312-50v13 Exam Dumps - ECCouncil CEH v13 Questions and Answers

String concatenation is the best match because the technique described is breaking a recognizable SQL keyword or payload into separate pieces so a signature-based WAF rule does not see the full malicious token in one continuous pattern. In CEH-aligned web application testing, many WAF detections rely on matching known strings such as UNION SELECT, OR 1=1, and other classic patterns. If an attacker can cause the database parser to interpret the same meaning while the input appears different at the inspection layer, the WAF may fail to match its rule and the payload can reach the backend.

The prompt explicitly says you “split the query into multiple parts” to avoid detection as “a single signature.” That is the core idea of concatenation-based evasion: represent the same instruction through separated fragments that are recombined or tolerated by the SQL parser, depending on the database and application behavior. This differs from in-line comments, which would typically insert comment markers inside keywords to break signatures while preserving parsing, and differs from hex encoding, which replaces characters or strings with hexadecimal representations. A null byte technique is usually associated with string-termination tricks in older contexts and does not align with splitting SQL keywords for WAF bypass.

Defensively, CEH guidance emphasizes that relying on WAF signatures alone is insufficient. Strong prevention requires parameterized queries, strict server-side input validation, least-privilege database accounts, and monitoring for anomalous query patterns and error behaviors even when obvious signatures are not present.

According to the CEH Sniffing and Network Protocol Attacks module, covert channels represent one of the most sophisticated and difficult-to-detect data interception techniques. These channels hide malicious communication within legitimate protocol behavior, making them extremely challenging for traditional IDS/IPS and packet inspection tools to identify.

Industrial and legacy protocols such as Modbus, widely used in OT and legacy enterprise environments, lack encryption and authentication by design. CEH documentation highlights that attackers can manipulate unused or poorly validated Modbus fields to covertly transmit or intercept data while appearing as normal control traffic.

Option D is correct because covert channels over trusted legacy protocols blend seamlessly with legitimate traffic and bypass many security controls.

Option A is not a sniffing technique but a data-hiding method.

Option B describes exploitation, not sniffing.

Option C is a theoretical evasion method but is more detectable through reassembly.

CEH emphasizes covert channels as one of the most formidable sniffing challenges.

CEH v13 states that the only viable way to attack WPA2-PSK is by capturing the four-way handshake. De-authentication forces clients to reconnect, allowing the handshake to be captured and later cracked offline.

MITM, jamming, and rogue AP attacks do not directly expose the PSK.

The TCP SYN scan, also known as a Stealth Scan, is emphasized in CEH v13 Network Scanning as the most effective balance between accuracy and stealth. It sends a SYN packet and analyzes the response without completing the TCP handshake.

Because the connection is never fully established, SYN scans are less likely to be logged by applications and are harder for IDS systems to detect compared to TCP Connect scans.

FIN and ACK scans are used for firewall rule mapping and evasion, but they do not reliably enumerate services. TCP Connect scans are noisy and easily detected. Therefore, Stealth (SYN) Scan is the best choice.

Fingerprinting the running service is the most appropriate technique because the strongest indicator in the scenario is inconsistent protocol behavior and error responses that do not match a legitimate production database service. In CEH reconnaissance guidance, honeypots and decoy systems often emulate common services but may implement only partial protocol stacks or simplified responses. This can lead to anomalies such as incorrect banner strings, malformed or generic error messages, unsupported command handling, unusual protocol negotiation, or responses that do not align with the claimed software version. By fingerprinting, Mia compares observed behavior against expected behavior for the genuine service, including version-specific quirks, command sets, response codes, and timing patterns for particular requests.

In practice, service fingerprinting involves interacting with the service using legitimate and edge-case requests, validating banners and headers, and correlating results with known signatures from real implementations. If the server claims to be a specific database or application service but reacts in ways that real deployments would not, it suggests emulation, instrumentation, or deception typical of honeypots designed to log attacker activity.

