Pass the ECCouncil CEH v13 312-50v13 Questions and answers with ExamsMirror

A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed1. A vulnerability assessment can be performed using various tools and techniques, depending on the scope and objectives of the assessment.

Considering the potential vulnerability sources, the best initial approach to vulnerability assessment is to check for hardware and software misconfigurations to identify any possible loopholes. Hardware and software misconfigurations are common sources of vulnerabilities that can expose the system to unauthorized access, data breaches, or service disruptions. Hardware and software misconfigurations can include:

Insecure default settings, such as weak passwords, open ports, unnecessary services, or verbose error messages.

Improper access control policies, such as granting excessive privileges, allowing anonymous access, or failing to revoke access for terminated users.

Lack of encryption or authentication mechanisms, such as using plain text protocols, storing sensitive data in clear text, or transmitting data without verifying the identity of the sender or receiver.

Outdated or incompatible software versions, such as using unsupported or deprecated software, failing to apply security patches, or having software conflicts or dependencies.

Checking for hardware and software misconfigurations can help identify any possible loopholes that could be exploited by attackers to compromise the system or the data. Checking for hardware and software misconfigurations can be done using various tools, such as:

Configuration management tools, such as Ansible, Puppet, or Chef, that can automate the deployment and maintenance of consistent and secure configurations across the system.

Configuration auditing tools, such as Nipper, Lynis, or OpenSCAP, that can scan the system for deviations from the desired or expected configurations and report any issues or vulnerabilities.

Configuration testing tools, such as Inspec, Serverspec, or Testinfra, that can verify the system’s compliance with the specified configuration rules and standards.

Therefore, checking for hardware and software misconfigurations is the best initial approach to vulnerability assessment, as it can help identify and eliminate any possible loopholes that could pose a security risk to the system or the data.

A Network-based Intrusion Detection System (NIDS) monitors all network traffic for signs of suspicious activity across multiple hosts. In large environments with critical assets (e.g., financial or healthcare networks), NIDS is ideal because it provides visibility into entire network segments, not just individual systems.

NIDS can be deployed at strategic points (e.g., DMZs, VLANs, subnets) to detect unauthorized access, malware activity, or policy violations.

Reference – CEH v13 Official Courseware:

Module 13: Evading IDS, Firewalls, and Honeypots

Quote:

“Network-based IDS monitors traffic across an entire subnet or segment and is most effective in large environments to detect malicious activity before it reaches critical assets.”

Incorrect Options Explained:

A. Honeypots attract and log attacker behavior, but do not provide network-wide detection.

B. Firewalls filter traffic but are not detection systems.

D. HIDS monitors activity on a single host only.

===========

The longer an adversary has this level of access, the greater the impact. Defenders must detect this stage as quickly as possible and deploy tools which can enable them to gather forensic evidence. One example would come with network packet captures, for damage assessment. Only now, after progressing through the primary six phases, can intruders take actions to realize their original objectives. Typically, the target of knowledge exfiltration involves collecting, encrypting and extracting information from the victim(s) environment; violations of knowledge integrity or availability are potential objectives also . Alternatively, and most ordinarily , the intruder may only desire access to the initial victim box to be used as a hop point to compromise additional systems and move laterally inside the network. Once this stage is identified within an environment, the implementation of prepared reaction plans must be initiated. At a minimum, the plan should include a comprehensive communication plan, detailed evidence must be elevated to the very best ranking official or board , the deployment of end-point security tools to dam data loss and preparation for briefing a CIRT Team. Having these resources well established beforehand may be a “MUST” in today’s quickly evolving landscape of cybersecurity threats

The honey trap is a technique where an attacker targets a person online by pretending to be an attractive person and then begins a fake online relationship to obtain confidential information about the target company. In this technique, the victim is an insider who possesses critical information about the target organization.

Baiting is a technique in which attackers offer end users something alluring in exchange for

important information such as login details and other sensitive data. This technique relies on

the curiosity and greed of the end-users. Attackers perform this technique by leaving a physical

device such as a USB flash drive containing malicious files in locations where people can easily

find them, such as parking lots, elevators, and bathrooms. This physical device is labeled with a

legitimate company's logo, thereby tricking end-users into trusting it and opening it on their

systems. Once the victim connects and opens the device, a malicious file downloads. It infects

the system and allows the attacker to take control.

