Introduction (Modules 4–6)

Modules 4–6 of CEH v13 take us from understanding how attackers enumerate systems (gathering detailed system-level data) all the way to actively hacking into those systems and maintaining stealthy access.

Module 4 – Enumeration:
This is the bridge between scanning and exploitation. Once attackers identify open services (from scanning), they enumerate deeper details—usernames, groups, shares, SNMP data, banners, DNS records, etc. Enumeration gives the “blueprint” of the target’s internal structure.

Module 5 – Vulnerability Analysis:
With gathered data, attackers (and defenders) must identify which weaknesses exist and how severe they are. This module focuses on vulnerability scanning tools, scoring systems like CVSS, and reporting. It shifts from raw data → prioritized risks.

Module 6 – System Hacking:
This is where an attacker moves from reconnaissance into hands-on exploitation. They gain access, escalate privileges, execute malicious tasks, hide activity, and ensure persistence. This represents the core of real-world attacks and is crucial for penetration testers and red teams to simulate, and defenders to block.

Module 4: Enumeration

1. Introduction to Enumeration

• Definition:
  Enumeration is the process of extracting detailed information from target systems, applications, and services by actively engaging with them.
• Why it matters:
  After scanning (finding open ports), enumeration digs deeper into those services to pull sensitive data such as:
  • Usernames & groups
  • Machine names
  • Network shares
  • Service banners & versions
  • Policies (e.g., password restrictions, lockouts)
• Role in attack lifecycle:
  • Footprinting → Scanning → Enumeration → Exploitation
  • Enumeration bridges the gap between “where to attack” and “how to attack.”

2. Information Revealed During Enumeration

• User accounts & groups (important for brute force / privilege escalation).
• Network resources & shared folders.
• Service configurations & banners.
• Operating system details.
• System policies (password rules, account lockouts).
• Routing tables & network topology.
• SNMP data (device configs, interfaces).

⚠️ Key Exam Tip: Enumeration is often the first step where attackers begin to leave logs and traces, because it requires active interaction.

3. Common Enumeration Protocols & Services

3.1 NetBIOS / SMB Enumeration

• Port(s): 137/138 (NetBIOS), 139/445 (SMB).
• What it reveals:
  • List of users, groups, machines.
  • Shared folders/printers.
  • Security policies.
• Tools:
  • Windows: nbtstat, net view, Hyena.
  • Linux: enum4linux, rpcclient, smbmap.
• Attack use case:
  • Gaining knowledge of file shares → staging for data theft.

3.2 SNMP Enumeration

• Port(s): UDP 161 (queries), 162 (traps).
• What it reveals:
  • Device details (name, description, interfaces).
  • Routing tables.
  • ARP tables.
  • System uptime & running processes.
• Weakness:
  • SNMPv1 & v2 use plaintext “community strings” (default: public, private).
• Tools:
  • snmpwalk, snmp-check, SolarWinds.
• Exam Reminder: Always think default community strings → attacker goldmine.

3.3 LDAP Enumeration

• Port(s): 389 (LDAP), 636 (LDAPS).
• What it reveals:
  • Directory data: users, groups, policies.
  • Active Directory structure.
• Tools:
  • Softerra LDAP Browser, ldapsearch, ADExplorer.
• Attack use case:
  • Enumerating users & groups for targeted brute force or Kerberos attacks.

3.4 NFS Enumeration

• Port(s): 2049.
• What it reveals:
  • Exported file systems.
  • Mountable directories.
• Tools:
  • showmount -e target, Nmap NSE.
• Risk: Misconfigured NFS shares → attacker mounts & steals files.

3.5 SMTP Enumeration

• Port(s): 25 (SMTP), 465 (SMTPS), 587 (Submission).
• What it reveals:
  • Valid user accounts (via VRFY, EXPN, RCPT TO).
• Tools:
  • Nmap NSE SMTP scripts, Metasploit auxiliary modules.
• Attack use case:
  • Building a valid email/user list → brute force or phishing.

