ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

STARTTLS is an SMTP command that allows the client to upgrade an existing insecure connection to a secure, encrypted TLS connection. It is widely supported by SMTP servers and used to protect email transmissions from interception.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Section: Secure Email Communication

Quote:

“STARTTLS is an SMTP command used to initiate encryption on an existing plaintext connection using TLS.”

Incorrect Options:

A. Opportunistic TLS is a concept, not a command

B & C. UPGRADETLS and FORCETLS are not valid SMTP commands

Docker uses a client-server design. The docker client talks to the docker daemon, that will the work of building, running, and distributing your docker containers. The docker client and daemon will run on the same system, otherwise you will connect a docker consumer to a remote docker daemon. The docker consumer and daemon communicate using a REST API, over OS sockets or a network interface.

The docker daemon (dockerd) listens for docker API requests and manages docker objects like pictures, containers, networks, and volumes. A daemon may communicate with other daemons to manage docker services.

Comprehensive and Detailed Explanation:

ARP Poisoning (Address Resolution Protocol Poisoning) is a classic Man-in-the-Middle (MiTM) attack in a LAN environment. It works by sending fake ARP replies to devices on a network to associate the attacker’s MAC address with the IP address of another host (typically the default gateway). As a result:

Network traffic meant for the gateway is sent to the attacker instead.

The attacker can then intercept, modify, or forward the traffic to the actual destination, performing a full MiTM.

This allows the attacker to:

Sniff sensitive data (e.g., credentials, emails)

Hijack sessions

Inject malicious payloads

From CEH v13 Courseware:

Module 8: Sniffing

Topic: MiTM Attacks → ARP Spoofing Techniques

Incorrect Options:

A. Password Sniffing is a result of MiTM but not a technique itself.

C. MAC Flooding is a switch attack that floods the CAM table to make the switch act like a hub.

D. DHCP Sniffing relates to capturing DHCP messages but is not commonly used for MiTM.

Rootkits can deeply infect and compromise a system’s kernel, making them very difficult to detect or remove fully. Even advanced antivirus solutions may miss them.

The most secure and recommended response is:

Completely wipe the compromised system.

Reinstall the OS from known good (clean) media.

Apply all patches and updates.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Rootkit Handling

Incorrect Options:

A: Copying files might transfer infected components.

B: Trap and trace is investigative, not remedial.

C: Deleting files may not fully remove the rootkit.

D: Backups might be infected if taken post-compromise.

Using default settings on a web server is considered a security risk because it can reveal the server software type and version, which can help attackers identify potential vulnerabilities and launch targeted attacks. For example, if the default settings include a server signature that displays the name and version of the web server software, such as Apache 2.4.46, an attacker can search for known exploits or bugs that affect that specific software and version. Additionally, default settings may also include other insecure configurations, such as weak passwords, unnecessary services, or open ports, that can expose the web server to unauthorized access or compromise.

The best initial step to mitigate this risk is to change the default settings to hide or obscure the server software type and version, as well as to disable or remove any unnecessary or insecure features. For example, to hide the server signature, one can modify the ServerTokens and ServerSignature directives in the Apache configuration file1. Alternatively, one can use a web application firewall or a reverse proxy to mask the server information from the client requests2. Changing the default settings can reduce the attack surface and make it harder for attackers to exploit the web server.

This Google dork uses advanced operators:

site:target.com — restricts results to pages within the target.com domain

-site:Marketing.target.com — excludes results from the marketing.target.com subdomain

accounting — the keyword to be matched

So, it returns pages from target.com (excluding the marketing subdomain) that include the word "accounting".

Reference – CEH v13 Official Study Guide:

Module 2: Footprinting and Reconnaissance

Quote:

“Advanced search operators like site:, inurl:, intitle:, and the minus (-) operator help to include or exclude specific domains or pages when gathering public information via Google.”

Incorrect Options:

A. Opposite logic — this excludes marketing.target.com

B. Too general

C. Incorrect because marketing.target.com is excluded

===========

Operation Cloud Hopper was an in depth attack and theft of data in 2017 directed at MSP within the uk (U.K.), us (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa , India, Thailand, South Korea and Australia. The group used MSP as intermediaries to accumulate assets and trade secrets from MSP client engineering, MSP industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.

Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans. These were delivered through spear-phishing emails. The attacks scheduled tasks or leveraged services/utilities to continue Microsoft Windows systems albeit the pc system was rebooted. It installed malware and hacking tools to access systems and steal data.

A Pulse Wave attack is a type of DDoS attack that uses a botnet to send high-volume traffic pulses at regular intervals, typically lasting for a few minutes each. The attacker can adjust the frequency and duration of the pulses to maximize the impact and evade detection. A Pulse Wave attack can exhaust the network resources of the target, as well as the resources of any DDoS mitigation service that the target may use. A Pulse Wave attack can also conceal the attacker’s identity, as the traffic originates from multiple sources that are part of the botnet. A Pulse Wave attack can bypass simple defensive measures, such as IP-based blocking, as the traffic can appear legitimate and vary in source IP addresses.

The other options are less effective or feasible for the attacker’s objectives. A protocol-based SYN flood attack is a type of DDoS attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. This consumes the connection state tables on the server, preventing it from accepting new connections. However, a SYN flood attack can be easily detected and mitigated by using SYN cookies or firewalls. A SYN flood attack can also expose the attacker’s identity, as the source IP addresses of the SYN requests can be traced back to the attacker. An ICMP flood attack is a type of DDoS attack that sends a large number of ICMP packets, such as ping requests, to the target server, overwhelming its ICMP processing capacity. However, an ICMP flood attack from a single IP can be easily blocked by using IP-based filtering or disabling ICMP responses. An ICMP flood attack can also reveal the attacker’s identity, as the source IP address of the ICMP packets can be identified. A volumetric flood attack is a type of DDoS attack that sends a large amount of traffic to the target server, saturating its network bandwidth and preventing legitimate users from accessing it. However, a volumetric flood attack using a single compromised machine may not be sufficient to overwhelm the network bandwidth of a major online retailer, as the attacker’s machine may have limited bandwidth itself. A volumetric flood attack can also be detected and mitigated by using traffic shaping or rate limiting techniques. References:

Pulse Wave DDoS Attacks: What You Need to Know

DDoS Attack Prevention: 7 Effective Mitigation Strategies

DDoS Attack Types: Glossary of Terms

DDoS Attacks: What They Are and How to Protect Yourself

DDoS Attack Prevention: How to Protect Your Website

In CEH v13 Module 12: Hacking Web Applications, the N-tier architecture is explained as a model used in web applications, typically with:

Presentation tier – User interface (UI) that interacts with the user.

Logic tier (also known as application or business logic layer) – Processes commands, makes logical decisions, and handles data movement and processing between the UI and the database.

Data tier – Manages database access and data storage.

So, the Logic tier is responsible for:

Handling the business rules.

Processing user inputs.

Accessing and manipulating data from the database.

Software as a service (SaaS) allows users to attach to and use cloud-based apps over the web. Common examples ar email, calendaring and workplace tool (such as Microsoft workplace 365).

SaaS provides a whole software solution that you get on a pay-as-you-go basis from a cloud service provider. You rent the use of an app for your organisation and your users connect with it over the web, typically with an internet browser. All of the underlying infrastructure, middleware, app software system and app knowledge ar located within the service provider’s knowledge center. The service provider manages the hardware and software system and with the appropriate service agreement, can make sure the availability and also the security of the app and your data as well. SaaS allows your organisation to induce quickly up and running with an app at token upfront cost.

Common SaaS scenarios

This tool having used a web-based email service like Outlook, Hotmail or Yahoo! Mail, then you have got already used a form of SaaS. With these services, you log into your account over the web, typically from an internet browser. the e-mail software system is found on the service provider’s network and your messages ar hold on there moreover. you can access your email and hold on messages from an internet browser on any laptop or Internet-connected device.

The previous examples are free services for personal use. For organisational use, you can rent productivity apps, like email, collaboration and calendaring; and sophisticated business applications like client relationship management (CRM), enterprise resource coming up with (ERP) and document management. You buy the use of those apps by subscription or per the level of use.

Advantages of SaaS

Gain access to stylish applications. to supply SaaS apps to users, you don’t ought to purchase, install, update or maintain any hardware, middleware or software system. SaaS makes even sophisticated enterprise applications, like ERP and CRM, affordable for organisations that lack the resources to shop for, deploy and manage the specified infrastructure and software system themselves.

Pay just for what you utilize. you furthermore may economize because the SaaS service automatically scales up and down per the level of usage.

