Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

CEH training emphasizes that highly tailored social engineering attacks—those exploiting trust in internal workflows and perceived technical authority—are far more effective than generic or mass-distributed phishing attempts. A fake IT support portal that mirrors internal systems leverages procedural familiarity: IT departments commonly instruct employees to log into support portals for troubleshooting, credential verification, or ticket updates. When the attacker enhances the pretext with insider terminology and references to real internal systems, employees are more likely to trust the portal and enter credentials. CEH highlights that successful social engineering attacks mimic legitimate processes to avoid suspicion. Phone calls posing as executives often introduce risk due to real-time interaction and scrutiny. Generic phishing lacks personalization and is easily detected. Physical impersonation introduces operational risk and may not yield credentials. Therefore, a fake IT support portal aligned with IT workflows is the optimal method.

The KRACK (Key Reinstallation Attack) vulnerability is a critical WPA2 flaw covered extensively in CEH v13 Wireless Network Hacking. KRACK exploits weaknesses in the four-way handshake process, allowing attackers to force reinstallation of encryption keys.

This key reinstallation resets nonces and counters, enabling attackers to decrypt, replay, and forge packets, even on encrypted WPA2 networks. CEH v13 highlights that KRACK does not break encryption mathematically but exploits protocol logic flaws.

Hole196 affects GTK misuse, and WPS PIN attacks target authentication, not replay of encrypted traffic. Weak RNG issues are unrelated to WPA2 replay.

Thus, Option B is correct.

The correct answer is B. BitLocker Drive Encryption because the requirements describe native Windows full-disk encryption that integrates tightly with enterprise Windows security features and centralized management. BitLocker is Microsoft’s built-in disk encryption technology designed to provide transparent encryption for the operating system volume and additional fixed/removable drives. It supports hardware-backed startup protection through integration with the Trusted Platform Module (TPM), which can help protect encryption keys and validate boot integrity before unlocking the OS volume. This matches the prompt’s requirement for “hardware-backed startup protection.”

The scenario also emphasizes “centralized key escrow via Active Directory/management policies.” In enterprise deployments, BitLocker recovery information can be backed up to Active Directory and managed through Group Policy / MDM controls, enabling standardized enforcement (encryption settings, recovery key handling, compliance reporting) across servers and endpoints. This is a core operational advantage in regulated environments like healthcare: it enables rapid response (recoverability), consistent policy application, and audit-friendly control of encryption keys—without requiring third-party key management tooling for basic escrow needs.

Additionally, the prompt calls for securing the “system partition and attached data volumes” in a way that is compatible with Windows platform behavior and minimizes disruption. BitLocker supports encrypting both the OS volume and data volumes, and it is designed for transparent operation once enabled, so normal server use and domain authentication continue as expected.

Why the other options are not correct: FileVault is Apple’s full-disk encryption for macOS, not Windows. VeraCrypt and Rohos Disk Encryption are third-party solutions that can provide disk encryption, but they do not match the stated preference for deep Windows enterprise integration with TPM-based startup protection and Active Directory–based recovery key escrow through standard Microsoft management policies.

Therefore, the best solution for this Windows enterprise requirement is BitLocker Drive Encryption.

Passive reconnaissance focuses on collecting intelligence without interacting with the target ' s systems. CEH materials emphasize reviewing publicly available information, including leaked documents, breach data, reports, or exposed metadata, as this yields internal network structure details while generating no detectable traffic. This method avoids triggering monitoring systems and aligns with stealth requirements for covert intelligence gathering.

The Certified Ethical Hacker (CEH) Cloud Computing and Data Protection module emphasizes the importance of resilient backup strategies to protect against data tampering, ransomware, and unauthorized modification.

The 3-2-1 backup model is a widely recommended best practice referenced in CEH materials. It requires maintaining:

3 copies of data

Stored on 2 different media types

With 1 copy stored offsite

This approach ensures that even if cloud backups are compromised or altered, clean and uncompromised versions remain available. CEH documentation highlights this model as a core defense against data integrity attacks in cloud environments.

