312-50v13 Certified Ethical Hacker Exam (CEHv13) Questions and Answers

Comprehensive and Detailed Explanation:

Non-repudiation ensures that a sender cannot deny having sent a message. This is typically achieved through digital signatures or logs which verify the origin and integrity of communications.

From CEH v13 Courseware:

Module 10: Cryptography → Security Services

“Non-repudiation prevents entities from denying their actions, such as sending emails or digital transactions.”

A Slow HTTP POST attack is a type of denial-of-service (DoS) attack that exploits the way web servers handle HTTP requests. The attacker sends a legitimate HTTP POST header to the web server, specifying a large amount of data to be sent in the request body. However, the attacker then sends the data very slowly, keeping the connection open and occupying the server’s resources. The attacker can launch multiple such connections, exceeding the server’s capacity to handle concurrent requests and preventing legitimate users from accessing the web server.

The attack duration D is given by the formula D = a * b, where a is the number of connections and b is the hold-up time per connection. The attacker intends to maximize D by manipulating a and b. The server can manage m connections per second, but any connections exceeding m will overwhelm the system. Therefore, the scenario that is most likely to result in the longest duration of server unavailability is the one where a > m and b is the largest. Among the four options, this is the case for option B, where a = 100, m = 90, and b = 15. In this scenario, D = 100 * 15 = 1500 seconds, which is the longest among the four options. Option A has a larger b, but a < m, so the server can handle the connections without being overwhelmed. Option C has a > m, but a smaller b, so the attack duration is shorter. Option D has a > m, but a smaller b and a smaller difference between a and m, so the attack duration is also shorter. 

User-directed spidering is a technique that allows the hacker to manually browse the target website and use a proxy or spider tool to capture and analyze the traffic. This way, the hacker can discover hidden or dynamic content that standard web spiders may miss due to a specific file in the root directory, such as robots.txt, that instructs them not to crawl certain pages or directories. User-directed spidering can also help the hacker to bypass authentication or authorization mechanisms, as well as identify vulnerabilities or sensitive information in the target website. User-directed spidering can be performed with tools like Burp Suite and WebScarab, which are web application security testing tools that can intercept, modify, and replay HTTP requests and responses, as well as perform various attacks and scans on the target website.

The other options are not likely to achieve the same results as user-directed spidering. Using Photon to retrieve archived URLs of the target website from archive.org may provide some historical information about the website, but it may not reflect the current state or content of the website. Using the Netcraft tool to gather website information may provide some general information about the website, such as its IP address, domain name, server software, or hosting provider, but it may not reveal the specific files or web pages on the website. Examining HTML source code and cookies may provide some clues about the website’s structure, functionality, or user preferences, but it may not expose the hidden or dynamic content that user-directed spidering can discover. References:

User Directed Spidering with Burp

Web Spidering - What Are Web Crawlers & How to Control Them

Web Security: Recon

Mapping the Application for Penetrating Web Applications — 1

YARA rules are a powerful way to detect and classify malware based on patterns, signatures, and behaviors. They can be used to complement Snort rules, which are mainly focused on network traffic analysis. However, writing YARA rules manually can be time-consuming and error-prone, especially when dealing with large and diverse malware samples. Therefore, using a tool that can automate or assist the generation of YARA rules can be very helpful for ethical hackers.

Among the four options, yarGen is the best choice for this purpose, because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files. This way, yarGen can reduce the false positives and increase the accuracy of the YARA rules. yarGen also supports various features, such as whitelisting, scoring, wildcards, and regular expressions, to improve the quality and efficiency of the YARA rules.

The other options are not as suitable as yarGen for this purpose. AutoYara is a tool that automates the generation of YARA rules from a set of malicious and benign files, but it does not perform any filtering or optimization of the strings, which may result in noisy and ineffective YARA rules. YaraRET is a tool that helps in reverse engineering Trojans to generate YARA rules, but it is limited to a specific type of malware and requires manual intervention and analysis. koodous is a platform that combines social networking with antivirus signatures and YARA rules to detect malware, but it is not a tool for generating YARA rules, rather it is a tool for sharing and collaborating on YARA rules. References:

yarGen - A Tool to Generate YARA Rules

YARA Rules: The Basics

Why master YARA: from routine to extreme threat hunting cases

In authentication, Multi-Factor Authentication (MFA) involves using more than one category of authentication factors:

Something you know (e.g., password)

Something you have (e.g., RFID badge, token)

Something you are (e.g., biometrics like fingerprints, facial recognition, gait)

In this scenario:

The RFID badge is "something you have" (a physical object).

The gait recognition (walking pattern) captured by the camera is a biometric—"something you are" (a physical characteristic).

Together, these two methods represent two distinct authentication factors, thereby implementing true multi-factor authentication.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Topic: Authentication Mechanisms

Quote:

“Examples of multi-factor authentication include combining biometrics (something you are) with a smart card or badge (something you have). Gait recognition is considered a behavioral biometric and falls under ‘something you are’.”

Incorrect Options Explained:

A. Incorrect — gait and RFID represent two separate factor types, not one.

C. No evidence in the scenario supports high false positives.

D. Gait analysis is a recognized biometric method and can be used for identification.

Comprehensive and Detailed Explanation:

ARP Poisoning (Address Resolution Protocol Poisoning) is a classic Man-in-the-Middle (MiTM) attack in a LAN environment. It works by sending fake ARP replies to devices on a network to associate the attacker’s MAC address with the IP address of another host (typically the default gateway). As a result:

Network traffic meant for the gateway is sent to the attacker instead.

The attacker can then intercept, modify, or forward the traffic to the actual destination, performing a full MiTM.

This allows the attacker to:

Sniff sensitive data (e.g., credentials, emails)

Hijack sessions

Inject malicious payloads

From CEH v13 Courseware:

Module 8: Sniffing

Topic: MiTM Attacks → ARP Spoofing Techniques

Incorrect Options:

A. Password Sniffing is a result of MiTM but not a technique itself.

C. MAC Flooding is a switch attack that floods the CAM table to make the switch act like a hub.

D. DHCP Sniffing relates to capturing DHCP messages but is not commonly used for MiTM.

Comprehensive and Detailed Explanation From CEH v13 Guide:

Vulnerability identification is the step in the risk assessment process where security flaws or weaknesses are identified in existing systems, policies, or procedures.

CEH v13 Reference:

Module 5: Vulnerability Assessment – Risk Assessment Concepts

“Vulnerability identification is the process of discovering existing flaws and weaknesses in systems or processes that may be exploited.”

=============================================================

https://blog.mailfence.com/how-do-digital-signatures-work/

https://en.wikipedia.org/wiki/Digital_signature

A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. It's the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent security. A digital signature is intended to solve the problem of tampering and impersonation in digital communications.

Digital signatures can provide evidence of origin, identity, and status of electronic documents, transactions, or digital messages. Signers can also use them to acknowledge informed consent.

Digital signatures are based on public-key cryptography, also known as asymmetric cryptography. Two keys are generated using a public key algorithm, such as RSA (Rivest-Shamir-Adleman), creating a mathematically linked pair of keys, one private and one public.

Digital signatures work through public-key cryptography's two mutually authenticating cryptographic keys. The individual who creates the digital signature uses a private key to encrypt signature-related data, while the only way to decrypt that data is with the signer's public key.

Rating CVSS Score

None 0.0

Low 0.1 - 3.9

Medium 4.0 - 6.9

High 7.0 - 8.9

Critical 9.0 - 10.0

https://www.first.org/cvss/v3.0/specification-document

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores. Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one's systems and as a factor in prioritization of vulnerability remediation activities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

Qualitative Severity Rating Scale

For some purposes, it is useful to have a textual representation of the numeric Base, Temporal and Environmental scores.

The AndroidManifest.xml file contains information of your package, including components of the appliance like activities, services, broadcast receivers, content providers etc.

It performs another tasks also:

• it’s responsible to guard the appliance to access any protected parts by providing the permissions.

• It also declares the android api that the appliance goes to use.

• It lists the instrumentation classes. The instrumentation classes provides profiling and other informations. These informations are removed just before the appliance is published etc.

This is the specified xml file for all the android application and located inside the basis directory.

https://www.darknet.org.uk/2017/07/bluto-dns-recon-zone-transfer-brute-forcer/

"Attackers also use DNS lookup tools such as DNSdumpster.com, Bluto, and Domain Dossier to retrieve DNS records for a specified domain or hostname. These tools retrieve information such as domains and IP addresses, domain Whois records, DNS records, and network Whois records." CEH Module 02 Page 138

Comprehensive and Detailed Explanation:

The correct file name is /var/log/auth.log (not auth.fesg). “auth.fesg” is a typo or does not exist by default in Linux systems.

Linux login records include:

/var/log/auth.log – authentication logs

/var/log/wtmp – records login sessions

/var/log/btmp – records failed logins

/var/log/user.log – logs user-level messages (optional)

Therefore, B is not a valid log file.

From CEH v13 Courseware:

Module 6: System Hacking → Covering Tracks in Linux

https://en.wikipedia.org/wiki/Meet-in-the-middle_attack

The meet-in-the-middle attack (MITM), a known plaintext attack, is a generic space–time tradeoff cryptographic attack against encryption schemes that rely on performing multiple encryption operations in sequence. The MITM attack is the primary reason why Double DES is not used and why a Triple DES key (168-bit) can be bruteforced by an attacker with 256 space and 2112 operations.

The intruder has to know some parts of plaintext and their ciphertexts. Using meet-in-the-middle attacks it is possible to break ciphers, which have two or more secret keys for multiple encryption using the same algorithm. For example, the 3DES cipher works in this way. Meet-in-the-middle attack was first presented by Diffie and Hellman for cryptanalysis of DES algorithm.

In CEH v13 Module 13: Hacking Web Applications, this exact payload is an example of an XXE (XML External Entity) Attack.

XXE Attack:

Exploits the way XML parsers process DOCTYPE declarations.

The payload references a local file (/etc/passwd), allowing local file inclusion.

Can result in sensitive file disclosure, SSRF, or Denial of Service (DoS).

Option Clarification:

A. XXE: Correct – targets vulnerable XML parsers.

B. SQLi: Targets SQL databases with ' OR '1'='1-type injections.

C. IDOR: Insecure Direct Object Reference, not related to XML.

D. XSS: Cross-site scripting; this is XML-based, not JavaScript injection.

“Boolean based” we mean that it is based on Boolean values, that is, true or false / true and false. AND Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

Boolean-based (content-based) Blind SQLi

Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.

Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.

Time-based Blind SQLi

Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.

https://www.acunetix.com/websitesecurity/sql-injection2/

https://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection

Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack has traditionally been considered time-intensive because a new statement needed to be crafted for each bit recovered, and depending on its structure, the attack may consist of many unsuccessful requests. Recent advancements have allowed each request to recover multiple bits, with no unsuccessful requests, allowing for more consistent and efficient extraction.

The technique that the hacker would consider next to obtain useful information about the underlying database is to utilize a blind injection technique that uses time delays or error signatures to extract information. A blind injection technique is a type of SQL injection technique that is used when the web application does not return any detailed error messages or data from the database, but only indicates whether the query was executed successfully or not. A blind injection technique relies on sending specially crafted SQL queries that cause a noticeable change in the behavior or response of the web application, such as a time delay or an error signature, which can then be used to infer information about the database. For example, the hacker could use the following methods12:

Time-based blind injection: This method involves injecting a SQL query that contains a time delay function, such as SLEEP() or WAITFOR DELAY, which pauses the execution of the query for a specified amount of time. The hacker can then measure the time difference between the normal and the delayed responses, and use it to determine whether the injected query was true or false. By using this method, the hacker can perform a binary search to guess the values of the data in the database, one bit at a time.

Error-based blind injection: This method involves injecting a SQL query that contains a deliberate error, such as a division by zero, a type mismatch, or an invalid conversion, which causes the database to generate an error message. The hacker can then analyze the error message, which may contain useful information about the database, such as the version, the name, the structure, or the data. By using this method, the hacker can exploit the error handling mechanism of the database to extract information.

The other options are not as suitable as option D for the following reasons:

A. Use the UNION operator to combine the result sets of two or more SELECT statements: This option is not feasible because it requires the web application to return data from the database, which is not the case in this scenario. The UNION operator is a SQL operator that allows the hacker to append the results of another SELECT statement to the original query, and display them as part of the web page. This way, the hacker can retrieve data from other tables or columns that are not intended to be shown by the web application. However, this option does not work when the web application does not return any data or error messages from the database, as in this scenario3.

B. Attempt to compromise the system through OS-level command shell execution: This option is not relevant because it is not a SQL injection technique, but a post-exploitation technique. OS-level command shell execution is a method of gaining access to the underlying operating system of the web server, by injecting a SQL query that contains a system command, such as xp_cmdshell, exec, or shell_exec, which executes the command on the server. This way, the hacker can perform various actions on the server, such as uploading files, downloading files, or running programs. However, this option does not help to obtain information about the database, which is the goal of this scenario4.

C. Try to insert a string value where a number is expected in the input field: This option is not effective because it is a basic SQL injection technique that is used to detect SQL injection vulnerabilities, not to exploit them. Inserting a string value where a number is expected in the input field is a method of triggering a syntax error in the SQL query, which may reveal the structure or the content of the query in the error message. This way, the hacker can identify the vulnerable parameters and the type of the database. However, this option does not work when the web application does not return any detailed error messages from the database, as in this scenario5.

To block NetBIOS and related Windows networking traffic from traversing a firewall (especially from external sources), you should block the following ports:

Port 135 (TCP/UDP): Microsoft RPC endpoint mapper (DCOM/RPC)

Port 139 (TCP): NetBIOS Session Service

Port 445 (TCP): Direct-hosted SMB over TCP/IP (Windows 2000+)

These ports are commonly used for:

File sharing

RPC-based communication

Windows network services

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Module 4: Enumeration

CEH v13 Study Guide states:

“To prevent external enumeration, remote file sharing, and NetBIOS attacks, administrators should block inbound access to ports 135, 139, and 445 on the firewall.”

Incorrect Options:

A (110): POP3 mail service

D (161): SNMP

F (1024): High ephemeral port; not specific to NetBIOS

The longer an adversary has this level of access, the greater the impact. Defenders must detect this stage as quickly as possible and deploy tools which can enable them to gather forensic evidence. One example would come with network packet captures, for damage assessment. Only now, after progressing through the primary six phases, can intruders take actions to realize their original objectives. Typically, the target of knowledge exfiltration involves collecting, encrypting and extracting information from the victim(s) environment; violations of knowledge integrity or availability are potential objectives also . Alternatively, and most ordinarily , the intruder may only desire access to the initial victim box to be used as a hop point to compromise additional systems and move laterally inside the network. Once this stage is identified within an environment, the implementation of prepared reaction plans must be initiated. At a minimum, the plan should include a comprehensive communication plan, detailed evidence must be elevated to the very best ranking official or board , the deployment of end-point security tools to dam data loss and preparation for briefing a CIRT Team. Having these resources well established beforehand may be a “MUST” in today’s quickly evolving landscape of cybersecurity threats

https://www.offensive-security.com/metasploit-unleashed/msfencode/

One of the best ways to avoid being stopped by antivirus software is to encode our payload with msfencode. Msfencode is a useful tool that alters the code in an executable so that it looks different to antivirus software but will still run the same way. Much as the binary attachment in email is encoded in Base64, msfencode encodes the original executable in a new binary. Then, when the executable is run, msfencode decodes the original code into memory and exe-cutes it.

In CEH v13 Module 11: Hacking Wireless Networks, antenna types are critical for wireless communications, signal strength, and attack range.

Yagi Antenna

A directional antenna designed to operate in VHF (30 MHz to 300 MHz) and UHF (300 MHz to 3 GHz) frequency bands.

Frequently used for point-to-point communication, such as long-distance Wi-Fi or directional signal monitoring.

Offers high gain, narrow beamwidth, and works well for capturing or projecting signals over long distances.

Why Other Options Are Incorrect:

B. Dipole antenna: Typically omnidirectional; less gain; not optimized for long-distance VHF/UHF.

C. Parabolic grid antenna: Used in microwave and satellite frequencies; not suited for 10 MHz–VHF.

D. Omnidirectional antenna: Broadcasts in all directions; used in short-range access points.

Kernel-mode rootkits run with the best operating system privileges (Ring 0) by adding code or replacement parts of the core operating system, as well as each the kernel and associated device drivers. Most operative systems support kernel-mode device drivers, that execute with a similar privileges because the software itself. As such, several kernel-mode rootkits square measure developed as device drivers or loadable modules, like loadable kernel modules in Linux or device drivers in Microsoft Windows. This category of rootkit has unrestricted security access, however is tougher to jot down. The quality makes bugs common, and any bugs in code operative at the kernel level could seriously impact system stability, resulting in discovery of the rootkit. one amongst the primary wide familiar kernel rootkits was developed for Windows NT four.0 and discharged in Phrack magazine in 1999 by Greg Hoglund. Kernel rootkits is particularly tough to observe and take away as a result of they operate at a similar security level because the software itself, and square measure therefore able to intercept or subvert the foremost sure software operations. Any package, like antivirus package, running on the compromised system is equally vulnerable. during this scenario, no a part of the system is sure.

According to CEH v13 Module 06: Malware Threats, when analyzing suspicious system behavior or investigating a suspected Trojan infection, a common and effective approach is to:

Monitor system activity and network behavior using tools like netstat, Wireshark, and TCPView.

