Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

Cloud-based antivirus relies on data collected from endpoint devices and sends that data to cloud servers for real-time malware analysis. This allows rapid updates and detection of new threats without waiting for local signature updates.

???? Reference – CEH v13 Official Study Guide, Module 20: Cryptography and Malware

“Cloud-based detection systems analyze suspicious files and behaviors in the provider’s environment, enabling faster response and reduced endpoint resource usage.”

❌ Incorrect options:

A. Behavioral-based detection monitors live activity locally.

B. Heuristic-based detection uses rules or behavior patterns locally.

C. Honeypots are decoys for detecting attackers, not antivirus methods.

*REST is not a specification, tool, or framework, but instead is an architectural style for web services that serves as a communication medium between various systems on the web. *RESTful APIs, which are also known as RESTful services, are designed using REST principles and HTTP communication protocols RESTful is a collection of resources that use HTTP methods such as PUT, POST, GET, and DELETE

RESTful API: RESTful API is a RESTful service that is designed using REST principles and HTTP communication protocols. RESTful is a collection of resources that use HTTP methods such as PUT, POST, GET, and DELETE. RESTful API is also designed to make applications independent to improve the overall performance, visibility, scalability, reliability, and portability of an application. APIs with the following features can be referred to as to RESTful APIs: o Stateless: The client end stores the state of the session; the server is restricted to save data during the request processing o Cacheable: The client should save responses (representations) in the cache. This feature can enhance API performance pg. 1920 CEHv11 manual.

https://cloud.google.com/files/apigee/apigee-web-api-design-the-missing-link-ebook.pdf

The HTTP methods GET, POST, PUT or PATCH, and DELETE can be used with these templates to read, create, update, and delete description resources for dogs and their owners. This API style has become popular for many reasons. It is straightforward and intuitive, and learning this pattern is similar to learning a programming language API. APIs like this one are commonly called RESTful APIs, although they do not display all of the characteristics that define REST (more on REST later).

The KRACK (Key Reinstallation Attack) vulnerability is a critical WPA2 flaw covered extensively in CEH v13 Wireless Network Hacking. KRACK exploits weaknesses in the four-way handshake process, allowing attackers to force reinstallation of encryption keys.

This key reinstallation resets nonces and counters, enabling attackers to decrypt, replay, and forge packets, even on encrypted WPA2 networks. CEH v13 highlights that KRACK does not break encryption mathematically but exploits protocol logic flaws.

Hole196 affects GTK misuse, and WPS PIN attacks target authentication, not replay of encrypted traffic. Weak RNG issues are unrelated to WPA2 replay.

Thus, Option B is correct.

The Heartbleed vulnerability (CVE-2014-0160) is a critical buffer over-read flaw in OpenSSL’s implementation of the TLS heartbeat extension. It allows attackers to read portions of memory from a server using vulnerable versions of OpenSSL.

This exposed sensitive data including:

Usernames and passwords

Session tokens

Private encryption keys

From CEH v13 Study Guide – Module 5: Vulnerability Analysis and Module 6: Malware Threats:

“The Heartbleed vulnerability allowed attackers to extract memory contents from the OpenSSL process, including sensitive materials such as private SSL keys. These private keys are used in the TLS protocol to encrypt and decrypt secure communications. Once compromised, attackers could decrypt communications or impersonate the server.”

Private keys being compromised allow attackers to decrypt HTTPS traffic, impersonate trusted servers, and conduct MITM (Man-in-the-Middle) attacks.

Incorrect Options:

A. Public: Public keys are already shared and not a security risk if disclosed.

C. Shared: Vague term not applicable here.

D. Root: Heartbleed doesn’t directly expose root keys; rather, it leaks application memory including private SSL/TLS keys.

