Pass the ECCouncil CEH v13 312-50v13 Questions and answers with Dumpstech

When a switch's ARP cache is flooded using a tool like Macof (from the Dsniff suite), it overwhelms the device's MAC address table, which stores port-to-MAC mappings.

If the table overflows:

The switch can no longer associate MAC addresses with specific ports.

It fails open and begins forwarding frames out all ports — just like a hub.

This degrades the switch’s functionality and allows attackers to sniff traffic on segments that should otherwise be isolated.

From CEH v13 Courseware:

Module 8: Sniffing → Switch-based Attacks

Command Breakdown:

nc: Netcat utility

-l: Listen mode

-u: Use UDP protocol

-p 55555: Listen on port 55555

< /etc/passwd: Redirects the contents of /etc/passwd into the socket

This means that when a connection is made to UDP port 55555, the contents of /etc/passwd will be sent to the connecting host.

From CEH v13 Courseware:

Module 8: Sniffing & Network Communication Tools

CEH v13 Study Guide states:

“Netcat can be used to serve files, open shells, or transfer data. Using input redirection, it can stream file contents to anyone who connects.”

Incorrect Options:

A: Does not log; it outputs /etc/passwd

C: The opposite; it serves the file, doesn’t grab it

D: Netcat does not delete files with this syntax

CEH defines passive reconnaissance as collecting information without directly engaging the target.

Option A is incorrect for passive reconnaissance because Nmap scanning actively probes systems, generating detectable traffic.

Options B, C, and D rely on publicly available information and are standard passive techniques.

CEH classifies Nmap scanning as active footprinting.

Objectives of Footprinting Draw Network Map - Combining footprinting techniques with tools such as Tracert allows the attacker to create diagrammatic representations of the target organization’s network presence. Specficially, it allows attackers to draw a map or outline of the target organization’s network infrastructure to know about the actual environment that they are going to break into. These network diagrams can guide the attacker in performing an attack. (P.114/98)

According to CEH v13 Cloud Computing, improper identity and access management (IAM) is one of the most common causes of cloud security incidents. When former employees retain access to cloud resources, it represents a failure in user lifecycle management, specifically in the de-provisioning phase.

Timely user de-provisioning ensures that when an employee leaves the organization or changes roles, all associated access rights—API keys, IAM roles, credentials, tokens, and permissions—are immediately revoked. CEH v13 emphasizes that cloud environments magnify this risk because access is often centralized and remote, meaning former employees can access systems from anywhere.

Options A, B, and C are supportive security practices but do not directly address the root cause. Multi-cloud models do not prevent unauthorized access. Traffic analysis may detect misuse after the fact but does not prevent it. Penetration testing identifies vulnerabilities but does not manage user access.

CEH v13 explicitly identifies timely de-provisioning as a critical cloud security control to prevent insider threats, privilege abuse, and compliance violations. Therefore, Option D is the correct answer.

MAC flooding is a Layer 2 attack in which an attacker sends a large number of fake MAC addresses to a switch, filling up its CAM (Content Addressable Memory) table. Once the table is full:

The switch enters “fail-open” mode and broadcasts traffic to all ports

The attacker can then sniff sensitive traffic

This attack effectively turns a switch into a hub, facilitating data sniffing.

Incorrect Options:

A. Evil twin is a wireless attack using rogue access points.

B. DNS cache flooding corrupts DNS entries, unrelated to Ethernet.

D. DDoS attacks are about overwhelming systems/services, not Layer 2 memory overflows.

Reference – CEH v13 Official Courseware:

Module 11: Sniffing

Section: “Switch Port Stealing and MAC Flooding”

Subsection: “Layer 2 Attacks and CAM Table Poisoning”

=

This is a textbook case of Intranet DNS Poisoning, often combined with ARP spoofing, as described in CEH v13 Network Sniffing and MITM Attacks. The attacker positions themselves inside the local network, intercepts DNS requests, and responds faster than the legitimate DNS server.

ARP spoofing enables the attacker to perform a Man-in-the-Middle attack, allowing sniffing and modification of DNS traffic. CEH v13 notes that faster rogue responses are a strong indicator of local DNS poisoning.

In CEH v13 Module 03: Scanning Networks, stealth scanning refers to a method of scanning that avoids detection by not completing the TCP handshake.

-sS = TCP SYN scan (Stealth scan)

Sends SYN packet.

If SYN-ACK is returned, the port is open; then a RST is sent back instead of completing handshake.

Harder to detect via IDS/IPS.

