312-50v13 ECCouncil Certified Ethical Hacker Exam (CEHv13) Free Practice Exam Questions (2026 Updated)

Infrastructure as a Service (IaaS) provides virtualized computing infrastructure over the internet. In this model:

The cloud provider supplies the hardware (servers, storage, networking).

The client (your organization) is responsible for installing and managing the OS, applications, and all configurations.

This aligns with the question, where the organization must take full responsibility for maintenance.

Incorrect Options:

A. PaaS offers managed OS, middleware, and runtime, reducing customer responsibilities.

B. SaaS provides fully managed applications—users only access features.

C. Functions as a Service (FaaS) offers event-driven computing without server management, used in serverless environments.

Reference – CEH v13 Official Courseware:

Module 19: Cloud Computing

Section: “Cloud Service Models”

Table: “Responsibilities in IaaS vs PaaS vs SaaS”

=

Cross-Site Request Forgery (CSRF) is covered in CEH v13 Module 12: Hacking Web Applications. It occurs when an attacker tricks a victim’s browser into making unintended, authenticated requests to a web application where the victim is already logged in.

Example:

User logs in to a banking site.

While logged in, the attacker sends the user a crafted link that submits a transaction via a hidden request.

Since the user’s session cookies are valid, the bank processes the request.

Why Other Options Are Incorrect:

A. Session hijacking: Steals session tokens but doesn’t involve forcing browser actions.

B. SSRF: Server sends a request to an internal service, not via user's browser.

D. XSS: Executes scripts in the user’s browser but doesn't force HTTP requests under the user’s identity.

In CEH v13 Module 03: Scanning Networks, service version detection is achieved using the -sV option in Nmap.

-sV: Enables version detection of open ports by sending probes to determine the service name and version (e.g., Apache 2.4.49).

Helps identify potential vulnerabilities in specific software versions.

Option Clarification:

A. -SN: Ping scan (host discovery only).

B. -SX: Invalid/undefined option.

C. -sV: Correct option for service version detection.

D. -SF: Sends FIN packets (used in stealth scans), not for version discovery.

LAN Manager (LM) hashes are legacy password hashing methods used in older Windows systems (including Windows 2000 for backward compatibility). LM hashing works by:

Converting the password to uppercase.

Padding or truncating it to 14 characters.

Splitting it into two 7-character halves.

Using each half as a DES key to encrypt a known constant ("KGS!@#$%").

Therefore, LM hashing uses the DES (Data Encryption Standard) algorithm.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Password Storage and LM Hash Structure

To start the Computer Management Console from command line just type compmgmt.msc /computer:computername in your run box or at the command line and it should automatically open the Computer Management console.

In CEH v13 Module 03: Scanning Networks, banner grabbing is defined as a technique used during reconnaissance to capture service banners that provide information about:

Web server version

Operating system

Service details

In This Case:

The engineer used Netcat to connect to port 80 (HTTP).

The response reveals the web server software (Microsoft-IIS/6), which is typical of a banner returned in the server's HTTP response headers.

This technique helps identify vulnerable versions of services.

Other Options:

B. SQL injection: Involves sending SQL payloads — unrelated here.

C. Whois query: Provides domain registration info — unrelated.

D. Cross-site scripting: Requires injecting scripts into a web app — not relevant here.

https://en.wikipedia.org/wiki/Presentation_layer

In the seven-layer OSI model of computer networking, the presentation layer is layer 6 and serves as the data translator for the network. It is sometimes called the syntax layer. The presentation layer is responsible for the formatting and delivery of information to the application layer for further processing or display.

Encryption is typically done at this level too, although it can be done on the application, session, transport, or network layers, each having its own advantages and disadvantages. Decryption is also handled at the presentation layer. For example, when logging on to bank account sites the presentation layer will decrypt the data as it is received.

The SOA (Start of Authority) record contains key DNS parameters, including TTL (Time To Live). The components of an SOA record are in this order:

(domain) IN SOA (Primary Name Server) (Responsible party) (Serial) (Refresh) (Retry) (Expire) (Minimum TTL)

Given:

Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)

Field breakdown:

Serial: 200302028

Refresh: 3600 seconds

Retry: 3600 seconds

Expire: 604800 seconds

Minimum TTL: 2400 seconds ← This is the TTL value

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration and Zone Transfers

Subsection: Understanding DNS Records

CEH v13 Study Guide states:

“In an SOA record, the last value is the Minimum TTL — the amount of time other DNS servers should cache resource records for the zone.”

