SOX stands for Sarbanes-Oxley Act of 2002. It is a U.S. federal law enacted to protect shareholders and the general public from accounting errors and corporate fraud.

Key points:

Requires strict internal controls and financial disclosures in publicly traded companies.

Mandates regular audits and IT security controls related to financial data.

Applies especially to accounting systems, databases, access controls, and IT procedures related to financial reporting.

Incorrect Options:

A. PCI-DSS relates to securing credit card data.

B. FISMA pertains to federal agency cybersecurity standards.

D. ISO/IEC 27001:2013 is an international information security standard, not a legal requirement for financial integrity.

Reference – CEH v13 Official Courseware:

Module 01: Introduction to Ethical Hacking

Section: “Compliance and Legal Concepts”

Table: "Major Laws and Regulations in Information Security"

===========

Before the incident response team is contacted, it’s crucial to contain the breach to prevent further data exfiltration or compromise. Disconnecting the affected server from the network immediately halts communication with any malicious actors.

━━━━━━━━━━━━━━━━━━━━━━

In CEH v13 Module 17: Mobile and IoT Security, Advanced SMS Phishing (also known as SMiShing) is described as a technique where attackers impersonate trusted entities via SMS to:

Trick users into entering authentication codes or PINs.

Deliver malicious payloads or alter device configurations.

Simulate OTA (Over-the-Air) provisioning messages.

In this case:

The attacker sends a fake OTA setup message asking for a PIN.

Once Ben enters the PIN, the device's configuration is hijacked.

Why Others Are Incorrect:

B. Bypass SSL pinning: Relates to mobile app reverse engineering and traffic interception.

C. Phishing: General term; SMS-specific variant is more accurate here.

D. Tap ‘n ghost: A touch screen manipulation attack, unrelated to messaging.

Correct answer is A. Advanced SMS phishing.

Web Server Attacks - DNS Server Hijacking Attacker compromises the DNS server and changes the DNS settings so that all the requests coming towards the target web server are redirected to his/her own malicious server. (P.1623/1607)

A Protocol Analyzer is the correct tool used to examine the contents of packet data (often stored in .pcap files) to determine if a particular sequence of traffic is suspicious, malformed, or part of a known exploit.

In CEH v13:

Module 3: Scanning Networks

Module 4: Enumeration

Module 5: Vulnerability Analysis

Related Lab: Packet Analysis using Wireshark

The CEH v13 Study Guide states:

“A protocol analyzer (e.g., Wireshark) captures and decodes packets to display their contents and help analysts understand communication flows and anomalies. It is used to manually inspect packet contents and behavior, which helps distinguish legitimate traffic from attacks.”

PCAP (Packet Capture) files are typically analyzed using tools like Wireshark. These tools decode protocol layers and show payloads, making it easier for analysts to identify if IDS alerts were accurate or false positives.

Incorrect Options:

B. Network sniffer: General term; protocol analyzer is the specific functional tool used.

C. IPS: Prevents or blocks malicious traffic, but does not analyze existing packet captures.

D. Vulnerability scanner: Identifies vulnerabilities on systems/services; not used for packet capture review.

A powerful and often the most effective cryptanalysis method in which the attack is directed at the most vulnerable link in the cryptosystem - the person. In this attack, the cryptanalyst uses blackmail, threats, torture, extortion, bribery, etc. This method's main advantage is the decryption time's fundamental independence from the volume of secret information, the length of the key, and the cipher's mathematical strength.

The method can reduce the time to guess a password, for example, for AES, to an acceptable level; however, it requires special authorization from the relevant regulatory authorities. Therefore, it is outside the scope of this course and is not considered in its practical part.

 DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts

■ HOSTMIB.MIB: Monitors and manages host resources

■ LNMIB2.MIB: Contains object types for workstation and server services

■ MIBJI.MIB: Manages TCP/IP-based Internet using a simple architecture and system

■ WINS.MIB: For the Windows Internet Name Service (WINS)

https://en.wikipedia.org/wiki/Subnetwork

This is a fairly simple question. You must to understand what a subnet mask is and how it works.

A subnetwork or subnet is a logical subdivision of an IP network.The practice of dividing a network into two or more networks is called subnetting.

Computers that belong to the same subnet are addressed with an identical most-significant bit-group in their IP addresses. This results in the logical division of an IP address into two fields: the network number or routing prefix and the rest field or host identifier. The rest field is an identifier for a specific host or network interface.

The routing prefix may be expressed in Classless Inter-Domain Routing (CIDR) notation written as the first address of a network, followed by a slash character (/), and ending with the bit-length of the prefix. For example, 198.51.100.0/24 is the prefix of the Internet Protocol version 4 network starting at the given address, having 24 bits allocated for the network prefix, and the remaining 8 bits reserved for host addressing. Addresses in the range 198.51.100.0 to 198.51.100.255 belong to this network. The IPv6 address specification 2001:db8::/32 is a large address block with 296 addresses, having a 32-bit routing prefix.

For IPv4, a network may also be characterized by its subnet mask or netmask, which is the bitmask that when applied by a bitwise AND operation to any IP address in the network, yields the routing prefix. Subnet masks are also expressed in dot-decimal notation like an address. For example, 255.255.255.0 is the subnet mask for the prefix 198.51.100.0/24.

STP prevents bridging loops in a redundant switched network environment. By avoiding loops, you can ensure that broadcast traffic does not become a traffic storm.

