312-50v13 Exam Dumps - ECCouncil CEH v13 Questions and Answers

According to CEH v13 Module 08: Sniffing, the attack described is a classic example of ARP spoofing/poisoning which leads to Man-in-the-Middle (MITM) scenarios. In such attacks, a malicious actor sends forged ARP responses to associate their MAC address with the IP address of a target system, redirecting traffic through their machine.

Tool Used: BetterCAP

BetterCAP is a powerful, modular MITM framework.

It can:

Perform ARP spoofing

Intercept and manipulate HTTP/HTTPS traffic

Modify packets in real-time

Carry out credential harvesting and session hijacking

Miley's actions match the default behavior of BetterCAP during an ARP spoofing attack:

Spoof ARP to redirect traffic.

Intercept and analyze (or manipulate) traffic.

Option Clarification:

A. Gobbler: An older ARP tool, but mostly for ARP scanning, not modern MITM attacks.

B. KDerpNSpoof: Incorrect or misspelled; not a recognized CEH tool.

C. BetterCAP: Correct – used for ARP spoofing and traffic manipulation.

D. Wireshark: Passive sniffer; cannot perform ARP spoofing or MITM.

CEH v13 outlines insertion attacks as IDS evasion methods in which attackers send packets deliberately crafted so that the IDS processes them differently from the target host. In an insertion attack, malformed packets appear legitimate to the IDS—allowing malicious traffic to blend with benign inspection results—while the end host rejects or modifies the packets due to incorrect checksums, invalid flags, or protocol inconsistencies. As a result, the IDS sees one set of reconstructed data, while the actual host processes a different version or nothing at all. CEH emphasizes that intrusion detection systems may not follow full TCP/IP stack validation, making them susceptible to deception by malformed or borderline-conformant packets. Polymorphic shellcode (Option B) changes payload signatures, not packet structure. Session splicing (Option C) splits payload across packets to evade pattern matching but does not rely on checksum manipulation. Fragmentation attacks (Option D) divide traffic into smaller fragments, not alter validity fields. The described behavior fits insertion attacks precisely.

A hybrid attack combines the benefits of both dictionary and brute-force attacks. It takes words from a dictionary and applies modifications such as:

Appending or prepending numbers or symbols

Changing case (e.g., admin → Admin1!)

Leetspeak substitutions (e.g., p@ssw0rd)

From CEH v13 Official Courseware:

Module 6: Malware Threats

Topic: Password Cracking Methods

CEH v13 Study Guide states:

“A hybrid attack is a combination of dictionary and brute-force techniques. It takes dictionary words and mutates them to cover common variations, making it more effective than pure dictionary attacks.”

Incorrect Options:

A/B/D: These are not standard terminology in cryptographic or password auditing literature.

SHA-256 is a cryptographic hash function, and CEH v13 clearly states that hash functions alone provide data integrity, but not authenticity or non-repudiation. If attackers can modify data and recompute the hash, integrity checks will still pass.

The issue arises because SHA-256 does not prove who created or modified the data. To address this weakness, CEH v13 recommends using digital signatures, which combine hashing with asymmetric cryptography. A digital signature ensures:

Integrity (data has not changed)

Authentication (data was signed by a known entity)

Non-repudiation (the signer cannot deny the action)

Digital signatures work by hashing the data and encrypting the hash with the sender’s private key. Any modification to the data invalidates the signature.

Encryption alone (Options A and C) protects confidentiality, not integrity or authenticity. SSL/TLS (Option B) secures data in transit but does not protect stored data from tampering.

CEH v13 explicitly identifies digital signatures as the correct cryptographic control when integrity mechanisms alone are insufficient. Therefore, Option D is correct.

The Certified Ethical Hacker (CEH) Network and Perimeter Hacking module describes MAC flooding as an attack targeting switch CAM (Content Addressable Memory) tables. The attacker overwhelms the switch by sending frames with spoofed MAC addresses, forcing the switch to broadcast traffic like a hub.

Option D is the correct indicator because MAC flooding results in many different MAC addresses being learned on a single switch port, which is abnormal behavior. CEH documentation identifies this as the primary forensic sign of a MAC flooding attack.

Option A relates more closely to ARP poisoning rather than MAC flooding.

Option B can occur in network misconfigurations but is not a primary MAC flooding indicator.

Option C is common in NAT environments and is not malicious by itself.

CEH emphasizes monitoring CAM table behavior and port security violations to detect MAC flooding attacks effectively.

ESP (Encapsulating Security Payload) in transport mode is used for end-to-end communication between hosts within the same LAN. It encrypts only the payload, not the header, ensuring confidentiality and integrity while maintaining efficient routing.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“In ESP transport mode, only the data payload is encrypted, making it ideal for secure communication within a LAN where the IP header must remain intact for routing.”

