ECCouncil 312-50v13 - Certified Ethical Hacker Exam (CEHv13)

The Certified Ethical Hacker (CEH) Social Engineering module defines whaling as a highly targeted phishing attack aimed specifically at senior executives or high-ranking personnel.

This scenario exhibits all whaling characteristics: personalization, impersonation of leadership, business-themed content, and tailored malware delivery.

Option D is correct.

Option A involves copying legitimate emails, but does not necessarily target executives.

Option B lacks targeting.

Option C is unrelated to email-based attacks.

CEH stresses executive awareness training to counter whaling attacks.

The correct answer is B. Known-plaintext attack because the scenario explicitly provides paired samples of plaintext and ciphertext for the same underlying data. In a known-plaintext attack, the analyst possesses one or more examples where the original message (plaintext) is known and the corresponding encrypted output (ciphertext) is also available. These pairs can be used to analyze the cipher’s behavior, validate hypotheses about modes/parameters, and—depending on the algorithm, implementation weaknesses, and key management—attempt to recover the encryption key or decrypt other ciphertexts encrypted under the same key.

Here, Evelyn has “original template records (standard headers and form fields)” and their “encrypted counterparts” in the stolen backup set. Medical record formats commonly contain predictable structures (fixed headers, repeated field names, standardized forms), which increases the likelihood of having accurate known plaintext segments. With enough known plaintext/ciphertext pairs, an attacker may identify patterns caused by weak encryption choices, reused keys, reused IVs/nonces, insecure modes (e.g., ECB revealing structure), or flawed custom crypto. Even when strong algorithms are used, known-plaintext material can still be valuable for confirming the encryption scheme and detecting implementation errors.

Why the other options are not correct: Ciphertext-only assumes the attacker has only encrypted data and no plaintext examples—contradicted by the templates. Chosen-plaintext requires the ability to submit arbitrary plaintexts to an encryption oracle and receive ciphertexts, which the scenario does not indicate. Chosen-ciphertext requires the ability to submit ciphertexts to a decryption oracle and observe outputs, also not described.

Because Evelyn has real, matching plaintext-ciphertext pairs from the same dataset, the most appropriate cryptanalytic approach is a known-plaintext attack.

According to CEH v13 Security Operations and Incident Response, zero-day vulnerabilities pose one of the highest operational risks because exploits exist before official remediation is available. When active exploitation is observed and no vendor patch exists, immediate compensating controls must be deployed.

The first and most effective action is implementing virtual patching, typically through a Web Application Firewall (WAF) or Intrusion Prevention System (IPS). CEH v13 defines virtual patching as a security measure that blocks exploitation attempts at the network or application layer without modifying the vulnerable software. This approach allows organizations to maintain service availability while reducing exposure.

Shutting down the server (Option A) may prevent exploitation but introduces unacceptable business disruption and is not recommended as a first response. Backups and incident response planning (Option C) are critical but do not actively prevent exploitation. Passive monitoring (Option D) allows attackers to continue exploiting the vulnerability unchecked.

CEH v13 emphasizes that virtual patching is the preferred first response for zero-day threats, especially when systems are mission-critical. It provides immediate risk reduction while allowing time for vendor patch development and controlled deployment.

CEH v13 defines a Trojan as malware that appears as a legitimate, trusted software application while secretly executing malicious actions behind the scenes. Trojans rely on deception rather than replication, often masquerading as tools, utilities, updates, or installers. Once executed, they may install backdoors, steal credentials, exfiltrate data, or modify system settings. The defining characteristic emphasized in CEH is the legitimate-looking façade combined with hidden malicious intent, which matches the scenario perfectly. Spyware (Option B) focuses on monitoring and data collection but does not necessarily disguise itself as legitimate software. Worms (Option C) self-replicate across networks, which is not described here. Rootkits (Option D) hide system compromise but do not necessarily pose as legitimate software. Therefore, the malware described is a Trojan.

A FIN scan is a classic “stealth” TCP scan technique discussed in CEH network scanning methodology. Unlike a TCP Connect scan, which completes the full three-way handshake and is highly visible in logs, a FIN scan sends a TCP packet with only the FIN flag set to a target port. The scan then interprets the target’s response to infer whether the port is open or closed, without establishing a normal TCP session. This matches the scenario’s requirement to “infer port states without completing a full connection” and to keep visibility low.

The logic relies on expected TCP behavior defined for many TCP/IP stacks. For a closed port, the target typically responds with an RST packet, indicating there is no service listening. For an open port, many systems do not respond at all to an unexpected FIN packet (because it does not correspond to an existing connection). That “no response” behavior becomes the signal the tester uses to suspect the port may be open or filtered. CEH emphasizes that because FIN scans do not perform a handshake, they can be less likely to trigger certain basic connection-based logging, and they generate fewer obvious connection events than TCP Connect scans.

