312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

In CEH v13 Module 02: Footprinting and Reconnaissance, Google advanced operators are tools for passive information gathering.

related: operator is used to find websites similar to a given domain or webpage.

This helps attackers discover alternate domains, competitors, or similar content that may be vulnerable or poorly secured.

Example:

related:example.com

Will return a list of sites Google deems related to example.com.

Option Clarification:

A. inurl: – Searches for a keyword in the URL.

B. related: – Correct – Finds similar or related websites.

C. info: – Provides Google’s cached and indexed data about a URL.

D. site: – Restricts search to a specific domain or site.

The command nmap -sX initiates what is known as a Xmas Scan. This type of scan is used to analyze how a target system responds to TCP packets with unusual flag combinations, helping the attacker identify live hosts and open ports without completing a full TCP handshake.

In the Xmas scan, three specific TCP flags are set in the packet:

URG (Urgent)

PSH (Push)

FIN (Finish)

This combination makes the packet appear "lit up like a Christmas tree," hence the name Xmas scan. These packets are sent to target ports to observe the system’s behavior, especially when it does not follow standard RFC 793 behavior.

Closed ports will usually respond with a RST (reset).

Open ports may not respond at all, depending on the operating system and configuration.

This method is typically used to evade detection by firewalls and intrusion detection systems that expect normal TCP traffic patterns.

Reference – CEH v13 Official Study Guide:

Module 03: Scanning Networks, Section: “TCP Scan Types”, Subsection: “Xmas Tree Scan”, Page Reference: typically listed under TCP Flag Scanning Techniques.

CEH v13 iLabs and practical guidance in CEH Engage also cover this scan in reconnaissance simulations.

Incorrect Options Explained:

A. SYN scan (-sS) sets only the SYN flag.

C. ACK scan (-sA) sets the ACK flag.

D. SYN and ACK flags are used in TCP handshake, not in Xmas scan.

Comprehensive and Detailed Explanation:

Steganography allows someone to hide data (like a spreadsheet or document) within another innocuous-looking file (like an image, video, or audio). This disguises the presence of the data entirely, allowing it to bypass standard data loss prevention (DLP) systems and firewalls, which look for file types and suspicious patterns.

From CEH v13 Courseware:

Module 6: Malware Threats → Steganography and Covert Channels

YARA rules are a powerful way to detect and classify malware based on patterns, signatures, and behaviors. They can be used to complement Snort rules, which are mainly focused on network traffic analysis. However, writing YARA rules manually can be time-consuming and error-prone, especially when dealing with large and diverse malware samples. Therefore, using a tool that can automate or assist the generation of YARA rules can be very helpful for ethical hackers.

Among the four options, yarGen is the best choice for this purpose, because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files. This way, yarGen can reduce the false positives and increase the accuracy of the YARA rules. yarGen also supports various features, such as whitelisting, scoring, wildcards, and regular expressions, to improve the quality and efficiency of the YARA rules.

The other options are not as suitable as yarGen for this purpose. AutoYara is a tool that automates the generation of YARA rules from a set of malicious and benign files, but it does not perform any filtering or optimization of the strings, which may result in noisy and ineffective YARA rules. YaraRET is a tool that helps in reverse engineering Trojans to generate YARA rules, but it is limited to a specific type of malware and requires manual intervention and analysis. koodous is a platform that combines social networking with antivirus signatures and YARA rules to detect malware, but it is not a tool for generating YARA rules, rather it is a tool for sharing and collaborating on YARA rules. References:

yarGen - A Tool to Generate YARA Rules

YARA Rules: The Basics

Why master YARA: from routine to extreme threat hunting cases

Comprehensive and Detailed Explanation:

In a MAC flooding attack, tools like macof (shown in the image) rapidly generate a large number of Ethernet frames with spoofed source MAC addresses. These are sent to the switch to overflow its CAM (Content Addressable Memory) table.

Once the CAM table is full:

The switch can no longer learn new MAC-to-port associations.

It fails open and starts broadcasting all incoming traffic to all ports.

This causes the switch to act like a hub.

Consequently, the attacker can:

Sniff traffic that would otherwise be switched.

Intercept data not destined for their system.

From CEH v13 Courseware:

Module 8: Sniffing → Switch-Based Attacks → MAC Flooding

Incorrect Options:

B: A switch typically does not crash but reverts to hub behavior.

C: There is no factory default override behavior like this.

D: Packets are not dropped—this would defeat the attack’s purpose.

https://owasp.org/www-community/attacks/csrf

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.

