Pass the ECCouncil CEH v13 312-50v13 Questions and answers with ValidTests

Infoga may be a tool gathering email accounts informations (ip,hostname,country,…) from completely different public supply (search engines, pgp key servers and shodan) and check if email was leaked using haveibeenpwned.com API. is a really simple tool, however very effective for the first stages of a penetration test or just to know the visibility of your company within the net.

In CEH v13 Module 03: Scanning Networks, the behavior of firewalls in response to ACK scans is described in detail, especially regarding stateful vs. stateless firewalls.

An ACK scan (nmap -sA) is primarily used for firewall rule analysis. Here’s how it works:

When you send a TCP ACK segment:

If the port is closed and no firewall is present, the target should respond with a TCP RST packet.

If a stateless (non-stateful) firewall is used, it typically allows or blocks packets based only on rules about IP addresses, ports, and protocol type, without tracking session state.

If a stateful firewall is used, it keeps track of connection states. Therefore:

An unsolicited ACK packet (not part of any established session) will be silently dropped, because it doesn’t correspond to any active connection.

No RST is sent back because the firewall suppresses it, recognizing it as potentially malicious or out of context.

Therefore:

No RST response = packet was silently dropped.

Silent dropping of unsolicited ACK packets = Stateful Firewall Behavior.

Option Analysis:

A. There is no firewall in place

❌ Incorrect. If there were no firewall, an RST would be sent from the closed port.

B. This event does not tell you anything about the firewall

❌ Incorrect. The lack of a response is actually meaningful and implies stateful filtering behavior.

C. It is a stateful firewall

Correct. A stateful firewall inspects the packet, sees no valid session, and drops it silently.

D. It is a non-stateful firewall

❌ Incorrect. A non-stateful firewall would typically not inspect session state, and you'd still expect to see a response (likely an RST).

Reference from CEH v13 Study Guide and Courseware:

Module 03 – Scanning Networks, Section: Nmap Scanning Techniques → TCP ACK Scan

CEH Engage Labs – Network Scanning Phase: Firewall Rule Detection using ACK Scans

The SOA (Start of Authority) record contains key DNS parameters, including TTL (Time To Live). The components of an SOA record are in this order:

(domain) IN SOA (Primary Name Server) (Responsible party) (Serial) (Refresh) (Retry) (Expire) (Minimum TTL)

Given:

Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)

Field breakdown:

Serial: 200302028

Refresh: 3600 seconds

Retry: 3600 seconds

Expire: 604800 seconds

Minimum TTL: 2400 seconds ← This is the TTL value

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration and Zone Transfers

Subsection: Understanding DNS Records

CEH v13 Study Guide states:

“In an SOA record, the last value is the Minimum TTL — the amount of time other DNS servers should cache resource records for the zone.”

Incorrect Options:

A: Serial number

B: Refresh interval

C: Expiry interval

E/F: Arbitrary, not part of the SOA shown

Comprehensive and Detailed Explanation:

An incident checklist is a low-overhead, high-impact solution to improve procedural consistency under pressure. It ensures critical steps are not forgotten during stressful incidents. The checklist can be reused and updated easily and is a recognized best practice in incident response processes.

From CEH v13 Courseware:

Module 19: Incident Response and Forensics → Incident Handling Procedures

Error-based SQL Injection is a type of in-band SQL Injection attack that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.

The ethical hacker is likely to use this type of SQL Injection attack because the application responds to logically incorrect queries with detailed error messages that divulge the underlying database’s structure. This means that the attacker can craft malicious SQL queries that trigger errors and reveal information such as table names, column names, data types, etc. The attacker can then use this information to construct more complex queries that extract data from the database.

For example, if the application uses the following query to display the username of a user based on the user ID:

SELECT username FROM users WHERE id = '$id'

The attacker can inject a single quote at the end of the user ID parameter to cause a syntax error:

SELECT username FROM users WHERE id = '1'

The application might display an error message like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' at line 1

This error message reveals that the database server is MySQL and that the user ID parameter is enclosed in single quotes. The attacker can then use other techniques such as UNION, subqueries, or conditional statements to manipulate the query and retrieve data from other tables or columns.

CEH explains that SQL injection testing should begin with controlled, intentional manipulation of SQL syntax to determine whether user input is improperly concatenated into backend queries. While destructive queries like DROP TABLE are not recommended in real-world ethical hacking engagements, CEH uses this example as a conceptual demonstration of how SQLi can influence database commands. In practice, a penetration tester would more safely use benign tautologies such as ' OR '1'='1 to test whether unauthorized data is returned. However, within CEH’s theoretical framing, injecting a clearly malicious SQL command demonstrates whether the input is executed at the database level. This validates improper sanitization, the use of dynamic SQL queries, and missing parameterized input handling. CEH stresses that SQLi is among the most critical vulnerabilities because it allows attackers to bypass authentication, exfiltrate data, or manipulate the database structure. XSS, brute-forcing, and directory traversal do not test SQL query manipulation and therefore do not confirm SQL injection.

The Sarbanes-Oxley Act of 2002 could be a law the U.S. Congress passed on July thirty of that year to assist defend investors from fallacious money coverage by companies.Also called the SOX Act of 2002 and also the company Responsibility Act of 2002, it mandated strict reforms to existing securities rules and obligatory powerful new penalties on law breakers.