Option D, NULL scan, is also a stealth method, but it uses a packet with no flags set. The question specifically highlights leveraging TCP flags and is commonly mapped in CEH-style questions to FIN scanning as the representative “TCP flag stealth scan.” Option B is too generic, and option A is the most detectable. Therefore, FIN scan best aligns with the described stealth reconnaissance strategy.

CEH explains that hash functions alone, such as SHA-256, only provide integrity checks and do not verify authenticity or non-repudiation. Attackers can modify data and recompute the hash.

Digital signatures combine hashing with asymmetric cryptography, ensuring:

Integrity

Authentication

Non-repudiation

Option D is correct.

Options A and B provide confidentiality, not integrity assurance.

Option C secures communication channels, not standalone data integrity.

CEH explicitly recommends digital signatures for protecting data integrity against tampering.

CEH categorizes spear phishing as a highly targeted, research-driven social engineering technique that tailors the message to the victim’s role, responsibilities, and current organizational activities. When attackers reference specific internal projects, personnel names, vendor relationships, or operational details, the message appears authentic and bypasses normal suspicion. Executives are especially vulnerable because they routinely receive sensitive operational updates and work closely with vendors and partners, making them prime targets for tailored deception. CEH stresses that spear phishing is significantly more effective than generic phishing because personalization increases trust. Social media-based attempts and mass phishing lack specificity and raise suspicion. Impersonating the CEO over the phone is riskier and more detectable due to real-time human interaction. A targeted spear-phishing email referencing internal projects best aligns with CEH-described advanced social engineering strategy.

CEH v13 explains that Side-Channel Attacks exploit physical characteristics of cryptographic devices—such as power consumption, timing variations, electromagnetic leakage, or acoustic emissions—to infer confidential data like encryption keys. These attacks do not break the cryptographic algorithm itself but instead analyze unintended signals produced during computation. The scenario describes a classic power analysis and timing analysis attack, where the attacker monitors fluctuations during encryption operations on a smart card. CEH details how Differential Power Analysis (DPA) and Simple Power Analysis (SPA) allow attackers to extract secret keys by statistically correlating measured power traces to cryptographic operations. This type of attack is extremely dangerous because it bypasses mathematical strength and targets hardware implementation flaws. Options A, C, and D do not relate to side-channel exploitation. CEH specifically categorizes this method as observing hardware emissions to deduce secrets, making Option B the most accurate match.

The behavior described is most consistent with an unauthenticated scan. In CEH-aligned vulnerability assessment methodology, unauthenticated scanning evaluates systems from the perspective of an external or non-privileged entity. The scanner can typically identify network-reachable services, open ports, service banners, protocol fingerprints, and sometimes known vulnerabilities inferred from versions or exposed configurations. However, it cannot reliably inspect host-internal posture such as registry settings, local security policies, installed patch levels, missing hotfixes, detailed configuration baselines, or user and group policy settings because those require authenticated access to query the operating system and installed software inventory directly.

The prompt explicitly states that the results were limited to “open service ports and version banners” and that “deeper registry settings, user policies, and missing patches remain unreported.” That limitation is a hallmark of unauthenticated scanning. The additional clue that “system login prompts were never triggered” and “no credential failures were logged in the SIEM” further confirms that the scanner never attempted to authenticate to endpoints using accounts, SSH/WinRM/WMI, SMB, or agent-based credential checks. If the scan were authenticated or credentialed, you would expect authentication attempts, potential login prompts on some services, and often audit logs or SIEM events reflecting successful or failed logons.

Option C, internal scan, only describes where the scan originates, not whether credentials were used. Options B and D imply authentication and host-level interrogation, which contradicts the observed lack of credential activity and missing patch/policy visibility. Therefore, unauthenticated scanning best explains the outcome.

A logic bomb is malware or malicious code that is deliberately planted within a system and configured to execute when a specific condition is met, such as a particular date and time, a user action, or the presence or absence of a file. CEH materials describe logic bombs as condition-based triggers that can remain dormant for extended periods, producing minimal indicators until the trigger occurs. The most decisive clue in this scenario is the “scheduled task set to a specific date,” followed by abnormal behavior that appears only after that date passes. This is a textbook trigger mechanism used to activate malicious actions while avoiding early detection.

The “odd email from an unfamiliar source” suggests an initial delivery or social engineering vector, but the core behavior is the delayed activation. The later “faint increase in network activity only after the scheduled date passed” aligns with a logic bomb executing a payload such as beaconing, data exfiltration, or enabling remote access. The “unusual code traces on a dormant workstation” further supports the idea of implanted code that was inactive until triggered.

Fileless malware emphasizes execution in memory using legitimate tools such as PowerShell or WMI and is defined more by its living-off-the-land technique than by a date-based trigger. An APT describes a broader campaign style involving long-term, multi-stage intrusion, not a single defining trigger artifact. Ransomware is characterized by encryption and extortion behavior, which is not described. Therefore, the threat is best characterized as a logic bomb.

According to the CEH IDS/IPS module, false positives occur when legitimate activity is incorrectly flagged as malicious. The most common cause is overly sensitive IDS rules or thresholds.

