ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

https://www.darknet.org.uk/2017/07/bluto-dns-recon-zone-transfer-brute-forcer/

"Attackers also use DNS lookup tools such as DNSdumpster.com, Bluto, and Domain Dossier to retrieve DNS records for a specified domain or hostname. These tools retrieve information such as domains and IP addresses, domain Whois records, DNS records, and network Whois records." CEH Module 02 Page 138

The purpose of this idea is to permit multiple customers to figure on joint projects and applications that belong to the community, where it’s necessary to possess a centralized clouds infrastructure. In other words, Community Cloud may be a distributed infrastructure that solves the precise problems with business sectors by integrating the services provided by differing types of clouds solutions.

The communities involved in these projects, like tenders, business organizations, and research companies, specialise in similar issues in their cloud interactions. Their shared interests may include concepts and policies associated with security and compliance considerations, and therefore the goals of the project also .

Community Cloud computing facilitates its users to spot and analyze their business demands better. Community Clouds could also be hosted during a data center, owned by one among the tenants, or by a third-party cloud services provider and may be either on-site or off-site.

Community Cloud Examples and Use Cases

Cloud providers have developed Community Cloud offerings, and a few organizations are already seeing the advantages . the subsequent list shows a number of the most scenarios of the Community Cloud model that’s beneficial to the participating organizations.

Multiple governmental departments that perform transactions with each other can have their processing systems on shared infrastructure. This setup makes it cost-effective to the tenants, and may also reduce their data traffic.

Benefits of Community Clouds

Community Cloud provides benefits to organizations within the community, individually also as collectively. Organizations don’t need to worry about the safety concerns linked with Public Cloud due to the closed user group.

This recent cloud computing model has great potential for businesses seeking cost-effective cloud services to collaborate on joint projects, because it comes with multiple advantages.

Openness and Impartiality

Community Clouds are open systems, and that they remove the dependency organizations wear cloud service providers. Organizations are able to do many benefits while avoiding the disadvantages of both public and personal clouds.

Flexibility and Scalability

Ensures compatibility among each of its users, allowing them to switch properties consistent with their individual use cases. They also enable companies to interact with their remote employees and support the utilization of various devices, be it a smartphone or a tablet. This makes this sort of cloud solution more flexible to users’ demands.

Consists of a community of users and, as such, is scalable in several aspects like hardware resources, services, and manpower. It takes under consideration demand growth, and you simply need to increase the user-base.

High Availability and Reliability

Your cloud service must be ready to make sure the availability of knowledge and applications in the least times. Community Clouds secure your data within the same way as the other cloud service, by replicating data and applications in multiple secure locations to guard them from unforeseen circumstances.

Cloud possesses redundant infrastructure to form sure data is out there whenever and wherever you would like it. High availability and reliability are critical concerns for any sort of cloud solution.

Security and Compliance

Two significant concerns discussed when organizations believe cloud computing are data security and compliance with relevant regulatory authorities. Compromising each other’s data security isn’t profitable to anyone during a Community Cloud.

Users can configure various levels of security for his or her data. Common use cases:

the power to dam users from editing and downloading specific datasets.

Making sensitive data subject to strict regulations on who has access to Sharing sensitive data unique to a specific organization would bring harm to all or any the members involved.

What devices can store sensitive data.

Convenience and Control

Conflicts associated with convenience and control don’t arise during a Community Cloud. Democracy may be a crucial factor the Community Cloud offers as all tenants share and own the infrastructure and make decisions collaboratively. This setup allows organizations to possess their data closer to them while avoiding the complexities of a personal Cloud.

Less Work for the IT Department

Having data, applications, and systems within the cloud means you are doing not need to manage them entirely. This convenience eliminates the necessity for tenants to use extra human resources to manage the system. Even during a self-managed solution, the work is split among the participating organizations.

Environment Sustainability

In the Community Cloud, organizations use one platform for all their needs, which dissuades them from investing in separate cloud facilities. This shift introduces a symbiotic relationship between broadening and shrinking the utilization of cloud among clients. With the reduction of organizations using different clouds, resources are used more efficiently, thus resulting in a smaller carbon footprint.

Comprehensive and Detailed Explanation:

The “weakest link” in cybersecurity is almost always the human element. Even with cutting-edge technology and airtight configurations, untrained or careless users can fall for phishing attacks, use weak passwords, or mishandle sensitive data — giving hackers a path into the system.

From CEH v13 Courseware:

Module 7: Social Engineering

Topic: Human Element in Security Breaches

https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.

This is done by making a logged in user in the victim platform access an attacker controlled website and from there execute malicious JS code, send forms or retrieve "images" to the victims account.

