Ace Your 312-50v13 CEH v13 Exam

TCP port 21 is used by the File Transfer Protocol (FTP), which is an unencrypted protocol. To detect if unencrypted file transfers are taking place, you can apply the Wireshark display filter:

tcp.port == 21

This will show all traffic to and from FTP servers. Since FTP transmits usernames, passwords, and data in clear text, its use would violate the company’s policy.

CEH v13 states:

“FTP (Port 21) is a cleartext protocol vulnerable to sniffing. To enforce secure communication, companies often transition to SFTP (over SSH, port 22) or FTPS (FTP over TLS/SSL).”

Incorrect Options:

B. Port 23 is used for Telnet, not FTP.

C. Combining FTP (21) and SSH/SFTP (22) would include encrypted traffic, which is not what you're trying to isolate.

D. tcp.port != 21 filters out FTP traffic, which is the opposite of the intended goal.

Reference – CEH v13 Guide:

Module 01: Introduction to Ethical Hacking

Subsection: Sniffing and Cleartext Protocols

Wireshark iLab: Identifying FTP Traffic

===========

In active session hijacking, after identifying a valid session, the attacker must desynchronize the legitimate communication between the client and the server. To do this, Bob should:

Knock one of the parties offline (typically the client).

Then spoof the session by injecting crafted packets using the guessed sequence number.

From CEH v13 Courseware:

Module 11: Session Hijacking

CEH v13 Study Guide states:

“After identifying a session and predicting its sequence number, the attacker forces the original user offline, allowing them to assume control over the connection using spoofed packets.”

Incorrect Options:

A: Taking over the session is the ultimate goal, but the necessary step before that is disconnecting the original participant.

B: Sequence prediction is already done.

C: Sequence number has already been guessed.

CEH training outlines the standard methodology for attacking WPA2-PSK networks: capture the 4-way handshake and then attempt offline cracking of the pre-shared key. The most reliable way to force handshake generation is to perform a de-authentication attack using tools like Aireplay-ng. This attack momentarily disconnects a wireless client, forcing it to reauthenticate with the access point. During this reauthentication, the AP and client exchange the 4-way handshake packets necessary for offline cracking. CEH emphasizes that WPA2 encryption itself cannot be brute-forced directly; attackers must obtain the handshake and then apply dictionary or brute-force attacks offline. Attempting XSS or router spoofing does not capture the handshake and is unrelated to WPA2 key extraction. The deauth attack is also a classic wireless attack vector described extensively in CEH because it is effective, does not require interaction with the encryption algorithm, and works regardless of the strength of the AP’s passphrase. Once the handshake is captured, tools such as Hashcat are used to attempt key recovery.

Josh is preparing to send the payload (malicious file) to the target, which clearly maps to the Delivery phase of the Cyber Kill Chain.

According to CEH v13 and the Cyber Kill Chain model (developed by Lockheed Martin and used in ethical hacking methodology):

Delivery is the third phase of the kill chain.

It involves transmitting the weaponized payload to the target via phishing emails, USB drops, or malicious links.

In this case, Josh is preparing the email with a spoofed identity and malicious attachment — representing an act of delivery.

Incorrect options:

A. Exploitation occurs after delivery, when the payload is executed.

B. Weaponization is the phase where the malicious file is created (combining exploit with a backdoor or trojan).

D. Reconnaissance involves information gathering, completed earlier in the scenario.

Reference – CEH v13 Official Courseware:

Module 01: Introduction to Ethical Hacking

Section: “Cyber Kill Chain Model”

Table Reference: “Stages of a Cyber Attack”

CEH Engage Lab: “Kill Chain Simulation in Phishing Campaigns”