ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

In CEH v13 Cloud Computing, serverless architectures introduce unique security challenges, particularly around Function-as-a-Service (FaaS) permissions. When a serverless function is compromised through an insecure third-party API, the damage depends largely on what the function is allowed to do.

Implementing function-level permission models and enforcing the principle of least privilege ensures that even if a function is exploited, its ability to execute malicious actions is strictly limited. CEH v13 strongly emphasizes granular IAM controls in serverless environments.

While cloud-native security platforms (Option A) and CASBs (Option C) provide visibility and governance, they do not directly prevent excessive permissions. Regular patching (Option D) is important but does not mitigate permission abuse.

CEH v13 identifies least privilege as the single most critical control in preventing serverless abuse and privilege escalation. Therefore, Option B is the correct answer.

CEH v13 explains that directory traversal (also called path traversal) occurs when an application improperly handles user-supplied input used for file path generation. Attackers exploit this by inserting traversal sequences such as ../ beyond the intended directories, gaining access to sensitive files like /etc/passwd, configuration data, or source code. The vulnerability arises from missing input validation and failure to restrict file access to safe directories. CEH stresses that directory traversal is common in file handling functions such as view, download, or include operations. Brute-forcing credentials (Option A) is unrelated. XSS (Option C) targets script injection into web pages, not file access. Buffer overflow (Option D) manipulates memory, not file paths. Therefore, the scenario represents classic directory traversal exploitation.

This scenario is a classic vishing (voice phishing) attempt: the attacker calls employees, impersonates a vendor, and tries to persuade them to disclose sensitive payment information. The most direct, practical countermeasure that employees can apply in every interaction is verifying the requester’s identity before sharing any information. That means using a trusted verification method—such as calling back using an official number from an internal directory/vendor contract, confirming through a known manager or procurement channel, or following an established verification workflow—rather than trusting the caller ID, the caller’s confidence, or claimed affiliation.

Option B is the best answer because it directly breaks the social engineering tactic being used: pretexting (posing as a vendor) relies on getting the victim to accept identity and urgency without validation. If employees consistently verify identity through independent channels, the attacker’s pretext collapses and the request is denied or escalated. This is the most immediate control at the human decision point, where the data disclosure risk occurs.

Why the other choices are less direct:

Security awareness programs (A) are important, but the question asks for the practical step employees must apply in each interaction. Training supports the behavior; it is not the specific action that stops the call from succeeding.

Policies and procedures (C) provide governance and guidance, but the direct operational control during a phone call is still identity verification.

Two-factor authentication (D) protects login processes but does not prevent an employee from verbally disclosing payment details over the phone.

Therefore, the prioritized countermeasure is B. Employees must verify the identity of individuals requesting information.

SMS Phishing, commonly called smishing, is the correct answer because the attack method is a deceptive text message sent to mobile devices that lures recipients into clicking a malicious link. In CEH-aligned social engineering coverage, smishing is a direct extension of phishing that uses SMS as the delivery channel. The attacker typically creates urgency or authority, such as “critical account update needed,” to trigger fast compliance. The message then pushes the victim to a malicious URL that can deliver malware, prompt credential entry, or enroll the device into a monitoring or management profile depending on platform and permissions. The key indicators in the question are company phones, a crafted message, and a link that installs monitoring software, which fits smishing exactly.

Bluebugging is a Bluetooth-based attack where the attacker exploits Bluetooth weaknesses to gain unauthorized access to a device, read data, place calls, or send messages, and it does not rely on sending a deceptive SMS link. Call spoofing is manipulating caller ID to impersonate a trusted number during voice calls, not delivering a malicious installation link through text. OTP hijacking focuses on intercepting or tricking users into revealing one-time passwords, often through SIM swapping, malware, or real-time phishing, but the scenario emphasizes installing monitoring software through a link rather than capturing a one-time code.

Defenses highlighted in ethical security training include mobile security awareness, blocking unknown links, using mobile threat defense, restricting app installation from untrusted sources, enforcing MDM controls, and monitoring SMS-based social engineering indicators.

SQL injection testing commonly involves using tautology-based payloads such as 1 OR 1=1, which force SQL queries to evaluate as true. CEH explains that this confirms improper input sanitization and exposes whether user-supplied fields directly influence database queries. The result often returns all records, indicating successful injection.

CEH v13 explains that WPA2-Enterprise replaces the static, shared password model of WPA2-Personal with a centralized authentication system that relies on the 802.1X framework. The essential component of this architecture is RADIUS integrated with EAP, which manages user authentication, device identity verification, and dynamic session key generation. RADIUS acts as the backend authentication server, while EAP provides a flexible authentication framework supporting certificates, smartcards, or credentials. This combination allows organizations to enforce per-user access control policies, revoke individual users without changing network-wide passwords, and generate unique Pairwise Master Keys (PMKs) for every authenticated session. CEH highlights that one of the major advantages of WPA2-Enterprise is its ability to produce unique encryption keys for each client, preventing key reuse and mitigating lateral movement if one device is compromised. Certificate-based EAP types such as EAP-TLS introduce mutual authentication, ensuring both client and server validate each other’s identity before allowing network access. This significantly increases security posture compared to PSK networks, which cannot scale securely for large enterprise deployments.

