ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 describes worms as standalone malicious programs capable of self-replication without requiring user assistance. Unlike viruses, which need a host file and are triggered typically by user actions, worms propagate autonomously by scanning networks, exploiting vulnerabilities, or copying themselves to accessible machines. Worms are known for causing rapid, widespread damage by consuming bandwidth, degrading system performance, and creating backdoors for attackers. Classic examples such as Conficker, WannaCry, and SQL Slammer reinforce the destructive potential of automated propagation. CEH stresses that worms often use network shares, open ports, or unpatched vulnerabilities to move laterally. In contrast, keyloggers harvest keystrokes, ransomware encrypts data and demands payment, and viruses require user involvement to spread. The behavior in the scenario—automatic replication across the network—is the defining characteristic of worm activity according to CEH’s malware taxonomy.

The finding most directly demonstrates insecure data transfer and storage. The scenario includes two explicit problems: (1) sensitive business records are transmitted “across the network without encryption,” and (2) the same records are “stored in a retrievable format” in the cloud platform. Those two conditions map exactly to data-in-transit and data-at-rest weaknesses. When IoT devices transmit sensitive data without encryption (e.g., plain HTTP, unprotected MQTT, insecure proprietary protocols), attackers who gain network visibility can intercept, read, and potentially modify that data. Similarly, when cloud-stored data is kept in an easily retrievable or improperly protected form (e.g., weak access controls, lack of encryption at rest, overly permissive storage buckets, exposed APIs), attackers can access business records long after transmission.

In IoT ecosystems, data typically flows from sensors to gateways, then to cloud dashboards and analytics services. If encryption and strong access control are not consistently applied across these hops, confidentiality and integrity are at risk. This can lead to competitive harm (exposed inventory/business records), privacy impact (if customer data is included), and operational disruption (tampered records leading to wrong decisions). The scenario is not about the IoT device exposing services like Telnet/FTP (network services), nor about default passwords; it is specifically about how data is transported and stored.

Why the other options are less accurate:

Insecure ecosystem interfaces (A) focuses on APIs, web/mobile apps, and cloud interfaces; while cloud storage access might involve interfaces, the core weakness described is lack of encryption and retrievable storage, which is more directly the data transfer/storage category.

Insecure network services (C) refers to exposed services/ports on IoT devices, not data confidentiality across the pipeline.

Insecure default settings (D) relates to factory defaults (passwords, open ports, insecure configs), not specifically unencrypted transport and weak storage protection.

Therefore, the correct answer is B. Insecure data transfer and storage.

This scenario describes Living-off-the-Land (LotL) malware techniques, where attackers modify or abuse legitimate system binaries and services to evade detection. CEH v13 identifies this as a highly stealthy persistence mechanism commonly used in advanced persistent threats (APTs).

The most effective countermeasure is file integrity monitoring (FIM), specifically by tracking cryptographic hashes of critical system executables. CEH v13 emphasizes that monitoring file hashes enables early detection of unauthorized modifications to binaries such as PowerShell, cmd.exe, or Windows services.

Backups (Option A) aid recovery but do not prevent or detect compromise. Antivirus updates (Option C) often fail against modified legitimate tools. Firewall hardening (Option D) reduces attack surface but does not detect tampering of trusted binaries.

CEH v13 explicitly recommends hash-based integrity verification as a core defense against stealthy persistence mechanisms. Therefore, option B is correct.

CEH notes that cloud IAM misconfigurations can unintentionally grant broad access. If any authenticated cloud account is permitted read/write access, attackers can simply authenticate with their own cloud identity and directly interact with the misconfigured storage buckets, enabling data exfiltration or manipulation.

TCP NULL scanning is a stealth scanning technique covered in CEH v13 Reconnaissance and Network Scanning. In a NULL scan, all TCP flags are set to zero. According to RFC 793 and CEH documentation, closed ports must respond with a TCP RST (Reset) packet.

If the port is open, the target typically does not respond, making this technique useful for firewall evasion. Therefore:

RST response = Closed port

No response = Open or filtered port

Other options do not apply to NULL scans:

SYN/ACK is associated with SYN scans.

ICMP errors may indicate filtering, not port state.

The correct answer is Spearphone Attack. CEH mobile platform coverage describes Spearphone as a side-channel attack in which motion sensors, such as accelerometers or gyroscopes, are abused to infer or reconstruct audio from vibrations produced by a phone’s loudspeaker. A key feature of this technique is that it may not require direct microphone access, which helps explain why no microphone permission changes or visible recording indicators appeared on the device. That detail is central to the scenario. The installed app continuously collected motion sensor data while speakerphone conversations occurred, and the information was later analyzed remotely to reconstruct acoustic content. That behavior is a textbook match for Spearphone. Android camera hijack attacks involve camera access, not speaker vibration analysis. Camfecting refers to webcam compromise, and Storm Breaker Abuse does not describe this sensor-based audio inference method. CEH materials use this example to show that seemingly low-risk sensors can still create serious privacy and espionage threats when correlated with physical effects such as sound-induced vibration. Because the attack depends on speaker-generated motion data rather than direct audio recording, Spearphone is the best answer.

