312-50v13 ECCouncil Certified Ethical Hacker Exam (CEHv13) Free Practice Exam Questions (2026 Updated)

Bug bounty programs allow independent security researchers to report bugs to an companies and receive rewards or compensation. These bugs area unit sometimes security exploits and vulnerabilities, although they will additionally embody method problems, hardware flaws, and so on.

The reports area unit usually created through a program travel by associate degree freelance third party (like Bugcrowd or HackerOne). The companies can got wind of (and run) a program curated to the organization’s wants.

Programs is also non-public (invite-only) wherever reports area unit unbroken confidential to the organization or public (where anyone will sign in and join). they will happen over a collection timeframe or with without stopping date (though the second possibility is a lot of common).

Who uses bug bounty programs?

Many major organizations use bug bounties as an area of their security program, together with AOL, Android, Apple, Digital Ocean, and goldman Sachs. you’ll read an inventory of all the programs offered by major bug bounty suppliers, Bugcrowd and HackerOne, at these links.

Why do corporations use bug bounty programs?

Bug bounty programs provide corporations the flexibility to harness an outsized cluster of hackers so as to seek out bugs in their code.

This gives them access to a bigger variety of hackers or testers than they’d be able to access on a one-on-one basis. It {can also|also will|can even|may also|may} increase the probabilities that bugs area unit found and reported to them before malicious hackers can exploit them.

It may also be an honest publicity alternative for a firm. As bug bounties became a lot of common, having a bug bounty program will signal to the general public and even regulators that a corporation incorporates a mature security program.

This trend is likely to continue, as some have began to see bug bounty programs as an business normal that all companies ought to invest in.

Why do researchers and hackers participate in bug bounty programs?

Finding and news bugs via a bug bounty program may end up in each money bonuses and recognition. In some cases, it will be a good thanks to show real-world expertise once you are looking for employment, or will even facilitate introduce you to parents on the protection team within an companies.

This can be full time income for a few of us, income to supplement employment, or the way to point out off your skills and find a full time job.

It may also be fun! it is a nice (legal) probability to check out your skills against huge companies and government agencies.

What area unit the disadvantages of a bug bounty program for independent researchers and hackers?

A lot of hackers participate in these varieties of programs, and it will be tough to form a major quantity of cash on the platform.

In order to say the reward, the hacker has to be the primary person to submit the bug to the program. meaning that in apply, you may pay weeks searching for a bug to use, solely to be the person to report it and build no cash.

Roughly ninety seven of participants on major bug bounty platforms haven’t sold-out a bug.

In fact, a 2019 report from HackerOne confirmed that out of quite three hundred,000 registered users, solely around two.5% received a bounty in their time on the platform.

Essentially, most hackers are not creating a lot of cash on these platforms, and really few square measure creating enough to switch a full time wage (plus they do not have advantages like vacation days, insurance, and retirement planning).

What square measure the disadvantages of bug bounty programs for organizations?

These programs square measure solely helpful if the program ends up in the companies realizeing issues that they weren’t able to find themselves (and if they’ll fix those problems)!

If the companies is not mature enough to be able to quickly rectify known problems, a bug bounty program is not the right alternative for his or her companies.

Also, any bug bounty program is probably going to draw in an outsized range of submissions, several of which can not be high-quality submissions. a corporation must be ready to cope with the exaggerated volume of alerts, and also the risk of a coffee signal to noise magnitude relation (essentially that it’s probably that they’re going to receive quite few unhelpful reports for each useful report).

Additionally, if the program does not attract enough participants (or participants with the incorrect talent set, and so participants are not able to establish any bugs), the program is not useful for the companies.

The overwhelming majority of bug bounty participants consider web site vulnerabilities (72%, per HackerOn), whereas solely a number of (3.5%) value more highly to seek for package vulnerabilities.

This is probably because of the actual fact that hacking in operation systems (like network hardware and memory) needs a big quantity of extremely specialised experience. this implies that firms may even see vital come on investment for bug bounties on websites, and not for alternative applications, notably those that need specialised experience.

This conjointly implies that organizations which require to look at AN application or web site among a selected time-frame may not need to rely on a bug bounty as there is no guarantee of once or if they receive reports.

