ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

This scenario represents a Botnet-Based Distributed Denial-of-Service (DDoS) attack, as described in CEH v13 Network Attacks. Compromised internal devices become part of a botnet and are used to launch attacks against external targets.

CEH v13 notes that botnets frequently include IoT devices and employee workstations, making insider-originated DDoS activity a serious concern.

The requirement that each device authenticate through a centralized server using unique usernames and passwords aligns directly with 802.1X authentication, which CEH materials describe as port-based Network Access Control used in enterprise wired and wireless environments. In Wi-Fi, 802.1X is typically implemented as WPA2-Enterprise or WPA3-Enterprise and relies on EAP methods with a backend AAA server, most commonly RADIUS. The access point acts as the authenticator, forwarding the client’s authentication exchange to the RADIUS server, which validates the user or device identity and returns an accept or reject decision along with session keys and policy attributes. This provides strong control and auditing because access can be tied to individual identities, supports account disablement, and can enforce different access levels.

The other options do not match the “centralized server with unique credentials” description. Disabling TKIP improves security by removing an outdated encryption protocol, but it does not provide per-user authentication. MAC address filtering is weak because MAC addresses are easily discovered and spoofed, and it does not use centralized identity validation. Upgrading to WPA3 improves cryptographic strength, and WPA3-Enterprise can work with 802.1X, but WPA3 alone does not guarantee centralized username and password authentication unless the enterprise mode with 802.1X is specifically deployed. Therefore, the correct countermeasure that fits the described design is to use 802.1X authentication with a centralized authentication server, enabling strong access control, accountability, and improved resistance to unauthorized device connections.

CEH reconnaissance and enumeration modules explain that LDAP services often support anonymous binding by default unless explicitly disabled. Anonymous bind allows unauthenticated users to query certain directory attributes, which can lead to disclosure of usernames, organizational hierarchy, and email addresses—critical information for password attacks, phishing campaigns, and privilege escalation planning. In the scenario described, the tester obtained directory data without providing any credentials, demonstrating that anonymous bind permissions were enabled. LDAPS requires TLS encryption and authentication, which contradicts the observed access. Kerberos authentication mandates valid credentials. LDAP via RADIUS is used for authentication integration, not for information disclosure. Since the query was successful with no authentication and no access controls triggered, this aligns exactly with CEH’s description of anonymous LDAP binding.

The correct answer is C. Container orchestration because the described features—automated deployment, scaling, service discovery, and workload management across multiple nodes—are the defining functions of a container orchestration platform, and Kubernetes is the most widely used orchestration system for containers. In CEH-aligned cloud and container security discussions, orchestration refers to the automated coordination of containerized workloads so that applications remain available, scalable, and manageable without administrators manually placing or maintaining each container instance.

In Kubernetes, orchestration is achieved through the control plane and a set of components that continuously maintain the desired state of applications. For example, scheduling places pods onto nodes based on resource availability and constraints; controllers ensure that the correct number of replicas are running; services and DNS enable stable naming and service discovery; and autoscaling mechanisms adjust capacity according to demand. These combined behaviors allow the platform to keep critical services operating “smoothly” even as nodes change, workloads shift, or failures occur.

Why the other options are not the best match: Self-healing is a specific benefit of orchestration (Kubernetes restarts failed containers, reschedules pods, and replaces unhealthy instances), but it does not fully encompass the broader set of capabilities listed, such as deployment automation, scaling, and service discovery. Kube-controller-manager is a particular Kubernetes control-plane component that runs controller processes; it contributes to orchestration internally, but the question asks for the overarching capability responsible for the set of functions, which is container orchestration as a whole. Container vulnerabilities is not a Kubernetes capability; it is a security risk category (e.g., vulnerable images, misconfigurations, runtime exploits).

Therefore, the capability primarily responsible for automated deployment, scaling, service discovery, and multi-node workload management in Kubernetes is container orchestration.

CEH v13 teaches that NetBIOS enumeration is a key technique for gathering information in Windows environments without raising alarms. Ports 137 and 139 indicate that NetBIOS Name Service (NBNS) and SMB services are active. The tool nbtstat -A < IP > retrieves valuable information including computer names, logged-in users, domain/workgroup membership, and system roles—all passively and without authentication. CEH emphasizes that querying NetBIOS is often overlooked by defenders and generates minimal noise, making it ideal for stealth enumeration. LDAP enumeration (Option A) requires directory access and tends to trigger logs. Psloggedon and pspasswd (Options B and D) involve active interaction and authentication attempts, which are far more detectable. nbtstat is the CEH-recommended tool for initial reconnaissance on Windows networks using NetBIOS and SMB, especially when quiet enumeration is required.

