Free ECCouncil 312-50v13 Practice Exam with Questions & Answers | Set: 11

CEH teaches that ARP-based attacks vary in sophistication from basic poisoning to more specialized techniques such as switch port stealing. In environments where ARP poisoning defenses or inspection tools limit traditional attacks, attackers may exploit timing vulnerabilities in ARP reply behavior. Switch port stealing works by sending spoofed ARP replies at precisely the right moment—before the legitimate ARP response from the target host—causing the switch’s CAM table to update temporarily and associate the target’s IP address with the attacker’s MAC address. CEH emphasizes that switches trust the latest ARP update, so even brief timing windows enable partial packet interception. This is different from fully persistent ARP poisoning, which continuously overwrites ARP tables, and from passive sniffing, which cannot capture unicast traffic on a switched network. This attack is particularly useful when ARP spoofing is mitigated because it relies on opportunistic timing rather than full table poisoning. The intermittent nature of intercepted packets matches CEH’s description of switch port stealing behavior.

https://en.wikipedia.org/wiki/Residual_risk

The residual risk is the risk or danger of an action or an event, a method or a (technical) process that, although being abreast with science, still conceives these dangers, even if all theoretically possible safety measures would be applied (scientifically conceivable measures); in other words, the amount of risk left over after natural or inherent risks have been reduced by risk controls.

· Residual risk = (Inherent risk) – (impact of risk controls)

Vulnerability scanning software is a tool that can help security analysts identify and prioritize known vulnerabilities in their systems and applications. However, it is not a perfect solution and has some limitations that need to be considered. One of the most critical limitations is that vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed. This means that the software itself might have bugs, errors, or oversights that could affect its accuracy, reliability, or performance. For example, the software might:

Fail to detect some vulnerabilities due to incomplete or outdated databases, incorrect signatures, or insufficient coverage of the target system or application.

Produce false positives or false negatives due to misinterpretation of the scan results, incorrect configuration, or lack of context or validation.

Cause unintended consequences or damage to the target system or application due to intrusive or aggressive scanning techniques, such as exploiting vulnerabilities, modifying data, or crashing services.

Be vulnerable to attacks or compromise by malicious actors who could exploit its weaknesses, tamper with its functionality, or steal its data.

Therefore, the security analyst should be most cautious about this limitation of vulnerability scanning software, as it could lead to a false sense of security, missed opportunities for remediation, or increased exposure to threats. The security analyst should always verify the scan results, use multiple tools and methods, and update and patch the software regularly to mitigate this risk.

CEH v13 clarifies that nbtstat is used only for NetBIOS name table enumeration, not for listing shared resources. Tags such as <20> indicate file server services, but share enumeration requires tools like net view or SMB enumeration utilities.

Thus, the inability to list shares is due to tool limitation, not service configuration. Option C is correct.

Whois footprinting is a reconnaissance technique used by attackers and penetration testers to gather publicly available information about domain names. By performing a Whois lookup, one can retrieve:

Domain registrant details (name, email, phone, and address)

Domain registration and expiry dates

Name servers and registrar information

Administrative and technical contact data

According to CEH v13:

Whois databases are maintained by Internet registrars and can be queried through tools like whois lookup or websites such as https://whois.domaintools.com.

This information helps attackers build a profile of the organization, identify potential social engineering targets, and even understand domain structure for further attacks.

Incorrect Options:

A. VPN footprinting refers to identifying VPN gateways or configurations — not related to domain data.

B. Email footprinting involves gathering information from or about email systems.

C. VoIP footprinting targets IP-based telephony systems, such as SIP endpoints.

Reference – CEH v13 Official Courseware:

Module 02: Footprinting and Reconnaissance

Section: “WHOIS Footprinting”

Tools: Whois lookup tools, ICANN WHOIS, DomainTools

According to the CEH IDS/IPS module, false positives occur when legitimate activity is incorrectly flagged as malicious. The most common cause is overly sensitive IDS rules or thresholds.

Option D correctly identifies this issue.

Option A describes the symptom, not the root cause.

Option B is unrelated to IDS alert behavior.

Option C can cause missed detections, not excessive alerts.

