Free ECCouncil 312-50v13 Practice Exam with Questions & Answers

The most effective evasion technique to bypass the IDS signature detection while performing a SQL Injection attack is to leverage string concatenation to break identifiable keywords. This technique involves splitting SQL keywords or operators into smaller parts and joining them with string concatenation operators, such as ‘+’ or ‘||’. This way, the SQL query can still be executed by the database engine, but the IDS cannot recognize the keywords or operators as malicious, as they are hidden within strings. For example, the hacker could replace the keyword ‘OR’ with ‘O’||‘R’ or ‘O’+‘R’ in the SQL query, and the IDS would not be able to match the signature of a typical SQL injection pattern12.

The other options are not as effective as option D for the following reasons:

A. Implement case variation by altering the case of SQL statements: This option is not effective because most SQL engines and IDS systems are case-insensitive, meaning that they treat SQL keywords and operators the same regardless of their case. Therefore, altering the case of SQL statements would not help evade the IDS signature detection, as the IDS would still be able to match the signature of a typical SQL injection pattern3.

B. Employ IP fragmentation to obscure the attack payload: This option is not applicable because IP fragmentation is a network-level technique that splits IP packets into smaller fragments to fit the maximum transmission unit (MTU) of the network. IP fragmentation does not affect the content or structure of the SQL query, and it does not help evade the IDS signature detection, as the IDS would still be able to reassemble the fragments and match the signature of a typical SQL injection pattern4.

C. Use Hex encoding to represent the SQL query string: This option is not feasible because Hex encoding is a method of representing binary data in hexadecimal format, such as ‘0x41’ for ‘A’. Hex encoding does not work for SQL queries, as the SQL engine would not be able to interpret the hexadecimal values as valid SQL syntax. Moreover, Hex encoding would not help evade the IDS signature detection, as the IDS would still be able to decode the hexadecimal values and match the signature of a typical SQL injection pattern.

ARIN (American Registry for Internet Numbers) is a Regional Internet Registry (RIR) that provides information about IP address allocations and autonomous systems in North America. It’s used for WHOIS lookups and footprinting in reconnaissance.

CEH v13 explains that Windows systems running older or default configurations often allow anonymous or null session connections to IPC$ shares, enabling attackers to enumerate users, groups, shares, and other system details without authentication. Null session enumeration is highlighted as a classic yet effective technique because it generates minimal detectable activity and does not require credentials, making it ideal for stealth operations. CEH stresses that SMB null sessions are frequently overlooked in legacy or poorly hardened environments, especially when default permissions remain unchanged. Packet sniffing (Option A) may provide some data but requires traffic visibility and may be detected through monitoring tools. DNS zone transfers (Option B) require misconfigurations and usually do not reveal user list details. SNMP queries (Option D) require community strings and often generate alerts. Therefore, exploiting null sessions is the most covert and effective method for enumerating Windows systems under default configurations.

DNS tunneling may be a method wont to send data over the DNS protocol, a protocol which has never been intended for data transfer. due to that, people tend to overlook it and it’s become a well-liked but effective tool in many attacks.

Most popular use case for DNS tunneling is obtaining free internet through bypassing captive portals at airports, hotels, or if you are feeling patient the not-so-cheap on the wing Wi-Fi.

On those shared internet hotspots HTTP traffic is blocked until a username/password is provided, however DNS traffic is usually still allowed within the background: we will encode our HTTP traffic over DNS and voilà, we’ve internet access.

This sounds fun but reality is, browsing anything on DNS tunneling is slow. Like, back to 1998 slow.

Another more dangerous use of DNS tunneling would be bypassing network security devices (Firewalls, DLP appliances…) to line up an immediate and unmonitored communications channel on an organisation’s network. Possibilities here are endless: Data exfiltration, fixing another penetration testing tool… you name it.

To make it even more worrying, there’s an outsized amount of easy to use DNS tunneling tools out there.

There’s even a minimum of one VPN over DNS protocol provider (warning: the planning of the web site is hideous, making me doubt on the legitimacy of it).

