Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

The longer an adversary has this level of access, the greater the impact. Defenders must detect this stage as quickly as possible and deploy tools which can enable them to gather forensic evidence. One example would come with network packet captures, for damage assessment. Only now, after progressing through the primary six phases, can intruders take actions to realize their original objectives. Typically, the target of knowledge exfiltration involves collecting, encrypting and extracting information from the victim(s) environment; violations of knowledge integrity or availability are potential objectives also . Alternatively, and most ordinarily , the intruder may only desire access to the initial victim box to be used as a hop point to compromise additional systems and move laterally inside the network. Once this stage is identified within an environment, the implementation of prepared reaction plans must be initiated. At a minimum, the plan should include a comprehensive communication plan, detailed evidence must be elevated to the very best ranking official or board , the deployment of end-point security tools to dam data loss and preparation for briefing a CIRT Team. Having these resources well established beforehand may be a “MUST” in today’s quickly evolving landscape of cybersecurity threats

Webhooks are one of a few ways internet applications will communicate with one another.

It allows you to send real-time data from one application to another whenever a given event happens.

For example, let’s say you’ve created an application using the Foursquare API that tracks when people check into your restaurant. You ideally wish to be able to greet customers by name and provide a complimentary drink when they check in.

What a webhook will is notify you any time someone checks in, therefore you’d be able to run any processes that you simply had in your application once this event is triggered.

The data is then sent over the web from the application wherever the event originally occurred, to the receiving application that handles the data.

Here’s a visual representation of what that looks like:

A webhook url is provided by the receiving application, and acts as a phone number that the other application will call once an event happens.

Only it’s more complicated than a phone number, because data about the event is shipped to the webhook url in either JSON or XML format. this is known as the “payload.”

Here’s an example of what a webhook url looks like with the payload it’s carrying:

What are Webhooks? Webhooks are user-defined HTTP callback or push APIs that are raised based on events triggered, such as comment received on a post and pushing code to the registry. A webhook allows an application to update other applications with the latest information. Once invoked, it supplies data to the other applications, which means that users instantly receive real-time information. Webhooks are sometimes called “Reverse APIs” as they provide what is required for API specification, and the developer should create an API to use a webhook. A webhook is an API concept that is also used to send text messages and notifications to mobile numbers or email addresses from an application when a specific event is triggered. For instance, if you search for something in the online store and the required item is out of stock, you click on the “Notify me” bar to get an alert from the application when that item is available for purchase. These notifications from the applications are usually sent through webhooks.

The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity for a vulnerability. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A vector string represents the values of all the metrics as a block of text1

The Base metrics measure the intrinsic characteristics of a vulnerability, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability. The Base score reflects the severity of a vulnerability assuming that there is no temporal information or context available1

The Temporal metrics measure the characteristics of a vulnerability that change over time, such as the exploit code maturity, the remediation level, and the report confidence. The Temporal score reflects the current state of a vulnerability and its likelihood of being exploited1

The Environmental metrics measure the characteristics of a vulnerability that depend on a specific implementation or environment, such as the security requirements, the modified base metrics, and the collateral damage potential. The Environmental score reflects the impact of a vulnerability on a particular organization or system1

In this scenario, the vulnerability has a Base score of 7, a Temporal score of 8, and an Environmental score of 5. This means that:

The vulnerability has a high severity based on its intrinsic characteristics, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability. A Base score of 7 corresponds to a high severity rating according to the CVSS v3.0 specification1

The vulnerability has an increasing likelihood of exploitability over time based on its current state, such as the exploit code maturity, the remediation level, and the report confidence. A Temporal score of 8 is higher than the Base score of 7, which indicates that the vulnerability is more likely to be exploited as time passes1

The vulnerability has a medium impact on the specific environment or implementation based on the security requirements, the modified base metrics, and the collateral damage potential. An Environmental score of 5 is lower than the Base score of 7, which indicates that the vulnerability is less impactful in the particular context of the organization or system1

Therefore, the statement that best describes this scenario is: The vulnerability has an overall high severity, the likelihood of exploitability is increasing over time, and it has a medium impact in their specific environment.

Guardster is an anonymizing proxy service that allows users to:

Mask their real IP address

Bypass content filters and access restricted websites

Maintain anonymity while browsing or engaging in online activities

It functions as a middleman between the user and target sites, hiding user identities.

Incorrect Options:

A. Baidu is a Chinese search engine.

C. WolframAlpha is a computational search engine.

D. Karma Decay is a reverse image search engine for Reddit.

Reference – CEH v13 Official Courseware:

Module 02: Footprinting and Reconnaissance

Section: “Anonymous Browsing Tools and Techniques”

Subsection: “Proxy and Anonymizing Services”

Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest. Example 5.19 shows an example of Ereet scanning the Recording Industry Association of America by bouncing an idle scan off an Adobe machine named Kiosk.

