312-50v13 Exam Dumps - ECCouncil CEH v13 Questions and Answers

In CEH v13 Module 13: Hacking Web Applications, this exact payload is an example of an XXE (XML External Entity) Attack.

XXE Attack:

Exploits the way XML parsers process DOCTYPE declarations.

The payload references a local file (/etc/passwd), allowing local file inclusion.

Can result in sensitive file disclosure, SSRF, or Denial of Service (DoS).

Option Clarification:

A. XXE: Correct – targets vulnerable XML parsers.

B. SQLi: Targets SQL databases with ' OR '1'='1-type injections.

C. IDOR: Insecure Direct Object Reference, not related to XML.

D. XSS: Cross-site scripting; this is XML-based, not JavaScript injection.

WHOIS is an Internet service that allows users to query domain name registries to retrieve information about registered domain names. It includes data such as:

Registrant’s name and contact information

Domain creation and expiration dates

Registrar details and name servers

WHOIS is often used during the reconnaissance phase in penetration testing.

Reference – CEH v13 Official Study Guide:

Module 2: Footprinting and Reconnaissance

Quote:

“WHOIS databases provide public domain registration details including contact names, email addresses, and registrar information. This is useful for initial reconnaissance.”

Incorrect Options:

B. CAPTCHA is used to distinguish human users from bots.

C. IANA oversees global IP address allocation and DNS root zone management.

D. IETF is responsible for internet standards, not registrant databases.

===========

A Wireless Intrusion Prevention System (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).

A keylogger is a type of spyware that can record and steal consecutive keystrokes (and much more) that the user enters on a device. Keyloggers are a common tool for cybercriminals, who use them to capture passwords, credit card numbers, personal information, and other sensitive data. Keyloggers can be installed on a device through various methods, such as phishing emails, malicious downloads, or physical access. To confirm the type of program, the security team can use a web search tool, such as Bing, to look for keylogger programs and compare their features and behaviors with the suspicious program they encountered. Alternatively, they can use a malware analysis tool, such as Malwarebytes, to scan and identify the program and its characteristics.

To prevent the same attack from occurring in the future, the security team should employ intrusion detection systems (IDS) and regularly update the system software. An IDS is a system that monitors network traffic and system activities for signs of malicious or unauthorized behavior, such as keylogger installation or communication. An IDS can alert the security team of any potential threats and help them respond accordingly. Regularly updating the system software can help patch any vulnerabilities or bugs that keyloggers may exploit to infect the device. Additionally, the security team should also remove the keylogger program from the affected computers and change any compromised passwords or credentials. References:

Keylogger | What is a Keylogger? How to protect yourself

How to Detect and Remove a Keylogger From Your Computer

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

What is a Keylogger? | Keystroke Logging Definition | Avast

Keylogger Software: 11 Best Free to Use in 2023

The scenario describes a method used to make a cryptographic key more secure by making it harder to brute-force. This process is called Key Stretching.

Key Stretching:

Takes a weak or short key and processes it through a function (often repeatedly) to produce a stronger, longer key.

Commonly used in password hashing (e.g., bcrypt, PBKDF2, scrypt).

Increases the computational time required to test each guess in a brute-force attack, effectively reducing attack feasibility.

Incorrect Options:

A. Key derivation function (KDF) is related but more general; key stretching is a specific technique often implemented within KDFs.

B. Key reinstallation is associated with WPA2 KRACK attacks.

C. Public key infrastructure (PKI) is a system of digital certificates, not a key strengthening technique.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Password Hashing and Key Stretching Techniques”

Subsection: “bcrypt, PBKDF2, and Key Strengthening”

CEH iLab: Password Hashing and Cracking Simulations

The VRFY commands enables SMTP clients to send an invitation to an SMTP server to verify that mail for a selected user name resides on the server. The VRFY command is defined in RFC 821.

The server sends a response indicating whether the user is local or not, whether mail are going to be forwarded, and so on. A response of 250 indicates that the user name is local; a response of 251 indicates that the user name isn’t local, but the server can forward the message. The server response includes the mailbox name.

Comprehensive and Detailed Explanation:

The AAAA (Quad A) record is the DNS record type used to map a domain name to an IPv6 address. It is the IPv6 equivalent of an A (Address) record, which maps to an IPv4 address.

From CEH v13 Courseware:

Module 4: Enumeration → DNS Record Types

Bollards are short vertical posts installed to control or direct road traffic, but more importantly, they act as physical security controls to prevent vehicle-ramming attacks or unauthorized vehicle entry into sensitive or secure areas such as building entrances. They are often reinforced and strategically placed to withstand high-speed collisions.