The described action is classic web server footprinting through banner grabbing. In CEH reconnaissance methodology, banner grabbing is used to identify a target’s service details by eliciting and analyzing standard protocol responses. When Sofia sends a simple HTTP request such as GET / HTTP/1.0, the server often responds with HTTP headers that may include fields like Server and sometimes X-Powered-By, which can reveal the web server product and version, and occasionally information that hints at the underlying operating system or framework. This disclosure is valuable to attackers because it enables targeted exploitation: once the exact server and version are known, an attacker can correlate that information with known vulnerabilities, misconfigurations, and exploit code.

This is not information gathering from robots.txt, which is a web file used to suggest crawler behavior and sometimes reveals hidden paths but does not inherently expose server software versions. It is also not directory brute forcing, which involves systematically guessing directories and files to find hidden endpoints. Vulnerability scanning is broader and typically involves automated checks to detect vulnerabilities; while banner information can be an input to scanning, the technique shown here is specifically identification through response headers.

CEH-aligned mitigation includes disabling or minimizing server signature information, removing unnecessary headers, keeping server software patched, and using secure configurations and reverse proxies to reduce information leakage during reconnaissance.

Ping of Death is a classic Denial-of-Service technique in which an attacker sends oversized or malformed IP packets that exceed the maximum allowed size when reassembled. In IP networks, the maximum packet size is 65,535 bytes. Historically, attackers exploited fragmentation by sending a series of IP fragments that, when reassembled by the target, resulted in a packet larger than the permitted limit or produced an invalid buffer condition. Vulnerable systems could crash, reboot, or become unstable because the network stack mishandled the reassembly process or failed to properly validate packet length and structure.

The scenario matches this behavior precisely: Sofia transmits “oversized, malformed packets” and the server “crashes intermittently due to processing failures.” That symptom is more consistent with a malformed-packet handling flaw than with pure traffic volume. An ICMP flood and an ACK flood are volumetric or resource-exhaustion attacks that overwhelm bandwidth or connection-handling capacity, typically degrading performance rather than directly causing crashes from malformed packet parsing. A Smurf attack is an amplification-based ICMP attack using broadcast addresses to multiply traffic toward a victim; again, it is about volume, not crafted malformed packets that trigger parsing failures.

CEH guidance highlights that PoD-style attacks exploit improper packet validation and reassembly logic. Modern systems are generally patched, but poorly maintained devices, legacy OS stacks, and some embedded implementations can still exhibit instability when exposed to malformed fragmentation and reassembly edge cases.

Virtual Patching is a risk-mitigation technique emphasized in CEH v13 Security Operations. It involves deploying compensating controls—such as WAF rules, IPS signatures, or firewall policies—to block exploitation attempts without modifying the vulnerable system.

CEH v13 highlights virtual patching as especially useful when:

Downtime is unacceptable

Vendor patches are delayed

Legacy systems are in use

Monitoring alone does not prevent exploitation, and shutting down systems is often impractical. Virtual patching provides immediate protection while maintaining availability.

Qualys VM is the best match because the scenario emphasizes enterprise vulnerability management for a hybrid environment with agent-based endpoint coverage, continuous monitoring, alerting, and centralized visibility across both on-premises and cloud systems. In CEH-aligned security operations concepts, vulnerability management is not only about running periodic scans, but also about maintaining an accurate, continuously updated view of asset exposure, prioritizing risk, and producing actionable remediation workflows. A platform designed for hybrid infrastructures commonly includes lightweight agents for endpoints, cloud connectors, unified dashboards, continuous assessment, and notification or alerting features to support real-time risk decisions. Qualys VM is widely recognized for delivering vulnerability management through a centralized cloud platform with broad asset visibility and support for continuous assessment models that align with large-scale, distributed environments.

The other options are less aligned with the full requirement set. Nikto is a focused web server and web application scanner and does not represent an enterprise-wide vulnerability management platform for endpoints and hybrid assets. OpenVAS is a capable open-source vulnerability scanner, but it is typically implemented as a scanning solution rather than a full hybrid vulnerability management platform with the same level of integrated agent-based endpoint coverage, centralized cloud visibility, and operational alerting described. Nessus is a strong vulnerability scanner and can support agents in some deployments, but the scenario’s emphasis on broad hybrid infrastructure visibility and centralized, continuous monitoring with alerting most strongly aligns with Qualys VM as a vulnerability management platform.

