312-50v13 ECCouncil Certified Ethical Hacker Exam (CEHv13) Free Practice Exam Questions (2026 Updated)

The correct answer is A. Call Spoofing because the defining behavior in the scenario is manipulating the caller ID information so that the victim’s phone displays a trusted number—specifically, the credit union’s official line. In CEH-aligned social engineering and mobile attack discussions, call spoofing is a technique where an attacker falsifies caller ID data to impersonate a legitimate organization, department, or known contact. This increases credibility and exploits human trust in recognized numbers, making victims more likely to comply with sensitive requests such as disclosing usernames, passwords, or one-time codes.

The attack is also a form of vishing (voice phishing), where the attacker uses phone calls and persuasive pretexts (“mandatory security check”) to trick employees into revealing credentials. The success factor here is the authority and legitimacy signal created by the spoofed number. When staff see what appears to be an official institutional phone number, they are more likely to assume the call is authentic and bypass normal verification steps, especially under time pressure or when framed as a security requirement.

Why the other options are incorrect: OTP hijacking refers to stealing or intercepting one-time passwords (for example via SIM swap, malware, or social engineering focused specifically on MFA/OTP codes). While the attacker could ask for OTPs, the scenario’s core mechanism is the spoofed caller ID, not OTP interception. Bluebugging is a Bluetooth-based attack that gains unauthorized control over a device through Bluetooth vulnerabilities; it is unrelated to caller ID impersonation. SMiShing is phishing via SMS/text messages, not a voice call.

Therefore, the mobile attack vector demonstrated—displaying a trusted institutional number to deceive employees during a credential-harvesting call—is call spoofing.

The method described—sending TCP packets with no flags set—is a NULL scan. In TCP header terminology, a NULL packet has all control flags cleared (no SYN, ACK, FIN, RST, PSH, URG). The scanner then interprets the target’s response behavior to infer port state. Traditionally, for many TCP/IP stacks, a closed port responds with RST, while an open port may respond with no reply (silence) because the packet does not correspond to any valid state in the TCP state machine. This behavior can vary by OS and filtering devices, but the defining characteristic is the “no flags” probe.

The scenario also highlights stealth: compared to a TCP connect scan, which completes a full three-way handshake and is easily logged, NULL scans can be less conspicuous because they avoid a normal connection setup. Some intrusion detection systems focus heavily on repeated SYN handshakes or completed connections; unusual flag scans may slip through weak detection, though modern IDS/IPS can still detect them.

Why the other options are incorrect:

TCP Connect Scan (A) uses the operating system’s connect() call to establish a full TCP connection; it is not a “no flags” technique and is generally noisier.

FIN Scan (B) sends packets with the FIN flag set; it is a different “stealth” scan type, but not “no flags.”

ACK Scan (D) sends packets with the ACK flag set and is typically used to map firewall rules (filtered vs unfiltered), not to determine open vs closed ports in the same way, and again it is not “no flags.”

Therefore, the scanning method is C. NULL Scan.

In CEH v13 Information Security and Ethical Hacking Overview, script kiddies are defined as individuals with limited technical knowledge who rely on pre-written tools, scripts, and exploits created by others to carry out attacks. They typically lack a deep understanding of how the underlying exploits work.

CEH v13 categorizes attackers based on skill level and intent. Script kiddies sit at the lower end of the skill spectrum. They often download exploit kits, automated scanners, or attack frameworks and run them with minimal customization. While their attacks may be unsophisticated, they can still cause damage due to the availability of powerful tools.

Option B accurately reflects this definition. Options A and D describe skilled attackers or programmers, which contradicts the CEH classification. Option C is incorrect because ethical hackers use tools responsibly with authorization and possess a strong understanding of security principles.

CEH v13 emphasizes that although script kiddies are less skilled, they pose a risk because automation allows them to exploit known vulnerabilities at scale. This is why organizations must patch systems promptly and implement baseline security controls.

Thus, Option B is the correct answer.

