312-50v13 Certified Ethical Hacker Exam (CEHv13) Questions and Answers

This scenario clearly describes the need for Time-Based Blind SQL Injection, an advanced SQL injection technique covered in the CEH v13 Web Application Hacking module. Blind SQL injection is used when an application does not return database errors or visible output, making traditional techniques ineffective.

According to CEH v13, Time-Based Blind SQL Injection is particularly useful when:

The backend database type is unknown

Error messages are suppressed

UNION queries fail

No direct data is returned in responses

In this technique, attackers inject SQL statements that deliberately introduce time delays using database-specific functions such as SLEEP(), WAITFOR DELAY, or BENCHMARK(). The ethical hacker then observes the application’s response time to determine whether the injected condition is true or false.

For example:

' OR IF(1=1, SLEEP(5), 0) --

If the application response is delayed, it confirms that the injected SQL statement was executed successfully. CEH v13 categorizes this method as behavioral-based inference, where the attacker extracts information one bit at a time by analyzing timing differences.

Other options are incorrect because:

Content-Based Blind SQL Injection relies on visible differences in responses, which the question states are unavailable.

Union-Based SQL Injection requires knowing column count and data types.

Error-Based SQL Injection depends on database error messages being displayed.

CEH v13 emphasizes Time-Based Blind SQL Injection as a last-resort yet highly effective technique when dealing with hardened applications that suppress output, making it a frequent exam-tested concept.

Static Network Address Translation (Static NAT) allows a single private IP address to be mapped to a single public IP address. This one-to-one mapping ensures that the same internal machine is always reachable through the same external IP address, which is crucial for "server publishing" — making internal servers (e.g., web servers, FTP servers) accessible from the internet.

From CEH v13 Courseware:

Module 03: Scanning Networks

Topic: Network Address Translation

Section: Types of NAT

CEH v13 Study Guide states:

“Static NAT provides a fixed translation of a private IP address to a public IP address. It is commonly used when an internal server must always be accessible from the Internet using a consistent IP address — this is known as server publishing.”

Incorrect Options:

A. Overloading PAT: Multiple private IPs share a single public IP using port numbers — not suited for static mappings.

B. Dynamic PAT: Similar to overloading; used for outbound traffic only.

C. Dynamic NAT: Assigns a public IP from a pool; the mapping can change, not suitable for server publishing.

UDP scanning produces reliable "closed" results only when an ICMP Port Unreachable is returned. Silent responses indicate either open ports (no reply expected) or filtered ports (blocks dropping packets). CEH emphasizes that non-responses require retransmission or alternate verification techniques.

A cryptographic hash function is used to ensure data integrity. It generates a fixed-length output (digest) from any size of input data. If the data is modified in any way, the resulting hash will change. This allows systems to detect data tampering, ensuring that the data remains unaltered from its original form.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Hash functions are used to ensure the integrity of a message or file by producing a unique digest that changes if the data is modified.”

Incorrect Options:

A. Authentication ensures identity, not data integrity.

B. Confidentiality is achieved via encryption, not hashing.

C. Availability pertains to system uptime and accessibility, not hashes.

=

http://www.carnal0wnage.com/papers/LSO-Hping2-Basics.pdf

Most ping programs use ICMP echo requests and wait for echo replies to come back to test connectivity. Hping2 allows us to do the same testing using any IP packet, including ICMP, UDP, and TCP. This can be helpful since nowadays most firewalls or routers block ICMP. Hping2, by default, will use TCP, but, if you still want to send an ICMP scan, you can. We send ICMP scans using the -1 (one) mode. Basically the syntax will be hping2 -1 IPADDRESS

[root@localhost hping2-rc3]# hping2 -1 192.168.0.100

HPING 192.168.0.100 (eth0 192.168.0.100): icmp mode set, 28 headers + 0 data bytes

len=46 ip=192.168.0.100 ttl=128 id=27118 icmp_seq=0 rtt=14.9 ms

len=46 ip=192.168.0.100 ttl=128 id=27119 icmp_seq=1 rtt=0.5 ms

len=46 ip=192.168.0.100 ttl=128 id=27120 icmp_seq=2 rtt=0.5 ms

len=46 ip=192.168.0.100 ttl=128 id=27121 icmp_seq=3 rtt=1.5 ms

len=46 ip=192.168.0.100 ttl=128 id=27122 icmp_seq=4 rtt=0.9 ms

— 192.168.0.100 hping statistic —

5 packets tramitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 0.5/3.7/14.9 ms

[root@localhost hping2-rc3]#

Challenge/response authentication is designed to prevent replay attacks. In this mechanism:

The server sends a random “challenge” string.

The client uses its secret (like a password or private key) to generate a response.

The server verifies that the response matches what it expected for that challenge.

Since the challenge is random and changes each time, an attacker cannot simply capture and replay previous responses to gain unauthorized access.

From CEH v13 Courseware:

Module 11: Session Hijacking

Module 6: Authentication Protocols

CEH v13 Study Guide states:

“Challenge-response authentication prevents replay attacks by using dynamically generated nonces or challenge tokens that change with each session.”

Incorrect Options:

B: Scanning attacks are not related to authentication mechanisms.

C: Session hijacking involves active takeovers, not replaying login attempts.

D: Password cracking targets password hashes, not session tokens.

While the question as shown appears slightly misformatted, this closely resembles the Windows command:

ping -t 192.168.0.101

Here:

-t means to ping continuously until manually stopped.

In the question: ping -* 6 192.168.0.101, the * is most likely a placeholder or typographical error. Based on CEH format questions and how command-line flags work in ping, -t is the correct flag.

Option A. t – Correct (ping continuously)

Why Others Are Incorrect:

B. s: Not a valid option in Windows ping.

C. a: Used to resolve the hostname from an IP (not related to this).

D. n: Specifies the number of echo requests to send.

The CEH Web Application Attacks module explains tautology-based SQL injection as an attack where input alters a conditional statement to always evaluate as TRUE (e.g., ' OR '1'='1').

Submitting a single quote often breaks query logic and allows attackers to manipulate authentication conditions.

Option D is correct.

Option A extracts data.

Option B relies on error messages.

Option C uses timing delays.

CEH identifies tautology attacks as one of the earliest and most common SQL injection techniques.

Josh is preparing to send the payload (malicious file) to the target, which clearly maps to the Delivery phase of the Cyber Kill Chain.

According to CEH v13 and the Cyber Kill Chain model (developed by Lockheed Martin and used in ethical hacking methodology):

Delivery is the third phase of the kill chain.

It involves transmitting the weaponized payload to the target via phishing emails, USB drops, or malicious links.

In this case, Josh is preparing the email with a spoofed identity and malicious attachment — representing an act of delivery.

Incorrect options:

A. Exploitation occurs after delivery, when the payload is executed.

B. Weaponization is the phase where the malicious file is created (combining exploit with a backdoor or trojan).

D. Reconnaissance involves information gathering, completed earlier in the scenario.

Reference – CEH v13 Official Courseware:

Module 01: Introduction to Ethical Hacking

Section: “Cyber Kill Chain Model”

Table Reference: “Stages of a Cyber Attack”

CEH Engage Lab: “Kill Chain Simulation in Phishing Campaigns”

Mobile Remote Access Trojans (RATs) are highlighted in CEH v13 Mobile Platform Hacking as one of the most dangerous threats. Once installed, a mobile RAT provides attackers persistent, covert access to devices, allowing screen capture, keystroke logging, microphone activation, and data exfiltration.

Unlike MitM or clickjacking, RATs operate post-compromise, often disguised as legitimate apps. Jailbreaking is detectable via integrity checks, but RATs can remain hidden even on non-rooted devices.

CEH v13 emphasizes that RATs bypass traditional defenses, including antivirus and MDM, making them extremely difficult to detect. Hence, Option C is correct.

CEH v13 explains that fingerprinting is a core reconnaissance technique used to identify software versions, server types, and configurations by analyzing how systems respond to crafted or abnormal input. When testers send malformed HTTP verbs, unusual headers, or atypical URI structures, the server’s specific response codes, banners, and error messages reveal distinctive behavioral patterns. These patterns allow tools like httprint, Nmap NSE scripts, and custom probes to match the responses to known server profiles. This technique is part of active reconnaissance, enabling attackers to determine vulnerabilities associated with specific versions. Phishing (Option B) is unrelated to protocol analysis. Session fixation (Option C) manipulates session identifiers, not HTTP response patterns. Persistent XSS (Option D) relies on web application vulnerabilities, not server fingerprinting. Thus, the tester is performing HTTP-based server fingerprinting.

 DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts

■ HOSTMIB.MIB: Monitors and manages host resources

■ LNMIB2.MIB: Contains object types for workstation and server services

■ MIBJI.MIB: Manages TCP/IP-based Internet using a simple architecture and system

■ WINS.MIB: For the Windows Internet Name Service (WINS)

The most probable subsequent action from the attacker based on the Cyber Kill Chain Methodology is to exploit the malicious payload delivered to the target organization and establish a foothold. This option works as follows:

The Cyber Kill Chain Methodology is a framework that describes the stages of a cyberattack from the perspective of the attacker. It helps defenders to understand the attacker’s objectives, tactics, and techniques, and to design effective countermeasures. The Cyber Kill Chain Methodology consists of seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives12.

The delivery stage is the third stage in the Cyber Kill Chain Methodology, and it involves sending or transmitting the weaponized payload to the target system. The delivery stage can use various methods, such as email attachments, web links, removable media, or network protocols. The delivery stage aims to reach the target system and bypass any security controls, such as firewalls, antivirus, or email filters12.

The exploitation stage is the fourth stage in the Cyber Kill Chain Methodology, and it involves executing the malicious payload on the target system. The exploitation stage can use various techniques, such as buffer overflows, code injection, or privilege escalation. The exploitation stage aims to exploit a vulnerability or a weakness in the target system and gain access to its resources, such as files, processes, or memory12.

The installation stage is the fifth stage in the Cyber Kill Chain Methodology, and it involves installing a backdoor or a malware on the target system. The installation stage can use various tools, such as rootkits, trojans, or ransomware. The installation stage aims to establish a foothold on the target system and maintain persistence, which means to survive reboots, updates, or scans12.

Therefore, the most probable subsequent action from the attacker based on the Cyber Kill Chain Methodology is to exploit the malicious payload delivered to the target organization and establish a foothold, because:

This action follows the logical sequence of the Cyber Kill Chain Methodology, as it is the next stage after the delivery stage.

This action is consistent with the attacker’s goal, as it allows the attacker to gain access and control over the target system and prepare for further actions.

This action is feasible, as the attacker has already delivered the malicious payload to the target system and may have bypassed some security controls.

The other options are not as probable as option B for the following reasons:

A. The attacker will attempt to escalate privileges to gain complete control of the compromised system: This option is possible, but not the most probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather a technique that can be used in the exploitation stage or the installation stage. Privilege escalation is a method of increasing the level of access or permissions on a system, such as from a normal user to an administrator. Privilege escalation can help the attacker to gain complete control of the compromised system, but it is not a mandatory step, as the attacker may already have sufficient privileges or may use other techniques to achieve the same goal12.

C. The attacker will initiate an active connection to the target system to gather more data: This option is possible, but not the most probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather a technique that can be used in the command and control stage or the actions on objectives stage. An active connection is a communication channel that allows the attacker to send commands or receive data from the target system, such as a remote shell or a botnet. An active connection can help the attacker to gather more data from the target system, but it is not a necessary step, as the attacker may already have enough data or may use other techniques to obtain more data12.

D. The attacker will start reconnaissance to gather as much information as possible about the target: This option is not probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather the first stage. Reconnaissance is the process of collecting information about the target, such as its IP address, domain name, network structure, services, vulnerabilities, or employees. Reconnaissance is usually done before the delivery stage, as it helps the attacker to identify the target and plan the attack. Reconnaissance can be done again after the delivery stage, but it is not the most likely action, as the attacker may already have enough information or may focus on other actions12.

Server-side request forgery (also called SSRF) is a net security vulnerability that allows an assaulter to induce the server-side application to make http requests to associate arbitrary domain of the attacker’s choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services among the organization’s infrastructure, or to external third-party systems.

Another type of trust relationship that often arises with server-side request forgery is where the application server is able to interact with different back-end systems that aren’t directly reachable by users. These systems typically have non-routable private informatics addresses. Since the back-end systems normally ordinarily protected by the topology, they typically have a weaker security posture. In several cases, internal back-end systems contain sensitive functionality that may be accessed while not authentication by anyone who is able to act with the systems.

In the preceding example, suppose there’s an body interface at the back-end url https://192.168.0.68/admin. Here, an attacker will exploit the SSRF vulnerability to access the executive interface by submitting the following request:

POST /product/stock HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Length: 118

stockApi=http://192.168.0.68/admin

Comprehensive and Detailed Explanation:

Wireshark on Windows requires WinPcap to operate. WinPcap is a packet capture library that allows network interfaces to operate in promiscuous mode, which is essential for sniffing traffic.

From CEH v13 Courseware:

Module 8: Sniffing → Sniffing Tools → WinPcap for Windows

CEH v13 explains that multi-vector DDoS attacks, especially those combining volumetric reflection (DNS amplification) with application-layer exhaustion (Slowloris), require multi-layered mitigation. Standard firewalls and IPS devices cannot handle large-scale distributed attacks without causing collateral damage to legitimate traffic. CEH emphasizes the need for hybrid DDoS protection, combining on-premises appliances for real-time local filtering with cloud-based scrubbing centers capable of absorbing massive volumetric floods. Cloud scrubbing removes malicious traffic upstream, while on-prem devices mitigate application-layer anomalies. Increasing bandwidth (Option A) is ineffective against reflection attacks. IPS (Option B) cannot handle Slowloris-style partial requests at scale. Blocking all external DNS/HTTP (Option C) would deny service to legitimate users. The correct CEH-aligned solution is hybrid DDoS mitigation services.

This scenario demonstrates a classic social engineering tactic often referred to as “social media quizzes” or “engagement bait”, commonly used in open-source intelligence gathering (OSINT) and pretexting attacks.

From CEH v13 Module 01: Introduction to Ethical Hacking and Module 09: Social Engineering, attackers may create seemingly innocent posts that ask users to share answers to common questions like:

What was your first pet’s name?

What’s your mother’s maiden name?

What city were you born in?

What’s your favorite food?

These questions mirror the types of security questions used by banks and other services for account recovery or authentication. By answering these in public forums or comments, users unknowingly disclose data that can be used to:

Bypass security questions

Reset passwords

Perform targeted account takeovers

Why Other Options Are Incorrect:

B. Matt's bank account login information was brute forced.

Unlikely. Most banks implement account lockout policies and multi-factor authentication that would prevent brute force attempts.

C. Matt inadvertently provided his password when responding to the post.

Incorrect. Passwords are not usually asked in public-facing posts. Users are unlikely to provide literal passwords unless heavily tricked by phishing.

D. Matt's computer was infected with a keylogger.

Possible but less likely. The context suggests that the only suspicious behavior was responding to the Facebook post, which doesn't imply malware installation or downloading.

Reference from CEH v13 Study Guide and Course Material:

CEH v13 Official Module 09 – Social Engineering, Slide: Common Social Engineering Techniques (Quizzes, Pretexting)

CEH Engage – Social Engineering Phase

EC-Council iLabs – Performing Social Engineering Attacks Simulation

CEH v13 Courseware Notes – Reconnaissance Using OSINT and Public Social Platforms

Key observations in the packet capture:

Repeated 0x90 values indicate a NOP sled (No Operation instructions), commonly used in buffer overflow payloads to guide execution to the malicious shellcode.

The presence of "/bin/sh" in ASCII indicates that the attacker intends to launch a shell (command-line access) on the victim’s system once the overflow is successful.

The payload likely contains shellcode that spawns a shell, giving the attacker command-line access.

From CEH v13 Official Courseware:

Module 6: Malware Threats

Module 9: Denial-of-Service

Module 5: Vulnerability Analysis

CEH v13 Study Guide states:

“A buffer overflow exploit typically involves injecting a NOP sled followed by shellcode. The string '/bin/sh' is a tell-tale sign of shell-spawning code that aims to give the attacker command access.”

Incorrect Options:

A: There's no evidence the IDS blocked the attack—only that it logged it.

B: Creating a directory would not involve a NOP sled or spawn a shell.

C: We cannot confirm success; only the intent and method are clear.

Appropriately controlling admittance to web content is significant for running a safe web worker. Index crossing or Path Traversal is a HTTP assault which permits aggressors to get to limited catalogs and execute orders outside of the web worker’s root registry.

Web workers give two primary degrees of security instruments

Access Control Lists (ACLs)

Root index

An Access Control List is utilized in the approval cycle. It is a rundown which the web worker’s manager uses to show which clients or gatherings can get to, change or execute specific records on the worker, just as other access rights.

The root registry is a particular index on the worker record framework in which the clients are kept. Clients can’t get to anything over this root.

For instance: the default root registry of IIS on Windows is C:\Inetpub\wwwroot and with this arrangement, a client doesn’t approach C:\Windows yet approaches C:\Inetpub\wwwroot\news and some other indexes and documents under the root catalog (given that the client is confirmed by means of the ACLs).

The root index keeps clients from getting to any documents on the worker, for example, C:\WINDOWS/system32/win.ini on Windows stages and the/and so on/passwd record on Linux/UNIX stages.

This weakness can exist either in the web worker programming itself or in the web application code.

To play out a registry crossing assault, all an assailant requires is an internet browser and some information on where to aimlessly discover any default documents and registries on the framework.

What an assailant can do if your site is defenseless

With a framework defenseless against index crossing, an aggressor can utilize this weakness to venture out of the root catalog and access different pieces of the record framework. This may enable the assailant to see confined documents, which could give the aggressor more data needed to additional trade off the framework.

Contingent upon how the site access is set up, the aggressor will execute orders by mimicking himself as the client which is related with “the site”. Along these lines everything relies upon what the site client has been offered admittance to in the framework.

Illustration of a Directory Traversal assault by means of web application code

In web applications with dynamic pages, input is generally gotten from programs through GET or POST solicitation techniques. Here is an illustration of a HTTP GET demand URL

GET http://test.webarticles.com/show.asp?view=oldarchive.html HTTP/1.1

Host: test.webarticles.com

With this URL, the browser requests the dynamic page show.asp from the server and with it also sends the parameter view with the value of oldarchive.html. When this request is executed on the web server, show.asp retrieves the file oldarchive.html from the server’s file system, renders it and then sends it back to the browser which displays it to the user. The attacker would assume that show.asp can retrieve files from the file system and sends the following custom URL.

GET http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini HTTP/1.1

Host: test.webarticles.com

This will cause the dynamic page to retrieve the file system.ini from the file system and display it to the user. The expression ../ instructs the system to go one directory up which is commonly used as an operating system directive. The attacker has to guess how many directories he has to go up to find the Windows folder on the system, but this is easily done by trial and error.