For example, an attacker leaves some bait in the form of a USB drive in the elevator with the

label "Employee Salary Information 2019" and a legitimate company's logo. Out of curiosity and

greed, the victim picks up the device and opens it up on their system, which downloads the

bait. Once the bait is downloaded, a piece of malicious software installs on the victim's system,

giving the attacker access.

https://nmap.org/nsedoc/scripts/enip-info.html

Example Usage enip-info:

- nmap --script enip-info -sU -p 44818

This NSE script is used to send a EtherNet/IP packet to a remote device that has TCP 44818 open. The script will send a Request Identity Packet and once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. Information that is parsed includes Device Type, Vendor ID, Product name, Serial Number, Product code, Revision Number, status, state, as well as the Device IP.

This script was written based of information collected by using the the Wireshark dissector for CIP, and EtherNet/IP, The original information was collected by running a modified version of the ethernetip.py script (https://github.com/paperwork/pyenip)

STP prevents bridging loops in a redundant switched network environment. By avoiding loops, you can ensure that broadcast traffic does not become a traffic storm.

STP is a hierarchical tree-like topology with a “root” switch at the top. A switch is elected as root based on the lowest configured priority of any switch (0 through 65,535). When a switch boots up, it begins a process of identifying other switches and determining the root bridge. After a root bridge is elected, the topology is established from its perspective of the connectivity. The switches determine the path to the root bridge, and all redundant paths are blocked. STP sends configuration and topology change notifications and acknowledgments (TCN/TCA) using bridge protocol data units (BPDU).

An STP attack involves an attacker spoofing the root bridge in the topology. The attacker broadcasts out an STP configuration/topology change BPDU in an attempt to force an STP recalculation. The BPDU sent out announces that the attacker’s system has a lower bridge priority. The attacker can then see a variety of frames forwarded from other switches to it. STP recalculation may also cause a denial-of-service (DoS) condition on the network by causing an interruption of 30 to 45 seconds each time the root bridge changes. An attacker using STP network topology changes to force its host to be elected as the root bridge.

https://www.darknet.org.uk/2017/07/bluto-dns-recon-zone-transfer-brute-forcer/

"Attackers also use DNS lookup tools such as DNSdumpster.com, Bluto, and Domain Dossier to retrieve DNS records for a specified domain or hostname. These tools retrieve information such as domains and IP addresses, domain Whois records, DNS records, and network Whois records." CEH Module 02 Page 138

Operational Threat Intelligence provides insights into specific attacker methodologies, motivations, and campaigns. It involves gathering contextual information from real-world attacks, open-source intelligence (OSINT), social media, dark web forums, chat rooms, and human intelligence (HUMINT).

As per CEH v13 Official Courseware:

Operational intelligence is primarily used by security teams to anticipate specific incoming attacks.

It helps provide actionable information such as:

Who is attacking?

Why are they attacking?

What methods are they using?

What infrastructure is involved?

Incorrect Options:

A. Strategic Threat Intelligence is high-level, focusing on long-term trends and business risks.

B. Tactical Threat Intelligence is focused on TTPs (Tactics, Techniques, and Procedures) of known threats, primarily for defenders and analysts.

D. Technical Threat Intelligence includes IoCs like IPs, hashes, and URLs, often short-lived and used for detection systems.

Reference – CEH v13 Official Courseware:

Module 01: Introduction to Ethical Hacking

Section: "Types of Threat Intelligence"

Table: “Strategic vs Tactical vs Operational vs Technical Intelligence”

===========

In CEH v13 Module 03: Scanning Networks, banner grabbing is defined as a technique used during reconnaissance to capture service banners that provide information about:

Web server version

Operating system

Service details

In This Case:

The engineer used Netcat to connect to port 80 (HTTP).

The response reveals the web server software (Microsoft-IIS/6), which is typical of a banner returned in the server's HTTP response headers.

This technique helps identify vulnerable versions of services.