Trojans often create covert channels or backdoors for remote access, which can be identified through unexpected or unauthorized outgoing connections to remote IP addresses or domains.

Using netstat -an or netstat -ano helps identify open ports and active connections, and checking these against known IPs can indicate whether a Trojan is communicating with a Command and Control (C&C) server.

Analysis of Each Option:

A. Use ExifTool and check for malicious content

Incorrect. ExifTool is primarily used for extracting metadata from files, especially images and documents. It is not effective for analyzing executable malware or system behavior post-execution.

B. You do not check; rather, you immediately restore a previous snapshot of the operating system

Incorrect. While restoring from a snapshot might eventually be required, immediate restoration without diagnosis is not a recommended or forensically sound first step. It also prevents root cause analysis.

C. Upload the file to VirusTotal

Partially correct but not sufficient. While uploading the file to VirusTotal is a good step to confirm if the file is known malware, it does not identify whether the machine is currently infected or actively compromised.

D. Use netstat and check for outgoing connections to strange IP addresses or domains

Correct. This method helps detect if the system is making suspicious external connections that are common in Trojan infections.

Reference from CEH v13 Study Guide and Course Materials:

CEH v13 Official Module 06 – Malware Threats, Section: Types of Malware – Trojans, and System Monitoring Tools

CEH v13 eCourseware Lab Manual: "Detecting Trojan Activity using netstat and TCPView"

CEH Engage Range: Malware Investigation Phase – Trojan Behavior Detection

DNS cache snooping is an enumeration technique where the attacker queries a DNS server to check whether a specific domain has been recently resolved by the server (i.e., it exists in the cache). If a positive response is received with low latency, it indicates that the domain was visited recently.

Key points:

Used to infer user browsing habits or visited domains.

Helps attackers identify user interests or potential targets.

Incorrect Options:

A. DNS zone walking is used to list all domain names in a DNS zone (with misconfigured DNS servers), not for cached record inspection.

C. DNSSEC zone walking applies only when DNSSEC is misconfigured.

D. DNS cache poisoning is a manipulation technique, not a passive enumeration method.

Reference – CEH v13 Official Courseware:

Module 04: Enumeration

Section: “DNS Enumeration”

Subsection: “DNS Cache Snooping and Timing Analysis”

Tool Reference: dig, nslookup

===========

Footprinting is the first phase of ethical hacking and information gathering. It involves collecting as much information as possible about a target system or organization from public sources (such as websites, social media, WHOIS databases, job postings, etc.) before launching an attack or vulnerability scan.

???? Reference – CEH v13 Official Study Guide, Module 1: Introduction to Ethical Hacking

“Footprinting is the process of gathering information about a target system to find ways to intrude into the system.”

❌ Incorrect options:

A. Scanning is the next phase, involving probing the network.

C. Enumeration extracts detailed information from services like SNMP, NetBIOS, etc.

D. System Hacking is the actual exploitation phase.

These tools are all Distributed Denial of Service (DDoS) attack tools that coordinate large numbers of systems (bots) to flood target networks or services:

Trinoo – UDP flood-based DDoS tool

TFN2k (Tribe Flood Network 2000) – Supports ICMP, SYN, and other attack types

WinTrinoo – Windows variant of Trinoo

Stacheldraht – Combines features of Trinoo and TFN with encryption and auto-updating

T-Sight – DDoS control tool

From CEH v13 Official Courseware:

Module 9: Denial-of-Service Attacks

CEH v13 Study Guide states:

“These tools are classic examples of distributed DoS platforms used by attackers to launch coordinated flood attacks using compromised hosts.”

Incorrect Options:

A: Not all tools were developed by the same group.

B: Not typically used by defenders.

D/E: These tools are cross-platform (some run on Linux, others on Windows).

One may append the comment “–” operator along with the String for the username and whole avoid executing the password segment of the SQL query. Everything when the — operator would be considered as comment and not dead.

To launch such an attack, the value passed for name could be ’OR ‘1’=‘1’ ; —

Statement = “SELECT * FROM ‘CustomerDB’ WHERE ‘name’ = ‘ ”+ userName + “ ‘ AND ‘password’ = ‘ ” + passwd + “ ‘ ; ”

Statement = “SELECT * FROM ‘CustomerDB’ WHERE ‘name’ = ‘ ’ OR ‘1’=‘1‘;– + “ ‘ AND ‘password’ = ‘ ” + passwd + “ ‘ ; ”

All the records from the customer database would be listed.

Yet, another variation of the SQL Injection Attack can be conducted in dbms systems that allow multiple SQL injection statements. Here, we will also create use of the vulnerability in sure dbms whereby a user provided field isn’t strongly used in or isn’t checked for sort constraints.

This could take place once a numeric field is to be employed in a SQL statement; but, the programmer makes no checks to validate that the user supplied input is numeric.

Variation is an evasion technique whereby the attacker can easily evade any comparison statement. The attacker does this by placing characters such as “' or '1'='1'” in any basic injection statement such as “or 1=1” or with other accepted SQL comments.

Evasion Technique: Variation Variation is an evasion technique whereby the attacker can easily evade any comparison statement. The attacker does this by placing characters such as “' or '1'='1'” in any basic injection statement such as “or 1=1” or with other accepted SQL comments. The SQL interprets this as a comparison between two strings or characters instead of two numeric values. As the evaluation of two strings yields a true statement, similarly, the evaluation of two numeric values yields a true statement, thus rendering the evaluation of the complete query unaffected. It is also possible to write many other signatures; thus, there are infinite possibilities of variation as well. The main aim of the attacker is to have a WHERE statement that is always evaluated as “true” so that any mathematical or string comparison can be used, where the SQL can perform the same.

Comprehensive and Detailed Explanation:

Steganography allows someone to hide data (like a spreadsheet or document) within another innocuous-looking file (like an image, video, or audio). This disguises the presence of the data entirely, allowing it to bypass standard data loss prevention (DLP) systems and firewalls, which look for file types and suspicious patterns.

From CEH v13 Courseware:

Module 6: Malware Threats → Steganography and Covert Channels

We have various articles already in our documentation for setting up SNMPv2 trap handling in Opsview, but SNMPv3 traps are a whole new ballgame. They can be quite confusing and complicated to set up the first time you go through the process, but when you understand what is going on, everything should make more sense.

SNMP has gone through several revisions to improve performance and security (version 1, 2c and 3). By default, it is a UDP port based protocol where communication is based on a ‘fire and forget’ methodology in which network packets are sent to another device, but there is no check for receipt of that packet (versus TCP port when a network packet must be acknowledged by the other end of the communication link). 

There are two modes of operation with SNMP – get requests (or polling) where one device requests information from an SNMP enabled device on a regular basis (normally using UDP port 161), and traps where the SNMP enabled device sends a message to another device when an event occurs (normally using UDP port 162). The latter includes instances such as someone logging on, the device powering up or down, or a wide variety of other problems that would need this type of investigation.

This blog covers SNMPv3 traps, as polling and version 2c traps are covered elsewhere in our documentation.

SNMP traps

Since SNMP is primarily a UDP port based system, traps may be ‘lost’ when sending between devices; the sending device does not wait to see if the receiver got the trap. This means if the configuration on the sending device is wrong (using the wrong receiver IP address or port) or the receiver isn’t listening for traps or rejecting them out of hand due to misconfiguration, the sender will never know.

The SNMP v2c specification introduced the idea of splitting traps into two types; the original ‘hope it gets there’ trap and the newer ‘INFORM’ traps. Upon receipt of an INFORM, the receiver must send an acknowledgement back. If the sender doesn’t get the acknowledgement back, then it knows there is an existing problem and can log it for sysadmins to find when they interrogate the device.

https://en.wikipedia.org/wiki/Sniffing_attack

To prevent networks from sniffing attacks, organizations and individual users should keep away from applications using insecure protocols, like basic HTTP authentication, File Transfer Protocol (FTP), and Telnet. Instead, secure protocols such as HTTPS, Secure File Transfer Protocol (SFTP), and Secure Shell (SSH) should be preferred. In case there is a necessity for using any insecure protocol in any application, all the data transmission should be encrypted. If required, VPN (Virtual Private Networks) can be used to provide secure access to users.

NOTE: I want to note that the wording "best option" is valid only for the EC-Council's exam since the other options will not help against sniffing or will only help from some specific attack vectors.

The sniffing attack surface is huge. To protect against it, you will need to implement a complex of measures at all levels of abstraction and apply controls at the physical, administrative, and technical levels. However, encryption is indeed the best option of all, even if your data is intercepted - an attacker cannot understand it.

Error-based SQL Injection is a type of in-band SQL Injection attack that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.

The ethical hacker is likely to use this type of SQL Injection attack because the application responds to logically incorrect queries with detailed error messages that divulge the underlying database’s structure. This means that the attacker can craft malicious SQL queries that trigger errors and reveal information such as table names, column names, data types, etc. The attacker can then use this information to construct more complex queries that extract data from the database.

For example, if the application uses the following query to display the username of a user based on the user ID:

SELECT username FROM users WHERE id = '$id'

The attacker can inject a single quote at the end of the user ID parameter to cause a syntax error:

SELECT username FROM users WHERE id = '1'

The application might display an error message like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' at line 1

This error message reveals that the database server is MySQL and that the user ID parameter is enclosed in single quotes. The attacker can then use other techniques such as UNION, subqueries, or conditional statements to manipulate the query and retrieve data from other tables or columns.

In CEH v13 Module 06: Malware Threats, a worm is described as a self-replicating piece of malware that spreads independently from one system to another without needing to attach itself to any file or program (unlike viruses).

Key Characteristics of Worms:

Capable of network propagation without human interaction.

Often used in mass attacks (e.g., WannaCry, Conficker).

Can cause significant damage by:

Consuming bandwidth.

Spreading payloads (e.g., ransomware).

Modifying or deleting files.

Option Clarification:

A. Rootkit: Hides presence of malware or attacker activities.

B. Trojan: Disguised as legitimate software; does not replicate.

C. Worm: Correct – self-replicating and spreads automatically.

D. Adware: Primarily shows ads; not typically destructive or self-replicating.

In the context of security testing, test automation plays a critical role in improving the speed and consistency of testing activities. However, it cannot entirely replace manual testing because certain security vulnerabilities—especially logic flaws or issues with session management—often require human intuition and contextual understanding.

According to CEH v13 Official Courseware – Module 05 (Vulnerability Analysis), and confirmed in the CEH v13 Study Guide, automated testing is best suited for:

Repetitive benchmark tests

Regression testing

Scanning for known vulnerabilities

Ensuring consistency across environments

However, manual testing is still essential for:

Business logic testing

Security misconfiguration identification

Discovering zero-day flaws

Comprehensive and Detailed Explanation:

Nikto is an open-source web server scanner that:

Checks for common vulnerabilities

Detects outdated software versions

Flags insecure configurations and files

It is widely used for quick and comprehensive web vulnerability assessments.

From CEH v13 Courseware:

Module 10: Web Application Hacking → Web Vulnerability Scanning Tools

Windows 2000 and newer systems use Kerberos as their default authentication protocol rather than NTLM or LM challenge/response over SMB. Kerberos is encrypted and does not rely on the older SMB logon exchange methods that L0phtCrack can sniff.

From CEH v13 Courseware:

Module 6: Malware and Password Attacks

Module 4: Enumeration

CEH v13 Study Guide states:

“Kerberos is the default authentication protocol in Windows 2000 and newer systems. It encrypts communication and is not vulnerable to the same sniffing attacks that work against LM/NTLM challenge-response mechanisms.”

Incorrect Options:

A: While a NIDS may detect traffic, it doesn't prevent sniffing.

C: Logons can be sniffed in older systems using NTLM.

D: L0phtCrack does not sniff web logons—it targets SMB and Windows logins.

SMTP enumeration involves probing a mail server to gather information about users and configurations. Two important SMTP commands used in enumeration are:

VRFY: Verifies whether a particular email address or user ID exists on the mail server.

EXPN: Reveals the actual addresses behind a mailing list or alias.

These commands allow attackers or penetration testers to enumerate valid user accounts or group memberships, which can later be targeted for phishing, spam, or brute-force attacks.

Incorrect Options:

B. Daily outgoing message limits are not typically disclosed via SMTP.

C. RCPT TO is used to designate a message recipient, but it doesn't enumerate open ports.

D. Mail proxy addresses are not revealed directly via SMTP enumeration.

Reference – CEH v13 Official Courseware:

Module 04: Enumeration

Section: “SMTP Enumeration Techniques”

Tool Reference: smtp-user-enum, Netcat

===========

In CEH v13 Module 10: Vulnerability Assessment, the Vulnerability Management Lifecycle is defined with the following structured steps:

Identify assets & baseline (Step 2)

Vulnerability scanning (Step 5)

Risk assessment/prioritization (Step 6)

Remediation (Step 1)

Verification (Step 3)

Continuous monitoring (Step 4)

So the correct lifecycle flow is:

2 → 5 → 6 → 1 → 3 → 4

This ensures vulnerabilities are identified, assessed, remediated, validated, and monitored on an ongoing basis.

Whitelist validation (also known as allowlist validation) is a robust defensive strategy where only pre-approved input formats are accepted. This includes:

Restricting input to specific data types (e.g., integer, string)

Limiting size, format, or allowed characters

Accepting only expected values (e.g., country codes, age ranges)

This practice is highly effective in mitigating SQL injection and other input-based attacks.

Incorrect Options:

A. Output encoding prevents XSS by encoding output but doesn't validate input.

B. Enforcing least privilege is an access control principle.

D. Blacklist validation is less secure and attempts to block known bad inputs, which may be bypassed.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Input Validation and SQL Injection Mitigation”

Subsection: “Whitelist vs Blacklist Input Validation”

===========

ARIN (American Registry for Internet Numbers) is a Regional Internet Registry (RIR) that provides information about IP address allocations and autonomous systems in North America. It’s used for WHOIS lookups and footprinting in reconnaissance.

https://en.wikipedia.org/wiki/Clickjacking

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional page transposed on top of it.

Two-factor Authentication or 2FA is a user identity verification method, where two of the three possible authentication factors are combined to grant access to a website or application.1) something the user knows, 2) something the user has, or 3) something the user is.

The possible factors of authentication are:

· Something the User Knows:

This is often a password, passphrase, PIN, or secret question. To satisfy this authentication challenge, the user must provide information that matches the answers previously provided to the organization by that user, such as “Name the town in which you were born.”

· Something the User Has:

This involves entering a one-time password generated by a hardware authenticator. Users carry around an authentication device that will generate a one-time password on command. Users then authenticate by providing this code to the organization. Today, many organizations offer software authenticators that can be installed on the user’s mobile device.

· Something the User Is:

This third authentication factor requires the user to authenticate using biometric data. This can include fingerprint scans, facial scans, behavioral biometrics, and more.

For example: In internet security, the most used factors of authentication are:

something the user has (e.g., a bank card) and something the user knows (e.g., a PIN code). This is two-factor authentication. Two-factor authentication is also sometimes referred to as strong authentication, Two-Step Verification, or 2FA.

The key difference between Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) is that, as the term implies, Two-Factor Authentication utilizes a combination of two out of three possible authentication factors. In contrast, Multi-Factor Authentication could utilize two or more of these authentication factors.

ISAPI (Internet Server Application Programming Interface) filters are DLLs used to extend the functionality of Microsoft IIS (Internet Information Services). If unnecessary or outdated ISAPI filters are enabled, they can introduce vulnerabilities or backdoors that attackers may exploit to launch web server-based attacks.

From the CEH v13 Official Courseware:

Module 14: Hacking Web Servers

Section: Web Server Vulnerabilities

Subsection: Common Web Server Misconfigurations

CEH v13 states:

“Unnecessary ISAPI filters and extensions should be disabled or removed, as they may introduce unneeded attack surfaces on the web server. Attackers may exploit vulnerabilities in these filters to gain unauthorized access, execute code remotely, or escalate privileges on the server.”

This is part of a broader hardening strategy to reduce the web server’s attack surface.

Incorrect Options:

A. Social engineering involves manipulating people, not software vulnerabilities.

C. Jailbreaking refers to bypassing restrictions on mobile devices.

D. Wireless attacks are unrelated to web server software components.

LAN Manager (LM) hashes use the DES (Data Encryption Standard) algorithm to hash passwords. Here's how LM hashing works:

The password is converted to uppercase and padded/truncated to 14 characters.

Split into two 7-character halves.

Each half is used as a DES key to encrypt a constant string ("KGS!@#$%")—resulting in a 16-byte LM hash.

From CEH v13 Courseware:

Module 6: Malware Threats

Topic: Windows Password Storage & Cracking

CEH v13 Study Guide states:

“LM hashes use the DES encryption algorithm to create password hashes. Due to this method, they are highly vulnerable to brute-force attacks, particularly because they split the password into two 7-character blocks.”

Incorrect Options:

A: MD4 is used in NTLM hashes.

C: SHA is not used in LM.

D: SSL is a transport security protocol, not a hashing algorithm.

Well-known and widely used password-cracking tools include:

A. L0phtcrack – Windows password auditing tool that can crack LM and NTLM hashes.

E. John the Ripper – Versatile password cracker that supports many hash types on Unix, Windows, etc.

Incorrect Options:

B. NetCat – A network tool used for port scanning and data transfer.

C. “Jack the Ripper” is likely a mistaken reference to John the Ripper.

D. Netbus – A remote access Trojan, not a password cracker.

From CEH v13 Courseware:

Module 6: Password Cracking Tools

Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip

Let's just disassemble this entry.

