312-50v13 Exam Dumps - ECCouncil CEH v13 Questions and Answers

Telnetting into port 25 allows users to manually issue SMTP commands. While not necessarily malicious, it can be abused (e.g., for spamming or probing).

You don’t want to shut down SMTP (as that’s required for email), and you can’t block port 25 entirely. The best approach is to secure the service by requiring:

SMTP authentication (username/password)

Possibly TLS encryption

From CEH v13 Courseware:

Module 5: Vulnerability Analysis

Module 20: Secure Protocols

CEH v13 Study Guide states:

“To prevent unauthorized SMTP access, require SMTP AUTH. This allows only authenticated users to send email, mitigating abuse of open mail relays.”

Incorrect Options:

A: Blocks all SMTP, affecting email functionality.

B: Disables mail service entirely.

D: Switching platforms doesn’t solve the underlying issue.

E: Not appropriate—there is a clear solution.

Agent Smith Attack

Agent Smith attacks are carried out by luring victims into downloading and installing malicious

apps designed and published by attackers in the form of games, photo editors, or other

attractive tools from third-party app stores such as 9Apps. Once the user has installed the app,

the core malicious code inside the application infects or replaces the legitimate apps in the

victim's mobile device C&C commands. The deceptive application replaces legitimate apps such

as WhatsApp, SHAREit, and MX Player with similar infected versions. The application sometimes

also appears to be an authentic Google product such as Google Updater or Themes. The

attacker then produces a massive volume of irrelevant and fraudulent advertisements on the

victim's device through the infected app for financial gain. Attackers exploit these apps to steal

critical information such as personal information, credentials, and bank details, from the

victim's mobile device through C&C commands.

In the Windows security model, SID ending in -500 is reserved for the built-in Administrator account. The SID seen in the image:

S-1-5-21-343818398-789336058-1343024091-500 → maps to user Joe

This proves that Joe is the true built-in administrator account on the domain EARTH.

From CEH v13 Courseware:

Module 4: Enumeration

Topic: SID Enumeration and Account Discovery

CEH v13 Study Guide states:

“In Windows, the account with RID 500 is always the default Administrator account. Even if renamed, its SID remains ending in -500. Enumeration of this SID allows attackers to identify privileged accounts.”

Incorrect Options:

A: Incomplete — it is not just that Joe has SID 500, but that SID 500 means Joe is the administrator.

B/C: These commands don’t validate Guest account status.

E: Incorrect — these commands explicitly prove administrator identity.

https://en.wikipedia.org/wiki/IPsec

Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks. It supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection.

The initial IPv4 suite was developed with few security provisions. As a part of the IPv4 enhancement, IPsec is a layer 3 OSI model or internet layer end-to-end security scheme. In contrast, while some other Internet security systems in widespread use operate above layer 3, such as Transport Layer Security (TLS) that operates at the Transport Layer and Secure Shell (SSH) that operates at the Application layer, IPsec can automatically secure applications at the IP layer.

Comprehensive and Detailed Explanation From CEH v13 Guide:

Vulnerability identification is the step in the risk assessment process where security flaws or weaknesses are identified in existing systems, policies, or procedures.

CEH v13 Reference:

Module 5: Vulnerability Assessment – Risk Assessment Concepts

“Vulnerability identification is the process of discovering existing flaws and weaknesses in systems or processes that may be exploited.”

=============================================================

Comprehensive and Detailed Explanation:

The attack shown is a Directory Traversal Attack. It uses URL encoding (hexadecimal obfuscation) to bypass input filters and access unauthorized files such as /etc/passwd.

%2e = . (dot)

%2f = / (forward slash)

So, ../../../etc/passwd becomes %2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

The best protection against this attack is to:

Normalize and sanitize user input on the server.

Deny directory traversal patterns, whether encoded or not.

Specifically reject or deny hex-encoded path characters (%2e, %2f, etc.)

Option A directly mitigates this by preventing the server from decoding and processing hex-encoded directory traversal attempts.

From CEH v13 Courseware:

Module 10: Web Application Hacking

Topic: Directory Traversal and Input Validation

Incorrect Options:

B: IDS can alert, but it’s reactive rather than preventative.

C: SSL encrypts communication but does not prevent path traversal.

D: Active script detection is unrelated to path traversal attacks.

The idle scan could be a communications protocol port scan technique that consists of causing spoofed packets to a pc to seek out out what services square measure obtainable. this can be accomplished by impersonating another pc whose network traffic is extremely slow or nonexistent (that is, not transmission or receiving information). this might be associate idle pc, known as a “zombie”.

This action are often done through common code network utilities like nmap and hping. The attack involves causing solid packets to a particular machine target in an attempt to seek out distinct characteristics of another zombie machine. The attack is refined as a result of there’s no interaction between the offender pc and also the target: the offender interacts solely with the “zombie” pc.

This exploit functions with 2 functions, as a port scanner and a clerk of sure informatics relationships between machines. The target system interacts with the “zombie” pc and distinction in behavior are often discovered mistreatment totally different|completely different “zombies” with proof of various privileges granted by the target to different computers.