Analyzing response time can help, because some honeypots respond too quickly or with uniform timing, but timing alone is less definitive than protocol inconsistencies. MAC address analysis is not reliable for identifying honeypots and is often not visible beyond the local segment. Analyzing system configuration and metadata usually requires deeper access than reconnaissance and is not the primary method when the clue is protocol-level mismatch. Therefore, fingerprinting the running service best fits the observed symptoms.

QUBB ESTION NO: 25 [Mobile Platform and IoT Hacking]

Javier Ruiz from CyberFortress Solutions is tasked with auditing the mobile security practices of Apex Financial Services, a financial firm in Houston, Texas. During a covert penetration test, Javier targets employees ' personal smartphones used to access corporate financial systems. He exploits a vulnerability by installing a malicious app that bypasses access controls, granting him unauthorized entry to sensitive financial data because the devices lack a specific security measure to restrict app access. Based on this vulnerability, which BYOD security guideline is most likely missing in Apex Financial Services ' policy?

A. Review permissions requested by apps before installing them

B. Set passwords for apps to restrict others from accessing them

C. Enforce automatic device locking or implement biometric authentication

D. Use encryption mechanisms to store data

Answer: A

The most likely missing BYOD guideline is reviewing application permissions before installation. In CEH mobile security guidance, a major risk in BYOD environments is the introduction of untrusted or malicious applications that abuse the mobile permission model to access corporate data, intercept authentication tokens, read storage, capture keystrokes via accessibility services, or communicate externally. When users install apps without scrutinizing requested permissions, they may unknowingly grant excessive privileges that enable data theft or access-control bypass, especially if the app leverages OS weaknesses or misconfigurations.

The scenario states Javier “installs a malicious app that bypasses access controls” and gains access to sensitive financial data because devices “lack a specific security measure to restrict app access.” This maps directly to a policy gap around controlling and validating apps and their permission requests. CEH emphasizes that organizations should reduce attack surface by limiting app privileges, avoiding sideloading from untrusted sources, and enforcing least privilege through user awareness and enterprise controls such as MDM application allowlisting and permission governance. Reviewing permissions is the user-facing guideline that prevents employees from granting dangerous access (for example, SMS, storage, contacts, accessibility, device admin, or VPN configuration permissions) that can enable credential theft or unauthorized data access.

Option B adds an extra layer for local access but does not stop a malicious app with granted permissions from accessing corporate data. Option C helps if a device is physically stolen, but it does not prevent malicious apps already running under the user context. Option D protects data at rest, yet a malicious app can still exfiltrate data once it is decrypted and accessed by the user session. Therefore, permission review is the most directly relevant missing BYOD guideline.

CEH v13 explains that reflected XSS occurs when malicious input supplied by an attacker is immediately returned in the HTTP response without sanitization. This type of XSS is typically exploited through a crafted URL containing embedded JavaScript payloads. When a victim clicks the link, the vulnerable server reflects the injected script back to the browser, executing it within the user’s session context. CEH emphasizes that reflected XSS relies on social engineering to deliver the payload, often via links sent through email, messaging platforms, or compromised pages. The goal may include stealing session cookies, redirecting users, or manipulating page content. Brute-forcing credentials (Option A) has no relation to XSS. SQL injection (Option C) targets backend databases, not client-side script execution. Directory traversal (Option D) concerns file path manipulation, not dynamic script injection. Therefore, embedding a malicious script in a URL is the correct method to exploit reflected XSS.

In CEH v13 Information Security and Ethical Hacking Overview, script kiddies are defined as individuals with limited technical knowledge who rely on pre-written tools, scripts, and exploits created by others to carry out attacks. They typically lack a deep understanding of how the underlying exploits work.

CEH v13 categorizes attackers based on skill level and intent. Script kiddies sit at the lower end of the skill spectrum. They often download exploit kits, automated scanners, or attack frameworks and run them with minimal customization. While their attacks may be unsophisticated, they can still cause damage due to the availability of powerful tools.