The Sarbanes-Oxley law Act of 2002 came in response to money scandals within the early 2000s involving in public listed corporations like Enron Corporation, Tyco International plc, and WorldCom. The high-profile frauds cask capitalist confidence within the trustiness of company money statements Associate in Nursingd light-emitting diode several to demand an overhaul of decades-old restrictive standards.

Bollards are short vertical posts installed to control or direct road traffic, but more importantly, they act as physical security controls to prevent vehicle-ramming attacks or unauthorized vehicle entry into sensitive or secure areas such as building entrances. They are often reinforced and strategically placed to withstand high-speed collisions.

This is a physical security control described in CEH v13 Module 01 (Introduction to Ethical Hacking) and further discussed in physical security best practices for preventing unauthorized physical access.

Incorrect Options:

B. Receptionist is a human control, not a physical barrier for vehicles.

C. Mantrap is used to control personnel access, not vehicle access.

D. Turnstile controls pedestrian entry, not vehicles.

document.write(); (Cookie and session ID theft)

https://www.softwaretestinghelp.com/cross-site-scripting-xss-attack-test/

As seen in the indicated question, cookies are escaped and sent to script to variable ‘cookie’. If the malicious user would inject this script into the website’s code, then it will be executed in the user’s browser and cookies will be sent to the malicious user.

18 U.S.C. §1030, also known as the Computer Fraud and Abuse Act (CFAA), is a broad federal statute that criminalizes unauthorized access to computers and related fraudulent activities—including phishing and email scams.

From CEH v13 Official Courseware:

Module 1: Introduction to Ethical Hacking

Topic: U.S. Laws Related to Cybercrime

CEH v13 Study Guide states:

“Email-based frauds such as phishing, spoofing, and other social engineering attacks fall under the Computer Fraud and Abuse Act (18 U.S.C. §1030), which criminalizes unauthorized access and fraudulent behavior in computing systems.”

Incorrect Options:

B: Relates to credit cards and access devices.

C: Covers interference with government communication systems.

D: Covers illegal wiretapping and eavesdropping.

CEH cloud security modules highlight that Azure Managed Identities allow workloads such as functions, VMs, and automation tasks to authenticate to Azure resources without storing secrets. If an attacker obtains the token associated with a managed identity, they can impersonate that identity and access any Azure resources it is permitted to use. In this scenario, the captured access token is used to authenticate via Azure PowerShell and retrieve storage account keys, demonstrating unauthorized privilege usage by hijacking the managed identity. This aligns directly with managed identity abuse, where attackers leverage identity tokens instead of user credentials. NSG rule gathering and AzureGraph enumeration are reconnaissance activities, and Stormspotter is used for visualizing attack paths, not abusing identities. Therefore, this scenario clearly illustrates exploitation of managed identities.

CEH v13 defines a Trojan as malware that appears as a legitimate, trusted software application while secretly executing malicious actions behind the scenes. Trojans rely on deception rather than replication, often masquerading as tools, utilities, updates, or installers. Once executed, they may install backdoors, steal credentials, exfiltrate data, or modify system settings. The defining characteristic emphasized in CEH is the legitimate-looking façade combined with hidden malicious intent, which matches the scenario perfectly. Spyware (Option B) focuses on monitoring and data collection but does not necessarily disguise itself as legitimate software. Worms (Option C) self-replicate across networks, which is not described here. Rootkits (Option D) hide system compromise but do not necessarily pose as legitimate software. Therefore, the malware described is a Trojan.

CEH courseware describes rootkits as specialized malware designed to conceal their presence while providing persistent, unauthorized access to system-level functions. Rootkits typically modify low-level components of the operating system—such as kernel modules, drivers, or system processes—to hide files, processes, registry keys, and network connections. Their primary purpose is to grant attackers administrative privileges without triggering alerts, making them extremely stealthy and dangerous. CEH emphasizes that rootkits often accompany other malware to maintain long-term control after initial compromise. In contrast, viruses replicate by attaching to files, keyloggers record keystrokes but do not hide system-level access, and ransomware encrypts data rather than conceals operations. The defining characteristics in this scenario—cloaking activity, providing admin-level control, persisting undetected—are directly aligned with rootkit behavior as described in CEH training material.

Infrastructure as a Service (IaaS) provides virtualized computing infrastructure over the internet. In this model:

The cloud provider supplies the hardware (servers, storage, networking).

The client (your organization) is responsible for installing and managing the OS, applications, and all configurations.

This aligns with the question, where the organization must take full responsibility for maintenance.

Incorrect Options:

A. PaaS offers managed OS, middleware, and runtime, reducing customer responsibilities.

B. SaaS provides fully managed applications—users only access features.

C. Functions as a Service (FaaS) offers event-driven computing without server management, used in serverless environments.

Reference – CEH v13 Official Courseware:

Module 19: Cloud Computing

Section: “Cloud Service Models”

Table: “Responsibilities in IaaS vs PaaS vs SaaS”

===========

https://en.wikipedia.org/wiki/Subnetwork

As we can see, we have an IP address of 10.1.4.0 with a subnet mask of /23. According to the question, we need to determine which IP address will be included in the range of the last 100 IP addresses.

The available addresses for hosts start with 10.1.4.1 and end with 10.1.5.254. Now you can clearly see that the last 100 addresses include the address 10.1.5.200.