Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

Hashing algorithms (such as SHA-256 or MD5) are used to generate a unique digital fingerprint of a file or message. Once the CFO approves the financial statement, generating a hash value for the document ensures that if any modification occurs (even a single bit), the hash value will change, indicating a breach in data integrity.

This solution directly addresses integrity — one of the three components of the CIA triad (Confidentiality, Integrity, Availability). Password protection or transferring via USB does not ensure integrity; they offer access control and delivery security.

DNS spoofing (also known as DNS cache poisoning) occurs when an attacker intercepts or falsifies DNS responses to redirect traffic or exfiltrate data. The appropriate way to prevent such attacks includes:

Implementing DNS anti-spoofing techniques

Using DNSSEC (DNS Security Extensions)

Ensuring proper DNS configurations and validation of responses

From CEH v13:

Module 3: Scanning Networks

Topic: DNS Poisoning and Spoofing Attacks

Defensive Measures: DNS Hardening

CEH v13 Study Guide states:

“To prevent DNS spoofing and cache poisoning, organizations should use DNSSEC, configure anti-spoofing protections, and restrict zone transfers. DNS Anti-spoofing solutions validate responses and ensure data integrity.”

Incorrect Options:

A: Logging may detect but not prevent.

B: Disabling DNS timeouts is unrelated and harmful.

D: Prevents zone transfers, not spoofing specifically.

In CEH v13 Module 16: Cloud Computing and Container Security, Kubernetes components are explained for understanding container orchestration risks.

Kube-scheduler is the master node component responsible for:

Assigning newly created pods to available nodes.

Evaluating each pod’s resource requirements.

Considering node affinity/anti-affinity, data locality, hardware restrictions, etc.

Ensuring workload balancing across nodes.

Other Options:

A. Kube-controller-manager: Manages control loops for replication and status.

C. Kube-apiserver: Acts as the entry point for all REST commands.

D. Etcd: A key-value store used to save configuration data.

In CEH v13 Module 01: Information Security Governance, PCI-DSS (Payment Card Industry Data Security Standard) is introduced as the mandatory compliance framework for organizations handling credit card transactions.

PCI-DSS Requirements Include:

Encrypting cardholder data.

Maintaining secure systems and applications.

Regular vulnerability testing and audits.

Restricting access to sensitive data.

Option Clarification:

A. FISMA: Applies to U.S. federal information systems.

B. HITECH: Related to health information privacy and HIPAA.

C. PCI-DSS: Correct for credit card companies and merchant environments.

D. SOX (Sarbanes-Oxley): Focuses on financial reporting, not card data.

An iPhone client’s most noticeably terrible bad dream is to have somebody oversee his/her gadget, including the capacity to record and control all action without waiting be in a similar room. In this blog entry, we present another weakness called “Trustjacking”, which permits an aggressor to do precisely that.

This weakness misuses an iOS highlight called iTunes Wi-Fi sync, which permits a client to deal with their iOS gadget without genuinely interfacing it to their PC. A solitary tap by the iOS gadget proprietor when the two are associated with a similar organization permits an assailant to oversee the gadget. Furthermore, we will stroll through past related weaknesses and show the progressions that iPhone has made to alleviate them, and why these are adequately not to forestall comparative assaults.

After interfacing an iOS gadget to another PC, the clients are being found out if they trust the associated PC or not. Deciding to believe the PC permits it to speak with the iOS gadget by means of the standard iTunes APIs.

This permits the PC to get to the photographs on the gadget, perform reinforcement, introduce applications and considerably more, without requiring another affirmation from the client and with no recognizable sign. Besides, this permits enacting the “iTunes Wi-Fi sync” highlight, which makes it conceivable to proceed with this sort of correspondence with the gadget even after it has been detached from the PC, as long as the PC and the iOS gadget are associated with a similar organization. It is intriguing to take note of that empowering “iTunes Wi-Fi sync” doesn’t need the casualty’s endorsement and can be directed simply from the PC side.

Getting a live stream of the gadget’s screen should be possible effectively by consistently requesting screen captures and showing or recording them distantly.

It is imperative to take note of that other than the underlying single purpose of disappointment, approving the vindictive PC, there is no other component that forestalls this proceeded with access. Likewise, there isn’t anything that informs the clients that by approving the PC they permit admittance to their gadget even in the wake of detaching the USB link.

Promiscuous mode is a configuration for a network interface card (NIC) that allows it to pass all network traffic to the CPU for processing, not just the traffic addressed to that NIC. It is commonly used in:

Network sniffing and monitoring

Packet analysis tools like Wireshark

IDS/IPS systems

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Quote:

“Promiscuous mode allows a NIC to capture all packets on the network segment, regardless of the destination MAC address.”

Incorrect Options:

A. Multicast mode handles group address traffic, not all frames

C. WEM is not a valid network mode term

D. Port forwarding redirects traffic to specific internal IPs

===========

The TCP three-way handshake is the foundational mechanism used to establish a reliable connection between two devices. The sequence is as follows:

The client sends a SYN (synchronize) packet to the server to initiate the connection.