The best measure to prevent similar attacks without overly restricting the use of personal devices is to conduct regular cybersecurity awareness training, focusing on phishing attacks. Cybersecurity awareness training is a process of educating and empowering employees on the best practices and behaviors to protect themselves and the organization from cyber threats, such as phishing, malware, ransomware, or data breaches. Cybersecurity awareness training can help the organization mitigate the risk of phishing incidents by providing the following benefits12:

It can increase the knowledge and skills of employees on how to identify and avoid phishing emails, messages, or links, such as by checking the sender, the subject, the content, the attachments, and the URL of the message, and by verifying the legitimacy and authenticity of the message before responding or clicking.

It can enhance the attitude and culture of employees on the importance and responsibility of cybersecurity, such as by encouraging them to report any suspicious or malicious activity, to follow the security policies and guidelines, and to seek help or guidance when in doubt or trouble.

It can reduce the human error and negligence that are often the main causes of phishing incidents, such as by reminding employees to update their devices and applications, to use strong and unique passwords, to enable multi-factor authentication, and to backup their data regularly.

The other options are not as optimal as option D for the following reasons:

A. Provide employees with corporate-owned devices for work-related tasks: This option is not feasible because it contradicts the BYOD policy, which allows employees to use their personal devices for work-related tasks. Providing employees with corporate-owned devices would require the organization to incur additional costs and resources, such as purchasing, maintaining, and securing the devices, as well as training and supporting the employees on how to use them. Moreover, providing employees with corporate-owned devices would not necessarily prevent phishing incidents, as the devices could still be compromised by phishing emails, messages, or links, unless the organization implements strict security controls and policies on the devices, which may limit the user autonomy and productivity3.

B. Implement a mobile device management solution that restricts the installation of non-approved applications: This option is not desirable because it violates the user autonomy and privacy under the BYOD policy, which allows employees to use their personal devices for both personal and professional purposes. Implementing a mobile device management solution that restricts the installation of non-approved applications would require the organization to monitor and control the devices of the employees, which may raise legal and ethical issues, such as data ownership, consent, and compliance. Furthermore, implementing a mobile device management solution that restricts the installation of non-approved applications would not completely prevent phishing incidents, as the employees could still receive phishing emails, messages, or links through the approved applications, unless the organization implements strict security controls and policies on the applications, which may affect the user experience and functionality4.

C. Require all employee devices to use a company-provided VPN for internet access: This option is not sufficient because it does not address the root cause of phishing incidents, which is the human factor. Requiring all employee devices to use a company-provided VPN for internet access would provide the organization with some benefits, such as encrypting the network traffic, hiding the IP address, and bypassing geo-restrictions. However, requiring all employee devices to use a company-provided VPN for internet access would not prevent phishing incidents, as the employees could still fall victim to phishing emails, messages, or links that lure them to malicious websites or applications, unless the organization implements strict security controls and policies on the VPN, which may affect the network performance and reliability.

One of the biggest problems a worm faces in achieving a very fast rate of infection is “getting off the ground.” although a worm spreads exponentially throughout the early stages of infection, the time needed to infect say the first 10,000 hosts dominates the infection time.

There is a straightforward way for an active worm a simple this obstacle, that we term hit-list scanning. Before the worm is free, the worm author collects a listing of say ten,000 to 50,000 potentially vulnerable machines, ideally ones with sensible network connections. The worm, when released onto an initial machine on this hit-list, begins scanning down the list. once it infects a machine, it divides the hit-list in half, communicating half to the recipient worm, keeping the other half.

This fast division ensures that even if only 10-20% of the machines on the hit-list are actually vulnerable, an active worm can quickly bear the hit-list and establish itself on all vulnerable machines in only some seconds. though the hit-list could begin at 200 kilobytes, it quickly shrinks to nothing during the partitioning. This provides a great benefit in constructing a quick worm by speeding the initial infection.

The hit-list needn’t be perfect: a simple list of machines running a selected server sort could serve, though larger accuracy can improve the unfold. The hit-list itself is generated victimization one or many of the following techniques, ready well before, typically with very little concern of detection.

