Pass the ECCouncil CEH v13 312-50v13 Questions and answers with ExamsMirror

Tess King is attempting to gather all DNS records from a target zone. This process is referred to as a zone transfer (AXFR), which is typically performed by secondary name servers to synchronize DNS data with the primary. If improperly secured, attackers can initiate unauthorized zone transfers to enumerate valuable information such as:

Hostnames

IP addresses

Mail servers

Name servers

CEH v13 defines a zone transfer as a crucial step in DNS enumeration.

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration → Zone Transfers

CEH v13 Study Guide states:

“A zone transfer (AXFR) is a DNS transaction used to replicate DNS databases. Attackers can exploit this feature to extract all DNS information from an improperly secured server.”

Incorrect Options:

A. Zone harvesting is not a formal term.

C. Zone update refers to DNS dynamic update operations (e.g., DDNS).

D. Zone estimate is not a DNS-related process.

https://en.wikipedia.org/wiki/Salt_(cryptography)

A salt is random data that is used as an additional input to a one-way function that hashes data, a password, or passphrase. Salts are used to safeguard passwords in storage. Historically a password was stored in plaintext on a system, but over time additional safeguards were developed to protect a user's password against being read from the system. A salt is one of those methods.

A new salt is randomly generated for each password. In a typical setting, the salt and the password (or its version after key stretching) are concatenated and processed with a cryptographic hash function, and the output hash value (but not the original password) is stored with the salt in a database. Hashing allows for later authentication without keeping and therefore risking exposure of the plaintext password in the event that the authentication data store is compromised.

Salts defend against a pre-computed hash attack, e.g. rainbow tables. Since salts do not have to be memorized by humans they can make the size of the hash table required for a successful attack prohibitively large without placing a burden on the users. Since salts are different in each case, they also protect commonly used passwords, or those users who use the same password on several sites, by making all salted hash instances for the same password different from each other.

SQL Injection is a type of attack that exploits a vulnerability in a web application that uses a SQL database. The attacker injects malicious SQL code into the user input, such as a login form, that is then executed by the database server. This can allow the attacker to access, modify, or delete data, or execute commands on the database server.

The ‘UNION’ SQL keyword is often used in SQL Injection attacks to combine the results of two or more SELECT statements into a single result set. This can allow the attacker to retrieve additional data from other tables or columns that are not intended to be displayed by the application. For example, if the application uses the following query to check the user credentials:

SELECT * FROM users WHERE username = '$username' AND password = '$password'

The attacker can inject a ‘UNION’ statement to append another query, such as:

' OR 1 = 1 UNION SELECT * FROM credit_cards --

This will result in the following query being executed by the database server:

SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND password = '$password'

The first part of the query will always return true, and the second part of the query will return the data from the credit_cards table. The ‘–’ symbol is a comment that will ignore the rest of the query. The attacker can then see the credit card information in the application’s response.

However, some web applications implement security measures to prevent SQL Injection attacks, such as filtering special characters in user inputs. Special characters are symbols that have a special meaning in SQL, such as quotes, semicolons, dashes, etc. By filtering or escaping these characters, the application can prevent the attacker from injecting malicious SQL code. For example, if the application replaces single quotes with two single quotes, the previous injection attempt will fail, as the query will become:

SELECT * FROM users WHERE username = '''' OR 1 = 1 UNION SELECT * FROM credit_cards --'' AND password = '$password'

This will result in a syntax error, as the query is not valid SQL.

In this challenging environment, if the hacker still intends to exploit this SQL Injection vulnerability, the strategy that he is most likely to employ is to bypass the special character filter by encoding his malicious input. Encoding is a process of transforming data into a different format, such as hexadecimal, base64, URL, etc. By encoding his input, the hacker can avoid the filter and still inject malicious SQL code. For example, if the hacker encodes his input using URL encoding, the previous injection attempt will become:

%27%20OR%201%20%3D%201%20UNION%20SELECT%20*%20FROM%20credit_cards%20--

This will result in the following query being executed by the database server, after the application decodes the input:

SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND password = '$password'

This will succeed in returning the credit card information, as the filter will not detect the special characters in the encoded input.

