312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

A Kerberoasting attack is a technique that exploits the Kerberos authentication protocol to obtain the password hash of a service account that has a Service Principal Name (SPN). An attacker can request a service ticket (TGS) for the SPN using a valid user’s ticket (TGT) and then attempt to crack the password hash offline. To prevent the attacker from using the TGS to access the service, the system administrator should invalidate the TGS as soon as possible. This can be done by changing the password of the service account, which will generate a new password hash and render the old TGS useless. Alternatively, the system administrator can use tools like Mimikatz to purge the TGS from the memory of the domain controller or the client system. Performing a system reboot, deleting the compromised user’s account, or changing the NTLM password hash used to encrypt the ST are not effective ways to invalidate the TGS, as they do not affect the encryption of the TGS or the validity of the TGT. References:

EC-Council CEHv13 Courseware Module 11: Hacking Webservers, page 11-24

What is a Kerberoasting Attack? – CrowdStrike

How to Perform Kerberoasting Attacks: The Ultimate Guide - StationX

In CEH v13 Information Security and Ethical Hacking Overview, script kiddies are defined as individuals with limited technical knowledge who rely on pre-written tools, scripts, and exploits created by others to carry out attacks. They typically lack a deep understanding of how the underlying exploits work.

CEH v13 categorizes attackers based on skill level and intent. Script kiddies sit at the lower end of the skill spectrum. They often download exploit kits, automated scanners, or attack frameworks and run them with minimal customization. While their attacks may be unsophisticated, they can still cause damage due to the availability of powerful tools.

Option B accurately reflects this definition. Options A and D describe skilled attackers or programmers, which contradicts the CEH classification. Option C is incorrect because ethical hackers use tools responsibly with authorization and possess a strong understanding of security principles.

CEH v13 emphasizes that although script kiddies are less skilled, they pose a risk because automation allows them to exploit known vulnerabilities at scale. This is why organizations must patch systems promptly and implement baseline security controls.

Thus, Option B is the correct answer.

The recommended architecture for secure web application deployment is a multi-tiered setup:

Web server in the DMZ (public-facing)

Application server on the internal network

Database server on the internal network

This design limits the exposure of critical components. Only the web server is exposed to the internet, while application and database servers are shielded by firewalls and only accessible internally.

Reference – CEH v13 Official Study Guide:

Module 10: Hacking Web Servers

Quote:

“Place the web server in the DMZ and keep the application and database servers within the internal network. This reduces the attack surface and provides layered security.”

Incorrect Options Explained:

A. Internal placement makes them inaccessible externally.

C & D. Exposing the database or all servers to the internet introduces significant risk.

=

Types of Password Attacks - Active Online Attacks: Internal Monologue Attack Attackers perform an internal monologue(獨自) attack using SSPI (Security Support Provider Interface) from a user-mode application, where a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on user.Attacker disables the security controls of NetNTLMv1, extracts all the non-network logon tokens from all the active processes to masquerade as legitimate users. (P.594/578)

CEH v13 discusses various credential extraction and authentication abuse techniques, including approaches that avoid LSASS memory due to modern protections like Credential Guard. The Internal Monologue technique is a specialized credential-harvesting approach that leverages the Windows SSPI authentication stack to coerce the local system into generating NetNTLM challenge-response hashes without requiring direct access to LSASS. This allows attackers to obtain legitimate NTLM responses entirely within the user’s security context. These captured responses can then be cracked offline using tools such as Hashcat. Unlike replay attacks (Option B), Internal Monologue is not about reusing captured traffic. Hash injection (Option C) requires possession of NT hashes and modifies authentication tokens, which does not occur here. Pass-the-ticket (Option D) targets Kerberos, not NTLM. Therefore, the correct technique is the Internal Monologue attack.

On Linux and UNIX-like systems, files or directories that begin with a period (.) are considered hidden. These files do not appear by default when a user runs the ls command, unless explicitly instructed to show hidden files using ls -a.

Example:

File named .hiddenfile will not appear with a simple ls command.

To view it, use: ls -a

This is commonly used for configuration files (e.g., .bashrc, .profile) and also by attackers or malicious users who want to conceal their scripts or payloads.

Incorrect Options:

A. Exclamation mark (!) is used in shell history and command expansion, not for hiding files.

B. Underscore (_) is a valid filename character but does not hide files.

C. Tilde (~) represents the current user's home directory; not used for hiding.

Reference – CEH v13 Official Courseware:

Module 06: Malware Threats

Section: “Tactics to Hide Malware Files in the OS”

Lab: CEH Engage — Creating and Hiding Files in Linux

=

MX (Mail Exchange) records in DNS define the mail servers responsible for receiving email for a domain. Each MX record has a priority value.

Important concept:

A lower number indicates a higher priority.

Email servers attempt delivery to the mail server with the lowest priority first.

For example:

If MX records are:

10 mail1.example.com

20 mail2.example.com

Then mail1 will be tried first. If it fails, mail2 will be used.

So the statement “MX record priority increases as the number increases” is false.

Comprehensive and Detailed Explanation:

Subnet 10.1.4.0/23 includes addresses from:

10.1.4.0 to 10.1.5.255

Total = 512 IPs (510 usable)

Last 100 usable IPs would be:

Start: 10.1.5.155 to 10.1.5.254

Only option C (10.1.5.200) falls within that range.

From CEH v13 Courseware:

Module 3: Subnetting & IP Addressing