In order to be able to abuse a CSRF vulnerability you first need to find a relevant action to abuse (change password or email, make the victim follow you on a social network, give you more privileges...). The session must rely only on cookies or HTTP Basic Authentication header, any other header can't be used to handle the session. An finally, there shouldn't be unpredictable parameters on the request.

Several counter-measures could be in place to avoid this vulnerability. Common defenses:

- SameSite cookies: If the session cookie is using this flag, you may not be able to send the cookie from arbitrary web sites.

- Cross-origin resource sharing: Depending on which kind of HTTP request you need to perform to abuse the relevant action, you may take int account the CORS policy of the victim site. Note that the CORS policy won't affect if you just want to send a GET request or a POST request from a form and you don't need to read the response.

- Ask for the password user to authorise the action.

- Resolve a captcha

- Read the Referrer or Origin headers. If a regex is used it could be bypassed form example with:

http://mal.net?orig=http://example.com (ends with the url)

http://example.com.mal.net (starts with the url)

- Modify the name of the parameters of the Post or Get request

- Use a CSRF token in each session. This token has to be send inside the request to confirm the action. This token could be protected with CORS.

A cryptographic hash function is used to ensure data integrity. It generates a fixed-length output (digest) from any size of input data. If the data is modified in any way, the resulting hash will change. This allows systems to detect data tampering, ensuring that the data remains unaltered from its original form.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Hash functions are used to ensure the integrity of a message or file by producing a unique digest that changes if the data is modified.”

Incorrect Options:

A. Authentication ensures identity, not data integrity.

B. Confidentiality is achieved via encryption, not hashing.

C. Availability pertains to system uptime and accessibility, not hashes.

===========

The command uses sqlmap, a powerful SQL injection and database penetration testing tool. The flag -u specifies the target URL, and -dbs instructs sqlmap to enumerate the available databases on the DBMS behind that URL.

Command Breakdown:

-u: Target URL with injectable parameters

-dbs: Retrieve and enumerate all available database names

This is a common first step in identifying vulnerable DBMS structures after confirming SQL injection.

Incorrect Options:

A. Backdoor creation is not the default function of sqlmap.

C. Retrieving SQL statements would require additional options like --trace or --sql-query.

D. Option D is not technically accurate—sqlmap is used for injection and enumeration, not searching statements.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “SQL Injection Tools and Automation”

Tool Reference: sqlmap usage and options

===========

In CEH v13 Module 13: Hacking Web Applications, this exact payload is an example of an XXE (XML External Entity) Attack.

XXE Attack:

Exploits the way XML parsers process DOCTYPE declarations.

The payload references a local file (/etc/passwd), allowing local file inclusion.

Can result in sensitive file disclosure, SSRF, or Denial of Service (DoS).

Option Clarification:

A. XXE: Correct – targets vulnerable XML parsers.

B. SQLi: Targets SQL databases with ' OR '1'='1-type injections.

C. IDOR: Insecure Direct Object Reference, not related to XML.

D. XSS: Cross-site scripting; this is XML-based, not JavaScript injection.

A mirror site may be a website or set of files on a computer server that has been copied to a different computer server in order that the location or files are available from quite one place. A mirror site has its own URL, but is otherwise just like the principal site. Load-balancing devices allow high-volume sites to scale easily, dividing the work between multiple mirror sites.

A mirror site is typically updated frequently to make sure it reflects the contents of the first site. In some cases, the first site may arrange for a mirror site at a bigger location with a better speed connection and, perhaps, a better proximity to an outsized audience.

If the first site generates an excessive amount of traffic, a mirror site can ensure better availability of the web site or files. For websites that provide copies or updates of widely used software, a mirror site allows the location to handle larger demands and enables the downloaded files to arrive more quickly. Microsoft, Sun Microsystems and other companies have mirror sites from which their browser software are often downloaded.

Mirror sites are wont to make site access faster when the first site could also be geographically distant from those accessing it. A mirrored web server is usually located on a special continent from the principal site, allowing users on the brink of the mirror site to urge faster and more reliable access.

Mirroring an internet site also can be done to make sure that information are often made available to places where access could also be unreliable or censored. In 2013, when Chinese authorities blocked access to foreign media outlets just like the Wall Street Journal and Reuters, site mirroring was wont to restore access and circumvent government censorship.

In CEH v13 Module 01: Introduction to Ethical Hacking, the types of law applicable to cybersecurity incidents are discussed. When executives fail to protect their company’s information systems and this leads to financial loss, data breaches, or negligence, the resulting liability is considered under civil law.