Example of a Directory Traversal attack via web server

Apart from vulnerabilities in the code, even the web server itself can be open to directory traversal attacks. The problem can either be incorporated into the web server software or inside some sample script files left available on the server.

The vulnerability has been fixed in the latest versions of web server software, but there are web servers online which are still using older versions of IIS and Apache which might be open to directory traversal attacks. Even though you might be using a web server software version that has fixed this vulnerability, you might still have some sensitive default script directories exposed which are well known to hackers.

For example, a URL request which makes use of the scripts directory of IIS to traverse directories and execute a command can be

GET http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ HTTP/1.1

Host: server.com

The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command shell file and run the command dir c:\ in the shell. The %5c expression that is in the URL request is a web server escape code which is used to represent normal characters. In this case %5c represents the character \.

Newer versions of modern web server software check for these escape codes and do not let them through. Some older versions however, do not filter out these codes in the root directory enforcer and will let the attackers execute such commands.

NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost-effective programs to protect their information and information systems.

The Certified Ethical Hacker (CEH) Cryptography and Quantum Computing section introduces the concept known as “Harvest Now, Decrypt Later”. This threat model describes adversaries capturing encrypted data today, even if they cannot decrypt it immediately, with the expectation that future quantum computers will be able to break currently secure public-key algorithms such as RSA and ECC.

Option A accurately reflects this concept.

Option B describes a method (Shor’s algorithm) but not the threat model itself.

Option C is unrelated to cryptographic attacks.

Option D refers to quantum communication attacks, not classical encrypted data harvesting.

CEH emphasizes post-quantum cryptography as a mitigation strategy.

Comprehensive and Detailed Explanation:

The correct nslookup syntax to perform a zone transfer is:

ls -d domain_name

So, from the nslookup prompt:

server 192.168.10.2

ls -d abccorp.local

This will attempt to list all DNS records for the abccorp.local domain from the specified server, if zone transfers are permitted.

From CEH v13 Courseware:

Module 4: Enumeration → DNS Zone Transfers

Bollards are short vertical posts installed to control or direct road traffic, but more importantly, they act as physical security controls to prevent vehicle-ramming attacks or unauthorized vehicle entry into sensitive or secure areas such as building entrances. They are often reinforced and strategically placed to withstand high-speed collisions.

This is a physical security control described in CEH v13 Module 01 (Introduction to Ethical Hacking) and further discussed in physical security best practices for preventing unauthorized physical access.

Incorrect Options:

B. Receptionist is a human control, not a physical barrier for vehicles.

C. Mantrap is used to control personnel access, not vehicle access.

D. Turnstile controls pedestrian entry, not vehicles.

A white hat (or a white hat hacker) is an ethical computer hacker, or a computer security expert, who focuses on penetration testing and in other testing methodologies that ensures the safety of an organization’s information systems. Ethical hacking may be a term meant to imply a broader category than simply penetration testing. Contrasted with black hat, a malicious hacker, the name comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat respectively. While a white hat hacker hacks under good intentions with permission, and a black hat hacker, most frequently unauthorized, has malicious intent, there’s a 3rd kind referred to as a gray hat hacker who hacks with good intentions but sometimes without permission.

White hat hackers can also add teams called “sneakers and/or hacker clubs”,red teams, or tiger teams.

While penetration testing concentrates on attacking software and computer systems from the beginning – scanning ports, examining known defects in protocols and applications running on the system and patch installations, as an example – ethical hacking may include other things. A full-blown ethical hack might include emailing staff to invite password details, searching through executive’s dustbins and typically breaking and entering, without the knowledge and consent of the targets. Only the owners, CEOs and Board Members (stake holders) who asked for such a censoring of this magnitude are aware. to undertake to duplicate a number of the destructive techniques a true attack might employ, ethical hackers may arrange for cloned test systems, or organize a hack late in the dark while systems are less critical. In most up-to-date cases these hacks perpetuate for the long-term con (days, if not weeks, of long-term human infiltration into an organization). Some examples include leaving USB/flash key drives with hidden auto-start software during a public area as if someone lost the tiny drive and an unsuspecting employee found it and took it.

Some other methods of completing these include:

• DoS attacks

• Social engineering tactics

• Reverse engineering

• Network security

• Disk and memory forensics

• Vulnerability research

• Security scanners such as:

– W3af

– Nessus

– Burp suite

• Frameworks such as:

– Metasploit

• Training Platforms

These methods identify and exploit known security vulnerabilities and plan to evade security to realize entry into secured areas. they’re ready to do that by hiding software and system ‘back-doors’ which will be used as a link to information or access that a non-ethical hacker, also referred to as ‘black-hat’ or ‘grey-hat’, might want to succeed in .

White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of software testing that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing, an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the expected outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a system-level test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements. Where white-box testing is design-driven,[1] that is, driven exclusively by agreed specifications of how each component of the software is required to behave (as in DO-178C and ISO 26262 processes) then white-box test techniques can accomplish assessment for unimplemented or missing requirements.

White-box test design techniques include the following code coverage criteria:

· Control flow testing

· Data flow testing

· Branch testing

· Statement coverage

· Decision coverage

· Modified condition/decision coverage

· Prime path testing

· Path testing

CEH v13 identifies misconfigured cloud security groups as the leading cause of cloud data exposure. Open ports, public storage buckets, and overly permissive firewall rules frequently expose sensitive data.

Brute force and DoS do not directly expose stored data, and side-channel attacks are rare and advanced.

Pretexting is defined in CEH v13 Social Engineering as an attack where the attacker fabricates a believable scenario and impersonates a trusted individual to gain sensitive information.

This differs from phishing (mass messaging), baiting (malicious incentives), and quid pro quo (exchange of favors).

CEH teaches that insufficient input validation on mobile applications enables code injection attacks. Injecting JavaScript or crafted payloads into fields validates whether the application improperly processes untrusted data. If executed, it confirms that the app is vulnerable to injection-based attacks.

Comprehensive and Detailed Explanation:

IDS cannot easily detect malicious content in encrypted traffic. Since the payload is encrypted (e.g., HTTPS, SSL/TLS), it is unreadable without decryption.

Statement B is therefore FALSE.

From CEH v13 Courseware:

Module 13: IDS, Firewalls and Honeypots → Limitations of IDS

This scenario clearly describes Load Balancing as a DDoS mitigation strategy, which is covered under the CEH v13 Network and Perimeter Hacking module. Load balancing distributes incoming network or application traffic across multiple servers or resources to prevent any single system from becoming overwhelmed.

According to CEH v13, modern DDoS mitigation architectures often combine hardware load balancers with cloud-based scrubbing centers or Content Delivery Networks (CDNs). These systems absorb high traffic volumes and ensure availability by spreading requests across multiple nodes. This approach aligns perfectly with the organization’s strategy of absorbing and distributing traffic rather than blocking it outright.

Other options are incorrect:

Black hole routing drops all traffic, including legitimate traffic.

Rate limiting restricts traffic volume rather than distributing it.

Sinkholing redirects traffic for analysis, not load distribution.

An iPhone client’s most noticeably terrible bad dream is to have somebody oversee his/her gadget, including the capacity to record and control all action without waiting be in a similar room. In this blog entry, we present another weakness called “Trustjacking”, which permits an aggressor to do precisely that.

This weakness misuses an iOS highlight called iTunes Wi-Fi sync, which permits a client to deal with their iOS gadget without genuinely interfacing it to their PC. A solitary tap by the iOS gadget proprietor when the two are associated with a similar organization permits an assailant to oversee the gadget. Furthermore, we will stroll through past related weaknesses and show the progressions that iPhone has made to alleviate them, and why these are adequately not to forestall comparative assaults.

After interfacing an iOS gadget to another PC, the clients are being found out if they trust the associated PC or not. Deciding to believe the PC permits it to speak with the iOS gadget by means of the standard iTunes APIs.

This permits the PC to get to the photographs on the gadget, perform reinforcement, introduce applications and considerably more, without requiring another affirmation from the client and with no recognizable sign. Besides, this permits enacting the “iTunes Wi-Fi sync” highlight, which makes it conceivable to proceed with this sort of correspondence with the gadget even after it has been detached from the PC, as long as the PC and the iOS gadget are associated with a similar organization. It is intriguing to take note of that empowering “iTunes Wi-Fi sync” doesn’t need the casualty’s endorsement and can be directed simply from the PC side.

Getting a live stream of the gadget’s screen should be possible effectively by consistently requesting screen captures and showing or recording them distantly.

It is imperative to take note of that other than the underlying single purpose of disappointment, approving the vindictive PC, there is no other component that forestalls this proceeded with access. Likewise, there isn’t anything that informs the clients that by approving the PC they permit admittance to their gadget even in the wake of detaching the USB link.

In CEH v13 Module 14: Cryptography, CAST-128 is defined as a symmetric block cipher based on a Feistel structure with:

Block size of 64 bits

12 or 16 rounds, depending on key size

Uses 8×32-bit S-boxes with complex structures (including bent functions)

Operates with modular addition/subtraction, XOR, key-dependent rotations, and masking keys (Km) and rotation keys (Kr)

All features described in the scenario match the CAST-128 algorithm.

Option Clarification:

B. AES: Operates on 128-bit blocks, uses Substitution-Permutation Network (SPN), not Feistel.

C. GOST: Russian block cipher, also Feistel-based, but structure and key use differ.

D. DES: Feistel cipher with 64-bit block size, but uses 16 rounds and simpler S-boxes.

Correct answer is A. CAST-128

«Many IDS reassemble communication streams; hence, if a packet is not received within a reasonable period, many IDS stop reassembling and handling that stream. If the application under attack keeps a session active for a longer time than that spent by the IDS on reassembling it, the IDS will stop. As a result, any session after the IDS stops reassembling the sessions will be susceptible to malicious data theft by attackers. The IDS will not log any attack attempt after a successful splicing attack. Attackers can use tools such as Nessus for session splicing attacks.»

Did you know that the EC-Council exam shows how well you know their official book? So, there is no "Whisker" in it. In the chapter "Evading IDS" -> "Session Splicing", the recommended tool for performing a session-splicing attack is Nessus. Where Wisker came from is not entirely clear, but I will assume the author of the question found it while copying Wikipedia.

https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques

One basic technique is to split the attack payload into multiple small packets so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.

By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet re-assemblers but not the target computer.

NOTE: Yes, I found scraps of information about the tool that existed in 2012, but I can not give you unverified information. According to the official tutorials, the correct answer is Nessus, but if you know anything about Wisker, please write in the QA section. Maybe this question will be updated soon, but I'm not sure about that.

A powerful and often the most effective cryptanalysis method in which the attack is directed at the most vulnerable link in the cryptosystem - the person. In this attack, the cryptanalyst uses blackmail, threats, torture, extortion, bribery, etc. This method's main advantage is the decryption time's fundamental independence from the volume of secret information, the length of the key, and the cipher's mathematical strength.

The method can reduce the time to guess a password, for example, for AES, to an acceptable level; however, it requires special authorization from the relevant regulatory authorities. Therefore, it is outside the scope of this course and is not considered in its practical part.

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

Since the first line prohibits any TCP traffic (access-list 102 deny tcp any any), the lines below will simply be ignored by the router. Below you will find the example from CISCO documentation.

This figure shows that FTP (TCP, port 21) and FTP data (port 20) traffic sourced from NetB destined to NetA is denied, while all other IP traffic is permitted.

FTP uses port 21 and port 20. TCP traffic destined to port 21 and port 20 is denied and everything else is explicitly permitted.

access-list 102 deny tcp any any eq ftp

access-list 102 deny tcp any any eq ftp-data

access-list 102 permit ip any any

This scenario describes Living-off-the-Land (LotL) malware techniques, where attackers modify or abuse legitimate system binaries and services to evade detection. CEH v13 identifies this as a highly stealthy persistence mechanism commonly used in advanced persistent threats (APTs).

The most effective countermeasure is file integrity monitoring (FIM), specifically by tracking cryptographic hashes of critical system executables. CEH v13 emphasizes that monitoring file hashes enables early detection of unauthorized modifications to binaries such as PowerShell, cmd.exe, or Windows services.

Backups (Option A) aid recovery but do not prevent or detect compromise. Antivirus updates (Option C) often fail against modified legitimate tools. Firewall hardening (Option D) reduces attack surface but does not detect tampering of trusted binaries.

CEH v13 explicitly recommends hash-based integrity verification as a core defense against stealthy persistence mechanisms. Therefore, option B is correct.

The CEH Malware and Rootkit Analysis module emphasizes that kernel-level rootkits compromise the most trusted components of the operating system. Once a kernel is compromised, no tool running on that system can be fully trusted.

CEH explicitly states that the only reliable remediation for kernel-mode rootkits is:

Full system wipe

Reinstallation from a known, trusted source

Restoration of verified clean data

Option C is correct and represents CEH best practice.

Option A may work for user-mode rootkits but is unreliable for kernel-level infections.

Option B is a research tactic, not remediation.

Option D is containment, not eradication.

This Google dork uses advanced operators:

site:target.com — restricts results to pages within the target.com domain

-site:Marketing.target.com — excludes results from the marketing.target.com subdomain

accounting — the keyword to be matched

So, it returns pages from target.com (excluding the marketing subdomain) that include the word "accounting".

Reference – CEH v13 Official Study Guide:

Module 2: Footprinting and Reconnaissance

Quote:

“Advanced search operators like site:, inurl:, intitle:, and the minus (-) operator help to include or exclude specific domains or pages when gathering public information via Google.”

Incorrect Options:

A. Opposite logic — this excludes marketing.target.com

B. Too general

C. Incorrect because marketing.target.com is excluded

=

MAC flooding is a Layer 2 attack in which an attacker sends a large number of fake MAC addresses to a switch, filling up its CAM (Content Addressable Memory) table. Once the table is full:

The switch enters “fail-open” mode and broadcasts traffic to all ports

The attacker can then sniff sensitive traffic

This attack effectively turns a switch into a hub, facilitating data sniffing.

Incorrect Options:

A. Evil twin is a wireless attack using rogue access points.

B. DNS cache flooding corrupts DNS entries, unrelated to Ethernet.

D. DDoS attacks are about overwhelming systems/services, not Layer 2 memory overflows.

Reference – CEH v13 Official Courseware:

Module 11: Sniffing

Section: “Switch Port Stealing and MAC Flooding”

Subsection: “Layer 2 Attacks and CAM Table Poisoning”

=

Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message.

WEP encryption is an outdated and insecure method of protecting wireless networks from unauthorized access and eavesdropping. WEP uses a static key that can be easily cracked by various tools and techniques, such as capturing the initialization vectors, brute-forcing the key, or exploiting the weak key scheduling algorithm1. Therefore, you should recommend a more secure encryption method to enhance the security of the company’s wireless network.

One of the most suitable replacements for WEP encryption is WPA2-PSK with AES encryption. WPA2 stands for Wi-Fi Protected Access 2, which is a security standard that improves upon the previous WPA standard. WPA2 uses a robust encryption algorithm called AES, which stands for Advanced Encryption Standard. AES is a block cipher that uses a 128-bit key and is considered to be very secure and resistant to attacks2.

WPA2-PSK stands for WPA2 Pre-Shared Key, which is a mode of WPA2 that uses a passphrase or a password to generate the encryption key. The passphrase or password must be entered by the users who want to connect to the wireless network. The key is then derived from the passphrase or password using a function called PBKDF2, which stands for Password-Based Key Derivation Function 2. PBKDF2 adds a salt and a number of iterations to the passphrase or password to make it harder to crack3.

WPA2-PSK with AES encryption offers several advantages over WEP encryption, such as:

It uses a dynamic key that changes with each session, instead of a static key that remains the same.

It uses a stronger encryption algorithm that is more difficult to break, instead of a weaker encryption algorithm that is more vulnerable to attacks.

It uses a longer key that provides more security, instead of a shorter key that provides less security.

It uses a more secure key derivation function that adds complexity and randomness, instead of a simple key generation function that is predictable and flawed.

Therefore, you should recommend WPA2-PSK with AES encryption as a suitable replacement to enhance the security of the company’s wireless network.

Windows 2000 and newer systems use Kerberos as their default authentication protocol rather than NTLM or LM challenge/response over SMB. Kerberos is encrypted and does not rely on the older SMB logon exchange methods that L0phtCrack can sniff.

From CEH v13 Courseware:

Module 6: Malware and Password Attacks

Module 4: Enumeration

CEH v13 Study Guide states:

“Kerberos is the default authentication protocol in Windows 2000 and newer systems. It encrypts communication and is not vulnerable to the same sniffing attacks that work against LM/NTLM challenge-response mechanisms.”

Incorrect Options:

A: While a NIDS may detect traffic, it doesn't prevent sniffing.

C: Logons can be sniffed in older systems using NTLM.

D: L0phtCrack does not sniff web logons—it targets SMB and Windows logins.

A proxy server acts as a gateway between you and therefore the internet. It’s an intermediary server separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy counting on your use case, needs, or company policy.

If you’re employing a proxy server, internet traffic flows through the proxy server on its thanks to the address you requested. A proxy server is essentially a computer on the web with its own IP address that your computer knows. once you send an internet request, your request goes to the proxy server first. The proxy server then makes your web request on your behalf, collects the response from the online server, and forwards you the online page data so you’ll see the page in your browser.

A Wireless Intrusion Prevention System (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).

According to CEH v13 Web Application and Server Security, regular patching and updates are the most effective way to reduce server attack surfaces. Vulnerabilities in web servers, proxies, and supporting services are frequently exploited if patches are delayed.

While architectural choices and directory placement influence organization, they do not mitigate known vulnerabilities. Changing IP addresses does not prevent exploitation, and moving directories does not address underlying software flaws.

CEH v13 consistently emphasizes patch management as a primary defensive control. Therefore, Option C is correct.

CEH v13 details that fragmentation attacks are a common IDS evasion strategy. Signature-based IDS systems depend on reassembling packets to detect malicious patterns. When attackers fragment TCP headers into smaller segments, the IDS may be unable to reconstruct the original packet sequence, especially if the fragments are intentionally crafted to confuse reassembly buffers. Meanwhile, the target host typically recombines the fragments correctly, allowing the scan or payload to pass undetected. This technique is specifically discussed under IDS evasion methods, where fragmentation prevents complete packet inspection. Options A and B describe unrelated evasion mechanisms such as IP spoofing and MAC spoofing, and Option C does not fundamentally affect IDS reconstruction. The tester is clearly using packet fragmentation to evade detection while still mapping open ports successfully.

Whaling is an advanced social engineering technique that targets high-profile individuals, such as executives, managers, or celebrities, by impersonating them or someone they trust, such as a colleague, partner, or vendor. The attacker creates a fake Linkedin profile, pretending to be a high-ranking official from a well-established company, and uses it to connect with other employees within the organization. The attacker then leverages the trust and authority of the fake profile to gain access to exclusive corporate events and proprietary project details shared within the network. This way, the attacker can launch targeted attacks against the organization, such as stealing sensitive data, compromising systems, or extorting money.

