312-50v13 ECCouncil Certified Ethical Hacker Exam (CEHv13) Free Practice Exam Questions (2025 Updated)

Spear-phishing is a targeted form of phishing that uses personalized and context-rich information to increase credibility. CEH emphasizes that referencing specific internal projects, financial data, or organizational events significantly raises the success rate when attacking high-value targets such as executives. This tailored approach avoids suspicion and exploits trust more effectively than broad or generic phishing attempts.

A hybrid attack combines a dictionary and brute-force approach. Given that:

Passwords are required to be complex

Users still often choose predictable variations (e.g., Password123!, Welcome@2024)

A hybrid attack is best suited because it applies common mutations to known words—much faster than full brute force and more effective than a plain dictionary attack.

From CEH v13 Courseware:

Module 6: Password Cracking → Attack Techniques

CEH v13 Study Guide states:

“Hybrid attacks combine the speed of dictionary attacks with some of the thoroughness of brute-force. It’s ideal when users use complex but predictable passwords.”

Incorrect Options:

A: Online attacks are slow and may trigger account lockouts.

B: Plain dictionary attacks won’t cover variations like “P@ssw0rd!”

C: Brute-force would be too slow for complex passwords.

The command in question:

wget 192.168.0.15 -q -S

wget is a command-line utility used to retrieve files via HTTP, HTTPS, or FTP.

-q (quiet mode): Suppresses output, except for errors.

-S: Displays the server response headers (even in quiet mode).

In this case, wget is being used to connect to the specified web server (192.168.0.15) and retrieve the HTTP response headers — such as the Server field (e.g., Apache, Nginx), HTTP status codes, and other metadata.

This is a classic example of banner grabbing — the process of capturing metadata (often from headers) to identify the software, version, or configuration of a service.

Incorrect Options:

A. Content enumeration would require directory brute-forcing tools like DirBuster or Gobuster.

C. DoS attacks require high volumes of traffic or specially crafted packets; wget with a single request does not perform flooding.

D. Downloading full site contents would involve options like -r (recursive) or --mirror, which are not used in this command.

Reference – CEH v13 Official Courseware:

Module 03: Scanning Networks

Section: “Banner Grabbing”

Tool Reference: wget, netcat, telnet, curl for banner enumeration

https://blog.mailfence.com/how-do-digital-signatures-work/

https://en.wikipedia.org/wiki/Digital_signature

A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. It's the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent security. A digital signature is intended to solve the problem of tampering and impersonation in digital communications.

Digital signatures can provide evidence of origin, identity, and status of electronic documents, transactions, or digital messages. Signers can also use them to acknowledge informed consent.

Digital signatures are based on public-key cryptography, also known as asymmetric cryptography. Two keys are generated using a public key algorithm, such as RSA (Rivest-Shamir-Adleman), creating a mathematically linked pair of keys, one private and one public.

Digital signatures work through public-key cryptography's two mutually authenticating cryptographic keys. The individual who creates the digital signature uses a private key to encrypt signature-related data, while the only way to decrypt that data is with the signer's public key.

CEH teaches that unrestricted file upload vulnerabilities are among the most dangerous in web applications because they allow attackers to bypass extension checks and upload malicious executable files. When the server fails to validate MIME types, file extensions, or execution permissions, an attacker can upload a web shell disguised as a harmless file, such as “image.php.jpg,” which may pass superficial validation and still be executed by the server’s interpreter. Once executed, the shell provides the attacker with command execution capabilities, allowing full control over the system. CEH emphasizes that web shells can enable privilege escalation, database compromise, lateral movement, or full server takeover. Unlike SQL injection or XSS, file upload exploitation directly affects server-side execution, making it significantly more severe. Unrestricted upload flaws are commonly tested in CEH labs with tools like Burp Suite to alter content-type headers or bypass client-side filters. This is a high-impact vulnerability requiring strict validation and sandboxing controls.

CEH courseware describes rootkits as specialized malware designed to conceal their presence while providing persistent, unauthorized access to system-level functions. Rootkits typically modify low-level components of the operating system—such as kernel modules, drivers, or system processes—to hide files, processes, registry keys, and network connections. Their primary purpose is to grant attackers administrative privileges without triggering alerts, making them extremely stealthy and dangerous. CEH emphasizes that rootkits often accompany other malware to maintain long-term control after initial compromise. In contrast, viruses replicate by attaching to files, keyloggers record keystrokes but do not hide system-level access, and ransomware encrypts data rather than conceals operations. The defining characteristics in this scenario—cloaking activity, providing admin-level control, persisting undetected—are directly aligned with rootkit behavior as described in CEH training material.

