Pass the ECCouncil CEH v13 312-50v13 Questions and answers with Dumpstech

In CEH v13 Module 17: Mobile and IoT Security, Advanced SMS Phishing (also known as SMiShing) is described as a technique where attackers impersonate trusted entities via SMS to:

Trick users into entering authentication codes or PINs.

Deliver malicious payloads or alter device configurations.

Simulate OTA (Over-the-Air) provisioning messages.

In this case:

The attacker sends a fake OTA setup message asking for a PIN.

Once Ben enters the PIN, the device's configuration is hijacked.

Why Others Are Incorrect:

B. Bypass SSL pinning: Relates to mobile app reverse engineering and traffic interception.

C. Phishing: General term; SMS-specific variant is more accurate here.

D. Tap ‘n ghost: A touch screen manipulation attack, unrelated to messaging.

Correct answer is A. Advanced SMS phishing.

DNS zone transfers occur when a secondary name server (slave) checks the Start of Authority (SOA) record from the primary server. The serial number in the SOA indicates the version of the zone file.

If:

Primary SOA serial > Secondary SOA serial

→ Zone transfer is initiated by the secondary server to update its data.

From CEH v13:

Module 3: DNS Enumeration

Topic: Zone Transfers and SOA Logic

CEH v13 Study Guide states:

“A secondary name server periodically queries the primary name server for changes. If the serial number in the SOA record is higher on the primary, it indicates a zone update, and a zone transfer is triggered.”

Incorrect Options:

B: Reversed condition

C/D: Restarting services doesn’t necessarily trigger a transfer

E: TTL expiration affects caching, not zone transfer logic

An evil twin may be a fraudulent Wi-Fi access point that appears to be legitimate but is about up to pay attention to wireless communications.[1] The evil twin is that the wireless LAN equivalent of the phishing scam.

This type of attack could also be wont to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves fixing a fraudulent internet site and luring people there.

The attacker snoops on Internet traffic employing a bogus wireless access point. Unwitting web users could also be invited to log into the attacker’s server, prompting them to enter sensitive information like usernames and passwords. Often, users are unaware they need been duped until well after the incident has occurred.

When users log into unsecured (non-HTTPS) bank or e-mail accounts, the attacker intercepts the transaction, since it’s sent through their equipment. The attacker is additionally ready to hook up with other networks related to the users’ credentials.

Fake access points are found out by configuring a wireless card to act as an access point (known as HostAP). they’re hard to trace since they will be shut off instantly. The counterfeit access point could also be given an equivalent SSID and BSSID as a close-by Wi-Fi network. The evil twin are often configured to pass Internet traffic through to the legitimate access point while monitoring the victim’s connection, or it can simply say the system is temporarily unavailable after obtaining a username and password.

In CEH v13 Module 01: Introduction to Ethical Hacking, the types of law applicable to cybersecurity incidents are discussed. When executives fail to protect their company’s information systems and this leads to financial loss, data breaches, or negligence, the resulting liability is considered under civil law.

Civil law deals with non-criminal disputes such as negligence, liability, and contractual breaches.

A company or affected party may file a civil lawsuit for damages.

Executives can be held civilly liable for failing in their duty of care, especially when regulations like GDPR, SOX, or HIPAA are involved.

CEH teaches that ARP-based attacks vary in sophistication from basic poisoning to more specialized techniques such as switch port stealing. In environments where ARP poisoning defenses or inspection tools limit traditional attacks, attackers may exploit timing vulnerabilities in ARP reply behavior. Switch port stealing works by sending spoofed ARP replies at precisely the right moment—before the legitimate ARP response from the target host—causing the switch’s CAM table to update temporarily and associate the target’s IP address with the attacker’s MAC address. CEH emphasizes that switches trust the latest ARP update, so even brief timing windows enable partial packet interception. This is different from fully persistent ARP poisoning, which continuously overwrites ARP tables, and from passive sniffing, which cannot capture unicast traffic on a switched network. This attack is particularly useful when ARP spoofing is mitigated because it relies on opportunistic timing rather than full table poisoning. The intermittent nature of intercepted packets matches CEH’s description of switch port stealing behavior.

Passive reconnaissance focuses on collecting intelligence without interacting with the target's systems. CEH materials emphasize reviewing publicly available information, including leaked documents, breach data, reports, or exposed metadata, as this yields internal network structure details while generating no detectable traffic. This method avoids triggering monitoring systems and aligns with stealth requirements for covert intelligence gathering.

Zero Trust Networks The Zero Trust model is a security implementation that by default assumes every user trying to access the network is not a trusted entity and verifies every incoming connection before allowing access to the network.It strictly follows the principle, “Trust no one and validate before providing a cloud service or granting access permission.”It also allows companies to impose conditions, such as allowing employees to only access the appropriate resources required for their work role. (P.2997/2981)

Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture. Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control.