CEH v13 emphasizes that after identifying vulnerabilities during scanning, testers must validate findings to determine real impact and eliminate false positives. This requires safe, controlled exploitation using approved tools such as Metasploit, Nikto, or custom proof-of-concept scripts. Misconfigurations labeled as medium-risk may still provide privilege escalation, data exposure, or footholds for further attacks. CEH methodology reinforces that exploitation should always follow the scope and rules of engagement and should avoid disruptive activities like brute-forcing or DoS attacks unless explicitly authorized. Ignoring the vulnerabilities is never acceptable in a professional assessment. Verifying the issue helps the organization prioritize remediation using evidence-based results. Therefore, the correct next step is to verify the vulnerability through controlled exploitation.

This scenario clearly describes the need for Time-Based Blind SQL Injection, an advanced SQL injection technique covered in the CEH v13 Web Application Hacking module. Blind SQL injection is used when an application does not return database errors or visible output, making traditional techniques ineffective.

According to CEH v13, Time-Based Blind SQL Injection is particularly useful when:

The backend database type is unknown

Error messages are suppressed

UNION queries fail

No direct data is returned in responses

In this technique, attackers inject SQL statements that deliberately introduce time delays using database-specific functions such as SLEEP(), WAITFOR DELAY, or BENCHMARK(). The ethical hacker then observes the application’s response time to determine whether the injected condition is true or false.

For example:

' OR IF(1=1, SLEEP(5), 0) --

If the application response is delayed, it confirms that the injected SQL statement was executed successfully. CEH v13 categorizes this method as behavioral-based inference, where the attacker extracts information one bit at a time by analyzing timing differences.

Other options are incorrect because:

Content-Based Blind SQL Injection relies on visible differences in responses, which the question states are unavailable.

Union-Based SQL Injection requires knowing column count and data types.

Error-Based SQL Injection depends on database error messages being displayed.

CEH v13 emphasizes Time-Based Blind SQL Injection as a last-resort yet highly effective technique when dealing with hardened applications that suppress output, making it a frequent exam-tested concept.

This scenario describes Living-off-the-Land (LotL) malware techniques, where attackers modify or abuse legitimate system binaries and services to evade detection. CEH v13 identifies this as a highly stealthy persistence mechanism commonly used in advanced persistent threats (APTs).

The most effective countermeasure is file integrity monitoring (FIM), specifically by tracking cryptographic hashes of critical system executables. CEH v13 emphasizes that monitoring file hashes enables early detection of unauthorized modifications to binaries such as PowerShell, cmd.exe, or Windows services.

Backups (Option A) aid recovery but do not prevent or detect compromise. Antivirus updates (Option C) often fail against modified legitimate tools. Firewall hardening (Option D) reduces attack surface but does not detect tampering of trusted binaries.

CEH v13 explicitly recommends hash-based integrity verification as a core defense against stealthy persistence mechanisms. Therefore, option B is correct.

CEH v13 explains that reflected XSS occurs when malicious input supplied by an attacker is immediately returned in the HTTP response without sanitization. This type of XSS is typically exploited through a crafted URL containing embedded JavaScript payloads. When a victim clicks the link, the vulnerable server reflects the injected script back to the browser, executing it within the user’s session context. CEH emphasizes that reflected XSS relies on social engineering to deliver the payload, often via links sent through email, messaging platforms, or compromised pages. The goal may include stealing session cookies, redirecting users, or manipulating page content. Brute-forcing credentials (Option A) has no relation to XSS. SQL injection (Option C) targets backend databases, not client-side script execution. Directory traversal (Option D) concerns file path manipulation, not dynamic script injection. Therefore, embedding a malicious script in a URL is the correct method to exploit reflected XSS.

