Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

A Protocol Analyzer is the correct tool used to examine the contents of packet data (often stored in .pcap files) to determine if a particular sequence of traffic is suspicious, malformed, or part of a known exploit.

In CEH v13:

Module 3: Scanning Networks

Module 4: Enumeration

Module 5: Vulnerability Analysis

Related Lab: Packet Analysis using Wireshark

The CEH v13 Study Guide states:

“A protocol analyzer (e.g., Wireshark) captures and decodes packets to display their contents and help analysts understand communication flows and anomalies. It is used to manually inspect packet contents and behavior, which helps distinguish legitimate traffic from attacks.”

PCAP (Packet Capture) files are typically analyzed using tools like Wireshark. These tools decode protocol layers and show payloads, making it easier for analysts to identify if IDS alerts were accurate or false positives.

Incorrect Options:

B. Network sniffer: General term; protocol analyzer is the specific functional tool used.

C. IPS: Prevents or blocks malicious traffic, but does not analyze existing packet captures.

D. Vulnerability scanner: Identifies vulnerabilities on systems/services; not used for packet capture review.

The command uses sqlmap, a powerful SQL injection and database penetration testing tool. The flag -u specifies the target URL, and -dbs instructs sqlmap to enumerate the available databases on the DBMS behind that URL.

Command Breakdown:

-u: Target URL with injectable parameters

-dbs: Retrieve and enumerate all available database names

This is a common first step in identifying vulnerable DBMS structures after confirming SQL injection.

Incorrect Options:

A. Backdoor creation is not the default function of sqlmap.

C. Retrieving SQL statements would require additional options like --trace or --sql-query.

D. Option D is not technically accurate—sqlmap is used for injection and enumeration, not searching statements.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “SQL Injection Tools and Automation”

Tool Reference: sqlmap usage and options

=

A Stealth or Tunneling Virus is designed specifically to evade detection by antivirus software and system monitoring tools. These viruses work by intercepting and modifying the operating system’s service call interrupts (such as INT 13h and INT 21h in DOS systems), which are used to access files or system services.

By hooking into these interrupts, the virus can return clean or forged data to antivirus scanners, thus hiding its malicious presence from detection tools.

Tunneling viruses may also operate at a lower level to evade even more advanced antivirus detection methods, making them particularly dangerous and hard to detect.

Reference – CEH v13 Official Study Guide:

Module 6: Malware Threats

Section: Types of Viruses

Quote:

“Tunneling viruses attempt to avoid detection by antivirus programs by installing themselves in the interrupt handler chain. These viruses intercept operating system calls to conceal their activities.”

Incorrect Options Explained:

A. Macro viruses target applications like Microsoft Word/Excel and use embedded macros, but do not alter service call interrupts.

C. Cavity viruses insert code into empty spaces in files without changing the file size but do not modify interrupts.

D. Polymorphic viruses mutate their code to avoid signature-based detection but do not typically interfere with system interrupts directly.

https://tools.kali.org/information-gathering/hping3

http://www.carnal0wnage.com/papers/LSO-Hping2-Basics.pdf

Evilginx Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. It's core runs on Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content, while intercepting traffic between client and server.

The honey trap is a technique where an attacker targets a person online by pretending to be an attractive person and then begins a fake online relationship to obtain confidential information about the target company. In this technique, the victim is an insider who possesses critical information about the target organization.

Baiting is a technique in which attackers offer end users something alluring in exchange for

important information such as login details and other sensitive data. This technique relies on

the curiosity and greed of the end-users. Attackers perform this technique by leaving a physical

device such as a USB flash drive containing malicious files in locations where people can easily

find them, such as parking lots, elevators, and bathrooms. This physical device is labeled with a

legitimate company's logo, thereby tricking end-users into trusting it and opening it on their

systems. Once the victim connects and opens the device, a malicious file downloads. It infects

the system and allows the attacker to take control.

For example, an attacker leaves some bait in the form of a USB drive in the elevator with the

label "Employee Salary Information 2019" and a legitimate company's logo. Out of curiosity and

greed, the victim picks up the device and opens it up on their system, which downloads the

bait. Once the bait is downloaded, a piece of malicious software installs on the victim's system,

giving the attacker access.

CEH v13 identifies encrypted communication channels as one of the most common and effective firewall evasion techniques. Firewalls that rely on packet inspection or signature-based filtering often cannot inspect encrypted payloads without SSL/TLS interception capabilities.

By encrypting malicious traffic—using HTTPS, VPN tunnels, or encrypted C2 channels—attackers can bypass firewall rules that inspect packet contents. CEH v13 emphasizes that this technique is widely used in malware communication, data exfiltration, and command-and-control operations.

