312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

If the token itself (e.g., hardware key or smartcard) performs offline verification of the PIN, it can be physically attacked. An attacker can:

Steal the token

Try all possible PIN combinations (0000–9999)

Bypass limits if no lockout mechanisms exist

This is a brute-force attack — the attacker tries every combination until the correct one is found.

From CEH v13 Courseware:

Module 6: Malware and Authentication

Module 20: Identity and Access Management

Incorrect Options:

A: Birthday attacks are related to hash collisions.

C: MITM involves intercepting communication, not offline brute-force.

D: Smurf is a DoS attack, not related to token/PIN systems.

The command C. Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 -flood is the correct one to spoof IP addresses for anonymity during probing. This command sends SYN packets (-S) to the target IP 192.168.1.1 with a spoofed source IP (-a) 192.168.1.254 on port 22 (-p) and floods the target with packets (-flood). This way, the CEH can hide his real IP address and avoid detection by the target’s firewall or IDS12.

The other commands are incorrect for the following reasons:

A. Hping3 -110.0.0.25 --ICMP: This command sends ICMP packets (–ICMP) to the target IP 10.0.0.25, but does not spoof the source IP. Therefore, the CEH’s real IP address will be exposed to the target.

B. Nmap -sS -Pn -n -vw --packet-trace -p- --script discovery -T4: This command performs a stealthy SYN scan (-sS) on all ports (-p-) of the target without pinging it (-Pn) or resolving DNS names (-n). It also enables verbose output (-v), packet tracing (–packet-trace), and discovery scripts (–script discovery) with an aggressive timing (-T4). However, this command does not spoof the source IP, and in fact, reveals more information about the scan to the target by using packet tracing and discovery scripts.

D. Hping3-210.0.0.25-p 80: This command sends TCP packets (default) to the target IP 10.0.0.25 on port 80 (-p), but does not spoof the source IP. Therefore, the CEH’s real IP address will be exposed to the target.

NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost-effective programs to protect their information and information systems.

This question is about web link enumeration using Linux CLI tools — a common initial step during information gathering in penetration testing, covered in CEH v13 Module 02: Footprinting and Reconnaissance.

Objective:

Extract all hyperlinks (i.e., ) from the homepage of a target site to collect subpages, links, or external URLs.

Let’s analyze each component of Option B:

=

=

curl -s <a href="https://site.com">https://site.com | grep '

curl -s <a href="https://site.com:">https://site.com: Silently fetches the HTML source of the main page.

grep '

grep "site.com": Further filters those that point to site.com.

cut -d "v" -f 2: Cuts the line based on the delimiter v to isolate part of the URL — though not perfect, it attempts to extract the visible link.

While not perfectly formed (due to slightly inconsistent quote usage), Option B demonstrates the correct logic chain for web link enumeration using pipes in Linux: fetching, filtering, and extracting.

Why Other Options Are Incorrect:

A. dirb <a href="https://site.com">https://site.com | grep "site"

❌ dirb is used for brute-forcing directories, not grabbing links from HTML.

C. wget https://site.com | grep "

❌ Incorrect. wget will download the entire content (including binary files by default), and piping it directly to grep without -O - or -q -O - makes it ineffective.

D. wget <a href="https://site.com">https://site.com | cut -d "http"

❌ Incorrect. Syntax error (cut -d"http" is invalid without correct delimiter formatting), and again wget needs to be directed to stdout using -O -.

Corrected Optimal Syntax for Real-World Use:

bash

CopyEdit

curl -s https://site.com | grep -oP 'href="\Khttp[^"]+' | grep "site.com"

This uses -oP with Perl-compatible regex to extract only URLs and is a method recommended in CEH iLabs and demonstrations.

Reference from CEH v13 Study Materials:

Module 02 – Footprinting and Reconnaissance, Section: Website Footprinting and Web Crawling

CEH iLabs – Website Information Gathering Lab

CEH Engage Range: Passive and Active Footprinting Phase – Linux Scripting Tasks

Blind SQL Injection is a type of SQL injection attack where no error messages or data are directly returned to the attacker. Instead, the attacker sends specially crafted SQL queries that result in true or false responses. Based on how the application responds (such as redirecting to a different page or loading time), the attacker infers information about the backend database.

According to CEH v13:

Blind SQLi is used when standard SQL injection yields no visible output.

It comes in two forms:

Boolean-based: Infers information based on application behavior.

Time-based: Infers information based on server response time delays.

Incorrect Options:

A. Time-based SQLi is a sub-type of Blind SQLi, but the question describes Boolean-based behavior.

B. Union SQL injection uses the UNION keyword to fetch additional rows; requires visible output.

C. Error-based SQL injection relies on database error messages.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Types of SQL Injection”

Subsection: “Blind SQL Injection (Boolean and Time-Based)”

===========