312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

Reverse engineering is the process of analyzing compiled software to reconstruct its source code or understand its structure and functionality. In the context of mobile applications:

It involves decompiling the APK (for Android) or IPA (for iOS) files.

Analysts can inspect the disassembled or decompiled code.

The goal is to uncover logic flaws, identify hardcoded secrets, debug issues, or assess security weaknesses.

According to CEH v13:

Reverse engineering is a common security assessment method to validate code quality and investigate vulnerabilities in mobile and binary applications.

Tools like JADX, Apktool, Hopper, and Ghidra are often used.

Incorrect Options:

B. App sandboxing restricts app access to system resources; it's a protection mechanism, not an analysis method.

C. Jailbreaking is the process of removing OS restrictions, not source code analysis.

D. Social engineering manipulates human behavior, unrelated to code or binary analysis.

Reference – CEH v13 Official Courseware:

Module 17: Hacking Mobile Platforms

Section: “Mobile Application Security Testing”

Subsection: “Reverse Engineering Tools and Techniques”

===========

Bug bounty programs allow independent security researchers to report bugs to an companies and receive rewards or compensation. These bugs area unit sometimes security exploits and vulnerabilities, although they will additionally embody method problems, hardware flaws, and so on.

The reports area unit usually created through a program travel by associate degree freelance third party (like Bugcrowd or HackerOne). The companies can got wind of (and run) a program curated to the organization’s wants.

Programs is also non-public (invite-only) wherever reports area unit unbroken confidential to the organization or public (where anyone will sign in and join). they will happen over a collection timeframe or with without stopping date (though the second possibility is a lot of common).

Who uses bug bounty programs?

Many major organizations use bug bounties as an area of their security program, together with AOL, Android, Apple, Digital Ocean, and goldman Sachs. you’ll read an inventory of all the programs offered by major bug bounty suppliers, Bugcrowd and HackerOne, at these links.

Why do corporations use bug bounty programs?

Bug bounty programs provide corporations the flexibility to harness an outsized cluster of hackers so as to seek out bugs in their code.

This gives them access to a bigger variety of hackers or testers than they’d be able to access on a one-on-one basis. It {can also|also will|can even|may also|may} increase the probabilities that bugs area unit found and reported to them before malicious hackers can exploit them.

It may also be an honest publicity alternative for a firm. As bug bounties became a lot of common, having a bug bounty program will signal to the general public and even regulators that a corporation incorporates a mature security program.

This trend is likely to continue, as some have began to see bug bounty programs as an business normal that all companies ought to invest in.

Why do researchers and hackers participate in bug bounty programs?

Finding and news bugs via a bug bounty program may end up in each money bonuses and recognition. In some cases, it will be a good thanks to show real-world expertise once you are looking for employment, or will even facilitate introduce you to parents on the protection team within an companies.

This can be full time income for a few of us, income to supplement employment, or the way to point out off your skills and find a full time job.

It may also be fun! it is a nice (legal) probability to check out your skills against huge companies and government agencies.

What area unit the disadvantages of a bug bounty program for independent researchers and hackers?

A lot of hackers participate in these varieties of programs, and it will be tough to form a major quantity of cash on the platform.

In order to say the reward, the hacker has to be the primary person to submit the bug to the program. meaning that in apply, you may pay weeks searching for a bug to use, solely to be the person to report it and build no cash.

Roughly ninety seven of participants on major bug bounty platforms haven’t sold-out a bug.

In fact, a 2019 report from HackerOne confirmed that out of quite three hundred,000 registered users, solely around two.5% received a bounty in their time on the platform.

Essentially, most hackers are not creating a lot of cash on these platforms, and really few square measure creating enough to switch a full time wage (plus they do not have advantages like vacation days, insurance, and retirement planning).

What square measure the disadvantages of bug bounty programs for organizations?

These programs square measure solely helpful if the program ends up in the companies realizeing issues that they weren’t able to find themselves (and if they’ll fix those problems)!