Qualys VM is the best match because the scenario emphasizes enterprise vulnerability management for a hybrid environment with agent-based endpoint coverage, continuous monitoring, alerting, and centralized visibility across both on-premises and cloud systems. In CEH-aligned security operations concepts, vulnerability management is not only about running periodic scans, but also about maintaining an accurate, continuously updated view of asset exposure, prioritizing risk, and producing actionable remediation workflows. A platform designed for hybrid infrastructures commonly includes lightweight agents for endpoints, cloud connectors, unified dashboards, continuous assessment, and notification or alerting features to support real-time risk decisions. Qualys VM is widely recognized for delivering vulnerability management through a centralized cloud platform with broad asset visibility and support for continuous assessment models that align with large-scale, distributed environments.

The other options are less aligned with the full requirement set. Nikto is a focused web server and web application scanner and does not represent an enterprise-wide vulnerability management platform for endpoints and hybrid assets. OpenVAS is a capable open-source vulnerability scanner, but it is typically implemented as a scanning solution rather than a full hybrid vulnerability management platform with the same level of integrated agent-based endpoint coverage, centralized cloud visibility, and operational alerting described. Nessus is a strong vulnerability scanner and can support agents in some deployments, but the scenario’s emphasis on broad hybrid infrastructure visibility and centralized, continuous monitoring with alerting most strongly aligns with Qualys VM as a vulnerability management platform.

The correct answer is D. Hardware/Firmware Rootkit because the scenario describes persistence that remains even after multiple OS reinstalls and executes before the operating system loads, while evading OS-level antivirus and forensic scans. In CEH-aligned malware/rootkit concepts, hardware/firmware rootkits embed malicious code into firmware components such as BIOS/UEFI, device firmware (for example, NIC firmware, storage controller firmware, HDD/SSD firmware), or other embedded hardware layers. Because firmware is separate from the operating system’s file system, reinstalling the OS typically does not remove the implant.

The clue “resides deep inside the system hardware” and “executes before the OS is loaded” aligns with firmware-level execution in the boot chain. Firmware rootkits can run during early startup, initialize malicious hooks, and then hand off control to the OS in a way that hides their presence. This makes them extremely difficult to detect using conventional host-based tools, because those tools operate after the OS is running and generally cannot easily inspect or validate firmware integrity. The mention of “unusual activity on network cards and storage devices” is also a strong indicator: compromised NIC or storage firmware can manipulate traffic, exfiltrate data, or alter reads/writes while remaining invisible to file-based scanning.

Why the other options are less accurate: a boot-loader-level rootkit typically infects the bootloader on disk; while it runs early, it may be removed by disk reimaging or certain reinstall workflows. A kernel-level rootkit resides within the OS kernel and is generally removed by reinstalling the OS. A hypervisor-level rootkit (virtualization-based) can be stealthy, but it still generally depends on software layers that may not survive repeated OS reinstalls unless paired with firmware persistence.

Therefore, the persistence across reinstalls and pre-OS execution most clearly indicate a hardware/firmware rootkit.

This scenario clearly aligns with a Pulse Wave DDoS attack, a sophisticated denial-of-service technique described in CEH v13 Network and Perimeter Hacking. Unlike traditional volumetric DDoS attacks that rely on sustained flooding, pulse wave attacks deliver short, extremely high-volume bursts of traffic, followed by periods of inactivity.

The defining characteristics described—intermittent spikes exceeding 300 Gbps, regular intervals (every 10 minutes), and temporary recovery—are hallmark indicators of pulse wave attacks. CEH v13 explains that attackers use this method to overwhelm server resources, trigger auto-scaling failures, exhaust mitigation thresholds, and evade detection systems that rely on sustained traffic baselines.

Option A is incorrect because UDP floods are continuous. Option B (HTTP GET flood) targets the application layer with sustained requests. Option C (PDoS) permanently damages hardware, which does not match the recurring pattern.

Pulse wave attacks are particularly effective against large platforms like streaming services because they:

Exploit elasticity limits of cloud infrastructure

Confuse rate-based detection systems

Cause repeated service degradation without long attack durations

CEH v13 emphasizes that pulse wave attacks are difficult to mitigate without adaptive, behavior-based DDoS protection. Therefore, Option D is the correct and CEH-aligned answer.

