Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

18 U.S.C. §1030, also known as the Computer Fraud and Abuse Act (CFAA), is a broad federal statute that criminalizes unauthorized access to computers and related fraudulent activities—including phishing and email scams.

From CEH v13 Official Courseware:

Module 1: Introduction to Ethical Hacking

Topic: U.S. Laws Related to Cybercrime

CEH v13 Study Guide states:

“Email-based frauds such as phishing, spoofing, and other social engineering attacks fall under the Computer Fraud and Abuse Act (18 U.S.C. §1030), which criminalizes unauthorized access and fraudulent behavior in computing systems.”

Incorrect Options:

B: Relates to credit cards and access devices.

C: Covers interference with government communication systems.

D: Covers illegal wiretapping and eavesdropping.

CEH v13 outlines a structured approach to vulnerability assessment and exploitation. After identifying a high-severity vulnerability, the next critical step is verification and research, not immediate exploitation. This ensures accuracy, reduces false positives, and avoids unnecessary risk. CEH emphasizes that testers must validate vulnerability details, confirm version applicability, assess exploit availability (e.g., Metasploit, Exploit-DB), and evaluate potential impact. Attempting DoS attacks (Option A) is prohibited unless explicitly scoped and does not align with responsible testing. Brute-force attacks (Option B) are unrelated to software version vulnerabilities. Ignoring the issue (Option D) violates CEH methodology. The correct process is to research and verify—ensuring exploitation is safe, relevant, and authorized. This aligns with CEH’s vulnerability management lifecycle: discovery → verification → prioritization → exploitation (when allowed) → reporting.

CEH explains that hash functions alone, such as SHA-256, only provide integrity checks and do not verify authenticity or non-repudiation. Attackers can modify data and recompute the hash.

Digital signatures combine hashing with asymmetric cryptography, ensuring:

Integrity

Authentication

Non-repudiation

Option D is correct.

Options A and B provide confidentiality, not integrity assurance.

Option C secures communication channels, not standalone data integrity.

CEH explicitly recommends digital signatures for protecting data integrity against tampering.

CEH v13 explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns. A custom exploit using obfuscation is far more likely to evade detection.

Metasploit payloads and rootkits are commonly flagged, and SMS phishing relies on user interaction. Therefore, custom obfuscated exploit code is the most stealthy and effective method.

CEH v13 explains that fingerprinting is a core reconnaissance technique used to identify software versions, server types, and configurations by analyzing how systems respond to crafted or abnormal input. When testers send malformed HTTP verbs, unusual headers, or atypical URI structures, the server’s specific response codes, banners, and error messages reveal distinctive behavioral patterns. These patterns allow tools like httprint, Nmap NSE scripts, and custom probes to match the responses to known server profiles. This technique is part of active reconnaissance, enabling attackers to determine vulnerabilities associated with specific versions. Phishing (Option B) is unrelated to protocol analysis. Session fixation (Option C) manipulates session identifiers, not HTTP response patterns. Persistent XSS (Option D) relies on web application vulnerabilities, not server fingerprinting. Thus, the tester is performing HTTP-based server fingerprinting.

According to CEH v13, black box testing refers to a testing approach where the ethical hacker has no prior knowledge of the internal structure, source code, or configuration of the system.

The attacker simulates a real-world external attacker, relying solely on discovery and exploitation techniques.

White box testing = full knowledge

Gray box testing = partial knowledge

CEH defines botnets as networks of compromised machines controlled remotely to perform coordinated activities such as DDoS attacks, spam campaigns, and credential theft. Systems showing outbound connections to unknown IPs and participating in mass spam dissemination are characteristic indicators of botnet infection.

CEH v13 clarifies that nbtstat is used only for NetBIOS name table enumeration, not for listing shared resources. Tags such as <20> indicate file server services, but share enumeration requires tools like net view or SMB enumeration utilities.

Thus, the inability to list shares is due to tool limitation, not service configuration. Option C is correct.

https://en.wikipedia.org/wiki/RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.

RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication. A RADIUS server is usually a background process running on UNIX or Microsoft Windows.

Authentication and authorization

The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The credentials are passed to the NAS device via the link-layer protocol—for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers or posted in an HTTPS secure web form.

In turn, the NAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.

This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request may contain other information which the NAS knows about the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the NAS.

The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status, and specific network service access privileges. Historically, RADIUS servers checked the user's information against a locally stored flat-file database. Modern RADIUS servers can do this or can refer to external sources—commonly SQL, Kerberos, LDAP, or Active Directory servers—to verify the user's credentials.

The RADIUS server then returns one of three responses to the NAS:

1) Access-Reject,

2) Access-Challenge,

3) Access-Accept.

Access-Reject

The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.

Access-Challenge

Requests additional information from the user such as a secondary password, PIN, token, or card. Access-Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the Radius Server in a way that the access credentials are hidden from the NAS.

Access-Accept

The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested. A given user may be allowed to use a company's wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server or may be looked up in an external source such as LDAP or Active Directory.

In CEH v13 Cloud Computing, serverless architectures introduce unique security challenges, particularly around Function-as-a-Service (FaaS) permissions. When a serverless function is compromised through an insecure third-party API, the damage depends largely on what the function is allowed to do.

Implementing function-level permission models and enforcing the principle of least privilege ensures that even if a function is exploited, its ability to execute malicious actions is strictly limited. CEH v13 strongly emphasizes granular IAM controls in serverless environments.

While cloud-native security platforms (Option A) and CASBs (Option C) provide visibility and governance, they do not directly prevent excessive permissions. Regular patching (Option D) is important but does not mitigate permission abuse.

CEH v13 identifies least privilege as the single most critical control in preventing serverless abuse and privilege escalation. Therefore, Option B is the correct answer.

Just like any other service that accepts usernames and passwords for logging in, AWS users are vulnerable to social engineering attacks from attackers. fake emails, calls, or any other method of social engineering, may find yourself with an AWS users’ credentials within the hands of an attacker.

If a user only uses API keys for accessing AWS, general phishing techniques could still use to gain access to other accounts or their pc itself, where the attacker may then pull the API keys for aforementioned AWS user.

With basic opensource intelligence (OSINT), it’s usually simple to collect a list of workers of an organization that use AWS on a regular basis. This list will then be targeted with spear phishing to do and gather credentials. an easy technique may include an email that says your bill has spiked 500th within the past 24 hours, “click here for additional information”, and when they click the link, they’re forwarded to a malicious copy of the AWS login page designed to steal their credentials.

An example of such an email will be seen within the screenshot below. it’s exactly like an email that AWS would send to you if you were to exceed the free tier limits, except for a few little changes. If you clicked on any of the highlighted regions within the screenshot, you’d not be taken to the official AWS web site and you’d instead be forwarded to a pretend login page setup to steal your credentials.

These emails will get even more specific by playing a touch bit additional OSINT before causing them out. If an attacker was ready to discover your AWS account ID on-line somewhere, they could use methods we at rhino have free previously to enumerate what users and roles exist in your account with none logs contact on your side. they could use this list to more refine their target list, further as their emails to reference services they will know that you often use.

For reference, the journal post for using AWS account IDs for role enumeration will be found here and the journal post for using AWS account IDs for user enumeration will be found here.

During engagements at rhino, we find that phishing is one in all the fastest ways for us to achieve access to an AWS environment.

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies “Insecure Data Storage” as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

Appropriately controlling admittance to web content is significant for running a safe web worker. Index crossing or Path Traversal is a HTTP assault which permits aggressors to get to limited catalogs and execute orders outside of the web worker’s root registry.

Web workers give two primary degrees of security instruments

Access Control Lists (ACLs)

Root index

An Access Control List is utilized in the approval cycle. It is a rundown which the web worker’s manager uses to show which clients or gatherings can get to, change or execute specific records on the worker, just as other access rights.

The root registry is a particular index on the worker record framework in which the clients are kept. Clients can’t get to anything over this root.

