Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

Google Hacking, also known as Google Dorking, is a passive reconnaissance technique covered in CEH v13 Reconnaissance Techniques. It involves using advanced search operators to uncover sensitive information that has been inadvertently indexed by search engines.

CEH v13 explains that Google Hacking can reveal exposed files, directories, configuration files, backups, login portals, error messages, and sensitive documents. This information often resides on the Deep Web, meaning it is not easily accessible through normal browsing but is still indexed by search engines.

Option D correctly reflects this capability. Google Hacking does not analyze source code directly (Option A), map internal networks (Option C), or primarily detect phishing sites (Option B), although it may indirectly assist with those tasks.

Because Google Hacking relies solely on publicly available data and does not interact directly with target systems, it fits perfectly within passive footprinting, making it legally and ethically appropriate when authorized.

CEH v13 emphasizes Google Hacking as a powerful method to identify unintended data exposure. Therefore, Option D is the correct justification.

CEH v13 explains that ARP poisoning (also known as ARP spoofing) occurs when an attacker sends forged ARP replies across the network to associate their MAC address with multiple IP addresses, tricking hosts into sending traffic through the attacker’s machine. This results in routing inconsistencies, intermittent connectivity, failed logins, and degraded intranet performance—exactly the symptoms described. ARP poisoning typically involves unsolicited ARP replies, which overwrite legitimate ARP cache entries. CEH emphasizes that ARP-based attacks are common on LANs because ARP lacks authentication, allowing attackers to impersonate gateways or key hosts. DHCP snooping misconfigurations (Option B) affect IP allocation, not ARP mappings. Legitimate ARP refreshes (Option C) are request-based and do not involve flooding unsolicited replies. Port security restrictions (Option D) block MAC anomalies, not create them. Therefore, ARP poisoning is the correct root cause.

CEH guidance for web server hardening prioritizes controls that reduce exploitable conditions across the broadest set of threats. While obscuring paths (for example, unusual directory names like “certrcx” or storing content under “/admin/web”) may slightly slow down casual discovery, CEH emphasizes that security through obscurity is not a reliable control. If an attacker can identify the server root, document root, and virtual directory structure (through misconfigurations, directory listing, error leakage, backup exposure, or known-path enumeration), then the real risk becomes unpatched vulnerabilities in the web server, modules, libraries, and underlying OS.

Regularly updating and patching the server software is the most direct, high-impact countermeasure because it closes known vulnerabilities attackers routinely exploit (RCE, privilege escalation, auth bypass, path traversal, request smuggling, etc.). CEH materials also stress that virtual hosting expands the attack surface (multiple sites, shared services, shared misconfigurations), making systematic patching and configuration management even more important.

Option A (moving the document root to a different disk) may help with organization and, in some cases, recovery planning, but it does not inherently reduce vulnerabilities. Option C (changing IPs) is not a security control; it may complicate blocking lists but doesn’t fix the underlying weakness. Option D (using LAMP) is an architectural choice, not a security measure by itself—an open-source stack can still be insecure if misconfigured or unpatched.

Therefore, CEH-aligned best practice is regular patching and updates.

CEH teaches that ARP-based attacks vary in sophistication from basic poisoning to more specialized techniques such as switch port stealing. In environments where ARP poisoning defenses or inspection tools limit traditional attacks, attackers may exploit timing vulnerabilities in ARP reply behavior. Switch port stealing works by sending spoofed ARP replies at precisely the right moment—before the legitimate ARP response from the target host—causing the switch’s CAM table to update temporarily and associate the target’s IP address with the attacker’s MAC address. CEH emphasizes that switches trust the latest ARP update, so even brief timing windows enable partial packet interception. This is different from fully persistent ARP poisoning, which continuously overwrites ARP tables, and from passive sniffing, which cannot capture unicast traffic on a switched network. This attack is particularly useful when ARP spoofing is mitigated because it relies on opportunistic timing rather than full table poisoning. The intermittent nature of intercepted packets matches CEH’s description of switch port stealing behavior.

The correct answer is A. Creepy because the task is specifically about extracting and analyzing geolocation information (geotags) from publicly shared media and mapping that data to real-world locations to infer employee movement patterns. In CEH-aligned reconnaissance/OSINT workflows, geolocation intelligence is a common element of footprinting because it can reveal sensitive operational details such as office locations, travel routines, meeting venues, home addresses, and patterns of presence/absence. Tools designed for geolocation OSINT help testers identify whether staff are unintentionally exposing location metadata through social media posts, uploaded photos, or other public sources.

