Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

CEH v13 identifies AI-powered malware as an emerging advanced threat that adapts its execution based on environmental cues and user behavior. Unlike traditional polymorphic malware, AI-driven malware can dynamically decide when and how to execute actions to avoid detection.

The described traits—behavioral adaptation, idle-time exfiltration, encrypted communication—are hallmarks of AI-assisted malware.

Polymorphic viruses change signatures but do not adapt behavior intelligently. Rootkits focus on hiding presence. Worms propagate aggressively.

Therefore, Option A is correct.

Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest. Example 5.19 shows an example of Ereet scanning the Recording Industry Association of America by bouncing an idle scan off an Adobe machine named Kiosk.

Example 5.19. An idle scan against the RIAA

# nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com

Starting Nmap ( http://nmap.org )

Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental

Nmap scan report for 208.225.90.120

(The 65522 ports scanned but not shown below are in state: closed)

Port       State       Service

21/tcp     open        ftp

25/tcp     open        smtp

80/tcp     open        http

111/tcp    open        sunrpc

135/tcp    open        loc-srv

443/tcp    open        https

1027/tcp   open        IIS

1030/tcp   open        iad1

2306/tcp   open        unknown

5631/tcp   open        pcanywheredata

7937/tcp   open        unknown

7938/tcp   open        unknown

36890/tcp  open        unknown

Nmap done: 1 IP address (1 host up) scanned in 2594.47 seconds

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 underscores that modern multi-vector DDoS attacks—particularly SYN floods combined with Layer 7 HTTP floods—cannot be effectively mitigated by traditional firewalls, IPS devices, or local traffic filters. These systems become overwhelmed or risk blocking legitimate clients. CEH emphasizes the use of cloud-based DDoS mitigation platforms that provide traffic scrubbing, distributed filtering, rate shaping, and automatic scaling to absorb massive volumes of malicious traffic. Such services differentiate legitimate versus malicious traffic using global intelligence, behavioral analysis, and multi-layer protection strategies. Increasing bandwidth or blocking broad traffic categories is ineffective and harmful to users. An IPS cannot scale to handle volumetric attacks. Only cloud scrubbing solutions (e.g., Cloudflare, Akamai, AWS Shield Advanced) meet CEH’s recommended defenses for high-volume distributed attacks. These services ensure continuous availability and minimize collateral damage by filtering traffic upstream before it reaches the organization's infrastructure.

According to CEH v13 Network Scanning and Enumeration, ICMP Echo Requests (ping) are commonly filtered by firewalls and intrusion prevention systems to reduce network reconnaissance exposure. When ICMP Echo Replies are not returned but other services remain operational, the most likely explanation is ICMP filtering rather than host unavailability or compromise.

CEH v13 explicitly states that many organizations configure firewalls to block ICMP Echo Requests while allowing other ICMP types or higher-layer protocols. This practice helps prevent attackers from easily mapping live hosts during the reconnaissance phase.

The other options are incorrect because:

Unused IPs would not necessarily have active services.

A breach would typically present additional symptoms.

Network congestion would affect multiple protocols, not just ICMP.

Thus, blocked ICMP is the correct interpretation.

In CEH v13 Module 11: Hacking Wireless Networks, WPA3 is presented as the latest Wi-Fi security protocol, and it includes:

Simultaneous Authentication of Equals (SAE) protocol — a more secure key exchange mechanism.

Replaces WPA2's Pre-Shared Key (PSK) method to prevent dictionary and key recovery attacks.

SAE (a.k.a. Dragonfly) prevents attackers from capturing handshakes for offline cracking.

Option Clarification:

A. WEP: Obsolete and weak.

B. WPA: Early improvement over WEP, still vulnerable.

C. WPA2: Uses PSK and vulnerable to key reinstallation attacks (KRACK).

D. WPA3: Correct – uses SAE/Dragonfly, resistant to known attacks.

CEH v13 explains that when traditional enumeration techniques—such as SMB null sessions—are disabled, attackers often pivot to misconfigured LDAP services that still allow anonymous binding. LDAP anonymous bind, when not properly restricted, exposes directory information such as usernames, organizational units, group memberships, and other metadata. This aligns directly with the scenario, where the tester must avoid triggering alarms while still gathering internal data. LDAP queries generate minimal noise, often blending with normal authentication-related traffic, making them ideal for covert enumeration. Options A and C would require authentication or violate access restrictions, and DNS zone transfers (Option D) rarely succeed because modern DNS servers disable AXFR requests from unauthorized clients. CEH repeatedly stresses the importance of detecting and securing LDAP anonymous bind due to its potential for silent information leakage—making Option B the correct choice.

