Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

https://www.eccouncil.org/what-is-social-engineering/

This Social Engineering scam involves an exchange of information that can benefit both the victim and the trickster. Scammers would make the prey believe that a fair exchange will be present between both sides, but in reality, only the fraudster stands to benefit, leaving the victim hanging on to nothing. An example of a Quid Pro Quo is a scammer pretending to be an IT support technician. The con artist asks for the login credentials of the company’s computer saying that the company is going to receive technical support in return. Once the victim has provided the credentials, the scammer now has control over the company’s computer and may possibly load malware or steal personal information that can be a motive to commit identity theft.

"A quid pro quo attack (aka something for something” attack) is a variant of baiting. Instead of baiting a target with the promise of a good, a quid pro quo attack promises a service or a benefit based on the execution of a specific action." https://resources.infosecinstitute.com/topic/common-social-engineering-attacks/#:~:text=A%20quid%20pro%20quo%20attack,execution%20of%20a%20specific%20action.

The attack scenario is best described as Instant Messenger Applications, and the measure that could have prevented it is verifying the sender’s identity before opening any files. Instant Messenger Applications are communication tools that allow users to exchange text, voice, video, and file messages in real time. However, they can also be used as attack vectors for spreading malware, such as viruses, worms, or Trojans, by exploiting the trust and familiarity between the users. In this scenario, the attacker compromised one of the team member’s messenger account and used it to send malicious files to the other team members, who may have opened them without suspicion, thus infecting their systems. This type of attack is also known as an instant messaging worm12.

To prevent this type of attack, the users should verify the sender’s identity before opening any files sent through instant messenger applications. This can be done by checking the sender’s profile, asking for confirmation, or using a secure channel. Additionally, the users should also follow other security tips, such as using strong passwords, updating the application software, scanning the files with antivirus software, and reporting any suspicious activity34.

A DHCP starvation assault is a pernicious computerized assault that objectives DHCP workers. During a DHCP assault, an unfriendly entertainer floods a DHCP worker with false DISCOVER bundles until the DHCP worker debilitates its stock of IP addresses. When that occurs, the aggressor can deny genuine organization clients administration, or even stock an other DHCP association that prompts a Man-in-the-Middle (MITM) assault.

In a DHCP Starvation assault, a threatening entertainer sends a huge load of false DISCOVER parcels until the DHCP worker thinks they’ve used their accessible pool. Customers searching for IP tends to find that there are no IP addresses for them, and they’re refused assistance. Furthermore, they may search for an alternate DHCP worker, one which the unfriendly entertainer may give. What’s more, utilizing a threatening or sham IP address, that unfriendly entertainer would now be able to peruse all the traffic that customer sends and gets.

In an unfriendly climate, where we have a malevolent machine running some sort of an instrument like Yersinia, there could be a machine that sends DHCP DISCOVER bundles. This malevolent customer doesn’t send a modest bunch – it sends a great many vindictive DISCOVER bundles utilizing sham, made-up MAC addresses as the source MAC address for each solicitation.

In the event that the DHCP worker reacts to every one of these false DHCP DISCOVER parcels, the whole IP address pool could be exhausted, and that DHCP worker could trust it has no more IP delivers to bring to the table to legitimate DHCP demands.

When a DHCP worker has no more IP delivers to bring to the table, ordinarily the following thing to happen would be for the aggressor to get their own DHCP worker. This maverick DHCP worker at that point starts giving out IP addresses.

The advantage of that to the assailant is that if a false DHCP worker is distributing IP addresses, including default DNS and door data, customers who utilize those IP delivers and begin to utilize that default passage would now be able to be directed through the aggressor’s machine. That is all that an unfriendly entertainer requires to play out a man-in-the-center (MITM) assault.

Shellshock (CVE-2014-6271) is a vulnerability in the GNU Bash (Bourne Again Shell) that allows remote code execution via crafted environment variables. It was disclosed in 2014 and had a wide impact on systems that relied on Bash as a command-line shell interpreter.

Affected systems include:

Linux distributions (Red Hat, Debian, CentOS, Ubuntu, etc.)

Unix variants (e.g., FreeBSD, OpenBSD, etc.)

Apple macOS (formerly OS X), since it uses Bash as the default shell

Windows systems were not directly affected because they do not use Bash by default. Bash is not a native component of Windows operating systems, and Shellshock exploits Bash-specific behavior. Only Windows systems where Bash was manually installed through a third-party method or environment (e.g., Cygwin) might be susceptible — but by default, Windows systems are immune.

Incorrect options:

A. Linux — Affected

B. Unix — Affected

C. OS X — Affected

D. Windows — Not directly affected (Correct answer)

In the Windows security model, SID ending in -500 is reserved for the built-in Administrator account. The SID seen in the image:

S-1-5-21-343818398-789336058-1343024091-500 → maps to user Joe

This proves that Joe is the true built-in administrator account on the domain EARTH.

