ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message.

The TCP three-way handshake is the foundational mechanism used to establish a reliable connection between two devices. The sequence is as follows:

The client sends a SYN (synchronize) packet to the server to initiate the connection.

The server replies with a SYN-ACK (synchronize-acknowledge) packet.

The client sends an ACK (acknowledge) packet back to the server.

Therefore, the connection starts with a SYN packet from the client.

Hashing is a one-way function—by design, it cannot be reversed. Password-cracking tools do not "reverse" the hash. Instead, they:

Generate a list of potential passwords.

Hash each candidate using the same algorithm.

Compare the result to the target hash.

If a match is found, the original password is revealed by correlation, not reversal.

From CEH v13 Official Courseware:

Module 6: Cryptography and Password Cracking

CEH v13 Study Guide states:

“Hash functions are one-way and irreversible. Password-cracking tools work by hashing wordlists or character combinations and comparing them to known password hashes.”

In CEH v13 Cloud Computing, APIs are identified as the primary control plane for managing cloud resources. A vulnerability in a cloud API can allow attackers to bypass authentication, escalate privileges, and manipulate resources.

Unauthorized access may lead to:

Data exposure

Resource abuse

Account takeover

Lateral movement within the cloud environment

Physical security (Option A) and encryption at rest (Option D) are unrelated to API flaws. DDoS attacks (Option C) are possible but not the primary risk of API vulnerabilities.

Thus, Option B is correct.

Android Debug Bridge (ADB) is a powerful debugging interface that, if misconfigured, allows attackers to execute commands remotely. CEH v13 identifies exposed ADB as a critical mobile security risk, especially in enterprise environments.

The most effective countermeasure is to disable ADB entirely, except when explicitly required for development or troubleshooting, and only within tightly controlled environments. This directly removes the attack vector.

VPNs and biometrics improve security but do not prevent ADB abuse. Updating MDM systems is important but does not eliminate the risk if ADB remains enabled.

CEH v13 explicitly recommends strict ADB control as a best practice. Therefore, Option C is the correct answer.

PHI stands for Protected Health info. The HIPAA Privacy Rule provides federal protections for private health info held by lined entities and provides patients an array of rights with regard to that info. under HIPAA phi is considered to be any identifiable health info that’s used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a aid clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the availability of aid or payment for aid services.

It is not only past and current medical info that’s considered letter under HIPAA Rules, however also future info concerning medical conditions or physical and mental health related to the provision of care or payment for care. phi is health info in any kind, together with physical records, electronic records, or spoken info.

Therefore, letter includes health records, medical histories, lab check results, and medical bills. basically, all health info is considered letter once it includes individual identifiers. Demographic info is additionally thought of phi underneath HIPAA Rules, as square measure several common identifiers like patient names, Social Security numbers, Driver’s license numbers, insurance details, and birth dates, once they square measure connected with health info.

The eighteen identifiers that create health info letter are:

Names

Dates, except year

phonephone numbers

Geographic information

FAX numbers

Social Security numbers

Email addresses

case history numbers

Account numbers

Health arrange beneficiary numbers

Certificate/license numbers

Vehicle identifiers and serial numbers together with license plates

Web URLs

Device identifiers and serial numbers

net protocol addresses

Full face photos and comparable pictures

Biometric identifiers (i.e. retinal scan, fingerprints)

Any distinctive identifying variety or code

One or a lot of of those identifiers turns health info into letter, and phi HIPAA Privacy Rule restrictions can then apply that limit uses and disclosures of the data. HIPAA lined entities and their business associates will ought to guarantee applicable technical, physical, and body safeguards are enforced to make sure the confidentiality, integrity, and availability of phi as stipulated within the HIPAA Security Rule.

In the Windows security model, SID ending in -500 is reserved for the built-in Administrator account. The SID seen in the image:

S-1-5-21-343818398-789336058-1343024091-500 → maps to user Joe

This proves that Joe is the true built-in administrator account on the domain EARTH.

From CEH v13 Courseware:

Module 4: Enumeration

Topic: SID Enumeration and Account Discovery

CEH v13 Study Guide states:

“In Windows, the account with RID 500 is always the default Administrator account. Even if renamed, its SID remains ending in -500. Enumeration of this SID allows attackers to identify privileged accounts.”

Incorrect Options:

A: Incomplete — it is not just that Joe has SID 500, but that SID 500 means Joe is the administrator.

B/C: These commands don’t validate Guest account status.

E: Incorrect — these commands explicitly prove administrator identity.

