312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

CEH defines ethical hacking as the authorized, structured, and permission-based process of identifying vulnerabilities to strengthen an organization’s security posture. Ethical hackers operate under a signed scope-of-work and follow legal boundaries. Malicious hackers, by contrast, exploit systems without permission, often with harmful or criminal intent. CEH emphasizes that both ethical and malicious hackers may use similar tools, techniques, and methodologies; the distinction lies entirely in authorization, intent, and legality. Ethical hacking is conducted to improve defenses, while malicious hacking targets exploitation, theft, or disruption. Nothing in CEH materials suggests that toolsets or work styles distinguish the two groups; permission and lawful operation remain the central differentiators.

According to the Certified Ethical Hacker (CEH) Reconnaissance and Footprinting module, DNS cache snooping is a passive information-gathering technique used to determine whether a specific DNS record exists in a server’s cache. Attackers commonly use the dig +norecurse option to prevent the DNS server from querying other DNS servers, thereby revealing only cached results.

When a DNS server responds with NOERROR but does not return an answer, it indicates that the domain name itself is valid, but the requested record is not present in the DNS cache. CEH documentation explains that this situation usually occurs when no internal client has recently queried that domain, so the DNS server has no cached entry for it.

Option A is incorrect because a cached record would return a valid answer section.

Option B is incorrect because NOERROR explicitly means the DNS query was processed successfully.

Option D is incorrect because an expired or non-existent domain would typically return NXDOMAIN, not NOERROR.

CEH materials highlight that attackers use DNS cache snooping to infer user behavior, internal browsing habits, and potential target systems within an organization—making option C the correct conclusion.

In CEH v13 Maintaining Access, stealth and persistence are key goals after compromise. Placing a backdoor in a file type excluded from resource maps (such as image metadata, configuration files, or uncommon extensions) reduces the likelihood of discovery by automated scanners and integrity checks.

Option D is correct because many security tools focus on executable or commonly accessed web files. Files excluded from resource maps are less likely to be scanned or monitored.

Option A increases detection risk due to frequent changes. Option B increases signature visibility. Option C still exposes the file to access logs and monitoring.

CEH v13 highlights that attackers often hide backdoors in non-obvious locations to avoid detection. Therefore, Option D is correct.

The nbtstat command is a Windows utility that displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables, and the NetBIOS name cache. However, the nbtstat command does not support IPv6 addresses, which are the standard format for the Internet Protocol version 6 (IPv6). Therefore, using the nbtstat command with IPv6 addresses will result in an error message or no output. To enumerate NetBIOS names on a network that uses IPv6, you should switch to an enumeration tool that supports IPv6, such as Nmap, which is a network scanning and security auditing tool. Nmap has a scripting engine (NSE) that allows users to write and execute scripts for various network tasks, including NetBIOS enumeration. Nmap can also detect the operating system, services, and vulnerabilities of the target machines, regardless of the IP version they use. References:

Nbtstat Command - Computer Hope

Nbtstat CMD: Windows Network Command Line Prompt

[Nmap Scripting Engine (NSE) Documentation]

A pharming attacker tries to send a web site’s traffic to a faux website controlled by the offender, typically for the aim of collection sensitive data from victims or putting in malware on their machines. Attacker tend to specialize in making look-alike ecommerce and digital banking websites to reap credentials and payment card data.

Though they share similar goals, pharming uses a special technique from phishing. “Pharming attacker are targeted on manipulating a system, instead of tricking people into reaching to a dangerous web site,” explains David Emm, principal security man of science at Kaspersky. “When either a phishing or pharming attacker is completed by a criminal, they need a similar driving issue to induce victims onto a corrupt location, however the mechanisms during which this is often undertaken are completely different.”

Web Application Threats - Watering Hole Attack In a watering hole attack, the attacker identifies the kinds of websites a target company/individual frequently surfs and tests those particular websites to identify any possible vulnerabilities. Attacker injects malicious script/code into the web application that can redirect the webpage and download malware onto the victim machine. (P.1797/1781)

PKI uses public-key cryptography, which is widely used on the Internet to encrypt messages or

authenticate message senders. In public-key cryptography, a CA generates public and private

keys with the same algorithm simultaneously. The private key is held only by the subject (user,

company, or system) mentioned in the certificate, while the public key is made publicly available

in a directory that all parties can access. The subject keeps the private key secret and uses it to

decrypt the text encrypted by someone else using the corresponding public key (available in a

public directory). Thus, others encrypt messages for the user with the user's public key, and the user decrypts it with his/her private key.

In CEH v13 Module 01: Information Security Fundamentals, the types of threat intelligence are categorized as Strategic, Tactical, Operational, and Technical, each serving different security roles.

Tactical Threat Intelligence – Correct Answer

Definition: Provides information in a machine-readable format such as indicators of compromise (IOCs) — including IP addresses, file hashes, URLs, domains, and signatures.

Purpose: Used to update security appliances like firewalls, IDS/IPS, endpoint protection to automatically detect and block threats in real-time.

Roma used threat intelligence in this exact way — automating detection and blocking via security tools.

Why Other Options Are Incorrect:

A. Technical Threat Intelligence: Often overlaps with tactical but usually refers to low-level indicators used for internal analysis, not device-ready feeds.

B. Operational Threat Intelligence: Focuses on specific campaigns, attacker TTPs, and is generally not automated or directly used in security appliances.

D. Strategic Threat Intelligence: High-level, non-technical insights for executives and decision-makers — used for long-term planning, not immediate threat blocking.