Option Analysis:

A. -sM: TCP Maimon scan (rarely used).

B. -sU: UDP scan.

C. -sS: Stealth SYN scan.

D. -sT: TCP Connect scan (not stealthy).

Ransomware encrypts user data and extorts payment for restoration. CEH covers ransomware as a major threat in system hacking, highlighting encryption-based extortion as its defining behavior.

Restrict results to those of a certain filetype. E.g., PDF, DOCX, TXT, PPT, etc. Note: The “ext:” operator can also be used—the results are identical.

Example: apple filetype:pdf / apple ext:pdf

Insecure communication is defined in CEH’s mobile and IoT security modules as the failure to encrypt sensitive data transmitted between a device and a server. When applications use plain HTTP instead of HTTPS, all traffic—including authentication tokens, user identifiers, and session data—can be monitored and altered by an attacker through network sniffing or man-in-the-middle attacks. CEH emphasizes that insecure transport channels represent one of the most common and critical weaknesses in mobile ecosystems, allowing attackers to harvest credentials or inject malicious commands. Security misconfiguration refers to improper server settings, while SSL pinning issues involve certificate validation bypassing. Insufficient input validation pertains to application-side data validation. None of these align as directly as insecure communication, which precisely describes the unencrypted data exposure.

In CEH v13 Module 11: Hacking Wireless Networks, WPA3-Personal is discussed as the latest wireless encryption standard designed to address the weaknesses of WPA2, particularly PSK brute-force vulnerabilities.

Key Features of WPA3-Personal:

Replaces the pre-shared key (PSK) with Simultaneous Authentication of Equals (SAE), also known as the Dragonfly Key Exchange.

SAE performs a zero-knowledge proof which makes it resistant to offline dictionary attacks.

Even if attackers capture the handshake, they cannot use it to brute-force passwords offline.

Option Clarification:

A. WPA3-Personal: Correct – uses SAE instead of PSK.

B. WPA2-Enterprise: Uses 802.1X, not related to SAE.

C. Bluetooth: Wireless protocol but unrelated to SAE or WPA.

D. ZigBee: IoT protocol; unrelated to Wi-Fi security protocols.

Adware, or advertising supported computer code, is computer code that displays unwanted advertisements on your pc. Adware programs can tend to serve you pop-up ads, will modification your browser’s homepage, add spyware and simply bombard your device with advertisements. Adware may be a additional summary name for doubtless unwanted programs. It’s roughly a virulent disease and it’s going to not be as clearly malicious as a great deal of different problematic code floating around on the net. create no mistake concerning it, though, that adware has to return off of no matter machine it’s on. Not solely will adware be extremely annoying whenever you utilize your machine, it might additionally cause semipermanent problems for your device.

Adware a network users the browser to gather your internet browsing history so as to ’target’ advertisements that appear tailored to your interests. At their most innocuous, adware infections square measure simply annoying. as an example, adware barrages you with pop-up ads that may create your net expertise markedly slower and additional labor intensive.

Tailgating, as defined in CEH v13 Social Engineering, is a physical social engineering attack where an unauthorized individual gains access by following an authorized person into a restricted area.

The attacker exploits human courtesy rather than technical vulnerabilities. Options B, C, and D describe phishing, pretexting, and baiting respectively.

Thus, option A is the correct representation of tailgating.

The scenario describes a cryptographic attack where the attacker (in this case, the student) uses a predefined list of commonly used passwords to try and unlock a secured PDF document. This technique is known as a Dictionary Attack.

According to the CEH v13 Official Courseware:

A Dictionary Attack is defined as “a method of breaking passwords by trying out a predefined list of words (dictionary) commonly used as passwords.”

Unlike a brute-force attack, which tries every possible character combination, a dictionary attack relies on known or likely password choices, which makes it faster but less exhaustive.

Dictionary attacks are commonly used against encrypted or password-protected files, login forms, and even hashes.

Relevant distinctions from other options:

A. Man-in-the-middle attack involves intercepting communication between two parties and is unrelated to offline password cracking.

B. Brute-force attack tries all possible character combinations, not just a list of known or common passwords.

D. Session hijacking involves taking over a user session and is unrelated to document password cracking.

Reference – CEH v13 Official Study Materials:

Module 20: Cryptography

Section: "Cryptanalysis Techniques"

Subsection: "Dictionary Attack vs. Brute-force Attack"

CEH v13 eBook or Study Guide — look for Table: “Types of Password Attacks” under “Cryptography Attack Vectors”

This exact technique is illustrated in CEH v13 labs involving John the Ripper, Hydra, and password recovery tools.