*REST is not a specification, tool, or framework, but instead is an architectural style for web services that serves as a communication medium between various systems on the web. *RESTful APIs, which are also known as RESTful services, are designed using REST principles and HTTP communication protocols RESTful is a collection of resources that use HTTP methods such as PUT, POST, GET, and DELETE

RESTful API: RESTful API is a RESTful service that is designed using REST principles and HTTP communication protocols. RESTful is a collection of resources that use HTTP methods such as PUT, POST, GET, and DELETE. RESTful API is also designed to make applications independent to improve the overall performance, visibility, scalability, reliability, and portability of an application. APIs with the following features can be referred to as to RESTful APIs: o Stateless: The client end stores the state of the session; the server is restricted to save data during the request processing o Cacheable: The client should save responses (representations) in the cache. This feature can enhance API performance pg. 1920 CEHv11 manual.

https://cloud.google.com/files/apigee/apigee-web-api-design-the-missing-link-ebook.pdf

The HTTP methods GET, POST, PUT or PATCH, and DELETE can be used with these templates to read, create, update, and delete description resources for dogs and their owners. This API style has become popular for many reasons. It is straightforward and intuitive, and learning this pattern is similar to learning a programming language API. APIs like this one are commonly called RESTful APIs, although they do not display all of the characteristics that define REST (more on REST later).

In CEH v13 Module 02: Footprinting and Reconnaissance, Google advanced operators are tools for passive information gathering.

related: operator is used to find websites similar to a given domain or webpage.

This helps attackers discover alternate domains, competitors, or similar content that may be vulnerable or poorly secured.

Example:

related:example.com

Will return a list of sites Google deems related to example.com.

Option Clarification:

A. inurl: – Searches for a keyword in the URL.

B. related: – Correct – Finds similar or related websites.

C. info: – Provides Google’s cached and indexed data about a URL.

D. site: – Restricts search to a specific domain or site.

This scenario clearly describes Load Balancing as a DDoS mitigation strategy, which is covered under the CEH v13 Network and Perimeter Hacking module. Load balancing distributes incoming network or application traffic across multiple servers or resources to prevent any single system from becoming overwhelmed.

According to CEH v13, modern DDoS mitigation architectures often combine hardware load balancers with cloud-based scrubbing centers or Content Delivery Networks (CDNs). These systems absorb high traffic volumes and ensure availability by spreading requests across multiple nodes. This approach aligns perfectly with the organization’s strategy of absorbing and distributing traffic rather than blocking it outright.

Other options are incorrect:

Black hole routing drops all traffic, including legitimate traffic.

Rate limiting restricts traffic volume rather than distributing it.

Sinkholing redirects traffic for analysis, not load distribution.

https://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection

Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack has traditionally been considered time-intensive because a new statement needed to be crafted for each bit recovered, and depending on its structure, the attack may consist of many unsuccessful requests. Recent advancements have allowed each request to recover multiple bits, with no unsuccessful requests, allowing for more consistent and efficient extraction.

CEH v13 explains that cryptographic consistency is essential for secure session management. Variable token lengths can leak information about encryption methods, key sizes, or user privilege levels, making sessions vulnerable to cryptanalysis or targeted attacks.

The most effective mitigation is implementing uniform encryption strength across all roles, ensuring consistent key sizes, algorithms, and token formats. While MFA improves authentication and key rotation improves lifecycle management, neither directly resolves cryptographic inconsistency.

CEH v13 stresses that encryption should be role-agnostic and standardized. Therefore, Option C is correct.

Symmetric encryption is a method of encrypting and decrypting data using the same secret key. Symmetric encryption is fast and efficient, but it requires a secure way of managing and distributing the keys to the users who need them. If the keys are compromised, the data is no longer secure.

One of the strategies to securely manage and distribute symmetric keys is to use HTTPS protocol for secure key transfer. HTTPS is a protocol that uses SSL/TLS to encrypt the communication between a client and a server over the Internet. HTTPS can protect the symmetric keys from being intercepted or modified by an attacker during the key transfer process. HTTPS can also authenticate the server and the client using certificates, ensuring that the keys are sent to and received by the intended parties.

To use HTTPS protocol for secure key transfer, the development team needs to implement the following steps1:

Generate a symmetric key for each user who wants to store their files on the cloud storage platform. The symmetric key will be used to encrypt and decrypt the user’s files.

Generate a certificate for the cloud storage server. The certificate will contain the server’s public key and other information, such as the server’s domain name, the issuer, and the validity period. The certificate will be signed by a trusted certificate authority (CA), which is a third-party entity that verifies the identity and legitimacy of the server.

Install the certificate on the cloud storage server and configure the server to use HTTPS protocol for communication.

When a user wants to upload or download their files, the user’s client (such as a web browser or an app) will initiate a HTTPS connection with the cloud storage server. The client will verify the server’s certificate and establish a secure session with the server using SSL/TLS. The client and the server will negotiate a session key, which is a temporary symmetric key that will be used to encrypt the data exchanged during the session.

The cloud storage server will send the user’s symmetric key to the user’s client, encrypted with the session key. The user’s client will decrypt the symmetric key with the session key and use it to encrypt or decrypt the user’s files.

The user’s client will store the symmetric key securely on the user’s device, such as in a password-protected file or a hardware token. The user’s client will also delete the session key after the session is over.

