Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

The correct answer is B. Launching SQL Injection Attacks because the scenario describes moving beyond merely locating inputs or detecting error behavior and into actively sending injection payloads that successfully alter query logic and change returned results. In a typical CEH-aligned SQL injection workflow, testers begin by identifying where user-controlled input enters the application (forms, URL parameters, cookies, headers), then perform basic tests to detect whether inputs affect backend SQL processing. Once a suspected injection point is found, the next step is to launch SQL injection attempts using crafted inputs designed to manipulate the query and demonstrate impact.

In this case, you “craft and submit multiple malicious inputs,” and one payload “successfully manipulates the backend query,” causing the application to return “additional appointment data that was not intended to be displayed.” That outcome is a clear indicator that exploitation is underway: the injection is not hypothetical—it is functioning and changing the application’s behavior in a way that reveals unauthorized data. This is characteristic of executing an SQL injection attack (in-band exploitation), such as using boolean logic manipulation (e.g., conditions that expand result sets) or other query-altering techniques. The emphasis is on the successful manipulation and unauthorized data exposure, which aligns with the attack execution phase.

Why the other options are less correct: Identifying Data Entry Paths would be earlier, when you locate the patient search field as a candidate parameter. Information Gathering and Vulnerability Detection generally refers to discovering and confirming the presence of weaknesses (often via initial probes, errors, or abnormal responses) rather than a confirmed payload that already returns unauthorized data. Database Enumeration is typically the follow-on step once exploitation is confirmed, where the tester extracts metadata such as database names, tables, columns, users, and versions. Here, you are demonstrating the injection’s ability to retrieve extra records, which is the exploitation/attack-launch stage, not full enumeration yet.

Therefore, the step being performed is Launching SQL Injection Attacks.

The correct answer is C. Analyze Firmware.

The firmware image has already been obtained. The tester is now inspecting the binary to understand its format, architecture, readable strings, and low-level structure. This is part of the Analyze Firmware stage.

The referenced firmware analysis material lists commands such as file < bin > , strings, strings -n5 < bin > , strings -tx < bin > , binwalk < bin > , and hexdump -C < bin > as firmware analysis activities used to inspect firmware content and structure .

Option A. Extract the Filesystem is incorrect because filesystem extraction would involve extracting embedded filesystems from the firmware image, commonly with tools such as binwalk -e.

Option B. Obtain Firmware is incorrect because the question states that the tester already received the firmware image.

Option D. Emulate Firmware is incorrect because emulation involves running or simulating the firmware environment, which has not yet occurred.

Therefore, the best answer is C. Analyze Firmware.

The correct answer is Credentialed Scanning. CEH vulnerability assessment guidance explains that credentialed scans use authorized login access on the target system so the scanner can inspect the machine from the inside with a much higher level of accuracy and detail. That is why credentialed scanning can identify installed updates, local policy settings, configuration inconsistencies, file permissions, registry issues, and patch gaps that are not always visible from an external network perspective. The question specifically mentions granular host-level findings that required direct system-level inspection, which is a strong indicator that valid credentials were used to query the target systems. Non-credentialed scanning, by contrast, relies on remote observation and network-visible characteristics, so it generally cannot provide the same depth of internal host information. Automated scanning is too broad a label, and application scanning is limited to application-layer targets rather than host operating-system posture. CEH materials consistently note that credentialed scans produce more accurate vulnerability results and reduce false positives because the scanner can verify software versions, patch states, and security settings directly on the target machine rather than merely inferring them from banners or exposed services.

The correct answer is B. Worm because the defining behavior described is self-replication and autonomous propagation across multiple systems without requiring additional user interaction after the initial infection. In CEH-aligned malware classifications, a worm is a standalone malicious program that can spread automatically over networks by copying itself to other hosts. Worms commonly leverage shared resources (such as shared folders), weak configurations, and credential weaknesses (such as weak administrative passwords or credential reuse) to move laterally and infect additional machines at scale.

The scenario includes multiple classic worm characteristics: (1) only one workstation is initially targeted, (2) the malware then “automatically copies itself into shared folders,” and (3) it spreads using “weak admin credentials,” resulting in rapid infection of “dozens of computers.” That pattern fits worm propagation mechanisms such as exploiting administrative shares, remote execution through obtained credentials, and leveraging network-accessible paths to drop copies of itself. The key discriminator is automation: after initial placement, the malware does the rest, scanning for reachable systems or shares and replicating to them without needing a user to click attachments or run the payload again.

Why the other options are not correct: a logic bomb is typically dormant code that triggers a malicious action when a specific condition or time is met; it is not defined by self-propagation. A backdoor provides unauthorized access for later control, but it does not inherently replicate across the network on its own. Fileless malware emphasizes execution primarily in memory using legitimate tools (e.g., PowerShell/WMI) and minimal disk artifacts; while fileless techniques can be used for lateral movement, the scenario’s emphasis is on the malware copying itself into shared folders and spreading widely, which is the hallmark of a worm.

Therefore, Sophia is most likely demonstrating a worm.

