Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

RST hijacking is a TCP session hijacking technique emphasized in CEH materials under network attacks against established communications. In TCP, a Reset flag packet is used to abruptly tear down a connection. If an attacker can observe the session and determine the correct parameters such as IP addresses, ports, and an in-window sequence number, they can forge a TCP RST packet that appears to come from one endpoint. This can force the victim side to drop the session, making the legitimate client suddenly lose responsiveness.

The key clue in the scenario is that Rachel “observes a client-server communication” and then injects crafted packets that disrupt the client while the server continues to communicate with Rachel’s system. That behavior matches the practical use of RST hijacking in demonstrations: terminate or desynchronize the victim endpoint while keeping the server-side session usable long enough for the attacker to inject traffic with valid sequence and acknowledgment values. In a switched LAN, this is often paired with sniffing or traffic visibility to reliably craft the reset packet and subsequent injected packets.

Blind hijacking is different because the attacker cannot see the traffic and must guess sequence numbers, which contradicts the “observes communication” detail. UDP hijacking is not applicable because UDP is connectionless and does not use session state or RST flags. “TCP/IP hijacking” is a broad category, but the question asks for the specific technique used to disrupt the client via crafted packets, which is best identified as RST hijacking.

The CEH IDS/IPS Evasion module describes packet fragmentation as a common evasion technique used to bypass signature-based detection.

Option B is correct.

Other options represent different attack categories.

CEH highlights reassembly normalization as a countermeasure.

MAC flooding is a Layer 2 attack described in CEH v13 Network and Perimeter Hacking, where attackers overwhelm a switch’s CAM table with fake MAC addresses. Once the table is full, the switch behaves like a hub, forwarding traffic to all ports.

The most definitive indicator of MAC flooding is numerous MAC addresses learned on a single switch port, which is abnormal behavior in a properly segmented network. CEH v13 identifies this condition as a key forensic indicator of CAM table exhaustion.

ARP anomalies may occur, but they are more commonly associated with ARP spoofing attacks. IP-to-MAC inconsistencies indicate MITM attacks, not MAC flooding.

Thus, option C is the clearest confirmation.

The CEH Cloud Computing module identifies cloud APIs as one of the most critical attack surfaces in public cloud environments. APIs control provisioning, configuration, authentication, and management of cloud resources.

A vulnerability in a cloud API can allow attackers to:

Bypass authentication

Escalate privileges

Access or modify cloud resources

Create or delete services

Option B is therefore correct.

Option A relates to availability, not API flaws.

Option C is managed by the provider and unrelated to APIs.

Option D would require key compromise, not just API weakness.

CEH strongly emphasizes API security as a top cloud risk.

In CEH v13 Information Security and Ethical Hacking Overview, script kiddies are defined as individuals with limited technical knowledge who rely on pre-written tools, scripts, and exploits created by others to carry out attacks. They typically lack a deep understanding of how the underlying exploits work.

CEH v13 categorizes attackers based on skill level and intent. Script kiddies sit at the lower end of the skill spectrum. They often download exploit kits, automated scanners, or attack frameworks and run them with minimal customization. While their attacks may be unsophisticated, they can still cause damage due to the availability of powerful tools.

Option B accurately reflects this definition. Options A and D describe skilled attackers or programmers, which contradicts the CEH classification. Option C is incorrect because ethical hackers use tools responsibly with authorization and possess a strong understanding of security principles.

CEH v13 emphasizes that although script kiddies are less skilled, they pose a risk because automation allows them to exploit known vulnerabilities at scale. This is why organizations must patch systems promptly and implement baseline security controls.

Thus, Option B is the correct answer.

CEH materials describe RDDoS (Ransom DDoS) attacks as threat-driven extortion campaigns where attackers demand payment and demonstrate capability by launching a short-lived DDoS burst. The purpose is to intimidate the victim into paying before a larger, sustained attack begins. The attack described uses HTTP floods with incomplete POST requests—an application-layer DDoS technique that consumes server resources by forcing the target to hold open connections. This kind of demonstration followed by an extortion email aligns precisely with RDDoS behavior. DRDoS attacks involve reflection/amplification through third-party servers, which is not occurring here. Pulse wave attacks use timed bursts and do not involve extortion, while recursive GET floods do not match the incomplete POST behavior. Therefore, the correct classification is RDDoS.

Thomas is most likely using Follow TCP Stream. This Wireshark feature reconstructs the bidirectional application data carried over a TCP connection by reassembling packets in sequence into a readable conversation view. When traffic is unencrypted HTTP, the reassembled stream can reveal full request/response content, including URLs, headers, form parameters, and—critically in this scenario—usernames and passwords transmitted in clear text (for example, within POST body parameters).

