Free ECCouncil 312-50v13 Practice Exam with Questions & Answers | Set: 2

According to CEH v13 Module 04: Enumeration and Module 08: Sniffing, packet sniffers such as Wireshark, tcpdump, and EtherApe are designed to capture and analyze network traffic at the data link (Layer 2) and network (Layer 3) layers of the OSI model.

At Layer 2 (Data Link), sniffers capture Ethernet frames, including MAC addresses and frame type.

At Layer 3 (Network), sniffers interpret IP headers, IP addresses, and transport layer protocols (TCP, UDP).

They do not operate at Layer 1 (Physical) as they do not deal with raw electrical signals.

Packet sniffers also do not manipulate traffic but passively monitor and capture packets that traverse the network.

Therefore, the correct statement is:

Packet Sniffers operate on both Layer 2 & Layer 3 of the OSI model.

Option Analysis:

A. Layer 1: ❌ Incorrect. Layer 1 is the physical layer (electrical, optical signals).

B. Layer 2: ❌ Partially correct but incomplete.

C. Both Layer 2 & Layer 3: Correct. Full coverage of packet sniffing capabilities.

D. Layer 3: ❌ Partially correct but incomplete.

Reference from CEH v13 Courseware:

Module 08 – Sniffing, Section: How Packet Sniffers Work

CEH iLabs: Capturing Ethernet Frames and IP Packets Using Wireshark

OSI Model Mapping in CEH Official eBook

Comprehensive and Detailed Explanation:

TCPView is a Windows Sysinternals utility that provides a real-time graphical view of:

TCP and UDP endpoints on the system

Listening, established, and closing states

Associated process names using the connections

It’s ideal for administrators or analysts looking to monitor and troubleshoot live network activity.

From CEH v13 Courseware:

Module 3: Scanning Networks → Tools for Port and Service Discovery

Incorrect Options:

A. Netstat provides snapshot (static) info, not real-time with process association.

C. Nmap is used for remote scanning, not real-time local monitoring.

D. Loki is a covert channel tool used for stealthy communication.

A DMZ (Demilitarized Zone) is a physical or logical subnet that separates an internal local area network (LAN) from untrusted networks—typically the Internet. It allows an organization to provide external-facing services while isolating internal systems from direct exposure.

From CEH v13 Official Courseware:

Module 13: Hacking Web Applications

Module 14: Hacking Web Servers

Module 1: Introduction to Ethical Hacking – Security Architecture Concepts

CEH v13 clearly outlines:

“A DMZ is critical when deploying Internet-facing servers such as web servers, FTP servers, or mail servers. It provides a buffer zone that allows public access to specific resources while keeping the internal network isolated.”

Bob’s assumption is flawed for several reasons:

DMZs can be implemented even with stateless firewalls using strict access control rules.

Relying solely on IP-based filtering is error-prone and doesn’t offer layered defense.

A DMZ provides an essential layer of segmentation, protecting internal assets from compromised public servers.

Incorrect Options:

A/D: DMZ can still make sense even with stateless firewalls if properly configured.

B: IP filtering is insufficient as a sole security measure; does not replace the need for network segmentation.

Docker uses a client-server design. The docker client talks to the docker daemon, that will the work of building, running, and distributing your docker containers. The docker client and daemon will run on the same system, otherwise you will connect a docker consumer to a remote docker daemon. The docker consumer and daemon communicate using a REST API, over OS sockets or a network interface.

The docker daemon (dockerd) listens for docker API requests and manages docker objects like pictures, containers, networks, and volumes. A daemon may communicate with other daemons to manage docker services.

If the token itself (e.g., hardware key or smartcard) performs offline verification of the PIN, it can be physically attacked. An attacker can:

Steal the token

Try all possible PIN combinations (0000–9999)

Bypass limits if no lockout mechanisms exist

This is a brute-force attack — the attacker tries every combination until the correct one is found.

