ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

The CEH Cloud Computing module identifies cloud APIs as one of the most critical attack surfaces in public cloud environments. APIs control provisioning, configuration, authentication, and management of cloud resources.

A vulnerability in a cloud API can allow attackers to:

Bypass authentication

Escalate privileges

Access or modify cloud resources

Create or delete services

Option B is therefore correct.

Option A relates to availability, not API flaws.

Option C is managed by the provider and unrelated to APIs.

Option D would require key compromise, not just API weakness.

CEH strongly emphasizes API security as a top cloud risk.

 DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts

â–  HOSTMIB.MIB: Monitors and manages host resources

â–  LNMIB2.MIB: Contains object types for workstation and server services

â–  MIBJI.MIB: Manages TCP/IP-based Internet using a simple architecture and system

â–  WINS.MIB: For the Windows Internet Name Service (WINS)

DNS spoofing (also known as DNS cache poisoning) occurs when an attacker intercepts or falsifies DNS responses to redirect traffic or exfiltrate data. The appropriate way to prevent such attacks includes:

Implementing DNS anti-spoofing techniques

Using DNSSEC (DNS Security Extensions)

Ensuring proper DNS configurations and validation of responses

From CEH v13:

Module 3: Scanning Networks

Topic: DNS Poisoning and Spoofing Attacks

Defensive Measures: DNS Hardening

CEH v13 Study Guide states:

“To prevent DNS spoofing and cache poisoning, organizations should use DNSSEC, configure anti-spoofing protections, and restrict zone transfers. DNS Anti-spoofing solutions validate responses and ensure data integrity.”

Incorrect Options:

A: Logging may detect but not prevent.

B: Disabling DNS timeouts is unrelated and harmful.

D: Prevents zone transfers, not spoofing specifically.

A mirror site may be a website or set of files on a computer server that has been copied to a different computer server in order that the location or files are available from quite one place. A mirror site has its own URL, but is otherwise just like the principal site. Load-balancing devices allow high-volume sites to scale easily, dividing the work between multiple mirror sites.

A mirror site is typically updated frequently to make sure it reflects the contents of the first site. In some cases, the first site may arrange for a mirror site at a bigger location with a better speed connection and, perhaps, a better proximity to an outsized audience.

If the first site generates an excessive amount of traffic, a mirror site can ensure better availability of the web site or files. For websites that provide copies or updates of widely used software, a mirror site allows the location to handle larger demands and enables the downloaded files to arrive more quickly. Microsoft, Sun Microsystems and other companies have mirror sites from which their browser software are often downloaded.

Mirror sites are wont to make site access faster when the first site could also be geographically distant from those accessing it. A mirrored web server is usually located on a special continent from the principal site, allowing users on the brink of the mirror site to urge faster and more reliable access.

Mirroring an internet site also can be done to make sure that information are often made available to places where access could also be unreliable or censored. In 2013, when Chinese authorities blocked access to foreign media outlets just like the Wall Street Journal and Reuters, site mirroring was wont to restore access and circumvent government censorship.

Session Replay Attacks are highlighted in CEH v13 Web Application Hacking as one of the most sophisticated and difficult-to-detect session hijacking techniques. In this attack, adversaries capture valid session tokens or encrypted session identifiers and replay them to impersonate legitimate users.

Unlike credential stuffing, which relies on login attempts and can be detected through authentication anomalies, session replay occurs after authentication, using legitimate session artifacts. Clickjacking and CSRF manipulate user interactions but do not directly hijack session tokens.

CEH v13 explains that session replay attacks are especially dangerous in environments where session tokens are predictable, long-lived, or improperly bound to client attributes such as IP address or device fingerprint. Because the attacker reuses valid session data, traditional detection mechanisms often fail.

The replayed session appears legitimate to the server, making fraud detection extremely difficult without advanced behavioral analytics. This makes session replay attacks particularly effective in online retail environments where transactions are frequent and time-sensitive.

Thus, Option D correctly identifies the most challenging attack.

The action that would best protect your web server from potential misconfiguration-based attacks is performing regular server configuration audits. A server configuration audit is a process of reviewing and verifying the security settings and parameters of the server, such as user accounts, permissions, services, ports, protocols, files, directories, logs, and patches. A server configuration audit can help you to identify and fix any security misconfigurations that may expose your server to attacks, such as using default credentials, enabling unnecessary services, leaving open ports, or missing security updates. A server configuration audit can also help you to comply with the security standards and best practices for your server, such as the CIS Benchmarks or the OWASP Secure Configuration Guide12.

