ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

According to the CEH attack methodology, once an attacker obtains initial access—whether through exploitation, misconfiguration, or credential compromise—the next critical phase is privilege escalation. Gaining system-level or administrative control is essential for maintaining persistence, accessing protected data, modifying system configurations, and pivoting further into the network. Privilege escalation exploits target kernel flaws, misconfigured services, improper permission settings, or vulnerable drivers. CEH emphasizes that performing a DoS attack disrupts the engagement and provides no strategic advantage. Similarly, CSRF targets web applications rather than operating systems, and brute-force password attempts are inefficient, noisy, and often ineffective once local access has already been established. By leveraging privilege escalation techniques, the tester converts limited user access into full system control, enabling comprehensive post-exploitation activities aligned with CEH system hacking procedures.

CEH v13 highlights the importance of route tracing during internal reconnaissance to identify key infrastructure devices such as distribution switches, firewalls, and core routers. When a single IP address consistently appears as the penultimate hop across multiple network paths, this typically indicates that the device serves as a core router responsible for inter-VLAN or inter-subnet routing. Core routers aggregate traffic from various segments before forwarding to endpoint subnets, explaining why it appears before diverse destinations. CEH emphasizes recognizing core infrastructure because compromising such devices provides attackers with significant visibility and potential control over network-wide communications. DNS poisoning would affect name resolution, not hop patterns. Loopback misconfigurations would affect single hosts, not multiple segments. A transparent proxy would appear only for traffic routed through application-layer inspection, not all traceroute tests. The consistency across subnets strongly points to a centralized routing device.

CEH v13 explains that WPA2-PSK security relies on the strength of the pre-shared key. Once the 4-way handshake is captured, the attacker must attempt offline cracking. CEH emphasizes that the dictionary attack is the most efficient and commonly used cracking method because it tests structured wordlists, human-derived passwords, and hybrid permutations, dramatically reducing time compared to full brute force. Brute forcing (Option B) is computationally heavy and often impractical unless the password is extremely short. XSS (Option A) and SQL injection (Option D) have no relevance to WPA2 authentication, which occurs at the wireless protocol level, not the router’s web interface. The dictionary attack is highlighted in CEH as the principal technique used with tools like aircrack-ng, hashcat, and pyrit, allowing rapid key testing using optimized GPU or CPU cracking. Thus, Option C is the most effective and CEH-aligned method.

The correct answer is Host-based Scanning. CEH vulnerability assessment material explains that host-based scanning focuses on individual systems such as servers, desktops, and workstations, and is intended to discover local security weaknesses including file permissions, registry permissions, patch issues, configuration errors, installed software problems, and operating-system-level exposures. The question explicitly mentions Windows servers and workstations, valid logins to each device, and inspection targets such as registry settings and local file permissions. Those are classic indicators of host-based scanning. Network-based scanning would focus more on exposed network services, listening ports, protocol behavior, and remotely visible vulnerabilities. External scanning is concerned with internet-facing exposure from outside the organization. Application scanning is too narrow because the scenario is not limited to a specific software application but instead covers broad system-level posture. CEH guidance often notes that host-based vulnerability scans may be credentialed so the scanner can inspect the internal configuration of each machine in detail. Because the assessment is centered on system-specific misconfigurations and local security settings across endpoints and servers, host-based scanning is the best classification.

In CEH-aligned vulnerability assessment reporting, the Findings section is where the assessor documents what was discovered during scanning and validation in a clear, structured, and actionable way. This portion of the report typically contains the concrete results: identified assets, affected systems, vulnerability details, and evidence that supports each issue. The question states that Nikhil lists the IP addresses of scanned hosts, identifies which machines are affected, and includes tables categorizing vulnerabilities such as outdated software, default credentials, and open ports. These are classic “results” artifacts that belong in Findings because they communicate the observed security weaknesses and where they exist.

The Risk Assessment section generally builds on findings by assigning severity, likelihood, impact, and overall risk ratings, often mapping issues to business consequences and prioritization. While Nikhil may later rate default credentials as critical or open ports as medium depending on exposure, the act of enumerating vulnerabilities and associating them with specific hosts is the findings activity, not risk scoring.

Supporting Information usually contains appendices such as tool configurations, raw scan outputs, methodology references, assumptions, scope boundaries, and glossary items. Although IP lists and tables might appear in an appendix for completeness, the way the prompt describes them, they are being used as the primary categorized presentation of discovered vulnerabilities, which is consistent with the Findings section.

