Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

The correct answer is D. IPsec (Internet Protocol Security). The question specifically asks for a Layer 3 protocol that can provide end-to-end encryption for FTP traffic. IPsec operates at the Network Layer (Layer 3) of the OSI model and secures IP communications by providing confidentiality, integrity, authentication, and anti-replay protection.

Since standard FTP transmits usernames, passwords, and data in plaintext, it is vulnerable to packet sniffing and man-in-the-middle attacks. By implementing IPsec, all IP packets exchanged between the client and server can be encrypted regardless of the application being used. This means FTP traffic can be protected without modifying the FTP application itself.

Option A (FTPS) uses SSL/TLS to secure FTP but operates at higher layers. Option B (SFTP) is a secure file transfer protocol that runs over SSH and is considered an application-layer solution rather than a Layer 3 protocol. Option C (SSL) provides transport/session-layer encryption and is not a Layer 3 protocol.

CEH Exam Tip:

IPsec = Layer 3 (Network Layer) Encryption

SSL/TLS = Higher-layer Encryption

SFTP = SSH-based Secure File Transfer

FTPS = FTP over SSL/TLS

Therefore, the best answer is D. IPsec.

An HTTP GET POST attack is the most likely answer because the key indicator in the scenario is the measurement unit and behavior: 398 million requests per second. In CEH-aligned DoS and DDoS coverage, volumetric network-layer attacks like SYN floods are typically discussed in packets per second or bits per second, and they primarily exhaust connection tables or bandwidth at Layer 3 and Layer 4. By contrast, an HTTP flood targets Layer 7 and is commonly measured in requests per second because the attacker is sending large volumes of seemingly valid web requests. This overwhelms web servers, application stacks, and upstream components such as reverse proxies, load balancers, and API gateways, leading to degraded performance and dropped sessions, exactly as described when “active connections drop unexpectedly.”

The mention of “customer-facing platforms” and “numerous compromised devices” also matches typical botnet-driven application-layer flooding, where many distributed sources generate massive HTTP request rates to evade simple IP-based blocking. A TCP SACK panic attack is a vulnerability-triggered crash condition related to TCP handling, not a request-rate spike scenario. An RST attack involves sending TCP reset packets to tear down sessions, which would not normally present as an extreme requests-per-second event in server logs.

Therefore, the evidence most strongly supports an application-layer DDoS: an HTTP GET POST flood designed to exhaust server and application resources and cause intermittent service disruption.

The correct answer is A. IMDS Attack.

The scenario describes an attacker executing code from inside a cloud instance and retrieving temporary credentials associated with the instance role. This is characteristic of an Instance Metadata Service (IMDS) attack. Cloud platforms expose metadata services to instances so applications can retrieve configuration and role credentials. If an attacker gains code execution on the instance, they may query IMDS and steal temporary credentials.

A cloud security reference explains that when an EC2 instance is associated with an instance profile, temporary security credentials are automatically provided to the instance through the Instance Metadata Service (IMDS) . In the scenario, the tester abuses this behavior after gaining code execution through the vulnerable web application.

Option B. CPDoS Attack is incorrect because Cache Poisoned Denial-of-Service targets caching behavior to cause service denial.

Option C. Cloud Snooper Attack is incorrect because Cloud Snooper refers to bypassing firewall controls and command-and-control through cloud infrastructure paths.

Option D. Wrapping Attack is incorrect because wrapping attacks commonly target SOAP/XML signatures or request manipulation, not cloud instance metadata credentials.

Therefore, the best answer is A. IMDS Attack.

The CEH Malware Threats module defines polymorphic malware as malicious code that mutates its appearance (code, encryption, packing) each time it propagates, making signature-based detection ineffective. Dormancy and trigger-based activation are also common characteristics.

CEH emphasizes that behavior-based detection, sandboxing, and heuristic analysis are the most effective countermeasures against polymorphic threats.

Option D is correct.