Remote File Inclusion occurs when an application allows external resources to be loaded from user-controlled input. CEH teaches that an attacker can supply a remote URL pointing to a malicious script (for example, a PHP shell). When the vulnerable application includes this external file, the attacker ' s code executes on the server. This can lead to full system compromise, remote command execution, or lateral movement.

Passive reconnaissance focuses on collecting intelligence without interacting with the target ' s systems. CEH materials emphasize reviewing publicly available information, including leaked documents, breach data, reports, or exposed metadata, as this yields internal network structure details while generating no detectable traffic. This method avoids triggering monitoring systems and aligns with stealth requirements for covert intelligence gathering.

Side jacking, as defined in CEH v13 Web Application Hacking, is a form of session hijacking where an attacker captures valid session identifiers—usually cookies—by sniffing network traffic. This attack is particularly effective when applications fail to encrypt session cookies using HTTPS.

In CEH v13, side jacking is commonly associated with attacks performed on unsecured wireless networks, where attackers passively monitor traffic using packet sniffers such as Wireshark. If session cookies are transmitted in plaintext, the attacker can replay them to impersonate the victim without needing login credentials.

Option B precisely matches this definition: capturing unencrypted session cookies and reusing them to gain unauthorized access.

Other options describe different attack types:

A is credential harvesting via social engineering.

C is network exploitation.

D is cross-site scripting (XSS).

CEH v13 emphasizes enforcing HTTPS, Secure and HttpOnly cookie flags, and session regeneration as defenses against side jacking.

This attack is a classic example of Piggybacked SQL Injection, covered in CEH v13 Web Application Hacking. Piggybacked queries allow attackers to append additional malicious SQL commands to an existing query using a delimiter such as a semicolon.

The payload executes the original query followed by a destructive command (DROP TABLE). UNION-based injections retrieve data, Boolean-based injections infer logic, and error-based injections rely on error messages—not destructive execution.

CEH v13 explicitly describes piggybacked queries as capable of data destruction and privilege escalation, making Option A correct.

This scenario primarily simulates dumpster diving because the key action involves retrieving sensitive information from discarded materials and then using it to gain access. In CEH social engineering coverage, dumpster diving is a physical information-gathering technique where an attacker searches trash, recycling bins, unsecured disposal containers, or shredding waste to find documents and artifacts that can be exploited. Common targets include access codes, employee directories, printed emails, shipping labels, invoices, internal memos, and partially shredded documents—exactly what Priya finds in the unsecured maintenance container. The question even emphasizes “discarded packaging,” “shipping labels,” “shredded office material,” and a “crumpled document listing temporary access codes,” which are classic dumpster-diving indicators.

The later use of recovered access codes to enter the break room is the impact of the dumpster-diving phase, but the primary social engineering technique tested is how improper disposal leads to compromise. Tailgating would involve following an authorized person through a secure door without proper authentication. Eavesdropping refers to listening in on conversations or communications to capture sensitive information. Shoulder surfing involves visually observing someone’s screen or keyboard while they enter credentials or view confidential data. None of those describe the initial method of obtaining the access codes.

CEH-aligned mitigations include enforcing clean-desk and secure disposal policies, using locked disposal bins, shredding sensitive documents properly with secure destruction processes, training staff on handling printed data, and restricting access to loading docks and waste areas. Regular audits of disposal practices and physical security checks reduce the likelihood that attackers can harvest usable access details from trash.

CEH v13 distinguishes between vertical and horizontal privilege escalation. Vertical escalation occurs when an attacker moves upward in the hierarchy of privileges—such as from a regular user to an administrator or root—by exploiting vulnerabilities, misconfigurations, or insecure privilege boundaries. This allows the attacker to perform tasks that were previously restricted, such as modifying system settings, accessing sensitive data, installing malware, or controlling the entire environment. Horizontal escalation, on the other hand, involves accessing another user’s resources at the same privilege level, which the other options describe. Exploiting unquoted service paths or weak access controls may facilitate privilege abuse, but they do not inherently elevate the user to a higher privilege tier unless they specifically lead to administrative execution. The scenario that aligns perfectly with the CEH definition of vertical privilege escalation is the escalation from regular user to administrator.

