You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration?

alert tcp any any -> 192.168.100.0/24 21 (msg: "FTP on the network!";)
Correct Answer: D
The given rule syntax is consistent with Snort, a popular open-source Intrusion Detection System (IDS). This rule alerts when any TCP traffic from any source IP and port is sent to IPs within the 192.168.100.0/24 subnet on port 21 (FTP), triggering the alert message "FTP on the network!"

The Snort rule format is:

alert protocol source_IP source_port -> destination_IP destination_port (rule_options)

CEH v13 course materials teach this rule format under IDS/IPS configuration. From the CEH v13 Guide: "Snort rules are used in IDS/IPS to define suspicious traffic patterns. An example rule: alert tcp any any -> 192.168.1.0/24 21 (msg: 'FTP detected') triggers an alert on FTP traffic within a subnet."

Incorrect Options:
* A/C. IP tables are used in firewalls and routers but follow a completely different syntax.
* B. FTP servers do not use such alerting rules.

Reference - CEH v13 Study Guide, Module 12: Evading IDS, Firewalls, and Honeypots, Section: Snort IDS Configuration
312-50v13 Exam Question 87
Which type of attack attempts to overflow the content-addressable memory (CAM) table in an Ethernet switch?
Correct Answer: C
MAC flooding is a Layer 2 attack in which an attacker sends a large number of fake MAC addresses to a switch, filling up its CAM (Content Addressable Memory) table. Once the table is full:
* The switch enters "fail-open" mode and broadcasts traffic to all ports
* The attacker can then sniff sensitive traffic

This attack effectively turns a switch into a hub, facilitating data sniffing.

Incorrect Options:
* A. Evil twin is a wireless attack using rogue access points.
* B. DNS cache flooding corrupts DNS entries, unrelated to Ethernet.
* D. DDoS attacks are about overwhelming systems/services, not Layer 2 memory overflows.

Reference - CEH v13 Official Courseware, Module 11: Sniffing, Section: "Switch Port Stealing and MAC Flooding", Subsection: "Layer 2 Attacks and CAM Table Poisoning"
312-50v13 Exam Question 88
During a security assessment, an attacker identifies a flaw in a multi-user file system. The system first verifies access rights to a temporary file created by a user. However, immediately after this verification, and before the file is processed, the attacker manages to swap the original file with a malicious version. This manipulation happens in the brief interval between the system's access verification and the moment it handles the file, resulting in the malicious file being treated as legitimate. Which vulnerability is the attacker exploiting?
Correct Answer: A
Comprehensive Explanation from CEH v13 Courseware:

CEH v13 explains that TOCTOU (Time-of-Check Time-of-Use) vulnerabilities arise when a system checks a condition (such as file permissions) and then later uses the resource based on that assumption. If there is even a tiny gap between the validation and the actual use, attackers can exploit this race condition by replacing or modifying the resource after validation but before execution. This is common in file-handling operations involving temporary files, symbolic links, or shared directories.

CEH emphasizes that TOCTOU attacks often lead to privilege escalation, unauthorized execution, or tampering with data because the system trusts the earlier validation step. The attacker swaps the file at precisely the right moment, taking advantage of a race window.

The other options (certificate validation, integer overflow, and null pointer dereference) do not involve timing-based race conditions. The scenario exactly matches CEH's description of TOCTOU exploitation, where attackers manipulate file access in the interval between validation and execution.
312-50v13 Exam Question 89
Which Metasploit Framework tool can help a penetration tester evade antivirus systems?
Correct Answer: D
https://www.offensive-security.com/metasploit-unleashed/msfencode/

One of the best ways to avoid being stopped by antivirus software is to encode our payload with msfencode. Msfencode is a useful tool that alters the code in an executable so that it looks different to antivirus software but will still run the same way. Much as the binary attachment in email is encoded in Base64, msfencode encodes the original executable in a new binary. Then, when the executable is run, msfencode decodes the original code into memory and executes it.
312-50v13 Exam Question 90
John wants to send Marie an email that includes sensitive information, and he does not trust the network that he is connected to. Marie gives him the idea of using PGP. What should John do to communicate correctly using this type of encryption?
Correct Answer: B
When a user encrypts plaintext with PGP, PGP first compresses the plaintext. The session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key.

https://en.wikipedia.org/wiki/Pretty_Good_Privacy

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address.

https://en.wikipedia.org/wiki/Public-key_cryptography

Public key encryption uses two different keys. One key is used to encrypt the information and the other is used to decrypt the information. Sometimes this is referred to as asymmetric encryption because two keys are required to make the system and/or process work securely. One key is known as the public key and should be shared by the owner with anyone who will be securely communicating with the key owner. However, the owner's secret key is not to be shared and is considered a private key. If the private key is shared with unauthorized recipients, the encryption mechanisms protecting the information must be considered compromised.