Pass the ECCouncil CEH v13 312-50v13 Questions and answers with Dumpstech

In CEH v13 Module 10: Injection Attacks, the SQL Injection technique is covered extensively. A common attack method is to manipulate the input fields so that the resulting SQL query becomes logically always true, effectively bypassing authentication.

Given the input:

Username: attack' or 1=1 --

Password: 123456

And assuming the original SQL query is:

SELECT * FROM Users WHERE UserName = '<input_username>' AND UserPassword = '<input_password>';

When inputs are substituted, the query becomes:

SELECT * FROM Users WHERE UserName = 'attack' or 1=1 --' AND UserPassword = '123456';

The -- sequence is used in SQL to indicate a comment. Everything after -- is ignored by the SQL engine. So the query essentially becomes:CopyEdit

SELECT * FROM Users WHERE UserName = 'attack' or 1=1;

This query is always true due to 1=1, and if the application is vulnerable, it grants access regardless of the password.

Option Analysis:

A. Incorrect – Contains '' (double quote) after attack, which would cause a syntax error due to extra quotation marks.

B. Correct – This is the accurate representation of what the SQL query would look like with a successful injection.

C. Incorrect – The input string is malformed, combining input into one literal string.

D. Incorrect – Misplacement of ' after the comment token -- invalidates the SQL syntax.

Reference from CEH v13 Study Materials:

Module 10 – Injection Attacks, Section: SQL Injection – Authentication Bypass

CEH v13 eCourseware Practical Lab: Exploiting SQL Injection Vulnerability in Login Forms

CEH Engage – Web Application Testing Phase: SQLi Exploitation in Login Panels

A Slow HTTP POST attack is a type of denial-of-service (DoS) attack that exploits the way web servers handle HTTP requests. The attacker sends a legitimate HTTP POST header to the web server, specifying a large amount of data to be sent in the request body. However, the attacker then sends the data very slowly, keeping the connection open and occupying the server’s resources. The attacker can launch multiple such connections, exceeding the server’s capacity to handle concurrent requests and preventing legitimate users from accessing the web server.

The attack duration D is given by the formula D = a * b, where a is the number of connections and b is the hold-up time per connection. The attacker intends to maximize D by manipulating a and b. The server can manage m connections per second, but any connections exceeding m will overwhelm the system. Therefore, the scenario that is most likely to result in the longest duration of server unavailability is the one where a > m and b is the largest. Among the four options, this is the case for option B, where a = 100, m = 90, and b = 15. In this scenario, D = 100 * 15 = 1500 seconds, which is the longest among the four options. Option A has a larger b, but a < m, so the server can handle the connections without being overwhelmed. Option C has a > m, but a smaller b, so the attack duration is shorter. Option D has a > m, but a smaller b and a smaller difference between a and m, so the attack duration is also shorter. 

In CEH v13 Module 14: Cryptography, IPSec (Internet Protocol Security) is defined as a framework used to establish secure communication channels over IP networks, particularly in VPNs.

IPSec supports encryption, authentication, and integrity.

Operates in Tunnel Mode (VPNs) or Transport Mode (End-to-End).

Core protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).

Option Analysis:

A. PEM: Privacy Enhanced Mail (email encryption).

B. PPP: Point-to-Point Protocol (data link layer, not encryption).

C. IPSEC: VPN encryption protocol.

D. SET: Secure Electronic Transaction (used in payment systems, obsolete).

SSL/TLS uses a hybrid cryptographic approach:

Asymmetric cryptography is used during the handshake phase to securely exchange symmetric session keys over an insecure network.

After the key exchange, symmetric encryption (e.g., AES) is used for the bulk of data transfer due to its high performance and lower overhead.

This approach balances security and efficiency by leveraging asymmetric encryption for secure key exchange and symmetric encryption for speed.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Section: SSL/TLS

Quote:

“SSL/TLS uses asymmetric cryptography to negotiate keys and symmetric cryptography to encrypt data. This combination ensures secure, fast, and reliable communication.”

Incorrect Options Explained:

A. Not relevant — all devices follow the protocol regardless of capability.

B. There is no failover mechanism as described.

C. Session keys are exchanged during the handshake, not out-of-band.

A counter-based authentication system is based on the HOTP (HMAC-Based One-Time Password) algorithm. It uses a shared secret and a moving counter to generate a one-time password (OTP). Each time the counter is incremented, a new OTP is generated and encrypted using the secret key.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Quote:

“HOTP generates a one-time password using a counter value and a secret key. This is a form of two-factor authentication, and the passwords are encrypted.”