Using HTTPS protocol for secure key transfer can ensure that the symmetric keys are protected from eavesdropping, tampering, or spoofing attacks. However, this strategy also has some challenges and limitations, such as:

The development team needs to obtain and maintain valid certificates for the cloud storage server from a trusted CA, which might incur costs and administrative overhead.

The users need to trust the CA that issued the certificates for the cloud storage server and verify the certificates before accepting them.

The users need to protect their symmetric keys from being lost, stolen, or corrupted on their devices. The development team needs to provide a mechanism for key backup, recovery, or revocation in case of such events.

The users need to update their symmetric keys periodically to prevent key exhaustion or reuse attacks. The development team needs to provide a mechanism for key rotation or renewal in a secure and efficient manner.

GINA stands for Graphical Identification and Authentication. It is a Windows component (a DLL) that provides the user interface for logging into a Windows system.

Located in msgina.dll (in legacy Windows)

Handles the Ctrl+Alt+Del screen

Collects credentials (username/password) and passes them to the Local Security Authority (LSA)

From CEH v13 Courseware:

Module 6: Malware Threats

Module 4: Windows Authentication Internals

CEH v13 Study Guide states:

“The Graphical Identification and Authentication (GINA) is a DLL that implements the authentication UI for Windows systems. Malicious actors can create custom GINA DLLs to capture login credentials.”

Key observations in the packet capture:

Repeated 0x90 values indicate a NOP sled (No Operation instructions), commonly used in buffer overflow payloads to guide execution to the malicious shellcode.

The presence of "/bin/sh" in ASCII indicates that the attacker intends to launch a shell (command-line access) on the victim’s system once the overflow is successful.

The payload likely contains shellcode that spawns a shell, giving the attacker command-line access.

From CEH v13 Official Courseware:

Module 6: Malware Threats

Module 9: Denial-of-Service

Module 5: Vulnerability Analysis

CEH v13 Study Guide states:

“A buffer overflow exploit typically involves injecting a NOP sled followed by shellcode. The string '/bin/sh' is a tell-tale sign of shell-spawning code that aims to give the attacker command access.”

Incorrect Options:

A: There's no evidence the IDS blocked the attack—only that it logged it.

B: Creating a directory would not involve a NOP sled or spawn a shell.

C: We cannot confirm success; only the intent and method are clear.

https://en.wikipedia.org/wiki/Bluejacking

Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or bluechat) to another Bluetooth-enabled device via the OBEX protocol.

Bluejacking is usually harmless, but because bluejacked people generally don't know what has happened, they may think that their phone is malfunctioning. Usually, a bluejacker will only send a text message, but with modern phones it's possible to send images or sounds as well. Bluejacking has been used in guerrilla marketing campaigns to promote advergames.

Bluejacking is also confused with Bluesnarfing, which is the way in which mobile phones are illegally hacked via Bluetooth.

In CEH v13 Module 11: Hacking Wireless Networks, wireless standards and their transmission ranges are discussed.

Actual Range Specs:

802.11a: Operates at 5 GHz, range up to ~75 ft indoors, much less than 150 ft due to poor wall penetration.

802.11b/g: Operate at 2.4 GHz, typically 150–300 ft indoors.

802.16 (WiMax): Wireless MAN technology with range up to 30 miles — correct for point-to-point outdoor line of sight.

Conclusion:

802.11a listed as 150–150 ft is incorrect.

Realistic effective range is up to 75 ft indoors, depending on obstructions and interference.

This overestimation makes Option D the wrong one.

CEH defines botnets as networks of compromised machines controlled remotely to perform coordinated activities such as DDoS attacks, spam campaigns, and credential theft. Systems showing outbound connections to unknown IPs and participating in mass spam dissemination are characteristic indicators of botnet infection.

If a system stores passwords in weak or reversible formats, attackers can perform offline cracking. CEH emphasizes dictionary attacks as the fastest and most efficient method to exploit weak hashing practices. This avoids detection and leverages known password patterns to recover plaintext credentials.

This scenario describes fileless malware using covert command-and-control (C2) channels over commonly allowed protocols such as HTTP and DNS, a technique heavily emphasized in CEH v13 Malware Threats. Such malware avoids writing files to disk and instead leverages memory, legitimate system tools, and trusted protocols to evade traditional defenses.

Signature-based antivirus updates (Option A) are ineffective against fileless malware because there are no static artifacts to match. Blocking known malware ports (Option C) is also ineffective, as the malware intentionally uses ports 80 and 53, which must remain open for normal business operations. Restricting plain HTTP (Option B) may reduce visibility but does not stop DNS tunneling or encrypted malicious traffic.

CEH v13 identifies behavioral analytics as the most effective countermeasure against advanced malware. Behavioral solutions establish a baseline of normal system and network activity, then detect anomalies such as:

Unusual outbound DNS query patterns

Abnormal HTTP beaconing intervals

Legitimate applications behaving suspiciously

PowerShell or system tools generating network traffic unexpectedly

By monitoring how systems behave rather than what files exist, behavioral analytics can identify stealthy C2 communications and disrupt them early. Therefore, Option D is the most effective and CEH-aligned response.