Week 1 – Google Hacking and Port Scanning
My first week of ethical hacking is done and it was a great week! I spent 9 hours working on scanning and reconnaissance. As I mentioned in my post, Investing a Year in Ethical Hacking, my goal is to spend 416 hours learning ethical hacking this year. Current progress: 9 / 416.
For anybody else studying CEH (or anything else), I hope this shows you that even little investments of time can result in huge improvements when done consistently over time.
Google “hacking” is a great starting point even though it isn’t actually hacking at all. It is amazing how much OSINT (Open Source Intelligence) is out there. I searched myself to start off and even found some old forum posts of mine from years ago that I had forgotten about!
Catching Phishers with Google?
Here is just one example of the fun you can have while learning search terms. I was really excited when I stumbled on what looked like a phishing page. Keep reading to see what happened.
This was my search term: inurl:wycliffeassociates.org signin.aspx
I was attempting to find any sites that included both separate terms in the URL.
But the search term actually searched for “wycliffeassociates.org” in the URL and “signin.aspx” ANYWHERE in the page.
What I needed to use to get the result I was attempting to find is inurl:wycliffeassociates.org inurl:signin.aspx as shown below.
But my incorrect search term actually found an interesting result. See screenshot below.
Any time I see a URL, then a forward slash, then another URL, I get VERY suspicious. This structure is a classic phishing trick: the trusted site name appears at the front so people see it and click, while the path (or a redirect behind it) actually leads somewhere else. It is not exclusively malicious, though; open redirectors, translation proxies and web archives also embed one URL inside another, so it is a signal to investigate rather than proof on its own.
Well, I set up a throw-away virtual machine and visited the site. I honestly still don’t know what it is, something about domain valuation, but I don’t see any phishing pages so I’m moving on. Now that I think about it, I would expect phishing sites to be configured so they aren’t indexed by search engines! Otherwise they would be found and shut down very quickly.
So I didn’t catch any bad guys but it was a good experience that helped me to learn how to use Google search terms. I bet that if I took the test 11 months from now without ever studying this again, I would remember it because of the hands-on experience.
Here are two great references for Google “Hacking”
Another part of week 1 was Network Scanning with Nmap. I scanned my home network and found my phone and PlayStation. I also scanned my own PC and found a number of open ports.
Some ports were expected, but I had no clue what some of the others were so I had to do some research.
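The commands below are an added example of the kind of scan described above, not part of the original post. They assume Nmap is installed and on PATH; the subnet and host address are placeholders to replace with your own, and you should only scan networks and hosts you own or are authorized to test.

```powershell
# Added example (not from the original post). Assumes nmap is installed and on PATH.
# The subnet and host address are assumptions; substitute your own.
# Only scan networks and hosts you own or are authorized to test.
$subnet = '192.168.1.0/24'   # assumption: a typical home LAN
$target = '192.168.1.10'     # assumption: the PC found in the discovery step

# 1. Host discovery only (-sn: no port scan). Lists the devices that answer
#    on the LAN (on a local Ethernet segment nmap uses ARP, so even hosts that
#    drop ping still show up) without touching their ports.
nmap -sn $subnet

# 2. Scan one host: the 1000 most common TCP ports by default, with
#    service/version detection (-sV) so an unfamiliar port comes back with a
#    banner rather than just a number. -oN saves the human-readable report
#    for later research; -T4 speeds things up on a reliable home LAN.
nmap -sV -T4 -oN "scan-$target.txt" $target

# 3. Look at a single port in depth: -p selects it, -sV asks what is really
#    speaking on it. A port database guess is no substitute for the banner
#    the service itself returns.
nmap -sV -p 902 $target
```

Nmap only tells you what answers on the wire; to learn which program on a Windows PC actually owns a port you still have to look on the host itself, which is the next step in the post.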
Researching ports is funny because there are always results saying the port is associated with malware and other results saying it is legitimate. The reason is that a port number is only a convention: any program, good or bad, can listen on any port, and malware deliberately picks ports associated with legitimate software so it blends in. A port database can tell you what usually lives on a port, but only the host itself can tell you what is actually listening. So the question is, what is installed on my PC…the legitimate app or the bad stuff?
According to SpeedGuide.net, port 902 is either the NetDevil remote access Trojan or it is VMware (VMware’s authorization service, vmware-authd, listens on TCP 902).
I used netstat -aon (-a lists all connections and listening ports, -o adds the owning process ID, -n keeps addresses numeric) and the built-in Task Manager with the PID column showing to find out what REALLY had the port open.
It turns out that I had VMware installed and had completely forgotten about it since I’ve been using Hyper-V.
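The script below is an added example of the same port-to-process check done from PowerShell rather than netstat plus Task Manager; it is not code from the original post. It assumes Windows PowerShell 5.1 or later on Windows 8/Server 2012 or newer (where Get-NetTCPConnection exists) run as Administrator so process paths are visible, and the port list is a placeholder. It goes one step further than the post by showing the binary’s path and Authenticode signature, which is the quickest way to answer “legitimate app or bad stuff?”

```powershell
# Added example (not from the original post). Run as Administrator so Get-Process
# can read every process's Path. Get-NetTCPConnection replaces "netstat -aon",
# Get-Process replaces the Task Manager PID column.
$portsToCheck = @(902)   # assumption: the port(s) you want to attribute

Get-NetTCPConnection -State Listen |
    Where-Object { $portsToCheck -contains $_.LocalPort } |
    ForEach-Object {
        $conn = $_
        # -ErrorAction SilentlyContinue: the PID may have exited since the listing.
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue

        # Path is $null for protected system processes when not elevated.
        $path = $null
        if ($proc) { $path = $proc.Path }

        # The binary's Authenticode signature is the quick legitimacy check:
        # Valid + expected vendor is reassuring; NotSigned, HashMismatch, or a
        # valid signature from an unexpected signer means keep digging.
        $sigStatus = 'n/a'
        $signer    = 'n/a'
        if ($path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        $name = '<exited or inaccessible>'
        if ($proc) { $name = $proc.ProcessName }

        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            PID          = $conn.OwningProcess
            Process      = $name
            Path         = $path
            Signature    = $sigStatus
            Signer       = $signer
        }
    } | Format-Table -AutoSize

# If the owner is svchost.exe the binary alone tells you nothing; ask which
# service that PID hosts:
#   tasklist /svc /fi "PID eq <pid>"
# UDP listeners are a separate query:
#   Get-NetUDPEndpoint | Where-Object LocalPort -in $portsToCheck
# Legacy equivalent on systems without the NetTCPIP module:
#   netstat -aon | findstr ":902 "   (last column is the owning PID)
#   tasklist /fi "PID eq <pid>"      (process name for that PID)
```

A valid signature is not a guarantee (signed malware exists), but an unsigned or tampered binary listening on a port a Trojan is known to use is exactly the case where the port database warning deserves a closer look.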
I bet I don’t need to know what port 902 is for the CEH certification test. The beauty of pursuing this without any rushed due date is that I can spend as much time as I want going deep on a topic and just exploring.
This is the type of effort that actually makes a certification VALUABLE to your employer and to your career!
Note: I had to go back and edit my Day 1 – Ethical Hacking post where I explained my study plan for the year. Rather than rushing through the videos and then working deeply with the book, I am reversing those. I am going to study deeply with the videos as I go along. Then, I will use the book toward the end of the year for study and memorization while preparing for the actual test. The videos are just so detailed that it would be a waste not to take full advantage of those learning exercises.
Nmap.org – Book (Yes, they have a whole book completely free on Nmap!)
Does anybody have a recommended site for researching ports other than SpeedGuide or Google?