ECCouncil Updated 312-50v13 Exam Questions and Answers by kyron

CEH describes SQL injection testing as a core part of web application assessment. One of the first and safest validation techniques is using a tautology-based SQL injection payload, such as ' OR '1'='1. If the application concatenates user input directly into SQL queries, such an input will cause the query to always evaluate as true, often returning additional records such as multiple user profiles. This confirms the presence of SQL injection without causing destructive effects like dropping tables. Testing XSS does not validate SQL injection, brute-forcing credentials is unrelated, and directory traversal attacks target file path manipulation rather than backend queries. CEH emphasizes avoiding destructive queries and starting with non-intrusive injection payloads that reveal improper input sanitization, making ' OR '1'='1 the correct technique for confirming SQL injection vulnerabilities in URL parameters.

Packet fragmentation is a well-documented IDS evasion technique in CEH v13 Network and Perimeter Hacking. Attackers fragment packets to evade detection by overwhelming or confusing intrusion detection systems, especially those that rely on simple pattern matching.

CEH v13 explains that anomaly-based IDS systems are particularly effective against evasion techniques like packet fragmentation because they analyze deviations from normal network behavior, rather than relying on static signatures. Fragmented packets often create unusual traffic patterns, abnormal packet sizes, or irregular reassembly behavior, which anomaly-based systems are designed to detect.

Signature-based IDS solutions struggle against fragmentation because attackers can split malicious payloads across multiple packets in ways that bypass predefined signatures. Rejecting all fragmented packets (Option C) is impractical and could disrupt legitimate network communication, as fragmentation is a normal part of TCP/IP networking.

Recognizing regular intervals (Option A) is unreliable, as attackers can randomize packet timing. CEH v13 clearly recommends anomaly-based detection to counter advanced evasion techniques.

Thus, Option B is the most effective and CEH-aligned IDS configuration.

The scenario emphasizes that Daniel “begins capturing and reviewing live network traffic” to identify unauthorized session behaviors. In CEH-aligned network analysis practice, the most direct method to confirm session hijacking when you already have a packet capture is manual packet analysis using packet sniffing tools. By inspecting live traffic, Daniel can correlate sessions, verify whether multiple sources are reusing the same session identifiers, identify abnormal TCP sequence and acknowledgment behavior, and detect patterns such as duplicated cookies/tokens, replayed requests, inconsistent client IP or user-agent shifts, or sudden session reuse across hosts. This approach provides evidentiary detail beyond an alert and allows validation before escalation.

An IDS can be helpful, but it is a detection system that generates alerts based on signatures or anomalies; it does not inherently “confirm” the issue unless it provides clear supporting evidence, and the question specifically frames Daniel’s action as hands-on traffic review. Checking for predictable session tokens is a preventive and diagnostic step for weak session management design, but it does not directly confirm an in-progress hijacking event from observed network behavior. Monitoring for ACK storms can indicate certain TCP-level hijacking/desynchronization conditions, but it is narrower and may not apply to application-layer session hijacking, which is far more common in enterprise environments and would be validated by inspecting session identifiers and request flows in the capture.

Therefore, given the described workflow and the need to confirm unauthorized session activity from live traffic, CEH methodology aligns best with manual packet analysis using sniffing tools.

The scenario points directly to information gathering from the robots.txt file. A robots.txt file is typically located at the root of a website (e.g., https://example.com/robots.txt) and is intended to instruct search engine crawlers which paths should or should not be indexed. During web reconnaissance, testers often review robots.txt because it can unintentionally disclose sensitive directories, administrative panels, staging paths, backup locations, or restricted areas that the organization hoped would remain obscure. The scenario explicitly says Sofia found “a crawler directive at the server’s root” that “allows unintended indexing of restricted areas,” and that this “reveals internal paths.” That is exactly the kind of leakage that can come from misconfigured or overly revealing crawler directives.

This is considered an early-stage reconnaissance / information gathering technique because it does not require exploitation. It leverages publicly accessible configuration hints to map the application’s hidden structure. Even when robots.txt is used correctly, the listed disallowed entries can still serve as a roadmap of interesting targets; if configured incorrectly (for example, allowing indexing or exposing sensitive paths), it can increase exposure by helping those paths surface in search results or be discovered faster by attackers.

Why the other options are less accurate:

Vulnerability Scanning (A) implies using scanners to identify known flaws; here, the tester is manually/strategically inspecting a crawler directive for exposed paths.

Web Server Footprinting/Banner Grabbing (C) focuses on identifying server type/version and technologies via headers or responses, not discovering hidden paths from crawler directives.

Directory Brute Forcing (D) uses wordlists to guess directories; Sofia’s discovery comes from a disclosed list of paths, not brute-force guessing.

Therefore, the technique is B. Information Gathering from robots.txt File.