312-50v13 Exam Dumps - ECCouncil CEH v13 Questions and Answers

The correct answer is C. Container orchestration because the described features—automated deployment, scaling, service discovery, and workload management across multiple nodes—are the defining functions of a container orchestration platform, and Kubernetes is the most widely used orchestration system for containers. In CEH-aligned cloud and container security discussions, orchestration refers to the automated coordination of containerized workloads so that applications remain available, scalable, and manageable without administrators manually placing or maintaining each container instance.

In Kubernetes, orchestration is achieved through the control plane and a set of components that continuously maintain the desired state of applications. For example, scheduling places pods onto nodes based on resource availability and constraints; controllers ensure that the correct number of replicas are running; services and DNS enable stable naming and service discovery; and autoscaling mechanisms adjust capacity according to demand. These combined behaviors allow the platform to keep critical services operating “smoothly” even as nodes change, workloads shift, or failures occur.

Why the other options are not the best match: Self-healing is a specific benefit of orchestration (Kubernetes restarts failed containers, reschedules pods, and replaces unhealthy instances), but it does not fully encompass the broader set of capabilities listed, such as deployment automation, scaling, and service discovery. Kube-controller-manager is a particular Kubernetes control-plane component that runs controller processes; it contributes to orchestration internally, but the question asks for the overarching capability responsible for the set of functions, which is container orchestration as a whole. Container vulnerabilities is not a Kubernetes capability; it is a security risk category (e.g., vulnerable images, misconfigurations, runtime exploits).

Therefore, the capability primarily responsible for automated deployment, scaling, service discovery, and multi-node workload management in Kubernetes is container orchestration.

This activity clearly indicates a TCP SYN scan, also known as a half-open scan, which is a commonly used stealth scanning technique discussed in CEH v13 Reconnaissance and Network Scanning. In a SYN scan, the attacker sends TCP SYN packets to target ports and observes the responses without completing the TCP three-way handshake.

If the port is open, the target responds with a SYN/ACK packet. The scanner then immediately sends a RST packet instead of the final ACK, leaving the connection half-open. This behavior allows attackers to identify open ports while minimizing log entries and reducing detection by security monitoring tools.

The absence of ACK packets in logs supports this explanation, as the handshake is never completed.

Other options are incorrect because:

XMAS scans send packets with multiple flags set.

SYN/ACK scans are primarily used for firewall rule discovery.

TCP Connect scans complete the full handshake and generate ACKs.

CEH v13 emphasizes that SYN scans are widely used because they balance accuracy and stealth, making them a preferred reconnaissance method for attackers.

Network Access Control (NAC) solutions often authenticate only the first device connected to a port. CEH explains that attackers can insert a rogue device behind an already authenticated host, bypassing NAC checks. This creates a transparent bridge that forwards legitimate traffic while injecting attacker-controlled communications.

This scenario represents a Botnet-Based Distributed Denial-of-Service (DDoS) attack, as described in CEH v13 Network Attacks. Compromised internal devices become part of a botnet and are used to launch attacks against external targets.

CEH v13 notes that botnets frequently include IoT devices and employee workstations, making insider-originated DDoS activity a serious concern.

The correct answer is C. Insecure Data Storage because the vulnerability described is the storage of sensitive information locally on the mobile device in a manner that is not encrypted and is accessible by simply browsing the file system. In mobile application security, this is a classic risk category: when an app stores confidential data (case notes, client records, tokens, documents, cached responses, databases, logs, or exported files) in clear text or in insecure locations, an attacker who gains device access—or uses backup extraction, file explorers, rooted/jailbroken access, or malware with storage permissions—may retrieve that data without needing to authenticate to the application.

The scenario makes the weakness unmistakable: Daniel can use a “standard explorer tool” to open sensitive records “without any authentication.” This indicates the app is failing to apply appropriate protections such as encryption at rest, secure key handling, proper file permissions, and secure storage mechanisms. In secure mobile design, sensitive records should be encrypted using platform-supported protections (e.g., using OS keystores/keychains for keys, encrypting databases/files, and minimizing local retention). Additionally, apps should avoid storing highly sensitive regulated data unless essential, and should implement secure session controls and data lifecycle management (cache control, expiration, remote wipe support in enterprise settings).