AES is the industry-standard symmetric encryption algorithm endorsed by CEH v13. It provides strong confidentiality and resists traffic analysis when used with proper modes (e.g., CBC, GCM).

DES is obsolete, HMAC ensures integrity not encryption, PSA is not a standard encryption algorithm.

Thus, Option B is correct.

CEH v13 classifies state-sponsored hackers as highly skilled professionals who operate under government direction to conduct espionage, intelligence gathering, sabotage, or cyber warfare. These attackers often target foreign governments, critical infrastructure, and strategic industries.

The defining characteristics are:

Government backing

National or geopolitical objectives

Advanced resources and long-term campaigns

Options B, C, and D do not fit. Organized hackers are typically financially motivated cybercriminal groups. Gray hats operate without authorization but not for national interests. Hacktivists pursue ideological or political causes independently.

CEH v13 explicitly associates covert intelligence operations with state-sponsored actors, making Option A correct.

CEH clearly distinguishes between active and passive reconnaissance. Passive methods involve gathering publicly available data without directly interacting with the target’s infrastructure, thus avoiding detection. Tools such as Netcraft, DNSdumpster, VirusTotal, Certificate Transparency logs, and search engine indexing are recommended by CEH for discovering subdomains through public metadata, cached DNS records, WHOIS data, SSL certificate entries, and third-party enumeration databases. These platforms provide insights into externally accessible assets without sending packets or queries to the target organization. Brute-force enumeration is active and violates the rules of engagement. Attempting credential guessing or requesting internal DNS data are unauthorized and clearly active reconnaissance activities. Passive OSINT-based subdomain enumeration is a core CEH technique used to uncover hidden infrastructure safely and legally. It is especially crucial in red team operations where stealth is a priority.

Reconnaissance is the first phase of ethical hacking and also part of the cyber kill chain. It involves gathering publicly available information about a target, such as employee names, company structure, and branding, which is later used in social engineering or phishing attacks.

Reference – CEH v13 Official Study Guide:

Module 2: Footprinting and Reconnaissance

Quote:

“Reconnaissance involves gathering information from public sources such as websites, social networks, and press releases. This is used to craft targeted phishing messages or exploit organizational weaknesses.”

Incorrect Options Explained:

A & B. Not formal terms in ethical hacking.

D. Enumeration involves interacting with systems to extract technical data.

This form of testing is known as Fuzzing. Fuzzing (or fuzz testing) is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.

In the CEH v13 courseware and study guide:

Module 6: Malware Threats

Subsection: Malware Analysis and Reverse Engineering Techniques

CEH v13 Official Study Guide and iLabs Practical

The CEH v13 guide states:

“Fuzzing is used as a software testing technique that involves sending malformed or unexpected inputs to an application in order to detect vulnerabilities such as buffer overflows, crashes, or unexpected behavior. It is particularly useful during vulnerability assessments and exploit development.”

Thus, Fuzzing helps identify vulnerabilities due to improper input validation and is widely used in vulnerability discovery and exploit testing.

Incorrect Options:

A. Randomizing: Not a recognized security testing method.

B. Bounding: Refers to setting limits or constraints; not relevant here.

C. Mutating: Can be part of fuzzing (mutation-based fuzzing), but not the umbrella term.

The most probable subsequent action from the attacker based on the Cyber Kill Chain Methodology is to exploit the malicious payload delivered to the target organization and establish a foothold. This option works as follows:

The Cyber Kill Chain Methodology is a framework that describes the stages of a cyberattack from the perspective of the attacker. It helps defenders to understand the attacker’s objectives, tactics, and techniques, and to design effective countermeasures. The Cyber Kill Chain Methodology consists of seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives12.

