Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

CEH v13 highlights behavioral analytics as one of the most effective techniques for identifying ambiguous or stealthy threats such as data exfiltration, command-and-control traffic, and insider abuse. When interactions appear suspicious but not definitively malicious, behavioral profiling provides the most direct visibility.

Behavioral analytics tools establish a baseline of normal system and network behavior, including typical communication patterns, data transfer volumes, destinations, and timing. Deviations from this baseline trigger alerts, allowing analysts to detect previously unknown threats without relying on signatures.

Option C is the most appropriate because it both identifies anomalies and supports continuous mitigation. A full zero-trust shutdown (Option A) is disruptive. Forensics (Option B) is reactive and better suited after confirmation of compromise. Training (Option D) does not address system-level interactions.

CEH v13 emphasizes that modern attacks often blend into normal traffic, making behavioral analysis essential. Therefore, Option C is the correct answer.

The CEH Cloud Security module highlights identity and access management (IAM) failures as a major source of cloud breaches. Ensuring timely de-provisioning of user accounts when employees leave is a core security control.

Option C is correct.

Options A and B detect issues but don’t prevent access persistence.

Option D is unrelated to access control.

CEH stresses joiner–mover–leaver (JML) processes.

The correct answer is D. Integrity. In the CIA triad, integrity refers to protecting information from unauthorized alteration, modification, or revision, whether the data is stored at rest or moving across a network. CEH-aligned material explains that integrity ensures data received is exactly the same as the data originally sent, and any addition, deletion, or alteration means integrity has been compromised. The question states that an attack altered the contents of two critical files, which directly indicates unauthorized modification of data. This is an integrity violation because the trustworthiness, accuracy, and reliability of those files can no longer be guaranteed. Availability is incorrect because availability concerns whether systems or data are accessible when needed. Authentication is incorrect because it verifies the identity of a user, device, or process. Confidentiality is also incorrect because confidentiality focuses on secrecy and preventing unauthorized disclosure, not file modification. Therefore, an attack that changes critical file contents is best described as an integrity attack.

This task describes passive reconnaissance using advanced search operators, a technique covered in CEH as search engine reconnaissance or Google dorking. The objective is to find potentially exposed documents on hidden services while avoiding direct interaction with forums or services. The most important element in the query is restricting results to hidden service domains using the site:onion operator. Any option that does not include site:onion is less suitable because it will return results from the public web rather than from .onion resources.

Option A is the strongest fit because it combines three high-value filters: filetype:pdf to focus on document artifacts that are commonly leaked or shared, intitle: " admin access " to target titles suggesting privileged access or administrative information, and site:onion to restrict the scope to hidden services. In CEH reporting and threat intelligence workflows, targeting high-signal keywords such as admin access, credentials, password list, or vpn access in document metadata is a practical way to identify likely leak sources without active engagement.

Option B lacks site:onion, so it fails the hidden-service requirement. Option C includes site:onion but the phrase secure login is more generic and may return many benign pages, reducing precision. Option D includes site:onion and filetype targeting, but user accounts is broader and less indicative of immediate access data than admin access. Therefore, A best supports efficient passive discovery of high-risk documents relevant to credential exposure on hidden services.

This scenario matches a Teardrop attack, which exploits IP fragmentation reassembly weaknesses by sending fragments with overlapping or inconsistent offset fields. In a teardrop attack, the attacker crafts IP fragments so that when the target attempts to reassemble them into the original datagram, the fragment offsets and sizes do not align correctly (often overlapping). Vulnerable systems can experience errors in the reassembly process, leading to CPU/memory exhaustion, crashes, or instability in the network stack. The question highlights “manipulated offset fields and overlapping payload offsets,” “repeated attempts to reconstruct,” and “deliberately malformed offsets that trigger processing errors rather than a simple flood,” which are all core teardrop characteristics.

The impact described—system crashes and service disruption without abnormal bandwidth usage—also fits. This is not a volumetric DoS (like ICMP flood); it’s a malformed-packet attack that targets protocol stack processing. The key is that the attacker is exploiting how the target handles fragmented packets, causing excessive processing and failure during reassembly.

Why the other options are less accurate:

Fragmentation attack (A) is a broader category and could include many fragmentation-based manipulations, but “overlapping offsets causing reassembly failure” is the classic teardrop pattern.

ICMP flood (B) is bandwidth/packet-rate driven and does not involve IP fragment offset manipulation.

Ping of Death (D) involves oversized ICMP packets (often via fragmentation) exceeding maximum IP size, causing crashes on vulnerable stacks; the scenario instead emphasizes overlapping offsets and reassembly logic errors rather than oversized packet size.

Therefore, Sofia is most likely simulating C. Teardrop Attack.

