312-50v13 Exam Dumps - ECCouncil CEH v13 Questions and Answers

The KRACK (Key Reinstallation Attack) vulnerability is a critical WPA2 flaw covered extensively in CEH v13 Wireless Network Hacking. KRACK exploits weaknesses in the four-way handshake process, allowing attackers to force reinstallation of encryption keys.

This key reinstallation resets nonces and counters, enabling attackers to decrypt, replay, and forge packets, even on encrypted WPA2 networks. CEH v13 highlights that KRACK does not break encryption mathematically but exploits protocol logic flaws.

Hole196 affects GTK misuse, and WPS PIN attacks target authentication, not replay of encrypted traffic. Weak RNG issues are unrelated to WPA2 replay.

Thus, Option B is correct.

This scenario demonstrates SMTP Enumeration, a classic enumeration technique described in CEH v13 Network Enumeration. SMTP servers may expose commands such as VRFY, EXPN, and RCPT TO, which can be abused to validate user accounts.

When these commands are enabled without restriction, attackers can enumerate valid usernames without authentication. The Nmap script used explicitly leverages these commands, confirming the misconfiguration.

Option B is incorrect because authentication is not bypassed. Option C concerns DNS routing, not user enumeration. Option D relates to encryption, not enumeration capability.

CEH v13 strongly recommends disabling or restricting SMTP user verification commands. Thus, Option A is correct.

The described behavior is consistent with Shell Injection (OS Command Injection). The critical clues are that the application forwards user-supplied input to system-level functions and that crafted input can cause unexpected system commands to execute, resulting in unauthorized control of the underlying operating environment. That is the defining characteristic of command injection: the application constructs or passes command strings to the operating system (directly or indirectly), and inadequate input validation/escaping allows an attacker to alter command structure and execute arbitrary commands.

In an internal administration portal, this often occurs when developers integrate convenience features like “ping a host,” “lookup a file,” “run diagnostics,” “convert/export,” or “invoke a backend script,” and they pass user input into command interpreters or shell calls. If input is not strictly validated (allowlisting) and properly handled (parameterization, safe APIs, escaping), attackers can append operators or metacharacters to change execution flow, allowing system command execution under the application’s privileges.

The other options do not align with “system commands”:

LDAP Injection (B) targets directory queries by manipulating LDAP filter syntax to bypass authentication or extract directory data, not execute OS commands.

SQL Injection (C) manipulates database queries to read/modify database content; while severe, it is fundamentally a database-layer issue, not direct OS command execution as described.

XSS (D) executes script in a user’s browser context, impacting clients, sessions, and web content—not the server’s operating environment through system command execution.

Therefore, the vulnerability being demonstrated is A. Shell Injection.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 describes Firewalking as a reconnaissance technique designed to determine which layer-4 protocols and ports a firewall allows. The attacker sends packets with carefully adjusted TTL values so that the packet expires just beyond the firewall. If the next hop generates ICMP Time Exceeded responses, the attacker can infer which ports the firewall permits. This method mimics normal TTL behavior, making it stealthier than full SYN scans or high-noise probing. Firewalking is expressly highlighted in CEH as a low-profile way to map firewall ACLs without triggering alarms. Broadcast pings are noisy and detectable, passive DNS monitoring does not reveal firewall rule sets, and full SYN scans are easily flagged by IDS systems. Firewalking’s reliance on TTL behavior, combined with protocol-specific probes, makes it the correct and CEH-aligned technique for quietly discovering open ports and firewall filtering rules.

The IT team’s action—capping how many requests a single user can make per second and then delaying or dropping aggressive connections—is the defining behavior of rate limiting. In DDoS conditions, especially when the portal is under a surge of automated or abusive traffic, rate limiting enforces a policy that restricts request frequency from a source (such as an IP address, session, API key, or user identifier). This helps preserve availability by preventing any one client (or a small set of clients) from consuming a disproportionate share of application and infrastructure resources.

The key wording in the scenario is that “aggressive connections are delayed or dropped while most legitimate customers continue to use the service.” Rate limiting is designed for precisely this outcome: it introduces friction for abusive traffic patterns while allowing typical user behavior through. Depending on implementation, controls can respond with delays (throttling), temporary blocks, connection resets, or HTTP error responses (for example, “too many requests”) when limits are exceeded. This is commonly applied at the edge (reverse proxy/CDN), load balancer, WAF, or application gateway to reduce pressure on backend services.