For instance: the default root registry of IIS on Windows is C:\Inetpub\wwwroot and with this arrangement, a client doesn’t approach C:\Windows yet approaches C:\Inetpub\wwwroot\news and some other indexes and documents under the root catalog (given that the client is confirmed by means of the ACLs).

The root index keeps clients from getting to any documents on the worker, for example, C:\WINDOWS/system32/win.ini on Windows stages and the/and so on/passwd record on Linux/UNIX stages.

This weakness can exist either in the web worker programming itself or in the web application code.

To play out a registry crossing assault, all an assailant requires is an internet browser and some information on where to aimlessly discover any default documents and registries on the framework.

What an assailant can do if your site is defenseless

With a framework defenseless against index crossing, an aggressor can utilize this weakness to venture out of the root catalog and access different pieces of the record framework. This may enable the assailant to see confined documents, which could give the aggressor more data needed to additional trade off the framework.

Contingent upon how the site access is set up, the aggressor will execute orders by mimicking himself as the client which is related with “the site”. Along these lines everything relies upon what the site client has been offered admittance to in the framework.

Illustration of a Directory Traversal assault by means of web application code

In web applications with dynamic pages, input is generally gotten from programs through GET or POST solicitation techniques. Here is an illustration of a HTTP GET demand URL

GET http://test.webarticles.com/show.asp?view=oldarchive.html HTTP/1.1

Host: test.webarticles.com

With this URL, the browser requests the dynamic page show.asp from the server and with it also sends the parameter view with the value of oldarchive.html. When this request is executed on the web server, show.asp retrieves the file oldarchive.html from the server’s file system, renders it and then sends it back to the browser which displays it to the user. The attacker would assume that show.asp can retrieve files from the file system and sends the following custom URL.

GET http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini HTTP/1.1

Host: test.webarticles.com

This will cause the dynamic page to retrieve the file system.ini from the file system and display it to the user. The expression ../ instructs the system to go one directory up which is commonly used as an operating system directive. The attacker has to guess how many directories he has to go up to find the Windows folder on the system, but this is easily done by trial and error.

Example of a Directory Traversal attack via web server

Apart from vulnerabilities in the code, even the web server itself can be open to directory traversal attacks. The problem can either be incorporated into the web server software or inside some sample script files left available on the server.

The vulnerability has been fixed in the latest versions of web server software, but there are web servers online which are still using older versions of IIS and Apache which might be open to directory traversal attacks. Even though you might be using a web server software version that has fixed this vulnerability, you might still have some sensitive default script directories exposed which are well known to hackers.

For example, a URL request which makes use of the scripts directory of IIS to traverse directories and execute a command can be

GET http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ HTTP/1.1

Host: server.com

The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command shell file and run the command dir c:\ in the shell. The %5c expression that is in the URL request is a web server escape code which is used to represent normal characters. In this case %5c represents the character \.

Newer versions of modern web server software check for these escape codes and do not let them through. Some older versions however, do not filter out these codes in the root directory enforcer and will let the attackers execute such commands.

A covert channel is a communication method used to transfer information in a way that violates security policy, often by repurposing legitimate protocols or functions for unauthorized communication.

From CEH v13 Official Courseware:

Module 6: Malware Threats

Topic: Covert Communication and Data Exfiltration Techniques

CEH v13 Study Guide states:

“A covert channel exploits unintended uses of legitimate communication protocols. It allows data to be transmitted without detection by hiding the communication inside seemingly benign traffic.”

Incorrect Options:

A: A non-standard port may aid in hiding services, but doesn’t constitute a covert channel.

C: Multiplexing is a normal communication mechanism.

D: WEP is insecure, but this isn’t related to covert channels.

This scenario describes fileless malware using covert command-and-control (C2) channels over commonly allowed protocols such as HTTP and DNS, a technique heavily emphasized in CEH v13 Malware Threats. Such malware avoids writing files to disk and instead leverages memory, legitimate system tools, and trusted protocols to evade traditional defenses.