CEH recommends proper tuning and baseline profiling.

The Snort rule in the image is detecting suspicious bind attempts over DCERPC (Distributed Computing Environment/Remote Procedure Call), specifically targeting ports 135 (RPC) and 445 (SMB) with crafted content. The rule references CVE CAN-2003-0352.

CVE-2003-0352 is associated with the DCOM RPC vulnerability in Microsoft Windows that was exploited by the MS Blaster (also known as Lovsan) worm in 2003.

Key Indicators from the Snort Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135

content includes DCERPC binding pattern (|05| and |0b| with specific binary patterns)

Reference to CVE-2003-0352

Class type: attempted-admin

The MS Blaster worm exploited this vulnerability by sending a specially crafted RPC request to port 135, allowing remote code execution.

From CEH v13 Courseware:

Module 6: Malware Threats

Module 11: Session Hijacking

Discussion of historic worms and their exploit signatures, including MS Blaster.

Incorrect Options:

A. WebDav: Typically uses HTTP/HTTPS and was exploited by Nimda.

B. SQL Slammer: Targeted UDP port 1434 (SQL Server), not TCP 135/445.

D. MyDoom: Spread via email and exploited Windows file-sharing mechanisms (port 3127), not DCERPC.

Firewalls primarily operate at Layer 3 (Network) and Layer 4 (Transport) of the OSI model. They inspect:

IP headers (Layer 3)

TCP/UDP port numbers (Layer 4)

Application-specific data in Layer 7-aware firewalls (for application filtering)

By examining transport layer port numbers and application layer headers, firewalls can block or allow traffic based on services like HTTP (port 80), FTP (port 21), and others.

Reference – CEH v13 Official Study Guide:

Module 13: Evading IDS, Firewalls, and Honeypots

Quote:

“Firewalls filter traffic based on IP addresses, transport-layer port numbers, and application protocol headers to control access to services and applications.”

Incorrect Options:

B & C. Presentation and session layers are not relevant to firewall rule inspection.

D. Application layer doesn’t have port numbers; they are part of the transport layer.

=

According to the CEH Sniffing and Network Protocol Attacks module, covert channels represent one of the most sophisticated and difficult-to-detect data interception techniques. These channels hide malicious communication within legitimate protocol behavior, making them extremely challenging for traditional IDS/IPS and packet inspection tools to identify.

Industrial and legacy protocols such as Modbus, widely used in OT and legacy enterprise environments, lack encryption and authentication by design. CEH documentation highlights that attackers can manipulate unused or poorly validated Modbus fields to covertly transmit or intercept data while appearing as normal control traffic.

Option D is correct because covert channels over trusted legacy protocols blend seamlessly with legitimate traffic and bypass many security controls.

Option A is not a sniffing technique but a data-hiding method.

Option B describes exploitation, not sniffing.

Option C is a theoretical evasion method but is more detectable through reassembly.

CEH emphasizes covert channels as one of the most formidable sniffing challenges.

A Multipartite Virus is designed to infect both the boot sector and executable files of a system. This makes it more complex and harder to remove than viruses that target only one area. It can spread in multiple ways and activate under different conditions depending on whether the infected file or boot sector is accessed first.

CEH v13 Official Curriculum states:

“Multipartite viruses infect both the boot sector and program files. They are difficult to remove and can reinfect the system unless both locations are cleaned simultaneously.”

Incorrect Options:

A. Polymorphic viruses change their code signatures but do not necessarily target both boot and executable areas.

B. Stealth viruses conceal their presence, often by intercepting system calls.

D. Macro viruses infect macro-enabled files, typically in Microsoft Office documents.

Reference – CEH v13 Guide:

Module 06: Malware Threats

Topic: Types of Malware – Multipartite Viruses

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 explains that TOCTOU (Time-of-Check Time-of-Use) vulnerabilities arise when a system checks a condition (such as file permissions) and then later uses the resource based on that assumption. If there is even a tiny gap between the validation and the actual use, attackers can exploit this race condition by replacing or modifying the resource after validation but before execution. This is common in file-handling operations involving temporary files, symbolic links, or shared directories. CEH emphasizes that TOCTOU attacks often lead to privilege escalation, unauthorized execution, or tampering with data because the system trusts the earlier validation step. The attacker swaps the file at precisely the right moment, taking advantage of a race window. The other options—certificate validation, integer overflow, and null pointer dereference—do not involve timing-based race conditions. The scenario exactly matches CEH’s description of TOCTOU exploitation, where attackers manipulate file access in the interval between validation and execution.