The most likely immediate threat to the organization is the loss of confidential information and intellectual property, which can damage the organization’s reputation, competitiveness, and profitability. The attacker can also use the information to launch further attacks, such as ransomware, malware, or sabotage, against the organization or its partners and customers.

The other options are not as accurate as whaling for describing this scenario. Pretexting is a social engineering technique that involves creating a false scenario or identity to obtain information or access from a victim. However, pretexting usually involves direct communication with the victim, such as a phone call or an email, rather than creating a fake Linkedin profile and connecting with the victim’s network. Spear phishing is a social engineering technique that involves sending a personalized and targeted email to a specific individual or group, usually containing a malicious link or attachment. However, spear phishing does not involve creating a fake Linkedin profile and connecting with the victim’s network. Baiting and involuntary data leakage are not social engineering techniques, but rather possible outcomes of social engineering attacks. Baiting is a technique that involves offering something enticing to the victim, such as a free download, a gift card, or a job opportunity, in exchange for information or access. Involuntary data leakage is a situation where the victim unintentionally or unknowingly exposes sensitive information to the attacker, such as by clicking on a malicious link, opening an infected attachment, or using an unsecured network. References:

Whaling: What is a whaling attack?

Advanced Social Engineering Attack Techniques

Top 8 Social Engineering Techniques and How to Prevent Them

Password cracking is a core component of the system hacking phase. CEH materials highlight that once password hashes are obtained, attackers often perform offline cracking to avoid detection and bypass account lockout policies. Tools like Hashcat make use of hardware acceleration—specifically, GPU or multi-core CPU computing—to significantly increase cracking throughput. Hardware acceleration allows the system to perform thousands to millions of hash calculations simultaneously, dramatically improving cracking efficiency compared to traditional CPU-bound methods. While dumping SAM contents is part of credential extraction, it is not the optimization described in the scenario. Dictionary rules influence cracking strategy but not raw speed. NetBIOS spoofing is unrelated to password cracking. The emphasis here is on maximizing computational power to accelerate the hash-cracking process, aligning directly with CEH’s explanation of hardware-accelerated offline cracking techniques.

DNS interrogation is a core passive and semi-active reconnaissance technique described in CEH v13 Reconnaissance Techniques. It allows ethical hackers to gather publicly available information about a target’s domain infrastructure.

Through DNS queries, testers can retrieve:

Subdomains (via zone transfers, brute force, or DNS records)

Mail server IP addresses (via MX records)

Server IP addresses, which can then be mapped to approximate geographic locations

However, DNS does not store authentication credentials such as usernames and passwords. That information resides in authentication systems like Active Directory, LDAP, or application databases, not DNS.

Therefore, Option A is the only choice that cannot be obtained via DNS interrogation. CEH v13 clearly distinguishes between naming infrastructure data and credential-based information, reinforcing why DNS enumeration cannot reveal user credentials.

Thus, Option A is correct.

Whitelist validation (also known as allowlist validation) is a robust defensive strategy where only pre-approved input formats are accepted. This includes:

Restricting input to specific data types (e.g., integer, string)

Limiting size, format, or allowed characters

Accepting only expected values (e.g., country codes, age ranges)

This practice is highly effective in mitigating SQL injection and other input-based attacks.

Incorrect Options:

A. Output encoding prevents XSS by encoding output but doesn't validate input.

B. Enforcing least privilege is an access control principle.

D. Blacklist validation is less secure and attempts to block known bad inputs, which may be bypassed.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Input Validation and SQL Injection Mitigation”

Subsection: “Whitelist vs Blacklist Input Validation”

=

The described scenario is a textbook example of a Man-in-the-Middle (MITM) attack. In such attacks, the attacker stealthily places themselves between two communicating systems, intercepts their communications, and may even modify the traffic. The communicating parties remain unaware that their traffic is being monitored or altered.

Eric is using the Dsniff toolset, which is well-known for enabling MITM attacks through techniques such as:

ARP spoofing (to redirect traffic)

Credential sniffing

Packet manipulation

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

CEH v13 Study Guide states:

“In a man-in-the-middle (MITM) attack, the attacker intercepts and potentially alters the communication between two systems without either party knowing. Tools like Dsniff, Cain & Abel, and Ettercap are commonly used to launch such attacks.”

Incorrect Options:

A: “Interceptor” is not a technical term in cybersecurity.

C: ARP Proxy is a network feature; while ARP spoofing can be part of a MITM attack, it’s not the attack classification itself.

D: Poisoning (like DNS or ARP poisoning) is often a technique used to initiate MITM but not the final classification.

The scenario describes a hybrid encryption solution based on the OpenPGP standard that uses both symmetric and asymmetric encryption. The key phrase in the question is “a free implementation of the OpenPGP standard,” which directly refers to GPG.

GPG (GNU Privacy Guard) is a free, open-source implementation of the OpenPGP standard.

It combines symmetric encryption for data encryption (fast and efficient) and asymmetric encryption for secure key exchange (using public/private key pairs).

GPG is widely used to secure emails, files, and messages, often in conjunction with tools like Thunderbird or command-line utilities.

Incorrect Options:

A. PGP (Pretty Good Privacy) is the original proprietary implementation of OpenPGP, not free/open-source by default.

B. S/MIME (Secure/Multipurpose Internet Mail Extensions) is another email encryption standard but does not implement OpenPGP.

C. SMTP (Simple Mail Transfer Protocol) is a mail transport protocol, not an encryption method.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Hybrid Encryption and Email Encryption Tools”

Subsection: “GPG and OpenPGP-Based Encryption”

=

An evil twin may be a fraudulent Wi-Fi access point that appears to be legitimate but is about up to pay attention to wireless communications.[1] The evil twin is that the wireless LAN equivalent of the phishing scam.

This type of attack could also be wont to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves fixing a fraudulent internet site and luring people there.

The attacker snoops on Internet traffic employing a bogus wireless access point. Unwitting web users could also be invited to log into the attacker’s server, prompting them to enter sensitive information like usernames and passwords. Often, users are unaware they need been duped until well after the incident has occurred.

When users log into unsecured (non-HTTPS) bank or e-mail accounts, the attacker intercepts the transaction, since it’s sent through their equipment. The attacker is additionally ready to hook up with other networks related to the users’ credentials.

Fake access points are found out by configuring a wireless card to act as an access point (known as HostAP). they’re hard to trace since they will be shut off instantly. The counterfeit access point could also be given an equivalent SSID and BSSID as a close-by Wi-Fi network. The evil twin are often configured to pass Internet traffic through to the legitimate access point while monitoring the victim’s connection, or it can simply say the system is temporarily unavailable after obtaining a username and password.

We have various articles already in our documentation for setting up SNMPv2 trap handling in Opsview, but SNMPv3 traps are a whole new ballgame. They can be quite confusing and complicated to set up the first time you go through the process, but when you understand what is going on, everything should make more sense.

SNMP has gone through several revisions to improve performance and security (version 1, 2c and 3). By default, it is a UDP port based protocol where communication is based on a ‘fire and forget’ methodology in which network packets are sent to another device, but there is no check for receipt of that packet (versus TCP port when a network packet must be acknowledged by the other end of the communication link). 

There are two modes of operation with SNMP – get requests (or polling) where one device requests information from an SNMP enabled device on a regular basis (normally using UDP port 161), and traps where the SNMP enabled device sends a message to another device when an event occurs (normally using UDP port 162). The latter includes instances such as someone logging on, the device powering up or down, or a wide variety of other problems that would need this type of investigation.

This blog covers SNMPv3 traps, as polling and version 2c traps are covered elsewhere in our documentation.

SNMP traps

Since SNMP is primarily a UDP port based system, traps may be ‘lost’ when sending between devices; the sending device does not wait to see if the receiver got the trap. This means if the configuration on the sending device is wrong (using the wrong receiver IP address or port) or the receiver isn’t listening for traps or rejecting them out of hand due to misconfiguration, the sender will never know.

The SNMP v2c specification introduced the idea of splitting traps into two types; the original ‘hope it gets there’ trap and the newer ‘INFORM’ traps. Upon receipt of an INFORM, the receiver must send an acknowledgement back. If the sender doesn’t get the acknowledgement back, then it knows there is an existing problem and can log it for sysadmins to find when they interrogate the device.

In CEH v13 Module 10: Injection Attacks, the SQL Injection technique is covered extensively. A common attack method is to manipulate the input fields so that the resulting SQL query becomes logically always true, effectively bypassing authentication.

Given the input:

Username: attack' or 1=1 --

Password: 123456

And assuming the original SQL query is:

SELECT * FROM Users WHERE UserName = '' AND UserPassword = '';

When inputs are substituted, the query becomes:

SELECT * FROM Users WHERE UserName = 'attack' or 1=1 --' AND UserPassword = '123456';

The -- sequence is used in SQL to indicate a comment. Everything after -- is ignored by the SQL engine. So the query essentially becomes:CopyEdit

SELECT * FROM Users WHERE UserName = 'attack' or 1=1;

This query is always true due to 1=1, and if the application is vulnerable, it grants access regardless of the password.

Option Analysis:

A. Incorrect – Contains '' (double quote) after attack, which would cause a syntax error due to extra quotation marks.

B. Correct – This is the accurate representation of what the SQL query would look like with a successful injection.

C. Incorrect – The input string is malformed, combining input into one literal string.

D. Incorrect – Misplacement of ' after the comment token -- invalidates the SQL syntax.

Reference from CEH v13 Study Materials:

Module 10 – Injection Attacks, Section: SQL Injection – Authentication Bypass

CEH v13 eCourseware Practical Lab: Exploiting SQL Injection Vulnerability in Login Forms

CEH Engage – Web Application Testing Phase: SQLi Exploitation in Login Panels

This scenario represents a classic baiting attack, a social engineering technique explicitly described in CEH v13 Social Engineering. In baiting, attackers exploit human curiosity or greed by leaving behind a malicious physical device—most commonly a USB drive—with an enticing label. When the victim plugs the device into a system, malware is automatically executed, leading to compromise.

Option A precisely captures this behavior. The label “Employee Salary Info 2024” is intentionally designed to entice the victim into interacting with the device. CEH v13 highlights USB baiting as particularly dangerous because it bypasses technical controls and relies solely on human behavior.

Option B describes pretexting, which involves impersonation. Option C refers to dumpster diving. Option D describes tailgating, a physical access attack. None of these match the USB-based lure described.

CEH v13 emphasizes that baiting attacks are highly effective in corporate environments and recommends strong security awareness training and disabling USB autorun features as mitigation.

A null user is a special connection made to a Windows system without providing a username or password. In older versions of Windows (NT, 2000, XP), null sessions could be used to anonymously connect to IPC$ share and enumerate:

Users

Groups

Shares

Policies

From CEH v13 Courseware:

Module 4: Enumeration → Null Sessions

CEH v13 Study Guide states:

“Null users are unauthenticated sessions used to access certain system resources without credentials. These are commonly used in enumeration attacks.”

MX (Mail Exchange) records in DNS define the mail servers responsible for receiving email for a domain. Each MX record has a priority value.

Important concept:

A lower number indicates a higher priority.

Email servers attempt delivery to the mail server with the lowest priority first.

For example:

If MX records are:

10 mail1.example.com

20 mail2.example.com

Then mail1 will be tried first. If it fails, mail2 will be used.

So the statement “MX record priority increases as the number increases” is false.

Web server footprinting is part of the reconnaissance phase in ethical hacking. It involves gathering detailed information about a web server’s structure, external links, available directories, scripts, and technologies in use.

Techniques include:

Spidering the site to map all accessible URLs and file paths

Identifying hidden directories or backup files

Analyzing page structures and URL patterns

This information helps attackers identify areas to target for further scanning or exploitation.

Incorrect Options:

A. Vulnerability scanning is active testing, not passive footprinting.

C. System-level data is gathered in OS or network footprinting.

D. Brute-force attacks are exploitation techniques, not reconnaissance.

Reference – CEH v13 Official Courseware:

Module 02: Footprinting and Reconnaissance

Section: “Web Server Footprinting Techniques”

Tool Reference: HTTrack, Burp Spider, OWASP ZAP

=

From CEH v13 Module 03: Scanning Networks, OS fingerprinting with Nmap (using the -O option) requires privileged access to craft raw packets (especially SYN, ACK, and ICMP). On Unix/Linux systems:

Root privileges are mandatory to perform TCP/IP stack fingerprinting.

If Nmap is run as a normal user, it fails to initiate OS scanning and exits with a message like “QUITTING!”.

So, in this case, the scan fails because the shell opened does not have elevated (root) privileges.

The given rule syntax is consistent with Snort, a popular open-source Intrusion Detection System (IDS). This rule alerts when any TCP traffic from any source IP and port is sent to IPs within the 192.168.100.0/24 subnet on port 21 (FTP), triggering the alert message: “FTP on the network!”

The Snort rule format is:

alert protocol source_IP source_port -> destination_IP destination_port (rule_options)

CEH v13 course materials teach this rule format under IDS/IPS configuration.

From CEH v13 Guide:

“Snort rules are used in IDS/IPS to define suspicious traffic patterns. An example rule: alert tcp any any -> 192.168.1.0/24 21 (msg: 'FTP detected') triggers an alert on FTP traffic within a subnet.”

Incorrect Options:

A/C. IP tables are used in firewalls and routers but follow a completely different syntax.

B. FTP servers do not use such alerting rules.

Reference – CEH v13 Study Guide:

Module 12: Evading IDS, Firewalls, and Honeypots

Section: Snort IDS Configuration

=

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 underscores that modern multi-vector DDoS attacks—particularly SYN floods combined with Layer 7 HTTP floods—cannot be effectively mitigated by traditional firewalls, IPS devices, or local traffic filters. These systems become overwhelmed or risk blocking legitimate clients. CEH emphasizes the use of cloud-based DDoS mitigation platforms that provide traffic scrubbing, distributed filtering, rate shaping, and automatic scaling to absorb massive volumes of malicious traffic. Such services differentiate legitimate versus malicious traffic using global intelligence, behavioral analysis, and multi-layer protection strategies. Increasing bandwidth or blocking broad traffic categories is ineffective and harmful to users. An IPS cannot scale to handle volumetric attacks. Only cloud scrubbing solutions (e.g., Cloudflare, Akamai, AWS Shield Advanced) meet CEH’s recommended defenses for high-volume distributed attacks. These services ensure continuous availability and minimize collateral damage by filtering traffic upstream before it reaches the organization's infrastructure.

CEH v13 defines a penetration tester as an authorized security professional whose responsibility is to identify, exploit, and report vulnerabilities within an organization’s systems, networks, applications, and processes. Unlike malicious hackers, penetration testers operate strictly within legal boundaries, under documented Rules of Engagement (RoE), and with explicit written permission from the organization. Their goal is not to harm systems but to simulate real-world cyberattacks to help organizations strengthen their defenses. CEH emphasizes the ethical responsibilities of penetration testers, including maintaining confidentiality, avoiding unauthorized data exposure, ensuring minimal operational impact, and providing actionable recommendations. Options B, C, and D describe malicious actors, malware authors, or unauthorized attackers—roles opposite to that of an ethical penetration tester. CEH makes a strong distinction between white-hat ethical hackers and black-hat attackers, with penetration testers firmly falling under the ethical, lawful category. Therefore, Option A accurately reflects CEH’s definition of a penetration tester.

IoT devices that transmit data without encryption expose all communication to interception. CEH explains that attackers can position themselves between the IoT device and cloud service to manipulate or capture traffic. A MitM attack enables interception of commands, credentials, and firmware data due to the absence of TLS protections.

Client-side controls, such as JavaScript validation and CAPTCHA enforcement, are explicitly described in CEH v13 as inherently untrustworthy, since they run on the user’s device. The most effective way to bypass them is by intercepting and modifying HTTP requests after client-side validation but before server-side processing.

Using a proxy tool (such as Burp Suite) allows the tester to manipulate parameters invisibly, without disabling JavaScript or injecting code that could raise alarms. This makes Option B the most stealthy and effective method.

Disabling JavaScript (Option A) is noisy and easily detected. Injecting JavaScript (Option C) may trigger client-side protections. Reverse-engineering encryption (Option D) is complex and unnecessary.

CEH v13 emphasizes proxy-based manipulation as the preferred technique for bypassing client-side security mechanisms. Therefore, Option B is correct.

Wireless network assessment determines the vulnerabilities in an organization’s wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization’s perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.

Expanding your network capabilities are often done well using wireless networks, but it also can be a source of harm to your data system . Deficiencies in its implementations or configurations can allow tip to be accessed in an unauthorized manner.This makes it imperative to closely monitor your wireless network while also conducting periodic Wireless Network assessment.

It identifies flaws and provides an unadulterated view of exactly how vulnerable your systems are to malicious and unauthorized accesses.

Identifying misconfigurations and inconsistencies in wireless implementations and rogue access points can improve your security posture and achieve compliance with regulatory frameworks.

https://en.wikipedia.org/wiki/Web_application_firewall

A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.

CEH v13 identifies covert channels in legacy industrial protocols as among the hardest sniffing techniques to detect. Modbus, widely used in OT and ICS environments, lacks authentication and encryption, making it ideal for covert communication.

Attackers can manipulate function codes and payload timing to exfiltrate data without triggering traditional IDS signatures. CEH v13 highlights that OT protocols often bypass deep inspection tools, making covert channels extremely stealthy.

Other options are less realistic or less persistent in modern enterprise environments.

This scenario aligns with a Replay Attack against RF-based smart key systems, covered in CEH v13 IoT and OT Hacking. Attackers capture radio-frequency signals transmitted by key fobs and replay them to unlock vehicles.

CEH v13 emphasizes that detecting and preventing such attacks requires monitoring wireless RF signals for anomalies such as signal replay, interference, or jamming patterns. RF analysis helps confirm unauthorized signal capture and retransmission.

Firmware updates may mitigate future vulnerabilities, but confirmation requires RF monitoring. Physical surveillance and smartphone malware controls are unrelated to RF replay attacks. Therefore, option D is correct.

The preparation phase of incident handling is the proactive phase where organizations:

Develop and define incident response policies and rules

Assign roles and responsibilities

Design backup and disaster recovery strategies

Train staff and test response plans via drills or tabletop exercises

This phase ensures that the organization is ready to respond effectively when an incident occurs.

Reference – CEH v13 Official Study Guide:

Module 18: Incident Response and Computer Forensics

Quote:

“In the preparation phase, organizations define rules, set up an incident response team, perform training, and establish and test incident handling procedures.”

Incorrect Options:

B. Containment is about stopping the spread of an active incident

C. Identification is when the incident is first detected

D. Recovery is for restoring systems post-incident

=

CEH describes FIN scans as stealthy scans that send packets with the FIN flag without initiating a TCP handshake. According to TCP RFC behavior, closed ports respond with RST packets while open ports ignore the probe, producing no response. This allows enumeration of port states while evading IDS systems that typically monitor SYN-based scans.