Mar 1, 2016, 7:33:28 AM - time of the request

10.240.250.23 - 54373 - client's IP and port

10.249.253.15 - server IP

- 22 - SSH port

A Multipartite Virus is designed to infect both the boot sector and executable files of a system. This makes it more complex and harder to remove than viruses that target only one area. It can spread in multiple ways and activate under different conditions depending on whether the infected file or boot sector is accessed first.

CEH v13 Official Curriculum states:

“Multipartite viruses infect both the boot sector and program files. They are difficult to remove and can reinfect the system unless both locations are cleaned simultaneously.”

Incorrect Options:

A. Polymorphic viruses change their code signatures but do not necessarily target both boot and executable areas.

B. Stealth viruses conceal their presence, often by intercepting system calls.

D. Macro viruses infect macro-enabled files, typically in Microsoft Office documents.

Reference – CEH v13 Guide:

Module 06: Malware Threats

Topic: Types of Malware – Multipartite Viruses

Before implementing auditing, it is crucial to assess how enabling this feature will impact system resources, performance, and storage. Auditing can generate significant logs and place additional load on systems, especially in environments handling sensitive data such as banking.

Understanding the impact helps determine if the current infrastructure can handle the overhead or if optimizations or upgrades are needed beforehand.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Section: Enabling Auditing and Logging

Quote:

“Before enabling auditing, organizations must assess the performance and storage impact. Improper implementation can result in performance degradation or missed logs.”

Incorrect Options Explained:

A. Vulnerability scanning is important but not directly related to audit implementation.

C. Cost-benefit analysis comes after understanding operational impact.

D. Staffing is a planning step, not the first technical action.

===========

Comprehensive and Detailed Explanation:

An incident checklist is a low-overhead, high-impact solution to improve procedural consistency under pressure. It ensures critical steps are not forgotten during stressful incidents. The checklist can be reused and updated easily and is a recognized best practice in incident response processes.

From CEH v13 Courseware:

Module 19: Incident Response and Forensics → Incident Handling Procedures

IoTSeeker is a specialized tool used to identify Internet of Things (IoT) devices that are accessible over a network and are still configured with their default factory credentials. These devices often ship with insecure settings, which attackers can exploit.

From CEH v13 Official Courseware:

IoTSeeker:

Automatically scans for common IoT devices

Uses a database of known default usernames and passwords

Flags insecure devices for further investigation or exploitation

The tool is commonly used in the reconnaissance phase for identifying low-hanging vulnerabilities in IoT environments.

Incorrect options:

B. IoT Inspector monitors network traffic for smart devices but is more focused on behavior monitoring than credential scanning.

C. AT&T IoT Platform and D. Azure IoT Central are legitimate enterprise platforms for IoT device management and are not penetration testing tools.

Reference – CEH v13 Official Courseware:

Module 18: IoT and OT Hacking

Section: “IoT Attack Surface”

Tool Reference: “IoTSeeker”

Practical Lab: CEH Engage IoT Device Discovery

===========

In CEH v13 Module 05: System Hacking, once an attacker gains access to hashed passwords, cracking tools are employed to reverse or brute-force them.

Tool Breakdown:

John the Ripper: A powerful password cracking tool that supports many hash formats.

Hashcat: GPU-based, extremely fast password hash cracking tool.

THC-Hydra: Used for online attacks (e.g., SSH, FTP brute force).

Netcat: Not a password cracking tool — it’s a network utility used for:

Remote shell connections

Banner grabbing

File transfers

Port scanning

Therefore:

C. Netcat is the correct answer — it is not used for password cracking.

Docker uses a client-server design. The docker client talks to the docker daemon, that will the work of building, running, and distributing your docker containers. The docker client and daemon will run on the same system, otherwise you will connect a docker consumer to a remote docker daemon. The docker consumer and daemon communicate using a REST API, over OS sockets or a network interface.

The docker daemon (dockerd) listens for docker API requests and manages docker objects like pictures, containers, networks, and volumes. A daemon may communicate with other daemons to manage docker services.

From CEH v13 Module 03: Scanning Networks, OS fingerprinting with Nmap (using the -O option) requires privileged access to craft raw packets (especially SYN, ACK, and ICMP). On Unix/Linux systems:

Root privileges are mandatory to perform TCP/IP stack fingerprinting.

If Nmap is run as a normal user, it fails to initiate OS scanning and exits with a message like “QUITTING!”.

So, in this case, the scan fails because the shell opened does not have elevated (root) privileges.

A keylogger is a type of spyware that can record and steal consecutive keystrokes (and much more) that the user enters on a device. Keyloggers are a common tool for cybercriminals, who use them to capture passwords, credit card numbers, personal information, and other sensitive data. Keyloggers can be installed on a device through various methods, such as phishing emails, malicious downloads, or physical access. To confirm the type of program, the security team can use a web search tool, such as Bing, to look for keylogger programs and compare their features and behaviors with the suspicious program they encountered. Alternatively, they can use a malware analysis tool, such as Malwarebytes, to scan and identify the program and its characteristics.

To prevent the same attack from occurring in the future, the security team should employ intrusion detection systems (IDS) and regularly update the system software. An IDS is a system that monitors network traffic and system activities for signs of malicious or unauthorized behavior, such as keylogger installation or communication. An IDS can alert the security team of any potential threats and help them respond accordingly. Regularly updating the system software can help patch any vulnerabilities or bugs that keyloggers may exploit to infect the device. Additionally, the security team should also remove the keylogger program from the affected computers and change any compromised passwords or credentials. References:

Keylogger | What is a Keylogger? How to protect yourself

How to Detect and Remove a Keylogger From Your Computer

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

What is a Keylogger? | Keystroke Logging Definition | Avast

Keylogger Software: 11 Best Free to Use in 2023

The PSH (Push) flag in TCP instructs the sending system to:

Immediately deliver data to the application.

Avoid waiting for additional buffered data to form a full segment.

This is important in interactive communications like Telnet or SSH, where the delay in transmission would degrade the user experience.

From CEH v13 Courseware:

Module 3: Scanning Networks → TCP Flags and Packet Structure

https://en.wikipedia.org/wiki/Residual_risk

The residual risk is the risk or danger of an action or an event, a method or a (technical) process that, although being abreast with science, still conceives these dangers, even if all theoretically possible safety measures would be applied (scientifically conceivable measures); in other words, the amount of risk left over after natural or inherent risks have been reduced by risk controls.

· Residual risk = (Inherent risk) – (impact of risk controls)

Nmap provides a scripting engine (NSE) that includes a script named http-methods. This script sends OPTIONS requests to the web server to determine which HTTP methods are supported. Identifying risky methods like PUT and DELETE helps detect misconfigured or vulnerable web servers.

Example command:

nmap --script http-methods -p 80

Reference – CEH v13 Official Study Guide:

Module 11: Hacking Web Applications

Quote:

“The Nmap script http-methods helps identify enabled HTTP methods including potentially dangerous ones like PUT and DELETE.”

Incorrect Options Explained:

B. http-enum is used to enumerate directories and applications, not methods.

C. http-headers retrieves HTTP headers.

D. http-git checks for Git repositories on web servers.

===========

https://linuxsecurityblog.com/2018/12/23/create-a-backdoor-with-cryptcat/

Cryptcat enables us to communicate between two systems and encrypts the communication between them with twofish, one of many excellent encryption algorithms from Bruce Schneier et al. Twofish’s encryption is on par with AES encryption, making it nearly bulletproof. In this way, the IDS can’t detect the malicious behavior taking place even when its traveling across normal HTTP ports like 80 and 443.

L0phtCrack is a password auditing and recovery tool. It can:

Capture password hashes over the network (e.g., via SMB).

Crack password hashes using dictionary, brute-force, or hybrid attacks.

It’s particularly effective when used on SMB-based challenge-response authentication (NTLM/LM) captured via packet sniffing.

From CEH v13 Courseware:

Module 4: Enumeration

Module 6: Malware Threats

CEH v13 Study Guide states:

“L0phtCrack can sniff SMB authentication exchanges from network traffic and extract NTLM password hashes to crack them offline.”

Incorrect Options:

A: This is possible (hence A is wrong).

B: Netbus is a backdoor/trojan tool.

C: NTFSDOS is used to read NTFS partitions under DOS, not for password cracking.

Passwords are usually delineated as “hashed and salted”. salting is simply the addition of a unique, random string of characters renowned solely to the site to every parole before it’s hashed, typically this “salt” is placed in front of each password.

The salt value needs to be hold on by the site, which means typically sites use the same salt for each parole. This makes it less effective than if individual salts are used.

The use of unique salts means that common passwords shared by multiple users – like “123456” or “password” – aren’t revealed revealed when one such hashed password is known – because despite the passwords being the same the immediately and hashed values are not.

Large salts also protect against certain methods of attack on hashes, including rainbow tables or logs of hashed passwords previously broken.

Both hashing and salting may be repeated more than once to increase the issue in breaking the security.

A hybrid attack is a method that combines the dictionary attack with brute-force techniques. It starts with a list of known words (like in a dictionary attack) and then mutates them by:

Appending or prepending numbers (e.g., password1, 123hello)

Adding special characters (e.g., P@ssword!, admin#123)

Varying letter casing or leetspeak (e.g., h@x0r)

From CEH v13 Courseware:

Module 6: Malware Threats → Password Cracking Methods

Incorrect Options:

B: Linear is not a password cracking method.

C: Symmetric refers to encryption, not password cracking.

D: Brute-force tries every possible combination but does not start with a word list.

The SOA (Start of Authority) record is a DNS record that defines the authoritative information about a domain. Its format includes the following fields:

(domain) IN SOA (Primary Name Server) (Responsible Email)

(Serial) (Refresh) (Retry) (Expire) (Minimum TTL)

Given:

Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)

Field values:

Serial: 200302028 (→ This is the version number of the zone file.)

Refresh: 3600 seconds

Retry: 3600 seconds

Expire: 604800 seconds

Minimum TTL: 2400 seconds

These values represent key configurations and are all part of the SOA record's operational data.

A: 200302028 = Serial/version (correct)

B: 3600 = Refresh (correct)

C: 604800 = Expire (correct)

D: 2400 = Minimum TTL (correct)

Incorrect Options:

E and F (60, 4800): Not part of the SOA record shown.

Scammers often impersonate legitimate organizations using free email services like @yahoo.com. "Yahoo Bank" is not a legitimate institution, and a real financial entity would use an official domain (e.g., @yahoobank.com). This is a textbook phishing/smishing attempt.

Reference – CEH v13 Official Study Guide:

Module 9: Social Engineering

Quote:

“Attackers often use free email services and impersonate authority figures to trick users. Always verify the sender’s domain and context.”

Incorrect Options:

B. Irrelevant—legitimate people may be unknown too.

C. Responding increases risk.

D. It is not from a verified organization.

===========

Firewalking is a technique used to determine what layer 4 protocols a firewall will allow by sending crafted packets with TTL values that expire at the firewall and analyzing ICMP Time Exceeded responses. This helps in determining what ports and services are allowed through a firewall.

???? Reference – CEH v13 Study Guide, Module 11: Evading IDS, Firewalls, and Honeypots

“Firewalking is a technique used to gather information about firewalls and their rule sets by sending packets with TTL values that expire at the firewall.”

❌ Incorrect options:

A. Session hijacking refers to taking over an active session.

C. MITM attacks involve intercepting communications between two parties.

D. Network sniffing involves capturing packets, not probing firewall rules.

https://us-cert.cisa.gov/ncas/alerts/TA18-201A

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator. Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).

https://en.wikipedia.org/wiki/RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.

RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication. A RADIUS server is usually a background process running on UNIX or Microsoft Windows.

Authentication and authorization

The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The credentials are passed to the NAS device via the link-layer protocol—for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers or posted in an HTTPS secure web form.

In turn, the NAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.

This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request may contain other information which the NAS knows about the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the NAS.

The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status, and specific network service access privileges. Historically, RADIUS servers checked the user's information against a locally stored flat-file database. Modern RADIUS servers can do this or can refer to external sources—commonly SQL, Kerberos, LDAP, or Active Directory servers—to verify the user's credentials.

The RADIUS server then returns one of three responses to the NAS:

1) Access-Reject,

2) Access-Challenge,

3) Access-Accept.

Access-Reject

The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.

Access-Challenge

Requests additional information from the user such as a secondary password, PIN, token, or card. Access-Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the Radius Server in a way that the access credentials are hidden from the NAS.

Access-Accept

The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested. A given user may be allowed to use a company's wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server or may be looked up in an external source such as LDAP or Active Directory.

A white hat (or a white hat hacker) is an ethical computer hacker, or a computer security expert, who focuses on penetration testing and in other testing methodologies that ensures the safety of an organization’s information systems. Ethical hacking may be a term meant to imply a broader category than simply penetration testing. Contrasted with black hat, a malicious hacker, the name comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat respectively. While a white hat hacker hacks under good intentions with permission, and a black hat hacker, most frequently unauthorized, has malicious intent, there’s a 3rd kind referred to as a gray hat hacker who hacks with good intentions but sometimes without permission.

White hat hackers can also add teams called “sneakers and/or hacker clubs”,red teams, or tiger teams.

While penetration testing concentrates on attacking software and computer systems from the beginning – scanning ports, examining known defects in protocols and applications running on the system and patch installations, as an example – ethical hacking may include other things. A full-blown ethical hack might include emailing staff to invite password details, searching through executive’s dustbins and typically breaking and entering, without the knowledge and consent of the targets. Only the owners, CEOs and Board Members (stake holders) who asked for such a censoring of this magnitude are aware. to undertake to duplicate a number of the destructive techniques a true attack might employ, ethical hackers may arrange for cloned test systems, or organize a hack late in the dark while systems are less critical. In most up-to-date cases these hacks perpetuate for the long-term con (days, if not weeks, of long-term human infiltration into an organization). Some examples include leaving USB/flash key drives with hidden auto-start software during a public area as if someone lost the tiny drive and an unsuspecting employee found it and took it.

Some other methods of completing these include:

• DoS attacks

• Social engineering tactics

• Reverse engineering

• Network security

• Disk and memory forensics

• Vulnerability research

• Security scanners such as:

– W3af

– Nessus

– Burp suite

• Frameworks such as:

– Metasploit

• Training Platforms

These methods identify and exploit known security vulnerabilities and plan to evade security to realize entry into secured areas. they’re ready to do that by hiding software and system ‘back-doors’ which will be used as a link to information or access that a non-ethical hacker, also referred to as ‘black-hat’ or ‘grey-hat’, might want to succeed in .

The preparation phase of incident handling is the proactive phase where organizations:

Develop and define incident response policies and rules

Assign roles and responsibilities

Design backup and disaster recovery strategies

Train staff and test response plans via drills or tabletop exercises

This phase ensures that the organization is ready to respond effectively when an incident occurs.

Reference – CEH v13 Official Study Guide:

Module 18: Incident Response and Computer Forensics

Quote:

“In the preparation phase, organizations define rules, set up an incident response team, perform training, and establish and test incident handling procedures.”

Incorrect Options:

B. Containment is about stopping the spread of an active incident

C. Identification is when the incident is first detected

D. Recovery is for restoring systems post-incident

===========

The Sarbanes-Oxley Act of 2002 could be a law the U.S. Congress passed on July thirty of that year to assist defend investors from fallacious money coverage by companies.Also called the SOX Act of 2002 and also the company Responsibility Act of 2002, it mandated strict reforms to existing securities rules and obligatory powerful new penalties on law breakers.

The Sarbanes-Oxley law Act of 2002 came in response to money scandals within the early 2000s involving in public listed corporations like Enron Corporation, Tyco International plc, and WorldCom. The high-profile frauds cask capitalist confidence within the trustiness of company money statements Associate in Nursingd light-emitting diode several to demand an overhaul of decades-old restrictive standards.

WHOIS is an Internet service that allows users to query domain name registries to retrieve information about registered domain names. It includes data such as:

Registrant’s name and contact information

Domain creation and expiration dates

Registrar details and name servers

WHOIS is often used during the reconnaissance phase in penetration testing.

Reference – CEH v13 Official Study Guide:

Module 2: Footprinting and Reconnaissance

Quote:

“WHOIS databases provide public domain registration details including contact names, email addresses, and registrar information. This is useful for initial reconnaissance.”

Incorrect Options:

B. CAPTCHA is used to distinguish human users from bots.

C. IANA oversees global IP address allocation and DNS root zone management.

D. IETF is responsible for internet standards, not registrant databases.

===========

https://en.wikipedia.org/wiki/Phishing

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.

An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identify theft.

Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on the scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

Server-side request forgery (also called SSRF) is a net security vulnerability that allows an assaulter to induce the server-side application to make http requests to associate arbitrary domain of the attacker’s choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services among the organization’s infrastructure, or to external third-party systems.

Another type of trust relationship that often arises with server-side request forgery is where the application server is able to interact with different back-end systems that aren’t directly reachable by users. These systems typically have non-routable private informatics addresses. Since the back-end systems normally ordinarily protected by the topology, they typically have a weaker security posture. In several cases, internal back-end systems contain sensitive functionality that may be accessed while not authentication by anyone who is able to act with the systems.

In the preceding example, suppose there’s an body interface at the back-end url https://192.168.0.68/admin. Here, an attacker will exploit the SSRF vulnerability to access the executive interface by submitting the following request:

POST /product/stock HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Length: 118

stockApi=http://192.168.0.68/admin

Comprehensive and Detailed Explanation:

The netstat (network statistics) command is used to display:

Current TCP/UDP connections

Listening ports

Routing tables

Interface statistics

This is one of the most common tools for network troubleshooting and monitoring on Windows and Linux.

