ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

In CEH v13 Module 05: System Hacking, once an attacker gains access to hashed passwords, cracking tools are employed to reverse or brute-force them.

Tool Breakdown:

John the Ripper: A powerful password cracking tool that supports many hash formats.

Hashcat: GPU-based, extremely fast password hash cracking tool.

THC-Hydra: Used for online attacks (e.g., SSH, FTP brute force).

Netcat: Not a password cracking tool — it’s a network utility used for:

Remote shell connections

Banner grabbing

File transfers

Port scanning

Therefore:

C. Netcat is the correct answer — it is not used for password cracking.

In CEH v13 Module 10: Injection Attacks, the SQL Injection technique is covered extensively. A common attack method is to manipulate the input fields so that the resulting SQL query becomes logically always true, effectively bypassing authentication.

Given the input:

Username: attack' or 1=1 --

Password: 123456

And assuming the original SQL query is:

SELECT * FROM Users WHERE UserName = '' AND UserPassword = '';

When inputs are substituted, the query becomes:

SELECT * FROM Users WHERE UserName = 'attack' or 1=1 --' AND UserPassword = '123456';

The -- sequence is used in SQL to indicate a comment. Everything after -- is ignored by the SQL engine. So the query essentially becomes:CopyEdit

SELECT * FROM Users WHERE UserName = 'attack' or 1=1;

This query is always true due to 1=1, and if the application is vulnerable, it grants access regardless of the password.

Option Analysis:

A. Incorrect – Contains '' (double quote) after attack, which would cause a syntax error due to extra quotation marks.

B. Correct – This is the accurate representation of what the SQL query would look like with a successful injection.

C. Incorrect – The input string is malformed, combining input into one literal string.

D. Incorrect – Misplacement of ' after the comment token -- invalidates the SQL syntax.

Reference from CEH v13 Study Materials:

Module 10 – Injection Attacks, Section: SQL Injection – Authentication Bypass

CEH v13 eCourseware Practical Lab: Exploiting SQL Injection Vulnerability in Login Forms

CEH Engage – Web Application Testing Phase: SQLi Exploitation in Login Panels

DNS poisoning (also known as DNS cache poisoning) occurs when a malicious actor injects false DNS data into a DNS resolver's cache. The poisoned entry will persist for the duration of its TTL (Time To Live), which is defined in the DNS SOA (Start of Authority) record.

The SOA record contains several fields including:

Serial number

Refresh

Retry

Expire

Minimum TTL

The Minimum TTL value in the SOA record determines how long a DNS resolver should cache the DNS data — including any potentially poisoned data.

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration & Poisoning

CEH v13 Study Guide states:

“The SOA record includes a minimum TTL value that dictates how long DNS information should be cached by other DNS servers. If DNS cache poisoning occurs, the false information will persist until the TTL expires.”

Incorrect Options:

A: MX (Mail Exchange) defines mail servers, not TTLs.

C: NS (Name Server) specifies authoritative servers, not caching durations.

D: TIMEOUT is not a valid DNS resource record.

The description in the scenario clearly points to Docker. Docker is an open-source platform that automates the deployment, scaling, and management of applications inside containers. It allows:

Isolation of applications from the underlying system

Communication through well-defined APIs and networking interfaces

Rapid packaging and shipping of applications in a containerized format

Docker uses OS-level virtualization and is ideal for Platform-as-a-Service (PaaS) environments.

Incorrect Options:

A. Virtual machines virtualize entire operating systems and are heavier in resource use.

B. Serverless computing abstracts the infrastructure entirely but is not about containerization.

D. Zero Trust is a security architecture, not a development or packaging platform.

Reference – CEH v13 Official Courseware:

Module 19: Cloud Computing

Section: “Containerization and Docker”

Subsection: “Security Benefits of Containers”

===========

The scenario describes a cryptographic attack where the attacker (in this case, the student) uses a predefined list of commonly used passwords to try and unlock a secured PDF document. This technique is known as a Dictionary Attack.

