Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

Google Hacking, also known as Google Dorking, is a passive reconnaissance technique covered in CEH v13 Reconnaissance Techniques. It involves using advanced search operators to uncover sensitive information that has been inadvertently indexed by search engines.

CEH v13 explains that Google Hacking can reveal exposed files, directories, configuration files, backups, login portals, error messages, and sensitive documents. This information often resides on the Deep Web, meaning it is not easily accessible through normal browsing but is still indexed by search engines.

Option D correctly reflects this capability. Google Hacking does not analyze source code directly (Option A), map internal networks (Option C), or primarily detect phishing sites (Option B), although it may indirectly assist with those tasks.

Because Google Hacking relies solely on publicly available data and does not interact directly with target systems, it fits perfectly within passive footprinting, making it legally and ethically appropriate when authorized.

CEH v13 emphasizes Google Hacking as a powerful method to identify unintended data exposure. Therefore, Option D is the correct justification.

CEH categorizes spear phishing as a highly targeted, research-driven social engineering technique that tailors the message to the victim’s role, responsibilities, and current organizational activities. When attackers reference specific internal projects, personnel names, vendor relationships, or operational details, the message appears authentic and bypasses normal suspicion. Executives are especially vulnerable because they routinely receive sensitive operational updates and work closely with vendors and partners, making them prime targets for tailored deception. CEH stresses that spear phishing is significantly more effective than generic phishing because personalization increases trust. Social media-based attempts and mass phishing lack specificity and raise suspicion. Impersonating the CEO over the phone is riskier and more detectable due to real-time human interaction. A targeted spear-phishing email referencing internal projects best aligns with CEH-described advanced social engineering strategy.

Remote File Inclusion occurs when an application allows external resources to be loaded from user-controlled input. CEH teaches that an attacker can supply a remote URL pointing to a malicious script (for example, a PHP shell). When the vulnerable application includes this external file, the attacker ' s code executes on the server. This can lead to full system compromise, remote command execution, or lateral movement.

A polymorphic virus is specifically designed to change its code appearance while keeping the same underlying functionality, which aligns exactly with the scenario. In CEH terms, polymorphism allows malware to mutate its decryptor routine, instruction ordering, register usage, junk code insertion, and other syntactic elements every time it propagates or executes. This causes each instance to look different at the binary level, producing different hashes and signatures, even though the malicious payload and behavior remain the same. That is why the security team sees inconsistent antivirus detection and why “traditional hash-based comparison” fails. The key indicator is that static analysis shows the “underlying logic remains unchanged,” but “code patterns vary unpredictably,” which is the hallmark of polymorphism: behavior stays consistent, signature changes.

The other options do not fit as well. A cavity virus typically hides by inserting itself into unused spaces within legitimate executable files to avoid changing the overall file size, but it does not inherently generate unpredictable code variants per infection. A macro virus primarily targets macro-enabled documents and spreads through document templates and user actions, which is not suggested here. A stealth virus focuses on evading detection by intercepting system calls and hiding its presence, such as returning “clean” file reads, but it does not necessarily produce many structurally different binaries that break hash matching. Therefore, the most likely cause of the described outbreak is a polymorphic virus.

The correct answer is D. SIMjacker.

SIMjacker is a mobile attack technique that uses specially crafted binary SMS messages targeting SIM-card functionality, historically associated with the S@T Browser environment. The attack can trigger device actions without visible user interaction, including collecting location or device information and sending it to an attacker-controlled destination.

The scenario states that the device received binary-formatted SMS messages, the messages were not visible to the user, and the phone automatically transmitted cellular location identifiers and device-related data. These are the strongest indicators of SIMjacker.

CEH-aligned mobile security material identifies SMS-based attacks and mobile malware as common mobile attack vectors and notes that mobile threats can steal personal and sensitive data from devices .

Option A. Call Spoofing is incorrect because the attack does not involve falsifying caller ID.

Option B. OTP Hijacking is incorrect because the scenario does not involve stealing one-time passwords.

Option C. SMiShing is incorrect because SMiShing requires a fraudulent text message designed to trick the user into clicking or responding. Here, no user interaction occurred.

Option D. SIMjacker is correct because invisible binary SMS messages triggered automatic device data transmission.

Therefore, the best answer is D. SIMjacker.

