CEH v13 312-50v13 ECCouncil Study Notes

The correct answer is D, Rules of engagement. In CEH pre-engagement concepts, the rules of engagement document defines the authorized boundaries of a penetration test before any testing begins. It specifies what testing techniques are permitted, which systems or networks may be tested, when testing may occur, what actions are prohibited, whom to contact during emergencies, and how incidents such as service disruption should be handled. It also helps protect the penetration tester by documenting client approval and limiting liability when the tester acts within the agreed boundaries. A project scope may list targets, IP ranges, applications, or business units included in testing, but it does not fully cover operational permissions and liability terms by itself. A nondisclosure agreement protects confidential information discovered during the engagement. A service-level agreement defines service expectations such as uptime, response time, or support obligations. Therefore, the document that best matches allowed testing, timing, and tester liability limits is the Rules of engagement.

According to the Certified Ethical Hacker (CEH) System Hacking and Session Hijacking module, sidejacking is a form of session hijacking where an attacker passively intercepts network traffic to capture unencrypted session cookies. These cookies are then reused to impersonate the authenticated user without needing credentials.

CEH documentation explains that sidejacking commonly occurs on unencrypted HTTP connections, public Wi-Fi networks, or improperly secured internal networks. Once the session cookie is stolen, the attacker can replay it to gain access to the victim’s active session.

Option B correctly describes this mechanism and directly matches CEH’s definition of sidejacking.

Option A refers to perimeter exploitation, not session hijacking.

Option C describes social engineering, which is unrelated to sidejacking.

Option D is an example of cross-site scripting (XSS), not sidejacking.

CEH emphasizes HTTPS enforcement and secure cookie attributes as key countermeasures.

CEH v13 clarifies that nbtstat is used only for NetBIOS name table enumeration, not for listing shared resources. Tags such as < 20 > indicate file server services, but share enumeration requires tools like net view or SMB enumeration utilities.

Thus, the inability to list shares is due to tool limitation, not service configuration. Option C is correct.

According to the Certified Ethical Hacker (CEH) Reconnaissance and Footprinting module, DNS cache snooping is a passive information-gathering technique used to determine whether a specific DNS record exists in a server’s cache. Attackers commonly use the dig +norecurse option to prevent the DNS server from querying other DNS servers, thereby revealing only cached results.

When a DNS server responds with NOERROR but does not return an answer, it indicates that the domain name itself is valid, but the requested record is not present in the DNS cache. CEH documentation explains that this situation usually occurs when no internal client has recently queried that domain, so the DNS server has no cached entry for it.

Option A is incorrect because a cached record would return a valid answer section.

Option B is incorrect because NOERROR explicitly means the DNS query was processed successfully.

Option D is incorrect because an expired or non-existent domain would typically return NXDOMAIN, not NOERROR.

CEH materials highlight that attackers use DNS cache snooping to infer user behavior, internal browsing habits, and potential target systems within an organization—making option C the correct conclusion.