From CEH v13 Courseware:

Module 3: Scanning Networks → System and Network Utilities

According to CEH v13 Module 09: Social Engineering, Whaling is a specific type of phishing attack that targets senior executives and high-value individuals.

It’s called “whaling” because these individuals are the “big fish.”

Attacks are highly targeted and customized, often using knowledge of the executive’s company, responsibilities, or communication style.

The goal is to gain access to sensitive systems, financial assets, or confidential data.

Option Breakdown:

A. Spear phishing: Targeted phishing but not necessarily aimed at high-profile executives.

B. Whaling: Correct – phishing directed at C-level or VIP targets.

C. Vishing: Voice phishing – conducted over telephone/VoIP.

D. Phishing: General term – broader category.

Comprehensive and Detailed Explanation:

The “weakest link” in cybersecurity is almost always the human element. Even with cutting-edge technology and airtight configurations, untrained or careless users can fall for phishing attacks, use weak passwords, or mishandle sensitive data — giving hackers a path into the system.

From CEH v13 Courseware:

Module 7: Social Engineering

Topic: Human Element in Security Breaches

Types of Password Attacks - Active Online Attacks: Internal Monologue Attack Attackers perform an internal monologue(獨自) attack using SSPI (Security Support Provider Interface) from a user-mode application, where a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on user.Attacker disables the security controls of NetNTLMv1, extracts all the non-network logon tokens from all the active processes to masquerade as legitimate users. (P.594/578)

Comprehensive and Detailed Explanation From CEH v13 Guide:

The Network Time Protocol (NTP) is used by systems, including Linux servers, to synchronize their clocks with a time server. If NTP fails, time discrepancies may lead to inaccurate log records and affect security monitoring.

CEH v13 Reference:

Module 17: Evading IDS, Firewalls, and Honeypots – Log Tampering

“Accurate timekeeping is essential for proper logging and correlation. NTP ensures system time is synchronized across hosts.”

=============================================================

In CEH v13 Module 12: Hacking Web Applications, SOAP (Simple Object Access Protocol) is discussed as a protocol that allows web service communication using XML-based messages.

Correct SOAP Characteristics:

Structured model for data exchange, used in SOAP envelopes.

Built on XML format.

Can operate over multiple application layer protocols, not just HTTP (e.g., SMTP, FTP, JMS).

Option B is incorrect because:

While SOAP most commonly uses HTTP, it is not limited to it. SOAP is protocol-independent at the transport layer.

The scenario describes an injection attack involving Server Side Includes (SSI). SSI directives are instructions placed in web pages that are executed by the web server before the page is sent to the user. If user input is improperly validated and directly used in an SSI-enabled environment, attackers can inject malicious SSI directives (such as file manipulation commands).

From CEH v13 Official Courseware:

Server-Side Includes (SSI) Injection occurs when attackers submit specially crafted input that is included in server responses and interpreted as SSI directives.

These directives can perform dangerous actions like:

Reading sensitive files (e.g., /etc/passwd)

Deleting or modifying files

Running shell commands via #exec directive

Incorrect options:

A. Server-side template injection is related to template engines like Jinja2 or Twig.

B. Server-side JS injection applies to environments like Node.js.

C. CRLF injection manipulates HTTP headers, not SSI parsing.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Injection Flaws”

Subsection: “SSI Injection”

Lab Reference: CEH iLabs – Web Application Exploitation

===========

This phase having the hacker uses different techniques and tools to realize maximum data from the system. they’re –

• Password cracking – Methods like Bruteforce, dictionary attack, rule-based attack, rainbow table are used. Bruteforce is trying all combinations of the password. Dictionary attack is trying an inventory of meaningful words until the password matches. Rainbow table takes the hash value of the password and compares with pre-computed hash values until a match is discovered.

• Password attacks – Passive attacks like wire sniffing, replay attack. Active online attack like Trojans, keyloggers, hash injection, phishing. Offline attacks like pre-computed hash, distributed network and rainbow. Non electronic attack like shoulder surfing, social engineering and dumpster diving.

Wireless network assessment determines the vulnerabilities in an organization’s wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization’s perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.

Expanding your network capabilities are often done well using wireless networks, but it also can be a source of harm to your data system . Deficiencies in its implementations or configurations can allow tip to be accessed in an unauthorized manner.This makes it imperative to closely monitor your wireless network while also conducting periodic Wireless Network assessment.

It identifies flaws and provides an unadulterated view of exactly how vulnerable your systems are to malicious and unauthorized accesses.

Identifying misconfigurations and inconsistencies in wireless implementations and rogue access points can improve your security posture and achieve compliance with regulatory frameworks.

To perform a thorough password assessment, Bob can use:

Hardware Keyloggers: Installed between the keyboard and computer; captures keystrokes.

Software Keyloggers: Installed on the OS; logs keystrokes and system activity.

Network Sniffing: Captures plaintext passwords from unencrypted protocols (e.g., FTP, Telnet).

From CEH v13 Official Courseware:

Module 4: Enumeration

Module 6: Malware Threats

Module 8: Sniffing

CEH v13 Study Guide states:

“A comprehensive password audit can involve passive sniffing of credentials on the wire, software keyloggers for direct input capture, and hardware keyloggers for stealthy physical surveillance.”

Incorrect Options:

B, C, D: Limiting to just one method misses out on broader techniques.

TCP port 21 is used by the File Transfer Protocol (FTP), which is an unencrypted protocol. To detect if unencrypted file transfers are taking place, you can apply the Wireshark display filter:

tcp.port == 21

This will show all traffic to and from FTP servers. Since FTP transmits usernames, passwords, and data in clear text, its use would violate the company’s policy.

CEH v13 states:

“FTP (Port 21) is a cleartext protocol vulnerable to sniffing. To enforce secure communication, companies often transition to SFTP (over SSH, port 22) or FTPS (FTP over TLS/SSL).”

Incorrect Options:

B. Port 23 is used for Telnet, not FTP.

C. Combining FTP (21) and SSH/SFTP (22) would include encrypted traffic, which is not what you're trying to isolate.

D. tcp.port != 21 filters out FTP traffic, which is the opposite of the intended goal.

Reference – CEH v13 Guide:

Module 01: Introduction to Ethical Hacking

Subsection: Sniffing and Cleartext Protocols

Wireshark iLab: Identifying FTP Traffic

===========

A Kerberoasting attack is a technique that exploits the Kerberos authentication protocol to obtain the password hash of a service account that has a Service Principal Name (SPN). An attacker can request a service ticket (TGS) for the SPN using a valid user’s ticket (TGT) and then attempt to crack the password hash offline. To prevent the attacker from using the TGS to access the service, the system administrator should invalidate the TGS as soon as possible. This can be done by changing the password of the service account, which will generate a new password hash and render the old TGS useless. Alternatively, the system administrator can use tools like Mimikatz to purge the TGS from the memory of the domain controller or the client system. Performing a system reboot, deleting the compromised user’s account, or changing the NTLM password hash used to encrypt the ST are not effective ways to invalidate the TGS, as they do not affect the encryption of the TGS or the validity of the TGT. References:

EC-Council CEHv12 Courseware Module 11: Hacking Webservers, page 11-24

What is a Kerberoasting Attack? – CrowdStrike

How to Perform Kerberoasting Attacks: The Ultimate Guide - StationX

Social engineering is a non-technical attack that manipulates human behavior to gain access to systems or data. It often involves deception (e.g., phishing, pretexting, baiting) and requires no technical expertise or tools, making it a low-tech yet highly effective method.

Reference – CEH v13 Official Study Guide:

Module 9: Social Engineering

Quote:

“Social engineering exploits human psychology and trust to gain unauthorized access. It is considered a low-tech method because it does not require technical means.”

Incorrect Options Explained:

B. Eavesdropping may require technical tools to intercept data.

C. Scanning involves active use of tools to find vulnerabilities.

D. Sniffing is technical and requires tools to capture network traffic.

On Linux and UNIX-like systems, files or directories that begin with a period (.) are considered hidden. These files do not appear by default when a user runs the ls command, unless explicitly instructed to show hidden files using ls -a.

Example:

File named .hiddenfile will not appear with a simple ls command.

To view it, use: ls -a

This is commonly used for configuration files (e.g., .bashrc, .profile) and also by attackers or malicious users who want to conceal their scripts or payloads.

Incorrect Options:

A. Exclamation mark (!) is used in shell history and command expansion, not for hiding files.

B. Underscore (_) is a valid filename character but does not hide files.

C. Tilde (~) represents the current user's home directory; not used for hiding.

Reference – CEH v13 Official Courseware:

Module 06: Malware Threats

Section: “Tactics to Hide Malware Files in the OS”

Lab: CEH Engage — Creating and Hiding Files in Linux

===========

In CEH v13 Module 14: Cryptography, key escrow is discussed as a recovery mechanism where a third party securely holds a cryptographic key for retrieval if it’s lost.

Key Escrow Characteristics:

Common in enterprise environments for systems like BitLocker.

Keys are automatically backed up to Active Directory (AD) for future retrieval.

Ensures that encrypted data is not permanently lost due to forgotten or deleted keys.

Option Clarification:

A. Key archival: Storing old keys for audit/record-keeping.

B. Key escrow: Correct – Third-party or central storage for recovery purposes.

C. Certificate rollover: Replacement of expiring certificates.

D. Key renewal: Generating a new key after expiration or compromise.

The Blackjacking attack involves leveraging a compromised BlackBerry device and its connection through the BlackBerry Enterprise Server (BES) to tunnel back into the internal corporate network, bypassing perimeter firewalls. The tool used in this method is BBProxy.

BBProxy is installed on the BlackBerry device and establishes a covert tunnel via BES, allowing attackers to pivot into the internal LAN from outside the perimeter.

Reference – CEH v13 Official Study Guide:

Module 17: Hacking Mobile Platforms

Quote:

“Blackjacking is a technique in which attackers use BBProxy to exploit a trusted path from a BlackBerry device to the corporate LAN through BES.”

Incorrect Options Explained:

A. Paros Proxy is a web proxy used for intercepting HTTP/S traffic.

C. Blooover is used for Bluetooth security auditing.

D. BBCrack is used for password recovery on BlackBerry devices, not for tunneling.

===========

Comprehensive and Detailed Explanation:

Cryptographic hash functions provide:

Integrity: Any change in the input changes the output hash.

Collision Resistance: It is computationally infeasible to find two inputs that produce the same hash.

This ensures data is not altered during transmission.

From CEH v13 Courseware:

Module 10: Cryptography → Hashing Functions (e.g., SHA-256, MD5)

Comprehensive and Detailed Explanation:

LDAP (Lightweight Directory Access Protocol) uses a hierarchical data structure similar to a directory tree. SQL databases use a relational structure with tables, rows, and columns.

Because of its hierarchical nature:

LDAP is excellent for parent-child relationships.

It struggles with representing many-to-many or many-to-one relationships efficiently.

From CEH v13 Courseware:

Module 4: Enumeration → LDAP Basics

Comprehensive and Detailed Explanation:

Fake antivirus (also known as scareware) tricks users into downloading malware disguised as legitimate antivirus software.

The best approach:

Google the product name and URL.

Check reputable forums, antivirus vendors, or security advisories.

Look for phishing warnings or reports of malware.

From CEH v13 Courseware:

Module 7: Social Engineering and Phishing Scams

Module 6: Malware Threats → Rogue Software

In CEH v13 Module 11: Hacking Wireless Networks, Wardriving is explained as the practice of driving around with a Wi-Fi-enabled device to detect open or vulnerable wireless networks.

Key Characteristics of Wardriving:

Involves using laptops, smartphones, or specialized devices with Wi-Fi antennas.

Tools like NetStumbler, Kismet, or WiGLE may be used.

Often includes GPS tagging of discovered networks.

Used to identify unsecured access points for later exploitation.

Option Clarification:

A. GPS mapping: May be used with wardriving, but not the act itself.

B. Spectrum analysis: Measures RF spectrum usage; not network discovery.

C. Wardriving: Correct – searching for Wi-Fi networks while driving.

D. Wireless sniffing: Captures traffic; can happen during wardriving, but broader in scope.

https://www.eccouncil.org/what-is-social-engineering/

This Social Engineering scam involves an exchange of information that can benefit both the victim and the trickster. Scammers would make the prey believe that a fair exchange will be present between both sides, but in reality, only the fraudster stands to benefit, leaving the victim hanging on to nothing. An example of a Quid Pro Quo is a scammer pretending to be an IT support technician. The con artist asks for the login credentials of the company’s computer saying that the company is going to receive technical support in return. Once the victim has provided the credentials, the scammer now has control over the company’s computer and may possibly load malware or steal personal information that can be a motive to commit identity theft.

"A quid pro quo attack (aka something for something” attack) is a variant of baiting. Instead of baiting a target with the promise of a good, a quid pro quo attack promises a service or a benefit based on the execution of a specific action." https://resources.infosecinstitute.com/topic/common-social-engineering-attacks/#:~:text=A%20quid%20pro%20quo%20attack,execution%20of%20a%20specific%20action.

Tcpdump is a data-network packet analyzer computer program that runs under a command-line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

https://www.wireshark.org/

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

NOTE: Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.

A dictionary Attack as an attack vector utilized by the attacker to break in a very system, that is password protected, by golf shot technically each word in a very dictionary as a variety of password for that system. This attack vector could be a variety of Brute Force Attack.

The lexicon will contain words from an English dictionary and conjointly some leaked list of commonly used passwords and once combined with common character substitution with numbers, will generally be terribly effective and quick.

How is it done?

Basically, it’s attempting each single word that’s already ready. it’s done victimization machine-controlled tools that strive all the possible words within the dictionary.

Some password Cracking Software:

• John the ripper

• L0phtCrack

• Aircrack-ng

Adversaries could decide to build an possible or file difficult to find or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. this is often common behavior which will be used across totally different platforms and therefore the network to evade defenses.

Payloads may be compressed, archived, or encrypted so as to avoid detection. These payloads may be used throughout Initial Access or later to mitigate detection. typically a user’s action could also be needed to open and Deobfuscate/Decode Files or info for User Execution. The user can also be needed to input a parole to open a parole protected compressed/encrypted file that was provided by the mortal. Adversaries can also used compressed or archived scripts, like JavaScript.

Portions of files can even be encoded to cover the plain-text strings that will otherwise facilitate defenders with discovery. Payloads can also be split into separate, ostensibly benign files that solely reveal malicious practicality once reassembled.

Adversaries can also modify commands dead from payloads or directly via a Command and Scripting Interpreter. surroundings variables, aliases, characters, and different platform/language specific linguistics may be wont to evade signature based mostly detections and application management mechanisms.

In CEH v13 Module 12: Hacking Web Applications, Burp Suite is introduced as a powerful proxy-based tool used for intercepting, modifying, and analyzing HTTP/S traffic between a client and a web application.

Key Features of Burp Suite:

Captures all HTTP requests and responses.

Allows for manual testing of input parameters, headers, and cookies.

Includes tools such as Intruder, Repeater, Scanner, and Decoder.

Helps detect vulnerabilities such as XSS, SQLi, CSRF, and insecure session handling.

Option Review:

A. Maskgen: Used for generating masks, not a web proxy.

B. Dimitry: A footprinting tool, not used for request/response testing.

C. Burpsuite: Correct. Designed for web application vulnerability analysis.

D. Proxychains: Used to chain proxies for anonymity, not for HTTP traffic analysis.

Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys (which may be known to others), and private keys (which may never be known by any except the owner). The generation of such key pairs depends on cryptographic algorithms which are based on mathematical problems termed one-way functions. Effective security requires keeping the private key private; the public key can be openly distributed without compromising security.

In such a system, any person can encrypt a message using the intended receiver's public key, but that encrypted message can only be decrypted with the receiver's private key. This allows, for instance, a server program to generate a cryptographic key intended for a suitable symmetric-key cryptography, then to use a client's openly-shared public key to encrypt that newly generated symmetric key. The server can then send this encrypted symmetric key over an insecure channel to the client; only the client can decrypt it using the client's private key (which pairs with the public key used by the server to encrypt the message). With the client and server both having the same symmetric key, they can safely use symmetric key encryption (likely much faster) to communicate over otherwise-insecure channels. This scheme has the advantage of not having to manually pre-share symmetric keys (a fundamentally difficult problem) while gaining the higher data throughput advantage of symmetric-key cryptography.

With public-key cryptography, robust authentication is also possible. A sender can combine a message with a private key to create a short digital signature on the message. Anyone with the sender's corresponding public key can combine that message with a claimed digital signature; if the signature matches the message, the origin of the message is verified (i.e., it must have been made by the owner of the corresponding private key).

Public key algorithms are fundamental security primitives in modern cryptosystems, including applications and protocols which offer assurance of the confidentiality, authenticity and non-repudiability of electronic communications and data storage. They underpin numerous Internet standards, such as Transport Layer Security (TLS), S/MIME, PGP, and GPG. Some public key algorithms provide key distribution and secrecy (e.g., Diffie–Hellman key exchange), some provide digital signatures (e.g., Digital Signature Algorithm), and some provide both (e.g., RSA). Compared to symmetric encryption, asymmetric encryption is rather slower than good symmetric encryption, too slow for many purposes. Today's cryptosystems (such as TLS, Secure Shell) use both symmetric encryption and asymmetric encryption.