This scenario is a textbook example of a Whaling Attack, a highly targeted phishing technique described in the CEH v13 Social Engineering module. Whaling specifically targets senior executives or high-ranking individuals, exploiting their authority, access privileges, and decision-making roles.

In the given case, the attacker crafts a personalized email, impersonates the CEO, and uses legitimate corporate branding to build trust. The malicious PDF attachment delivers a backdoor, aligning with CEH v13 descriptions of advanced spear-phishing techniques used against executives.

CEH v13 differentiates whaling from other phishing types:

Broad phishing targets large groups indiscriminately.

Pharming redirects users via DNS manipulation.

Email clone attacks copy legitimate emails but typically target peers, not executives.

Whaling attacks are particularly dangerous because executives often bypass security scrutiny and possess elevated system access. CEH v13 emphasizes executive awareness training as a key mitigation strategy.

Therefore, the correct answer is Whaling attack aimed at high-ranking personnel.

A SYN flood attack is a type of denial-of-service (DoS) attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. This consumes the connection state tables on the server, preventing it from accepting new connections. The attacker has crafted an automated botnet to simultaneously send ‘s’ SYN packets per second to the server. The server can handle ‘f’ SYN packets per second without any performance issues. If ‘s’ exceeds ‘f’, the network infrastructure begins to show signs of overload. The system’s response time increases exponentially (24k), where ‘k’ represents each additional SYN packet above the ‘f’ limit.

Considering ‘s=500’ and different ‘f’ values, the scenario that is most likely to cause the server to experience overload and significantly increased response times is the one where ‘f=420’. This is because ‘s’ is greater than ‘f’ by 80 packets per second, which means the server cannot handle the incoming traffic and will eventually run out of resources. The response time shoots up (2480 = 281,474,976,710,656 times the normal response time), indicating a system overload.

The other scenarios are less likely or less severe than the one where ‘f=420’. Option A has ‘f=510’, which is greater than ‘s’, so the system stays stable and the response time remains unaffected. Option B has ‘f=495’, which is less than ‘s’ by 5 packets per second, so the response time drastically rises (245 = 32 times the normal response time), indicating a probable system overload, but not as extreme as option D. Option C has ‘f=505’, which is less than ‘s’ by 5 packets per second, so the response time increases but not as drastically (245 = 32 times the normal response time), and the system might still function, albeit slowly. References:

SYN flood DDoS attack | Cloudflare

SYN flood - Wikipedia

What Is a SYN Flood Attack? | F5

What is a SYN flood attack and how to prevent it? | NETSCOUT

Comprehensive and Detailed Explanation:

The attack shown is a Directory Traversal Attack. It uses URL encoding (hexadecimal obfuscation) to bypass input filters and access unauthorized files such as /etc/passwd.

%2e = . (dot)

%2f = / (forward slash)

So, ../../../etc/passwd becomes %2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

The best protection against this attack is to:

Normalize and sanitize user input on the server.

Deny directory traversal patterns, whether encoded or not.

Specifically reject or deny hex-encoded path characters (%2e, %2f, etc.)

Option A directly mitigates this by preventing the server from decoding and processing hex-encoded directory traversal attempts.

From CEH v13 Courseware:

Module 10: Web Application Hacking

Topic: Directory Traversal and Input Validation

Incorrect Options:

B: IDS can alert, but it’s reactive rather than preventative.

C: SSL encrypts communication but does not prevent path traversal.

D: Active script detection is unrelated to path traversal attacks.

CEH v13 identifies ARP spoofing/poisoning as a primary MitM technique in local networks. In such attacks, a single IP address maps to multiple MAC addresses, indicating ARP table manipulation.

This anomaly allows attackers to intercept traffic between victims and gateways. Increased traffic or DNS activity may occur but are not definitive indicators. Thus, IP-to-MAC inconsistencies are the most reliable confirmation of MitM activity.

CEH v13 explains that SQL injection typically occurs when user inputs are concatenated into SQL queries without proper validation or parameterization. The login form is one of the most common injection targets, and testers use specific test payloads designed to manipulate the authentication query. A classic test string such as ' OR '1'='1 exploits conditional logic to force the SQL statement to evaluate as true, effectively bypassing authentication if the application is vulnerable. CEH notes that this technique is a standard initial test because it is low-risk, easily detectable if vulnerable, and directly confirms improper sanitization. JavaScript injection (Option A) tests for XSS, not SQLi. Directory traversal (Option C) targets file path vulnerabilities rather than SQL queries. Brute-force attacks (Option D) rely on guessing credentials and do not test input sanitization. Therefore, using a logical SQL injection payload is the most appropriate and CEH-aligned method.

SQL injection is one of the most common and dangerous vulnerabilities covered in CEH training. It occurs when an application accepts unsanitized input and directly passes it to a backend SQL query. To confirm the presence of SQL injection, the tester must insert a payload that alters the logic of the SQL query executed by the application. A classic test payload such as “1 OR 1=1 —” is widely used because it forces the database to return all rows instead of filtering based on the intended search value. This verifies whether the input field is being concatenated directly into a SQL command. The CEH methodology emphasizes starting with simple, non-destructive boolean-based payloads to safely evaluate the vulnerability without causing harm to the database or impacting server availability. Since directory traversal, brute-force login attempts, and XSS attacks target entirely different weaknesses, they are not appropriate for confirming SQL injection. The selected option aligns with proper CEH testing methodology for identifying insecure input handling and improper query construction.

CEH v13 defines a Trojan as malware that appears as a legitimate, trusted software application while secretly executing malicious actions behind the scenes. Trojans rely on deception rather than replication, often masquerading as tools, utilities, updates, or installers. Once executed, they may install backdoors, steal credentials, exfiltrate data, or modify system settings. The defining characteristic emphasized in CEH is the legitimate-looking façade combined with hidden malicious intent, which matches the scenario perfectly. Spyware (Option B) focuses on monitoring and data collection but does not necessarily disguise itself as legitimate software. Worms (Option C) self-replicate across networks, which is not described here. Rootkits (Option D) hide system compromise but do not necessarily pose as legitimate software. Therefore, the malware described is a Trojan.

In CEH v13 Module 14: Cryptography, key escrow is discussed as a recovery mechanism where a third party securely holds a cryptographic key for retrieval if it’s lost.

Key Escrow Characteristics:

Common in enterprise environments for systems like BitLocker.

Keys are automatically backed up to Active Directory (AD) for future retrieval.

Ensures that encrypted data is not permanently lost due to forgotten or deleted keys.

Option Clarification:

A. Key archival: Storing old keys for audit/record-keeping.

B. Key escrow: Correct – Third-party or central storage for recovery purposes.

C. Certificate rollover: Replacement of expiring certificates.

D. Key renewal: Generating a new key after expiration or compromise.

A service-based solution offered by an auditing firm would be the most appropriate type of vulnerability assessment solution for the large e-commerce organization, given their requirements. A service-based solution is a type of vulnerability assessment that is performed by external experts who have the skills, tools, and experience to conduct a thorough and comprehensive analysis of the target system or network. A service-based solution can imitate the outside view of attackers, as the experts are not familiar with the internal details or configurations of the organization. A service-based solution can also perform well-organized inference-based testing, which is a type of testing that uses logical reasoning and deduction to identify and exploit vulnerabilities based on the information gathered from the target. A service-based solution can scan automatically against continuously updated databases, as the experts have access to the latest security intelligence and threat feeds. A service-based solution can also support multiple networks, as the experts can use different techniques and tools to scan different types of networks, such as wired, wireless, cloud, or hybrid12.

The other options are not as appropriate as option B for the following reasons:

A. Inference-based assessment solution: This option is not a type of vulnerability assessment solution, but a type of testing method that can be used by any solution. Inference-based testing is a testing method that uses logical reasoning and deduction to identify and exploit vulnerabilities based on the information gathered from the target. Inference-based testing can be performed by service-based, product-based, or tree-based solutions, depending on the scope, objectives, and resources of the assessment3.

C. Tree-based assessment approach: This option is not a type of vulnerability assessment solution, but a type of testing method that can be used by any solution. Tree-based testing is a testing method that uses a hierarchical structure to organize and prioritize the vulnerabilities based on their severity, impact, and exploitability. Tree-based testing can be performed by service-based, product-based, or inference-based solutions, depending on the scope, objectives, and resources of the assessment4.

D. Product-based solution installed on a private network: This option is a type of vulnerability assessment solution, but it may not meet all the requirements of the large e-commerce organization. A product-based solution is a type of vulnerability assessment that is performed by using software or hardware tools that are installed on the organization’s own network. A product-based solution can scan automatically against continuously updated databases, as the tools can be configured to download and apply the latest security updates and patches. However, a product-based solution may not imitate the outside view of attackers, as the tools may have limited access or visibility to the external network or the internet. A product-based solution may also not perform well-organized inference-based testing, as the tools may rely on predefined rules or signatures to detect and report vulnerabilities, rather than using logical reasoning and deduction. A product-based solution may also not support multiple networks, as the tools may be designed or optimized for a specific type of network, such as wired, wireless, cloud, or hybrid .

Just like any other service that accepts usernames and passwords for logging in, AWS users are vulnerable to social engineering attacks from attackers. fake emails, calls, or any other method of social engineering, may find yourself with an AWS users’ credentials within the hands of an attacker.

If a user only uses API keys for accessing AWS, general phishing techniques could still use to gain access to other accounts or their pc itself, where the attacker may then pull the API keys for aforementioned AWS user.

With basic opensource intelligence (OSINT), it’s usually simple to collect a list of workers of an organization that use AWS on a regular basis. This list will then be targeted with spear phishing to do and gather credentials. an easy technique may include an email that says your bill has spiked 500th within the past 24 hours, “click here for additional information”, and when they click the link, they’re forwarded to a malicious copy of the AWS login page designed to steal their credentials.

An example of such an email will be seen within the screenshot below. it’s exactly like an email that AWS would send to you if you were to exceed the free tier limits, except for a few little changes. If you clicked on any of the highlighted regions within the screenshot, you’d not be taken to the official AWS web site and you’d instead be forwarded to a pretend login page setup to steal your credentials.

These emails will get even more specific by playing a touch bit additional OSINT before causing them out. If an attacker was ready to discover your AWS account ID on-line somewhere, they could use methods we at rhino have free previously to enumerate what users and roles exist in your account with none logs contact on your side. they could use this list to more refine their target list, further as their emails to reference services they will know that you often use.

For reference, the journal post for using AWS account IDs for role enumeration will be found here and the journal post for using AWS account IDs for user enumeration will be found here.

During engagements at rhino, we find that phishing is one in all the fastest ways for us to achieve access to an AWS environment.

CEH materials describe this attack pattern as Living-off-the-Land (LotL), where attackers abuse legitimate tools to avoid detection. Because these binaries are normally trusted, traditional antivirus solutions may not flag them.

CEH recommends file integrity monitoring (FIM), which tracks cryptographic hashes of sensitive executables and alerts administrators when unauthorized modifications occur.

Option D is correct.

Options A and B support resilience but do not detect tampering.

Option C alone is insufficient against LotL attacks.

CEH categorizes spear phishing as a highly targeted, research-driven social engineering technique that tailors the message to the victim’s role, responsibilities, and current organizational activities. When attackers reference specific internal projects, personnel names, vendor relationships, or operational details, the message appears authentic and bypasses normal suspicion. Executives are especially vulnerable because they routinely receive sensitive operational updates and work closely with vendors and partners, making them prime targets for tailored deception. CEH stresses that spear phishing is significantly more effective than generic phishing because personalization increases trust. Social media-based attempts and mass phishing lack specificity and raise suspicion. Impersonating the CEO over the phone is riskier and more detectable due to real-time human interaction. A targeted spear-phishing email referencing internal projects best aligns with CEH-described advanced social engineering strategy.

The CEH SQL Injection module defines stacked (piggybacked) queries as attacks where an attacker appends an additional SQL statement using a statement delimiter such as a semicolon.

In this scenario, the attacker executed a second query (DROP TABLE users) after the original query, resulting in destructive behavior.

Option B is correct.

Option A retrieves data, not execute destructive commands.

Option C infers logic outcomes.

Option D relies on error messages for data extraction.

CEH classifies stacked queries as high-impact SQL injection attacks.

https://en.wikipedia.org/wiki/Subnetwork

This is a fairly simple question. You must to understand what a subnet mask is and how it works.

A subnetwork or subnet is a logical subdivision of an IP network.The practice of dividing a network into two or more networks is called subnetting.

Computers that belong to the same subnet are addressed with an identical most-significant bit-group in their IP addresses. This results in the logical division of an IP address into two fields: the network number or routing prefix and the rest field or host identifier. The rest field is an identifier for a specific host or network interface.

The routing prefix may be expressed in Classless Inter-Domain Routing (CIDR) notation written as the first address of a network, followed by a slash character (/), and ending with the bit-length of the prefix. For example, 198.51.100.0/24 is the prefix of the Internet Protocol version 4 network starting at the given address, having 24 bits allocated for the network prefix, and the remaining 8 bits reserved for host addressing. Addresses in the range 198.51.100.0 to 198.51.100.255 belong to this network. The IPv6 address specification 2001:db8::/32 is a large address block with 296 addresses, having a 32-bit routing prefix.

For IPv4, a network may also be characterized by its subnet mask or netmask, which is the bitmask that when applied by a bitwise AND operation to any IP address in the network, yields the routing prefix. Subnet masks are also expressed in dot-decimal notation like an address. For example, 255.255.255.0 is the subnet mask for the prefix 198.51.100.0/24.

CEH v13 emphasizes that IoT and smart city environments are highly sensitive and safety-critical. When an IoT device shows anomalous outbound traffic and unauthorized open ports, this strongly indicates device compromise.

The correct immediate response is to isolate the affected device to prevent lateral movement and protect public safety. CEH v13 further stresses the importance of firmware analysis, as IoT malware often resides at the firmware level to maintain persistence.

Attempting reverse connections (Option A) is risky and may violate operational safety. Firewall changes alone (Option C) do not address an already compromised device. A full penetration test (Option D) is appropriate later but not as an immediate containment step.

Therefore, Option B aligns with CEH v13 incident handling best practices for IoT and OT environments.

In CEH v13 Module 17: Mobile and IoT Security, Advanced SMS Phishing (also known as SMiShing) is described as a technique where attackers impersonate trusted entities via SMS to:

Trick users into entering authentication codes or PINs.

Deliver malicious payloads or alter device configurations.

Simulate OTA (Over-the-Air) provisioning messages.

In this case:

The attacker sends a fake OTA setup message asking for a PIN.

Once Ben enters the PIN, the device's configuration is hijacked.

Why Others Are Incorrect:

B. Bypass SSL pinning: Relates to mobile app reverse engineering and traffic interception.

C. Phishing: General term; SMS-specific variant is more accurate here.

D. Tap ‘n ghost: A touch screen manipulation attack, unrelated to messaging.

Correct answer is A. Advanced SMS phishing.

In CEH v13 Module 04: Enumeration and Module 06: Malware Threats, when investigating Command-and-Control (C2) communication, it is important to determine whether the communication actually occurred and what data was sent.

C. Internet Firewall/Proxy log

Best source to confirm outbound connections to external IPs.

Proxy logs show which internal host made the connection, the timestamp, and sometimes even URL and payload.

Firewalls can indicate port usage, traffic volume, and connection duration.

This data gives a direct view of how severe the incident is, whether data exfiltration occurred, and which internal system is affected.

Why Other Options Are Less Effective Initially:

A. IDS Log: Only tells you that an alert was generated. May be false positive or triggered by a failed connection.

B. Event logs on Domain Controller: Useful for user account behavior, but not for network connections.

D. Event logs on the PC: May lack detail or be tampered with by malware.

In CEH v13 Module 06: Malware Threats, code emulation is defined as a technique used by modern antivirus software where a virtual CPU and memory are created to safely execute and analyze malware in a sandboxed environment.

This allows the detection engine to observe runtime behavior of suspicious code without risking the actual system.

It’s more effective than signature-based detection for catching polymorphic and obfuscated malware.

The described method is a classic example of a Side-Channel Attack, specifically a Timing Attack.

Key characteristics:

It exploits variations in response time from a system to infer sensitive information, such as the correct number of characters in a password.

In this scenario, if a correct character causes a longer processing time, the attacker can deduce the correct sequence iteratively.

According to CEH v13:

Side-channel attacks do not directly break encryption but rely on observing system behavior like timing, power consumption, or electromagnetic leaks.

These attacks are effective against poorly implemented authentication mechanisms or embedded systems like ICS/SCADA.

Incorrect Options:

B. Denial-of-service is aimed at making systems unavailable, not extracting credentials.

C. HMI-based attacks involve manipulating the human-machine interface of ICS systems.

D. Buffer overflow exploits memory handling flaws, not timing behavior.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Cryptanalysis and Side-Channel Attacks”

Subsection: “Timing Attacks and Password Recovery”

The Certified Ethical Hacker (CEH) Footprinting and Reconnaissance module defines Google Hacking, also known as Google Dorking, as the use of advanced search operators to uncover sensitive information unintentionally exposed on the public internet. This technique remains passive, making it ideal during early reconnaissance.

Google Hacking can reveal:

Exposed configuration files

Backup files (.bak, .old, .zip)

Error messages and stack traces

Source code fragments and scripting errors

These findings often indicate coding weaknesses or insecure configurations within a web application. CEH explicitly highlights Google Dorking as an effective way to identify web application weaknesses without scanning or exploiting the target directly.

Option C is correct because Google Hacking is commonly used to identify coding and configuration weaknesses exposed through indexed files.

Option A may be possible indirectly but is not the primary justification.

Option B is incorrect because Google does not index the Deep Web.

Option D involves internal network discovery, which Google Hacking cannot directly achieve.

CEH emphasizes Google Hacking as a powerful passive reconnaissance technique for discovering exposed vulnerabilities.

The command uses sqlmap, a powerful SQL injection and database penetration testing tool. The flag -u specifies the target URL, and -dbs instructs sqlmap to enumerate the available databases on the DBMS behind that URL.

Command Breakdown:

-u: Target URL with injectable parameters

-dbs: Retrieve and enumerate all available database names

This is a common first step in identifying vulnerable DBMS structures after confirming SQL injection.

Incorrect Options:

A. Backdoor creation is not the default function of sqlmap.

C. Retrieving SQL statements would require additional options like --trace or --sql-query.

D. Option D is not technically accurate—sqlmap is used for injection and enumeration, not searching statements.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “SQL Injection Tools and Automation”

Tool Reference: sqlmap usage and options

=

Operation Cloud Hopper was an in depth attack and theft of data in 2017 directed at MSP within the uk (U.K.), us (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa , India, Thailand, South Korea and Australia. The group used MSP as intermediaries to accumulate assets and trade secrets from MSP client engineering, MSP industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.

Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans. These were delivered through spear-phishing emails. The attacks scheduled tasks or leveraged services/utilities to continue Microsoft Windows systems albeit the pc system was rebooted. It installed malware and hacking tools to access systems and steal data.

