Pass 312-50v13 Exam Guide

CEH teaches that certain advanced intrusion evasion techniques rely on understanding how firewalls differentiate between new connections and established traffic. Most perimeter firewalls scrutinize SYN packets and initial HTTP requests but allow ACK packets from established sessions to pass with minimal filtering. ACK tunneling leverages this behavior by embedding malicious payloads inside ACK packets, which appear to be part of a legitimate, pre-established session. Because ACK packets are often considered " safe, " they bypass deep inspection engines, intrusion detection systems, and application-layer gateways. This method allows attackers to move data or commands covertly between compromised internal systems and external hosts. CEH references such evasion strategies when discussing bypassing stateful firewalls and making malicious traffic appear legitimate. Port knocking and SYN scans would initiate new connections—precisely what the firewall is heavily inspecting. ICMP flooding is noisy and easily detected. ACK tunneling is specifically designed for stealth and is aligned with red team tradecraft for avoiding packet-level inspection mechanisms.

Jason’s goal is to capture live SNMP traffic on the wire and manually inspect protocol fields such as community strings, OIDs, and variable bindings within requests and responses. The method described is packet capture and protocol dissection, which is exactly what Wireshark is designed for. Wireshark can capture traffic from an interface (or from a mirrored/SPAN port) and decode SNMP at the protocol level, presenting SNMP PDUs in a human-readable structure. This enables an assessor to view SNMP GET/GETNEXT/GETBULK requests, SET operations (if present), and responses, including the transmitted identifiers and values—useful for verifying whether sensitive SNMP data is exposed in transit.

The scenario explicitly states Jason is not running structured queries and instead wants to observe “SNMP requests and responses in transit,” which rules out tools that actively query devices. SnmpWalk (C) is an active enumeration tool that queries SNMP agents using a community string and walks a subtree of the MIB; that is the opposite of passive traffic inspection. Nmap (A) can scan ports and perform some SNMP-related scripts, but it still operates as an active probing tool rather than a live traffic capture and manual field review platform. SoftPerfect Network Scanner (D) is a network discovery tool for identifying hosts and services; it is not a packet-level sniffer intended for dissecting SNMP messages on the wire.

Additionally, the mention of “manual parsing” is consistent with packet analysis workflows: even though Wireshark decodes SNMP, the analyst still needs to interpret what OIDs and values mean, correlate requests to responses, and assess sensitivity (e.g., community strings in SNMPv1/v2c are not encrypted, and captured traffic may reveal them).

Therefore, the correct method is B. Wireshark.

The correct answer is Host-based Scanning. CEH vulnerability assessment material explains that host-based scanning focuses on individual systems such as servers, desktops, and workstations, and is intended to discover local security weaknesses including file permissions, registry permissions, patch issues, configuration errors, installed software problems, and operating-system-level exposures. The question explicitly mentions Windows servers and workstations, valid logins to each device, and inspection targets such as registry settings and local file permissions. Those are classic indicators of host-based scanning. Network-based scanning would focus more on exposed network services, listening ports, protocol behavior, and remotely visible vulnerabilities. External scanning is concerned with internet-facing exposure from outside the organization. Application scanning is too narrow because the scenario is not limited to a specific software application but instead covers broad system-level posture. CEH guidance often notes that host-based vulnerability scans may be credentialed so the scanner can inspect the internal configuration of each machine in detail. Because the assessment is centered on system-specific misconfigurations and local security settings across endpoints and servers, host-based scanning is the best classification.

CEH notes that cloud IAM misconfigurations can unintentionally grant broad access. If any authenticated cloud account is permitted read/write access, attackers can simply authenticate with their own cloud identity and directly interact with the misconfigured storage buckets, enabling data exfiltration or manipulation.