312-50v13 Exam Dumps - ECCouncil CEH v13 Questions and Answers

A null user is a special connection made to a Windows system without providing a username or password. In older versions of Windows (NT, 2000, XP), null sessions could be used to anonymously connect to IPC$ share and enumerate:

Users

Groups

Shares

Policies

From CEH v13 Courseware:

Module 4: Enumeration → Null Sessions

CEH v13 Study Guide states:

“Null users are unauthenticated sessions used to access certain system resources without credentials. These are commonly used in enumeration attacks.”

The CEH v13 courseware states that insecure communication occurs when mobile applications transmit sensitive data over unencrypted or weakly encrypted channels, exposing information to interception. When an application uses plain HTTP or does not properly validate certificates, attackers can place themselves between the client and server using a man-in-the-middle (MitM) attack. This allows them to read session tokens, credentials, API keys, or personal user data as it travels across the network. CEH materials emphasize that MitM attacks are the primary exploitation technique for insecure data transmission because they exploit weaknesses in transport-layer security rather than weaknesses in backend code or authentication mechanisms. SQL injection and CSRF attacks target web application logic, not transport encryption. Brute-force attacks target authentication mechanisms and are unrelated to how data is transmitted. Therefore, the most effective exploitation method is intercepting traffic via MitM to capture or manipulate unencrypted communications.

The File Transfer Protocol (FTP) is a standard organization convention utilized for the exchange of PC records from a worker to a customer on a PC organization. FTP is based on a customer worker model engineering utilizing separate control and information associations between the customer and the server.[1] FTP clients may validate themselves with an unmistakable book sign-in convention, ordinarily as a username and secret key, however can interface namelessly if the worker is designed to permit it. For secure transmission that ensures the username and secret phrase, and scrambles the substance, FTP is frequently made sure about with SSL/TLS (FTPS) or supplanted with SSH File Transfer Protocol (SFTP).

The primary FTP customer applications were order line programs created prior to working frameworks had graphical UIs, are as yet dispatched with most Windows, Unix, and Linux working systems.[2][3] Many FTP customers and mechanization utilities have since been created for working areas, workers, cell phones, and equipment, and FTP has been fused into profitability applications, for example, HTML editors.

CEH v13 identifies kernel-level rootkits as among the most dangerous malware types. Because they operate at the lowest OS level, they can hide processes, files, and system calls.

CEH v13 states that the only guaranteed remediation is a complete system wipe and clean OS reinstallation from a trusted source. Attempting removal risks incomplete eradication.

Powering down alone does not remove the rootkit. Honeypots are for detection, not remediation. Tailored removal tools may fail at kernel depth.

Thus, Option C is correct.

A cloud carrier acts as an intermediary that provides connectivity and transport of cloud services between cloud consumers and cloud providers.

Cloud carriers provide access to consumers through network, telecommunication and other access devices. for instance, cloud consumers will obtain cloud services through network access devices, like computers, laptops, mobile phones, mobile web devices (MIDs), etc.

The distribution of cloud services is often provided by network and telecommunication carriers or a transport agent, wherever a transport agent refers to a business organization that provides physical transport of storage media like high-capacity hard drives.

Note that a cloud provider can started SLAs with a cloud carrier to provide services consistent with the level of SLAs offered to cloud consumers, and will require the cloud carrier to provide dedicated and secure connections between cloud consumers and cloud providers.

Comprehensive and Detailed Explanation:

Containers share the same host operating system kernel, unlike VMs which run isolated kernels. This shared kernel increases the attack surface — a compromise in one container can potentially affect the entire host if kernel-level access is obtained.

From CEH v13 Courseware:

Module 14: Hacking Web Applications → Container Security

“Containers are less secure because they share the host kernel. Attackers compromising the container can exploit vulnerabilities in the shared OS.”

CEH v13 explains that when traditional enumeration techniques—such as SMB null sessions—are disabled, attackers often pivot to misconfigured LDAP services that still allow anonymous binding. LDAP anonymous bind, when not properly restricted, exposes directory information such as usernames, organizational units, group memberships, and other metadata. This aligns directly with the scenario, where the tester must avoid triggering alarms while still gathering internal data. LDAP queries generate minimal noise, often blending with normal authentication-related traffic, making them ideal for covert enumeration. Options A and C would require authentication or violate access restrictions, and DNS zone transfers (Option D) rarely succeed because modern DNS servers disable AXFR requests from unauthorized clients. CEH repeatedly stresses the importance of detecting and securing LDAP anonymous bind due to its potential for silent information leakage—making Option B the correct choice.

