Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

CEH v13 defines a white hat hacker as a security professional who performs authorized assessments to identify vulnerabilities and strengthen an organization’s defenses. The defining characteristic of white hat activity is the presence of formal permission—typically through a signed rules-of-engagement, scope of work, and explicit authorization from the organization. CEH emphasizes that white hats adhere to legal boundaries, follow ethical guidelines, and document findings to support remediation. They may use the same tools and methodologies as malicious hackers, but the intent and authorization distinguish them. In contrast, black hats operate without permission and with malicious intent. Grey hats act without authorization but may not have malicious motivations, making them inappropriate in a formal penetration testing engagement. Script kiddies lack professional skill and rely on pre-made tools without understanding the underlying techniques. Therefore, the hacker described is a white hat—an ethical professional performing sanctioned testing.

The correct answer is B. Blind Hijacking because the scenario describes injecting crafted TCP packets into an active client–server session to disrupt the legitimate client and take over the connection, without requiring the attacker to see (or fully rely on seeing) the server’s responses. In CEH-aligned session hijacking classifications, blind hijacking is an active takeover technique at the TCP/session layer where the attacker forges packets (often with predicted or inferred TCP sequence numbers) to insert data into an existing session and potentially desynchronize the legitimate endpoints. By injecting traffic that causes instability (for example, triggering retransmissions, resets, or sequence/ack mismatch), the attacker can effectively push the victim out of sync or off the session while continuing to communicate with the server as if they were the client.

The key clue is that Sarah “injects crafted TCP packets” into an “active communication,” and then the “victim’s connection becomes unstable,” after which Sarah’s system “maintain[s] communication with the server in place of the legitimate client.” This aligns with blind hijacking concepts where the attacker does not simply observe (passive) but actively manipulates the TCP stream to seize control. The attacker’s goal is forced takeover of a live session, which often involves sequence prediction and packet injection to become the effective participant while the real client experiences disruption.

Why the other options are incorrect: Passive session hijacking is eavesdropping/monitoring traffic to capture session identifiers without altering the session; it does not involve injecting packets or destabilizing a connection. Man-in-the-Browser is a client-side attack (typically via malware in the browser) that manipulates transactions within the browser context; it is not a TCP packet injection technique. Active session hijacking is a broad category and is true at a high level, but the question asks for the type—and the specific technique described (TCP injection causing takeover) maps most directly to blind hijacking in CEH-style terminology.

Therefore, Sarah is demonstrating blind session hijacking.

CEH v13 explains that Side-Channel Attacks exploit physical characteristics of cryptographic devices—such as power consumption, timing variations, electromagnetic leakage, or acoustic emissions—to infer confidential data like encryption keys. These attacks do not break the cryptographic algorithm itself but instead analyze unintended signals produced during computation. The scenario describes a classic power analysis and timing analysis attack, where the attacker monitors fluctuations during encryption operations on a smart card. CEH details how Differential Power Analysis (DPA) and Simple Power Analysis (SPA) allow attackers to extract secret keys by statistically correlating measured power traces to cryptographic operations. This type of attack is extremely dangerous because it bypasses mathematical strength and targets hardware implementation flaws. Options A, C, and D do not relate to side-channel exploitation. CEH specifically categorizes this method as observing hardware emissions to deduce secrets, making Option B the most accurate match.

The correct answer is B, Buffer overflow. In CEH vulnerability and exploitation concepts, a buffer overflow occurs when a program writes more data into a fixed-size memory buffer than it was designed to hold. The excess data can overwrite adjacent memory, corrupt control data, crash the application, or allow attacker-controlled code execution. CEH-related material describes buffer overflow as writing too much data into an application’s allocated buffer, potentially overwriting adjacent memory, executing code, or crashing the system. It also explains that buffer overflow attacks rely on lack of boundary testing and, in stack-based cases, may overwrite a return pointer so execution flow switches to malicious code. XSS injects malicious scripts into web pages, CSRF tricks an authenticated user into performing unwanted actions, and SQL injection manipulates database queries. These do not primarily exploit memory corruption. Therefore, the vulnerability associated with memory corruption is buffer overflow.

DNS hijacking occurs when attackers manipulate DNS responses to redirect traffic to malicious servers. CEH v13 clearly identifies DNSSEC (Domain Name System Security Extensions) as the primary defense against such attacks.

DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify authenticity and integrity of DNS responses. Without DNSSEC, attackers can spoof DNS responses even if servers are fully patched.

Changing IP addresses and using LAMP do not address DNS trust. Patching is essential but does not prevent DNS spoofing.

CEH v13 explicitly recommends DNSSEC for preventing cache poisoning and DNS hijacking attacks, making Option C the correct answer.

