Download Full Version 312-50v13 ECCouncil Exam

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 describes Firewalking as a reconnaissance technique designed to determine which layer-4 protocols and ports a firewall allows. The attacker sends packets with carefully adjusted TTL values so that the packet expires just beyond the firewall. If the next hop generates ICMP Time Exceeded responses, the attacker can infer which ports the firewall permits. This method mimics normal TTL behavior, making it stealthier than full SYN scans or high-noise probing. Firewalking is expressly highlighted in CEH as a low-profile way to map firewall ACLs without triggering alarms. Broadcast pings are noisy and detectable, passive DNS monitoring does not reveal firewall rule sets, and full SYN scans are easily flagged by IDS systems. Firewalking’s reliance on TTL behavior, combined with protocol-specific probes, makes it the correct and CEH-aligned technique for quietly discovering open ports and firewall filtering rules.

WS-Address provides additional routing information in the SOAP header to support asynchronous communication. This technique allows the transmission of web service requests and response messages using different TCP connections

&q=WS-Address+spoofing

CEH V11 Module 14 Page 1896

In authentication, Multi-Factor Authentication (MFA) involves using more than one category of authentication factors:

Something you know (e.g., password)

Something you have (e.g., RFID badge, token)

Something you are (e.g., biometrics like fingerprints, facial recognition, gait)

In this scenario:

The RFID badge is "something you have" (a physical object).

The gait recognition (walking pattern) captured by the camera is a biometric—"something you are" (a physical characteristic).

Together, these two methods represent two distinct authentication factors, thereby implementing true multi-factor authentication.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Topic: Authentication Mechanisms

Quote:

“Examples of multi-factor authentication include combining biometrics (something you are) with a smart card or badge (something you have). Gait recognition is considered a behavioral biometric and falls under ‘something you are’.”

Incorrect Options Explained:

A. Incorrect — gait and RFID represent two separate factor types, not one.

C. No evidence in the scenario supports high false positives.

D. Gait analysis is a recognized biometric method and can be used for identification.

CEH v13 explains that IDS systems are often tuned to detect active scanning behavior, especially port scans and TCP/UDP probing that generate recognizable signatures. The command nmap -sn -PE performs a pure ICMP Echo Request ping sweep without sending any TCP SYN, UDP probes, or other packets normally associated with port enumeration. Since this mode disables port scanning entirely, it produces minimal traffic that resembles legitimate network behavior. CEH emphasizes that many networks allow ICMP Echo traffic internally for diagnostics, so such pings may not be treated as suspicious unless rate thresholds are exceeded. Because the tester avoided SYN packets, ACK probes, and UDP scans, the IDS saw no malicious pattern or connection attempts. The effectiveness of this technique is highlighted in CEH under passive and stealth reconnaissance, where minimal interaction is used to avoid detection. Thus, the scan succeeded because it relied solely on ICMP host discovery, not port scanning.