Example 5.19. An idle scan against the RIAA

# nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com

Starting Nmap ( http://nmap.org )

Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental

Nmap scan report for 208.225.90.120

(The 65522 ports scanned but not shown below are in state: closed)

Port       State       Service

21/tcp     open        ftp

25/tcp     open        smtp

80/tcp     open        http

111/tcp    open        sunrpc

135/tcp    open        loc-srv

443/tcp    open        https

1027/tcp   open        IIS

1030/tcp   open        iad1

2306/tcp   open        unknown

5631/tcp   open        pcanywheredata

7937/tcp   open        unknown

7938/tcp   open        unknown

36890/tcp  open        unknown

Nmap done: 1 IP address (1 host up) scanned in 2594.47 seconds

DNS uses Ports 53 which is almost always open on systems, firewalls, and clients to transmit DNS queries. instead of the more familiar Transmission Control Protocol (TCP) these queries use User Datagram Protocol (UDP) due to its low-latency, bandwidth and resource usage compared TCP-equivalent queries. UDP has no error or flow-control capabilities, nor does it have any integrity checking to make sure the info arrived intact.

How is internet use (browsing, apps, chat etc) so reliable then? If the UDP DNS query fails (it’s a best-effort protocol after all) within the first instance, most systems will retry variety of times and only after multiple failures, potentially switch to TCP before trying again; TCP is additionally used if the DNS query exceeds the restrictions of the UDP datagram size – typically 512 bytes for DNS but can depend upon system settings.

Figure 1 below illustrates the essential process of how DNS operates: the client sends a question string (for example, mail.google[.]com during this case) with a particular type – typically A for a number address. I’ve skipped the part whereby intermediate DNS systems may need to establish where ‘.com’ exists, before checking out where ‘google[.]com’ are often found, and so on.

Many worms and scanners are created to seek out and exploit systems running telnet. Given these facts, it’s really no surprise that telnet is usually seen on the highest Ten Target Ports list. Several of the vulnerabilities of telnet are fixed. They require only an upgrade to the foremost current version of the telnet Daemon or OS upgrade. As is usually the case, this upgrade has not been performed on variety of devices. this might flow from to the very fact that a lot of systems administrators and users don’t fully understand the risks involved using telnet. Unfortunately, the sole solution for a few of telnets vulnerabilities is to completely discontinue its use. the well-liked method of mitigating all of telnets vulnerabilities is replacing it with alternate protocols like ssh. Ssh is capable of providing many of an equivalent functions as telnet and a number of other additional services typical handled by other protocols like FTP and Xwindows. Ssh does still have several drawbacks to beat before it can completely replace telnet. it’s typically only supported on newer equipment. It requires processor and memory resources to perform the info encryption and decryption. It also requires greater bandwidth than telnet thanks to the encryption of the info . This paper was written to assist clarify how dangerous the utilization of telnet are often and to supply solutions to alleviate the main known threats so as to enhance the general security of the web

Once a reputation is resolved to an IP caching also helps: the resolved name-to-IP is usually cached on the local system (and possibly on intermediate DNS servers) for a period of your time . Subsequent queries for an equivalent name from an equivalent client then don’t leave the local system until said cache expires. Of course, once the IP address of the remote service is understood , applications can use that information to enable other TCP-based protocols, like HTTP, to try to to their actual work, for instance ensuring internet cat GIFs are often reliably shared together with your colleagues.

So, beat all, a couple of dozen extra UDP DNS queries from an organization’s network would be fairly inconspicuous and will leave a malicious payload to beacon bent an adversary; commands could even be received to the requesting application for processing with little difficulty.

The nbtstat command is a Windows utility that displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables, and the NetBIOS name cache. However, the nbtstat command does not support IPv6 addresses, which are the standard format for the Internet Protocol version 6 (IPv6). Therefore, using the nbtstat command with IPv6 addresses will result in an error message or no output. To enumerate NetBIOS names on a network that uses IPv6, you should switch to an enumeration tool that supports IPv6, such as Nmap, which is a network scanning and security auditing tool. Nmap has a scripting engine (NSE) that allows users to write and execute scripts for various network tasks, including NetBIOS enumeration. Nmap can also detect the operating system, services, and vulnerabilities of the target machines, regardless of the IP version they use. References:

Nbtstat Command - Computer Hope

Nbtstat CMD: Windows Network Command Line Prompt

[Nmap Scripting Engine (NSE) Documentation]

False Positives occur when a scanner, Web Application Firewall (WAF), or Intrusion Prevention System (IPS) flags a security vulnerability that you do not have. A false negative is the opposite of a false positive, telling you that you don't have a vulnerability when, in fact, you do.