The scenario’s language is a direct match: “reconstruct entire conversations between browsers and the server” and “reassembles packet data into a readable stream.” That is exactly what Follow TCP Stream does: it groups packets that belong to the same TCP session and displays the payload as contiguous data, making it far easier than manually inspecting individual packets. This is commonly used during assessments and investigations to understand what data was exchanged, validate whether sensitive data is exposed, and confirm whether protections like TLS are properly applied.

Why the other options are not correct:

Filtering by IP Address (A) helps narrow the packet list to specific hosts but does not reconstruct conversations.

Display Filtering by Protocol (B) can isolate HTTP packets but still leaves the analyst to interpret individual packets without full reassembly.

Monitoring the Specific Ports (C) similarly narrows traffic (e.g., TCP/80 for HTTP) but does not present a reassembled readable session.

Because the goal is quick, readable reconstruction of HTTP login sessions over TCP, the correct answer is D. Follow TCP Stream.

The most likely tool/command is dig @server axfr, which attempts a DNS zone transfer (AXFR) from a specified DNS server. In CEH-aligned reconnaissance and enumeration methodology, DNS is a high-value target because it reveals how an organization’s names map to systems. A successful zone transfer can expose an entire DNS zone database, often including hostnames (subdomains), mail exchanger (MX) records, canonical name (CNAME) aliases, and sometimes internal-facing entries if the zone is misconfigured. The scenario’s outcome—receiving “a full list of subdomains, MX records, and aliases”—matches exactly what an AXFR zone transfer can disclose when a DNS server is improperly configured to allow transfers to unauthorized hosts.

The clue about a “secondary server” is also significant. In DNS architecture, organizations frequently deploy primary (master) and secondary (slave) DNS servers. Secondary servers legitimately request zone transfers from the master to stay synchronized. If the secondary server is misconfigured (for example, allowing AXFR to any requester or to a broader range than intended), an attacker can exploit this and retrieve the zone file. This results in detailed visibility into the organization’s naming scheme and infrastructure layout—information that can be used to identify high-value targets (mail servers, VPN portals, admin hosts), locate staging points, and plan follow-on attacks such as credential harvesting, targeted exploitation, or social engineering.

Why the other options do not fit: smtp-user-enum.pl is used for enumerating valid users on SMTP servers, not DNS records. ldapsearch enumerates directory information from LDAP services, not DNS zones. nbtstat -A queries NetBIOS name tables for Windows hosts, which may reveal local names and shares but not DNS-wide subdomains and MX/CNAME records. Therefore, the enumeration described is most consistent with a DNS zone transfer using dig with AXFR.

CEH v13 identifies misconfigured cloud security groups as the leading cause of cloud data exposure. Open ports, public storage buckets, and overly permissive firewall rules frequently expose sensitive data.

Brute force and DoS do not directly expose stored data, and side-channel attacks are rare and advanced.

The CEH v13 content explains that stealth scanning involves modifying scan timing parameters to reduce packet frequency, randomize intervals, and avoid recognizable patterns typically flagged by intrusion detection systems. Slow, randomized timing—often achieved with Nmap’s T0 or T1 timing templates—prevents bursts of traffic and allows scans to blend into normal network noise. IDS/IPS systems tuned for high-volume events may fail to detect such gradual reconnaissance. Fast SYN scans generate distinctive patterns easily identified by security monitoring tools. UDP scans, especially across all ports, produce high traffic volume and are extremely noisy. Xmas scans, although sometimes used for stealth against stateless filters, are still signature-detectable and inappropriate when stealth over time is required. Therefore, applying slow, randomized timing options aligns with CEH-approved reconnaissance techniques for evading detection while enumerating open ports.

CEH courseware categorizes hackers based on intent, authorization, and affiliation. State-sponsored hackers are defined as individuals or teams who conduct cyber operations on behalf of a government to advance national interests. These operations often include espionage, cyber warfare, intelligence gathering, and covert offensive actions. Unlike organized hackers or cybercriminal groups, whose motivations may include financial gain or ideological activism, state-sponsored units follow strategic directives issued by government agencies. CEH materials explain that such groups operate with access to advanced tools, long-term funding, and classified intelligence, enabling them to execute highly sophisticated and covert operations targeting foreign governments, corporations, or critical infrastructure. Hacktivists pursue political or social causes, while gray-hat hackers operate without explicit permission but without malicious intent. Only state-sponsored hackers match the scenario where cyber experts are formally trained, resourced, and authorized by a national government to conduct operations that remain undetected. Therefore, the correct classification is state-sponsored hackers.