3.6 DNS Enumeration

• Port(s): 53.
• What it reveals:
  • DNS records (A, MX, TXT, NS, PTR).
  • Entire zone data if misconfigured.
• Technique: Attempt a zone transfer (AXFR) from secondary DNS.
• Tools:
  • nslookup, dig, DNSRecon, Fierce.
• Exam Tip: Zone transfer = complete DNS leakage (very common CEH test question).

3.7 Other Services

• Telnet (23): Banner grabbing, default login attempts.
• FTP (21): Anonymous login, directory listing.
• RDP (3389): Valid username detection (lockout errors).
• Kerberos (88): User enumeration in Active Directory.
• SIP (5060): VoIP account discovery.

4. Enumeration Techniques

• Banner Grabbing: Collect service & version info.
• Default Credentials: Test default usernames/passwords.
• Brute Force/Dictionaries: Try common account names.
• Zone Transfers: For DNS servers.
• SNMP Brute Force: Using community string wordlists.
• LDAP queries: Extracting directory info.

5. Tools for Enumeration

• Windows: Nbtstat, NetBIOS tools, Hyena.
• Linux: enum4linux, rpcclient, smbmap.
• Cross-platform:
  • Nmap NSE (scripts for SNMP, LDAP, SMB, SMTP).
  • Nessus / OpenVAS (vulnerability scanning + enumeration).
  • Metasploit auxiliary modules.
• Cloud/SaaS enumeration:
  • AWS CLI (list buckets, IAM users).
  • Azure AD enumeration tools.

6. Countermeasures

• Disable unnecessary services (NetBIOS, SMBv1, SNMPv1/v2).
• Change defaults (community strings, admin accounts).
• Strong Authentication: Complex passwords + MFA.
• Restrict Access: Segment networks, firewall filtering.
• Monitor Logs: Detect failed queries & enumeration attempts.
• DNS Security: Disable AXFR (zone transfer) unless required.
• Least Privilege: Restrict account rights.

7. Real-world Example

• An attacker finds port 161 (SNMP) open during scanning.
• Enumeration with snmpwalk reveals community string “public.”
• Extracted routing table shows entire network topology.
• Attacker now knows exact internal IP structure, making lateral movement easier.

8. Key Takeaways

• Enumeration = active probing for deeper system info.
• Critical stage for building an attack roadmap.
• More invasive than scanning → higher chance of detection.
• CEH Exam Focus:
  • Know which protocol reveals what.
  • Recognize tools used for enumeration.
  • Understand countermeasures (disable services, secure configs).

9. Memory Hook

• Footprinting (M2): I know your public info.
• Scanning (M3): I know your open doors.
• Enumeration (M4): I know your users & secrets.

Module 5: Vulnerability Analysis

1. Understanding Vulnerability Analysis

• Definition:
  Vulnerability Analysis is the process of systematically identifying, classifying, and prioritizing security weaknesses across IT assets.
• Goal:
  • Discover security gaps before attackers do.
  • Provide actionable insights for patching and mitigation.
• Why It Matters:
  • Organizations run complex systems → vulnerabilities are inevitable.
  • A single unpatched flaw can lead to catastrophic breaches (e.g., Equifax breach via Apache Struts vulnerability).

2. Difference Between Vulnerability Analysis & Penetration Testing

💡 Exam Tip: CEH often asks: “Which phase identifies system weaknesses without exploiting them?” → Answer: Vulnerability Analysis.

3. Types of Vulnerabilities

1. Host-based
   • Outdated OS patches.
   • Weak user accounts, default passwords.
   • Unnecessary services (FTP, Telnet).
2. Network-based
   • Open/unused ports.
   • Poorly configured firewalls/routers.
   • Weak encryption protocols (e.g., SSL v2, WEP).
3. Application-level
   • OWASP Top 10 flaws (SQL injection, XSS, insecure deserialization).
   • Poor session management.
   • Missing input validation.
4. Database-level
   • Default DB credentials.
   • SQL injection vulnerabilities.
   • Lack of least privilege.
5. Cloud-based
   • Misconfigured S3 buckets (public data exposure).
   • Weak IAM roles.
   • Overly permissive firewall security groups.
6. Zero-day
   • Unknown vulnerabilities (no vendor patch yet).
   • High risk since attackers exploit before defenders know.