Risk Mitigation

Risk mitigation can be defined as taking steps to reduce adverse effects. There are four types of risk mitigation strategies that hold unique to Business Continuity and Disaster Recovery. When mitigating risk, it’s important to develop a strategy that closely relates to and matches your company’s profile.

Risk Acceptance

Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.

Risk Avoidance

Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation options.

Risk Limitation

Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance and a bit of risk avoidance or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.

Risk Transference

Risk transference is the involvement of handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies.

Web Application Threats - Watering Hole Attack In a watering hole attack, the attacker identifies the kinds of websites a target company/individual frequently surfs and tests those particular websites to identify any possible vulnerabilities. Attacker injects malicious script/code into the web application that can redirect the webpage and download malware onto the victim machine. (P.1797/1781)

If the token itself (e.g., hardware key or smartcard) performs offline verification of the PIN, it can be physically attacked. An attacker can:

Steal the token

Try all possible PIN combinations (0000–9999)

Bypass limits if no lockout mechanisms exist

This is a brute-force attack — the attacker tries every combination until the correct one is found.

From CEH v13 Courseware:

Module 6: Malware and Authentication

Module 20: Identity and Access Management

Incorrect Options:

A: Birthday attacks are related to hash collisions.

C: MITM involves intercepting communication, not offline brute-force.

D: Smurf is a DoS attack, not related to token/PIN systems.

The attacker has most likely used RST hijacking, which is a type of network-level session hijacking technique that exploits the TCP reset (RST) mechanism. TCP reset is a way of terminating an established TCP connection by sending a packet with the RST flag set, indicating that the sender does not want to continue the communication. RST hijacking involves sending a forged RST packet to one or both ends of a TCP connection, using a spoofed source IP address and a guessed acknowledgment number, to trick them into believing that the other end has closed the connection. As a result, the victim’s connection is reset and the attacker can take over the session or launch a denial-of-service attack12.

The other options are not correct for the following reasons:

A. TCP/IP hijacking: This option is a general term that refers to any type of network-level session hijacking technique that targets TCP/IP connections. RST hijacking is a specific type of TCP/IP hijacking, but not the only one. Other types of TCP/IP hijacking include SYN hijacking, source routing, and sequence prediction3.

B. UDP hijacking: This option is not applicable because UDP is a connectionless protocol that does not use TCP reset mechanism. UDP hijacking is a type of network-level session hijacking technique that targets UDP connections, such as DNS or VoIP. UDP hijacking involves intercepting and modifying UDP packets to redirect or manipulate the communication between the sender and the receiver4.

D. Blind hijacking: This option is not accurate because blind hijacking is a type of network-level session hijacking technique that does not require injecting RST packets. Blind hijacking involves guessing the sequence and acknowledgment numbers of a TCP connection without being able to see the responses from the target. Blind hijacking can be used to inject malicious data or commands into an active TCP session, but not to reset the connection5.

Comprehensive and Detailed Explanation:

A covert channel is any communication path that allows data to be transferred in violation of a system’s security policy. It’s commonly used by malware or Trojans to exfiltrate data or send commands undetected.

Examples include:

Encoding data in TCP headers (unused bits)

Timing of packets (timing channel)

Use of legitimate protocols to piggyback malicious traffic

From CEH v13 Courseware:

Module 6: Malware Threats → Trojans and Covert Channels

This is a textbook case of Intranet DNS Poisoning, often combined with ARP spoofing, as described in CEH v13 Network Sniffing and MITM Attacks. The attacker positions themselves inside the local network, intercepts DNS requests, and responds faster than the legitimate DNS server.

ARP spoofing enables the attacker to perform a Man-in-the-Middle attack, allowing sniffing and modification of DNS traffic. CEH v13 notes that faster rogue responses are a strong indicator of local DNS poisoning.

CEH’s social engineering principles highlight psychological manipulation techniques such as authority, urgency, trust exploitation, and impersonation. In this scenario, the attacker leverages “perceived authority,” a powerful influence tactic where the social engineer poses as someone with legitimate power or sanctioned access—such as a technician, auditor, or vendor representative. CEH emphasizes that referencing real employee names, using technical terminology, and impersonating trusted third-party partners increases believability and reduces verification resistance. The receptionist’s acceptance of the attacker’s presence without verifying credentials matches classical authority-based exploitation. Leaked credentials, physical security logs, and network segmentation issues do not relate to human-layer social engineering. The situation clearly reflects the manipulation of trust and authority as described in CEH’s psychological attack vectors.

To perform a thorough password assessment, Bob can use:

Hardware Keyloggers: Installed between the keyboard and computer; captures keystrokes.

Software Keyloggers: Installed on the OS; logs keystrokes and system activity.

Network Sniffing: Captures plaintext passwords from unencrypted protocols (e.g., FTP, Telnet).

From CEH v13 Official Courseware:

Module 4: Enumeration

Module 6: Malware Threats

Module 8: Sniffing

CEH v13 Study Guide states:

“A comprehensive password audit can involve passive sniffing of credentials on the wire, software keyloggers for direct input capture, and hardware keyloggers for stealthy physical surveillance.”

Incorrect Options:

B, C, D: Limiting to just one method misses out on broader techniques.

Before implementing auditing, it is crucial to assess how enabling this feature will impact system resources, performance, and storage. Auditing can generate significant logs and place additional load on systems, especially in environments handling sensitive data such as banking.

Understanding the impact helps determine if the current infrastructure can handle the overhead or if optimizations or upgrades are needed beforehand.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Section: Enabling Auditing and Logging

Quote:

“Before enabling auditing, organizations must assess the performance and storage impact. Improper implementation can result in performance degradation or missed logs.”

Incorrect Options Explained:

A. Vulnerability scanning is important but not directly related to audit implementation.

C. Cost-benefit analysis comes after understanding operational impact.

D. Staffing is a planning step, not the first technical action.

=

CEH explains that SQL injection testing should begin with controlled, intentional manipulation of SQL syntax to determine whether user input is improperly concatenated into backend queries. While destructive queries like DROP TABLE are not recommended in real-world ethical hacking engagements, CEH uses this example as a conceptual demonstration of how SQLi can influence database commands. In practice, a penetration tester would more safely use benign tautologies such as ' OR '1'='1 to test whether unauthorized data is returned. However, within CEH’s theoretical framing, injecting a clearly malicious SQL command demonstrates whether the input is executed at the database level. This validates improper sanitization, the use of dynamic SQL queries, and missing parameterized input handling. CEH stresses that SQLi is among the most critical vulnerabilities because it allows attackers to bypass authentication, exfiltrate data, or manipulate the database structure. XSS, brute-forcing, and directory traversal do not test SQL query manipulation and therefore do not confirm SQL injection.

18 U.S.C. §1030, also known as the Computer Fraud and Abuse Act (CFAA), is a broad federal statute that criminalizes unauthorized access to computers and related fraudulent activities—including phishing and email scams.

From CEH v13 Official Courseware:

Module 1: Introduction to Ethical Hacking

Topic: U.S. Laws Related to Cybercrime

CEH v13 Study Guide states:

“Email-based frauds such as phishing, spoofing, and other social engineering attacks fall under the Computer Fraud and Abuse Act (18 U.S.C. §1030), which criminalizes unauthorized access and fraudulent behavior in computing systems.”

Incorrect Options:

B: Relates to credit cards and access devices.

C: Covers interference with government communication systems.

D: Covers illegal wiretapping and eavesdropping.

Operational Technology and ICS environments often suffer from misconfigurations such as unchanged factory-default passwords. CEH identifies exploiting default credentials as a direct and effective method because ICS devices frequently lack strong authentication controls. Using these built-in credentials grants immediate unauthorized access to supervisory controls, enabling adversaries to manipulate configurations, disrupt processes, or escalate attacks across critical systems.

Comprehensive and Detailed Explanation:

In Windows SID structure:

RID 500 = Default Administrator

RID 501 = Guest Account

Therefore, “-501” at the end indicates Matthew is operating as the Guest user, which has very limited privileges. To gain full administrative control, he must escalate his privileges.

From CEH v13 Courseware:

Module 6: System Hacking → Privilege Escalation Techniques

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies “Insecure Data Storage” as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

Comprehensive and Detailed Explanation:

An Xmas scan is a type of stealth TCP scan that sets the FIN, PSH, and URG flags. According to RFC 793:

If the port is closed, the target responds with a TCP RST (Reset) packet.

If the port is open or filtered, there is no response.

Thus, receiving a RST response indicates a closed port.

From CEH v13 Courseware:

Module 3: Scanning Networks → TCP Flag Scanning Techniques

The CEH Cloud Security module highlights identity and access management (IAM) failures as a major source of cloud breaches. Ensuring timely de-provisioning of user accounts when employees leave is a core security control.

Option C is correct.

Options A and B detect issues but don’t prevent access persistence.

Option D is unrelated to access control.

CEH stresses joiner–mover–leaver (JML) processes.

https://en.wikipedia.org/wiki/Phishing

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.

An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identify theft.

Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on the scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

Remote File Inclusion occurs when an application allows external resources to be loaded from user-controlled input. CEH teaches that an attacker can supply a remote URL pointing to a malicious script (for example, a PHP shell). When the vulnerable application includes this external file, the attacker's code executes on the server. This can lead to full system compromise, remote command execution, or lateral movement.

PGP (Pretty Good Privacy), SSL (Secure Sockets Layer), and IKE (Internet Key Exchange) use Public Key Cryptography for secure communication. They utilize:

Public and private key pairs

Asymmetric encryption for key exchange

Symmetric encryption for data confidentiality (after key exchange)

These protocols ensure secure data transfer over insecure networks.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Public key cryptography uses asymmetric key pairs for encryption and authentication. Protocols like PGP, SSL/TLS, and IKE rely on this to exchange keys and establish trust.”

Incorrect Options:

A & D. Digest/hash algorithms (e.g., MD5, SHA) ensure integrity, not encryption

B. Secret key refers to symmetric encryption, which is used after the public key exchange, not as the basis for these protocols

SOX stands for Sarbanes-Oxley Act of 2002. It is a U.S. federal law enacted to protect shareholders and the general public from accounting errors and corporate fraud.

Key points:

Requires strict internal controls and financial disclosures in publicly traded companies.

Mandates regular audits and IT security controls related to financial data.

Applies especially to accounting systems, databases, access controls, and IT procedures related to financial reporting.

Incorrect Options:

A. PCI-DSS relates to securing credit card data.

B. FISMA pertains to federal agency cybersecurity standards.

D. ISO/IEC 27001:2013 is an international information security standard, not a legal requirement for financial integrity.

Reference – CEH v13 Official Courseware:

Module 01: Introduction to Ethical Hacking

Section: “Compliance and Legal Concepts”

Table: "Major Laws and Regulations in Information Security"

=

In CEH v13 Module 14: Cryptography, VPN (Virtual Private Network) technology is described as the method that allows users to securely transmit data over an insecure (public) network by establishing a secure, encrypted tunnel.

VPN Features:

Encrypts all traffic between the user's device and the target network.

Prevents session hijacking, eavesdropping, and man-in-the-middle (MITM) attacks.

Common protocols: IPSec, L2TP, SSL VPN, and OpenVPN.

Option Clarification:

A. DMZ: A network segmentation strategy, not an encryption method.

B. SMB signing: Ensures integrity for SMB protocol, but not for remote tunneling.

C. VPN: Correct. Used to securely tunnel over public networks.

D. Switch network: Refers to network segmentation using switches, unrelated to tunneling.

The KRACK (Key Reinstallation Attack) vulnerability is a critical WPA2 flaw covered extensively in CEH v13 Wireless Network Hacking. KRACK exploits weaknesses in the four-way handshake process, allowing attackers to force reinstallation of encryption keys.

This key reinstallation resets nonces and counters, enabling attackers to decrypt, replay, and forge packets, even on encrypted WPA2 networks. CEH v13 highlights that KRACK does not break encryption mathematically but exploits protocol logic flaws.

Hole196 affects GTK misuse, and WPS PIN attacks target authentication, not replay of encrypted traffic. Weak RNG issues are unrelated to WPA2 replay.

Thus, Option B is correct.

The scenario describes an API vulnerability where unauthorized users are able to view, modify, or delete sensitive data by interacting with API objects. This indicates a failure in access control—specifically, a lack of Attribute-Based Access Control (ABAC) validation.

Attribute-Based Access Control (ABAC):

ABAC is an advanced access control model that evaluates access permissions based on attributes of the user, the resource, and the environment (e.g., user role, data sensitivity, location, etc.).

When ABAC is not properly implemented ("No ABAC validation"), APIs may allow users to access or manipulate objects they shouldn't have access to.

In APIs, this typically results in vulnerabilities like Insecure Direct Object Reference (IDOR), where users can tamper with object identifiers (IDs) to access or alter data that doesn’t belong to them.

This is one of the top risks highlighted by the OWASP API Security Top 10 (e.g., Broken Object Level Authorization).

Incorrect Options:

A. Code injection refers to injecting malicious code (e.g., SQLi, XSS), not improper access control.

B. Improper use of CORS (Cross-Origin Resource Sharing) may lead to unauthorized data exposure but doesn’t describe unauthorized object access in an API.

D. Business logic flaws relate to weaknesses in application workflows and rules, not direct access control failures.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: "API Security Threats"

Subsection: "Access Control Failures in APIs (IDOR, BOLA, ABAC-related flaws)"

OWASP API Security Top 10: 2023 – A1: Broken Object Level Authorization

CEH iLabs and CEH Engage also demonstrate API-based attack vectors exploiting access control weaknesses.

DNS cache snooping is an enumeration technique where the attacker queries a DNS server to check whether a specific domain has been recently resolved by the server (i.e., it exists in the cache). If a positive response is received with low latency, it indicates that the domain was visited recently.

Key points:

Used to infer user browsing habits or visited domains.

Helps attackers identify user interests or potential targets.

Incorrect Options:

A. DNS zone walking is used to list all domain names in a DNS zone (with misconfigured DNS servers), not for cached record inspection.

C. DNSSEC zone walking applies only when DNSSEC is misconfigured.

D. DNS cache poisoning is a manipulation technique, not a passive enumeration method.

Reference – CEH v13 Official Courseware:

Module 04: Enumeration

Section: “DNS Enumeration”

Subsection: “DNS Cache Snooping and Timing Analysis”

Tool Reference: dig, nslookup

=

CEH defines ethical hacking as the authorized, structured, and permission-based process of identifying vulnerabilities to strengthen an organization’s security posture. Ethical hackers operate under a signed scope-of-work and follow legal boundaries. Malicious hackers, by contrast, exploit systems without permission, often with harmful or criminal intent. CEH emphasizes that both ethical and malicious hackers may use similar tools, techniques, and methodologies; the distinction lies entirely in authorization, intent, and legality. Ethical hacking is conducted to improve defenses, while malicious hacking targets exploitation, theft, or disruption. Nothing in CEH materials suggests that toolsets or work styles distinguish the two groups; permission and lawful operation remain the central differentiators.

An untethered jailbreak is one that allows a telephone to finish a boot cycle when being pwned with none interruption to jailbreak-oriented practicality.

Untethered jailbreaks area unit the foremost sought-after of all, however they’re additionally the foremost difficult to attain due to the powerful exploits and organic process talent they need. associate unbound jailbreak is sent over a physical USB cable association to a laptop or directly on the device itself by approach of associate application-based exploit, like a web site in campaign.

Upon running associate unbound jailbreak, you’ll be able to flip your pwned telephone off and on once more while not running the jailbreak tool once more. all of your jailbreak tweaks and apps would then continue in operation with none user intervention necessary.

It’s been an extended time since IOS has gotten the unbound jailbreak treatment. the foremost recent example was the computer-based Pangu break, that supported most handsets that ran IOS nine.1. We’ve additionally witnessed associate unbound jailbreak within the kind of JailbreakMe, that allowed users to pwn their handsets directly from the mobile campaign applications programme while not a laptop.

CEH defines spyware as malware designed to covertly observe user behavior and transmit sensitive information to attackers without the victim’s knowledge. Spyware commonly records keystrokes, browser activity, form submissions, application usage, and other personally identifiable information. CEH highlights that spyware often operates silently and may disguise itself as legitimate software, making detection difficult. Unlike rootkits—which hide processes and files—or worms that self-replicate, spyware focuses exclusively on monitoring and data exfiltration. It is frequently installed through phishing, drive-by downloads, browser vulnerabilities, or malicious installers. Spyware can serve as a stepping stone for further system compromise by providing attackers with credentials for privilege escalation, lateral movement, or financial theft. CEH emphasizes the need for endpoint hardening, updated anti-malware engines, and behavioral analysis tools to detect such stealthy monitoring programs.

Shoulder surfing is a social engineering technique that involves looking over someone’s shoulder to observe sensitive information, such as passwords, PINs, or credit card numbers, that they enter on their computer, phone, or ATM. It is the least likely method of social engineering to yield beneficial information based on the data collected by Maltego, because it requires physical proximity and access to the target’s devices, which may not be feasible or safe for the hacker. Moreover, shoulder surfing does not leverage the information obtained by Maltego, such as domains, DNS names, Netblocks, or IP addresses, which are more relevant for network-based attacks.

The other options are more likely to yield beneficial information based on the data collected by Maltego, because they involve exploiting the target’s trust, curiosity, or negligence, and using the information obtained by Maltego to craft convincing scenarios or messages. Impersonating an ISP technical support agent to trick the target into providing further network details is a form of pretexting, where the hacker creates a false identity and scenario to obtain information or access from the target. Dumpster diving in the target company’s trash bins for valuable printouts is a technique that relies on the target’s negligence or lack of proper disposal of sensitive documents, such as network diagrams, passwords, or confidential reports. Eavesdropping on internal corporate conversations to understand key topics is a technique that exploits the target’s curiosity or lack of awareness, and allows the hacker to gather information about the target’s projects, plans, or problems, which can be used for further attacks or extortion. References:

Social Engineering: Definition & 5 Attack Types

How to Use Maltego Transforms to Map Network Infrastructure: An In-Depth Guide

Social engineering: Definition, examples, and techniques

In CEH v13 Module 11: Hacking Wireless Networks, Wardriving is explained as the practice of driving around with a Wi-Fi-enabled device to detect open or vulnerable wireless networks.

Key Characteristics of Wardriving:

Involves using laptops, smartphones, or specialized devices with Wi-Fi antennas.

Tools like NetStumbler, Kismet, or WiGLE may be used.

Often includes GPS tagging of discovered networks.

Used to identify unsecured access points for later exploitation.

Option Clarification:

A. GPS mapping: May be used with wardriving, but not the act itself.

B. Spectrum analysis: Measures RF spectrum usage; not network discovery.

C. Wardriving: Correct – searching for Wi-Fi networks while driving.

D. Wireless sniffing: Captures traffic; can happen during wardriving, but broader in scope.

Network Access Control (NAC) solutions often authenticate only the first device connected to a port. CEH explains that attackers can insert a rogue device behind an already authenticated host, bypassing NAC checks. This creates a transparent bridge that forwards legitimate traffic while injecting attacker-controlled communications.

