Pass the ECCouncil CEH v13 312-50v13 Questions and answers with Dumpstech

1. AV (Asset value) = $300 + (14 * $10) = $440 - the cost of a hard drive plus the work of a recovery person, i.e.how much would it take to replace 1 asset? 10 hours for resorting the OS and soft + 4 hours for DB restore multiplies by hourly rate of the recovery person.

2. SLE (Single Loss Expectancy) = AV * EF (Exposure Factor) = $440 * 1 = $440

3. ARO (Annual rate of occurrence) = 1/3 (every three years, meaning the probability of occurring during 1 years is 1/3)

4. ALE (Annual Loss Expectancy) = SLE * ARO = 0.33 * $440 = $145.2

A Stealth or Tunneling Virus is designed specifically to evade detection by antivirus software and system monitoring tools. These viruses work by intercepting and modifying the operating system’s service call interrupts (such as INT 13h and INT 21h in DOS systems), which are used to access files or system services.

By hooking into these interrupts, the virus can return clean or forged data to antivirus scanners, thus hiding its malicious presence from detection tools.

Tunneling viruses may also operate at a lower level to evade even more advanced antivirus detection methods, making them particularly dangerous and hard to detect.

Reference – CEH v13 Official Study Guide:

Module 6: Malware Threats

Section: Types of Viruses

Quote:

“Tunneling viruses attempt to avoid detection by antivirus programs by installing themselves in the interrupt handler chain. These viruses intercept operating system calls to conceal their activities.”

Incorrect Options Explained:

A. Macro viruses target applications like Microsoft Word/Excel and use embedded macros, but do not alter service call interrupts.

C. Cavity viruses insert code into empty spaces in files without changing the file size but do not modify interrupts.

D. Polymorphic viruses mutate their code to avoid signature-based detection but do not typically interfere with system interrupts directly.

In CEH v13 Module 02: Footprinting and Reconnaissance, and Module 03: Scanning Networks, several tools and techniques are introduced for analyzing public IP addresses when investigating a security alert.

Let’s evaluate the options:

A. DNS: Domain Name System (DNS) is essential in mapping IPs to domains. Reverse DNS lookups can reveal if the IP is associated with a malicious domain, and forward lookups can confirm legitimacy.

B. Whois: WHOIS records are crucial for identifying IP ownership, registration data, and abuse contacts. It helps assess if the IP belongs to a known threat actor or suspicious hosting provider.

C. Geolocation: Helps you understand where the IP is physically located. If the IP is in a country known for cybercrime or doesn’t match your user's location, it raises red flags.

D. ARP (Address Resolution Protocol): ❌ ARP is local to Layer 2 and works only within a LAN (Local Area Network). ARP cannot resolve or analyze public IP addresses which operate in Layer 3 of the OSI model.

Thus, ARP is the least relevant when analyzing a public IP address, as it deals with MAC-to-IP mapping only in local environments.

MX (Mail Exchange) records in DNS define the mail servers responsible for receiving email for a domain. Each MX record has a priority value.

Important concept:

A lower number indicates a higher priority.

Email servers attempt delivery to the mail server with the lowest priority first.

For example:

If MX records are:

10 mail1.example.com

20 mail2.example.com

Then mail1 will be tried first. If it fails, mail2 will be used.

So the statement “MX record priority increases as the number increases” is false.

CEH v13 defines a white hat hacker as a security professional with explicit authorization to perform penetration testing, vulnerability assessments, and exploitation attempts within legal and contractual boundaries. Their objective is to strengthen security, not compromise it. White hats follow structured methodologies, document findings, and provide remediation recommendations. A black hat (Option A) acts maliciously and without permission. A grey hat (Option B) operates without authorization but without harmful intent, which is not compliant with corporate penetration testing procedures. Script kiddies (Option C) rely on pre-built tools without deep knowledge and are not employed for legitimate engagements. Therefore, the individual described is a white hat, operating under legal and ethical guidelines with organizational consent.

