Pass the ECCouncil CEH v13 312-50v13 Questions and answers with Dumpstech

CEH v13 explains that Windows systems running older or default configurations often allow anonymous or null session connections to IPC$ shares, enabling attackers to enumerate users, groups, shares, and other system details without authentication. Null session enumeration is highlighted as a classic yet effective technique because it generates minimal detectable activity and does not require credentials, making it ideal for stealth operations. CEH stresses that SMB null sessions are frequently overlooked in legacy or poorly hardened environments, especially when default permissions remain unchanged. Packet sniffing (Option A) may provide some data but requires traffic visibility and may be detected through monitoring tools. DNS zone transfers (Option B) require misconfigurations and usually do not reveal user list details. SNMP queries (Option D) require community strings and often generate alerts. Therefore, exploiting null sessions is the most covert and effective method for enumerating Windows systems under default configurations.

A sniffer tool is a software or hardware device that can capture and analyze network traffic. In a switched Ethernet environment, where each port on a switch is connected to a single device, a sniffer tool can only see the traffic that is destined for or originated from the device it is attached to. However, an attacker can use various techniques to overcome this limitation and sniff the traffic of other devices on the same network. One of these techniques is MAC flooding, which exploits the finite memory of the switch’s MAC address table. The attacker sends a large number of frames with different source MAC addresses to the switch, which fills up the MAC address table and causes the switch to enter a fail-open mode, where it broadcasts all incoming frames to all ports, regardless of the destination MAC address. This way, the attacker can see all the traffic on the network and capture it with a sniffer tool.

The other options are less likely or less effective techniques for sniffing a switched Ethernet network. Compromising physical security to plug into the network directly may allow the attacker to sniff the traffic of the device they are connected to, but not the traffic of other devices on the network. Using a Trojan horse with in-built sniffing capability may allow the attacker to sniff the traffic of the infected device, but not the traffic of other devices on the network, unless the Trojan horse also performs MAC flooding or other techniques to bypass the switch. Using passive sniffing, which involves listening to the network traffic without sending any packets, may provide significant stealth advantages, but it does not help the attacker to see the traffic of other devices on the network, unless the switch is already in fail-open mode or the attacker uses other techniques to induce it. 

When using exploits, you might gain access as only a local user. This limits what you can do on the target machine. You can use Meterpreters 'getsystem` command (https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70) to elevate your permissions from a local administrator to SYSTEM. This works by using three elevation techniques.

PHI stands for Protected Health info. The HIPAA Privacy Rule provides federal protections for private health info held by lined entities and provides patients an array of rights with regard to that info. under HIPAA phi is considered to be any identifiable health info that’s used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a aid clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the availability of aid or payment for aid services.

It is not only past and current medical info that’s considered letter under HIPAA Rules, however also future info concerning medical conditions or physical and mental health related to the provision of care or payment for care. phi is health info in any kind, together with physical records, electronic records, or spoken info.

Therefore, letter includes health records, medical histories, lab check results, and medical bills. basically, all health info is considered letter once it includes individual identifiers. Demographic info is additionally thought of phi underneath HIPAA Rules, as square measure several common identifiers like patient names, Social Security numbers, Driver’s license numbers, insurance details, and birth dates, once they square measure connected with health info.

The eighteen identifiers that create health info letter are:

Names

Dates, except year

phonephone numbers

Geographic information

FAX numbers

Social Security numbers

Email addresses

case history numbers

Account numbers

Health arrange beneficiary numbers

Certificate/license numbers

Vehicle identifiers and serial numbers together with license plates

Web URLs

Device identifiers and serial numbers

net protocol addresses

Full face photos and comparable pictures

Biometric identifiers (i.e. retinal scan, fingerprints)

Any distinctive identifying variety or code

One or a lot of of those identifiers turns health info into letter, and phi HIPAA Privacy Rule restrictions can then apply that limit uses and disclosures of the data. HIPAA lined entities and their business associates will ought to guarantee applicable technical, physical, and body safeguards are enforced to make sure the confidentiality, integrity, and availability of phi as stipulated within the HIPAA Security Rule.

In CEH v13 Module 11: Hacking Wireless Networks, antenna types are critical for wireless communications, signal strength, and attack range.

Yagi Antenna

A directional antenna designed to operate in VHF (30 MHz to 300 MHz) and UHF (300 MHz to 3 GHz) frequency bands.

Frequently used for point-to-point communication, such as long-distance Wi-Fi or directional signal monitoring.

Offers high gain, narrow beamwidth, and works well for capturing or projecting signals over long distances.