Option D directly mitigates the risk of backup tampering.

Options A, B, and C address unrelated security concerns and do not protect backup integrity.

Password cracking is a core component of the system hacking phase. CEH materials highlight that once password hashes are obtained, attackers often perform offline cracking to avoid detection and bypass account lockout policies. Tools like Hashcat make use of hardware acceleration—specifically, GPU or multi-core CPU computing—to significantly increase cracking throughput. Hardware acceleration allows the system to perform thousands to millions of hash calculations simultaneously, dramatically improving cracking efficiency compared to traditional CPU-bound methods. While dumping SAM contents is part of credential extraction, it is not the optimization described in the scenario. Dictionary rules influence cracking strategy but not raw speed. NetBIOS spoofing is unrelated to password cracking. The emphasis here is on maximizing computational power to accelerate the hash-cracking process, aligning directly with CEH’s explanation of hardware-accelerated offline cracking techniques.

The Certified Ethical Hacker (CEH) Web Application Hacking and DoS/DDoS module identifies Slowloris as an application-layer denial-of-service attack that targets web servers by maintaining a large number of half-open HTTP connections.

Slowloris works by sending partial HTTP requests very slowly, preventing the server from closing the connections. CEH documentation highlights that this attack does not rely on high bandwidth, making it difficult to detect using traditional network-based defenses.

Option C accurately matches the described symptoms and CEH’s definition.

Options A and B are network-layer flooding attacks, which were explicitly ruled out.

Option D is a packet fragmentation attack, not an application-layer DoS technique.

CEH stresses tuning connection timeouts and using reverse proxies as mitigations.

CEH courseware describes rootkits as specialized malware designed to conceal their presence while providing persistent, unauthorized access to system-level functions. Rootkits typically modify low-level components of the operating system—such as kernel modules, drivers, or system processes—to hide files, processes, registry keys, and network connections. Their primary purpose is to grant attackers administrative privileges without triggering alerts, making them extremely stealthy and dangerous. CEH emphasizes that rootkits often accompany other malware to maintain long-term control after initial compromise. In contrast, viruses replicate by attaching to files, keyloggers record keystrokes but do not hide system-level access, and ransomware encrypts data rather than conceals operations. The defining characteristics in this scenario—cloaking activity, providing admin-level control, persisting undetected—are directly aligned with rootkit behavior as described in CEH training material.

According to the Certified Ethical Hacker (CEH) IoT, OT, and SCADA Security module, side-channel attacks exploit indirect information leaks such as power consumption, electromagnetic emissions, timing variations, or thermal output rather than software vulnerabilities.

Option A is correct because monitoring hardware-level anomalies is the primary method for detecting side-channel exploitation. CEH materials emphasize that these attacks bypass traditional security controls.

Option B relates to cryptographic weaknesses, not side-channel analysis.

Option C addresses interface misuse, not covert data leakage.

CEH highlights that SCADA systems are especially vulnerable due to legacy hardware and limited monitoring capabilities.

CEH v13 highlights HTML smuggling as a modern technique used to bypass perimeter defenses by leveraging browser-side execution. Instead of downloading a malware file directly—which firewalls and IDS can detect—an attacker embeds obfuscated JavaScript or HTML within an attachment. When the victim opens the file, the browser reconstructs the payload locally using APIs like Blob or URL.createObjectURL. This method avoids external network transfers during the payload creation stage, allowing it to bypass content filters, sandboxing, and inline inspection tools. CEH emphasizes that HTML smuggling is especially dangerous because it operates within the browser environment, which security appliances implicitly trust. Port forwarding (Option B) relates to tunneling traffic, not file reconstruction. XSS (Option C) requires injecting scripts into web pages, not delivering malware. HTTP header spoofing (Option D) manipulates request metadata, not payload construction. Therefore, HTML smuggling precisely matches the described behavior.