The CEH web server attack methodology describes reconnaissance as a key phase, where testers gather publicly available information before attempting exploitation. Robots.txt is commonly used by administrators to instruct web crawlers about which directories should not be indexed. CEH emphasizes that attackers regularly review robots.txt because it often exposes sensitive directories unintentionally, providing valuable intelligence about internal structure, configuration paths, administrative pages, and potential weak points. In this scenario, the tester observes “Disallow” entries and then discovers the directories are not protected by authentication, allowing direct access to sensitive files. This falls under information gathering through exposed indexing instructions rather than directory traversal, which involves path-manipulation exploits. The tester is not altering file paths or inserting traversal sequences; instead, they are reviewing publicly available indexing instructions and discovering misconfigured access controls. This perfectly aligns with the reconnaissance phase of the CEH methodology, where attackers learn about server architecture using passive or minimally intrusive techniques.

CEH methodology emphasizes validating and researching identified vulnerabilities to determine exploitability, patch status, and business impact. Even medium-risk findings require investigation to assess their real severity.

To start the Computer Management Console from command line just type compmgmt.msc /computer:computername in your run box or at the command line and it should automatically open the Computer Management console.

In order to circumvent network protection tools, cybercriminals may forge a TCP session more efficiently by submitting a bogus SYN packet, a series of ACK packets, and at least one RST (reset) or FIN (connection termination) packet. This tactic allows crooks to get around defenses that only keep tabs on incoming traffic rather than analyzing return traffic.

CEH v13 identifies URL parameters used in dynamic SQL queries as common injection points. When user-controlled values are passed directly into database queries without validation, attackers can manipulate query logic. Injecting a test payload such as 1 OR 1=1 into the userID parameter is a standard method to determine whether the application concatenates input into SQL statements. If the page displays all user orders instead of only the authenticated user's orders, this confirms SQL injection. CEH teaches that conditional tautologies are one of the safest and most reliable ways to probe SQL vulnerabilities, especially in GET parameters. JavaScript injection (Option A) tests XSS, not SQLi. Directory traversal (Option C) targets filesystem issues, not database logic. Brute-forcing user credentials (Option D) does not test query sanitization. Therefore, modifying the userID parameter with a SQL injection payload is the correct CEH-aligned method.

SQL Injection is a type of attack that exploits a vulnerability in a web application that uses a SQL database. The attacker injects malicious SQL code into the user input, such as a login form, that is then executed by the database server. This can allow the attacker to access, modify, or delete data, or execute commands on the database server.

The ‘UNION’ SQL keyword is often used in SQL Injection attacks to combine the results of two or more SELECT statements into a single result set. This can allow the attacker to retrieve additional data from other tables or columns that are not intended to be displayed by the application. For example, if the application uses the following query to check the user credentials:

SELECT * FROM users WHERE username = '$username' AND password = '$password'

The attacker can inject a ‘UNION’ statement to append another query, such as:

' OR 1 = 1 UNION SELECT * FROM credit_cards --

This will result in the following query being executed by the database server:

SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND password = '$password'

The first part of the query will always return true, and the second part of the query will return the data from the credit_cards table. The ‘–’ symbol is a comment that will ignore the rest of the query. The attacker can then see the credit card information in the application’s response.

However, some web applications implement security measures to prevent SQL Injection attacks, such as filtering special characters in user inputs. Special characters are symbols that have a special meaning in SQL, such as quotes, semicolons, dashes, etc. By filtering or escaping these characters, the application can prevent the attacker from injecting malicious SQL code. For example, if the application replaces single quotes with two single quotes, the previous injection attempt will fail, as the query will become:

SELECT * FROM users WHERE username = '''' OR 1 = 1 UNION SELECT * FROM credit_cards --'' AND password = '$password'

This will result in a syntax error, as the query is not valid SQL.

In this challenging environment, if the hacker still intends to exploit this SQL Injection vulnerability, the strategy that he is most likely to employ is to bypass the special character filter by encoding his malicious input. Encoding is a process of transforming data into a different format, such as hexadecimal, base64, URL, etc. By encoding his input, the hacker can avoid the filter and still inject malicious SQL code. For example, if the hacker encodes his input using URL encoding, the previous injection attempt will become:

%27%20OR%201%20%3D%201%20UNION%20SELECT%20*%20FROM%20credit_cards%20--

This will result in the following query being executed by the database server, after the application decodes the input:

SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND password = '$password'

This will succeed in returning the credit card information, as the filter will not detect the special characters in the encoded input.