Therefore, the hacker is most likely to employ the strategy of bypassing the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries.

While the question as shown appears slightly misformatted, this closely resembles the Windows command:

ping -t 192.168.0.101

Here:

-t means to ping continuously until manually stopped.

In the question: ping -* 6 192.168.0.101, the * is most likely a placeholder or typographical error. Based on CEH format questions and how command-line flags work in ping, -t is the correct flag.

Option A. t – Correct (ping continuously)

Why Others Are Incorrect:

B. s: Not a valid option in Windows ping.

C. a: Used to resolve the hostname from an IP (not related to this).

D. n: Specifies the number of echo requests to send.

In CEH v13 Module 17: Mobile and IoT Security, Advanced SMS Phishing (also known as SMiShing) is described as a technique where attackers impersonate trusted entities via SMS to:

Trick users into entering authentication codes or PINs.

Deliver malicious payloads or alter device configurations.

Simulate OTA (Over-the-Air) provisioning messages.

In this case:

The attacker sends a fake OTA setup message asking for a PIN.

Once Ben enters the PIN, the device's configuration is hijacked.

Why Others Are Incorrect:

B. Bypass SSL pinning: Relates to mobile app reverse engineering and traffic interception.

C. Phishing: General term; SMS-specific variant is more accurate here.

D. Tap ‘n ghost: A touch screen manipulation attack, unrelated to messaging.

Correct answer is A. Advanced SMS phishing.

The described scenario is a textbook example of a Man-in-the-Middle (MITM) attack. In such attacks, the attacker stealthily places themselves between two communicating systems, intercepts their communications, and may even modify the traffic. The communicating parties remain unaware that their traffic is being monitored or altered.

Eric is using the Dsniff toolset, which is well-known for enabling MITM attacks through techniques such as:

ARP spoofing (to redirect traffic)

Credential sniffing

Packet manipulation

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

CEH v13 Study Guide states:

“In a man-in-the-middle (MITM) attack, the attacker intercepts and potentially alters the communication between two systems without either party knowing. Tools like Dsniff, Cain & Abel, and Ettercap are commonly used to launch such attacks.”

Incorrect Options:

A: “Interceptor” is not a technical term in cybersecurity.

C: ARP Proxy is a network feature; while ARP spoofing can be part of a MITM attack, it’s not the attack classification itself.

D: Poisoning (like DNS or ARP poisoning) is often a technique used to initiate MITM but not the final classification.

A DMZ (Demilitarized Zone) is a physical or logical subnet that separates an internal local area network (LAN) from untrusted networks—typically the Internet. It allows an organization to provide external-facing services while isolating internal systems from direct exposure.

From CEH v13 Official Courseware:

Module 13: Hacking Web Applications

Module 14: Hacking Web Servers

Module 1: Introduction to Ethical Hacking – Security Architecture Concepts

CEH v13 clearly outlines:

“A DMZ is critical when deploying Internet-facing servers such as web servers, FTP servers, or mail servers. It provides a buffer zone that allows public access to specific resources while keeping the internal network isolated.”

Bob’s assumption is flawed for several reasons:

DMZs can be implemented even with stateless firewalls using strict access control rules.

Relying solely on IP-based filtering is error-prone and doesn’t offer layered defense.

A DMZ provides an essential layer of segmentation, protecting internal assets from compromised public servers.

Incorrect Options:

A/D: DMZ can still make sense even with stateless firewalls if properly configured.

B: IP filtering is insufficient as a sole security measure; does not replace the need for network segmentation.

ARIN (American Registry for Internet Numbers) is a Regional Internet Registry (RIR) that provides information about IP address allocations and autonomous systems in North America. It’s used for WHOIS lookups and footprinting in reconnaissance.