Options A, B, and C do not address polymorphic evasion techniques.

The described behavior aligns precisely with ARP spoofing, also known as ARP poisoning, a common man-in-the-middle attack technique covered extensively in CEH materials. ARP operates at Layer 2 of the OSI model and is responsible for mapping IP addresses to MAC addresses within a local network. Because ARP lacks authentication mechanisms, any host can send forged ARP replies to other devices on the LAN.

In this scenario, Marcus injects crafted messages that alter how two hosts identify each other. This strongly indicates forged ARP replies were sent to both the payroll workstation and the authentication server. By telling each system that his machine’s MAC address corresponds to the other party’s IP address, Marcus positions himself logically between the two endpoints. As a result, traffic is transparently routed through his system without requiring changes to switch configurations, proxies, or VPN tunnels.

This technique enables interception and potential modification of credentials in transit. DNS spoofing affects domain name resolution rather than direct Layer 2 host identification. MAC flooding overflows the switch CAM table to force broadcast behavior but does not specifically manipulate IP-to-MAC mappings between two targeted hosts. Switch port stealing targets MAC table entries but does not rely on altering host identity mappings in the same way ARP poisoning does.

Therefore, ARP spoofing is the most accurate technique described in this scenario.

CEH defines passive reconnaissance as collecting information without directly engaging the target.

Option A is incorrect for passive reconnaissance because Nmap scanning actively probes systems, generating detectable traffic.

Options B, C, and D rely on publicly available information and are standard passive techniques.

CEH classifies Nmap scanning as active footprinting.

CEH clearly distinguishes between active and passive reconnaissance. Passive methods involve gathering publicly available data without directly interacting with the target’s infrastructure, thus avoiding detection. Tools such as Netcraft, DNSdumpster, VirusTotal, Certificate Transparency logs, and search engine indexing are recommended by CEH for discovering subdomains through public metadata, cached DNS records, WHOIS data, SSL certificate entries, and third-party enumeration databases. These platforms provide insights into externally accessible assets without sending packets or queries to the target organization. Brute-force enumeration is active and violates the rules of engagement. Attempting credential guessing or requesting internal DNS data are unauthorized and clearly active reconnaissance activities. Passive OSINT-based subdomain enumeration is a core CEH technique used to uncover hidden infrastructure safely and legally. It is especially crucial in red team operations where stealth is a priority.

Passive reconnaissance focuses on collecting information without directly touching or interacting with the target’s systems. CEH materials stress that any action that sends network traffic to the target—such as scanning, probing, fingerprinting, or enumeration—creates logs and increases the risk of detection. Email headers, however, are considered an excellent source of passive intelligence because they reveal internal IP structures, routing paths, mail server hostnames, internal domain formats, and technology stacks without requiring interaction with the target environment. Since these headers are already in the possession of the ethical hacker through legitimate communication records, examining them does not generate traffic or trigger monitoring systems. SSL certificates and WHOIS data provide valuable external information, but they rarely disclose internal addressing schemes. Active scanning tools, such as Nmap, would immediately violate the requirement to avoid detection. Therefore, analyzing previously received email headers is the most effective and covert method for extracting internal network details during the reconnaissance phase.

The correct answer is Clone Phishing. CEH social engineering material explains that clone phishing occurs when an attacker takes a legitimate message previously received by the victim, duplicates its appearance and content, and modifies a malicious element such as a link or attachment. That matches this scenario exactly: the attacker reused genuine branding, the original format, sender display style, and subject line, then changed the embedded hyperlink so users would reauthenticate on a fake portal. Consent phishing is a different cloud-focused technique involving malicious OAuth authorization requests. Search engine phishing relies on manipulating search results so victims voluntarily navigate to a fake site. Tabnabbing involves changing the content of an inactive browser tab to a phishing page. None of those fit as closely as clone phishing. CEH guidance stresses that clone phishing is highly convincing because the message is based on a real prior communication that the victim may remember and trust. Since the attacker preserved almost everything from a legitimate message and altered only the actionable malicious link, the scenario is a textbook example of Clone Phishing.