Incorrect Options Explained:

B & C. Not valid IPSec modes.

D. AH tunnel mode ensures integrity but does not provide encryption.

=

TCP port 48101 uses the Transmission management Protocol. transmission control protocol is one in all the most protocols in TCP/IP networks. transmission control protocol could be a connection-oriented protocol, it needs acknowledgement to line up end-to-end communications. only a association is about up user’s knowledge may be sent bi-directionally over the association.

Attention! transmission control protocol guarantees delivery of knowledge packets on port 48101 within the same order during which they were sent. bonded communication over transmission control protocol port 48101 is that the main distinction between transmission control protocol and UDP. UDP port 48101 wouldn’t have bonded communication as transmission control protocol.

UDP on port 48101 provides Associate in Nursing unreliable service and datagrams might arrive duplicated, out of order, or missing unexpectedly. UDP on port 48101 thinks that error checking and correction isn’t necessary or performed within the application, avoiding the overhead of such process at the network interface level.

UDP (User Datagram Protocol) could be a borderline message-oriented Transport Layer protocol (protocol is documented in IETF RFC 768).

Application examples that always use UDP: vocalisation IP (VoIP), streaming media and period multiplayer games. several internet applications use UDP, e.g. the name System (DNS), the Routing info Protocol (RIP), the Dynamic Host Configuration Protocol (DHCP), the straightforward Network Management Protocol (SNMP).

Asymmetric encryption, as defined in CEH v13 Cryptography, uses a public-private key pair, solving the key distribution problem inherent in symmetric encryption.

Public keys can be freely shared, enabling secure communication initiation without prior shared secrets. Disk encryption and hashes do not address key exchange.

Therefore, Option D is correct.

Comprehensive and Detailed Explanation:

Script Kiddies are individuals with minimal technical skills who use existing tools or scripts developed by others to perform attacks. They generally do not understand the underlying mechanisms and rely on publicly available hacking tools.

From CEH v13 Official Study Guide:

Module 1: Introduction to Ethical Hacking → Hacker Types

“Script kiddies are unskilled attackers who use tools created by others.”

According to the CEH Network and Perimeter Security module, one of the most effective and widely used firewall evasion techniques is the use of encrypted communication channels. When traffic is encrypted using protocols such as HTTPS, TLS, or VPN tunnels, traditional firewalls and packet-inspection tools may be unable to inspect payload contents unless SSL/TLS inspection is explicitly enabled.

CEH documentation explains that attackers commonly encrypt command-and-control (C2) traffic to:

Blend in with legitimate encrypted traffic

Bypass content-based inspection

Evade signature-based detection

Option B is therefore correct.

Option A (IP spoofing) is less effective against stateful firewalls.

Option C is a human-focused attack, not firewall evasion.

Option D has no relevance to firewall bypass techniques.

CEH highlights encryption misuse as a major blind spot in perimeter defenses.

Passive sniffing refers to listening to or capturing network traffic without sending any packets or altering the communication stream. The attacker’s system operates in "promiscuous mode" to monitor all traffic flowing through the network segment. This technique is mostly used in environments like hub-based or unencrypted Wi-Fi networks, where traffic is visible to all systems.

According to the CEH v13 Official Courseware, Module 08: Sniffing, under the subsection "Passive Sniffing", the following capabilities are associated with passive sniffing:

Capturing unencrypted credentials (usernames and passwords)

Identifying protocols, services, IP addresses, and hostnames

Monitoring HTTP sessions, cookies, and other clear-text traffic

Gathering detailed information for fingerprinting and enumeration

Exporting traffic to PCAPs for forensic and offline analysis

However, passive sniffing does not involve any active interference with the traffic. Therefore, actions like “modifying and replaying” packets require an attacker to craft and inject packets into the network — this is considered active sniffing or traffic manipulation, which is out of scope for passive techniques.

Thus:

Option A: Valid for passive sniffing (host discovery via captured traffic)

Option B: Invalid for passive sniffing (requires active traffic manipulation)

Option C: Valid (if data is unencrypted)

Option D: Valid (captures traffic for offline review)

Reference – CEH v13 Official Courseware:

Module 08: Sniffing

Section: “Passive Sniffing vs Active Sniffing”

Study Guide Pages: Usually found under “Types of Sniffing Techniques”

CEH iLabs/Engage Scenarios: Packet capture and Wireshark lab modules

In CEH v13 Module 05: System Hacking, and Module 14: Access Control, Identity Management, and Cryptography, Single Sign-On (SSO) is defined as a system that allows users to authenticate once and gain access to multiple systems without re-entering credentials.

SSO uses a Central Authentication Server (CAS).

Common technologies: Kerberos, OAuth, SAML, AD Federation Services.

Improves user convenience and centralized credential management.