Comprehensive and Detailed Explanation:

Subnet 10.1.4.0/23 includes addresses from:

10.1.4.0 to 10.1.5.255

Total = 512 IPs (510 usable)

Last 100 usable IPs would be:

Start: 10.1.5.155 to 10.1.5.254

Only option C (10.1.5.200) falls within that range.

From CEH v13 Courseware:

Module 3: Subnetting & IP Addressing

ARP (Address Resolution Protocol) spoofing/poisoning is a common attack in which an attacker sends falsified ARP messages to associate their MAC address with the IP address of another host. To defend against ARP spoofing:

A. Port Security: Limits the number of MAC addresses per port; prevents MAC flooding and spoofing.

B. ARPwatch: Monitors ARP traffic and alerts on unusual changes.

D. Static ARP Entries: Prevent ARP responses from overwriting MAC-IP mappings, effective in small networks.

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

Module 20: Network Security

Incorrect Options:

C: Firewalls operate at Layer 3+; ARP is a Layer 2 protocol, so firewalls don’t prevent ARP spoofing.

E: Static IP addresses do not prevent ARP poisoning.

A NOP (No Operation) instruction tells the CPU to do nothing for one instruction cycle. In exploit development:

A NOP sled is a long sequence of NOPs (0x90) that increases the chance of the instruction pointer landing before the shellcode.

0x90 is the x86 opcode for the NOP instruction.

From CEH v13 Courseware:

Module 6: Malware Threats → Shellcode and Buffer Overflow

Docker uses a client-server design. The docker client talks to the docker daemon, that will the work of building, running, and distributing your docker containers. The docker client and daemon will run on the same system, otherwise you will connect a docker consumer to a remote docker daemon. The docker consumer and daemon communicate using a REST API, over OS sockets or a network interface.

The docker daemon (dockerd) listens for docker API requests and manages docker objects like pictures, containers, networks, and volumes. A daemon may communicate with other daemons to manage docker services.

DNS hijacking occurs when attackers manipulate DNS responses to redirect traffic to malicious servers. CEH v13 clearly identifies DNSSEC (Domain Name System Security Extensions) as the primary defense against such attacks.

DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify authenticity and integrity of DNS responses. Without DNSSEC, attackers can spoof DNS responses even if servers are fully patched.

Changing IP addresses and using LAMP do not address DNS trust. Patching is essential but does not prevent DNS spoofing.

CEH v13 explicitly recommends DNSSEC for preventing cache poisoning and DNS hijacking attacks, making Option C the correct answer.

A Protocol Analyzer is the correct tool used to examine the contents of packet data (often stored in .pcap files) to determine if a particular sequence of traffic is suspicious, malformed, or part of a known exploit.

In CEH v13:

Module 3: Scanning Networks

Module 4: Enumeration

Module 5: Vulnerability Analysis

Related Lab: Packet Analysis using Wireshark

The CEH v13 Study Guide states:

“A protocol analyzer (e.g., Wireshark) captures and decodes packets to display their contents and help analysts understand communication flows and anomalies. It is used to manually inspect packet contents and behavior, which helps distinguish legitimate traffic from attacks.”

PCAP (Packet Capture) files are typically analyzed using tools like Wireshark. These tools decode protocol layers and show payloads, making it easier for analysts to identify if IDS alerts were accurate or false positives.

Incorrect Options:

B. Network sniffer: General term; protocol analyzer is the specific functional tool used.

C. IPS: Prevents or blocks malicious traffic, but does not analyze existing packet captures.

D. Vulnerability scanner: Identifies vulnerabilities on systems/services; not used for packet capture review.

Remote File Inclusion occurs when an application allows external resources to be loaded from user-controlled input. CEH teaches that an attacker can supply a remote URL pointing to a malicious script (for example, a PHP shell). When the vulnerable application includes this external file, the attacker's code executes on the server. This can lead to full system compromise, remote command execution, or lateral movement.

https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

LDAP, the Lightweight Directory Access Protocol, is a mature, flexible, and well supported standards-based mechanism for interacting with directory servers. It’s often used for authentication and storing information about users, groups, and applications, but an LDAP directory server is a fairly general-purpose data store and can be used in a wide variety of applications.