Comprehensive and Detailed Explanation:

Social engineering is a psychological manipulation technique used by attackers to trick individuals into divulging confidential or personal information that may be used for fraudulent purposes.

It relies on human interaction and may involve tactics such as:

Impersonation

Pretexting

Phishing

Baiting

Rather than attacking systems directly, attackers exploit human trust and error.

From CEH v13 Courseware:

Module 7: Social Engineering

Whois footprinting is a reconnaissance technique used by attackers and penetration testers to gather publicly available information about domain names. By performing a Whois lookup, one can retrieve:

Domain registrant details (name, email, phone, and address)

Domain registration and expiry dates

Name servers and registrar information

Administrative and technical contact data

According to CEH v13:

Whois databases are maintained by Internet registrars and can be queried through tools like whois lookup or websites such as https://whois.domaintools.com.

This information helps attackers build a profile of the organization, identify potential social engineering targets, and even understand domain structure for further attacks.

Incorrect Options:

A. VPN footprinting refers to identifying VPN gateways or configurations — not related to domain data.

B. Email footprinting involves gathering information from or about email systems.

C. VoIP footprinting targets IP-based telephony systems, such as SIP endpoints.

Reference – CEH v13 Official Courseware:

Module 02: Footprinting and Reconnaissance

Section: “WHOIS Footprinting”

Tools: Whois lookup tools, ICANN WHOIS, DomainTools

CEH courseware describes rootkits as specialized malware designed to conceal their presence while providing persistent, unauthorized access to system-level functions. Rootkits typically modify low-level components of the operating system—such as kernel modules, drivers, or system processes—to hide files, processes, registry keys, and network connections. Their primary purpose is to grant attackers administrative privileges without triggering alerts, making them extremely stealthy and dangerous. CEH emphasizes that rootkits often accompany other malware to maintain long-term control after initial compromise. In contrast, viruses replicate by attaching to files, keyloggers record keystrokes but do not hide system-level access, and ransomware encrypts data rather than conceals operations. The defining characteristics in this scenario—cloaking activity, providing admin-level control, persisting undetected—are directly aligned with rootkit behavior as described in CEH training material.

While perimeter defenses like firewalls and IPS provide a layer of protection, internal systems (such as network elements) must also be hardened. This includes:

Enforcing strong authentication

Applying regular patches and updates

Conducting vulnerability assessments and security audits

Security should be layered (defense in depth), and reliance on perimeter defense alone is insufficient.

Reference – CEH v13 Official Study Guide:

Module 3: Scanning Networks / Module 18: Incident Response

Quote:

“Internal systems must be hardened with secure configurations and tested regularly. A layered security approach is required even in protected environments.”

Incorrect Options:

B & C. Relying only on perimeter or physical security is not sufficient

D. While backup sites are part of DR, they don’t replace proactive protection

=

A hybrid attack combines the benefits of both dictionary and brute-force attacks. It takes words from a dictionary and applies modifications such as:

Appending or prepending numbers or symbols

Changing case (e.g., admin → Admin1!)

Leetspeak substitutions (e.g., p@ssw0rd)

From CEH v13 Official Courseware:

Module 6: Malware Threats

Topic: Password Cracking Methods

CEH v13 Study Guide states:

“A hybrid attack is a combination of dictionary and brute-force techniques. It takes dictionary words and mutates them to cover common variations, making it more effective than pure dictionary attacks.”

Incorrect Options:

A/B/D: These are not standard terminology in cryptographic or password auditing literature.

A digital signature is created by hashing the document and encrypting that hash with the sender’s private key. Since the hash is specific to the original content, any change to the document invalidates the signature, making it non-transferable to another document.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Digital signatures are based on hashing the document and signing the digest with the private key. This makes each signature unique to the document and ensures tamper resistance.”

Incorrect Options:

B. Incorrect — signature is tied to one document.

C. Hashes are not plain; they are encrypted.

D. Keys can be reused, but signatures are document-specific.

Banner grabbing is a technique wont to gain info about a computer system on a network and the services running on its open ports. administrators will use this to take inventory of the systems and services on their network. However, an to find will use banner grabbing so as to search out network hosts that are running versions of applications and operating systems with known exploits.

Some samples of service ports used for banner grabbing are those used by Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP); ports 80, 21, and 25 severally. Tools normally used to perform banner grabbing are Telnet, nmap and Netcat.

For example, one may establish a connection to a target internet server using Netcat, then send an HTTP request. The response can usually contain info about the service running on the host:

This information may be used by an administrator to catalog this system, or by an intruder to narrow down a list of applicable exploits.

To prevent this, network administrators should restrict access to services on their networks and shut down unused or unnecessary services running on network hosts. Shodan is a search engine for banners grabbed from portscanning the Internet.

The SOA (Start of Authority) record contains key DNS parameters, including TTL (Time To Live). The components of an SOA record are in this order:

(domain) IN SOA (Primary Name Server) (Responsible party) (Serial) (Refresh) (Retry) (Expire) (Minimum TTL)

Given:

Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)

Field breakdown:

Serial: 200302028

Refresh: 3600 seconds

Retry: 3600 seconds

Expire: 604800 seconds

Minimum TTL: 2400 seconds ← This is the TTL value

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration and Zone Transfers

Subsection: Understanding DNS Records

CEH v13 Study Guide states:

“In an SOA record, the last value is the Minimum TTL — the amount of time other DNS servers should cache resource records for the zone.”

Incorrect Options:

A: Serial number

B: Refresh interval

C: Expiry interval

E/F: Arbitrary, not part of the SOA shown

Comprehensive and Detailed Explanation:

In a MAC flooding attack, tools like macof (shown in the image) rapidly generate a large number of Ethernet frames with spoofed source MAC addresses. These are sent to the switch to overflow its CAM (Content Addressable Memory) table.

Once the CAM table is full:

The switch can no longer learn new MAC-to-port associations.

It fails open and starts broadcasting all incoming traffic to all ports.

This causes the switch to act like a hub.

Consequently, the attacker can:

Sniff traffic that would otherwise be switched.

Intercept data not destined for their system.

From CEH v13 Courseware:

Module 8: Sniffing → Switch-Based Attacks → MAC Flooding

Incorrect Options:

B: A switch typically does not crash but reverts to hub behavior.

C: There is no factory default override behavior like this.

D: Packets are not dropped—this would defeat the attack’s purpose.

In CEH v13 Module 03: Scanning Networks, service version detection is achieved using the -sV option in Nmap.

-sV: Enables version detection of open ports by sending probes to determine the service name and version (e.g., Apache 2.4.49).

Helps identify potential vulnerabilities in specific software versions.

Option Clarification:

A. -SN: Ping scan (host discovery only).

B. -SX: Invalid/undefined option.

C. -sV: Correct option for service version detection.

D. -SF: Sends FIN packets (used in stealth scans), not for version discovery.

This scenario describes a worm infection, as defined in CEH v13 Malware Threats. Worms are self-replicating malware that spread autonomously across networks without user interaction. Their propagation often results in excessive network traffic, system crashes, and resource exhaustion, which aligns with the symptoms described.

CEH v13 differentiates worms from other malware:

Ransomware encrypts data but does not self-propagate aggressively.

Trojans require user execution.

Rootkits focus on stealth and persistence rather than replication.

The appropriate response prioritizes containment and eradication. Quarantining affected systems prevents further spread. A network-wide antivirus sweep with updated signatures removes known worm variants. Updating operating systems closes vulnerabilities that worms exploit for propagation.

CEH v13 stresses rapid isolation and patching as critical measures to control worm outbreaks and restore network stability. Therefore, Option A is correct.

Launching Fileless Malware through Phishing Attackers commonly use social engineering techniques such as phishing to spread fileless malware to the target systems. Fileless malware exploits vulnerabilities in system tools to load and run malicious payloads on the victim’s machine to compromise the sensitive information stored in the process memory. (P.978/962)

ESP (Encapsulating Security Payload) in transport mode is used for end-to-end communication between hosts within the same LAN. It encrypts only the payload, not the header, ensuring confidentiality and integrity while maintaining efficient routing.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“In ESP transport mode, only the data payload is encrypted, making it ideal for secure communication within a LAN where the IP header must remain intact for routing.”

Incorrect Options Explained:

B & C. Not valid IPSec modes.

D. AH tunnel mode ensures integrity but does not provide encryption.

=

TCP NULL scanning is a stealth scanning technique covered in CEH v13 Reconnaissance and Network Scanning. In a NULL scan, all TCP flags are set to zero. According to RFC 793 and CEH documentation, closed ports must respond with a TCP RST (Reset) packet.

If the port is open, the target typically does not respond, making this technique useful for firewall evasion. Therefore:

RST response = Closed port

No response = Open or filtered port

Other options do not apply to NULL scans:

SYN/ACK is associated with SYN scans.

ICMP errors may indicate filtering, not port state.

The Shellshock vulnerability (CVE-2014-6271) allows attackers to execute arbitrary commands via crafted environment variables in Bash. In this example, the malicious command cat /etc/passwd is executed, displaying the contents of the file (which contains system user account info).

Reference – CEH v13 Official Study Guide:

Module 6: Malware Threats

Quote:

“Shellshock allows remote code execution through environment variables processed by Bash. Exploits can be used to run commands like cat /etc/passwd on a vulnerable system.”

Incorrect Options:

A. No file deletion occurs.

B. It doesn’t change passwords.

C. No user addition occurs.

=

In CEH’s Cloud Computing module, one of the most common real-world causes of cloud data exposure is misconfiguration, especially overly permissive network access controls. Cloud platforms commonly use constructs like security groups / firewall rules / network ACLs to define inbound and outbound access. CEH highlights that exposing sensitive services (databases, storage endpoints, admin panels) to the public internet—whether by “0.0.0.0/0” rules, overly broad ports, or unintended administrative access—frequently results in unauthorized access and data leakage even without sophisticated exploit chains.

Option D is therefore the most likely, because misconfigured security groups can directly expose customer data stores or management interfaces, enabling data theft through normal connectivity rather than exploiting a rare hypervisor flaw.

Option A (hypervisor side-channel attack) is advanced and less common; it typically requires high attacker capability and conditions not implied here. Option B (DoS) impacts availability, not confidentiality, so it doesn’t best explain data exposure. Option C (brute force passwords) is possible, but the question emphasizes an “unknown vulnerability” in the cloud environment—CEH teaching often frames “unknown vulnerability” in cloud incidents as misconfiguration or uncontrolled exposure rather than authentication guessing alone.

CEH countermeasures include least-privilege security group rules, segmentation, continuous configuration monitoring, cloud security posture management, and auditing publicly exposed resources.

Comprehensive and Detailed Explanation:

The “weakest link” in cybersecurity is almost always the human element. Even with cutting-edge technology and airtight configurations, untrained or careless users can fall for phishing attacks, use weak passwords, or mishandle sensitive data — giving hackers a path into the system.

From CEH v13 Courseware:

Module 7: Social Engineering

Topic: Human Element in Security Breaches

CEH guidance for web server hardening prioritizes controls that reduce exploitable conditions across the broadest set of threats. While obscuring paths (for example, unusual directory names like “certrcx” or storing content under “/admin/web”) may slightly slow down casual discovery, CEH emphasizes that security through obscurity is not a reliable control. If an attacker can identify the server root, document root, and virtual directory structure (through misconfigurations, directory listing, error leakage, backup exposure, or known-path enumeration), then the real risk becomes unpatched vulnerabilities in the web server, modules, libraries, and underlying OS.

Regularly updating and patching the server software is the most direct, high-impact countermeasure because it closes known vulnerabilities attackers routinely exploit (RCE, privilege escalation, auth bypass, path traversal, request smuggling, etc.). CEH materials also stress that virtual hosting expands the attack surface (multiple sites, shared services, shared misconfigurations), making systematic patching and configuration management even more important.

Option A (moving the document root to a different disk) may help with organization and, in some cases, recovery planning, but it does not inherently reduce vulnerabilities. Option C (changing IPs) is not a security control; it may complicate blocking lists but doesn’t fix the underlying weakness. Option D (using LAMP) is an architectural choice, not a security measure by itself—an open-source stack can still be insecure if misconfigured or unpatched.

Therefore, CEH-aligned best practice is regular patching and updates.

The command shown is a Windows batch loop that attempts to mount a hidden administrative share (c$) on a remote machine (\10.1.2.3) using the username "Administrator" and a list of passwords from the file hackfile.txt.

for /f "tokens=1 %%a in (hackfile.txt) → Reads one password per line from the file

do net use * \10.1.2.3\c$ /user:"Administrator" %%a → Tries to authenticate to the share using the Administrator account and each password

This is a classic brute-force password attack attempting to crack the Administrator account using a wordlist.

From CEH v13 Official Courseware:

Module 4: Enumeration

Module 6: Malware and Password Cracking Techniques

CEH v13 Study Guide states:

“Tools and scripts that automate login attempts using SMB shares and administrative credentials can be used to brute force user accounts. An attacker attempts access using a list of passwords (dictionary attack).”

Incorrect Options:

A: The connection attempt is made, but the success is dependent on password cracking.

B: This command does not enumerate users.

D: No null session involved; this is a brute-force attempt, not privilege escalation.

On Linux and UNIX-like systems, files or directories that begin with a period (.) are considered hidden. These files do not appear by default when a user runs the ls command, unless explicitly instructed to show hidden files using ls -a.

Example:

File named .hiddenfile will not appear with a simple ls command.

To view it, use: ls -a

This is commonly used for configuration files (e.g., .bashrc, .profile) and also by attackers or malicious users who want to conceal their scripts or payloads.

Incorrect Options:

A. Exclamation mark (!) is used in shell history and command expansion, not for hiding files.

B. Underscore (_) is a valid filename character but does not hide files.

C. Tilde (~) represents the current user's home directory; not used for hiding.

Reference – CEH v13 Official Courseware:

Module 06: Malware Threats

Section: “Tactics to Hide Malware Files in the OS”

Lab: CEH Engage — Creating and Hiding Files in Linux

=

https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom

Often one of the most useful (and to the beginner underrated) abilities of Metasploit is the msfpayload module. Multiple payloads can be created with this module and it helps something that can give you a shell in almost any situation. For each of these payloads you can go into msfconsole and select exploit/multi/handler. Run ‘set payload’ for the relevant payload used and configure all necessary options (LHOST, LPORT, etc). Execute and wait for the payload to be run. For the examples below it’s pretty self explanatory but LHOST should be filled in with your IP address (LAN IP if attacking within the network, WAN IP if attacking across the internet), and LPORT should be the port you wish to be connected back on.

Example for Windows:

- msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

According to the CEH Vulnerability Assessment and Incident Response modules, vulnerabilities with high CVSS scores and potential RCE must be treated as active threats.

CEH best practices recommend:

Immediate containment (network isolation)

Investigation and impact analysis

Patch application

Recovery

Option D follows the CEH incident response lifecycle precisely.

Option C is incomplete without containment.

Options A and B are unsafe.

CEH emphasizes containment before remediation.

Objectives of Footprinting Draw Network Map - Combining footprinting techniques with tools such as Tracert allows the attacker to create diagrammatic representations of the target organization’s network presence. Specficially, it allows attackers to draw a map or outline of the target organization’s network infrastructure to know about the actual environment that they are going to break into. These network diagrams can guide the attacker in performing an attack. (P.114/98)

CEH v13 classifies application-layer DoS attacks as the most difficult to detect and mitigate. A distributed SQL injection-based DoS exploits database query processing by overwhelming backend systems with malicious but syntactically valid requests.

Unlike volumetric attacks, this method generates low-bandwidth, high-impact traffic that appears legitimate. Traditional DDoS protections often fail to identify such traffic, especially when it targets authenticated services like online banking.

UDP floods, Smurf attacks, and ICMP-based attacks are well-known and more easily mitigated with rate limiting and filtering. Zero-day exploits cause service disruption but are not primarily DoS techniques.

CEH v13 highlights that application-layer DoS attacks blend seamlessly with normal traffic patterns, making them exceptionally challenging. Thus, option A is correct.

According to CEH v13, one of the most effective defenses against rogue DHCP servers is DHCP snooping, a Layer 2 security feature that classifies switch ports as either trusted or untrusted. DHCP responses are permitted only on trusted ports, typically those connected to legitimate DHCP servers. Any DHCP OFFER or ACK originating from an untrusted port is dropped automatically. In the scenario, the rogue DHCP server is sending unauthorized configuration settings because the switch is forwarding DHCP messages from all ports without restriction. CEH specifically warns that unmanaged or misconfigured switches allow rogue DHCP servers to assign malicious DNS, gateway, or IP configurations, enabling traffic redirection, interception, or man-in-the-middle attacks. ARP inspection (Option B) protects against ARP spoofing but not DHCP abuses. Port security (Option C) prevents MAC flooding, not DHCP impersonation. Static reservations (Option D) do not scale and do not stop rogue DHCP servers. DHCP snooping directly mitigates this threat.

A digital signature mechanism is a cryptographic concept that you should propose to the team to verify the integrity of the data upon retrieval. A digital signature mechanism works as follows:

A digital signature is a mathematical scheme that allows the sender of a message to sign the message with their private key, and allows the receiver of the message to verify the signature with the sender’s public key. A digital signature provides two security services: authentication and non-repudiation. Authentication means that the receiver can confirm the identity of the sender, and non-repudiation means that the sender cannot deny sending the message12.

A digital signature mechanism consists of three algorithms: key generation, signing, and verification. Key generation produces a pair of keys: a private key for the sender and a public key for the receiver. Signing takes the message and the private key as inputs, and outputs a signature. Verification takes the message, the signature, and the public key as inputs, and outputs a boolean value indicating whether the signature is valid or not12.

A digital signature mechanism can be implemented using various cryptographic techniques, such as hash-based signatures, RSA signatures, or elliptic curve signatures. A common method is to use a hash function to compress the message into a fixed-length digest, and then use an asymmetric encryption algorithm to encrypt the digest with the private key. The encrypted digest is the signature, which can be decrypted with the public key and compared with the hash of the message to verify the integrity12.

A digital signature mechanism can ensure the integrity of the data upon retrieval, because:

A digital signature is unique to the message and the sender, and it cannot be forged or altered by anyone else. If the message or the signature is modified in any way, the verification will fail and the receiver will know that the data is corrupted or tampered with12.

A digital signature is independent of the encryption or hashing of the data, and it can be applied to any type of data, regardless of its format or size. The encryption or hashing of the data can provide confidentiality and efficiency, but they cannot provide integrity or authentication by themselves. A digital signature can complement the encryption or hashing of the data by providing an additional layer of security12.

The other options are not as suitable as option B for the following reasons:

A. Implement a block cipher mode of operation: This option is not relevant because it does not address the integrity verification issue, but the encryption issue. A block cipher mode of operation is a method of applying a block cipher, which is a symmetric encryption algorithm that operates on fixed-length blocks of data, to a variable-length message. A block cipher mode of operation can provide different security properties, such as confidentiality, integrity, or authenticity, depending on the mode. However, a block cipher mode of operation cannot provide a digital signature, which is a form of asymmetric encryption that uses a pair of keys3 .