One of the most important actions to secure a web server from common threats is to regularly update and patch the server software. This includes the operating system, the web server software, the database software, and any other applications or frameworks that run on the server. Updating and patching the server software can fix known vulnerabilities, bugs, or errors that could be exploited by attackers to compromise the server or the website. Failing to update and patch the server software can expose the server to common attacks, such as SQL injection, cross-site scripting, remote code execution, denial-of-service, etc.

Installing a web application firewall, limiting the number of concurrent connections to the server, and encrypting the company’s website with SSL/TLS are also good practices to secure a web server, but they are not as critical as updating and patching the server software. A web application firewall can filter and block malicious requests, but it cannot prevent attacks that exploit unpatched vulnerabilities in the server software. Limiting the number of concurrent connections to the server can prevent overload and improve performance, but it cannot stop attackers from sending malicious requests or payloads. Encrypting the company’s website with SSL/TLS can protect the data in transit between the server and the client, but it cannot protect the data at rest on the server or prevent attacks that target the server itself.

Therefore, the priority action to secure a web server from common threats is to regularly update and patch the server software.

Comprehensive and Detailed Explanation:

In Windows SID structure:

RID 500 = Default Administrator

RID 501 = Guest Account

Therefore, “-501” at the end indicates Matthew is operating as the Guest user, which has very limited privileges. To gain full administrative control, he must escalate his privileges.

From CEH v13 Courseware:

Module 6: System Hacking → Privilege Escalation Techniques

The sequence of actions that would provide the most comprehensive information about the network’s status is to use Hping3 for an ICMP ping scan on the entire subnet, then use Nmap for a SYN scan on identified active hosts, and finally use Metasploit to exploit identified vulnerabilities. This sequence of actions works as follows:

Use Hping3 for an ICMP ping scan on the entire subnet: This action is used to discover the active hosts on the network by sending ICMP echo request packets to each possible IP address on the subnet and waiting for ICMP echo reply packets from the hosts. Hping3 is a command-line tool that can craft and send custom packets, such as TCP, UDP, or ICMP, and analyze the responses. By using Hping3 for an ICMP ping scan, the hacker can quickly and efficiently identify the live hosts on the network, as well as their response times and packet loss rates12.

Use Nmap for a SYN scan on identified active hosts: This action is used to scan the open ports and services on the active hosts by sending TCP SYN packets to a range of ports and analyzing the TCP responses. Nmap is a popular and powerful tool that can perform various types of network scans, such as port scanning, service detection, OS detection, and vulnerability scanning. By using Nmap for a SYN scan, the hacker can determine the state of the ports on the active hosts, such as open, closed, filtered, or unfiltered, as well as the services and protocols running on them. A SYN scan is also known as a stealth scan, as it does not complete the TCP three-way handshake and thus avoids logging on the target system34.

Use Metasploit to exploit identified vulnerabilities: This action is used to exploit the vulnerabilities on the active hosts by using pre-built or custom modules that leverage the open ports and services. Metasploit is a framework that contains a collection of tools and modules for penetration testing and exploitation. By using Metasploit, the hacker can launch various attacks on the active hosts, such as remote code execution, privilege escalation, or backdoor installation, and gain access to the target system or data. Metasploit can also be used to perform post-exploitation tasks, such as gathering information, maintaining persistence, or pivoting to other systems .

The other options are not as comprehensive as option B for the following reasons:

A. Initiate with Nmap for a ping sweep, then use Metasploit to scan for open ports and services, and finally use Hping3 to perform remote OS fingerprinting: This option is not optimal because it does not use the tools in the most efficient and effective way. Nmap can perform a ping sweep, but it is slower and less flexible than Hping3, which can craft and send custom packets. Metasploit can scan for open ports and services, but it is more suitable for exploitation than scanning, and it relies on Nmap for port scanning anyway. Hping3 can perform remote OS fingerprinting, but it is less accurate and reliable than Nmap, which can use various techniques and probes to determine the OS type and version13 .

