ECCouncil Updated 312-50v13 Exam Questions and Answers by lillian

CEH v13 explains that WPA2-Enterprise replaces the static, shared password model of WPA2-Personal with a centralized authentication system that relies on the 802.1X framework. The essential component of this architecture is RADIUS integrated with EAP, which manages user authentication, device identity verification, and dynamic session key generation. RADIUS acts as the backend authentication server, while EAP provides a flexible authentication framework supporting certificates, smartcards, or credentials. This combination allows organizations to enforce per-user access control policies, revoke individual users without changing network-wide passwords, and generate unique Pairwise Master Keys (PMKs) for every authenticated session. CEH highlights that one of the major advantages of WPA2-Enterprise is its ability to produce unique encryption keys for each client, preventing key reuse and mitigating lateral movement if one device is compromised. Certificate-based EAP types such as EAP-TLS introduce mutual authentication, ensuring both client and server validate each other’s identity before allowing network access. This significantly increases security posture compared to PSK networks, which cannot scale securely for large enterprise deployments.

Thomas is most likely using Follow TCP Stream. This Wireshark feature reconstructs the bidirectional application data carried over a TCP connection by reassembling packets in sequence into a readable conversation view. When traffic is unencrypted HTTP, the reassembled stream can reveal full request/response content, including URLs, headers, form parameters, and—critically in this scenario—usernames and passwords transmitted in clear text (for example, within POST body parameters).

The scenario’s language is a direct match: “reconstruct entire conversations between browsers and the server” and “reassembles packet data into a readable stream.” That is exactly what Follow TCP Stream does: it groups packets that belong to the same TCP session and displays the payload as contiguous data, making it far easier than manually inspecting individual packets. This is commonly used during assessments and investigations to understand what data was exchanged, validate whether sensitive data is exposed, and confirm whether protections like TLS are properly applied.

Why the other options are not correct:

Filtering by IP Address (A) helps narrow the packet list to specific hosts but does not reconstruct conversations.

Display Filtering by Protocol (B) can isolate HTTP packets but still leaves the analyst to interpret individual packets without full reassembly.

Monitoring the Specific Ports (C) similarly narrows traffic (e.g., TCP/80 for HTTP) but does not present a reassembled readable session.

Because the goal is quick, readable reconstruction of HTTP login sessions over TCP, the correct answer is D. Follow TCP Stream.

The technique described is decoy scanning. In CEH network scanning methodology, decoy scanning is used to make IDS and logging systems attribute scan traffic to multiple apparent sources instead of the attacker’s true IP address. The attacker configures the scanner to generate additional probe packets that appear to originate from several spoofed decoy IP addresses, mixed with the real attacker’s probes. This creates ambiguity for defenders because IDS alerts and firewall logs show many potential “scanners,” complicating attribution and response actions such as blocking a single source.

A key detail in the prompt is that Lily “includes multiple spoofed IP addresses alongside her own” and still “receives accurate results.” That matches how decoy scanning works in tools like Nmap: the attacker’s real IP must remain in the mix so that replies from the target return to the attacker, enabling accurate interpretation of port states. The decoys mainly exist to confuse monitoring and incident response teams by polluting the log trail.

Option C, IP spoofing, is too general and, by itself, typically prevents the attacker from receiving responses because return traffic goes to the spoofed address. Decoy scanning is a specific, structured use of spoofing combined with the real source to preserve results. Option A refers to stealth flag scans, which reduce handshake visibility but do not involve multiple spoofed sources. Option B, source routing, attempts to control packet paths and is not the described behavior. Therefore, the correct answer is Decoy Scanning.

CEH v13 explains that when traditional enumeration techniques—such as SMB null sessions—are disabled, attackers often pivot to misconfigured LDAP services that still allow anonymous binding. LDAP anonymous bind, when not properly restricted, exposes directory information such as usernames, organizational units, group memberships, and other metadata. This aligns directly with the scenario, where the tester must avoid triggering alarms while still gathering internal data. LDAP queries generate minimal noise, often blending with normal authentication-related traffic, making them ideal for covert enumeration. Options A and C would require authentication or violate access restrictions, and DNS zone transfers (Option D) rarely succeed because modern DNS servers disable AXFR requests from unauthorized clients. CEH repeatedly stresses the importance of detecting and securing LDAP anonymous bind due to its potential for silent information leakage—making Option B the correct choice.