Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

The ethical hacker is likely performing an SYN scan to stealthily identify open ports without fully establishing a connection. An SYN scan, also known as a half-open scan or a stealth scan, is a type of port scanning technique that exploits the TCP three-way handshake process. The hacker sends an SYN packet to a target port and waits for a response. If the target responds with an SYN/ACK packet, it means the port is open and listening for connections. If the target responds with an RST packet, it means the port is closed and not accepting connections. However, instead of completing the handshake with an ACK packet, the hacker sends an RST packet to abort the connection. This way, the hacker avoids creating a full connection and logging an entry in the target’s system, making the scan less detectable and intrusive. The hacker can repeat this process for different ports and identify which ones are open and potentially vulnerable to exploitation12.

The other options are not correct for the following reasons:

B. They are performing a TCP connect scan to identify open ports on the target machine: This option is incorrect because a TCP connect scan involves establishing a full connection with the target port by completing the TCP three-way handshake. The hacker sends an SYN packet, receives an SYN/ACK packet, and then sends an ACK packet to finalize the connection. Then, the hacker terminates the connection with an RST or FIN packet. A TCP connect scan is more reliable and compatible than an SYN scan, but also more noisy and slow, as it creates more traffic and logs on the target system12.

C. They are performing a vulnerability scan to identify any weaknesses in the target system: This option is incorrect because a vulnerability scan is a broader and deeper process than a port scan. A vulnerability scan involves identifying and assessing the security flaws and risks in a system or network, such as missing patches, misconfigurations, outdated software, or weak passwords. A vulnerability scan may use port scanning as one of its techniques, but it also uses other methods, such as banner grabbing, service enumeration, or exploit testing. A vulnerability scan usually requires more time, resources, and permissions than a port scan34.

D. They are performing a network scan to identify live hosts and their IP addresses: This option is incorrect because a network scan is a different process than a port scan. A network scan involves discovering and mapping the devices and hosts connected to a network, such as routers, switches, servers, or workstations. A network scan may use ping, traceroute, or ARP requests to identify the IP addresses, MAC addresses, and hostnames of the live hosts. A network scan usually precedes a port scan, as it provides the target range and scope for the port scan56.

The command usage that would best serve your objective to find where the NTP server obtains the time from and to trace the list of NTP servers connected to the network is ntptrace -n -m 5 192.168.1.1. This command usage works as follows:

ntptrace is a tool that determines where a given NTP server gets its time from, and follows the chain of NTP servers back to their master time source. For example, a stratum 0 server, which is a device that directly obtains the time from a physical source, such as an atomic clock or a GPS receiver1.

-n is a flag that outputs host IP addresses instead of host names. This can be useful if the host names are not resolvable or if the IP addresses are more informative1.

-m 5 is a flag that specifies the maximum number of hosts to be traced. This can be useful to limit the output and avoid tracing irrelevant or unreachable hosts1.

192.168.1.1 is the IP address of the NTP server in the demilitarized zone, which is the starting point of the trace. This can be useful to find out the source and the path of the time synchronization for the network system1.

By using this command usage, the output will show the IP addresses, the stratum, the offset, the sync distance, and the reference ID of each NTP server in the chain, up to five hosts. This can provide valuable information about the accuracy, the reliability, and the security of the time service for the network system1.

The other options are not as suitable as option D for the following reasons:

A. ntptrace -m 5 192.168.1.1: This option is similar to option D, but it does not use the -n flag, which means that it will output host names instead of IP addresses. This can be less useful if the host names are not resolvable or if the IP addresses are more informative1.

B. tptrace 192.1681.: This option is incorrect because it uses a wrong tool name and a wrong IP address. tptrace is not a valid tool name, and 192.1681. is not a valid IP address. The correct tool name is ntptrace, and the correct IP address is 192.168.1.11.

C. ntptrace -n localhost: This option is not effective because it uses localhost as the starting point of the trace, which means that it will only show the local host’s time source. This can be useful to check the local host’s time configuration, but it does not help to find out the time source and the trace of the NTP server in the demilitarized zone, which is the objective of this scenario1.

