cleanup and Maintaining Stealth
o Golden SAML Attack AWS Hacking
o Other Cloud Attacks ▪ Enumerating S3 Buckets
▪ Cloud Malware o Enumerating S3 Buckets using SScanner
Cloud Hacking o Enumerating S3 Bucket Permissions using BucketLoot
▪ What is Cloud Hacking? o Enumerating S3 Buckets using CloudBrute
▪ Hacking Cloud ▪ Enumerating EC2 Instances
o Container Vulnerability Scanning using Trivy ▪ Enumerating AWS RDS Instances

 

CEHv12 CEHv13
o Kubernetes Vulnerability Scanning using Sysdig ▪ Enumerating AWS Account IDs
o Enumerating S3 Buckets ▪ Enumerating IAM Roles
o Identifying Open S3 Buckets using S3Scanner ▪ Enumerating Weak IAM Policies Using Cloudsplaining
o Enumerating AWS Account IDs ▪ Enumerating AWS Cognito
o Enumerating IAM Roles ▪ Enumerating DNS Records of AWS Accounts using Ghostbuster
o Enumerating Bucket Permissions using S3Inspector ▪ Enumerating Serverless Resources in AWS
o Enumerating Kubernetes etcd ▪ Discovering Attack Paths using Cartography
o Enumerating Azure Active Directory (AD) Accounts ▪ Discovering Attack Paths using CloudFox
o Gathering Cloud Keys Through IMDS Attack ▪ Identify Security Groups Exposed to the Internet
o Exploiting Amazon Cloud Infrastructure using Nimbostratus ▪ AWS Threat Emulation using Stratus Red Team
o Exploiting Misconfigured AWS S3 Buckets ▪ Gathering Cloud Keys Through IMDS Attack
o Compromising AWS IAM Credentials ▪ Exploiting Misconfigured AWS S3 Buckets
o Hijacking Misconfigured IAM Roles using Pacu ▪ Compromising AWS IAM Credentials
o Cracking AWS Access Keys using DumpsterDiver ▪ Hijacking Misconfigured IAM Roles using Pacu
o Exploiting Docker Containers on AWS using Cloud Container Attack Tool (CCAT) ▪ Scanning AWS Access Keys using DumpsterDiver
o Serverless-Based Attacks on AWS Lambda ▪ Exploiting Docker Containers on AWS using Cloud Container Attack Tool (CCAT)
o Exploiting Shadow Admins in AWS ▪ Exploiting Shadow Admins in AWS
o Exploiting Docker Remote API ▪ Gaining Access by Exploiting SSRF Vulnerabilities
o Hacking Container Volumes ▪ Attacks on AWS Lambda
o CloudGoat 2 – Vulnerable by Design AWS Deployment Tool ▪ AWS IAM Privilege Escalation Techniques
o Gaining Access by Exploiting SSRF Vulnerability ▪ Creating Backdoor Accounts in AWS
o AWS IAM Privilege Escalation Techniques ▪ Maintaining Access and Covering Tracks on AWS Cloud Environment by Manipulating the CloudTrail Service
o Escalating Privileges of Google Storage Buckets using GCPBucketBrute ▪ Establishing Persistence on EC2 Instances
o Privilege Escalation Using Misconfigured User Accounts in Azure AD ▪ Lateral Movement: Moving Between AWS Accounts and Regions
o Creating Backdoor Accounts in AWS ▪ AWSGoat: A Damn Vulnerable AWS Infrastructure
o Backdooring Docker Images using dockerscan Microsoft Azure Hacking
o Maintaining Access and Covering Tracks on AWS Cloud Environment by Manipulating CloudTrial Service ▪ Azure Reconnaissance Using AADInternals
▪ AWS Hacking Tool: AWS pwn ▪ Identifying Azure Services and Resources
Cloud Security ▪ Enumerating Azure Active Directory (AD) Accounts
▪ Cloud Security Control Layers ▪ Identifying Attack Surface using Stormspotter
▪ Cloud Security is the Responsibility of both Cloud Provider and Consumer ▪ Collecting Data from AzureAD and AzureRM using AzureHound
▪ Cloud Computing Security Considerations ▪ Accessing Publicly Exposed Blob Storage using Goblob
▪ Placement of Security Controls in the Cloud ▪ Identifying Open Network Security Groups (NSGs) in Azure

