Free ECCouncil 312-50v13 Practice Exam with Questions & Answers | Set: 4

Comprehensive and Detailed Explanation:

In a MAC flooding attack, tools like macof (shown in the image) rapidly generate a large number of Ethernet frames with spoofed source MAC addresses. These are sent to the switch to overflow its CAM (Content Addressable Memory) table.

Once the CAM table is full:

The switch can no longer learn new MAC-to-port associations.

It fails open and starts broadcasting all incoming traffic to all ports.

This causes the switch to act like a hub.

Consequently, the attacker can:

Sniff traffic that would otherwise be switched.

Intercept data not destined for their system.

From CEH v13 Courseware:

Module 8: Sniffing → Switch-Based Attacks → MAC Flooding

Incorrect Options:

B: A switch typically does not crash but reverts to hub behavior.

C: There is no factory default override behavior like this.

D: Packets are not dropped—this would defeat the attack’s purpose.

In CEH v13 Module 11: Hacking Wireless Networks, Wardriving is explained as the practice of driving around with a Wi-Fi-enabled device to detect open or vulnerable wireless networks.

Key Characteristics of Wardriving:

Involves using laptops, smartphones, or specialized devices with Wi-Fi antennas.

Tools like NetStumbler, Kismet, or WiGLE may be used.

Often includes GPS tagging of discovered networks.

Used to identify unsecured access points for later exploitation.

Option Clarification:

A. GPS mapping: May be used with wardriving, but not the act itself.

B. Spectrum analysis: Measures RF spectrum usage; not network discovery.

C. Wardriving: Correct – searching for Wi-Fi networks while driving.

D. Wireless sniffing: Captures traffic; can happen during wardriving, but broader in scope.

Many network and system administrators don't pay enough attention to system clock accuracy and time synchronization. Computer clocks can run faster or slower over time, batteries and power sources die, or daylight-saving time changes are forgotten. Sure, there are many more pressing security issues to deal with, but not ensuring that the time on network devices is synchronized can cause problems. And these problems often only come to light after a security incident.

If you suspect a hacker is accessing your network, for example, you will want to analyze your log files to look for any suspicious activity. If your network's security devices do not have synchronized times, the timestamps' inaccuracy makes it impossible to correlate log files from different sources. Not only will you have difficulty in tracking events, but you will also find it difficult to use such evidence in court; you won't be able to illustrate a smooth progression of events as they occurred throughout your network.

In CEH v13 Module 05: System Hacking, once an attacker gains access to hashed passwords, cracking tools are employed to reverse or brute-force them.

Tool Breakdown:

John the Ripper: A powerful password cracking tool that supports many hash formats.

Hashcat: GPU-based, extremely fast password hash cracking tool.

THC-Hydra: Used for online attacks (e.g., SSH, FTP brute force).

Netcat: Not a password cracking tool — it’s a network utility used for:

Remote shell connections

Banner grabbing

File transfers

Port scanning

Therefore:

C. Netcat is the correct answer — it is not used for password cracking.

In CEH v13 Module 12: Hacking Web Applications, Burp Suite is introduced as a powerful proxy-based tool used for intercepting, modifying, and analyzing HTTP/S traffic between a client and a web application.

Key Features of Burp Suite:

Captures all HTTP requests and responses.

Allows for manual testing of input parameters, headers, and cookies.

Includes tools such as Intruder, Repeater, Scanner, and Decoder.

Helps detect vulnerabilities such as XSS, SQLi, CSRF, and insecure session handling.

Option Review:

A. Maskgen: Used for generating masks, not a web proxy.

B. Dimitry: A footprinting tool, not used for request/response testing.

C. Burpsuite: Correct. Designed for web application vulnerability analysis.

D. Proxychains: Used to chain proxies for anonymity, not for HTTP traffic analysis.

An advanced persistent threat (APT) may be a broad term wont to describe AN attack campaign within which an intruder, or team of intruders, establishes a bootleg, long presence on a network so as to mine sensitive knowledge.

