312-50v13 Exam Dumps - ECCouncil CEH v13 Questions and Answers

The best answer is BPDU Guard on edge ports. CEH network defense material explains that BPDU Guard is used on access or edge ports where end-user devices are expected, not switches. If a device connected to such a port begins sending Bridge Protocol Data Units, the switch treats that as an abnormal condition and can shut the port down or place it in an error-disabled state. This prevents unauthorized or misconfigured devices from participating in spanning-tree and influencing root bridge election or topology decisions. That matches the scenario, where a newly connected device introduced a more favorable bridge priority and triggered spanning-tree recalculations. Root Guard is also related to protecting spanning-tree hierarchy, but it is typically applied where you want to prevent a downstream switch from becoming root while still allowing BPDU participation under controlled conditions. CEH exam framing usually expects BPDU Guard when the threat originates from an end-host-facing access port in a conference room or office edge location. Because the goal is to stop unauthorized edge-connected devices from affecting spanning-tree at all, enabling BPDU Guard on edge ports is the most appropriate control.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 identifies XML Signature Wrapping (XSW) attacks, also known simply as Wrapping attacks, as a major threat against SOAP-based web services. These attacks exploit weak XML parsing and insufficient validation of signed message components. SOAP messages often include digitally signed sections, but if the server validates the signature without confirming the correct position or structure of the signed elements, attackers can duplicate, move, or wrap signed content inside a modified XML envelope. This allows an attacker to inject malicious payloads while still presenting a valid signature. CEH details how this can lead to unauthorized execution, privilege escalation, or bypassing authentication controls in SOAP APIs. Cloud snooping, cryptanalysis, and IMDS abuse do not involve message duplication or signature misplacement. The scenario precisely matches CEH’s definition of a Wrapping Attack in SOAP/XML security.

Insecure communication is defined in CEH’s mobile and IoT security modules as the failure to encrypt sensitive data transmitted between a device and a server. When applications use plain HTTP instead of HTTPS, all traffic—including authentication tokens, user identifiers, and session data—can be monitored and altered by an attacker through network sniffing or man-in-the-middle attacks. CEH emphasizes that insecure transport channels represent one of the most common and critical weaknesses in mobile ecosystems, allowing attackers to harvest credentials or inject malicious commands. Security misconfiguration refers to improper server settings, while SSL pinning issues involve certificate validation bypassing. Insufficient input validation pertains to application-side data validation. None of these align as directly as insecure communication, which precisely describes the unencrypted data exposure.

A polymorphic virus is specifically designed to change its code appearance while keeping the same underlying functionality, which aligns exactly with the scenario. In CEH terms, polymorphism allows malware to mutate its decryptor routine, instruction ordering, register usage, junk code insertion, and other syntactic elements every time it propagates or executes. This causes each instance to look different at the binary level, producing different hashes and signatures, even though the malicious payload and behavior remain the same. That is why the security team sees inconsistent antivirus detection and why “traditional hash-based comparison” fails. The key indicator is that static analysis shows the “underlying logic remains unchanged,” but “code patterns vary unpredictably,” which is the hallmark of polymorphism: behavior stays consistent, signature changes.

The other options do not fit as well. A cavity virus typically hides by inserting itself into unused spaces within legitimate executable files to avoid changing the overall file size, but it does not inherently generate unpredictable code variants per infection. A macro virus primarily targets macro-enabled documents and spreads through document templates and user actions, which is not suggested here. A stealth virus focuses on evading detection by intercepting system calls and hiding its presence, such as returning “clean” file reads, but it does not necessarily produce many structurally different binaries that break hash matching. Therefore, the most likely cause of the described outbreak is a polymorphic virus.

Cloud-based DDoS mitigation services provide upstream traffic scrubbing, detecting and filtering high-volume attacks such as DNS amplification and HTTP floods before the traffic reaches the victim’s network. These services use distributed infrastructures capable of handling multi-vector attacks that surpass the capacity of traditional on-premises firewalls and IDS. Traffic scrubbing centers distinguish legitimate traffic from malicious traffic, allowing normal operations to continue without service disruption.