Incorrect Options Explained:

A & B. These describe biometric systems, not counter-based OTPs.

D. Virtual passwords from passphrases are not counter-based systems.

===========

Launching Fileless Malware through Phishing Attackers commonly use social engineering techniques such as phishing to spread fileless malware to the target systems. Fileless malware exploits vulnerabilities in system tools to load and run malicious payloads on the victim’s machine to compromise the sensitive information stored in the process memory. (P.978/962)

According to CEH v13 Module 06: Malware Threats, when analyzing suspicious system behavior or investigating a suspected Trojan infection, a common and effective approach is to:

Monitor system activity and network behavior using tools like netstat, Wireshark, and TCPView.

Trojans often create covert channels or backdoors for remote access, which can be identified through unexpected or unauthorized outgoing connections to remote IP addresses or domains.

Using netstat -an or netstat -ano helps identify open ports and active connections, and checking these against known IPs can indicate whether a Trojan is communicating with a Command and Control (C&C) server.

Analysis of Each Option:

A. Use ExifTool and check for malicious content

Incorrect. ExifTool is primarily used for extracting metadata from files, especially images and documents. It is not effective for analyzing executable malware or system behavior post-execution.

B. You do not check; rather, you immediately restore a previous snapshot of the operating system

Incorrect. While restoring from a snapshot might eventually be required, immediate restoration without diagnosis is not a recommended or forensically sound first step. It also prevents root cause analysis.

C. Upload the file to VirusTotal

Partially correct but not sufficient. While uploading the file to VirusTotal is a good step to confirm if the file is known malware, it does not identify whether the machine is currently infected or actively compromised.

D. Use netstat and check for outgoing connections to strange IP addresses or domains

Correct. This method helps detect if the system is making suspicious external connections that are common in Trojan infections.

Reference from CEH v13 Study Guide and Course Materials:

CEH v13 Official Module 06 – Malware Threats, Section: Types of Malware – Trojans, and System Monitoring Tools

CEH v13 eCourseware Lab Manual: "Detecting Trojan Activity using netstat and TCPView"

CEH Engage Range: Malware Investigation Phase – Trojan Behavior Detection

bettercap is a tool that can perform session hijacking attacks on wireless networks, among other network security and penetration testing tasks. bettercap can capture and manipulate network traffic, perform man-in-the-middle attacks, spoof and sniff protocols, inject custom payloads, and more1.

bettercap can perform session hijacking attacks on wireless networks that use the WPA-PSK security protocol by exploiting the four-way handshake process that occurs when a client connects to a wireless access point. The four-way handshake is used to establish a shared encryption key between the client and the access point, based on the pre-shared key (PSK) that is configured on both devices. However, the four-way handshake also exposes some information that can be used to crack the PSK offline, such as the nonce values, the MAC addresses, and the message integrity code (MIC) of the packets2.

bettercap can capture the four-way handshake packets using its Wi-Fi module and save them in a file. The file can then be fed to a tool like Hashcat or Aircrack-ng to crack the PSK using brute force or dictionary attacks. Once the PSK is obtained, bettercap can use it to decrypt the wireless traffic and perform session hijacking attacks on the clients connected to the access point3.

Therefore, bettercap is an appropriate tool to carry out a session hijacking attack on a wireless network that uses the WPA-PSK security protocol.

Operation Cloud Hopper was an in depth attack and theft of data in 2017 directed at MSP within the uk (U.K.), us (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa , India, Thailand, South Korea and Australia. The group used MSP as intermediaries to accumulate assets and trade secrets from MSP client engineering, MSP industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.

Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans. These were delivered through spear-phishing emails. The attacks scheduled tasks or leveraged services/utilities to continue Microsoft Windows systems albeit the pc system was rebooted. It installed malware and hacking tools to access systems and steal data.

The host command in Linux is used for DNS lookup operations. The switch -t specifies the type of DNS record you are querying.

host -t a domain.com queries for A (Address) records, which return the IP address associated with a domain.

host -t ns queries for name servers (NS records).

host -t soa queries for the Start of Authority (SOA) record.

host -t AXFR attempts a zone transfer (not a standard resolution method and typically blocked).

Hence, option A correctly resolves a domain name to its IP address.

According to CEH v13 Module 08: Sniffing, the attack described is a classic example of ARP spoofing/poisoning which leads to Man-in-the-Middle (MITM) scenarios. In such attacks, a malicious actor sends forged ARP responses to associate their MAC address with the IP address of a target system, redirecting traffic through their machine.

Tool Used: BetterCAP

BetterCAP is a powerful, modular MITM framework.