4. Vulnerability Analysis Process

Step 1: Planning & Scoping

• Define systems in-scope (servers, apps, IoT, cloud).
• Determine scanning frequency (monthly, quarterly).
• Establish rules of engagement.

Step 2: Information Gathering

• Collect target info from CVE databases, vendor advisories, and threat intelligence.

Step 3: Vulnerability Detection

• Automated tools (Nessus, OpenVAS, Qualys).
• Manual verification (config reviews, code review).

Step 4: Analysis & Verification

• Validate scanner results.
• Remove false positives (e.g., flagged SSL cert that’s actually secure).

Step 5: Risk Classification

• Assign severity using CVSS or organizational risk models.

Step 6: Reporting

• Vulnerability details:
  • Description.
  • Impact (confidentiality, integrity, availability).
  • CVSS score.
  • Proof (screenshots/logs).
  • Recommended fixes.

Step 7: Remediation & Revalidation

• Apply patches, change configs, disable unused services.
• Re-scan to confirm fix.

5. Vulnerability Scoring Systems

1. CVSS (Common Vulnerability Scoring System)
   • Standard scoring framework (0–10 scale).
   • Categories:
     • Low (0–3.9)
     • Medium (4.0–6.9)
     • High (7.0–8.9)
     • Critical (9.0–10.0)
   • Factors considered:
     • Attack Vector (local/remote).
     • Attack Complexity (low/high).
     • Privileges required.
     • Impact on CIA triad.
2. CVE (Common Vulnerabilities and Exposures)
   • Unique identifier for each known vulnerability (e.g., CVE-2017-0144 → EternalBlue).
3. NVD (National Vulnerability Database)
   • Maintains CVE entries + CVSS scoring.
4. OWASP Risk Rating
   • Web/app-focused scoring system.
   • Considers exploitability and business impact.

6. Vulnerability Analysis Tools

• Network Scanning Tools:
  • Nessus, Nexpose, OpenVAS, Qualys.
• Web Vulnerability Tools:
  • Burp Suite, Acunetix, Nikto, Netsparker.
• Database Tools:
  • SQLMap, AppDetective, DbProtect.
• Cloud Security Tools:
  • ScoutSuite, Prowler, Prisma Cloud.
• Exploit Verification:
  • Metasploit, Exploit-DB.

💡 Exam Tip: Nessus and OpenVAS are the most frequently mentioned vulnerability scanners.

7. Challenges in Vulnerability Analysis

• False Positives: Wastes remediation effort.
• False Negatives: Leaves real threats undetected.
• Zero-day Attacks: Scanners can’t detect unknown flaws.
• Large Attack Surface: Complex environments (cloud + IoT + on-prem).
• Prioritization Issues: Too many vulnerabilities vs. limited resources.

8. Best Practices for Vulnerability Management

• Maintain asset inventory (know what to scan).
• Run regular automated scans.
• Cross-check findings with threat intelligence feeds.
• Integrate into DevSecOps pipelines (continuous scanning in CI/CD).
• Implement patch management lifecycle.
• Apply network segmentation to contain risks.
• Re-test after remediation.

9. Real-World Example

• Vulnerability Scan → Nessus identifies SMB v1 enabled on Windows Server.
• CVE Reference → CVE-2017-0144 (EternalBlue).
• Risk → Exploitable by WannaCry ransomware → Remote Code Execution.
• Remediation → Disable SMBv1 + apply Microsoft patch MS17-010.
• Lesson → Regular scanning could prevent ransomware outbreaks.

