Pass the ECCouncil CEH v13 312-50v13 Questions and answers with CertsForce

The CEH SQL Injection module defines stacked (piggybacked) queries as attacks where an attacker appends an additional SQL statement using a statement delimiter such as a semicolon.

In this scenario, the attacker executed a second query (DROP TABLE users) after the original query, resulting in destructive behavior.

Option B is correct.

Option A retrieves data, not execute destructive commands.

Option C infers logic outcomes.

Option D relies on error messages for data extraction.

CEH classifies stacked queries as high-impact SQL injection attacks.

The key indicator is that the switch’s CAM table was overwhelmed and the attacker’s machine started receiving traffic not originally destined for it. That is the hallmark of MAC flooding. Switches maintain a CAM (Content Addressable Memory) table mapping MAC addresses to switch ports. Under normal conditions, this allows a switch to forward frames only to the correct destination port (unicast switching). In a MAC flooding attack, the attacker sends a large volume of frames with many spoofed source MAC addresses, rapidly filling the CAM table. Once the table is full, the switch may fail open for unknown unicast traffic and begin broadcasting (flooding) frames out multiple ports, similar to a hub-like behavior. This causes unintended packet exposure and allows the attacker to capture traffic from other hosts, enabling sniffing of multiple sessions.

The scenario explicitly mentions switch instability, traffic leakage, receiving packets not destined for the attacker, and CAM table exhaustion—these are directly aligned with MAC flooding mechanics.

Why the other options don’t match as well:

ARP poisoning (C) is a man-in-the-middle technique that manipulates ARP caches to redirect traffic through the attacker. It does not typically overwhelm the switch’s CAM table, and the symptom is traffic redirection rather than CAM exhaustion.

VLAN hopping (B) is a VLAN segmentation bypass (e.g., switch spoofing or double-tagging) and is about crossing VLAN boundaries, not causing CAM table overflow and switch-wide flooding behavior. The mention of multiple VLANs seeing leakage could be a downstream consequence of flooding/misconfiguration, but the decisive clue is CAM table overload.

DNS poisoning (A) targets name resolution and would not produce CAM table exhaustion or switch instability.

Therefore, Sarah most likely used D. MAC Flooding.

CEH v13 highlights that SNMPv1/v2 environments configured with default community strings such as " public " or " private " present significant security risks because they allow unauthorized users to query system information. SNMP enumeration can reveal processes, interfaces, routing tables, users, device configurations, and more. The snmp-processes Nmap NSE script is specifically designed to enumerate running processes on an SNMP-enabled host. It queries the Host Resources MIB (HR-MIB), which stores operational information about system processes, CPU usage, and memory consumption. This information provides attackers with insights into what services may be exploitable or misconfigured. CEH stresses that SNMPv2 is particularly vulnerable due to lack of encryption and authentication hardening. By enumerating processes, penetration testers can identify potential privilege escalation paths, outdated services, or rogue applications that may aid lateral movement. Other scripts such as snmp-sysdescr or snmp-interfaces retrieve system description or interface data but do not enumerate processes.

This scenario is a classic session fixation attack. In session fixation, the attacker sets or “fixes” a known session identifier (session ID) for the victim before the victim authenticates. The attacker then persuades the victim to use that predetermined session—often by embedding the session ID into a URL, link, or cookie setting mechanism. Once the victim logs in, the application incorrectly continues using the same session ID (rather than issuing a new one upon authentication). As a result, the attacker can reuse that known session ID to access the victim’s authenticated session context.

The described sequence matches session fixation exactly: James first crafts a session and obtains a session ID, then shares it with the victim via a link, the victim clicks and logs in, and “their activity is bound to the attacker’s pre-assigned session.” Later, James accesses the session and retrieves the victim’s input—demonstrating that authentication was tied to an attacker-controlled session token.

Why the other options do not fit:

Session replay (B) involves capturing a valid session token (e.g., via sniffing, XSS, or leakage) and replaying it, but it does not require pre-setting the token before the victim logs in.

Session prediction (C) is about guessing or calculating valid session IDs due to weak randomness. Here the attacker does not guess; he deliberately provides a session ID he already controls.

“Session donation (A)” is not the standard classification for this well-known web session weakness in CEH-style taxonomy; the described behavior aligns with fixation.

Therefore, the correct answer is D. Session Fixation Attack.

The Certified Ethical Hacker (CEH) Cloud Computing and Data Protection module emphasizes the importance of resilient backup strategies to protect against data tampering, ransomware, and unauthorized modification.