Enumeration is the process of extracting usernames, shares, services, and other system-specific information from a target system. Tools used for enumeration include:

B. USER2SID: Resolves a username to its associated Security Identifier (SID).

D. SID2USER: Resolves an SID back to the corresponding username.

E. DumpSec: A powerful GUI tool used to enumerate users, shares, and permissions on Windows systems.

From CEH v13 Courseware:

Module 4: Enumeration

Section: NetBIOS and Windows Enumeration Tools

CEH v13 Study Guide states:

“USER2SID and SID2USER are classic tools used to map usernames to SIDs and vice versa during Windows enumeration. DumpSec can enumerate user accounts, group memberships, and shared resources on systems with open permissions.”

Incorrect Options:

A. SolarWinds: Primarily a network performance monitoring tool, not designed for enumeration.

C. Cheops: A network mapping tool, not an enumeration utility.

CSRF occurs when a vulnerable application processes unauthorized state-changing requests because it does not verify whether the request was intentionally initiated by the authenticated user. CEH v13 explains that exploitation involves tricking a logged-in user into unknowingly executing a crafted HTTP request—usually via a malicious webpage, hidden form submission, embedded image tag, or JavaScript trigger. When the victim visits the attacker-controlled page, the browser automatically includes the user’s active session cookies, allowing the server to treat the forged request as legitimate. This technique is central to CSRF attacks and is highlighted in the CEH curriculum as the correct exploitation path. Directory traversal, SQL injection, and brute-force attacks target different vulnerabilities and do not exploit missing request authenticity validation. The key requirement for CSRF exploitation is user interaction via a malicious external resource, making option B the correct CEH-aligned method.

Hootsuite may be a social media management platform that covers virtually each side of a social media manager’s role.

With only one platform users area unit ready to do the easy stuff like reverend cool content and schedule posts on social media in all the high to managing team members and measure ROI.

There area unit many totally different plans to decide on from, from one user set up up to a bespoken enterprise account that’s appropriate for much larger organizations.

Conducting location search on social media sites such as Twitter, Instagram, and Facebook helps attackers to detect the geolocation of the target. This information further helps attackers to perform various social engineering and non-technical attacks. Many online tools such as Followerwonk, Hootsuite, and Sysomos are available to search for both geotagged and non-geotagged information on social media sites. Attackers search social media sites using these online tools using keywords, usernames, date, time, and so on...

Tautology-based SQL injection tests, such as using ' OR '1'='1, are safe and effective methods to verify whether SQL queries are being manipulated by user input. CEH emphasizes avoiding destructive queries and using logical expressions that return all rows if injection is successful.

https://en.wikipedia.org/wiki/Residual_risk

The residual risk is the risk or danger of an action or an event, a method or a (technical) process that, although being abreast with science, still conceives these dangers, even if all theoretically possible safety measures would be applied (scientifically conceivable measures); in other words, the amount of risk left over after natural or inherent risks have been reduced by risk controls.

· Residual risk = (Inherent risk) – (impact of risk controls)

CEH categorizes spear phishing as a highly targeted, research-driven social engineering technique that tailors the message to the victim’s role, responsibilities, and current organizational activities. When attackers reference specific internal projects, personnel names, vendor relationships, or operational details, the message appears authentic and bypasses normal suspicion. Executives are especially vulnerable because they routinely receive sensitive operational updates and work closely with vendors and partners, making them prime targets for tailored deception. CEH stresses that spear phishing is significantly more effective than generic phishing because personalization increases trust. Social media-based attempts and mass phishing lack specificity and raise suspicion. Impersonating the CEO over the phone is riskier and more detectable due to real-time human interaction. A targeted spear-phishing email referencing internal projects best aligns with CEH-described advanced social engineering strategy.

The best security practice in this scenario is to implement IEEE 802.1X. This is a port-based Network Access Control (NAC) protocol that provides authentication for devices before they are allowed to transmit traffic on the network. It ensures that only authorized users/devices can access the network through physical (wired) or wireless connections.

CEH v13 Official Courseware states:

“802.1X provides a framework for authenticating and authorizing devices attached to a LAN port, enforcing port-based network access control. It helps prevent unauthorized users from connecting to an internal network, particularly in environments where physical access to network jacks cannot be fully controlled.”

Incorrect Options:

A. Disabling unused ports is a good practice, but students may still use open ports intended for authorized personnel. It does not scale or provide identity-based access control.

B. Separating users in VLANs helps in segmentation, but it does not prevent unauthorized physical access to ports.

D. Asking students to use wireless is administrative, not a technical enforcement measure.

Reference – CEH v13 Guide:

Module 04: Enumeration

Topic: Network Access Control (802.1X) and Switch Port Security

===========

ARP Spoofing Attack ARP packets can be forged to send data to the attacker’s machine.Attackers flood a target computer’s ARP cache with forged entries, which is also known as poisoning. (P.1143/1127)