ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

Comprehensive and Detailed Explanation:

An Xmas scan is a type of stealth TCP scan that sets the FIN, PSH, and URG flags. According to RFC 793:

If the port is closed, the target responds with a TCP RST (Reset) packet.

If the port is open or filtered, there is no response.

Thus, receiving a RST response indicates a closed port.

From CEH v13 Courseware:

Module 3: Scanning Networks → TCP Flag Scanning Techniques

Split DNS (also known as Split-Horizon DNS) is a configuration where internal users and external users receive different DNS responses. Typically, one DNS server resides in the DMZ for public access, and another is inside the network for internal name resolution.

📘 Reference – CEH v13 Official Study Guide, Module 9: System Hacking / Perimeter Security

“Split DNS allows different DNS records to be presented based on whether the requester is from inside or outside the organization’s network.”

❌ Incorrect options:

A. DynDNS is a dynamic DNS provider.

B. DNS Scheme is a non-standard term.

C. DNSSEC is a security extension for DNS, not a deployment model.

Worker Message Block (SMB) is an organization document sharing and information texture convention. SMB is utilized by billions of gadgets in a different arrangement of working frameworks, including Windows, MacOS, iOS , Linux, and Android. Customers use SMB to get to information on workers. This permits sharing of records, unified information the board, and brought down capacity limit needs for cell phones. Workers additionally use SMB as a feature of the Software-characterized Data Center for outstanding burdens like grouping and replication.

Since SMB is a far off record framework, it requires security from assaults where a Windows PC may be fooled into reaching a pernicious worker running inside a confided in organization or to a far off worker outside the organization edge. Firewall best practices and arrangements can upgrade security keeping malevolent traffic from leaving the PC or its organization.

For Windows customers and workers that don’t have SMB shares, you can obstruct all inbound SMB traffic utilizing the Windows Defender Firewall to keep far off associations from malignant or bargained gadgets. In the Windows Defender Firewall, this incorporates the accompanying inbound principles.

You should also create a new blocking rule to override any other inbound firewall rules. Use the following suggested settings for any Windows clients or servers that do not host SMB Shares:

Name: Block all inbound SMB 445

Description: Blocks all inbound SMB TCP 445 traffic. Not to be applied to domain controllers or computers that host SMB shares.

Action: Block the connection

Programs: All

Remote Computers: Any

Protocol Type: TCP

Local Port: 445

Remote Port: Any

Profiles: All

Scope (Local IP Address): Any

Scope (Remote IP Address): Any

Edge Traversal: Block edge traversal

You must not globally block inbound SMB traffic to domain controllers or file servers. However, you can restrict access to them from trusted IP ranges and devices to lower their attack surface. They should also be restricted to Domain or Private firewall profiles and not allow Guest/Public traffic.

When a NULL scan is sent to a port on a UNIX-based system:

If the port is OPEN: The system does not respond at all.

If the port is CLOSED: The system responds with a RST packet.

This behavior is based on how the TCP stack processes unexpected packets.

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: Stealth Scanning Techniques → NULL Scan

CEH v13 Official Guide states:

“A NULL scan sends a TCP packet with no flags set. On systems following RFC 793 (like many Unix/Linux), open ports silently drop such packets (no response), while closed ports respond with a TCP RST.”

Incorrect Options:

A–E: Not standard responses for an open port in a NULL scan scenario.

DNS uses Ports 53 which is almost always open on systems, firewalls, and clients to transmit DNS queries. instead of the more familiar Transmission Control Protocol (TCP) these queries use User Datagram Protocol (UDP) due to its low-latency, bandwidth and resource usage compared TCP-equivalent queries. UDP has no error or flow-control capabilities, nor does it have any integrity checking to make sure the info arrived intact.

How is internet use (browsing, apps, chat etc) so reliable then? If the UDP DNS query fails (it’s a best-effort protocol after all) within the first instance, most systems will retry variety of times and only after multiple failures, potentially switch to TCP before trying again; TCP is additionally used if the DNS query exceeds the restrictions of the UDP datagram size – typically 512 bytes for DNS but can depend upon system settings.

