Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

The IT team’s action—capping how many requests a single user can make per second and then delaying or dropping aggressive connections—is the defining behavior of rate limiting. In DDoS conditions, especially when the portal is under a surge of automated or abusive traffic, rate limiting enforces a policy that restricts request frequency from a source (such as an IP address, session, API key, or user identifier). This helps preserve availability by preventing any one client (or a small set of clients) from consuming a disproportionate share of application and infrastructure resources.

The key wording in the scenario is that “aggressive connections are delayed or dropped while most legitimate customers continue to use the service.” Rate limiting is designed for precisely this outcome: it introduces friction for abusive traffic patterns while allowing typical user behavior through. Depending on implementation, controls can respond with delays (throttling), temporary blocks, connection resets, or HTTP error responses (for example, “too many requests”) when limits are exceeded. This is commonly applied at the edge (reverse proxy/CDN), load balancer, WAF, or application gateway to reduce pressure on backend services.

Why the other options are not the best match:

Shutting Down Services (B) is an extreme measure that sacrifices availability to stop an attack; the scenario explicitly states service largely continues.

Absorb the Attack (C) refers to scaling capacity or using scrubbing centers/CDNs to handle volume without necessarily restricting individual requester behavior; the described control is specifically per-user request caps.

Degrading Services (D) generally means intentionally reducing functionality or quality (e.g., disabling non-essential features) to keep core services alive; here, the main technique is enforcing request-rate thresholds.

Thus, the countermeasure strategy being used is A. Rate Limiting.

If a system stores passwords in weak or reversible formats, attackers can perform offline cracking. CEH emphasizes dictionary attacks as the fastest and most efficient method to exploit weak hashing practices. This avoids detection and leverages known password patterns to recover plaintext credentials.

VLAN hopping is an advanced attack technique described in CEH materials, used to bypass VLAN segmentation by exploiting switch misconfigurations or vulnerabilities. Two primary methods—switch spoofing and double tagging—allow attackers to gain access to traffic from VLANs they are not authorized to view. This technique enables the capture of inter-VLAN traffic without requiring administrative privileges or triggering security tools. Port mirroring requires administrative control and is not an attack method. Rogue DHCP servers target IP assignment, not VLAN segmentation. ARP poisoning is effective only within a single broadcast domain and cannot traverse VLAN boundaries. Because the objective is to silently access multiple VLANs despite enforced segmentation, VLAN hopping is the correct technique as per CEH’s network perimeter attack methodology.

WPA2-Enterprise networks authenticate clients through 802.1X using a RADIUS server. A common attack method described in CEH training is to create an evil-twin access point broadcasting the same SSID as the legitimate one. Combined with de-authentication frames, clients are forced off the real AP and automatically reconnect to the stronger rogue AP. This allows the attacker to capture authentication exchanges for later misuse, including credential harvesting or EAP-based downgrade attacks.

The CEH Footprinting and Reconnaissance module highlights Google Alerts as a key passive reconnaissance tool for monitoring changes in web content, news, and online mentions.

Option B is correct.

Option A is active engagement.

Option C aids anonymity but not monitoring.

Option D is illegal and unethical.

CEH strongly promotes automated alerting for competitive intelligence.

CEH v13 clarifies that nbtstat is used only for NetBIOS name table enumeration, not for listing shared resources. Tags such as < 20 > indicate file server services, but share enumeration requires tools like net view or SMB enumeration utilities.

Thus, the inability to list shares is due to tool limitation, not service configuration. Option C is correct.

The behavior described is most consistent with an unauthenticated scan. In CEH-aligned vulnerability assessment methodology, unauthenticated scanning evaluates systems from the perspective of an external or non-privileged entity. The scanner can typically identify network-reachable services, open ports, service banners, protocol fingerprints, and sometimes known vulnerabilities inferred from versions or exposed configurations. However, it cannot reliably inspect host-internal posture such as registry settings, local security policies, installed patch levels, missing hotfixes, detailed configuration baselines, or user and group policy settings because those require authenticated access to query the operating system and installed software inventory directly.

The prompt explicitly states that the results were limited to “open service ports and version banners” and that “deeper registry settings, user policies, and missing patches remain unreported.” That limitation is a hallmark of unauthenticated scanning. The additional clue that “system login prompts were never triggered” and “no credential failures were logged in the SIEM” further confirms that the scanner never attempted to authenticate to endpoints using accounts, SSH/WinRM/WMI, SMB, or agent-based credential checks. If the scan were authenticated or credentialed, you would expect authentication attempts, potential login prompts on some services, and often audit logs or SIEM events reflecting successful or failed logons.

Option C, internal scan, only describes where the scan originates, not whether credentials were used. Options B and D imply authentication and host-level interrogation, which contradicts the observed lack of credential activity and missing patch/policy visibility. Therefore, unauthenticated scanning best explains the outcome.

CEH v13 identifies Idle (Zombie) Scanning as one of the most stealthy reconnaissance techniques. In this method, attackers use a third-party system (the zombie) to send probes to the target, obscuring the attacker’s true identity.

Because the attacker never directly interacts with the target, detection and attribution become extremely difficult. FIN and Xmas scans are stealthy but still originate from the attacker’s IP. TCP connect scans are noisy and easily detected.

CEH v13 highlights idle scanning as the gold standard for stealth reconnaissance, making option D correct.