From CEH v13 Courseware:

Module 6: Malware and Authentication

Module 20: Identity and Access Management

Incorrect Options:

A: Birthday attacks are related to hash collisions.

C: MITM involves intercepting communication, not offline brute-force.

D: Smurf is a DoS attack, not related to token/PIN systems.

In CEH v13 Module 17: Mobile and IoT Security, Spearphone is defined as a privacy-intrusion attack that:

Exploits a smartphone’s speaker output, particularly when loudspeaker mode is used.

Leverages motion sensors (accelerometer, gyroscope) through a malicious app to capture acoustic signals emitted during:

Phone calls

Voice assistant interactions

Media playback

This enables attackers to extract private speech content without needing microphone access.

Option Clarification:

A. Man-in-the-disk: Exploits unprotected external storage in Android.

B. aLTEr: Exploits LTE protocol weaknesses; unrelated to loudspeaker eavesdropping.

C. SIM card attack: Targets SIM-level vulnerabilities (e.g., SIMjacker).

D. Spearphone: Correct — exploits loudspeaker emissions and motion sensors.

The scenario describes a method used to make a cryptographic key more secure by making it harder to brute-force. This process is called Key Stretching.

Key Stretching:

Takes a weak or short key and processes it through a function (often repeatedly) to produce a stronger, longer key.

Commonly used in password hashing (e.g., bcrypt, PBKDF2, scrypt).

Increases the computational time required to test each guess in a brute-force attack, effectively reducing attack feasibility.

Incorrect Options:

A. Key derivation function (KDF) is related but more general; key stretching is a specific technique often implemented within KDFs.

B. Key reinstallation is associated with WPA2 KRACK attacks.

C. Public key infrastructure (PKI) is a system of digital certificates, not a key strengthening technique.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Password Hashing and Key Stretching Techniques”

Subsection: “bcrypt, PBKDF2, and Key Strengthening”

CEH iLab: Password Hashing and Cracking Simulations

Verbose failure messages are detailed error messages that reveal too much information about authentication failures. In the described scenario, the web application specifies whether the username or password is incorrect. This behavior enables attackers to:

Enumerate valid usernames by submitting random inputs and observing which error message is returned.

Use the valid usernames to conduct targeted attacks such as brute-force attempts or social engineering.

According to CEH v13:

Authentication mechanisms should provide generic error messages such as “Invalid username or password” to avoid exposing system behavior.

Verbose error messages violate the principle of "fail securely."

Incorrect Options:

A. Insecure transmission relates to credentials being sent over unencrypted channels (e.g., HTTP instead of HTTPS).

C. User impersonation involves taking on the identity of another user, not enumeration.

D. Password reset mechanisms are a different component of authentication, not mentioned in this context.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Authentication Bypass Techniques”

Subsection: “Enumeration via Verbose Error Messages”

===========

JXplorer could be a cross platform LDAP browser and editor. it’s a standards compliant general purpose LDAP client which will be used to search, scan and edit any commonplace LDAP directory, or any directory service with an LDAP or DSML interface.

It is extremely flexible and can be extended and custom in a very number of the way. JXplorer is written in java, and also the source code and source code build system ar obtainable via svn or as a packaged build for users who wish to experiment or any develop the program.

JX is is available in 2 versions; the free open source version under an OSI Apache two style licence, or within the JXWorkBench Enterprise bundle with inbuilt reporting, administrative and security tools.

JX has been through a number of different versions since its creation in 1999; the foremost recent stable release is version 3.3.1, the August 2013 release.

JXplorer could be a absolutely useful LDAP consumer with advanced security integration and support for the harder and obscure elements of the LDAP protocol. it’s been tested on Windows, Solaris, linux and OSX, packages are obtainable for HPUX, AIX, BSD and it should run on any java supporting OS.

Comprehensive and Detailed Explanation From CEH v13 Guide:

Vulnerability identification is the step in the risk assessment process where security flaws or weaknesses are identified in existing systems, policies, or procedures.

