Pass the ECCouncil CEH v13 312-50v13 Questions and answers with Dumpstech

A Protocol Analyzer is the correct tool used to examine the contents of packet data (often stored in .pcap files) to determine if a particular sequence of traffic is suspicious, malformed, or part of a known exploit.

In CEH v13:

Module 3: Scanning Networks

Module 4: Enumeration

Module 5: Vulnerability Analysis

Related Lab: Packet Analysis using Wireshark

The CEH v13 Study Guide states:

“A protocol analyzer (e.g., Wireshark) captures and decodes packets to display their contents and help analysts understand communication flows and anomalies. It is used to manually inspect packet contents and behavior, which helps distinguish legitimate traffic from attacks.”

PCAP (Packet Capture) files are typically analyzed using tools like Wireshark. These tools decode protocol layers and show payloads, making it easier for analysts to identify if IDS alerts were accurate or false positives.

Incorrect Options:

B. Network sniffer: General term; protocol analyzer is the specific functional tool used.

C. IPS: Prevents or blocks malicious traffic, but does not analyze existing packet captures.

D. Vulnerability scanner: Identifies vulnerabilities on systems/services; not used for packet capture review.

The scenario describes a hybrid encryption solution based on the OpenPGP standard that uses both symmetric and asymmetric encryption. The key phrase in the question is “a free implementation of the OpenPGP standard,” which directly refers to GPG.

GPG (GNU Privacy Guard) is a free, open-source implementation of the OpenPGP standard.

It combines symmetric encryption for data encryption (fast and efficient) and asymmetric encryption for secure key exchange (using public/private key pairs).

GPG is widely used to secure emails, files, and messages, often in conjunction with tools like Thunderbird or command-line utilities.

Incorrect Options:

A. PGP (Pretty Good Privacy) is the original proprietary implementation of OpenPGP, not free/open-source by default.

B. S/MIME (Secure/Multipurpose Internet Mail Extensions) is another email encryption standard but does not implement OpenPGP.

C. SMTP (Simple Mail Transfer Protocol) is a mail transport protocol, not an encryption method.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Hybrid Encryption and Email Encryption Tools”

Subsection: “GPG and OpenPGP-Based Encryption”

===========

This phase having the hacker uses different techniques and tools to realize maximum data from the system. they’re –

• Password cracking – Methods like Bruteforce, dictionary attack, rule-based attack, rainbow table are used. Bruteforce is trying all combinations of the password. Dictionary attack is trying an inventory of meaningful words until the password matches. Rainbow table takes the hash value of the password and compares with pre-computed hash values until a match is discovered.

• Password attacks – Passive attacks like wire sniffing, replay attack. Active online attack like Trojans, keyloggers, hash injection, phishing. Offline attacks like pre-computed hash, distributed network and rainbow. Non electronic attack like shoulder surfing, social engineering and dumpster diving.

Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT, would be the most effective method to accomplish this goal. This option works as follows:

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT (Open Source Intelligence). It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS. Subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist1.

By using Sublist3r, the tester can quickly and efficiently discover the subdomains of the target organization’s website, which can provide valuable information about the network structure, the services offered, the potential vulnerabilities, and the attack surface. Sublist3r can also be used to perform passive reconnaissance, which does not send any packets to the target domain, and thus avoids detection by the target organization12.

The other options are not as effective as option A for the following reasons:

B. Analyzing Linkedin profiles to find employees of the target company and their job titles: This option is not relevant because it does not address the subdomain enumeration task, but the social engineering task. Linkedin is a social networking platform that allows users to create and share their professional profiles, which may include their name, job title, company, skills, education, and contacts. By analyzing Linkedin profiles, the tester may be able to find employees of the target company and their job titles, which can be useful for crafting phishing emails, impersonating employees, or exploiting human weaknesses. However, this option does not help to discover the subdomains of the target organization’s website, which is the goal of this scenario3.

C. Utilizing the Harvester tool to extract email addresses related to the target domain using a search engine like Google or Bing: This option is not sufficient because it does not provide a comprehensive list of subdomains, but only a partial list based on email addresses. The Harvester is a tool that can extract email addresses, subdomains, hosts, employee names, open ports, and banners from different public sources, such as search engines, PGP key servers, and SHODAN computer database. By using the Harvester, the tester may be able to extract some email addresses related to the target domain, which can reveal some subdomains, such as mail.target.com or support.target.com. However, this option does not guarantee to find all the subdomains of the target organization’s website, as some subdomains may not have any email addresses associated with them, or may not be indexed by the search engines4.

D. Using a people search service, such as Spokeo or Intelius, to gather information about the employees of the target organization: This option is not applicable because it does not address the subdomain enumeration task, but the personal information gathering task. Spokeo and Intelius are people search services that can provide various information about individuals, such as their name, address, phone number, email, social media, criminal records, and financial history. By using these services, the tester may be able to gather information about the employees of the target organization, which can be useful for performing background checks, identity theft, or blackmail. However, this option does not help to discover the subdomains of the target organization’s website, which is the goal of this scenario56.