Assessment Overview is typically a high-level summary of scope, objectives, timeline, and approach, not detailed host-by-host vulnerability tables. Therefore, the correct section is Findings.

The CEH DDoS Mitigation Strategies section explains that load balancing distributes traffic across multiple servers or infrastructure components to prevent any single resource from being overwhelmed.

By using hardware load balancers and cloud-based traffic distribution, organizations can:

Absorb large volumes of attack traffic

Maintain service availability

Ensure legitimate users are served

Option B is correct and directly matches CEH’s definition.

Option A drops all traffic, including legitimate requests.

Option C focuses on traffic analysis rather than distribution.

Option D limits traffic rather than distributing it.

CEH strongly recommends load balancing as a core DDoS resilience mechanism.

CEH v13 identifies encrypted communication channels as one of the most common and effective firewall evasion techniques. Firewalls that rely on packet inspection or signature-based filtering often cannot inspect encrypted payloads without SSL/TLS interception capabilities.

By encrypting malicious traffic—using HTTPS, VPN tunnels, or encrypted C2 channels—attackers can bypass firewall rules that inspect packet contents. CEH v13 emphasizes that this technique is widely used in malware communication, data exfiltration, and command-and-control operations.

IP spoofing (Option A) is limited by ingress and egress filtering and is less effective against modern firewalls. Open-source operating systems (Option B) do not inherently evade firewalls. Social engineering (Option D) targets users, not firewalls.

Therefore, Option C is the correct and CEH-aligned answer.

Amanda’s primary enumeration focus is a “file transfer” service that allows anonymous login and directory listing. That clearly indicates FTP, which runs on TCP port 21 (control channel). Anonymous FTP misconfiguration is a well-known exposure risk because it can allow unauthenticated users to browse or download files, and sometimes even upload content depending on permissions. Enumerating FTP typically includes validating anonymous access, listing directories, checking readable file contents, identifying writable folders, and verifying whether the server leaks banners, system type, or user/account hints.

The scenario also mentions background UDP traffic related to NetBIOS name lookups, which corresponds to UDP port 137 (NetBIOS Name Service). While NetBIOS is more common in Windows environments, it can still appear on networks with mixed systems or legacy compatibility services. The question asks which ports and services to prioritize given her enumeration activity, which includes FTP access weaknesses and noticing NetBIOS name lookup traffic.

Option B (TCP 21 and UDP 137) matches both:

TCP 21 = FTP control port, directly tied to anonymous login and directory enumeration.

UDP 137 = NetBIOS Name Service, matching the observed name-lookup traffic.

Why the other options don’t fit:

TCP 23 is Telnet (A), not the described file transfer service.

TCP 25 is SMTP (C), unrelated to anonymous file transfer login.

TCP 139 is NetBIOS Session Service (D), more associated with SMB over NetBIOS, not specifically with UDP name lookups, and it omits the FTP port central to her activity.

Therefore, the correct choice is B. TCP 21 and UDP 137.

Social engineering attacks that target business processes are especially effective when they mimic legitimate workflows. CEH learning materials emphasize that attackers often exploit trust relationships and organizational procedures rather than attempting broad or generic phishing methods. In the context of HR operations, onboarding portals are highly trusted and frequently accessed by new employees who expect to enter personal information, submit documents, and receive initial network credentials. By creating a fake onboarding portal that closely resembles the organization’s internal system, an attacker can collect credentials without triggering suspicion because the action being requested appears normal and expected. This method leverages procedural familiarity, brand consistency, and the implied authority of HR communications, making it far more effective than generic phishing emails or unsolicited social media messages. Phone calls, while sometimes useful, involve real-time interaction and increase the chance of detection. The fake portal, however, seamlessly integrates into existing processes, making it the most effective and lowest-profile approach for acquiring network credentials.

