Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

Hashing is a one-way function—by design, it cannot be reversed. Password-cracking tools do not "reverse" the hash. Instead, they:

Generate a list of potential passwords.

Hash each candidate using the same algorithm.

Compare the result to the target hash.

If a match is found, the original password is revealed by correlation, not reversal.

From CEH v13 Official Courseware:

Module 6: Cryptography and Password Cracking

CEH v13 Study Guide states:

“Hash functions are one-way and irreversible. Password-cracking tools work by hashing wordlists or character combinations and comparing them to known password hashes.”

https://en.wikipedia.org/wiki/Internet_Relay_Chat

Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in text. The chat process works on a client/server networking model. IRC clients are computer programs that users can install on their system or web-based applications running either locally in the browser or on a third-party server. These clients communicate with chat servers to transfer messages to other clients.

IRC is a plaintext protocol that is officially assigned port 194, according to IANA. However, running the service on this port requires running it with root-level permissions, which is inadvisable. As a result, the well-known port for IRC is 6667, a high-number port that does not require elevated privileges. However, an IRC server can also be configured to run on other ports as well.

You can't tell if an IRC server is designed to be malicious solely based on port number. Still, if you see an IRC server running on port a WKP such as 80, 8080, 53, 443, it's almost always going to be malicious; the only real reason for IRCD to be running on port 80 is to try to evade firewalls.

https://en.wikipedia.org/wiki/Application_firewall

An application firewall is a form of firewall that controls input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The application firewall can control communications up to the OSI model's application layer, which is the highest operating layer, and where it gets its name. The two primary categories of application firewalls are network-based and host-based.

Application layer filtering operates at a higher level than traditional security appliances. This allows packet decisions to be made based on more than just source/destination IP Addresses or ports. It can also use information spanning across multiple connections for any given host.

Network-based application firewalls

Network-based application firewalls operate at the application layer of a TCP/IP stack. They can understand certain applications and protocols such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications or services using a non-standard port or detect if an allowed protocol is being abused.

Host-based application firewalls

A host-based application firewall monitors application system calls or other general system communication. This gives more granularity and control but is limited to only protecting the host it is running on. Control is applied by filtering on a per-process basis. Generally, prompts are used to define rules for processes that have not yet received a connection. Further filtering can be done by examining the process ID of the owner of the data packets. Many host-based application firewalls are combined or used in conjunction with a packet filter.

A covert channel is a communication method used to transfer information in a way that violates security policy, often by repurposing legitimate protocols or functions for unauthorized communication.

From CEH v13 Official Courseware:

Module 6: Malware Threats

Topic: Covert Communication and Data Exfiltration Techniques

CEH v13 Study Guide states:

“A covert channel exploits unintended uses of legitimate communication protocols. It allows data to be transmitted without detection by hiding the communication inside seemingly benign traffic.”

Incorrect Options:

A: A non-standard port may aid in hiding services, but doesn’t constitute a covert channel.

C: Multiplexing is a normal communication mechanism.

D: WEP is insecure, but this isn’t related to covert channels.

In CEH v13 Module 11: Hacking Wireless Networks, antenna types are critical for wireless communications, signal strength, and attack range.

Yagi Antenna

A directional antenna designed to operate in VHF (30 MHz to 300 MHz) and UHF (300 MHz to 3 GHz) frequency bands.

Frequently used for point-to-point communication, such as long-distance Wi-Fi or directional signal monitoring.

Offers high gain, narrow beamwidth, and works well for capturing or projecting signals over long distances.

Why Other Options Are Incorrect:

B. Dipole antenna: Typically omnidirectional; less gain; not optimized for long-distance VHF/UHF.

C. Parabolic grid antenna: Used in microwave and satellite frequencies; not suited for 10 MHz–VHF.

D. Omnidirectional antenna: Broadcasts in all directions; used in short-range access points.

https://en.wikipedia.org/wiki/IPsec

Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks. It supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection.

The initial IPv4 suite was developed with few security provisions. As a part of the IPv4 enhancement, IPsec is a layer 3 OSI model or internet layer end-to-end security scheme. In contrast, while some other Internet security systems in widespread use operate above layer 3, such as Transport Layer Security (TLS) that operates at the Transport Layer and Secure Shell (SSH) that operates at the Application layer, IPsec can automatically secure applications at the IP layer.

https://en.wikipedia.org/wiki/Residual_risk

The residual risk is the risk or danger of an action or an event, a method or a (technical) process that, although being abreast with science, still conceives these dangers, even if all theoretically possible safety measures would be applied (scientifically conceivable measures); in other words, the amount of risk left over after natural or inherent risks have been reduced by risk controls.

· Residual risk = (Inherent risk) – (impact of risk controls)

In CEH v13 Module 14: Cryptography, key escrow is discussed as a recovery mechanism where a third party securely holds a cryptographic key for retrieval if it’s lost.

Key Escrow Characteristics:

Common in enterprise environments for systems like BitLocker.

Keys are automatically backed up to Active Directory (AD) for future retrieval.

Ensures that encrypted data is not permanently lost due to forgotten or deleted keys.

Option Clarification:

A. Key archival: Storing old keys for audit/record-keeping.

B. Key escrow: Correct – Third-party or central storage for recovery purposes.

C. Certificate rollover: Replacement of expiring certificates.

D. Key renewal: Generating a new key after expiration or compromise.

DNS zone transfers occur when a secondary name server (slave) checks the Start of Authority (SOA) record from the primary server. The serial number in the SOA indicates the version of the zone file.

