CEH v13 Detailed Notes Part I


Module 1: Introduction to Ethical Hacking

1. Definition of Ethical Hacking

  • Ethical Hacking is the legal and authorized process of probing systems, applications, and networks to uncover vulnerabilities that could be exploited by attackers.
  • Ethical hackers follow a structured methodology to simulate real-world attacks, identify weaknesses, and recommend fixes.
  • Key principle: The difference between an ethical hacker and a malicious hacker is consent and intent.
    • Ethical hacker: Has permission, works to improve security.
    • Malicious hacker: No permission, works for personal or financial gain.

2. History and Evolution of Hacking

  • 1960s–70s:
    • Early “hackers” were computer enthusiasts who experimented with mainframes and telephone systems (e.g., phone phreaking by John Draper aka Captain Crunch).
  • 1980s–90s:
    • First viruses (Brain, Michelangelo) and worms (Morris Worm).
    • Hacking shifted from curiosity to financial motives and cybercrime.
  • 2000s–Present:
    • Rise of cyber warfare, hacktivism, and organized cybercrime groups.
    • AI-based attacks, ransomware-as-a-service (RaaS), supply chain compromises, and cloud exploitation dominate the threat landscape.

3. Types of Hackers

  1. White Hat Hackers (Ethical Hackers)
    • Authorized professionals (pen testers, red teamers).
    • Help organizations strengthen defenses.
  2. Black Hat Hackers
    • Criminal hackers, unauthorized access, identity theft, ransomware, data breaches.
  3. Gray Hat Hackers
    • Operate between ethical and unethical boundaries.
    • May discover vulnerabilities without permission but disclose them responsibly.
  4. Other Subtypes:
    • Script Kiddies: Use ready-made tools/scripts without deep technical skill.
    • Hacktivists: Attack for political or social causes.
    • Nation-State Actors: Government-backed, highly resourced, focused on espionage and critical infrastructure.
    • Insiders: Disgruntled employees or contractors misusing privileges.

4. Five Phases of Ethical Hacking

(This is the core methodology tested heavily in CEH)

  1. Reconnaissance (Footprinting)
    • Collect information (DNS records, Whois, OSINT, social media, search engines).
    • Can be active (scanning) or passive (research only).
  2. Scanning and Enumeration
    • Identify live hosts, open ports, services, and system details.
    • Tools: Nmap, Nessus, Angry IP Scanner.
  3. Gaining Access
    • Exploit vulnerabilities to penetrate systems (password cracking, SQL injection, buffer overflows).
    • Objective: escalate privileges, exfiltrate data.
  4. Maintaining Access
    • Establish persistence using backdoors, Trojans, rootkits.
    • Goal: return later without detection.
  5. Covering Tracks
    • Clear logs, hide malware, erase tool footprints.
    • Prevent detection and forensic analysis.

5. Core Security Principles (CIA Triad + More)

  • Confidentiality: Protecting sensitive data from unauthorized access (encryption, ACLs).
  • Integrity: Ensuring accuracy and trustworthiness of information (hashing, digital signatures).
  • Availability: Ensuring data/services are accessible when needed (redundancy, failover, backups).

Additional Security Principles:

  • Authentication → Verifying identity (passwords, MFA, biometrics).
  • Authorization → Granting permissions after authentication.
  • Non-repudiation → Ensuring actions cannot be denied (logging, digital certificates).
  • Accountability → Tracking activities through audits and logs.

6. Security Terminology

  • Threat: Any potential danger to an asset.
  • Vulnerability: A weakness that could be exploited.
  • Exploit: A tool/technique used to take advantage of a vulnerability.
  • Risk: Probability × Impact of a threat exploiting a vulnerability.
  • Attack Surface: All possible entry points for an attacker.
  • Attack Vector: The path/means used to attack (phishing, malware, social engineering, cloud misconfigurations).

7. Common Attack Vectors in Modern Hacking

  • Phishing and Spear-Phishing (email/social engineering).
  • Malware Infections (viruses, ransomware, Trojans).
  • Web Exploits (SQL injection, XSS, CSRF).
  • Cloud Exploits (misconfigurations, shared responsibility loopholes).
  • IoT Exploits (weak authentication, default passwords).
  • Mobile Exploits (app vulnerabilities, rooting, jailbreaking).
  • Insider Threats (employees abusing privileges).
  • AI-Powered Attacks (deepfake social engineering, automated phishing).

8. Security Controls

Security is enforced using three major control types:

  1. Administrative Controls
    • Policies, security awareness training, background checks.
  2. Technical Controls
    • Firewalls, IDS/IPS, antivirus, DLP, encryption.
  3. Physical Controls
    • CCTV, locks, biometric access, guards.

By function:

  • Preventive (stop incidents → firewalls, locks).
  • Detective (identify incidents → IDS, monitoring).
  • Corrective (remediate damage → patches, backups).

9. Laws, Standards, and Ethics in Ethical Hacking

  • Need for Permission: Always operate under written scope of engagement.
  • Laws & Regulations:
    • CFAA (Computer Fraud and Abuse Act – USA).
    • GDPR (Europe) for data protection.
    • HIPAA (US healthcare).
    • PCI-DSS (credit card security).
    • IT Act 2000 (India).
  • Industry Standards: ISO 27001, NIST CSF, CIS Controls.

10. Key Terms and Concepts for CEH Exam

  • APT (Advanced Persistent Threat): Long-term, stealthy nation-state/organized attack.
  • Zero-day Exploit: Exploiting vulnerabilities not yet patched.
  • Botnet: Group of compromised devices controlled remotely.
  • Red Team: Offensive security (attackers).
  • Blue Team: Defensive security (defenders).
  • Purple Team: Collaboration between Red and Blue for maximum efficiency.
  • Threat Intelligence: Gathering data on potential/current threats.

Key Tips

  • Differences between White Hat, Black Hat, Gray Hat.
  • Five Phases of Ethical Hacking (must know order).
  • CIA Triad definitions with examples.
  • Risk, Threat, Vulnerability, Exploit definitions.
  • Categories of security controls.
  • Legal aspects → written permission requirement.
  • Modern attack vectors (cloud, IoT, AI).

Summary

Module 1 sets the foundation for CEH. It introduces ethical hacking, hacker types, core principles of information security, legal aspects, and the five-phase methodology. Most exam questions here are definition-based but some require you to identify scenarios (e.g., “John accesses a system without permission but later discloses the vulnerability responsibly. What type of hacker is he?” → Gray Hat).

Module 2: Footprinting and Reconnaissance

1. Introduction to Footprinting

  • Footprinting is the first phase of ethical hacking: systematically collecting information about a target to understand its security posture.
  • Aim: Create a digital blueprint of the target (organization, system, or person).
  • Helps attackers (and ethical hackers) to:
    • Identify potential entry points.
    • Plan targeted attacks.
    • Reduce guesswork in later phases (scanning, exploitation).

Two Major Categories:

  1. Passive Footprinting – Information gathered indirectly without touching target systems (e.g., Google search, job postings, social media).
  2. Active Footprinting – Direct interaction with the target (e.g., DNS queries, traceroute, network scanning).

2. Objectives of Footprinting

  • Know the target’s external security posture.
  • Identify domain names, IP ranges, technologies.
  • Gather employee names, emails, and roles for social engineering.
  • Discover network architecture & defenses.
  • Build an organization profile before active exploitation.

3. Footprinting Methodologies

Ethical hackers follow structured steps:

  1. Collect Target Information
    • Identify domain, subdomains, IP ranges, WHOIS info.
  2. Network Information Gathering
    • Find active IP blocks, ISPs, and network topology.
  3. System Information
    • OS types, services, and applications in use.
  4. Organizational Information
    • Employee details, business partners, vendors, cloud providers.
  5. Create a Target Profile
    • Combine collected data into a clear profile → foundation for scanning and exploitation.

4. Techniques of Footprinting

(A) Search Engines (Google Hacking / Dorking)

  • Using search operators to extract sensitive data.
  • Examples:
    • site:example.com filetype:pdf confidential
    • intitle:index of password
  • Tools: Google, Bing, DuckDuckGo, Shodan, Censys.

(B) WHOIS Lookup

  • Retrieves domain registration data:
    • Owner, registrar, DNS servers, contact details.
  • Tools: whois.domaintools.com, ICANN lookup.

(C) DNS Footprinting

  • Collect DNS records (A, MX, NS, TXT, CNAME, PTR).
  • Attempt DNS zone transfer (AXFR).
  • Tools: nslookup, dig, Fierce, DNSdumpster.

(D) Network Footprinting

  • Discover IP ranges, network blocks, and routing paths.
  • Tools: ARIN, RIPE, APNIC databases; traceroute, Path Analyzer Pro.

(E) Website Footprinting

  • Analyze target’s website for technologies and structure:
    • Server type, CMS, version numbers, plugins.
  • Tools: Wappalyzer, Netcraft, BuiltWith, HTTrack.

(F) Email and Employee Information Gathering

  • Email harvesting to plan phishing campaigns.
  • Tools: theHarvester, Hunter.io, Maltego.
  • Employee data via LinkedIn, Facebook, Twitter.

(G) Job Sites, Forums, and Press Releases

  • Job ads often reveal internal tech (e.g., “seeking admin with AWS, Splunk, Cisco ASA”).
  • Forums may leak employee posts or misconfigured credentials.

(H) Dark Web Reconnaissance

  • Search stolen credentials, leaked databases, and underground discussions.
  • Tools: Dehashed, HaveIBeenPwned, Dark web search engines.

5. Advanced Reconnaissance

  • OSINT (Open Source Intelligence) → Structured collection of publicly available data.
  • Social Engineering → Phishing, pretexting, impersonation to extract info.
  • Cloud Footprinting → Exposed AWS buckets, Azure blobs, or Google Drive shares.
  • IoT Device Discovery → Shodan searches for webcams, routers, SCADA systems.

6. Tools Used in Footprinting

  • Search & OSINT: Google Dorks, Shodan, Censys, Recon-ng.
  • Domain & Network: Whois, DNSstuff, ARIN/RIPE/APNIC, nslookup, dig.
  • Email Harvesting: theHarvester, Maltego, Hunter.io.
  • Website Analysis: Netcraft, Wappalyzer, BuiltWith, WhatWeb.
  • Visualization: Maltego, SpiderFoot.

7. Countermeasures Against Footprinting

Organizations can limit exposure by:

  • WHOIS Privacy → Use registrar privacy services.
  • Restrict DNS Zone Transfers → Allow only authorized DNS servers.
  • Limit Public Information → Avoid publishing sensitive details on websites, press releases, and job portals.
  • Email Obfuscation → Use contact forms instead of posting direct addresses.
  • Firewall & IPS/IDS Deployment → Detect unusual requests and probing.
  • Employee Training → Prevent oversharing on social media and falling for social engineering.
  • Continuous OSINT Monitoring → Use threat intelligence tools to detect exposed data.
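The DNS footprinting technique in (C) and the countermeasures above both come down to one question for a defender: what does our public zone give away? The script below is an added example (not part of the CEH notes): it parses a constructed zone excerpt of the kind an unrestricted AXFR would return, counts records by type, flags A records that leak RFC 1918 addresses, flags hostnames that advertise internal systems, and checks the SPF/DMARC TXT records. The zone data, example.com and the 203.0.113.x / 10.x addresses are placeholders; the "sensitive label" list is an assumption you would tune to your own naming scheme.

```python
"""Review a public DNS zone export for what a footprinter would harvest from it.

Added example, not taken from the CEH notes. The zone below is CONSTRUCTED:
example.com, 203.0.113.0/24 (documentation range) and 10.0.0.0/8 (RFC 1918)
are placeholders, not real infrastructure.
"""
import ipaddress
import re
from collections import Counter

# Constructed zone-file excerpt ("owner TTL IN TYPE rdata"), roughly what an
# unrestricted zone transfer would return to anyone who asked for it.
SAMPLE_ZONE = """\
example.com.             3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300
example.com.             3600 IN NS    ns1.example.com.
example.com.             3600 IN NS    ns2.example.com.
example.com.             3600 IN MX    10 mail.example.com.
example.com.             3600 IN TXT   "v=spf1 mx include:_spf.example.net ~all"
_dmarc.example.com.      3600 IN TXT   "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
www.example.com.         3600 IN A     203.0.113.10
mail.example.com.        3600 IN A     203.0.113.25
vpn.example.com.         3600 IN A     203.0.113.40
dev-jenkins.example.com.  300 IN A     10.20.30.40
intranet.example.com.     300 IN CNAME dev-jenkins.example.com.
"""

# RFC 1918 space is checked explicitly (ipaddress.is_private also covers the
# 203.0.113.0/24 documentation range, which would muddy this demo).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed first-label substrings that advertise internal or administrative systems.
SENSITIVE_LABELS = ("vpn", "dev", "test", "staging", "intranet", "jenkins", "admin", "backup")


def parse_zone(text):
    """Parse zone lines into (owner, type, rdata); blanks and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        records.append((owner.lower().rstrip("."), rtype.upper(), rdata))
    return records


def find_private_addresses(records):
    """A records pointing into RFC 1918 space leak internal addressing via public DNS."""
    leaks = []
    for owner, rtype, rdata in records:
        if rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in RFC1918):
                leaks.append((owner, rdata))
    return leaks


def find_sensitive_names(records):
    """Owner names whose first label hints at infrastructure an outsider should not learn of."""
    found = set()
    for owner, _, _ in records:
        first_label = owner.split(".")[0]
        if any(tag in first_label for tag in SENSITIVE_LABELS):
            found.add(owner)
    return sorted(found)


def check_mail_policy(records):
    """Flag SPF records that do not end in '-all' and DMARC records with p=none."""
    findings = []
    for owner, rtype, rdata in records:
        if rtype != "TXT":
            continue
        txt = rdata.strip('"')
        if txt.startswith("v=spf1"):
            last = txt.split()[-1]
            if last != "-all":  # ~all / ?all / +all leave spoofed mail deliverable
                findings.append(f"{owner}: SPF ends with '{last}', not '-all'")
        elif txt.startswith("v=DMARC1") and re.search(r"\bp=none\b", txt):
            findings.append(f"{owner}: DMARC policy is p=none (monitor only)")
    return findings


def review(text):
    """Run every check over one zone export and return a single report dict."""
    records = parse_zone(text)
    return {
        "record_counts": dict(Counter(rtype for _, rtype, _ in records)),
        "private_addresses": find_private_addresses(records),
        "sensitive_names": find_sensitive_names(records),
        "mail_policy": check_mail_policy(records),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_ZONE).items():
        print(f"{key}: {value}")
```

Run it against your own zone export (the output of your DNS provider's export or an AXFR you performed against your own primary) rather than the sample; every finding maps to a countermeasure above: private addresses and internal hostnames belong in a split-horizon internal view, and the mail records are what a spear-phisher checks before deciding whether to spoof your domain.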

8. Important Terms

  • Footprinting: Pre-attack reconnaissance process.
  • Active vs Passive: Whether the attacker interacts with the target directly.
  • Zone Transfer: Copying DNS zone files (should be blocked).
  • Google Dorking: Special queries to find exposed files/info.
  • OSINT: Gathering data from public sources.

9. Sample Attack Scenario

  1. Hacker does a WHOIS lookup → gets DNS server details.
  2. Runs dig axfr → retrieves complete DNS records.
  3. Collects employee emails via theHarvester.
  4. Finds LinkedIn profiles → maps IT team members.
  5. Crafts spear-phishing emails → gains credentials → next step: scanning and exploitation.

Key Tips

  • Be able to differentiate Active vs Passive footprinting.
  • Remember DNS record types:
    • A = Host address
    • MX = Mail exchange
    • NS = Name server
    • TXT = Miscellaneous info (SPF, DKIM)
  • Tools frequently tested: theHarvester, Maltego, Shodan, Whois, Nslookup, Dig, Recon-ng.
  • Sample Question Types:
    • “Which tool is best for email harvesting?” → theHarvester.
    • “Which footprinting technique involves using Google advanced operators?” → Google Dorking.
    • “What type of footprinting gathers information without engaging the target system?” → Passive footprinting.
    • “What is the main risk of unrestricted DNS zone transfers?” → Full disclosure of DNS records.

Summary

Footprinting and reconnaissance are about information gathering before exploitation. Attackers use search engines, DNS, WHOIS, network analysis, email harvesting, and OSINT to build a profile of the target. Defenders must minimize their digital footprint, enforce security policies, and monitor external exposure.

Module 3: Scanning Networks

1. Introduction to Scanning

  • Scanning = Active information gathering performed after footprinting.
  • Purpose: Identify live systems, open ports, running services, OS details, and vulnerabilities.
  • Why important?
    • Attackers use it to create an attack roadmap.
    • Ethical hackers use it for penetration testing & security assessments.

Footprinting = “What exists?”
Scanning = “Where and how can I enter?”

2. Goals of Network Scanning

  1. Discover live hosts in the target network.
  2. Identify open ports and their service states.
  3. Detect running services/applications on those ports.
  4. Perform OS fingerprinting (determine OS type/version).
  5. Detect firewalls, IDS/IPS, filtering mechanisms.
  6. Map the network structure to plan further exploitation.

3. Types of Scanning

(A) Network Scanning

  • Identifies active hosts.
  • Techniques:
    • Ping sweep (ICMP echo requests).
    • ARP scan (local subnet host discovery).
    • Traceroute scanning (maps hops and devices).
  • Tools: Nmap (-sn), Angry IP Scanner.

(B) Port Scanning

  • Discovers open, closed, or filtered ports.
  • Port States:
    • Open: Accepting connections.
    • Closed: No service, but reachable.
    • Filtered: Blocked by firewall or ACL.
  • Example: Open port 22 = SSH, port 80 = HTTP.

(C) Service/Version Detection

  • Identifies applications and versions.
  • Useful for finding vulnerable versions.
  • Tools: Nmap (-sV), Netcat.

(D) OS Fingerprinting

  • Detects Operating System using TCP/IP stack signatures.
  • Active Fingerprinting: Sends crafted packets and observes replies (e.g., Nmap -O).
  • Passive Fingerprinting: Observes network traffic (e.g., p0f).

(E) Vulnerability Scanning

  • Detects known weaknesses.
  • Tools: Nessus, OpenVAS, Nexpose, Qualys.

4. Scanning Methodology

Standard Ethical Hacking Scanning Workflow

  1. Check for live hosts (ping sweep, ARP scan).
  2. Identify open ports (TCP/UDP scans).
  3. Perform service detection (banner grabbing).
  4. Do OS fingerprinting.
  5. Scan for vulnerabilities.
  6. Draw network topology.
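The same workflow is what a defender runs against their own perimeter, and the useful output is not the port list itself but the difference between it and what is supposed to be listening. The script below is an added example (not from the CEH notes or from the Nmap project): it parses a constructed Nmap XML report of the kind `nmap -sS -sV -oX report.xml` produces, keeps only the ports whose state is open, compares them with an assumed approved-exposure baseline, and lists open clear-text services. The hosts, ports, versions and baseline are placeholders.

```python
"""Audit an Nmap XML report against an approved-exposure baseline.

Added example, not from the CEH notes. The XML is CONSTRUCTED to mimic the
nmaprun format written by `nmap -sS -sV -oX report.xml`; hosts, ports and
versions are illustrative placeholders, not a real scan result.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX report.xml 203.0.113.8/29">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/>
        <service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.7.42"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
        <service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline: the (protocol, port) pairs change management says each
# host may expose. Anything open beyond this is drift or a rogue service.
BASELINE = {
    "203.0.113.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "203.0.113.11": {("tcp", 22)},
}

# Clear-text protocols that should not be reachable from an untrusted network.
CLEARTEXT_SERVICES = {"telnet", "ftp"}


def parse_open_ports(xml_text):
    """Return {ip: [(proto, port, service, product, version), ...]} for OPEN ports only.

    Filtered and closed ports are dropped: the audit is about what is reachable.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            entries.append((port.get("protocol"), int(port.get("portid")),
                            get("name", ""), get("product", ""), get("version", "")))
        result[addr_el.get("addr")] = entries
    return result


def find_drift(open_ports, baseline):
    """Return (unexpected, missing): open pairs not in the baseline, and baseline
    pairs not found open (service down or firewalled off)."""
    unexpected, missing = {}, {}
    for ip, entries in open_ports.items():
        seen = {(proto, port) for proto, port, *_ in entries}
        allowed = baseline.get(ip, set())
        if seen - allowed:
            unexpected[ip] = sorted(seen - allowed)
        if allowed - seen:
            missing[ip] = sorted(allowed - seen)
    return unexpected, missing


def cleartext_services(open_ports):
    """(ip, port, service) triples for open clear-text protocols."""
    return sorted((ip, port, name) for ip, entries in open_ports.items()
                  for _proto, port, name, *_ in entries if name in CLEARTEXT_SERVICES)


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_NMAP_XML)
    unexpected, missing = find_drift(ports, BASELINE)
    print("unexpected:", unexpected)
    print("missing:", missing)
    print("clear-text:", cleartext_services(ports))
```

Note what the parser deliberately ignores: the filtered port 25 on the first host is not "drift" because nothing is reachable there, while the open MySQL port is, whether or not the database itself is patched. Feed a real `-oX` file to `parse_open_ports` and keep the baseline in version control so each scheduled scan produces a diff rather than a fresh port list to read.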

5. Port Scanning Techniques (Nmap Focus)

TCP Scans:

  • TCP Connect Scan (-sT)
    • Completes 3-way handshake.
    • Easy to detect in logs.
  • SYN Scan / Half-Open Scan (-sS)
    • Sends SYN, waits for SYN-ACK, then sends RST.
    • Stealthier, faster.
    • Most popular scan.

UDP Scan (-sU):

  • Checks UDP-based services (DNS, SNMP, TFTP).
  • Slower, since there is no handshake to confirm a response.
  • Often uses ICMP Port Unreachable messages.

Stealth/Advanced Scans:

  • ACK Scan (-sA) – Maps firewall rules (filtered vs unfiltered).
  • FIN Scan (-sF), Null Scan (-sN), Xmas Scan (-sX)
    • Rely on RFC 793 behaviour: closed ports reply with RST, open ports silently drop the probe.
    • Stealthy, bypass some firewalls.
  • Idle Scan (-sI) – Uses a third-party zombie host for full stealth.
  • Fragmentation Scan (-f) – Splits packets into fragments to bypass firewalls.

6. Banner Grabbing

  • Technique to detect service versions.
  • Active: Sends custom requests (e.g., nc <IP> 80).
  • Passive: Captures banners in traffic.
  • Example:
    • Telnet to port 25 may return 220 mail.example.com ESMTP Postfix 2.3.

7. Scanning Tools

  • Nmap → #1 tool for scanning (port discovery, service detection, OS fingerprinting, NSE scripts).
  • Netcat → Banner grabbing, port scanning, backdoors.
  • Hping3 → Custom packet crafting, firewall evasion.
  • Masscan → Fast Internet-wide scanning.
  • Unicornscan → Asynchronous port scanning.
  • Angry IP Scanner → GUI-based host scanner.
  • Vulnerability Scanners: Nessus, OpenVAS, Qualys, Nexpose.

8. Evasion Techniques (Anti-IDS/IPS Scanning)

Attackers try to avoid detection by:

  • IP Spoofing → Fakes source IP.
  • Decoy Scan (-D) → Sends traffic from multiple fake IPs.
  • Fragmentation (-f) → Splits packets into smaller fragments.
  • Timing options (-T0 to -T5) → Slow timings (-T0, -T1) spread probes out to stay under alert thresholds.
  • Anonymization → Tor, proxy chains, VPNs.

9. Countermeasures (Defensive Actions)

  • Configure firewalls & ACLs to block unnecessary ports.
  • Disable unused services & ports.
  • Block or restrict ICMP traffic (prevents ping sweeps).
  • Deploy IDS/IPS to detect scan attempts.
  • Use honeypots to mislead scanners.
  • Patch management → Keep services updated.
  • Log monitoring & alerting → Detect unusual scan patterns.
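Log monitoring is the one countermeasure above that also catches the "stealth" scans from section 5, because a FIN, Null or Xmas probe to a closed port still hits the firewall log even though no handshake ever completes. The script below is an added example (not from the CEH notes): it parses constructed firewall drop lines written in an iptables-like format, names each probe by its TCP flag set, and alerts on any source that touches at least ten distinct ports inside a sliding window. The sample contains one fast Xmas scan, one slow SYN scan and one legitimate client, so it also shows the caveat from the evasion section: a 60-second window catches the fast scan but a -T0-style slow scan only shows up when the window is widened. Addresses are documentation ranges and the log format, sources and timings are invented.

```python
"""Spot port-scan patterns in firewall drop logs, including TCP-flag probe types.

Added example, not from the CEH notes. SAMPLE_LOG is CONSTRUCTED below in an
iptables-like format; the addresses (198.51.100.x, 192.0.2.x, 203.0.113.x)
are documentation ranges, and the sources and timings are invented to show one
fast Xmas scan, one slow SYN scan and one legitimate client.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)(?P<rest>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def _line(ts, src, dport, flags):
    """Build one constructed log line in the style of an iptables LOG rule."""
    tokens = " ".join(list(flags) + ["URGP=0"])
    return (f"{ts:%Y-%m-%dT%H:%M:%S} fw kernel: [FW-DROP] IN=eth0 SRC={src} "
            f"DST=203.0.113.10 PROTO=TCP SPT=40001 DPT={dport} {tokens}")


T0 = datetime(2024, 5, 1, 10, 0, 0)
SLOW_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG = (
    # fast Xmas scan: 15 ports in 15 seconds from one source
    [_line(T0 + timedelta(seconds=i), "198.51.100.7", p, ["FIN", "PSH", "URG"])
     for i, p in enumerate(range(1, 16))]
    # slow SYN scan (think -T0): one port every five minutes
    + [_line(T0 + timedelta(seconds=300 * i), "198.51.100.9", p, ["SYN"])
       for i, p in enumerate(SLOW_PORTS)]
    # legitimate client retrying HTTPS
    + [_line(T0 + timedelta(seconds=5 + i), "192.0.2.5", 443, ["SYN"]) for i in range(3)]
)


def parse_line(line):
    """Return {ts, src, dst, dport, flags} or None if the line is not a TCP drop."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = {tok for tok in m.group("rest").split() if tok in TCP_FLAGS}
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
            "src": m.group("src"), "dst": m.group("dst"),
            "dport": int(m.group("dport")), "flags": flags}


def classify_probe(flags):
    """Name the probe by its flag set, matching the scan types in the notes."""
    f = frozenset(flags)
    if not f:
        return "null"          # no flags at all (Nmap -sN)
    if f == {"FIN", "PSH", "URG"}:
        return "xmas"          # FIN/PSH/URG set (Nmap -sX)
    if f == {"FIN"}:
        return "fin"           # Nmap -sF
    if f == {"SYN"}:
        return "syn"           # half-open (-sS) or an ordinary connect attempt
    if f == {"ACK"}:
        return "ack"           # firewall-mapping probe (-sA)
    return "other"


def detect_port_scans(events, window_seconds=60, port_threshold=10):
    """Alert on any source that touches >= port_threshold distinct ports within a
    sliding window. Returns {src: {"distinct_ports": peak, "probe_types": [...]}}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        window, in_window, peak = deque(), Counter(), 0
        for ev in evs:
            window.append(ev)
            in_window[ev["dport"]] += 1
            # drop events that have aged out of the window
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                old = window.popleft()
                in_window[old["dport"]] -= 1
                if in_window[old["dport"]] == 0:
                    del in_window[old["dport"]]
            if len(in_window) >= port_threshold:
                peak = max(peak, len(in_window))
        if peak:
            alerts[src] = {"distinct_ports": peak,
                           "probe_types": sorted({classify_probe(e["flags"]) for e in evs})}
    return alerts


if __name__ == "__main__":
    events = [e for e in map(parse_line, SAMPLE_LOG) if e]
    print("60 s window:  ", detect_port_scans(events, 60))
    print("3600 s window:", detect_port_scans(events, 3600))
```

The flag classification is what turns a generic "many ports from one source" alert into something an analyst can act on: a burst of Xmas or Null probes has no legitimate explanation, whereas a burst of SYNs might be a misconfigured monitor. The second run with a one-hour window is the point of the timing caveat: widen the window (or count distinct ports per source per day) or a patient scanner never crosses the threshold.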

Key Tips

  • Ping Sweep → Detect live hosts.
  • SYN Scan → Half-open stealth scan.
  • ACK Scan → Firewall mapping.
  • Xmas Scan → Stealth scan using FIN/URG/PSH flags.
  • Zombie Scan → Idle host used for stealth scanning.
  • Banner Grabbing → Service & version identification.

Summary

  • Scanning is the bridge between reconnaissance and exploitation.
  • Attackers use it to enumerate hosts, services, ports, and vulnerabilities.
  • Tools like Nmap, Netcat, Hping3, Masscan dominate scanning tasks.
  • Defenders must implement firewalls, IDS/IPS, honeypots, patching, and monitoring to mitigate risks.

Closing Insights

Module 1 gives big picture awareness of hacking.

Module 2 focuses on information collection (without touching the target much).

Module 3 goes deeper into active probing (interacting with the target network).

Together, they form the first 3 stages of an attack lifecycle:

  1. Understand & define the battlefield (Module 1).
  2. Collect intelligence (Module 2).
  3. Probe for weaknesses (Module 3).

Memory Hack (Exam Quick Recall):

M1 → Who & Why (Hacker types, CIA triad).

M2 → What can I find out silently (Recon).

M3 → What can I touch actively (Scanning).
