Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

The correct answer is D because world-writable cron directories allow unauthorized users or attackers to add or modify scheduled tasks. In Linux, cron is used to run commands or scripts automatically at defined times, and CEH-aligned material identifies crontab as the mechanism for listing scheduled jobs/tasks. If cron directories are writable by everyone, an attacker can place a malicious script or cron entry that repeatedly runs after compromise, after login, or after reboot. This supports the CEH system-hacking phase of maintaining access, also called persistence. The uploaded red-team reference specifically associates Linux “permanent access” with cron-based scheduled execution. Linux permissions are based on read, write, and execute rights, and overly permissive settings such as full access for all users create serious control weaknesses. This is not SQL injection or XSS because no web application input is involved. It is not primarily DoS. The best CEH answer is persistence.

In CEH-aligned vulnerability assessment reporting, the Findings section is where the assessor documents what was discovered during scanning and validation in a clear, structured, and actionable way. This portion of the report typically contains the concrete results: identified assets, affected systems, vulnerability details, and evidence that supports each issue. The question states that Nikhil lists the IP addresses of scanned hosts, identifies which machines are affected, and includes tables categorizing vulnerabilities such as outdated software, default credentials, and open ports. These are classic “results” artifacts that belong in Findings because they communicate the observed security weaknesses and where they exist.

The Risk Assessment section generally builds on findings by assigning severity, likelihood, impact, and overall risk ratings, often mapping issues to business consequences and prioritization. While Nikhil may later rate default credentials as critical or open ports as medium depending on exposure, the act of enumerating vulnerabilities and associating them with specific hosts is the findings activity, not risk scoring.

Supporting Information usually contains appendices such as tool configurations, raw scan outputs, methodology references, assumptions, scope boundaries, and glossary items. Although IP lists and tables might appear in an appendix for completeness, the way the prompt describes them, they are being used as the primary categorized presentation of discovered vulnerabilities, which is consistent with the Findings section.

Assessment Overview is typically a high-level summary of scope, objectives, timeline, and approach, not detailed host-by-host vulnerability tables. Therefore, the correct section is Findings.

This scenario clearly indicates a SYN Flood attack, a classic Denial-of-Service technique discussed in CEH v13 Network and Perimeter Hacking. In a normal TCP three-way handshake, a client sends a SYN, the server responds with SYN-ACK, and the client completes the connection with an ACK. In a SYN flood, attackers send a massive number of SYN packets but never complete the handshake.

As described in CEH v13, the server allocates memory and resources for each half-open connection, placing them in the SYN_RECEIVED state. When these connections are not finalized, the server’s connection table becomes saturated, preventing legitimate users from establishing new sessions.

Other options are incorrect:

Smurf attacks rely on ICMP amplification, not TCP handshakes.

Ping of Death uses malformed ICMP packets.

UDP Floods overwhelm ports using UDP, not TCP session states.

CEH v13 emphasizes SYN floods as one of the most common Layer 4 DoS attacks due to their simplicity and effectiveness.

According to CEH v13 Web Application and Server Security, regular patching and updates are the most effective way to reduce server attack surfaces. Vulnerabilities in web servers, proxies, and supporting services are frequently exploited if patches are delayed.

While architectural choices and directory placement influence organization, they do not mitigate known vulnerabilities. Changing IP addresses does not prevent exploitation, and moving directories does not address underlying software flaws.

CEH v13 consistently emphasizes patch management as a primary defensive control. Therefore, Option C is correct.

The issue described is excessive or inappropriate application permission granting in a BYOD environment. Employees install apps that request access to sensitive device resources—contacts, camera, messaging—despite those permissions not being necessary for the app’s stated purpose. This creates a risk of data harvesting and corporate information leakage if a malicious or overly intrusive app is installed. The most direct guideline to prevent this behavior is to review the permissions requested by apps before installing them.

Mobile operating systems rely heavily on permission models to control access to sensitive data and device capabilities. When users approve broad permissions without scrutiny, they effectively authorize the app to collect and transmit sensitive information. Enforcing a culture and policy of checking permissions (and denying or uninstalling apps that request unnecessary access) directly addresses the root cause in the scenario: user consent enabling excessive privilege at the app level. In a corporate BYOD program, this guideline is often paired with mobile security controls such as enterprise app stores, allowlists/denylists, MDM/MAM policies, and user awareness training, but the question asks for the most direct preventive guideline.