Stealthy scans. Portscans are so common and then wide ignored that even a quick scan of the whole net would be unlikely to attract law enforcement attention or over gentle comment within the incident response community. However, for attackers wish to be particularly careful, a randomised sneaky scan taking many months would be not possible to attract much attention, as most intrusion detection systems are not currently capable of detecting such low-profile scans. Some portion of the scan would be out of date by the time it had been used, however abundant of it’d not.

Distributed scanning. an assailant might scan the web using a few dozen to some thousand already-compromised “zombies,” the same as what DDOS attackers assemble in a very fairly routine fashion. Such distributed scanning has already been seen within the wild–Lawrence Berkeley National Laboratory received ten throughout the past year.

DNS searches. Assemble a list of domains (for example, by using wide offered spam mail lists, or trolling the address registries). The DNS will then be searched for the science addresses of mail-servers (via mx records) or net servers (by looking for www.domain.com).

Spiders. For net server worms (like Code Red), use Web-crawling techniques the same as search engines so as to produce a list of most Internet-connected web sites. this would be unlikely to draw in serious attention.

Public surveys. for many potential targets there may be surveys available listing them, like the Netcraft survey.

Just listen. Some applications, like peer-to-peer networks, wind up advertising many of their servers. Similarly, many previous worms effectively broadcast that the infected machine is vulnerable to further attack. easy, because of its widespread scanning, during the Code Red I infection it was easy to select up the addresses of upwards of 300,000 vulnerable IIS servers–because each came knock on everyone’s door!

The command in question:

wget 192.168.0.15 -q -S

wget is a command-line utility used to retrieve files via HTTP, HTTPS, or FTP.

-q (quiet mode): Suppresses output, except for errors.

-S: Displays the server response headers (even in quiet mode).

In this case, wget is being used to connect to the specified web server (192.168.0.15) and retrieve the HTTP response headers — such as the Server field (e.g., Apache, Nginx), HTTP status codes, and other metadata.

This is a classic example of banner grabbing — the process of capturing metadata (often from headers) to identify the software, version, or configuration of a service.

Incorrect Options:

A. Content enumeration would require directory brute-forcing tools like DirBuster or Gobuster.

C. DoS attacks require high volumes of traffic or specially crafted packets; wget with a single request does not perform flooding.

D. Downloading full site contents would involve options like -r (recursive) or --mirror, which are not used in this command.

Reference – CEH v13 Official Courseware:

Module 03: Scanning Networks

Section: “Banner Grabbing”

Tool Reference: wget, netcat, telnet, curl for banner enumeration

This scenario demonstrates a classic social engineering tactic often referred to as “social media quizzes” or “engagement bait”, commonly used in open-source intelligence gathering (OSINT) and pretexting attacks.

From CEH v13 Module 01: Introduction to Ethical Hacking and Module 09: Social Engineering, attackers may create seemingly innocent posts that ask users to share answers to common questions like:

What was your first pet’s name?

What’s your mother’s maiden name?

What city were you born in?

What’s your favorite food?

These questions mirror the types of security questions used by banks and other services for account recovery or authentication. By answering these in public forums or comments, users unknowingly disclose data that can be used to:

Bypass security questions

Reset passwords

Perform targeted account takeovers

Why Other Options Are Incorrect:

B. Matt's bank account login information was brute forced.

Unlikely. Most banks implement account lockout policies and multi-factor authentication that would prevent brute force attempts.

C. Matt inadvertently provided his password when responding to the post.

Incorrect. Passwords are not usually asked in public-facing posts. Users are unlikely to provide literal passwords unless heavily tricked by phishing.

D. Matt's computer was infected with a keylogger.

Possible but less likely. The context suggests that the only suspicious behavior was responding to the Facebook post, which doesn't imply malware installation or downloading.

