312-50v13 Exam Dumps - ECCouncil CEH v13 Questions and Answers

Pharming is a cyberattack technique in which malicious code is used to redirect a website’s traffic to a fraudulent or malicious website without the user's knowledge. This redirection typically occurs through:

DNS poisoning or host file modification

Exploitation of vulnerabilities in DNS servers or user machines

Pharming aims to collect sensitive data (like usernames, passwords, credit card details) by making users believe they are interacting with a legitimate website when, in fact, they are on a fake one.

As per CEH v13 Official Courseware:

Pharming is a server-side or client-side attack that manipulates how URLs are resolved.

It differs from phishing in that it does not rely on fake emails or social engineering but rather on redirecting web traffic via compromised DNS infrastructure or local configuration.

Incorrect Options:

A. Spimming is the use of spam over instant messaging.

C. Phishing involves tricking users through fake emails or messages.

D. Spear-phishing is a targeted version of phishing directed at specific individuals or roles.

Reference – CEH v13 Official Courseware:

Module 09: Social Engineering

Section: “Phishing and Pharming Attacks”

Subsection: “Differences Between Phishing and Pharming”

Comprehensive and Detailed Explanation:

In TCP session hijacking or spoofing:

An attacker sends a spoofed packet with the ACK bit set and a guessed (or predicted) sequence number to fool the receiver into thinking it's a legitimate continuation of an existing session.

Fred is simulating this by sending a TCP packet with the ACK bit and using his own IP as the source, trying to trick the switch into believing it's part of an already established session.

From CEH v13 Courseware:

Module 11: Session Hijacking

CEH v13 explains that ARP poisoning (also known as ARP spoofing) occurs when an attacker sends forged ARP replies across the network to associate their MAC address with multiple IP addresses, tricking hosts into sending traffic through the attacker’s machine. This results in routing inconsistencies, intermittent connectivity, failed logins, and degraded intranet performance—exactly the symptoms described. ARP poisoning typically involves unsolicited ARP replies, which overwrite legitimate ARP cache entries. CEH emphasizes that ARP-based attacks are common on LANs because ARP lacks authentication, allowing attackers to impersonate gateways or key hosts. DHCP snooping misconfigurations (Option B) affect IP allocation, not ARP mappings. Legitimate ARP refreshes (Option C) are request-based and do not involve flooding unsolicited replies. Port security restrictions (Option D) block MAC anomalies, not create them. Therefore, ARP poisoning is the correct root cause.

A Collision attack is a type of cryptographic attack that targets the hash function. The goal of this attack is to find two different inputs that produce the same hash output. This undermines the integrity of the hashing algorithm, as hash functions are expected to produce a unique output for each unique input.

In practical terms, if two different documents (inputs) produce the same hash value (collision), an attacker can replace a legitimate file with a malicious one without detection, assuming the system validates integrity only via the hash.

CEH v13 defines a collision attack as follows:

"A collision attack focuses on finding two different messages (M1 and M2) that produce the same hash value. This can compromise digital signatures, certificates, and other security protocols."

Reference – CEH v13 Study Guide:

Module 20: Cryptography, Section: “Hashing Algorithms and Attacks”, Subsection: “Collision Attacks”

Incorrect Options Explained:

A: Public keys are part of asymmetric encryption, not relevant to collisions.

B/C: These are incorrect descriptions; collision attacks are not about breaking hashes into parts to retrieve plaintext or private keys.

‒‒‒‒‒‒‒‒‒‒‒‒‒‒‒

CEH v13 highlights the Idle Scan as one of the stealthiest reconnaissance methods available, designed specifically to avoid detection by IDS and security monitoring tools. Idle scanning leverages a “zombie host”—a system with a predictable IPID sequence—to route all probe packets through it. Since no packets ever originate directly from the attacker’s IP, IDS systems are unable to attribute the port scan to the attacker. CEH emphasizes that this technique creates zero direct traffic between the attacker and the target, making it extremely evasive and ideal for highly monitored networks. FIN scans (Option A) are somewhat stealthy but still originate from the attacker and are detectable. TCP Connect scans (Option C) are the most detectable because they complete full connections. ICMP Echo scans (Option D) are easily logged and flagged by IDS. Idle scanning is uniquely suited for bypassing advanced detection systems while still identifying open ports and live hosts.