The 3-2-1 backup model is a widely recommended best practice referenced in CEH materials. It requires maintaining:

3 copies of data

Stored on 2 different media types

With 1 copy stored offsite

This approach ensures that even if cloud backups are compromised or altered, clean and uncompromised versions remain available. CEH documentation highlights this model as a core defense against data integrity attacks in cloud environments.

Option D directly mitigates the risk of backup tampering.

Options A, B, and C address unrelated security concerns and do not protect backup integrity.

CEH explains that MAC flooding overwhelms a switch’s CAM table, causing it to fail open. When the table fills, the switch broadcasts frames out all ports, behaving like a hub. This exposes unicast traffic to attackers operating in promiscuous mode.

According to the CEH Denial-of-Service (DoS/DDoS) module, application-layer DDoS attacks specifically target services such as HTTP, HTTPS, DNS, or APIs by sending requests that appear legitimate but overwhelm server resources.

An HTTP flood attack sends a massive number of HTTP GET or POST requests, consuming CPU, memory, and application threads. CEH highlights that these attacks are particularly dangerous because they:

Mimic normal user behavior

Are difficult to distinguish from legitimate traffic

Bypass traditional network-layer defenses

Option A is correct.

Options B, C, and D operate primarily at the network or transport layers, not the application layer.

CEH stresses that HTTP floods are among the most challenging DDoS attacks to mitigate due to their stealthy nature.

According to the Certified Ethical Hacker (CEH) IoT, OT, and SCADA Security module, side-channel attacks exploit indirect information leaks such as power consumption, electromagnetic emissions, timing variations, or thermal output rather than software vulnerabilities.

Option A is correct because monitoring hardware-level anomalies is the primary method for detecting side-channel exploitation. CEH materials emphasize that these attacks bypass traditional security controls.

Option B relates to cryptographic weaknesses, not side-channel analysis.

Option C addresses interface misuse, not covert data leakage.

CEH highlights that SCADA systems are especially vulnerable due to legacy hardware and limited monitoring capabilities.

CEH notes that cloud IAM misconfigurations can unintentionally grant broad access. If any authenticated cloud account is permitted read/write access, attackers can simply authenticate with their own cloud identity and directly interact with the misconfigured storage buckets, enabling data exfiltration or manipulation.

The correct answer is D. Exposed Bearer Tokens in Logs.

The scenario states that authentication artifacts associated with Kubernetes service accounts are appearing in logs or system-generated output. If those values can be reused to access cluster resources, they are functioning as bearer credentials. A bearer token grants access to whoever possesses it, so exposing it in logs creates a serious privilege-reuse risk.

Option A. No Certificate Revocation is incorrect because the weakness does not involve inability to revoke TLS or client certificates.

Option B. Unauthenticated HTTPS Connections is incorrect because the issue is not that HTTPS connections lack authentication. The issue is that valid authentication tokens are being logged.

Option C. No Non-repudiation is incorrect because non-repudiation concerns proving who performed an action. The scenario concerns credential exposure.

Option D. Exposed Bearer Tokens in Logs is correct because service-account bearer tokens recorded in logs could be reused by anyone who can access those logs.

Therefore, the best answer is D. Exposed Bearer Tokens in Logs.

The scenario best matches Traffic IQ Professional because it describes a tool used to generate and replay diverse traffic patterns through a firewall to validate rule enforcement and detection under simulated attack conditions. The key functions here are traffic generation, replay, and the ability to model both legitimate and malicious flows to test whether the firewall correctly handles evasion attempts and policy enforcement. Traffic generation/replay platforms are used in security validation and firewall testing to emulate real-world network behaviors at scale and to assess how devices respond to crafted or replayed traffic profiles.

Why the other tools are less suitable:

Nmap (A) is primarily a scanner for host discovery, port scanning, and service enumeration, with some scripting capabilities. It is not chiefly a traffic generation/replay system for exercising a firewall with diverse controlled flows.

Colasoft Packet Builder (C) can craft packets and build custom traffic at the packet level, which is useful for creating specific test packets. However, the scenario emphasizes broader “diverse traffic patterns” and replay of flows in a way typically associated with traffic modeling/validation suites rather than single-packet construction.

Metasploit (D) is an exploitation framework used to develop and execute exploits and payloads. While it can generate certain traffic, its primary purpose is not comprehensive traffic generation and replay to validate firewall policies under many traffic types.