Dynamic ARP inspection (DAI) protects switching devices against Address Resolution Protocol (ARP) packet spoofing (also known as ARP poisoning or ARP cache poisoning).

DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP spoofing. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the switch compares the address with entries in the database. If the media access control (MAC) address or IP address in the ARP packet does not match a valid entry in the DHCP snooping database, the packet is dropped.

NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost-effective programs to protect their information and information systems.

Regional Internet Registries (RIRs):

ARIN (American Registry for Internet Numbers)

AFRINIC (African Network Information Center)

APNIC (Asia Pacific Network Information Center)

RIPE (Réseaux IP Européens Network Coordination Centre)

LACNIC (Latin American and Caribbean Network Information Center)

In CEH v13 Module 14: Cryptography, IPSec (Internet Protocol Security) is defined as a framework used to establish secure communication channels over IP networks, particularly in VPNs.

IPSec supports encryption, authentication, and integrity.

Operates in Tunnel Mode (VPNs) or Transport Mode (End-to-End).

Core protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).

Option Analysis:

A. PEM: Privacy Enhanced Mail (email encryption).

B. PPP: Point-to-Point Protocol (data link layer, not encryption).

C. IPSEC: VPN encryption protocol.

D. SET: Secure Electronic Transaction (used in payment systems, obsolete).

Pharming is a cyberattack technique in which malicious code is used to redirect a website’s traffic to a fraudulent or malicious website without the user's knowledge. This redirection typically occurs through:

DNS poisoning or host file modification

Exploitation of vulnerabilities in DNS servers or user machines

Pharming aims to collect sensitive data (like usernames, passwords, credit card details) by making users believe they are interacting with a legitimate website when, in fact, they are on a fake one.

As per CEH v13 Official Courseware:

Pharming is a server-side or client-side attack that manipulates how URLs are resolved.

It differs from phishing in that it does not rely on fake emails or social engineering but rather on redirecting web traffic via compromised DNS infrastructure or local configuration.

Incorrect Options:

A. Spimming is the use of spam over instant messaging.

C. Phishing involves tricking users through fake emails or messages.

D. Spear-phishing is a targeted version of phishing directed at specific individuals or roles.

Reference – CEH v13 Official Courseware:

Module 09: Social Engineering

Section: “Phishing and Pharming Attacks”

Subsection: “Differences Between Phishing and Pharming”

In CEH v13 Module 01: Introduction to Ethical Hacking, the types of law applicable to cybersecurity incidents are discussed. When executives fail to protect their company’s information systems and this leads to financial loss, data breaches, or negligence, the resulting liability is considered under civil law.

Civil law deals with non-criminal disputes such as negligence, liability, and contractual breaches.

A company or affected party may file a civil lawsuit for damages.

Executives can be held civilly liable for failing in their duty of care, especially when regulations like GDPR, SOX, or HIPAA are involved.

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises.

In CEH v13 Module 03: Scanning Networks, service version detection is achieved using the -sV option in Nmap.

-sV: Enables version detection of open ports by sending probes to determine the service name and version (e.g., Apache 2.4.49).

Helps identify potential vulnerabilities in specific software versions.

Option Clarification:

A. -SN: Ping scan (host discovery only).

B. -SX: Invalid/undefined option.

C. -sV: Correct option for service version detection.

D. -SF: Sends FIN packets (used in stealth scans), not for version discovery.

The most effective evasion technique to bypass the IDS signature detection while performing a SQL Injection attack is to leverage string concatenation to break identifiable keywords. This technique involves splitting SQL keywords or operators into smaller parts and joining them with string concatenation operators, such as ‘+’ or ‘||’. This way, the SQL query can still be executed by the database engine, but the IDS cannot recognize the keywords or operators as malicious, as they are hidden within strings. For example, the hacker could replace the keyword ‘OR’ with ‘O’||‘R’ or ‘O’+‘R’ in the SQL query, and the IDS would not be able to match the signature of a typical SQL injection pattern12.

The other options are not as effective as option D for the following reasons:

A. Implement case variation by altering the case of SQL statements: This option is not effective because most SQL engines and IDS systems are case-insensitive, meaning that they treat SQL keywords and operators the same regardless of their case. Therefore, altering the case of SQL statements would not help evade the IDS signature detection, as the IDS would still be able to match the signature of a typical SQL injection pattern3.

B. Employ IP fragmentation to obscure the attack payload: This option is not applicable because IP fragmentation is a network-level technique that splits IP packets into smaller fragments to fit the maximum transmission unit (MTU) of the network. IP fragmentation does not affect the content or structure of the SQL query, and it does not help evade the IDS signature detection, as the IDS would still be able to reassemble the fragments and match the signature of a typical SQL injection pattern4.

C. Use Hex encoding to represent the SQL query string: This option is not feasible because Hex encoding is a method of representing binary data in hexadecimal format, such as ‘0x41’ for ‘A’. Hex encoding does not work for SQL queries, as the SQL engine would not be able to interpret the hexadecimal values as valid SQL syntax. Moreover, Hex encoding would not help evade the IDS signature detection, as the IDS would still be able to decode the hexadecimal values and match the signature of a typical SQL injection pattern.

In CEH v13 Module 02: Footprinting and Reconnaissance, Google advanced operators are tools for passive information gathering.

related: operator is used to find websites similar to a given domain or webpage.

This helps attackers discover alternate domains, competitors, or similar content that may be vulnerable or poorly secured.

Example:

related:example.com

Will return a list of sites Google deems related to example.com.

Option Clarification:

A. inurl: – Searches for a keyword in the URL.

B. related: – Correct – Finds similar or related websites.

C. info: – Provides Google’s cached and indexed data about a URL.

D. site: – Restricts search to a specific domain or site.

A Kernel-level rootkit operates at the core of the operating system (OS kernel), enabling the attacker to:

Modify or replace kernel code

Load malicious kernel modules

Hide files, processes, and backdoors at a level that is difficult for standard security tools to detect

According to CEH v13:

Kernel-mode rootkits are highly stealthy and dangerous because they run with the highest privileges.

These rootkits modify system calls and memory structures in the kernel space to conceal malicious activity.

Incorrect Options:

A. User-mode rootkits operate at the application layer and are less stealthy than kernel-level rootkits.

B. Library-level rootkits manipulate standard libraries (like libc) to intercept calls.

D. Hypervisor-level rootkits run beneath the OS (e.g., via virtualization) and are extremely rare and complex.

Reference – CEH v13 Official Courseware:

Module 06: Malware Threats

Section: “Types of Rootkits”

Subsection: “Kernel-Mode Rootkits vs. User-Mode Rootkits”

Comprehensive and Detailed Explanation From CEH v13 Guide:

Grey-box testing is a hybrid method where the tester has partial knowledge of the internal workings of the system, allowing for a more focused and efficient assessment of security vulnerabilities compared to black-box (no knowledge) and white-box (full knowledge). This approach simulates an insider threat or a user with limited access rights.

CEH v13 Reference:

Module 15: Hacking Web Applications – Types of Penetration Testing

“Gray-box testing assumes partial knowledge of internal structures, combining elements of both black-box and white-box testing.”

=============================================================

Source: https://www.flowmon.com

Flowmon empowers manufacturers and utility companies to ensure the reliability of

their industrial networks confidently to avoid downtime and disruption of service

continuity. This can be achieved by continuous monitoring and anomaly detection so

that malfunctioning devices or security incidents, such as cyber espionage, zero-days, or

malware, can be reported and remedied as quickly as possible.

In CEH v13 Module 14: Cryptography, Serpent is detailed as one of the finalists in the Advanced Encryption Standard (AES) competition, known for its strong security characteristics.

Key Features of Serpent:

128-bit block size, and key sizes of 128, 192, or 256 bits.

Uses 32 rounds of substitution and permutation.

Operates on four 32-bit words per block.

Employs 8 different S-boxes, each with a 4-bit input and 4-bit output.

Designed to provide high security and resistance against differential cryptanalysis.

Option Clarification:

A. TEA: Uses a Feistel structure with simple operations, but not 32 rounds with S-boxes.

B. CAST-128: Has 64-bit block size and fewer rounds.

C. RC5: Variable block and key sizes but doesn’t use 32 rounds with fixed S-box design.

D. Serpent: Matches all given features.

The scenario describes an API vulnerability where unauthorized users are able to view, modify, or delete sensitive data by interacting with API objects. This indicates a failure in access control—specifically, a lack of Attribute-Based Access Control (ABAC) validation.

Attribute-Based Access Control (ABAC):

ABAC is an advanced access control model that evaluates access permissions based on attributes of the user, the resource, and the environment (e.g., user role, data sensitivity, location, etc.).

When ABAC is not properly implemented ("No ABAC validation"), APIs may allow users to access or manipulate objects they shouldn't have access to.

In APIs, this typically results in vulnerabilities like Insecure Direct Object Reference (IDOR), where users can tamper with object identifiers (IDs) to access or alter data that doesn’t belong to them.

This is one of the top risks highlighted by the OWASP API Security Top 10 (e.g., Broken Object Level Authorization).

Incorrect Options:

A. Code injection refers to injecting malicious code (e.g., SQLi, XSS), not improper access control.

B. Improper use of CORS (Cross-Origin Resource Sharing) may lead to unauthorized data exposure but doesn’t describe unauthorized object access in an API.

D. Business logic flaws relate to weaknesses in application workflows and rules, not direct access control failures.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: "API Security Threats"

Subsection: "Access Control Failures in APIs (IDOR, BOLA, ABAC-related flaws)"

OWASP API Security Top 10: 2023 – A1: Broken Object Level Authorization

CEH iLabs and CEH Engage also demonstrate API-based attack vectors exploiting access control weaknesses.

Comprehensive and Detailed Explanation:

An Information Security Policy (ISP) is a high-level document that defines:

What employees can and cannot do with IT systems.

What data is protected and how.

The consequences of policy violations.

The company's commitment to security.

It must be signed by users to enforce compliance and protect organizational assets.

From CEH v13 Courseware:

Module 20: Information Security Policies

Module 1: Governance, Risk, and Compliance

snmp-check (snmp_enum Module) is the best tool to help the ethical hacker to get the information without directly modifying any parameters within the SNMP agent’s MIB. snmp-check is a tool that allows the user to enumerate SNMP devices and extract information from them. It can gather a wide array of information about the target, such as system information, network interfaces, routing tables, ARP cache, installed software, running processes, TCP and UDP services, user accounts, and more. snmp-check can also perform brute force attacks to discover the SNMP community strings, which are the passwords used to access the SNMP agent. snmp-check is available as a standalone tool or as a module (snmp_enum) within the Metasploit framework.

The other options are not as effective or suitable as snmp-check for the ethical hacker’s task. Nmap is a network scanning and enumeration tool that can perform various types of scans and probes on the target. It can also run scripts to perform specific tasks, such as retrieving SNMP information. However, Nmap may not be able to gather as much information as snmp-check, and it may also trigger alerts or blocks from firewalls or intrusion detection systems. Oputils is a network monitoring and management toolset that can perform various functions, such as device discovery, configuration backup, bandwidth monitoring, IP address management, and more. However, Oputils is mainly designed for device management and not SNMP enumeration, and it may not be able to extract valuable network information from the SNMP agent. SnmpWalk is a tool that allows the user to retrieve the entire MIB tree of an SNMP agent by using SNMP GETNEXT requests. However, SnmpWalk is not suitable for the ethical hacker’s task, because it requires the user to change an OID (object identifier) to a different value, which may modify the parameters within the SNMP agent’s MIB and affect its functionality or security. References:

snmp-check - The SNMP enumerator

SNMP Enumeration | Ethical Hacking - GreyCampus

SNMP Enumeration - GeeksforGeeks

Nmap - the Network Mapper - Free Security Scanner

OpUtils - Network Monitoring & Management Toolset

SnmpWalk - SNMP MIB Browser

The command C. Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 -flood is the correct one to spoof IP addresses for anonymity during probing. This command sends SYN packets (-S) to the target IP 192.168.1.1 with a spoofed source IP (-a) 192.168.1.254 on port 22 (-p) and floods the target with packets (-flood). This way, the CEH can hide his real IP address and avoid detection by the target’s firewall or IDS12.

The other commands are incorrect for the following reasons:

A. Hping3 -110.0.0.25 --ICMP: This command sends ICMP packets (–ICMP) to the target IP 10.0.0.25, but does not spoof the source IP. Therefore, the CEH’s real IP address will be exposed to the target.

B. Nmap -sS -Pn -n -vw --packet-trace -p- --script discovery -T4: This command performs a stealthy SYN scan (-sS) on all ports (-p-) of the target without pinging it (-Pn) or resolving DNS names (-n). It also enables verbose output (-v), packet tracing (–packet-trace), and discovery scripts (–script discovery) with an aggressive timing (-T4). However, this command does not spoof the source IP, and in fact, reveals more information about the scan to the target by using packet tracing and discovery scripts.

D. Hping3-210.0.0.25-p 80: This command sends TCP packets (default) to the target IP 10.0.0.25 on port 80 (-p), but does not spoof the source IP. Therefore, the CEH’s real IP address will be exposed to the target.

The command nmap -sX initiates what is known as a Xmas Scan. This type of scan is used to analyze how a target system responds to TCP packets with unusual flag combinations, helping the attacker identify live hosts and open ports without completing a full TCP handshake.

In the Xmas scan, three specific TCP flags are set in the packet:

URG (Urgent)

PSH (Push)

FIN (Finish)

This combination makes the packet appear "lit up like a Christmas tree," hence the name Xmas scan. These packets are sent to target ports to observe the system’s behavior, especially when it does not follow standard RFC 793 behavior.

Closed ports will usually respond with a RST (reset).

Open ports may not respond at all, depending on the operating system and configuration.

This method is typically used to evade detection by firewalls and intrusion detection systems that expect normal TCP traffic patterns.

Reference – CEH v13 Official Study Guide:

Module 03: Scanning Networks, Section: “TCP Scan Types”, Subsection: “Xmas Tree Scan”, Page Reference: typically listed under TCP Flag Scanning Techniques.

CEH v13 iLabs and practical guidance in CEH Engage also cover this scan in reconnaissance simulations.

Incorrect Options Explained:

A. SYN scan (-sS) sets only the SYN flag.

C. ACK scan (-sA) sets the ACK flag.

D. SYN and ACK flags are used in TCP handshake, not in Xmas scan.

STARTTLS is an SMTP command that allows the client to upgrade an existing insecure connection to a secure, encrypted TLS connection. It is widely supported by SMTP servers and used to protect email transmissions from interception.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Section: Secure Email Communication

Quote:

“STARTTLS is an SMTP command used to initiate encryption on an existing plaintext connection using TLS.”

Incorrect Options:

A. Opportunistic TLS is a concept, not a command

B & C. UPGRADETLS and FORCETLS are not valid SMTP commands

Hashing algorithms (such as SHA-256 or MD5) are used to generate a unique digital fingerprint of a file or message. Once the CFO approves the financial statement, generating a hash value for the document ensures that if any modification occurs (even a single bit), the hash value will change, indicating a breach in data integrity.

This solution directly addresses integrity — one of the three components of the CIA triad (Confidentiality, Integrity, Availability). Password protection or transferring via USB does not ensure integrity; they offer access control and delivery security.

https://en.wikipedia.org/wiki/MAC_filtering

MAC filtering is a security method based on access control. Each address is assigned a 48-bit address, which is used to determine whether we can access a network or not. It helps in listing a set of allowed devices that you need on your Wi-Fi and the list of denied devices that you don’t want on your Wi-Fi. It helps in preventing unwanted access to the network. In a way, we can blacklist or white list certain computers based on their MAC address. We can configure the filter to allow connection only to those devices included in the white list. White lists provide greater security than blacklists because the router grants access only to selected devices.

It is used on enterprise wireless networks having multiple access points to prevent clients from communicating with each other. The access point can be configured only to allow clients to talk to the default gateway, but not other wireless clients. It increases the efficiency of access to a network.

The router allows configuring a list of allowed MAC addresses in its web interface, allowing you to choose which devices can connect to your network. The router has several functions designed to improve the network's security, but not all are useful. Media access control may seem advantageous, but there are certain flaws.

On a wireless network, the device with the proper credentials such as SSID and password can authenticate with the router and join the network, which gets an IP address and access to the internet and any shared resources.

MAC address filtering adds an extra layer of security that checks the device’s MAC address against a list of agreed addresses. If the client’s address matches one on the router’s list, access is granted; otherwise, it doesn’t join the network.

The most effective attack method for the penetration tester to exploit these vulnerabilities and attempt unauthorized access would be to execute a Brute Force attack, leveraging the lack of account lockout policy and the verbose error messages to guess the correct credentials. A Brute Force attack is a hacking method that uses trial and error to crack passwords, login credentials, or encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations’ systems and networks1. In this scenario, the tester can take advantage of the fact that the application does not lock out users after multiple failed login attempts, which means the tester can try as many combinations as possible without being blocked. The tester can also use the detailed error messages that disclose whether the username or password entered is incorrect, which can help narrow down the search space and reduce the number of guesses needed. For example, if the tester enters a wrong username and a wrong password, and the application responds with “Invalid username”, the tester can eliminate that username from the list of candidates and focus on finding the correct one. Similarly, if the tester enters a correct username and a wrong password, and the application responds with “Invalid password”, the tester can confirm that username and focus on finding the correct password. By using automated tools or scripts, the tester can perform a Brute Force attack faster and more efficiently.