CEH v13 explains that Windows systems running older or default configurations often allow anonymous or null session connections to IPC$ shares, enabling attackers to enumerate users, groups, shares, and other system details without authentication. Null session enumeration is highlighted as a classic yet effective technique because it generates minimal detectable activity and does not require credentials, making it ideal for stealth operations. CEH stresses that SMB null sessions are frequently overlooked in legacy or poorly hardened environments, especially when default permissions remain unchanged. Packet sniffing (Option A) may provide some data but requires traffic visibility and may be detected through monitoring tools. DNS zone transfers (Option B) require misconfigurations and usually do not reveal user list details. SNMP queries (Option D) require community strings and often generate alerts. Therefore, exploiting null sessions is the most covert and effective method for enumerating Windows systems under default configurations.

This scenario demonstrates tailgating, which is gaining unauthorized physical access to a secure area by following an authorized person through an access-controlled entry point. Priya does not present credentials, swipe a badge, or otherwise authenticate; instead, she leverages normal human behavior and social assumptions during a busy shift change. Because employees assume she belongs there and do not challenge her, she successfully bypasses the physical access control.

Tailgating is common in workplaces with high traffic, open-plan culture, or weak enforcement of “no badge, no entry” rules. Attackers may exploit politeness, distraction, or the desire to hold doors open. It is especially effective during shift changes, deliveries, or when people are carrying items and appreciate someone holding the door. The security weakness being tested here is not the badge technology itself but the human factor: lack of challenge culture and inconsistent adherence to access policies.

Tailgating versus piggybacking: in many security references, piggybacking implies the authorized person knowingly allows the other to enter (e.g., holds the door intentionally after being asked). Tailgating typically implies the intruder enters without explicit permission, often by slipping in behind a group. In this scenario, no one confronts her and they “assume she belongs there,” indicating she is following them in without asking or being granted explicit permission—tailgating.

The other options are unrelated: shoulder surfing is visual observation of sensitive input; dumpster diving is retrieving information from trash. Therefore, the correct answer is C. Tailgating.

The correct answer is B. Implementing a Split DNS Architecture.

The issue is that the same DNS infrastructure is being used for both internal and external name resolution, causing internal namespace details to be exposed externally. Split DNS separates internal and external DNS views so that external users receive only public records, while internal clients can resolve private hostnames and internal service records.

CEH-aligned reconnaissance material explains that footprinting and DNS-related information gathering can reveal domain names, namespaces, IP addresses, and network details useful for planning attacks . It also describes DNS and WHOIS queries as methods used during footprinting to collect topology and infrastructure information about a target network . Split DNS directly reduces this exposure by preventing public DNS queries from returning internal naming data.

Option A is incorrect because source port and query ID randomization helps reduce DNS spoofing/cache-poisoning risk, not namespace disclosure.

Option C is incorrect because rate limiting controls query volume, while the problem is sensitive information exposure.

Option D is useful for detection and investigation, but it does not prevent external clients from receiving internal DNS details.

Therefore, the best answer is B. Implementing a Split DNS Architecture.

CEH v13 explains that LDAP enumeration is often restricted by Access Control Lists (ACLs). Sensitive directory objects and attributes are frequently protected to prevent unauthorized disclosure.

Even when LDAP is accessible, ACLs can limit the visibility of users, groups, and configuration data.

CEH describes SQL injection testing as a core part of web application assessment. One of the first and safest validation techniques is using a tautology-based SQL injection payload, such as ' OR ' 1 ' = ' 1. If the application concatenates user input directly into SQL queries, such an input will cause the query to always evaluate as true, often returning additional records such as multiple user profiles. This confirms the presence of SQL injection without causing destructive effects like dropping tables. Testing XSS does not validate SQL injection, brute-forcing credentials is unrelated, and directory traversal attacks target file path manipulation rather than backend queries. CEH emphasizes avoiding destructive queries and starting with non-intrusive injection payloads that reveal improper input sanitization, making ' OR ' 1 ' = ' 1 the correct technique for confirming SQL injection vulnerabilities in URL parameters.

CEH v13 explains that WPA2-Enterprise replaces the static, shared password model of WPA2-Personal with a centralized authentication system that relies on the 802.1X framework. The essential component of this architecture is RADIUS integrated with EAP, which manages user authentication, device identity verification, and dynamic session key generation. RADIUS acts as the backend authentication server, while EAP provides a flexible authentication framework supporting certificates, smartcards, or credentials. This combination allows organizations to enforce per-user access control policies, revoke individual users without changing network-wide passwords, and generate unique Pairwise Master Keys (PMKs) for every authenticated session. CEH highlights that one of the major advantages of WPA2-Enterprise is its ability to produce unique encryption keys for each client, preventing key reuse and mitigating lateral movement if one device is compromised. Certificate-based EAP types such as EAP-TLS introduce mutual authentication, ensuring both client and server validate each other’s identity before allowing network access. This significantly increases security posture compared to PSK networks, which cannot scale securely for large enterprise deployments.