Why the other options are not the best fit: Insecure communication concerns data exposure while transmitted over networks (e.g., lack of TLS, weak TLS, MITM susceptibility), whereas the issue here is purely local storage. Improper credential usage relates to mishandling passwords, tokens, or authentication secrets (hard-coded credentials, weak storage of credentials), but the prompt focuses on stored records themselves. Inadequate privacy controls is broader and typically involves over-collection, improper disclosure, or weak user privacy settings, not direct clear-text storage exposure.

Therefore, the most clearly present OWASP Top 10 Mobile Risk is Insecure Data Storage.

CEH v13 identifies ARP spoofing/poisoning as a primary MitM technique in local networks. In such attacks, a single IP address maps to multiple MAC addresses, indicating ARP table manipulation.

This anomaly allows attackers to intercept traffic between victims and gateways. Increased traffic or DNS activity may occur but are not definitive indicators. Thus, IP-to-MAC inconsistencies are the most reliable confirmation of MitM activity.

CEH v13 identifies Idle (Zombie) Scanning as one of the most stealthy reconnaissance techniques. In this method, attackers use a third-party system (the zombie) to send probes to the target, obscuring the attacker’s true identity.

Because the attacker never directly interacts with the target, detection and attribution become extremely difficult. FIN and Xmas scans are stealthy but still originate from the attacker’s IP. TCP connect scans are noisy and easily detected.

CEH v13 highlights idle scanning as the gold standard for stealth reconnaissance, making option D correct.

According to the CEH Sniffing and Network Protocol Attacks module, covert channels represent one of the most sophisticated and difficult-to-detect data interception techniques. These channels hide malicious communication within legitimate protocol behavior, making them extremely challenging for traditional IDS/IPS and packet inspection tools to identify.

Industrial and legacy protocols such as Modbus, widely used in OT and legacy enterprise environments, lack encryption and authentication by design. CEH documentation highlights that attackers can manipulate unused or poorly validated Modbus fields to covertly transmit or intercept data while appearing as normal control traffic.

Option D is correct because covert channels over trusted legacy protocols blend seamlessly with legitimate traffic and bypass many security controls.

Option A is not a sniffing technique but a data-hiding method.

Option B describes exploitation, not sniffing.

Option C is a theoretical evasion method but is more detectable through reassembly.

CEH emphasizes covert channels as one of the most formidable sniffing challenges.

The capability described is Kubernetes self-healing, a core behavior emphasized in CEH cloud and container security coverage when discussing resilience, availability, and fault tolerance in containerized environments. Self-healing means Kubernetes continuously monitors the desired state of workloads and automatically acts when the current state deviates due to failures. If a node crashes, a container exits unexpectedly, or a pod becomes unhealthy, Kubernetes responds by restarting containers, recreating pods, and rescheduling workloads onto healthy nodes to maintain service continuity. This directly matches the scenario where containers are “automatically replaced and rescheduled” from failed nodes to keep payment services highly available.

While several Kubernetes components participate in achieving this outcome, the feature name most aligned with the described behavior is self-healing. Kubernetes uses controllers and the scheduler to implement it: deployments and replica sets ensure the correct number of pod replicas exist; liveness and readiness probes detect unhealthy containers; and when nodes become NotReady, pods are evicted and recreated elsewhere. This is exactly how Kubernetes supports uninterrupted operations for critical applications such as payment processing platforms.

Option B, kube-controller-manager, is a control-plane component that runs multiple controllers, and it contributes to enforcing desired state, but the question asks for the feature capability rather than the specific internal process that provides it. Option C, container orchestration, is broader and includes deployment, scaling, and management, but it is less precise than self-healing for the specific behavior of automatic replacement and rescheduling after failures. Option A is unrelated to availability behavior.

WEP is the only option that matches the combination of RC4 and a 24-bit initialization vector. In CEH materials, WEP is described as an early Wi-Fi security standard that uses the RC4 stream cipher together with a short 24-bit IV that is concatenated with a shared secret key to form the per-packet RC4 key stream. The critical weakness is that a 24-bit IV is far too small for busy networks. Because there are only about 16.7 million possible IV values, IV reuse occurs quickly, especially under high traffic. When IVs repeat, the same RC4 key stream can be reused, allowing attackers to apply statistical attacks against captured packets and recover the WEP key. CEH emphasizes that the problem is not only IV reuse but also weaknesses in how WEP uses RC4 with IVs, enabling practical key recovery using readily available tools once enough packets are collected.

