A hybrid attack combines the benefits of both dictionary and brute-force attacks. It takes words from a dictionary and applies modifications such as:

Appending or prepending numbers or symbols

Changing case (e.g., admin → Admin1!)

Leetspeak substitutions (e.g., p@ssw0rd)

From CEH v13 Official Courseware:

Module 6: Malware Threats

Topic: Password Cracking Methods

CEH v13 Study Guide states:

“A hybrid attack is a combination of dictionary and brute-force techniques. It takes dictionary words and mutates them to cover common variations, making it more effective than pure dictionary attacks.”

Incorrect Options:

A/B/D: These are not standard terminology in cryptographic or password auditing literature.

The Security Account Manager (SAM) file on Windows contains user account information, including password hashes. Hackers target this file to extract credentials for offline cracking using tools like L0phtCrack or Cain & Abel.

From CEH v13 Official Courseware:

Module 6: Malware Threats

Module 4: Enumeration

CEH v13 Study Guide states:

“The SAM file stores hashed user credentials. If attackers gain access to it, they can extract password hashes and perform brute-force or dictionary attacks offline.”

Common locations:

C:\Windows\System32\config\SAM

C:\Windows\Repair\SAM

In CEH v13 Module 03: Scanning Networks, ICMP scan types are covered under host discovery techniques in Nmap/Zenmap.

The -PP option in Nmap is used to perform an ICMP timestamp request scan.

This method sends an ICMP timestamp request and listens for a timestamp reply from the target.

It helps analysts determine the system uptime and verify whether the host is alive (for stealthy discovery).

Option Clarification:

A. -PY: SCTP INIT Ping (used for SCTP-based hosts).

B. -PU: UDP Ping (sends UDP packets).

C. -PP: ICMP Timestamp Ping — correct answer.

D. -Pn: Skips host discovery (treats all hosts as alive), not a ping type.

CEH’s Malware Analysis module outlines a structured approach:

Identify suspicious indicators (e.g., JavaScript, OpenAction)

Extract and analyze embedded objects

Determine behavior and exploit logic

PDFStreamDumper allows analysts to extract JavaScript code and embedded objects for detailed inspection.

Option B is correct.

Option A is useful but insufficient for deep analysis.

Option C only aids identification, not behavior understanding.

DNS poisoning (also known as DNS cache poisoning) occurs when a malicious actor injects false DNS data into a DNS resolver's cache. The poisoned entry will persist for the duration of its TTL (Time To Live), which is defined in the DNS SOA (Start of Authority) record.

The SOA record contains several fields including:

Serial number

Refresh

Retry

Expire

Minimum TTL

The Minimum TTL value in the SOA record determines how long a DNS resolver should cache the DNS data — including any potentially poisoned data.

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Topic: DNS Enumeration & Poisoning

CEH v13 Study Guide states:

“The SOA record includes a minimum TTL value that dictates how long DNS information should be cached by other DNS servers. If DNS cache poisoning occurs, the false information will persist until the TTL expires.”

Incorrect Options:

A: MX (Mail Exchange) defines mail servers, not TTLs.

C: NS (Name Server) specifies authoritative servers, not caching durations.

D: TIMEOUT is not a valid DNS resource record.

CEH v13 explains that packet fragmentation is a classic and effective IDS evasion technique. By breaking malicious payloads into smaller fragments, attackers attempt to prevent the IDS from reconstructing the full packet stream correctly, thereby avoiding signature detection.

Many IDS systems rely on packet reassembly and pattern matching. Fragmented packets can confuse or overload the reassembly process, especially if the IDS is poorly configured. CEH v13 specifically lists fragmentation, overlapping fragments, and out-of-order packets as evasion techniques used to bypass network defenses.

Option B describes malware propagation, not IDS evasion. Option C is a social engineering attack, unrelated to IDS detection. Option D is a denial-of-service attempt, not a stealth evasion method.

CEH v13 highlights that defending against fragmentation-based evasion requires proper normalization and reassembly configuration in IDS/IPS systems. Therefore, Option A is the correct answer.

A sheep dip computer is a dedicated device that is used to test inbound files or physical media for viruses, malware, or other harmful content, before they are allowed to be used with other computers. The term sheep dip comes from a method of preventing the spread of parasites in a flock of sheep by dipping the new animals that farmers are adding to the flock in a trough of pesticide. A sheep dip computer is isolated from the organization’s network and has port monitors, file monitors, network monitors, and antivirus software installed. Before initiating the analysis of a potentially malicious program, the analyst should store the program on an external medium, such as a CD-ROM, and then insert it into the sheep dip computer. This way, the analyst can prevent the program from infecting other devices or spreading over the network, and can safely analyze its behavior and characteristics.

The other options are not correct steps to take before initiating the analysis. Running the potentially malicious program on the sheep dip computer may cause irreversible damage to the device or compromise its security. Connecting the sheep dip computer to the organization’s internal network may expose the network to the risk of infection or attack. Installing the potentially malicious program on the sheep dip computer may not be possible or advisable, as the program may require certain dependencies or permissions that the sheep dip computer does not have or allow. 

The host command in Linux is used for DNS lookup operations. The switch -t specifies the type of DNS record you are querying.

host -t a domain.com queries for A (Address) records, which return the IP address associated with a domain.

host -t ns queries for name servers (NS records).

host -t soa queries for the Start of Authority (SOA) record.

host -t AXFR attempts a zone transfer (not a standard resolution method and typically blocked).

Hence, option A correctly resolves a domain name to its IP address.

