312-50v13 Exam Dumps - ECCouncil CEH v13 Questions and Answers

SQL injection testing commonly involves using tautology-based payloads such as 1 OR 1=1, which force SQL queries to evaluate as true. CEH explains that this confirms improper input sanitization and exposes whether user-supplied fields directly influence database queries. The result often returns all records, indicating successful injection.

The correct answer is A. Passive attack because the activity described involves monitoring and capturing information without altering data, system resources, or communications. In CEH-aligned information security concepts, passive attacks are defined by the attacker’s goal of eavesdropping—observing traffic to collect intelligence such as usernames/passwords, session identifiers, network patterns, or sensitive content—while making minimal changes that would trigger detection. The scenario explicitly states that the actor is “silently capturing clear-text credentials” and “analyzing unencrypted traffic,” and that “no modifications have been made to the data.” These are signature indicators of passive attacks such as packet sniffing and traffic analysis.

On an internal Wi-Fi network, passive attacks are particularly effective when encryption is weak or absent, or when users access services that transmit credentials in clear text. An attacker can capture packets and reconstruct sensitive information, especially where legacy protocols or misconfigurations exist. Because passive attackers do not need to inject or modify packets, they often avoid generating anomalies such as retransmissions, spoofed responses, or unexpected routing changes—helping them remain undetected, consistent with the prompt.

Why the other options do not fit: Distribution attack is not the standard classification for this behavior and does not specifically describe silent observation of traffic. Close-in attack refers to attacks that depend on physical proximity (e.g., shoulder surfing, physical tapping, local interception near the target). While Wi-Fi sniffing can require proximity, the defining characteristic in the question is the non-invasive observation with no data modification—i.e., passive attack. Insider attack relates to the attacker’s identity/role (a trusted internal person), which is not established here; the scenario only describes behavior, not who the actor is.

Therefore, the described credential capture and traffic analysis without modification most clearly indicates a passive attack.

SQL injection is one of the most common and dangerous vulnerabilities covered in CEH training. It occurs when an application accepts unsanitized input and directly passes it to a backend SQL query. To confirm the presence of SQL injection, the tester must insert a payload that alters the logic of the SQL query executed by the application. A classic test payload such as “1 OR 1=1 —” is widely used because it forces the database to return all rows instead of filtering based on the intended search value. This verifies whether the input field is being concatenated directly into a SQL command. The CEH methodology emphasizes starting with simple, non-destructive boolean-based payloads to safely evaluate the vulnerability without causing harm to the database or impacting server availability. Since directory traversal, brute-force login attempts, and XSS attacks target entirely different weaknesses, they are not appropriate for confirming SQL injection. The selected option aligns with proper CEH testing methodology for identifying insecure input handling and improper query construction.

WPA2-Enterprise networks authenticate clients through 802.1X using a RADIUS server. A common attack method described in CEH training is to create an evil-twin access point broadcasting the same SSID as the legitimate one. Combined with de-authentication frames, clients are forced off the real AP and automatically reconnect to the stronger rogue AP. This allows the attacker to capture authentication exchanges for later misuse, including credential harvesting or EAP-based downgrade attacks.

DHCP starvation is a network-level attack in which an attacker sends a massive number of DHCPDISCOVER requests, each appearing to originate from a different MAC address. CEH courseware explains that DHCP servers assign IP leases based on unique MAC addresses, and when the lease pool is exhausted, legitimate clients are unable to obtain valid IP configurations. This disrupts network connectivity and can serve as a precursor to deploying a rogue DHCP server, enabling further attacks such as traffic redirection or credential interception. DHCP starvation is different from ARP spoofing, which manipulates MAC–IP mappings, or DNS poisoning, which corrupts domain resolution. Rogue DHCP relay attacks involve forwarding DHCP packets to unauthorized servers, not depleting leases. The scenario described—rapid MAC address spoofing and exhaustion of DHCP leases—matches the precise definition of DHCP starvation as documented in CEH materials.

Jason’s goal is to capture live SNMP traffic on the wire and manually inspect protocol fields such as community strings, OIDs, and variable bindings within requests and responses. The method described is packet capture and protocol dissection, which is exactly what Wireshark is designed for. Wireshark can capture traffic from an interface (or from a mirrored/SPAN port) and decode SNMP at the protocol level, presenting SNMP PDUs in a human-readable structure. This enables an assessor to view SNMP GET/GETNEXT/GETBULK requests, SET operations (if present), and responses, including the transmitted identifiers and values—useful for verifying whether sensitive SNMP data is exposed in transit.

The scenario explicitly states Jason is not running structured queries and instead wants to observe “SNMP requests and responses in transit,” which rules out tools that actively query devices. SnmpWalk (C) is an active enumeration tool that queries SNMP agents using a community string and walks a subtree of the MIB; that is the opposite of passive traffic inspection. Nmap (A) can scan ports and perform some SNMP-related scripts, but it still operates as an active probing tool rather than a live traffic capture and manual field review platform. SoftPerfect Network Scanner (D) is a network discovery tool for identifying hosts and services; it is not a packet-level sniffer intended for dissecting SNMP messages on the wire.