According to the CEH Denial-of-Service (DoS/DDoS) module, application-layer DDoS attacks specifically target services such as HTTP, HTTPS, DNS, or APIs by sending requests that appear legitimate but overwhelm server resources.

An HTTP flood attack sends a massive number of HTTP GET or POST requests, consuming CPU, memory, and application threads. CEH highlights that these attacks are particularly dangerous because they:

Mimic normal user behavior

Are difficult to distinguish from legitimate traffic

Bypass traditional network-layer defenses

Option A is correct.

Options B, C, and D operate primarily at the network or transport layers, not the application layer.

CEH stresses that HTTP floods are among the most challenging DDoS attacks to mitigate due to their stealthy nature.

CEH v13 emphasizes that IoT and smart city environments are highly sensitive and safety-critical. When an IoT device shows anomalous outbound traffic and unauthorized open ports, this strongly indicates device compromise.

The correct immediate response is to isolate the affected device to prevent lateral movement and protect public safety. CEH v13 further stresses the importance of firmware analysis, as IoT malware often resides at the firmware level to maintain persistence.

Attempting reverse connections (Option A) is risky and may violate operational safety. Firewall changes alone (Option C) do not address an already compromised device. A full penetration test (Option D) is appropriate later but not as an immediate containment step.

Therefore, Option B aligns with CEH v13 incident handling best practices for IoT and OT environments.

Tcpdump is a data-network packet analyzer computer program that runs under a command-line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

https://www.wireshark.org/

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

NOTE: Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.

The AndroidManifest.xml file contains information of your package, including components of the appliance like activities, services, broadcast receivers, content providers etc.

It performs another tasks also:

• it’s responsible to guard the appliance to access any protected parts by providing the permissions.

• It also declares the android api that the appliance goes to use.

• It lists the instrumentation classes. The instrumentation classes provides profiling and other informations. These informations are removed just before the appliance is published etc.

This is the specified xml file for all the android application and located inside the basis directory.

In a man-in-the-middle (MITM) attack, an attacker intercepts communication between two parties and can read, alter, or inject data without either party knowing. Susan's actions — intercepting and modifying her boss's session data before relaying it to the server — is the classic MITM pattern.

From CEH v13 Official Courseware:

Module 8: Sniffing

Module 11: Session Hijacking

CEH v13 Study Guide states:

“In a MITM attack, the attacker positions themselves between two communicating parties, relaying and possibly altering communications while maintaining the illusion that the parties are communicating directly.”

Incorrect Options:

A: Sniffing only involves passive listening.

B: Spoofing may involve impersonation but not necessarily interception and relay.

D: DoS is about service disruption, not data interception.

Developed by Robert “RSnake” Hansen, Slowloris is DDoS attack software that permits one computer to require down an internet server. Due the straightforward yet elegant nature of this attack, it requires minimal bandwidth to implement and affects the target server’s web server only, with almost no side effects on other services and ports.

Slowloris has proven highly-effective against many popular sorts of web server software, including Apache 1.x and 2.x.

Over the years, Slowloris has been credited with variety of high-profile server takedowns. Notably, it had been used extensively by Iranian ‘hackivists’ following the 2009 Iranian presidential election to attack Iranian government internet sites .

Slowloris works by opening multiple connections to the targeted web server and keeping them open as long as possible. It does this by continuously sending partial HTTP requests, none of which are ever completed. The attacked servers open more and connections open, expecting each of the attack requests to be completed.

Periodically, the Slowloris sends subsequent HTTP headers for every request, but never actually completes the request. Ultimately, the targeted server’s maximum concurrent connection pool is filled, and extra (legitimate) connection attempts are denied.