C. Start with Hping3 for a UDP scan on random ports, then use Nmap for a version detection scan, and finally use Metasploit to exploit detected vulnerabilities: This option is not effective because it does not use the best scanning methods and techniques. Hping3 can perform a UDP scan, but it is slower and less reliable than a TCP scan, as UDP is a connectionless protocol that does not always generate responses. Scanning random ports is also inefficient and incomplete, as it may miss important ports or services. Nmap can perform a version detection scan, but it is more useful to perform a port scan first, as it can narrow down the scope and speed up the scan. Metasploit can exploit detected vulnerabilities, but it is not clear how the hacker can identify the vulnerabilities without performing a vulnerability scan first13 .

D. Begin with NetScanTools Pro for a general network scan, then use Nmap for OS detection and version detection, and finally perform an SYN flooding with Hping3: This option is not comprehensive because it does not cover all the aspects and objectives of a network scan. NetScanTools Pro is a graphical tool that can perform various network tasks, such as ping, traceroute, DNS lookup, or port scan, but it is less powerful and versatile than Nmap or Hping3, which can perform more advanced and customized scans. Nmap can perform OS detection and version detection, but it is more useful to perform a port scan first, as it can provide more information and insights into the target system. Performing an SYN flooding with Hping3 is not a network scan, but a denial-of-service attack, which can disrupt the network and alert the target system, and it is not an ethical or legal action for a hired hacker13 .

Shoulder surfing is a social engineering technique that involves looking over someone’s shoulder to observe sensitive information, such as passwords, PINs, or credit card numbers, that they enter on their computer, phone, or ATM. It is the least likely method of social engineering to yield beneficial information based on the data collected by Maltego, because it requires physical proximity and access to the target’s devices, which may not be feasible or safe for the hacker. Moreover, shoulder surfing does not leverage the information obtained by Maltego, such as domains, DNS names, Netblocks, or IP addresses, which are more relevant for network-based attacks.

The other options are more likely to yield beneficial information based on the data collected by Maltego, because they involve exploiting the target’s trust, curiosity, or negligence, and using the information obtained by Maltego to craft convincing scenarios or messages. Impersonating an ISP technical support agent to trick the target into providing further network details is a form of pretexting, where the hacker creates a false identity and scenario to obtain information or access from the target. Dumpster diving in the target company’s trash bins for valuable printouts is a technique that relies on the target’s negligence or lack of proper disposal of sensitive documents, such as network diagrams, passwords, or confidential reports. Eavesdropping on internal corporate conversations to understand key topics is a technique that exploits the target’s curiosity or lack of awareness, and allows the hacker to gather information about the target’s projects, plans, or problems, which can be used for further attacks or extortion. References:

Social Engineering: Definition & 5 Attack Types

How to Use Maltego Transforms to Map Network Infrastructure: An In-Depth Guide

Social engineering: Definition, examples, and techniques

Zigbee could be a wireless technology developed as associate open international normal to deal with the unique desires of affordable, low-power wireless IoT networks. The Zigbee normal operates on the IEEE 802.15.4 physical radio specification and operates in unauthorised bands as well as a pair of.4 GHz, 900 MHz and 868 MHz.

The 802.15.4 specification upon that the Zigbee stack operates gained confirmation by the Institute of Electrical and physical science Engineers (IEEE) in 2003. The specification could be a packet-based radio protocol supposed for affordable, battery-operated devices. The protocol permits devices to speak in an exceedingly kind of network topologies and may have battery life lasting many years.

The Zigbee three.0 Protocol

The Zigbee protocol has been created and ratified by member corporations of the Zigbee Alliance.Over three hundred leading semiconductor makers, technology corporations, OEMs and repair corporations comprise the Zigbee Alliance membership. The Zigbee protocol was designed to supply associate easy-to-use wireless information answer characterised by secure, reliable wireless network architectures.

