What is the least important information when you analyze a public IP address in a security alert?
Correct Answer: D
In CEH v13 Module 02: Footprinting and Reconnaissance, and Module 03: Scanning Networks, several tools and techniques are introduced for analyzing public IP addresses when investigating a security alert. Let's evaluate the options:
A). DNS: The Domain Name System (DNS) is essential for mapping IPs to domains. A reverse DNS lookup can reveal whether the IP is associated with a malicious domain, and a forward lookup can confirm legitimacy.
B). Whois: WHOIS records are crucial for identifying IP ownership, registration data, and abuse contacts. They help assess whether the IP belongs to a known threat actor or a suspicious hosting provider.
C). Geolocation: Helps you understand where the IP is physically located. If the IP is in a country known for cybercrime or does not match your user's location, it raises red flags.
D). ARP (Address Resolution Protocol): ARP is local to Layer 2 and works only within a LAN (Local Area Network). ARP cannot resolve or analyze public IP addresses, which operate at Layer 3 of the OSI model. Thus, ARP is the least relevant when analyzing a public IP address, as it deals with MAC-to-IP mapping only in local environments.
Reference: Module 02 - Public IP Analysis Tools (WHOIS, DNS, IP Lookup); CEH iLabs: IP Attribution and Threat Hunting using WHOIS & Geolocation
312-50v13 Exam Question 142
Abel, a security professional, conducts penetration testing in his client organization to check for any security loopholes. He launched an attack on the DHCP servers by broadcasting forged DHCP requests and leased all the DHCP addresses available in the DHCP scope until the server could not issue any more IP addresses. This led to a DoS attack, and as a result, legitimate employees were unable to access the client's network. Which of the following attacks did Abel perform in the above scenario?
Correct Answer: B
A DHCP starvation attack is a malicious attack that targets DHCP servers. During the attack, a hostile actor floods a DHCP server with bogus DISCOVER packets until the DHCP server exhausts its supply of IP addresses. Once that happens, the attacker can deny legitimate network clients service, or even stand up an alternate DHCP server that leads to a Man-in-the-Middle (MITM) attack. In a DHCP starvation attack, a hostile actor sends a huge number of bogus DISCOVER packets until the DHCP server believes it has used up its available pool. Clients looking for IP addresses find that there are none left for them, and they are refused service. Furthermore, they may look for an alternate DHCP server, one which the hostile actor may provide. Moreover, using a hostile or rogue IP address, that hostile actor can now read all the traffic that the client sends and receives. In a hostile environment, where we have a malicious machine running some sort of tool like Yersinia, there could be a machine that sends DHCP DISCOVER packets. This malicious client does not send a handful; it sends thousands of malicious DISCOVER packets using fake, made-up MAC addresses as the source MAC address for each request. If the DHCP server responds to each of these bogus DHCP DISCOVER packets, the whole IP address pool could be exhausted, and that DHCP server could believe it has no more IP addresses to offer to legitimate DHCP requests. When a DHCP server has no more IP addresses to offer, typically the next thing to happen would be for the attacker to bring up their own DHCP server. This rogue DHCP server then starts handing out IP addresses.
The advantage of that to the attacker is that if a bogus DHCP server is distributing IP addresses, including default DNS and gateway information, clients who use those IP addresses and begin to use that default gateway can now be routed through the attacker's machine. That is all that a hostile actor requires to carry out a man-in-the-middle (MITM) attack.
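As an added defensive example (not code from the CEH courseware or this exam), the following Python flags both stages described above, the flood of DISCOVER messages carrying made-up source MACs and the OFFERs from a rogue server, when run over a constructed DHCP event log; the log format, the thresholds and the trusted-server address are assumptions for the demo.

```python
"""Detect DHCP starvation and a rogue DHCP server from DHCP event logs.

Added example, not CEH courseware code. Log format is constructed for this
demo: "<epoch_seconds> <switch_port> <msg_type> <client_mac> <server_ip>",
with server_ip '-' for client messages. Thresholds and the trusted-server
list are assumptions a defender would tune for their own network.
"""
from collections import defaultdict

TRUSTED_DHCP_SERVERS = {"10.0.0.2"}  # assumed: the only legitimate server
MAX_MACS_PER_WINDOW = 5              # assumed: per-port limit, like DHCP snooping rate limits
WINDOW_SECONDS = 10

# Constructed sample: one normal client on port 1, a flood of DISCOVERs with
# made-up source MACs on port 7, then an OFFER from an untrusted server.
SAMPLE_LOG = "\n".join(
    ["1000 Gi1/0/1 DISCOVER 00:11:22:33:44:55 -"]
    + [f"{1000 + i} Gi1/0/7 DISCOVER de:ad:be:ef:00:{i:02x} -"
       for i in range(40)]
    + ["1045 Gi1/0/7 OFFER 00:11:22:33:44:55 10.0.0.99"]
)


def analyze(log_text):
    """Return a list of (port, alert_kind, detail) tuples."""
    alerts = []
    discovers = defaultdict(list)  # port -> [(timestamp, client_mac), ...]
    for line in log_text.splitlines():
        ts, port, mtype, mac, server = line.split()
        if mtype == "DISCOVER":
            discovers[port].append((int(ts), mac))
        elif mtype == "OFFER" and server not in TRUSTED_DHCP_SERVERS:
            # An OFFER from an unlisted server is the rogue-server stage
            alerts.append((port, "rogue_dhcp_server", server))
    for port, events in discovers.items():
        events.sort()
        start = 0
        # Sliding window: count distinct client MACs seen within WINDOW_SECONDS
        for end in range(len(events)):
            while events[end][0] - events[start][0] >= WINDOW_SECONDS:
                start += 1
            distinct = {m for _, m in events[start:end + 1]}
            if len(distinct) > MAX_MACS_PER_WINDOW:
                alerts.append((port, "dhcp_starvation",
                               f"{len(distinct)} client MACs in {WINDOW_SECONDS}s"))
                break  # one alert per port is enough
    return alerts
```

The same check is what DHCP snooping on a switch enforces in hardware: untrusted ports are rate-limited and may not source OFFERs at all.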
312-50v13 Exam Question 143
Which of the following allows attackers to draw a map or outline of the target organization's network infrastructure to know about the actual environment that they are going to hack?
Correct Answer: D
Objectives of Footprinting: Draw Network Map - Combining footprinting techniques with tools such as Tracert allows the attacker to create diagrammatic representations of the target organization's network presence. Specifically, it allows attackers to draw a map or outline of the target organization's network infrastructure to know about the actual environment that they are going to break into. These network diagrams can guide the attacker in performing an attack. (P.114/98)
312-50v13 Exam Question 144
A security analyst investigates unusual east-west traffic on a corporate network. A rogue device has been physically inserted between a workstation and the switch, enabling unauthorized access while inheriting the workstation's authenticated network state. Which evasion technique is being used?
Correct Answer: B
Network Access Control (NAC) solutions often authenticate only the first device connected to a port. CEH explains that attackers can insert a rogue device behind an already authenticated host, bypassing NAC checks. This creates a transparent bridge that forwards legitimate traffic while injecting attacker-controlled communications.
312-50v13 Exam Question 145
Which type of sniffing technique is generally referred to as a MiTM attack?
Correct Answer: B
Comprehensive and Detailed Explanation: ARP Poisoning (Address Resolution Protocol Poisoning) is a classic Man-in-the-Middle (MiTM) attack in a LAN environment. It works by sending fake ARP replies to devices on a network to associate the attacker's MAC address with the IP address of another host (typically the default gateway). As a result, network traffic meant for the gateway is sent to the attacker instead. The attacker can then intercept, modify, or forward the traffic to the actual destination, performing a full MiTM. This allows the attacker to sniff sensitive data (e.g., credentials, emails), hijack sessions, and inject malicious payloads.
From CEH v13 Courseware: Module 8: Sniffing, Topic: MiTM Attacks / ARP Spoofing Techniques
Incorrect Options:
A). Password Sniffing is a result of MiTM but not a technique itself.
C). MAC Flooding is a switch attack that floods the CAM table to make the switch act like a hub.
D). DHCP Sniffing relates to capturing DHCP messages but is not commonly used for MiTM.
Reference: CEH v13 Study Guide - Module 8: ARP Poisoning and MiTM Attacks; OWASP Network Threats - ARP Spoofing
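As an added defensive example (not code from the CEH courseware or this exam), the following Python audits a constructed sequence of ARP replies for the two signs of the poisoning described above: an existing IP-to-MAC binding being rewritten (especially the gateway's), and one MAC answering for several IPs. The gateway address and its pinned MAC are assumptions for the demo.

```python
"""Flag ARP replies that rewrite an existing IP-to-MAC binding (ARP poisoning).

Added example, not CEH courseware code. Input is a constructed list of observed
ARP replies as (sender_ip, sender_mac) in arrival order. GATEWAY_IP and its
pinned MAC are assumptions, standing in for a static ARP entry a defender
would configure in practice.
"""

GATEWAY_IP = "192.168.1.1"                           # assumed gateway address
KNOWN_BINDINGS = {GATEWAY_IP: "aa:bb:cc:00:00:01"}   # assumed pinned binding

# Constructed capture: two normal replies, then a second MAC answering for the
# gateway and for a workstation (the two-sided pattern that puts the attacker
# between the two victims).
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.20", "aa:bb:cc:00:00:14"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    ("192.168.1.20", "de:ad:be:ef:00:01"),  # same MAC also claims the workstation
]


def audit_arp(replies, known=None):
    """Return a list of alert dicts; an empty list means no binding changed."""
    table = dict(known if known is not None else KNOWN_BINDINGS)  # ip -> last mac
    ips_by_mac = {}                                              # mac -> {ips claimed}
    alerts = []
    for ip, mac in replies:
        prev = table.get(ip)
        if prev is not None and prev != mac:
            # A reply that contradicts what we already know is the poisoning signal
            alerts.append({"type": "binding_changed", "ip": ip, "old": prev,
                           "new": mac, "gateway": ip == GATEWAY_IP})
        table[ip] = mac
        ips_by_mac.setdefault(mac, set()).add(ip)
    # One MAC answering for several IPs is how a host inserts itself between
    # a workstation and its gateway.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append({"type": "mac_claims_many_ips", "mac": mac,
                           "ips": sorted(ips)})
    return alerts
```

Tools such as arpwatch apply the first check continuously; the second catches the attacker even when the gateway binding was never learned beforehand.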