A false positive is like a false alarm; your house alarm goes off, but there is no burglar. In web application security, a false positive is when a web application security scanner indicates that there is a vulnerability on your website, such as SQL Injection, when, in reality, there is not. Web security experts and penetration testers use automated web application security scanners to ease the penetration testing process. These tools help them ensure that all web application attack surfaces are correctly tested in a reasonable amount of time. But many false positives tend to break down this process. If the first 20 variants are false, the penetration tester assumes that all the others are false positives and ignore the rest. By doing so, there is a good chance that real web application vulnerabilities will be left undetected.

When checking for false positives, you want to ensure that they are indeed false. By nature, we humans tend to start ignoring false positives rather quickly. For example, suppose a web application security scanner detects 100 SQL Injection vulnerabilities. If the first 20 variants are false positives, the penetration tester assumes that all the others are false positives and ignore all the rest. By doing so, there are chances that real web application vulnerabilities are left undetected. This is why it is crucial to check every vulnerability and deal with each false positive separately to ensure false positives.

In CEH v13 Module 11: Hacking Wireless Networks, Wardriving is explained as the practice of driving around with a Wi-Fi-enabled device to detect open or vulnerable wireless networks.

Key Characteristics of Wardriving:

Involves using laptops, smartphones, or specialized devices with Wi-Fi antennas.

Tools like NetStumbler, Kismet, or WiGLE may be used.

Often includes GPS tagging of discovered networks.

Used to identify unsecured access points for later exploitation.

Option Clarification:

A. GPS mapping: May be used with wardriving, but not the act itself.

B. Spectrum analysis: Measures RF spectrum usage; not network discovery.

C. Wardriving: Correct – searching for Wi-Fi networks while driving.

D. Wireless sniffing: Captures traffic; can happen during wardriving, but broader in scope.

This scenario demonstrates a classic social engineering tactic often referred to as “social media quizzes” or “engagement bait”, commonly used in open-source intelligence gathering (OSINT) and pretexting attacks.

From CEH v13 Module 01: Introduction to Ethical Hacking and Module 09: Social Engineering, attackers may create seemingly innocent posts that ask users to share answers to common questions like:

What was your first pet’s name?

What’s your mother’s maiden name?

What city were you born in?

What’s your favorite food?

These questions mirror the types of security questions used by banks and other services for account recovery or authentication. By answering these in public forums or comments, users unknowingly disclose data that can be used to:

Bypass security questions

Reset passwords

Perform targeted account takeovers

Why Other Options Are Incorrect:

B. Matt's bank account login information was brute forced.

Unlikely. Most banks implement account lockout policies and multi-factor authentication that would prevent brute force attempts.

C. Matt inadvertently provided his password when responding to the post.

Incorrect. Passwords are not usually asked in public-facing posts. Users are unlikely to provide literal passwords unless heavily tricked by phishing.

D. Matt's computer was infected with a keylogger.

Possible but less likely. The context suggests that the only suspicious behavior was responding to the Facebook post, which doesn't imply malware installation or downloading.

Reference from CEH v13 Study Guide and Course Material:

CEH v13 Official Module 09 – Social Engineering, Slide: Common Social Engineering Techniques (Quizzes, Pretexting)

CEH Engage – Social Engineering Phase

EC-Council iLabs – Performing Social Engineering Attacks Simulation

CEH v13 Courseware Notes – Reconnaissance Using OSINT and Public Social Platforms

Telnetting into port 25 allows users to manually issue SMTP commands. While not necessarily malicious, it can be abused (e.g., for spamming or probing).

You don’t want to shut down SMTP (as that’s required for email), and you can’t block port 25 entirely. The best approach is to secure the service by requiring:

SMTP authentication (username/password)

Possibly TLS encryption

From CEH v13 Courseware:

Module 5: Vulnerability Analysis

Module 20: Secure Protocols

CEH v13 Study Guide states:

“To prevent unauthorized SMTP access, require SMTP AUTH. This allows only authenticated users to send email, mitigating abuse of open mail relays.”

Incorrect Options:

A: Blocks all SMTP, affecting email functionality.

B: Disables mail service entirely.

D: Switching platforms doesn’t solve the underlying issue.

E: Not appropriate—there is a clear solution.

A Network-based Intrusion Detection System (NIDS) monitors all network traffic for signs of suspicious activity across multiple hosts. In large environments with critical assets (e.g., financial or healthcare networks), NIDS is ideal because it provides visibility into entire network segments, not just individual systems.

NIDS can be deployed at strategic points (e.g., DMZs, VLANs, subnets) to detect unauthorized access, malware activity, or policy violations.