A low-and-slow scanning technique spreads probe attempts over long intervals, reducing the chance of triggering IDS signatures that rely on detecting rapid or high-volume scans. CEH highlights timing-based evasion as an effective method for reconnaissance against networks with strict perimeter controls.

This describes a rule-based or logic-based password attack, which CEH v13 classifies as a smart, targeted guessing technique. Attackers use known patterns—such as naming conventions, dates, or personal interests—to reduce the keyspace and increase success rates.

Option A accurately reflects this methodology. Option B is brute force, which is random and exhaustive. Option C is physical observation. Option D describes hybrid attacks without structured logic.

CEH v13 emphasizes that pattern-based attacks are highly effective when attackers possess prior intelligence. Therefore, Option A is correct.

Jason’s goal is to capture live SNMP traffic on the wire and manually inspect protocol fields such as community strings, OIDs, and variable bindings within requests and responses. The method described is packet capture and protocol dissection, which is exactly what Wireshark is designed for. Wireshark can capture traffic from an interface (or from a mirrored/SPAN port) and decode SNMP at the protocol level, presenting SNMP PDUs in a human-readable structure. This enables an assessor to view SNMP GET/GETNEXT/GETBULK requests, SET operations (if present), and responses, including the transmitted identifiers and values—useful for verifying whether sensitive SNMP data is exposed in transit.

The scenario explicitly states Jason is not running structured queries and instead wants to observe “SNMP requests and responses in transit,” which rules out tools that actively query devices. SnmpWalk (C) is an active enumeration tool that queries SNMP agents using a community string and walks a subtree of the MIB; that is the opposite of passive traffic inspection. Nmap (A) can scan ports and perform some SNMP-related scripts, but it still operates as an active probing tool rather than a live traffic capture and manual field review platform. SoftPerfect Network Scanner (D) is a network discovery tool for identifying hosts and services; it is not a packet-level sniffer intended for dissecting SNMP messages on the wire.

Additionally, the mention of “manual parsing” is consistent with packet analysis workflows: even though Wireshark decodes SNMP, the analyst still needs to interpret what OIDs and values mean, correlate requests to responses, and assess sensitivity (e.g., community strings in SNMPv1/v2c are not encrypted, and captured traffic may reveal them).

Therefore, the correct method is B. Wireshark.

The observed behavior most closely matches the Digital Signature Algorithm (DSA). The strongest indicators are: (1) a fresh random value is generated for each signature operation, and (2) the math operates in a subgroup defined by public domain parameters using modular arithmetic, and (3) signatures are verified using a public verification key, not by “decrypting” the message.

DSA is a signature-only asymmetric algorithm derived from discrete logarithm principles. It uses public domain parameters commonly represented as (p, q, g), where p is a large prime, q is a prime divisor of p−1, and g is a generator of a subgroup of order q. For each signature, DSA requires a unique per-message secret random number k. This ephemeral k is crucial: reusing it (or generating it predictably) can expose the private key. The scenario’s emphasis on “fresh random value for each signature operation” aligns directly with this core DSA requirement.

By contrast, RSA signatures can be implemented in different ways (often involving modular exponentiation with padding) and do not inherently require a fresh random per-signature secret like DSA’s k (although some padding schemes may involve randomness). Diffie-Hellman is primarily a key exchange algorithm, not a signing algorithm. ElGamal can be used for signatures and also uses randomness, but the mention of “subgroup defined by public domain parameters” and the classic per-signature random value requirement most strongly aligns with the standard description of DSA used in many security curricula and assessments.

Therefore, based on the signature process characteristics described, the best match is A. DSA.

