ECCouncil Updated 312-50v13 Exam Questions and Answers by kyron

CEH v13 identifies spear-phishing as one of the most effective and targeted social engineering methods. It involves crafting highly personalized messages that reference real events, internal processes, or upcoming activities to build credibility and reduce suspicion. In this scenario, referencing board meetings—an event executive assistants frequently handle—creates a believable and urgent context for the request. CEH emphasizes that personalization significantly increases success rates because recipients perceive the sender as someone with legitimate access to internal information. A phone call impersonating IT support (Option B) is less convincing for retrieving agenda access-specific credentials. Mass phishing (Option C) lacks personalization and is easily flagged. LinkedIn social engineering (Option D) is long-term and less effective for obtaining immediate credentials. Therefore, a tailored spear-phishing email is the most effective approach.

RST hijacking is a TCP session hijacking technique emphasized in CEH materials under network attacks against established communications. In TCP, a Reset flag packet is used to abruptly tear down a connection. If an attacker can observe the session and determine the correct parameters such as IP addresses, ports, and an in-window sequence number, they can forge a TCP RST packet that appears to come from one endpoint. This can force the victim side to drop the session, making the legitimate client suddenly lose responsiveness.

The key clue in the scenario is that Rachel “observes a client-server communication” and then injects crafted packets that disrupt the client while the server continues to communicate with Rachel’s system. That behavior matches the practical use of RST hijacking in demonstrations: terminate or desynchronize the victim endpoint while keeping the server-side session usable long enough for the attacker to inject traffic with valid sequence and acknowledgment values. In a switched LAN, this is often paired with sniffing or traffic visibility to reliably craft the reset packet and subsequent injected packets.

Blind hijacking is different because the attacker cannot see the traffic and must guess sequence numbers, which contradicts the “observes communication” detail. UDP hijacking is not applicable because UDP is connectionless and does not use session state or RST flags. “TCP/IP hijacking” is a broad category, but the question asks for the specific technique used to disrupt the client via crafted packets, which is best identified as RST hijacking.

CEH v13 defines a white hat hacker as a security professional with explicit authorization to perform penetration testing, vulnerability assessments, and exploitation attempts within legal and contractual boundaries. Their objective is to strengthen security, not compromise it. White hats follow structured methodologies, document findings, and provide remediation recommendations. A black hat (Option A) acts maliciously and without permission. A grey hat (Option B) operates without authorization but without harmful intent, which is not compliant with corporate penetration testing procedures. Script kiddies (Option C) rely on pre-built tools without deep knowledge and are not employed for legitimate engagements. Therefore, the individual described is a white hat, operating under legal and ethical guidelines with organizational consent.

CEH v13 describes relay attacks as credential forwarding techniques where attackers trick systems into authenticating to malicious servers, capturing hashes, and relaying them to privileged services. The described scenario aligns exactly with the PetitPotam attack, a known MS-EFSRPC abuse method that forces Windows domain controllers to perform NTLM authentication to attacker-controlled hosts. CEH discusses how relay attacks combined with Active Directory Certificate Services (AD CS) misconfigurations can allow attackers to request privileged certificates, effectively gaining domain administrator privileges without cracking hashes or accessing LSASS. CRIME (Option B) targets TLS compression and is unrelated. Browser token theft (Option C) applies to web sessions, not domain controllers. Session donation (Option D) is not part of Windows authentication hijacking. Thus, the scenario clearly represents a PetitPotam NTLM relay attack.