CEH v13 312-50v13 Syllabus Exam Questions Answers

CEH v13 follows the Incident Response Lifecycle, which prioritizes identification and analysis before containment, unless there is immediate risk of catastrophic damage. In this scenario, the attacker has escalated privileges, but the organization still needs to understand what actions are being taken, what systems are affected, and whether lateral movement is occurring.

Option C aligns with CEH v13 best practices. Real-time monitoring and documentation allow analysts to:

Identify attacker techniques and tools

Preserve volatile evidence

Understand scope and impact

Implement targeted containment

Immediately powering down the server (Option B) may destroy volatile forensic evidence and disrupt services unnecessarily. Engaging forensic teams (Option A) is important but premature without initial analysis. Running vulnerability scans (Option D) does not address the active threat.

CEH v13 stresses that informed containment is more effective than reactive shutdowns. Therefore, Option C is correct.

SYN/FIN scanning using IP fragments is a process of scanning that was developed to avoid false positives generated by other scans because of a packet filtering device on the target system. The TCP header splits into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet allow the remote host to reassemble the packets upon receipt via an Internet protocol module that detects the fragmented data packets using field-equivalent values of the source, destination, protocol, and identification.

The CEH Web Application Hacking module identifies Session Fixation as a powerful session management attack that can bypass advanced authentication controls, including MFA.

In session fixation, the attacker forces the victim to authenticate using a session ID already known to the attacker. Once authentication completes, the attacker hijacks the valid session without needing credentials.

Option A directly targets session management logic.

Option B exploits authorization logic, not session handling.

Option C is unrelated to session management.

Option D is mitigated by encrypted cookies and HTTPS.

CEH explicitly warns that applications must regenerate session IDs after authentication.

Spanning Tree Protocol (STP) manipulation attacks involve an attacker injecting BPDUs (Bridge Protocol Data Units) to force a switch to recognize the attacker’s system as the root bridge. Once this is achieved, the attacker can:

Redirect traffic through their own machine

Create a SPAN (Switched Port Analyzer) session to mirror traffic

Intercept, sniff, or modify data passing through the network

This is typically the next logical step in an STP attack to facilitate a Man-in-the-Middle (MITM) position.

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Quote:

“An attacker who becomes the root bridge using STP manipulation can redirect traffic and use SPAN ports to mirror traffic to their system for analysis or manipulation.”

Incorrect Options:

B. OSPF is a Layer 3 routing protocol, not relevant here.

C. DoS is not the goal of this specific attack.

D. Attacking all switches is inefficient and unnecessary once root access is gained.

=