Incorrect Options:

A: Serial number

B: Refresh interval

C: Expiry interval

E/F: Arbitrary, not part of the SOA shown

CEH v13 describes Agent Smith–style attacks as malicious Android operations where an app silently replaces legitimate applications by exploiting weaknesses in the Android app update and installation processes. These attacks often begin when users download seemingly innocent apps from untrusted third-party marketplaces. Once installed, the malicious application injects harmful code into other apps, overwriting them while preserving their icons and interface, allowing the attacker to harvest credentials, display ads, or maintain persistence without detection. CEH explains that this technique takes advantage of Android’s APK structure, sideloading vulnerabilities, and lack of signature validation in compromised environments. Simjacker (Option A) targets SIM toolkit vulnerabilities and does not replace apps. Man-in-the-Disk (Option B) abuses external storage operations but does not overwrite applications. Camfecting (Option D) refers to hijacking smartphone cameras. The described malicious replacement of legitimate apps exactly matches the Agent Smith attack pattern.

When a switch's ARP cache is flooded using a tool like Macof (from the Dsniff suite), it overwhelms the device's MAC address table, which stores port-to-MAC mappings.

If the table overflows:

The switch can no longer associate MAC addresses with specific ports.

It fails open and begins forwarding frames out all ports — just like a hub.

This degrades the switch’s functionality and allows attackers to sniff traffic on segments that should otherwise be isolated.

From CEH v13 Courseware:

Module 8: Sniffing → Switch-based Attacks

In CEH v13 Cloud Computing, serverless architectures introduce unique security challenges, particularly around Function-as-a-Service (FaaS) permissions. When a serverless function is compromised through an insecure third-party API, the damage depends largely on what the function is allowed to do.

Implementing function-level permission models and enforcing the principle of least privilege ensures that even if a function is exploited, its ability to execute malicious actions is strictly limited. CEH v13 strongly emphasizes granular IAM controls in serverless environments.

While cloud-native security platforms (Option A) and CASBs (Option C) provide visibility and governance, they do not directly prevent excessive permissions. Regular patching (Option D) is important but does not mitigate permission abuse.

CEH v13 identifies least privilege as the single most critical control in preventing serverless abuse and privilege escalation. Therefore, Option B is the correct answer.

CEH v13 describes Cross-Site Request Forgery (CSRF) as a technique that forces authenticated users to unknowingly execute actions within a web application without their intent. Unlike session hijacking methods that require stealing or replaying session cookies, CSRF exploits the trust relationship that the server has with a user's browser. Even with HTTPS, secure cookies, and MFA, once a user is authenticated, the browser automatically sends session cookies with each request. If the attacker convinces the victim to load a maliciously crafted webpage or URL, the browser sends a forged request to the target application, executing actions under the user’s authenticated session. CEH notes that secure cookies and MFA do not stop CSRF because no credentials are stolen—only forced actions occur. This technique is sophisticated because it leaves minimal traces, avoids direct cookie manipulation, bypasses robust authentication mechanisms, and leverages design weaknesses rather than technical misconfigurations. Protection typically requires anti-CSRF tokens and proper origin validation.

DNS spoofing (also known as DNS cache poisoning) occurs when an attacker intercepts or falsifies DNS responses to redirect traffic or exfiltrate data. The appropriate way to prevent such attacks includes:

Implementing DNS anti-spoofing techniques

Using DNSSEC (DNS Security Extensions)

Ensuring proper DNS configurations and validation of responses

From CEH v13:

Module 3: Scanning Networks

Topic: DNS Poisoning and Spoofing Attacks

Defensive Measures: DNS Hardening

CEH v13 Study Guide states:

“To prevent DNS spoofing and cache poisoning, organizations should use DNSSEC, configure anti-spoofing protections, and restrict zone transfers. DNS Anti-spoofing solutions validate responses and ensure data integrity.”

Incorrect Options:

A: Logging may detect but not prevent.

B: Disabling DNS timeouts is unrelated and harmful.

D: Prevents zone transfers, not spoofing specifically.