Figure 1 below illustrates the essential process of how DNS operates: the client sends a question string (for example, mail.google[.]com during this case) with a particular type – typically A for a number address. I’ve skipped the part whereby intermediate DNS systems may need to establish where ‘.com’ exists, before checking out where ‘google[.]com’ are often found, and so on.

Many worms and scanners are created to seek out and exploit systems running telnet. Given these facts, it’s really no surprise that telnet is usually seen on the highest Ten Target Ports list. Several of the vulnerabilities of telnet are fixed. They require only an upgrade to the foremost current version of the telnet Daemon or OS upgrade. As is usually the case, this upgrade has not been performed on variety of devices. this might flow from to the very fact that a lot of systems administrators and users don’t fully understand the risks involved using telnet. Unfortunately, the sole solution for a few of telnets vulnerabilities is to completely discontinue its use. the well-liked method of mitigating all of telnets vulnerabilities is replacing it with alternate protocols like ssh. Ssh is capable of providing many of an equivalent functions as telnet and a number of other additional services typical handled by other protocols like FTP and Xwindows. Ssh does still have several drawbacks to beat before it can completely replace telnet. it’s typically only supported on newer equipment. It requires processor and memory resources to perform the info encryption and decryption. It also requires greater bandwidth than telnet thanks to the encryption of the info . This paper was written to assist clarify how dangerous the utilization of telnet are often and to supply solutions to alleviate the main known threats so as to enhance the general security of the web

Once a reputation is resolved to an IP caching also helps: the resolved name-to-IP is usually cached on the local system (and possibly on intermediate DNS servers) for a period of your time . Subsequent queries for an equivalent name from an equivalent client then don’t leave the local system until said cache expires. Of course, once the IP address of the remote service is understood , applications can use that information to enable other TCP-based protocols, like HTTP, to try to to their actual work, for instance ensuring internet cat GIFs are often reliably shared together with your colleagues.

So, beat all, a couple of dozen extra UDP DNS queries from an organization’s network would be fairly inconspicuous and will leave a malicious payload to beacon bent an adversary; commands could even be received to the requesting application for processing with little difficulty.

A dictionary Attack as an attack vector utilized by the attacker to break in a very system, that is password protected, by golf shot technically each word in a very dictionary as a variety of password for that system. This attack vector could be a variety of Brute Force Attack.

The lexicon will contain words from an English dictionary and conjointly some leaked list of commonly used passwords and once combined with common character substitution with numbers, will generally be terribly effective and quick.

How is it done?

Basically, it’s attempting each single word that’s already ready. it’s done victimization machine-controlled tools that strive all the possible words within the dictionary.

Some password Cracking Software:

• John the ripper

• L0phtCrack

• Aircrack-ng

The security strategy that you would likely suggest is to adopt a Continual/Adaptive Security Strategy involving ongoing prediction, prevention, detection, and response actions to ensure comprehensive computer network defense. This strategy is based on the concept of continuous monitoring and improvement of the security posture of an organization, using a feedback loop that integrates various security activities and technologies. A Continual/Adaptive Security Strategy aims to proactively identify and mitigate emerging threats, vulnerabilities, and risks, as well as to respond effectively and efficiently to security incidents and breaches. A Continual/Adaptive Security Strategy can help enhance the organization’s security stance by providing the following benefits12:

It can reduce the attack surface and the exposure time of the organization’s network infrastructure, by applying timely patches, updates, and configurations, as well as by implementing security controls and policies.

It can increase the visibility and awareness of the organization’s network activity and behavior, by collecting, analyzing, and correlating data from various sources, such as logs, sensors, alerts, and reports.

It can improve the detection and prevention capabilities of the organization, by using advanced tools and techniques, such as artificial intelligence, machine learning, threat intelligence, and behavioral analytics, to identify and block malicious or anomalous patterns and indicators.

It can enhance the response and recovery processes of the organization, by using automated and orchestrated actions, such as isolation, quarantine, remediation, and restoration, to contain and resolve security incidents and breaches, as well as by conducting lessons learned and root cause analysis to prevent recurrence.