In CEH v13 Module 13: Hacking Web Applications, Server-Side Includes (SSI) is defined as a method for dynamically generating web content through directives embedded in HTML files.

stm File Extension:

Associated with Server Side Includes (SSI).

Files like .stm, .shtml, and .shtm can embed server-side directives.

Vulnerable if user input is improperly handled, allowing command injection or arbitrary file access.

Option Clarification:

A. .stm: Correct – indicates SSI is enabled.

B. .html: Static file, not associated with SSI.

C. .rss: XML feed; irrelevant to SSI.

D. .cms: Generic; doesn’t indicate SSI functionality.

In CEH v13 Module 03: Scanning Networks, under the Nmap Host Discovery Techniques, TCP SYN ping scan is explained as one of the methods used to determine whether a host is online by sending SYN packets to specified TCP ports.

When using Nmap:

-PS specifies a TCP SYN ping scan. It sends SYN packets to a given port (by default port 80, unless specified) to check whether a host is up and whether the port is open.

The response type to this SYN packet determines the host status:

If a SYN/ACK is received, it indicates the port is open, and the host is up.

If RST is received, the port is closed, but the host is still considered online.

If no response or ICMP unreachable is received, the host may be down or filtered.

Clarification of options:

A. -pp: This is not a valid Nmap option.

B. -PO: This sends IP Protocol Ping, used less frequently and not the same as SYN ping.

C. -PS: Correct. Performs a TCP SYN Ping Scan.

D. -PA: Sends TCP ACK Ping, used to determine firewall presence but not the same as SYN scan.

Reference from CEH v13 Study Guide and Course Material:

CEH v13 Official Module 03 – Scanning Networks, Slide: Nmap Host Discovery Techniques

EC-Council iLabs - Scanning Networks Practical Lab Guide: Section on nmap -sn -PS

Nmap Official Documentation (also referenced in CEH): https://nmap.org/book/man-host-discovery.html

WPA2-PSK networks authenticate users using a pre-shared key derived from a passphrase. After capturing the 4-way handshake, CEH teaches that the standard and most effective method to recover the key is to perform an offline dictionary attack, where wordlist entries are hashed and compared against the captured handshake values. Offline cracking avoids detection and is significantly faster than brute-force attempts.

In CEH v13 Module 01: Introduction to Ethical Hacking, Business Impact Analysis (BIA) is defined as a core component of the risk management process that helps identify and evaluate critical business functions, their dependencies, and the impact of downtime.

BIA is performed to:

Identify critical services and resources.

Determine the impact of their failure.

Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

Prioritize systems for business continuity planning.

Option Clarification:

A. EPR: Emergency Plan Response – not a formal phase in BIA or risk analysis.

C. Risk Mitigation: Involves taking actions to reduce risks, but doesn't identify business-critical services.

D. DRP: Disaster Recovery Planning focuses on restoration, not impact assessment.

Most likely have an issue with DNS.

DNS stands for “Domain Name System.” It’s a system that lets you connect to websites by matching human-readable domain names (like example.com) with the server's unique ID where a website is stored.

Think of the DNS system as the internet’s phonebook. It lists domain names with their corresponding identifiers called IP addresses, instead of listing people’s names with their phone numbers. When a user enters a domain name like wpbeginner.com on their device, it looks up the IP address and connects them to the physical location where that website is stored.

NOTE: Often DNS lookup information will be cached locally inside the querying computer or remotely in the DNS infrastructure. There are typically 8 steps in a DNS lookup. When DNS information is cached, steps are skipped from the DNS lookup process, making it quicker. The example below outlines all 8 steps when nothing is cached.