Traffic IQ Professional is the best fit because it aligns with a firewall test plan focused on simulating legitimate and malicious traffic profiles, including evasion-style patterns, and demonstrating how the perimeter device behaves under controlled conditions. This approach is often used to evaluate whether a firewall can consistently enforce security policies, detect anomalies, and resist evasion techniques without overblocking legitimate traffic.

Therefore, the most likely tool is B. Traffic IQ Professional.

The correct answer is C. Sherlock.

Sherlock is used to search for a username across many social networking and online platforms. Its primary purpose is cross-platform username correlation. It does not natively provide geolocation tracking like Creepy, and it does not provide relationship-graph visualization like Maltego.

CEH-aligned reconnaissance material describes Maltego as a tool that gathers information from different sources and represents relationships through graph-based analysis . Another reference explains that OSINT username-correlation tools can verify whether a username or profile exists across hundreds of platforms . Sherlock matches that username-correlation function.

Option A. Maltego is incorrect because Maltego is used for relationship graphing and visual investigation.

Option B. Creepy is incorrect because Creepy is associated with geolocation intelligence from social media and image metadata.

Option D. Social Searcher is incorrect because it is mainly used for searching and monitoring social media content, not broad username enumeration across hundreds of sites.

Option C. Sherlock is correct because it specializes in checking whether a username exists across many online platforms.

Therefore, the best answer is C. Sherlock.

SQL injection is one of the most common and dangerous vulnerabilities covered in CEH training. It occurs when an application accepts unsanitized input and directly passes it to a backend SQL query. To confirm the presence of SQL injection, the tester must insert a payload that alters the logic of the SQL query executed by the application. A classic test payload such as “1 OR 1=1 —” is widely used because it forces the database to return all rows instead of filtering based on the intended search value. This verifies whether the input field is being concatenated directly into a SQL command. The CEH methodology emphasizes starting with simple, non-destructive boolean-based payloads to safely evaluate the vulnerability without causing harm to the database or impacting server availability. Since directory traversal, brute-force login attempts, and XSS attacks target entirely different weaknesses, they are not appropriate for confirming SQL injection. The selected option aligns with proper CEH testing methodology for identifying insecure input handling and improper query construction.

Outdated encryption protocols such as SSL 3.0 and TLS 1.0 contain numerous cryptographic weaknesses, making them susceptible to downgrade attacks, cipher-suite vulnerabilities, and interception. CEH explains that weak SSL/TLS configurations expose encrypted traffic to man-in-the-middle attacks because attackers can exploit vulnerabilities such as BEAST, POODLE, or weak ciphers to decrypt or manipulate data in transit. These flaws compromise confidentiality and integrity, allowing attackers to observe login credentials, session identifiers, or sensitive information. XSS and SQL injection exploit entirely different web vulnerabilities unrelated to encryption strength. Brute-forcing SSL handshakes is computationally infeasible and not relevant. Therefore, a MitM attack targeting the outdated protocol is the most effective exploitation method.

The IT team’s action—capping how many requests a single user can make per second and then delaying or dropping aggressive connections—is the defining behavior of rate limiting. In DDoS conditions, especially when the portal is under a surge of automated or abusive traffic, rate limiting enforces a policy that restricts request frequency from a source (such as an IP address, session, API key, or user identifier). This helps preserve availability by preventing any one client (or a small set of clients) from consuming a disproportionate share of application and infrastructure resources.

The key wording in the scenario is that “aggressive connections are delayed or dropped while most legitimate customers continue to use the service.” Rate limiting is designed for precisely this outcome: it introduces friction for abusive traffic patterns while allowing typical user behavior through. Depending on implementation, controls can respond with delays (throttling), temporary blocks, connection resets, or HTTP error responses (for example, “too many requests”) when limits are exceeded. This is commonly applied at the edge (reverse proxy/CDN), load balancer, WAF, or application gateway to reduce pressure on backend services.

Why the other options are not the best match:

Shutting Down Services (B) is an extreme measure that sacrifices availability to stop an attack; the scenario explicitly states service largely continues.

Absorb the Attack (C) refers to scaling capacity or using scrubbing centers/CDNs to handle volume without necessarily restricting individual requester behavior; the described control is specifically per-user request caps.

Degrading Services (D) generally means intentionally reducing functionality or quality (e.g., disabling non-essential features) to keep core services alive; here, the main technique is enforcing request-rate thresholds.

Thus, the countermeasure strategy being used is A. Rate Limiting.