CSRF occurs when a vulnerable application processes unauthorized state-changing requests because it does not verify whether the request was intentionally initiated by the authenticated user. CEH v13 explains that exploitation involves tricking a logged-in user into unknowingly executing a crafted HTTP request—usually via a malicious webpage, hidden form submission, embedded image tag, or JavaScript trigger. When the victim visits the attacker-controlled page, the browser automatically includes the user’s active session cookies, allowing the server to treat the forged request as legitimate. This technique is central to CSRF attacks and is highlighted in the CEH curriculum as the correct exploitation path. Directory traversal, SQL injection, and brute-force attacks target different vulnerabilities and do not exploit missing request authenticity validation. The key requirement for CSRF exploitation is user interaction via a malicious external resource, making option B the correct CEH-aligned method.

Email headers typically contain multiple time-related fields, but they do not all carry the same evidentiary value for tracing message handling. In CEH-aligned reconnaissance and email analysis, the most reliable way to determine when an email was processed by the sender’s infrastructure is to examine the earliest “Received” header entry—specifically, the timestamp showing when the message was accepted by the sender’s originating mail server (the first mail transfer agent in the chain). This aligns with option C: the date and time received by the originator’s email servers.

The “Date” header (option A) is set by the sender’s mail client and can be manipulated or misconfigured, making it less trustworthy for forensic timing. Option B (sender’s mail server) is useful for identifying infrastructure and routing, but it does not directly provide the exact processing moment unless paired with the correct “Received” timestamp. Option D (authentication system such as SPF/DKIM/DMARC results) helps validate whether a message is authorized for a domain and detect spoofing, but it does not pinpoint when the sender’s system processed the email.

CEH guidance emphasizes that analysts should correlate multiple “Received” lines from bottom to top (earliest to latest), validate time zones, and look for inconsistencies such as impossible hops, private IP anomalies, or missing hops that indicate header forgery. However, for the specific “moment processed by the sender’s system,” the first acceptance timestamp at the origin mail server is the key artifact.

Tautology-based SQL injection tests, such as using ' OR ' 1 ' = ' 1, are safe and effective methods to verify whether SQL queries are being manipulated by user input. CEH emphasizes avoiding destructive queries and using logical expressions that return all rows if injection is successful.

This scenario describes Living-off-the-Land (LotL) malware techniques, where attackers modify or abuse legitimate system binaries and services to evade detection. CEH v13 identifies this as a highly stealthy persistence mechanism commonly used in advanced persistent threats (APTs).

The most effective countermeasure is file integrity monitoring (FIM), specifically by tracking cryptographic hashes of critical system executables. CEH v13 emphasizes that monitoring file hashes enables early detection of unauthorized modifications to binaries such as PowerShell, cmd.exe, or Windows services.

Backups (Option A) aid recovery but do not prevent or detect compromise. Antivirus updates (Option C) often fail against modified legitimate tools. Firewall hardening (Option D) reduces attack surface but does not detect tampering of trusted binaries.

CEH v13 explicitly recommends hash-based integrity verification as a core defense against stealthy persistence mechanisms. Therefore, option B is correct.

CEH v13 explains that WPA2-PSK security relies on the strength of the pre-shared key. Once the 4-way handshake is captured, the attacker must attempt offline cracking. CEH emphasizes that the dictionary attack is the most efficient and commonly used cracking method because it tests structured wordlists, human-derived passwords, and hybrid permutations, dramatically reducing time compared to full brute force. Brute forcing (Option B) is computationally heavy and often impractical unless the password is extremely short. XSS (Option A) and SQL injection (Option D) have no relevance to WPA2 authentication, which occurs at the wireless protocol level, not the router’s web interface. The dictionary attack is highlighted in CEH as the principal technique used with tools like aircrack-ng, hashcat, and pyrit, allowing rapid key testing using optimized GPU or CPU cracking. Thus, Option C is the most effective and CEH-aligned method.

CEH explains that SQL injection testing should begin with controlled, intentional manipulation of SQL syntax to determine whether user input is improperly concatenated into backend queries. While destructive queries like DROP TABLE are not recommended in real-world ethical hacking engagements, CEH uses this example as a conceptual demonstration of how SQLi can influence database commands. In practice, a penetration tester would more safely use benign tautologies such as ' OR ' 1 ' = ' 1 to test whether unauthorized data is returned. However, within CEH’s theoretical framing, injecting a clearly malicious SQL command demonstrates whether the input is executed at the database level. This validates improper sanitization, the use of dynamic SQL queries, and missing parameterized input handling. CEH stresses that SQLi is among the most critical vulnerabilities because it allows attackers to bypass authentication, exfiltrate data, or manipulate the database structure. XSS, brute-forcing, and directory traversal do not test SQL query manipulation and therefore do not confirm SQL injection.

This scenario clearly indicates a SYN Flood attack, a classic Denial-of-Service technique discussed in CEH v13 Network and Perimeter Hacking. In a normal TCP three-way handshake, a client sends a SYN, the server responds with SYN-ACK, and the client completes the connection with an ACK. In a SYN flood, attackers send a massive number of SYN packets but never complete the handshake.

As described in CEH v13, the server allocates memory and resources for each half-open connection, placing them in the SYN_RECEIVED state. When these connections are not finalized, the server’s connection table becomes saturated, preventing legitimate users from establishing new sessions.

Other options are incorrect:

Smurf attacks rely on ICMP amplification, not TCP handshakes.

Ping of Death uses malformed ICMP packets.

UDP Floods overwhelm ports using UDP, not TCP session states.

CEH v13 emphasizes SYN floods as one of the most common Layer 4 DoS attacks due to their simplicity and effectiveness.