IP spoofing (Option A) is limited by ingress and egress filtering and is less effective against modern firewalls. Open-source operating systems (Option B) do not inherently evade firewalls. Social engineering (Option D) targets users, not firewalls.

Therefore, Option C is the correct and CEH-aligned answer.

This activity clearly indicates a TCP SYN scan, also known as a half-open scan, which is a commonly used stealth scanning technique discussed in CEH v13 Reconnaissance and Network Scanning. In a SYN scan, the attacker sends TCP SYN packets to target ports and observes the responses without completing the TCP three-way handshake.

If the port is open, the target responds with a SYN/ACK packet. The scanner then immediately sends a RST packet instead of the final ACK, leaving the connection half-open. This behavior allows attackers to identify open ports while minimizing log entries and reducing detection by security monitoring tools.

The absence of ACK packets in logs supports this explanation, as the handshake is never completed.

Other options are incorrect because:

XMAS scans send packets with multiple flags set.

SYN/ACK scans are primarily used for firewall rule discovery.

TCP Connect scans complete the full handshake and generate ACKs.

CEH v13 emphasizes that SYN scans are widely used because they balance accuracy and stealth, making them a preferred reconnaissance method for attackers.

Bollards are short vertical posts installed to control or direct road traffic, but more importantly, they act as physical security controls to prevent vehicle-ramming attacks or unauthorized vehicle entry into sensitive or secure areas such as building entrances. They are often reinforced and strategically placed to withstand high-speed collisions.

This is a physical security control described in CEH v13 Module 01 (Introduction to Ethical Hacking) and further discussed in physical security best practices for preventing unauthorized physical access.

Incorrect Options:

B. Receptionist is a human control, not a physical barrier for vehicles.

C. Mantrap is used to control personnel access, not vehicle access.

D. Turnstile controls pedestrian entry, not vehicles.

CEH v13 identifies automated patch management as the most secure and scalable approach. Automated tools ensure timely deployment, validation, rollback capability, and compliance reporting.

Manual patching increases human error. Applying patches from unknown sources introduces malware risk. Limiting patches contradicts best practices.

Therefore, Option B is correct.

The Certified Ethical Hacker (CEH) Incident Response lifecycle begins with Identification, followed by containment, eradication, recovery, and lessons learned. CEH documentation stresses that understanding the scope and nature of an incident is critical before taking disruptive action.

Option A is the correct initial response because it focuses on real-time monitoring and log analysis, which are essential during the identification phase. CEH materials emphasize analyzing logs, authentication failures, and traffic anomalies to confirm whether an incident has occurred and determine the attacker’s techniques, persistence level, and impact.

Option B, while valuable, is more appropriate after initial identification. Conducting deep outbound traffic audits without first understanding the attack vector can delay containment decisions.

Option C is premature. CEH warns that changing credentials too early may alert the attacker and cause them to escalate or destroy evidence.

Option D represents a containment strategy, not an initial response. CEH guidelines advise against immediately disconnecting systems unless there is confirmed active data exfiltration that cannot be otherwise controlled, as this may disrupt business operations and erase volatile forensic evidence.

Therefore, the CEH-approved approach is to monitor, analyze, and identify the incident before moving to containment and eradication.

The CEH Mobile Platform Security module explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns. A custom exploit with obfuscation is far more likely to bypass detection.

CEH explicitly teaches that:

Zero-day or unpatched vulnerabilities

Custom, obfuscated payloads

Minimal use of known frameworks

are the most effective for bypassing endpoint defenses during controlled testing.

Option A is correct.

Options B and C are easily detected.

Option D is social engineering, not a technical exploit.

In a man-in-the-middle (MITM) attack, an attacker intercepts communication between two parties and can read, alter, or inject data without either party knowing. Susan's actions — intercepting and modifying her boss's session data before relaying it to the server — is the classic MITM pattern.

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

CEH v13 Study Guide states:

“In a MITM attack, the attacker positions themselves between two communicating parties, relaying and possibly altering communications while maintaining the illusion that the parties are communicating directly.”

Incorrect Options:

A: Sniffing only involves passive listening.

B: Spoofing may involve impersonation but not necessarily interception and relay.

D: DoS is about service disruption, not data interception.

Comprehensive and Detailed Explanation From CEH v13 Guide:

Grey-box testing is a hybrid method where the tester has partial knowledge of the internal workings of the system, allowing for a more focused and efficient assessment of security vulnerabilities compared to black-box (no knowledge) and white-box (full knowledge). This approach simulates an insider threat or a user with limited access rights.

CEH v13 Reference:

Module 15: Hacking Web Applications – Types of Penetration Testing

“Gray-box testing assumes partial knowledge of internal structures, combining elements of both black-box and white-box testing.”