The server replies with a SYN-ACK (synchronize-acknowledge) packet.

The client sends an ACK (acknowledge) packet back to the server.

Therefore, the connection starts with a SYN packet from the client.

In an inference-based assessment, scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services, such as an email server, web server, or database server. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.

This question is about web link enumeration using Linux CLI tools — a common initial step during information gathering in penetration testing, covered in CEH v13 Module 02: Footprinting and Reconnaissance.

Objective:

Extract all hyperlinks (i.e., ) from the homepage of a target site to collect subpages, links, or external URLs.

Let’s analyze each component of Option B:

=

=

curl -s <a href="https://site.com">https://site.com | grep '

curl -s <a href="https://site.com:">https://site.com: Silently fetches the HTML source of the main page.

grep '

grep "site.com": Further filters those that point to site.com.

cut -d "v" -f 2: Cuts the line based on the delimiter v to isolate part of the URL — though not perfect, it attempts to extract the visible link.

While not perfectly formed (due to slightly inconsistent quote usage), Option B demonstrates the correct logic chain for web link enumeration using pipes in Linux: fetching, filtering, and extracting.

Why Other Options Are Incorrect:

A. dirb <a href="https://site.com">https://site.com | grep "site"

❌ dirb is used for brute-forcing directories, not grabbing links from HTML.

C. wget https://site.com | grep "

❌ Incorrect. wget will download the entire content (including binary files by default), and piping it directly to grep without -O - or -q -O - makes it ineffective.

D. wget <a href="https://site.com">https://site.com | cut -d "http"

❌ Incorrect. Syntax error (cut -d"http" is invalid without correct delimiter formatting), and again wget needs to be directed to stdout using -O -.

Corrected Optimal Syntax for Real-World Use:

bash

CopyEdit

curl -s https://site.com | grep -oP 'href="\Khttp[^"]+' | grep "site.com"

This uses -oP with Perl-compatible regex to extract only URLs and is a method recommended in CEH iLabs and demonstrations.

Reference from CEH v13 Study Materials:

Module 02 – Footprinting and Reconnaissance, Section: Website Footprinting and Web Crawling

CEH iLabs – Website Information Gathering Lab

CEH Engage Range: Passive and Active Footprinting Phase – Linux Scripting Tasks

A Collision attack is a type of cryptographic attack that targets the hash function. The goal of this attack is to find two different inputs that produce the same hash output. This undermines the integrity of the hashing algorithm, as hash functions are expected to produce a unique output for each unique input.

In practical terms, if two different documents (inputs) produce the same hash value (collision), an attacker can replace a legitimate file with a malicious one without detection, assuming the system validates integrity only via the hash.

CEH v13 defines a collision attack as follows:

"A collision attack focuses on finding two different messages (M1 and M2) that produce the same hash value. This can compromise digital signatures, certificates, and other security protocols."

Reference – CEH v13 Study Guide:

Module 20: Cryptography, Section: “Hashing Algorithms and Attacks”, Subsection: “Collision Attacks”

Incorrect Options Explained:

A: Public keys are part of asymmetric encryption, not relevant to collisions.

B/C: These are incorrect descriptions; collision attacks are not about breaking hashes into parts to retrieve plaintext or private keys.

‒‒‒‒‒‒‒‒‒‒‒‒‒‒‒

The best measure to prevent similar attacks without overly restricting the use of personal devices is to conduct regular cybersecurity awareness training, focusing on phishing attacks. Cybersecurity awareness training is a process of educating and empowering employees on the best practices and behaviors to protect themselves and the organization from cyber threats, such as phishing, malware, ransomware, or data breaches. Cybersecurity awareness training can help the organization mitigate the risk of phishing incidents by providing the following benefits12:

It can increase the knowledge and skills of employees on how to identify and avoid phishing emails, messages, or links, such as by checking the sender, the subject, the content, the attachments, and the URL of the message, and by verifying the legitimacy and authenticity of the message before responding or clicking.

It can enhance the attitude and culture of employees on the importance and responsibility of cybersecurity, such as by encouraging them to report any suspicious or malicious activity, to follow the security policies and guidelines, and to seek help or guidance when in doubt or trouble.

It can reduce the human error and negligence that are often the main causes of phishing incidents, such as by reminding employees to update their devices and applications, to use strong and unique passwords, to enable multi-factor authentication, and to backup their data regularly.

The other options are not as optimal as option D for the following reasons:

A. Provide employees with corporate-owned devices for work-related tasks: This option is not feasible because it contradicts the BYOD policy, which allows employees to use their personal devices for work-related tasks. Providing employees with corporate-owned devices would require the organization to incur additional costs and resources, such as purchasing, maintaining, and securing the devices, as well as training and supporting the employees on how to use them. Moreover, providing employees with corporate-owned devices would not necessarily prevent phishing incidents, as the devices could still be compromised by phishing emails, messages, or links, unless the organization implements strict security controls and policies on the devices, which may limit the user autonomy and productivity3.