Reference from CEH v13 Study Guide and Course Material:

CEH v13 Official Module 09 – Social Engineering, Slide: Common Social Engineering Techniques (Quizzes, Pretexting)

CEH Engage – Social Engineering Phase

EC-Council iLabs – Performing Social Engineering Attacks Simulation

CEH v13 Courseware Notes – Reconnaissance Using OSINT and Public Social Platforms

CEH methodology stresses prioritization based on risk, exploitability, and business impact. High-severity vulnerabilities—especially those related to outdated or unsupported server software—are frequently associated with known, publicly documented exploits. The proper next step after identifying such vulnerabilities is to confirm exploitability safely, typically by researching available exploit code, validating version-specific weaknesses, and determining whether the vulnerability can be successfully leveraged under the defined scope of engagement. CEH highlights that exploitation attempts must be evidence-driven, not arbitrary, and focusing on high-risk vulnerabilities allows testers to demonstrate meaningful security impacts. Brute-forcing (Option A) is unnecessary and high-noise. Ignoring or deprioritizing the high-risk finding (Options B and C) contradicts CEH risk-based assessment principles. Therefore, verifying exploitability of the high-risk vulnerability is the correct step.

Comprehensive and Detailed Explanation:

An incident checklist is a low-overhead, high-impact solution to improve procedural consistency under pressure. It ensures critical steps are not forgotten during stressful incidents. The checklist can be reused and updated easily and is a recognized best practice in incident response processes.

From CEH v13 Courseware:

Module 19: Incident Response and Forensics → Incident Handling Procedures

If the token itself (e.g., hardware key or smartcard) performs offline verification of the PIN, it can be physically attacked. An attacker can:

Steal the token

Try all possible PIN combinations (0000–9999)

Bypass limits if no lockout mechanisms exist

This is a brute-force attack — the attacker tries every combination until the correct one is found.

From CEH v13 Courseware:

Module 6: Malware and Authentication

Module 20: Identity and Access Management

Incorrect Options:

A: Birthday attacks are related to hash collisions.

C: MITM involves intercepting communication, not offline brute-force.

D: Smurf is a DoS attack, not related to token/PIN systems.

CEH describes SQL injection testing as a core part of web application assessment. One of the first and safest validation techniques is using a tautology-based SQL injection payload, such as ' OR '1'='1. If the application concatenates user input directly into SQL queries, such an input will cause the query to always evaluate as true, often returning additional records such as multiple user profiles. This confirms the presence of SQL injection without causing destructive effects like dropping tables. Testing XSS does not validate SQL injection, brute-forcing credentials is unrelated, and directory traversal attacks target file path manipulation rather than backend queries. CEH emphasizes avoiding destructive queries and starting with non-intrusive injection payloads that reveal improper input sanitization, making ' OR '1'='1 the correct technique for confirming SQL injection vulnerabilities in URL parameters.

CEH teaches that certain advanced intrusion evasion techniques rely on understanding how firewalls differentiate between new connections and established traffic. Most perimeter firewalls scrutinize SYN packets and initial HTTP requests but allow ACK packets from established sessions to pass with minimal filtering. ACK tunneling leverages this behavior by embedding malicious payloads inside ACK packets, which appear to be part of a legitimate, pre-established session. Because ACK packets are often considered "safe," they bypass deep inspection engines, intrusion detection systems, and application-layer gateways. This method allows attackers to move data or commands covertly between compromised internal systems and external hosts. CEH references such evasion strategies when discussing bypassing stateful firewalls and making malicious traffic appear legitimate. Port knocking and SYN scans would initiate new connections—precisely what the firewall is heavily inspecting. ICMP flooding is noisy and easily detected. ACK tunneling is specifically designed for stealth and is aligned with red team tradecraft for avoiding packet-level inspection mechanisms.

In CEH v13 Module 10 & 12: Vulnerability Analysis and Web Hacking, Netsparker is introduced as a leading automated web vulnerability scanner capable of detecting:

SQL Injection

Cross-site Scripting (XSS)

Local File Inclusion (LFI)

Misconfigured services

Authentication issues

It performs:

Crawling, attack simulation, and detailed reporting.