Creepy is purpose-built for geolocation reconnaissance: it collects location metadata associated with content and presents results in a way that supports mapping and timeline-style analysis, helping analysts correlate people, posts, and coordinates. This directly supports the goal of evaluating whether employees are disclosing sensitive information about office routines by publishing geotagged images. When used in an authorized assessment, such tooling helps demonstrate risk in a measurable way—for example, showing clusters of posts around a specific building, repeated visits at predictable times, or regular travel routes that could support surveillance, targeted social engineering, or physical intrusion planning.

Why the other options are less suitable: Social Searcher is primarily used for monitoring and searching social media content by keywords, usernames, hashtags, and mentions; it is useful for broad OSINT collection but is not specifically focused on geotag extraction and movement mapping. Sherlock is designed to find a username across many platforms, helping link identities, but it does not specialize in geolocation mapping. Maltego is a powerful link-analysis platform that can correlate entities (people, domains, emails, social profiles) and can support OSINT investigations, but for the narrow requirement of extracting and mapping geotagged location data from media, Creepy is the most direct and purpose-specific tool.

Therefore, the best tool for this geotagged image movement analysis task is Creepy.

CEH notes that cloud IAM misconfigurations can unintentionally grant broad access. If any authenticated cloud account is permitted read/write access, attackers can simply authenticate with their own cloud identity and directly interact with the misconfigured storage buckets, enabling data exfiltration or manipulation.

This scenario represents a Botnet-Based Distributed Denial-of-Service (DDoS) attack, as described in CEH v13 Network Attacks. Compromised internal devices become part of a botnet and are used to launch attacks against external targets.

CEH v13 notes that botnets frequently include IoT devices and employee workstations, making insider-originated DDoS activity a serious concern.

CEH v13 explains that WPA3 introduces SAE (Simultaneous Authentication of Equals), which resists traditional offline dictionary and brute-force attacks by removing crackable handshake material. Because WPA3 prevents attackers from capturing a reusable handshake, the most practical offensive method is to force a downgrade attack, tricking clients into associating using WPA2 instead of WPA3. Once the victim reconnects under WPA2-PSK, the attacker captures the standard 4-way handshake, which can then be cracked offline using dictionary or GPU-accelerated brute-force methods. CEH discusses downgrade attacks as a significant real-world threat when mixed-mode configurations are enabled or when access points fail to enforce strict WPA3-only operation. Options B and C are ineffective because WPA3 handshake materials cannot be brute-forced offline. Option D is unrelated to Wi-Fi encryption. Downgrading to WPA2 is the most effective and widely documented attack path.

The correct answer is C. Regenerate the session ID after a successful login to prevent session fixation attacks because the weakness described is the textbook condition for session fixation. In session fixation, an attacker sets or predicts a victim’s session identifier before the victim authenticates (for example, by sending a crafted link containing a session ID, forcing a known token into the victim’s browser via a URL parameter, or leveraging an application behavior that creates a session for unauthenticated users). If the application fails to issue a new session identifier after authentication, the attacker can reuse the already-known session ID once the victim logs in, effectively taking over the authenticated session.

The scenario explicitly states that “the same authentication token assigned before login continues to be valid without being refreshed,” and that the attacker could “trick a victim into authenticating with a value already known to the attacker.” Those statements describe session fixation precisely: authentication is “bound” to a pre-existing session identifier rather than a newly generated post-login token. The most direct and widely recommended mitigation is to invalidate the old session and regenerate a fresh session ID immediately after successful authentication (and also after privilege changes such as elevating to an admin role). This breaks the attacker’s knowledge advantage, because even if they forced a pre-login session ID, it becomes useless after login.

Why the other options are less correct: A (SSL/TLS) protects confidentiality and integrity in transit but does not prevent an attacker from fixing a session ID if they can set it through other means. B (restrictive cache directives) helps prevent sensitive pages from being stored in caches but does not address session ID reuse. D can reduce exposure by limiting pre-auth sessions, but many applications legitimately require them (shopping carts, CSRF tokens), and it is not as direct or complete as regenerating the session identifier at authentication boundaries.

Therefore, the correct countermeasure is to regenerate the session ID after login.