The correct answer is C. Preparation.

The activity described occurs before credential abuse, lateral movement, persistence, or internal expansion. The adversary is gathering intelligence, mapping exposed services, preparing exploit frameworks, and testing malware against defensive tools. These actions represent the pre-attack preparation stage of an Advanced Persistent Threat.

APT activity is characterized by defined objectives, long-term probing, advanced resources, specialized skills and methods, and a high tolerance for remaining undetected . The scenario clearly describes these characteristics: the attacker spends months gathering intelligence, building tools, testing malware, and preparing a coordinated attack plan.

Option A. Persistence is incorrect because persistence occurs after initial access, when the attacker establishes a way to maintain access to the compromised environment.

Option B. Expansion is incorrect because expansion involves moving deeper into the environment, escalating privileges, or spreading laterally after compromise.

Option D. Initial Intrusion is incorrect because initial intrusion refers to the first successful compromise of the target environment. The scenario specifically states that these activities occurred before credential abuse or lateral movement.

Therefore, the best answer is C. Preparation.

The correct answer is D because, in DNS, a zone is the administrative portion of the DNS namespace that contains DNS resource records for that portion of the domain tree. These records define how names are resolved and how services are located. Examples include A records for host-to-IP mapping, MX records for mail servers, NS records for name servers, CNAME records for aliases, PTR records for reverse lookups, and SOA records that identify the authoritative DNS server for the zone. In CEH reconnaissance and footprinting topics, DNS information is important because a DNS zone can reveal valuable network details such as hostnames, mail servers, name servers, and other infrastructure information. Option A is too broad because a zone is not merely a collection of domains. Option B is vague and does not define the zone itself. Option C is too narrow because alias records are only CNAME records, one type of DNS resource record. Therefore, a DNS zone is best defined as a collection of resource records.

The correct answer is D, BOLA, or Broken Object Level Authorization. This occurs when an API accepts an object identifier supplied by the user, such as an account ID, order ID, invoice ID, or user ID, but fails to verify whether the authenticated user is authorized to access that specific object. CEH web application hacking material describes this same weakness as an authorization flaw/insecure direct object reference: an application uses IDs to distinguish users, and an attacker changes an ID value in the request to access another user’s profile. CEH material also explains that unauthorized access to another user’s resources represents horizontal privilege escalation and that function-level access issues occur when the application does not check authorization before returning protected information. Mass assignment involves binding unexpected fields, XSS involves script injection, and SQLi involves malicious database queries. The key issue here is missing object-level authorization, so BOLA is the best answer.

The scenario describes a Layer 7 (application-layer) denial-of-service pattern: Javier sends a wave of repetitive web requests that specifically overload backend scripts responsible for search queries and form submissions. This is characteristic of an HTTP GET/POST attack, where the attacker floods a web application with large volumes of HTTP requests—commonly GET requests for pages/resources and POST requests that trigger server-side processing (login, checkout, searches, form handlers). Because these requests can be syntactically valid and target costly operations, they can quickly exhaust CPU, memory, threads, database connections, or application worker pools, resulting in slow responses and timeouts for legitimate users—exactly what the customers experience here.

Why the other options don’t fit as well:

Slowloris (A) is also an application-layer technique, but it works differently: it holds many connections open by sending partial HTTP headers very slowly, aiming to exhaust the server’s concurrent connection capacity. The question emphasizes repetitive requests overloading backend scripts, not slow, incomplete requests holding sockets open.

UDP Flood (B) is a network/transport-layer volumetric attack that sends massive UDP packets to random or targeted ports, consuming bandwidth and host resources. It doesn’t specifically target web scripts handling search/forms.

Peer-to-Peer Attack (C) typically involves abusing P2P networks or reflection/amplification through distributed peers; it’s not described as direct repetitive web requests to application endpoints.

The key indicators are: (1) web requests (2) targeting script-driven functions like search and form submissions, and (3) resulting in user-facing slowness/timeouts due to overwhelmed application processing. These align most directly with D. HTTP GET/POST Attack.

