Pass the ECCouncil CEH v13 312-50v13 Questions and answers with ExamsMirror

https://en.wikipedia.org/wiki/MAC_filtering

MAC filtering is a security method based on access control. Each address is assigned a 48-bit address, which is used to determine whether we can access a network or not. It helps in listing a set of allowed devices that you need on your Wi-Fi and the list of denied devices that you don’t want on your Wi-Fi. It helps in preventing unwanted access to the network. In a way, we can blacklist or white list certain computers based on their MAC address. We can configure the filter to allow connection only to those devices included in the white list. White lists provide greater security than blacklists because the router grants access only to selected devices.

It is used on enterprise wireless networks having multiple access points to prevent clients from communicating with each other. The access point can be configured only to allow clients to talk to the default gateway, but not other wireless clients. It increases the efficiency of access to a network.

The router allows configuring a list of allowed MAC addresses in its web interface, allowing you to choose which devices can connect to your network. The router has several functions designed to improve the network's security, but not all are useful. Media access control may seem advantageous, but there are certain flaws.

On a wireless network, the device with the proper credentials such as SSID and password can authenticate with the router and join the network, which gets an IP address and access to the internet and any shared resources.

MAC address filtering adds an extra layer of security that checks the device’s MAC address against a list of agreed addresses. If the client’s address matches one on the router’s list, access is granted; otherwise, it doesn’t join the network.

In CEH v13 Module 12: Hacking Web Applications, SOAP (Simple Object Access Protocol) is discussed as a protocol that allows web service communication using XML-based messages.

Correct SOAP Characteristics:

Structured model for data exchange, used in SOAP envelopes.

Built on XML format.

Can operate over multiple application layer protocols, not just HTTP (e.g., SMTP, FTP, JMS).

Option B is incorrect because:

While SOAP most commonly uses HTTP, it is not limited to it. SOAP is protocol-independent at the transport layer.

*REST is not a specification, tool, or framework, but instead is an architectural style for web services that serves as a communication medium between various systems on the web. *RESTful APIs, which are also known as RESTful services, are designed using REST principles and HTTP communication protocols RESTful is a collection of resources that use HTTP methods such as PUT, POST, GET, and DELETE

RESTful API: RESTful API is a RESTful service that is designed using REST principles and HTTP communication protocols. RESTful is a collection of resources that use HTTP methods such as PUT, POST, GET, and DELETE. RESTful API is also designed to make applications independent to improve the overall performance, visibility, scalability, reliability, and portability of an application. APIs with the following features can be referred to as to RESTful APIs: o Stateless: The client end stores the state of the session; the server is restricted to save data during the request processing o Cacheable: The client should save responses (representations) in the cache. This feature can enhance API performance pg. 1920 CEHv11 manual.

https://cloud.google.com/files/apigee/apigee-web-api-design-the-missing-link-ebook.pdf

The HTTP methods GET, POST, PUT or PATCH, and DELETE can be used with these templates to read, create, update, and delete description resources for dogs and their owners. This API style has become popular for many reasons. It is straightforward and intuitive, and learning this pattern is similar to learning a programming language API. APIs like this one are commonly called RESTful APIs, although they do not display all of the characteristics that define REST (more on REST later).

White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of software testing that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing, an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the expected outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a system-level test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements. Where white-box testing is design-driven,[1] that is, driven exclusively by agreed specifications of how each component of the software is required to behave (as in DO-178C and ISO 26262 processes) then white-box test techniques can accomplish assessment for unimplemented or missing requirements.

White-box test design techniques include the following code coverage criteria:

· Control flow testing

· Data flow testing

· Branch testing

· Statement coverage

· Decision coverage

· Modified condition/decision coverage

· Prime path testing

· Path testing

Vulnerability scanning software is a tool that can help security analysts identify and prioritize known vulnerabilities in their systems and applications. However, it is not a perfect solution and has some limitations that need to be considered. One of the most critical limitations is that vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed. This means that the software itself might have bugs, errors, or oversights that could affect its accuracy, reliability, or performance. For example, the software might:

Fail to detect some vulnerabilities due to incomplete or outdated databases, incorrect signatures, or insufficient coverage of the target system or application.

Produce false positives or false negatives due to misinterpretation of the scan results, incorrect configuration, or lack of context or validation.

Cause unintended consequences or damage to the target system or application due to intrusive or aggressive scanning techniques, such as exploiting vulnerabilities, modifying data, or crashing services.

Be vulnerable to attacks or compromise by malicious actors who could exploit its weaknesses, tamper with its functionality, or steal its data.