The correct answer is A. Switch(config)# ip dhcp snooping because the question asks for the global setting that must be enabled first, before applying more specific (granular) DHCP Snooping controls. In Cisco switching, DHCP Snooping is the primary Layer 2 security feature used to mitigate rogue DHCP server attacks. Once enabled, the switch can distinguish between trusted ports (where legitimate DHCP server responses are allowed, typically uplinks toward the authorized DHCP server) and untrusted ports (typically access ports to end-user devices), where DHCP server responses (DHCPOFFER/DHCPACK) are filtered to prevent a rogue server from handing out malicious network configuration (gateway/DNS) to clients.

The scenario’s defense goal—“reject DHCP responses from untrusted ports”—is exactly what DHCP Snooping enforces after it is enabled and ports are assigned trust states. Conceptually, the workflow is:

Enable DHCP Snooping globally (feature activation),

Enable it for the relevant VLAN(s), and

Mark the legitimate DHCP-facing interface(s) as trusted so only those ports can send DHCP server responses.

Options C and D are part of the later, granular steps:

C enables DHCP snooping for a specific VLAN, which is necessary but is not the global prerequisite the question highlights.

D is applied under an interface to designate a port as trusted; again, this is granular and only meaningful after DHCP snooping is activated.

Option B is a different feature (Dynamic ARP Inspection) and is used to mitigate ARP spoofing/poisoning rather than rogue DHCP.

Therefore, the global command Jason should recommend first is Switch(config)# ip dhcp snooping.

SQL injection is one of the most common and dangerous vulnerabilities covered in CEH training. It occurs when an application accepts unsanitized input and directly passes it to a backend SQL query. To confirm the presence of SQL injection, the tester must insert a payload that alters the logic of the SQL query executed by the application. A classic test payload such as “1 OR 1=1 —” is widely used because it forces the database to return all rows instead of filtering based on the intended search value. This verifies whether the input field is being concatenated directly into a SQL command. The CEH methodology emphasizes starting with simple, non-destructive boolean-based payloads to safely evaluate the vulnerability without causing harm to the database or impacting server availability. Since directory traversal, brute-force login attempts, and XSS attacks target entirely different weaknesses, they are not appropriate for confirming SQL injection. The selected option aligns with proper CEH testing methodology for identifying insecure input handling and improper query construction.

The TCP SYN scan, also known as a Stealth Scan, is emphasized in CEH v13 Network Scanning as the most effective balance between accuracy and stealth. It sends a SYN packet and analyzes the response without completing the TCP handshake.

Because the connection is never fully established, SYN scans are less likely to be logged by applications and are harder for IDS systems to detect compared to TCP Connect scans.

FIN and ACK scans are used for firewall rule mapping and evasion, but they do not reliably enumerate services. TCP Connect scans are noisy and easily detected. Therefore, Stealth (SYN) Scan is the best choice.

UDP scanning produces reliable " closed " results only when an ICMP Port Unreachable is returned. Silent responses indicate either open ports (no reply expected) or filtered ports (blocks dropping packets). CEH emphasizes that non-responses require retransmission or alternate verification techniques.

In the CEH Denial-of-Service and Network Attacks coverage, a SYN flood is a classic TCP-based DoS technique that exploits the TCP connection establishment process. In a normal handshake, the client sends SYN, the server replies SYN/ACK, and the client completes with ACK. A SYN flood deliberately sends a high volume of SYN packets (often spoofed) but never completes the final ACK. As CEH describes, this leaves the server holding many half-open connections in SYN_RECEIVED, consuming memory and connection table resources (backlog queue). When the backlog fills, legitimate clients cannot establish connections, degrading availability.

The indicators in your scenario align exactly with CEH’s SYN flood fingerprints: incomplete handshakes and accumulation of half-open connections. The goal is resource exhaustion at the connection-management layer rather than bandwidth saturation.

Option B (Ping of Death) involves malformed/oversized ICMP packets and does not match SYN_RECEIVED behavior. Option C (UDP flood) targets UDP services/ports and creates different symptoms (high UDP traffic, ICMP unreachable messages, service degradation) without half-open TCP states. Option D (Smurf) is ICMP-based amplification via broadcast addresses—again unrelated to incomplete TCP handshakes.

CEH also notes mitigations such as SYN cookies, increasing backlog, reducing SYN-RECEIVED timers, rate limiting, and upstream filtering—further reinforcing that the described event is a SYN flood.

NFS Enumeration is the correct choice because the scenario is centered on TCP port 2049 and the use of a standard utility to list exported remote file systems. In CEH-aligned reconnaissance and enumeration, port 2049 is the primary service port for Network File System NFS. When a tester identifies 2049 as open on a Linux or UNIX-like host, a common next step is to enumerate NFS exports to learn which directories are shared and what access rules apply. The “standard utility” described is consistent with tools such as showmount, which queries the target to retrieve a list of exported file systems and, in some cases, the clients allowed to mount them. This directly supports the stated objective of “requesting a list of remote file systems shared across the network” to map accessible resources.