Option B accurately reflects this definition. Options A and D describe skilled attackers or programmers, which contradicts the CEH classification. Option C is incorrect because ethical hackers use tools responsibly with authorization and possess a strong understanding of security principles.

CEH v13 emphasizes that although script kiddies are less skilled, they pose a risk because automation allows them to exploit known vulnerabilities at scale. This is why organizations must patch systems promptly and implement baseline security controls.

Thus, Option B is the correct answer.

Outdated server software often contains memory corruption flaws. CEH notes that buffer overflow exploits are a primary method for compromising vulnerable server binaries, allowing remote code execution. This approach targets the underlying service rather than application-layer input validation issues.

The indicators described align most strongly with the Search and Exfiltration phase of the APT lifecycle. In CEH-aligned APT models, attackers typically progress from initial access to establishing footholds, expanding access through internal reconnaissance and lateral movement, then locating valuable data and exfiltrating it. While spear-phishing is a common Initial Intrusion technique, the scenario explicitly includes multiple signals that the attackers are already deep inside the environment and actively handling sensitive information.

The key evidence is the “unusually large data transfers during non-business hours” tied to the R & D department and “unexpected outbound traffic to unfamiliar IP addresses.” Those are classic signs of staging and exfiltration, where collected data is aggregated internally and then sent out to attacker-controlled infrastructure, often at times chosen to reduce detection. The observation that attackers have “intimate knowledge of the organization’s internal data structure” further supports that they have already performed internal discovery and are now targeting specific high-value repositories.

Unauthorized firmware on printers and routers suggests the attackers may have created durable internal collection points or covert channels, but that activity supports and enables the data-theft mission rather than being the primary phase indicated by the full pattern of events. Therefore, the combination of targeted access to R & D resources, anomalous outbound connections, and large off-hours transfers most closely matches the Search and Exfiltration phase in CEH APT lifecycle coverage.

According to the CEH Cryptography module, strong symmetric encryption algorithms are essential for protecting data confidentiality and obscuring traffic content.

AES (Advanced Encryption Standard) is the industry-standard symmetric encryption algorithm approved by NIST and recommended by CEH for encrypting data in transit and at rest. AES provides strong resistance against cryptanalysis and prevents attackers from deriving meaningful information from encrypted traffic.

Option D is correct because AES is efficient, secure, and widely implemented.

Option A (HMAC) provides integrity and authentication, not encryption.

Option B (RSA) is computationally expensive and not suitable for bulk traffic encryption.

Option C (DES) is deprecated due to weak key length.

CEH materials clearly recommend AES over legacy algorithms.

The correct classification is Potentially Unwanted Applications (PUAs). In CEH malware taxonomy, PUAs refer to software that is not strictly malicious in the traditional sense but exhibits undesirable behavior such as displaying intrusive advertisements, modifying browser settings, collecting user data, degrading system performance, or bundling with other freeware without clear user awareness. In this scenario, the toolbar and optimization tool were bundled with a legitimate utility installer and presented with vague descriptions—an extremely common PUA distribution method known as software bundling.

The symptoms described—pop-up ads, homepage modification, sluggish performance, and background data transfers—are consistent with adware or browser hijackers, which fall under the broader PUA classification. Importantly, the question specifies there is no immediate file encryption (which would suggest ransomware) and no self-replication (which would suggest a worm). Botnet agents typically establish command-and-control communication and are designed for coordinated malicious activity such as DDoS or spam campaigns; while unexplained traffic may raise suspicion, the described behavior aligns more closely with adware-style monetization rather than structured botnet activity. Logic bombs are dormant code triggered by specific conditions, which is not indicated here.

From a defensive perspective, CEH recommends secure software acquisition policies, user awareness training, disabling unnecessary bundled installations, implementing endpoint protection with PUA detection enabled, and enforcing application allowlisting to prevent unauthorized or bundled software from executing within the enterprise environment.

