CEH Practical Exam Review

Anon Tuttu Venus
6 min read · Jul 12, 2020


Hey Guys!!!! It’s me, Anon Tuttu Venus, once again with a small writeup. This time it’s a certification review.

I am so happy that I have recently completed my C|EH Practical exam; since I already have the ANSI C|EH, I have received my C|EH Master certificate.

Started my exam at 6 PM IST and submitted it at 11:55 PM [ just 5 minutes before the end ].

EC-Council was offering a $550,000 Ethical Hacking Scholarship and I enrolled for it. After waiting 1 week to receive my scholarship, I needed to pay $99 to get it. Without wasting much time I enrolled.

Link to Scholarship: https://www.eccouncil.org/ethical-hacking-scholarship/

YOU NEED A GOOD INTERNET CONNECTION FOR THIS EXAM

Exam Difficulty Level: Medium [ if you don’t have the official iLabs content ]

Exam Difficulty Level: Easy [ if you have the official iLabs content and covered all topics ]

Now let’s dive into the content.

What is EC-Council’s CEH Practical?

It is a 6-hour practical exam built to exacting specifications by subject matter experts in the Ethical Hacking field. Professionals who hold the CEH credential can sit for the exam, which will test their limits in unearthing vulnerabilities across major operating systems, databases, and networks. Those who meet or exceed the required skill level earn the new industry-required certification: the CEH Practical certification (“Certified Ethical Hacker Master: CEH Master: EC-Council”).

What is the difference between CEH and CEH Practical?

The CEH exam (ANSI) is a multiple-choice exam consisting of 125 questions, with 4 hours to complete it, and is a closed-book test. The CEH Practical is a hands-on exam consisting of 20 challenges, with 6 hours to complete it, delivered through EC-Council’s Aspen iLabs environment, and is an open-book (open internet) test.

Exam Information

  • Certification Name: Certified Ethical Hacker (Practical)
  • Number of Practical Challenges: 20
  • Test Format: iLabs Cyber Range
  • Passing Score: 70%
  • Test Duration: 6 Hours

Exam Details:

  • The exam runs entirely in the iLabs environment, not on your own machine.
  • You access your iLabs machines from your browser.
  • You are provided with 2 machines, 1 Windows machine and 1 Kali box; there is no Internet access on these machines.
  • You can google things from your host, not from the VMs.
  • You are required to use both machines, because some questions relate to the Windows machine and others to the Kali machine.
  • The exam is open book, which means you can search on Google and refer to written notes as well, but you are not allowed to talk to anyone during the exam.
  • You need a webcam, headphones, and a microphone. They record the whole session.

What can you expect on the exam?

  • Vulnerability analysis to identify security loopholes in the target organization’s network, communication infrastructure, end systems, etc.
  • System hacking and steganography.
  • Network scanning to identify live and vulnerable machines in a network.
  • OS banner grabbing, service enumeration, and user enumeration.
  • Different types of cryptography attacks.
  • SQL injection attacks.
  • Packet sniffing.

Exam Preparation :

While I was preparing for the exam I didn’t have any idea what the questions would be or how tough the exam would be, because there were not many resources on the internet about preparing for it. I searched on LinkedIn for people who had completed CEH Practical and asked them about the exam. Steven Chan and Kamaljeet Sharma are the ones I found on LinkedIn, and they gave me an overview of the exam.

Preparation I took before the exam:

  1. Brushed up my Nmap skills — a must-have tool.
  2. Brushed up my sqlmap — another must-have tool.
  3. Brushed up skills on password brute-forcing tools — Hydra is my favorite.
  4. Brushed up wpscan skills — another must-have tool.
  5. Brushed up John the Ripper.
  6. Learned hashcat.
  7. Learned Wireshark — you must learn this.
  8. Learned Responder.
  9. Watched some Zero to Root videos — not required for the exam, but they will still give you many hints.
  10. Did some challenges on HTB — stego challenges.

You must learn Windows-based tools. When I prepared I hadn’t done that; I thought I could do everything on my Kali, but for some questions you need the Windows machine.

Some Resources :

  1. https://www.stationx.net/nmap-cheat-sheet/
  2. https://www.poftut.com/how-to-scan-wordpress-sites-with-wpscan-tutorial-for-security-vulnerabilities/
  3. https://www.hackingarticles.in/database-penetration-testing-using-sqlmap-part-1/
  4. https://securitytutorials.co.uk/brute-forcing-passwords-with-thc-hydra/
  5. https://linuxconfig.org/password-cracking-with-john-the-ripper-on-linux
  6. https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/
  7. https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/

My initial way of approaching the exam / vulnerable CTF boxes:

  1. netdiscover -i eth0 — this lists the machines available on our network. [ the interface may differ; on a VPN network it will be tun0 ]
  2. Once I have the IPs I run Nmap against all of them.
  3. nmap -p- 10.10.10.10 [ any IP ]

Once the above command finishes I have every open port on that target, and I run a second Nmap scan against just those ports. For example, if ports 443, 80, 53, 135, 8080 and 8888 are open, the command will be:

4. nmap -p443,80,53,135,8080,8888 -A -O -sV -sC -T4 -oN nmapOutput 10.10.10.10

This detects the OS version and service versions, runs the default Nmap scripts, and stores the output (note that -A already implies -O, -sV and -sC, so those flags are redundant here). Storing the output is very important; you may need to refer to it many times.
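To automate the two-stage scan described above, here is an added Python example (not from the original post): it parses the normal (-oN) output of the first full-port scan, keeps only the ports reported as open, and builds the second, targeted command. The scan output embedded in it is constructed sample text, not a real scan result; the target address and output filename are the ones used in the steps above. Because -A already enables -O, -sV and -sC, the generated command does not repeat them.

```python
import re
from typing import List

# Constructed sample of `nmap -p- -oN` normal output (not a real scan result).
SAMPLE_FIRST_PASS = """\
# Nmap 7.80 scan initiated as: nmap -p- -oN nmapFull 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.0012s latency).
Not shown: 65529 closed ports
PORT     STATE    SERVICE
53/tcp   open     domain
80/tcp   open     http
135/tcp  open     msrpc
443/tcp  open     https
8080/tcp open     http-proxy
8888/tcp filtered sun-answerbook
"""

# One port line of -oN output: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def open_ports(nmap_output: str) -> List[int]:
    """Return the sorted TCP ports reported as 'open'; filtered and closed ports are skipped."""
    return sorted(
        int(m.group(1))
        for m in PORT_LINE.finditer(nmap_output)
        if m.group(2) == "tcp" and m.group(3) == "open"
    )


def second_pass_command(target: str, ports: List[int], outfile: str = "nmapOutput") -> str:
    """Build the targeted version/script scan from the first pass's open ports."""
    if not ports:
        raise ValueError("no open ports found; nothing to scan in the second pass")
    port_arg = ",".join(str(p) for p in ports)
    # -A already turns on -O, -sV, -sC and traceroute, so they are not repeated.
    return f"nmap -p{port_arg} -A -T4 -oN {outfile} {target}"


if __name__ == "__main__":
    ports = open_ports(SAMPLE_FIRST_PASS)
    print("open ports:", ports)
    print(second_pass_command("10.10.10.10", ports))
```

In a real run you would read the first pass's -oN file into `open_ports` instead of the embedded sample; `-oX` plus an XML parser is the more robust choice for anything beyond a quick CTF workflow.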

5. While Nmap is running I open all the IPs in the browser to see whether any web service is running; if yes, I run gobuster or dirb.

gobuster -e -u http://10.10.10.10 -w wordlist.txt

dirb http://10.10.10.10 wordlist.txt

(The gobuster form above is the gobuster 2.x syntax; gobuster 3.x takes the mode as a subcommand: gobuster dir -e -u http://10.10.10.10 -w wordlist.txt)

6. If I find any login page I try SQLi manually:

admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

7. Brute-forcing services!! Making custom wordlists is always an added advantage, but make sure the service won’t go down or lock you out from trying again.

Some of the default password lists:

Making custom wordlist from website keywords:

  • cewl example.com -m 5 -w words.txt

where cewl is the tool, example.com is the site, -m specifies the minimum word length, and -w specifies the output file.

Some of the service brute force with hydra:

  • hydra -l root -P passwords.txt [-t 32] <IP> ftp
  • hydra -L usernames.txt -P pass.txt <IP> mysql
  • hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
  • hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
  • hydra -P common-snmp-community-strings.txt target.com snmp
  • hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
  • hydra -l root -P passwords.txt <IP> ssh
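The lockout warning above is the defender's side of the same picture: repeated failed logins are what a brute-force against SSH, FTP or RDP leaves behind. As an added example that is not from the original post, the following Python parses constructed sshd log lines (host name, users and addresses are made up) and flags any source address with five or more failed logins inside a one-minute window, also recording whether that source later logged in successfully. The syslog timestamps carry no year, so a year is assumed when parsing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sshd log lines in syslog format (not captured from a real host).
SAMPLE_AUTH_LOG = """\
Jul 12 18:00:01 host sshd[1201]: Failed password for root from 10.10.10.50 port 51001 ssh2
Jul 12 18:00:02 host sshd[1202]: Failed password for root from 10.10.10.50 port 51002 ssh2
Jul 12 18:00:02 host sshd[1203]: Failed password for invalid user admin from 10.10.10.50 port 51003 ssh2
Jul 12 18:00:03 host sshd[1204]: Failed password for root from 10.10.10.50 port 51004 ssh2
Jul 12 18:00:03 host sshd[1205]: Failed password for root from 10.10.10.50 port 51005 ssh2
Jul 12 18:00:04 host sshd[1206]: Accepted password for root from 10.10.10.50 port 51006 ssh2
Jul 12 18:05:00 host sshd[1300]: Failed password for bob from 192.168.1.20 port 40001 ssh2
Jul 12 18:09:00 host sshd[1301]: Accepted publickey for bob from 192.168.1.20 port 40002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$",
    re.MULTILINE,
)


def parse_ts(ts: str, year: int = 2020) -> datetime:
    """Syslog timestamps have no year; the caller supplies one (assumed 2020 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Flag source IPs with >= threshold failures inside a sliding window.

    Returns {src: {"failures": total_failed, "users": [...], "success_after": bool}}
    for flagged sources only; success_after is True when an accepted login from
    that source follows the burst, the classic sign that a guess succeeded.
    """
    events = sorted(
        (parse_ts(m["ts"]), m["result"], m["user"], m["src"]) for m in LINE.finditer(log)
    )
    recent: Dict[str, List[datetime]] = defaultdict(list)  # failure times inside the window
    total: Dict[str, int] = defaultdict(int)
    users: Dict[str, set] = defaultdict(set)
    success_after: Dict[str, bool] = defaultdict(bool)
    flagged = set()

    for ts, result, user, src in events:
        if result == "Failed":
            total[src] += 1
            users[src].add(user)
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:  # slide the window forward
                q.pop(0)
            if len(q) >= threshold:
                flagged.add(src)
        elif result == "Accepted" and src in flagged:
            success_after[src] = True

    return {
        src: {"failures": total[src], "users": sorted(users[src]),
              "success_after": success_after[src]}
        for src in sorted(flagged)
    }


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

The single failure from 192.168.1.20 never reaches the threshold and is not reported, while 10.10.10.50 is flagged on its fifth failure and then marked `success_after` when the accepted login arrives; that second signal is the one worth paging on.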

Searchsploit useful commands:

  • searchsploit “Linux Kernel”
  • searchsploit -m 7618 — copies (mirrors) the exploit into the current directory
  • searchsploit -p 7618[.c] — shows the full path to the exploit
  • searchsploit --nmap file.xml — searches for vulnerabilities matching the services in an Nmap XML result

RECON AND ENUMERATION ARE THE KEY!!!!!

GATHER AS MANY DETAILS AS YOU CAN!!!!!

GOOGLE IS YOUR BEST BUDDY!!!!!

Verify badge:

CEH Practical

CEH Master