The other options are not as appropriate as option C for the following reasons:

A. Develop an in-depth Risk Management process, involving identification, assessment, treatment, tracking, and review of risks to control the potential effects on the organization: This option is not sufficient because risk management is only one aspect of a comprehensive security strategy, and it does not address the dynamic and evolving nature of cyber threats and vulnerabilities. Risk management is a process of identifying, analyzing, evaluating, and treating the risks that may affect the organization’s objectives and operations, as well as monitoring and reviewing the effectiveness of the risk treatment measures3. Risk management can help the organization prioritize and allocate resources for security, but it cannot guarantee the prevention or detection of security incidents and breaches, nor the response and recovery from them.

B. Establish a Defense-in-Depth strategy, incorporating multiple layers of security measures to increase the complexity and decrease the likelihood of a successful attack: This option is not optimal because defense-in-depth is a traditional and static approach to security, and it may not be able to cope with the sophisticated and persistent attacks that exploit unknown or zero-day vulnerabilities. Defense-in-depth is a strategy of implementing multiple and diverse security controls and mechanisms at different layers of the organization’s network infrastructure, such as perimeter, network, endpoint, application, and data, to provide redundancy and resilience against attacks4. Defense-in-depth can help the organization protect its assets and systems from unauthorized access or damage, but it cannot ensure the timely detection and response to security incidents and breaches, nor the continuous improvement of the security posture.

D. Implement an Information Assurance (IA) policy focusing on ensuring the integrity, availability, confidentiality, and authenticity of information systems: This option is not comprehensive because information assurance is a subset of cybersecurity, and it does not cover all the aspects of a holistic security strategy. Information assurance is a discipline of managing the risks associated with the use, processing, storage, and transmission of information and data, and ensuring the protection of the information and data from unauthorized access, use, disclosure, modification, or destruction5. Information assurance can help the organization safeguard its information and data from compromise or loss, but it does not address the prevention, detection, and response to security incidents and breaches, nor the adaptation and innovation of the security technologies and processes.

Weaknesses of LM hashes include:

A. Passwords are converted to uppercase before hashing.

B. In older Windows systems, LM hashes were transmitted over the network, sometimes in plaintext (or easily intercepted).

D. Passwords are split into two 7-character chunks, which are hashed independently, reducing entropy.

From CEH v13 Courseware:

Module 6: Malware and Password Threats

Module 4: Windows Enumeration

Incorrect Option:

C: LM uses DES encryption with 56-bit keys (not 32-bit).

In active session hijacking, after identifying a valid session, the attacker must desynchronize the legitimate communication between the client and the server. To do this, Bob should:

Knock one of the parties offline (typically the client).

Then spoof the session by injecting crafted packets using the guessed sequence number.

From CEH v13 Courseware:

Module 11: Session Hijacking

CEH v13 Study Guide states:

“After identifying a session and predicting its sequence number, the attacker forces the original user offline, allowing them to assume control over the connection using spoofed packets.”

Incorrect Options:

A: Taking over the session is the ultimate goal, but the necessary step before that is disconnecting the original participant.

B: Sequence prediction is already done.

C: Sequence number has already been guessed.

YARA rules are a powerful way to detect and classify malware based on patterns, signatures, and behaviors. They can be used to complement Snort rules, which are mainly focused on network traffic analysis. However, writing YARA rules manually can be time-consuming and error-prone, especially when dealing with large and diverse malware samples. Therefore, using a tool that can automate or assist the generation of YARA rules can be very helpful for ethical hackers.

Among the four options, yarGen is the best choice for this purpose, because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files. This way, yarGen can reduce the false positives and increase the accuracy of the YARA rules. yarGen also supports various features, such as whitelisting, scoring, wildcards, and regular expressions, to improve the quality and efficiency of the YARA rules.