Reference – CEH v13 Official Courseware:

Module 13: Evading IDS, Firewalls, and Honeypots

Quote:

“Network-based IDS monitors traffic across an entire subnet or segment and is most effective in large environments to detect malicious activity before it reaches critical assets.”

Incorrect Options Explained:

A. Honeypots attract and log attacker behavior, but do not provide network-wide detection.

B. Firewalls filter traffic but are not detection systems.

D. HIDS monitors activity on a single host only.

===========

The most probable subsequent action from the attacker based on the Cyber Kill Chain Methodology is to exploit the malicious payload delivered to the target organization and establish a foothold. This option works as follows:

The Cyber Kill Chain Methodology is a framework that describes the stages of a cyberattack from the perspective of the attacker. It helps defenders to understand the attacker’s objectives, tactics, and techniques, and to design effective countermeasures. The Cyber Kill Chain Methodology consists of seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives12.

The delivery stage is the third stage in the Cyber Kill Chain Methodology, and it involves sending or transmitting the weaponized payload to the target system. The delivery stage can use various methods, such as email attachments, web links, removable media, or network protocols. The delivery stage aims to reach the target system and bypass any security controls, such as firewalls, antivirus, or email filters12.

The exploitation stage is the fourth stage in the Cyber Kill Chain Methodology, and it involves executing the malicious payload on the target system. The exploitation stage can use various techniques, such as buffer overflows, code injection, or privilege escalation. The exploitation stage aims to exploit a vulnerability or a weakness in the target system and gain access to its resources, such as files, processes, or memory12.

The installation stage is the fifth stage in the Cyber Kill Chain Methodology, and it involves installing a backdoor or a malware on the target system. The installation stage can use various tools, such as rootkits, trojans, or ransomware. The installation stage aims to establish a foothold on the target system and maintain persistence, which means to survive reboots, updates, or scans12.

Therefore, the most probable subsequent action from the attacker based on the Cyber Kill Chain Methodology is to exploit the malicious payload delivered to the target organization and establish a foothold, because:

This action follows the logical sequence of the Cyber Kill Chain Methodology, as it is the next stage after the delivery stage.

This action is consistent with the attacker’s goal, as it allows the attacker to gain access and control over the target system and prepare for further actions.

This action is feasible, as the attacker has already delivered the malicious payload to the target system and may have bypassed some security controls.

The other options are not as probable as option B for the following reasons:

A. The attacker will attempt to escalate privileges to gain complete control of the compromised system: This option is possible, but not the most probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather a technique that can be used in the exploitation stage or the installation stage. Privilege escalation is a method of increasing the level of access or permissions on a system, such as from a normal user to an administrator. Privilege escalation can help the attacker to gain complete control of the compromised system, but it is not a mandatory step, as the attacker may already have sufficient privileges or may use other techniques to achieve the same goal12.

C. The attacker will initiate an active connection to the target system to gather more data: This option is possible, but not the most probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather a technique that can be used in the command and control stage or the actions on objectives stage. An active connection is a communication channel that allows the attacker to send commands or receive data from the target system, such as a remote shell or a botnet. An active connection can help the attacker to gather more data from the target system, but it is not a necessary step, as the attacker may already have enough data or may use other techniques to obtain more data12.

D. The attacker will start reconnaissance to gather as much information as possible about the target: This option is not probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather the first stage. Reconnaissance is the process of collecting information about the target, such as its IP address, domain name, network structure, services, vulnerabilities, or employees. Reconnaissance is usually done before the delivery stage, as it helps the attacker to identify the target and plan the attack. Reconnaissance can be done again after the delivery stage, but it is not the most likely action, as the attacker may already have enough information or may focus on other actions12.

File created by Bash, a Unix-based shell program commonly used on Mac OS X and Linux operating systems; stores a history of user commands entered at the command prompt; used for viewing old commands that are executed.

BASH_HISTORY files are hidden files with no filename prefix. They always use the filename .bash_history.

NOTE: Bash is that the shell program employed by Apple Terminal.

Our goal is to assist you understand what a file with a *.bash_history suffix is and the way to open it.

The Bash History file type, file format description, and Mac and Linux programs listed on this page are individually researched and verified by the FileInfo team. we attempt for 100% accuracy and only publish information about file formats that we’ve tested and validated.

In CEH v13 Module 03: Scanning Networks, Nmap includes timing templates for controlling the speed and stealthiness of scans.

-T5: Insane mode – very fast, highly aggressive, easily detectable.

-T0: Paranoid mode – very slow and stealthy.

-O: Enables OS detection (not related to scan speed).

-A: Enables OS detection, version detection, script scanning, and traceroute (comprehensive but not specifically about speed).

Therefore:

If speed is your goal and you are not concerned about detection, then:

-T5 is the correct answer.