The symptoms strongly match MAC flooding, a classic Layer 2 sniffing-related attack discussed in CEH under switch-based network attacks. Ethernet switches maintain a CAM table that maps MAC addresses to physical switch ports. This table allows the switch to forward frames only to the correct destination port, preventing other hosts from seeing traffic not intended for them. In a MAC flooding attack, an attacker generates a very large number of frames with spoofed, random source MAC addresses. The goal is to overflow the switch CAM table so it can no longer reliably store legitimate MAC-to-port mappings.

When the CAM table is full or unstable, many switches fail open by flooding frames out of multiple ports, behaving more like a hub for unknown destinations. That leads to exactly what Marcus observes: devices on segments that should be isolated start receiving traffic they normally would not see, and overall performance degrades due to excessive broadcast-like forwarding. The prompt also mentions “abnormal traffic patterns overwhelming the network,” which aligns with the high-volume frame injection required to poison or overflow the CAM table.

ARP poisoning would primarily redirect traffic through the attacker by manipulating IP-to-MAC mappings within a VLAN, but it would not typically cause widespread flooding and generalized delays across multiple VLANs. DNS cache poisoning affects name resolution rather than Layer 2 forwarding behavior. Switch port stealing targets a specific victim MAC entry to redirect that host’s traffic, but the widespread flooding and overload indicators are more characteristic of MAC flooding. Therefore, MAC flooding is the most likely technique in this scenario.

The Certified Ethical Hacker (CEH) Network and Perimeter Hacking module describes MAC flooding as an attack targeting switch CAM (Content Addressable Memory) tables. The attacker overwhelms the switch by sending frames with spoofed MAC addresses, forcing the switch to broadcast traffic like a hub.

Option D is the correct indicator because MAC flooding results in many different MAC addresses being learned on a single switch port, which is abnormal behavior. CEH documentation identifies this as the primary forensic sign of a MAC flooding attack.

Option A relates more closely to ARP poisoning rather than MAC flooding.

Option B can occur in network misconfigurations but is not a primary MAC flooding indicator.

Option C is common in NAT environments and is not malicious by itself.

CEH emphasizes monitoring CAM table behavior and port security violations to detect MAC flooding attacks effectively.

The CEH Malware Threats module defines polymorphic malware as malicious code that mutates its appearance (code, encryption, packing) each time it propagates, making signature-based detection ineffective. Dormancy and trigger-based activation are also common characteristics.

CEH emphasizes that behavior-based detection, sandboxing, and heuristic analysis are the most effective countermeasures against polymorphic threats.

Option D is correct.

Options A, B, and C do not address polymorphic evasion techniques.

Cloud-based DDoS mitigation services provide upstream traffic scrubbing, detecting and filtering high-volume attacks such as DNS amplification and HTTP floods before the traffic reaches the victim’s network. These services use distributed infrastructures capable of handling multi-vector attacks that surpass the capacity of traditional on-premises firewalls and IDS. Traffic scrubbing centers distinguish legitimate traffic from malicious traffic, allowing normal operations to continue without service disruption.

Session Replay Attacks are highlighted in CEH v13 Web Application Hacking as one of the most sophisticated and difficult-to-detect session hijacking techniques. In this attack, adversaries capture valid session tokens or encrypted session identifiers and replay them to impersonate legitimate users.

Unlike credential stuffing, which relies on login attempts and can be detected through authentication anomalies, session replay occurs after authentication, using legitimate session artifacts. Clickjacking and CSRF manipulate user interactions but do not directly hijack session tokens.

CEH v13 explains that session replay attacks are especially dangerous in environments where session tokens are predictable, long-lived, or improperly bound to client attributes such as IP address or device fingerprint. Because the attacker reuses valid session data, traditional detection mechanisms often fail.

The replayed session appears legitimate to the server, making fraud detection extremely difficult without advanced behavioral analytics. This makes session replay attacks particularly effective in online retail environments where transactions are frequent and time-sensitive.

Thus, Option D correctly identifies the most challenging attack.