THE ZIGBEE ADVANTAGE

The Zigbee 3.0 protocol is intended to speak information through rip-roaring RF environments that area unit common in business and industrial applications. Version 3.0 builds on the prevailing Zigbee normal however unifies the market-specific application profiles to permit all devices to be wirelessly connected within the same network, no matter their market designation and performance. what is more, a Zigbee 3.0 certification theme ensures the ability of product from completely different makers. Connecting Zigbee three.0 networks to the information science domain unveil observance and management from devices like smartphones and tablets on a local area network or WAN, as well as the web, and brings verity net of Things to fruition.

Zigbee protocol options include:

Support for multiple network topologies like point-to-point, point-to-multipoint and mesh networks

Low duty cycle – provides long battery life

Low latency

Direct Sequence unfold Spectrum (DSSS)

Up to 65,000 nodes per network

128-bit AES encryption for secure information connections

Collision avoidance, retries and acknowledgements

This is another short-range communication protocol based on the IEEE 203.15.4 standard. Zig-Bee is used in devices that transfer data infrequently at a low rate in a restricted area and within a range of 10–100 m.

A keylogger is a type of spyware that can record and steal consecutive keystrokes (and much more) that the user enters on a device. Keyloggers are a common tool for cybercriminals, who use them to capture passwords, credit card numbers, personal information, and other sensitive data. Keyloggers can be installed on a device through various methods, such as phishing emails, malicious downloads, or physical access. To confirm the type of program, the security team can use a web search tool, such as Bing, to look for keylogger programs and compare their features and behaviors with the suspicious program they encountered. Alternatively, they can use a malware analysis tool, such as Malwarebytes, to scan and identify the program and its characteristics.

To prevent the same attack from occurring in the future, the security team should employ intrusion detection systems (IDS) and regularly update the system software. An IDS is a system that monitors network traffic and system activities for signs of malicious or unauthorized behavior, such as keylogger installation or communication. An IDS can alert the security team of any potential threats and help them respond accordingly. Regularly updating the system software can help patch any vulnerabilities or bugs that keyloggers may exploit to infect the device. Additionally, the security team should also remove the keylogger program from the affected computers and change any compromised passwords or credentials. References:

Keylogger | What is a Keylogger? How to protect yourself

How to Detect and Remove a Keylogger From Your Computer

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

What is a Keylogger? | Keystroke Logging Definition | Avast

Keylogger Software: 11 Best Free to Use in 2023

Spanning Tree Protocol (STP) manipulation attacks involve an attacker injecting BPDUs (Bridge Protocol Data Units) to force a switch to recognize the attacker’s system as the root bridge. Once this is achieved, the attacker can:

Redirect traffic through their own machine

Create a SPAN (Switched Port Analyzer) session to mirror traffic

Intercept, sniff, or modify data passing through the network

This is typically the next logical step in an STP attack to facilitate a Man-in-the-Middle (MITM) position.

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Quote:

“An attacker who becomes the root bridge using STP manipulation can redirect traffic and use SPAN ports to mirror traffic to their system for analysis or manipulation.”

Incorrect Options:

B. OSPF is a Layer 3 routing protocol, not relevant here.

C. DoS is not the goal of this specific attack.

D. Attacking all switches is inefficient and unnecessary once root access is gained.

===========

A Denial of Service (DoS) attack is a type of cyberattack that aims to make a machine or network resource unavailable to its intended users by flooding it with traffic or requests that consume its resources. A TCP SYN flood attack is a type of DoS attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. A UDP flood attack is a type of DoS attack that sends a large number of UDP packets to random ports on the target server, forcing it to check for the application listening at that port and reply with an ICMP packet. An ICMP flood attack is a type of DoS attack that sends a large number of ICMP packets, such as ping requests, to the target server, overwhelming its ICMP processing capacity.

The attacker’s strategy involves a unique mixture of TCP SYN, UDP, and ICMP floods, using ‘r’ packets per second. The server can handle ‘h’ packets per second before it starts showing signs of strain. If ‘r’ surpasses ‘h’, it overwhelms the server, causing it to become unresponsive. The attacker selects ‘r’ as a composite number and ‘h’ as a prime number, making the attack detection more challenging. This is because prime numbers are less predictable and more difficult to factorize than composite numbers, which may hinder the analysis of the attack pattern.

