Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

The correct answer is IMDS Attack. CEH cloud security material explains that cloud instances often obtain temporary credentials from an Instance Metadata Service, commonly called IMDS, which supplies identity and role-based access details to workloads running on the virtual machine. If an attacker gains code execution on the instance, even through a separate web application flaw, the attacker may query the metadata endpoint locally and retrieve temporary credentials associated with the instance role. That is precisely what happens in this scenario: the tester runs a script on the VM, extracts temporary role credentials, and then uses them to enumerate storage and other services within the same cloud account. Wrapping attacks target SOAP message manipulation, while cloud snooper and CP DoS do not match the behavior of harvesting role credentials from local cloud metadata. CEH emphasizes that overprivileged instance roles and exposed metadata access can allow attackers to pivot from a single compromised workload into broader cloud service access. Because the key step is retrieving temporary credentials from the instance metadata service, the best match is IMDS Attack.

CEH categorizes spear phishing as a highly targeted, research-driven social engineering technique that tailors the message to the victim’s role, responsibilities, and current organizational activities. When attackers reference specific internal projects, personnel names, vendor relationships, or operational details, the message appears authentic and bypasses normal suspicion. Executives are especially vulnerable because they routinely receive sensitive operational updates and work closely with vendors and partners, making them prime targets for tailored deception. CEH stresses that spear phishing is significantly more effective than generic phishing because personalization increases trust. Social media-based attempts and mass phishing lack specificity and raise suspicion. Impersonating the CEO over the phone is riskier and more detectable due to real-time human interaction. A targeted spear-phishing email referencing internal projects best aligns with CEH-described advanced social engineering strategy.

The Certified Ethical Hacker (CEH) Network and Perimeter Hacking module describes MAC flooding as an attack targeting switch CAM (Content Addressable Memory) tables. The attacker overwhelms the switch by sending frames with spoofed MAC addresses, forcing the switch to broadcast traffic like a hub.

Option D is the correct indicator because MAC flooding results in many different MAC addresses being learned on a single switch port, which is abnormal behavior. CEH documentation identifies this as the primary forensic sign of a MAC flooding attack.

Option A relates more closely to ARP poisoning rather than MAC flooding.

Option B can occur in network misconfigurations but is not a primary MAC flooding indicator.

Option C is common in NAT environments and is not malicious by itself.

CEH emphasizes monitoring CAM table behavior and port security violations to detect MAC flooding attacks effectively.

This scenario clearly aligns with a Pulse Wave DDoS attack, a sophisticated denial-of-service technique described in CEH v13 Network and Perimeter Hacking. Unlike traditional volumetric DDoS attacks that rely on sustained flooding, pulse wave attacks deliver short, extremely high-volume bursts of traffic, followed by periods of inactivity.

The defining characteristics described—intermittent spikes exceeding 300 Gbps, regular intervals (every 10 minutes), and temporary recovery—are hallmark indicators of pulse wave attacks. CEH v13 explains that attackers use this method to overwhelm server resources, trigger auto-scaling failures, exhaust mitigation thresholds, and evade detection systems that rely on sustained traffic baselines.

Option A is incorrect because UDP floods are continuous. Option B (HTTP GET flood) targets the application layer with sustained requests. Option C (PDoS) permanently damages hardware, which does not match the recurring pattern.

Pulse wave attacks are particularly effective against large platforms like streaming services because they:

Exploit elasticity limits of cloud infrastructure

Confuse rate-based detection systems

Cause repeated service degradation without long attack durations

CEH v13 emphasizes that pulse wave attacks are difficult to mitigate without adaptive, behavior-based DDoS protection. Therefore, Option D is the correct and CEH-aligned answer.

CEH covers classical cryptanalytic attacks, including linear cryptanalysis, which uses statistical correlations between plaintext and ciphertext to infer bits of the secret key. If a cipher leaks structural patterns across many data samples, linear approximations can be computed to break the cipher.