The other options are not as effective or feasible as option A for the following reasons:

B. The tester could exploit a potential SQL Injection vulnerability to manipulate the application’s database: This option is not feasible because there is no indication that the application is vulnerable to SQL Injection, which is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database2. The application uses form-based authentication, which does not necessarily involve SQL queries, and the error messages do not reveal any SQL syntax or structure. Moreover, even if the application was vulnerable to SQL Injection, the tester would need to craft a malicious SQL query that can bypass the authentication mechanism and grant access to the application, which may not be possible or easy depending on the database design and configuration.

C. The tester could launch a Cross-Site Scripting (XSS) attack to steal authenticated session cookies, potentially bypassing the clickjacking protection: This option is not effective because there is no evidence that the application is vulnerable to XSS, which is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application by injecting malicious scripts3. The application uses HTTP headers to prevent clickjacking attacks, which are a type of attack that tricks a user into clicking on a hidden or disguised element on a web page4. However, this does not imply that the application is vulnerable to XSS, which requires a different type of injection point and payload. Moreover, even if the application was vulnerable to XSS, the tester would need to find a way to deliver the malicious script to a legitimate user who is already authenticated, and then capture the stolen session cookies from the user’s browser, which may not be feasible or easy depending on the application’s design and security measures.

D. The tester could execute a Man-in-the-Middle (MitM) attack to intercept and modify the HTTP headers for a Clickjacking attack: This option is not feasible because a MitM attack is a type of attack that requires the attacker to insert themselves between two parties who believe that they are directly communicating with each other, and then relay or alter the communications between them5. In this scenario, the tester would need to intercept the HTTP traffic between the user and the application, and then modify the HTTP headers to remove or weaken the clickjacking protection. However, this would require the tester to have access to the network infrastructure or the user’s device, which may not be possible or easy depending on the network security and encryption. Moreover, even if the tester could perform a MitM attack, the tester would still need to trick the user into clicking on a malicious element on a web page, which may not be possible or easy depending on the user’s awareness and behavior.

TCP port 48101 uses the Transmission management Protocol. transmission control protocol is one in all the most protocols in TCP/IP networks. transmission control protocol could be a connection-oriented protocol, it needs acknowledgement to line up end-to-end communications. only a association is about up user’s knowledge may be sent bi-directionally over the association.

Attention! transmission control protocol guarantees delivery of knowledge packets on port 48101 within the same order during which they were sent. bonded communication over transmission control protocol port 48101 is that the main distinction between transmission control protocol and UDP. UDP port 48101 wouldn’t have bonded communication as transmission control protocol.

UDP on port 48101 provides Associate in Nursing unreliable service and datagrams might arrive duplicated, out of order, or missing unexpectedly. UDP on port 48101 thinks that error checking and correction isn’t necessary or performed within the application, avoiding the overhead of such process at the network interface level.

UDP (User Datagram Protocol) could be a borderline message-oriented Transport Layer protocol (protocol is documented in IETF RFC 768).

Application examples that always use UDP: vocalisation IP (VoIP), streaming media and period multiplayer games. several internet applications use UDP, e.g. the name System (DNS), the Routing info Protocol (RIP), the Dynamic Host Configuration Protocol (DHCP), the straightforward Network Management Protocol (SNMP).

https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs.

6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors.

The sequence of actions that would provide the most comprehensive information about the network’s status is to use Hping3 for an ICMP ping scan on the entire subnet, then use Nmap for a SYN scan on identified active hosts, and finally use Metasploit to exploit identified vulnerabilities. This sequence of actions works as follows:

Use Hping3 for an ICMP ping scan on the entire subnet: This action is used to discover the active hosts on the network by sending ICMP echo request packets to each possible IP address on the subnet and waiting for ICMP echo reply packets from the hosts. Hping3 is a command-line tool that can craft and send custom packets, such as TCP, UDP, or ICMP, and analyze the responses. By using Hping3 for an ICMP ping scan, the hacker can quickly and efficiently identify the live hosts on the network, as well as their response times and packet loss rates12.

Use Nmap for a SYN scan on identified active hosts: This action is used to scan the open ports and services on the active hosts by sending TCP SYN packets to a range of ports and analyzing the TCP responses. Nmap is a popular and powerful tool that can perform various types of network scans, such as port scanning, service detection, OS detection, and vulnerability scanning. By using Nmap for a SYN scan, the hacker can determine the state of the ports on the active hosts, such as open, closed, filtered, or unfiltered, as well as the services and protocols running on them. A SYN scan is also known as a stealth scan, as it does not complete the TCP three-way handshake and thus avoids logging on the target system34.

Use Metasploit to exploit identified vulnerabilities: This action is used to exploit the vulnerabilities on the active hosts by using pre-built or custom modules that leverage the open ports and services. Metasploit is a framework that contains a collection of tools and modules for penetration testing and exploitation. By using Metasploit, the hacker can launch various attacks on the active hosts, such as remote code execution, privilege escalation, or backdoor installation, and gain access to the target system or data. Metasploit can also be used to perform post-exploitation tasks, such as gathering information, maintaining persistence, or pivoting to other systems .

The other options are not as comprehensive as option B for the following reasons:

A. Initiate with Nmap for a ping sweep, then use Metasploit to scan for open ports and services, and finally use Hping3 to perform remote OS fingerprinting: This option is not optimal because it does not use the tools in the most efficient and effective way. Nmap can perform a ping sweep, but it is slower and less flexible than Hping3, which can craft and send custom packets. Metasploit can scan for open ports and services, but it is more suitable for exploitation than scanning, and it relies on Nmap for port scanning anyway. Hping3 can perform remote OS fingerprinting, but it is less accurate and reliable than Nmap, which can use various techniques and probes to determine the OS type and version13 .

C. Start with Hping3 for a UDP scan on random ports, then use Nmap for a version detection scan, and finally use Metasploit to exploit detected vulnerabilities: This option is not effective because it does not use the best scanning methods and techniques. Hping3 can perform a UDP scan, but it is slower and less reliable than a TCP scan, as UDP is a connectionless protocol that does not always generate responses. Scanning random ports is also inefficient and incomplete, as it may miss important ports or services. Nmap can perform a version detection scan, but it is more useful to perform a port scan first, as it can narrow down the scope and speed up the scan. Metasploit can exploit detected vulnerabilities, but it is not clear how the hacker can identify the vulnerabilities without performing a vulnerability scan first13 .

D. Begin with NetScanTools Pro for a general network scan, then use Nmap for OS detection and version detection, and finally perform an SYN flooding with Hping3: This option is not comprehensive because it does not cover all the aspects and objectives of a network scan. NetScanTools Pro is a graphical tool that can perform various network tasks, such as ping, traceroute, DNS lookup, or port scan, but it is less powerful and versatile than Nmap or Hping3, which can perform more advanced and customized scans. Nmap can perform OS detection and version detection, but it is more useful to perform a port scan first, as it can provide more information and insights into the target system. Performing an SYN flooding with Hping3 is not a network scan, but a denial-of-service attack, which can disrupt the network and alert the target system, and it is not an ethical or legal action for a hired hacker13 .

A man-in-the-middle attack using forged ICMP and ARP spoofing is a type of network-level session hijacking attack where an attacker inserts their machine into the communication between a client and a server, making it seem like the packets are flowing through the original path. This technique is primarily used to reroute the packets and intercept or modify the data exchanged between the client and the server.

A man-in-the-middle attack using forged ICMP and ARP spoofing works as follows1:

The attacker sends a forged ICMP redirect message to the client, claiming to be the gateway. The ICMP redirect message tells the client to use the attacker’s machine as the next hop for reaching the server’s network. The client updates its routing table accordingly and starts sending packets to the attacker’s machine instead of the gateway.

The attacker also sends a forged ARP reply message to the client, claiming to be the server. The ARP reply message associates the attacker’s MAC address with the server’s IP address. The client updates its ARP cache accordingly and starts sending packets to the attacker’s MAC address instead of the server’s MAC address.

The attacker receives the packets from the client and forwards them to the server, acting as a relay. The attacker can also monitor, modify, or drop the packets as they wish. The server responds to the packets and sends them back to the attacker, who then forwards them to the client. The client and the server are unaware of the attacker’s presence and think they are communicating directly with each other.

Therefore, Jake is studying a man-in-the-middle attack using forged ICMP and ARP spoofing, which is a type of network-level session hijacking attack.

According to CEH v13 Module 09: Social Engineering, both pharming and phishing are forms of fraud that direct users to malicious websites. However, their techniques differ:

Pharming involves modifying DNS entries or the victim's host file to silently redirect users to a malicious site without needing user interaction.

Phishing involves sending links via emails or messages where the URL is visually deceptive (misspelled, similar domain names, homoglyph attacks).

Reconnaissance is the first phase of ethical hacking and also part of the cyber kill chain. It involves gathering publicly available information about a target, such as employee names, company structure, and branding, which is later used in social engineering or phishing attacks.

Reference – CEH v13 Official Study Guide:

Module 2: Footprinting and Reconnaissance

Quote:

“Reconnaissance involves gathering information from public sources such as websites, social networks, and press releases. This is used to craft targeted phishing messages or exploit organizational weaknesses.”

Incorrect Options Explained:

A & B. Not formal terms in ethical hacking.

D. Enumeration involves interacting with systems to extract technical data.

In CEH v13 Module 02: Footprinting and Reconnaissance, and Module 03: Scanning Networks, several tools and techniques are introduced for analyzing public IP addresses when investigating a security alert.

Let’s evaluate the options:

A. DNS: Domain Name System (DNS) is essential in mapping IPs to domains. Reverse DNS lookups can reveal if the IP is associated with a malicious domain, and forward lookups can confirm legitimacy.

B. Whois: WHOIS records are crucial for identifying IP ownership, registration data, and abuse contacts. It helps assess if the IP belongs to a known threat actor or suspicious hosting provider.

C. Geolocation: Helps you understand where the IP is physically located. If the IP is in a country known for cybercrime or doesn’t match your user's location, it raises red flags.

D. ARP (Address Resolution Protocol): ❌ ARP is local to Layer 2 and works only within a LAN (Local Area Network). ARP cannot resolve or analyze public IP addresses which operate in Layer 3 of the OSI model.

Thus, ARP is the least relevant when analyzing a public IP address, as it deals with MAC-to-IP mapping only in local environments.

According to CEH v13 Module 08: Sniffing, the attack described is a classic example of ARP spoofing/poisoning which leads to Man-in-the-Middle (MITM) scenarios. In such attacks, a malicious actor sends forged ARP responses to associate their MAC address with the IP address of a target system, redirecting traffic through their machine.

Tool Used: BetterCAP

BetterCAP is a powerful, modular MITM framework.

It can:

Perform ARP spoofing

Intercept and manipulate HTTP/HTTPS traffic

Modify packets in real-time

Carry out credential harvesting and session hijacking

Miley's actions match the default behavior of BetterCAP during an ARP spoofing attack:

Spoof ARP to redirect traffic.

Intercept and analyze (or manipulate) traffic.

Option Clarification:

A. Gobbler: An older ARP tool, but mostly for ARP scanning, not modern MITM attacks.

B. KDerpNSpoof: Incorrect or misspelled; not a recognized CEH tool.

C. BetterCAP: Correct – used for ARP spoofing and traffic manipulation.

D. Wireshark: Passive sniffer; cannot perform ARP spoofing or MITM.

Footprinting techniques are used to collect basic information about the target IoT and OT platforms to exploit them. Information collected through footprinting techniques ncludes IP address, hostname, ISP, device location, banner of the target IoT device, FCC ID information, certification granted to the device, etc. pg. 5052 ECHv11 manual

https://en.wikipedia.org/wiki/FCC_mark

An FCC ID is a unique identifier assigned to a device registered with the United States Federal Communications Commission. For legal sale of wireless deices in the US, manufacturers must:

· Have the device evaluated by an independent lab to ensure it conforms to FCC standards

· Provide documentation to the FCC of the lab results

· Provide User Manuals, Documentation, and Photos relating to the device

· Digitally or physically label the device with the unique identifier provided by the FCC (upon approved application)

The FCC gets its authourity from Title 47 of the Code of Federal Regulations (47 CFR). FCC IDs are required for all wireless emitting devices sold in the USA. By searching an FCC ID, you can find details on the wireless operating frequency (including strength), photos of the device, user manuals for the device, and SAR reports on the wireless emissions

One of the biggest problems a worm faces in achieving a very fast rate of infection is “getting off the ground.” although a worm spreads exponentially throughout the early stages of infection, the time needed to infect say the first 10,000 hosts dominates the infection time.

There is a straightforward way for an active worm a simple this obstacle, that we term hit-list scanning. Before the worm is free, the worm author collects a listing of say ten,000 to 50,000 potentially vulnerable machines, ideally ones with sensible network connections. The worm, when released onto an initial machine on this hit-list, begins scanning down the list. once it infects a machine, it divides the hit-list in half, communicating half to the recipient worm, keeping the other half.

This fast division ensures that even if only 10-20% of the machines on the hit-list are actually vulnerable, an active worm can quickly bear the hit-list and establish itself on all vulnerable machines in only some seconds. though the hit-list could begin at 200 kilobytes, it quickly shrinks to nothing during the partitioning. This provides a great benefit in constructing a quick worm by speeding the initial infection.

The hit-list needn’t be perfect: a simple list of machines running a selected server sort could serve, though larger accuracy can improve the unfold. The hit-list itself is generated victimization one or many of the following techniques, ready well before, typically with very little concern of detection.

Stealthy scans. Portscans are so common and then wide ignored that even a quick scan of the whole net would be unlikely to attract law enforcement attention or over gentle comment within the incident response community. However, for attackers wish to be particularly careful, a randomised sneaky scan taking many months would be not possible to attract much attention, as most intrusion detection systems are not currently capable of detecting such low-profile scans. Some portion of the scan would be out of date by the time it had been used, however abundant of it’d not.

Distributed scanning. an assailant might scan the web using a few dozen to some thousand already-compromised “zombies,” the same as what DDOS attackers assemble in a very fairly routine fashion. Such distributed scanning has already been seen within the wild–Lawrence Berkeley National Laboratory received ten throughout the past year.

DNS searches. Assemble a list of domains (for example, by using wide offered spam mail lists, or trolling the address registries). The DNS will then be searched for the science addresses of mail-servers (via mx records) or net servers (by looking for www.domain.com).

Spiders. For net server worms (like Code Red), use Web-crawling techniques the same as search engines so as to produce a list of most Internet-connected web sites. this would be unlikely to draw in serious attention.

Public surveys. for many potential targets there may be surveys available listing them, like the Netcraft survey.

Just listen. Some applications, like peer-to-peer networks, wind up advertising many of their servers. Similarly, many previous worms effectively broadcast that the infected machine is vulnerable to further attack. easy, because of its widespread scanning, during the Code Red I infection it was easy to select up the addresses of upwards of 300,000 vulnerable IIS servers–because each came knock on everyone’s door!

“Clearing tracks” is a post-exploitation phase in the ethical hacking methodology in which the attacker removes or alters system evidence to hide their activities and avoid detection. This may include:

Deleting or modifying event logs

Clearing bash history or command history

Removing malware traces

Disabling auditing

From CEH v13:

Corrupting or erasing event logs ensures that system administrators or forensic investigators cannot trace the intrusion or determine how the system was compromised.

Incorrect Options:

A. Creating a backdoor is part of the "Maintaining Access" phase, not "Clearing Tracks."

B. Injecting a rootkit is part of the "Gaining or Maintaining Access" stage.

C. Exploiting a vulnerability is part of the "Gaining Access" phase.

Reference – CEH v13 Official Courseware:

Module 05: System Hacking

Section: “Clearing Logs and Erasing Evidence”

Subsection: “Track-Clearing Techniques”

Lab: Log Manipulation and Covering Tracks

A pharming attacker tries to send a web site’s traffic to a faux website controlled by the offender, typically for the aim of collection sensitive data from victims or putting in malware on their machines. Attacker tend to specialize in making look-alike ecommerce and digital banking websites to reap credentials and payment card data.

Though they share similar goals, pharming uses a special technique from phishing. “Pharming attacker are targeted on manipulating a system, instead of tricking people into reaching to a dangerous web site,” explains David Emm, principal security man of science at Kaspersky. “When either a phishing or pharming attacker is completed by a criminal, they need a similar driving issue to induce victims onto a corrupt location, however the mechanisms during which this is often undertaken are completely different.”

An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.

In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and the testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection.[3] Other techniques used to detect anomalies include data mining methods, grammar-based methods, and the Artificial Immune System.

Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection systems are one of the last layers of defense and reside on computer endpoints. They allow for fine-tuned, granular protection of endpoints at the application level.