Vulnerability scanning software is a tool that can help security analysts identify and prioritize known vulnerabilities in their systems and applications. However, it is not a perfect solution and has some limitations that need to be considered. One of the most critical limitations is that vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed. This means that the software itself might have bugs, errors, or oversights that could affect its accuracy, reliability, or performance. For example, the software might:

Fail to detect some vulnerabilities due to incomplete or outdated databases, incorrect signatures, or insufficient coverage of the target system or application.

Produce false positives or false negatives due to misinterpretation of the scan results, incorrect configuration, or lack of context or validation.

Cause unintended consequences or damage to the target system or application due to intrusive or aggressive scanning techniques, such as exploiting vulnerabilities, modifying data, or crashing services.

Be vulnerable to attacks or compromise by malicious actors who could exploit its weaknesses, tamper with its functionality, or steal its data.

Therefore, the security analyst should be most cautious about this limitation of vulnerability scanning software, as it could lead to a false sense of security, missed opportunities for remediation, or increased exposure to threats. The security analyst should always verify the scan results, use multiple tools and methods, and update and patch the software regularly to mitigate this risk.

CEH v13 defines a Trojan as malware that appears as a legitimate, trusted software application while secretly executing malicious actions behind the scenes. Trojans rely on deception rather than replication, often masquerading as tools, utilities, updates, or installers. Once executed, they may install backdoors, steal credentials, exfiltrate data, or modify system settings. The defining characteristic emphasized in CEH is the legitimate-looking façade combined with hidden malicious intent, which matches the scenario perfectly. Spyware (Option B) focuses on monitoring and data collection but does not necessarily disguise itself as legitimate software. Worms (Option C) self-replicate across networks, which is not described here. Rootkits (Option D) hide system compromise but do not necessarily pose as legitimate software. Therefore, the malware described is a Trojan.

Comprehensive and Detailed Explanation:

An incident checklist is a low-overhead, high-impact solution to improve procedural consistency under pressure. It ensures critical steps are not forgotten during stressful incidents. The checklist can be reused and updated easily and is a recognized best practice in incident response processes.

From CEH v13 Courseware:

Module 19: Incident Response and Forensics → Incident Handling Procedures

The CEH Cloud Computing module identifies cloud APIs as one of the most critical attack surfaces in public cloud environments. APIs control provisioning, configuration, authentication, and management of cloud resources.

A vulnerability in a cloud API can allow attackers to:

Bypass authentication

Escalate privileges

Access or modify cloud resources

Create or delete services

Option B is therefore correct.

Option A relates to availability, not API flaws.

Option C is managed by the provider and unrelated to APIs.

Option D would require key compromise, not just API weakness.

CEH strongly emphasizes API security as a top cloud risk.

Agent-based scanners reside on a single machine but can scan several machines on the same network.

Network-based scanner

A network-based vulnerability scanner, in simplistic terms, is the process of identifying loopholes on a computer’s network or IT assets, which hackers and threat actors can exploit. By implementing this process, one can successfully identify their organization’s current risk(s). This is not where the buck stops; one can also verify the effectiveness of your system's security measures while improving internal and external defenses. Through this review, an organization is well equipped to take an extensive inventory of all systems, including operating systems, installed software, security patches, hardware, firewalls, anti-virus software, and much more.

Agent-based scanner

Agent-based scanners make use of software scanners on each and every device; the results of the scans are reported back to the central server. Such scanners are well equipped to find and report out on a range of vulnerabilities.

NOTE: This option is not suitable for us, since for it to work, you need to install a special agent on each computer before you start collecting data from them.

In CEH v13 Module 12: Hacking Web Applications, Burp Suite is introduced as a powerful proxy-based tool used for intercepting, modifying, and analyzing HTTP/S traffic between a client and a web application.

Key Features of Burp Suite:

Captures all HTTP requests and responses.

Allows for manual testing of input parameters, headers, and cookies.

Includes tools such as Intruder, Repeater, Scanner, and Decoder.

Helps detect vulnerabilities such as XSS, SQLi, CSRF, and insecure session handling.

Option Review:

A. Maskgen: Used for generating masks, not a web proxy.

B. Dimitry: A footprinting tool, not used for request/response testing.

C. Burpsuite: Correct. Designed for web application vulnerability analysis.

D. Proxychains: Used to chain proxies for anonymity, not for HTTP traffic analysis.

Zero-day exploits are considered the most dangerous mobile attack vector in CEH v13 Mobile Platform Hacking. These exploits abuse previously unknown vulnerabilities, meaning no patches, signatures, or defenses exist at the time of attack.

In healthcare environments, mobile devices access sensitive EHR systems and operate under strict compliance requirements. Zero-day exploits can bypass mobile OS security, sandboxing, and antivirus controls entirely.

App spoofing and Bluejacking are easier to detect and mitigate through user awareness and Bluetooth controls. Side-channel attacks are highly specialized and rare in enterprise mobile environments.

CEH v13 stresses that zero-day attacks pose the greatest risk due to lack of detection mechanisms, making Option A correct.

Web Server Attacks - DNS Server Hijacking Attacker compromises the DNS server and changes the DNS settings so that all the requests coming towards the target web server are redirected to his/her own malicious server. (P.1623/1607)

In CEH v13 Module 12: Hacking Web Applications, SOAP (Simple Object Access Protocol) is discussed as a protocol that allows web service communication using XML-based messages.

Correct SOAP Characteristics:

Structured model for data exchange, used in SOAP envelopes.

Built on XML format.

Can operate over multiple application layer protocols, not just HTTP (e.g., SMTP, FTP, JMS).

Option B is incorrect because:

While SOAP most commonly uses HTTP, it is not limited to it. SOAP is protocol-independent at the transport layer.