The Certified Ethical Hacker (CEH) Incident Response lifecycle begins with Identification, followed by containment, eradication, recovery, and lessons learned. CEH documentation stresses that understanding the scope and nature of an incident is critical before taking disruptive action.

Option A is the correct initial response because it focuses on real-time monitoring and log analysis, which are essential during the identification phase. CEH materials emphasize analyzing logs, authentication failures, and traffic anomalies to confirm whether an incident has occurred and determine the attacker’s techniques, persistence level, and impact.

Option B, while valuable, is more appropriate after initial identification. Conducting deep outbound traffic audits without first understanding the attack vector can delay containment decisions.

Option C is premature. CEH warns that changing credentials too early may alert the attacker and cause them to escalate or destroy evidence.

Option D represents a containment strategy, not an initial response. CEH guidelines advise against immediately disconnecting systems unless there is confirmed active data exfiltration that cannot be otherwise controlled, as this may disrupt business operations and erase volatile forensic evidence.

Therefore, the CEH-approved approach is to monitor, analyze, and identify the incident before moving to containment and eradication.

This scenario illustrates physical impersonation, a social engineering tactic discussed in CEH v13 Social Engineering. The attacker exploits trust in appearance and role assumption, dressing as a network technician to gain access without challenge.

Unlike tailgating (which involves following someone), this attack relies on assumed authority and familiarity. CEH v13 categorizes this under impersonation attacks, where attackers pose as employees, contractors, or vendors.

Other options describe different social engineering vectors:

A: Phone-based pretexting

B: Dumpster diving

C: Vishing

Physical impersonation is particularly dangerous because it bypasses technical controls entirely. Option D best matches the scenario.

The best answer is BPDU Guard on edge ports. CEH network defense material explains that BPDU Guard is used on access or edge ports where end-user devices are expected, not switches. If a device connected to such a port begins sending Bridge Protocol Data Units, the switch treats that as an abnormal condition and can shut the port down or place it in an error-disabled state. This prevents unauthorized or misconfigured devices from participating in spanning-tree and influencing root bridge election or topology decisions. That matches the scenario, where a newly connected device introduced a more favorable bridge priority and triggered spanning-tree recalculations. Root Guard is also related to protecting spanning-tree hierarchy, but it is typically applied where you want to prevent a downstream switch from becoming root while still allowing BPDU participation under controlled conditions. CEH exam framing usually expects BPDU Guard when the threat originates from an end-host-facing access port in a conference room or office edge location. Because the goal is to stop unauthorized edge-connected devices from affecting spanning-tree at all, enabling BPDU Guard on edge ports is the most appropriate control.

CEH v13 defines a penetration tester as an authorized security professional whose responsibility is to identify, exploit, and report vulnerabilities within an organization’s systems, networks, applications, and processes. Unlike malicious hackers, penetration testers operate strictly within legal boundaries, under documented Rules of Engagement (RoE), and with explicit written permission from the organization. Their goal is not to harm systems but to simulate real-world cyberattacks to help organizations strengthen their defenses. CEH emphasizes the ethical responsibilities of penetration testers, including maintaining confidentiality, avoiding unauthorized data exposure, ensuring minimal operational impact, and providing actionable recommendations. Options B, C, and D describe malicious actors, malware authors, or unauthorized attackers—roles opposite to that of an ethical penetration tester. CEH makes a strong distinction between white-hat ethical hackers and black-hat attackers, with penetration testers firmly falling under the ethical, lawful category. Therefore, Option A accurately reflects CEH’s definition of a penetration tester.

The correct answer is A. Call Spoofing because the defining behavior in the scenario is manipulating the caller ID information so that the victim’s phone displays a trusted number—specifically, the credit union’s official line. In CEH-aligned social engineering and mobile attack discussions, call spoofing is a technique where an attacker falsifies caller ID data to impersonate a legitimate organization, department, or known contact. This increases credibility and exploits human trust in recognized numbers, making victims more likely to comply with sensitive requests such as disclosing usernames, passwords, or one-time codes.

The attack is also a form of vishing (voice phishing), where the attacker uses phone calls and persuasive pretexts (“mandatory security check”) to trick employees into revealing credentials. The success factor here is the authority and legitimacy signal created by the spoofed number. When staff see what appears to be an official institutional phone number, they are more likely to assume the call is authentic and bypass normal verification steps, especially under time pressure or when framed as a security requirement.