CEH’s Malware Analysis module outlines a structured approach:

Identify suspicious indicators (e.g., JavaScript, OpenAction)

Extract and analyze embedded objects

Determine behavior and exploit logic

PDFStreamDumper allows analysts to extract JavaScript code and embedded objects for detailed inspection.

Option B is correct.

Option A is useful but insufficient for deep analysis.

Option C only aids identification, not behavior understanding.

The Certified Ethical Hacker (CEH) Web Application Security module emphasizes that client-side controls cannot be trusted.

Disabling JavaScript allows attackers to bypass:

Password complexity enforcement

CAPTCHA validation

Input validation logic

Option B is the simplest and most effective CEH-approved method.

Option A is unnecessary and noisy.

Option C risks detection.

Option D is effective but more complex and detectable.

CEH explicitly teaches testers to disable JavaScript to evaluate server-side enforcement.

An Application-Level Firewall, commonly called an application-level gateway or proxy firewall, inspects traffic at the application layer and enforces rules based on specific application protocols and commands. In CEH-aligned coverage of perimeter defenses, this firewall type is distinguished by its ability to understand protocol behavior and content for services such as DNS and SSH, rather than relying only on IP addresses, ports, and basic connection state.

The question states the filtering system “analyzes incoming SSH and DNS requests to block unauthorized access attempts.” That wording points directly to application-aware inspection: it is evaluating protocol-specific requests, not merely allowing or denying traffic based on port numbers. A packet filtering firewall generally makes decisions using network and transport layer information such as source and destination IP, protocol, and port, without parsing DNS queries or SSH negotiation details. A circuit-level gateway firewall focuses on validating session establishment and connection properties, typically without deep inspection of the application commands inside the session. A stateful multilayer inspection firewall can track connection state and sometimes incorporate deeper inspection, but the strongest and most explicit match to “analyzes SSH and DNS requests” in CEH terminology is the application-level firewall, which uses proxies or protocol engines to parse and filter application traffic.

From an ethical testing perspective, attempts to “craft specific payloads” often involve probing how the firewall validates protocol fields, handles malformed requests, or enforces policy on application commands. Defenders mitigate these risks through strict proxy policy configuration, robust protocol validation, patching, logging, and limiting exposed services to only what is required.

CEH v13 identifies misconfigured cloud security groups as the leading cause of cloud data exposure. Open ports, public storage buckets, and overly permissive firewall rules frequently expose sensitive data.

Brute force and DoS do not directly expose stored data, and side-channel attacks are rare and advanced.

An Evil Twin access point is a malicious wireless access point that impersonates a legitimate Wi-Fi network by copying its SSID and often mimicking other observable characteristics such as security settings and signal behavior. In CEH-aligned wireless attack coverage, the goal is to trick users into connecting to the attacker-controlled AP instead of the real one. Once a victim device associates, the attacker can perform man in the middle interception, capture credentials, observe sensitive traffic, and potentially downgrade protections if the victim is not properly validating the network.

This scenario strongly matches an Evil Twin because the tablet connects to an access point “broadcasting a name and signal similar to the hospital’s secure Wi-Fi,” and Sarah finds an unauthorized device capturing sensitive traffic from connected systems. That combination indicates active impersonation and client deception, not merely an accidental device. A rogue AP is typically an unauthorized access point connected to the internal network, often deployed by employees for convenience, and may not be designed to impersonate the official SSID to lure clients. A misconfigured AP refers to an access point with weak settings or improper security controls, not an attacker-created clone. A honeypot AP is a deliberate decoy set up by defenders to attract attackers, which is the opposite of what is described.

Mitigations emphasized in CEH best practices include using WPA2 Enterprise or WPA3 Enterprise with certificate validation, enabling protected management frames where supported, deploying wireless intrusion detection and prevention to identify spoofed SSIDs and BSSID anomalies, disabling auto-join where possible, and training users to report suspicious network prompts or unexpected reconnect behavior.

