Ethical Hacking Methodology and Legal Framework
Ethical hacking operates within a strict legal framework. A penetration test begins with written authorisation — the Rules of Engagement (RoE) document defines scope (IP ranges, systems, techniques permitted), timeline, emergency contacts, and reporting requirements. Without explicit written authorisation, penetration testing is illegal under the Computer Fraud and Abuse Act (CFAA) in the US and equivalent laws globally. The CEH methodology follows five phases: Reconnaissance (passive and active information gathering), Scanning (discover live hosts, open ports, services), Enumeration (extract detailed information — users, shares, routes), System Hacking (gain access, escalate privileges), and Post-Exploitation (maintain access, pivot, cover tracks, report). This lifecycle mirrors real attacker behaviour — understanding it helps defenders anticipate and detect at each phase.
Reconnaissance: Passive and Active Intelligence Gathering
Passive reconnaissance collects information without touching the target — using only publicly available sources. OSINT tools: Shodan (search engine for internet-connected devices — reveals exposed services, default credentials, and known vulnerabilities), Maltego (visual link analysis across domains, email addresses, IP addresses, and organisations), theHarvester (harvests emails, subdomains, and IPs from search engines and WHOIS), FOCA (extracts metadata from public documents), Google dorking (advanced operators such as site:, filetype:, intitle:, and inurl: to find exposed files and admin panels). DNS reconnaissance: nslookup, dig, dnsrecon — a zone transfer (AXFR) returns every record in the zone if the server is misconfigured to accept transfer requests from arbitrary clients. WHOIS lookup reveals the registrant, registrar, and name servers. Active reconnaissance directly probes the target (ping sweeps, port scanning, OS fingerprinting); it is detectable and may trigger alerts.
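The zone-transfer misconfiguration above is the one item in this phase a defender can check for in their own logs. The following is an added example (not code from the original page) that parses constructed BIND-style query-log lines and flags AXFR/IXFR requests from any client that is not one of the organisation's own secondary name servers; the log format, the addresses and the ALLOWED_SECONDARIES value are assumptions for the demonstration.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in a BIND-style query-log format (not real data).
# 192.0.2.10 plays the role of our own secondary name server; 203.0.113.7 is unknown.
SAMPLE_QUERY_LOG = """\
12-Mar-2024 10:15:01.123 client 192.0.2.10#53 (example.com): query: example.com IN AXFR -E(0) (192.0.2.53)
12-Mar-2024 10:15:03.456 client 198.51.100.23#40112 (www.example.com): query: www.example.com IN A -E(0) (192.0.2.53)
12-Mar-2024 10:16:09.001 client 203.0.113.7#51234 (example.com): query: example.com IN AXFR -E(0) (192.0.2.53)
12-Mar-2024 10:16:10.002 client 203.0.113.7#51235 (example.com): query: example.com IN IXFR -E(0) (192.0.2.53)
12-Mar-2024 10:17:00.000 client 198.51.100.23#40113 (mail.example.com): query: mail.example.com IN MX -E(0) (192.0.2.53)
"""

# Hosts permitted to pull the zone (assumed value: the address of our secondary server).
ALLOWED_SECONDARIES = {ipaddress.ip_address("192.0.2.10")}

# Query types that request a full or incremental copy of the zone.
TRANSFER_TYPES = {"AXFR", "IXFR"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def parse_query_log(text):
    """Parse query-log lines into dicts with ts, ip, qname, qtype; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def unauthorised_transfer_requests(events, allowed=ALLOWED_SECONDARIES):
    """Return (ip, qname, qtype) for every zone-transfer request from a host not in `allowed`."""
    hits = []
    for e in events:
        if e["qtype"] not in TRANSFER_TYPES:
            continue
        if ipaddress.ip_address(e["ip"]) in allowed:
            continue
        hits.append((e["ip"], e["qname"], e["qtype"]))
    return hits


def transfer_attempts_by_source(hits):
    """Count unauthorised attempts per source address, most active source first."""
    return Counter(ip for ip, _, _ in hits).most_common()


if __name__ == "__main__":
    events = parse_query_log(SAMPLE_QUERY_LOG)
    hits = unauthorised_transfer_requests(events)
    for ip, qname, qtype in hits:
        print(f"unauthorised {qtype} for {qname} from {ip}")
    print(transfer_attempts_by_source(hits))
```

A hit from an unknown client means the server answered (or at least received) a transfer request it should have refused; the fix is on the server side, restricting transfers to the listed secondaries (in BIND, the allow-transfer option), and the detector then serves as a regression check that the restriction stays in place.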
Scanning, Enumeration, and Vulnerability Analysis
Scanning identifies live hosts and open ports. Nmap is the standard scanner: nmap -sS (TCP SYN scan — half-open, never completes the handshake, so less detectable), nmap -sV (service version detection), nmap -O (OS fingerprinting), nmap -A (aggressive: version detection + scripts + OS detection + traceroute), nmap --script vuln (run the vulnerability-detection scripts), nmap -p- (all 65535 ports). Enumeration extracts detail from the discovered services: NetBIOS enumeration (nbtscan, enum4linux — users, groups, shares, and password policy on Windows), SNMP enumeration (snmpwalk with the default community strings 'public' and 'private'), LDAP enumeration (ldapsearch — AD users and groups), SMB enumeration (smbclient, CrackMapExec — shares, logged-in users). Vulnerability scanners: Nessus (comprehensive, supports authenticated scans), OpenVAS (open-source alternative), Nikto (web-server specific — identifies misconfigurations and known CVEs). Correlate scan results with the CVE database to identify exploitable weaknesses.
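From the defender's side, a SYN scan of the kind described above shows up as one source sending bare SYNs to many distinct ports in a short window. The following is an added example (not code from the original page) of a sliding-window port-scan detector run over constructed firewall-style log lines; the key=value log format, the addresses, and the threshold and window values are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall-style log lines (not real data). 203.0.113.7 sends bare SYNs
# to ten different ports in ten seconds (a SYN scan); 198.51.100.23 is an ordinary client.
SAMPLE_FIREWALL_LOG = """\
2024-03-12T10:00:00 SRC=198.51.100.23 DST=192.0.2.20 PROTO=TCP DPT=443 FLAGS=S
2024-03-12T10:00:01 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=21 FLAGS=S
2024-03-12T10:00:02 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=22 FLAGS=S
2024-03-12T10:00:03 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=23 FLAGS=S
2024-03-12T10:00:04 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=25 FLAGS=S
2024-03-12T10:00:05 SRC=198.51.100.23 DST=192.0.2.20 PROTO=TCP DPT=443 FLAGS=S
2024-03-12T10:00:06 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=80 FLAGS=S
2024-03-12T10:00:07 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=110 FLAGS=S
2024-03-12T10:00:08 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=135 FLAGS=S
2024-03-12T10:00:09 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=139 FLAGS=S
2024-03-12T10:00:10 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=443 FLAGS=S
2024-03-12T10:00:11 SRC=203.0.113.7 DST=192.0.2.20 PROTO=TCP DPT=445 FLAGS=S
2024-03-12T10:00:12 SRC=198.51.100.23 DST=192.0.2.20 PROTO=TCP DPT=80 FLAGS=S
"""


def parse_firewall_log(text):
    """Parse 'timestamp KEY=VALUE ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.fromisoformat(ts_str),
            "src": kv["SRC"],
            "dst": kv["DST"],
            "dport": int(kv["DPT"]),
            "flags": kv.get("FLAGS", ""),
        })
    return events


def detect_port_scans(events, threshold=8, window_seconds=60):
    """Alert once per source that touches >= threshold distinct ports within the window.

    Only bare SYN packets count (a SYN-ACK carries 'A' and is excluded), which is the
    signature of a half-open scan: the handshake is started but never completed.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (ts, dport) inside the window
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if "S" not in e["flags"] or "A" in e["flags"]:
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["dport"]))
        while q and e["ts"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({
                "src": e["src"],
                "dst": e["dst"],
                "first_seen": q[0][0],
                "triggered_at": e["ts"],
                "distinct_ports": sorted(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse_firewall_log(SAMPLE_FIREWALL_LOG)):
        print(f"{alert['src']} -> {alert['dst']}: {len(alert['distinct_ports'])} ports "
              f"between {alert['first_seen']} and {alert['triggered_at']}")
```

The threshold and window are the tuning knobs: a slow scan (nmap -T0/-T1 style timing) spreads probes over minutes or hours and needs a longer window, at the cost of more state per source; the deque keeps that state bounded to the window.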
Exploitation and System Hacking
Exploitation converts discovered vulnerabilities into access. Metasploit Framework is the industry-standard exploitation platform: search for modules (search type:exploit platform:windows), set options (RHOSTS, RPORT, LHOST, LPORT), run the exploit, and receive a shell or Meterpreter session. Password attacks: brute force (try every combination — Hydra and Medusa for online attacks), dictionary attacks (wordlists — rockyou.txt, custom wordlists), credential stuffing (breached credentials from one service replayed against another — 55% success rate on users who reuse passwords), pass-the-hash (capture an NTLM hash and use it directly without cracking — Mimikatz, PsExec). Privilege escalation: kernel exploits (the gap between a patch's release and its deployment), misconfigured sudo rules, SUID binaries, unquoted service paths (Windows), token impersonation (Meterpreter getsystem). SQL injection: ' OR '1'='1 -- tests for injection; sqlmap automates extraction.
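The injection test string above works only because the application splices user input into the statement text. The following is an added example (not code from the original page) showing the vulnerable login query beside its parameterised form against an in-memory SQLite table; the table, the two constructed accounts and the function names are assumptions, and the test string is the page's tautology written with the string literal closed (' OR '1'='1' --) so that the -- comment discards the password clause.

```python
import sqlite3


def build_demo_db():
    """In-memory users table with two constructed accounts (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-alice"), ("bob", "hash-bob")],
    )
    return conn


def lookup_vulnerable(conn, username, password_hash):
    """Concatenates input into the SQL text: a quote in `username` closes the literal
    and everything after it is parsed as SQL, so the WHERE clause is attacker-controlled."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterised(conn, username, password_hash):
    """Uses placeholders: the driver passes the values separately from the statement,
    so the input is only ever compared as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password_hash)))


# The classic tautology, with the literal closed so the trailing comment takes effect.
TAUTOLOGY = "' OR '1'='1' --"


if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable:   ", lookup_vulnerable(conn, TAUTOLOGY, "anything"))
    print("parameterised:", lookup_parameterised(conn, TAUTOLOGY, "anything"))
    print("valid login:  ", lookup_parameterised(conn, "alice", "hash-alice"))
```

The vulnerable form returns every user for the tautology, which is exactly the signal sqlmap looks for when it probes a parameter; the parameterised form returns nothing for the same input and still authenticates a real credential pair. Parameterisation is the fix; input filtering alone is not, because the quoting rules differ per database and per context.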
Post-Exploitation, Persistence, and Evasion
Post-exploitation extends access and extracts value. Lateral movement: Pass-the-Hash, Pass-the-Ticket (Kerberos golden ticket attack — forged TGTs using KRBTGT hash), PsExec, WMI, and PowerShell remoting. Persistence mechanisms: scheduled tasks, registry run keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run), service installation, DLL hijacking, WMI subscriptions. Data exfiltration: DNS tunnelling (data encoded in DNS queries to attacker-controlled domain — bypasses many firewalls), HTTPS C2 (blend with normal web traffic), ICMP tunnelling. Evasion techniques: signature-based AV evasion (encode payload — shikata_ga_nai encoder in Metasploit), polymorphic code, process injection (inject shellcode into legitimate processes like svchost.exe), living off the land (use built-in OS tools — PowerShell, WMI, certutil — that are less likely to be blocked). Evidence removal: clear Windows event logs (wevtutil cl Security), delete bash history (history -c), timestomping (modify file timestamps to confuse forensics).
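Each persistence and evidence-removal technique listed above leaves a Windows event a defender can alert on: a Sysmon registry value-set event (ID 13) on a Run key, Security event 4698 for a new scheduled task, System event 7045 for a new service, Sysmon process-creation (ID 1) of wevtutil with the clear-log verb, and Security event 1102 (or System 104) when a log is actually cleared. The following is an added example (not code from the original page) that evaluates those rules over constructed JSON-lines events; the event field names follow the common Windows/Sysmon export layout, and the host name, user and file paths are invented for the demonstration.

```python
import json

# Constructed events in a JSON-lines layout (not real telemetry). The sequence mimics
# a persistence attempt from a user-writable path followed by an attempt to clear logs.
SAMPLE_EVENTS = r"""
{"Channel": "Security", "EventID": 4624, "Computer": "WS01", "SubjectUserName": "bob"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 13, "Computer": "WS01", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe"}
{"Channel": "Security", "EventID": 4698, "Computer": "WS01", "SubjectUserName": "bob", "TaskName": "\\Updater"}
{"Channel": "System", "EventID": 7045, "Computer": "WS01", "ServiceName": "Updater", "ImagePath": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil cl Security", "User": "WS01\\bob"}
{"Channel": "Security", "EventID": 1102, "Computer": "WS01", "SubjectUserName": "bob"}
"""

SYSMON = "Microsoft-Windows-Sysmon/Operational"


def _lower(ev, key):
    """Case-folded string value of a field, empty if absent."""
    return str(ev.get(key, "")).lower()


def run_key_set(ev):
    # Sysmon 13 = registry value set; any write under ...\CurrentVersion\Run is autostart persistence.
    return ev["Channel"] == SYSMON and ev["EventID"] == 13 \
        and "\\currentversion\\run" in _lower(ev, "TargetObject")


def scheduled_task_created(ev):
    return ev["Channel"] == "Security" and ev["EventID"] == 4698


def service_installed_from_user_path(ev):
    # A new service whose binary lives under a user profile or Temp directory is rarely legitimate.
    path = _lower(ev, "ImagePath")
    return ev["Channel"] == "System" and ev["EventID"] == 7045 \
        and ("\\users\\" in path or "\\temp\\" in path)


def event_log_cleared(ev):
    # 1102 is written to Security when the audit log is cleared; 104 to System for other logs.
    return (ev["Channel"] == "Security" and ev["EventID"] == 1102) \
        or (ev["Channel"] == "System" and ev["EventID"] == 104)


def wevtutil_clear_invoked(ev):
    # Catches the command before the 1102 event, and covers non-Security channels too.
    cmd = _lower(ev, "CommandLine")
    return ev["Channel"] == SYSMON and ev["EventID"] == 1 \
        and "wevtutil" in cmd and " cl " in f" {cmd} "


RULES = [
    ("persistence: Run key value set", run_key_set),
    ("persistence: scheduled task created", scheduled_task_created),
    ("persistence: service installed from user-writable path", service_installed_from_user_path),
    ("defense evasion: event log cleared", event_log_cleared),
    ("defense evasion: wevtutil clear-log invoked", wevtutil_clear_invoked),
]


def parse_events(text):
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(events):
    """Run every rule over every event; return one alert per (event, matching rule)."""
    alerts = []
    for ev in events:
        for name, predicate in RULES:
            if predicate(ev):
                alerts.append({"rule": name, "computer": ev.get("Computer"), "event_id": ev["EventID"]})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['computer']}] event {alert['event_id']}: {alert['rule']}")
```

The 1102 rule is the important one for the evidence-removal step: clearing a log does not remove the record that it was cleared, and if events are forwarded to a collector before the clear, the earlier entries survive there as well. Rules keyed on a user-writable ImagePath or TargetObject will need a tuning allow-list for legitimate software installers in a real environment.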