Why Other Options Are Incorrect:

B. Dipole antenna: Typically omnidirectional; less gain; not optimized for long-distance VHF/UHF.

C. Parabolic grid antenna: Used in microwave and satellite frequencies; not suited for 10 MHz–VHF.

D. Omnidirectional antenna: Broadcasts in all directions; used in short-range access points.

The command nmap -sX initiates what is known as a Xmas Scan. This type of scan is used to analyze how a target system responds to TCP packets with unusual flag combinations, helping the attacker identify live hosts and open ports without completing a full TCP handshake.

In the Xmas scan, three specific TCP flags are set in the packet:

URG (Urgent)

PSH (Push)

FIN (Finish)

This combination makes the packet appear "lit up like a Christmas tree," hence the name Xmas scan. These packets are sent to target ports to observe the system’s behavior, especially when it does not follow standard RFC 793 behavior.

Closed ports will usually respond with a RST (reset).

Open ports may not respond at all, depending on the operating system and configuration.

This method is typically used to evade detection by firewalls and intrusion detection systems that expect normal TCP traffic patterns.

Reference – CEH v13 Official Study Guide:

Module 03: Scanning Networks, Section: “TCP Scan Types”, Subsection: “Xmas Tree Scan”, Page Reference: typically listed under TCP Flag Scanning Techniques.

CEH v13 iLabs and practical guidance in CEH Engage also cover this scan in reconnaissance simulations.

Incorrect Options Explained:

A. SYN scan (-sS) sets only the SYN flag.

C. ACK scan (-sA) sets the ACK flag.

D. SYN and ACK flags are used in TCP handshake, not in Xmas scan.

In CEH v13 Module 11: Hacking Wireless Networks, wireless standards and their transmission ranges are discussed.

Actual Range Specs:

802.11a: Operates at 5 GHz, range up to ~75 ft indoors, much less than 150 ft due to poor wall penetration.

802.11b/g: Operate at 2.4 GHz, typically 150–300 ft indoors.

802.16 (WiMax): Wireless MAN technology with range up to 30 miles — correct for point-to-point outdoor line of sight.

Conclusion:

802.11a listed as 150–150 ft is incorrect.

Realistic effective range is up to 75 ft indoors, depending on obstructions and interference.

This overestimation makes Option D the wrong one.

CEH defines spyware as malware designed to covertly observe user behavior and transmit sensitive information to attackers without the victim’s knowledge. Spyware commonly records keystrokes, browser activity, form submissions, application usage, and other personally identifiable information. CEH highlights that spyware often operates silently and may disguise itself as legitimate software, making detection difficult. Unlike rootkits—which hide processes and files—or worms that self-replicate, spyware focuses exclusively on monitoring and data exfiltration. It is frequently installed through phishing, drive-by downloads, browser vulnerabilities, or malicious installers. Spyware can serve as a stepping stone for further system compromise by providing attackers with credentials for privilege escalation, lateral movement, or financial theft. CEH emphasizes the need for endpoint hardening, updated anti-malware engines, and behavioral analysis tools to detect such stealthy monitoring programs.

Wired Equivalent Privacy (WEP) may be a security protocol, laid out in the IEEE wireless local area network (Wi-Fi) standard, 802.11b, that’s designed to supply a wireless local area network (WLAN) with A level of security and privacy like what’s usually expected of a wired LAN. A wired local area network (LAN) is usually protected by physical security mechanisms (controlled access to a building, for example) that are effective for a controlled physical environment, but could also be ineffective for WLANs because radio waves aren’t necessarily bound by the walls containing the network. WEP seeks to determine similar protection thereto offered by the wired network’s physical security measures by encrypting data transmitted over the WLAN. encoding protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms like password protection, end-to-end encryption, virtual private networks (VPNs), and authentication are often put in situ to make sure privacy.

A research group from the University of California at Berkeley recently published a report citing “major security flaws” in WEP that left WLANs using the protocol susceptible to attacks (called wireless equivalent privacy attacks). within the course of the group’s examination of the technology, they were ready to intercept and modify transmissions and gain access to restricted networks. The Wireless Ethernet Compatibility Alliance (WECA) claims that WEP – which is included in many networking products – was never intended to be the only security mechanism for a WLAN, and that, in conjunction with traditional security practices, it’s very effective.

https://en.wikipedia.org/wiki/Subnetwork

As we can see, we have an IP address of 10.1.4.0 with a subnet mask of /23. According to the question, we need to determine which IP address will be included in the range of the last 100 IP addresses.

The available addresses for hosts start with 10.1.4.1 and end with 10.1.5.254. Now you can clearly see that the last 100 addresses include the address 10.1.5.200.