LAN Manager (LM) hashes use the DES (Data Encryption Standard) algorithm to hash passwords. Here's how LM hashing works:

The password is converted to uppercase and padded/truncated to 14 characters.

Split into two 7-character halves.

Each half is used as a DES key to encrypt a constant string ("KGS!@#$%")—resulting in a 16-byte LM hash.

From CEH v13 Courseware:

Module 6: Malware Threats

Topic: Windows Password Storage & Cracking

CEH v13 Study Guide states:

“LM hashes use the DES encryption algorithm to create password hashes. Due to this method, they are highly vulnerable to brute-force attacks, particularly because they split the password into two 7-character blocks.”

Incorrect Options:

A: MD4 is used in NTLM hashes.

C: SHA is not used in LM.

D: SSL is a transport security protocol, not a hashing algorithm.

The longer an adversary has this level of access, the greater the impact. Defenders must detect this stage as quickly as possible and deploy tools which can enable them to gather forensic evidence. One example would come with network packet captures, for damage assessment. Only now, after progressing through the primary six phases, can intruders take actions to realize their original objectives. Typically, the target of knowledge exfiltration involves collecting, encrypting and extracting information from the victim(s) environment; violations of knowledge integrity or availability are potential objectives also . Alternatively, and most ordinarily , the intruder may only desire access to the initial victim box to be used as a hop point to compromise additional systems and move laterally inside the network. Once this stage is identified within an environment, the implementation of prepared reaction plans must be initiated. At a minimum, the plan should include a comprehensive communication plan, detailed evidence must be elevated to the very best ranking official or board , the deployment of end-point security tools to dam data loss and preparation for briefing a CIRT Team. Having these resources well established beforehand may be a “MUST” in today’s quickly evolving landscape of cybersecurity threats

https://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.html

Since this question refers specifically to analyzing a wireless network, it is obvious that we need an option with AirPcap (Riverbed AirPcap USB-based adapters capture 802.11 wireless traffic for analysis). Since it works with two traffic analyzers SteelCentral Packet Analyzer (Cascade Pilot) or Wireshark, the correct option would be "Wireshark with Airpcap."

NOTE: AirPcap adapters no longer available for sale effective January 1, 2018, but a question on this topic may occur on your exam.

===========

The technique that the hacker would consider next to obtain useful information about the underlying database is to utilize a blind injection technique that uses time delays or error signatures to extract information. A blind injection technique is a type of SQL injection technique that is used when the web application does not return any detailed error messages or data from the database, but only indicates whether the query was executed successfully or not. A blind injection technique relies on sending specially crafted SQL queries that cause a noticeable change in the behavior or response of the web application, such as a time delay or an error signature, which can then be used to infer information about the database. For example, the hacker could use the following methods12:

Time-based blind injection: This method involves injecting a SQL query that contains a time delay function, such as SLEEP() or WAITFOR DELAY, which pauses the execution of the query for a specified amount of time. The hacker can then measure the time difference between the normal and the delayed responses, and use it to determine whether the injected query was true or false. By using this method, the hacker can perform a binary search to guess the values of the data in the database, one bit at a time.

Error-based blind injection: This method involves injecting a SQL query that contains a deliberate error, such as a division by zero, a type mismatch, or an invalid conversion, which causes the database to generate an error message. The hacker can then analyze the error message, which may contain useful information about the database, such as the version, the name, the structure, or the data. By using this method, the hacker can exploit the error handling mechanism of the database to extract information.

The other options are not as suitable as option D for the following reasons:

A. Use the UNION operator to combine the result sets of two or more SELECT statements: This option is not feasible because it requires the web application to return data from the database, which is not the case in this scenario. The UNION operator is a SQL operator that allows the hacker to append the results of another SELECT statement to the original query, and display them as part of the web page. This way, the hacker can retrieve data from other tables or columns that are not intended to be shown by the web application. However, this option does not work when the web application does not return any data or error messages from the database, as in this scenario3.

B. Attempt to compromise the system through OS-level command shell execution: This option is not relevant because it is not a SQL injection technique, but a post-exploitation technique. OS-level command shell execution is a method of gaining access to the underlying operating system of the web server, by injecting a SQL query that contains a system command, such as xp_cmdshell, exec, or shell_exec, which executes the command on the server. This way, the hacker can perform various actions on the server, such as uploading files, downloading files, or running programs. However, this option does not help to obtain information about the database, which is the goal of this scenario4.

C. Try to insert a string value where a number is expected in the input field: This option is not effective because it is a basic SQL injection technique that is used to detect SQL injection vulnerabilities, not to exploit them. Inserting a string value where a number is expected in the input field is a method of triggering a syntax error in the SQL query, which may reveal the structure or the content of the query in the error message. This way, the hacker can identify the vulnerable parameters and the type of the database. However, this option does not work when the web application does not return any detailed error messages from the database, as in this scenario5.

