ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

A Distributed Control System (DCS) is the best match because the scenario describes multiple automated control loops (temperature, pressure, conveyor speed) that are coordinated by a centralized supervisory network linking multiple controllers across a facility. In industrial environments, a DCS architecture distributes control functions across many controllers located near the process equipment, while supervisory control and operator interfaces coordinate and monitor the overall process. This makes DCS common in continuous and process industries such as steel, chemical, oil and gas, and manufacturing plants where many interdependent loops must operate reliably together.

The scenario’s “centralized supervisory network” is a key DCS hallmark: operators and supervisory systems (often including engineering workstations and HMIs) provide centralized monitoring, setpoints, alarms, and coordination, while the actual loop control is executed by distributed controllers. This differs from a single isolated controller or purely manual operation. The purpose is to maintain stable process control and ensure coordinated behavior across different production areas.

Why the other options don’t fit:

A manual loop (A) implies human-operated control rather than automated feedback loops. The plant is described as having “numerous automated loops,” so manual loop is incorrect.

Open loop (C) control does not use feedback from the output to adjust the input; it is not typical for precise regulation of temperature and pressure where feedback is essential.

Closed loop (D) does describe feedback-based regulation and is true of many industrial loops; however, the question asks for the OT system concept applied based on the overall facility design—specifically a supervisory network coordinating multiple controllers—pointing to the architecture (DCS) rather than the loop type.

Therefore, the correct answer is B. Distributed Control System (DCS).

CEH v13 classifies application-layer DoS attacks as the most difficult to detect and mitigate. A distributed SQL injection-based DoS exploits database query processing by overwhelming backend systems with malicious but syntactically valid requests.

Unlike volumetric attacks, this method generates low-bandwidth, high-impact traffic that appears legitimate. Traditional DDoS protections often fail to identify such traffic, especially when it targets authenticated services like online banking.

UDP floods, Smurf attacks, and ICMP-based attacks are well-known and more easily mitigated with rate limiting and filtering. Zero-day exploits cause service disruption but are not primarily DoS techniques.

CEH v13 highlights that application-layer DoS attacks blend seamlessly with normal traffic patterns, making them exceptionally challenging. Thus, option A is correct.

This activity most accurately describes a DHCP starvation attack. CEH network and sniffing coverage explains that DHCP starvation is a denial-of-service technique in which an attacker rapidly sends large numbers of DHCP requests, usually with spoofed MAC addresses, to consume all available IP addresses in the DHCP pool. Once the pool is exhausted, legitimate clients can no longer obtain valid leases, which produces exactly the symptoms described in the question: repeated address negotiation attempts, failure to receive configuration, and a burst of requests coming from a single interface. A rogue DHCP server is often paired with starvation later, but the key evidence here is the rapid exhaustion behavior rather than the distribution of malicious configurations. IRDP spoofing would manipulate gateway discovery, not primarily deplete DHCP leases, and MAC spoofing alone would not explain widespread address assignment failure across multiple hosts. CEH guidance presents DHCP starvation as both a network disruption issue and a stepping stone for further interception attacks, since denying legitimate DHCP service can set conditions for a rogue DHCP server to take over client configuration and redirect traffic.

CEH notes that cloud IAM misconfigurations can unintentionally grant broad access. If any authenticated cloud account is permitted read/write access, attackers can simply authenticate with their own cloud identity and directly interact with the misconfigured storage buckets, enabling data exfiltration or manipulation.

The Certified Ethical Hacker (CEH) Footprinting and Reconnaissance module defines Google Hacking, also known as Google Dorking, as the use of advanced search operators to uncover sensitive information unintentionally exposed on the public internet. This technique remains passive, making it ideal during early reconnaissance.

Google Hacking can reveal:

Exposed configuration files

Backup files (.bak, .old, .zip)

Error messages and stack traces

Source code fragments and scripting errors

These findings often indicate coding weaknesses or insecure configurations within a web application. CEH explicitly highlights Google Dorking as an effective way to identify web application weaknesses without scanning or exploiting the target directly.

