312-50v13 Exam Dumps - ECCouncil CEH v13 Questions and Answers

In CEH’s web application and mobile security modules, improper session management is defined as a failure to enforce session expiration, token invalidation, or secure session lifecycle controls. When an application does not invalidate a session token after logout, attackers can exploit this by performing a replay attack: reusing previously captured session identifiers to impersonate the user and gain unauthorized access. CEH teaches that replaying a live token is the simplest and most direct exploitation method because it does not require guessing or stealing new tokens—the attacker simply reuses a valid one that should have been invalidated. CSRF relies on exploiting a user’s active session and is not required when the attacker already possesses a reusable token. Brute-forcing session tokens is computationally expensive and unnecessary. SQL injection is unrelated to session lifecycle flaws unless token storage is directly exposed. Therefore, a replay attack is the correct exploitation method.

The correct answer is B. Stealth Virus because the defining characteristic described is hiding malicious presence by intercepting operating system calls and masking changes so that normal tools (including antivirus scans) do not observe the infection. In CEH-aligned malware concepts, stealth viruses are designed to evade detection by concealing modifications to files, boot records, or system areas. They commonly do this by hooking system functions or APIs so that when the OS or a security product requests file contents, sizes, checksums, directory listings, or other metadata, the virus returns clean-looking or original data instead of the infected/modified version. This makes infected files appear to “function normally,” while the malware remains active in memory and persists on disk.

The scenario explicitly mentions that “infected files continue to function normally” and that the malware “conceals its modifications by intercepting operating system calls.” That is the classic behavior of stealth techniques: manipulate what the system reports, not necessarily change the outward behavior of the application. The repeated “no threats detected” results also align: signature-based or basic scanning can be blinded when the malware controls the interface through which the scanner reads target files or system structures.

Why the other options are less correct: a polymorphic virus focuses on changing its code/signature between infections to evade signature-based detection, but the key clue here is OS call interception and hiding modifications, not code mutation. A macro virus targets macro-enabled documents and spreads through macro execution in office applications; it is not primarily defined by OS-level call hooking. A cavity virus (spacefiller) hides by inserting itself into unused areas of a file without changing the file size, but the scenario’s emphasis is on intercepting OS calls to conceal changes, which is more directly the stealth-virus behavior.

Therefore, Ryan most likely deployed a stealth virus.

Wireshark is the primary packet-sniffing tool covered in CEH v13 Network Sniffing. It captures and analyzes live traffic, allowing analysts to view plaintext HTTP packets.

Nessus is a vulnerability scanner, Nmap is for scanning, Netcat is a networking utility. None provide protocol-level inspection like Wireshark.

Thus, Option D is correct.

The attack described is website defacement, which occurs when an attacker gains the ability to modify the content of a website—often the homepage—to display unauthorized messages, propaganda, or vandalism. The scenario explicitly says Mia “alter[s] visible content on the homepage, replacing it with unauthorized messages,” and emphasizes the reputational harm even without data theft. That reputational impact is a hallmark of defacement: it undermines customer trust, signals weak security, and can create regulatory/brand consequences even if no confidential information is exfiltrated.

The stated entry point—“exploiting an unpatched vulnerability in the web server”—is also consistent with defacement. Attackers frequently leverage web server or web application weaknesses (misconfigurations, known CVEs, weak credentials, vulnerable plugins, or insecure file permissions) to gain write access to web content or templates. Once write access is achieved, the attacker can replace HTML pages, alter templates, inject malicious scripts, or modify assets so that visitors see the attacker’s message.

Why the other options are less appropriate:

DNS hijacking (A) redirects users by changing DNS resolution so that the domain points to an attacker-controlled server. That can lead to a fake site, but it’s not the same as modifying the real server’s homepage content.

Frontjacking (B) typically involves UI deception—overlaying or framing content to trick users—rather than server-side modification of the homepage.

File upload exploits (C) are a method that can be used to gain code execution or place malicious files on a server, but the question asks for the type of web server attack being demonstrated. The visible outcome described—unauthorized homepage changes—is best categorized as defacement.

Therefore, Mia is most likely demonstrating D. Website Defacement.

CEH v13 describes Agent Smith–style attacks as malicious Android operations where an app silently replaces legitimate applications by exploiting weaknesses in the Android app update and installation processes. These attacks often begin when users download seemingly innocent apps from untrusted third-party marketplaces. Once installed, the malicious application injects harmful code into other apps, overwriting them while preserving their icons and interface, allowing the attacker to harvest credentials, display ads, or maintain persistence without detection. CEH explains that this technique takes advantage of Android’s APK structure, sideloading vulnerabilities, and lack of signature validation in compromised environments. Simjacker (Option A) targets SIM toolkit vulnerabilities and does not replace apps. Man-in-the-Disk (Option B) abuses external storage operations but does not overwrite applications. Camfecting (Option D) refers to hijacking smartphone cameras. The described malicious replacement of legitimate apps exactly matches the Agent Smith attack pattern.