From CEH v13 Courseware:

Module 4: Enumeration

Topic: SID Enumeration and Account Discovery

CEH v13 Study Guide states:

“In Windows, the account with RID 500 is always the default Administrator account. Even if renamed, its SID remains ending in -500. Enumeration of this SID allows attackers to identify privileged accounts.”

Incorrect Options:

A: Incomplete — it is not just that Joe has SID 500, but that SID 500 means Joe is the administrator.

B/C: These commands don’t validate Guest account status.

E: Incorrect — these commands explicitly prove administrator identity.

In CEH v13 Module 03: Scanning Networks, under the Nmap Host Discovery Techniques, TCP SYN ping scan is explained as one of the methods used to determine whether a host is online by sending SYN packets to specified TCP ports.

When using Nmap:

-PS specifies a TCP SYN ping scan. It sends SYN packets to a given port (by default port 80, unless specified) to check whether a host is up and whether the port is open.

The response type to this SYN packet determines the host status:

If a SYN/ACK is received, it indicates the port is open, and the host is up.

If RST is received, the port is closed, but the host is still considered online.

If no response or ICMP unreachable is received, the host may be down or filtered.

Clarification of options:

A. -pp: This is not a valid Nmap option.

B. -PO: This sends IP Protocol Ping, used less frequently and not the same as SYN ping.

C. -PS: Correct. Performs a TCP SYN Ping Scan.

D. -PA: Sends TCP ACK Ping, used to determine firewall presence but not the same as SYN scan.

Reference from CEH v13 Study Guide and Course Material:

CEH v13 Official Module 03 – Scanning Networks, Slide: Nmap Host Discovery Techniques

EC-Council iLabs - Scanning Networks Practical Lab Guide: Section on nmap -sn -PS

Nmap Official Documentation (also referenced in CEH): https://nmap.org/book/man-host-discovery.html

Passwords are usually delineated as “hashed and salted”. salting is simply the addition of a unique, random string of characters renowned solely to the site to every parole before it’s hashed, typically this “salt” is placed in front of each password.

The salt value needs to be hold on by the site, which means typically sites use the same salt for each parole. This makes it less effective than if individual salts are used.

The use of unique salts means that common passwords shared by multiple users – like “123456” or “password” – aren’t revealed revealed when one such hashed password is known – because despite the passwords being the same the immediately and hashed values are not.

Large salts also protect against certain methods of attack on hashes, including rainbow tables or logs of hashed passwords previously broken.

Both hashing and salting may be repeated more than once to increase the issue in breaking the security.

In CEH v13 Module 10: Vulnerability Assessment, the Vulnerability Management Lifecycle is defined with the following structured steps:

Identify assets & baseline (Step 2)

Vulnerability scanning (Step 5)

Risk assessment/prioritization (Step 6)

Remediation (Step 1)

Verification (Step 3)

Continuous monitoring (Step 4)

So the correct lifecycle flow is:

2 → 5 → 6 → 1 → 3 → 4

This ensures vulnerabilities are identified, assessed, remediated, validated, and monitored on an ongoing basis.

A mirror site may be a website or set of files on a computer server that has been copied to a different computer server in order that the location or files are available from quite one place. A mirror site has its own URL, but is otherwise just like the principal site. Load-balancing devices allow high-volume sites to scale easily, dividing the work between multiple mirror sites.

A mirror site is typically updated frequently to make sure it reflects the contents of the first site. In some cases, the first site may arrange for a mirror site at a bigger location with a better speed connection and, perhaps, a better proximity to an outsized audience.

If the first site generates an excessive amount of traffic, a mirror site can ensure better availability of the web site or files. For websites that provide copies or updates of widely used software, a mirror site allows the location to handle larger demands and enables the downloaded files to arrive more quickly. Microsoft, Sun Microsystems and other companies have mirror sites from which their browser software are often downloaded.

Mirror sites are wont to make site access faster when the first site could also be geographically distant from those accessing it. A mirrored web server is usually located on a special continent from the principal site, allowing users on the brink of the mirror site to urge faster and more reliable access.

Mirroring an internet site also can be done to make sure that information are often made available to places where access could also be unreliable or censored. In 2013, when Chinese authorities blocked access to foreign media outlets just like the Wall Street Journal and Reuters, site mirroring was wont to restore access and circumvent government censorship.

SQL Injection is a type of attack that exploits a vulnerability in a web application that uses a SQL database. The attacker injects malicious SQL code into the user input, such as a login form, that is then executed by the database server. This can allow the attacker to access, modify, or delete data, or execute commands on the database server.