Finally, it are often probably risky to permit freelance researchers to try to penetrate your network. this could end in public speech act of bugs, inflicting name harm within the limelight (which could end in individuals not eager to purchase the organizations’ product or service), or speech act of bugs to additional malicious third parties, United Nations agency may use this data to focus on the organization.

Docker uses a client-server design. The docker client talks to the docker daemon, that will the work of building, running, and distributing your docker containers. The docker client and daemon will run on the same system, otherwise you will connect a docker consumer to a remote docker daemon. The docker consumer and daemon communicate using a REST API, over OS sockets or a network interface.

The docker daemon (dockerd) listens for docker API requests and manages docker objects like pictures, containers, networks, and volumes. A daemon may communicate with other daemons to manage docker services.

In CEH v13 Malware Threats, BITS is highlighted as a legitimate Windows service frequently abused by attackers for stealthy command-and-control (C2) communication and data exfiltration. BITS is designed to transfer files in the background using idle bandwidth, primarily for Windows Updates and Microsoft services.

Attackers exploit BITS because its traffic closely resembles legitimate Windows update traffic, which is almost always allowed through firewalls, proxies, and endpoint security controls. This makes malicious traffic blend seamlessly into normal network activity, significantly reducing the likelihood of detection.

Option C correctly captures this behavior. BITS does not rely on IP fragmentation (Option A), DNS encryption (Option B), or exclusive HTTP tunneling (Option D). Instead, it leverages trusted system behavior and signed binaries, allowing malware to “live off the land.”

CEH v13 stresses that abuse of trusted services like BITS is a hallmark of advanced persistent threats (APTs) and fileless malware. Detecting such abuse typically requires behavioral monitoring rather than signature-based detection.

Thus, Option C is correct.

The technique that the hacker would consider next to obtain useful information about the underlying database is to utilize a blind injection technique that uses time delays or error signatures to extract information. A blind injection technique is a type of SQL injection technique that is used when the web application does not return any detailed error messages or data from the database, but only indicates whether the query was executed successfully or not. A blind injection technique relies on sending specially crafted SQL queries that cause a noticeable change in the behavior or response of the web application, such as a time delay or an error signature, which can then be used to infer information about the database. For example, the hacker could use the following methods12:

Time-based blind injection: This method involves injecting a SQL query that contains a time delay function, such as SLEEP() or WAITFOR DELAY, which pauses the execution of the query for a specified amount of time. The hacker can then measure the time difference between the normal and the delayed responses, and use it to determine whether the injected query was true or false. By using this method, the hacker can perform a binary search to guess the values of the data in the database, one bit at a time.

Error-based blind injection: This method involves injecting a SQL query that contains a deliberate error, such as a division by zero, a type mismatch, or an invalid conversion, which causes the database to generate an error message. The hacker can then analyze the error message, which may contain useful information about the database, such as the version, the name, the structure, or the data. By using this method, the hacker can exploit the error handling mechanism of the database to extract information.

The other options are not as suitable as option D for the following reasons:

A. Use the UNION operator to combine the result sets of two or more SELECT statements: This option is not feasible because it requires the web application to return data from the database, which is not the case in this scenario. The UNION operator is a SQL operator that allows the hacker to append the results of another SELECT statement to the original query, and display them as part of the web page. This way, the hacker can retrieve data from other tables or columns that are not intended to be shown by the web application. However, this option does not work when the web application does not return any data or error messages from the database, as in this scenario3.

B. Attempt to compromise the system through OS-level command shell execution: This option is not relevant because it is not a SQL injection technique, but a post-exploitation technique. OS-level command shell execution is a method of gaining access to the underlying operating system of the web server, by injecting a SQL query that contains a system command, such as xp_cmdshell, exec, or shell_exec, which executes the command on the server. This way, the hacker can perform various actions on the server, such as uploading files, downloading files, or running programs. However, this option does not help to obtain information about the database, which is the goal of this scenario4.