Option C is correct because Google Hacking is commonly used to identify coding and configuration weaknesses exposed through indexed files.

Option A may be possible indirectly but is not the primary justification.

Option B is incorrect because Google does not index the Deep Web.

Option D involves internal network discovery, which Google Hacking cannot directly achieve.

CEH emphasizes Google Hacking as a powerful passive reconnaissance technique for discovering exposed vulnerabilities.

Joe’s assignment is best described as network-based vulnerability scanning because the scan is mapping open ports and active services across multiple servers and identifying weaknesses visible through network exposure, such as unnecessary services, weak encryption configurations on network services, and authentication-related flaws reachable over the network. Network-based scanning focuses on discovering and evaluating network-accessible entry points by probing hosts and services, enumerating versions/configurations, and correlating findings to known weaknesses.

The scenario highlights that the scan “identifies open ports and active services throughout the environment,” producing “a clear map of potential entry points.” That is the core outcome of network-based scanning: a view of the organization’s externally or internally reachable services, where each listening port represents a possible attack path. From there, scanners can detect issues like outdated service versions (implying missing patches), insecure protocols (e.g., weak TLS ciphers), default credentials, and exposed administrative interfaces.

Why the other options are less accurate:

External scanning (B) refers to a scan performed from outside the organization’s perimeter. The scenario says he is scanning across organizational infrastructure and focuses on multiple servers; it doesn’t specify “from the Internet,” so “external” is not the best classification.

Application scanning (C) targets web applications or specific application-layer logic (e.g., SQLi, XSS, auth bypass). Joe’s focus is broader infrastructure exposure and service/port mapping.

Host-based scanning (D) typically involves local, credentialed inspection on the host (patch inventory, local config files, registry) rather than primarily mapping ports/services across many systems. While host-based scanning is valuable, the described output is network entry-point mapping.

Therefore, the scan type that best matches Joe’s task is A. Network-based Scanning.

CEH v13 explains that fingerprinting is a core reconnaissance technique used to identify software versions, server types, and configurations by analyzing how systems respond to crafted or abnormal input. When testers send malformed HTTP verbs, unusual headers, or atypical URI structures, the server’s specific response codes, banners, and error messages reveal distinctive behavioral patterns. These patterns allow tools like httprint, Nmap NSE scripts, and custom probes to match the responses to known server profiles. This technique is part of active reconnaissance, enabling attackers to determine vulnerabilities associated with specific versions. Phishing (Option B) is unrelated to protocol analysis. Session fixation (Option C) manipulates session identifiers, not HTTP response patterns. Persistent XSS (Option D) relies on web application vulnerabilities, not server fingerprinting. Thus, the tester is performing HTTP-based server fingerprinting.

CEH v13 defines a white hat hacker as a security professional who performs authorized assessments to identify vulnerabilities and strengthen an organization’s defenses. The defining characteristic of white hat activity is the presence of formal permission—typically through a signed rules-of-engagement, scope of work, and explicit authorization from the organization. CEH emphasizes that white hats adhere to legal boundaries, follow ethical guidelines, and document findings to support remediation. They may use the same tools and methodologies as malicious hackers, but the intent and authorization distinguish them. In contrast, black hats operate without permission and with malicious intent. Grey hats act without authorization but may not have malicious motivations, making them inappropriate in a formal penetration testing engagement. Script kiddies lack professional skill and rely on pre-made tools without understanding the underlying techniques. Therefore, the hacker described is a white hat—an ethical professional performing sanctioned testing.

CEH v13 explains that cryptographic consistency is essential for secure session management. Variable token lengths can leak information about encryption methods, key sizes, or user privilege levels, making sessions vulnerable to cryptanalysis or targeted attacks.

The most effective mitigation is implementing uniform encryption strength across all roles, ensuring consistent key sizes, algorithms, and token formats. While MFA improves authentication and key rotation improves lifecycle management, neither directly resolves cryptographic inconsistency.