=

WS-Address provides additional routing information in the SOAP header to support asynchronous communication. This technique allows the transmission of web service requests and response messages using different TCP connections

https://www.google.com/search?client=firefox-b-d &q=WS-Address+spoofing

CEH V11 Module 14 Page 1896

L0phtCrack is a password auditing and recovery tool. It can:

Capture password hashes over the network (e.g., via SMB).

Crack password hashes using dictionary, brute-force, or hybrid attacks.

It’s particularly effective when used on SMB-based challenge-response authentication (NTLM/LM) captured via packet sniffing.

From CEH v13 Courseware:

Module 4: Enumeration

Module 6: Malware Threats

CEH v13 Study Guide states:

“L0phtCrack can sniff SMB authentication exchanges from network traffic and extract NTLM password hashes to crack them offline.”

Incorrect Options:

A: This is possible (hence A is wrong).

B: Netbus is a backdoor/trojan tool.

C: NTFSDOS is used to read NTFS partitions under DOS, not for password cracking.

document.write(); (Cookie and session ID theft)

https://www.softwaretestinghelp.com/cross-site-scripting-xss-attack-test/

As seen in the indicated question, cookies are escaped and sent to script to variable ‘cookie’. If the malicious user would inject this script into the website’s code, then it will be executed in the user’s browser and cookies will be sent to the malicious user.

Digital signatures are designed to provide two key guarantees:

Authenticity – confirming the identity of the sender.

Unforgeability – ensuring that no one else can produce the same signature without the sender’s private key.

These properties are achieved using a combination of hash functions and asymmetric encryption (digital certificates/private keys).

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“A valid digital signature ensures that the message comes from a legitimate sender (authenticity) and has not been altered or forged (unforgeability).”

Incorrect Options:

A, C, D: Refer to human/visual signatures, not cryptographic properties

=

Passive Assessment Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who are currently accessing the network.

A hybrid encryption system is a system that combines the advantages of both asymmetric and symmetric encryption algorithms. Asymmetric encryption, such as RSA, uses a pair of keys: a public key and a private key, which are mathematically related but not identical. Asymmetric encryption can provide key exchange, authentication, and non-repudiation, but it is slower and less efficient than symmetric encryption. Symmetric encryption, such as AES, uses a single key to encrypt and decrypt data. Symmetric encryption is faster and more efficient than asymmetric encryption, but it requires a secure way to share the key.

In a hybrid encryption system, RSA encryption is used for key exchange, and AES encryption is used for data encryption. This way, the system can benefit from the security of RSA and the speed of AES. However, the system also depends on the key sizes of both algorithms, which affect the security and performance of the system.

The key size of RSA encryption determines the number of bits in the public and private keys. The larger the key size, the more secure the encryption, but also the slower the key generation and encryption/decryption processes. The time complexity of generating an RSA key pair is O(n*2), where n is the key size in bits. This means that the time required to generate an RSA key pair increases quadratically with the key size. For example, if it takes 1 second to generate a 1024-bit RSA key pair, it will take 4 seconds to generate a 2048-bit RSA key pair, and 16 seconds to generate a 4096-bit RSA key pair.

The key size of AES encryption determines the number of bits in the symmetric key. The larger the key size, the more secure the encryption, but also the more rounds of encryption/decryption are needed. The time complexity of AES encryption is O(n), where n is the key size in bits. This means that the time required to encrypt/decrypt data increases linearly with the key size. For example, if it takes 1 second to encrypt/decrypt data with a 128-bit AES key, it will take 2 seconds to encrypt/decrypt data with a 256-bit AES key, and 4 seconds to encrypt/decrypt data with a 512-bit AES key.

An attacker has developed a quantum algorithm with time complexity O((log n)*2) to crack RSA encryption. This means that the time required to break RSA encryption decreases exponentially with the key size. For example, if it takes 1 second to break a 1024-bit RSA encryption, it will take 0.25 seconds to break a 2048-bit RSA encryption, and 0.0625 seconds to break a 4096-bit RSA encryption. This makes RSA encryption vulnerable to quantum attacks, unless the key size is very large.

Given n=4000 and variable AES key size, the scenario that is likely to provide the best balance of security and performance is C. AES key size=192 bits. This configuration is a compromise between options A and B, providing moderate security and performance. Option A, AES key size=128 bits, provides less security than option C, but RSA key generation and AES encryption will be faster. Option B, AES key size=256 bits, provides more security than option C, but RSA key generation may be slow. Option D, AES key size=512 bits, provides the highest level of security, but at a significant performance cost due to the large AES key size.