Types of Vulnerability Assessment - External Assessment External assessment examines the network from a hacker’s point of view to identify exploits and vulnerabilities accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks from outside the organization. It determines the level of security of the external network and firewall. (P.527/511)

External assessment examines the network from a hacker’s point of view to identify exploits and vulnerabilities accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks from outside the organization. It determines the level of security of the external network and firewall.

The following are some of the possible steps in performing an external assessment:

o Determine a set of rules for firewall and router configurations for the external network

o Check whether the external server devices and network devices are mapped o Identify open ports and related services on the external network o Examine the patch levels on the server and external network devices o Review detection systems such as IDS, firewalls, and application-layer protection systems

o Get information on DNS zones

o Scan the external network through a variety of proprietary tools available on the Internet

o Examine Web applications such as e-commerce and shopping cart software for vulnerabilities

In CEH’s Cloud Computing module, one of the most common real-world causes of cloud data exposure is misconfiguration, especially overly permissive network access controls. Cloud platforms commonly use constructs like security groups / firewall rules / network ACLs to define inbound and outbound access. CEH highlights that exposing sensitive services (databases, storage endpoints, admin panels) to the public internet—whether by “0.0.0.0/0” rules, overly broad ports, or unintended administrative access—frequently results in unauthorized access and data leakage even without sophisticated exploit chains.

Option D is therefore the most likely, because misconfigured security groups can directly expose customer data stores or management interfaces, enabling data theft through normal connectivity rather than exploiting a rare hypervisor flaw.

Option A (hypervisor side-channel attack) is advanced and less common; it typically requires high attacker capability and conditions not implied here. Option B (DoS) impacts availability, not confidentiality, so it doesn’t best explain data exposure. Option C (brute force passwords) is possible, but the question emphasizes an “unknown vulnerability” in the cloud environment—CEH teaching often frames “unknown vulnerability” in cloud incidents as misconfiguration or uncontrolled exposure rather than authentication guessing alone.

CEH countermeasures include least-privilege security group rules, segmentation, continuous configuration monitoring, cloud security posture management, and auditing publicly exposed resources.

Analyze Web Applications: Identify Files and Directories - enumerate applications, as well as hidden directories and files of the web application hosted on the web server. Tools such as ☆Gobuster is directory scanner that allows attackers to perform fast-paced enumeration of hidden files and directories of a target web application. # gobuster -u -w common.txt (wordlist) (P.1849/1833)

A Denial of Service (DoS) attack is a type of cyberattack that aims to make a machine or network resource unavailable to its intended users by flooding it with traffic or requests that consume its resources. A TCP SYN flood attack is a type of DoS attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. A UDP flood attack is a type of DoS attack that sends a large number of UDP packets to random ports on the target server, forcing it to check for the application listening at that port and reply with an ICMP packet. An ICMP flood attack is a type of DoS attack that sends a large number of ICMP packets, such as ping requests, to the target server, overwhelming its ICMP processing capacity.

The attacker’s strategy involves a unique mixture of TCP SYN, UDP, and ICMP floods, using ‘r’ packets per second. The server can handle ‘h’ packets per second before it starts showing signs of strain. If ‘r’ surpasses ‘h’, it overwhelms the server, causing it to become unresponsive. The attacker selects ‘r’ as a composite number and ‘h’ as a prime number, making the attack detection more challenging. This is because prime numbers are less predictable and more difficult to factorize than composite numbers, which may hinder the analysis of the attack pattern.

Considering ‘r=2010’ and different values for ‘h’, the scenario that would potentially cause the server to falter is the one where ‘h=1987’ (prime). This is because ‘r’ is greater than ‘h’ by 23 packets per second, which means the server cannot handle the incoming traffic and will eventually run out of resources. The other scenarios would not cause the server to falter, as ‘h’ is either greater than or very close to ‘r’, which means the server can either manage or barely cope with the incoming traffic. References:

What is a denial-of-service (DoS) attack? | Cloudflare

Denial-of-Service (DoS) Attack: Examples and Common Targets - Investopedia

DDoS Attack Types: Glossary of Terms

What is a Denial of Service (DoS) Attack? | Webopedia

CEH v13 defines passive reconnaissance as information gathering without directly interacting with the target’s systems. Activities such as reviewing archived websites, social media, forums, and public records are all passive and legal.