Therefore, the hacker is most likely to employ the strategy of bypassing the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries.

In CEH v13 Module 09: Social Engineering, spear-phishing is described as a targeted email-based attack in which malicious actors craft highly personalized emails to specific individuals within an organization.

Characteristics from the scenario:

The attacker sends a fraudulent email to an employee.

The email contains a malicious attachment.

Once opened, malware is installed, targeting ICS/SCADA components.

The attack spreads and ultimately damages industrial systems.

This is a classic spear-phishing attack used as the initial infection vector in Advanced Persistent Threats (APT) targeting industrial control systems.

Why Others Are Incorrect:

B. SMiShing: SMS-based phishing; not email-related.

C. Reconnaissance: Pre-attack information gathering, not execution.

D. HMI-based attack: Targets Human-Machine Interface devices, but that’s not how the attack started here.

In CEH v13 Module 06: Malware Threats, code emulation is defined as a technique used by modern antivirus software where a virtual CPU and memory are created to safely execute and analyze malware in a sandboxed environment.

This allows the detection engine to observe runtime behavior of suspicious code without risking the actual system.

It’s more effective than signature-based detection for catching polymorphic and obfuscated malware.

In CEH v13 Module 11: Hacking Wireless Networks, Wardriving is explained as the practice of driving around with a Wi-Fi-enabled device to detect open or vulnerable wireless networks.

Key Characteristics of Wardriving:

Involves using laptops, smartphones, or specialized devices with Wi-Fi antennas.

Tools like NetStumbler, Kismet, or WiGLE may be used.

Often includes GPS tagging of discovered networks.

Used to identify unsecured access points for later exploitation.

Option Clarification:

A. GPS mapping: May be used with wardriving, but not the act itself.

B. Spectrum analysis: Measures RF spectrum usage; not network discovery.

C. Wardriving: Correct – searching for Wi-Fi networks while driving.

D. Wireless sniffing: Captures traffic; can happen during wardriving, but broader in scope.

In an SOA (Start of Authority) record, the fifth value represents the “Expire” interval — the time a secondary DNS server will keep trying to contact the primary server before considering the zone data stale or invalid.

SOA Format:

SOA Primary-NS Hostmaster (Serial Refresh Retry Expire Minimum-TTL)

Given SOA:

(200302028 3600 3600 604800 3600)

Serial: 200302028

Refresh: 3600 seconds

Retry: 3600 seconds

Expire: 604800 seconds = 7 days = 1 week

Minimum TTL: 3600

So, if the secondary DNS cannot contact the primary for 604800 seconds (1 week), it will stop serving that zone’s data.

Blind SQL Injection is a type of SQL injection attack where no error messages or data are directly returned to the attacker. Instead, the attacker sends specially crafted SQL queries that result in true or false responses. Based on how the application responds (such as redirecting to a different page or loading time), the attacker infers information about the backend database.

According to CEH v13:

Blind SQLi is used when standard SQL injection yields no visible output.

It comes in two forms:

Boolean-based: Infers information based on application behavior.

Time-based: Infers information based on server response time delays.

Incorrect Options:

A. Time-based SQLi is a sub-type of Blind SQLi, but the question describes Boolean-based behavior.

B. Union SQL injection uses the UNION keyword to fetch additional rows; requires visible output.

C. Error-based SQL injection relies on database error messages.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Types of SQL Injection”

Subsection: “Blind SQL Injection (Boolean and Time-Based)”

===========

In the context of security testing, test automation plays a critical role in improving the speed and consistency of testing activities. However, it cannot entirely replace manual testing because certain security vulnerabilities—especially logic flaws or issues with session management—often require human intuition and contextual understanding.

According to CEH v13 Official Courseware – Module 05 (Vulnerability Analysis), and confirmed in the CEH v13 Study Guide, automated testing is best suited for:

Repetitive benchmark tests

Regression testing

Scanning for known vulnerabilities

Ensuring consistency across environments

However, manual testing is still essential for:

Business logic testing

Security misconfiguration identification

Discovering zero-day flaws

The honey trap is a technique where an attacker targets a person online by pretending to be an attractive person and then begins a fake online relationship to obtain confidential information about the target company. In this technique, the victim is an insider who possesses critical information about the target organization.