Considering ‘r=2010’ and different values for ‘h’, the scenario that would potentially cause the server to falter is the one where ‘h=1987’ (prime). This is because ‘r’ is greater than ‘h’ by 23 packets per second, which means the server cannot handle the incoming traffic and will eventually run out of resources. The other scenarios would not cause the server to falter, as ‘h’ is either greater than or very close to ‘r’, which means the server can either manage or barely cope with the incoming traffic. References:

What is a denial-of-service (DoS) attack? | Cloudflare

Denial-of-Service (DoS) Attack: Examples and Common Targets - Investopedia

DDoS Attack Types: Glossary of Terms

What is a Denial of Service (DoS) Attack? | Webopedia

According to CEH v13 Module 09: Social Engineering, Whaling is a specific type of phishing attack that targets senior executives and high-value individuals.

It’s called “whaling” because these individuals are the “big fish.”

Attacks are highly targeted and customized, often using knowledge of the executive’s company, responsibilities, or communication style.

The goal is to gain access to sensitive systems, financial assets, or confidential data.

Option Breakdown:

A. Spear phishing: Targeted phishing but not necessarily aimed at high-profile executives.

B. Whaling: Correct – phishing directed at C-level or VIP targets.

C. Vishing: Voice phishing – conducted over telephone/VoIP.

D. Phishing: General term – broader category.

Many network and system administrators don't pay enough attention to system clock accuracy and time synchronization. Computer clocks can run faster or slower over time, batteries and power sources die, or daylight-saving time changes are forgotten. Sure, there are many more pressing security issues to deal with, but not ensuring that the time on network devices is synchronized can cause problems. And these problems often only come to light after a security incident.

If you suspect a hacker is accessing your network, for example, you will want to analyze your log files to look for any suspicious activity. If your network's security devices do not have synchronized times, the timestamps' inaccuracy makes it impossible to correlate log files from different sources. Not only will you have difficulty in tracking events, but you will also find it difficult to use such evidence in court; you won't be able to illustrate a smooth progression of events as they occurred throughout your network.

A SYN flood attack is a type of denial-of-service (DoS) attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. This consumes the connection state tables on the server, preventing it from accepting new connections. The attacker has crafted an automated botnet to simultaneously send ‘s’ SYN packets per second to the server. The server can handle ‘f’ SYN packets per second without any performance issues. If ‘s’ exceeds ‘f’, the network infrastructure begins to show signs of overload. The system’s response time increases exponentially (24k), where ‘k’ represents each additional SYN packet above the ‘f’ limit.

Considering ‘s=500’ and different ‘f’ values, the scenario that is most likely to cause the server to experience overload and significantly increased response times is the one where ‘f=420’. This is because ‘s’ is greater than ‘f’ by 80 packets per second, which means the server cannot handle the incoming traffic and will eventually run out of resources. The response time shoots up (2480 = 281,474,976,710,656 times the normal response time), indicating a system overload.

The other scenarios are less likely or less severe than the one where ‘f=420’. Option A has ‘f=510’, which is greater than ‘s’, so the system stays stable and the response time remains unaffected. Option B has ‘f=495’, which is less than ‘s’ by 5 packets per second, so the response time drastically rises (245 = 32 times the normal response time), indicating a probable system overload, but not as extreme as option D. Option C has ‘f=505’, which is less than ‘s’ by 5 packets per second, so the response time increases but not as drastically (245 = 32 times the normal response time), and the system might still function, albeit slowly. References:

SYN flood DDoS attack | Cloudflare

SYN flood - Wikipedia

What Is a SYN Flood Attack? | F5

What is a SYN flood attack and how to prevent it? | NETSCOUT

ARP Spoofing Attack ARP packets can be forged to send data to the attacker’s machine.Attackers flood a target computer’s ARP cache with forged entries, which is also known as poisoning. (P.1143/1127)