According to CEH v13, one of the most effective defenses against rogue DHCP servers is DHCP snooping, a Layer 2 security feature that classifies switch ports as either trusted or untrusted. DHCP responses are permitted only on trusted ports, typically those connected to legitimate DHCP servers. Any DHCP OFFER or ACK originating from an untrusted port is dropped automatically. In the scenario, the rogue DHCP server is sending unauthorized configuration settings because the switch is forwarding DHCP messages from all ports without restriction. CEH specifically warns that unmanaged or misconfigured switches allow rogue DHCP servers to assign malicious DNS, gateway, or IP configurations, enabling traffic redirection, interception, or man-in-the-middle attacks. ARP inspection (Option B) protects against ARP spoofing but not DHCP abuses. Port security (Option C) prevents MAC flooding, not DHCP impersonation. Static reservations (Option D) do not scale and do not stop rogue DHCP servers. DHCP snooping directly mitigates this threat.

CEH methodology stresses prioritization based on risk, exploitability, and business impact. High-severity vulnerabilities—especially those related to outdated or unsupported server software—are frequently associated with known, publicly documented exploits. The proper next step after identifying such vulnerabilities is to confirm exploitability safely, typically by researching available exploit code, validating version-specific weaknesses, and determining whether the vulnerability can be successfully leveraged under the defined scope of engagement. CEH highlights that exploitation attempts must be evidence-driven, not arbitrary, and focusing on high-risk vulnerabilities allows testers to demonstrate meaningful security impacts. Brute-forcing (Option A) is unnecessary and high-noise. Ignoring or deprioritizing the high-risk finding (Options B and C) contradicts CEH risk-based assessment principles. Therefore, verifying exploitability of the high-risk vulnerability is the correct step.

According to the CEH Network and Perimeter Security module, one of the most effective and widely used firewall evasion techniques is the use of encrypted communication channels. When traffic is encrypted using protocols such as HTTPS, TLS, or VPN tunnels, traditional firewalls and packet-inspection tools may be unable to inspect payload contents unless SSL/TLS inspection is explicitly enabled.

CEH documentation explains that attackers commonly encrypt command-and-control (C2) traffic to:

Blend in with legitimate encrypted traffic

Bypass content-based inspection

Evade signature-based detection

Option B is therefore correct.

Option A (IP spoofing) is less effective against stateful firewalls.

Option C is a human-focused attack, not firewall evasion.

Option D has no relevance to firewall bypass techniques.

CEH highlights encryption misuse as a major blind spot in perimeter defenses.

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies “Insecure Data Storage” as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

The best answer is Block all unnecessary ports, ICMP traffic, and unnecessary protocols such as NetBIOS and SMB. CEH web server hardening guidance emphasizes reducing the attack surface of internet-facing servers by disabling or filtering unnecessary services and protocols that are not required for web operation. In the scenario, Apache was compromised through an outdated vulnerability, but the answer options ask for the best hardening strategy among the listed choices. Option C reflects standard server-hardening practice by minimizing exposed network services and blocking protocols that are irrelevant or risky on a web server. A dedicated machine can support separation of roles, but it does not directly address service exposure. A risk assessment is useful for prioritization, not as the immediate control itself. Eliminating unnecessary files within jar files is not a standard Apache-specific hardening measure. CEH materials consistently recommend hardening web servers by closing unnecessary ports, disabling superfluous protocols, limiting reachable services, and reducing the overall attack surface in addition to patching. Among the available options, blocking unnecessary ports and protocols is the most appropriate security recommendation.

Information Leakage is the most accurate threat category because the scenario centers on sensitive data becoming publicly accessible through unintended disclosure. In CEH coverage, information leakage refers to the exposure of confidential or internal details to unauthorized parties through oversharing, misconfiguration, poor operational security, or improper handling of information. Here, the data is already visible on public forums, meaning an attacker does not need to exploit a vulnerability in a system directly at first; they can simply collect and correlate exposed details such as employee names, email formats, internal hostnames, software versions, configuration snippets, IP ranges, or screenshots.

This aligns strongly with reconnaissance and OSINT techniques emphasized in CEH: adversaries routinely harvest publicly available information to build an attack plan, identify privileged targets, guess usernames, craft phishing lures, locate externally exposed services, or tailor further exploitation using revealed versions and settings. While social engineering can be a follow-on step, the core issue described is not persuading users to reveal information interactively. Instead, the organization’s risk stems from information already leaked due to careless online behavior.

Corporate espionage is a motive rather than a specific technique category, and system and network attacks describe active exploitation and intrusion attempts, which come after the intelligence-gathering stage. Therefore, to simulate the adversary’s method of gathering what has been exposed, Michael should focus on information leakage: identifying what is publicly disclosed, how it can be aggregated, and what attack paths it enables, then recommending containment and policy and awareness controls.