As a pentester all this is often great, as a network admin not such a lot .

How does it work:

For those that ignoramus about DNS protocol but still made it here, i feel you deserve a really brief explanation on what DNS does: DNS is sort of a phonebook for the web , it translates URLs (human-friendly language, the person’s name), into an IP address (machine-friendly language, the phone number). That helps us remember many websites, same as we will remember many people’s names.

For those that know what DNS is i might suggest looking here for a fast refresh on DNS protocol, but briefly what you would like to understand is:

• A Record: Maps a website name to an IP address.

example.com ? 12.34.52.67

• NS Record (a.k.a. Nameserver record): Maps a website name to an inventory of DNS servers, just in case our website is hosted in multiple servers.

example.com ? server1.example.com, server2.example.com

Who is involved in DNS tunneling?

• Client. Will launch DNS requests with data in them to a website .

• One Domain that we will configure. So DNS servers will redirect its requests to an outlined server of our own.

• Server. this is often the defined nameserver which can ultimately receive the DNS requests.

The 6 Steps in DNS tunneling (simplified):

1. The client encodes data during a DNS request. The way it does this is often by prepending a bit of knowledge within the domain of the request. for instance : mypieceofdata.server1.example.com

2. The DNS request goes bent a DNS server.

3. The DNS server finds out the A register of your domain with the IP address of your server.

4. The request for mypieceofdata.server1.example.com is forwarded to the server.

5. The server processes regardless of the mypieceofdata was alleged to do. Let’s assume it had been an HTTP request.

6. The server replies back over DNS and woop woop, we’ve got signal.

Bypassing Firewalls through the DNS Tunneling Method DNS operates using UDP, and it has a 255-byte limit on outbound queries. Moreover, it allows only alphanumeric characters and hyphens. Such small size constraints on external queries allow DNS to be used as an ideal choice to perform data exfiltration by various malicious entities. Since corrupt or malicious data can be secretly embedded into the DNS protocol packets, even DNSSEC cannot detect the abnormality in DNS tunneling. It is effectively used by malware to bypass the firewall to maintain communication between the victim machine and the C&C server. Tools such as NSTX (https://sourceforge.net), Heyoka (http://heyoka.sourceforge.netuse), and Iodine (https://code.kryo.se) use this technique of tunneling traffic across DNS port 53. CEH v11 Module 12 Page 994

MAC flooding is a Layer 2 attack in which an attacker sends a large number of fake MAC addresses to a switch, filling up its CAM (Content Addressable Memory) table. Once the table is full:

The switch enters “fail-open” mode and broadcasts traffic to all ports

The attacker can then sniff sensitive traffic

This attack effectively turns a switch into a hub, facilitating data sniffing.

Incorrect Options:

A. Evil twin is a wireless attack using rogue access points.

B. DNS cache flooding corrupts DNS entries, unrelated to Ethernet.

D. DDoS attacks are about overwhelming systems/services, not Layer 2 memory overflows.

Reference – CEH v13 Official Courseware:

Module 11: Sniffing

Section: “Switch Port Stealing and MAC Flooding”

Subsection: “Layer 2 Attacks and CAM Table Poisoning”

===========

The scenario describes a cryptographic attack where the attacker (in this case, the student) uses a predefined list of commonly used passwords to try and unlock a secured PDF document. This technique is known as a Dictionary Attack.

According to the CEH v13 Official Courseware:

A Dictionary Attack is defined as “a method of breaking passwords by trying out a predefined list of words (dictionary) commonly used as passwords.”

Unlike a brute-force attack, which tries every possible character combination, a dictionary attack relies on known or likely password choices, which makes it faster but less exhaustive.

Dictionary attacks are commonly used against encrypted or password-protected files, login forms, and even hashes.

Relevant distinctions from other options:

A. Man-in-the-middle attack involves intercepting communication between two parties and is unrelated to offline password cracking.

