Selected 312-50v13 CEH v13 Questions Answers

The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

NTP is intended to synchronize all participating computers within a few milliseconds of Coordinated Universal Time (UTC). It uses the intersection algorithm, a modified version of Marzullo's algorithm, to select accurate time servers and is designed to mitigate variable network latency effects. NTP can usually maintain time to within tens of milliseconds over the public Internet and achieve better than one millisecond accuracy in local area networks. Asymmetric routes and network congestion can cause errors of 100 ms or more.

The protocol is usually described in terms of a client-server model but can easily be used in peer-to-peer relationships where both peers consider the other to be a potential time source. Implementations send and receive timestamps using the User Datagram Protocol (UDP) on port number 123.

In CEH v13 Module 11: Hacking Wireless Networks, Kismet is introduced as a passive wireless sniffer and network detector used primarily on Linux systems.

Kismet passively listens for wireless beacons and data frames.

Can detect hidden SSIDs, rogue APs, and even wireless client behaviors.

Does not transmit any packets, making it stealthy and ideal for wireless reconnaissance.

Option Analysis:

A. Burp Suite: Used for web application testing, not wireless.

B. OpenVAS: Vulnerability scanner, not a packet sniffer.

C. tshark: CLI version of Wireshark, can analyze wired and wireless packets, but not wireless-specific or passive by default.

D. Kismet: Correct wireless packet analyzer for Linux.

In CEH v13 Module 14: Cryptography, Serpent is detailed as one of the finalists in the Advanced Encryption Standard (AES) competition, known for its strong security characteristics.

Key Features of Serpent:

128-bit block size, and key sizes of 128, 192, or 256 bits.

Uses 32 rounds of substitution and permutation.

Operates on four 32-bit words per block.

Employs 8 different S-boxes, each with a 4-bit input and 4-bit output.

Designed to provide high security and resistance against differential cryptanalysis.

Option Clarification:

A. TEA: Uses a Feistel structure with simple operations, but not 32 rounds with S-boxes.

B. CAST-128: Has 64-bit block size and fewer rounds.

C. RC5: Variable block and key sizes but doesn’t use 32 rounds with fixed S-box design.

D. Serpent: Matches all given features.

In this scenario, users outside the organization (like Smith and Joseph on dial-up) see the defaced site, while Joseph on the internal corporate network sees the legitimate site. Tripwire confirms that the files on the actual web server are intact. This clearly indicates that the attack was not on the server itself, but rather on how external users are being directed to a malicious server.

This behavior is indicative of a DNS poisoning attack. The attacker poisoned the DNS cache of an external DNS resolver, redirecting to a malicious server. Internal DNS servers, unaffected by the poisoning, still resolved to the correct IP address.

From CEH v13:

Module 3: DNS Poisoning and Spoofing

Module 5: Vulnerability Analysis

CEH v13 Study Guide states:

“DNS poisoning involves injecting false information into a DNS resolver’s cache, causing users to be redirected to malicious websites without changing the actual web server’s content.”

Incorrect Options:

A: ARP spoofing affects local network address resolution, not global DNS.

B: SQL injection is used to exploit databases, not alter DNS records.

D: Routing table injection affects traffic routes, but wouldn’t explain DNS-level redirection discrepancies.