Fragmentation is a well-known firewall and IDS evasion technique covered in CEH materials. The attacker breaks a malicious packet into smaller IP fragments so that simple filtering devices, especially those relying mainly on basic header checks or stateless rules, may fail to reconstruct the original payload and therefore miss the malicious content. To counter this, defenses must track packet state and perform reassembly or validation of fragmented traffic so the security control can evaluate the complete communication stream rather than isolated fragments.

Stateful Packet Inspection is the control most aligned with this requirement. A stateful inspection firewall maintains a state table of active connections and monitors traffic as part of an ongoing session. Because it tracks session context, it can handle fragmented packets more effectively by correlating fragments to the original flow and applying policy after reconstructing or normalizing traffic. In CEH-aligned descriptions, this directly reduces the effectiveness of fragmentation-based evasion, overlapping with the concept of traffic normalization that removes ambiguity attackers try to exploit.

Deep Packet Inspection examines payload beyond headers, but the key success factor in stopping fragmentation evasion is state tracking and reassembly, which is characteristic of stateful inspection and state-aware security devices. Signature-based and anomaly-based detection can help detect malicious patterns or unusual behavior, but without reliable reassembly and session context, fragmented payloads may not match signatures and may appear benign in isolation. Therefore, the most likely measure used to identify and block fragmented packets in this scenario is Stateful Packet Inspection.

CEH v13 defines a Trojan as malware that appears as a legitimate, trusted software application while secretly executing malicious actions behind the scenes. Trojans rely on deception rather than replication, often masquerading as tools, utilities, updates, or installers. Once executed, they may install backdoors, steal credentials, exfiltrate data, or modify system settings. The defining characteristic emphasized in CEH is the legitimate-looking façade combined with hidden malicious intent, which matches the scenario perfectly. Spyware (Option B) focuses on monitoring and data collection but does not necessarily disguise itself as legitimate software. Worms (Option C) self-replicate across networks, which is not described here. Rootkits (Option D) hide system compromise but do not necessarily pose as legitimate software. Therefore, the malware described is a Trojan.

CEH v13 defines passive reconnaissance as information gathering without interacting directly with the target or alerting them. The goal is to remain undetected while collecting intelligence from publicly available sources.

Directly interacting with a threat actor on forums—even under a pseudonym—constitutes active engagement. CEH v13 warns that such interaction risks exposure, attribution, and legal complications. It can alert the adversary, cause them to alter behavior, or even retaliate.

WHOIS lookups, DNS queries, archived web content, and anonymous browsing are all passive techniques endorsed in CEH v13. These methods do not notify the target and leave minimal trace.

Thus, Option A should be avoided to maintain a low profile.

The correct answer is D. ntpq -p [host].

The scenario requires querying the active NTP service to review its current associations and operational state. The ntpq utility is designed to query and monitor the NTP daemon. CEH-aligned NTP enumeration material states that ntpq is a command-line utility used to query the NTP server, monitor ntpd operations, and determine performance. It also states that the -p option prints a list of peers known to the server and summarizes their state .

Option A. ntptrace is incorrect because ntptrace follows the chain of NTP servers back to the primary time source. The scenario specifically says Kevin is not tracing the upstream hierarchy.

Option B. ntpq [-inp] [-c command] [host] [...] is a general syntax form for ntpq, but the most precise command for viewing peer associations and state is ntpq -p [host].

Option C. ntpdc is incorrect because although ntpdc can query ntpd, it is more associated with querying daemon state and requesting state changes. The question asks for the command to review current associations and operational status, which is most directly matched by ntpq -p.

Option D. ntpq -p [host] is correct because it directly queries the NTP service and prints peer association/status information.

Therefore, the best answer is D. ntpq -p [host].

The correct answer is C, Parameter tampering. In web application hacking, hidden fields are HTML form fields used to pass values back to the server, but they are only hidden from normal browser display, not from the user or attacker. CEH web application material explains that hidden fields are embedded in HTML forms to maintain values sent back to the server, and attacks challenge the assumption that hidden fields cannot be viewed or modified by examining the HTML source and changing the request before it reaches the server. This directly matches parameter tampering because the attacker modifies client-side parameters such as form fields, cookies, query strings, or URL parameters to alter application behavior. CEH material also describes parameter/form tampering as manipulating parameters during client-server communication, including URL values and web page form fields. SQL injection targets database queries, XSS injects script into pages, and CSRF tricks authenticated users into submitting unwanted requests. Hidden-field manipulation is therefore a form of parameter tampering.

The Certified Ethical Hacker (CEH) Malware Threats module explains that attackers often abuse legitimate system services to blend malicious traffic with normal system behavior. Background Intelligent Transfer Service (BITS) is a Windows service designed to transfer files in the background using idle network bandwidth.

Attackers leverage BITS because its traffic closely resembles legitimate Windows Update traffic, which is commonly allowed through firewalls and proxy servers. CEH documentation states that BITS-based malware can download payloads, upload stolen data, and maintain persistence without triggering security alerts.

Option A is correct because BITS traffic appears legitimate and trusted, making it difficult for security devices to distinguish malicious usage.