B. Brute-force attack tries all possible character combinations, not just a list of known or common passwords.

D. Session hijacking involves taking over a user session and is unrelated to document password cracking.

Reference – CEH v13 Official Study Materials:

Module 20: Cryptography

Section: "Cryptanalysis Techniques"

Subsection: "Dictionary Attack vs. Brute-force Attack"

CEH v13 eBook or Study Guide — look for Table: “Types of Password Attacks” under “Cryptography Attack Vectors”

This exact technique is illustrated in CEH v13 labs involving John the Ripper, Hydra, and password recovery tools.

The ethical hacker conducted Test 1, which is a TCP/IP stack fingerprinting technique that uses the SYN and ECN-Echo flags to determine the OS of the target system. The SYN flag is used to initiate a TCP connection, and the ECN-Echo flag is used to indicate that the sender supports Explicit Congestion Notification (ECN), which is a mechanism to reduce network congestion. Different OSes have different implementations and responses to these flags, which can reveal their identity. For example, Windows XP and 2000 will reply with SYN and ECN-Echo flags set, while Linux will reply with only SYN flag set. By sending a TCP packet with these flags enabled to an open TCP port and observing the reply, the ethical hacker can probe the nature of the response and subsequently determine the OS fingerprint.

The ethical hacker adopted this specific approach because it is an advanced and stealthy technique that can evade some firewalls and intrusion detection systems (IDS) that may block or alert other types of packets, such as NULL, FIN, or Xmas packets. Moreover, this technique can provide more accurate and reliable results than other techniques, such as banner grabbing or passive analysis, that may depend on the availability or validity of the information provided by the target system.

The other options are not correct, as they describe different tests and reasons. Test 3 is a TCP/IP stack fingerprinting technique that uses the URG, PSH, SYN, and FIN flags to determine the OS of the target system. Test 2 is a TCP/IP stack fingerprinting technique that uses a NULL packet, which is a TCP packet with no flags enabled, to determine the OS of the target system. Test 6 is a TCP/IP stack fingerprinting technique that uses the ACK flag, which is used to acknowledge the receipt of a TCP segment, to determine the OS of the target system. References:

OS and Application Fingerprinting | SANS Institute

Operating System Fingerprinting | SpringerLink

OS and Application Fingerprinting - community.akamai.com

What is OS Fingerprinting and Techniques - Zerosuniverse

In CEH v13 Module 03: Scanning Networks, the behavior of firewalls in response to ACK scans is described in detail, especially regarding stateful vs. stateless firewalls.

An ACK scan (nmap -sA) is primarily used for firewall rule analysis. Here’s how it works:

When you send a TCP ACK segment:

If the port is closed and no firewall is present, the target should respond with a TCP RST packet.

If a stateless (non-stateful) firewall is used, it typically allows or blocks packets based only on rules about IP addresses, ports, and protocol type, without tracking session state.

If a stateful firewall is used, it keeps track of connection states. Therefore:

An unsolicited ACK packet (not part of any established session) will be silently dropped, because it doesn’t correspond to any active connection.

No RST is sent back because the firewall suppresses it, recognizing it as potentially malicious or out of context.

Therefore:

No RST response = packet was silently dropped.

Silent dropping of unsolicited ACK packets = Stateful Firewall Behavior.

Option Analysis:

A. There is no firewall in place

❌ Incorrect. If there were no firewall, an RST would be sent from the closed port.

B. This event does not tell you anything about the firewall

❌ Incorrect. The lack of a response is actually meaningful and implies stateful filtering behavior.

C. It is a stateful firewall

Correct. A stateful firewall inspects the packet, sees no valid session, and drops it silently.

D. It is a non-stateful firewall

❌ Incorrect. A non-stateful firewall would typically not inspect session state, and you'd still expect to see a response (likely an RST).