This activity most accurately describes a DHCP starvation attack. CEH network and sniffing coverage explains that DHCP starvation is a denial-of-service technique in which an attacker rapidly sends large numbers of DHCP requests, usually with spoofed MAC addresses, to consume all available IP addresses in the DHCP pool. Once the pool is exhausted, legitimate clients can no longer obtain valid leases, which produces exactly the symptoms described in the question: repeated address negotiation attempts, failure to receive configuration, and a burst of requests coming from a single interface. A rogue DHCP server is often paired with starvation later, but the key evidence here is the rapid exhaustion behavior rather than the distribution of malicious configurations. IRDP spoofing would manipulate gateway discovery, not primarily deplete DHCP leases, and MAC spoofing alone would not explain widespread address assignment failure across multiple hosts. CEH guidance presents DHCP starvation as both a network disruption issue and a stepping stone for further interception attacks, since denying legitimate DHCP service can set conditions for a rogue DHCP server to take over client configuration and redirect traffic.

The scenario points directly to information gathering from the robots.txt file. A robots.txt file is typically located at the root of a website (e.g., https://example.com/robots.txt) and is intended to instruct search engine crawlers which paths should or should not be indexed. During web reconnaissance, testers often review robots.txt because it can unintentionally disclose sensitive directories, administrative panels, staging paths, backup locations, or restricted areas that the organization hoped would remain obscure. The scenario explicitly says Sofia found “a crawler directive at the server’s root” that “allows unintended indexing of restricted areas,” and that this “reveals internal paths.” That is exactly the kind of leakage that can come from misconfigured or overly revealing crawler directives.

This is considered an early-stage reconnaissance / information gathering technique because it does not require exploitation. It leverages publicly accessible configuration hints to map the application’s hidden structure. Even when robots.txt is used correctly, the listed disallowed entries can still serve as a roadmap of interesting targets; if configured incorrectly (for example, allowing indexing or exposing sensitive paths), it can increase exposure by helping those paths surface in search results or be discovered faster by attackers.

Why the other options are less accurate:

Vulnerability Scanning (A) implies using scanners to identify known flaws; here, the tester is manually/strategically inspecting a crawler directive for exposed paths.

Web Server Footprinting/Banner Grabbing (C) focuses on identifying server type/version and technologies via headers or responses, not discovering hidden paths from crawler directives.

Directory Brute Forcing (D) uses wordlists to guess directories; Sofia’s discovery comes from a disclosed list of paths, not brute-force guessing.

Therefore, the technique is B. Information Gathering from robots.txt File.

This scenario aligns with a Replay Attack against RF-based smart key systems, covered in CEH v13 IoT and OT Hacking. Attackers capture radio-frequency signals transmitted by key fobs and replay them to unlock vehicles.

CEH v13 emphasizes that detecting and preventing such attacks requires monitoring wireless RF signals for anomalies such as signal replay, interference, or jamming patterns. RF analysis helps confirm unauthorized signal capture and retransmission.

Firmware updates may mitigate future vulnerabilities, but confirmation requires RF monitoring. Physical surveillance and smartphone malware controls are unrelated to RF replay attacks. Therefore, option D is correct.

An Application-Level Firewall, commonly called an application-level gateway or proxy firewall, inspects traffic at the application layer and enforces rules based on specific application protocols and commands. In CEH-aligned coverage of perimeter defenses, this firewall type is distinguished by its ability to understand protocol behavior and content for services such as DNS and SSH, rather than relying only on IP addresses, ports, and basic connection state.

The question states the filtering system “analyzes incoming SSH and DNS requests to block unauthorized access attempts.” That wording points directly to application-aware inspection: it is evaluating protocol-specific requests, not merely allowing or denying traffic based on port numbers. A packet filtering firewall generally makes decisions using network and transport layer information such as source and destination IP, protocol, and port, without parsing DNS queries or SSH negotiation details. A circuit-level gateway firewall focuses on validating session establishment and connection properties, typically without deep inspection of the application commands inside the session. A stateful multilayer inspection firewall can track connection state and sometimes incorporate deeper inspection, but the strongest and most explicit match to “analyzes SSH and DNS requests” in CEH terminology is the application-level firewall, which uses proxies or protocol engines to parse and filter application traffic.

From an ethical testing perspective, attempts to “craft specific payloads” often involve probing how the firewall validates protocol fields, handles malformed requests, or enforces policy on application commands. Defenders mitigate these risks through strict proxy policy configuration, robust protocol validation, patching, logging, and limiting exposed services to only what is required.