Pass the ECCouncil CEH v13 312-50v13 Questions and answers with ValidTests

The recommended architecture for secure web application deployment is a multi-tiered setup:

Web server in the DMZ (public-facing)

Application server on the internal network

Database server on the internal network

This design limits the exposure of critical components. Only the web server is exposed to the internet, while application and database servers are shielded by firewalls and only accessible internally.

Reference – CEH v13 Official Study Guide:

Module 10: Hacking Web Servers

Quote:

“Place the web server in the DMZ and keep the application and database servers within the internal network. This reduces the attack surface and provides layered security.”

Incorrect Options Explained:

A. Internal placement makes them inaccessible externally.

C & D. Exposing the database or all servers to the internet introduces significant risk.

===========

The Heartbleed vulnerability (CVE-2014-0160) is a critical buffer over-read flaw in OpenSSL’s implementation of the TLS heartbeat extension. It allows attackers to read portions of memory from a server using vulnerable versions of OpenSSL.

This exposed sensitive data including:

Usernames and passwords

Session tokens

Private encryption keys

From CEH v13 Study Guide – Module 5: Vulnerability Analysis and Module 6: Malware Threats:

“The Heartbleed vulnerability allowed attackers to extract memory contents from the OpenSSL process, including sensitive materials such as private SSL keys. These private keys are used in the TLS protocol to encrypt and decrypt secure communications. Once compromised, attackers could decrypt communications or impersonate the server.”

Private keys being compromised allow attackers to decrypt HTTPS traffic, impersonate trusted servers, and conduct MITM (Man-in-the-Middle) attacks.

Incorrect Options:

A. Public: Public keys are already shared and not a security risk if disclosed.

C. Shared: Vague term not applicable here.

D. Root: Heartbleed doesn’t directly expose root keys; rather, it leaks application memory including private SSL/TLS keys.

PKI uses public-key cryptography, which is widely used on the Internet to encrypt messages or

authenticate message senders. In public-key cryptography, a CA generates public and private

keys with the same algorithm simultaneously. The private key is held only by the subject (user,

company, or system) mentioned in the certificate, while the public key is made publicly available

in a directory that all parties can access. The subject keeps the private key secret and uses it to

decrypt the text encrypted by someone else using the corresponding public key (available in a

public directory). Thus, others encrypt messages for the user with the user's public key, and the user decrypts it with his/her private key.

According to CEH v13 Module 08: Sniffing, the attack described is a classic example of ARP spoofing/poisoning which leads to Man-in-the-Middle (MITM) scenarios. In such attacks, a malicious actor sends forged ARP responses to associate their MAC address with the IP address of a target system, redirecting traffic through their machine.

Tool Used: BetterCAP

BetterCAP is a powerful, modular MITM framework.

It can:

Perform ARP spoofing

Intercept and manipulate HTTP/HTTPS traffic

Modify packets in real-time

Carry out credential harvesting and session hijacking

Miley's actions match the default behavior of BetterCAP during an ARP spoofing attack:

Spoof ARP to redirect traffic.

Intercept and analyze (or manipulate) traffic.

Option Clarification:

A. Gobbler: An older ARP tool, but mostly for ARP scanning, not modern MITM attacks.

B. KDerpNSpoof: Incorrect or misspelled; not a recognized CEH tool.

C. BetterCAP: Correct – used for ARP spoofing and traffic manipulation.

D. Wireshark: Passive sniffer; cannot perform ARP spoofing or MITM.

The best practice to meet the client’s requirement is to encrypt data client-side before uploading to the cloud and retain control of the encryption keys. This practice is also known as client-side encryption or end-to-end encryption, and it involves encrypting the data on the client’s device using a software or hardware tool that generates and manages the encryption keys. The encrypted data is then uploaded to the cloud service, where it remains encrypted at rest. The encryption keys are never shared with the cloud service provider or any third party, and they are only used by the client to decrypt the data when needed. This way, the client can maintain full control over the encryption keys and the security of the data, even when the data is stored on a public cloud service12.

The other options are not as optimal as option D for the following reasons:

A. Use the cloud service provider’s encryption services but store keys on-premises: This option is not feasible because it contradicts the client’s requirement of maintaining full control over the encryption keys. Using the cloud service provider’s encryption services means that the client has to rely on the cloud service provider to generate and manage the encryption keys, even if the keys are stored on-premises. The cloud service provider may have access to the keys or the ability to decrypt the data, which may compromise the security and privacy of the data. Moreover, storing the keys on-premises may introduce additional challenges, such as key distribution, synchronization, backup, and recovery3.

B. Use the cloud service provider’s default encryption and key management services: This option is not desirable because it violates the client’s requirement of maintaining full control over the encryption keys. Using the cloud service provider’s default encryption and key management services means that the client has to trust the cloud service provider to encrypt and decrypt the data on the server-side, using the cloud service provider’s own encryption keys and mechanisms. The cloud service provider may have access to the keys or the ability to decrypt the data, which may compromise the security and privacy of the data. Furthermore, the cloud service provider’s default encryption and key management services may not meet the regulatory requirements or the security standards of the client4.

C. Rely on Secure Sockets Layer (SSL) encryption for data at rest: This option is not sufficient because SSL encryption is not designed for data at rest, but for data in transit. SSL encryption is a protocol that encrypts the data as it travels over the internet between the client and the server, using certificates and keys that are exchanged and verified by both parties. SSL encryption can protect the data from being intercepted or modified by unauthorized parties, but it does not protect the data from being accessed or decrypted by the cloud service provider or any third party who has access to the server. Moreover, SSL encryption does not provide the client with any control over the encryption keys or the security of the data.