Running an intensive port scan, however, is an active reconnaissance technique. According to CEH v13, port scanning directly interacts with target systems and can trigger IDS/IPS alerts, logs, and even legal consequences if done without authorization.

Therefore, option B violates the principles of passive reconnaissance and is the riskiest choice.

Twofish is an encryption algorithm designed by Bruce Schneier. It’s a symmetric key block cipher with a block size of 128 bits, with keys up to 256 bits. it’s associated with AES (Advanced Encryption Standard) and an earlier block cipher called Blowfish. Twofish was actually a finalist to become the industry standard for encryption, but was ultimately beaten out by the present AES.

Twofish has some distinctive features that set it aside from most other cryptographic protocols. For one, it uses pre-computed, key-dependent S-boxes. An S-box (substitution-box) may be a basic component of any symmetric key algorithm which performs substitution. within the context of Twofish’s block cipher, the S-box works to obscure the connection of the key to the ciphertext. Twofish uses a pre-computed, key-dependent S-box which suggests that the S-box is already provided, but depends on the cipher key to decrypt the knowledge .

How Secure is Twofish?

Twofish is seen as a really secure option as far as encryption protocols go. one among the explanations that it wasn’t selected because the advanced encryption standard is thanks to its slower speed. Any encryption standard that uses a 128-bit or higher key, is theoretically safe from brute force attacks. Twofish is during this category.

Because Twofish uses “pre-computed key-dependent S-boxes”, it are often susceptible to side channel attacks. this is often thanks to the tables being pre-computed. However, making these tables key-dependent helps mitigate that risk. There are a couple of attacks on Twofish, but consistent with its creator, Bruce Schneier, it didn’t constitute a real cryptanalysis. These attacks didn’t constitue a practical break within the cipher.

Products That Use Twofish

GnuPG: GnuPG may be a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also referred to as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a flexible key management system, along side access modules for all types of public key directories.

KeePass: KeePass may be a password management tool that generates passwords with top-notch security. It’s a free, open source, lightweight and easy-to-use password manager with many extensions and plugins.

Password Safe: Password Safe uses one master password to stay all of your passwords protected, almost like the functionality of most of the password managers on this list. It allows you to store all of your passwords during a single password database, or multiple databases for various purposes. Creating a database is straightforward , just create the database, set your master password.

PGP (Pretty Good Privacy): PGP is employed mostly for email encryption, it encrypts the content of the e-mail . However, Pretty Good Privacy doesn’t encrypt the topic and sender of the e-mail , so make certain to never put sensitive information in these fields when using PGP.

TrueCrypt: TrueCrypt may be a software program that encrypts and protects files on your devices. With TrueCrypt the encryption is transparent to the user and is completed locally at the user’s computer. this suggests you’ll store a TrueCrypt file on a server and TrueCrypt will encrypt that file before it’s sent over the network.

CEH v13 identifies Man-in-the-Browser (MitB) attacks as one of the most dangerous and difficult-to-detect session hijacking techniques, especially in online banking environments. In MitB attacks, malware operates inside the user’s browser, intercepting and manipulating transactions in real time.

Unlike XSS or session fixation attacks, MitB bypasses server-side security controls entirely. Even strong encryption, multi-factor authentication, and secure cookies are ineffective because the attack occurs after authentication, within a trusted session.

Passive sniffing is limited by encryption, and session fixation relies on poor session management. Covert XSS requires injection points and is more easily mitigated.

CEH v13 emphasizes that MitB attacks can modify transaction details without user awareness, making detection extremely difficult. Therefore, Option B is correct.

Challenge/response authentication is designed to prevent replay attacks. In this mechanism:

The server sends a random “challenge” string.

The client uses its secret (like a password or private key) to generate a response.

The server verifies that the response matches what it expected for that challenge.

Since the challenge is random and changes each time, an attacker cannot simply capture and replay previous responses to gain unauthorized access.

From CEH v13 Courseware:

Module 11: Session Hijacking

Module 6: Authentication Protocols

CEH v13 Study Guide states:

“Challenge-response authentication prevents replay attacks by using dynamically generated nonces or challenge tokens that change with each session.”

Incorrect Options:

B: Scanning attacks are not related to authentication mechanisms.

C: Session hijacking involves active takeovers, not replaying login attempts.