CEH clearly distinguishes between active and passive reconnaissance. Passive methods involve gathering publicly available data without directly interacting with the target’s infrastructure, thus avoiding detection. Tools such as Netcraft, DNSdumpster, VirusTotal, Certificate Transparency logs, and search engine indexing are recommended by CEH for discovering subdomains through public metadata, cached DNS records, WHOIS data, SSL certificate entries, and third-party enumeration databases. These platforms provide insights into externally accessible assets without sending packets or queries to the target organization. Brute-force enumeration is active and violates the rules of engagement. Attempting credential guessing or requesting internal DNS data are unauthorized and clearly active reconnaissance activities. Passive OSINT-based subdomain enumeration is a core CEH technique used to uncover hidden infrastructure safely and legally. It is especially crucial in red team operations where stealth is a priority.

The firewall described is doing more than simple header checks: it is validating session state and also performing some application-level analysis. That combination is characteristic of a Stateful Multilayer Inspection Firewall. This firewall type expands beyond traditional packet filtering by tracking the state of network connections (e.g., TCP handshake progression, established sessions, expected flags and sequence behavior) and applying inspection across multiple OSI layers. Because it understands whether traffic belongs to a legitimate, established session, it can block many spoofed or out-of-context packets that might pass a stateless filter.

The mention of being harder to bypass with fragmentation or tunneling attacks further supports this. Stateless packet-filtering firewalls mainly rely on source/destination IP, port, and protocol fields. Attackers may attempt fragmentation to split payloads across packets and evade simplistic inspection, or use tunneling to encapsulate traffic to hide prohibited content. A stateful multilayer firewall, by maintaining connection tables and reassembling or correlating traffic with session context, is better equipped to detect anomalies that do not align with valid session behavior and to apply deeper inspection policies.

Why the other choices are less fitting:

A Packet Filtering Firewall (A) focuses on basic header fields and is typically stateless, matching the opposite of what Mia observed.

An Application-Level Firewall (C) (proxy firewall) can do deep application inspection, but the scenario emphasizes a multilayer approach combining state tracking with application-level checks—more aligned with stateful multilayer inspection than a pure application proxy model.

A Circuit-Level Gateway Firewall (D) validates session establishment (e.g., TCP handshakes) and creates virtual circuits, but it generally does not perform meaningful application-level analysis of the content.

Therefore, the best match is B. Stateful Multilayer Inspection Firewall.

The correct answer is HTTP Server Core because the scenario describes the primary module of a web server that processes incoming requests and coordinates with additional modules responsible for encryption, URL rewriting, and authentication. In CEH-aligned web server architecture concepts, the core HTTP engine is responsible for handling client requests, managing connections, parsing HTTP headers, and passing requests to the appropriate modules for further processing.

Modern web servers such as Apache HTTP Server or Nginx operate using a modular architecture. The core component manages the fundamental HTTP protocol operations, while optional or loadable modules extend functionality. For example, SSL or TLS modules handle encryption, rewrite modules manage URL manipulation, and authentication modules enforce access controls. The description in the question clearly aligns with this architecture, where a central processing unit works in conjunction with supporting modules.

The other options do not fit. The Document Root refers only to the directory location from which web content is served. A Virtual Document Tree relates to how URLs are logically mapped to file paths. An Application Server is a separate server component that processes business logic, often interacting with backend systems, rather than directly managing HTTP request parsing at the core level.

Therefore, Jake is analyzing the HTTP Server Core, which is responsible for handling incoming requests and integrating modular security and performance features within the web server environment.

CEH defines botnets as networks of compromised machines controlled remotely to perform coordinated activities such as DDoS attacks, spam campaigns, and credential theft. Systems showing outbound connections to unknown IPs and participating in mass spam dissemination are characteristic indicators of botnet infection.

The scenario describes a wireless discovery method where the tester only listens to the airwaves and does not transmit probe requests or inject frames. In CEH terms, this is passive reconnaissance, commonly referred to as passive footprinting in the wireless context. Passive footprinting relies on capturing and analyzing existing 802.11 management traffic such as beacon frames (periodically broadcast by access points) and probe responses sent to other clients, allowing the tester to identify SSIDs, BSSIDs (MAC addresses of access points), channel numbers, supported data rates, and sometimes security capabilities, all without generating traffic that could alert administrators or trigger wireless intrusion detection systems.

Active footprinting, by contrast, involves transmitting frames—most notably probe requests—to solicit probe responses from access points, which increases detectability. The question explicitly says Ethan does not send probe requests and does not inject data packets, which rules out active methods. “Network Discovery Software” is too generic; tools can be used for either passive or active discovery, but the technique in use is defined by behavior on the wireless medium, not the presence of software. “Wash” is a specific tool/command associated with enumerating WPS-enabled access points; while it can be used during reconnaissance, the question is testing the broader technique rather than a specific utility, and the defining characteristic here is silent listening.

CEH defensive guidance notes that passive discovery is stealthier because it leverages normal beaconing behavior. Organizations mitigate reconnaissance by using wireless monitoring, rogue AP detection, strong encryption configurations, disabling unnecessary broadcasts where feasible, and maintaining continuous wireless security assessments.