ECCouncil Updated 312-50v13 Exam Questions and Answers by chaim

A Kernel-level rootkit operates at the core of the operating system (OS kernel), enabling the attacker to:

Modify or replace kernel code

Load malicious kernel modules

Hide files, processes, and backdoors at a level that is difficult for standard security tools to detect

According to CEH v13:

Kernel-mode rootkits are highly stealthy and dangerous because they run with the highest privileges.

These rootkits modify system calls and memory structures in the kernel space to conceal malicious activity.

Incorrect Options:

A. User-mode rootkits operate at the application layer and are less stealthy than kernel-level rootkits.

B. Library-level rootkits manipulate standard libraries (like libc) to intercept calls.

D. Hypervisor-level rootkits run beneath the OS (e.g., via virtualization) and are extremely rare and complex.

Reference – CEH v13 Official Courseware:

Module 06: Malware Threats

Section: “Types of Rootkits”

Subsection: “Kernel-Mode Rootkits vs. User-Mode Rootkits”

While the question as shown appears slightly misformatted, this closely resembles the Windows command:

ping -t 192.168.0.101

Here:

-t means to ping continuously until manually stopped.

In the question: ping -* 6 192.168.0.101, the * is most likely a placeholder or typographical error. Based on CEH format questions and how command-line flags work in ping, -t is the correct flag.

Option A. t – Correct (ping continuously)

Why Others Are Incorrect:

B. s: Not a valid option in Windows ping.

C. a: Used to resolve the hostname from an IP (not related to this).

D. n: Specifies the number of echo requests to send.

The attacker has most likely used RST hijacking, which is a type of network-level session hijacking technique that exploits the TCP reset (RST) mechanism. TCP reset is a way of terminating an established TCP connection by sending a packet with the RST flag set, indicating that the sender does not want to continue the communication. RST hijacking involves sending a forged RST packet to one or both ends of a TCP connection, using a spoofed source IP address and a guessed acknowledgment number, to trick them into believing that the other end has closed the connection. As a result, the victim’s connection is reset and the attacker can take over the session or launch a denial-of-service attack12.

The other options are not correct for the following reasons:

A. TCP/IP hijacking: This option is a general term that refers to any type of network-level session hijacking technique that targets TCP/IP connections. RST hijacking is a specific type of TCP/IP hijacking, but not the only one. Other types of TCP/IP hijacking include SYN hijacking, source routing, and sequence prediction3.

B. UDP hijacking: This option is not applicable because UDP is a connectionless protocol that does not use TCP reset mechanism. UDP hijacking is a type of network-level session hijacking technique that targets UDP connections, such as DNS or VoIP. UDP hijacking involves intercepting and modifying UDP packets to redirect or manipulate the communication between the sender and the receiver4.

D. Blind hijacking: This option is not accurate because blind hijacking is a type of network-level session hijacking technique that does not require injecting RST packets. Blind hijacking involves guessing the sequence and acknowledgment numbers of a TCP connection without being able to see the responses from the target. Blind hijacking can be used to inject malicious data or commands into an active TCP session, but not to reset the connection5.

Passive OS fingerprinting involves observing traffic from a remote host and analyzing it to infer details about the operating system without actively sending packets or probes. This is useful in stealthy reconnaissance where avoiding detection is critical.

tcpdump is a packet analyzer that captures traffic in real time. By analyzing certain TCP/IP header fields such as TTL (Time-To-Live), window size, TCP options, and DF (Don't Fragment) flags, attackers can passively deduce the operating system of the target host.

CEH v13 Guide states:

“Passive fingerprinting tools like tcpdump and Wireshark allow the attacker to capture packets and analyze them for OS-specific traits, making it possible to identify the OS without sending packets to the target system.”

Reference – CEH v13 Study Guide:

Module 02: Footprinting and Reconnaissance, Section: “OS Fingerprinting Techniques”, Subsection: “Passive OS Fingerprinting”

Incorrect Options Explained:

A: nmap is primarily an active scanning tool (though it has limited passive capabilities).

C: tracert is used for tracing packet routes, not OS fingerprinting.

D: ping checks host availability and latency, not OS details.

‒‒‒‒‒‒‒‒‒‒‒‒‒‒‒