CEH v13 stresses that encryption should be role-agnostic and standardized. Therefore, Option C is correct.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 underscores that modern multi-vector DDoS attacks—particularly SYN floods combined with Layer 7 HTTP floods—cannot be effectively mitigated by traditional firewalls, IPS devices, or local traffic filters. These systems become overwhelmed or risk blocking legitimate clients. CEH emphasizes the use of cloud-based DDoS mitigation platforms that provide traffic scrubbing, distributed filtering, rate shaping, and automatic scaling to absorb massive volumes of malicious traffic. Such services differentiate legitimate versus malicious traffic using global intelligence, behavioral analysis, and multi-layer protection strategies. Increasing bandwidth or blocking broad traffic categories is ineffective and harmful to users. An IPS cannot scale to handle volumetric attacks. Only cloud scrubbing solutions (e.g., Cloudflare, Akamai, AWS Shield Advanced) meet CEH’s recommended defenses for high-volume distributed attacks. These services ensure continuous availability and minimize collateral damage by filtering traffic upstream before it reaches the organization ' s infrastructure.

Network Access Control (NAC) solutions often authenticate only the first device connected to a port. CEH explains that attackers can insert a rogue device behind an already authenticated host, bypassing NAC checks. This creates a transparent bridge that forwards legitimate traffic while injecting attacker-controlled communications.

CEH covers classical cryptanalytic attacks, including linear cryptanalysis, which uses statistical correlations between plaintext and ciphertext to infer bits of the secret key. If a cipher leaks structural patterns across many data samples, linear approximations can be computed to break the cipher.

In the Aircrack-ng suite referenced throughout CEH wireless hacking coverage, Aireplay-ng is the tool used to inject frames into a wireless network. The key phrase in the question is “transmit packets that force client devices to disconnect and reconnect.” That describes a deauthentication attack, where the tester sends 802.11 deauth frames to a client or to the access point, causing the client to drop its association and then reconnect. When a WPA2 client reconnects, the WPA2 four-way handshake is performed again. By forcing this reconnection, an ethical hacker can capture the handshake and later attempt password recovery in an offline process.

Airodump-ng is primarily a passive capture and monitoring tool used to list access points and clients, hop channels, and capture packets and handshakes, but it does not perform packet injection itself. Aircrack-ng is the cracking component that attempts to recover the WPA/WPA2 pre-shared key from a captured handshake using a wordlist or other offline techniques; it is not the tool that kicks clients off the network. Airbase-ng is used for creating a rogue access point or conducting evil twin style attacks, which is different from transmitting deauthentication frames to trigger a handshake.

Therefore, the tool that matches the described action of actively sending frames to force disconnect and reconnect is Aireplay-ng.

CEH v13 identifies Idle (Zombie) Scanning as one of the most stealthy reconnaissance techniques. In this method, attackers use a third-party system (the zombie) to send probes to the target, obscuring the attacker’s true identity.

Because the attacker never directly interacts with the target, detection and attribution become extremely difficult. FIN and Xmas scans are stealthy but still originate from the attacker’s IP. TCP connect scans are noisy and easily detected.

CEH v13 highlights idle scanning as the gold standard for stealth reconnaissance, making option D correct.

According to CEH v13 Cloud Computing, backup integrity and resilience are critical components of cloud security. The 3-2-1 backup model is a widely recommended best practice to mitigate unauthorized access, data corruption, and ransomware-related incidents.

The 3-2-1 rule dictates that organizations should maintain:

3 copies of critical data

Stored on 2 different media types

With 1 copy stored offsite or offline

This approach ensures that even if one backup is compromised, altered, or deleted—as described in the scenario—clean and trusted versions of the data remain available for restoration. CEH v13 emphasizes that offline or immutable backups significantly reduce the impact of malicious modification.

Option A focuses on physical security, which does not protect cloud backups. Option B addresses availability, not integrity. Option C is relevant to web application security, not backup protection.

CEH v13 explicitly highlights backup segregation and redundancy as key countermeasures against cloud data compromise. Therefore, Option D is the most direct and effective mitigation strategy.