The finding most directly demonstrates insecure data transfer and storage. The scenario includes two explicit problems: (1) sensitive business records are transmitted “across the network without encryption,” and (2) the same records are “stored in a retrievable format” in the cloud platform. Those two conditions map exactly to data-in-transit and data-at-rest weaknesses. When IoT devices transmit sensitive data without encryption (e.g., plain HTTP, unprotected MQTT, insecure proprietary protocols), attackers who gain network visibility can intercept, read, and potentially modify that data. Similarly, when cloud-stored data is kept in an easily retrievable or improperly protected form (e.g., weak access controls, lack of encryption at rest, overly permissive storage buckets, exposed APIs), attackers can access business records long after transmission.

In IoT ecosystems, data typically flows from sensors to gateways, then to cloud dashboards and analytics services. If encryption and strong access control are not consistently applied across these hops, confidentiality and integrity are at risk. This can lead to competitive harm (exposed inventory/business records), privacy impact (if customer data is included), and operational disruption (tampered records leading to wrong decisions). The scenario is not about the IoT device exposing services like Telnet/FTP (network services), nor about default passwords; it is specifically about how data is transported and stored.

Why the other options are less accurate:

Insecure ecosystem interfaces (A) focuses on APIs, web/mobile apps, and cloud interfaces; while cloud storage access might involve interfaces, the core weakness described is lack of encryption and retrievable storage, which is more directly the data transfer/storage category.

Insecure network services (C) refers to exposed services/ports on IoT devices, not data confidentiality across the pipeline.

Insecure default settings (D) relates to factory defaults (passwords, open ports, insecure configs), not specifically unencrypted transport and weak storage protection.

Therefore, the correct answer is B. Insecure data transfer and storage.

CEH v13 explains that IDS systems are often tuned to detect active scanning behavior, especially port scans and TCP/UDP probing that generate recognizable signatures. The command nmap -sn -PE performs a pure ICMP Echo Request ping sweep without sending any TCP SYN, UDP probes, or other packets normally associated with port enumeration. Since this mode disables port scanning entirely, it produces minimal traffic that resembles legitimate network behavior. CEH emphasizes that many networks allow ICMP Echo traffic internally for diagnostics, so such pings may not be treated as suspicious unless rate thresholds are exceeded. Because the tester avoided SYN packets, ACK probes, and UDP scans, the IDS saw no malicious pattern or connection attempts. The effectiveness of this technique is highlighted in CEH under passive and stealth reconnaissance, where minimal interaction is used to avoid detection. Thus, the scan succeeded because it relied solely on ICMP host discovery, not port scanning.

The correct answer is B. NTP Enumeration because the indicators and the data obtained match enumeration of the Network Time Protocol (NTP) service, which commonly runs on UDP port 123. In CEH-aligned reconnaissance and enumeration concepts, attackers often enumerate exposed services to learn configuration and internal details that can assist with follow-on attacks. When NTP is reachable from untrusted networks and is misconfigured (or supports certain query modes), it can leak information about the time server’s peers, synchronization status, and operational metrics such as offset and delay—exactly the attributes described in the scenario.

The prompt also notes that Joe can gather internal hostnames and client IP addresses connected to the time server. This aligns with how NTP can reveal associated systems and relationships: time servers often have multiple internal clients, upstream peers, or configured associations. Queries that expose peer/association information can unintentionally disclose internal naming conventions, IP address ranges, and network structure—valuable intelligence for an attacker conducting mapping and target selection. In addition, time infrastructure is frequently centralized, so enumerating it can provide a hub-like view of the environment.

Why the other options are incorrect: DNS zone transfer enumeration is associated with DNS AXFR and typically yields DNS records such as subdomains and MX/CNAME entries—not NTP peers/offsets/delays and not UDP 123. VoIP enumeration targets telephony protocols and services (e.g., SIP) on different ports and would not center on time synchronization metrics. NetBIOS enumeration involves ports 137–139 and returns NetBIOS name and session information, not NTP operational data.