CEH v13 describes Agent Smith–style attacks as malicious Android operations where an app silently replaces legitimate applications by exploiting weaknesses in the Android app update and installation processes. These attacks often begin when users download seemingly innocent apps from untrusted third-party marketplaces. Once installed, the malicious application injects harmful code into other apps, overwriting them while preserving their icons and interface, allowing the attacker to harvest credentials, display ads, or maintain persistence without detection. CEH explains that this technique takes advantage of Android’s APK structure, sideloading vulnerabilities, and lack of signature validation in compromised environments. Simjacker (Option A) targets SIM toolkit vulnerabilities and does not replace apps. Man-in-the-Disk (Option B) abuses external storage operations but does not overwrite applications. Camfecting (Option D) refers to hijacking smartphone cameras. The described malicious replacement of legitimate apps exactly matches the Agent Smith attack pattern.

CEH defines ethical hacking as the authorized, structured, and permission-based process of identifying vulnerabilities to strengthen an organization’s security posture. Ethical hackers operate under a signed scope-of-work and follow legal boundaries. Malicious hackers, by contrast, exploit systems without permission, often with harmful or criminal intent. CEH emphasizes that both ethical and malicious hackers may use similar tools, techniques, and methodologies; the distinction lies entirely in authorization, intent, and legality. Ethical hacking is conducted to improve defenses, while malicious hacking targets exploitation, theft, or disruption. Nothing in CEH materials suggests that toolsets or work styles distinguish the two groups; permission and lawful operation remain the central differentiators.

CEH teaches that unrestricted file upload vulnerabilities are among the most dangerous in web applications because they allow attackers to bypass extension checks and upload malicious executable files. When the server fails to validate MIME types, file extensions, or execution permissions, an attacker can upload a web shell disguised as a harmless file, such as “image.php.jpg,” which may pass superficial validation and still be executed by the server’s interpreter. Once executed, the shell provides the attacker with command execution capabilities, allowing full control over the system. CEH emphasizes that web shells can enable privilege escalation, database compromise, lateral movement, or full server takeover. Unlike SQL injection or XSS, file upload exploitation directly affects server-side execution, making it significantly more severe. Unrestricted upload flaws are commonly tested in CEH labs with tools like Burp Suite to alter content-type headers or bypass client-side filters. This is a high-impact vulnerability requiring strict validation and sandboxing controls.

This is a SYN flood because the attack floods the target with TCP SYN packets (connection initiation). The server responds by allocating resources and sending SYN-ACK replies, moving each connection into a half-open state while it waits for the client’s final ACK to complete the three-way handshake. In a SYN flood, that final ACK never arrives (often because the source addresses are spoofed or because the attacker deliberately does not complete the handshake). As a result, the server’s backlog queue of pending connections fills up, consuming memory/connection slots and preventing legitimate users from establishing new sessions.

The scenario’s language matches the mechanics precisely: “flood of TCP connection initiation packets,” “exhausting the server’s backlog of half-open connections,” and “never receives the final ACK.” Those are the classic identifiers of SYN flooding.

Why the other options are incorrect:

ACK flood (A) involves flooding with TCP ACK packets; it does not primarily create half-open handshakes because ACKs are not the connection-initiation step.

TCP SACK Panic (B) refers to a specific vulnerability/issue related to TCP Selective Acknowledgment processing, not a generic handshake backlog exhaustion attack pattern.

APT attack (C) is not a DoS attack type; it refers to advanced persistent threat campaigns and is unrelated to TCP handshake flooding.

Therefore, Aisha is simulating D. SYN Flood Attack.

Once the base DN is identified through LDAP namingContexts, CEH teaches that the next step in enumeration is to query the directory tree using this DN. This allows retrieval of users, groups, computers, and other AD objects. LDAP-based enumeration requires valid search filters rooted in the base DN.

According to CEH v13 Cloud Computing, improper identity and access management (IAM) is one of the most common causes of cloud security incidents. When former employees retain access to cloud resources, it represents a failure in user lifecycle management, specifically in the de-provisioning phase.

Timely user de-provisioning ensures that when an employee leaves the organization or changes roles, all associated access rights—API keys, IAM roles, credentials, tokens, and permissions—are immediately revoked. CEH v13 emphasizes that cloud environments magnify this risk because access is often centralized and remote, meaning former employees can access systems from anywhere.

Options A, B, and C are supportive security practices but do not directly address the root cause. Multi-cloud models do not prevent unauthorized access. Traffic analysis may detect misuse after the fact but does not prevent it. Penetration testing identifies vulnerabilities but does not manage user access.

CEH v13 explicitly identifies timely de-provisioning as a critical cloud security control to prevent insider threats, privilege abuse, and compliance violations. Therefore, Option D is the correct answer.