 

 

CEHv12 CEHv13
o Container Vulnerability Scanning using Trivy ▪ Exploiting Managed Identities and Azure Functions
o Kubernetes Vulnerability Scanning using Sysdig ▪ Privilege Escalation Using Misconfigured User Accounts in Azure AD
o Enumerating S3 Buckets ▪ Creating Persistent Backdoors in Azure AD Using Service Principals
o Identifying Open S3 Buckets using S3Scanner ▪ Exploiting VNet Peering Connections
o Enumerating AWS Account IDs ▪ AzureGoat – Vulnerable by Design Azure Infrastructure
o Enumerating IAM Roles Google Cloud Hacking
o Enumerating Bucket Permissions using S3Inspector ▪ Enumerating GCP Resources using Google Cloud CLI
o Enumerating Kubernetes etcd o Enumerating GCP Organizations, Projects, and Cloud Storage Buckets
o Enumerating Azure Active Directory (AD) Accounts o Enumerating Google Cloud Service Accounts
o Gathering Cloud Keys Through IMDS Attack o Enumerating Google Cloud resources
o Exploiting Amazon Cloud Infrastructure using Nimbostratus o Enumerating Google Cloud IAM Roles and Policies
o Exploiting Misconfigured AWS S3 Buckets o Enumerating Google Cloud Services using gcp_service_enum
o Compromising AWS IAM Credentials o Enumerating GCP Resources using GCP Scanner
o Hijacking Misconfigured IAM Roles using Pacu o Enumerating Google Cloud Storage Buckets using cloud_enum
o Cracking AWS Access Keys using DumpsterDiver ▪ Enumerating Privilege Escalation Vulnerabilities using GCP Privilege Escalation Scanner
o Exploiting Docker Containers on AWS using Cloud Container Attack Tool (CCAT) ▪ Escalating Privileges of Google Storage Buckets using GCPBucketBrute
o Serverless-Based Attacks on AWS Lambda ▪ Maintaining Access: Creating Backdoors with IAM Roles in GCP
o Exploiting Shadow Admins in AWS ▪ GCPGoat: Vulnerable by Design GCP Infrastructure
o Exploiting Docker Remote API Container Hacking
o Hacking Container Volumes ▪ Information Gathering using kubectl
o CloudGoat 2 – Vulnerable by Design AWS Deployment Tool ▪ Enumerating Registries
o Gaining Access by Exploiting SSRF Vulnerability ▪ Container/Kubernetes Vulnerability Scanning
o AWS IAM Privilege Escalation Techniques ▪ Exploiting Docker Remote API
o Escalating Privileges of Google Storage Buckets using GCPBucketBrute ▪ Hacking Container Volumes
o Privilege Escalation Using Misconfigured User Accounts in Azure AD ▪ LXD/LXC Container Group Privilege Escalation
o Creating Backdoor Accounts in AWS ▪ Post Enumeration on Kubernetes etcd
o Backdooring Docker Images using dockerscan Cloud Security
o Maintaining Access and Covering Tracks on AWS Cloud Environment by Manipulating CloudTrial Service ▪ Cloud Security Control Layers
▪ AWS Hacking Tool: AWS pwn ▪ Cloud Security is the Responsibility of both Cloud Provider and Consumer
Cloud Security ▪ Cloud Computing Security Considerations
▪ Cloud Security Control Layers ▪ Placement of Security Controls in the Cloud
▪ Cloud Security is the Responsibility of both Cloud Provider and Consumer ▪ Assessing Cloud Security using Scout Suite
▪ Cloud Computing Security Considerations ▪ Best Practices for Securing the Cloud
▪ Placement of Security Controls in the Cloud ▪ Best Practices for Securing AWS Cloud

 