C. Suggest using salt with hashing: This option is not sufficient because it does not provide a digital signature, but only a hash value. Salt is a random value that is added to the input of a hash function, which is a one-way function that maps any data to a fixed-length digest. Salt can enhance the security of hashing by making it harder to perform brute-force attacks or dictionary attacks, which are methods of finding the input that produces a given hash value. However, salt cannot provide a digital signature, which is a two-way function that uses a pair of keys to sign and verify a message .

D. Switch to elliptic curve cryptography: This option is not specific because it does not specify a digital signature mechanism, but only a type of cryptography. Elliptic curve cryptography is a branch of cryptography that uses mathematical curves to generate keys and perform operations. Elliptic curve cryptography can be used to implement various cryptographic techniques, such as encryption, hashing, or digital signatures. However, elliptic curve cryptography is not a digital signature mechanism by itself, but rather a tool that can be used to create one .

According to CEH v13 Cloud Computing, backup integrity and resilience are critical components of cloud security. The 3-2-1 backup model is a widely recommended best practice to mitigate unauthorized access, data corruption, and ransomware-related incidents.

The 3-2-1 rule dictates that organizations should maintain:

3 copies of critical data

Stored on 2 different media types

With 1 copy stored offsite or offline

This approach ensures that even if one backup is compromised, altered, or deleted—as described in the scenario—clean and trusted versions of the data remain available for restoration. CEH v13 emphasizes that offline or immutable backups significantly reduce the impact of malicious modification.

Option A focuses on physical security, which does not protect cloud backups. Option B addresses availability, not integrity. Option C is relevant to web application security, not backup protection.

CEH v13 explicitly highlights backup segregation and redundancy as key countermeasures against cloud data compromise. Therefore, Option D is the most direct and effective mitigation strategy.

In a Windows network, nongovernmental organization (New Technology) local area network Manager (NTLM) could be a suite of Microsoft security protocols supposed to produce authentication, integrity, and confidentiality to users.NTLM is that the successor to the authentication protocol in Microsoft local area network Manager (LANMAN), Associate in Nursing older Microsoft product. The NTLM protocol suite is enforced in an exceedingly Security Support supplier, which mixes the local area network Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in an exceedingly single package. whether or not these protocols area unit used or will be used on a system is ruled by cluster Policy settings, that totally different|completely different} versions of Windows have different default settings. NTLM passwords area unit thought-about weak as a result of they will be brute-forced very simply with fashionable hardware.

NTLM could be a challenge-response authentication protocol that uses 3 messages to authenticate a consumer in an exceedingly affiliation orientating setting (connectionless is similar), and a fourth extra message if integrity is desired.

First, the consumer establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities.

Next, the server responds with CHALLENGE_MESSAGE that is employed to determine the identity of the consumer.

Finally, the consumer responds to the challenge with Associate in Nursing AUTHENTICATE_MESSAGE.

The NTLM protocol uses one or each of 2 hashed word values, each of that are keep on the server (or domain controller), and that through a scarcity of seasoning area unit word equivalent, that means that if you grab the hash price from the server, you’ll evidence while not knowing the particular word. the 2 area unit the lm Hash (a DES-based operate applied to the primary fourteen chars of the word born-again to the standard eight bit laptop charset for the language), and also the nt Hash (MD4 of the insufficient endian UTF-16 Unicode password). each hash values area unit sixteen bytes (128 bits) every.

The NTLM protocol additionally uses one among 2 a method functions, looking on the NTLM version. National Trust LanMan and NTLM version one use the DES primarily based LanMan a method operate (LMOWF), whereas National TrustLMv2 uses the NT MD4 primarily based a method operate (NTOWF).

SHA-256 is a cryptographic hash function, and CEH v13 clearly states that hash functions alone provide data integrity, but not authenticity or non-repudiation. If attackers can modify data and recompute the hash, integrity checks will still pass.

The issue arises because SHA-256 does not prove who created or modified the data. To address this weakness, CEH v13 recommends using digital signatures, which combine hashing with asymmetric cryptography. A digital signature ensures:

Integrity (data has not changed)

Authentication (data was signed by a known entity)

Non-repudiation (the signer cannot deny the action)

Digital signatures work by hashing the data and encrypting the hash with the sender’s private key. Any modification to the data invalidates the signature.

Encryption alone (Options A and C) protects confidentiality, not integrity or authenticity. SSL/TLS (Option B) secures data in transit but does not protect stored data from tampering.

CEH v13 explicitly identifies digital signatures as the correct cryptographic control when integrity mechanisms alone are insufficient. Therefore, Option D is correct.

Sniffing attacks are a type of network attack that involves intercepting and analyzing data packets as they travel over a network. Sniffing attacks can be used to steal sensitive information, such as usernames, passwords, credit card numbers, etc. Sniffing attacks can also be used to perform reconnaissance, spoofing, or man-in-the-middle attacks.

The IT department of the company has implemented some security measures to prevent or mitigate sniffing attacks, such as:

Adding the MAC address of the gateway to the ARP cache: This prevents ARP spoofing, which is a technique that allows an attacker to redirect network traffic to their own device by sending fake ARP messages that associate their MAC address with the IP address of the gateway.

Switching to IPv6 instead of IPv4: This reduces the risk of IP spoofing, which is a technique that allows an attacker to send packets with a forged source IP address, pretending to be another device on the network.

Using encrypted sessions such as SSH instead of Telnet, and Secure File Transfer Protocol instead of FTP: This protects the data from being read or modified by an attacker who can capture the packets, as the data is encrypted and authenticated using cryptographic protocols.

However, these measures are not enough to completely eliminate the threat of sniffing, as an attacker can still use other techniques, such as:

Passive sniffing: This involves monitoring the network traffic without injecting any packets or altering the data. Passive sniffing can be done on a shared network, such as a hub, or on a switched network, using techniques such as MAC flooding, port mirroring, or VLAN hopping.

Active sniffing: This involves injecting packets or modifying the data to manipulate the network behavior or gain access to more traffic. Active sniffing can be done using techniques such as DHCP spoofing, DNS poisoning, ICMP redirection, or TCP session hijacking.

Therefore, the next step to enhance network security is to implement network scanning and monitoring tools, which can help detect and prevent sniffing attacks by:

Scanning the network for unauthorized devices, such as rogue access points, hubs, or sniffers, and removing them or isolating them from the network.

Monitoring the network for abnormal traffic patterns, such as excessive ARP requests, DNS queries, ICMP messages, or TCP connections, and alerting the network administrators or blocking the suspicious sources.

Analyzing the network traffic for malicious content, such as malware, phishing, or exfiltration, and filtering or quarantining the infected or compromised devices.

snmp-check (snmp_enum Module) is the best tool to help the ethical hacker to get the information without directly modifying any parameters within the SNMP agent’s MIB. snmp-check is a tool that allows the user to enumerate SNMP devices and extract information from them. It can gather a wide array of information about the target, such as system information, network interfaces, routing tables, ARP cache, installed software, running processes, TCP and UDP services, user accounts, and more. snmp-check can also perform brute force attacks to discover the SNMP community strings, which are the passwords used to access the SNMP agent. snmp-check is available as a standalone tool or as a module (snmp_enum) within the Metasploit framework.

The other options are not as effective or suitable as snmp-check for the ethical hacker’s task. Nmap is a network scanning and enumeration tool that can perform various types of scans and probes on the target. It can also run scripts to perform specific tasks, such as retrieving SNMP information. However, Nmap may not be able to gather as much information as snmp-check, and it may also trigger alerts or blocks from firewalls or intrusion detection systems. Oputils is a network monitoring and management toolset that can perform various functions, such as device discovery, configuration backup, bandwidth monitoring, IP address management, and more. However, Oputils is mainly designed for device management and not SNMP enumeration, and it may not be able to extract valuable network information from the SNMP agent. SnmpWalk is a tool that allows the user to retrieve the entire MIB tree of an SNMP agent by using SNMP GETNEXT requests. However, SnmpWalk is not suitable for the ethical hacker’s task, because it requires the user to change an OID (object identifier) to a different value, which may modify the parameters within the SNMP agent’s MIB and affect its functionality or security. References:

snmp-check - The SNMP enumerator

SNMP Enumeration | Ethical Hacking - GreyCampus

SNMP Enumeration - GeeksforGeeks

Nmap - the Network Mapper - Free Security Scanner

OpUtils - Network Monitoring & Management Toolset

SnmpWalk - SNMP MIB Browser

According to the CEH Sniffing and Network Protocol Attacks module, covert channels represent one of the most sophisticated and difficult-to-detect data interception techniques. These channels hide malicious communication within legitimate protocol behavior, making them extremely challenging for traditional IDS/IPS and packet inspection tools to identify.

Industrial and legacy protocols such as Modbus, widely used in OT and legacy enterprise environments, lack encryption and authentication by design. CEH documentation highlights that attackers can manipulate unused or poorly validated Modbus fields to covertly transmit or intercept data while appearing as normal control traffic.

Option D is correct because covert channels over trusted legacy protocols blend seamlessly with legitimate traffic and bypass many security controls.

Option A is not a sniffing technique but a data-hiding method.

Option B describes exploitation, not sniffing.

Option C is a theoretical evasion method but is more detectable through reassembly.

CEH emphasizes covert channels as one of the most formidable sniffing challenges.

This refers to the CVSS (Common Vulnerability Scoring System), which CEH v13 identifies as the industry standard for vulnerability prioritization. A score of 9.8 indicates critical severity, combining metrics such as exploitability, impact, privileges required, and scope.

CVSS helps organizations prioritize remediation objectively, focusing resources on vulnerabilities with the highest business risk. It also allows consistent communication between technical and management teams.

Options B, C, and D misrepresent CVSS functionality. Therefore, Option A is correct.

In CEH v13 Module 14: Cryptography, IPSec (Internet Protocol Security) is defined as a framework used to establish secure communication channels over IP networks, particularly in VPNs.

IPSec supports encryption, authentication, and integrity.

Operates in Tunnel Mode (VPNs) or Transport Mode (End-to-End).

Core protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).

Option Analysis:

A. PEM: Privacy Enhanced Mail (email encryption).

B. PPP: Point-to-Point Protocol (data link layer, not encryption).

C. IPSEC: VPN encryption protocol.

D. SET: Secure Electronic Transaction (used in payment systems, obsolete).

CEH v13 explains that when traditional enumeration techniques—such as SMB null sessions—are disabled, attackers often pivot to misconfigured LDAP services that still allow anonymous binding. LDAP anonymous bind, when not properly restricted, exposes directory information such as usernames, organizational units, group memberships, and other metadata. This aligns directly with the scenario, where the tester must avoid triggering alarms while still gathering internal data. LDAP queries generate minimal noise, often blending with normal authentication-related traffic, making them ideal for covert enumeration. Options A and C would require authentication or violate access restrictions, and DNS zone transfers (Option D) rarely succeed because modern DNS servers disable AXFR requests from unauthorized clients. CEH repeatedly stresses the importance of detecting and securing LDAP anonymous bind due to its potential for silent information leakage—making Option B the correct choice.

A DHCP starvation assault is a pernicious computerized assault that objectives DHCP workers. During a DHCP assault, an unfriendly entertainer floods a DHCP worker with false DISCOVER bundles until the DHCP worker debilitates its stock of IP addresses. When that occurs, the aggressor can deny genuine organization clients administration, or even stock an other DHCP association that prompts a Man-in-the-Middle (MITM) assault.

In a DHCP Starvation assault, a threatening entertainer sends a huge load of false DISCOVER parcels until the DHCP worker thinks they’ve used their accessible pool. Customers searching for IP tends to find that there are no IP addresses for them, and they’re refused assistance. Furthermore, they may search for an alternate DHCP worker, one which the unfriendly entertainer may give. What’s more, utilizing a threatening or sham IP address, that unfriendly entertainer would now be able to peruse all the traffic that customer sends and gets.

In an unfriendly climate, where we have a malevolent machine running some sort of an instrument like Yersinia, there could be a machine that sends DHCP DISCOVER bundles. This malevolent customer doesn’t send a modest bunch – it sends a great many vindictive DISCOVER bundles utilizing sham, made-up MAC addresses as the source MAC address for each solicitation.

In the event that the DHCP worker reacts to every one of these false DHCP DISCOVER parcels, the whole IP address pool could be exhausted, and that DHCP worker could trust it has no more IP delivers to bring to the table to legitimate DHCP demands.

When a DHCP worker has no more IP delivers to bring to the table, ordinarily the following thing to happen would be for the aggressor to get their own DHCP worker. This maverick DHCP worker at that point starts giving out IP addresses.

The advantage of that to the assailant is that if a false DHCP worker is distributing IP addresses, including default DNS and door data, customers who utilize those IP delivers and begin to utilize that default passage would now be able to be directed through the aggressor’s machine. That is all that an unfriendly entertainer requires to play out a man-in-the-center (MITM) assault.

A covert channel is a communication method used to transfer information in a way that violates security policy, often by repurposing legitimate protocols or functions for unauthorized communication.

From CEH v13 Official Courseware:

Module 6: Malware Threats

Topic: Covert Communication and Data Exfiltration Techniques

CEH v13 Study Guide states:

“A covert channel exploits unintended uses of legitimate communication protocols. It allows data to be transmitted without detection by hiding the communication inside seemingly benign traffic.”

Incorrect Options:

A: A non-standard port may aid in hiding services, but doesn’t constitute a covert channel.

C: Multiplexing is a normal communication mechanism.

D: WEP is insecure, but this isn’t related to covert channels.

CEH describes SQL injection testing as a core part of web application assessment. One of the first and safest validation techniques is using a tautology-based SQL injection payload, such as ' OR '1'='1. If the application concatenates user input directly into SQL queries, such an input will cause the query to always evaluate as true, often returning additional records such as multiple user profiles. This confirms the presence of SQL injection without causing destructive effects like dropping tables. Testing XSS does not validate SQL injection, brute-forcing credentials is unrelated, and directory traversal attacks target file path manipulation rather than backend queries. CEH emphasizes avoiding destructive queries and starting with non-intrusive injection payloads that reveal improper input sanitization, making ' OR '1'='1 the correct technique for confirming SQL injection vulnerabilities in URL parameters.

The scenario describes a cryptographic attack where the attacker (in this case, the student) uses a predefined list of commonly used passwords to try and unlock a secured PDF document. This technique is known as a Dictionary Attack.

According to the CEH v13 Official Courseware:

A Dictionary Attack is defined as “a method of breaking passwords by trying out a predefined list of words (dictionary) commonly used as passwords.”

Unlike a brute-force attack, which tries every possible character combination, a dictionary attack relies on known or likely password choices, which makes it faster but less exhaustive.

Dictionary attacks are commonly used against encrypted or password-protected files, login forms, and even hashes.

Relevant distinctions from other options:

A. Man-in-the-middle attack involves intercepting communication between two parties and is unrelated to offline password cracking.

B. Brute-force attack tries all possible character combinations, not just a list of known or common passwords.

D. Session hijacking involves taking over a user session and is unrelated to document password cracking.

Reference – CEH v13 Official Study Materials:

Module 20: Cryptography

Section: "Cryptanalysis Techniques"

Subsection: "Dictionary Attack vs. Brute-force Attack"

CEH v13 eBook or Study Guide — look for Table: “Types of Password Attacks” under “Cryptography Attack Vectors”

This exact technique is illustrated in CEH v13 labs involving John the Ripper, Hydra, and password recovery tools.

A honeypot may be a trap that an IT pro lays for a malicious hacker, hoping that they will interact with it during a way that gives useful intelligence. It’s one among the oldest security measures in IT, but beware: luring hackers onto your network, even on an isolated system, are often a dangerous game.

honeypot may be a good starting place: “A honeypot may be a computer or computing system intended to mimic likely targets of cyberattacks.” Often a honeypot are going to be deliberately configured with known vulnerabilities in situation to form a more tempting or obvious target for attackers. A honeypot won’t contain production data or participate in legitimate traffic on your network — that’s how you’ll tell anything happening within it’s a results of an attack. If someone’s stopping by, they’re up to no good.

That definition covers a various array of systems, from bare-bones virtual machines that only offer a couple of vulnerable systems to ornately constructed fake networks spanning multiple servers. and therefore the goals of these who build honeypots can vary widely also , starting from defense thorough to academic research. additionally , there’s now an entire marketing category of deception technology that, while not meeting the strict definition of a honeypot, is certainly within the same family. But we’ll get thereto during a moment.

honeypots aim to permit close analysis of how hackers do their dirty work. The team controlling the honeypot can watch the techniques hackers use to infiltrate systems, escalate privileges, and otherwise run amok through target networks. These sorts of honeypots are found out by security companies, academics, and government agencies looking to look at the threat landscape. Their creators could also be curious about learning what kind of attacks are out there, getting details on how specific sorts of attacks work, or maybe trying to lure a specific hackers within the hopes of tracing the attack back to its source. These systems are often inbuilt fully isolated lab environments, which ensures that any breaches don’t end in non-honeypot machines falling prey to attacks.

Production honeypots, on the opposite hand, are usually deployed in proximity to some organization’s production infrastructure, though measures are taken to isolate it the maximum amount as possible. These honeypots often serve both as bait to distract hackers who could also be trying to interrupt into that organization’s network, keeping them faraway from valuable data or services; they will also function a canary within the coalpit , indicating that attacks are underway and are a minimum of partially succeeding.

Operational Threat Intelligence provides insights into specific attacker methodologies, motivations, and campaigns. It involves gathering contextual information from real-world attacks, open-source intelligence (OSINT), social media, dark web forums, chat rooms, and human intelligence (HUMINT).

As per CEH v13 Official Courseware:

Operational intelligence is primarily used by security teams to anticipate specific incoming attacks.

It helps provide actionable information such as:

Who is attacking?

Why are they attacking?

What methods are they using?

What infrastructure is involved?

Incorrect Options:

A. Strategic Threat Intelligence is high-level, focusing on long-term trends and business risks.

B. Tactical Threat Intelligence is focused on TTPs (Tactics, Techniques, and Procedures) of known threats, primarily for defenders and analysts.

D. Technical Threat Intelligence includes IoCs like IPs, hashes, and URLs, often short-lived and used for detection systems.

Reference – CEH v13 Official Courseware:

Module 01: Introduction to Ethical Hacking

Section: "Types of Threat Intelligence"

Table: “Strategic vs Tactical vs Operational vs Technical Intelligence”

=

JXplorer could be a cross platform LDAP browser and editor. it’s a standards compliant general purpose LDAP client which will be used to search, scan and edit any commonplace LDAP directory, or any directory service with an LDAP or DSML interface.

It is extremely flexible and can be extended and custom in a very number of the way. JXplorer is written in java, and also the source code and source code build system ar obtainable via svn or as a packaged build for users who wish to experiment or any develop the program.

