312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

Server-side request forgery (also called SSRF) is a net security vulnerability that allows an assaulter to induce the server-side application to make http requests to associate arbitrary domain of the attacker’s choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services among the organization’s infrastructure, or to external third-party systems.

Another type of trust relationship that often arises with server-side request forgery is where the application server is able to interact with different back-end systems that aren’t directly reachable by users. These systems typically have non-routable private informatics addresses. Since the back-end systems normally ordinarily protected by the topology, they typically have a weaker security posture. In several cases, internal back-end systems contain sensitive functionality that may be accessed while not authentication by anyone who is able to act with the systems.

In the preceding example, suppose there’s an body interface at the back-end url https://192.168.0.68/admin. Here, an attacker will exploit the SSRF vulnerability to access the executive interface by submitting the following request:

POST /product/stock HTTP/1.0

Content-Type: application/x-www-form-urlencoded

Content-Length: 118

stockApi=http://192.168.0.68/admin

CEH’s SQL Injection coverage distinguishes between classic (error-based), union-based, boolean-based blind, and time-based blind SQL injection. Time-based blind SQL injection is used when the application does not return database errors or query results to the attacker (no visible output), but the attacker can infer execution behavior by measuring response delays.

A time-based payload intentionally triggers a database delay function (for example, SLEEP(), WAITFOR DELAY, pg_sleep() depending on DBMS). If the injection is successful, the page response time increases predictably, confirming that attacker-controlled SQL is being executed.

Option C is the correct time-based blind probe because it uses conditional logic (IF(1=1, SLEEP(5), 0)) to cause a measurable delay only when the injected condition evaluates true. CEH teaches that this technique is particularly effective against hardened applications that suppress errors and sanitize outputs, because timing becomes the side-channel for confirmation.

Option A and Option D are UNION-based payload patterns intended to extract data via returned result sets, which time-based blind scenarios typically do not provide. Option B is a classic authentication-bypass/boolean test; it can indicate injection but does not specifically validate time-based blind behavior when output is not observable.

CEH mitigation guidance includes parameterized queries, strict input validation, least-privilege DB accounts, WAF tuning, and centralized logging to detect anomalous query timing patterns.

This scenario describes steganographic sniffing, a highly sophisticated technique covered in CEH v13 Network Sniffing and Steganography. By embedding sensitive data inside legitimate image files—such as CT scans—attackers can intercept or exfiltrate patient information while avoiding detection.

Option D represents a steganography-based covert channel, which is extremely difficult to identify because:

The file appears legitimate

Standard encryption and IDS tools do not flag it

Medical images naturally contain large data volumes

Options A and B involve malware, which is more detectable. Option C involves text-based covert channels, which are easier to analyze than binary image embedding.

CEH v13 identifies steganography as one of the hardest data-hiding techniques to detect, making Option D correct.

A cryptographic hash function is used to ensure data integrity. It generates a fixed-length output (digest) from any size of input data. If the data is modified in any way, the resulting hash will change. This allows systems to detect data tampering, ensuring that the data remains unaltered from its original form.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Hash functions are used to ensure the integrity of a message or file by producing a unique digest that changes if the data is modified.”

Incorrect Options:

A. Authentication ensures identity, not data integrity.

B. Confidentiality is achieved via encryption, not hashing.

C. Availability pertains to system uptime and accessibility, not hashes.

=

Types of Vulnerability Assessment - External Assessment External assessment examines the network from a hacker’s point of view to identify exploits and vulnerabilities accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks from outside the organization. It determines the level of security of the external network and firewall. (P.527/511)

External assessment examines the network from a hacker’s point of view to identify exploits and vulnerabilities accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks from outside the organization. It determines the level of security of the external network and firewall.

The following are some of the possible steps in performing an external assessment:

o Determine a set of rules for firewall and router configurations for the external network

o Check whether the external server devices and network devices are mapped o Identify open ports and related services on the external network o Examine the patch levels on the server and external network devices o Review detection systems such as IDS, firewalls, and application-layer protection systems

o Get information on DNS zones

o Scan the external network through a variety of proprietary tools available on the Internet

o Examine Web applications such as e-commerce and shopping cart software for vulnerabilities

The CEH Malware Threats module defines polymorphic malware as malicious code that mutates its appearance (code, encryption, packing) each time it propagates, making signature-based detection ineffective. Dormancy and trigger-based activation are also common characteristics.

CEH emphasizes that behavior-based detection, sandboxing, and heuristic analysis are the most effective countermeasures against polymorphic threats.

Option D is correct.

Options A, B, and C do not address polymorphic evasion techniques.

A low-and-slow scanning technique spreads probe attempts over long intervals, reducing the chance of triggering IDS signatures that rely on detecting rapid or high-volume scans. CEH highlights timing-based evasion as an effective method for reconnaissance against networks with strict perimeter controls.

If SNMP access is restricted to specific IP addresses (e.g., 192.168.1.0/24), you can bypass access controls by:

Spoofing the source IP to fall within that allowed range.

Using a SNMP set request to instruct the device (e.g., to copy its configuration to a TFTP server).

This is a classic SNMP spoofing attack.

From CEH v13 Courseware:

Module 4: Enumeration → SNMP Enumeration Attacks