D: Password cracking targets password hashes, not session tokens.

A sniffer tool is a software or hardware device that can capture and analyze network traffic. In a switched Ethernet environment, where each port on a switch is connected to a single device, a sniffer tool can only see the traffic that is destined for or originated from the device it is attached to. However, an attacker can use various techniques to overcome this limitation and sniff the traffic of other devices on the same network. One of these techniques is MAC flooding, which exploits the finite memory of the switch’s MAC address table. The attacker sends a large number of frames with different source MAC addresses to the switch, which fills up the MAC address table and causes the switch to enter a fail-open mode, where it broadcasts all incoming frames to all ports, regardless of the destination MAC address. This way, the attacker can see all the traffic on the network and capture it with a sniffer tool.

The other options are less likely or less effective techniques for sniffing a switched Ethernet network. Compromising physical security to plug into the network directly may allow the attacker to sniff the traffic of the device they are connected to, but not the traffic of other devices on the network. Using a Trojan horse with in-built sniffing capability may allow the attacker to sniff the traffic of the infected device, but not the traffic of other devices on the network, unless the Trojan horse also performs MAC flooding or other techniques to bypass the switch. Using passive sniffing, which involves listening to the network traffic without sending any packets, may provide significant stealth advantages, but it does not help the attacker to see the traffic of other devices on the network, unless the switch is already in fail-open mode or the attacker uses other techniques to induce it. 

“Clearing tracks” is a post-exploitation phase in the ethical hacking methodology in which the attacker removes or alters system evidence to hide their activities and avoid detection. This may include:

Deleting or modifying event logs

Clearing bash history or command history

Removing malware traces

Disabling auditing

From CEH v13:

Corrupting or erasing event logs ensures that system administrators or forensic investigators cannot trace the intrusion or determine how the system was compromised.

Incorrect Options:

A. Creating a backdoor is part of the "Maintaining Access" phase, not "Clearing Tracks."

B. Injecting a rootkit is part of the "Gaining or Maintaining Access" stage.

C. Exploiting a vulnerability is part of the "Gaining Access" phase.

Reference – CEH v13 Official Courseware:

Module 05: System Hacking

Section: “Clearing Logs and Erasing Evidence”

Subsection: “Track-Clearing Techniques”

Lab: Log Manipulation and Covering Tracks

The most effective evasion technique to bypass the IDS signature detection while performing a SQL Injection attack is to leverage string concatenation to break identifiable keywords. This technique involves splitting SQL keywords or operators into smaller parts and joining them with string concatenation operators, such as ‘+’ or ‘||’. This way, the SQL query can still be executed by the database engine, but the IDS cannot recognize the keywords or operators as malicious, as they are hidden within strings. For example, the hacker could replace the keyword ‘OR’ with ‘O’||‘R’ or ‘O’+‘R’ in the SQL query, and the IDS would not be able to match the signature of a typical SQL injection pattern12.

The other options are not as effective as option D for the following reasons:

A. Implement case variation by altering the case of SQL statements: This option is not effective because most SQL engines and IDS systems are case-insensitive, meaning that they treat SQL keywords and operators the same regardless of their case. Therefore, altering the case of SQL statements would not help evade the IDS signature detection, as the IDS would still be able to match the signature of a typical SQL injection pattern3.

B. Employ IP fragmentation to obscure the attack payload: This option is not applicable because IP fragmentation is a network-level technique that splits IP packets into smaller fragments to fit the maximum transmission unit (MTU) of the network. IP fragmentation does not affect the content or structure of the SQL query, and it does not help evade the IDS signature detection, as the IDS would still be able to reassemble the fragments and match the signature of a typical SQL injection pattern4.

C. Use Hex encoding to represent the SQL query string: This option is not feasible because Hex encoding is a method of representing binary data in hexadecimal format, such as ‘0x41’ for ‘A’. Hex encoding does not work for SQL queries, as the SQL engine would not be able to interpret the hexadecimal values as valid SQL syntax. Moreover, Hex encoding would not help evade the IDS signature detection, as the IDS would still be able to decode the hexadecimal values and match the signature of a typical SQL injection pattern.

This scenario describes fileless malware using covert command-and-control (C2) channels over commonly allowed protocols such as HTTP and DNS, a technique heavily emphasized in CEH v13 Malware Threats. Such malware avoids writing files to disk and instead leverages memory, legitimate system tools, and trusted protocols to evade traditional defenses.