In CEH v13 Module 06: Malware Threats, stealth viruses are covered as advanced malware that can evade detection by:

Intercepting system calls related to file access.

Masking their presence in files, memory, or on disk.

Restoring original code temporarily to fool signature-based scanners.

These capabilities allow stealth viruses to:

Avoid detection by antivirus scanners.

Operate undisturbed until triggered.

Option Clarification:

A. Cavity virus: Hides in unused file space but doesn't evade as effectively.

C. File-extension virus: Exploits deceptive file names but is often detected.

D. Macro virus: Targets office documents, not highly evasive.

Correct answer is B. Stealth virus.

If a system stores passwords in weak or reversible formats, attackers can perform offline cracking. CEH emphasizes dictionary attacks as the fastest and most efficient method to exploit weak hashing practices. This avoids detection and leverages known password patterns to recover plaintext credentials.

The SOA (Start of Authority) record is a DNS record that defines the authoritative information about a domain. Its format includes the following fields:

(domain) IN SOA (Primary Name Server) (Responsible Email)

(Serial) (Refresh) (Retry) (Expire) (Minimum TTL)

Given:

Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)

Field values:

Serial: 200302028 (→ This is the version number of the zone file.)

Refresh: 3600 seconds

Retry: 3600 seconds

Expire: 604800 seconds

Minimum TTL: 2400 seconds

These values represent key configurations and are all part of the SOA record's operational data.

A: 200302028 = Serial/version (correct)

B: 3600 = Refresh (correct)

C: 604800 = Expire (correct)

D: 2400 = Minimum TTL (correct)

Incorrect Options:

E and F (60, 4800): Not part of the SOA record shown.

A Kerberoasting attack is a technique that exploits the weak encryption of Kerberos service tickets to obtain the password hashes of service accounts that have a Service Principal Name (SPN) associated with them. The attacker can then crack the hashes offline and use the plaintext passwords to impersonate the service accounts and access network resources.

A Kerberoasting attack follows these steps1:

The attacker impersonates a legitimate Active Directory user and authenticates to the Key Distribution Center (KDC) in the Active Directory environment. They then request a Ticket Granting Ticket (TGT) from the KDC to access network resources. The KDC complies because the attacker is impersonating a legitimate user.

The attacker enumerates the service accounts that have an SPN using tools like GetUserSPNs.py or PowerView. They then request a service ticket for each SPN from the KDC using their TGT. The KDC grants the service tickets, which are encrypted with the password hashes of the service accounts.

The attacker captures the service tickets and takes them offline. They then attempt to crack the password hashes using tools like Hashcat or John the Ripper. They can use various methods, such as brute force, dictionary, or hybrid attacks, to guess the passwords. Alternatively, they can use a PRINCE attack, which is a probabilistic password generation technique that combines common words, patterns, and transformations to generate likely passwords2.

Once the attacker obtains the plaintext passwords of the service accounts, they can use them to authenticate as the service accounts and access the network resources that they are authorized to.

Therefore, the next step that the analyst should take after obtaining a valid TGT is to request a service ticket for the SPN of the target service account. This will allow them to capture the service ticket and extract the password hash of the service account.

Comprehensive and Detailed Explanation:

In a MAC flooding attack, tools like macof (shown in the image) rapidly generate a large number of Ethernet frames with spoofed source MAC addresses. These are sent to the switch to overflow its CAM (Content Addressable Memory) table.

Once the CAM table is full:

The switch can no longer learn new MAC-to-port associations.

It fails open and starts broadcasting all incoming traffic to all ports.

This causes the switch to act like a hub.

Consequently, the attacker can:

Sniff traffic that would otherwise be switched.

Intercept data not destined for their system.

From CEH v13 Courseware:

Module 8: Sniffing → Switch-Based Attacks → MAC Flooding

Incorrect Options:

B: A switch typically does not crash but reverts to hub behavior.

C: There is no factory default override behavior like this.

D: Packets are not dropped—this would defeat the attack’s purpose.

Simple Network Management Protocol (SNMP) enumeration involves querying devices on the network for information such as routing tables, interface statistics, and system details.