Why the other options are incorrect: OTP hijacking refers to stealing or intercepting one-time passwords (for example via SIM swap, malware, or social engineering focused specifically on MFA/OTP codes). While the attacker could ask for OTPs, the scenario’s core mechanism is the spoofed caller ID, not OTP interception. Bluebugging is a Bluetooth-based attack that gains unauthorized control over a device through Bluetooth vulnerabilities; it is unrelated to caller ID impersonation. SMiShing is phishing via SMS/text messages, not a voice call.

Therefore, the mobile attack vector demonstrated—displaying a trusted institutional number to deceive employees during a credential-harvesting call—is call spoofing.

Packet fragmentation is a well-documented IDS evasion technique in CEH v13 Network and Perimeter Hacking. Attackers fragment packets to evade detection by overwhelming or confusing intrusion detection systems, especially those that rely on simple pattern matching.

CEH v13 explains that anomaly-based IDS systems are particularly effective against evasion techniques like packet fragmentation because they analyze deviations from normal network behavior, rather than relying on static signatures. Fragmented packets often create unusual traffic patterns, abnormal packet sizes, or irregular reassembly behavior, which anomaly-based systems are designed to detect.

Signature-based IDS solutions struggle against fragmentation because attackers can split malicious payloads across multiple packets in ways that bypass predefined signatures. Rejecting all fragmented packets (Option C) is impractical and could disrupt legitimate network communication, as fragmentation is a normal part of TCP/IP networking.

Recognizing regular intervals (Option A) is unreliable, as attackers can randomize packet timing. CEH v13 clearly recommends anomaly-based detection to counter advanced evasion techniques.

Thus, Option B is the most effective and CEH-aligned IDS configuration.

The CEH web server attack methodology describes reconnaissance as a key phase, where testers gather publicly available information before attempting exploitation. Robots.txt is commonly used by administrators to instruct web crawlers about which directories should not be indexed. CEH emphasizes that attackers regularly review robots.txt because it often exposes sensitive directories unintentionally, providing valuable intelligence about internal structure, configuration paths, administrative pages, and potential weak points. In this scenario, the tester observes “Disallow” entries and then discovers the directories are not protected by authentication, allowing direct access to sensitive files. This falls under information gathering through exposed indexing instructions rather than directory traversal, which involves path-manipulation exploits. The tester is not altering file paths or inserting traversal sequences; instead, they are reviewing publicly available indexing instructions and discovering misconfigured access controls. This perfectly aligns with the reconnaissance phase of the CEH methodology, where attackers learn about server architecture using passive or minimally intrusive techniques.

Password cracking is a core component of the system hacking phase. CEH materials highlight that once password hashes are obtained, attackers often perform offline cracking to avoid detection and bypass account lockout policies. Tools like Hashcat make use of hardware acceleration—specifically, GPU or multi-core CPU computing—to significantly increase cracking throughput. Hardware acceleration allows the system to perform thousands to millions of hash calculations simultaneously, dramatically improving cracking efficiency compared to traditional CPU-bound methods. While dumping SAM contents is part of credential extraction, it is not the optimization described in the scenario. Dictionary rules influence cracking strategy but not raw speed. NetBIOS spoofing is unrelated to password cracking. The emphasis here is on maximizing computational power to accelerate the hash-cracking process, aligning directly with CEH’s explanation of hardware-accelerated offline cracking techniques.

The highest-priority proactive control “to embed into the organization’s development lifecycle” is including quantum-resistance checks in the SDLC and code review processes. The scenario emphasizes a company-wide, long-term risk reduction strategy while development continues on a major refactor. In that context, the most scalable and durable control is governance and engineering hygiene: ensuring that new features and refactored components do not reintroduce weak or legacy cryptography and that teams consistently select algorithms and key sizes aligned with modern guidance and future migration plans.

Embedding checks into the SDLC means instituting standards and guardrails such as approved cryptographic libraries, banned algorithm lists (e.g., legacy RSA key sizes, deprecated curves, weak hashes), cryptography design reviews, automated dependency scanning for crypto usage, and CI/CD policy gates that flag noncompliant implementations. This approach reduces “crypto sprawl,” prevents new technical debt, and creates a structured path to transition toward post-quantum or quantum-resistant approaches as the organization modernizes systems.

Why the other choices are not the best “highest priority” SDLC-embedded control:

Encrypt stored data with quantum-resistant algorithms (B) may be appropriate for protecting long-lived sensitive data (“harvest now, decrypt later”), but it is a targeted technical control and may not be feasible immediately across many services during refactoring. It also does not by itself prevent developers from continuing to implement legacy public-key schemes elsewhere.

Quantum-specific firewalls (C) is not a realistic or standard control for post-quantum readiness in typical enterprise environments.

Fragmenting data across locations (D) can help resilience/confidentiality in some designs but does not address the core issue: preventing continued reliance on weak public-key cryptography.

Therefore, the best answer is A. Include quantum-resistance checks in SDLC and code review processes.