Signature-based antivirus updates (Option A) are ineffective against fileless malware because there are no static artifacts to match. Blocking known malware ports (Option C) is also ineffective, as the malware intentionally uses ports 80 and 53, which must remain open for normal business operations. Restricting plain HTTP (Option B) may reduce visibility but does not stop DNS tunneling or encrypted malicious traffic.

CEH v13 identifies behavioral analytics as the most effective countermeasure against advanced malware. Behavioral solutions establish a baseline of normal system and network activity, then detect anomalies such as:

Unusual outbound DNS query patterns

Abnormal HTTP beaconing intervals

Legitimate applications behaving suspiciously

PowerShell or system tools generating network traffic unexpectedly

By monitoring how systems behave rather than what files exist, behavioral analytics can identify stealthy C2 communications and disrupt them early. Therefore, Option D is the most effective and CEH-aligned response.

There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS flaws: non-persistent and persistent. In this issue, we consider the non-persistent cross-site scripting vulnerability.

The non-persistent (or reflected) cross-site scripting vulnerability is by far the most basic type of web vulnerability. These holes show up when the data provided by a web client, most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the content.

Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection. A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.

A demilitarized zone (DMZ) is a buffer zone between a trusted internal network and an untrusted external network (usually the internet). Public-facing services like web servers, email servers, and DNS servers are typically placed in the DMZ. These nodes can be accessed from the internet, but the DMZ design ensures that unauthorized access to the internal network is blocked or highly restricted.

The purpose is to provide access to certain systems without exposing the internal network directly.

Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message.

A Protocol Analyzer is the correct tool used to examine the contents of packet data (often stored in .pcap files) to determine if a particular sequence of traffic is suspicious, malformed, or part of a known exploit.

In CEH v13:

Module 3: Scanning Networks

Module 4: Enumeration

Module 5: Vulnerability Analysis

Related Lab: Packet Analysis using Wireshark

The CEH v13 Study Guide states:

“A protocol analyzer (e.g., Wireshark) captures and decodes packets to display their contents and help analysts understand communication flows and anomalies. It is used to manually inspect packet contents and behavior, which helps distinguish legitimate traffic from attacks.”

PCAP (Packet Capture) files are typically analyzed using tools like Wireshark. These tools decode protocol layers and show payloads, making it easier for analysts to identify if IDS alerts were accurate or false positives.

Incorrect Options:

B. Network sniffer: General term; protocol analyzer is the specific functional tool used.

C. IPS: Prevents or blocks malicious traffic, but does not analyze existing packet captures.

D. Vulnerability scanner: Identifies vulnerabilities on systems/services; not used for packet capture review.

CEH teaches that insufficient input validation on mobile applications enables code injection attacks. Injecting JavaScript or crafted payloads into fields validates whether the application improperly processes untrusted data. If executed, it confirms that the app is vulnerable to injection-based attacks.

CEH methodology emphasizes validating and researching identified vulnerabilities to determine exploitability, patch status, and business impact. Even medium-risk findings require investigation to assess their real severity.

The given command is used to establish a null session connection with the IPC$ share on a Windows machine. IPC$ (Inter-Process Communication) is a special hidden share used for Windows inter-process communication, and when connected with blank credentials, it allows anonymous access to certain system information — a common step in enumeration.

Command breakdown:

net use \target\ipc$ "" /u:""

→ Initiates a connection using a blank username and password (null session).

From CEH v13 Courseware:

Module 04: Enumeration

Topic: Null Sessions and SMB Enumeration

CEH v13 Study Guide states:

“A null session allows unauthorized users to connect to a Windows machine and extract information like usernames, shares, and policies. Null sessions exploit the default settings of the IPC$ share and are typically initiated using net use commands.”

Incorrect Options:

A/B: Accessing the etc/passwd or SAM directly is not the function of this command.

C: Samba uses SMB, but this is targeting a Windows system.

E: Cisco router enumeration involves SNMP, not Windows IPC$.

CEH covers classical cryptanalytic attacks, including linear cryptanalysis, which uses statistical correlations between plaintext and ciphertext to infer bits of the secret key. If a cipher leaks structural patterns across many data samples, linear approximations can be computed to break the cipher.