The 8 steps in a DNS lookup:

1. A user types ‘example.com’ into a web browser, and the query travels into the Internet and is received by a DNS recursive resolver;

2. The resolver then queries a DNS root nameserver;

3. The root server then responds to the resolver with the address of a Top-Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD;

4. The resolver then requests the .com TLD;

5. The TLD server then responds with the IP address of the domain’s nameserver, example.com;

6. Lastly, the recursive resolver sends a query to the domain’s nameserver;

7. The IP address for example.com is then returned to the resolver from the nameserver;

8. The DNS resolver then responds to the web browser with the IP address of the domain requested initially;

Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser can request the web page:

9. The browser makes an HTTP request to the IP address;

10. The server at that IP returns the webpage to be rendered in the browser.

NOTE 2: DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests. And if this port is blocked, then a problem arises already in the first step. But the ninth step is performed without problems.

Bug bounty programs allow independent security researchers to report bugs to an companies and receive rewards or compensation. These bugs area unit sometimes security exploits and vulnerabilities, although they will additionally embody method problems, hardware flaws, and so on.

The reports area unit usually created through a program travel by associate degree freelance third party (like Bugcrowd or HackerOne). The companies can got wind of (and run) a program curated to the organization’s wants.

Programs is also non-public (invite-only) wherever reports area unit unbroken confidential to the organization or public (where anyone will sign in and join). they will happen over a collection timeframe or with without stopping date (though the second possibility is a lot of common).

Who uses bug bounty programs?

Many major organizations use bug bounties as an area of their security program, together with AOL, Android, Apple, Digital Ocean, and goldman Sachs. you’ll read an inventory of all the programs offered by major bug bounty suppliers, Bugcrowd and HackerOne, at these links.

Why do corporations use bug bounty programs?

Bug bounty programs provide corporations the flexibility to harness an outsized cluster of hackers so as to seek out bugs in their code.

This gives them access to a bigger variety of hackers or testers than they’d be able to access on a one-on-one basis. It {can also|also will|can even|may also|may} increase the probabilities that bugs area unit found and reported to them before malicious hackers can exploit them.

It may also be an honest publicity alternative for a firm. As bug bounties became a lot of common, having a bug bounty program will signal to the general public and even regulators that a corporation incorporates a mature security program.

This trend is likely to continue, as some have began to see bug bounty programs as an business normal that all companies ought to invest in.

Why do researchers and hackers participate in bug bounty programs?

Finding and news bugs via a bug bounty program may end up in each money bonuses and recognition. In some cases, it will be a good thanks to show real-world expertise once you are looking for employment, or will even facilitate introduce you to parents on the protection team within an companies.

This can be full time income for a few of us, income to supplement employment, or the way to point out off your skills and find a full time job.

It may also be fun! it is a nice (legal) probability to check out your skills against huge companies and government agencies.

What area unit the disadvantages of a bug bounty program for independent researchers and hackers?

A lot of hackers participate in these varieties of programs, and it will be tough to form a major quantity of cash on the platform.

In order to say the reward, the hacker has to be the primary person to submit the bug to the program. meaning that in apply, you may pay weeks searching for a bug to use, solely to be the person to report it and build no cash.

Roughly ninety seven of participants on major bug bounty platforms haven’t sold-out a bug.

In fact, a 2019 report from HackerOne confirmed that out of quite three hundred,000 registered users, solely around two.5% received a bounty in their time on the platform.

Essentially, most hackers are not creating a lot of cash on these platforms, and really few square measure creating enough to switch a full time wage (plus they do not have advantages like vacation days, insurance, and retirement planning).

What square measure the disadvantages of bug bounty programs for organizations?

These programs square measure solely helpful if the program ends up in the companies realizeing issues that they weren’t able to find themselves (and if they’ll fix those problems)!

If the companies is not mature enough to be able to quickly rectify known problems, a bug bounty program is not the right alternative for his or her companies.

Also, any bug bounty program is probably going to draw in an outsized range of submissions, several of which can not be high-quality submissions. a corporation must be ready to cope with the exaggerated volume of alerts, and also the risk of a coffee signal to noise magnitude relation (essentially that it’s probably that they’re going to receive quite few unhelpful reports for each useful report).