Option D correctly identifies this issue.

Option A describes the symptom, not the root cause.

Option B is unrelated to IDS alert behavior.

Option C can cause missed detections, not excessive alerts.

CEH recommends proper tuning and baseline profiling.

This scenario describes an Android rooting approach where the attacker installs a rooting tool directly on the device as an APK and uses it to exploit vulnerabilities to gain elevated privileges. The key feature that makes this approach effective, as stated in the question, is that it works without requiring a computer connection. That aligns directly with option B: “It is an APK that can run directly on the device without a PC.”

Rooting tools packaged as APKs are effective in environments where physical access is limited to the device itself (or where connecting to a PC is impractical or would raise suspicion). Once installed, such an app can attempt privilege escalation by leveraging known weaknesses in the OS, drivers, or vendor components, aiming to obtain root-level access. From a security assessment standpoint, this demonstrates that mobile devices may be at risk if users can install untrusted applications, if the device is not fully patched, or if application controls (enterprise MDM policies, app allowlisting, unknown-sources restrictions) are weak.

The other options are inconsistent with Android APK-based rooting as described. “Tethered jailbreak” terminology applies to iOS jailbreaking, not Android rooting, and the scenario explicitly says no computer connection is required. Weak SSL validation relates to application-layer transport security issues rather than privilege escalation to root. Bluetooth pairing flaws are a different attack class and are not indicated here; the described method is an on-device exploit chain initiated by installing a rooting APK.

Therefore, the feature that makes this rooting approach effective in the scenario is B: it runs directly on the device as an APK without needing a PC.

The TCP SYN scan, also known as a Stealth Scan, is emphasized in CEH v13 Network Scanning as the most effective balance between accuracy and stealth. It sends a SYN packet and analyzes the response without completing the TCP handshake.

Because the connection is never fully established, SYN scans are less likely to be logged by applications and are harder for IDS systems to detect compared to TCP Connect scans.

FIN and ACK scans are used for firewall rule mapping and evasion, but they do not reliably enumerate services. TCP Connect scans are noisy and easily detected. Therefore, Stealth (SYN) Scan is the best choice.

The observed behavior most closely matches the Digital Signature Algorithm (DSA). The strongest indicators are: (1) a fresh random value is generated for each signature operation, and (2) the math operates in a subgroup defined by public domain parameters using modular arithmetic, and (3) signatures are verified using a public verification key, not by “decrypting” the message.

DSA is a signature-only asymmetric algorithm derived from discrete logarithm principles. It uses public domain parameters commonly represented as (p, q, g), where p is a large prime, q is a prime divisor of p−1, and g is a generator of a subgroup of order q. For each signature, DSA requires a unique per-message secret random number k. This ephemeral k is crucial: reusing it (or generating it predictably) can expose the private key. The scenario’s emphasis on “fresh random value for each signature operation” aligns directly with this core DSA requirement.

By contrast, RSA signatures can be implemented in different ways (often involving modular exponentiation with padding) and do not inherently require a fresh random per-signature secret like DSA’s k (although some padding schemes may involve randomness). Diffie-Hellman is primarily a key exchange algorithm, not a signing algorithm. ElGamal can be used for signatures and also uses randomness, but the mention of “subgroup defined by public domain parameters” and the classic per-signature random value requirement most strongly aligns with the standard description of DSA used in many security curricula and assessments.

Therefore, based on the signature process characteristics described, the best match is A. DSA.

The correct answer is B. Rogue AP because the scenario describes an unauthorized access point that has been physically connected to the internal wired network and is providing network access on the corporate VLAN without approval or inventory records. In CEH-aligned wireless security concepts, a rogue access point is any AP that is installed on an organization’s network without authorization, creating an unmanaged entry point that bypasses standard security controls. The key indicators here are: it is “previously unknown,” “neither provisioned by IT nor listed in the asset inventory,” and it is “physically connected to the hospital’s internal switch.”

The fact that the device is issuing IP addresses suggests it may be running a DHCP service or bridging into the internal network in a way that places clients directly onto the corporate VLAN. This can allow attackers to gain internal access from nearby wireless range and can also cause network instability if its DHCP responses conflict with the legitimate DHCP infrastructure. Additionally, the device “relaying internal traffic and providing remote connectivity back to an external host” points to an attacker using it as a covert foothold—effectively an unauthorized wireless bridge into the internal network and a channel for command-and-control or remote access.

Why not the other options: a misconfigured AP implies a legitimate AP deployed by IT but configured insecurely (weak encryption, default credentials, poor segmentation). A honeypot AP is typically deployed deliberately (often by defenders) to attract attackers for detection and research, not stealthy backhaul to an external host. An evil twin AP is a spoofed wireless AP that impersonates a legitimate SSID to lure victims; it does not necessarily require being physically plugged into the internal switch, and the defining trait is impersonation of a real AP/SSID. The defining trait here is unauthorized installation on the wired network, which is most directly a rogue access point.