A Distributed Control System (DCS) is the best match because the scenario describes multiple automated control loops (temperature, pressure, conveyor speed) that are coordinated by a centralized supervisory network linking multiple controllers across a facility. In industrial environments, a DCS architecture distributes control functions across many controllers located near the process equipment, while supervisory control and operator interfaces coordinate and monitor the overall process. This makes DCS common in continuous and process industries such as steel, chemical, oil and gas, and manufacturing plants where many interdependent loops must operate reliably together.

The scenario’s “centralized supervisory network” is a key DCS hallmark: operators and supervisory systems (often including engineering workstations and HMIs) provide centralized monitoring, setpoints, alarms, and coordination, while the actual loop control is executed by distributed controllers. This differs from a single isolated controller or purely manual operation. The purpose is to maintain stable process control and ensure coordinated behavior across different production areas.

Why the other options don’t fit:

A manual loop (A) implies human-operated control rather than automated feedback loops. The plant is described as having “numerous automated loops,” so manual loop is incorrect.

Open loop (C) control does not use feedback from the output to adjust the input; it is not typical for precise regulation of temperature and pressure where feedback is essential.

Closed loop (D) does describe feedback-based regulation and is true of many industrial loops; however, the question asks for the OT system concept applied based on the overall facility design—specifically a supervisory network coordinating multiple controllers—pointing to the architecture (DCS) rather than the loop type.

Therefore, the correct answer is B. Distributed Control System (DCS).

According to CEH v13 Cloud Computing, improper identity and access management (IAM) is one of the most common causes of cloud security incidents. When former employees retain access to cloud resources, it represents a failure in user lifecycle management, specifically in the de-provisioning phase.

Timely user de-provisioning ensures that when an employee leaves the organization or changes roles, all associated access rights—API keys, IAM roles, credentials, tokens, and permissions—are immediately revoked. CEH v13 emphasizes that cloud environments magnify this risk because access is often centralized and remote, meaning former employees can access systems from anywhere.

Options A, B, and C are supportive security practices but do not directly address the root cause. Multi-cloud models do not prevent unauthorized access. Traffic analysis may detect misuse after the fact but does not prevent it. Penetration testing identifies vulnerabilities but does not manage user access.

CEH v13 explicitly identifies timely de-provisioning as a critical cloud security control to prevent insider threats, privilege abuse, and compliance violations. Therefore, Option D is the correct answer.

CEH v13 describes Cross-Site Request Forgery (CSRF) as an attack in which an authenticated user ' s browser is tricked into submitting unauthorized actions to a trusted application without the user ' s intent. CSRF exploits the fact that browsers automatically include stored session cookies when sending requests to a domain the user is logged into. In this scenario, the attacker creates a malicious form that triggers an unwanted funds transfer. Since the application does not validate request origin, enforce CSRF tokens, or require secondary verification, it processes the attacker ' s forged request as if it came legitimately from the victim. CEH emphasizes that CSRF differs from XSS because no malicious script executes on the target website; instead, the attacker leverages the victim’s authenticated session. This is distinct from session fixation (Option A), replay attacks (Option B), and XSS (Option D). The described behavior aligns precisely with CSRF exploitation.

The Certified Ethical Hacker (CEH) Cryptography module explains that one of the primary challenges in encryption is secure key distribution. Asymmetric encryption, also known as public-key cryptography, was specifically designed to address this issue.

In asymmetric encryption, each entity possesses a public key and a private key. The public key can be shared openly, allowing anyone to encrypt data securely, while only the corresponding private key can decrypt it. CEH documentation highlights that this model eliminates the need to transmit secret keys over insecure channels.

Option D is correct because asymmetric encryption enables secure key exchange without prior trust.

Option B (symmetric encryption) requires a shared secret key and suffers from key distribution challenges.

Option A refers to data-at-rest protection, not key exchange.

Option C provides integrity verification, not encryption.

CEH emphasizes that asymmetric encryption underpins secure protocols such as TLS and digital certificates.