C. Try to insert a string value where a number is expected in the input field: This option is not effective because it is a basic SQL injection technique that is used to detect SQL injection vulnerabilities, not to exploit them. Inserting a string value where a number is expected in the input field is a method of triggering a syntax error in the SQL query, which may reveal the structure or the content of the query in the error message. This way, the hacker can identify the vulnerable parameters and the type of the database. However, this option does not work when the web application does not return any detailed error messages from the database, as in this scenario5.

Social engineering is a non-technical attack that manipulates human behavior to gain access to systems or data. It often involves deception (e.g., phishing, pretexting, baiting) and requires no technical expertise or tools, making it a low-tech yet highly effective method.

Reference – CEH v13 Official Study Guide:

Module 9: Social Engineering

Quote:

“Social engineering exploits human psychology and trust to gain unauthorized access. It is considered a low-tech method because it does not require technical means.”

Incorrect Options Explained:

B. Eavesdropping may require technical tools to intercept data.

C. Scanning involves active use of tools to find vulnerabilities.

D. Sniffing is technical and requires tools to capture network traffic.

Comprehensive and Detailed Explanation:

Tshark is the command-line version of Wireshark. The correct syntax for filtering packets from a subnet:

sudo tshark -f "net 192.168.8.0/24"

This captures only the traffic from that IP range. It’s ideal for cron jobs and automated monitoring.

From CEH v13 Courseware:

Module 8: Sniffing → Tshark and Wireshark Usage

CEH v13 identifies ARP spoofing/poisoning as a primary MitM technique in local networks. In such attacks, a single IP address maps to multiple MAC addresses, indicating ARP table manipulation.

This anomaly allows attackers to intercept traffic between victims and gateways. Increased traffic or DNS activity may occur but are not definitive indicators. Thus, IP-to-MAC inconsistencies are the most reliable confirmation of MitM activity.

In CEH v13 Module 04: Enumeration, identifying services based on well-known port numbers is foundational for enumeration and scanning activities.

Port 21/TCP is assigned to the File Transfer Protocol (FTP).

FTP is a standard protocol used to upload, download, and manage files on a remote server.

During enumeration, open FTP ports can be probed for:

Anonymous login

Banner grabbing

Directory traversal vulnerabilities

Option Clarification:

A. BGP: Runs on TCP port 179.

C. NFS: Commonly uses port 2049.

D. RPC: Dynamically uses multiple ports.

Correct answer is B. FTP (port 21).

According to CEH v13 Cloud Computing, improper identity and access management (IAM) is one of the most common causes of cloud security incidents. When former employees retain access to cloud resources, it represents a failure in user lifecycle management, specifically in the de-provisioning phase.

Timely user de-provisioning ensures that when an employee leaves the organization or changes roles, all associated access rights—API keys, IAM roles, credentials, tokens, and permissions—are immediately revoked. CEH v13 emphasizes that cloud environments magnify this risk because access is often centralized and remote, meaning former employees can access systems from anywhere.

Options A, B, and C are supportive security practices but do not directly address the root cause. Multi-cloud models do not prevent unauthorized access. Traffic analysis may detect misuse after the fact but does not prevent it. Penetration testing identifies vulnerabilities but does not manage user access.

CEH v13 explicitly identifies timely de-provisioning as a critical cloud security control to prevent insider threats, privilege abuse, and compliance violations. Therefore, Option D is the correct answer.

A Wireless Intrusion Prevention System (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).

The sequence of actions that would provide the most comprehensive information about the network’s status is to use Hping3 for an ICMP ping scan on the entire subnet, then use Nmap for a SYN scan on identified active hosts, and finally use Metasploit to exploit identified vulnerabilities. This sequence of actions works as follows:

Use Hping3 for an ICMP ping scan on the entire subnet: This action is used to discover the active hosts on the network by sending ICMP echo request packets to each possible IP address on the subnet and waiting for ICMP echo reply packets from the hosts. Hping3 is a command-line tool that can craft and send custom packets, such as TCP, UDP, or ICMP, and analyze the responses. By using Hping3 for an ICMP ping scan, the hacker can quickly and efficiently identify the live hosts on the network, as well as their response times and packet loss rates12.