Anomaly-based Intrusion Detection at both the network and host levels have a few shortcomings; namely a high false-positive rate and the ability to be fooled by a correctly delivered attack. Attempts have been made to address these issues through techniques used by PAYL and MCPAD.

http://www.carnal0wnage.com/papers/LSO-Hping2-Basics.pdf

Most ping programs use ICMP echo requests and wait for echo replies to come back to test connectivity. Hping2 allows us to do the same testing using any IP packet, including ICMP, UDP, and TCP. This can be helpful since nowadays most firewalls or routers block ICMP. Hping2, by default, will use TCP, but, if you still want to send an ICMP scan, you can. We send ICMP scans using the -1 (one) mode. Basically the syntax will be hping2 -1 IPADDRESS

[root@localhost hping2-rc3]# hping2 -1 192.168.0.100

HPING 192.168.0.100 (eth0 192.168.0.100): icmp mode set, 28 headers + 0 data bytes

len=46 ip=192.168.0.100 ttl=128 id=27118 icmp_seq=0 rtt=14.9 ms

len=46 ip=192.168.0.100 ttl=128 id=27119 icmp_seq=1 rtt=0.5 ms

len=46 ip=192.168.0.100 ttl=128 id=27120 icmp_seq=2 rtt=0.5 ms

len=46 ip=192.168.0.100 ttl=128 id=27121 icmp_seq=3 rtt=1.5 ms

len=46 ip=192.168.0.100 ttl=128 id=27122 icmp_seq=4 rtt=0.9 ms

— 192.168.0.100 hping statistic —

5 packets tramitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 0.5/3.7/14.9 ms

[root@localhost hping2-rc3]#

Syhunt Hybrid combines comprehensive static and dynamic security scans to detect vulnerabilities like XSS, File Inclusion, SQL Injection, Command Execution and many more, including inferential, in-band and out-of-band attacks through Hybrid-Augmented Analysis (HAST). With Syhunt's unique gray box/hybrid scanning capability the information acquired during source code scans is automatically used to create and enhance dynamic scans. All entry points are covered generating detailed information about the security level of your web applications. Available for on-premises deployment for businesses using Windows and Linux 64-bit.

Web Server Security Tools - Web Application Security Scanners The Syhunt Hybrid scanner automates web application security testing and guards the organization’s web infrastructure against web application security threats. Syhunt Dynamic crawls websites and detects XSS, directory transversal problems, fault injection, SQL injection, attempts to execute commands, and several other attacks. (P.1713/1697)

Comprehensive and Detailed Explanation From CEH v13 Guide:

R-U-Dead-Yet? (RUDY) is a DoS tool that targets web applications by sending slow HTTP POST requests with large Content-Length headers. This consumes server resources, leading to a denial of service.

CEH v13 Reference:

Module 9: Denial-of-Service – DoS Tools

“R-U-Dead-Yet? (RUDY) sends long-form POST requests to consume server-side sessions and exhaust resources without completing the transaction.”

In the Windows security model, SID ending in -500 is reserved for the built-in Administrator account. The SID seen in the image:

S-1-5-21-343818398-789336058-1343024091-500 → maps to user Joe

This proves that Joe is the true built-in administrator account on the domain EARTH.

From CEH v13 Courseware:

Module 4: Enumeration

Topic: SID Enumeration and Account Discovery

CEH v13 Study Guide states:

“In Windows, the account with RID 500 is always the default Administrator account. Even if renamed, its SID remains ending in -500. Enumeration of this SID allows attackers to identify privileged accounts.”

Incorrect Options:

A: Incomplete — it is not just that Joe has SID 500, but that SID 500 means Joe is the administrator.

B/C: These commands don’t validate Guest account status.

E: Incorrect — these commands explicitly prove administrator identity.

The Snort rule in the image is detecting suspicious bind attempts over DCERPC (Distributed Computing Environment/Remote Procedure Call), specifically targeting ports 135 (RPC) and 445 (SMB) with crafted content. The rule references CVE CAN-2003-0352.

CVE-2003-0352 is associated with the DCOM RPC vulnerability in Microsoft Windows that was exploited by the MS Blaster (also known as Lovsan) worm in 2003.

Key Indicators from the Snort Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135

content includes DCERPC binding pattern (|05| and |0b| with specific binary patterns)

Reference to CVE-2003-0352

Class type: attempted-admin

The MS Blaster worm exploited this vulnerability by sending a specially crafted RPC request to port 135, allowing remote code execution.

From CEH v13 Courseware:

Module 6: Malware Threats

Module 11: Session Hijacking

Discussion of historic worms and their exploit signatures, including MS Blaster.

Incorrect Options:

A. WebDav: Typically uses HTTP/HTTPS and was exploited by Nimda.

B. SQL Slammer: Targeted UDP port 1434 (SQL Server), not TCP 135/445.

D. MyDoom: Spread via email and exploited Windows file-sharing mechanisms (port 3127), not DCERPC.

A DHCP starvation assault is a pernicious computerized assault that objectives DHCP workers. During a DHCP assault, an unfriendly entertainer floods a DHCP worker with false DISCOVER bundles until the DHCP worker debilitates its stock of IP addresses. When that occurs, the aggressor can deny genuine organization clients administration, or even stock an other DHCP association that prompts a Man-in-the-Middle (MITM) assault.

In a DHCP Starvation assault, a threatening entertainer sends a huge load of false DISCOVER parcels until the DHCP worker thinks they’ve used their accessible pool. Customers searching for IP tends to find that there are no IP addresses for them, and they’re refused assistance. Furthermore, they may search for an alternate DHCP worker, one which the unfriendly entertainer may give. What’s more, utilizing a threatening or sham IP address, that unfriendly entertainer would now be able to peruse all the traffic that customer sends and gets.

In an unfriendly climate, where we have a malevolent machine running some sort of an instrument like Yersinia, there could be a machine that sends DHCP DISCOVER bundles. This malevolent customer doesn’t send a modest bunch – it sends a great many vindictive DISCOVER bundles utilizing sham, made-up MAC addresses as the source MAC address for each solicitation.

In the event that the DHCP worker reacts to every one of these false DHCP DISCOVER parcels, the whole IP address pool could be exhausted, and that DHCP worker could trust it has no more IP delivers to bring to the table to legitimate DHCP demands.

When a DHCP worker has no more IP delivers to bring to the table, ordinarily the following thing to happen would be for the aggressor to get their own DHCP worker. This maverick DHCP worker at that point starts giving out IP addresses.

The advantage of that to the assailant is that if a false DHCP worker is distributing IP addresses, including default DNS and door data, customers who utilize those IP delivers and begin to utilize that default passage would now be able to be directed through the aggressor’s machine. That is all that an unfriendly entertainer requires to play out a man-in-the-center (MITM) assault.

In this attack KRACK is an acronym for Key Reinstallation Attack. KRACK may be a severe replay attack on Wi-Fi Protected Access protocol (WPA2), which secures your Wi-Fi connection. Hackers use KRACK to take advantage of a vulnerability in WPA2. When in close range of a possible victim, attackers can access and skim encrypted data using KRACK.

How KRACK Works

Your Wi-Fi client uses a four-way handshake when attempting to attach to a protected network. The handshake confirms that both the client — your smartphone, laptop, et cetera — and therefore the access point share the right credentials, usually a password for the network. This establishes the Pairwise passkey (PMK), which allows for encoding .

Overall, this handshake procedure allows for quick logins and connections and sets up a replacement encryption key with each connection. this is often what keeps data secure on Wi-Fi connections, and every one protected Wi-Fi connections use the four-way handshake for security. This protocol is that the reason users are encouraged to use private or credential-protected Wi-Fi instead of public connections.

KRACK affects the third step of the handshake, allowing the attacker to control and replay the WPA2 encryption key to trick it into installing a key already in use. When the key’s reinstalled, other parameters related to it — the incremental transmit packet number called the nonce and therefore the replay counter — are set to their original values.

Rather than move to the fourth step within the four-way handshake, nonce resets still replay transmissions of the third step. This sets up the encryption protocol for attack, and counting on how the attackers replay the third-step transmissions, they will take down Wi-Fi security.

Why KRACK may be a Threat

Think of all the devices you employ that believe Wi-Fi. it isn’t almost laptops and smartphones; numerous smart devices now structure the web of Things (IoT). due to the vulnerability in WPA2, everything connected to Wi-Fi is in danger of being hacked or hijacked.

Attackers using KRACK can gain access to usernames and passwords also as data stored on devices. Hackers can read emails and consider photos of transmitted data then use that information to blackmail users or sell it on the Dark Web.

Theft of stored data requires more steps, like an HTTP content injection to load malware into the system. Hackers could conceivably take hold of any device used thereon Wi-Fi connection. Because the attacks require hackers to be on the brink of the target, these internet security threats could also cause physical security threats.

On the opposite hand, the necessity to be in close proximity is that the only excellent news associated with KRACK, as meaning a widespread attack would be extremely difficult.

Victims are specifically targeted. However, there are concerns that a experienced attacker could develop the talents to use HTTP content injection to load malware onto websites to make a more widespread affect.

Everyone is in danger from KRACK vulnerability. Patches are available for Windows and iOS devices, but a released patch for Android devices is currently in question (November 2017). There are issues with the discharge , and lots of question if all versions and devices are covered.

The real problem is with routers and IoT devices. These devices aren’t updated as regularly as computer operating systems, and for several devices, security flaws got to be addressed on the manufacturing side. New devices should address KRACK, but the devices you have already got in your home probably aren’t protected.

The best protection against KRACK is to make sure any device connected to Wi-Fi is patched and updated with the newest firmware. that has checking together with your router’s manufacturer periodically to ascertain if patches are available.

The safest connection option may be a private VPN, especially when publicly spaces. If you would like a VPN for private use, avoid free options, as they need their own security problems and there’ll even be issues with HTTPs. Use a paid service offered by a trusted vendor like Kaspersky. Also, more modern networks use WPA3 for better security.

Avoid using public Wi-Fi, albeit it’s password protection. That password is out there to almost anyone, which reduces the safety level considerably.

All the widespread implications of KRACK and therefore the WPA2 vulnerability aren’t yet clear. what’s certain is that everybody who uses Wi-Fi is in danger and wishes to require precautions to guard their data and devices.

The scenario describes a cryptographic attack where the attacker (in this case, the student) uses a predefined list of commonly used passwords to try and unlock a secured PDF document. This technique is known as a Dictionary Attack.

According to the CEH v13 Official Courseware:

A Dictionary Attack is defined as “a method of breaking passwords by trying out a predefined list of words (dictionary) commonly used as passwords.”

Unlike a brute-force attack, which tries every possible character combination, a dictionary attack relies on known or likely password choices, which makes it faster but less exhaustive.

Dictionary attacks are commonly used against encrypted or password-protected files, login forms, and even hashes.

Relevant distinctions from other options:

A. Man-in-the-middle attack involves intercepting communication between two parties and is unrelated to offline password cracking.

B. Brute-force attack tries all possible character combinations, not just a list of known or common passwords.

D. Session hijacking involves taking over a user session and is unrelated to document password cracking.

Reference – CEH v13 Official Study Materials:

Module 20: Cryptography

Section: "Cryptanalysis Techniques"

Subsection: "Dictionary Attack vs. Brute-force Attack"

CEH v13 eBook or Study Guide — look for Table: “Types of Password Attacks” under “Cryptography Attack Vectors”

This exact technique is illustrated in CEH v13 labs involving John the Ripper, Hydra, and password recovery tools.

The purpose of this idea is to permit multiple customers to figure on joint projects and applications that belong to the community, where it’s necessary to possess a centralized clouds infrastructure. In other words, Community Cloud may be a distributed infrastructure that solves the precise problems with business sectors by integrating the services provided by differing types of clouds solutions.

The communities involved in these projects, like tenders, business organizations, and research companies, specialise in similar issues in their cloud interactions. Their shared interests may include concepts and policies associated with security and compliance considerations, and therefore the goals of the project also .

Community Cloud computing facilitates its users to spot and analyze their business demands better. Community Clouds could also be hosted during a data center, owned by one among the tenants, or by a third-party cloud services provider and may be either on-site or off-site.

Community Cloud Examples and Use Cases

Cloud providers have developed Community Cloud offerings, and a few organizations are already seeing the advantages . the subsequent list shows a number of the most scenarios of the Community Cloud model that’s beneficial to the participating organizations.

Multiple governmental departments that perform transactions with each other can have their processing systems on shared infrastructure. This setup makes it cost-effective to the tenants, and may also reduce their data traffic.

Benefits of Community Clouds

Community Cloud provides benefits to organizations within the community, individually also as collectively. Organizations don’t need to worry about the safety concerns linked with Public Cloud due to the closed user group.

This recent cloud computing model has great potential for businesses seeking cost-effective cloud services to collaborate on joint projects, because it comes with multiple advantages.

Openness and Impartiality

Community Clouds are open systems, and that they remove the dependency organizations wear cloud service providers. Organizations are able to do many benefits while avoiding the disadvantages of both public and personal clouds.

Flexibility and Scalability

Ensures compatibility among each of its users, allowing them to switch properties consistent with their individual use cases. They also enable companies to interact with their remote employees and support the utilization of various devices, be it a smartphone or a tablet. This makes this sort of cloud solution more flexible to users’ demands.

Consists of a community of users and, as such, is scalable in several aspects like hardware resources, services, and manpower. It takes under consideration demand growth, and you simply need to increase the user-base.

High Availability and Reliability

Your cloud service must be ready to make sure the availability of knowledge and applications in the least times. Community Clouds secure your data within the same way as the other cloud service, by replicating data and applications in multiple secure locations to guard them from unforeseen circumstances.

Cloud possesses redundant infrastructure to form sure data is out there whenever and wherever you would like it. High availability and reliability are critical concerns for any sort of cloud solution.

Security and Compliance

Two significant concerns discussed when organizations believe cloud computing are data security and compliance with relevant regulatory authorities. Compromising each other’s data security isn’t profitable to anyone during a Community Cloud.

Users can configure various levels of security for his or her data. Common use cases:

the power to dam users from editing and downloading specific datasets.

Making sensitive data subject to strict regulations on who has access to Sharing sensitive data unique to a specific organization would bring harm to all or any the members involved.

What devices can store sensitive data.

Convenience and Control

Conflicts associated with convenience and control don’t arise during a Community Cloud. Democracy may be a crucial factor the Community Cloud offers as all tenants share and own the infrastructure and make decisions collaboratively. This setup allows organizations to possess their data closer to them while avoiding the complexities of a personal Cloud.

Less Work for the IT Department

Having data, applications, and systems within the cloud means you are doing not need to manage them entirely. This convenience eliminates the necessity for tenants to use extra human resources to manage the system. Even during a self-managed solution, the work is split among the participating organizations.

Environment Sustainability

In the Community Cloud, organizations use one platform for all their needs, which dissuades them from investing in separate cloud facilities. This shift introduces a symbiotic relationship between broadening and shrinking the utilization of cloud among clients. With the reduction of organizations using different clouds, resources are used more efficiently, thus resulting in a smaller carbon footprint.

A sniffer tool is a software or hardware device that can capture and analyze network traffic. In a switched Ethernet environment, where each port on a switch is connected to a single device, a sniffer tool can only see the traffic that is destined for or originated from the device it is attached to. However, an attacker can use various techniques to overcome this limitation and sniff the traffic of other devices on the same network. One of these techniques is MAC flooding, which exploits the finite memory of the switch’s MAC address table. The attacker sends a large number of frames with different source MAC addresses to the switch, which fills up the MAC address table and causes the switch to enter a fail-open mode, where it broadcasts all incoming frames to all ports, regardless of the destination MAC address. This way, the attacker can see all the traffic on the network and capture it with a sniffer tool.

The other options are less likely or less effective techniques for sniffing a switched Ethernet network. Compromising physical security to plug into the network directly may allow the attacker to sniff the traffic of the device they are connected to, but not the traffic of other devices on the network. Using a Trojan horse with in-built sniffing capability may allow the attacker to sniff the traffic of the infected device, but not the traffic of other devices on the network, unless the Trojan horse also performs MAC flooding or other techniques to bypass the switch. Using passive sniffing, which involves listening to the network traffic without sending any packets, may provide significant stealth advantages, but it does not help the attacker to see the traffic of other devices on the network, unless the switch is already in fail-open mode or the attacker uses other techniques to induce it. 

Zone transfers (AXFR) are DNS operations used to replicate DNS data from a primary to a secondary server. If improperly configured, attackers can request these transfers and retrieve valuable DNS information, including hostnames and IPs.

Correct Statements:

A: Zone transfers are DNS protocol operations.

C: They transfer the entire DNS zone file (records for the domain).

E: Zone transfers use TCP port 53. Blocking it can prevent unauthorized transfers.

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration → Zone Transfers

CEH v13 Study Guide states:

“A zone transfer is a mechanism used by DNS servers to replicate databases. It can be used by attackers to retrieve detailed DNS information if not properly restricted. Zone transfers occur over TCP port 53.”

Incorrect Statements:

B/D: nslookup is a query tool; it doesn’t perform or manage zone transfers.

F: Zone transfers can happen on the internet if DNS servers are misconfigured.

JXplorer could be a cross platform LDAP browser and editor. it’s a standards compliant general purpose LDAP client which will be used to search, scan and edit any commonplace LDAP directory, or any directory service with an LDAP or DSML interface.

It is extremely flexible and can be extended and custom in a very number of the way. JXplorer is written in java, and also the source code and source code build system ar obtainable via svn or as a packaged build for users who wish to experiment or any develop the program.

JX is is available in 2 versions; the free open source version under an OSI Apache two style licence, or within the JXWorkBench Enterprise bundle with inbuilt reporting, administrative and security tools.

JX has been through a number of different versions since its creation in 1999; the foremost recent stable release is version 3.3.1, the August 2013 release.

JXplorer could be a absolutely useful LDAP consumer with advanced security integration and support for the harder and obscure elements of the LDAP protocol. it’s been tested on Windows, Solaris, linux and OSX, packages are obtainable for HPUX, AIX, BSD and it should run on any java supporting OS.

Btlejack is a tool used for attacking Bluetooth Low Energy (BLE) connections, including sniffing, jamming, and hijacking.