Comprehensive and Detailed Explanation:

An incident checklist is a low-overhead, high-impact solution to improve procedural consistency under pressure. It ensures critical steps are not forgotten during stressful incidents. The checklist can be reused and updated easily and is a recognized best practice in incident response processes.

From CEH v13 Courseware:

Module 19: Incident Response and Forensics → Incident Handling Procedures

Comprehensive and Detailed Explanation:

Host-based Intrusion Detection Systems (HIDS) run on individual hosts and monitor activities like file access, processes, and system logs. HIDS:

Detects attacks missed by NIDS (e.g., insider threats, encrypted traffic)

Monitors integrity of system files

Works in near real-time

Requires no additional network hardware

Can be implemented at low cost

From CEH v13 Courseware:

Module 13: IDS, Firewalls and Honeypots → Types of IDS (HIDS vs. NIDS)

An advanced persistent threat (APT) may be a broad term wont to describe AN attack campaign within which an intruder, or team of intruders, establishes a bootleg, long presence on a network so as to mine sensitive knowledge.

The targets of those assaults, that square measure terribly fastidiously chosen and researched, usually embrace massive enterprises or governmental networks. the implications of such intrusions square measure huge, and include:

Intellectual property thieving (e.g., trade secrets or patents)

Compromised sensitive info (e.g., worker and user personal data)

The sabotaging of essential structure infrastructures (e.g., information deletion)

Total website takeovers

Executing an APT assault needs additional resources than a regular internet application attack. The perpetrators square measure typically groups of intimate cybercriminals having substantial resource. Some APT attacks square measure government-funded and used as cyber warfare weapons.

APT attacks dissent from ancient internet application threats, in that:

They’re considerably additional advanced.

They’re not hit and run attacks—once a network is infiltrated, the culprit remains so as to realize the maximum amount info as potential.

They’re manually dead (not automated) against a selected mark and indiscriminately launched against an outsized pool of targets.

They typically aim to infiltrate a complete network, as opposition one specific half.

More common attacks, like remote file inclusion (RFI), SQL injection and cross-site scripting (XSS), square measure oftentimes employed by perpetrators to ascertain a footing in a very targeted network. Next, Trojans and backdoor shells square measure typically wont to expand that foothold and make a persistent presence inside the targeted perimeter.

In CEH v13 Module 06: Malware Threats, code emulation is defined as a technique used by modern antivirus software where a virtual CPU and memory are created to safely execute and analyze malware in a sandboxed environment.

This allows the detection engine to observe runtime behavior of suspicious code without risking the actual system.

It’s more effective than signature-based detection for catching polymorphic and obfuscated malware.

The Security Account Manager (SAM) file on Windows contains user account information, including password hashes. Hackers target this file to extract credentials for offline cracking using tools like L0phtCrack or Cain & Abel.

From CEH v13 Official Courseware:

Module 6: Malware Threats

Module 4: Enumeration

CEH v13 Study Guide states:

“The SAM file stores hashed user credentials. If attackers gain access to it, they can extract password hashes and perform brute-force or dictionary attacks offline.”

Common locations:

C:\Windows\System32\config\SAM

C:\Windows\Repair\SAM

Comprehensive and Detailed Explanation:

SIEM (Security Information and Event Management) systems aggregate logs and alerts from across the network—servers, routers, firewalls, IDS/IPS, and applications—and correlate that data to identify suspicious or malicious activity.

They provide:

Real-time alerting

Long-term log storage

Compliance reporting

Incident response facilitation

From CEH v13 Courseware:

Module 12: Evading IDS, Firewalls, and Honeypots → SIEM Tools

A digital certificate, issued by a trusted Certificate Authority (CA), binds a public key to the identity of an entity (e.g., user, organization). This provides a means to validate ownership of the public key.

CEH v13 Reference:

Module 17: Cryptography

"A digital certificate ensures the authenticity of the public key through a trusted third party known as a Certificate Authority."

━━━━━━━━━━━━━━━━━━━━━━

Adware, or advertising supported computer code, is computer code that displays unwanted advertisements on your pc. Adware programs can tend to serve you pop-up ads, will modification your browser’s homepage, add spyware and simply bombard your device with advertisements. Adware may be a additional summary name for doubtless unwanted programs. It’s roughly a virulent disease and it’s going to not be as clearly malicious as a great deal of different problematic code floating around on the net. create no mistake concerning it, though, that adware has to return off of no matter machine it’s on. Not solely will adware be extremely annoying whenever you utilize your machine, it might additionally cause semipermanent problems for your device.

Adware a network users the browser to gather your internet browsing history so as to ’target’ advertisements that appear tailored to your interests. At their most innocuous, adware infections square measure simply annoying. as an example, adware barrages you with pop-up ads that may create your net expertise markedly slower and additional labor intensive.

Comprehensive and Detailed Explanation:

The correct file name is /var/log/auth.log (not auth.fesg). “auth.fesg” is a typo or does not exist by default in Linux systems.

Linux login records include:

/var/log/auth.log – authentication logs

/var/log/wtmp – records login sessions

/var/log/btmp – records failed logins

/var/log/user.log – logs user-level messages (optional)

Therefore, B is not a valid log file.

From CEH v13 Courseware:

Module 6: System Hacking → Covering Tracks in Linux