According to the CEH v13 Official Courseware:

A Dictionary Attack is defined as “a method of breaking passwords by trying out a predefined list of words (dictionary) commonly used as passwords.”

Unlike a brute-force attack, which tries every possible character combination, a dictionary attack relies on known or likely password choices, which makes it faster but less exhaustive.

Dictionary attacks are commonly used against encrypted or password-protected files, login forms, and even hashes.

Relevant distinctions from other options:

A. Man-in-the-middle attack involves intercepting communication between two parties and is unrelated to offline password cracking.

B. Brute-force attack tries all possible character combinations, not just a list of known or common passwords.

D. Session hijacking involves taking over a user session and is unrelated to document password cracking.

Reference – CEH v13 Official Study Materials:

Module 20: Cryptography

Section: "Cryptanalysis Techniques"

Subsection: "Dictionary Attack vs. Brute-force Attack"

CEH v13 eBook or Study Guide — look for Table: “Types of Password Attacks” under “Cryptography Attack Vectors”

This exact technique is illustrated in CEH v13 labs involving John the Ripper, Hydra, and password recovery tools.

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises.

This log clearly shows an HTTP GET request attempting to exploit a web server using a directory traversal attack with Unicode encoding:

The URL contains:/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:

%c0%af is a known Unicode-encoded sequence used to bypass input validation filters.It translates to the forward slash character “/” when interpreted by vulnerable versions of Microsoft IIS (specifically IIS 4.0 and 5.0).

This type of attack attempts to:

Traverse out of the web root directory (via encoded ../ sequences)

Access cmd.exe in the Windows system32 directory

Execute operating system commands such as dir c: (list contents of drive C)

From CEH v13 Official Courseware:

Module 14: Hacking Web Servers

Topic: Unicode Directory Traversal Vulnerability (IIS-specific)

CEH v13 Study Guide states:

“A Unicode Directory Traversal Attack takes advantage of improper input sanitization by encoding traversal characters (../) as Unicode (e.g., %c0%af). This bypasses input filters and accesses restricted directories such as system32.”

Incorrect Options:

A. Hexcode Attack: Not a formal classification; here Unicode encoding is used.

B. Cross-Site Scripting: Involves injecting scripts into a web page, unrelated to filesystem traversal.

C. Multiple Domain Traversal: Not a valid or recognized attack type.

The total data extracted by the attacker is E=xyz’u’, where x is the number of tables, y is the number of columns, z is the number of records, and u is the number of SQL payloads. To maximize E, the attacker would want to choose the highest values of z and u, while keeping x and y constant. Therefore, the situation where z=600 and u=2 would result in the highest extracted data volume, as E=42600*2=9600. The other situations would result in lower values of E, as shown below:

A: E=42400*4=12800

B: E=42550*2=8800

D: E=42500*3=12000

The attacker uses UNION SELECT statements to combine the results from different tables and columns, and DBMS_XSLPPOCESSOR.READ2CLOB to read sensitive files from the database server12. These techniques can bypass input validation and pattern matching measures that are based on the application’s responses3.

Comprehensive and Detailed Explanation:

The correct nslookup syntax to perform a zone transfer is:

ls -d domain_name

So, from the nslookup prompt:

server 192.168.10.2

ls -d abccorp.local

This will attempt to list all DNS records for the abccorp.local domain from the specified server, if zone transfers are permitted.

From CEH v13 Courseware:

Module 4: Enumeration → DNS Zone Transfers

Comprehensive and Detailed Explanation:

A Suicide Hacker is someone who launches a cyberattack without regard for the consequences, such as being caught or imprisoned. Yancey's actions fit this profile because:

He is knowingly committing illegal acts.

He is fully aware of and indifferent to the consequences.

His motive is revenge, not ideology or personal gain.