Therefore, the security analyst should be most cautious about this limitation of vulnerability scanning software, as it could lead to a false sense of security, missed opportunities for remediation, or increased exposure to threats. The security analyst should always verify the scan results, use multiple tools and methods, and update and patch the software regularly to mitigate this risk.

IoTSeeker is a specialized tool used to identify Internet of Things (IoT) devices that are accessible over a network and are still configured with their default factory credentials. These devices often ship with insecure settings, which attackers can exploit.

From CEH v13 Official Courseware:

IoTSeeker:

Automatically scans for common IoT devices

Uses a database of known default usernames and passwords

Flags insecure devices for further investigation or exploitation

The tool is commonly used in the reconnaissance phase for identifying low-hanging vulnerabilities in IoT environments.

Incorrect options:

B. IoT Inspector monitors network traffic for smart devices but is more focused on behavior monitoring than credential scanning.

C. AT&T IoT Platform and D. Azure IoT Central are legitimate enterprise platforms for IoT device management and are not penetration testing tools.

Reference – CEH v13 Official Courseware:

Module 18: IoT and OT Hacking

Section: “IoT Attack Surface”

Tool Reference: “IoTSeeker”

Practical Lab: CEH Engage IoT Device Discovery

===========

DNS tunneling may be a method wont to send data over the DNS protocol, a protocol which has never been intended for data transfer. due to that, people tend to overlook it and it’s become a well-liked but effective tool in many attacks.

Most popular use case for DNS tunneling is obtaining free internet through bypassing captive portals at airports, hotels, or if you are feeling patient the not-so-cheap on the wing Wi-Fi.

On those shared internet hotspots HTTP traffic is blocked until a username/password is provided, however DNS traffic is usually still allowed within the background: we will encode our HTTP traffic over DNS and voilà, we’ve internet access.

This sounds fun but reality is, browsing anything on DNS tunneling is slow. Like, back to 1998 slow.

Another more dangerous use of DNS tunneling would be bypassing network security devices (Firewalls, DLP appliances…) to line up an immediate and unmonitored communications channel on an organisation’s network. Possibilities here are endless: Data exfiltration, fixing another penetration testing tool… you name it.

To make it even more worrying, there’s an outsized amount of easy to use DNS tunneling tools out there.

There’s even a minimum of one VPN over DNS protocol provider (warning: the planning of the web site is hideous, making me doubt on the legitimacy of it).

As a pentester all this is often great, as a network admin not such a lot .

How does it work:

For those that ignoramus about DNS protocol but still made it here, i feel you deserve a really brief explanation on what DNS does: DNS is sort of a phonebook for the web , it translates URLs (human-friendly language, the person’s name), into an IP address (machine-friendly language, the phone number). That helps us remember many websites, same as we will remember many people’s names.

For those that know what DNS is i might suggest looking here for a fast refresh on DNS protocol, but briefly what you would like to understand is:

• A Record: Maps a website name to an IP address.

example.com ? 12.34.52.67

• NS Record (a.k.a. Nameserver record): Maps a website name to an inventory of DNS servers, just in case our website is hosted in multiple servers.

example.com ? server1.example.com, server2.example.com

Who is involved in DNS tunneling?

• Client. Will launch DNS requests with data in them to a website .

• One Domain that we will configure. So DNS servers will redirect its requests to an outlined server of our own.

• Server. this is often the defined nameserver which can ultimately receive the DNS requests.

The 6 Steps in DNS tunneling (simplified):

1. The client encodes data during a DNS request. The way it does this is often by prepending a bit of knowledge within the domain of the request. for instance : mypieceofdata.server1.example.com

2. The DNS request goes bent a DNS server.

3. The DNS server finds out the A register of your domain with the IP address of your server.

4. The request for mypieceofdata.server1.example.com is forwarded to the server.

5. The server processes regardless of the mypieceofdata was alleged to do. Let’s assume it had been an HTTP request.

6. The server replies back over DNS and woop woop, we’ve got signal.

Bypassing Firewalls through the DNS Tunneling Method DNS operates using UDP, and it has a 255-byte limit on outbound queries. Moreover, it allows only alphanumeric characters and hyphens. Such small size constraints on external queries allow DNS to be used as an ideal choice to perform data exfiltration by various malicious entities. Since corrupt or malicious data can be secretly embedded into the DNS protocol packets, even DNSSEC cannot detect the abnormality in DNS tunneling. It is effectively used by malware to bypass the firewall to maintain communication between the victim machine and the C&C server. Tools such as NSTX (https://sourceforge.net), Heyoka (http://heyoka.sourceforge.netuse), and Iodine (https://code.kryo.se) use this technique of tunneling traffic across DNS port 53. CEH v11 Module 12 Page 994

Key observations in the packet capture:

Repeated 0x90 values indicate a NOP sled (No Operation instructions), commonly used in buffer overflow payloads to guide execution to the malicious shellcode.