The delivery stage is the third stage in the Cyber Kill Chain Methodology, and it involves sending or transmitting the weaponized payload to the target system. The delivery stage can use various methods, such as email attachments, web links, removable media, or network protocols. The delivery stage aims to reach the target system and bypass any security controls, such as firewalls, antivirus, or email filters12.

The exploitation stage is the fourth stage in the Cyber Kill Chain Methodology, and it involves executing the malicious payload on the target system. The exploitation stage can use various techniques, such as buffer overflows, code injection, or privilege escalation. The exploitation stage aims to exploit a vulnerability or a weakness in the target system and gain access to its resources, such as files, processes, or memory12.

The installation stage is the fifth stage in the Cyber Kill Chain Methodology, and it involves installing a backdoor or a malware on the target system. The installation stage can use various tools, such as rootkits, trojans, or ransomware. The installation stage aims to establish a foothold on the target system and maintain persistence, which means to survive reboots, updates, or scans12.

Therefore, the most probable subsequent action from the attacker based on the Cyber Kill Chain Methodology is to exploit the malicious payload delivered to the target organization and establish a foothold, because:

This action follows the logical sequence of the Cyber Kill Chain Methodology, as it is the next stage after the delivery stage.

This action is consistent with the attacker’s goal, as it allows the attacker to gain access and control over the target system and prepare for further actions.

This action is feasible, as the attacker has already delivered the malicious payload to the target system and may have bypassed some security controls.

The other options are not as probable as option B for the following reasons:

A. The attacker will attempt to escalate privileges to gain complete control of the compromised system: This option is possible, but not the most probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather a technique that can be used in the exploitation stage or the installation stage. Privilege escalation is a method of increasing the level of access or permissions on a system, such as from a normal user to an administrator. Privilege escalation can help the attacker to gain complete control of the compromised system, but it is not a mandatory step, as the attacker may already have sufficient privileges or may use other techniques to achieve the same goal12.

C. The attacker will initiate an active connection to the target system to gather more data: This option is possible, but not the most probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather a technique that can be used in the command and control stage or the actions on objectives stage. An active connection is a communication channel that allows the attacker to send commands or receive data from the target system, such as a remote shell or a botnet. An active connection can help the attacker to gather more data from the target system, but it is not a necessary step, as the attacker may already have enough data or may use other techniques to obtain more data12.

D. The attacker will start reconnaissance to gather as much information as possible about the target: This option is not probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather the first stage. Reconnaissance is the process of collecting information about the target, such as its IP address, domain name, network structure, services, vulnerabilities, or employees. Reconnaissance is usually done before the delivery stage, as it helps the attacker to identify the target and plan the attack. Reconnaissance can be done again after the delivery stage, but it is not the most likely action, as the attacker may already have enough information or may focus on other actions12.

This scenario describes a worm infection, as defined in CEH v13 Malware Threats. Worms are self-replicating malware that spread autonomously across networks without user interaction. Their propagation often results in excessive network traffic, system crashes, and resource exhaustion, which aligns with the symptoms described.

CEH v13 differentiates worms from other malware:

Ransomware encrypts data but does not self-propagate aggressively.

Trojans require user execution.

Rootkits focus on stealth and persistence rather than replication.

The appropriate response prioritizes containment and eradication. Quarantining affected systems prevents further spread. A network-wide antivirus sweep with updated signatures removes known worm variants. Updating operating systems closes vulnerabilities that worms exploit for propagation.

CEH v13 stresses rapid isolation and patching as critical measures to control worm outbreaks and restore network stability. Therefore, Option A is correct.

Comprehensive and Detailed Explanation:

This is a classic example of social engineering. When a system is well-secured technically, attackers often turn to exploiting human vulnerabilities — such as:

Talking to employees and gaining their trust

Bribing disgruntled or low-level staff

Gaining physical access or insider information through manipulation

From CEH v13 Courseware:

Module 7: Social Engineering

Incorrect Options:

A: Zero-days are rare and expensive; not always feasible.

C: DDoS is disruptive, not data-oriented.

D: MiTM is a complex network-based attack, unlikely effective against a hardened internal mainframe.