This phase is Information Gathering, the first and most foundational step in an IoT penetration test methodology described in CEH-aligned material. The goal here is to build an accurate inventory of the IoT environment and understand how devices communicate, what hardware and software versions are present, and which protocols and interfaces are in use. Jordan is collecting device models, manufacturer names, firmware versions, and supported protocols such as Zigbee and BLE. That activity maps directly to enumeration and profiling of the target IoT ecosystem, which is performed before any intrusive testing. In CEH methodology terms, this step helps identify the attack surface, including wireless interfaces, management ports, cloud backends, mobile apps, and gateways that bridge IoT networks to enterprise networks.

Information gathering is crucial because IoT risk is highly dependent on specific device types and firmware builds. Knowing a firmware version can reveal whether known CVEs apply, whether default credentials are likely, or whether insecure services are commonly enabled. Identifying Zigbee and BLE indicates potential avenues for wireless assessment, such as insecure pairing, weak encryption or key handling, misconfigured access control, and protocol-specific weaknesses.

The other options occur later. Vulnerability scanning is the step where the tester actively checks the identified devices and services for weaknesses using scanners, enumeration probes, or targeted validation. Launch attacks and gain remote access are exploitation steps that follow planning and discovery. Since Jordan is only documenting and understanding the ecosystem, the correct step is Information gathering.

The correct answer is A, Mimikatz. In CEH system hacking and post-exploitation topics, Windows credential attacks commonly focus on hashes, cached credentials, Kerberos tickets, and authentication material stored in memory or in Windows credential stores. The CEH-related material identifies Mimikatz as the de facto standard tool for extracting credentials from Windows memory and states that it can steal hashes, PIN codes, and Kerberos tickets from memory, as well as support pass-the-hash, pass-the-ticket, and Golden Ticket attacks. This directly matches the question’s phrase “dumps Windows hashes.” John the Ripper is mainly a password-cracking tool used after hashes are obtained. Hydra is primarily an online login/password attack tool for network services. Aircrack-ng is used mainly for wireless password/key cracking. Therefore, among the options, Mimikatz is the tool most specifically associated with dumping Windows credentials and hashes during the system hacking phase.

CEH v13 describes relay attacks as credential forwarding techniques where attackers trick systems into authenticating to malicious servers, capturing hashes, and relaying them to privileged services. The described scenario aligns exactly with the PetitPotam attack, a known MS-EFSRPC abuse method that forces Windows domain controllers to perform NTLM authentication to attacker-controlled hosts. CEH discusses how relay attacks combined with Active Directory Certificate Services (AD CS) misconfigurations can allow attackers to request privileged certificates, effectively gaining domain administrator privileges without cracking hashes or accessing LSASS. CRIME (Option B) targets TLS compression and is unrelated. Browser token theft (Option C) applies to web sessions, not domain controllers. Session donation (Option D) is not part of Windows authentication hijacking. Thus, the scenario clearly represents a PetitPotam NTLM relay attack.

According to CEH v13 Security Operations and Incident Response, the first step in incident handling is identification and analysis, not immediate containment or remediation. The observed sequence—failed logins followed by abnormal outbound traffic—suggests a potential compromise, but the exact nature, scope, and impact are still unknown.

Option C aligns precisely with CEH v13’s incident response lifecycle. Real-time monitoring and detailed log analysis allow the analyst to determine whether the activity represents credential stuffing, brute-force compromise, malware-based exfiltration, or a false positive. This step preserves evidence, establishes timelines, and helps identify indicators of compromise (IOCs).

Immediately disconnecting the server (Option B) may be necessary later, but doing so prematurely can destroy volatile forensic evidence, disrupt business operations, and alert the attacker. Auditing outbound traffic alone (Option A) is too narrow and skips proper correlation of authentication logs, system logs, and process activity. Forcing credential changes (Option D) without understanding the attack vector may fail to stop malware-based persistence.

CEH v13 emphasizes that containment actions must be informed by analysis, otherwise organizations risk responding to symptoms rather than root causes. Therefore, the correct initial action is to observe, analyze, and identify, making Option C the correct answer.

The correct answer is A. Passive Online Attack.

The analyst is not directly guessing passwords, forcing authentication, or stealing a password database for later cracking. Instead, he is positioned on the network and sniffing authentication exchanges while legitimate users authenticate normally.

CEH-aligned password attack material defines a passive online attack as sniffing network traffic in the hope of intercepting a clear-text password, capturing authentication material, replaying authentication, or performing man-in-the-middle activity . Another CEH reference states that passive online password hacking can be performed by sniffing packets and capturing clear-text passwords or hashes for later analysis .

Option B. Non-Electronic Attack is incorrect because non-electronic attacks include methods such as shoulder surfing, dumpster diving, and social engineering.

Option C. Active Online Attack is incorrect because active online attacks involve directly communicating with the victim system, such as password guessing or brute-force attempts.

Option D. Offline Attack is incorrect because offline attacks involve stealing password hashes or files and cracking them separately.

Option A. Passive Online Attack is correct because the analyst captures authentication traffic by monitoring the network.

Therefore, the best answer is A. Passive Online Attack.

The correct answer is C. Initial Sequence Number (ISN).