Additionally, the mention of “manual parsing” is consistent with packet analysis workflows: even though Wireshark decodes SNMP, the analyst still needs to interpret what OIDs and values mean, correlate requests to responses, and assess sensitivity (e.g., community strings in SNMPv1/v2c are not encrypted, and captured traffic may reveal them).

Therefore, the correct method is B. Wireshark.

The risk described is increased attack surface caused by unnecessary services and protocols running on a web server—specifically NetBIOS and SMB. The most direct hardening action to mitigate this is to block/disable unnecessary ports and protocols so they are not exposed to the network and cannot be abused by attackers. Option D captures that principle: reduce exposure by closing ports and restricting protocols that are not required for the server’s role.

A well-hardened web server should run only the services needed to deliver its intended web functionality (e.g., HTTP/HTTPS and necessary management interfaces under strict control). Services like SMB (commonly TCP 445/139) and NetBIOS (UDP 137/138, TCP 139) are not normally required for public-facing web hosting and are frequent targets for enumeration and exploitation. Leaving such services open can enable attackers to perform credential attacks, exploit legacy vulnerabilities, access shared resources, or pivot further into the environment. By blocking or disabling these ports at the host firewall and/or perimeter firewall, the organization reduces reachable attack paths and limits what an external attacker can interact with.

Why the other options are less direct:

Dedicated machine (A) can help separation of duties, but if unnecessary services still run, the attack surface remains.

Risk assessment for patching (B) is important, but it doesn’t immediately remove the exposure created by unneeded services.

Eliminating unnecessary files (C) addresses file-system exposure, not open network services like SMB/NetBIOS.

Because the problem is explicitly about unnecessary open services/protocols, the best mitigation is D. Block all unnecessary ports, ICMP traffic, and protocols (i.e., minimize exposed services).

This scenario matches a Teardrop attack, which exploits IP fragmentation reassembly weaknesses by sending fragments with overlapping or inconsistent offset fields. In a teardrop attack, the attacker crafts IP fragments so that when the target attempts to reassemble them into the original datagram, the fragment offsets and sizes do not align correctly (often overlapping). Vulnerable systems can experience errors in the reassembly process, leading to CPU/memory exhaustion, crashes, or instability in the network stack. The question highlights “manipulated offset fields and overlapping payload offsets,” “repeated attempts to reconstruct,” and “deliberately malformed offsets that trigger processing errors rather than a simple flood,” which are all core teardrop characteristics.

The impact described—system crashes and service disruption without abnormal bandwidth usage—also fits. This is not a volumetric DoS (like ICMP flood); it’s a malformed-packet attack that targets protocol stack processing. The key is that the attacker is exploiting how the target handles fragmented packets, causing excessive processing and failure during reassembly.

Why the other options are less accurate:

Fragmentation attack (A) is a broader category and could include many fragmentation-based manipulations, but “overlapping offsets causing reassembly failure” is the classic teardrop pattern.

ICMP flood (B) is bandwidth/packet-rate driven and does not involve IP fragment offset manipulation.

Ping of Death (D) involves oversized ICMP packets (often via fragmentation) exceeding maximum IP size, causing crashes on vulnerable stacks; the scenario instead emphasizes overlapping offsets and reassembly logic errors rather than oversized packet size.

Therefore, Sofia is most likely simulating C. Teardrop Attack.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 underscores that modern multi-vector DDoS attacks—particularly SYN floods combined with Layer 7 HTTP floods—cannot be effectively mitigated by traditional firewalls, IPS devices, or local traffic filters. These systems become overwhelmed or risk blocking legitimate clients. CEH emphasizes the use of cloud-based DDoS mitigation platforms that provide traffic scrubbing, distributed filtering, rate shaping, and automatic scaling to absorb massive volumes of malicious traffic. Such services differentiate legitimate versus malicious traffic using global intelligence, behavioral analysis, and multi-layer protection strategies. Increasing bandwidth or blocking broad traffic categories is ineffective and harmful to users. An IPS cannot scale to handle volumetric attacks. Only cloud scrubbing solutions (e.g., Cloudflare, Akamai, AWS Shield Advanced) meet CEH’s recommended defenses for high-volume distributed attacks. These services ensure continuous availability and minimize collateral damage by filtering traffic upstream before it reaches the organization ' s infrastructure.

The CEH Web Application Security module explains that race conditions occur when systems improperly handle simultaneous requests, leading to unexpected behavior. In token-based authentication systems, poor synchronization between token expiration checks and validation logic can allow attackers to exploit timing gaps.

The observed pattern—failed attempts with expired tokens followed by successful access—suggests the attacker exploited a race condition where the application inconsistently validated token state.

Option C is correct.

Option A would not involve expired tokens.

Option B is highly impractical given secure token entropy.

Option D typically succeeds without repeated failures.

CEH highlights race conditions as subtle but dangerous logic flaws.