Once initial access is obtained—especially through weak or default credentials—the CEH system hacking methodology directs the tester to proceed to privilege escalation. The objective is to elevate user-level access to administrative or system-level privileges so the attacker can perform unrestricted actions such as installing tools, modifying configurations, accessing protected files, and pivoting laterally. CEH materials emphasize using privilege escalation vulnerabilities, such as misconfigured services, kernel exploits, unpatched local privilege escalation flaws, weak file permissions, and token impersonation. A denial-of-service attack is counterproductive and does not support post-exploitation goals. XSS is a web application attack vector and unrelated to operating system privilege manipulation. Brute-forcing the root password is noisy, slow, and unnecessary when authenticated access is already established. Therefore, exploiting a known local privilege escalation vulnerability is the appropriate CEH-aligned next step.

The scenario describes a wireless discovery method where the tester only listens to the airwaves and does not transmit probe requests or inject frames. In CEH terms, this is passive reconnaissance, commonly referred to as passive footprinting in the wireless context. Passive footprinting relies on capturing and analyzing existing 802.11 management traffic such as beacon frames (periodically broadcast by access points) and probe responses sent to other clients, allowing the tester to identify SSIDs, BSSIDs (MAC addresses of access points), channel numbers, supported data rates, and sometimes security capabilities, all without generating traffic that could alert administrators or trigger wireless intrusion detection systems.

Active footprinting, by contrast, involves transmitting frames—most notably probe requests—to solicit probe responses from access points, which increases detectability. The question explicitly says Ethan does not send probe requests and does not inject data packets, which rules out active methods. “Network Discovery Software” is too generic; tools can be used for either passive or active discovery, but the technique in use is defined by behavior on the wireless medium, not the presence of software. “Wash” is a specific tool/command associated with enumerating WPS-enabled access points; while it can be used during reconnaissance, the question is testing the broader technique rather than a specific utility, and the defining characteristic here is silent listening.

CEH defensive guidance notes that passive discovery is stealthier because it leverages normal beaconing behavior. Organizations mitigate reconnaissance by using wireless monitoring, rogue AP detection, strong encryption configurations, disabling unnecessary broadcasts where feasible, and maintaining continuous wireless security assessments.

Blowfish is the only option that matches all the technical characteristics described. In CEH cryptography concepts, symmetric algorithms are commonly distinguished by their structure (block cipher versus stream cipher), block size, and supported key lengths. The question states the algorithm encrypts data in 64-bit blocks and supports a variable key size ranging from 32 bits up to 448 bits, and it was introduced as a replacement for DES. Blowfish fits precisely: it is a symmetric block cipher with a 64-bit block size and a configurable key length from 32 to 448 bits, designed to be fast in software and positioned historically as an alternative to older ciphers such as DES.

The other choices do not align with these identifying properties. RC4 is a stream cipher and does not operate on fixed-size blocks, so it cannot match the 64-bit block requirement. AES is a block cipher but uses a 128-bit block size with fixed key sizes of 128, 192, or 256 bits, not 32 to 448 bits. Twofish, while related historically as a successor-era design, also uses a 128-bit block size and fixed key sizes up to 256 bits, so it does not match either.

From a CEH perspective, the mention of variable key sizes also hints at risk evaluation: shorter keys in any cipher can be brute-forced, so secure deployments require strong key length selection and proper key management. Additionally, Blowfish’s 64-bit block size can be a concern in large-volume encryption scenarios due to block collision risks, which is why modern systems often prefer 128-bit block ciphers for new designs.

The correct answer is A. Switch(config)# ip dhcp snooping because the question asks for the global setting that must be enabled first, before applying more specific (granular) DHCP Snooping controls. In Cisco switching, DHCP Snooping is the primary Layer 2 security feature used to mitigate rogue DHCP server attacks. Once enabled, the switch can distinguish between trusted ports (where legitimate DHCP server responses are allowed, typically uplinks toward the authorized DHCP server) and untrusted ports (typically access ports to end-user devices), where DHCP server responses (DHCPOFFER/DHCPACK) are filtered to prevent a rogue server from handing out malicious network configuration (gateway/DNS) to clients.

The scenario’s defense goal—“reject DHCP responses from untrusted ports”—is exactly what DHCP Snooping enforces after it is enabled and ports are assigned trust states. Conceptually, the workflow is:

Enable DHCP Snooping globally (feature activation),

Enable it for the relevant VLAN(s), and

Mark the legitimate DHCP-facing interface(s) as trusted so only those ports can send DHCP server responses.

Options C and D are part of the later, granular steps:

C enables DHCP snooping for a specific VLAN, which is necessary but is not the global prerequisite the question highlights.

D is applied under an interface to designate a port as trusted; again, this is granular and only meaningful after DHCP snooping is activated.

Option B is a different feature (Dynamic ARP Inspection) and is used to mitigate ARP spoofing/poisoning rather than rogue DHCP.

Therefore, the global command Jason should recommend first is Switch(config)# ip dhcp snooping.