CEHv12 CEHv13
▪ Best Practices for Securing Cloud ▪ Best Practices for Securing Microsoft Azure
▪ NIST Recommendations for Cloud Security ▪ Best Practices for Securing Google Cloud Platform
▪ Security Assertion Markup Language (SAML) ▪ NIST Recommendations for Cloud Security
▪ Cloud Network Security ▪ Security Assertion Markup Language (SAML)
o Virtual Private Cloud (VPC) ▪ Cloud Network Security
o Public and Private Subnets ▪ Cloud Security Controls
o Transit Gateways ▪ Kubernetes Vulnerabilities and Solutions
o VPC Endpoint ▪ Serverless Security Risks and Solutions
▪ Cloud Security Controls ▪ Best Practices for Container Security
o Cloud Application Security ▪ Best Practices for Docker Security
o High Availability Across Zones ▪ Best Practices for Kubernetes Security
o Cloud Integration and Auditing ▪ Best Practices for Serverless Security
o Security Groups ▪ Zero Trust Networks
o Instance Awareness ▪ Organization/Provider Cloud Security Compliance Checklist
▪ Kubernetes Vulnerabilities and Solutions ▪ International Cloud Security Organizations
▪ Serverless Security Risks and Solutions ▪ Shadow Cloud Asset Discovery Tools
▪ Best Practices for Container Security ▪ Cloud Security Tools
▪ Best Practices for Docker Security ▪ Container Security Tools
▪ Best Practices for Kubernetes Security ▪ Kubernetes Security Tools
▪ Best Practices for Serverless Security ▪ Serverless Application Security Solutions
▪ Zero Trust Networks ▪ Cloud Access Security Broker (CASB)
▪ Organization/Provider Cloud Security Compliance Checklist ▪ CASB Solutions
▪ International Cloud Security Organizations ▪ Next-Generation Secure Web Gateway (NG SWG)
▪ Shadow Cloud Asset Discovery Tools
▪ Cloud Security Tools
▪ Container Security Tools
▪ Kubernetes Security Tools
▪ Serverless Application Security Solutions
▪ Cloud Access Security Broker (CASB)
o CASB Solutions
• Forcepoint CASB
▪ Next-Generation Secure Web Gateway (NG SWG)
o NG SWG Solutions

 

 

CEHv12 CEHv13
Module 20: Cryptography Module 20: Cryptography
Cryptography Concepts Cryptography Concepts and Encryption Algorithms
▪ Cryptography ▪ Cryptography
▪ Government Access to Keys (GAK) ▪ Government Access to Keys (GAK)
Encryption Algorithms ▪ Ciphers
▪ Ciphers ▪ Symmetric Encryption Algorithms
▪ Data Encryption Standard (DES) and Advanced Encryption Standard (AES) ▪ Data Encryption Standard (DES)
▪ RC4, RC5, and RC6 Algorithms ▪ Triple Data Encryption Standard (DES)
▪ Twofish and Threefish ▪ Advanced Encryption Standard (AES)
▪ Serpent and TEA ▪ RC4, RC5, and RC6 Algorithms
▪ CAST-128 ▪ Blowfish
▪ GOST Block Cipher and Camellia ▪ Twofish
▪ DSA and Related Signature Schemes ▪ Threefish
▪ Rivest Shamir Adleman (RSA) ▪ Serpent
▪ Diffie-Hellman ▪ TEA
▪ YAK ▪ CAST-128
▪ Message Digest (One-Way Hash) Functions ▪ GOST Block Cipher
o Message Digest Function: MD5 and MD6 ▪ Camellia
o Message Digest Function: Secure Hashing Algorithm (SHA) ▪ Asymmetric Encryption Algorithms
o RIPEMD – 160 and HMAC ▪ DSA and Related Signature Schemes
▪ Other Encryption Techniques ▪ Rivest Shamir Adleman (RSA)
o Post-quantum Cryptography ▪ Diffie–Hellman
o Lightweight Cryptography ▪ Elliptic Curve Cryptography (ECC)
▪ Comparison of Cryptographic Algorithms ▪ YAK
▪ Cipher Modes of Operation ▪ Message Digest (One-way Hash) Functions
o Electronic Code Book (ECB) Mode ▪ Message Digest Functions
o Cipher Block Chaining (CBC) Mode ▪ Message Digest Function: MD5 and MD6
o Cipher Feedback (CFB) Mode ▪ Message Digest Function: Secure Hashing Algorithm (SHA)
o Counter Mode ▪ RIPEMD-160
▪ Modes of Authenticated Encryption ▪ HMAC
o Authenticated Encryption with Message Authentication Code (MAC) ▪ CHAP
o Authenticated Encryption with Associated Data (AEAD) ▪ EAP
▪ Applications of Cryptography - Blockchain ▪ GOST – Hash Function
o Types of Blockchain ▪ Message Digest Functions Calculators