Therefore, the technique used to obtain peer, offset, delay, and connected client details from a UDP/123 time server is NTP enumeration.

The correct answer is B, Path traversal. A file download feature that accepts a user-controlled path is vulnerable when the application does not properly validate, normalize, or restrict the requested file location. In CEH web application and web server attack concepts, directory or path traversal allows an attacker to access restricted directories outside the intended web root by using sequences such as ../, encoded characters, or manipulated URL/path values. CEH material describes directory traversal as an attack where the attacker attempts to access restricted directories and execute commands outside intended web server directories, also known as dot-dot-slash, directory climbing, or backtracking. CEH web server material also states that attackers may use dots and slash sequences to access directories outside the root directory and reveal sensitive system information. SQLi targets database queries, XSS injects scripts, and CSRF abuses authenticated browser requests. Here, the vulnerable input is a file path, so the attack is path traversal.

The most likely missing BYOD guideline is reviewing application permissions before installation. In CEH mobile security guidance, a major risk in BYOD environments is the introduction of untrusted or malicious applications that abuse the mobile permission model to access corporate data, intercept authentication tokens, read storage, capture keystrokes via accessibility services, or communicate externally. When users install apps without scrutinizing requested permissions, they may unknowingly grant excessive privileges that enable data theft or access-control bypass, especially if the app leverages OS weaknesses or misconfigurations.

The scenario states Javier “installs a malicious app that bypasses access controls” and gains access to sensitive financial data because devices “lack a specific security measure to restrict app access.” This maps directly to a policy gap around controlling and validating apps and their permission requests. CEH emphasizes that organizations should reduce attack surface by limiting app privileges, avoiding sideloading from untrusted sources, and enforcing least privilege through user awareness and enterprise controls such as MDM application allowlisting and permission governance. Reviewing permissions is the user-facing guideline that prevents employees from granting dangerous access (for example, SMS, storage, contacts, accessibility, device admin, or VPN configuration permissions) that can enable credential theft or unauthorized data access.

Option B adds an extra layer for local access but does not stop a malicious app with granted permissions from accessing corporate data. Option C helps if a device is physically stolen, but it does not prevent malicious apps already running under the user context. Option D protects data at rest, yet a malicious app can still exfiltrate data once it is decrypted and accessed by the user session. Therefore, permission review is the most directly relevant missing BYOD guideline.

The tool described matches Fern WiFi Cracker because CEH wireless assessment workflows commonly reference GUI-based auditing utilities that combine packet capture, wireless injection support, and key recovery attempts in one interface. The scenario specifically mentions three core capabilities: capturing wireless packets, sending de-authentication frames to trigger client reconnects, and attempting to recover the encryption key. Those steps align with the typical WPA cracking methodology discussed in CEH learning paths: capture the WPA handshake when a client connects, optionally force a reconnection by sending de-authentication frames, then perform an offline attack against the captured handshake using a wordlist or brute-force approach. Fern WiFi Cracker is known for presenting these functions through a graphical interface, making it a common example of an “all-in-one” Wi-Fi auditing tool.

The other options are defensive monitoring and prevention platforms, not offensive auditing tools used to actively deauthenticate clients or attempt key recovery. RFProtect, Cisco Adaptive Wireless IPS, and WatchGuard Wi-Fi Cloud WIPS are Wireless Intrusion Prevention and Monitoring solutions designed to detect rogue access points, identify attacks such as deauthentication floods, enforce wireless security policies, and generate alerts for security teams. They are used to stop or respond to attacks rather than conduct packet capture plus key-recovery attempts as part of an assessment.

Because the question emphasizes a single graphical interface that captures traffic, injects deauth frames, and attempts key recovery, the correct match among the choices is Fern WiFi Cracker.