Additionally, if the program does not attract enough participants (or participants with the incorrect talent set, and so participants are not able to establish any bugs), the program is not useful for the companies.

The overwhelming majority of bug bounty participants consider web site vulnerabilities (72%, per HackerOn), whereas solely a number of (3.5%) value more highly to seek for package vulnerabilities.

This is probably because of the actual fact that hacking in operation systems (like network hardware and memory) needs a big quantity of extremely specialised experience. this implies that firms may even see vital come on investment for bug bounties on websites, and not for alternative applications, notably those that need specialised experience.

This conjointly implies that organizations which require to look at AN application or web site among a selected time-frame may not need to rely on a bug bounty as there is no guarantee of once or if they receive reports.

Finally, it are often probably risky to permit freelance researchers to try to penetrate your network. this could end in public speech act of bugs, inflicting name harm within the limelight (which could end in individuals not eager to purchase the organizations’ product or service), or speech act of bugs to additional malicious third parties, United Nations agency may use this data to focus on the organization.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 identifies XML Signature Wrapping (XSW) attacks, also known simply as Wrapping attacks, as a major threat against SOAP-based web services. These attacks exploit weak XML parsing and insufficient validation of signed message components. SOAP messages often include digitally signed sections, but if the server validates the signature without confirming the correct position or structure of the signed elements, attackers can duplicate, move, or wrap signed content inside a modified XML envelope. This allows an attacker to inject malicious payloads while still presenting a valid signature. CEH details how this can lead to unauthorized execution, privilege escalation, or bypassing authentication controls in SOAP APIs. Cloud snooping, cryptanalysis, and IMDS abuse do not involve message duplication or signature misplacement. The scenario precisely matches CEH’s definition of a Wrapping Attack in SOAP/XML security.

The network is using an uncrackable encryption method, which makes it difficult to crack the Wi-Fi password. WPA2 Personal with AES encryption is the strongest form of security offered by Wi-Fi devices at the moment, and it should be used for all purposes. AES stands for Advanced Encryption Standard, and it is a symmetric-key algorithm that uses a 128-bit, 192-bit, or 256-bit key to encrypt and decrypt data. AES is considered to be uncrackable by brute force attacks, as it would take an impractical amount of time and computational power to try all possible key combinations12. Therefore, unless you have access to the Wi-Fi password or the encryption key, you will not be able to decrypt the network traffic and crack the password.

The other options are not correct for the following reasons:

A. The Wi-Fi password is too complex and long: This option is not relevant because the Wi-Fi password is not directly used to encrypt the network traffic. Instead, the password is used to generate a Pre-Shared Key (PSK), which is then used to derive a Pairwise Master Key (PMK), which is then used to derive a Pairwise Transient Key (PTK), which is then used to encrypt the data. Therefore, the complexity and length of the password do not affect the encryption strength, as long as the password is not easily guessed or leaked34.

B. Your hacking tool is outdated: This option is not plausible because even if your hacking tool is outdated, it would not affect your ability to capture the network traffic and attempt to crack the password. The hacking tool may not support the latest Wi-Fi standards or protocols, but it should still be able to capture the raw data packets and save them in a file. The cracking process would depend on the encryption algorithm and the key, not on the hacking tool.

D. The network is using MAC address filtering: This option is not feasible because MAC address filtering is a technique that restricts network access and communication to trusted devices based on their MAC addresses, which are unique identifiers assigned to network interfaces. MAC address filtering can prevent unauthorized devices from joining the network, but it cannot prevent authorized devices from capturing the network traffic. Moreover, MAC address filtering can be easily bypassed by spoofing the MAC address of an allowed device56.

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by DNS for use on IP networks. DNSSEC is a set of extensions to DNS provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality. DNSSEC is necessary because the original DNS design did not include security but was designed to be a scalable distributed system. DNSSEC adds security while maintaining backward compatibility.

===========