The LDAP protocol can deal in quite a bit of sensitive data: Active Directory usernames, login attempts, failed-login notifications, and more. If attackers get ahold of that data in flight, they might be able to compromise data like legitimate AD credentials and use it to poke around your network in search of valuable assets.

Encrypting LDAP traffic in flight across the network can help prevent credential theft and other malicious activity, but it's not a failsafe—and if traffic is encrypted, your own team might miss the signs of an attempted attack in progress.

While LDAP encryption isn't standard, there is a nonstandard version of LDAP called Secure LDAP, also known as "LDAPS" or "LDAP over SSL" (SSL, or Secure Socket Layer, being the now-deprecated ancestor of Transport Layer Security).

LDAPS uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.

In CEH v13 Module 14: Cryptography, VPN (Virtual Private Network) technology is described as the method that allows users to securely transmit data over an insecure (public) network by establishing a secure, encrypted tunnel.

VPN Features:

Encrypts all traffic between the user's device and the target network.

Prevents session hijacking, eavesdropping, and man-in-the-middle (MITM) attacks.

Common protocols: IPSec, L2TP, SSL VPN, and OpenVPN.

Option Clarification:

A. DMZ: A network segmentation strategy, not an encryption method.

B. SMB signing: Ensures integrity for SMB protocol, but not for remote tunneling.

C. VPN: Correct. Used to securely tunnel over public networks.

D. Switch network: Refers to network segmentation using switches, unrelated to tunneling.

ISAPI (Internet Server Application Programming Interface) filters are DLLs used to extend the functionality of Microsoft IIS (Internet Information Services). If unnecessary or outdated ISAPI filters are enabled, they can introduce vulnerabilities or backdoors that attackers may exploit to launch web server-based attacks.

From the CEH v13 Official Courseware:

Module 14: Hacking Web Servers

Section: Web Server Vulnerabilities

Subsection: Common Web Server Misconfigurations

CEH v13 states:

“Unnecessary ISAPI filters and extensions should be disabled or removed, as they may introduce unneeded attack surfaces on the web server. Attackers may exploit vulnerabilities in these filters to gain unauthorized access, execute code remotely, or escalate privileges on the server.”

This is part of a broader hardening strategy to reduce the web server’s attack surface.

Incorrect Options:

A. Social engineering involves manipulating people, not software vulnerabilities.

C. Jailbreaking refers to bypassing restrictions on mobile devices.

D. Wireless attacks are unrelated to web server software components.

This scenario illustrates physical impersonation, a social engineering tactic discussed in CEH v13 Social Engineering. The attacker exploits trust in appearance and role assumption, dressing as a network technician to gain access without challenge.

Unlike tailgating (which involves following someone), this attack relies on assumed authority and familiarity. CEH v13 categorizes this under impersonation attacks, where attackers pose as employees, contractors, or vendors.

Other options describe different social engineering vectors:

A: Phone-based pretexting

B: Dumpster diving

C: Vishing

Physical impersonation is particularly dangerous because it bypasses technical controls entirely. Option D best matches the scenario.

A NULL scan is a type of TCP scan where no TCP flags are set in the packet. This unconventional packet is used to evade firewalls and intrusion detection systems and to determine the state of a port based on the response.

Behavior:

Open port → No response

Closed port → RST (Reset)

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: TCP Flag Scanning Methods

CEH v13 Study Guide states:

“A NULL scan sends a TCP packet with all flags turned off. The system’s response (or lack thereof) allows the attacker to infer whether a port is open or closed, especially on UNIX-based systems.”

Incorrect Options:

B: Vague and inaccurate

C: Refers to Xmas scan (URG, PSH, FIN)

D/E: Irrelevant to TCP flags

Command Breakdown:

nc: Netcat utility

-l: Listen mode

-u: Use UDP protocol

-p 55555: Listen on port 55555

< /etc/passwd: Redirects the contents of /etc/passwd into the socket

This means that when a connection is made to UDP port 55555, the contents of /etc/passwd will be sent to the connecting host.

From CEH v13 Courseware:

Module 8: Sniffing & Network Communication Tools

CEH v13 Study Guide states:

“Netcat can be used to serve files, open shells, or transfer data. Using input redirection, it can stream file contents to anyone who connects.”

Incorrect Options:

A: Does not log; it outputs /etc/passwd

C: The opposite; it serves the file, doesn’t grab it

D: Netcat does not delete files with this syntax