The other options are not as effective as option A for the following reasons:

B. Enabling multi-factor authentication for users: This option is not relevant because it does not address the server misconfiguration issue, but the user authentication issue. Multi-factor authentication is a method of verifying the identity of the users by requiring them to provide two or more pieces of evidence, such as a password, a code, or a biometric factor. Multi-factor authentication can enhance the security of the user accounts and prevent unauthorized access, but it does not prevent the server from being attacked due to misconfigured settings or parameters3.

C. Implementing a firewall to filter traffic: This option is not sufficient because it does not prevent the server from being misconfigured, but only limits the exposure of the server to the network. A firewall is a device or software that monitors and controls the incoming and outgoing network traffic based on predefined rules. A firewall can protect the server from external attacks by blocking or allowing certain ports, protocols, or IP addresses. However, a firewall cannot protect the server from internal attacks or from attacks that exploit the allowed traffic. Moreover, a firewall itself can be misconfigured and cause security issues4.

D. Regularly backing up server data: This option is not preventive but reactive, as it does not protect the server from being attacked, but only helps to recover the data in case of an attack. Backing up server data is a process of creating and storing copies of the data on the server, such as files, databases, or configurations. Backing up server data can help you to restore the data in case of data loss, corruption, or deletion due to an attack. However, backing up server data does not prevent the server from being attacked in the first place, and it does not fix the security misconfigurations that may have caused the attack5.

CEH v13 explains that IDS systems are often tuned to detect active scanning behavior, especially port scans and TCP/UDP probing that generate recognizable signatures. The command nmap -sn -PE performs a pure ICMP Echo Request ping sweep without sending any TCP SYN, UDP probes, or other packets normally associated with port enumeration. Since this mode disables port scanning entirely, it produces minimal traffic that resembles legitimate network behavior. CEH emphasizes that many networks allow ICMP Echo traffic internally for diagnostics, so such pings may not be treated as suspicious unless rate thresholds are exceeded. Because the tester avoided SYN packets, ACK probes, and UDP scans, the IDS saw no malicious pattern or connection attempts. The effectiveness of this technique is highlighted in CEH under passive and stealth reconnaissance, where minimal interaction is used to avoid detection. Thus, the scan succeeded because it relied solely on ICMP host discovery, not port scanning.

https://github.com/verovaleros/bluedriving

Bluedriving is a bluetooth wardriving utility. It can capture bluetooth devices, lookup their services, get GPS information and present everything in a nice web page. It can search for and show a lot of information about the device, the GPS address and the historic location of devices on a map. The main motivation of this tool is to research about the targeted surveillance of people by means of its cellular phone or car. With this tool you can capture information about bluetooth devices and show, on a map, the points where you have seen the same device in the past.

This scenario represents a Tautology-Based SQL Injection, a fundamental SQL injection technique covered under the Web Application Hacking module in the CEH v13 curriculum. The defining characteristic of this attack is the injection of a condition that always evaluates to TRUE, thereby bypassing authentication or authorization controls.

In the given example, the injected input 1 OR 'T'='T'; -- manipulates the logical condition of the SQL query. A typical vulnerable login query may resemble:

SELECT * FROM users WHERE user_id = 1 AND password = 'input';

When the attacker submits the injected payload, the resulting SQL statement becomes:

SELECT * FROM users WHERE user_id = 1 OR 'T'='T'; --';

The expression 'T'='T' is a tautology, meaning it always evaluates to TRUE regardless of context. As a result, the database returns records without properly validating the user’s credentials, granting unauthorized access.

According to EC-Council CEH v13, tautology-based SQL injection is classified as a Boolean-based injection technique where attackers exploit improper input validation to alter the logical flow of SQL queries. This attack does not depend on database error messages (as in Error-Based SQL Injection), does not extract data using UNION statements (Union-Based SQL Injection), and does not rely on response delays (Time-Based Blind SQL Injection).

CEH v13 emphasizes that such attacks are especially effective against login forms and authentication mechanisms when developers fail to implement input sanitization, parameterized queries, or prepared statements. This attack is one of the most common and exam-tested SQL injection types because it clearly demonstrates how flawed logic can compromise application security without advanced techniques.

Understanding tautology-based SQL injection is critical for ethical hackers, as it forms the foundation for identifying and mitigating more complex SQL injection variants.

In CEH v13 Module 12: Hacking Web Applications, Burp Suite is introduced as a powerful proxy-based tool used for intercepting, modifying, and analyzing HTTP/S traffic between a client and a web application.

Key Features of Burp Suite:

Captures all HTTP requests and responses.

Allows for manual testing of input parameters, headers, and cookies.

Includes tools such as Intruder, Repeater, Scanner, and Decoder.