The overall intention behind the idle scan is to “check the port standing whereas remaining utterly invisible to the targeted host.”

The first step in execution associate idle scan is to seek out associate applicable zombie. It must assign informatics ID packets incrementally on a worldwide (rather than per-host it communicates with) basis. It ought to be idle (hence the scan name), as extraneous traffic can raise its informatics ID sequence, confusing the scan logic. The lower the latency between the offender and also the zombie, and between the zombie and also the target, the quicker the scan can proceed.

Note that once a port is open, IPIDs increment by a pair of. Following is that the sequence:

offender to focus on -> SYN, target to zombie ->SYN/ACK, Zombie to focus on -> RST (IPID increment by 1)

currently offender tries to probe zombie for result. offender to Zombie ->SYN/ACK, Zombie to offender -> RST (IPID increment by 1)

So, during this method IPID increments by a pair of finally.

When associate idle scan is tried, tools (for example nmap) tests the projected zombie and reports any issues with it. If one does not work, attempt another. Enough net hosts square measure vulnerable that zombie candidates are not exhausting to seek out. a standard approach is to easily execute a ping sweep of some network. selecting a network close to your supply address, or close to the target, produces higher results. you’ll be able to attempt associate idle scan mistreatment every obtainable host from the ping sweep results till you discover one that works. As usual, it’s best to raise permission before mistreatment someone’s machines for surprising functions like idle scanning.

Simple network devices typically create nice zombies as a result of {they square measure|they’re} normally each underused (idle) and designed with straightforward network stacks that are susceptible to informatics ID traffic detection.

While distinguishing an acceptable zombie takes some initial work, you’ll be able to keep re-using the nice ones. as an alternative, there are some analysis on utilizing unplanned public internet services as zombie hosts to perform similar idle scans. leverage the approach a number of these services perform departing connections upon user submissions will function some quite poor’s man idle scanning.

The AndroidManifest.xml file contains information of your package, including components of the appliance like activities, services, broadcast receivers, content providers etc.

It performs another tasks also:

• it’s responsible to guard the appliance to access any protected parts by providing the permissions.

• It also declares the android api that the appliance goes to use.

• It lists the instrumentation classes. The instrumentation classes provides profiling and other informations. These informations are removed just before the appliance is published etc.

This is the specified xml file for all the android application and located inside the basis directory.

The security strategy that you would likely suggest is to adopt a Continual/Adaptive Security Strategy involving ongoing prediction, prevention, detection, and response actions to ensure comprehensive computer network defense. This strategy is based on the concept of continuous monitoring and improvement of the security posture of an organization, using a feedback loop that integrates various security activities and technologies. A Continual/Adaptive Security Strategy aims to proactively identify and mitigate emerging threats, vulnerabilities, and risks, as well as to respond effectively and efficiently to security incidents and breaches. A Continual/Adaptive Security Strategy can help enhance the organization’s security stance by providing the following benefits12:

It can reduce the attack surface and the exposure time of the organization’s network infrastructure, by applying timely patches, updates, and configurations, as well as by implementing security controls and policies.

It can increase the visibility and awareness of the organization’s network activity and behavior, by collecting, analyzing, and correlating data from various sources, such as logs, sensors, alerts, and reports.

It can improve the detection and prevention capabilities of the organization, by using advanced tools and techniques, such as artificial intelligence, machine learning, threat intelligence, and behavioral analytics, to identify and block malicious or anomalous patterns and indicators.

It can enhance the response and recovery processes of the organization, by using automated and orchestrated actions, such as isolation, quarantine, remediation, and restoration, to contain and resolve security incidents and breaches, as well as by conducting lessons learned and root cause analysis to prevent recurrence.

The other options are not as appropriate as option C for the following reasons:

A. Develop an in-depth Risk Management process, involving identification, assessment, treatment, tracking, and review of risks to control the potential effects on the organization: This option is not sufficient because risk management is only one aspect of a comprehensive security strategy, and it does not address the dynamic and evolving nature of cyber threats and vulnerabilities. Risk management is a process of identifying, analyzing, evaluating, and treating the risks that may affect the organization’s objectives and operations, as well as monitoring and reviewing the effectiveness of the risk treatment measures3. Risk management can help the organization prioritize and allocate resources for security, but it cannot guarantee the prevention or detection of security incidents and breaches, nor the response and recovery from them.

B. Establish a Defense-in-Depth strategy, incorporating multiple layers of security measures to increase the complexity and decrease the likelihood of a successful attack: This option is not optimal because defense-in-depth is a traditional and static approach to security, and it may not be able to cope with the sophisticated and persistent attacks that exploit unknown or zero-day vulnerabilities. Defense-in-depth is a strategy of implementing multiple and diverse security controls and mechanisms at different layers of the organization’s network infrastructure, such as perimeter, network, endpoint, application, and data, to provide redundancy and resilience against attacks4. Defense-in-depth can help the organization protect its assets and systems from unauthorized access or damage, but it cannot ensure the timely detection and response to security incidents and breaches, nor the continuous improvement of the security posture.

