ECCouncil Updated 312-50v13 Exam Questions and Answers by adelina

In CEH network security concepts, a common way to verify whether a host is running a sniffer is to test for promiscuous-mode behavior using an active stimulus and then observing whether the suspected machine reacts to traffic it should normally discard. The “ping method” is a classic approach: the tester sends ICMP Echo Request traffic crafted so the Ethernet frame uses an incorrect destination MAC address, while the IP layer still targets the suspected host’s IP. Under normal NIC operation, frames with a destination MAC that does not match the interface (and is not broadcast/multicast) are dropped at the data-link layer and never reach the IP stack, so the host will not respond.

If the interface is in promiscuous mode, the NIC passes more frames up to the operating system for processing. In some configurations, this can allow the IP stack to see and respond to the ICMP request even though the frame’s MAC destination was wrong. That unexpected reply is used as an indicator that the host may be capturing traffic promiscuously, consistent with sniffer presence.

The other options are less aligned with the “classic active verification” described. Reverse DNS monitoring is an indirect heuristic and not a reliable confirmation of promiscuous mode. An NSE script is tool-specific rather than the classic foundational technique the question emphasizes. ARP-based methods exist for sniffer detection, but the option presented is less directly tied to the well-known ICMP incorrect-MAC confirmation described in CEH materials.

This phase is Information Gathering, the first and most foundational step in an IoT penetration test methodology described in CEH-aligned material. The goal here is to build an accurate inventory of the IoT environment and understand how devices communicate, what hardware and software versions are present, and which protocols and interfaces are in use. Jordan is collecting device models, manufacturer names, firmware versions, and supported protocols such as Zigbee and BLE. That activity maps directly to enumeration and profiling of the target IoT ecosystem, which is performed before any intrusive testing. In CEH methodology terms, this step helps identify the attack surface, including wireless interfaces, management ports, cloud backends, mobile apps, and gateways that bridge IoT networks to enterprise networks.

Information gathering is crucial because IoT risk is highly dependent on specific device types and firmware builds. Knowing a firmware version can reveal whether known CVEs apply, whether default credentials are likely, or whether insecure services are commonly enabled. Identifying Zigbee and BLE indicates potential avenues for wireless assessment, such as insecure pairing, weak encryption or key handling, misconfigured access control, and protocol-specific weaknesses.

The other options occur later. Vulnerability scanning is the step where the tester actively checks the identified devices and services for weaknesses using scanners, enumeration probes, or targeted validation. Launch attacks and gain remote access are exploitation steps that follow planning and discovery. Since Jordan is only documenting and understanding the ecosystem, the correct step is Information gathering.

CEH incident response material explains that LLMNR and NBT-NS poisoning is a common credential-harvesting technique in internal networks. These legacy name-resolution protocols operate via broadcast queries. Attackers can listen for these broadcasts and respond faster than legitimate DNS/hosts entries, impersonating the requested resource. Once the victim system attempts to authenticate, it sends NTLM hashes to the attacker-controlled machine. Tools like Responder and Inveigh automate this process, enabling attackers to collect challenge-response hashes for offline cracking. CEH highlights that this method is passive from the victim’s viewpoint and difficult to detect unless monitoring tools watch for anomalous LLMNR/NBT-NS responses. Options A, B, and D refer to other components of password cracking, but none describe the mechanism of capturing hashes via poisoned name resolution. The attacker’s technique directly aligns with exploiting the name-resolution protocol to intercept authentication attempts.

The described technique is HTTP tunneling because Ethan is encapsulating his traffic inside standard web requests on port 80 to blend with normal browsing activity and bypass perimeter defenses that only perform basic port/protocol filtering. HTTP tunneling leverages the fact that many organizations allow outbound (and sometimes inbound) HTTP/HTTPS traffic through firewalls for business needs. If a firewall is not doing deep inspection (such as application-layer proxying, WAF inspection, or strict egress controls), encapsulated traffic can traverse allowed ports while carrying non-HTTP payloads inside the HTTP structure.

The scenario’s core clues are: (1) “encapsulates his traffic inside standard web requests,” (2) uses port 80, and (3) success depends on the firewall “not performing deep application inspection.” These are exactly the conditions where HTTP tunneling is effective: the traffic appears as ordinary HTTP sessions, so the firewall treats it as permitted web traffic even though the content is being used as a carrier for another protocol or command channel.

Why the other options don’t fit:

DNS tunneling (D) also encapsulates traffic, but it uses DNS queries/responses (typically UDP/TCP 53), not HTTP requests on port 80.

Tiny fragments (C) is an evasion method that breaks packets into very small fragments to confuse filtering/IDS reassembly; the scenario is about encapsulation in web requests, not fragmentation.

Source routing (B) attempts to influence packet path using IP options; it is not described here and is commonly blocked/ignored in modern networks.

Therefore, the firewall evasion technique is A. HTTP Tunneling.