Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

SQL injection testing commonly involves using tautology-based payloads such as 1 OR 1=1, which force SQL queries to evaluate as true. CEH explains that this confirms improper input sanitization and exposes whether user-supplied fields directly influence database queries. The result often returns all records, indicating successful injection.

According to the CEH Sniffing and Network Protocol Attacks module, covert channels represent one of the most sophisticated and difficult-to-detect data interception techniques. These channels hide malicious communication within legitimate protocol behavior, making them extremely challenging for traditional IDS/IPS and packet inspection tools to identify.

Industrial and legacy protocols such as Modbus, widely used in OT and legacy enterprise environments, lack encryption and authentication by design. CEH documentation highlights that attackers can manipulate unused or poorly validated Modbus fields to covertly transmit or intercept data while appearing as normal control traffic.

Option D is correct because covert channels over trusted legacy protocols blend seamlessly with legitimate traffic and bypass many security controls.

Option A is not a sniffing technique but a data-hiding method.

Option B describes exploitation, not sniffing.

Option C is a theoretical evasion method but is more detectable through reassembly.

CEH emphasizes covert channels as one of the most formidable sniffing challenges.

The CEH DDoS Mitigation Strategies section explains that load balancing distributes traffic across multiple servers or infrastructure components to prevent any single resource from being overwhelmed.

By using hardware load balancers and cloud-based traffic distribution, organizations can:

Absorb large volumes of attack traffic

Maintain service availability

Ensure legitimate users are served

Option B is correct and directly matches CEH’s definition.

Option A drops all traffic, including legitimate requests.

Option C focuses on traffic analysis rather than distribution.

Option D limits traffic rather than distributing it.

CEH strongly recommends load balancing as a core DDoS resilience mechanism.

Whaling is the correct answer because the scenario describes a highly targeted phishing attempt aimed at a “big fish”—a senior executive (the CEO). In CEH terminology, whaling is a specialized form of phishing that focuses on high-profile, high-authority individuals (e.g., CEOs, CFOs, directors) to maximize impact. These targets often have access to sensitive data, financial approvals, privileged systems, and strategic communications, making their credentials significantly more valuable than those of typical employees.

The attacker (Clara) uses classic social engineering drivers emphasized in CEH training: authority (impersonating the legal department), urgency/fear (a “pending lawsuit”), and trust in internal processes (a link to a supposed internal portal). This combination is designed to short-circuit normal verification behavior and prompt quick compliance. The inclusion of a credential-harvesting link aligns with common phishing goals: capturing usernames/passwords, enabling account takeover, and potentially facilitating broader compromise (e.g., email access for business email compromise, lateral movement, or privileged escalation).

Why the other options are less accurate: Spear phishing is also targeted, but it is a broader category aimed at specific individuals or groups at any level. The defining clue here is the executive-level target, which elevates it to whaling. Clone phishing involves copying a legitimate email previously received and swapping a malicious link or attachment—this detail is not present. Consent phishing typically abuses legitimate OAuth/app consent flows rather than a fake portal requesting credentials.

The ntpq utility provides detailed NTP peer information, synchronization states, offsets, delays, and strata. CEH specifically lists ntpq as the tool for querying NTP daemon status and enumerating peer relationships, making it essential for reconnaissance and lateral movement mapping.

The correct answer is B. Global Catalog Service (TCP/UDP 3268).

The key indicators are directory-related information across multiple domains, organization-wide object searches, and the dedicated port 3268. The CEH enumeration reference lists LDAP on TCP/UDP 389 and Global Catalog Service on TCP/UDP 3268 as separate services used during enumeration .

The Global Catalog is used in Active Directory environments to search directory objects across the forest, not merely within a single domain. This fits the scenario better than standard LDAP on port 389.

Option A is incorrect because Microsoft RPC Endpoint Mapper on port 135 maps RPC services, not forest-wide directory objects.

Option C is incorrect because LDAP on port 389 is directory access, but the scenario specifically describes cross-domain/global directory searches.

Option D is incorrect because SIP is used for voice/video signaling, not Active Directory enumeration.

Therefore, the best answer is B. Global Catalog Service (TCP/UDP 3268).

CEH v13 defines the five phases of ethical hacking as a structured methodology that mirrors real-world attack progression:

Reconnaissance – Information gathering

Scanning – Identifying live hosts, ports, and vulnerabilities

Gaining Access – Exploiting vulnerabilities

Maintaining Access – Establishing persistence

Covering Tracks – Removing evidence

Option C matches this exact sequence. CEH v13 emphasizes that understanding this order is critical for both attackers and defenders, as it enables systematic testing and effective mitigation strategies.

