ECCouncil Updated 312-50v13 Exam Questions and Answers by bruce

The symptoms strongly match MAC flooding, a classic Layer 2 sniffing-related attack discussed in CEH under switch-based network attacks. Ethernet switches maintain a CAM table that maps MAC addresses to physical switch ports. This table allows the switch to forward frames only to the correct destination port, preventing other hosts from seeing traffic not intended for them. In a MAC flooding attack, an attacker generates a very large number of frames with spoofed, random source MAC addresses. The goal is to overflow the switch CAM table so it can no longer reliably store legitimate MAC-to-port mappings.

When the CAM table is full or unstable, many switches fail open by flooding frames out of multiple ports, behaving more like a hub for unknown destinations. That leads to exactly what Marcus observes: devices on segments that should be isolated start receiving traffic they normally would not see, and overall performance degrades due to excessive broadcast-like forwarding. The prompt also mentions “abnormal traffic patterns overwhelming the network,” which aligns with the high-volume frame injection required to poison or overflow the CAM table.

ARP poisoning would primarily redirect traffic through the attacker by manipulating IP-to-MAC mappings within a VLAN, but it would not typically cause widespread flooding and generalized delays across multiple VLANs. DNS cache poisoning affects name resolution rather than Layer 2 forwarding behavior. Switch port stealing targets a specific victim MAC entry to redirect that host’s traffic, but the widespread flooding and overload indicators are more characteristic of MAC flooding. Therefore, MAC flooding is the most likely technique in this scenario.

The TCP SYN scan, also known as a Stealth Scan, is emphasized in CEH v13 Network Scanning as the most effective balance between accuracy and stealth. It sends a SYN packet and analyzes the response without completing the TCP handshake.

Because the connection is never fully established, SYN scans are less likely to be logged by applications and are harder for IDS systems to detect compared to TCP Connect scans.

FIN and ACK scans are used for firewall rule mapping and evasion, but they do not reliably enumerate services. TCP Connect scans are noisy and easily detected. Therefore, Stealth (SYN) Scan is the best choice.

TCP port 102 is strongly associated with Siemens S7 communications, commonly referred to as S7comm, which is used by Siemens SIMATIC S7 PLC families and related engineering and HMI components in OT environments. In CEH coverage of ICS and SCADA reconnaissance, identifying industrial protocols by their well-known ports is a standard first step because it quickly narrows down device type, vendor ecosystem, and likely attack surface. When Ethan targets TCP 102 and the scan reveals PLC models used in the automation process, that aligns directly with enumerating Siemens SIMATIC S7 PLCs, since S7comm typically operates over ISO-on-TCP on port 102.

The other options do not match the port-protocol pairing described. Modbus TCP most commonly uses TCP port 502, so “scanning Modbus devices” would be associated with 502 rather than 102. “Capturing Modbus TCP traffic using Wireshark” is passive sniffing and also would focus on Modbus traffic patterns on 502, not an active Nmap sweep on 102. Omron PLCs may use different protocols and ports depending on model and configuration, but TCP 102 is the canonical indicator for Siemens S7 in most defensive and offensive playbooks taught for OT discovery.

From a defensive perspective, CEH-aligned best practices emphasize segmenting OT networks, restricting access to engineering ports like 102, monitoring for scanning behavior, and enforcing allowlisted communications between SCADA, HMIs, and PLCs to reduce the risk of unauthorized enumeration and follow-on manipulation.

According to the CEH System Hacking and Web Application Security modules, Man-in-the-Browser (MitB) attacks are among the most sophisticated and difficult session-hijacking techniques to detect. In MitB attacks, malware operates inside the victim’s browser, allowing attackers to intercept, modify, or inject transactions after authentication has occurred.

CEH documentation highlights that MitB attacks bypass:

Multi-factor authentication

Encrypted cookies

HTTPS/TLS protections

Because the malicious activity occurs at the browser level, security controls perceive transactions as legitimate.

Option B is correct.

Option A (XSS) is detectable via content security policies.

Option C is mitigated by regenerating session IDs.

Option D is ineffective against encrypted sessions.

CEH emphasizes MitB attacks as a critical threat to online banking systems.