In a Windows network, nongovernmental organization (New Technology) local area network Manager (NTLM) could be a suite of Microsoft security protocols supposed to produce authentication, integrity, and confidentiality to users.NTLM is that the successor to the authentication protocol in Microsoft local area network Manager (LANMAN), Associate in Nursing older Microsoft product. The NTLM protocol suite is enforced in an exceedingly Security Support supplier, which mixes the local area network Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in an exceedingly single package. whether or not these protocols area unit used or will be used on a system is ruled by cluster Policy settings, that totally different|completely different} versions of Windows have different default settings. NTLM passwords area unit thought-about weak as a result of they will be brute-forced very simply with fashionable hardware.

NTLM could be a challenge-response authentication protocol that uses 3 messages to authenticate a consumer in an exceedingly affiliation orientating setting (connectionless is similar), and a fourth extra message if integrity is desired.

First, the consumer establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities.

Next, the server responds with CHALLENGE_MESSAGE that is employed to determine the identity of the consumer.

Finally, the consumer responds to the challenge with Associate in Nursing AUTHENTICATE_MESSAGE.

The NTLM protocol uses one or each of 2 hashed word values, each of that are keep on the server (or domain controller), and that through a scarcity of seasoning area unit word equivalent, that means that if you grab the hash price from the server, you’ll evidence while not knowing the particular word. the 2 area unit the lm Hash (a DES-based operate applied to the primary fourteen chars of the word born-again to the standard eight bit laptop charset for the language), and also the nt Hash (MD4 of the insufficient endian UTF-16 Unicode password). each hash values area unit sixteen bytes (128 bits) every.

The NTLM protocol additionally uses one among 2 a method functions, looking on the NTLM version. National Trust LanMan and NTLM version one use the DES primarily based LanMan a method operate (LMOWF), whereas National TrustLMv2 uses the NT MD4 primarily based a method operate (NTOWF).

TCP Maimon scan

This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is

FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

https://nmap.org/book/scan-methods-maimon-scan.html

How Nmap interprets responses to a Maimon scan probe

Probe Response Assigned State

No response received (even after retransmissions) open|filtered

TCP RST packet closed

ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) filtered

Censys is a powerful Internet-wide scanning tool that allows users to:

Discover and analyze devices and services exposed to the public internet

Enumerate connected IoT devices, open ports, software versions

Provide structured and searchable reports for vulnerability analysis

According to CEH v13:

Censys continuously scans the IPv4 address space and maintains up-to-date databases of connected devices and their metadata.

Incorrect Options:

B. Wapiti is a web application vulnerability scanner.

C. NeuVector is a container security solution.

D. Lacework is a cloud workload protection platform, not focused on IoT enumeration.

Reference – CEH v13 Official Courseware:

Module 18: IoT and OT Hacking

Section: “IoT Discovery Tools”

Tool Focus: Censys, Shodan

===========

In CEH v13 Module 04: Enumeration and Module 06: Malware Threats, when investigating Command-and-Control (C2) communication, it is important to determine whether the communication actually occurred and what data was sent.

C. Internet Firewall/Proxy log

Best source to confirm outbound connections to external IPs.

Proxy logs show which internal host made the connection, the timestamp, and sometimes even URL and payload.

Firewalls can indicate port usage, traffic volume, and connection duration.

This data gives a direct view of how severe the incident is, whether data exfiltration occurred, and which internal system is affected.

Why Other Options Are Less Effective Initially:

A. IDS Log: Only tells you that an alert was generated. May be false positive or triggered by a failed connection.

B. Event logs on Domain Controller: Useful for user account behavior, but not for network connections.

D. Event logs on the PC: May lack detail or be tampered with by malware.

White-hat hackers perform security assessments with authorization. CEH defines ethical hacking as legal, structured testing of network defenses with the goal of improving security rather than causing harm.

Comprehensive and Detailed Explanation:

Non-repudiation ensures that a sender cannot deny having sent a message. This is typically achieved through digital signatures or logs which verify the origin and integrity of communications.

From CEH v13 Courseware:

Module 10: Cryptography → Security Services

“Non-repudiation prevents entities from denying their actions, such as sending emails or digital transactions.”

In CEH v13 Module 02: Footprinting and Reconnaissance, the OSINT Framework is introduced as a collection of free, open-source tools and resources to aid ethical hackers in passive reconnaissance.

Key Features of OSINT Framework:

Web-based visual tool that maps out links to open-source intelligence tools.

Allows collection of emails, domains, usernames, IPs, social media data, and more.

Focuses on passive footprinting to avoid detection.

Option Clarification:

A. WebSploit Framework: Used for man-in-the-middle attacks and web vulnerabilities.

B. Browser Exploitation Framework (BeEF): Browser-focused attack tool.

C. OSINT Framework: Correct — open-source intelligence and reconnaissance.

D. SpeedPhish Framework: Phishing simulation tool, not used for passive information gathering.