Comprehensive and Detailed Explanation:

A Suicide Hacker is someone who launches a cyberattack without regard for the consequences, such as being caught or imprisoned. Yancey's actions fit this profile because:

He is knowingly committing illegal acts.

He is fully aware of and indifferent to the consequences.

His motive is revenge, not ideology or personal gain.

From CEH v13 Courseware:

Module 1: Introduction to Ethical Hacking → Types of Hackers

Verbose failure messages are detailed error messages that reveal too much information about authentication failures. In the described scenario, the web application specifies whether the username or password is incorrect. This behavior enables attackers to:

Enumerate valid usernames by submitting random inputs and observing which error message is returned.

Use the valid usernames to conduct targeted attacks such as brute-force attempts or social engineering.

According to CEH v13:

Authentication mechanisms should provide generic error messages such as “Invalid username or password” to avoid exposing system behavior.

Verbose error messages violate the principle of "fail securely."

Incorrect Options:

A. Insecure transmission relates to credentials being sent over unencrypted channels (e.g., HTTP instead of HTTPS).

C. User impersonation involves taking on the identity of another user, not enumeration.

D. Password reset mechanisms are a different component of authentication, not mentioned in this context.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Authentication Bypass Techniques”

Subsection: “Enumeration via Verbose Error Messages”

=

Well-known and widely used password-cracking tools include:

A. L0phtcrack – Windows password auditing tool that can crack LM and NTLM hashes.

E. John the Ripper – Versatile password cracker that supports many hash types on Unix, Windows, etc.

Incorrect Options:

B. NetCat – A network tool used for port scanning and data transfer.

C. “Jack the Ripper” is likely a mistaken reference to John the Ripper.

D. Netbus – A remote access Trojan, not a password cracker.

From CEH v13 Courseware:

Module 6: Password Cracking Tools

This scenario describes a worm infection, as defined in CEH v13 Malware Threats. Worms are self-replicating malware that spread autonomously across networks without user interaction. Their propagation often results in excessive network traffic, system crashes, and resource exhaustion, which aligns with the symptoms described.

CEH v13 differentiates worms from other malware:

Ransomware encrypts data but does not self-propagate aggressively.

Trojans require user execution.

Rootkits focus on stealth and persistence rather than replication.

The appropriate response prioritizes containment and eradication. Quarantining affected systems prevents further spread. A network-wide antivirus sweep with updated signatures removes known worm variants. Updating operating systems closes vulnerabilities that worms exploit for propagation.

CEH v13 stresses rapid isolation and patching as critical measures to control worm outbreaks and restore network stability. Therefore, Option A is correct.

In active session hijacking, after identifying a valid session, the attacker must desynchronize the legitimate communication between the client and the server. To do this, Bob should:

Knock one of the parties offline (typically the client).

Then spoof the session by injecting crafted packets using the guessed sequence number.

From CEH v13 Courseware:

Module 11: Session Hijacking

CEH v13 Study Guide states:

“After identifying a session and predicting its sequence number, the attacker forces the original user offline, allowing them to assume control over the connection using spoofed packets.”

Incorrect Options:

A: Taking over the session is the ultimate goal, but the necessary step before that is disconnecting the original participant.

B: Sequence prediction is already done.

C: Sequence number has already been guessed.

LAN Manager (LM) hashes use the DES (Data Encryption Standard) algorithm to hash passwords. Here's how LM hashing works:

The password is converted to uppercase and padded/truncated to 14 characters.

Split into two 7-character halves.

Each half is used as a DES key to encrypt a constant string ("KGS!@#$%")—resulting in a 16-byte LM hash.

From CEH v13 Courseware:

Module 6: Malware Threats

Topic: Windows Password Storage & Cracking

CEH v13 Study Guide states:

“LM hashes use the DES encryption algorithm to create password hashes. Due to this method, they are highly vulnerable to brute-force attacks, particularly because they split the password into two 7-character blocks.”

Incorrect Options:

A: MD4 is used in NTLM hashes.

C: SHA is not used in LM.

D: SSL is a transport security protocol, not a hashing algorithm.

CEH reconnaissance and enumeration modules explain that LDAP services often support anonymous binding by default unless explicitly disabled. Anonymous bind allows unauthenticated users to query certain directory attributes, which can lead to disclosure of usernames, organizational hierarchy, and email addresses—critical information for password attacks, phishing campaigns, and privilege escalation planning. In the scenario described, the tester obtained directory data without providing any credentials, demonstrating that anonymous bind permissions were enabled. LDAPS requires TLS encryption and authentication, which contradicts the observed access. Kerberos authentication mandates valid credentials. LDAP via RADIUS is used for authentication integration, not for information disclosure. Since the query was successful with no authentication and no access controls triggered, this aligns exactly with CEH’s description of anonymous LDAP binding.