Use Nmap for a SYN scan on identified active hosts: This action is used to scan the open ports and services on the active hosts by sending TCP SYN packets to a range of ports and analyzing the TCP responses. Nmap is a popular and powerful tool that can perform various types of network scans, such as port scanning, service detection, OS detection, and vulnerability scanning. By using Nmap for a SYN scan, the hacker can determine the state of the ports on the active hosts, such as open, closed, filtered, or unfiltered, as well as the services and protocols running on them. A SYN scan is also known as a stealth scan, as it does not complete the TCP three-way handshake and thus avoids logging on the target system34.

Use Metasploit to exploit identified vulnerabilities: This action is used to exploit the vulnerabilities on the active hosts by using pre-built or custom modules that leverage the open ports and services. Metasploit is a framework that contains a collection of tools and modules for penetration testing and exploitation. By using Metasploit, the hacker can launch various attacks on the active hosts, such as remote code execution, privilege escalation, or backdoor installation, and gain access to the target system or data. Metasploit can also be used to perform post-exploitation tasks, such as gathering information, maintaining persistence, or pivoting to other systems .

The other options are not as comprehensive as option B for the following reasons:

A. Initiate with Nmap for a ping sweep, then use Metasploit to scan for open ports and services, and finally use Hping3 to perform remote OS fingerprinting: This option is not optimal because it does not use the tools in the most efficient and effective way. Nmap can perform a ping sweep, but it is slower and less flexible than Hping3, which can craft and send custom packets. Metasploit can scan for open ports and services, but it is more suitable for exploitation than scanning, and it relies on Nmap for port scanning anyway. Hping3 can perform remote OS fingerprinting, but it is less accurate and reliable than Nmap, which can use various techniques and probes to determine the OS type and version13 .

C. Start with Hping3 for a UDP scan on random ports, then use Nmap for a version detection scan, and finally use Metasploit to exploit detected vulnerabilities: This option is not effective because it does not use the best scanning methods and techniques. Hping3 can perform a UDP scan, but it is slower and less reliable than a TCP scan, as UDP is a connectionless protocol that does not always generate responses. Scanning random ports is also inefficient and incomplete, as it may miss important ports or services. Nmap can perform a version detection scan, but it is more useful to perform a port scan first, as it can narrow down the scope and speed up the scan. Metasploit can exploit detected vulnerabilities, but it is not clear how the hacker can identify the vulnerabilities without performing a vulnerability scan first13 .

D. Begin with NetScanTools Pro for a general network scan, then use Nmap for OS detection and version detection, and finally perform an SYN flooding with Hping3: This option is not comprehensive because it does not cover all the aspects and objectives of a network scan. NetScanTools Pro is a graphical tool that can perform various network tasks, such as ping, traceroute, DNS lookup, or port scan, but it is less powerful and versatile than Nmap or Hping3, which can perform more advanced and customized scans. Nmap can perform OS detection and version detection, but it is more useful to perform a port scan first, as it can provide more information and insights into the target system. Performing an SYN flooding with Hping3 is not a network scan, but a denial-of-service attack, which can disrupt the network and alert the target system, and it is not an ethical or legal action for a hired hacker13 .

CEH v13 highlights that encrypting session data in transit is one of the strongest defenses against session hijacking. IPsec VPN encrypts the entire IP packet, preventing attackers from capturing usable session tokens.

IPS helps detection but not prevention. Physical security and awareness do not address technical hijacking.

Therefore, Option A is correct.

The described method is a classic example of a Side-Channel Attack, specifically a Timing Attack.

Key characteristics:

It exploits variations in response time from a system to infer sensitive information, such as the correct number of characters in a password.

In this scenario, if a correct character causes a longer processing time, the attacker can deduce the correct sequence iteratively.

According to CEH v13:

Side-channel attacks do not directly break encryption but rely on observing system behavior like timing, power consumption, or electromagnetic leaks.

These attacks are effective against poorly implemented authentication mechanisms or embedded systems like ICS/SCADA.