The correct answer is D because the remaining or residual risk is now 10%, which is below the organization’s defined risk threshold of 20%. In CEH risk-management concepts, risk assessment identifies and evaluates the potential damage or loss to assets, and risk treatment decisions include mitigation, avoidance, transfer, or acceptance. Risk acceptance means making an informed decision to accept the remaining potential for damage or loss. The guide also describes minimum acceptable risk as an organization’s threshold based on confidentiality, integrity, availability, and resource decisions. Since controls have already reduced risk from 50% to 10%, additional controls to reach 0% would likely waste resources and reduce business profit. Avoiding the risk could stop the project unnecessarily. Mitigation has already been performed successfully. Therefore, the best business-aligned decision is to formally accept the residual risk and continue the project.

The correct answer is B. CRIME Attack.

The scenario describes a compression-based side-channel attack against encrypted HTTPS traffic. The attacker observes differences in compressed response sizes and uses those differences to infer protected authentication values, such as cookies or session tokens.

CRIME, or Compression Ratio Info-leak Made Easy, abuses TLS/SPDY-level compression behavior. When attacker-controlled input is compressed together with secret values, response-size differences can reveal information about the secret. The CEH cryptography/session-hijacking context discusses attacks against SSL/TLS and secure communications, including man-in-the-middle positioning and cryptographic weaknesses affecting encrypted channels .

Option A. Forbidden Attack is incorrect because it is not the recognized compression side-channel attack described.

Option C. Man-in-the-Browser (MITB) Attack is incorrect because MITB requires malware inside the browser to intercept or modify browser transactions.

Option D. Man-in-the-Middle (MITM) Attack describes the attacker’s position, but not the specific compression-based technique.

Option B. CRIME Attack is correct because the attack extracts secrets by analyzing compressed encrypted response sizes.

Therefore, the best answer is B. CRIME Attack.

The scenario describes a host-level monitoring agent installed on a single workstation that records local system events such as file access, configuration changes, and unauthorized process execution. These are classic indicators of Host-Based Intrusion Detection System (HIDS) functionality. A HIDS runs on an endpoint (server or workstation) and monitors activity on that host, including operating system logs, file integrity, registry/config changes, system calls, application logs, and process behavior. Because it has direct visibility into what is happening locally, it can detect suspicious activity that may not be obvious from network traffic alone.

The clue that “attackers often attempt to disable or evade this type of monitoring to avoid being detected at the host level” also aligns strongly with HIDS. Adversaries commonly try to stop endpoint agents, tamper with logs, or evade detection by living-off-the-land techniques precisely because host-based sensors can catch actions like privilege escalation attempts, persistence mechanisms, malicious process launches, or unauthorized modifications to critical files and configurations.

Why the other options are not the best match:

A Network-Based Firewall (A) is a perimeter or network control that filters traffic based on rules (IPs, ports, protocols). It does not typically record detailed local file/process/configuration events on a single workstation.

A Host-Based Firewall (B) resides on the endpoint but primarily controls inbound/outbound network connections at that host. While it can log connection attempts, it is not chiefly designed to track file access, configuration integrity, or process execution.

A Network-Based IDS (C) analyzes traffic on the network segment (via taps/SPAN) to identify suspicious patterns. It does not require installing an agent on a single workstation and lacks direct visibility into local file and process events.

Therefore, the security system Olivia is demonstrating is D. Host-Based Intrusion Detection System.

Untethered jailbreaking is the only option that matches all key characteristics described: the device can reboot normally without needing a computer, and the jailbreak remains active after the restart with kernel-level modifications still in effect. In CEH-aligned mobile security concepts, the main difference among jailbreak types is what happens after a reboot.

A tethered jailbreak requires a computer to boot the device at all. If the phone restarts without being connected to a computer, it will not complete the boot process. That contradicts the scenario, which explicitly says the device can fully restart without requiring a computer. A semi-tethered jailbreak allows the phone to reboot without a computer, but it boots into a non-jailbroken state, meaning elevated privileges and kernel patching are not active until re-enabled through a tool. A semi-untethered jailbreak is similar in that it can boot normally without a computer, but the jailbreak does not persist automatically; it typically requires re-activating the jailbreak after each reboot to regain kernel patching and privileged access.

The scenario states the restart occurs while still “maintaining a patched kernel” and continuing access to protected filesystem data, which indicates persistence across reboot. That persistence is the defining feature of an untethered jailbreak. From a defensive and assessment perspective, this is considered higher risk because it provides continuous post-reboot privileged access, increasing the window for data access, tampering, and persistence mechanisms compared with reboot-reset jailbreak states.