According to the Certified Ethical Hacker (CEH) IDS/IPS and Evasion Techniques module, packet fragmentation is a technique attackers use to split malicious payloads into smaller fragments so that signature-based IDS sensors may fail to reassemble and inspect the complete packet.

CEH explains that anomaly-based IDS systems are more effective against fragmentation evasion because they analyze behavioral deviations rather than relying solely on known signatures. Fragmented traffic often deviates from baseline network behavior in terms of packet size, sequencing, and reassembly anomalies.

Option A is correct because anomaly-based detection can identify abnormal fragmentation behavior even if the payload itself does not match known signatures.

Option B is unreliable, as attackers do not use consistent intervals.

Option C is impractical, since legitimate traffic may be fragmented.

Option D is less effective because signature-based IDS systems can be bypassed by fragmentation techniques.

CEH recommends packet normalization and anomaly-based detection as effective countermeasures.

CEH’s social engineering principles highlight psychological manipulation techniques such as authority, urgency, trust exploitation, and impersonation. In this scenario, the attacker leverages “perceived authority,” a powerful influence tactic where the social engineer poses as someone with legitimate power or sanctioned access—such as a technician, auditor, or vendor representative. CEH emphasizes that referencing real employee names, using technical terminology, and impersonating trusted third-party partners increases believability and reduces verification resistance. The receptionist’s acceptance of the attacker’s presence without verifying credentials matches classical authority-based exploitation. Leaked credentials, physical security logs, and network segmentation issues do not relate to human-layer social engineering. The situation clearly reflects the manipulation of trust and authority as described in CEH’s psychological attack vectors.

RST hijacking is a TCP session hijacking technique emphasized in CEH materials under network attacks against established communications. In TCP, a Reset flag packet is used to abruptly tear down a connection. If an attacker can observe the session and determine the correct parameters such as IP addresses, ports, and an in-window sequence number, they can forge a TCP RST packet that appears to come from one endpoint. This can force the victim side to drop the session, making the legitimate client suddenly lose responsiveness.

The key clue in the scenario is that Rachel “observes a client-server communication” and then injects crafted packets that disrupt the client while the server continues to communicate with Rachel’s system. That behavior matches the practical use of RST hijacking in demonstrations: terminate or desynchronize the victim endpoint while keeping the server-side session usable long enough for the attacker to inject traffic with valid sequence and acknowledgment values. In a switched LAN, this is often paired with sniffing or traffic visibility to reliably craft the reset packet and subsequent injected packets.

Blind hijacking is different because the attacker cannot see the traffic and must guess sequence numbers, which contradicts the “observes communication” detail. UDP hijacking is not applicable because UDP is connectionless and does not use session state or RST flags. “TCP/IP hijacking” is a broad category, but the question asks for the specific technique used to disrupt the client via crafted packets, which is best identified as RST hijacking.

VLAN hopping is an advanced attack technique described in CEH materials, used to bypass VLAN segmentation by exploiting switch misconfigurations or vulnerabilities. Two primary methods—switch spoofing and double tagging—allow attackers to gain access to traffic from VLANs they are not authorized to view. This technique enables the capture of inter-VLAN traffic without requiring administrative privileges or triggering security tools. Port mirroring requires administrative control and is not an attack method. Rogue DHCP servers target IP assignment, not VLAN segmentation. ARP poisoning is effective only within a single broadcast domain and cannot traverse VLAN boundaries. Because the objective is to silently access multiple VLANs despite enforced segmentation, VLAN hopping is the correct technique as per CEH’s network perimeter attack methodology.

The Certified Ethical Hacker (CEH) Cryptography and Quantum Computing section introduces the concept known as “Harvest Now, Decrypt Later”. This threat model describes adversaries capturing encrypted data today, even if they cannot decrypt it immediately, with the expectation that future quantum computers will be able to break currently secure public-key algorithms such as RSA and ECC.

Option A accurately reflects this concept.

Option B describes a method (Shor’s algorithm) but not the threat model itself.

Option C is unrelated to cryptographic attacks.

Option D refers to quantum communication attacks, not classical encrypted data harvesting.

CEH emphasizes post-quantum cryptography as a mitigation strategy.