VLAN hopping is an advanced attack technique described in CEH materials, used to bypass VLAN segmentation by exploiting switch misconfigurations or vulnerabilities. Two primary methods—switch spoofing and double tagging—allow attackers to gain access to traffic from VLANs they are not authorized to view. This technique enables the capture of inter-VLAN traffic without requiring administrative privileges or triggering security tools. Port mirroring requires administrative control and is not an attack method. Rogue DHCP servers target IP assignment, not VLAN segmentation. ARP poisoning is effective only within a single broadcast domain and cannot traverse VLAN boundaries. Because the objective is to silently access multiple VLANs despite enforced segmentation, VLAN hopping is the correct technique as per CEH’s network perimeter attack methodology.

A Pulse Wave attack is a type of DDoS attack that uses a botnet to send high-volume traffic pulses at regular intervals, typically lasting for a few minutes each. The attacker can adjust the frequency and duration of the pulses to maximize the impact and evade detection. A Pulse Wave attack can exhaust the network resources of the target, as well as the resources of any DDoS mitigation service that the target may use. A Pulse Wave attack can also conceal the attacker’s identity, as the traffic originates from multiple sources that are part of the botnet. A Pulse Wave attack can bypass simple defensive measures, such as IP-based blocking, as the traffic can appear legitimate and vary in source IP addresses.

The other options are less effective or feasible for the attacker’s objectives. A protocol-based SYN flood attack is a type of DDoS attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. This consumes the connection state tables on the server, preventing it from accepting new connections. However, a SYN flood attack can be easily detected and mitigated by using SYN cookies or firewalls. A SYN flood attack can also expose the attacker’s identity, as the source IP addresses of the SYN requests can be traced back to the attacker. An ICMP flood attack is a type of DDoS attack that sends a large number of ICMP packets, such as ping requests, to the target server, overwhelming its ICMP processing capacity. However, an ICMP flood attack from a single IP can be easily blocked by using IP-based filtering or disabling ICMP responses. An ICMP flood attack can also reveal the attacker’s identity, as the source IP address of the ICMP packets can be identified. A volumetric flood attack is a type of DDoS attack that sends a large amount of traffic to the target server, saturating its network bandwidth and preventing legitimate users from accessing it. However, a volumetric flood attack using a single compromised machine may not be sufficient to overwhelm the network bandwidth of a major online retailer, as the attacker’s machine may have limited bandwidth itself. A volumetric flood attack can also be detected and mitigated by using traffic shaping or rate limiting techniques. References:

Pulse Wave DDoS Attacks: What You Need to Know

DDoS Attack Prevention: 7 Effective Mitigation Strategies

DDoS Attack Types: Glossary of Terms

DDoS Attacks: What They Are and How to Protect Yourself

DDoS Attack Prevention: How to Protect Your Website

Outdated encryption protocols such as SSL 3.0 and TLS 1.0 contain numerous cryptographic weaknesses, making them susceptible to downgrade attacks, cipher-suite vulnerabilities, and interception. CEH explains that weak SSL/TLS configurations expose encrypted traffic to man-in-the-middle attacks because attackers can exploit vulnerabilities such as BEAST, POODLE, or weak ciphers to decrypt or manipulate data in transit. These flaws compromise confidentiality and integrity, allowing attackers to observe login credentials, session identifiers, or sensitive information. XSS and SQL injection exploit entirely different web vulnerabilities unrelated to encryption strength. Brute-forcing SSL handshakes is computationally infeasible and not relevant. Therefore, a MitM attack targeting the outdated protocol is the most effective exploitation method.

CEH’s Malware Analysis module outlines a structured approach:

Identify suspicious indicators (e.g., JavaScript, OpenAction)

Extract and analyze embedded objects

Determine behavior and exploit logic

PDFStreamDumper allows analysts to extract JavaScript code and embedded objects for detailed inspection.

Option B is correct.

Option A is useful but insufficient for deep analysis.

Option C only aids identification, not behavior understanding.

An advanced persistent threat (APT) may be a broad term wont to describe AN attack campaign within which an intruder, or team of intruders, establishes a bootleg, long presence on a network so as to mine sensitive knowledge.

The targets of those assaults, that square measure terribly fastidiously chosen and researched, usually embrace massive enterprises or governmental networks. the implications of such intrusions square measure huge, and include:

Intellectual property thieving (e.g., trade secrets or patents)

Compromised sensitive info (e.g., worker and user personal data)

The sabotaging of essential structure infrastructures (e.g., information deletion)

Total website takeovers

Executing an APT assault needs additional resources than a regular internet application attack. The perpetrators square measure typically groups of intimate cybercriminals having substantial resource. Some APT attacks square measure government-funded and used as cyber warfare weapons.