It can:

Perform ARP spoofing

Intercept and manipulate HTTP/HTTPS traffic

Modify packets in real-time

Carry out credential harvesting and session hijacking

Miley's actions match the default behavior of BetterCAP during an ARP spoofing attack:

Spoof ARP to redirect traffic.

Intercept and analyze (or manipulate) traffic.

Option Clarification:

A. Gobbler: An older ARP tool, but mostly for ARP scanning, not modern MITM attacks.

B. KDerpNSpoof: Incorrect or misspelled; not a recognized CEH tool.

C. BetterCAP: Correct – used for ARP spoofing and traffic manipulation.

D. Wireshark: Passive sniffer; cannot perform ARP spoofing or MITM.

Hashing algorithms are specifically designed to ensure data integrity. A hash function takes an input and returns a fixed-length string, called a hash or message digest. Even a small change in the input results in a completely different hash, making it useful for detecting tampering.

Common hashing algorithms include:

MD5 (now obsolete for secure uses)

SHA-1, SHA-2, SHA-3

HMAC (Hashed Message Authentication Code)

From CEH v13 Courseware:

Module 20: Cryptography

Topic: Hash Functions and Data Integrity

CEH v13 Study Guide states:

“Hashing algorithms provide integrity by generating a unique digital fingerprint of data. Any alteration in the message content will result in a different hash value, indicating that the integrity has been compromised.”

Incorrect Options:

A: Symmetric algorithms provide confidentiality.

B: Asymmetric algorithms provide confidentiality and authentication.

D: "Integrity algorithms" is not a formal cryptographic term.

Two-factor Authentication or 2FA is a user identity verification method, where two of the three possible authentication factors are combined to grant access to a website or application.1) something the user knows, 2) something the user has, or 3) something the user is.

The possible factors of authentication are:

· Something the User Knows:

This is often a password, passphrase, PIN, or secret question. To satisfy this authentication challenge, the user must provide information that matches the answers previously provided to the organization by that user, such as “Name the town in which you were born.”

· Something the User Has:

This involves entering a one-time password generated by a hardware authenticator. Users carry around an authentication device that will generate a one-time password on command. Users then authenticate by providing this code to the organization. Today, many organizations offer software authenticators that can be installed on the user’s mobile device.

· Something the User Is:

This third authentication factor requires the user to authenticate using biometric data. This can include fingerprint scans, facial scans, behavioral biometrics, and more.

For example: In internet security, the most used factors of authentication are:

something the user has (e.g., a bank card) and something the user knows (e.g., a PIN code). This is two-factor authentication. Two-factor authentication is also sometimes referred to as strong authentication, Two-Step Verification, or 2FA.

The key difference between Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) is that, as the term implies, Two-Factor Authentication utilizes a combination of two out of three possible authentication factors. In contrast, Multi-Factor Authentication could utilize two or more of these authentication factors.

CEH v13 emphasizes that IoT devices must implement secure firmware update mechanisms that enforce authenticity, integrity, and version control. A critical lapse occurs when devices allow rollback to older firmware versions or accept updates without cryptographic validation. This opens the door to “firmware downgrade attacks,” where attackers intentionally install outdated but vulnerable firmware to reintroduce exploitable weaknesses. CEH identifies this as part of insecure update design, one of the most dangerous IoT vulnerabilities because firmware governs device behavior, network communication, and trust boundaries. Without signature verification, integrity checking, and anti-rollback enforcement, attackers can load malicious or deprecated firmware to escalate privileges or pivot deeper into a network. Options B and C represent different categories of IoT weaknesses, and D refers to supply-chain issues, none of which match the described rollback exploitation. Therefore, the vulnerability demonstrated is the absence of secure update mechanisms.

A Network-based Intrusion Detection System (NIDS) monitors all network traffic for signs of suspicious activity across multiple hosts. In large environments with critical assets (e.g., financial or healthcare networks), NIDS is ideal because it provides visibility into entire network segments, not just individual systems.

NIDS can be deployed at strategic points (e.g., DMZs, VLANs, subnets) to detect unauthorized access, malware activity, or policy violations.

Reference – CEH v13 Official Courseware:

Module 13: Evading IDS, Firewalls, and Honeypots

Quote:

“Network-based IDS monitors traffic across an entire subnet or segment and is most effective in large environments to detect malicious activity before it reaches critical assets.”

Incorrect Options Explained:

A. Honeypots attract and log attacker behavior, but do not provide network-wide detection.

B. Firewalls filter traffic but are not detection systems.

D. HIDS monitors activity on a single host only.

===========