If the companies is not mature enough to be able to quickly rectify known problems, a bug bounty program is not the right alternative for his or her companies.

Also, any bug bounty program is probably going to draw in an outsized range of submissions, several of which can not be high-quality submissions. a corporation must be ready to cope with the exaggerated volume of alerts, and also the risk of a coffee signal to noise magnitude relation (essentially that it’s probably that they’re going to receive quite few unhelpful reports for each useful report).

Additionally, if the program does not attract enough participants (or participants with the incorrect talent set, and so participants are not able to establish any bugs), the program is not useful for the companies.

The overwhelming majority of bug bounty participants consider web site vulnerabilities (72%, per HackerOn), whereas solely a number of (3.5%) value more highly to seek for package vulnerabilities.

This is probably because of the actual fact that hacking in operation systems (like network hardware and memory) needs a big quantity of extremely specialised experience. this implies that firms may even see vital come on investment for bug bounties on websites, and not for alternative applications, notably those that need specialised experience.

This conjointly implies that organizations which require to look at AN application or web site among a selected time-frame may not need to rely on a bug bounty as there is no guarantee of once or if they receive reports.

Finally, it are often probably risky to permit freelance researchers to try to penetrate your network. this could end in public speech act of bugs, inflicting name harm within the limelight (which could end in individuals not eager to purchase the organizations’ product or service), or speech act of bugs to additional malicious third parties, United Nations agency may use this data to focus on the organization.

Comprehensive and Detailed Explanation:

To identify inconsistencies in secure asset records and confirm that systems meet baseline security standards, vulnerability scanning and checking data items (e.g., configuration settings, software versions) is essential. This helps the analyst discover gaps between expected and actual system states.

From CEH v13 Official Curriculum:

Module 5: Vulnerability Assessment → Security Assessment Techniques

“Automated vulnerability scanners and asset inventories help validate that systems are compliant with security baselines.”

One of the biggest problems a worm faces in achieving a very fast rate of infection is “getting off the ground.” although a worm spreads exponentially throughout the early stages of infection, the time needed to infect say the first 10,000 hosts dominates the infection time.

There is a straightforward way for an active worm a simple this obstacle, that we term hit-list scanning. Before the worm is free, the worm author collects a listing of say ten,000 to 50,000 potentially vulnerable machines, ideally ones with sensible network connections. The worm, when released onto an initial machine on this hit-list, begins scanning down the list. once it infects a machine, it divides the hit-list in half, communicating half to the recipient worm, keeping the other half.

This fast division ensures that even if only 10-20% of the machines on the hit-list are actually vulnerable, an active worm can quickly bear the hit-list and establish itself on all vulnerable machines in only some seconds. though the hit-list could begin at 200 kilobytes, it quickly shrinks to nothing during the partitioning. This provides a great benefit in constructing a quick worm by speeding the initial infection.

The hit-list needn’t be perfect: a simple list of machines running a selected server sort could serve, though larger accuracy can improve the unfold. The hit-list itself is generated victimization one or many of the following techniques, ready well before, typically with very little concern of detection.

Stealthy scans. Portscans are so common and then wide ignored that even a quick scan of the whole net would be unlikely to attract law enforcement attention or over gentle comment within the incident response community. However, for attackers wish to be particularly careful, a randomised sneaky scan taking many months would be not possible to attract much attention, as most intrusion detection systems are not currently capable of detecting such low-profile scans. Some portion of the scan would be out of date by the time it had been used, however abundant of it’d not.

Distributed scanning. an assailant might scan the web using a few dozen to some thousand already-compromised “zombies,” the same as what DDOS attackers assemble in a very fairly routine fashion. Such distributed scanning has already been seen within the wild–Lawrence Berkeley National Laboratory received ten throughout the past year.

DNS searches. Assemble a list of domains (for example, by using wide offered spam mail lists, or trolling the address registries). The DNS will then be searched for the science addresses of mail-servers (via mx records) or net servers (by looking for www.domain.com).

Spiders. For net server worms (like Code Red), use Web-crawling techniques the same as search engines so as to produce a list of most Internet-connected web sites. this would be unlikely to draw in serious attention.