The presence of "/bin/sh" in ASCII indicates that the attacker intends to launch a shell (command-line access) on the victim’s system once the overflow is successful.

The payload likely contains shellcode that spawns a shell, giving the attacker command-line access.

From CEH v13 Official Courseware:

Module 6: Malware Threats

Module 9: Denial-of-Service

Module 5: Vulnerability Analysis

CEH v13 Study Guide states:

“A buffer overflow exploit typically involves injecting a NOP sled followed by shellcode. The string '/bin/sh' is a tell-tale sign of shell-spawning code that aims to give the attacker command access.”

Incorrect Options:

A: There's no evidence the IDS blocked the attack—only that it logged it.

B: Creating a directory would not involve a NOP sled or spawn a shell.

C: We cannot confirm success; only the intent and method are clear.

https://linuxsecurityblog.com/2018/12/23/create-a-backdoor-with-cryptcat/

Cryptcat enables us to communicate between two systems and encrypts the communication between them with twofish, one of many excellent encryption algorithms from Bruce Schneier et al. Twofish’s encryption is on par with AES encryption, making it nearly bulletproof. In this way, the IDS can’t detect the malicious behavior taking place even when its traveling across normal HTTP ports like 80 and 443.

File created by Bash, a Unix-based shell program commonly used on Mac OS X and Linux operating systems; stores a history of user commands entered at the command prompt; used for viewing old commands that are executed.

BASH_HISTORY files are hidden files with no filename prefix. They always use the filename .bash_history.

NOTE: Bash is that the shell program employed by Apple Terminal.

Our goal is to assist you understand what a file with a *.bash_history suffix is and the way to open it.

The Bash History file type, file format description, and Mac and Linux programs listed on this page are individually researched and verified by the FileInfo team. we attempt for 100% accuracy and only publish information about file formats that we’ve tested and validated.

Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message.

Simple Network Management Protocol (SNMP) enumeration involves querying devices on the network for information such as routing tables, interface statistics, and system details.

Useful tools include:

A. SNMPUtil: A command-line Microsoft utility for sending SNMP requests.

B. SNScan: Tool from Foundstone for SNMP scanning and enumeration.

C. SNMPScan: Lightweight tool for scanning networks for SNMP-enabled devices.

D. SolarWinds IP Network Browser: A commercial tool for graphical SNMP enumeration.

From CEH v13 Courseware:

Module 4: Enumeration

Subsection: SNMP Enumeration Tools

Incorrect Option:

E. NMap can detect SNMP services, but is not specialized for SNMP enumeration like the others.

The TPM is a chip that's part of your computer's motherboard — if you bought an off-the-shelf PC, it's soldered onto the motherboard. If you built your own computer, you can buy one as an add-on module if your motherboard supports it. The TPM generates encryption keys, keeping part of the key to itself

https://en.wikipedia.org/wiki/Meet-in-the-middle_attack

The meet-in-the-middle attack (MITM), a known plaintext attack, is a generic space–time tradeoff cryptographic attack against encryption schemes that rely on performing multiple encryption operations in sequence. The MITM attack is the primary reason why Double DES is not used and why a Triple DES key (168-bit) can be bruteforced by an attacker with 256 space and 2112 operations.

The intruder has to know some parts of plaintext and their ciphertexts. Using meet-in-the-middle attacks it is possible to break ciphers, which have two or more secret keys for multiple encryption using the same algorithm. For example, the 3DES cipher works in this way. Meet-in-the-middle attack was first presented by Diffie and Hellman for cryptanalysis of DES algorithm.

Adversaries could decide to build an possible or file difficult to find or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. this is often common behavior which will be used across totally different platforms and therefore the network to evade defenses.

Payloads may be compressed, archived, or encrypted so as to avoid detection. These payloads may be used throughout Initial Access or later to mitigate detection. typically a user’s action could also be needed to open and Deobfuscate/Decode Files or info for User Execution. The user can also be needed to input a parole to open a parole protected compressed/encrypted file that was provided by the mortal. Adversaries can also used compressed or archived scripts, like JavaScript.

Portions of files can even be encoded to cover the plain-text strings that will otherwise facilitate defenders with discovery. Payloads can also be split into separate, ostensibly benign files that solely reveal malicious practicality once reassembled.

Adversaries can also modify commands dead from payloads or directly via a Command and Scripting Interpreter. surroundings variables, aliases, characters, and different platform/language specific linguistics may be wont to evade signature based mostly detections and application management mechanisms.