WPA and WPA2 improved on WEP by introducing stronger key management and integrity protections. WPA uses TKIP, which still relies on RC4 in many deployments, but it does not use a simple 24-bit IV in the same weak manner as WEP and includes per-packet key mixing and additional integrity checks. WPA2 and WPA3 move away from RC4 entirely, using AES-based protections such as CCMP for WPA2 and more modern enhancements in WPA3. Therefore, the observed RC4 with a 24-bit IV precisely identifies WEP.

CEH defines botnets as networks of compromised machines controlled remotely to perform coordinated activities such as DDoS attacks, spam campaigns, and credential theft. Systems showing outbound connections to unknown IPs and participating in mass spam dissemination are characteristic indicators of botnet infection.

This question focuses on API Security, Webhooks abuse, and Webshell mitigation, all of which are addressed in the CEH v13 Web Application Hacking and Security Operations modules. The most appropriate corrective action is Option D, as it directly addresses the root causes and persistence mechanisms of the compromise.

According to CEH v13, attackers frequently exploit improper input validation in APIs and insecure webhook implementations to inject malicious payloads or gain remote command execution. Webhooks, when not properly validated, can accept malicious requests that trigger backend processes, making them a common vector for API abuse.

Input validation on all API endpoints is critical to prevent injection attacks, including command injection and SQL injection. CEH v13 explicitly emphasizes validating request parameters, headers, and payload structures to prevent malicious manipulation.

Reviewing webhook payloads ensures that only trusted sources can trigger automated actions, preventing attackers from abusing webhook functionality. This includes validating signatures, enforcing authentication, and restricting allowed payload formats.

Finally, regular scanning for webshells is essential because webshells provide persistent backdoor access. CEH v13 identifies webshell detection as a key defensive measure during incident response and post-exploitation containment.

Other options are incomplete:

A WAF alone cannot detect all webshells.

IP blocking is ineffective against spoofed or cloud-based attacks.

MFA and server hardening are valuable but do not directly address webhook abuse or existing webshells.

Therefore, Option D provides the most comprehensive, CEH v13–aligned mitigation strategy.

CEH identifies spear-phishing as a targeted, context-rich social engineering method tailored to specific individuals or departments. By incorporating accurate insider details, attackers significantly increase trust and likelihood of disclosure.

This scenario precisely matches Time-Based Blind SQL Injection, a technique detailed in CEH v13 Web Application Hacking. When applications suppress error messages and sanitize outputs, attackers rely on response timing to infer whether injected SQL statements are executed.

In time-based SQL injection, the attacker injects database-specific delay functions (such as WAITFOR DELAY, DBMS_LOCK.SLEEP, or SLEEP()). If the injected condition is true, the database pauses execution, causing a noticeable delay.

The key indicators described—no visible output but increased response time—are classic signs of time-based SQL injection. CEH v13 explains that this method is particularly useful when:

Errors are hidden

UNION queries fail

Output is not reflected

Union-based and out-of-band SQL injections require data exfiltration channels or visible outputs, which are absent here. “Heavy query-based” is not a formal CEH classification.

Thus, Option A is the correct answer.

Reconnaissance is the correct phase because the scenario explicitly states Sarah starts by gathering publicly available information about employees and infrastructure. In the Cyber Kill Chain, reconnaissance is the first phase where an attacker collects intelligence to understand the target and identify the most effective paths for compromise. In CEH-aligned methodology, this includes open-source intelligence activities such as discovering employee names, roles, emails, technology stack clues, exposed services, and organizational patterns that help craft realistic and convincing attack lures.

The question mentions that Sarah plans to craft a mock phishing email and later deploy a harmless payload. Those actions map to later kill chain phases: delivery is when the phishing email or malicious link is sent to the target, and exploitation is when a vulnerability is triggered to execute code or gain access. Weaponization is the step where an attacker prepares the malicious artifact, such as packaging an exploit with a payload or preparing a document or link to deliver. However, the key wording is that Sarah “begins” by collecting public information and is asked which phase she should prioritize to simulate the adversary’s approach effectively. That is reconnaissance, because effective phishing and subsequent steps depend on accurate target profiling, believable pretexts, and identifying likely weak points based on what is learned during intelligence gathering.

Therefore, to match the described starting point and the kill chain sequence, the prioritized phase is Reconnaissance.