Incorrect Options:

B. Denial-of-service is aimed at making systems unavailable, not extracting credentials.

C. HMI-based attacks involve manipulating the human-machine interface of ICS systems.

D. Buffer overflow exploits memory handling flaws, not timing behavior.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Cryptanalysis and Side-Channel Attacks”

Subsection: “Timing Attacks and Password Recovery”

To secure DNS infrastructure, best practices include:

B. Harden DNS Servers: Disable unused services, apply patches, implement secure configurations.

C. Use Split-Horizon DNS: Present different DNS data to internal vs. external users to prevent data leakage.

D. Restrict Zone Transfers: Prevent unauthorized replication of zone data using IP-based access control or TSIG.

E. Subnet Diversity: Place DNS servers on different subnets or networks to enhance resilience.

From CEH v13 Official Courseware:

Module 3: Scanning Networks

Module 20: Cryptography

Incorrect Option:

A: Hosting DNS on multi-purpose servers increases the attack surface and violates security best practices.

Zone transfers (AXFR) are DNS operations that replicate zone data from a primary server to a secondary server. These can be abused during DNS enumeration if improperly secured.

CEH v13 recommends using the following tools for attempting or testing zone transfers:

A. NSLookup – supports AXFR using set type=any or set type=AXFR

C. Dig – dig @ns.example.com example.com AXFR

D. Sam Spade – GUI tool capable of DNS zone transfer

E. Host – command-line tool used for DNS lookups and AXFR

Incorrect Tools:

B. Finger – used for user enumeration, not DNS

F. Netcat – general-purpose networking tool, not specific to DNS

G. Neotrace – used for traceroute/path tracing, not DNS

AES is the industry-standard symmetric encryption algorithm endorsed by CEH v13. It provides strong confidentiality and resists traffic analysis when used with proper modes (e.g., CBC, GCM).

DES is obsolete, HMAC ensures integrity not encryption, PSA is not a standard encryption algorithm.

Thus, Option B is correct.

According to the CEH IDS/IPS module, false positives occur when legitimate activity is incorrectly flagged as malicious. The most common cause is overly sensitive IDS rules or thresholds.

Option D correctly identifies this issue.

Option A describes the symptom, not the root cause.

Option B is unrelated to IDS alert behavior.

Option C can cause missed detections, not excessive alerts.

CEH recommends proper tuning and baseline profiling.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 underscores that modern multi-vector DDoS attacks—particularly SYN floods combined with Layer 7 HTTP floods—cannot be effectively mitigated by traditional firewalls, IPS devices, or local traffic filters. These systems become overwhelmed or risk blocking legitimate clients. CEH emphasizes the use of cloud-based DDoS mitigation platforms that provide traffic scrubbing, distributed filtering, rate shaping, and automatic scaling to absorb massive volumes of malicious traffic. Such services differentiate legitimate versus malicious traffic using global intelligence, behavioral analysis, and multi-layer protection strategies. Increasing bandwidth or blocking broad traffic categories is ineffective and harmful to users. An IPS cannot scale to handle volumetric attacks. Only cloud scrubbing solutions (e.g., Cloudflare, Akamai, AWS Shield Advanced) meet CEH’s recommended defenses for high-volume distributed attacks. These services ensure continuous availability and minimize collateral damage by filtering traffic upstream before it reaches the organization's infrastructure.

In CEH v13 Module 01: Introduction to Ethical Hacking, Business Impact Analysis (BIA) is defined as a core component of the risk management process that helps identify and evaluate critical business functions, their dependencies, and the impact of downtime.

BIA is performed to:

Identify critical services and resources.

Determine the impact of their failure.

Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

Prioritize systems for business continuity planning.

Option Clarification:

A. EPR: Emergency Plan Response – not a formal phase in BIA or risk analysis.

C. Risk Mitigation: Involves taking actions to reduce risks, but doesn't identify business-critical services.

D. DRP: Disaster Recovery Planning focuses on restoration, not impact assessment.

Rating CVSS Score

None 0.0

Low 0.1 - 3.9

Medium 4.0 - 6.9

High 7.0 - 8.9

Critical 9.0 - 10.0

https://www.first.org/cvss/v3.0/specification-document

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores. Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one's systems and as a factor in prioritization of vulnerability remediation activities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

Qualitative Severity Rating Scale

For some purposes, it is useful to have a textual representation of the numeric Base, Temporal and Environmental scores.