10. Key Takeaways

• Vulnerability Analysis = early detection of security weaknesses.
• CVSS scoring helps prioritize fixes.
• Scanners are powerful, but manual validation is essential.
• Must be continuous, not one-time.
• CEH Exam will test:
  • Tools (Nessus, OpenVAS).
  • CVSS/CVE concepts.
  • Process flow (scan → verify → report → remediate).
  • Difference from pentesting.

Memory Hook:

• Footprinting = What do I know about you?
• Scanning = What’s open?
• Enumeration = Who’s there?
• Vulnerability Analysis = What’s weak?

Module 6: System Hacking

1. Overview

• System Hacking = post-exploitation phase.
• It covers breaking into a system, escalating rights, running malicious tasks, hiding evidence, and persisting.
• A successful attacker often goes through these five pillars:
  1. Gaining Access
  2. Privilege Escalation
  3. Executing Applications
  4. Hiding Files / Covering Tracks
  5. Maintaining Access

This is where attackers actually “own” the system.
Defenders must understand these methods to design prevention and detection strategies.

2. Step 1 – Gaining Access

• Objective: Break initial barrier and log into the system.
• Techniques:
  • Password Attacks
    • Dictionary Attack → Uses a list of common words.
    • Brute Force → Exhaustive trial of all combinations (slow but guaranteed).
    • Hybrid → Combines dictionary + brute force (e.g., appending numbers/symbols).
    • Password Spraying → One common password tried against many accounts (avoids lockouts).
    • Credential Stuffing → Leverages leaked/stolen credentials on other systems.
  • Exploiting Vulnerabilities → Exploit unpatched software, buffer overflows, remote code execution flaws.
  • Social Engineering → Phishing, pretexting, malicious attachments, USB drops.
  • Keylogging / Spyware → Capture keystrokes & passwords in real time.
  • Session Hijacking / MITM → Capture session tokens, replay credentials.

Tools: Hydra, Medusa, John the Ripper, Hashcat, Cain & Abel.

3. Step 2 – Privilege Escalation

• Objective: Elevate from normal user to admin/root.
• Why important? → Admin rights = unrestricted control.

Techniques

• Exploiting OS flaws or unpatched kernel vulnerabilities.
• Misconfigured services with weak permissions.
• DLL Hijacking → inserting malicious DLLs in Windows path.
• Token Manipulation (Windows) → impersonate high-privileged tokens (Mimikatz).
• SUID/SGID Exploits (Linux/Unix) → run commands with elevated rights.
• Registry modification in Windows.

Tools:

• Windows: Mimikatz, PowerSploit, Windows Exploit Suggester.
• Linux: LinPEAS, Linux Privilege Escalation Scripts.

4. Step 3 – Executing Applications

• Objective: Run malicious tools or commands on the system.
• Methods:
  • Remote command execution: PsExec, WMIExec, SMBexec.
  • Uploading and launching payloads from Metasploit.
  • Dropping malware, keyloggers, ransomware.
  • Scripting tasks (PowerShell, Bash scripts).

Tools: Metasploit Framework, Empire, PsExec.

5. Step 4 – Hiding Files & Covering Tracks

• Objective: Avoid detection by users, admins, and security tools.

Techniques

• Log Tampering: Delete event logs (e.g., wevtutil cl in Windows).
• Rootkits: Hide files, processes, network connections.
  • Kernel-mode rootkits → modify kernel calls.
  • User-mode rootkits → alter system libraries.
  • Bootkits → infect MBR/UEFI.
• Steganography: Hide malicious files within images/audio/video.
• Alternate Data Streams (NTFS): Store malicious code invisibly in Windows.
• Timestomping: Modify file timestamps to evade forensic tracking.

Tools: RootkitRevealer, GMER, chkrootkit, OpenStego.

6. Step 5 – Maintaining Access

• Objective: Ensure long-term control after initial compromise.