The targets of those assaults, that square measure terribly fastidiously chosen and researched, usually embrace massive enterprises or governmental networks. the implications of such intrusions square measure huge, and include:

Intellectual property thieving (e.g., trade secrets or patents)

Compromised sensitive info (e.g., worker and user personal data)

The sabotaging of essential structure infrastructures (e.g., information deletion)

Total website takeovers

Executing an APT assault needs additional resources than a regular internet application attack. The perpetrators square measure typically groups of intimate cybercriminals having substantial resource. Some APT attacks square measure government-funded and used as cyber warfare weapons.

APT attacks dissent from ancient internet application threats, in that:

They’re considerably additional advanced.

They’re not hit and run attacks—once a network is infiltrated, the culprit remains so as to realize the maximum amount info as potential.

They’re manually dead (not automated) against a selected mark and indiscriminately launched against an outsized pool of targets.

They typically aim to infiltrate a complete network, as opposition one specific half.

More common attacks, like remote file inclusion (RFI), SQL injection and cross-site scripting (XSS), square measure oftentimes employed by perpetrators to ascertain a footing in a very targeted network. Next, Trojans and backdoor shells square measure typically wont to expand that foothold and make a persistent presence inside the targeted perimeter.

Tess King is attempting to gather all DNS records from a target zone. This process is referred to as a zone transfer (AXFR), which is typically performed by secondary name servers to synchronize DNS data with the primary. If improperly secured, attackers can initiate unauthorized zone transfers to enumerate valuable information such as:

Hostnames

IP addresses

Mail servers

Name servers

CEH v13 defines a zone transfer as a crucial step in DNS enumeration.

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration → Zone Transfers

CEH v13 Study Guide states:

“A zone transfer (AXFR) is a DNS transaction used to replicate DNS databases. Attackers can exploit this feature to extract all DNS information from an improperly secured server.”

Incorrect Options:

A. Zone harvesting is not a formal term.

C. Zone update refers to DNS dynamic update operations (e.g., DDNS).

D. Zone estimate is not a DNS-related process.

A brute-force attack is the most exhaustive password-cracking method. It tries every possible combination of characters (letters, numbers, and symbols) until the correct password is found.

From CEH v13 Courseware:

Module 6: Password Cracking Techniques

CEH v13 Study Guide states:

“Brute-force attacks try every possible combination until the correct password is discovered. It’s resource-intensive but guarantees success if enough time and processing power is available.”

Incorrect Options:

B: Refers to social engineering or coercion.

C: Describes a dictionary attack.

D: Refers to a rainbow table attack.

E: Not a cracking method.

A hybrid attack combines a dictionary and brute-force approach. Given that:

Passwords are required to be complex

Users still often choose predictable variations (e.g., Password123!, Welcome@2024)

A hybrid attack is best suited because it applies common mutations to known words—much faster than full brute force and more effective than a plain dictionary attack.

From CEH v13 Courseware:

Module 6: Password Cracking → Attack Techniques

CEH v13 Study Guide states:

“Hybrid attacks combine the speed of dictionary attacks with some of the thoroughness of brute-force. It’s ideal when users use complex but predictable passwords.”

Incorrect Options:

A: Online attacks are slow and may trigger account lockouts.

B: Plain dictionary attacks won’t cover variations like “P@ssw0rd!”

C: Brute-force would be too slow for complex passwords.

SMTP enumeration involves probing a mail server to gather information about users and configurations. Two important SMTP commands used in enumeration are:

VRFY: Verifies whether a particular email address or user ID exists on the mail server.

EXPN: Reveals the actual addresses behind a mailing list or alias.

These commands allow attackers or penetration testers to enumerate valid user accounts or group memberships, which can later be targeted for phishing, spam, or brute-force attacks.

Incorrect Options:

B. Daily outgoing message limits are not typically disclosed via SMTP.

C. RCPT TO is used to designate a message recipient, but it doesn't enumerate open ports.

D. Mail proxy addresses are not revealed directly via SMTP enumeration.

Reference – CEH v13 Official Courseware:

Module 04: Enumeration

Section: “SMTP Enumeration Techniques”