Helps detect vulnerabilities such as XSS, SQLi, CSRF, and insecure session handling.

Option Review:

A. Maskgen: Used for generating masks, not a web proxy.

B. Dimitry: A footprinting tool, not used for request/response testing.

C. Burpsuite: Correct. Designed for web application vulnerability analysis.

D. Proxychains: Used to chain proxies for anonymity, not for HTTP traffic analysis.

CEH categorizes spear phishing as a highly targeted, research-driven social engineering technique that tailors the message to the victim’s role, responsibilities, and current organizational activities. When attackers reference specific internal projects, personnel names, vendor relationships, or operational details, the message appears authentic and bypasses normal suspicion. Executives are especially vulnerable because they routinely receive sensitive operational updates and work closely with vendors and partners, making them prime targets for tailored deception. CEH stresses that spear phishing is significantly more effective than generic phishing because personalization increases trust. Social media-based attempts and mass phishing lack specificity and raise suspicion. Impersonating the CEO over the phone is riskier and more detectable due to real-time human interaction. A targeted spear-phishing email referencing internal projects best aligns with CEH-described advanced social engineering strategy.

The protocol that you would recommend to the team to achieve the secure exchange of the symmetric key is the Diffie-Hellman protocol. The Diffie-Hellman protocol is a key agreement protocol that allows two or more parties to establish a shared secret key over an unsecured communication channel, without having to exchange the key itself. The Diffie-Hellman protocol works as follows12:

The parties agree on a large prime number p and a generator g, which are public parameters that can be known by anyone.

Each party chooses a random private number a or b, which are kept secret from anyone else.

Each party computes a public value A or B, by raising g to the power of a or b modulo p, i.e., A = g^a mod p and B = g^b mod p.

Each party sends their public value A or B to the other party over the unsecured channel.

Each party computes the shared secret key K, by raising the received public value to the power of their own private number modulo p, i.e., K = A^b mod p = B^a mod p.

The parties can now use the shared secret key K to encrypt and decrypt the data using a symmetric key encryption algorithm, such as AES or 3DES.

The Diffie-Hellman protocol can ensure the secure exchange of the symmetric key because it relies on the mathematical difficulty of computing discrete logarithms, which means that it is hard to find the private numbers a or b given the public values A or B, g, and p. Therefore, an attacker who intercepts the public values A or B cannot easily compute the shared secret key K, and thus cannot decrypt the data encrypted with K12.

The other options are not as appropriate as option B for the following reasons:

A. Implementing SSL certificates on your company’s web servers: This option is not relevant because SSL certificates are not used to exchange symmetric keys, but to authenticate the identity of the web servers and to establish a secure connection using public key encryption. SSL certificates are digital certificates that contain the public key and the identity information of the web server, and are issued and signed by a trusted certificate authority (CA). When a client connects to a web server, the web server sends its SSL certificate to the client, who verifies it with the CA. If the verification is successful, the client and the web server use the public key in the certificate to exchange a symmetric key, which is then used to encrypt and decrypt the data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve web servers or SSL certificates34.

C. Switching all data transmission to the HTTPS protocol: This option is not sufficient because HTTPS protocol is not a protocol for exchanging symmetric keys, but a protocol for securing web traffic using SSL or TLS encryption. HTTPS protocol is a combination of HTTP protocol and SSL or TLS protocol, which means that it uses HTTP for the application layer communication and SSL or TLS for the transport layer encryption. When a client requests a web page from a web server using HTTPS protocol, the client and the web server establish a secure connection using SSL or TLS protocol, which involves the exchange of SSL certificates and a symmetric key, as explained in option A. Then, the client and the web server use the symmetric key to encrypt and decrypt the HTTP data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve web servers or HTTPS protocol5 .

D. Utilizing SSH for secure remote logins to the servers: This option is not applicable because SSH is not a protocol for exchanging symmetric keys, but a protocol for securing remote access to servers using public key authentication and encryption. SSH is a protocol that allows a client to securely connect to a server and execute commands or transfer files over an encrypted channel. SSH uses public key cryptography to authenticate the identity of the server and the client, and to exchange a symmetric key, which is then used to encrypt and decrypt the data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve remote logins or SSH protocol .

In CEH v13 Module 14: Cryptography, CAST-128 is defined as a symmetric block cipher based on a Feistel structure with:

Block size of 64 bits

12 or 16 rounds, depending on key size

Uses 8×32-bit S-boxes with complex structures (including bent functions)

Operates with modular addition/subtraction, XOR, key-dependent rotations, and masking keys (Km) and rotation keys (Kr)

All features described in the scenario match the CAST-128 algorithm.