In CEH v13 Module 11: Hacking Wireless Networks, antenna types are critical for wireless communications, signal strength, and attack range.

Yagi Antenna

A directional antenna designed to operate in VHF (30 MHz to 300 MHz) and UHF (300 MHz to 3 GHz) frequency bands.

Frequently used for point-to-point communication, such as long-distance Wi-Fi or directional signal monitoring.

Offers high gain, narrow beamwidth, and works well for capturing or projecting signals over long distances.

Why Other Options Are Incorrect:

B. Dipole antenna: Typically omnidirectional; less gain; not optimized for long-distance VHF/UHF.

C. Parabolic grid antenna: Used in microwave and satellite frequencies; not suited for 10 MHz–VHF.

D. Omnidirectional antenna: Broadcasts in all directions; used in short-range access points.

Error-based SQL Injection is a type of in-band SQL Injection attack that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.

The ethical hacker is likely to use this type of SQL Injection attack because the application responds to logically incorrect queries with detailed error messages that divulge the underlying database’s structure. This means that the attacker can craft malicious SQL queries that trigger errors and reveal information such as table names, column names, data types, etc. The attacker can then use this information to construct more complex queries that extract data from the database.

For example, if the application uses the following query to display the username of a user based on the user ID:

SELECT username FROM users WHERE id = '$id'

The attacker can inject a single quote at the end of the user ID parameter to cause a syntax error:

SELECT username FROM users WHERE id = '1'

The application might display an error message like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' at line 1

This error message reveals that the database server is MySQL and that the user ID parameter is enclosed in single quotes. The attacker can then use other techniques such as UNION, subqueries, or conditional statements to manipulate the query and retrieve data from other tables or columns.

Comprehensive and Detailed Explanation From CEH v13 Guide:

R-U-Dead-Yet? (RUDY) is a DoS tool that targets web applications by sending slow HTTP POST requests with large Content-Length headers. This consumes server resources, leading to a denial of service.

CEH v13 Reference:

Module 9: Denial-of-Service – DoS Tools

“R-U-Dead-Yet? (RUDY) sends long-form POST requests to consume server-side sessions and exhaust resources without completing the transaction.”

Comprehensive and Detailed Explanation:

Script Kiddies are individuals with minimal technical skills who use existing tools or scripts developed by others to perform attacks. They generally do not understand the underlying mechanisms and rely on publicly available hacking tools.

From CEH v13 Official Study Guide:

Module 1: Introduction to Ethical Hacking → Hacker Types

“Script kiddies are unskilled attackers who use tools created by others.”

These types of attacks occur when faults or glitches are INJECTED into the Power supply that can be used for remote execution.

In authentication, Multi-Factor Authentication (MFA) involves using more than one category of authentication factors:

Something you know (e.g., password)

Something you have (e.g., RFID badge, token)

Something you are (e.g., biometrics like fingerprints, facial recognition, gait)

In this scenario:

The RFID badge is "something you have" (a physical object).

The gait recognition (walking pattern) captured by the camera is a biometric—"something you are" (a physical characteristic).

Together, these two methods represent two distinct authentication factors, thereby implementing true multi-factor authentication.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Topic: Authentication Mechanisms

Quote:

“Examples of multi-factor authentication include combining biometrics (something you are) with a smart card or badge (something you have). Gait recognition is considered a behavioral biometric and falls under ‘something you are’.”

Incorrect Options Explained:

A. Incorrect — gait and RFID represent two separate factor types, not one.

C. No evidence in the scenario supports high false positives.

D. Gait analysis is a recognized biometric method and can be used for identification.

CEH v13 discusses various credential extraction and authentication abuse techniques, including approaches that avoid LSASS memory due to modern protections like Credential Guard. The Internal Monologue technique is a specialized credential-harvesting approach that leverages the Windows SSPI authentication stack to coerce the local system into generating NetNTLM challenge-response hashes without requiring direct access to LSASS. This allows attackers to obtain legitimate NTLM responses entirely within the user’s security context. These captured responses can then be cracked offline using tools such as Hashcat. Unlike replay attacks (Option B), Internal Monologue is not about reusing captured traffic. Hash injection (Option C) requires possession of NT hashes and modifies authentication tokens, which does not occur here. Pass-the-ticket (Option D) targets Kerberos, not NTLM. Therefore, the correct technique is the Internal Monologue attack.