The other options are not as suitable as yarGen for this purpose. AutoYara is a tool that automates the generation of YARA rules from a set of malicious and benign files, but it does not perform any filtering or optimization of the strings, which may result in noisy and ineffective YARA rules. YaraRET is a tool that helps in reverse engineering Trojans to generate YARA rules, but it is limited to a specific type of malware and requires manual intervention and analysis. koodous is a platform that combines social networking with antivirus signatures and YARA rules to detect malware, but it is not a tool for generating YARA rules, rather it is a tool for sharing and collaborating on YARA rules. References:

yarGen - A Tool to Generate YARA Rules

YARA Rules: The Basics

Why master YARA: from routine to extreme threat hunting cases

After the attacker completes preparations, subsequent step is an effort to realize an edge within the target’s environment. a particularly common entry tactic is that the use of spearphishing emails containing an internet link or attachment. Email links usually cause sites where the target’s browser and related software are subjected to varied exploit techniques or where the APT actors plan to social engineer information from the victim which will be used later. If a successful exploit takes place, it installs an initial malware payload on the victim’s computer. Figure 2 illustrates an example of a spearphishing email that contains an attachment. Attachments are usually executable malware, a zipper or other archive containing malware, or a malicious Office or Adobe PDF (Portable Document Format) document that exploits vulnerabilities within the victim’s applications to ultimately execute malware on the victim’s computer. Once the user has opened a malicious file using vulnerable software, malware is executing on the target system. These phishing emails are often very convincing and difficult to differentiate from legitimate email messages. Tactics to extend their believability include modifying legitimate documents from or associated with the organization. Documents are sometimes stolen from the organization or their collaborators during previous exploitation operations. Actors modify the documents by adding exploits and malicious code then send them to the victims. Phishing emails are commonly sent through previously compromised email servers, email accounts at organizations associated with the target or public email services. Emails also can be sent through mail relays with modified email headers to form the messages appear to possess originated from legitimate sources. Exploitation of vulnerabilities on public-facing servers is another favorite technique of some APT groups. Though this will be accomplished using exploits for known vulnerabilities, 0-days are often developed or purchased to be used in intrusions as required .

Gaining an edge within the target environment is that the primary goal of the initial intrusion. Once a system is exploited, the attacker usually places malware on the compromised system and uses it as a jump point or proxy for further actions. Malware placed during the initial intrusion phase is usually an easy downloader, basic Remote Access Trojan or an easy shell. Figure 3 illustrates a newly infected system initiating an outbound connection to notify the APT actor that the initial intrusion attempt was successful which it’s able to accept commands.

A demilitarized zone (DMZ) is a buffer zone between a trusted internal network and an untrusted external network (usually the internet). Public-facing services like web servers, email servers, and DNS servers are typically placed in the DMZ. These nodes can be accessed from the internet, but the DMZ design ensures that unauthorized access to the internal network is blocked or highly restricted.

The purpose is to provide access to certain systems without exposing the internal network directly.

https://en.wikipedia.org/wiki/Clickjacking

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional page transposed on top of it.

Comprehensive and Detailed Explanation:

Non-repudiation ensures that a sender cannot deny having sent a message. This is typically achieved through digital signatures or logs which verify the origin and integrity of communications.

From CEH v13 Courseware:

Module 10: Cryptography → Security Services

“Non-repudiation prevents entities from denying their actions, such as sending emails or digital transactions.”

ISAPI (Internet Server Application Programming Interface) filters are DLLs used to extend the functionality of Microsoft IIS (Internet Information Services). If unnecessary or outdated ISAPI filters are enabled, they can introduce vulnerabilities or backdoors that attackers may exploit to launch web server-based attacks.

From the CEH v13 Official Courseware:

Module 14: Hacking Web Servers

Section: Web Server Vulnerabilities

Subsection: Common Web Server Misconfigurations

CEH v13 states:

“Unnecessary ISAPI filters and extensions should be disabled or removed, as they may introduce unneeded attack surfaces on the web server. Attackers may exploit vulnerabilities in these filters to gain unauthorized access, execute code remotely, or escalate privileges on the server.”

This is part of a broader hardening strategy to reduce the web server’s attack surface.

Incorrect Options:

A. Social engineering involves manipulating people, not software vulnerabilities.

C. Jailbreaking refers to bypassing restrictions on mobile devices.

D. Wireless attacks are unrelated to web server software components.