Signature-based antivirus updates (Option A) are ineffective against fileless malware because there are no static artifacts to match. Blocking known malware ports (Option C) is also ineffective, as the malware intentionally uses ports 80 and 53, which must remain open for normal business operations. Restricting plain HTTP (Option B) may reduce visibility but does not stop DNS tunneling or encrypted malicious traffic.

CEH v13 identifies behavioral analytics as the most effective countermeasure against advanced malware. Behavioral solutions establish a baseline of normal system and network activity, then detect anomalies such as:

Unusual outbound DNS query patterns

Abnormal HTTP beaconing intervals

Legitimate applications behaving suspiciously

PowerShell or system tools generating network traffic unexpectedly

By monitoring how systems behave rather than what files exist, behavioral analytics can identify stealthy C2 communications and disrupt them early. Therefore, Option D is the most effective and CEH-aligned response.

The TPM is a chip that's part of your computer's motherboard — if you bought an off-the-shelf PC, it's soldered onto the motherboard. If you built your own computer, you can buy one as an add-on module if your motherboard supports it. The TPM generates encryption keys, keeping part of the key to itself

Burp Suite is a comprehensive web vulnerability scanner and testing suite widely used in penetration testing and ethical hacking.

Key features include:

Intercepting proxy: Allows inspection and modification of traffic between the browser and target server.

Session hijacking/testing tools

Intruder and Repeater modules for customized payload injection

Sequencer module for testing session token randomness

Extensibility through plugins and custom scripts

Incorrect Options:

A. Nmap is a network scanning tool, not used for intercepting web traffic.

C. CxSAST (Checkmarx) is a static application security testing (SAST) tool.

D. Wireshark is a packet analyzer but does not include intercepting proxy features or token testing.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Burp Suite as a Web Vulnerability Testing Tool”

CEH iLab: Using Burp Suite for Web App Testing

=

Hootsuite may be a social media management platform that covers virtually each side of a social media manager’s role.

With only one platform users area unit ready to do the easy stuff like reverend cool content and schedule posts on social media in all the high to managing team members and measure ROI.

There area unit many totally different plans to decide on from, from one user set up up to a bespoken enterprise account that’s appropriate for much larger organizations.

Conducting location search on social media sites such as Twitter, Instagram, and Facebook helps attackers to detect the geolocation of the target. This information further helps attackers to perform various social engineering and non-technical attacks. Many online tools such as Followerwonk, Hootsuite, and Sysomos are available to search for both geotagged and non-geotagged information on social media sites. Attackers search social media sites using these online tools using keywords, usernames, date, time, and so on...

In CEH v13 Module 05: System Hacking, once an attacker gains access to hashed passwords, cracking tools are employed to reverse or brute-force them.

Tool Breakdown:

John the Ripper: A powerful password cracking tool that supports many hash formats.

Hashcat: GPU-based, extremely fast password hash cracking tool.

THC-Hydra: Used for online attacks (e.g., SSH, FTP brute force).

Netcat: Not a password cracking tool — it’s a network utility used for:

Remote shell connections

Banner grabbing

File transfers

Port scanning

Therefore:

C. Netcat is the correct answer — it is not used for password cracking.

A Kernel-level rootkit operates at the core of the operating system (OS kernel), enabling the attacker to:

Modify or replace kernel code

Load malicious kernel modules

Hide files, processes, and backdoors at a level that is difficult for standard security tools to detect

According to CEH v13:

Kernel-mode rootkits are highly stealthy and dangerous because they run with the highest privileges.

These rootkits modify system calls and memory structures in the kernel space to conceal malicious activity.

Incorrect Options:

A. User-mode rootkits operate at the application layer and are less stealthy than kernel-level rootkits.

B. Library-level rootkits manipulate standard libraries (like libc) to intercept calls.

D. Hypervisor-level rootkits run beneath the OS (e.g., via virtualization) and are extremely rare and complex.

Reference – CEH v13 Official Courseware:

Module 06: Malware Threats

Section: “Types of Rootkits”

Subsection: “Kernel-Mode Rootkits vs. User-Mode Rootkits”