Option B is incorrect because BITS does not operate exclusively through HTTP tunneling; it primarily uses HTTP/HTTPS in a legitimate manner.

Option C is incorrect because IP fragmentation is not a core feature of BITS.

Option D is incorrect because BITS does not rely on encrypted DNS traffic.

CEH emphasizes that living-off-the-land (LotL) techniques—using native tools like BITS—are increasingly favored by attackers due to their stealth and reliability.

The correct answer is C, Graphical Identification and Authentication DLL. GINA (Graphical Identification and Authentication) is a Microsoft Windows component historically responsible for handling interactive logon functions, including user authentication, secure attention sequences (such as Ctrl+Alt+Del), password changes, and user session management. In CEH system hacking and password attack topics, GINA is often discussed because attackers may attempt to replace or modify authentication-related components to capture user credentials. Malicious programs and credential-stealing tools have historically targeted the GINA mechanism to intercept usernames and passwords entered during the Windows logon process.

Understanding GINA is important in ethical hacking because it illustrates how authentication systems can be abused when attackers gain sufficient privileges on a system. Such attacks are closely related to credential theft, privilege escalation, keylogging, and persistence techniques. The other options are not valid security terms associated with Microsoft authentication architecture. Therefore, from a CEH perspective, GINA refers to the Graphical Identification and Authentication Dynamic Link Library used by older Windows operating systems to manage interactive authentication processes.

CEH’s social engineering principles highlight psychological manipulation techniques such as authority, urgency, trust exploitation, and impersonation. In this scenario, the attacker leverages “perceived authority,” a powerful influence tactic where the social engineer poses as someone with legitimate power or sanctioned access—such as a technician, auditor, or vendor representative. CEH emphasizes that referencing real employee names, using technical terminology, and impersonating trusted third-party partners increases believability and reduces verification resistance. The receptionist’s acceptance of the attacker’s presence without verifying credentials matches classical authority-based exploitation. Leaked credentials, physical security logs, and network segmentation issues do not relate to human-layer social engineering. The situation clearly reflects the manipulation of trust and authority as described in CEH’s psychological attack vectors.

The correct answer is C. Leveraging DDoS Prevention Offerings from an ISP or DDoS Mitigation Service.

The scenario describes a large-scale DDoS attack that exceeds the organization’s local mitigation capacity. The traffic is rerouted through an upstream filtering or scrubbing infrastructure that absorbs malicious traffic and forwards legitimate traffic back to the organization. This is the function of an ISP-backed or specialized DDoS mitigation/scrubbing service.

CEH-aligned DDoS countermeasure material notes that, for a true DDoS attack, the practical answer is often involvement of the upstream ISP because endpoint-level defenses may not keep up with a sophisticated global botnet attack .

Option A. RFC 3704 Filtering is incorrect because ingress/egress filtering helps reduce spoofed traffic but does not describe large-scale traffic scrubbing.

Option B. Cisco IPS Source IP Reputation Filtering is incorrect because source reputation filtering alone does not match upstream traffic rerouting and scrubbing.

Option D. Black Hole Filtering is incorrect because blackholing drops traffic, often including legitimate traffic, while the scenario says clean traffic is forwarded back to the retailer.

Therefore, the best answer is C. Leveraging DDoS Prevention Offerings from an ISP or DDoS Mitigation Service.

According to CEH v13 Security Operations and Incident Response, backdoors are stealth mechanisms that allow attackers persistent access. Indicators such as unexplained outbound traffic, unauthorized file modifications, and irregular reboots strongly suggest post-compromise persistence mechanisms.

CEH v13 recommends a behavioral and host-based detection approach for backdoor identification. Continuous monitoring of system and file activity helps detect unauthorized binaries, registry changes, and scheduled tasks. Anomaly detection identifies deviations from normal system behavior, which is critical for uncovering hidden backdoors that evade signature-based detection.

Additionally, advanced anti-malware tools with heuristic and memory analysis capabilities are essential to identify sophisticated backdoors that traditional antivirus may miss. These tools can detect rootkits, fileless persistence, and covert communication channels.

The other options are preventative but not investigative. Immediate reboots may destroy volatile evidence, while password policies and ACLs do not detect existing compromises. Therefore, option B provides the most effective and CEH-aligned response.

The correct answer is C, Preparation. In the incident response lifecycle, preparation is the stage performed before an actual incident occurs. This phase focuses on making the organization ready to respond effectively by creating the incident response plan, forming the incident response team, assigning roles and responsibilities, defining escalation paths, and testing communication procedures. CEH incident management material lists “Preparation for Incident Response” as the first incident response process before detection, classification, notification, containment, investigation, eradication, recovery, and post-incident activities. It also emphasizes setting up an incident response team, identifying the people who should be contacted during an intrusion, and defining lines of communication. Containment occurs after an incident is detected and aims to limit damage. Notification involves informing affected users or stakeholders. Recovery restores affected systems to normal operation. Since building the team and testing communication happen before an incident, the correct phase is Preparation.