Why the other options are less direct:

Encryption at rest (A) helps protect stored data if the device is lost or compromised, but it does not stop an authorized app from accessing data via granted permissions.

Automatic locking/biometrics (B) reduces unauthorized physical access, but it does not constrain what a permitted app can access while the device is in use.

App passwords (D) can help restrict casual access to an app, but they do not solve the problem of an app legitimately being granted invasive permissions.

Therefore, the best answer is C. Review permissions requested by apps before installing them.

CEH v13 explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns. A custom exploit using obfuscation is far more likely to evade detection.

Metasploit payloads and rootkits are commonly flagged, and SMS phishing relies on user interaction. Therefore, custom obfuscated exploit code is the most stealthy and effective method.

The correct answer is C, Bollards. Bollards are physical security controls designed to prevent vehicles from entering restricted areas or crashing into buildings, entrances, sensitive facilities, or pedestrian zones. They are commonly installed outside government buildings, data centers, banks, airports, and other critical infrastructure locations to mitigate vehicle-borne threats and unauthorized vehicle access. Depending on the security requirement, bollards may be fixed, removable, retractable, or reinforced to withstand high-impact collisions.

In CEH physical security concepts, organizations use preventive physical controls to protect personnel, equipment, and facilities from unauthorized access and physical attacks. Bollards are considered perimeter security controls because they create a physical barrier between vehicles and protected assets. A receptionist provides administrative access control but cannot physically stop a vehicle. A mantrap is an access-control vestibule used to restrict and verify personnel entry. A turnstile controls pedestrian movement and helps prevent tailgating. Since the question specifically asks about stopping vehicles from crashing through building doors, bollards are the most appropriate and effective security feature.

Answer: C

Insecure communication is defined in CEH’s mobile and IoT security modules as the failure to encrypt sensitive data transmitted between a device and a server. When applications use plain HTTP instead of HTTPS, all traffic—including authentication tokens, user identifiers, and session data—can be monitored and altered by an attacker through network sniffing or man-in-the-middle attacks. CEH emphasizes that insecure transport channels represent one of the most common and critical weaknesses in mobile ecosystems, allowing attackers to harvest credentials or inject malicious commands. Security misconfiguration refers to improper server settings, while SSL pinning issues involve certificate validation bypassing. Insufficient input validation pertains to application-side data validation. None of these align as directly as insecure communication, which precisely describes the unencrypted data exposure.

CEH materials describe RDDoS (Ransom DDoS) attacks as threat-driven extortion campaigns where attackers demand payment and demonstrate capability by launching a short-lived DDoS burst. The purpose is to intimidate the victim into paying before a larger, sustained attack begins. The attack described uses HTTP floods with incomplete POST requests—an application-layer DDoS technique that consumes server resources by forcing the target to hold open connections. This kind of demonstration followed by an extortion email aligns precisely with RDDoS behavior. DRDoS attacks involve reflection/amplification through third-party servers, which is not occurring here. Pulse wave attacks use timed bursts and do not involve extortion, while recursive GET floods do not match the incomplete POST behavior. Therefore, the correct classification is RDDoS.

The correct answer is B. Replay Attack.

A replay attack occurs when an attacker captures a valid communication and later retransmits it to make the receiving system accept the old message as legitimate. The important clue is that the analyst does not decrypt or modify the signal; the captured transmission is simply reused.

CEH-aligned material describes replay attacks as attacks in which captured traffic is reused to gain access or reproduce a valid transaction . CEH IoT material also lists Replay Attack among IoT attack types .

Option A. BlueBorne Attack is incorrect because BlueBorne targets Bluetooth vulnerabilities.

Option C. Rolling Code Attack is incorrect because rolling-code attacks involve capturing or interfering with changing code sequences, often while jamming the receiver. The scenario says the original transmission is simply replayed.

Option D. Sybil Attack is incorrect because a Sybil attack uses multiple forged identities to influence a network.

Therefore, the best answer is B. Replay Attack.

Non-repudiation is the security principle that prevents a sender from denying having performed a specific action, such as sending a message or approving a transaction. In CEH-aligned cryptography, non-repudiation is most commonly achieved using digital signatures backed by public key cryptography and, in many real-world deployments, supported by digital certificates and a trusted certificate authority. When Alice digitally signs the email contract, she uses her private key to create a signature that is mathematically tied to both her identity and the exact content of the message. Bob can then use Alice’s corresponding public key to verify the signature. If verification succeeds, it provides strong evidence that the message originated from the holder of Alice’s private key and that the content has not been altered since it was signed.

