ECCouncil Updated 312-50v13 Exam Questions and Answers by cassian

DNS cache snooping is an enumeration technique where the attacker queries a DNS server to check whether a specific domain has been recently resolved by the server (i.e., it exists in the cache). If a positive response is received with low latency, it indicates that the domain was visited recently.

Key points:

Used to infer user browsing habits or visited domains.

Helps attackers identify user interests or potential targets.

Incorrect Options:

A. DNS zone walking is used to list all domain names in a DNS zone (with misconfigured DNS servers), not for cached record inspection.

C. DNSSEC zone walking applies only when DNSSEC is misconfigured.

D. DNS cache poisoning is a manipulation technique, not a passive enumeration method.

Reference – CEH v13 Official Courseware:

Module 04: Enumeration

Section: “DNS Enumeration”

Subsection: “DNS Cache Snooping and Timing Analysis”

Tool Reference: dig, nslookup

=

A Stealth or Tunneling Virus is designed specifically to evade detection by antivirus software and system monitoring tools. These viruses work by intercepting and modifying the operating system’s service call interrupts (such as INT 13h and INT 21h in DOS systems), which are used to access files or system services.

By hooking into these interrupts, the virus can return clean or forged data to antivirus scanners, thus hiding its malicious presence from detection tools.

Tunneling viruses may also operate at a lower level to evade even more advanced antivirus detection methods, making them particularly dangerous and hard to detect.

Reference – CEH v13 Official Study Guide:

Module 6: Malware Threats

Section: Types of Viruses

Quote:

“Tunneling viruses attempt to avoid detection by antivirus programs by installing themselves in the interrupt handler chain. These viruses intercept operating system calls to conceal their activities.”

Incorrect Options Explained:

A. Macro viruses target applications like Microsoft Word/Excel and use embedded macros, but do not alter service call interrupts.

C. Cavity viruses insert code into empty spaces in files without changing the file size but do not modify interrupts.

D. Polymorphic viruses mutate their code to avoid signature-based detection but do not typically interfere with system interrupts directly.

In CEH v13 Reconnaissance Techniques, passive monitoring of competitors’ online presence is a legitimate and effective intelligence-gathering activity. One of the most efficient tools for this purpose is Google Alerts.

Google Alerts allow analysts to receive automated notifications when new content containing specific keywords—such as company names, products, or executives—is indexed online. This enables continuous, passive surveillance without repeatedly visiting websites manually.

Option B directly addresses the analyst’s goal of staying updated efficiently.

Option A is illegal and unethical.

Option C involves direct interaction, which may reveal the analyst’s presence.

Option D provides anonymity but does not actively monitor changes.

CEH v13 strongly encourages automation in reconnaissance to reduce noise, effort, and detection risk. Therefore, Option B is the correct and CEH-aligned answer.

In CEH v13 Module 11: Hacking Wireless Networks, it is explained that disabling SSID broadcast only hides the SSID from casual scanning, not from determined attackers.

When a legitimate client connects to a hidden SSID, the SSID is included in the probe request and association packets, which can be easily sniffed using tools like Wireshark or Kismet.

Leaving authentication open adds no real protection.

Attackers can still capture traffic and use it to determine the SSID and connect to the access point.