B. Implement a mobile device management solution that restricts the installation of non-approved applications: This option is not desirable because it violates the user autonomy and privacy under the BYOD policy, which allows employees to use their personal devices for both personal and professional purposes. Implementing a mobile device management solution that restricts the installation of non-approved applications would require the organization to monitor and control the devices of the employees, which may raise legal and ethical issues, such as data ownership, consent, and compliance. Furthermore, implementing a mobile device management solution that restricts the installation of non-approved applications would not completely prevent phishing incidents, as the employees could still receive phishing emails, messages, or links through the approved applications, unless the organization implements strict security controls and policies on the applications, which may affect the user experience and functionality4.

C. Require all employee devices to use a company-provided VPN for internet access: This option is not sufficient because it does not address the root cause of phishing incidents, which is the human factor. Requiring all employee devices to use a company-provided VPN for internet access would provide the organization with some benefits, such as encrypting the network traffic, hiding the IP address, and bypassing geo-restrictions. However, requiring all employee devices to use a company-provided VPN for internet access would not prevent phishing incidents, as the employees could still fall victim to phishing emails, messages, or links that lure them to malicious websites or applications, unless the organization implements strict security controls and policies on the VPN, which may affect the network performance and reliability.

In ethical hacking and penetration testing, assessing the security posture of a target system requires direct technical interaction with that system. The combination of techniques in option D—port scanning, banner grabbing, and service identification—provides actionable and detailed insight into the system’s vulnerabilities, services, and configurations.

According to CEH v13 Official Courseware:

Port scanning is the process of identifying open ports and the services running on them. It reveals:

Which ports are open or closed

The operating system's response behavior

Entry points for possible exploitation

Banner grabbing involves connecting to open services to retrieve application-level information. This can expose:

Software version numbers

Server type and configuration

Security misconfigurations

Service identification allows the security professional to determine what protocols and services (HTTP, FTP, SSH, etc.) are active and how they are configured. This supports:

Vulnerability analysis

Risk evaluation

Threat modeling

These combined techniques are fundamental steps in the reconnaissance and scanning phases of the ethical hacking lifecycle.

Incorrect Options:

A. Phishing, spamming, sending trojans are offensive tactics used in attacks; they provide limited direct system analysis and do not measure technical posture directly.

B. Social engineering, site browsing, and tailgating are physical or psychological attack vectors, not direct technical assessments.

C. Wardriving and warchalking identify wireless networks but offer limited detail about internal system configurations or vulnerabilities.

Reference – CEH v13 Official Study Material:

Module 03: Scanning Networks

Section: “Types of Scanning”

Subsections: “Port Scanning,” “Banner Grabbing,” and “Service Version Detection”

CEH Engage: Scanning and Enumeration labs

CEH Official Exam Blueprint: Knowledge Area — “Footprinting and Reconnaissance” and “Scanning Networks”

These techniques are emphasized as foundational components in any network vulnerability assessment.

In CEH v13 Module 06: Malware Threats, a worm is described as a self-replicating piece of malware that spreads independently from one system to another without needing to attach itself to any file or program (unlike viruses).

Key Characteristics of Worms:

Capable of network propagation without human interaction.

Often used in mass attacks (e.g., WannaCry, Conficker).

Can cause significant damage by:

Consuming bandwidth.

Spreading payloads (e.g., ransomware).

Modifying or deleting files.

Option Clarification:

A. Rootkit: Hides presence of malware or attacker activities.

B. Trojan: Disguised as legitimate software; does not replicate.

C. Worm: Correct – self-replicating and spreads automatically.

D. Adware: Primarily shows ads; not typically destructive or self-replicating.

The Shellshock vulnerability (CVE-2014-6271) allows attackers to execute arbitrary commands via crafted environment variables in Bash. In this example, the malicious command cat /etc/passwd is executed, displaying the contents of the file (which contains system user account info).

Reference – CEH v13 Official Study Guide:

Module 6: Malware Threats

Quote:

“Shellshock allows remote code execution through environment variables processed by Bash. Exploits can be used to run commands like cat /etc/passwd on a vulnerable system.”

Incorrect Options:

A. No file deletion occurs.

B. It doesn’t change passwords.

C. No user addition occurs.

===========

JXplorer could be a cross platform LDAP browser and editor. it’s a standards compliant general purpose LDAP client which will be used to search, scan and edit any commonplace LDAP directory, or any directory service with an LDAP or DSML interface.

It is extremely flexible and can be extended and custom in a very number of the way. JXplorer is written in java, and also the source code and source code build system ar obtainable via svn or as a packaged build for users who wish to experiment or any develop the program.

JX is is available in 2 versions; the free open source version under an OSI Apache two style licence, or within the JXWorkBench Enterprise bundle with inbuilt reporting, administrative and security tools.

JX has been through a number of different versions since its creation in 1999; the foremost recent stable release is version 3.3.1, the August 2013 release.

JXplorer could be a absolutely useful LDAP consumer with advanced security integration and support for the harder and obscure elements of the LDAP protocol. it’s been tested on Windows, Solaris, linux and OSX, packages are obtainable for HPUX, AIX, BSD and it should run on any java supporting OS.