Why the other options are not the best match:

Shutting Down Services (B) is an extreme measure that sacrifices availability to stop an attack; the scenario explicitly states service largely continues.

Absorb the Attack (C) refers to scaling capacity or using scrubbing centers/CDNs to handle volume without necessarily restricting individual requester behavior; the described control is specifically per-user request caps.

Degrading Services (D) generally means intentionally reducing functionality or quality (e.g., disabling non-essential features) to keep core services alive; here, the main technique is enforcing request-rate thresholds.

Thus, the countermeasure strategy being used is A. Rate Limiting.

CEH describes FIN scans as stealthy scans that send packets with the FIN flag without initiating a TCP handshake. According to TCP RFC behavior, closed ports respond with RST packets while open ports ignore the probe, producing no response. This allows enumeration of port states while evading IDS systems that typically monitor SYN-based scans.

The most direct technique demonstrated is D. Compromising secrets, because the attackers abused exposed API keys to authenticate to the cloud provider and execute unauthorized cloud commands. In CEH-aligned cloud attack paths, “secrets” commonly include API keys, access tokens, secret keys, passwords, certificates, and service account credentials. When these secrets are exposed (for example, hard-coded in source code, leaked in public repositories, stored insecurely in endpoints, or logged accidentally), an attacker can use them to gain the same privileges as the legitimate account or service identity.

Once valid API keys are obtained, attackers typically perform actions consistent with the compromised identity’s permissions: spinning up compute, modifying IAM policies, accessing storage, disabling logging, creating new credentials, and pivoting across services. The incident description mentions both resource abuse and lateral movement. Resource abuse is a frequent consequence of stolen cloud credentials because attackers can provision infrastructure on the victim’s account (often for botnets, staging, or other activities). Lateral movement inside the cloud environment can happen when the compromised keys grant access to additional services or when the attacker uses the initial foothold to discover and access other roles, instances, or secrets (for example, by querying metadata services, reading configuration stores, or enumerating IAM privileges).

Why the other options are less accurate: Cryptojacking specifically refers to illicit cryptocurrency mining using hijacked resources; while “resource abuse” could include mining, the key distinguishing factor in the question is the use of exposed API keys to issue commands, which is fundamentally credential/secret compromise. Enumerating S3 buckets is a reconnaissance activity focused on object storage discovery and misconfigurations, not the central mechanism here. A wrapping attack relates to specific cloud/identity token wrapping scenarios and is not indicated by exposed API keys.

Therefore, the incident most clearly demonstrates compromising secrets (exposed API keys).

OSINT-based reconnaissance includes using search engines to identify publicly exposed cloud assets. CEH highlights Google dorking as a passive method to reveal S3 buckets indexed in search engines through patterns such as site:s3.amazonaws.com or keyword-based queries.

The most accurate classification is Design Flaws. CEH web application guidance explains that some vulnerabilities exist not because of a coding typo or a missing patch, but because the underlying workflow, trust model, or business process is architected insecurely. In this scenario, the application relies on sequential client-driven steps for identity verification, yet the server does not independently enforce that each stage is truly completed before granting access. That means the weakness lies in the way the authentication flow was designed, specifically in trusting the client-side sequence more than it should. Poor patch management would relate to unpatched software components. Misconfigurations or weak configurations usually involve deployment or server settings. Application flaws is broader, but the question asks for the best classification, and the bypass of a security workflow due to inadequate stage enforcement is best understood as a design-level weakness. CEH references often connect such issues with business logic flaws, where attackers tamper with parameters or transaction flow to violate expected process integrity. Because the core problem is the insecure design of the multi-step validation sequence, Design Flaws is the best answer.

The behavior described matches the countermeasure commonly referred to in CEH materials as escaping or encoding special characters, most notably the single quote character. SQL injection frequently relies on breaking out of a quoted string in the SQL statement using the single quote, then appending logical operators such as OR 1=1, comments, or additional clauses. When an application replaces special characters with escaped equivalents before the SQL statement is executed, it attempts to ensure the input is treated purely as data rather than executable SQL syntax. A classic example is transforming a single quote into an escaped form such as \ ' or doubling it to ' ' depending on the database and escaping rules. By doing so, the database parser interprets the quote as part of the literal string value, preventing the attacker from terminating the string and altering query logic.

