ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

SQL injection testing commonly involves using tautology-based payloads such as 1 OR 1=1, which force SQL queries to evaluate as true. CEH explains that this confirms improper input sanitization and exposes whether user-supplied fields directly influence database queries. The result often returns all records, indicating successful injection.

In CEH v13 Mobile, IoT, and OT Hacking, firmware-level attacks on Programmable Logic Controllers (PLCs) are categorized as high-impact and stealth-oriented threats, often designed to evade traditional network-based defenses. Malicious firmware compromises the integrity of the device itself, allowing attackers persistent and covert control over industrial processes.

The first and most critical step is to verify the integrity of the firmware and software running on the PLCs. CEH v13 emphasizes that before containment or mitigation actions are applied, accurate identification and confirmation of compromise must occur. Firmware inspection enables analysts to detect unauthorized code injections, modified logic blocks, altered checksums, or tampered boot loaders—hallmarks of OT malware such as Stuxnet-like attacks.

Immediate isolation (Option A) may be necessary later, but premature isolation can disrupt industrial operations and destroy volatile forensic evidence. IDS enhancements (Option C) focus on traffic patterns and are ineffective against firmware-resident malware. Restricting remote access (Option D) is preventative but does not validate or remove an existing firmware compromise.

CEH v13 stresses that OT environments require forensic verification at the device level, especially when abnormal behavior originates from controllers themselves. Firmware validation using vendor-approved tools and hash verification is the correct first step to confirm compromise and plan remediation without risking operational safety.

An Evil Twin access point is a malicious wireless access point that impersonates a legitimate Wi-Fi network by copying its SSID and often mimicking other observable characteristics such as security settings and signal behavior. In CEH-aligned wireless attack coverage, the goal is to trick users into connecting to the attacker-controlled AP instead of the real one. Once a victim device associates, the attacker can perform man in the middle interception, capture credentials, observe sensitive traffic, and potentially downgrade protections if the victim is not properly validating the network.

This scenario strongly matches an Evil Twin because the tablet connects to an access point “broadcasting a name and signal similar to the hospital’s secure Wi-Fi,” and Sarah finds an unauthorized device capturing sensitive traffic from connected systems. That combination indicates active impersonation and client deception, not merely an accidental device. A rogue AP is typically an unauthorized access point connected to the internal network, often deployed by employees for convenience, and may not be designed to impersonate the official SSID to lure clients. A misconfigured AP refers to an access point with weak settings or improper security controls, not an attacker-created clone. A honeypot AP is a deliberate decoy set up by defenders to attract attackers, which is the opposite of what is described.

Mitigations emphasized in CEH best practices include using WPA2 Enterprise or WPA3 Enterprise with certificate validation, enabling protected management frames where supported, deploying wireless intrusion detection and prevention to identify spoofed SSIDs and BSSID anomalies, disabling auto-join where possible, and training users to report suspicious network prompts or unexpected reconnect behavior.

In CEH-aligned cloud security discussions, protecting data across its lifecycle is a primary requirement, and a major risk area is how data moves between clients, applications, and cloud services. The scenario states the exposure occurred because there was no encryption during transmission between user devices and cloud storage. That maps directly to the Service and Data Integration risk area because it focuses on the security controls applied when cloud services exchange data with users and with other services, including secure communication channels, API protection, and proper cryptographic enforcement for data in transit.

When data is transmitted without TLS or with weak or misconfigured TLS, it becomes vulnerable to interception and manipulation through man in the middle attacks, traffic sniffing, SSL stripping, or downgrade attacks. In regulated environments such as healthcare, HIPAA expectations strongly align with implementing strong encryption in transit and ensuring secure session establishment, certificate validation, and modern cipher suites. This is not primarily a multi tenancy or physical security issue, which relates to isolation between tenants and the provider’s datacenter controls. It is also not primarily an incident analysis and forensic support issue, which concerns detection, logging, evidence collection, and investigative capability after events occur. Infrastructure security is broader and can include network protections, but the question is specifically about preventing exposure during transmission, which is most precisely addressed by service and data integration controls.

Correct remediation typically includes enforcing HTTPS with modern TLS, enabling HSTS, disabling legacy protocols and weak ciphers, ensuring correct certificate management, using mutual TLS where appropriate, and securing cloud storage access through authenticated, encrypted endpoints and properly secured APIs.

A bootkit is the rootkit type that best matches the described behavior because it compromises the system boot process and executes before the operating system fully loads, often before many security controls, drivers, and monitoring services start. CEH materials describe bootkits as a highly persistent class of malware that targets components such as the Master Boot Record, Volume Boot Record, or bootloader. By gaining execution at boot time, a bootkit can load malicious code very early, then hook or tamper with OS loading routines, kernel initialization, or security mechanisms. This early execution is exactly what the scenario emphasizes: the payload runs “before any system-level drivers or services are active,” enabling covert control while evading traditional user-mode detection.

This also explains why administrators see suspicious network activity but forensics do not easily find malicious user-level artifacts. Bootkits can hide by manipulating what the OS and security tools can see after startup, including concealing files, processes, registry keys, or even redirecting reads so scanners receive “clean” data. Because the malicious component is anchored in the boot chain, it can survive reboots and remain present even if many OS-level indicators are cleaned.