The ‘UNION’ SQL keyword is often used in SQL Injection attacks to combine the results of two or more SELECT statements into a single result set. This can allow the attacker to retrieve additional data from other tables or columns that are not intended to be displayed by the application. For example, if the application uses the following query to check the user credentials:

SELECT * FROM users WHERE username = '$username' AND password = '$password'

The attacker can inject a ‘UNION’ statement to append another query, such as:

' OR 1 = 1 UNION SELECT * FROM credit_cards --

This will result in the following query being executed by the database server:

SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND password = '$password'

The first part of the query will always return true, and the second part of the query will return the data from the credit_cards table. The ‘–’ symbol is a comment that will ignore the rest of the query. The attacker can then see the credit card information in the application’s response.

However, some web applications implement security measures to prevent SQL Injection attacks, such as filtering special characters in user inputs. Special characters are symbols that have a special meaning in SQL, such as quotes, semicolons, dashes, etc. By filtering or escaping these characters, the application can prevent the attacker from injecting malicious SQL code. For example, if the application replaces single quotes with two single quotes, the previous injection attempt will fail, as the query will become:

SELECT * FROM users WHERE username = '''' OR 1 = 1 UNION SELECT * FROM credit_cards --'' AND password = '$password'

This will result in a syntax error, as the query is not valid SQL.

In this challenging environment, if the hacker still intends to exploit this SQL Injection vulnerability, the strategy that he is most likely to employ is to bypass the special character filter by encoding his malicious input. Encoding is a process of transforming data into a different format, such as hexadecimal, base64, URL, etc. By encoding his input, the hacker can avoid the filter and still inject malicious SQL code. For example, if the hacker encodes his input using URL encoding, the previous injection attempt will become:

%27%20OR%201%20%3D%201%20UNION%20SELECT%20*%20FROM%20credit_cards%20--

This will result in the following query being executed by the database server, after the application decodes the input:

SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND password = '$password'

This will succeed in returning the credit card information, as the filter will not detect the special characters in the encoded input.

Therefore, the hacker is most likely to employ the strategy of bypassing the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries.

This question focuses on API Security, Webhooks abuse, and Webshell mitigation, all of which are addressed in the CEH v13 Web Application Hacking and Security Operations modules. The most appropriate corrective action is Option D, as it directly addresses the root causes and persistence mechanisms of the compromise.

According to CEH v13, attackers frequently exploit improper input validation in APIs and insecure webhook implementations to inject malicious payloads or gain remote command execution. Webhooks, when not properly validated, can accept malicious requests that trigger backend processes, making them a common vector for API abuse.

Input validation on all API endpoints is critical to prevent injection attacks, including command injection and SQL injection. CEH v13 explicitly emphasizes validating request parameters, headers, and payload structures to prevent malicious manipulation.

Reviewing webhook payloads ensures that only trusted sources can trigger automated actions, preventing attackers from abusing webhook functionality. This includes validating signatures, enforcing authentication, and restricting allowed payload formats.

Finally, regular scanning for webshells is essential because webshells provide persistent backdoor access. CEH v13 identifies webshell detection as a key defensive measure during incident response and post-exploitation containment.

Other options are incomplete:

A WAF alone cannot detect all webshells.

IP blocking is ineffective against spoofed or cloud-based attacks.

MFA and server hardening are valuable but do not directly address webhook abuse or existing webshells.

Therefore, Option D provides the most comprehensive, CEH v13–aligned mitigation strategy.

CEH v13 explains that the Deep Web contains content not indexed by search engines, including exposed databases, misconfigured portals, leaked credentials, and internal documents.

This makes it a critical area to assess unintended data exposure. The Deep Web is not primarily for attacker profiling or insider detection.

Thus, Option D is correct.

In CEH v13 Module 14: Cryptography, CAST-128 is defined as a symmetric block cipher based on a Feistel structure with:

Block size of 64 bits

12 or 16 rounds, depending on key size

Uses 8×32-bit S-boxes with complex structures (including bent functions)

Operates with modular addition/subtraction, XOR, key-dependent rotations, and masking keys (Km) and rotation keys (Kr)

All features described in the scenario match the CAST-128 algorithm.

Option Clarification:

B. AES: Operates on 128-bit blocks, uses Substitution-Permutation Network (SPN), not Feistel.

C. GOST: Russian block cipher, also Feistel-based, but structure and key use differ.

D. DES: Feistel cipher with 64-bit block size, but uses 16 rounds and simpler S-boxes.

Correct answer is A. CAST-128

According to CEH v13 Web Application and Server Security, regular patching and updates are the most effective way to reduce server attack surfaces. Vulnerabilities in web servers, proxies, and supporting services are frequently exploited if patches are delayed.

