Passed Exam Today 312-50v13

In CEH v13 Module 03: Scanning Networks, the behavior of firewalls in response to ACK scans is described in detail, especially regarding stateful vs. stateless firewalls.

An ACK scan (nmap -sA) is primarily used for firewall rule analysis. Here’s how it works:

When you send a TCP ACK segment:

If the port is closed and no firewall is present, the target should respond with a TCP RST packet.

If a stateless (non-stateful) firewall is used, it typically allows or blocks packets based only on rules about IP addresses, ports, and protocol type, without tracking session state.

If a stateful firewall is used, it keeps track of connection states. Therefore:

An unsolicited ACK packet (not part of any established session) will be silently dropped, because it doesn’t correspond to any active connection.

No RST is sent back because the firewall suppresses it, recognizing it as potentially malicious or out of context.

Therefore:

No RST response = packet was silently dropped.

Silent dropping of unsolicited ACK packets = Stateful Firewall Behavior.

Option Analysis:

A. There is no firewall in place

❌ Incorrect. If there were no firewall, an RST would be sent from the closed port.

B. This event does not tell you anything about the firewall

❌ Incorrect. The lack of a response is actually meaningful and implies stateful filtering behavior.

C. It is a stateful firewall

Correct. A stateful firewall inspects the packet, sees no valid session, and drops it silently.

D. It is a non-stateful firewall

❌ Incorrect. A non-stateful firewall would typically not inspect session state, and you'd still expect to see a response (likely an RST).

Reference from CEH v13 Study Guide and Courseware:

Module 03 – Scanning Networks, Section: Nmap Scanning Techniques → TCP ACK Scan

CEH Engage Labs – Network Scanning Phase: Firewall Rule Detection using ACK Scans

In an SOA (Start of Authority) record, the fifth value represents the “Expire” interval — the time a secondary DNS server will keep trying to contact the primary server before considering the zone data stale or invalid.

SOA Format:

SOA Primary-NS Hostmaster (Serial Refresh Retry Expire Minimum-TTL)

Given SOA:

(200302028 3600 3600 604800 3600)

Serial: 200302028

Refresh: 3600 seconds

Retry: 3600 seconds

Expire: 604800 seconds = 7 days = 1 week

Minimum TTL: 3600

So, if the secondary DNS cannot contact the primary for 604800 seconds (1 week), it will stop serving that zone’s data.

In CEH v13 Module 14: Cryptography, VPN (Virtual Private Network) technology is described as the method that allows users to securely transmit data over an insecure (public) network by establishing a secure, encrypted tunnel.

VPN Features:

Encrypts all traffic between the user's device and the target network.

Prevents session hijacking, eavesdropping, and man-in-the-middle (MITM) attacks.

Common protocols: IPSec, L2TP, SSL VPN, and OpenVPN.

Option Clarification:

A. DMZ: A network segmentation strategy, not an encryption method.

B. SMB signing: Ensures integrity for SMB protocol, but not for remote tunneling.

C. VPN: Correct. Used to securely tunnel over public networks.

D. Switch network: Refers to network segmentation using switches, unrelated to tunneling.

The honey trap is a technique where an attacker targets a person online by pretending to be an attractive person and then begins a fake online relationship to obtain confidential information about the target company. In this technique, the victim is an insider who possesses critical information about the target organization.

Baiting is a technique in which attackers offer end users something alluring in exchange for

important information such as login details and other sensitive data. This technique relies on

the curiosity and greed of the end-users. Attackers perform this technique by leaving a physical

device such as a USB flash drive containing malicious files in locations where people can easily

find them, such as parking lots, elevators, and bathrooms. This physical device is labeled with a

legitimate company's logo, thereby tricking end-users into trusting it and opening it on their

systems. Once the victim connects and opens the device, a malicious file downloads. It infects

the system and allows the attacker to take control.

For example, an attacker leaves some bait in the form of a USB drive in the elevator with the

label "Employee Salary Information 2019" and a legitimate company's logo. Out of curiosity and

greed, the victim picks up the device and opens it up on their system, which downloads the

bait. Once the bait is downloaded, a piece of malicious software installs on the victim's system,

giving the attacker access.