Free ECCouncil 312-50v13 Practice Exam with Questions & Answers | Set: 11

Cloud-based antivirus relies on data collected from endpoint devices and sends that data to cloud servers for real-time malware analysis. This allows rapid updates and detection of new threats without waiting for local signature updates.

???? Reference – CEH v13 Official Study Guide, Module 20: Cryptography and Malware

“Cloud-based detection systems analyze suspicious files and behaviors in the provider’s environment, enabling faster response and reduced endpoint resource usage.”

❌ Incorrect options:

A. Behavioral-based detection monitors live activity locally.

B. Heuristic-based detection uses rules or behavior patterns locally.

C. Honeypots are decoys for detecting attackers, not antivirus methods.

https://en.wikipedia.org/wiki/Kismet_(software)

Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.

We have various articles already in our documentation for setting up SNMPv2 trap handling in Opsview, but SNMPv3 traps are a whole new ballgame. They can be quite confusing and complicated to set up the first time you go through the process, but when you understand what is going on, everything should make more sense.

SNMP has gone through several revisions to improve performance and security (version 1, 2c and 3). By default, it is a UDP port based protocol where communication is based on a ‘fire and forget’ methodology in which network packets are sent to another device, but there is no check for receipt of that packet (versus TCP port when a network packet must be acknowledged by the other end of the communication link). 

There are two modes of operation with SNMP – get requests (or polling) where one device requests information from an SNMP enabled device on a regular basis (normally using UDP port 161), and traps where the SNMP enabled device sends a message to another device when an event occurs (normally using UDP port 162). The latter includes instances such as someone logging on, the device powering up or down, or a wide variety of other problems that would need this type of investigation.

This blog covers SNMPv3 traps, as polling and version 2c traps are covered elsewhere in our documentation.

SNMP traps

Since SNMP is primarily a UDP port based system, traps may be ‘lost’ when sending between devices; the sending device does not wait to see if the receiver got the trap. This means if the configuration on the sending device is wrong (using the wrong receiver IP address or port) or the receiver isn’t listening for traps or rejecting them out of hand due to misconfiguration, the sender will never know.

The SNMP v2c specification introduced the idea of splitting traps into two types; the original ‘hope it gets there’ trap and the newer ‘INFORM’ traps. Upon receipt of an INFORM, the receiver must send an acknowledgement back. If the sender doesn’t get the acknowledgement back, then it knows there is an existing problem and can log it for sysadmins to find when they interrogate the device.

A dictionary Attack as an attack vector utilized by the attacker to break in a very system, that is password protected, by golf shot technically each word in a very dictionary as a variety of password for that system. This attack vector could be a variety of Brute Force Attack.

The lexicon will contain words from an English dictionary and conjointly some leaked list of commonly used passwords and once combined with common character substitution with numbers, will generally be terribly effective and quick.

How is it done?

Basically, it’s attempting each single word that’s already ready. it’s done victimization machine-controlled tools that strive all the possible words within the dictionary.

Some password Cracking Software:

• John the ripper

• L0phtCrack

• Aircrack-ng

Server-side request forgery (also called SSRF) is a net security vulnerability that allows an assaulter to induce the server-side application to make http requests to associate arbitrary domain of the attacker’s choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services among the organization’s infrastructure, or to external third-party systems.

Another type of trust relationship that often arises with server-side request forgery is where the application server is able to interact with different back-end systems that aren’t directly reachable by users. These systems typically have non-routable private informatics addresses. Since the back-end systems normally ordinarily protected by the topology, they typically have a weaker security posture. In several cases, internal back-end systems contain sensitive functionality that may be accessed while not authentication by anyone who is able to act with the systems.

In the preceding example, suppose there’s an body interface at the back-end url https://192.168.0.68/admin. Here, an attacker will exploit the SSRF vulnerability to access the executive interface by submitting the following request:

POST /product/stock HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Length: 118

stockApi=http://192.168.0.68/admin

In CEH v13 Module 11: Hacking Wireless Networks, WPS (Wi-Fi Protected Setup) is discussed as a vulnerable configuration that can be exploited using tools like Reaver and wash.

wash is a command-line utility used to detect WPS-enabled Access Points.

