ECCouncil 312-50v13 Dumps Questions Answers

MAC flooding is a Layer 2 attack described in CEH v13 Network and Perimeter Hacking, where attackers overwhelm a switch’s CAM table with fake MAC addresses. Once the table is full, the switch behaves like a hub, forwarding traffic to all ports.

The most definitive indicator of MAC flooding is numerous MAC addresses learned on a single switch port, which is abnormal behavior in a properly segmented network. CEH v13 identifies this condition as a key forensic indicator of CAM table exhaustion.

ARP anomalies may occur, but they are more commonly associated with ARP spoofing attacks. IP-to-MAC inconsistencies indicate MITM attacks, not MAC flooding.

Thus, option C is the clearest confirmation.

Rachel is using the Ping method for sniffer detection. The distinguishing behavior in the scenario is that she sends ICMP echo requests (pings) crafted so that the Layer 2 MAC address is incorrect/mismatched, while the Layer 3 IP destination is correct. Under normal circumstances, a host’s network interface card (NIC) should drop frames not addressed to its MAC address. However, when a NIC is set to promiscuous mode (as sniffers often require), it can accept frames regardless of destination MAC and pass them up the stack. If the operating system then processes the encapsulated IP packet and responds (e.g., sends an ICMP echo reply), that response suggests the host is accepting frames it normally would ignore—an indicator consistent with promiscuous mode sniffing.

This technique is used as a heuristic: by intentionally violating normal Ethernet delivery rules and observing whether the target still responds, you can infer that the interface may be capturing traffic not explicitly addressed to it. It’s not perfect—modern drivers, switches, VLAN configurations, and host firewall behavior can affect results—but the scenario’s “mismatched MAC but correct IP” plus “the suspected machine responds” is the classic signature of the ping-based promiscuous-mode test.

Why the other options are less suitable:

ARP method (B) typically involves ARP-based tricks (non-broadcast ARP requests or crafted ARP traffic) to test how the target responds; the scenario explicitly describes ICMP behavior.

DNS method (C) relates to DNS queries/resolution behavior and does not match the ICMP/MAC mismatch test.

Nmap sniffer-detect (NSE) (D) is a specific scripted approach, but the question asks for the underlying technique being used; the described action matches the Ping method.

Therefore, the correct answer is A. Ping Method.

This scenario is a textbook example of a Whaling Attack, a highly targeted phishing technique described in the CEH v13 Social Engineering module. Whaling specifically targets senior executives or high-ranking individuals, exploiting their authority, access privileges, and decision-making roles.

In the given case, the attacker crafts a personalized email, impersonates the CEO, and uses legitimate corporate branding to build trust. The malicious PDF attachment delivers a backdoor, aligning with CEH v13 descriptions of advanced spear-phishing techniques used against executives.

CEH v13 differentiates whaling from other phishing types:

Broad phishing targets large groups indiscriminately.

Pharming redirects users via DNS manipulation.

Email clone attacks copy legitimate emails but typically target peers, not executives.

Whaling attacks are particularly dangerous because executives often bypass security scrutiny and possess elevated system access. CEH v13 emphasizes executive awareness training as a key mitigation strategy.

Therefore, the correct answer is Whaling attack aimed at high-ranking personnel.