The distractor checks mentioned in the scenario reinforce why the answer is NFS. Telnet enumeration would relate to TCP 23 and interactive plaintext terminal access, not file-share exports. NTP enumeration aligns to UDP 123 and focuses on time synchronization information and server behavior, not shared directories. SNMP enumeration typically involves UDP 161 and extracts device and system details via community strings and management information bases. NetBIOS enumeration is associated with Windows networking services such as UDP 137 and TCP 139, which are unrelated to NFS on 2049.

Therefore, the active enumeration method demonstrated is NFS enumeration through export listing on TCP port 2049.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 explains that TOCTOU (Time-of-Check Time-of-Use) vulnerabilities arise when a system checks a condition (such as file permissions) and then later uses the resource based on that assumption. If there is even a tiny gap between the validation and the actual use, attackers can exploit this race condition by replacing or modifying the resource after validation but before execution. This is common in file-handling operations involving temporary files, symbolic links, or shared directories. CEH emphasizes that TOCTOU attacks often lead to privilege escalation, unauthorized execution, or tampering with data because the system trusts the earlier validation step. The attacker swaps the file at precisely the right moment, taking advantage of a race window. The other options—certificate validation, integer overflow, and null pointer dereference—do not involve timing-based race conditions. The scenario exactly matches CEH’s description of TOCTOU exploitation, where attackers manipulate file access in the interval between validation and execution.

The correct answer is D. Hardware/Firmware Rootkit because the scenario describes persistence that remains even after multiple OS reinstalls and executes before the operating system loads, while evading OS-level antivirus and forensic scans. In CEH-aligned malware/rootkit concepts, hardware/firmware rootkits embed malicious code into firmware components such as BIOS/UEFI, device firmware (for example, NIC firmware, storage controller firmware, HDD/SSD firmware), or other embedded hardware layers. Because firmware is separate from the operating system’s file system, reinstalling the OS typically does not remove the implant.

The clue “resides deep inside the system hardware” and “executes before the OS is loaded” aligns with firmware-level execution in the boot chain. Firmware rootkits can run during early startup, initialize malicious hooks, and then hand off control to the OS in a way that hides their presence. This makes them extremely difficult to detect using conventional host-based tools, because those tools operate after the OS is running and generally cannot easily inspect or validate firmware integrity. The mention of “unusual activity on network cards and storage devices” is also a strong indicator: compromised NIC or storage firmware can manipulate traffic, exfiltrate data, or alter reads/writes while remaining invisible to file-based scanning.

Why the other options are less accurate: a boot-loader-level rootkit typically infects the bootloader on disk; while it runs early, it may be removed by disk reimaging or certain reinstall workflows. A kernel-level rootkit resides within the OS kernel and is generally removed by reinstalling the OS. A hypervisor-level rootkit (virtualization-based) can be stealthy, but it still generally depends on software layers that may not survive repeated OS reinstalls unless paired with firmware persistence.

Therefore, the persistence across reinstalls and pre-OS execution most clearly indicate a hardware/firmware rootkit.

This question focuses on API Security, Webhooks abuse, and Webshell mitigation, all of which are addressed in the CEH v13 Web Application Hacking and Security Operations modules. The most appropriate corrective action is Option D, as it directly addresses the root causes and persistence mechanisms of the compromise.

According to CEH v13, attackers frequently exploit improper input validation in APIs and insecure webhook implementations to inject malicious payloads or gain remote command execution. Webhooks, when not properly validated, can accept malicious requests that trigger backend processes, making them a common vector for API abuse.

Input validation on all API endpoints is critical to prevent injection attacks, including command injection and SQL injection. CEH v13 explicitly emphasizes validating request parameters, headers, and payload structures to prevent malicious manipulation.

Reviewing webhook payloads ensures that only trusted sources can trigger automated actions, preventing attackers from abusing webhook functionality. This includes validating signatures, enforcing authentication, and restricting allowed payload formats.

Finally, regular scanning for webshells is essential because webshells provide persistent backdoor access. CEH v13 identifies webshell detection as a key defensive measure during incident response and post-exploitation containment.

Other options are incomplete:

A WAF alone cannot detect all webshells.

IP blocking is ineffective against spoofed or cloud-based attacks.

MFA and server hardening are valuable but do not directly address webhook abuse or existing webshells.

Therefore, Option D provides the most comprehensive, CEH v13–aligned mitigation strategy.

The Certified Ethical Hacker (CEH) Web Application Hacking and DoS/DDoS module identifies Slowloris as an application-layer denial-of-service attack that targets web servers by maintaining a large number of half-open HTTP connections.

Slowloris works by sending partial HTTP requests very slowly, preventing the server from closing the connections. CEH documentation highlights that this attack does not rely on high bandwidth, making it difficult to detect using traditional network-based defenses.

Option C accurately matches the described symptoms and CEH’s definition.

Options A and B are network-layer flooding attacks, which were explicitly ruled out.

Option D is a packet fragmentation attack, not an application-layer DoS technique.

CEH stresses tuning connection timeouts and using reverse proxies as mitigations.