CSRF attacks target functionality that causes a state change on the server, such as changing the victim’s email address or password, or purchasing something. Forcing the victim to retrieve data doesn’t benefit an attacker because the attacker doesn’t receive the response, the victim does. As such, CSRF attacks target state-changing requests.

It’s sometimes possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called “stored CSRF flaws”. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

The protocol that you would recommend to the team to achieve the secure exchange of the symmetric key is the Diffie-Hellman protocol. The Diffie-Hellman protocol is a key agreement protocol that allows two or more parties to establish a shared secret key over an unsecured communication channel, without having to exchange the key itself. The Diffie-Hellman protocol works as follows12:

The parties agree on a large prime number p and a generator g, which are public parameters that can be known by anyone.

Each party chooses a random private number a or b, which are kept secret from anyone else.

Each party computes a public value A or B, by raising g to the power of a or b modulo p, i.e., A = g^a mod p and B = g^b mod p.

Each party sends their public value A or B to the other party over the unsecured channel.

Each party computes the shared secret key K, by raising the received public value to the power of their own private number modulo p, i.e., K = A^b mod p = B^a mod p.

The parties can now use the shared secret key K to encrypt and decrypt the data using a symmetric key encryption algorithm, such as AES or 3DES.

The Diffie-Hellman protocol can ensure the secure exchange of the symmetric key because it relies on the mathematical difficulty of computing discrete logarithms, which means that it is hard to find the private numbers a or b given the public values A or B, g, and p. Therefore, an attacker who intercepts the public values A or B cannot easily compute the shared secret key K, and thus cannot decrypt the data encrypted with K12.

The other options are not as appropriate as option B for the following reasons:

A. Implementing SSL certificates on your company’s web servers: This option is not relevant because SSL certificates are not used to exchange symmetric keys, but to authenticate the identity of the web servers and to establish a secure connection using public key encryption. SSL certificates are digital certificates that contain the public key and the identity information of the web server, and are issued and signed by a trusted certificate authority (CA). When a client connects to a web server, the web server sends its SSL certificate to the client, who verifies it with the CA. If the verification is successful, the client and the web server use the public key in the certificate to exchange a symmetric key, which is then used to encrypt and decrypt the data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve web servers or SSL certificates34.

C. Switching all data transmission to the HTTPS protocol: This option is not sufficient because HTTPS protocol is not a protocol for exchanging symmetric keys, but a protocol for securing web traffic using SSL or TLS encryption. HTTPS protocol is a combination of HTTP protocol and SSL or TLS protocol, which means that it uses HTTP for the application layer communication and SSL or TLS for the transport layer encryption. When a client requests a web page from a web server using HTTPS protocol, the client and the web server establish a secure connection using SSL or TLS protocol, which involves the exchange of SSL certificates and a symmetric key, as explained in option A. Then, the client and the web server use the symmetric key to encrypt and decrypt the HTTP data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve web servers or HTTPS protocol5 .

D. Utilizing SSH for secure remote logins to the servers: This option is not applicable because SSH is not a protocol for exchanging symmetric keys, but a protocol for securing remote access to servers using public key authentication and encryption. SSH is a protocol that allows a client to securely connect to a server and execute commands or transfer files over an encrypted channel. SSH uses public key cryptography to authenticate the identity of the server and the client, and to exchange a symmetric key, which is then used to encrypt and decrypt the data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve remote logins or SSH protocol .

TCP port 48101 uses the Transmission management Protocol. transmission control protocol is one in all the most protocols in TCP/IP networks. transmission control protocol could be a connection-oriented protocol, it needs acknowledgement to line up end-to-end communications. only a association is about up user’s knowledge may be sent bi-directionally over the association.

Attention! transmission control protocol guarantees delivery of knowledge packets on port 48101 within the same order during which they were sent. bonded communication over transmission control protocol port 48101 is that the main distinction between transmission control protocol and UDP. UDP port 48101 wouldn’t have bonded communication as transmission control protocol.

UDP on port 48101 provides Associate in Nursing unreliable service and datagrams might arrive duplicated, out of order, or missing unexpectedly. UDP on port 48101 thinks that error checking and correction isn’t necessary or performed within the application, avoiding the overhead of such process at the network interface level.

UDP (User Datagram Protocol) could be a borderline message-oriented Transport Layer protocol (protocol is documented in IETF RFC 768).

Application examples that always use UDP: vocalisation IP (VoIP), streaming media and period multiplayer games. several internet applications use UDP, e.g. the name System (DNS), the Routing info Protocol (RIP), the Dynamic Host Configuration Protocol (DHCP), the straightforward Network Management Protocol (SNMP).