JX is is available in 2 versions; the free open source version under an OSI Apache two style licence, or within the JXWorkBench Enterprise bundle with inbuilt reporting, administrative and security tools.

JX has been through a number of different versions since its creation in 1999; the foremost recent stable release is version 3.3.1, the August 2013 release.

JXplorer could be a absolutely useful LDAP consumer with advanced security integration and support for the harder and obscure elements of the LDAP protocol. it’s been tested on Windows, Solaris, linux and OSX, packages are obtainable for HPUX, AIX, BSD and it should run on any java supporting OS.

A cloud carrier acts as an intermediary that provides connectivity and transport of cloud services between cloud consumers and cloud providers.

Cloud carriers provide access to consumers through network, telecommunication and other access devices. for instance, cloud consumers will obtain cloud services through network access devices, like computers, laptops, mobile phones, mobile web devices (MIDs), etc.

The distribution of cloud services is often provided by network and telecommunication carriers or a transport agent, wherever a transport agent refers to a business organization that provides physical transport of storage media like high-capacity hard drives.

Note that a cloud provider can started SLAs with a cloud carrier to provide services consistent with the level of SLAs offered to cloud consumers, and will require the cloud carrier to provide dedicated and secure connections between cloud consumers and cloud providers.

A hybrid attack combines a dictionary and brute-force approach. Given that:

Passwords are required to be complex

Users still often choose predictable variations (e.g., Password123!, Welcome@2024)

A hybrid attack is best suited because it applies common mutations to known words—much faster than full brute force and more effective than a plain dictionary attack.

From CEH v13 Courseware:

Module 6: Password Cracking → Attack Techniques

CEH v13 Study Guide states:

“Hybrid attacks combine the speed of dictionary attacks with some of the thoroughness of brute-force. It’s ideal when users use complex but predictable passwords.”

Incorrect Options:

A: Online attacks are slow and may trigger account lockouts.

B: Plain dictionary attacks won’t cover variations like “P@ssw0rd!”

C: Brute-force would be too slow for complex passwords.

In active session hijacking, after identifying a valid session, the attacker must desynchronize the legitimate communication between the client and the server. To do this, Bob should:

Knock one of the parties offline (typically the client).

Then spoof the session by injecting crafted packets using the guessed sequence number.

From CEH v13 Courseware:

Module 11: Session Hijacking

CEH v13 Study Guide states:

“After identifying a session and predicting its sequence number, the attacker forces the original user offline, allowing them to assume control over the connection using spoofed packets.”

Incorrect Options:

A: Taking over the session is the ultimate goal, but the necessary step before that is disconnecting the original participant.

B: Sequence prediction is already done.

C: Sequence number has already been guessed.

Ettercap is a comprehensive MITM attack tool that supports live traffic interception and content injection. It can modify HTTP streams in real time and inject malicious payloads, such as JavaScript or applets, into web traffic.

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Quote:

“Ettercap allows attackers to intercept, analyze, and alter data on the fly, including injecting malicious content like Java applets in HTTP sessions during MITM attacks.”

Incorrect Options Explained:

A & D. Wireshark and Tcpdump are passive sniffers with no injection capability.

C. Aircrack-ng is for Wi-Fi key cracking, not traffic manipulation.

=

In CEH v13 Module 11: Hacking Wireless Networks, Kismet is introduced as a passive wireless sniffer and network detector used primarily on Linux systems.

Kismet passively listens for wireless beacons and data frames.

Can detect hidden SSIDs, rogue APs, and even wireless client behaviors.

Does not transmit any packets, making it stealthy and ideal for wireless reconnaissance.

Option Analysis:

A. Burp Suite: Used for web application testing, not wireless.

B. OpenVAS: Vulnerability scanner, not a packet sniffer.

C. tshark: CLI version of Wireshark, can analyze wired and wireless packets, but not wireless-specific or passive by default.

D. Kismet: Correct wireless packet analyzer for Linux.

CHNTPW (Change NT Password) is a Linux-based utility that allows attackers or administrators to:

Reset Windows user account passwords

Unlock disabled or locked user accounts

Remove password protection without knowing the original password

It works by editing the Windows SAM (Security Account Manager) file located in the Windows system directory.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Quote:

“CHNTPW is a tool that can reset or change passwords on Windows systems by directly editing the SAM database. It is commonly run from a Linux LiveCD.”

Incorrect Options:

A. John the Ripper is for cracking passwords, not resetting them directly.

B. SET (Social Engineering Toolkit) is for phishing and payloads, not password resets.

D. Cain & Abel is a password recovery tool for Windows but runs on Windows, not Linux.

=

Source: https://www.flowmon.com

Flowmon empowers manufacturers and utility companies to ensure the reliability of

their industrial networks confidently to avoid downtime and disruption of service

continuity. This can be achieved by continuous monitoring and anomaly detection so

that malfunctioning devices or security incidents, such as cyber espionage, zero-days, or

malware, can be reported and remedied as quickly as possible.

CEH v13 follows the Incident Response Lifecycle, which prioritizes identification and analysis before containment, unless there is immediate risk of catastrophic damage. In this scenario, the attacker has escalated privileges, but the organization still needs to understand what actions are being taken, what systems are affected, and whether lateral movement is occurring.

Option C aligns with CEH v13 best practices. Real-time monitoring and documentation allow analysts to:

Identify attacker techniques and tools

Preserve volatile evidence

Understand scope and impact

Implement targeted containment

Immediately powering down the server (Option B) may destroy volatile forensic evidence and disrupt services unnecessarily. Engaging forensic teams (Option A) is important but premature without initial analysis. Running vulnerability scans (Option D) does not address the active threat.

CEH v13 stresses that informed containment is more effective than reactive shutdowns. Therefore, Option C is correct.

https://en.wikipedia.org/wiki/Private_network

In IP networking, a private network is a computer network that uses private IP address space. Both the IPv4 and the IPv6 specifications define private IP address ranges. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments.

Private network addresses are not allocated to any specific organization. Anyone may use these addresses without approval from regional or local Internet registries. Private IP address spaces were originally defined to assist in delaying IPv4 address exhaustion. IP packets originating from or addressed to a private IP address cannot be routed through the public Internet.

The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to reserve the following IPv4 address ranges for private networks:

· 10.0.0.0 – 10.255.255.255

· 172.16.0.0 – 172.31.255.255

· 192.168.0.0 – 192.168.255.255

Backbone routers do not allow packets from or to internal IP addresses. That is, intranet machines, if no measures are taken, are isolated from the Internet. However, several technologies allow such machines to connect to the Internet.

· Mediation servers like IRC, Usenet, SMTP and Proxy server

· Network address translation (NAT)

· Tunneling protocol

NOTE: So, the problem is just one of these technologies.

Split DNS (also known as Split-Horizon DNS) is a configuration where internal users and external users receive different DNS responses. Typically, one DNS server resides in the DMZ for public access, and another is inside the network for internal name resolution.

???? Reference – CEH v13 Official Study Guide, Module 9: System Hacking / Perimeter Security

“Split DNS allows different DNS records to be presented based on whether the requester is from inside or outside the organization’s network.”

❌ Incorrect options:

A. DynDNS is a dynamic DNS provider.

B. DNS Scheme is a non-standard term.

C. DNSSEC is a security extension for DNS, not a deployment model.

Comprehensive and Detailed Explanation:

Non-repudiation ensures that a sender cannot deny having sent a message. This is typically achieved through digital signatures or logs which verify the origin and integrity of communications.

From CEH v13 Courseware:

Module 10: Cryptography → Security Services

“Non-repudiation prevents entities from denying their actions, such as sending emails or digital transactions.”

Side-channel attacks, as explained in CEH v13 OT and SCADA Security, extract sensitive information by observing physical characteristics of a system rather than exploiting software flaws directly. These characteristics may include power consumption, electromagnetic emissions, timing variations, or thermal output.

In SCADA environments, side-channel attacks are especially dangerous because they bypass traditional network defenses. The most reliable way to confirm such an attack is by analyzing hardware-level anomalies—such as unexpected power usage spikes or irregular signal emissions during normal device operations.

Option B directly aligns with CEH v13 guidance.

Options A, C, and D focus on software, cryptography, or network behavior, which are not primary indicators of side-channel exploitation.

Therefore, Option B is correct.

In CEH v13 Module 06: Malware Threats, the Cyber Kill Chain is broken down into its seven stages:

Reconnaissance

Weaponization

Delivery

Exploitation

Installation

Command & Control

Actions on Objectives

Step 3 – Delivery:

Refers to the transmission of the malicious payload to the victim.

Can occur through email, web downloads, USB drives, etc.

Correct Example:

A. “An intruder sends a malicious attachment via email to a target” — This is delivery.

Other Options:

B. Weaponization

C. Exploitation

D. Installation

Comprehensive and Detailed Explanation:

Fake antivirus (also known as scareware) tricks users into downloading malware disguised as legitimate antivirus software.

The best approach:

Google the product name and URL.

Check reputable forums, antivirus vendors, or security advisories.

Look for phishing warnings or reports of malware.

From CEH v13 Courseware:

Module 7: Social Engineering and Phishing Scams

Module 6: Malware Threats → Rogue Software

According to CEH v13 Network Scanning and Enumeration, ICMP Echo Requests (ping) are commonly filtered by firewalls and intrusion prevention systems to reduce network reconnaissance exposure. When ICMP Echo Replies are not returned but other services remain operational, the most likely explanation is ICMP filtering rather than host unavailability or compromise.

CEH v13 explicitly states that many organizations configure firewalls to block ICMP Echo Requests while allowing other ICMP types or higher-layer protocols. This practice helps prevent attackers from easily mapping live hosts during the reconnaissance phase.

The other options are incorrect because:

Unused IPs would not necessarily have active services.

A breach would typically present additional symptoms.

Network congestion would affect multiple protocols, not just ICMP.

Thus, blocked ICMP is the correct interpretation.

According to CEH v13 Module 04: Enumeration and Module 08: Sniffing, packet sniffers such as Wireshark, tcpdump, and EtherApe are designed to capture and analyze network traffic at the data link (Layer 2) and network (Layer 3) layers of the OSI model.

At Layer 2 (Data Link), sniffers capture Ethernet frames, including MAC addresses and frame type.

At Layer 3 (Network), sniffers interpret IP headers, IP addresses, and transport layer protocols (TCP, UDP).

They do not operate at Layer 1 (Physical) as they do not deal with raw electrical signals.

Packet sniffers also do not manipulate traffic but passively monitor and capture packets that traverse the network.

Therefore, the correct statement is:

Packet Sniffers operate on both Layer 2 & Layer 3 of the OSI model.

Option Analysis:

A. Layer 1: ❌ Incorrect. Layer 1 is the physical layer (electrical, optical signals).

B. Layer 2: ❌ Partially correct but incomplete.

C. Both Layer 2 & Layer 3: Correct. Full coverage of packet sniffing capabilities.

D. Layer 3: ❌ Partially correct but incomplete.

Reference from CEH v13 Courseware:

Module 08 – Sniffing, Section: How Packet Sniffers Work

CEH iLabs: Capturing Ethernet Frames and IP Packets Using Wireshark

OSI Model Mapping in CEH Official eBook

Implementing regular firmware updates for all IoT devices is the primary recommendation to prevent DDoS attacks on the smart city project. Firmware updates can fix security vulnerabilities, patch bugs, and improve performance of the IoT devices, making them less susceptible to malware infections and botnet recruitment12. Firmware updates can also enable new security features, such as encryption, authentication, and firewall, that can protect the IoT devices from unauthorized access and data theft3. Firmware updates should be done automatically or remotely, without requiring user intervention, to ensure timely and consistent security across the IoT network4.

The other options are not as effective or feasible as firmware updates for the following reasons:

B. Deploying network intrusion detection systems (IDS) across the IoT network can help detect and alert DDoS attacks, but not prevent them. IDS can monitor network traffic and identify malicious patterns, such as high volume, spoofed IP addresses, or unusual protocols, that indicate a DDoS attack5. However, IDS cannot block or mitigate the attack, and may even be overwhelmed by the flood of traffic, resulting in false positives or missed alerts. Moreover, deploying IDS across a vast network of IoT devices can be costly, complex, and resource-intensive, as it requires dedicated hardware, software, and personnel.

C. Establishing strong, unique passwords for each IoT device can prevent unauthorized access and brute-force attacks, but not DDoS attacks. Passwords can protect the IoT devices from being compromised by hackers who try to guess or crack the default or weak credentials. However, passwords cannot prevent DDoS attacks that exploit known or unknown vulnerabilities in the IoT devices, such as buffer overflows, command injections, or protocol flaws. Moreover, establishing and managing strong, unique passwords for each IoT device can be challenging and impractical, as it requires user awareness, memory, and effort.

D. Implementing IP address whitelisting for all IoT devices can restrict network access and communication to trusted sources, but not DDoS attacks. IP address whitelisting can filter out unwanted or malicious traffic by allowing only the predefined IP addresses to connect to the IoT devices. However, IP address whitelisting cannot prevent DDoS attacks that use spoofed or legitimate IP addresses, such as reflection or amplification attacks, that bypass the whitelisting rules. Moreover, implementing IP address whitelisting for all IoT devices can be difficult and risky, as it requires constant updating, testing, and monitoring of the whitelist, and may block legitimate or emergency traffic by mistake.

In CEH v13 Module 06: Malware Threats, stealth viruses are covered as advanced malware that can evade detection by:

Intercepting system calls related to file access.

Masking their presence in files, memory, or on disk.

Restoring original code temporarily to fool signature-based scanners.

These capabilities allow stealth viruses to:

Avoid detection by antivirus scanners.

Operate undisturbed until triggered.

Option Clarification:

A. Cavity virus: Hides in unused file space but doesn't evade as effectively.

C. File-extension virus: Exploits deceptive file names but is often detected.

D. Macro virus: Targets office documents, not highly evasive.

Correct answer is B. Stealth virus.

Webhooks are one of a few ways internet applications will communicate with one another.

It allows you to send real-time data from one application to another whenever a given event happens.

For example, let’s say you’ve created an application using the Foursquare API that tracks when people check into your restaurant. You ideally wish to be able to greet customers by name and provide a complimentary drink when they check in.

What a webhook will is notify you any time someone checks in, therefore you’d be able to run any processes that you simply had in your application once this event is triggered.

The data is then sent over the web from the application wherever the event originally occurred, to the receiving application that handles the data.

Here’s a visual representation of what that looks like:

A webhook url is provided by the receiving application, and acts as a phone number that the other application will call once an event happens.

Only it’s more complicated than a phone number, because data about the event is shipped to the webhook url in either JSON or XML format. this is known as the “payload.”

Here’s an example of what a webhook url looks like with the payload it’s carrying:

What are Webhooks? Webhooks are user-defined HTTP callback or push APIs that are raised based on events triggered, such as comment received on a post and pushing code to the registry. A webhook allows an application to update other applications with the latest information. Once invoked, it supplies data to the other applications, which means that users instantly receive real-time information. Webhooks are sometimes called “Reverse APIs” as they provide what is required for API specification, and the developer should create an API to use a webhook. A webhook is an API concept that is also used to send text messages and notifications to mobile numbers or email addresses from an application when a specific event is triggered. For instance, if you search for something in the online store and the required item is out of stock, you click on the “Notify me” bar to get an alert from the application when that item is available for purchase. These notifications from the applications are usually sent through webhooks.

To ensure both confidentiality and non-repudiation for secure email communication, you need to use a combination of symmetric and asymmetric cryptography. Symmetric encryption is a method of encrypting and decrypting data using the same secret key, which is faster and more efficient than asymmetric encryption. Asymmetric encryption is a method of encrypting and decrypting data using a pair of keys: a public key and a private key, which are mathematically related but not identical. Asymmetric encryption can provide authentication, integrity, and non-repudiation, as well as key distribution.

The cryptographic technique that would best serve the purpose is to apply asymmetric encryption with RSA and use the private key for signing. RSA is a widely used algorithm for asymmetric encryption, which is based on the difficulty of factoring large numbers. RSA can be used to encrypt data, as well as to generate digital signatures, which are a way of proving the identity and authenticity of the sender and the integrity of the message.

The steps to implement this technique are as follows1:

Generate a pair of keys for each user: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret and protected by the user.

When a user wants to send an email to another user, they first encrypt the email content with a symmetric key, such as AES, which is a strong and efficient algorithm for symmetric encryption. The symmetric key is then encrypted with the recipient’s public key, using RSA. The encrypted email and the encrypted symmetric key are then sent to the recipient.

The sender also generates a digital signature for the email, using their private key and a hash function, such as SHA-256, which is a secure and widely used algorithm for generating hashes. A hash function is a mathematical function that takes any input and produces a fixed-length output, called a hash or a digest, that uniquely represents the input. A digital signature is a hash of the email that is encrypted with the sender’s private key, using RSA. The digital signature is then attached to the email and sent to the recipient.

When the recipient receives the email, they first decrypt the symmetric key with their private key, using RSA. They then use the symmetric key to decrypt the email content, using AES. They also verify the digital signature by decrypting it with the sender’s public key, using RSA, and comparing the resulting hash with the hash of the email, using the same hash function. If the hashes match, it means that the email is authentic and has not been tampered with.

Using this technique, the email communication is secure because:

The confidentiality of the email content is ensured by the symmetric encryption with AES, which is hard to break without knowing the symmetric key.

The symmetric key is also protected by the asymmetric encryption with RSA, which is hard to break without knowing the recipient’s private key.

The non-repudiation of the email is ensured by the digital signature with RSA, which is hard to forge without knowing the sender’s private key.

The digital signature also provides authentication and integrity of the email, as it proves that the email was sent by the sender and has not been altered in transit.

IoT devices often suffer from weak or missing encryption protocols, creating opportunities for attackers to intercept sensitive information. CEH courseware highlights that when device-to-app communication occurs in plaintext, a man-in-the-middle attack becomes one of the most effective exploitation methods. By positioning themselves between the device and the mobile application, the attacker can observe all transmitted data, including configuration updates, authentication tokens, and personal information. Tools such as Wireshark, mitmproxy, and specialized IoT interception frameworks allow testers to capture packets, decode protocols, and reconstruct application logic. The CEH curriculum stresses the importance of evaluating IoT device communication channels, because many rely on unsecured HTTP or proprietary plaintext protocols. Brute-force attempts, SQL injection, or dictionary attacks do not directly target the device–app communication pathway and would not exploit the fundamental weakness present here: lack of encryption. A MitM attack directly takes advantage of this flaw and provides comprehensive visibility into all transmitted data, making it the most effective and CEH-aligned method of exploitation.

Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps:

1. Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques.

2. Performing service and OS discovery on them: After detecting the live hosts in the target network, the next step is to enumerate the open ports and services and the operating system on the target systems.

3. Testing those services and OS for known vulnerabilities: Finally, after identifying the open services and the operating system running on the target nodes, they are tested for known vulnerabilities.