ECCouncil Updated 312-50v13 Exam Questions and Answers by enid

CEH v13 states that DNS server hijacking occurs when attackers compromise the authoritative DNS infrastructure and alter DNS zone records to redirect all legitimate queries to malicious destinations. Unlike DNS cache poisoning, which affects specific resolvers temporarily, server hijacking manipulates the core DNS authority controlling the domain. This results in a complete redirect for all users, regardless of geographic location or device configuration. CEH emphasizes that such attacks can lead to large-scale credential theft, phishing, financial fraud, and session compromise because the attacker presents an identical clone site while retaining full control of DNS routing. DNS tunneling is used for covert data exfiltration and does not redirect traffic. DNS rebinding targets browser policies, not global DNS redirection. DNS amplification is a volumetric DDoS technique unrelated to zone manipulation. The scenario matches DNS server hijacking exactly.

Fragmentation is a well-known firewall and IDS evasion technique covered in CEH materials. The attacker breaks a malicious packet into smaller IP fragments so that simple filtering devices, especially those relying mainly on basic header checks or stateless rules, may fail to reconstruct the original payload and therefore miss the malicious content. To counter this, defenses must track packet state and perform reassembly or validation of fragmented traffic so the security control can evaluate the complete communication stream rather than isolated fragments.

Stateful Packet Inspection is the control most aligned with this requirement. A stateful inspection firewall maintains a state table of active connections and monitors traffic as part of an ongoing session. Because it tracks session context, it can handle fragmented packets more effectively by correlating fragments to the original flow and applying policy after reconstructing or normalizing traffic. In CEH-aligned descriptions, this directly reduces the effectiveness of fragmentation-based evasion, overlapping with the concept of traffic normalization that removes ambiguity attackers try to exploit.

Deep Packet Inspection examines payload beyond headers, but the key success factor in stopping fragmentation evasion is state tracking and reassembly, which is characteristic of stateful inspection and state-aware security devices. Signature-based and anomaly-based detection can help detect malicious patterns or unusual behavior, but without reliable reassembly and session context, fragmented payloads may not match signatures and may appear benign in isolation. Therefore, the most likely measure used to identify and block fragmented packets in this scenario is Stateful Packet Inspection.

CEH training outlines the standard methodology for attacking WPA2-PSK networks: capture the 4-way handshake and then attempt offline cracking of the pre-shared key. The most reliable way to force handshake generation is to perform a de-authentication attack using tools like Aireplay-ng. This attack momentarily disconnects a wireless client, forcing it to reauthenticate with the access point. During this reauthentication, the AP and client exchange the 4-way handshake packets necessary for offline cracking. CEH emphasizes that WPA2 encryption itself cannot be brute-forced directly; attackers must obtain the handshake and then apply dictionary or brute-force attacks offline. Attempting XSS or router spoofing does not capture the handshake and is unrelated to WPA2 key extraction. The deauth attack is also a classic wireless attack vector described extensively in CEH because it is effective, does not require interaction with the encryption algorithm, and works regardless of the strength of the AP’s passphrase. Once the handshake is captured, tools such as Hashcat are used to attempt key recovery.

The correct answer is B. Cryptographically binding authentication tokens to the TLS connection context.

The scenario describes a defense against session token replay. The attacker/tester has a valid authentication identifier, but the application rejects it when it is reused from a different machine and a different encrypted channel. This indicates that the token is not accepted by itself; it is tied to the original TLS-secured session context.

CEH-aligned session hijacking material explains that session replay occurs when an attacker captures an authentication token and replays the request to obtain unauthorized access. It also describes session hijacking as taking over an authenticated session after authentication has already completed . TLS material explains that TLS provides secure communication, peer authentication, shared-secret generation, and secure session establishment between endpoints . Binding the token to the TLS context prevents a captured token from being reused over a different TLS connection.

Option A. Encrypting DNS resolution traffic using DNS over HTTPS is incorrect because DNS over HTTPS protects DNS lookups, not application session tokens.

Option C. Applying IPsec protection at the network layer is incorrect because IPsec protects traffic at the network layer. The question specifically describes an application-issued authentication identifier being validated against the original secure exchange.

Option D. Enforcing HTTP Strict Transport Security is incorrect because HSTS forces browsers to use HTTPS, but it does not cryptographically bind a token to a specific TLS channel.

Therefore, the best answer is B. Cryptographically binding authentication tokens to the TLS connection context.