While architectural choices and directory placement influence organization, they do not mitigate known vulnerabilities. Changing IP addresses does not prevent exploitation, and moving directories does not address underlying software flaws.

CEH v13 consistently emphasizes patch management as a primary defensive control. Therefore, Option C is correct.

In CEH v13 Module 14: Cryptography, key escrow is discussed as a recovery mechanism where a third party securely holds a cryptographic key for retrieval if it’s lost.

Key Escrow Characteristics:

Common in enterprise environments for systems like BitLocker.

Keys are automatically backed up to Active Directory (AD) for future retrieval.

Ensures that encrypted data is not permanently lost due to forgotten or deleted keys.

Option Clarification:

A. Key archival: Storing old keys for audit/record-keeping.

B. Key escrow: Correct – Third-party or central storage for recovery purposes.

C. Certificate rollover: Replacement of expiring certificates.

D. Key renewal: Generating a new key after expiration or compromise.

Error-based SQL Injection is a type of in-band SQL Injection attack that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.

The ethical hacker is likely to use this type of SQL Injection attack because the application responds to logically incorrect queries with detailed error messages that divulge the underlying database’s structure. This means that the attacker can craft malicious SQL queries that trigger errors and reveal information such as table names, column names, data types, etc. The attacker can then use this information to construct more complex queries that extract data from the database.

For example, if the application uses the following query to display the username of a user based on the user ID:

SELECT username FROM users WHERE id = '$id'

The attacker can inject a single quote at the end of the user ID parameter to cause a syntax error:

SELECT username FROM users WHERE id = '1'

The application might display an error message like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' at line 1

This error message reveals that the database server is MySQL and that the user ID parameter is enclosed in single quotes. The attacker can then use other techniques such as UNION, subqueries, or conditional statements to manipulate the query and retrieve data from other tables or columns.

Comprehensive and Detailed Explanation:

IDS cannot easily detect malicious content in encrypted traffic. Since the payload is encrypted (e.g., HTTPS, SSL/TLS), it is unreadable without decryption.

Statement B is therefore FALSE.

From CEH v13 Courseware:

Module 13: IDS, Firewalls and Honeypots → Limitations of IDS

The scenario describes a cryptographic attack where the attacker (in this case, the student) uses a predefined list of commonly used passwords to try and unlock a secured PDF document. This technique is known as a Dictionary Attack.

According to the CEH v13 Official Courseware:

A Dictionary Attack is defined as “a method of breaking passwords by trying out a predefined list of words (dictionary) commonly used as passwords.”

Unlike a brute-force attack, which tries every possible character combination, a dictionary attack relies on known or likely password choices, which makes it faster but less exhaustive.

Dictionary attacks are commonly used against encrypted or password-protected files, login forms, and even hashes.

Relevant distinctions from other options:

A. Man-in-the-middle attack involves intercepting communication between two parties and is unrelated to offline password cracking.

B. Brute-force attack tries all possible character combinations, not just a list of known or common passwords.

D. Session hijacking involves taking over a user session and is unrelated to document password cracking.

Reference – CEH v13 Official Study Materials:

Module 20: Cryptography

Section: "Cryptanalysis Techniques"

Subsection: "Dictionary Attack vs. Brute-force Attack"

CEH v13 eBook or Study Guide — look for Table: “Types of Password Attacks” under “Cryptography Attack Vectors”

This exact technique is illustrated in CEH v13 labs involving John the Ripper, Hydra, and password recovery tools.

Static Network Address Translation (Static NAT) allows a single private IP address to be mapped to a single public IP address. This one-to-one mapping ensures that the same internal machine is always reachable through the same external IP address, which is crucial for "server publishing" — making internal servers (e.g., web servers, FTP servers) accessible from the internet.

From CEH v13 Courseware:

Module 03: Scanning Networks

Topic: Network Address Translation

Section: Types of NAT

CEH v13 Study Guide states:

“Static NAT provides a fixed translation of a private IP address to a public IP address. It is commonly used when an internal server must always be accessible from the Internet using a consistent IP address — this is known as server publishing.”

Incorrect Options:

A. Overloading PAT: Multiple private IPs share a single public IP using port numbers — not suited for static mappings.

B. Dynamic PAT: Similar to overloading; used for outbound traffic only.

C. Dynamic NAT: Assigns a public IP from a pool; the mapping can change, not suitable for server publishing.

CEH v13 classifies this malware as fileless malware, which resides in memory and abuses legitimate system tools (Living-off-the-Land techniques). Traditional antivirus solutions are often ineffective.

CEH v13 recommends:

Script control (PowerShell Constrained Language Mode)

Application whitelisting

Monitoring parent-child process relationships

These measures directly target the malware’s execution method. Reboots and folder cleanup do not address in-memory persistence.