The question specifically states that the analyst records the sequence numbers returned in SYN/ACK responses and analyzes whether those values are predictable or incremental. That means the analyst is examining the target’s Initial Sequence Number generation behavior.

CEH session hijacking material explains that during the TCP three-way handshake, the server responds with a SYN/ACK that includes an ISN, or Initial Sequence Number . It also states that sequence numbers are important for reliable communication and can be crucial in hijacking because an attacker must successfully guess or predict sequence numbers . Another CEH-aligned reference explains that the ISN is exchanged during the handshake and that sequence-number behavior can reveal implementation characteristics .

Option A. TCP Timestamp Analysis is incorrect because TCP timestamp analysis examines timestamp option values, clock behavior, or uptime estimation, not SYN/ACK sequence-number generation.

Option B. TCP Window Size is incorrect because TCP window size refers to how much data can be sent before acknowledgment is required. It is not the sequence-number attribute described in the question.

Option D. Time to Live (TTL) is incorrect because TTL is an IP header field used to limit packet lifetime and can help infer OS or hop distance, but it is unrelated to SYN/ACK sequence-number predictability.

Therefore, the best answer is C. Initial Sequence Number (ISN).

The correct answer is C. Ping method by sending packets with an incorrect MAC address.

The scenario describes testing whether a network card is processing packets not intended for it. That is exactly what promiscuous mode does. In promiscuous mode, a NIC accepts frames even when they are not addressed to its own MAC address.

CEH sniffing material explains that the Ping Method detects a sniffer by sending a ping request to the suspect IP address with a spoofed MAC address. If the NIC is not in promiscuous mode, it will not respond. If the suspect system is running a sniffer, it may respond to the packet .

Option A. DNS method is incorrect because the scenario does not describe reverse DNS lookup behavior.

Option B. NSE script can be used for promiscuous-mode detection in some cases, but the question specifically describes crafted packets used to test acceptance of traffic not addressed to the host.

Option D. ARP method is another sniffer detection method, but it relies on non-broadcast ARP cache behavior. The scenario’s wording most directly matches the ping method with an incorrect or spoofed MAC address.

Therefore, the best answer is C. Ping method by sending packets with an incorrect MAC address.

The correct answer is A. Firmware update attack because the scenario describes an attacker delivering an unauthenticated, non-cryptographically verified update/package to a controller and successfully altering its operational logic. In IoT/OT environments, controllers (PLCs, RTUs, PACs, and embedded industrial devices) often support updating firmware or logic over the network for maintenance. If the device does not verify the source, integrity, and authenticity of update packages—typically through signed firmware, certificates, and secure update channels—an attacker can replace legitimate code with a maliciously modified version.

Sameer’s demonstration maps directly to a firmware/logic update compromise: he uploads “altered instructions” and changes how the controller processes commands during operations. This is exactly the type of risk highlighted in OT security: unauthorized modification of controller logic can cause unsafe states, disrupt production, damage equipment, or create stealthy manipulation that is difficult to detect. The explicit mention of “without checking the origin or cryptographic validity” indicates missing controls like digital signatures, hash verification, and trusted update mechanisms, which are central to firmware update security.

Why the other options are less accurate: Forged malicious device usually refers to introducing a rogue or cloned device into the environment to impersonate legitimate equipment. Remote access using backdoor implies an existing hidden access mechanism rather than abuse of the update mechanism itself. Exploit kits are typically collections of exploits used to compromise systems, commonly discussed more in endpoint/web contexts; they don’t specifically describe the act of pushing an altered firmware/logic package that the controller accepts due to missing validation.

Therefore, the technique is best categorized as a firmware update attack, leveraging weak or absent authenticity/integrity checks on update packages to modify OT controller behavior.

Operational Technology and ICS environments often suffer from misconfigurations such as unchanged factory-default passwords. CEH identifies exploiting default credentials as a direct and effective method because ICS devices frequently lack strong authentication controls. Using these built-in credentials grants immediate unauthorized access to supervisory controls, enabling adversaries to manipulate configurations, disrupt processes, or escalate attacks across critical systems.

In CEH v13 Information Security and Ethical Hacking Overview, script kiddies are defined as individuals with limited technical knowledge who rely on pre-written tools, scripts, and exploits created by others to carry out attacks. They typically lack a deep understanding of how the underlying exploits work.

CEH v13 categorizes attackers based on skill level and intent. Script kiddies sit at the lower end of the skill spectrum. They often download exploit kits, automated scanners, or attack frameworks and run them with minimal customization. While their attacks may be unsophisticated, they can still cause damage due to the availability of powerful tools.

Option B accurately reflects this definition. Options A and D describe skilled attackers or programmers, which contradicts the CEH classification. Option C is incorrect because ethical hackers use tools responsibly with authorization and possess a strong understanding of security principles.

CEH v13 emphasizes that although script kiddies are less skilled, they pose a risk because automation allows them to exploit known vulnerabilities at scale. This is why organizations must patch systems promptly and implement baseline security controls.

Thus, Option B is the correct answer.