CEH v13 Reference:

Module 5: Vulnerability Assessment – Risk Assessment Concepts

“Vulnerability identification is the process of discovering existing flaws and weaknesses in systems or processes that may be exploited.”

=============================================================

When a user encrypts plaintext with PGP, PGP first compresses the plaintext. The session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key

https://en.wikipedia.org/wiki/Pretty_Good_Privacy

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.

PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address.

https://en.wikipedia.org/wiki/Public-key_cryptography

Public key encryption uses two different keys. One key is used to encrypt the information and the other is used to decrypt the information. Sometimes this is referred to as asymmetric encryption because two keys are required to make the system and/or process work securely. One key is known as the public key and should be shared by the owner with anyone who will be securely communicating with the key owner. However, the owner’s secret key is not to be shared and considered a private key. If the private key is shared with unauthorized recipients, the encryption mechanisms protecting the information must be considered compromised.

Incident Handling and Response Incident handling and response (IH&R) is the process of taking organized and careful steps when reacting to a security incident or cyberattack. Steps involved in the IH&R process: 3.Incident Triage - The IH&R team further analyzes the compromised device to find incident details such as the type of attack, its severity, target, impact, and method of propagation, and any vulnerabilities it exploited. (P.84/68)

True Positive - IDS referring a behavior as an attack, in real life it is

True Negative - IDS referring a behavior not an attack and in real life it is not

False Positive - IDS referring a behavior as an attack, in real life it is not

False Negative - IDS referring a behavior not an attack, but in real life is an attack.

False Negative - is the most serious and dangerous state of all !!!!

YARA rules are a powerful way to detect and classify malware based on patterns, signatures, and behaviors. They can be used to complement Snort rules, which are mainly focused on network traffic analysis. However, writing YARA rules manually can be time-consuming and error-prone, especially when dealing with large and diverse malware samples. Therefore, using a tool that can automate or assist the generation of YARA rules can be very helpful for ethical hackers.

Among the four options, yarGen is the best choice for this purpose, because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files. This way, yarGen can reduce the false positives and increase the accuracy of the YARA rules. yarGen also supports various features, such as whitelisting, scoring, wildcards, and regular expressions, to improve the quality and efficiency of the YARA rules.

The other options are not as suitable as yarGen for this purpose. AutoYara is a tool that automates the generation of YARA rules from a set of malicious and benign files, but it does not perform any filtering or optimization of the strings, which may result in noisy and ineffective YARA rules. YaraRET is a tool that helps in reverse engineering Trojans to generate YARA rules, but it is limited to a specific type of malware and requires manual intervention and analysis. koodous is a platform that combines social networking with antivirus signatures and YARA rules to detect malware, but it is not a tool for generating YARA rules, rather it is a tool for sharing and collaborating on YARA rules. References:

yarGen - A Tool to Generate YARA Rules

YARA Rules: The Basics

Why master YARA: from routine to extreme threat hunting cases

Vulnerability scanning software is a tool that can help security analysts identify and prioritize known vulnerabilities in their systems and applications. However, it is not a perfect solution and has some limitations that need to be considered. One of the most critical limitations is that vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed. This means that the software itself might have bugs, errors, or oversights that could affect its accuracy, reliability, or performance. For example, the software might:

Fail to detect some vulnerabilities due to incomplete or outdated databases, incorrect signatures, or insufficient coverage of the target system or application.

Produce false positives or false negatives due to misinterpretation of the scan results, incorrect configuration, or lack of context or validation.

Cause unintended consequences or damage to the target system or application due to intrusive or aggressive scanning techniques, such as exploiting vulnerabilities, modifying data, or crashing services.

Be vulnerable to attacks or compromise by malicious actors who could exploit its weaknesses, tamper with its functionality, or steal its data.

Therefore, the security analyst should be most cautious about this limitation of vulnerability scanning software, as it could lead to a false sense of security, missed opportunities for remediation, or increased exposure to threats. The security analyst should always verify the scan results, use multiple tools and methods, and update and patch the software regularly to mitigate this risk.