ECCouncil Updated 312-50v13 Exam Questions and Answers by rogan

The most likely tool/command is dig @server axfr, which attempts a DNS zone transfer (AXFR) from a specified DNS server. In CEH-aligned reconnaissance and enumeration methodology, DNS is a high-value target because it reveals how an organization’s names map to systems. A successful zone transfer can expose an entire DNS zone database, often including hostnames (subdomains), mail exchanger (MX) records, canonical name (CNAME) aliases, and sometimes internal-facing entries if the zone is misconfigured. The scenario’s outcome—receiving “a full list of subdomains, MX records, and aliases”—matches exactly what an AXFR zone transfer can disclose when a DNS server is improperly configured to allow transfers to unauthorized hosts.

The clue about a “secondary server” is also significant. In DNS architecture, organizations frequently deploy primary (master) and secondary (slave) DNS servers. Secondary servers legitimately request zone transfers from the master to stay synchronized. If the secondary server is misconfigured (for example, allowing AXFR to any requester or to a broader range than intended), an attacker can exploit this and retrieve the zone file. This results in detailed visibility into the organization’s naming scheme and infrastructure layout—information that can be used to identify high-value targets (mail servers, VPN portals, admin hosts), locate staging points, and plan follow-on attacks such as credential harvesting, targeted exploitation, or social engineering.

Why the other options do not fit: smtp-user-enum.pl is used for enumerating valid users on SMTP servers, not DNS records. ldapsearch enumerates directory information from LDAP services, not DNS zones. nbtstat -A queries NetBIOS name tables for Windows hosts, which may reveal local names and shares but not DNS-wide subdomains and MX/CNAME records. Therefore, the enumeration described is most consistent with a DNS zone transfer using dig with AXFR.

An HTTP flood is an application-layer (Layer 7) DoS/DDoS technique that targets web application resources by sending large volumes of seemingly valid HTTP GET/POST requests. Because the traffic can look “legitimate” at the protocol level, controls that primarily focus on network/transport characteristics (such as basic firewalls) are often insufficient. The tool described in the scenario is explicitly inspecting and filtering malicious HTTP traffic while allowing legitimate customer requests—that behavior aligns most directly with a Web Application Firewall (WAF).

A WAF is designed to protect web applications by analyzing HTTP/S requests and responses, applying security rules that detect and block abnormal or malicious patterns. In an HTTP flood scenario, a WAF can enforce rate limiting, detect request anomalies (e.g., repeated requests to resource-intensive endpoints like checkout), identify bot-like behavior, and apply signatures/behavioral policies to mitigate attacks while continuing to permit valid users. The key clue is the focus on HTTP-level inspection and filtering to maintain service continuity—a classic WAF use case during Layer 7 attacks.

Why the other options are less suitable:

A Load Balancer (A) improves availability by distributing traffic across servers, but it does not inherently inspect and filter malicious HTTP requests. It can help absorb load, yet it’s not primarily a security inspection/filtering control.

An Intrusion Prevention System (C) can block malicious activity, but many IPS deployments are stronger at network/transport-layer patterns and may not provide the same depth of application-aware HTTP policy enforcement as a WAF for targeted web endpoints.

A traditional Firewall (D) mainly filters by IP/port/protocol and cannot reliably distinguish malicious vs legitimate HTTP GET/POST floods when they use allowed ports (80/443).

CEH v13 states that DNS server hijacking occurs when attackers compromise the authoritative DNS infrastructure and alter DNS zone records to redirect all legitimate queries to malicious destinations. Unlike DNS cache poisoning, which affects specific resolvers temporarily, server hijacking manipulates the core DNS authority controlling the domain. This results in a complete redirect for all users, regardless of geographic location or device configuration. CEH emphasizes that such attacks can lead to large-scale credential theft, phishing, financial fraud, and session compromise because the attacker presents an identical clone site while retaining full control of DNS routing. DNS tunneling is used for covert data exfiltration and does not redirect traffic. DNS rebinding targets browser policies, not global DNS redirection. DNS amplification is a volumetric DDoS technique unrelated to zone manipulation. The scenario matches DNS server hijacking exactly.

When standard protections such as HTTPS, HTTP-only flags, and session regeneration are properly implemented, CEH teaches that predictable session identifiers become one of the few remaining avenues for session hijacking. Session token prediction involves analyzing entropy, randomness, or generation patterns within session IDs to mathematically infer future or valid tokens. If the application uses weak randomization algorithms, insufficient entropy sources, or predictable sequences, attackers may generate a valid session ID without direct interception. Techniques such as MitM interception or CSRF manipulation do not bypass strong transport-layer protections and cookie restrictions. Session fixation fails because the application regenerates the session ID upon login, invalidating pre-set identifiers. Therefore, the advanced and CEH-aligned method to hijack a protected session is predicting session IDs through side-channel or pattern analysis.