If:

Primary SOA serial > Secondary SOA serial

→ Zone transfer is initiated by the secondary server to update its data.

From CEH v13:

Module 3: DNS Enumeration

Topic: Zone Transfers and SOA Logic

CEH v13 Study Guide states:

“A secondary name server periodically queries the primary name server for changes. If the serial number in the SOA record is higher on the primary, it indicates a zone update, and a zone transfer is triggered.”

Incorrect Options:

B: Reversed condition

C/D: Restarting services doesn’t necessarily trigger a transfer

E: TTL expiration affects caching, not zone transfer logic

A DMZ (Demilitarized Zone) is a physical or logical subnet that separates an internal local area network (LAN) from untrusted networks—typically the Internet. It allows an organization to provide external-facing services while isolating internal systems from direct exposure.

From CEH v13 Official Courseware:

Module 13: Hacking Web Applications

Module 14: Hacking Web Servers

Module 1: Introduction to Ethical Hacking – Security Architecture Concepts

CEH v13 clearly outlines:

“A DMZ is critical when deploying Internet-facing servers such as web servers, FTP servers, or mail servers. It provides a buffer zone that allows public access to specific resources while keeping the internal network isolated.”

Bob’s assumption is flawed for several reasons:

DMZs can be implemented even with stateless firewalls using strict access control rules.

Relying solely on IP-based filtering is error-prone and doesn’t offer layered defense.

A DMZ provides an essential layer of segmentation, protecting internal assets from compromised public servers.

Incorrect Options:

A/D: DMZ can still make sense even with stateless firewalls if properly configured.

B: IP filtering is insufficient as a sole security measure; does not replace the need for network segmentation.

In an SOA (Start of Authority) record, the fifth value represents the “Expire” interval — the time a secondary DNS server will keep trying to contact the primary server before considering the zone data stale or invalid.

SOA Format:

SOA Primary-NS Hostmaster (Serial Refresh Retry Expire Minimum-TTL)

Given SOA:

(200302028 3600 3600 604800 3600)

Serial: 200302028

Refresh: 3600 seconds

Retry: 3600 seconds

Expire: 604800 seconds = 7 days = 1 week

Minimum TTL: 3600

So, if the secondary DNS cannot contact the primary for 604800 seconds (1 week), it will stop serving that zone’s data.

Comprehensive and Detailed Explanation:

Social engineering is a psychological manipulation technique used by attackers to trick individuals into divulging confidential or personal information that may be used for fraudulent purposes.

It relies on human interaction and may involve tactics such as:

Impersonation

Pretexting

Phishing

Baiting

Rather than attacking systems directly, attackers exploit human trust and error.

From CEH v13 Courseware:

Module 7: Social Engineering

Zone transfers (AXFR) are DNS operations used to replicate DNS data from a primary to a secondary server. If improperly configured, attackers can request these transfers and retrieve valuable DNS information, including hostnames and IPs.

Correct Statements:

A: Zone transfers are DNS protocol operations.

C: They transfer the entire DNS zone file (records for the domain).

E: Zone transfers use TCP port 53. Blocking it can prevent unauthorized transfers.

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration → Zone Transfers

CEH v13 Study Guide states:

“A zone transfer is a mechanism used by DNS servers to replicate databases. It can be used by attackers to retrieve detailed DNS information if not properly restricted. Zone transfers occur over TCP port 53.”

Incorrect Statements:

B/D: nslookup is a query tool; it doesn’t perform or manage zone transfers.

F: Zone transfers can happen on the internet if DNS servers are misconfigured.

Shellshock (CVE-2014-6271) is a vulnerability in the GNU Bash (Bourne Again Shell) that allows remote code execution via crafted environment variables. It was disclosed in 2014 and had a wide impact on systems that relied on Bash as a command-line shell interpreter.

Affected systems include:

Linux distributions (Red Hat, Debian, CentOS, Ubuntu, etc.)

Unix variants (e.g., FreeBSD, OpenBSD, etc.)

Apple macOS (formerly OS X), since it uses Bash as the default shell

Windows systems were not directly affected because they do not use Bash by default. Bash is not a native component of Windows operating systems, and Shellshock exploits Bash-specific behavior. Only Windows systems where Bash was manually installed through a third-party method or environment (e.g., Cygwin) might be susceptible — but by default, Windows systems are immune.

Incorrect options:

A. Linux — Affected

B. Unix — Affected

C. OS X — Affected

D. Windows — Not directly affected (Correct answer)

Brute-force attack when an attacker uses a set of predefined values to attack a target and analyze the response until he succeeds. Success depends on the set of predefined values. It will take more time if it is larger, but there is a better probability of success. In a traditional brute-force attack, the passcode or password is incrementally increased by one letter/number each time until the right passcode/password is found.

In CEH v13 Module 02: Footprinting and Reconnaissance, the OSINT Framework is introduced as a collection of free, open-source tools and resources to aid ethical hackers in passive reconnaissance.

Key Features of OSINT Framework:

Web-based visual tool that maps out links to open-source intelligence tools.

Allows collection of emails, domains, usernames, IPs, social media data, and more.

Focuses on passive footprinting to avoid detection.

Option Clarification:

A. WebSploit Framework: Used for man-in-the-middle attacks and web vulnerabilities.

B. Browser Exploitation Framework (BeEF): Browser-focused attack tool.

C. OSINT Framework: Correct — open-source intelligence and reconnaissance.

D. SpeedPhish Framework: Phishing simulation tool, not used for passive information gathering.