Ideal for automated assessment of web servers and applications.

Option Clarification:

A. Infoga: Email information gathering tool.

B. WebCopier Pro: Used for offline website downloading.

C. Netsparker: Purpose-built web vulnerability scanner.

D. NCollector Studio: Website archiving tool, not vulnerability-focused.

-sA (TCP ACK scan)

This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13), are labeled filtered.

The Sarbanes-Oxley Act of 2002 could be a law the U.S. Congress passed on July thirty of that year to assist defend investors from fallacious money coverage by companies.Also called the SOX Act of 2002 and also the company Responsibility Act of 2002, it mandated strict reforms to existing securities rules and obligatory powerful new penalties on law breakers.

The Sarbanes-Oxley law Act of 2002 came in response to money scandals within the early 2000s involving in public listed corporations like Enron Corporation, Tyco International plc, and WorldCom. The high-profile frauds cask capitalist confidence within the trustiness of company money statements Associate in Nursingd light-emitting diode several to demand an overhaul of decades-old restrictive standards.

This scenario illustrates physical impersonation, a social engineering tactic discussed in CEH v13 Social Engineering. The attacker exploits trust in appearance and role assumption, dressing as a network technician to gain access without challenge.

Unlike tailgating (which involves following someone), this attack relies on assumed authority and familiarity. CEH v13 categorizes this under impersonation attacks, where attackers pose as employees, contractors, or vendors.

Other options describe different social engineering vectors:

A: Phone-based pretexting

B: Dumpster diving

C: Vishing

Physical impersonation is particularly dangerous because it bypasses technical controls entirely. Option D best matches the scenario.

In CEH v13 Malware Threats, BITS is highlighted as a legitimate Windows service frequently abused by attackers for stealthy command-and-control (C2) communication and data exfiltration. BITS is designed to transfer files in the background using idle bandwidth, primarily for Windows Updates and Microsoft services.

Attackers exploit BITS because its traffic closely resembles legitimate Windows update traffic, which is almost always allowed through firewalls, proxies, and endpoint security controls. This makes malicious traffic blend seamlessly into normal network activity, significantly reducing the likelihood of detection.

Option C correctly captures this behavior. BITS does not rely on IP fragmentation (Option A), DNS encryption (Option B), or exclusive HTTP tunneling (Option D). Instead, it leverages trusted system behavior and signed binaries, allowing malware to “live off the land.”

CEH v13 stresses that abuse of trusted services like BITS is a hallmark of advanced persistent threats (APTs) and fileless malware. Detecting such abuse typically requires behavioral monitoring rather than signature-based detection.

Thus, Option C is correct.

The CEH Network Scanning module explains that ICMP Echo Requests are often filtered or blocked by firewalls, routers, or host-based security controls as a defensive measure to reduce reconnaissance exposure.

When systems fail to respond to ICMP Echo Requests but continue to function normally for other services, CEH indicates that this behavior typically means ICMP traffic is being blocked, not that the host is offline or compromised.

Option B is correct.

Option A would affect all services.

Option C lacks supporting indicators.

Option D is speculative and unreliable.

CEH emphasizes that ICMP filtering is common in hardened networks.

When standard protections such as HTTPS, HTTP-only flags, and session regeneration are properly implemented, CEH teaches that predictable session identifiers become one of the few remaining avenues for session hijacking. Session token prediction involves analyzing entropy, randomness, or generation patterns within session IDs to mathematically infer future or valid tokens. If the application uses weak randomization algorithms, insufficient entropy sources, or predictable sequences, attackers may generate a valid session ID without direct interception. Techniques such as MitM interception or CSRF manipulation do not bypass strong transport-layer protections and cookie restrictions. Session fixation fails because the application regenerates the session ID upon login, invalidating pre-set identifiers. Therefore, the advanced and CEH-aligned method to hijack a protected session is predicting session IDs through side-channel or pattern analysis.