Reference from CEH v13 Study Guide and Courseware:

Module 03 – Scanning Networks, Section: Nmap Scanning Techniques → TCP ACK Scan

CEH Engage Labs – Network Scanning Phase: Firewall Rule Detection using ACK Scans

The sequence of actions that would provide the most comprehensive information about the network’s status is to use Hping3 for an ICMP ping scan on the entire subnet, then use Nmap for a SYN scan on identified active hosts, and finally use Metasploit to exploit identified vulnerabilities. This sequence of actions works as follows:

Use Hping3 for an ICMP ping scan on the entire subnet: This action is used to discover the active hosts on the network by sending ICMP echo request packets to each possible IP address on the subnet and waiting for ICMP echo reply packets from the hosts. Hping3 is a command-line tool that can craft and send custom packets, such as TCP, UDP, or ICMP, and analyze the responses. By using Hping3 for an ICMP ping scan, the hacker can quickly and efficiently identify the live hosts on the network, as well as their response times and packet loss rates12.

Use Nmap for a SYN scan on identified active hosts: This action is used to scan the open ports and services on the active hosts by sending TCP SYN packets to a range of ports and analyzing the TCP responses. Nmap is a popular and powerful tool that can perform various types of network scans, such as port scanning, service detection, OS detection, and vulnerability scanning. By using Nmap for a SYN scan, the hacker can determine the state of the ports on the active hosts, such as open, closed, filtered, or unfiltered, as well as the services and protocols running on them. A SYN scan is also known as a stealth scan, as it does not complete the TCP three-way handshake and thus avoids logging on the target system34.

Use Metasploit to exploit identified vulnerabilities: This action is used to exploit the vulnerabilities on the active hosts by using pre-built or custom modules that leverage the open ports and services. Metasploit is a framework that contains a collection of tools and modules for penetration testing and exploitation. By using Metasploit, the hacker can launch various attacks on the active hosts, such as remote code execution, privilege escalation, or backdoor installation, and gain access to the target system or data. Metasploit can also be used to perform post-exploitation tasks, such as gathering information, maintaining persistence, or pivoting to other systems .

The other options are not as comprehensive as option B for the following reasons:

A. Initiate with Nmap for a ping sweep, then use Metasploit to scan for open ports and services, and finally use Hping3 to perform remote OS fingerprinting: This option is not optimal because it does not use the tools in the most efficient and effective way. Nmap can perform a ping sweep, but it is slower and less flexible than Hping3, which can craft and send custom packets. Metasploit can scan for open ports and services, but it is more suitable for exploitation than scanning, and it relies on Nmap for port scanning anyway. Hping3 can perform remote OS fingerprinting, but it is less accurate and reliable than Nmap, which can use various techniques and probes to determine the OS type and version13 .

C. Start with Hping3 for a UDP scan on random ports, then use Nmap for a version detection scan, and finally use Metasploit to exploit detected vulnerabilities: This option is not effective because it does not use the best scanning methods and techniques. Hping3 can perform a UDP scan, but it is slower and less reliable than a TCP scan, as UDP is a connectionless protocol that does not always generate responses. Scanning random ports is also inefficient and incomplete, as it may miss important ports or services. Nmap can perform a version detection scan, but it is more useful to perform a port scan first, as it can narrow down the scope and speed up the scan. Metasploit can exploit detected vulnerabilities, but it is not clear how the hacker can identify the vulnerabilities without performing a vulnerability scan first13 .

D. Begin with NetScanTools Pro for a general network scan, then use Nmap for OS detection and version detection, and finally perform an SYN flooding with Hping3: This option is not comprehensive because it does not cover all the aspects and objectives of a network scan. NetScanTools Pro is a graphical tool that can perform various network tasks, such as ping, traceroute, DNS lookup, or port scan, but it is less powerful and versatile than Nmap or Hping3, which can perform more advanced and customized scans. Nmap can perform OS detection and version detection, but it is more useful to perform a port scan first, as it can provide more information and insights into the target system. Performing an SYN flooding with Hping3 is not a network scan, but a denial-of-service attack, which can disrupt the network and alert the target system, and it is not an ethical or legal action for a hired hacker13 .

https://linuxsecurityblog.com/2018/12/23/create-a-backdoor-with-cryptcat/

Cryptcat enables us to communicate between two systems and encrypts the communication between them with twofish, one of many excellent encryption algorithms from Bruce Schneier et al. Twofish’s encryption is on par with AES encryption, making it nearly bulletproof. In this way, the IDS can’t detect the malicious behavior taking place even when its traveling across normal HTTP ports like 80 and 443.