Tool Reference: smtp-user-enum, Netcat

===========

A Kerberoasting attack is a technique that exploits the Kerberos authentication protocol to obtain the password hash of a service account that has a Service Principal Name (SPN). An attacker can request a service ticket (TGS) for the SPN using a valid user’s ticket (TGT) and then attempt to crack the password hash offline. To prevent the attacker from using the TGS to access the service, the system administrator should invalidate the TGS as soon as possible. This can be done by changing the password of the service account, which will generate a new password hash and render the old TGS useless. Alternatively, the system administrator can use tools like Mimikatz to purge the TGS from the memory of the domain controller or the client system. Performing a system reboot, deleting the compromised user’s account, or changing the NTLM password hash used to encrypt the ST are not effective ways to invalidate the TGS, as they do not affect the encryption of the TGS or the validity of the TGT. References:

EC-Council CEHv12 Courseware Module 11: Hacking Webservers, page 11-24

What is a Kerberoasting Attack? – CrowdStrike

How to Perform Kerberoasting Attacks: The Ultimate Guide - StationX

Wired Equivalent Privacy (WEP) may be a security protocol, laid out in the IEEE wireless local area network (Wi-Fi) standard, 802.11b, that’s designed to supply a wireless local area network (WLAN) with A level of security and privacy like what’s usually expected of a wired LAN. A wired local area network (LAN) is usually protected by physical security mechanisms (controlled access to a building, for example) that are effective for a controlled physical environment, but could also be ineffective for WLANs because radio waves aren’t necessarily bound by the walls containing the network. WEP seeks to determine similar protection thereto offered by the wired network’s physical security measures by encrypting data transmitted over the WLAN. encoding protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms like password protection, end-to-end encryption, virtual private networks (VPNs), and authentication are often put in situ to make sure privacy.

A research group from the University of California at Berkeley recently published a report citing “major security flaws” in WEP that left WLANs using the protocol susceptible to attacks (called wireless equivalent privacy attacks). within the course of the group’s examination of the technology, they were ready to intercept and modify transmissions and gain access to restricted networks. The Wireless Ethernet Compatibility Alliance (WECA) claims that WEP – which is included in many networking products – was never intended to be the only security mechanism for a WLAN, and that, in conjunction with traditional security practices, it’s very effective.

In CEH v13 Module 04: Enumeration, identifying services based on well-known port numbers is foundational for enumeration and scanning activities.

Port 21/TCP is assigned to the File Transfer Protocol (FTP).

FTP is a standard protocol used to upload, download, and manage files on a remote server.

During enumeration, open FTP ports can be probed for:

Anonymous login

Banner grabbing

Directory traversal vulnerabilities

Option Clarification:

A. BGP: Runs on TCP port 179.

C. NFS: Commonly uses port 2049.

D. RPC: Dynamically uses multiple ports.

Correct answer is B. FTP (port 21).

ISAPI (Internet Server Application Programming Interface) filters are DLLs used to extend the functionality of Microsoft IIS (Internet Information Services). If unnecessary or outdated ISAPI filters are enabled, they can introduce vulnerabilities or backdoors that attackers may exploit to launch web server-based attacks.

From the CEH v13 Official Courseware:

Module 14: Hacking Web Servers

Section: Web Server Vulnerabilities

Subsection: Common Web Server Misconfigurations

CEH v13 states:

“Unnecessary ISAPI filters and extensions should be disabled or removed, as they may introduce unneeded attack surfaces on the web server. Attackers may exploit vulnerabilities in these filters to gain unauthorized access, execute code remotely, or escalate privileges on the server.”

This is part of a broader hardening strategy to reduce the web server’s attack surface.

Incorrect Options:

A. Social engineering involves manipulating people, not software vulnerabilities.

C. Jailbreaking refers to bypassing restrictions on mobile devices.

D. Wireless attacks are unrelated to web server software components.

The description in the scenario clearly points to Docker. Docker is an open-source platform that automates the deployment, scaling, and management of applications inside containers. It allows:

Isolation of applications from the underlying system

Communication through well-defined APIs and networking interfaces

Rapid packaging and shipping of applications in a containerized format

Docker uses OS-level virtualization and is ideal for Platform-as-a-Service (PaaS) environments.

Incorrect Options:

A. Virtual machines virtualize entire operating systems and are heavier in resource use.

B. Serverless computing abstracts the infrastructure entirely but is not about containerization.

D. Zero Trust is a security architecture, not a development or packaging platform.

Reference – CEH v13 Official Courseware:

Module 19: Cloud Computing

Section: “Containerization and Docker”

Subsection: “Security Benefits of Containers”

===========