A cryptographic hash function is used to ensure data integrity. It generates a fixed-length output (digest) from any size of input data. If the data is modified in any way, the resulting hash will change. This allows systems to detect data tampering, ensuring that the data remains unaltered from its original form.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Hash functions are used to ensure the integrity of a message or file by producing a unique digest that changes if the data is modified.”

Incorrect Options:

A. Authentication ensures identity, not data integrity.

B. Confidentiality is achieved via encryption, not hashing.

C. Availability pertains to system uptime and accessibility, not hashes.

=

The command nmap -sX initiates what is known as a Xmas Scan. This type of scan is used to analyze how a target system responds to TCP packets with unusual flag combinations, helping the attacker identify live hosts and open ports without completing a full TCP handshake.

In the Xmas scan, three specific TCP flags are set in the packet:

URG (Urgent)

PSH (Push)

FIN (Finish)

This combination makes the packet appear "lit up like a Christmas tree," hence the name Xmas scan. These packets are sent to target ports to observe the system’s behavior, especially when it does not follow standard RFC 793 behavior.

Closed ports will usually respond with a RST (reset).

Open ports may not respond at all, depending on the operating system and configuration.

This method is typically used to evade detection by firewalls and intrusion detection systems that expect normal TCP traffic patterns.

Reference – CEH v13 Official Study Guide:

Module 03: Scanning Networks, Section: “TCP Scan Types”, Subsection: “Xmas Tree Scan”, Page Reference: typically listed under TCP Flag Scanning Techniques.

CEH v13 iLabs and practical guidance in CEH Engage also cover this scan in reconnaissance simulations.

Incorrect Options Explained:

A. SYN scan (-sS) sets only the SYN flag.

C. ACK scan (-sA) sets the ACK flag.

D. SYN and ACK flags are used in TCP handshake, not in Xmas scan.

Side jacking, as defined in CEH v13 Web Application Hacking, is a form of session hijacking where an attacker captures valid session identifiers—usually cookies—by sniffing network traffic. This attack is particularly effective when applications fail to encrypt session cookies using HTTPS.

In CEH v13, side jacking is commonly associated with attacks performed on unsecured wireless networks, where attackers passively monitor traffic using packet sniffers such as Wireshark. If session cookies are transmitted in plaintext, the attacker can replay them to impersonate the victim without needing login credentials.

Option B precisely matches this definition: capturing unencrypted session cookies and reusing them to gain unauthorized access.

Other options describe different attack types:

A is credential harvesting via social engineering.

C is network exploitation.

D is cross-site scripting (XSS).

CEH v13 emphasizes enforcing HTTPS, Secure and HttpOnly cookie flags, and session regeneration as defenses against side jacking.

WPA2-Enterprise networks authenticate clients through 802.1X using a RADIUS server. A common attack method described in CEH training is to create an evil-twin access point broadcasting the same SSID as the legitimate one. Combined with de-authentication frames, clients are forced off the real AP and automatically reconnect to the stronger rogue AP. This allows the attacker to capture authentication exchanges for later misuse, including credential harvesting or EAP-based downgrade attacks.

Wireless Threats - Confidentiality Attacks Launch of Wireless Attacks: Evil Twin Evil Twin is a wireless AP that pretends to be a legitimate AP by replicating another network name. Attackers set up a rogue AP outside the corporate perimeter and lures users to sign into the wrong AP. (P.2297/2281)

Spanning Tree Protocol (STP) manipulation attacks involve an attacker injecting BPDUs (Bridge Protocol Data Units) to force a switch to recognize the attacker’s system as the root bridge. Once this is achieved, the attacker can:

Redirect traffic through their own machine

Create a SPAN (Switched Port Analyzer) session to mirror traffic

Intercept, sniff, or modify data passing through the network

This is typically the next logical step in an STP attack to facilitate a Man-in-the-Middle (MITM) position.

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Quote:

“An attacker who becomes the root bridge using STP manipulation can redirect traffic and use SPAN ports to mirror traffic to their system for analysis or manipulation.”

Incorrect Options:

B. OSPF is a Layer 3 routing protocol, not relevant here.

C. DoS is not the goal of this specific attack.

D. Attacking all switches is inefficient and unnecessary once root access is gained.

=