Useful tools include:

A. SNMPUtil: A command-line Microsoft utility for sending SNMP requests.

B. SNScan: Tool from Foundstone for SNMP scanning and enumeration.

C. SNMPScan: Lightweight tool for scanning networks for SNMP-enabled devices.

D. SolarWinds IP Network Browser: A commercial tool for graphical SNMP enumeration.

From CEH v13 Courseware:

Module 4: Enumeration

Subsection: SNMP Enumeration Tools

Incorrect Option:

E. NMap can detect SNMP services, but is not specialized for SNMP enumeration like the others.

Regional Internet Registries (RIRs):

ARIN (American Registry for Internet Numbers)

AFRINIC (African Network Information Center)

APNIC (Asia Pacific Network Information Center)

RIPE (Réseaux IP Européens Network Coordination Centre)

LACNIC (Latin American and Caribbean Network Information Center)

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. See authorization to operate (ATO). Rationale: The Risk Management Framework uses a new term to refer to this concept, and it is called authorization.

Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging. Synonymous with Security Perimeter.

For the purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system. See authorization boundary. Rationale: The Risk Management Framework uses a new term to refer to the concept of accreditation, and it is called authorization. Extrapolating, the accreditation boundary would then be referred to as the authorization boundary.

CEH v13 outlines a structured approach to vulnerability assessment and exploitation. After identifying a high-severity vulnerability, the next critical step is verification and research, not immediate exploitation. This ensures accuracy, reduces false positives, and avoids unnecessary risk. CEH emphasizes that testers must validate vulnerability details, confirm version applicability, assess exploit availability (e.g., Metasploit, Exploit-DB), and evaluate potential impact. Attempting DoS attacks (Option A) is prohibited unless explicitly scoped and does not align with responsible testing. Brute-force attacks (Option B) are unrelated to software version vulnerabilities. Ignoring the issue (Option D) violates CEH methodology. The correct process is to research and verify—ensuring exploitation is safe, relevant, and authorized. This aligns with CEH’s vulnerability management lifecycle: discovery → verification → prioritization → exploitation (when allowed) → reporting.

https://blog.mailfence.com/how-do-digital-signatures-work/

https://en.wikipedia.org/wiki/Digital_signature

A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. It's the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent security. A digital signature is intended to solve the problem of tampering and impersonation in digital communications.

Digital signatures can provide evidence of origin, identity, and status of electronic documents, transactions, or digital messages. Signers can also use them to acknowledge informed consent.

Digital signatures are based on public-key cryptography, also known as asymmetric cryptography. Two keys are generated using a public key algorithm, such as RSA (Rivest-Shamir-Adleman), creating a mathematically linked pair of keys, one private and one public.

Digital signatures work through public-key cryptography's two mutually authenticating cryptographic keys. The individual who creates the digital signature uses a private key to encrypt signature-related data, while the only way to decrypt that data is with the signer's public key.

https://www.eccouncil.org/what-is-social-engineering/

This Social Engineering scam involves an exchange of information that can benefit both the victim and the trickster. Scammers would make the prey believe that a fair exchange will be present between both sides, but in reality, only the fraudster stands to benefit, leaving the victim hanging on to nothing. An example of a Quid Pro Quo is a scammer pretending to be an IT support technician. The con artist asks for the login credentials of the company’s computer saying that the company is going to receive technical support in return. Once the victim has provided the credentials, the scammer now has control over the company’s computer and may possibly load malware or steal personal information that can be a motive to commit identity theft.

"A quid pro quo attack (aka something for something” attack) is a variant of baiting. Instead of baiting a target with the promise of a good, a quid pro quo attack promises a service or a benefit based on the execution of a specific action." https://resources.infosecinstitute.com/topic/common-social-engineering-attacks/#:~:text=A%20quid%20pro%20quo%20attack,execution%20of%20a%20specific%20action.

TCP Maimon scan

This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is

FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

https://nmap.org/book/scan-methods-maimon-scan.html

How Nmap interprets responses to a Maimon scan probe

Probe Response Assigned State

No response received (even after retransmissions) open|filtered

TCP RST packet closed

ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) filtered