STP is a hierarchical tree-like topology with a “root” switch at the top. A switch is elected as root based on the lowest configured priority of any switch (0 through 65,535). When a switch boots up, it begins a process of identifying other switches and determining the root bridge. After a root bridge is elected, the topology is established from its perspective of the connectivity. The switches determine the path to the root bridge, and all redundant paths are blocked. STP sends configuration and topology change notifications and acknowledgments (TCN/TCA) using bridge protocol data units (BPDU).

An STP attack involves an attacker spoofing the root bridge in the topology. The attacker broadcasts out an STP configuration/topology change BPDU in an attempt to force an STP recalculation. The BPDU sent out announces that the attacker’s system has a lower bridge priority. The attacker can then see a variety of frames forwarded from other switches to it. STP recalculation may also cause a denial-of-service (DoS) condition on the network by causing an interruption of 30 to 45 seconds each time the root bridge changes. An attacker using STP network topology changes to force its host to be elected as the root bridge.

These tools are all Distributed Denial of Service (DDoS) attack tools that coordinate large numbers of systems (bots) to flood target networks or services:

Trinoo – UDP flood-based DDoS tool

TFN2k (Tribe Flood Network 2000) – Supports ICMP, SYN, and other attack types

WinTrinoo – Windows variant of Trinoo

Stacheldraht – Combines features of Trinoo and TFN with encryption and auto-updating

T-Sight – DDoS control tool

From CEH v13 Official Courseware:

Module 9: Denial-of-Service Attacks

CEH v13 Study Guide states:

“These tools are classic examples of distributed DoS platforms used by attackers to launch coordinated flood attacks using compromised hosts.”

Incorrect Options:

A: Not all tools were developed by the same group.

B: Not typically used by defenders.

D/E: These tools are cross-platform (some run on Linux, others on Windows).

In CEH v13 Module 03: Scanning Networks, the behavior of firewalls in response to ACK scans is described in detail, especially regarding stateful vs. stateless firewalls.

An ACK scan (nmap -sA) is primarily used for firewall rule analysis. Here’s how it works:

When you send a TCP ACK segment:

If the port is closed and no firewall is present, the target should respond with a TCP RST packet.

If a stateless (non-stateful) firewall is used, it typically allows or blocks packets based only on rules about IP addresses, ports, and protocol type, without tracking session state.

If a stateful firewall is used, it keeps track of connection states. Therefore:

An unsolicited ACK packet (not part of any established session) will be silently dropped, because it doesn’t correspond to any active connection.

No RST is sent back because the firewall suppresses it, recognizing it as potentially malicious or out of context.

Therefore:

No RST response = packet was silently dropped.

Silent dropping of unsolicited ACK packets = Stateful Firewall Behavior.

Option Analysis:

A. There is no firewall in place

❌ Incorrect. If there were no firewall, an RST would be sent from the closed port.

B. This event does not tell you anything about the firewall

❌ Incorrect. The lack of a response is actually meaningful and implies stateful filtering behavior.

C. It is a stateful firewall

Correct. A stateful firewall inspects the packet, sees no valid session, and drops it silently.

D. It is a non-stateful firewall

❌ Incorrect. A non-stateful firewall would typically not inspect session state, and you'd still expect to see a response (likely an RST).

Reference from CEH v13 Study Guide and Courseware:

Module 03 – Scanning Networks, Section: Nmap Scanning Techniques → TCP ACK Scan

CEH Engage Labs – Network Scanning Phase: Firewall Rule Detection using ACK Scans

A DHCP starvation assault is a pernicious computerized assault that objectives DHCP workers. During a DHCP assault, an unfriendly entertainer floods a DHCP worker with false DISCOVER bundles until the DHCP worker debilitates its stock of IP addresses. When that occurs, the aggressor can deny genuine organization clients administration, or even stock an other DHCP association that prompts a Man-in-the-Middle (MITM) assault.

In a DHCP Starvation assault, a threatening entertainer sends a huge load of false DISCOVER parcels until the DHCP worker thinks they’ve used their accessible pool. Customers searching for IP tends to find that there are no IP addresses for them, and they’re refused assistance. Furthermore, they may search for an alternate DHCP worker, one which the unfriendly entertainer may give. What’s more, utilizing a threatening or sham IP address, that unfriendly entertainer would now be able to peruse all the traffic that customer sends and gets.

In an unfriendly climate, where we have a malevolent machine running some sort of an instrument like Yersinia, there could be a machine that sends DHCP DISCOVER bundles. This malevolent customer doesn’t send a modest bunch – it sends a great many vindictive DISCOVER bundles utilizing sham, made-up MAC addresses as the source MAC address for each solicitation.

In the event that the DHCP worker reacts to every one of these false DHCP DISCOVER parcels, the whole IP address pool could be exhausted, and that DHCP worker could trust it has no more IP delivers to bring to the table to legitimate DHCP demands.

When a DHCP worker has no more IP delivers to bring to the table, ordinarily the following thing to happen would be for the aggressor to get their own DHCP worker. This maverick DHCP worker at that point starts giving out IP addresses.

The advantage of that to the assailant is that if a false DHCP worker is distributing IP addresses, including default DNS and door data, customers who utilize those IP delivers and begin to utilize that default passage would now be able to be directed through the aggressor’s machine. That is all that an unfriendly entertainer requires to play out a man-in-the-center (MITM) assault.