Option Clarification:

B. AES: Operates on 128-bit blocks, uses Substitution-Permutation Network (SPN), not Feistel.

C. GOST: Russian block cipher, also Feistel-based, but structure and key use differ.

D. DES: Feistel cipher with 64-bit block size, but uses 16 rounds and simpler S-boxes.

Correct answer is A. CAST-128

Bob wants Alice to verify that the message hasn’t been tampered with. This is a use case for ensuring data integrity and authenticity. The process described matches the creation of a digital signature:

Bob computes a checksum (typically a cryptographic hash) of the message.

Then, he encrypts this checksum (hash) using his own private key.

Alice receives the message and decrypts the checksum using Bob’s public key.

If the decrypted checksum matches the hash she computes from the received message, she confirms the message’s integrity and authenticity.

This is a fundamental principle of digital signatures.

Incorrect Options:

A. Alice's private key is never used by others; it's confidential.

B. Encrypting with Alice’s public key ensures confidentiality, not authenticity.

D. Bob’s public key is used by the receiver to verify authenticity, not for encryption in this context.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Digital Signatures”

Subsection: “Using Private Keys to Sign and Public Keys to Verify”

CEH Engage Lab: Email Signing and Verification

=

CEH explains that MAC flooding overwhelms a switch’s CAM table, causing it to fail open. When the table fills, the switch broadcasts frames out all ports, behaving like a hub. This exposes unicast traffic to attackers operating in promiscuous mode.

Comprehensive and Detailed Explanation:

Social engineering is a psychological manipulation technique used by attackers to trick individuals into divulging confidential or personal information that may be used for fraudulent purposes.

It relies on human interaction and may involve tactics such as:

Impersonation

Pretexting

Phishing

Baiting

Rather than attacking systems directly, attackers exploit human trust and error.

From CEH v13 Courseware:

Module 7: Social Engineering

Dragonblood allows an attacker in range of a password-protected Wi-Fi network to get the password and gain access to sensitive information like user credentials, emails and mastercard numbers. consistent with the published report:

“The WPA3 certification aims to secure Wi-Fi networks, and provides several advantages over its predecessor WPA2, like protection against offline dictionary attacks and forward secrecy. Unfortunately, we show that WPA3 is suffering from several design flaws, and analyze these flaws both theoretically and practically. Most prominently, we show that WPA3’s Simultaneous Authentication of Equals (SAE) handshake, commonly referred to as Dragonfly, is suffering from password partitioning attacks.”

Our Wi-Fi researchers at WatchGuard are educating businesses globally that WPA3 alone won’t stop the Wi-Fi hacks that allow attackers to steal information over the air (learn more in our recent blog post on the topic). These Dragonblood vulnerabilities impact alittle amount of devices that were released with WPA3 support, and makers are currently making patches available. one among the most important takeaways for businesses of all sizes is to know that a long-term fix might not be technically feasible for devices with lightweight processing capabilities like IoT and embedded systems. Businesses got to consider adding products that enable a Trusted Wireless Environment for all kinds of devices and users alike.

Recognizing that vulnerabilities like KRACK and Dragonblood require attackers to initiate these attacks by bringing an “Evil Twin” Access Point or a Rogue Access Point into a Wi-Fi environment, we’ve been that specialize in developing Wi-Fi security solutions that neutralize these threats in order that these attacks can never occur. The Trusted Wireless Environment framework protects against the “Evil Twin” Access Point and Rogue Access Point. one among these hacks is required to initiate the 2 downgrade or side-channel attacks referenced in Dragonblood.

What’s next? WPA3 is an improvement over WPA2 Wi-Fi encryption protocol, however, as we predicted, it still doesn’t provide protection from the six known Wi-Fi threat categories. It’s highly likely that we’ll see more WPA3 vulnerabilities announced within the near future.

To help reduce Wi-Fi vulnerabilities, we’re asking all of you to hitch the Trusted Wireless Environment movement and advocate for a worldwide security standard for Wi-Fi.

File system permissions

Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

DNS hijacking occurs when attackers manipulate DNS responses to redirect traffic to malicious servers. CEH v13 clearly identifies DNSSEC (Domain Name System Security Extensions) as the primary defense against such attacks.

DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify authenticity and integrity of DNS responses. Without DNSSEC, attackers can spoof DNS responses even if servers are fully patched.

Changing IP addresses and using LAMP do not address DNS trust. Patching is essential but does not prevent DNS spoofing.

CEH v13 explicitly recommends DNSSEC for preventing cache poisoning and DNS hijacking attacks, making Option C the correct answer.