Option B is therefore the best fit because it precisely describes encoding or escaping the single quote, which is the most commonly targeted delimiter in SQL injection payloads. Option A, user input validation, is broader and typically refers to allowlisting accepted characters and formats, but the question specifically emphasizes replacement with escaped equivalents rather than rejecting invalid input. Option D, parameterized queries or prepared statements, is the strongest modern control recommended in CEH guidance because it separates code from data at the API level, but it is different from character escaping and does not rely on rewriting input characters. Option C limits damage but does not prevent injection. The observed mechanism is clearly single-quote encoding.

Side jacking, as defined in CEH v13 Web Application Hacking, is a form of session hijacking where an attacker captures valid session identifiers—usually cookies—by sniffing network traffic. This attack is particularly effective when applications fail to encrypt session cookies using HTTPS.

In CEH v13, side jacking is commonly associated with attacks performed on unsecured wireless networks, where attackers passively monitor traffic using packet sniffers such as Wireshark. If session cookies are transmitted in plaintext, the attacker can replay them to impersonate the victim without needing login credentials.

Option B precisely matches this definition: capturing unencrypted session cookies and reusing them to gain unauthorized access.

Other options describe different attack types:

A is credential harvesting via social engineering.

C is network exploitation.

D is cross-site scripting (XSS).

CEH v13 emphasizes enforcing HTTPS, Secure and HttpOnly cookie flags, and session regeneration as defenses against side jacking.

According to the CEH Vulnerability Assessment and Incident Response modules, vulnerabilities with high CVSS scores and potential RCE must be treated as active threats.

CEH best practices recommend:

Immediate containment (network isolation)

Investigation and impact analysis

Patch application

Recovery

Option D follows the CEH incident response lifecycle precisely.

Option C is incomplete without containment.

Options A and B are unsafe.

CEH emphasizes containment before remediation.

In CEH v13 Cryptography, this threat is formally referred to as “Harvest Now, Decrypt Later” (HNDL). It describes a long-term cryptographic risk where adversaries intercept and store encrypted communications today, even though they cannot decrypt them with current computational capabilities. The expectation is that future quantum computers will be powerful enough to break widely used public-key cryptographic algorithms.

CEH v13 emphasizes that quantum algorithms such as Shor’s Algorithm can theoretically break RSA, DSA, and ECC by efficiently solving integer factorization and discrete logarithm problems. However, the defining feature of this threat is not the act of breaking encryption itself, but rather the strategic collection and storage of encrypted data in advance.

Option C is incomplete because it focuses only on the cryptographic mechanism rather than the threat model. Options B and D are unrelated to the scenario described and refer to quantum communication integrity issues, not long-term cryptographic exposure.

CEH v13 highlights that sensitive data with long confidentiality lifetimes—such as government records, financial data, healthcare information, and intellectual property—is especially vulnerable to this threat. As a result, organizations are encouraged to adopt quantum-resistant (post-quantum) cryptographic algorithms proactively.

Thus, Option A accurately describes the threat model and aligns with CEH v13’s treatment of future cryptographic risks.

The Certified Ethical Hacker (CEH) Malware Threats module explains that attackers often abuse legitimate system services to blend malicious traffic with normal system behavior. Background Intelligent Transfer Service (BITS) is a Windows service designed to transfer files in the background using idle network bandwidth.

Attackers leverage BITS because its traffic closely resembles legitimate Windows Update traffic, which is commonly allowed through firewalls and proxy servers. CEH documentation states that BITS-based malware can download payloads, upload stolen data, and maintain persistence without triggering security alerts.

Option A is correct because BITS traffic appears legitimate and trusted, making it difficult for security devices to distinguish malicious usage.

Option B is incorrect because BITS does not operate exclusively through HTTP tunneling; it primarily uses HTTP/HTTPS in a legitimate manner.

Option C is incorrect because IP fragmentation is not a core feature of BITS.

Option D is incorrect because BITS does not rely on encrypted DNS traffic.

CEH emphasizes that living-off-the-land (LotL) techniques—using native tools like BITS—are increasingly favored by attackers due to their stealth and reliability.

Spear-phishing is a targeted form of phishing that uses personalized and context-rich information to increase credibility. CEH emphasizes that referencing specific internal projects, financial data, or organizational events significantly raises the success rate when attacking high-value targets such as executives. This tailored approach avoids suspicion and exploits trust more effectively than broad or generic phishing attempts.