This is different from confidentiality, which is about preventing unauthorized disclosure of message contents through encryption. It is also distinct from integrity alone: integrity ensures the message was not modified, but non-repudiation adds accountability by binding the action to a specific signer in a way that can be demonstrated to a third party. Availability is unrelated here, as it concerns ensuring systems and data are accessible when needed.

CEH materials emphasize that non-repudiation depends on proper key management and trust infrastructure. If Alice’s private key is compromised, the evidentiary value is weakened. Therefore, protecting private keys with secure storage, access controls, and revocation mechanisms is essential to preserve non-repudiation.

The correct answer is D. NTP Enumeration.

The scenario describes querying a time synchronization service and receiving information about internal client systems. This directly maps to Network Time Protocol (NTP) enumeration.

CEH-aligned enumeration material explains that NTP runs on UDP port 123 and is used to synchronize time across a network. Querying an NTP server may reveal a list of connected systems, including system names, IP addresses, and internal network information when the NTP server is placed in a DMZ or screened subnet . Another CEH reference states that NTP enumeration can reveal host information connected to the NTP server, client IP addresses, machine names, operating system information, and internal IP information depending on deployment .

Option A. NFS Enumeration is incorrect because NFS enumeration focuses on network file shares and exported directories.

Option B. NetBIOS Enumeration is incorrect because NetBIOS enumeration targets names, shares, sessions, and Windows network information.

Option C. SNMP Enumeration is incorrect because SNMP enumeration queries device management information using MIB/OID data.

Option D. NTP Enumeration is correct because the service being queried is a time synchronization service exposing client and internal network information.

Therefore, the best answer is D. NTP Enumeration.

This scenario aligns with a Golden SAML attack because the attacker is not stealing a user password or bypassing MFA directly; instead, the attacker compromises the identity trust mechanism itself and forges valid authentication assertions. In federated cloud environments, the identity provider issues signed assertions that cloud services trust. Once the signing material is obtained, an attacker can create forged SAML tokens that appear fully legitimate to the relying cloud applications. That is why the access in logs appears normal and why no credential replay or multifactor prompt is required. This distinguishes the technique from Man-in-the-Cloud, which commonly abuses synchronization tokens, and from Cloud Hopper, which is associated with service-provider pivoting and long-term intrusion campaigns. CEH cloud coverage emphasizes that cloud trust relationships, identity infrastructure, and the mechanisms used to broker access are critical attack surfaces because compromise at that layer can grant broad service access with little visible anomaly. In practical defensive terms, protecting token-signing infrastructure is as important as protecting privileged user credentials in a cloud identity architecture.

The correct answer is A because the client can already see the wireless network and is sending association requests, which means the SSID and channel are likely correct. In wireless networking, association is the process of a client connecting to an access point. CEH wireless material explains that clients must associate with an AP before using the network, and MAC filtering is a control that allows only listed wireless NIC MAC addresses to associate with the AP. If the client’s MAC address is missing from the allowed list, the WAP may ignore or reject the association attempt. DHCP is not the best answer because DHCP occurs after Layer 2 wireless association, when the client is already connected enough to request IP configuration. The client also cannot be on the wrong channel if it can see the network and send association frames. Therefore, the most likely problem is MAC filtering on the WAP.

The correct answer is RSA. CEH cryptography coverage describes RSA as a widely used asymmetric algorithm that supports encryption and digital signatures and is commonly deployed in public-key infrastructures. The question states that the transaction data is hashed, the hash is signed with the sender’s private key, and the recipient verifies the signature with the matching public key. That is the classic RSA signature model presented in CEH materials. The additional clue is that the same algorithm is said to support encryption, digital signatures, and secure communications use cases. Diffie-Hellman is mainly a key exchange mechanism and is not used for digital signatures in the way described here. DSA is designed for digital signatures, but not for general encryption. ElGamal can support encryption and signatures, but CEH exam framing most strongly associates this full combination of encryption plus digital-signature verification with RSA. CEH references repeatedly emphasize RSA as the standard asymmetric cryptosystem for confidentiality, authentication, integrity, and nonrepudiation in enterprise communications. Because the described implementation combines hashing, private-key signing, and public-key verification within a broad asymmetric framework, RSA is the most accurate answer.