CEH v13 describes Agent Smith–style attacks as malicious Android operations where an app silently replaces legitimate applications by exploiting weaknesses in the Android app update and installation processes. These attacks often begin when users download seemingly innocent apps from untrusted third-party marketplaces. Once installed, the malicious application injects harmful code into other apps, overwriting them while preserving their icons and interface, allowing the attacker to harvest credentials, display ads, or maintain persistence without detection. CEH explains that this technique takes advantage of Android’s APK structure, sideloading vulnerabilities, and lack of signature validation in compromised environments. Simjacker (Option A) targets SIM toolkit vulnerabilities and does not replace apps. Man-in-the-Disk (Option B) abuses external storage operations but does not overwrite applications. Camfecting (Option D) refers to hijacking smartphone cameras. The described malicious replacement of legitimate apps exactly matches the Agent Smith attack pattern.

A Collision attack is a type of cryptographic attack that targets the hash function. The goal of this attack is to find two different inputs that produce the same hash output. This undermines the integrity of the hashing algorithm, as hash functions are expected to produce a unique output for each unique input.

In practical terms, if two different documents (inputs) produce the same hash value (collision), an attacker can replace a legitimate file with a malicious one without detection, assuming the system validates integrity only via the hash.

CEH v13 defines a collision attack as follows:

"A collision attack focuses on finding two different messages (M1 and M2) that produce the same hash value. This can compromise digital signatures, certificates, and other security protocols."

Reference – CEH v13 Study Guide:

Module 20: Cryptography, Section: “Hashing Algorithms and Attacks”, Subsection: “Collision Attacks”

Incorrect Options Explained:

A: Public keys are part of asymmetric encryption, not relevant to collisions.

B/C: These are incorrect descriptions; collision attacks are not about breaking hashes into parts to retrieve plaintext or private keys.

‒‒‒‒‒‒‒‒‒‒‒‒‒‒‒

Once the base DN is identified through LDAP namingContexts, CEH teaches that the next step in enumeration is to query the directory tree using this DN. This allows retrieval of users, groups, computers, and other AD objects. LDAP-based enumeration requires valid search filters rooted in the base DN.

Implementing regular firmware updates for all IoT devices is the primary recommendation to prevent DDoS attacks on the smart city project. Firmware updates can fix security vulnerabilities, patch bugs, and improve performance of the IoT devices, making them less susceptible to malware infections and botnet recruitment12. Firmware updates can also enable new security features, such as encryption, authentication, and firewall, that can protect the IoT devices from unauthorized access and data theft3. Firmware updates should be done automatically or remotely, without requiring user intervention, to ensure timely and consistent security across the IoT network4.

The other options are not as effective or feasible as firmware updates for the following reasons:

B. Deploying network intrusion detection systems (IDS) across the IoT network can help detect and alert DDoS attacks, but not prevent them. IDS can monitor network traffic and identify malicious patterns, such as high volume, spoofed IP addresses, or unusual protocols, that indicate a DDoS attack5. However, IDS cannot block or mitigate the attack, and may even be overwhelmed by the flood of traffic, resulting in false positives or missed alerts. Moreover, deploying IDS across a vast network of IoT devices can be costly, complex, and resource-intensive, as it requires dedicated hardware, software, and personnel.

C. Establishing strong, unique passwords for each IoT device can prevent unauthorized access and brute-force attacks, but not DDoS attacks. Passwords can protect the IoT devices from being compromised by hackers who try to guess or crack the default or weak credentials. However, passwords cannot prevent DDoS attacks that exploit known or unknown vulnerabilities in the IoT devices, such as buffer overflows, command injections, or protocol flaws. Moreover, establishing and managing strong, unique passwords for each IoT device can be challenging and impractical, as it requires user awareness, memory, and effort.

D. Implementing IP address whitelisting for all IoT devices can restrict network access and communication to trusted sources, but not DDoS attacks. IP address whitelisting can filter out unwanted or malicious traffic by allowing only the predefined IP addresses to connect to the IoT devices. However, IP address whitelisting cannot prevent DDoS attacks that use spoofed or legitimate IP addresses, such as reflection or amplification attacks, that bypass the whitelisting rules. Moreover, implementing IP address whitelisting for all IoT devices can be difficult and risky, as it requires constant updating, testing, and monitoring of the whitelist, and may block legitimate or emergency traffic by mistake.

The scenario describes a method used to make a cryptographic key more secure by making it harder to brute-force. This process is called Key Stretching.

Key Stretching:

Takes a weak or short key and processes it through a function (often repeatedly) to produce a stronger, longer key.

Commonly used in password hashing (e.g., bcrypt, PBKDF2, scrypt).

Increases the computational time required to test each guess in a brute-force attack, effectively reducing attack feasibility.

Incorrect Options:

A. Key derivation function (KDF) is related but more general; key stretching is a specific technique often implemented within KDFs.

B. Key reinstallation is associated with WPA2 KRACK attacks.

C. Public key infrastructure (PKI) is a system of digital certificates, not a key strengthening technique.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Password Hashing and Key Stretching Techniques”

Subsection: “bcrypt, PBKDF2, and Key Strengthening”

CEH iLab: Password Hashing and Cracking Simulations