D. Implement an Information Assurance (IA) policy focusing on ensuring the integrity, availability, confidentiality, and authenticity of information systems: This option is not comprehensive because information assurance is a subset of cybersecurity, and it does not cover all the aspects of a holistic security strategy. Information assurance is a discipline of managing the risks associated with the use, processing, storage, and transmission of information and data, and ensuring the protection of the information and data from unauthorized access, use, disclosure, modification, or destruction5. Information assurance can help the organization safeguard its information and data from compromise or loss, but it does not address the prevention, detection, and response to security incidents and breaches, nor the adaptation and innovation of the security technologies and processes.

A NULL scan is a type of TCP stealth scan where no flags are set in the TCP header. It is used to identify open or closed ports based on how the target responds to this unexpected packet.

Behavior:

If the port is closed → Target responds with RST (Reset)

If the port is open → No response (on compliant systems like Unix-based OSes)

From CEH v13 Courseware:

Module 03: Scanning Networks

Topic: TCP Flag Scanning

Subsection: NULL Scan

CEH v13 Study Guide states:

“In a NULL scan, if a target port is closed, the system responds with an RST packet as per RFC 793. If the port is open, it typically does not respond, which allows stealthy enumeration of services.”

Incorrect Options:

A. SYN: Initiated by a SYN scan.

B. ACK: Used in ACK scans.

C/D: Not applicable for NULL scans.

F. No response occurs for open ports, not closed ones.

A pharming attacker tries to send a web site’s traffic to a faux website controlled by the offender, typically for the aim of collection sensitive data from victims or putting in malware on their machines. Attacker tend to specialize in making look-alike ecommerce and digital banking websites to reap credentials and payment card data.

Though they share similar goals, pharming uses a special technique from phishing. “Pharming attacker are targeted on manipulating a system, instead of tricking people into reaching to a dangerous web site,” explains David Emm, principal security man of science at Kaspersky. “When either a phishing or pharming attacker is completed by a criminal, they need a similar driving issue to induce victims onto a corrupt location, however the mechanisms during which this is often undertaken are completely different.”

This log clearly shows an HTTP GET request attempting to exploit a web server using a directory traversal attack with Unicode encoding:

The URL contains:/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:

%c0%af is a known Unicode-encoded sequence used to bypass input validation filters.It translates to the forward slash character “/” when interpreted by vulnerable versions of Microsoft IIS (specifically IIS 4.0 and 5.0).

This type of attack attempts to:

Traverse out of the web root directory (via encoded ../ sequences)

Access cmd.exe in the Windows system32 directory

Execute operating system commands such as dir c: (list contents of drive C)

From CEH v13 Official Courseware:

Module 14: Hacking Web Servers

Topic: Unicode Directory Traversal Vulnerability (IIS-specific)

CEH v13 Study Guide states:

“A Unicode Directory Traversal Attack takes advantage of improper input sanitization by encoding traversal characters (../) as Unicode (e.g., %c0%af). This bypasses input filters and accesses restricted directories such as system32.”

Incorrect Options:

A. Hexcode Attack: Not a formal classification; here Unicode encoding is used.

B. Cross-Site Scripting: Involves injecting scripts into a web page, unrelated to filesystem traversal.

C. Multiple Domain Traversal: Not a valid or recognized attack type.

https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.

This is done by making a logged in user in the victim platform access an attacker controlled website and from there execute malicious JS code, send forms or retrieve "images" to the victims account.

In order to be able to abuse a CSRF vulnerability you first need to find a relevant action to abuse (change password or email, make the victim follow you on a social network, give you more privileges...). The session must rely only on cookies or HTTP Basic Authentication header, any other header can't be used to handle the session. An finally, there shouldn't be unpredictable parameters on the request.

Several counter-measures could be in place to avoid this vulnerability. Common defenses:

- SameSite cookies: If the session cookie is using this flag, you may not be able to send the cookie from arbitrary web sites.

- Cross-origin resource sharing: Depending on which kind of HTTP request you need to perform to abuse the relevant action, you may take int account the CORS policy of the victim site. Note that the CORS policy won't affect if you just want to send a GET request or a POST request from a form and you don't need to read the response.

- Ask for the password user to authorise the action.

- Resolve a captcha

- Read the Referrer or Origin headers. If a regex is used it could be bypassed form example with:

http://mal.net?orig=http://example.com (ends with the url)

http://example.com.mal.net (starts with the url)

- Modify the name of the parameters of the Post or Get request

- Use a CSRF token in each session. This token has to be send inside the request to confirm the action. This token could be protected with CORS.

Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message.

Rootkits can deeply infect and compromise a system’s kernel, making them very difficult to detect or remove fully. Even advanced antivirus solutions may miss them.

The most secure and recommended response is:

Completely wipe the compromised system.

Reinstall the OS from known good (clean) media.

Apply all patches and updates.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Rootkit Handling

Incorrect Options:

A: Copying files might transfer infected components.

B: Trap and trace is investigative, not remedial.

C: Deleting files may not fully remove the rootkit.

D: Backups might be infected if taken post-compromise.