CEH v13 defines a white hat hacker as a security professional with explicit authorization to perform penetration testing, vulnerability assessments, and exploitation attempts within legal and contractual boundaries. Their objective is to strengthen security, not compromise it. White hats follow structured methodologies, document findings, and provide remediation recommendations. A black hat (Option A) acts maliciously and without permission. A grey hat (Option B) operates without authorization but without harmful intent, which is not compliant with corporate penetration testing procedures. Script kiddies (Option C) rely on pre-built tools without deep knowledge and are not employed for legitimate engagements. Therefore, the individual described is a white hat, operating under legal and ethical guidelines with organizational consent.

CEH v13 explains that Windows systems running older or default configurations often allow anonymous or null session connections to IPC$ shares, enabling attackers to enumerate users, groups, shares, and other system details without authentication. Null session enumeration is highlighted as a classic yet effective technique because it generates minimal detectable activity and does not require credentials, making it ideal for stealth operations. CEH stresses that SMB null sessions are frequently overlooked in legacy or poorly hardened environments, especially when default permissions remain unchanged. Packet sniffing (Option A) may provide some data but requires traffic visibility and may be detected through monitoring tools. DNS zone transfers (Option B) require misconfigurations and usually do not reveal user list details. SNMP queries (Option D) require community strings and often generate alerts. Therefore, exploiting null sessions is the most covert and effective method for enumerating Windows systems under default configurations.

IoT devices that transmit data without encryption expose all communication to interception. CEH explains that attackers can position themselves between the IoT device and cloud service to manipulate or capture traffic. A MitM attack enables interception of commands, credentials, and firmware data due to the absence of TLS protections.

CEH training outlines the standard methodology for attacking WPA2-PSK networks: capture the 4-way handshake and then attempt offline cracking of the pre-shared key. The most reliable way to force handshake generation is to perform a de-authentication attack using tools like Aireplay-ng. This attack momentarily disconnects a wireless client, forcing it to reauthenticate with the access point. During this reauthentication, the AP and client exchange the 4-way handshake packets necessary for offline cracking. CEH emphasizes that WPA2 encryption itself cannot be brute-forced directly; attackers must obtain the handshake and then apply dictionary or brute-force attacks offline. Attempting XSS or router spoofing does not capture the handshake and is unrelated to WPA2 key extraction. The deauth attack is also a classic wireless attack vector described extensively in CEH because it is effective, does not require interaction with the encryption algorithm, and works regardless of the strength of the AP’s passphrase. Once the handshake is captured, tools such as Hashcat are used to attempt key recovery.

This scenario matches a Teardrop attack, which exploits IP fragmentation reassembly weaknesses by sending fragments with overlapping or inconsistent offset fields. In a teardrop attack, the attacker crafts IP fragments so that when the target attempts to reassemble them into the original datagram, the fragment offsets and sizes do not align correctly (often overlapping). Vulnerable systems can experience errors in the reassembly process, leading to CPU/memory exhaustion, crashes, or instability in the network stack. The question highlights “manipulated offset fields and overlapping payload offsets,” “repeated attempts to reconstruct,” and “deliberately malformed offsets that trigger processing errors rather than a simple flood,” which are all core teardrop characteristics.

The impact described—system crashes and service disruption without abnormal bandwidth usage—also fits. This is not a volumetric DoS (like ICMP flood); it’s a malformed-packet attack that targets protocol stack processing. The key is that the attacker is exploiting how the target handles fragmented packets, causing excessive processing and failure during reassembly.

Why the other options are less accurate:

Fragmentation attack (A) is a broader category and could include many fragmentation-based manipulations, but “overlapping offsets causing reassembly failure” is the classic teardrop pattern.

ICMP flood (B) is bandwidth/packet-rate driven and does not involve IP fragment offset manipulation.

Ping of Death (D) involves oversized ICMP packets (often via fragmentation) exceeding maximum IP size, causing crashes on vulnerable stacks; the scenario instead emphasizes overlapping offsets and reassembly logic errors rather than oversized packet size.

