PDF 312-50v13 Study Guide

This scenario matches a session fixation attack because Michael sets up a valid session identifier with the application first, then forces the victim to authenticate while using that same pre-established session. In CEH terms, session fixation occurs when an attacker “fixes” or plants a known session ID in the victim’s browser, typically via a crafted URL parameter, cookie setting through a subdomain, or a redirect that preserves a session token. If the application does not regenerate the session ID after login, the victim’s authentication becomes bound to the attacker-known session. The attacker can then reuse that same session ID to access the application as the victim, exactly as described when Michael “uses that session to access the portal” after the employee logs in.

The other options do not fit the mechanism. Session sniffing relies on capturing session tokens from network traffic, usually when encryption is missing or weak, but the question focuses on a link and a pre-initialized session rather than intercepting traffic. Session replay generally refers to capturing and replaying authentication exchanges or tokens, not pre-setting a session before the victim authenticates. “Session donation” is not the standard CEH label for this behavior and is not the best match to the described flow.

CEH-recommended mitigations include regenerating session IDs immediately after authentication and privilege changes, rejecting session IDs supplied in URLs, setting Secure and HttpOnly cookie flags, enforcing SameSite where appropriate, implementing short idle timeouts, and adding server-side controls to detect concurrent use or abnormal session binding changes.

The correct answer is A. Activating Dynamic ARP Inspection to validate ARP packets.

The scenario describes a switch discarding ARP replies that do not match known IP-to-MAC and address-to-port bindings. This is the function of Dynamic ARP Inspection (DAI).

CEH-aligned sniffing and ARP defense material states that Dynamic ARP Inspection is used with DHCP snooping, where IP-to-MAC bindings are tracked from DHCP transactions to protect against ARP poisoning. It also notes that DHCP snooping is required to build the MAC-to-IP bindings used for DAI validation . The same material lists the configuration command ip arp inspection vlan < vlan number > and the verification command show ip arp inspection .

Option B is incorrect because displaying the DHCP snooping table only verifies bindings; it does not enforce ARP validation.

Option C is incorrect because DHCP Snooping builds the trusted binding database, but DAI is the feature that validates and drops invalid ARP packets.

Option D is incorrect because BPDU Guard protects spanning-tree edge ports from unexpected BPDUs. It does not validate ARP packets.

Therefore, the best answer is A. Activating Dynamic ARP Inspection to validate ARP packets.

Comprehensive and Detailed Explanation From CEH v13 Guide Topics:

The correct answer is D. SYN. TCP (Transmission Control Protocol) establishes reliable communication between a client and a server through a process known as the three-way handshake. This mechanism ensures that both parties are ready to communicate and agree on sequence numbers before data transfer begins.

The three steps are:

SYN (Synchronize): The client initiates the connection by sending a TCP packet with the SYN flag set to the server. This packet contains the client ' s initial sequence number (ISN).

SYN-ACK (Synchronize-Acknowledge): The server responds with a packet containing both SYN and ACK flags. This acknowledges the client ' s request and provides the server ' s own sequence number.

ACK (Acknowledge): The client sends an ACK packet back to the server, confirming receipt of the server ' s sequence number. At this point, the TCP connection is established and data transmission can begin.

Option A (RST) is used to reset or terminate a connection. Option B (ACK) is used to acknowledge received packets but does not initiate a connection. Option C (SYN-ACK) is sent by the server as the second step of the handshake, not by the client to begin it.

Understanding the TCP three-way handshake is fundamental in CEH network security topics because many attacks, such as SYN flooding, exploit this connection establishment process. Therefore, the client begins the negotiation by sending a SYN packet.

The correct answer is A. Honey trap. In CEH social engineering concepts, a honey trap is a technique in which an attacker creates a fake attractive identity, often on social media or dating platforms, to build emotional trust with a target. The attacker then uses that trust to extract sensitive personal, corporate, or security-related information.

In this scenario, Steve created a fake social media profile and used an appealing profile picture and description to attract Stella. Once Stella accepted the request and began communicating with him, Steve gradually asked questions about her company and collected important organizational information. This matches the honey trap method because the attacker used attraction, trust, and manipulation to obtain confidential information.

Option B, diversion theft, involves redirecting deliveries or information to the wrong location. Option C, piggybacking, means gaining physical access by following an authorized person. Option D, baiting, uses an enticing object or offer, such as infected USB media, to lure victims. Therefore, the best answer is Honey trap.