The -f option specifies the access address of the BLE connection.

The -j option is used to hijack an active BLE connection.

Therefore, the correct syntax to hijack a BLE connection is:

btlejack -f [access_address] -j

This matches Option A: btlejack -f 0x129f3244 -j

Incorrect Options:

B. -c any is used for sniffing any advertising packet but not for hijacking.

C. -d specifies device paths; -s starts a scan but does not hijack.

D. This is likely a malformed or unrelated command in the context of hijacking.

Reference – CEH v13 Official Courseware:

Module 18: IoT and OT Hacking

Section: “Bluetooth Low Energy (BLE) Attacks”

Tool Focus: “Btlejack Command Usage”

CEH iLab: Btlejacking with micro:bit

The action that would best protect your web server from potential misconfiguration-based attacks is performing regular server configuration audits. A server configuration audit is a process of reviewing and verifying the security settings and parameters of the server, such as user accounts, permissions, services, ports, protocols, files, directories, logs, and patches. A server configuration audit can help you to identify and fix any security misconfigurations that may expose your server to attacks, such as using default credentials, enabling unnecessary services, leaving open ports, or missing security updates. A server configuration audit can also help you to comply with the security standards and best practices for your server, such as the CIS Benchmarks or the OWASP Secure Configuration Guide12.

The other options are not as effective as option A for the following reasons:

B. Enabling multi-factor authentication for users: This option is not relevant because it does not address the server misconfiguration issue, but the user authentication issue. Multi-factor authentication is a method of verifying the identity of the users by requiring them to provide two or more pieces of evidence, such as a password, a code, or a biometric factor. Multi-factor authentication can enhance the security of the user accounts and prevent unauthorized access, but it does not prevent the server from being attacked due to misconfigured settings or parameters3.

C. Implementing a firewall to filter traffic: This option is not sufficient because it does not prevent the server from being misconfigured, but only limits the exposure of the server to the network. A firewall is a device or software that monitors and controls the incoming and outgoing network traffic based on predefined rules. A firewall can protect the server from external attacks by blocking or allowing certain ports, protocols, or IP addresses. However, a firewall cannot protect the server from internal attacks or from attacks that exploit the allowed traffic. Moreover, a firewall itself can be misconfigured and cause security issues4.

D. Regularly backing up server data: This option is not preventive but reactive, as it does not protect the server from being attacked, but only helps to recover the data in case of an attack. Backing up server data is a process of creating and storing copies of the data on the server, such as files, databases, or configurations. Backing up server data can help you to restore the data in case of data loss, corruption, or deletion due to an attack. However, backing up server data does not prevent the server from being attacked in the first place, and it does not fix the security misconfigurations that may have caused the attack5.

A hybrid encryption system is a system that combines the advantages of both asymmetric and symmetric encryption algorithms. Asymmetric encryption, such as RSA, uses a pair of keys: a public key and a private key, which are mathematically related but not identical. Asymmetric encryption can provide key exchange, authentication, and non-repudiation, but it is slower and less efficient than symmetric encryption. Symmetric encryption, such as AES, uses a single key to encrypt and decrypt data. Symmetric encryption is faster and more efficient than asymmetric encryption, but it requires a secure way to share the key.

In a hybrid encryption system, RSA encryption is used for key exchange, and AES encryption is used for data encryption. This way, the system can benefit from the security of RSA and the speed of AES. However, the system also depends on the key sizes of both algorithms, which affect the security and performance of the system.

The key size of RSA encryption determines the number of bits in the public and private keys. The larger the key size, the more secure the encryption, but also the slower the key generation and encryption/decryption processes. The time complexity of generating an RSA key pair is O(n*2), where n is the key size in bits. This means that the time required to generate an RSA key pair increases quadratically with the key size. For example, if it takes 1 second to generate a 1024-bit RSA key pair, it will take 4 seconds to generate a 2048-bit RSA key pair, and 16 seconds to generate a 4096-bit RSA key pair.

The key size of AES encryption determines the number of bits in the symmetric key. The larger the key size, the more secure the encryption, but also the more rounds of encryption/decryption are needed. The time complexity of AES encryption is O(n), where n is the key size in bits. This means that the time required to encrypt/decrypt data increases linearly with the key size. For example, if it takes 1 second to encrypt/decrypt data with a 128-bit AES key, it will take 2 seconds to encrypt/decrypt data with a 256-bit AES key, and 4 seconds to encrypt/decrypt data with a 512-bit AES key.

An attacker has developed a quantum algorithm with time complexity O((log n)*2) to crack RSA encryption. This means that the time required to break RSA encryption decreases exponentially with the key size. For example, if it takes 1 second to break a 1024-bit RSA encryption, it will take 0.25 seconds to break a 2048-bit RSA encryption, and 0.0625 seconds to break a 4096-bit RSA encryption. This makes RSA encryption vulnerable to quantum attacks, unless the key size is very large.

Given n=4000 and variable AES key size, the scenario that is likely to provide the best balance of security and performance is C. AES key size=192 bits. This configuration is a compromise between options A and B, providing moderate security and performance. Option A, AES key size=128 bits, provides less security than option C, but RSA key generation and AES encryption will be faster. Option B, AES key size=256 bits, provides more security than option C, but RSA key generation may be slow. Option D, AES key size=512 bits, provides the highest level of security, but at a significant performance cost due to the large AES key size.

In CEH v13 Module 03: Scanning Networks, ICMP scan types are covered under host discovery techniques in Nmap/Zenmap.

The -PP option in Nmap is used to perform an ICMP timestamp request scan.

This method sends an ICMP timestamp request and listens for a timestamp reply from the target.

It helps analysts determine the system uptime and verify whether the host is alive (for stealthy discovery).

Option Clarification:

A. -PY: SCTP INIT Ping (used for SCTP-based hosts).

B. -PU: UDP Ping (sends UDP packets).

C. -PP: ICMP Timestamp Ping — correct answer.

D. -Pn: Skips host discovery (treats all hosts as alive), not a ping type.

The SSID (service set identifier) is the name of your wireless network. SSID broadcast is how your router transmits this name to surrounding devices. Its primary function is to make your network visible and easily accessible. Most routers broadcast their SSIDs automatically. To disable or enable SSID broadcast, you need to change your router’s settings.

Disabling SSID broadcast will make your Wi-FI network name invisible to other users. However, this only hides the name, not the network itself. You cannot disguise the router's activity, so hackers can still attack it.

With your network invisible to wireless devices, connecting becomes a bit more complicated. Just giving a Wi-FI password to your guests is no longer enough. They have to configure their settings manually by including the network name, security mode, and other relevant info.

Disabling SSID might be a small step towards online security, but by no means should it be your final one. Before considering it as a security measure, consider the following aspects:

- Disabling SSID broadcast will not hide your network completely

Disabling SSID broadcast only hides the network name, not the fact that it exists. Your router constantly transmits so-called beacon frames to announce the presence of a wireless network. They contain essential information about the network and help the device connect.

- Third-party software can easily trace a hidden network

Programs such as NetStumbler or Kismet can easily locate hidden networks. You can try using them yourself to see how easy it is to find available networks – hidden or not.

- You might attract unwanted attention.

Disabling your SSID broadcast could also raise suspicion. Most of us assume that when somebody hides something, they have a reason to do so. Thus, some hackers might be attracted to your network.

In CEH v13 Module 09: Social Engineering, spear-phishing is described as a targeted email-based attack in which malicious actors craft highly personalized emails to specific individuals within an organization.

Characteristics from the scenario:

The attacker sends a fraudulent email to an employee.

The email contains a malicious attachment.

Once opened, malware is installed, targeting ICS/SCADA components.

The attack spreads and ultimately damages industrial systems.

This is a classic spear-phishing attack used as the initial infection vector in Advanced Persistent Threats (APT) targeting industrial control systems.

Why Others Are Incorrect:

B. SMiShing: SMS-based phishing; not email-related.

C. Reconnaissance: Pre-attack information gathering, not execution.

D. HMI-based attack: Targets Human-Machine Interface devices, but that’s not how the attack started here.

Trident is a highly sophisticated spyware tool used in mobile surveillance operations. It exploits multiple zero-day vulnerabilities to jailbreak iPhones remotely and grant full control to the attacker. It is famously associated with the Pegasus spyware, which was able to:

Record calls and ambient sound

Capture screenshots

Read SMS, emails, and contacts

Monitor GPS and application use

As per CEH v13:

Trident uses a chain of exploits to compromise iOS devices without physical access.

It was used in highly targeted attacks against journalists, activists, and government officials.

Incorrect Options:

A. DroidSheep is an Android tool for session hijacking on unsecured Wi-Fi.

B. Androrat is a RAT for Android devices.

C. Zscaler is a cloud security platform, not malware.

Reference – CEH v13 Official Courseware:

Module 17: Hacking Mobile Platforms

Section: “iOS Malware”

Subsection: “Spyware like Trident and Pegasus”

===========

Brute-force attack when an attacker uses a set of predefined values to attack a target and analyze the response until he succeeds. Success depends on the set of predefined values. It will take more time if it is larger, but there is a better probability of success. In a traditional brute-force attack, the passcode or password is incrementally increased by one letter/number each time until the right passcode/password is found.

There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS flaws: non-persistent and persistent. In this issue, we consider the non-persistent cross-site scripting vulnerability.

The non-persistent (or reflected) cross-site scripting vulnerability is by far the most basic type of web vulnerability. These holes show up when the data provided by a web client, most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the content.

Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection. A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.

In CEH v13 Module 05: System Hacking, and Module 14: Access Control, Identity Management, and Cryptography, Single Sign-On (SSO) is defined as a system that allows users to authenticate once and gain access to multiple systems without re-entering credentials.

SSO uses a Central Authentication Server (CAS).

Common technologies: Kerberos, OAuth, SAML, AD Federation Services.

Improves user convenience and centralized credential management.

Bollards are short vertical posts installed to control or direct road traffic, but more importantly, they act as physical security controls to prevent vehicle-ramming attacks or unauthorized vehicle entry into sensitive or secure areas such as building entrances. They are often reinforced and strategically placed to withstand high-speed collisions.

This is a physical security control described in CEH v13 Module 01 (Introduction to Ethical Hacking) and further discussed in physical security best practices for preventing unauthorized physical access.

Incorrect Options:

B. Receptionist is a human control, not a physical barrier for vehicles.

C. Mantrap is used to control personnel access, not vehicle access.

D. Turnstile controls pedestrian entry, not vehicles.

Risk assessment is a key process in security management that identifies, evaluates, and prioritizes risks to organizational operations and assets. It considers various controls and safeguards to mitigate those risks.

Administrative safeguards are part of the components used in risk assessments and include:

Policies

Procedures

Training

Security awareness programs

Incident response planning

From CEH v13:

Module 1: Introduction to Ethical Hacking

Module 20: Cryptography (as it discusses risk management and governance)

Topic: Security Controls and Risk Management Frameworks

CEH v13 Official Courseware states:

“Administrative controls, also known as administrative safeguards, form a critical component of risk assessments. These include documented security policies, user training, security audits, and incident response plans that help an organization manage and reduce risks.”

Incorrect Options:

B. Physical security is a type of safeguard but not typically referred to as a "component" of a risk assessment itself.

C. DMZ (Demilitarized Zone) is a network architecture concept, not a risk assessment component.

D. Logical interface refers to system architecture and network segmentation—not risk assessment methodology.

A Wireless Intrusion Prevention System (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).

DNS zone transfers occur when a secondary name server (slave) checks the Start of Authority (SOA) record from the primary server. The serial number in the SOA indicates the version of the zone file.

If:

Primary SOA serial > Secondary SOA serial

→ Zone transfer is initiated by the secondary server to update its data.

From CEH v13:

Module 3: DNS Enumeration

Topic: Zone Transfers and SOA Logic

CEH v13 Study Guide states:

“A secondary name server periodically queries the primary name server for changes. If the serial number in the SOA record is higher on the primary, it indicates a zone update, and a zone transfer is triggered.”

Incorrect Options:

B: Reversed condition

C/D: Restarting services doesn’t necessarily trigger a transfer

E: TTL expiration affects caching, not zone transfer logic

Google hacking or Google dorking https://en.wikipedia.org/wiki/Google_hacking

It is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. Google dorking could also be used for OSINT.

Search syntax https://en.wikipedia.org/wiki/Google_Search

Google’s search engine has its own built-in query language. The following list of queries can be run to find a list of files, find information about your competition, track people, get information about SEO backlinks, build email lists, and of course, discover web vulnerabilities.

- [site:] - Search within a specific website

A Collision attack is a type of cryptographic attack that targets the hash function. The goal of this attack is to find two different inputs that produce the same hash output. This undermines the integrity of the hashing algorithm, as hash functions are expected to produce a unique output for each unique input.

In practical terms, if two different documents (inputs) produce the same hash value (collision), an attacker can replace a legitimate file with a malicious one without detection, assuming the system validates integrity only via the hash.

CEH v13 defines a collision attack as follows:

"A collision attack focuses on finding two different messages (M1 and M2) that produce the same hash value. This can compromise digital signatures, certificates, and other security protocols."

Reference – CEH v13 Study Guide:

Module 20: Cryptography, Section: “Hashing Algorithms and Attacks”, Subsection: “Collision Attacks”

Incorrect Options Explained:

A: Public keys are part of asymmetric encryption, not relevant to collisions.

B/C: These are incorrect descriptions; collision attacks are not about breaking hashes into parts to retrieve plaintext or private keys.

‒‒‒‒‒‒‒‒‒‒‒‒‒‒‒

The host-based vulnerability assessment (VA) resolution arose from the auditors’ got to periodically review systems. Arising before the net becoming common, these tools typically take an “administrator’s eye” read of the setting by evaluating all of the knowledge that an administrator has at his or her disposal.

Uses

Host VA tools verify system configuration, user directories, file systems, registry settings, and all forms of other info on a number to gain information about it. Then, it evaluates the chance of compromise. it should also live compliance to a predefined company policy so as to satisfy an annual audit. With administrator access, the scans area unit less possible to disrupt traditional operations since the computer code has the access it has to see into the complete configuration of the system.

What it Measures Host

VA tools will examine the native configuration tables and registries to spot not solely apparent vulnerabilities, however additionally “dormant” vulnerabilities – those weak or misconfigured systems and settings which will be exploited when an initial entry into the setting. Host VA solutions will assess the safety settings of a user account table; the access management lists related to sensitive files or data; and specific levels of trust applied to other systems. The host VA resolution will a lot of accurately verify the extent of the danger by determinant however way any specific exploit could also be ready to get.

Types of Vulnerability Assessment Host-based assessments are a type of security check that involve conducting a configuration-level check to identify system configurations, user directories, file systems, registry settings, and other parameters to evaluate the possibility of compromise. 
Host-based scanners assess systems to identify vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors. (P.528/512)

Comprehensive and Detailed Explanation:

Containers share the same host operating system kernel, unlike VMs which run isolated kernels. This shared kernel increases the attack surface — a compromise in one container can potentially affect the entire host if kernel-level access is obtained.

From CEH v13 Courseware:

Module 14: Hacking Web Applications → Container Security

“Containers are less secure because they share the host kernel. Attackers compromising the container can exploit vulnerabilities in the shared OS.”

An advanced persistent threat (APT) may be a broad term wont to describe AN attack campaign within which an intruder, or team of intruders, establishes a bootleg, long presence on a network so as to mine sensitive knowledge.

The targets of those assaults, that square measure terribly fastidiously chosen and researched, usually embrace massive enterprises or governmental networks. the implications of such intrusions square measure huge, and include:

Intellectual property thieving (e.g., trade secrets or patents)

Compromised sensitive info (e.g., worker and user personal data)

The sabotaging of essential structure infrastructures (e.g., information deletion)

Total website takeovers

Executing an APT assault needs additional resources than a regular internet application attack. The perpetrators square measure typically groups of intimate cybercriminals having substantial resource. Some APT attacks square measure government-funded and used as cyber warfare weapons.

APT attacks dissent from ancient internet application threats, in that:

They’re considerably additional advanced.

They’re not hit and run attacks—once a network is infiltrated, the culprit remains so as to realize the maximum amount info as potential.

They’re manually dead (not automated) against a selected mark and indiscriminately launched against an outsized pool of targets.

They typically aim to infiltrate a complete network, as opposition one specific half.

More common attacks, like remote file inclusion (RFI), SQL injection and cross-site scripting (XSS), square measure oftentimes employed by perpetrators to ascertain a footing in a very targeted network. Next, Trojans and backdoor shells square measure typically wont to expand that foothold and make a persistent presence inside the targeted perimeter.

A multihomed firewall refers to a firewall with two or more network interfaces (NICs), each connected to different network segments. The purpose of a multihomed firewall is to allow filtering and segmentation of traffic between multiple network zones, such as:

External network (e.g., Internet)

Internal network (e.g., LAN)

To qualify as multihomed, the system must have at least two network interfaces. This allows it to sit between two networks and inspect/filter traffic passing through it.

Reference – CEH v13 Official Study Guide:

Module 13: Evading IDS, Firewalls, and Honeypots

Section: Firewall Architecture

Quote:

“A multihomed firewall is a system with two or more NICs connected to different networks, typically used to control traffic between internal and external networks. The minimum number of interfaces is two.”

Incorrect Options Explained:

A. 3 interfaces may be used in advanced setups (e.g., with a DMZ), but not the minimum.

B & C. 4 or 5 connections are not required unless designing more complex segmentation.

===========