CEH v13 explains that Windows systems running older or default configurations often allow anonymous or null session connections to IPC$ shares, enabling attackers to enumerate users, groups, shares, and other system details without authentication. Null session enumeration is highlighted as a classic yet effective technique because it generates minimal detectable activity and does not require credentials, making it ideal for stealth operations. CEH stresses that SMB null sessions are frequently overlooked in legacy or poorly hardened environments, especially when default permissions remain unchanged. Packet sniffing (Option A) may provide some data but requires traffic visibility and may be detected through monitoring tools. DNS zone transfers (Option B) require misconfigurations and usually do not reveal user list details. SNMP queries (Option D) require community strings and often generate alerts. Therefore, exploiting null sessions is the most covert and effective method for enumerating Windows systems under default configurations.

CEH v13 identifies Idle (Zombie) Scanning as one of the most stealthy reconnaissance techniques. In this method, attackers use a third-party system (the zombie) to send probes to the target, obscuring the attacker’s true identity.

Because the attacker never directly interacts with the target, detection and attribution become extremely difficult. FIN and Xmas scans are stealthy but still originate from the attacker’s IP. TCP connect scans are noisy and easily detected.

CEH v13 highlights idle scanning as the gold standard for stealth reconnaissance, making option D correct.

CEH v13 explains that reflected XSS occurs when malicious input supplied by an attacker is immediately returned in the HTTP response without sanitization. This type of XSS is typically exploited through a crafted URL containing embedded JavaScript payloads. When a victim clicks the link, the vulnerable server reflects the injected script back to the browser, executing it within the user’s session context. CEH emphasizes that reflected XSS relies on social engineering to deliver the payload, often via links sent through email, messaging platforms, or compromised pages. The goal may include stealing session cookies, redirecting users, or manipulating page content. Brute-forcing credentials (Option A) has no relation to XSS. SQL injection (Option C) targets backend databases, not client-side script execution. Directory traversal (Option D) concerns file path manipulation, not dynamic script injection. Therefore, embedding a malicious script in a URL is the correct method to exploit reflected XSS.

DNS hijacking occurs when attackers manipulate DNS responses to redirect traffic to malicious servers. CEH v13 clearly identifies DNSSEC (Domain Name System Security Extensions) as the primary defense against such attacks.

DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify authenticity and integrity of DNS responses. Without DNSSEC, attackers can spoof DNS responses even if servers are fully patched.

Changing IP addresses and using LAMP do not address DNS trust. Patching is essential but does not prevent DNS spoofing.

CEH v13 explicitly recommends DNSSEC for preventing cache poisoning and DNS hijacking attacks, making Option C the correct answer.

This scenario matches a session fixation attack because Michael sets up a valid session identifier with the application first, then forces the victim to authenticate while using that same pre-established session. In CEH terms, session fixation occurs when an attacker “fixes” or plants a known session ID in the victim’s browser, typically via a crafted URL parameter, cookie setting through a subdomain, or a redirect that preserves a session token. If the application does not regenerate the session ID after login, the victim’s authentication becomes bound to the attacker-known session. The attacker can then reuse that same session ID to access the application as the victim, exactly as described when Michael “uses that session to access the portal” after the employee logs in.

The other options do not fit the mechanism. Session sniffing relies on capturing session tokens from network traffic, usually when encryption is missing or weak, but the question focuses on a link and a pre-initialized session rather than intercepting traffic. Session replay generally refers to capturing and replaying authentication exchanges or tokens, not pre-setting a session before the victim authenticates. “Session donation” is not the standard CEH label for this behavior and is not the best match to the described flow.

CEH-recommended mitigations include regenerating session IDs immediately after authentication and privilege changes, rejecting session IDs supplied in URLs, setting Secure and HttpOnly cookie flags, enforcing SameSite where appropriate, implementing short idle timeouts, and adding server-side controls to detect concurrent use or abnormal session binding changes.

CEH v13 explains that fingerprinting is a core reconnaissance technique used to identify software versions, server types, and configurations by analyzing how systems respond to crafted or abnormal input. When testers send malformed HTTP verbs, unusual headers, or atypical URI structures, the server’s specific response codes, banners, and error messages reveal distinctive behavioral patterns. These patterns allow tools like httprint, Nmap NSE scripts, and custom probes to match the responses to known server profiles. This technique is part of active reconnaissance, enabling attackers to determine vulnerabilities associated with specific versions. Phishing (Option B) is unrelated to protocol analysis. Session fixation (Option C) manipulates session identifiers, not HTTP response patterns. Persistent XSS (Option D) relies on web application vulnerabilities, not server fingerprinting. Thus, the tester is performing HTTP-based server fingerprinting.