All other options misplace phases and contradict the CEH methodology.

The highest-priority proactive control “to embed into the organization’s development lifecycle” is including quantum-resistance checks in the SDLC and code review processes. The scenario emphasizes a company-wide, long-term risk reduction strategy while development continues on a major refactor. In that context, the most scalable and durable control is governance and engineering hygiene: ensuring that new features and refactored components do not reintroduce weak or legacy cryptography and that teams consistently select algorithms and key sizes aligned with modern guidance and future migration plans.

Embedding checks into the SDLC means instituting standards and guardrails such as approved cryptographic libraries, banned algorithm lists (e.g., legacy RSA key sizes, deprecated curves, weak hashes), cryptography design reviews, automated dependency scanning for crypto usage, and CI/CD policy gates that flag noncompliant implementations. This approach reduces “crypto sprawl,” prevents new technical debt, and creates a structured path to transition toward post-quantum or quantum-resistant approaches as the organization modernizes systems.

Why the other choices are not the best “highest priority” SDLC-embedded control:

Encrypt stored data with quantum-resistant algorithms (B) may be appropriate for protecting long-lived sensitive data (“harvest now, decrypt later”), but it is a targeted technical control and may not be feasible immediately across many services during refactoring. It also does not by itself prevent developers from continuing to implement legacy public-key schemes elsewhere.

Quantum-specific firewalls (C) is not a realistic or standard control for post-quantum readiness in typical enterprise environments.

Fragmenting data across locations (D) can help resilience/confidentiality in some designs but does not address the core issue: preventing continued reliance on weak public-key cryptography.

Therefore, the best answer is A. Include quantum-resistance checks in SDLC and code review processes.

Ping of Death is a classic Denial-of-Service technique in which an attacker sends oversized or malformed IP packets that exceed the maximum allowed size when reassembled. In IP networks, the maximum packet size is 65,535 bytes. Historically, attackers exploited fragmentation by sending a series of IP fragments that, when reassembled by the target, resulted in a packet larger than the permitted limit or produced an invalid buffer condition. Vulnerable systems could crash, reboot, or become unstable because the network stack mishandled the reassembly process or failed to properly validate packet length and structure.

The scenario matches this behavior precisely: Sofia transmits “oversized, malformed packets” and the server “crashes intermittently due to processing failures.” That symptom is more consistent with a malformed-packet handling flaw than with pure traffic volume. An ICMP flood and an ACK flood are volumetric or resource-exhaustion attacks that overwhelm bandwidth or connection-handling capacity, typically degrading performance rather than directly causing crashes from malformed packet parsing. A Smurf attack is an amplification-based ICMP attack using broadcast addresses to multiply traffic toward a victim; again, it is about volume, not crafted malformed packets that trigger parsing failures.

CEH guidance highlights that PoD-style attacks exploit improper packet validation and reassembly logic. Modern systems are generally patched, but poorly maintained devices, legacy OS stacks, and some embedded implementations can still exhibit instability when exposed to malformed fragmentation and reassembly edge cases.

The correct answer is C. Wi-Fi Keylogger.

The device is physically placed inline between the keyboard and the desktop, so it is hardware-based. However, the defining feature in the question is that it forwards captured keystrokes over the organization’s wireless environment. That makes the most precise answer Wi-Fi Keylogger.

CEH system hacking material explains that keylogging is the process of monitoring or recording user keyboard actions and that keyloggers may be hardware-based or software-based. It also lists wireless-capable hardware devices such as KeyGrabber Nano Wi-Fi and KeyGrabber Wi-Fi Premium among hardware keylogging devices .

Option A. Hardware Keylogger is broadly true, but less precise because the question emphasizes wireless forwarding.

Option B. Acoustic/CAM Keylogger is incorrect because the device is not inferring keystrokes from sound, camera capture, or electromagnetic observation.

Option D. Bluetooth Keylogger is incorrect because the scenario specifies forwarding through the company’s Wi-Fi environment, not Bluetooth.

Therefore, the best answer is C. Wi-Fi Keylogger.

Security awareness and training is the most effective primary countermeasure against social engineering because these attacks exploit human trust, curiosity, urgency, and lack of familiarity with deception tactics rather than purely technical weaknesses. In CEH guidance, phishing, vishing, and baiting succeed when users fail to recognize red flags such as unexpected requests, pressure to act quickly, suspicious links or attachments, caller spoofing, or offers that seem too good to be true. A structured awareness program directly reduces the chance of disclosure by teaching employees how to identify common pretexts, verify unusual requests, and follow safe reporting procedures.