Baiting is a technique in which attackers offer end users something alluring in exchange for

important information such as login details and other sensitive data. This technique relies on

the curiosity and greed of the end-users. Attackers perform this technique by leaving a physical

device such as a USB flash drive containing malicious files in locations where people can easily

find them, such as parking lots, elevators, and bathrooms. This physical device is labeled with a

legitimate company's logo, thereby tricking end-users into trusting it and opening it on their

systems. Once the victim connects and opens the device, a malicious file downloads. It infects

the system and allows the attacker to take control.

For example, an attacker leaves some bait in the form of a USB drive in the elevator with the

label "Employee Salary Information 2019" and a legitimate company's logo. Out of curiosity and

greed, the victim picks up the device and opens it up on their system, which downloads the

bait. Once the bait is downloaded, a piece of malicious software installs on the victim's system,

giving the attacker access.

Out-of-band SQL injection occurs when an attacker is unable to use an equivalent channel to launch the attack and gather results. … Out-of-band SQLi techniques would believe the database server’s ability to form DNS or HTTP requests to deliver data to an attacker. Out-of-band SQL injection is not very common, mostly because it depends on features being enabled on the database server being used by the web application. Out-of-band SQL injection occurs when an attacker is unable to use the same channel to launch the attack and gather results.

Out-of-band techniques, offer an attacker an alternative to inferential time-based techniques, especially if the server responses are not very stable (making an inferential time-based attack unreliable).

Out-of-band SQLi techniques would rely on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls; as well as Oracle Database’s UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.

To ensure both confidentiality and non-repudiation for secure email communication, you need to use a combination of symmetric and asymmetric cryptography. Symmetric encryption is a method of encrypting and decrypting data using the same secret key, which is faster and more efficient than asymmetric encryption. Asymmetric encryption is a method of encrypting and decrypting data using a pair of keys: a public key and a private key, which are mathematically related but not identical. Asymmetric encryption can provide authentication, integrity, and non-repudiation, as well as key distribution.

The cryptographic technique that would best serve the purpose is to apply asymmetric encryption with RSA and use the private key for signing. RSA is a widely used algorithm for asymmetric encryption, which is based on the difficulty of factoring large numbers. RSA can be used to encrypt data, as well as to generate digital signatures, which are a way of proving the identity and authenticity of the sender and the integrity of the message.

The steps to implement this technique are as follows1:

Generate a pair of keys for each user: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret and protected by the user.

When a user wants to send an email to another user, they first encrypt the email content with a symmetric key, such as AES, which is a strong and efficient algorithm for symmetric encryption. The symmetric key is then encrypted with the recipient’s public key, using RSA. The encrypted email and the encrypted symmetric key are then sent to the recipient.

The sender also generates a digital signature for the email, using their private key and a hash function, such as SHA-256, which is a secure and widely used algorithm for generating hashes. A hash function is a mathematical function that takes any input and produces a fixed-length output, called a hash or a digest, that uniquely represents the input. A digital signature is a hash of the email that is encrypted with the sender’s private key, using RSA. The digital signature is then attached to the email and sent to the recipient.

When the recipient receives the email, they first decrypt the symmetric key with their private key, using RSA. They then use the symmetric key to decrypt the email content, using AES. They also verify the digital signature by decrypting it with the sender’s public key, using RSA, and comparing the resulting hash with the hash of the email, using the same hash function. If the hashes match, it means that the email is authentic and has not been tampered with.

Using this technique, the email communication is secure because:

The confidentiality of the email content is ensured by the symmetric encryption with AES, which is hard to break without knowing the symmetric key.

The symmetric key is also protected by the asymmetric encryption with RSA, which is hard to break without knowing the recipient’s private key.

The non-repudiation of the email is ensured by the digital signature with RSA, which is hard to forge without knowing the sender’s private key.

The digital signature also provides authentication and integrity of the email, as it proves that the email was sent by the sender and has not been altered in transit.

A honeypot may be a trap that an IT pro lays for a malicious hacker, hoping that they will interact with it during a way that gives useful intelligence. It’s one among the oldest security measures in IT, but beware: luring hackers onto your network, even on an isolated system, are often a dangerous game.

honeypot may be a good starting place: “A honeypot may be a computer or computing system intended to mimic likely targets of cyberattacks.” Often a honeypot are going to be deliberately configured with known vulnerabilities in situation to form a more tempting or obvious target for attackers. A honeypot won’t contain production data or participate in legitimate traffic on your network — that’s how you’ll tell anything happening within it’s a results of an attack. If someone’s stopping by, they’re up to no good.