The CEH SQL Injection module defines stacked (piggybacked) queries as attacks where an attacker appends an additional SQL statement using a statement delimiter such as a semicolon.

In this scenario, the attacker executed a second query (DROP TABLE users) after the original query, resulting in destructive behavior.

Option B is correct.

Option A retrieves data, not execute destructive commands.

Option C infers logic outcomes.

Option D relies on error messages for data extraction.

CEH classifies stacked queries as high-impact SQL injection attacks.

The attackers described are most consistent with black hat hackers because their actions are clearly unauthorized, intentionally harmful, and motivated by financial gain. They compromise a financial institution, deploy credential-stealing malware, exfiltrate customer account data, and then sell the stolen information on underground forums. This aligns with criminal hacking behavior: monetizing access and stolen data through illicit marketplaces, fraud, and repeated targeting of similar victims.

The scenario explicitly rules out ideologically motivated activity: “no political or social statements are made.” That makes hacktivists unlikely, since hacktivism typically involves a political, social, or ideological motive and often seeks publicity for a cause (defacements, leaks, DDoS protests). It also rules out ethical categories: white hat hackers operate with authorization and report findings to improve security rather than steal and sell credentials. Script kiddies are generally low-skill attackers who rely on existing tools and scripts; while they can cause harm, the scenario highlights sustained targeting, credential theft, and underground monetization—behavior more strongly associated with organized cybercriminals/black hats.

Black hats typically pursue objectives like theft of credentials, financial fraud, ransomware deployment, and sale of access or data. Their operations often emphasize anonymity, operational security, and repeatability across many similar targets—consistent with “continuing to target similar organizations for financial gain.”

Therefore, the most likely category is A. Black Hat hackers.

The described behavior is consistent with Shell Injection (OS Command Injection). The critical clues are that the application forwards user-supplied input to system-level functions and that crafted input can cause unexpected system commands to execute, resulting in unauthorized control of the underlying operating environment. That is the defining characteristic of command injection: the application constructs or passes command strings to the operating system (directly or indirectly), and inadequate input validation/escaping allows an attacker to alter command structure and execute arbitrary commands.

In an internal administration portal, this often occurs when developers integrate convenience features like “ping a host,” “lookup a file,” “run diagnostics,” “convert/export,” or “invoke a backend script,” and they pass user input into command interpreters or shell calls. If input is not strictly validated (allowlisting) and properly handled (parameterization, safe APIs, escaping), attackers can append operators or metacharacters to change execution flow, allowing system command execution under the application’s privileges.

The other options do not align with “system commands”:

LDAP Injection (B) targets directory queries by manipulating LDAP filter syntax to bypass authentication or extract directory data, not execute OS commands.

SQL Injection (C) manipulates database queries to read/modify database content; while severe, it is fundamentally a database-layer issue, not direct OS command execution as described.

XSS (D) executes script in a user’s browser context, impacting clients, sessions, and web content—not the server’s operating environment through system command execution.

Therefore, the vulnerability being demonstrated is A. Shell Injection.

This scenario describes SNMP Enumeration, a technique covered under CEH v13 Reconnaissance and Enumeration. Simple Network Management Protocol (SNMP) operates over UDP port 161 and is widely used for monitoring and managing network devices. A common and critical weakness arises when organizations leave default or publicly known community strings such as public (read-only) or private (read-write) unchanged.

CEH v13 explains that when an SNMP agent is configured with default community strings, it allows unauthenticated or weakly authenticated queries, enabling attackers to retrieve extensive system information. This includes installed software, running processes, system descriptions, network interfaces, and routing tables. The ability to perform bulk data queries using SNMP GET and WALK commands makes enumeration highly effective and fast.

Option B correctly identifies the root cause: misconfigured SNMP agents permitting anonymous or default access. The other options are incorrect because SNMP does not rely on FTP, registry access, or trap logging for enumeration. Traps (Option D) are unsolicited notifications sent to managers and are not used for querying system details.

CEH v13 strongly recommends disabling SNMP when not required, changing default community strings, restricting SNMP access via ACLs, and using SNMPv3, which supports authentication and encryption. Therefore, Option B is the correct and CEH-aligned answer.