Therefore, Sofia is most likely simulating C. Teardrop Attack.

The TCP SYN scan, also known as a Stealth Scan, is emphasized in CEH v13 Network Scanning as the most effective balance between accuracy and stealth. It sends a SYN packet and analyzes the response without completing the TCP handshake.

Because the connection is never fully established, SYN scans are less likely to be logged by applications and are harder for IDS systems to detect compared to TCP Connect scans.

FIN and ACK scans are used for firewall rule mapping and evasion, but they do not reliably enumerate services. TCP Connect scans are noisy and easily detected. Therefore, Stealth (SYN) Scan is the best choice.

The described behavior aligns precisely with ARP spoofing, also known as ARP poisoning, a common man-in-the-middle attack technique covered extensively in CEH materials. ARP operates at Layer 2 of the OSI model and is responsible for mapping IP addresses to MAC addresses within a local network. Because ARP lacks authentication mechanisms, any host can send forged ARP replies to other devices on the LAN.

In this scenario, Marcus injects crafted messages that alter how two hosts identify each other. This strongly indicates forged ARP replies were sent to both the payroll workstation and the authentication server. By telling each system that his machine’s MAC address corresponds to the other party’s IP address, Marcus positions himself logically between the two endpoints. As a result, traffic is transparently routed through his system without requiring changes to switch configurations, proxies, or VPN tunnels.

This technique enables interception and potential modification of credentials in transit. DNS spoofing affects domain name resolution rather than direct Layer 2 host identification. MAC flooding overflows the switch CAM table to force broadcast behavior but does not specifically manipulate IP-to-MAC mappings between two targeted hosts. Switch port stealing targets MAC table entries but does not rely on altering host identity mappings in the same way ARP poisoning does.

Therefore, ARP spoofing is the most accurate technique described in this scenario.

An Evil Twin access point is a malicious wireless access point that impersonates a legitimate Wi-Fi network by copying its SSID and often mimicking other observable characteristics such as security settings and signal behavior. In CEH-aligned wireless attack coverage, the goal is to trick users into connecting to the attacker-controlled AP instead of the real one. Once a victim device associates, the attacker can perform man in the middle interception, capture credentials, observe sensitive traffic, and potentially downgrade protections if the victim is not properly validating the network.

This scenario strongly matches an Evil Twin because the tablet connects to an access point “broadcasting a name and signal similar to the hospital’s secure Wi-Fi,” and Sarah finds an unauthorized device capturing sensitive traffic from connected systems. That combination indicates active impersonation and client deception, not merely an accidental device. A rogue AP is typically an unauthorized access point connected to the internal network, often deployed by employees for convenience, and may not be designed to impersonate the official SSID to lure clients. A misconfigured AP refers to an access point with weak settings or improper security controls, not an attacker-created clone. A honeypot AP is a deliberate decoy set up by defenders to attract attackers, which is the opposite of what is described.

Mitigations emphasized in CEH best practices include using WPA2 Enterprise or WPA3 Enterprise with certificate validation, enabling protected management frames where supported, deploying wireless intrusion detection and prevention to identify spoofed SSIDs and BSSID anomalies, disabling auto-join where possible, and training users to report suspicious network prompts or unexpected reconnect behavior.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 identifies XML Signature Wrapping (XSW) attacks, also known simply as Wrapping attacks, as a major threat against SOAP-based web services. These attacks exploit weak XML parsing and insufficient validation of signed message components. SOAP messages often include digitally signed sections, but if the server validates the signature without confirming the correct position or structure of the signed elements, attackers can duplicate, move, or wrap signed content inside a modified XML envelope. This allows an attacker to inject malicious payloads while still presenting a valid signature. CEH details how this can lead to unauthorized execution, privilege escalation, or bypassing authentication controls in SOAP APIs. Cloud snooping, cryptanalysis, and IMDS abuse do not involve message duplication or signature misplacement. The scenario precisely matches CEH’s definition of a Wrapping Attack in SOAP/XML security.