 

CEHv12 CEHv13
Cryptography Tools ▪ Multi-layer Hashing Calculators
▪ MD5 and MD6 Hash Calculators ▪ Hardware-Based Encryption
▪ Hash Calculators for Mobile ▪ Quantum Cryptography
▪ Cryptography Tools ▪ Other Encryption Techniques
▪ Cryptography Tools for Mobile ▪ Cipher Modes of Operation
Public Key Infrastructure (PKI) ▪ Modes of Authenticated Encryption
▪ Public Key Infrastructure (PKI) ▪ Cryptography Tools
o Certification Authorities Applications of Cryptography
o Signed Certificate (CA) Vs. Self Signed Certificate ▪ Public Key Infrastructure (PKI)
Email Encryption ▪ Certification Authorities
▪ Digital Signature ▪ Signed Certificate (CA) vs. Self-Signed Certificate
▪ Secure Sockets Layer (SSL) ▪ Digital Signature
▪ Transport Layer Security (TLS) ▪ Secure Sockets Layer (SSL)
▪ Cryptography Toolkits ▪ Transport Layer Security (TLS)
▪ Pretty Good Privacy (PGP) ▪ Cryptography Toolkits
▪ GNU Privacy Guard (CPG) ▪ Pretty Good Privacy (PGP)
▪ Web of Trust (WOT) ▪ GNU Privacy Guard (GPG)
▪ Encrypting Email Messages in Outlook ▪ Web of Trust (WOT)
o S/MIME Encryption ▪ Encrypting Email Messages in Outlook
o Microsoft 365 Message Encryption ▪ Signing/Encrypting Email Messages on Mac
▪ Signing/Encrypting Email Messages on Mac ▪ Encrypting/Decrypting Email Messages Using OpenPGP
▪ Encrypting/Decrypting Email Messages Using OpenPGP ▪ Email Encryption Tools
▪ Email Encryption Tools ▪ Disk Encryption
Disk Encryption ▪ Disk Encryption Tools
▪ Disk Encryption ▪ Disk Encryption Tools for Linux
▪ Disk Encryption Tools: VeraCrypt and Symantec Drive Encryption ▪ Disk Encryption Tools for macOS
▪ Disk Encryption Tools ▪ Blockchain
▪ Disk Encryption Tools for Linux Cryptanalysis
▪ Disk Encryption Tools for macOS ▪ Cryptanalysis Methods
Cryptanalysis ▪ Cryptography Attacks
▪ Cryptanalysis Methods ▪ Code Breaking Methodologies
o Quantum Cryptanalysis ▪ Brute-Force Attack
▪ Code Breaking Methodologies ▪ Birthday Attack
▪ Cryptography Attacks ▪ Birthday Paradox: Probability
o Brute-Force Attack ▪ Brute-Forcing VeraCrypt Encryption
o Birthday Attack ▪ Meet-in-the-Middle Attack on Digital Signature Schemes
o Birthday Paradox: Probability ▪ Side-Channel Attack
o Meet-in-the-Middle Attack on Digital Signature Schemes ▪ Hash Collision Attack

 

CEHv12 CEHv13
o Side-Channel Attack ▪ DUHK Attack
o Hash Collision Attack ▪ DROWN Attack
o DUHK Attack ▪ Rainbow Table Attack
o Rainbow Table Attack ▪ Related-Key Attack
o Related-Key Attack ▪ Padding Oracle Attack
o Padding Oracle Attack ▪ Attacks on Blockchain
o DROWN Attack ▪ Quantum Computing Risks
▪ Cryptanalysis Tools ▪ Quantum Computing Attacks
▪ Online MD5 Decryption Tools ▪ Cryptanalysis Tools
Cryptography Attack Countermeasures ▪ Online MD5 Decryption Tools
▪ How to Defend Against Cryptographic Attacks Cryptography Attack Countermeasures
▪ Key Stretching ▪ How to Defend Against Cryptographic Attacks
▪ Key Stretching

 

CEH v12 vs CEH v13 AI 

Back to blog