Use free shopper software system. Users will run most SaaS apps directly from their web browser without needing to transfer and install any software system, though some apps need plugins. this suggests that you simply don’t ought to purchase and install special software system for your users.

Mobilise your hands simply. SaaS makes it simple to “mobilise” your hands as a result of users will access SaaS apps and knowledge from any Internet-connected laptop or mobile device. You don’t ought to worry concerning developing apps to run on differing types of computers and devices as a result of the service supplier has already done therefore. additionally, you don’t ought to bring special experience aboard to manage the safety problems inherent in mobile computing. A fastidiously chosen service supplier can make sure the security of your knowledge, no matter the sort of device intense it.

Access app knowledge from anyplace. With knowledge hold on within the cloud, users will access their info from any Internet-connected laptop or mobile device. And once app knowledge is hold on within the cloud, no knowledge is lost if a user’s laptop or device fails.

A Gray Hat hacker operates between ethical (White Hat) and unethical (Black Hat) behavior. They might break into systems without permission but without malicious intent, often reporting vulnerabilities afterward. They perform both offensive and defensive activities.

📘 Reference – CEH v13 Official Study Guide, Module 1: Introduction to Ethical Hacking

“Gray Hat hackers may violate ethical standards but not necessarily for personal or financial gain. They typically operate without malicious intent.”

❌ Incorrect options:

A. White Hats are ethical hackers.

B. Suicide Hackers attack without regard for being caught.

D. Black Hats are malicious hackers.

One of the most important actions to secure a web server from common threats is to regularly update and patch the server software. This includes the operating system, the web server software, the database software, and any other applications or frameworks that run on the server. Updating and patching the server software can fix known vulnerabilities, bugs, or errors that could be exploited by attackers to compromise the server or the website. Failing to update and patch the server software can expose the server to common attacks, such as SQL injection, cross-site scripting, remote code execution, denial-of-service, etc.

Installing a web application firewall, limiting the number of concurrent connections to the server, and encrypting the company’s website with SSL/TLS are also good practices to secure a web server, but they are not as critical as updating and patching the server software. A web application firewall can filter and block malicious requests, but it cannot prevent attacks that exploit unpatched vulnerabilities in the server software. Limiting the number of concurrent connections to the server can prevent overload and improve performance, but it cannot stop attackers from sending malicious requests or payloads. Encrypting the company’s website with SSL/TLS can protect the data in transit between the server and the client, but it cannot protect the data at rest on the server or prevent attacks that target the server itself.

Therefore, the priority action to secure a web server from common threats is to regularly update and patch the server software.

The virus described changes its own code with each execution but still performs the same actions. This is the hallmark of a Metamorphic Virus. Unlike polymorphic viruses (which use encrypted code with a changing decryptor), metamorphic viruses rewrite their own code entirely — including their decryption and execution routines — to avoid pattern detection by antivirus software.

Key characteristics of metamorphic viruses seen in the scenario:

Mutates completely on every execution.

Keeps overall functionality identical (semantics intact).

Alters its appearance and logic flow.

From CEH v13 Courseware:

Module 6: Malware Threats → Types of Viruses and Obfuscation Techniques

CEH v13 Study Guide states:

“Metamorphic viruses modify their own code structure and appearance with each iteration, without altering their underlying behavior. This makes them more difficult to detect through signature-based mechanisms.”

Incorrect Options:

A: Polymorphic viruses encrypt themselves with a changing decryptor stub but do not change their core logic.

C: “Dravidic Virus” is not a recognized term in cybersecurity.

D: Stealth viruses hide their presence (e.g., by intercepting system calls), but do not change their code structure.

A NOP (No Operation) instruction tells the CPU to do nothing for one instruction cycle. In exploit development:

A NOP sled is a long sequence of NOPs (0x90) that increases the chance of the instruction pointer landing before the shellcode.

0x90 is the x86 opcode for the NOP instruction.

From CEH v13 Courseware:

Module 6: Malware Threats → Shellcode and Buffer Overflow

Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps:

1. Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques.

2. Performing service and OS discovery on them: After detecting the live hosts in the target network, the next step is to enumerate the open ports and services and the operating system on the target systems.

3. Testing those services and OS for known vulnerabilities: Finally, after identifying the open services and the operating system running on the target nodes, they are tested for known vulnerabilities.