While identity verification (option B) is an important practice, employees typically perform it correctly only when they have been trained on verification steps, escalation paths, and what “good verification” looks like under pressure. Two-factor authentication (option C) helps protect accounts even if credentials are stolen, but it does not prevent employees from sharing sensitive information such as customer data, internal documents, OTP codes, or approving fraudulent requests—many social engineering campaigns aim beyond passwords. Policies and procedures (option D) are necessary, but policies alone are often ignored or misunderstood without ongoing training, reinforcement, and real-world simulations.

CEH-aligned best practice is a layered approach: start with awareness training, reinforce it with clear handling policies, require verification for sensitive requests, conduct phishing simulations, and ensure employees know how to report suspicious emails/calls immediately. This combination reduces both successful compromise and the impact of attempts, but training is the foundational priority because it directly targets the human element being attacked.

RST hijacking is a TCP session hijacking technique emphasized in CEH materials under network attacks against established communications. In TCP, a Reset flag packet is used to abruptly tear down a connection. If an attacker can observe the session and determine the correct parameters such as IP addresses, ports, and an in-window sequence number, they can forge a TCP RST packet that appears to come from one endpoint. This can force the victim side to drop the session, making the legitimate client suddenly lose responsiveness.

The key clue in the scenario is that Rachel “observes a client-server communication” and then injects crafted packets that disrupt the client while the server continues to communicate with Rachel’s system. That behavior matches the practical use of RST hijacking in demonstrations: terminate or desynchronize the victim endpoint while keeping the server-side session usable long enough for the attacker to inject traffic with valid sequence and acknowledgment values. In a switched LAN, this is often paired with sniffing or traffic visibility to reliably craft the reset packet and subsequent injected packets.

Blind hijacking is different because the attacker cannot see the traffic and must guess sequence numbers, which contradicts the “observes communication” detail. UDP hijacking is not applicable because UDP is connectionless and does not use session state or RST flags. “TCP/IP hijacking” is a broad category, but the question asks for the specific technique used to disrupt the client via crafted packets, which is best identified as RST hijacking.

The correct answer is D because the scenario describes Business Email Compromise, commonly called BEC. In BEC, attackers compromise or misuse a trusted business email account and send believable internal messages to employees, finance teams, executives, or partners. The key clues are “compromise a legitimate email account,” “convincing internal messages,” and “urgent actions.” CEH social engineering concepts explain that computer-based social engineering includes phishing and crafted emails that appear legitimate, while spear phishing targets an individual or small group within an organization. However, this question is more specific than ordinary phishing or spear phishing because the attacker is using a legitimate compromised account rather than only a fake or spoofed email. CEH email-hijacking content also describes compromised email accounts sending messages to people the victim knows and email messages containing requests such as money transfers. Therefore, spoofing, phishing, and spear phishing are related, but Business Email Compromise is the most precise answer.

The correct answer is A, Long dwell time. In CEH security operations and threat-detection concepts, an Advanced Persistent Threat, or APT, is characterized by advanced techniques, persistence, stealth, and a long-term objective. CEH-related material describes an APT as a continuous process of stealing information, often focused on private organizations or political motives, and explains that “persistent” involves continuous monitoring and data fetching from a target. It also lists APT criteria such as timeliness, meaning time spent probing and accessing the target, and risk tolerance, meaning the ability to remain undetected. Long dwell time means the attacker remains inside the environment for an extended period before detection, often performing internal reconnaissance, privilege escalation, lateral movement, credential theft, persistence, and quiet data exfiltration. Malware spam is usually broad and noisy, a one-time exploit lacks persistence, and brute force is only a technique. Therefore, long dwell time best indicates APT behavior.

The correct answer is A. Insecure Design.

The issue is not just a single input validation bug. The scenario describes recurring weaknesses across multiple applications, inconsistent controls between teams, and the need to standardize security requirements across future development efforts. That points to a design-level problem, not just a patching or configuration issue.

CEH-aligned secure development material emphasizes that threat modeling identifies and reviews threats, trust boundaries, data flows, vulnerabilities, and weaknesses in application security design . Web application mitigation guidance also identifies server-side validation, whitelisting or blacklisting of input characters, sanitization, output validation, encoding, prepared statements, parameterized queries, and bind variables as mitigations for input validation flaws .

Option B. Broken Access Control is incorrect because the scenario focuses on inconsistent input-handling and validation design, not unauthorized access to functions or objects.

Option C. Security Misconfiguration is incorrect because the root problem is not an incorrectly configured server or framework setting.

Option D. Cryptographic Failures / Sensitive Data Exposure is incorrect because the issue is not about weak encryption or exposure of protected data through cryptographic failure.

Therefore, the best answer is A. Insecure Design.