A kernel-mode rootkit operates within the OS kernel but typically loads after the OS begins booting and drivers initialize. A hypervisor rootkit relies on virtualization to sit beneath the OS at runtime, but the scenario specifically highlights boot-time execution prior to drivers and services. Firmware rootkits persist in BIOS/UEFI or device firmware, which is possible, but the most direct match to “boot process compromise below the OS” in CEH terminology is a bootkit.

According to the CEH Network and Perimeter Security module, one of the most effective and widely used firewall evasion techniques is the use of encrypted communication channels. When traffic is encrypted using protocols such as HTTPS, TLS, or VPN tunnels, traditional firewalls and packet-inspection tools may be unable to inspect payload contents unless SSL/TLS inspection is explicitly enabled.

CEH documentation explains that attackers commonly encrypt command-and-control (C2) traffic to:

Blend in with legitimate encrypted traffic

Bypass content-based inspection

Evade signature-based detection

Option B is therefore correct.

Option A (IP spoofing) is less effective against stateful firewalls.

Option C is a human-focused attack, not firewall evasion.

Option D has no relevance to firewall bypass techniques.

CEH highlights encryption misuse as a major blind spot in perimeter defenses.

DHCP starvation is a network-level attack in which an attacker sends a massive number of DHCPDISCOVER requests, each appearing to originate from a different MAC address. CEH courseware explains that DHCP servers assign IP leases based on unique MAC addresses, and when the lease pool is exhausted, legitimate clients are unable to obtain valid IP configurations. This disrupts network connectivity and can serve as a precursor to deploying a rogue DHCP server, enabling further attacks such as traffic redirection or credential interception. DHCP starvation is different from ARP spoofing, which manipulates MAC–IP mappings, or DNS poisoning, which corrupts domain resolution. Rogue DHCP relay attacks involve forwarding DHCP packets to unauthorized servers, not depleting leases. The scenario described—rapid MAC address spoofing and exhaustion of DHCP leases—matches the precise definition of DHCP starvation as documented in CEH materials.

CEH v13 defines a white hat hacker as a security professional who performs authorized assessments to identify vulnerabilities and strengthen an organization’s defenses. The defining characteristic of white hat activity is the presence of formal permission—typically through a signed rules-of-engagement, scope of work, and explicit authorization from the organization. CEH emphasizes that white hats adhere to legal boundaries, follow ethical guidelines, and document findings to support remediation. They may use the same tools and methodologies as malicious hackers, but the intent and authorization distinguish them. In contrast, black hats operate without permission and with malicious intent. Grey hats act without authorization but may not have malicious motivations, making them inappropriate in a formal penetration testing engagement. Script kiddies lack professional skill and rely on pre-made tools without understanding the underlying techniques. Therefore, the hacker described is a white hat—an ethical professional performing sanctioned testing.

An HTTP GET POST attack is the most likely answer because the key indicator in the scenario is the measurement unit and behavior: 398 million requests per second. In CEH-aligned DoS and DDoS coverage, volumetric network-layer attacks like SYN floods are typically discussed in packets per second or bits per second, and they primarily exhaust connection tables or bandwidth at Layer 3 and Layer 4. By contrast, an HTTP flood targets Layer 7 and is commonly measured in requests per second because the attacker is sending large volumes of seemingly valid web requests. This overwhelms web servers, application stacks, and upstream components such as reverse proxies, load balancers, and API gateways, leading to degraded performance and dropped sessions, exactly as described when “active connections drop unexpectedly.”

The mention of “customer-facing platforms” and “numerous compromised devices” also matches typical botnet-driven application-layer flooding, where many distributed sources generate massive HTTP request rates to evade simple IP-based blocking. A TCP SACK panic attack is a vulnerability-triggered crash condition related to TCP handling, not a request-rate spike scenario. An RST attack involves sending TCP reset packets to tear down sessions, which would not normally present as an extreme requests-per-second event in server logs.

Therefore, the evidence most strongly supports an application-layer DDoS: an HTTP GET POST flood designed to exhaust server and application resources and cause intermittent service disruption.

Sherlock is the correct choice because it is specifically designed for OSINT-style username enumeration across a very large number of websites. In CEH-aligned reconnaissance, one common task is “alias correlation,” where the tester checks whether the same username exists across multiple social networks, forums, and content platforms. Sherlock automates this by querying many supported sites and reporting where an account with a given username appears to exist. This directly matches the question’s requirement: “cross-platform username correlation by scanning hundreds of social networking sites.”

The prompt also specifies what the tool does not do: it “does not natively support geolocation tracking or visualizing identity relationships.” That limitation aligns with Sherlock’s role as a focused username discovery tool rather than an analysis platform. By comparison, Creepy is associated with geolocation-focused OSINT, particularly collecting and correlating location metadata from social media posts and images, which is the opposite of the stated limitation. Maltego is well known for relationship analysis and link visualization, allowing investigators to build graphs of people, emails, domains, and social entities—again contradicting the “does not visualize identity relationships” constraint. Social Searcher is more oriented toward searching and monitoring public social media content and mentions, not primarily high-volume username existence checking across hundreds of sites in the same manner.

In CEH reconnaissance workflows, Sherlock fits early-stage enumeration to expand a target’s footprint, after which analysts may pivot into tools like Maltego for link analysis or geolocation tools when location exposure is part of the assessment.