Persistence Techniques

• Install backdoors (Netcat listener, Metasploit persistence module).
• Create hidden admin accounts.
• Trojanized software → programs bundled with malware.
• Scheduled tasks (Windows) / Cron jobs (Linux).
• Remote Access Trojans (RATs) → DarkComet, njRAT.

Tools: Netcat, Metasploit, Empire, Back Orifice, DarkComet RAT.

7. Password Cracking in Depth

• Online Attacks → Performed against live systems (slow, noisy).
• Offline Attacks → Against stolen hashes (fast, stealthier).
• Rainbow Tables → Precomputed hash libraries → faster lookups.
• Salting → Adding random values to passwords before hashing → defeats rainbow tables.

Tools: Hashcat, Ophcrack (rainbow table tool), John the Ripper.

8. Keyloggers & Spyware

• Hardware Keyloggers: USB inline devices → undetectable by AV.
• Software Keyloggers: Installed via trojans → record keystrokes, screenshots, clipboard.

Defense:

• Endpoint detection & response (EDR).
• Virtual keyboards / password managers.
• Monitor suspicious processes.

9. Rootkits – Deep Dive

• Definition: Malware that hides itself and its activities.
• Types:
  • User-mode, Kernel-mode, Bootkits, Firmware rootkits.
• Danger: Can survive OS reinstallation (firmware rootkits).

Detection Tools:

• RootkitRevealer (Windows).
• GMER.
• chkrootkit & rkhunter (Linux).

10. Steganography

• Definition: Concealing secret data inside non-suspicious files.
• Example: Hiding malware inside a JPEG or MP3.
• Tools: Steghide, OpenStego.
• Detection: Statistical analysis, steganalysis tools.

11. Countermeasures (Defense Strategy)

1. Password Security → enforce strong, unique, MFA.
2. Patch Management → update OS and software regularly.
3. Access Control → Principle of Least Privilege, role-based access.
4. Security Monitoring → SIEM, centralized logs, anomaly detection.
5. Endpoint Security → Antivirus + EDR solutions.
6. User Awareness → phishing drills, security training.
7. Incident Response → predefined IR playbooks for system compromises.

12. Real-World Case Studies

• WannaCry (2017): Gained access via SMB exploit (EternalBlue), escalated privileges, installed ransomware, wiped traces.
• SolarWinds (2020): Attackers inserted backdoors in Orion updates, maintained persistence for months.

13. Key Takeaways

• Attack Lifecycle: Gain Access → Escalate → Execute → Hide → Maintain.
• Common Tools: John the Ripper, Hashcat, Hydra, Mimikatz, Metasploit, Netcat.
• Defense: Strong authentication, patching, monitoring, least privilege.
• Memory Hook: GEHEM (Gain → Escalate → Hide → Execute → Maintain).

Exam Tip: If a question asks about hiding data inside files, the answer is Steganography. If it’s about hiding processes and registry keys, the answer is Rootkits.

Closing Notes (Modules 4–6)

Enumeration (Module 4) teaches that information is power. Attackers can do more damage with detailed usernames and network shares than with simple IP scans.

Vulnerability Analysis (Module 5) emphasizes that not all vulnerabilities are equal. Prioritization (CVSS, exploitability, business impact) is key for both attackers (choosing easy entry points) and defenders (patch management).

System Hacking (Module 6) demonstrates the life cycle of compromise. Attackers follow a systematic flow—gain access, escalate, hide, maintain—and defenders must disrupt any link in this chain to prevent damage.

Key Takeaways Across Modules 4–6:

1. Attackers move methodically—data gathering before exploitation.

2. Enumeration reveals the “who/what/where” of the target—users, shares, services.

3. Vulnerability scanning bridges the gap between knowledge and action.

4. Exploitation doesn’t end at entry—privilege escalation and persistence are equally dangerous.

Memory Hook:

-》EVA-SH → Enumeration → Vulnerability Analysis → System Hacking.
-》This sequence is at the core of CEH methodology and will appear in exam scenarios.