By sending partial, as against malformed, packets, Slowloris can easily elapse traditional Intrusion Detection systems.

Named after a kind of slow-moving Asian primate, Slowloris really does win the race by moving slowly and steadily. A Slowloris attack must await sockets to be released by legitimate requests before consuming them one by one.

For a high-volume internet site , this will take a while . the method are often further slowed if legitimate sessions are reinitiated. But within the end, if the attack is unmitigated, Slowloris—like the tortoise—wins the race.

If undetected or unmitigated, Slowloris attacks also can last for long periods of your time . When attacked sockets outing , Slowloris simply reinitiates the connections, continuing to reach the online server until mitigated.

Designed for stealth also as efficacy, Slowloris are often modified to send different host headers within the event that a virtual host is targeted, and logs are stored separately for every virtual host.

More importantly, within the course of an attack, Slowloris are often set to suppress log file creation. this suggests the attack can catch unmonitored servers off-guard, with none red flags appearing in log file entries.

Methods of mitigation

Imperva’s security services are enabled by reverse proxy technology, used for inspection of all incoming requests on their thanks to the clients’ servers.

Imperva’s secured proxy won’t forward any partial connection requests—rendering all Slowloris DDoS attack attempts completely and utterly useless.

Buffer overflow this attack is an anomaly that happens when software writing data to a buffer overflows the buffer’s capacity, leading to adjacent memory locations being overwritten. In other words, an excessive amount of information is being passed into a container that doesn’t have enough space, which information finishes up replacing data in adjacent containers.

Buffer overflows are often exploited by attackers with a goal of modifying a computer’s memory so as to undermine or take hold of program execution.

What’s a buffer?

A buffer, or data buffer, is a neighborhood of physical memory storage wont to temporarily store data while it’s being moved from one place to a different . These buffers typically sleep in RAM memory. Computers frequently use buffers to assist improve performance; latest hard drives cash in of buffering to efficiently access data, and lots of online services also use buffers. for instance , buffers are frequently utilized in online video streaming to stop interruption. When a video is streamed, the video player downloads and stores perhaps 20% of the video at a time during a buffer then streams from that buffer. This way, minor drops in connection speed or quick service disruptions won’t affect the video stream performance.

Buffers are designed to contain specific amounts of knowledge . Unless the program utilizing the buffer has built-in instructions to discard data when an excessive amount of is shipped to the buffer, the program will overwrite data in memory adjacent to the buffer.

Buffer overflows are often exploited by attackers to corrupt software. Despite being well-understood, buffer overflow attacks are still a serious security problem that torment cyber-security teams. In 2014 a threat referred to as ‘heartbleed’ exposed many many users to attack due to a buffer overflow vulnerability in SSL software.

How do attackers exploit buffer overflows?

An attacker can deliberately feed a carefully crafted input into a program which will cause the program to undertake and store that input during a buffer that isn’t large enough, overwriting portions of memory connected to the buffer space. If the memory layout of the program is well-defined, the attacker can deliberately overwrite areas known to contain executable code. The attacker can then replace this code together with his own executable code, which may drastically change how the program is meant to figure .

For example if the overwritten part in memory contains a pointer (an object that points to a different place in memory) the attacker’s code could replace that code with another pointer that points to an exploit payload. this will transfer control of the entire program over to the

attacker’s code.

In CEH v13 Module 02: Footprinting and Reconnaissance, the OSINT Framework is introduced as a collection of free, open-source tools and resources to aid ethical hackers in passive reconnaissance.

Key Features of OSINT Framework:

Web-based visual tool that maps out links to open-source intelligence tools.

Allows collection of emails, domains, usernames, IPs, social media data, and more.

Focuses on passive footprinting to avoid detection.

Option Clarification:

A. WebSploit Framework: Used for man-in-the-middle attacks and web vulnerabilities.

B. Browser Exploitation Framework (BeEF): Browser-focused attack tool.

C. OSINT Framework: Correct — open-source intelligence and reconnaissance.

D. SpeedPhish Framework: Phishing simulation tool, not used for passive information gathering.

https://nmap.org/book/man-output.html

-oX - Requests that XML output be directed to the given filename.