APT attacks dissent from ancient internet application threats, in that:

They’re considerably additional advanced.

They’re not hit and run attacks—once a network is infiltrated, the culprit remains so as to realize the maximum amount info as potential.

They’re manually dead (not automated) against a selected mark and indiscriminately launched against an outsized pool of targets.

They typically aim to infiltrate a complete network, as opposition one specific half.

More common attacks, like remote file inclusion (RFI), SQL injection and cross-site scripting (XSS), square measure oftentimes employed by perpetrators to ascertain a footing in a very targeted network. Next, Trojans and backdoor shells square measure typically wont to expand that foothold and make a persistent presence inside the targeted perimeter.

WS-Security (Web Services Security) is a protocol specification that provides a means for securing SOAP-based messages. It defines how to add authentication, encryption, and digital signatures to SOAP headers, helping ensure message integrity and confidentiality.

According to CEH v13 Official Courseware:

WS-Security is an extension of SOAP.

It supports features such as:

Authentication via tokens (e.g., username, X.509)

Message integrity via digital signatures

Message confidentiality via XML encryption

Incorrect Options:

A. WSDL (Web Services Description Language) describes the web service interface but does not provide security.

B. WS Work Processes is not a defined web service security standard.

C. WS-Policy allows expressing security requirements, but enforcement is handled by WS-Security.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: "Web Services Security"

Subsection: "WS-* Standards"

=

Without documented approval, the firewall rule could represent an unauthorized change or security risk. Rolling it back until proper change control processes are followed is consistent with best practices in security governance.

CEH v13 Reference:

Module 1: Introduction to Ethical Hacking

"Unauthorized changes to security devices should be immediately reviewed and reverted until formal approval is obtained."

━━━━━━━━━━━━━━━━━━━━━━

In CEH v13 Cryptography, this threat is formally referred to as “Harvest Now, Decrypt Later” (HNDL). It describes a long-term cryptographic risk where adversaries intercept and store encrypted communications today, even though they cannot decrypt them with current computational capabilities. The expectation is that future quantum computers will be powerful enough to break widely used public-key cryptographic algorithms.

CEH v13 emphasizes that quantum algorithms such as Shor’s Algorithm can theoretically break RSA, DSA, and ECC by efficiently solving integer factorization and discrete logarithm problems. However, the defining feature of this threat is not the act of breaking encryption itself, but rather the strategic collection and storage of encrypted data in advance.

Option C is incomplete because it focuses only on the cryptographic mechanism rather than the threat model. Options B and D are unrelated to the scenario described and refer to quantum communication integrity issues, not long-term cryptographic exposure.

CEH v13 highlights that sensitive data with long confidentiality lifetimes—such as government records, financial data, healthcare information, and intellectual property—is especially vulnerable to this threat. As a result, organizations are encouraged to adopt quantum-resistant (post-quantum) cryptographic algorithms proactively.

Thus, Option A accurately describes the threat model and aligns with CEH v13’s treatment of future cryptographic risks.

Comprehensive and Detailed Explanation:

Tshark is the command-line version of Wireshark. The correct syntax for filtering packets from a subnet:

sudo tshark -f "net 192.168.8.0/24"

This captures only the traffic from that IP range. It’s ideal for cron jobs and automated monitoring.

From CEH v13 Courseware:

Module 8: Sniffing → Tshark and Wireshark Usage

In CEH v13 Module 11: Hacking Wireless Networks, Kismet is introduced as a passive wireless sniffer and network detector used primarily on Linux systems.

Kismet passively listens for wireless beacons and data frames.

Can detect hidden SSIDs, rogue APs, and even wireless client behaviors.

Does not transmit any packets, making it stealthy and ideal for wireless reconnaissance.

Option Analysis:

A. Burp Suite: Used for web application testing, not wireless.

B. OpenVAS: Vulnerability scanner, not a packet sniffer.

C. tshark: CLI version of Wireshark, can analyze wired and wireless packets, but not wireless-specific or passive by default.