Public surveys. for many potential targets there may be surveys available listing them, like the Netcraft survey.

Just listen. Some applications, like peer-to-peer networks, wind up advertising many of their servers. Similarly, many previous worms effectively broadcast that the infected machine is vulnerable to further attack. easy, because of its widespread scanning, during the Code Red I infection it was easy to select up the addresses of upwards of 300,000 vulnerable IIS servers–because each came knock on everyone’s door!

MX (Mail Exchange) records in DNS define the mail servers responsible for receiving email for a domain. Each MX record has a priority value.

Important concept:

A lower number indicates a higher priority.

Email servers attempt delivery to the mail server with the lowest priority first.

For example:

If MX records are:

10 mail1.example.com

20 mail2.example.com

Then mail1 will be tried first. If it fails, mail2 will be used.

So the statement “MX record priority increases as the number increases” is false.

The described method is a classic example of a Side-Channel Attack, specifically a Timing Attack.

Key characteristics:

It exploits variations in response time from a system to infer sensitive information, such as the correct number of characters in a password.

In this scenario, if a correct character causes a longer processing time, the attacker can deduce the correct sequence iteratively.

According to CEH v13:

Side-channel attacks do not directly break encryption but rely on observing system behavior like timing, power consumption, or electromagnetic leaks.

These attacks are effective against poorly implemented authentication mechanisms or embedded systems like ICS/SCADA.

Incorrect Options:

B. Denial-of-service is aimed at making systems unavailable, not extracting credentials.

C. HMI-based attacks involve manipulating the human-machine interface of ICS systems.

D. Buffer overflow exploits memory handling flaws, not timing behavior.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Cryptanalysis and Side-Channel Attacks”

Subsection: “Timing Attacks and Password Recovery”

A brute force attack is a method of trying different combinations of passwords or keys to gain access to a system or service. It is not a reliable way of detecting a honeypot, as it may trigger an alert or response from the target. Moreover, a brute force attack does not provide any information about the system’s characteristics or behavior that could indicate a honeypot. A honeypot is a decoy system that is designed to attract and trap attackers, while providing security teams with valuable intelligence and insights. Therefore, an ethical hacker needs to use more subtle and stealthy techniques to detect and avoid honeypots.

The other options are valid techniques for detecting a honeypot. Probing system services and observing the three-way handshake can reveal anomalies or inconsistencies in the system’s responses, such as abnormal banners, ports, or protocols. Using honeypot detection tools like Send-Safe Honeypot Hunter can scan the target network and identify potential honeypots based on various criteria, such as IP address, domain name, or open ports. Analyzing the MAC address can detect instances running on VMware, which is a common platform for deploying honeypots. A honeypot running on VMware will have a MAC address that starts with 00:0C:29, 00:50:56, or 00:05:69. References:

What is a Honeypot? Types, Benefits, Risks and Best Practices

Using Honeypots for Network Intrusion Detection

Detecting Honeypot Access With Varonis

Kernel-mode rootkits run with the best operating system privileges (Ring 0) by adding code or replacement parts of the core operating system, as well as each the kernel and associated device drivers. Most operative systems support kernel-mode device drivers, that execute with a similar privileges because the software itself. As such, several kernel-mode rootkits square measure developed as device drivers or loadable modules, like loadable kernel modules in Linux or device drivers in Microsoft Windows. This category of rootkit has unrestricted security access, however is tougher to jot down. The quality makes bugs common, and any bugs in code operative at the kernel level could seriously impact system stability, resulting in discovery of the rootkit. one amongst the primary wide familiar kernel rootkits was developed for Windows NT four.0 and discharged in Phrack magazine in 1999 by Greg Hoglund. Kernel rootkits is particularly tough to observe and take away as a result of they operate at a similar security level because the software itself, and square measure therefore able to intercept or subvert the foremost sure software operations. Any package, like antivirus package, running on the compromised system is equally vulnerable. during this scenario, no a part of the system is sure.