It provides information about:

Whether WPS is enabled or locked.

Signal strength, BSSID, channel, etc.

Very useful before attempting WPS PIN attacks.

Option Clarifications:

B. ntptrace: Used for querying NTP servers, not wireless networks.

C. macof: Part of dsniff suite; floods network with MAC addresses (DoS tool).

D. net view: Windows command for listing network shares, not for wireless or WPS.

Correct answer is A. wash.

Firewalls primarily operate at Layer 3 (Network) and Layer 4 (Transport) of the OSI model. They inspect:

IP headers (Layer 3)

TCP/UDP port numbers (Layer 4)

Application-specific data in Layer 7-aware firewalls (for application filtering)

By examining transport layer port numbers and application layer headers, firewalls can block or allow traffic based on services like HTTP (port 80), FTP (port 21), and others.

Reference – CEH v13 Official Study Guide:

Module 13: Evading IDS, Firewalls, and Honeypots

Quote:

“Firewalls filter traffic based on IP addresses, transport-layer port numbers, and application protocol headers to control access to services and applications.”

Incorrect Options:

B & C. Presentation and session layers are not relevant to firewall rule inspection.

D. Application layer doesn’t have port numbers; they are part of the transport layer.

===========

This question is about web link enumeration using Linux CLI tools — a common initial step during information gathering in penetration testing, covered in CEH v13 Module 02: Footprinting and Reconnaissance.

Objective:

Extract all hyperlinks (i.e., ) from the homepage of a target site to collect subpages, links, or external URLs.

Let’s analyze each component of Option B:

=

=

curl -s <a href="https://site.com">https://site.com | grep '

curl -s <a href="https://site.com:">https://site.com: Silently fetches the HTML source of the main page.

grep '

grep "site.com": Further filters those that point to site.com.

cut -d "v" -f 2: Cuts the line based on the delimiter v to isolate part of the URL — though not perfect, it attempts to extract the visible link.

While not perfectly formed (due to slightly inconsistent quote usage), Option B demonstrates the correct logic chain for web link enumeration using pipes in Linux: fetching, filtering, and extracting.

Why Other Options Are Incorrect:

A. dirb <a href="https://site.com">https://site.com | grep "site"

❌ dirb is used for brute-forcing directories, not grabbing links from HTML.

C. wget https://site.com | grep "

❌ Incorrect. wget will download the entire content (including binary files by default), and piping it directly to grep without -O - or -q -O - makes it ineffective.

D. wget <a href="https://site.com">https://site.com | cut -d "http"

❌ Incorrect. Syntax error (cut -d"http" is invalid without correct delimiter formatting), and again wget needs to be directed to stdout using -O -.

Corrected Optimal Syntax for Real-World Use:

bash

CopyEdit

curl -s https://site.com | grep -oP 'href="\Khttp[^"]+' | grep "site.com"

This uses -oP with Perl-compatible regex to extract only URLs and is a method recommended in CEH iLabs and demonstrations.

Reference from CEH v13 Study Materials:

Module 02 – Footprinting and Reconnaissance, Section: Website Footprinting and Web Crawling

CEH iLabs – Website Information Gathering Lab

CEH Engage Range: Passive and Active Footprinting Phase – Linux Scripting Tasks

In CEH v13 Module 10: Vulnerability Assessment, the Vulnerability Management Lifecycle is defined with the following structured steps:

Identify assets & baseline (Step 2)

Vulnerability scanning (Step 5)

Risk assessment/prioritization (Step 6)

Remediation (Step 1)

Verification (Step 3)

Continuous monitoring (Step 4)

So the correct lifecycle flow is:

2 → 5 → 6 → 1 → 3 → 4

This ensures vulnerabilities are identified, assessed, remediated, validated, and monitored on an ongoing basis.

An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.

In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and the testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection.[3] Other techniques used to detect anomalies include data mining methods, grammar-based methods, and the Artificial Immune System.

Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection systems are one of the last layers of defense and reside on computer endpoints. They allow for fine-tuned, granular protection of endpoints at the application level.

Anomaly-based Intrusion Detection at both the network and host levels have a few shortcomings; namely a high false-positive rate and the ability to be fooled by a correctly delivered attack. Attempts have been made to address these issues through techniques used by PAYL and MCPAD.

In CEH v13 Module 06: Malware Threats, a worm is described as a self-replicating piece of malware that spreads independently from one system to another without needing to attach itself to any file or program (unlike viruses).

Key Characteristics of Worms:

Capable of network propagation without human interaction.

Often used in mass attacks (e.g., WannaCry, Conficker).

Can cause significant damage by:

Consuming bandwidth.

Spreading payloads (e.g., ransomware).

Modifying or deleting files.

Option Clarification:

A. Rootkit: Hides presence of malware or attacker activities.

B. Trojan: Disguised as legitimate software; does not replicate.

C. Worm: Correct – self-replicating and spreads automatically.

D. Adware: Primarily shows ads; not typically destructive or self-replicating.

https://en.wikipedia.org/wiki/Metasploit_Project

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7.

Its best-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

The Metasploit Project includes anti-forensic and evasion tools, some of which are built into the Metasploit Framework. Metasploit is pre-installed in the Kali Linux operating system.

The basic steps for exploiting a system using the Framework include.

1. Optionally checking whether the intended target system is vulnerable to an exploit.

2. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 900 different exploits for Windows, Unix/Linux and macOS systems are included).

3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry; for instance, a remote shell or a VNC server). Metasploit often recommends a payload that should work.

4. Choosing the encoding technique so that hexadecimal opcodes known as "bad characters" are removed from the payload, these characters will cause the exploit to fail.

5. Executing the exploit.

This modular approach – allowing the combination of any exploit with any payload – is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers and payload writers.

In CEH v13 Module 12: Hacking Web Applications, the N-tier architecture is explained as a model used in web applications, typically with:

Presentation tier – User interface (UI) that interacts with the user.

Logic tier (also known as application or business logic layer) – Processes commands, makes logical decisions, and handles data movement and processing between the UI and the database.

Data tier – Manages database access and data storage.

So, the Logic tier is responsible for:

Handling the business rules.

Processing user inputs.

Accessing and manipulating data from the database.

In LM hashing (used in legacy Windows systems), passwords are split into two 7-character chunks. If a password is fewer than 8 characters, the second half is padded with nulls and hashed to a constant value.

That constant is:

AAD3B435B51404EE

Thus, the second half of the LM hash (the rightmost 16 characters) is always the same if the password is < 8 characters.

From CEH v13 Courseware:

Module 6: Malware Threats → LM Hash Characteristics

CEH v13 Study Guide states:

“If the password is less than 8 characters, the second half of the LM hash will always be ‘AAD3B435B51404EE’, indicating the hash belongs to a short password.”

bettercap is a tool that can perform session hijacking attacks on wireless networks, among other network security and penetration testing tasks. bettercap can capture and manipulate network traffic, perform man-in-the-middle attacks, spoof and sniff protocols, inject custom payloads, and more1.

bettercap can perform session hijacking attacks on wireless networks that use the WPA-PSK security protocol by exploiting the four-way handshake process that occurs when a client connects to a wireless access point. The four-way handshake is used to establish a shared encryption key between the client and the access point, based on the pre-shared key (PSK) that is configured on both devices. However, the four-way handshake also exposes some information that can be used to crack the PSK offline, such as the nonce values, the MAC addresses, and the message integrity code (MIC) of the packets2.

bettercap can capture the four-way handshake packets using its Wi-Fi module and save them in a file. The file can then be fed to a tool like Hashcat or Aircrack-ng to crack the PSK using brute force or dictionary attacks. Once the PSK is obtained, bettercap can use it to decrypt the wireless traffic and perform session hijacking attacks on the clients connected to the access point3.

Therefore, bettercap is an appropriate tool to carry out a session hijacking attack on a wireless network that uses the WPA-PSK security protocol.