D. Kismet: Correct wireless packet analyzer for Linux.

To secure DNS infrastructure, best practices include:

B. Harden DNS Servers: Disable unused services, apply patches, implement secure configurations.

C. Use Split-Horizon DNS: Present different DNS data to internal vs. external users to prevent data leakage.

D. Restrict Zone Transfers: Prevent unauthorized replication of zone data using IP-based access control or TSIG.

E. Subnet Diversity: Place DNS servers on different subnets or networks to enhance resilience.

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Module 20: Cryptography

Incorrect Option:

A: Hosting DNS on multi-purpose servers increases the attack surface and violates security best practices.

The command shown is a Windows batch loop that attempts to mount a hidden administrative share (c$) on a remote machine (\10.1.2.3) using the username "Administrator" and a list of passwords from the file hackfile.txt.

for /f "tokens=1 %%a in (hackfile.txt) → Reads one password per line from the file

do net use * \10.1.2.3\c$ /user:"Administrator" %%a → Tries to authenticate to the share using the Administrator account and each password

This is a classic brute-force password attack attempting to crack the Administrator account using a wordlist.

From CEH v13 Official Courseware:

Module 4: Enumeration

Module 6: Malware and Password Cracking Techniques

CEH v13 Study Guide states:

“Tools and scripts that automate login attempts using SMB shares and administrative credentials can be used to brute force user accounts. An attacker attempts access using a list of passwords (dictionary attack).”

Incorrect Options:

A: The connection attempt is made, but the success is dependent on password cracking.

B: This command does not enumerate users.

D: No null session involved; this is a brute-force attempt, not privilege escalation.

bettercap is a tool that can perform session hijacking attacks on wireless networks, among other network security and penetration testing tasks. bettercap can capture and manipulate network traffic, perform man-in-the-middle attacks, spoof and sniff protocols, inject custom payloads, and more1.

bettercap can perform session hijacking attacks on wireless networks that use the WPA-PSK security protocol by exploiting the four-way handshake process that occurs when a client connects to a wireless access point. The four-way handshake is used to establish a shared encryption key between the client and the access point, based on the pre-shared key (PSK) that is configured on both devices. However, the four-way handshake also exposes some information that can be used to crack the PSK offline, such as the nonce values, the MAC addresses, and the message integrity code (MIC) of the packets2.

bettercap can capture the four-way handshake packets using its Wi-Fi module and save them in a file. The file can then be fed to a tool like Hashcat or Aircrack-ng to crack the PSK using brute force or dictionary attacks. Once the PSK is obtained, bettercap can use it to decrypt the wireless traffic and perform session hijacking attacks on the clients connected to the access point3.

Therefore, bettercap is an appropriate tool to carry out a session hijacking attack on a wireless network that uses the WPA-PSK security protocol.

This scenario describes SNMP Enumeration, a technique covered under CEH v13 Reconnaissance and Enumeration. Simple Network Management Protocol (SNMP) operates over UDP port 161 and is widely used for monitoring and managing network devices. A common and critical weakness arises when organizations leave default or publicly known community strings such as public (read-only) or private (read-write) unchanged.

CEH v13 explains that when an SNMP agent is configured with default community strings, it allows unauthenticated or weakly authenticated queries, enabling attackers to retrieve extensive system information. This includes installed software, running processes, system descriptions, network interfaces, and routing tables. The ability to perform bulk data queries using SNMP GET and WALK commands makes enumeration highly effective and fast.

Option B correctly identifies the root cause: misconfigured SNMP agents permitting anonymous or default access. The other options are incorrect because SNMP does not rely on FTP, registry access, or trap logging for enumeration. Traps (Option D) are unsolicited notifications sent to managers and are not used for querying system details.

CEH v13 strongly recommends disabling SNMP when not required, changing default community strings, restricting SNMP access via ACLs, and using SNMPv3, which supports authentication and encryption. Therefore, Option B is the correct and CEH-aligned answer.

CEH v13 distinguishes between vertical and horizontal privilege escalation. Vertical escalation occurs when an attacker moves upward in the hierarchy of privileges—such as from a regular user to an administrator or root—by exploiting vulnerabilities, misconfigurations, or insecure privilege boundaries. This allows the attacker to perform tasks that were previously restricted, such as modifying system settings, accessing sensitive data, installing malware, or controlling the entire environment. Horizontal escalation, on the other hand, involves accessing another user’s resources at the same privilege level, which the other options describe. Exploiting unquoted service paths or weak access controls may facilitate privilege abuse, but they do not inherently elevate the user to a higher privilege tier unless they specifically lead to administrative execution. The scenario that aligns perfectly with the CEH definition of vertical privilege escalation is the escalation from regular user to administrator.