From CEH v13 Courseware:

Module 1: Introduction to Ethical Hacking → Types of Hackers

Lock-in reflects the inability of the client to migrate from one CSP to another or in-house systems owing to the lack of tools, procedures, standard data formats, applications, and service portability. This threat is related to the inappropriate selection of a CSP, incomplete and non-transparent terms of use, lack of standard mechanisms, etc. (P.2884/2868)

Developed by Robert “RSnake” Hansen, Slowloris is DDoS attack software that permits one computer to require down an internet server. Due the straightforward yet elegant nature of this attack, it requires minimal bandwidth to implement and affects the target server’s web server only, with almost no side effects on other services and ports.

Slowloris has proven highly-effective against many popular sorts of web server software, including Apache 1.x and 2.x.

Over the years, Slowloris has been credited with variety of high-profile server takedowns. Notably, it had been used extensively by Iranian ‘hackivists’ following the 2009 Iranian presidential election to attack Iranian government internet sites .

Slowloris works by opening multiple connections to the targeted web server and keeping them open as long as possible. It does this by continuously sending partial HTTP requests, none of which are ever completed. The attacked servers open more and connections open, expecting each of the attack requests to be completed.

Periodically, the Slowloris sends subsequent HTTP headers for every request, but never actually completes the request. Ultimately, the targeted server’s maximum concurrent connection pool is filled, and extra (legitimate) connection attempts are denied.

By sending partial, as against malformed, packets, Slowloris can easily elapse traditional Intrusion Detection systems.

Named after a kind of slow-moving Asian primate, Slowloris really does win the race by moving slowly and steadily. A Slowloris attack must await sockets to be released by legitimate requests before consuming them one by one.

For a high-volume internet site , this will take a while . the method are often further slowed if legitimate sessions are reinitiated. But within the end, if the attack is unmitigated, Slowloris—like the tortoise—wins the race.

If undetected or unmitigated, Slowloris attacks also can last for long periods of your time . When attacked sockets outing , Slowloris simply reinitiates the connections, continuing to reach the online server until mitigated.

Designed for stealth also as efficacy, Slowloris are often modified to send different host headers within the event that a virtual host is targeted, and logs are stored separately for every virtual host.

More importantly, within the course of an attack, Slowloris are often set to suppress log file creation. this suggests the attack can catch unmonitored servers off-guard, with none red flags appearing in log file entries.

Methods of mitigation

Imperva’s security services are enabled by reverse proxy technology, used for inspection of all incoming requests on their thanks to the clients’ servers.

Imperva’s secured proxy won’t forward any partial connection requests—rendering all Slowloris DDoS attack attempts completely and utterly useless.

 DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts

â–  HOSTMIB.MIB: Monitors and manages host resources

â–  LNMIB2.MIB: Contains object types for workstation and server services

â–  MIBJI.MIB: Manages TCP/IP-based Internet using a simple architecture and system

â–  WINS.MIB: For the Windows Internet Name Service (WINS)

Email spoofing is the fabrication of an email header in the hopes of duping the recipient into thinking the email originated from someone or somewhere other than the intended source. Because core email protocols do not have a built-in method of authentication, it is common for spam and phishing emails to use said spoofing to trick the recipient into trusting the origin of the message.

The ultimate goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation. Although the spoofed messages are usually just a nuisance requiring little action besides removal, the more malicious varieties can cause significant problems and sometimes pose a real security threat.

==================================================================

aLTEr attacks are usually performed on LTE devices Attacker installs a virtual (fake) communication tower between two authentic endpoints intending to mislead the victim This virtual tower is used to interrupt the data transmission between the user and real tower attempting to hijack the active session.

https://alter-attack.net/media/breaking_lte_on_layer_two.pdf

The new aLTEr attack can be used against nearly all LTE connected endpoints by intercepting traffic and redirecting it to malicious websites together with a particular approach for Apple iOS devices.

This attack works by taking advantage of a style flaw among the LTE network — the information link layer (aka: layer-2) of the LTE network is encrypted with AES-CTR however it’s not integrity-protected, that is why an offender will modify the payload.

As a result, the offender is acting a classic man-in-the-middle wherever they’re movement as a cell tower to the victim.