This is a physical security control described in CEH v13 Module 01 (Introduction to Ethical Hacking) and further discussed in physical security best practices for preventing unauthorized physical access.

Incorrect Options:

B. Receptionist is a human control, not a physical barrier for vehicles.

C. Mantrap is used to control personnel access, not vehicle access.

D. Turnstile controls pedestrian entry, not vehicles.

In a man-in-the-middle (MITM) attack, an attacker intercepts communication between two parties and can read, alter, or inject data without either party knowing. Susan's actions — intercepting and modifying her boss's session data before relaying it to the server — is the classic MITM pattern.

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

CEH v13 Study Guide states:

“In a MITM attack, the attacker positions themselves between two communicating parties, relaying and possibly altering communications while maintaining the illusion that the parties are communicating directly.”

Incorrect Options:

A: Sniffing only involves passive listening.

B: Spoofing may involve impersonation but not necessarily interception and relay.

D: DoS is about service disruption, not data interception.

In CEH v13 Module 05: System Hacking, once an attacker gains access to hashed passwords, cracking tools are employed to reverse or brute-force them.

Tool Breakdown:

John the Ripper: A powerful password cracking tool that supports many hash formats.

Hashcat: GPU-based, extremely fast password hash cracking tool.

THC-Hydra: Used for online attacks (e.g., SSH, FTP brute force).

Netcat: Not a password cracking tool — it’s a network utility used for:

Remote shell connections

Banner grabbing

File transfers

Port scanning

Therefore:

C. Netcat is the correct answer — it is not used for password cracking.

In CEH v13 Module 10: Vulnerability Assessment, the Vulnerability Management Lifecycle is defined with the following structured steps:

Identify assets & baseline (Step 2)

Vulnerability scanning (Step 5)

Risk assessment/prioritization (Step 6)

Remediation (Step 1)

Verification (Step 3)

Continuous monitoring (Step 4)

So the correct lifecycle flow is:

2 → 5 → 6 → 1 → 3 → 4

This ensures vulnerabilities are identified, assessed, remediated, validated, and monitored on an ongoing basis.

Well-known and widely used password-cracking tools include:

A. L0phtcrack – Windows password auditing tool that can crack LM and NTLM hashes.

E. John the Ripper – Versatile password cracker that supports many hash types on Unix, Windows, etc.

Incorrect Options:

B. NetCat – A network tool used for port scanning and data transfer.

C. “Jack the Ripper” is likely a mistaken reference to John the Ripper.

D. Netbus – A remote access Trojan, not a password cracker.

From CEH v13 Courseware:

Module 6: Password Cracking Tools

document.write(); (Cookie and session ID theft)

https://www.softwaretestinghelp.com/cross-site-scripting-xss-attack-test/

As seen in the indicated question, cookies are escaped and sent to script to variable ‘cookie’. If the malicious user would inject this script into the website’s code, then it will be executed in the user’s browser and cookies will be sent to the malicious user.

An evil twin may be a fraudulent Wi-Fi access point that appears to be legitimate but is about up to pay attention to wireless communications.[1] The evil twin is that the wireless LAN equivalent of the phishing scam.

This type of attack could also be wont to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves fixing a fraudulent internet site and luring people there.

The attacker snoops on Internet traffic employing a bogus wireless access point. Unwitting web users could also be invited to log into the attacker’s server, prompting them to enter sensitive information like usernames and passwords. Often, users are unaware they need been duped until well after the incident has occurred.

When users log into unsecured (non-HTTPS) bank or e-mail accounts, the attacker intercepts the transaction, since it’s sent through their equipment. The attacker is additionally ready to hook up with other networks related to the users’ credentials.

Fake access points are found out by configuring a wireless card to act as an access point (known as HostAP). they’re hard to trace since they will be shut off instantly. The counterfeit access point could also be given an equivalent SSID and BSSID as a close-by Wi-Fi network. The evil twin are often configured to pass Internet traffic through to the legitimate access point while monitoring the victim’s connection, or it can simply say the system is temporarily unavailable after obtaining a username and password.

Firewalking is a technique used to determine what layer 4 protocols a firewall will allow by sending crafted packets with TTL values that expire at the firewall and analyzing ICMP Time Exceeded responses. This helps in determining what ports and services are allowed through a firewall.

???? Reference – CEH v13 Study Guide, Module 11: Evading IDS, Firewalls, and Honeypots

“Firewalking is a technique used to gather information about firewalls and their rule sets by sending packets with TTL values that expire at the firewall.”

❌ Incorrect options:

A. Session hijacking refers to taking over an active session.

C. MITM attacks involve intercepting communications between two parties.

D. Network sniffing involves capturing packets, not probing firewall rules.