Other Options:

B. SQL injection: Involves sending SQL payloads — unrelated here.

C. Whois query: Provides domain registration info — unrelated.

D. Cross-site scripting: Requires injecting scripts into a web app — not relevant here.

A Protocol Analyzer is the correct tool used to examine the contents of packet data (often stored in .pcap files) to determine if a particular sequence of traffic is suspicious, malformed, or part of a known exploit.

In CEH v13:

Module 3: Scanning Networks

Module 4: Enumeration

Module 5: Vulnerability Analysis

Related Lab: Packet Analysis using Wireshark

The CEH v13 Study Guide states:

“A protocol analyzer (e.g., Wireshark) captures and decodes packets to display their contents and help analysts understand communication flows and anomalies. It is used to manually inspect packet contents and behavior, which helps distinguish legitimate traffic from attacks.”

PCAP (Packet Capture) files are typically analyzed using tools like Wireshark. These tools decode protocol layers and show payloads, making it easier for analysts to identify if IDS alerts were accurate or false positives.

Incorrect Options:

B. Network sniffer: General term; protocol analyzer is the specific functional tool used.

C. IPS: Prevents or blocks malicious traffic, but does not analyze existing packet captures.

D. Vulnerability scanner: Identifies vulnerabilities on systems/services; not used for packet capture review.

Rootkits can deeply infect and compromise a system’s kernel, making them very difficult to detect or remove fully. Even advanced antivirus solutions may miss them.

The most secure and recommended response is:

Completely wipe the compromised system.

Reinstall the OS from known good (clean) media.

Apply all patches and updates.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Rootkit Handling

Incorrect Options:

A: Copying files might transfer infected components.

B: Trap and trace is investigative, not remedial.

C: Deleting files may not fully remove the rootkit.

D: Backups might be infected if taken post-compromise.

The location: operator is the least useful in providing the attacker with sensitive VPN-related information, because it does not directly relate to VPN configuration, credentials, or vulnerabilities. The location: operator finds information for a specific location, such as a city, country, or region. For example, location:paris would return results related to Paris, France. However, this operator does not help the attacker to identify or access VPN servers or clients, unless they are specifically named or indexed by their location, which is unlikely.

The other operators are more useful in providing the attacker with sensitive VPN-related information, because they can help the attacker to find pages or files that contain VPN configuration, credentials, or vulnerabilities. The intitle: operator restricts results to only the pages containing the specified term in the title. For example, intitle:vpn would return pages with VPN in their title, which may include VPN guides, manuals, or tutorials. The inurl: operator restricts the results to only the pages containing the specified word in the URL. For example, inurl:vpn would return pages with VPN in their URL, which may include VPN login portals, configuration files, or directories. The link: operator searches websites or pages that contain links to the specified website or page. For example, link:vpn.com would return pages that link to vpn.com, which may include VPN reviews, comparisons, or recommendations. References:

Google Search Operators: The Complete List (44 Advanced Operators)

Footprinting through search engines

Module 02: Footprinting and Reconnaissance

https://nmap.org/book/man-output.html

-oX - Requests that XML output be directed to the given filename.

Comprehensive and Detailed Explanation From CEH v13 Guide:

The Network Time Protocol (NTP) is used by systems, including Linux servers, to synchronize their clocks with a time server. If NTP fails, time discrepancies may lead to inaccurate log records and affect security monitoring.

CEH v13 Reference:

Module 17: Evading IDS, Firewalls, and Honeypots – Log Tampering

“Accurate timekeeping is essential for proper logging and correlation. NTP ensures system time is synchronized across hosts.”

=============================================================

In CEH v13 Module 03: Scanning Networks, service version detection is achieved using the -sV option in Nmap.

-sV: Enables version detection of open ports by sending probes to determine the service name and version (e.g., Apache 2.4.49).

Helps identify potential vulnerabilities in specific software versions.

Option Clarification:

A. -SN: Ping scan (host discovery only).

B. -SX: Invalid/undefined option.

C. -sV: Correct option for service version detection.

D. -SF: Sends FIN packets (used in stealth scans), not for version discovery.