When standard protections such as HTTPS, HTTP-only flags, and session regeneration are properly implemented, CEH teaches that predictable session identifiers become one of the few remaining avenues for session hijacking. Session token prediction involves analyzing entropy, randomness, or generation patterns within session IDs to mathematically infer future or valid tokens. If the application uses weak randomization algorithms, insufficient entropy sources, or predictable sequences, attackers may generate a valid session ID without direct interception. Techniques such as MitM interception or CSRF manipulation do not bypass strong transport-layer protections and cookie restrictions. Session fixation fails because the application regenerates the session ID upon login, invalidating pre-set identifiers. Therefore, the advanced and CEH-aligned method to hijack a protected session is predicting session IDs through side-channel or pattern analysis.

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies “Insecure Data Storage” as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

In CEH v13 Cryptography, this threat is formally referred to as “Harvest Now, Decrypt Later” (HNDL). It describes a long-term cryptographic risk where adversaries intercept and store encrypted communications today, even though they cannot decrypt them with current computational capabilities. The expectation is that future quantum computers will be powerful enough to break widely used public-key cryptographic algorithms.

CEH v13 emphasizes that quantum algorithms such as Shor’s Algorithm can theoretically break RSA, DSA, and ECC by efficiently solving integer factorization and discrete logarithm problems. However, the defining feature of this threat is not the act of breaking encryption itself, but rather the strategic collection and storage of encrypted data in advance.

Option C is incomplete because it focuses only on the cryptographic mechanism rather than the threat model. Options B and D are unrelated to the scenario described and refer to quantum communication integrity issues, not long-term cryptographic exposure.

CEH v13 highlights that sensitive data with long confidentiality lifetimes—such as government records, financial data, healthcare information, and intellectual property—is especially vulnerable to this threat. As a result, organizations are encouraged to adopt quantum-resistant (post-quantum) cryptographic algorithms proactively.

Thus, Option A accurately describes the threat model and aligns with CEH v13’s treatment of future cryptographic risks.

The correct answer is C, Severity scoring. CVSS stands for Common Vulnerability Scoring System. In CEH vulnerability analysis and vulnerability management topics, CVSS is used to measure and communicate how severe a vulnerability is. The CEH material explains that CVSS captures the principal characteristics of a vulnerability and produces a numerical score that reflects its severity. That score can then be translated into qualitative ratings such as low, medium, high, and critical, helping organizations assess and prioritize remediation activities. CVSS is not an encryption mechanism, because it does not protect data or perform cryptographic operations. It is also not exploitation, because it does not attack or take advantage of vulnerabilities. Auditing may use CVSS results as supporting evidence, but CVSS itself is specifically a scoring framework. Therefore, in this question, the best and most precise CEH-aligned answer is Severity scoring.

ARP spoofing–based session hijacking is identified in CEH v13 Web Application and Network Attacks as one of the most stealthy and difficult-to-detect session compromise techniques, especially within internal or VPN-connected networks.

In ARP spoofing, attackers poison ARP caches to position themselves as a man-in-the-middle (MitM). Once in place, they can silently intercept, modify, or replay session data—even when encryption is used—by redirecting traffic transparently between endpoints.

Option A (sidejacking) is mitigated by HTTPS. Option C (session guessing) is noisy and detectable. Option D (cookie poisoning) relies on weak validation and is easier to detect via integrity checks.

CEH v13 highlights ARP spoofing as particularly dangerous because:

It exploits trusted local network behavior

It does not require breaking encryption directly

It is often invisible to users and applications

Therefore, Option B is the most challenging to detect and mitigate and is the correct answer.

The correct answer is IMDS Attack. CEH cloud security material explains that cloud instances often obtain temporary credentials from an Instance Metadata Service, commonly called IMDS, which supplies identity and role-based access details to workloads running on the virtual machine. If an attacker gains code execution on the instance, even through a separate web application flaw, the attacker may query the metadata endpoint locally and retrieve temporary credentials associated with the instance role. That is precisely what happens in this scenario: the tester runs a script on the VM, extracts temporary role credentials, and then uses them to enumerate storage and other services within the same cloud account. Wrapping attacks target SOAP message manipulation, while cloud snooper and CP DoS do not match the behavior of harvesting role credentials from local cloud metadata. CEH emphasizes that overprivileged instance roles and exposed metadata access can allow attackers to pivot from a single compromised workload into broader cloud service access. Because the key step is retrieving temporary credentials from the instance metadata service, the best match is IMDS Attack.