The CEH Malware Threats module defines polymorphic malware as malicious code that mutates its appearance (code, encryption, packing) each time it propagates, making signature-based detection ineffective. Dormancy and trigger-based activation are also common characteristics.

CEH emphasizes that behavior-based detection, sandboxing, and heuristic analysis are the most effective countermeasures against polymorphic threats.

Option D is correct.

Options A, B, and C do not address polymorphic evasion techniques.

Password cracking is a core component of the system hacking phase. CEH materials highlight that once password hashes are obtained, attackers often perform offline cracking to avoid detection and bypass account lockout policies. Tools like Hashcat make use of hardware acceleration—specifically, GPU or multi-core CPU computing—to significantly increase cracking throughput. Hardware acceleration allows the system to perform thousands to millions of hash calculations simultaneously, dramatically improving cracking efficiency compared to traditional CPU-bound methods. While dumping SAM contents is part of credential extraction, it is not the optimization described in the scenario. Dictionary rules influence cracking strategy but not raw speed. NetBIOS spoofing is unrelated to password cracking. The emphasis here is on maximizing computational power to accelerate the hash-cracking process, aligning directly with CEH’s explanation of hardware-accelerated offline cracking techniques.

A FIN scan is a classic “stealth” TCP scan technique discussed in CEH network scanning methodology. Unlike a TCP Connect scan, which completes the full three-way handshake and is highly visible in logs, a FIN scan sends a TCP packet with only the FIN flag set to a target port. The scan then interprets the target’s response to infer whether the port is open or closed, without establishing a normal TCP session. This matches the scenario’s requirement to “infer port states without completing a full connection” and to keep visibility low.

The logic relies on expected TCP behavior defined for many TCP/IP stacks. For a closed port, the target typically responds with an RST packet, indicating there is no service listening. For an open port, many systems do not respond at all to an unexpected FIN packet (because it does not correspond to an existing connection). That “no response” behavior becomes the signal the tester uses to suspect the port may be open or filtered. CEH emphasizes that because FIN scans do not perform a handshake, they can be less likely to trigger certain basic connection-based logging, and they generate fewer obvious connection events than TCP Connect scans.

Option D, NULL scan, is also a stealth method, but it uses a packet with no flags set. The question specifically highlights leveraging TCP flags and is commonly mapped in CEH-style questions to FIN scanning as the representative “TCP flag stealth scan.” Option B is too generic, and option A is the most detectable. Therefore, FIN scan best aligns with the described stealth reconnaissance strategy.

Passive reconnaissance is emphasized throughout CEH as an essential method for gathering intelligence without alerting monitoring systems. When the tester cannot interact with the live site, they must rely entirely on third-party archives or cached content stored by search engines or internet archival services. Google’s cache function provides previously stored versions of web pages exactly for this purpose. CEH explains that attackers frequently use cached content to retrieve outdated login portals, administrative pages, exposed directories, or other sensitive elements that may no longer appear on the live web server. Unlike operators such as intext or intitle, which query live indexed metadata, the cache operator retrieves historical snapshots without accessing the target website. The link operator identifies backlinks but does not provide historical page content. Only the cache operator directly supports viewing previous versions of pages passively, aligning perfectly with the requirement to avoid detection while gathering intelligence on legacy web content.

The Certified Ethical Hacker (CEH) Social Engineering module defines tailgating as a physical social engineering attack where an unauthorized person follows an authorized individual into a restricted area.

Option C precisely matches CEH’s definition.

Option A is pretexting.

Option B is baiting.

Option D is phishing.

CEH stresses physical security awareness as critical as cyber defenses.

The correct answer is D. Twofish because the question explicitly describes a symmetric cipher that: (1) works on 128-bit blocks, (2) supports keys up to 256 bits, and (3) was a finalist in the AES selection process intended to replace DES. Twofish matches all of these characteristics. It is a symmetric block cipher designed by Bruce Schneier and colleagues, and it was one of the five AES finalists (along with Rijndael, Serpent, RC6, and MARS). Twofish uses a 128-bit block size and allows key sizes of 128, 192, or 256 bits, aligning precisely with the “up to 256-bit keys” clue.

Why the other choices do not fit: RC4 is a stream cipher, not a 128-bit block cipher, and it is not an AES finalist. AES itself (Rijndael) is the algorithm that ultimately won the AES competition; the prompt says the algorithm was a finalist, not necessarily the winner, and the description is intended to distinguish a finalist option from AES itself. Blowfish supports variable key lengths up to 448 bits but uses a 64-bit block size, not 128-bit blocks, and it was not an AES finalist (Twofish was designed as Blowfish’s successor with a larger block size to address modern requirements).

In practical terms, the block size and key size characteristics matter for security and performance: 128-bit blocks are standard for modern symmetric encryption, and 256-bit keys provide a high security margin for long-term protection of sensitive logs. The mention of AES finalization also signals that this algorithm belongs to the same generation of modern block ciphers designed with strong resistance to cryptanalysis and efficient software/hardware implementation.

Therefore, based on the stated properties and its AES finalist status, the symmetric encryption algorithm is Twofish.