Active Online Attacks: Hash Injection/Pass-the-Hash (PtH) Attack A hash injection/PtH attack allows an attacker to inject a compromised hash into a local session and use the hash to validate network resources The attacker finds and extracts a logged-on domain admin account hash The attacker uses the extracted hash to log on to the domain controller

Rootkits can deeply infect and compromise a system’s kernel, making them very difficult to detect or remove fully. Even advanced antivirus solutions may miss them.

The most secure and recommended response is:

Completely wipe the compromised system.

Reinstall the OS from known good (clean) media.

Apply all patches and updates.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Rootkit Handling

Incorrect Options:

A: Copying files might transfer infected components.

B: Trap and trace is investigative, not remedial.

C: Deleting files may not fully remove the rootkit.

D: Backups might be infected if taken post-compromise.

The scenario describes a decentralized cryptographic trust model where each user maintains a ring or database of public keys, and communications are encrypted using the recipient’s public key. This aligns precisely with the Web of Trust (WOT) model.

According to the CEH v13 Official Courseware:

Web of Trust (WOT) is a decentralized trust model used primarily in PGP (Pretty Good Privacy) environments.

In WOT:

Each user maintains a local keyring of trusted public keys.

There is no central Certificate Authority (CA).

Trust is built based on mutual verification and endorsement of public keys among users.

It uses asymmetric cryptography: messages are encrypted using the receiver's public key and decrypted using the corresponding private key.

This model provides authentication (via digital signatures) and message integrity (via cryptographic hash functions).

Incorrect Options:

A. Zero Trust Network is a security architecture that enforces strict access control but is not a cryptographic trust model.

B. TLS (Transport Layer Security) is a protocol for securing data in transit, commonly used in HTTPS, and relies on the PKI trust model (not WOT).

C. SSL (Secure Socket Layer) is an outdated version of TLS, also based on centralized certificate authorities.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Public Key Infrastructure (PKI) and Trust Models”

Subsection: “Web of Trust (WOT) Model”

Study Guide Table: Comparison of Trust Models – PKI vs WOT vs Hybrid

Lab references in CEH Engage may also cover key signing and verifying concepts in decentralized environments.

White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of software testing that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing, an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the expected outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a system-level test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements. Where white-box testing is design-driven,[1] that is, driven exclusively by agreed specifications of how each component of the software is required to behave (as in DO-178C and ISO 26262 processes) then white-box test techniques can accomplish assessment for unimplemented or missing requirements.

White-box test design techniques include the following code coverage criteria:

· Control flow testing

· Data flow testing

· Branch testing

· Statement coverage

· Decision coverage

· Modified condition/decision coverage

· Prime path testing

· Path testing

Comprehensive and Detailed Explanation:

In a MAC flooding attack, tools like macof (shown in the image) rapidly generate a large number of Ethernet frames with spoofed source MAC addresses. These are sent to the switch to overflow its CAM (Content Addressable Memory) table.

Once the CAM table is full:

The switch can no longer learn new MAC-to-port associations.

It fails open and starts broadcasting all incoming traffic to all ports.

This causes the switch to act like a hub.

Consequently, the attacker can:

Sniff traffic that would otherwise be switched.

Intercept data not destined for their system.

From CEH v13 Courseware:

Module 8: Sniffing → Switch-Based Attacks → MAC Flooding

Incorrect Options:

B: A switch typically does not crash but reverts to hub behavior.

C: There is no factory default override behavior like this.

D: Packets are not dropped—this would defeat the attack’s purpose.