Civil law deals with non-criminal disputes such as negligence, liability, and contractual breaches.

A company or affected party may file a civil lawsuit for damages.

Executives can be held civilly liable for failing in their duty of care, especially when regulations like GDPR, SOX, or HIPAA are involved.

Wired Equivalent Privacy (WEP) may be a security protocol, laid out in the IEEE wireless local area network (Wi-Fi) standard, 802.11b, that’s designed to supply a wireless local area network (WLAN) with A level of security and privacy like what’s usually expected of a wired LAN. A wired local area network (LAN) is usually protected by physical security mechanisms (controlled access to a building, for example) that are effective for a controlled physical environment, but could also be ineffective for WLANs because radio waves aren’t necessarily bound by the walls containing the network. WEP seeks to determine similar protection thereto offered by the wired network’s physical security measures by encrypting data transmitted over the WLAN. encoding protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms like password protection, end-to-end encryption, virtual private networks (VPNs), and authentication are often put in situ to make sure privacy.

A research group from the University of California at Berkeley recently published a report citing “major security flaws” in WEP that left WLANs using the protocol susceptible to attacks (called wireless equivalent privacy attacks). within the course of the group’s examination of the technology, they were ready to intercept and modify transmissions and gain access to restricted networks. The Wireless Ethernet Compatibility Alliance (WECA) claims that WEP – which is included in many networking products – was never intended to be the only security mechanism for a WLAN, and that, in conjunction with traditional security practices, it’s very effective.

flags –source-port and -g are equivalent and instruct nmap to send packets through a selected port. this option is used to try to cheat firewalls whitelisting traffic from specific ports. the following example can scan the target from the port twenty to ports eighty, 22, 21,23 and 25 sending fragmented packets to LinuxHint.

Comprehensive and Detailed Explanation:

Nikto is an open-source web server scanner that:

Checks for common vulnerabilities

Detects outdated software versions

Flags insecure configurations and files

It is widely used for quick and comprehensive web vulnerability assessments.

From CEH v13 Courseware:

Module 10: Web Application Hacking → Web Vulnerability Scanning Tools

TCP port 21 is used by the File Transfer Protocol (FTP), which is an unencrypted protocol. To detect if unencrypted file transfers are taking place, you can apply the Wireshark display filter:

tcp.port == 21

This will show all traffic to and from FTP servers. Since FTP transmits usernames, passwords, and data in clear text, its use would violate the company’s policy.

CEH v13 states:

“FTP (Port 21) is a cleartext protocol vulnerable to sniffing. To enforce secure communication, companies often transition to SFTP (over SSH, port 22) or FTPS (FTP over TLS/SSL).”

Incorrect Options:

B. Port 23 is used for Telnet, not FTP.

C. Combining FTP (21) and SSH/SFTP (22) would include encrypted traffic, which is not what you're trying to isolate.

D. tcp.port != 21 filters out FTP traffic, which is the opposite of the intended goal.

Reference – CEH v13 Guide:

Module 01: Introduction to Ethical Hacking

Subsection: Sniffing and Cleartext Protocols

Wireshark iLab: Identifying FTP Traffic

===========

In CEH v13 Module 14: Cryptography, Serpent is detailed as one of the finalists in the Advanced Encryption Standard (AES) competition, known for its strong security characteristics.

Key Features of Serpent:

128-bit block size, and key sizes of 128, 192, or 256 bits.

Uses 32 rounds of substitution and permutation.

Operates on four 32-bit words per block.

Employs 8 different S-boxes, each with a 4-bit input and 4-bit output.

Designed to provide high security and resistance against differential cryptanalysis.

Option Clarification:

A. TEA: Uses a Feistel structure with simple operations, but not 32 rounds with S-boxes.

B. CAST-128: Has 64-bit block size and fewer rounds.

C. RC5: Variable block and key sizes but doesn’t use 32 rounds with fixed S-box design.

D. Serpent: Matches all given features.

Whitelist validation (also known as allowlist validation) is a robust defensive strategy where only pre-approved input formats are accepted. This includes:

Restricting input to specific data types (e.g., integer, string)

Limiting size, format, or allowed characters

Accepting only expected values (e.g., country codes, age ranges)

This practice is highly effective in mitigating SQL injection and other input-based attacks.

Incorrect Options:

A. Output encoding prevents XSS by encoding output but doesn't validate input.

B. Enforcing least privilege is an access control principle.

D. Blacklist validation is less secure and attempts to block known bad inputs, which may be bypassed.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Input Validation and SQL Injection Mitigation”

Subsection: “Whitelist vs Blacklist Input Validation”

===========