That definition covers a various array of systems, from bare-bones virtual machines that only offer a couple of vulnerable systems to ornately constructed fake networks spanning multiple servers. and therefore the goals of these who build honeypots can vary widely also , starting from defense thorough to academic research. additionally , there’s now an entire marketing category of deception technology that, while not meeting the strict definition of a honeypot, is certainly within the same family. But we’ll get thereto during a moment.

honeypots aim to permit close analysis of how hackers do their dirty work. The team controlling the honeypot can watch the techniques hackers use to infiltrate systems, escalate privileges, and otherwise run amok through target networks. These sorts of honeypots are found out by security companies, academics, and government agencies looking to look at the threat landscape. Their creators could also be curious about learning what kind of attacks are out there, getting details on how specific sorts of attacks work, or maybe trying to lure a specific hackers within the hopes of tracing the attack back to its source. These systems are often inbuilt fully isolated lab environments, which ensures that any breaches don’t end in non-honeypot machines falling prey to attacks.

Production honeypots, on the opposite hand, are usually deployed in proximity to some organization’s production infrastructure, though measures are taken to isolate it the maximum amount as possible. These honeypots often serve both as bait to distract hackers who could also be trying to interrupt into that organization’s network, keeping them faraway from valuable data or services; they will also function a canary within the coalpit , indicating that attacks are underway and are a minimum of partially succeeding.

Types of Password Attacks - Active Online Attacks: Internal Monologue Attack Attackers perform an internal monologue(獨自) attack using SSPI (Security Support Provider Interface) from a user-mode application, where a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on user.Attacker disables the security controls of NetNTLMv1, extracts all the non-network logon tokens from all the active processes to masquerade as legitimate users. (P.594/578)

Lock-in reflects the inability of the client to migrate from one CSP to another or in-house systems owing to the lack of tools, procedures, standard data formats, applications, and service portability. This threat is related to the inappropriate selection of a CSP, incomplete and non-transparent terms of use, lack of standard mechanisms, etc. (P.2884/2868)

https://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.html

Since this question refers specifically to analyzing a wireless network, it is obvious that we need an option with AirPcap (Riverbed AirPcap USB-based adapters capture 802.11 wireless traffic for analysis). Since it works with two traffic analyzers SteelCentral Packet Analyzer (Cascade Pilot) or Wireshark, the correct option would be "Wireshark with Airpcap."

NOTE: AirPcap adapters no longer available for sale effective January 1, 2018, but a question on this topic may occur on your exam.

===========

https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html

Fileless malware can easily evade various security controls, organizations need to focus on monitoring, detecting, and preventing malicious activities instead of using traditional approaches such as scanning for malware through file signatures.Also known as non-malware, infects legitimate software, applications, and other protocols existing in the system to perform various malicious activities.It resides in the system’s RAM. It injects malicious code into the running processes. (P.966/950)

The hosts file on a computer maps domain names to IP addresses locally. By modifying this file, an attacker can redirect traffic destined for legitimate sites (e.g., www.MyPersonalBank.com) to malicious IP addresses (e.g., a phishing server).

The hosts file takes precedence over DNS queries, making it a simple but powerful tool for local redirection.

Windows hosts file location: C:\Windows\System32\drivers\etc\hosts

Linux/Unix hosts file location: /etc/hosts

Reference – CEH v13 Official Study Guide:

Module 6: Malware Threats

Quote:

“Attackers can redirect users to phishing or malware sites by altering the local hosts file, bypassing DNS resolution.”

Incorrect Options:

A. boot.ini is for boot configuration, not DNS resolution.

B. sudoers controls administrative privileges in Linux.

C. networks is for defining network names, not URL resolution.

===========

CEH v13 states that DNS server hijacking occurs when attackers compromise the authoritative DNS infrastructure and alter DNS zone records to redirect all legitimate queries to malicious destinations. Unlike DNS cache poisoning, which affects specific resolvers temporarily, server hijacking manipulates the core DNS authority controlling the domain. This results in a complete redirect for all users, regardless of geographic location or device configuration. CEH emphasizes that such attacks can lead to large-scale credential theft, phishing, financial fraud, and session compromise because the attacker presents an identical clone site while retaining full control of DNS routing. DNS tunneling is used for covert data exfiltration and does not redirect traffic. DNS rebinding targets browser policies, not global DNS redirection. DNS amplification is a volumetric DDoS technique unrelated to zone manipulation. The scenario matches DNS server hijacking exactly.