EC-Council CEH v12 (312-50)

Attack Reference Guide

Comprehensive ethical hacking reference covering attack methodologies, frameworks, reconnaissance techniques, and exploitation methods.


Phase 1: Reconnaissance

Information gathering about the target using passive and active techniques.

OSINT

Open source intelligence from public sources, social media, company websites

Google Dorking

Advanced search operators to find sensitive information indexed by search engines

DNS Enumeration

Subdomain discovery, zone transfers, DNS record analysis

Shodan/Censys

Internet-wide scanning databases for exposed services and devices

Phase 2: Weaponization

Creating or obtaining malicious payloads to exploit discovered vulnerabilities.

Payload Generation

Creating malware, trojans, or exploit code tailored to the target

Exploit Frameworks

Metasploit, Cobalt Strike, Empire for generating weaponized payloads

Obfuscation

Encoding, packing, and evasion techniques to bypass security controls

Phishing Kits

Creating convincing phishing pages and social engineering campaigns

Phase 3: Delivery

Transmitting the weaponized payload to the target environment.

Email (Spear Phishing)

Targeted emails with malicious attachments or links

Watering Hole

Compromising websites frequently visited by targets

USB Drop

Physical delivery via infected removable media

Web Exploits

Drive-by downloads, malvertising, exploit kits

Phase 4: Exploitation

Triggering the payload to gain initial access to the target system.

Client-Side Exploits

Browser, PDF, Office document vulnerabilities

Server-Side Exploits

Web application, service, and OS vulnerabilities

Social Engineering

Convincing users to execute malicious code

Zero-Day Exploits

Previously unknown vulnerabilities without patches

Phase 5: Installation

Establishing persistent access to the compromised system.

Backdoors

Remote access trojans (RATs), web shells, reverse shells

Persistence Mechanisms

Registry keys, scheduled tasks, services, startup items

Rootkits

Kernel-level malware to hide attacker presence

DLL Hijacking

Placing malicious DLLs in application search paths

Phase 6: Command & Control

Establishing communication channel for remote control of compromised systems.

C2 Protocols

HTTP/HTTPS, DNS tunneling, ICMP, social media APIs

Beaconing

Periodic check-ins to C2 infrastructure for commands

Domain Fronting

Routing C2 traffic through a shared CDN so the TLS SNI and outer connection name an allowed, high-reputation host while the inner HTTP Host header selects the attacker's backend. Most major CDNs have since blocked the mismatch, so it is far less reliable than it once was.

Dead Drops

Using third-party services (paste sites, social media posts, public repositories) to publish the current C2 address or commands, so the implant never has a hard-coded server to block
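Beaconing, described above, is the C2 behaviour a defender can most readily hunt for: a human browsing a site produces bursty, irregular requests, while an implant checks in on a near-fixed timer. The detector below is an added example, not part of the original page. It works over constructed proxy-log lines in an assumed "timestamp src_ip dst_host" format, groups requests per (source, destination) pair, and flags pairs whose inter-request intervals have a very low coefficient of variation. The thresholds (`min_events`, `max_cv`) are assumptions for the demo.

```python
"""Flag C2-style beaconing in proxy logs by finding (src, dst) pairs whose
inter-request intervals are nearly constant.

Added example, not from the original page. Log format and thresholds are
assumptions for the demo; real proxy schemas and sleep/jitter settings differ."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_host>".
# 10.0.0.5 hits cdn.example.net roughly every 60s (a jittered beacon);
# 10.0.0.7 browses irregularly like a person.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn.example.net
2024-05-01T10:00:00 10.0.0.7 news.example.org
2024-05-01T10:01:00 10.0.0.5 cdn.example.net
2024-05-01T10:02:01 10.0.0.5 cdn.example.net
2024-05-01T10:02:30 10.0.0.7 mail.example.org
2024-05-01T10:03:00 10.0.0.5 cdn.example.net
2024-05-01T10:03:59 10.0.0.5 cdn.example.net
2024-05-01T10:05:00 10.0.0.5 cdn.example.net
2024-05-01T10:06:01 10.0.0.5 cdn.example.net
2024-05-01T10:09:12 10.0.0.7 news.example.org
2024-05-01T10:17:40 10.0.0.7 cdn.example.net
2024-05-01T10:40:05 10.0.0.7 news.example.org
"""


def parse_log(text):
    """Yield (timestamp, src, dst) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_events=5, max_cv=0.25):
    """Return {(src, dst): (mean_interval_s, cv)} for pairs whose intervals
    are nearly constant (coefficient of variation <= max_cv).

    Jitter (e.g. sleep 60s +/- 10%) raises the CV a little, so a tolerance
    is kept; human browsing is bursty, gives a high CV, and is not flagged.
    Pairs with fewer than min_events requests are skipped as noise."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = (avg, cv)
    return hits


if __name__ == "__main__":
    for (src, dst), (avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: check-in every {avg:.0f}s (cv={cv:.2f})")
```

On the sample data only the 10.0.0.5 to cdn.example.net pair is flagged (about every 60 s, CV near 0.01). In production the same statistic is usually combined with byte-count regularity and destination rarity, because legitimate software updaters and monitoring agents also beacon and will score the same way.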

Phase 7: Actions on Objectives

Achieving the attacker's ultimate goals.

Data Exfiltration

Stealing sensitive information, credentials, intellectual property

Lateral Movement

Moving through the network to access additional systems

Privilege Escalation

Gaining higher-level access (admin, SYSTEM, root)

Impact

Ransomware, destruction, defacement, denial of service


Attack Methodology Frameworks

| Framework            | Developer                                  | Purpose                           | Key Components                                   |
|----------------------|--------------------------------------------|-----------------------------------|--------------------------------------------------|
| Cyber Kill Chain     | Lockheed Martin                            | Attack progression model          | 7 sequential phases from recon to actions        |
| MITRE ATT&CK         | MITRE                                      | Adversary behavior knowledge base | 14 Enterprise tactics, 200+ techniques, sub-techniques |
| Diamond Model        | Caltagirone, Pendergast and Betz (2013)    | Intrusion analysis                | Adversary, Capability, Infrastructure, Victim    |
| PTES                 | Community                                  | Penetration testing standard      | 7 phases with technical guidelines               |
| OWASP Testing Guide  | OWASP                                      | Web app security testing          | 11 categories, 90+ test cases                    |

MITRE ATT&CK Tactics (Enterprise)

Tactics are listed in matrix order (Command & Control precedes Exfiltration). Technique counts are a snapshot of one Enterprise release; MITRE updates ATT&CK roughly twice a year and the counts change, so check attack.mitre.org for the current figures.

| ID     | Tactic                | Techniques |
|--------|-----------------------|------------|
| TA0043 | Reconnaissance        | 10         |
| TA0042 | Resource Development  | 8          |
| TA0001 | Initial Access        | 9          |
| TA0002 | Execution             | 14         |
| TA0003 | Persistence           | 19         |
| TA0004 | Privilege Escalation  | 13         |
| TA0005 | Defense Evasion       | 42         |
| TA0006 | Credential Access     | 17         |
| TA0007 | Discovery             | 31         |
| TA0008 | Lateral Movement      | 9          |
| TA0009 | Collection            | 17         |
| TA0011 | Command & Control     | 16         |
| TA0010 | Exfiltration          | 9          |
| TA0040 | Impact                | 14         |
Reconnaissance Techniques

Google Dorking (Passive)
Using advanced search operators to find sensitive information indexed by search engines.
  site:target.com filetype:pdf
  intitle:"index of" passwords
  inurl:admin intext:password
Tags: OSINT, Footprinting

Subdomain Enumeration (Active)
Discovering subdomains to expand the attack surface. subfinder and sublist3r only aggregate passive sources (certificate transparency, search engines, DNS datasets); amass enum additionally resolves and can brute-force names, which touches the target's DNS.
  subfinder -d target.com
  amass enum -d target.com
  sublist3r -d target.com
Tags: DNS, Enumeration

Shodan/Censys (Passive)
Internet-wide scanning databases to find exposed services and devices. Queries use the filter syntax of each service; Shodan does not index private (RFC 1918) ranges, so look up the target's public addresses.
  shodan search hostname:target.com apache
  shodan host <public-ip>
  censys search 'services.http.response.html_title: "<title>"'
Tags: IoT, Exposed Services

Social Media OSINT (Passive)
Gathering information from social networks about employees and the organization.
  LinkedIn - employee and role enumeration
  Twitter - sentiment, announcements, technology mentions
  theHarvester -d target.com -b all
Tags: People, Social Engineering
Scanning Techniques

Port Scanning (Active)
Identifying open ports and running services on target systems. -sS (SYN scan) and -O (OS detection) require root; masscan takes IP addresses or CIDR ranges, not hostnames, and needs an explicit rate.
  nmap -sS -sV -O target.com
  nmap -sC -sV -p- target.com
  masscan -p1-65535 <target-ip> --rate 1000
Tags: Nmap, TCP/UDP

Web App Scanning (Active)
Automated vulnerability scanning of web applications.
  nikto -h http://target.com
  wpscan --url http://target.com
  nuclei -u http://target.com
Tags: Nikto, OWASP

Vulnerability Scanning (Active)
Identifying known vulnerabilities in systems and applications.
  nmap --script vuln target.com
  OpenVAS (Greenbone)
  Nessus / Qualys
Tags: CVE, OpenVAS

Directory Fuzzing (Active)
Discovering hidden directories, files, and endpoints.
  gobuster dir -u http://target -w wordlist
  ffuf -u http://target/FUZZ -w wordlist
  feroxbuster -u http://target -w wordlist
Tags: Brute Force, Content Discovery
Exploitation Techniques

SQL Injection (Web)
Injecting malicious SQL queries to manipulate databases.
  sqlmap -u "http://target?id=1" --dbs
  ' OR '1'='1' --
  UNION SELECT null,username,password FROM users
Tags: Database, OWASP A03
Cross-Site Scripting (XSS) (Web)
Injecting client-side scripts into web pages viewed by other users.
  <script>alert('XSS')</script>
  <img src=x onerror=alert('XSS')>
  Reflected / Stored / DOM-based
Tags: Client-Side, Session Hijack
Command Injection (System)
Executing arbitrary system commands through applications that pass user input to a shell.
  ; cat /etc/passwd
  | whoami
  $(id)
Tags: RCE, Shell
Password Attacks (Auth)
Cracking or bypassing authentication mechanisms: online guessing against a live service (hydra) versus offline cracking of captured hashes (hashcat, john).
  hydra -l admin -P wordlist ssh://target
  hashcat -m 0 hash.txt wordlist.txt
  john --wordlist=rockyou.txt hash
Tags: Brute Force, Hash Cracking