Hashing algorithms are specifically designed to ensure data integrity. A hash function takes an input and returns a fixed-length string, called a hash or message digest. Even a small change in the input results in a completely different hash, making it useful for detecting tampering.

Common hashing algorithms include:

MD5 (now obsolete for secure uses)

SHA-1, SHA-2, SHA-3

HMAC (Hashed Message Authentication Code)

From CEH v13 Courseware:

Module 20: Cryptography

Topic: Hash Functions and Data Integrity

CEH v13 Study Guide states:

“Hashing algorithms provide integrity by generating a unique digital fingerprint of data. Any alteration in the message content will result in a different hash value, indicating that the integrity has been compromised.”

Incorrect Options:

A: Symmetric algorithms provide confidentiality.

B: Asymmetric algorithms provide confidentiality and authentication.

D: "Integrity algorithms" is not a formal cryptographic term.

This scenario describes steganographic sniffing, a highly sophisticated technique covered in CEH v13 Network Sniffing and Steganography. By embedding sensitive data inside legitimate image files—such as CT scans—attackers can intercept or exfiltrate patient information while avoiding detection.

Option D represents a steganography-based covert channel, which is extremely difficult to identify because:

The file appears legitimate

Standard encryption and IDS tools do not flag it

Medical images naturally contain large data volumes

Options A and B involve malware, which is more detectable. Option C involves text-based covert channels, which are easier to analyze than binary image embedding.

CEH v13 identifies steganography as one of the hardest data-hiding techniques to detect, making Option D correct.

CEH v13 distinguishes between vertical and horizontal privilege escalation. Vertical escalation occurs when an attacker moves upward in the hierarchy of privileges—such as from a regular user to an administrator or root—by exploiting vulnerabilities, misconfigurations, or insecure privilege boundaries. This allows the attacker to perform tasks that were previously restricted, such as modifying system settings, accessing sensitive data, installing malware, or controlling the entire environment. Horizontal escalation, on the other hand, involves accessing another user’s resources at the same privilege level, which the other options describe. Exploiting unquoted service paths or weak access controls may facilitate privilege abuse, but they do not inherently elevate the user to a higher privilege tier unless they specifically lead to administrative execution. The scenario that aligns perfectly with the CEH definition of vertical privilege escalation is the escalation from regular user to administrator.

The PSH (Push) flag in TCP instructs the sending system to:

Immediately deliver data to the application.

Avoid waiting for additional buffered data to form a full segment.

This is important in interactive communications like Telnet or SSH, where the delay in transmission would degrade the user experience.

From CEH v13 Courseware:

Module 3: Scanning Networks → TCP Flags and Packet Structure

Zone transfers (AXFR) are DNS operations that replicate zone data from a primary server to a secondary server. These can be abused during DNS enumeration if improperly secured.

CEH v13 recommends using the following tools for attempting or testing zone transfers:

A. NSLookup – supports AXFR using set type=any or set type=AXFR

C. Dig – dig @ns.example.com example.com AXFR

D. Sam Spade – GUI tool capable of DNS zone transfer

E. Host – command-line tool used for DNS lookups and AXFR

Incorrect Tools:

B. Finger – used for user enumeration, not DNS

F. Netcat – general-purpose networking tool, not specific to DNS

G. Neotrace – used for traceroute/path tracing, not DNS

This scenario clearly indicates a SYN Flood attack, a classic Denial-of-Service technique discussed in CEH v13 Network and Perimeter Hacking. In a normal TCP three-way handshake, a client sends a SYN, the server responds with SYN-ACK, and the client completes the connection with an ACK. In a SYN flood, attackers send a massive number of SYN packets but never complete the handshake.

As described in CEH v13, the server allocates memory and resources for each half-open connection, placing them in the SYN_RECEIVED state. When these connections are not finalized, the server’s connection table becomes saturated, preventing legitimate users from establishing new sessions.

Other options are incorrect:

Smurf attacks rely on ICMP amplification, not TCP handshakes.

Ping of Death uses malformed ICMP packets.

UDP Floods overwhelm ports using UDP, not TCP session states.

CEH v13 emphasizes SYN floods as one of the most common Layer 4 DoS attacks due to their simplicity and effectiveness.