CEH v13 describes Cross-Site Request Forgery (CSRF) as an attack in which an authenticated user ' s browser is tricked into submitting unauthorized actions to a trusted application without the user ' s intent. CSRF exploits the fact that browsers automatically include stored session cookies when sending requests to a domain the user is logged into. In this scenario, the attacker creates a malicious form that triggers an unwanted funds transfer. Since the application does not validate request origin, enforce CSRF tokens, or require secondary verification, it processes the attacker ' s forged request as if it came legitimately from the victim. CEH emphasizes that CSRF differs from XSS because no malicious script executes on the target website; instead, the attacker leverages the victim’s authenticated session. This is distinct from session fixation (Option A), replay attacks (Option B), and XSS (Option D). The described behavior aligns precisely with CSRF exploitation.

This scenario demonstrates a classic case of Session Fixation, a session hijacking technique explicitly covered under the CEH v13 Web Application Hacking module. Session fixation occurs when an attacker sets or predicts a valid session identifier and forces a victim to authenticate using that same session ID.

In the given question, two critical vulnerabilities are highlighted:

The session ID is embedded in the URL

The application does not regenerate the session ID after login

According to CEH v13, secure applications must regenerate session identifiers after successful authentication to prevent fixation attacks. If this does not occur, an attacker can craft a URL containing a known session ID and trick the victim into clicking it. Once the victim logs in, the attacker reuses the same session ID to gain unauthorized access.

CEH documentation states that session fixation is particularly effective when:

Session IDs are passed via URL parameters

Sessions persist across authentication

Secure cookie attributes are not enforced

Other options are incorrect because:

XSS-based cookie theft requires client-side script injection.

DNS cache poisoning is unrelated to session management.

CSRF exploits user trust but does not directly hijack sessions.

Thus, Session Fixation by pre-setting the token in a URL is the most effective attack in this case.

Creating scheduled tasks is the most likely persistence technique because it can be configured to execute automatically at system startup or on reboot without requiring a user to log in or manually launch anything. In CEH-aligned post-exploitation and persistence concepts, attackers commonly use operating system native mechanisms that blend into normal administrative activity. A scheduled task fits this goal well because it can be named to look legitimate, set to run under a specific account, and triggered by events such as system boot, user logon, or a timed schedule. The scenario explicitly states the payload launches on every reboot without user interaction, which aligns with a boot-triggered scheduled task.

Injecting into the startup folder usually triggers execution when a user logs on, not strictly on system reboot, and it depends on an interactive user session. That contradicts the requirement of no user interaction. Modifying file attributes, such as setting hidden or system attributes, improves stealth and makes a file less noticeable, but it does not create an automatic execution mechanism by itself. Installing a keylogger is a capability for capturing keystrokes, not a persistence method, and it does not inherently guarantee execution after reboot unless paired with an auto-start mechanism.

Therefore, the action that directly ensures the binary runs after each reboot in a controlled and reliable way is creating scheduled tasks, which is a classic persistence method emphasized in ethical hacking workflows for demonstrating real-world attacker behavior and improving defensive detection and hardening.

The best answer is B. Cryptographic Failures because the scenario centers on weak protection of sensitive data in transit, enabling an attacker to intercept and manipulate the information. In CEH-aligned web and application security concepts (and consistent with modern web risk categories), cryptographic failures occur when an application does not properly use cryptography or secure transport protections to ensure confidentiality and integrity of sensitive data. If transport encryption is missing, weak, or incorrectly configured, attackers can perform man-in-the-middle style interception, tamper with traffic, steal session material, and exfiltrate regulated data—leading to outcomes like identity theft and payment card fraud, exactly as described.

The references to cookie snooping and downgrade attacks further reinforce this. Cookie snooping is commonly associated with session cookies being exposed due to insecure transport (for example, lack of HTTPS, mixed content, or cookies missing secure attributes), allowing an attacker on the network path to capture session identifiers and hijack accounts. Downgrade attacks occur when an attacker forces a connection to use weaker security settings (such as older TLS versions or insecure cipher suites) or coerces a fallback from HTTPS to HTTP when protections like HSTS are absent or misapplied. Both issues are tightly linked to improper cryptographic configuration and transport-layer security weaknesses.

Why the other options are not the best match: Broken Access Control concerns authorization—what users are allowed to access—not interception/manipulation of traffic. Identification and Authentication Failures focus on login/session identity mechanisms (passwords, MFA, session handling) but the key failure here is the weakness of cryptographic protection for data in transit. Security Misconfiguration can be a contributing cause (e.g., misconfigured TLS), but the question emphasizes the resulting weakness category—insufficient cryptographic/transport protections—making Cryptographic Failures the most precise answer.

Therefore, MediVault’s exposure to interception, manipulation, cookie snooping, and downgrade attacks most clearly indicates Cryptographic Failures.

Local File Inclusion vulnerabilities arise when a web application incorporates user-supplied input into file-handling functions without proper sanitization. CEH courseware emphasizes that attackers can leverage directory traversal sequences (such as ../../) to escape the intended directory structure and access sensitive local files. An LFI payload commonly targets system files like /etc/passwd on Linux to extract user information or escalate the attack further.