Whaling is an advanced social engineering technique that targets high-profile individuals, such as executives, managers, or celebrities, by impersonating them or someone they trust, such as a colleague, partner, or vendor. The attacker creates a fake Linkedin profile, pretending to be a high-ranking official from a well-established company, and uses it to connect with other employees within the organization. The attacker then leverages the trust and authority of the fake profile to gain access to exclusive corporate events and proprietary project details shared within the network. This way, the attacker can launch targeted attacks against the organization, such as stealing sensitive data, compromising systems, or extorting money.

The most likely immediate threat to the organization is the loss of confidential information and intellectual property, which can damage the organization’s reputation, competitiveness, and profitability. The attacker can also use the information to launch further attacks, such as ransomware, malware, or sabotage, against the organization or its partners and customers.

The other options are not as accurate as whaling for describing this scenario. Pretexting is a social engineering technique that involves creating a false scenario or identity to obtain information or access from a victim. However, pretexting usually involves direct communication with the victim, such as a phone call or an email, rather than creating a fake Linkedin profile and connecting with the victim’s network. Spear phishing is a social engineering technique that involves sending a personalized and targeted email to a specific individual or group, usually containing a malicious link or attachment. However, spear phishing does not involve creating a fake Linkedin profile and connecting with the victim’s network. Baiting and involuntary data leakage are not social engineering techniques, but rather possible outcomes of social engineering attacks. Baiting is a technique that involves offering something enticing to the victim, such as a free download, a gift card, or a job opportunity, in exchange for information or access. Involuntary data leakage is a situation where the victim unintentionally or unknowingly exposes sensitive information to the attacker, such as by clicking on a malicious link, opening an infected attachment, or using an unsecured network. References:

Whaling: What is a whaling attack?

Advanced Social Engineering Attack Techniques

Top 8 Social Engineering Techniques and How to Prevent Them

Weaponization

The adversary analyzes the data collected in the previous stage to identify the

vulnerabilities and techniques that can exploit and gain unauthorized access to the

target organization. Based on the vulnerabilities identified during analysis, the adversary

selects or creates a tailored deliverable malicious payload (remote-access malware

weapon) using an exploit and a backdoor to send it to the victim. An adversary may

target specific network devices, operating systems, endpoint devices, or even

individuals within the organization to carry out their attack. For example, the adversary

may send a phishing email to an employee of the target organization, which may include a malicious attachment such as a virus or worm that, when downloaded, installs a backdoor on the system that allows remote access to the adversary. The following are the activities of the adversary: o Identifying appropriate malware payload based on the analysis o Creating a new malware payload or selecting, reusing, modifying the available malware payloads based on the identified vulnerability

o Creating a phishing email campaign o Leveraging exploit kits and botnets

https://en.wikipedia.org/wiki/Kill_chain

The Cyber Kill Chain consists of 7 steps: Reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally, actions on objectives. Below you can find detailed information on each.

1. Reconnaissance: In this step, the attacker/intruder chooses their target. Then they conduct in-depth research on this target to identify its vulnerabilities that can be exploited.

2. Weaponization: In this step, the intruder creates a malware weapon like a virus, worm, or such to exploit the target's vulnerabilities. Depending on the target and the purpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day exploits) or focus on a combination of different vulnerabilities.

3. Delivery: This step involves transmitting the weapon to the target. The intruder/attacker can employ different USB drives, e-mail attachments, and websites for this purpose.

4. Exploitation: In this step, the malware starts the action. The program code of the malware is triggered to exploit the target’s vulnerability/vulnerabilities.

5. Installation: In this step, the malware installs an access point for the intruder/attacker. This access point is also known as the backdoor.

6. Command and Control: The malware gives the intruder/attacker access to the network/system.

7. Actions on Objective: Once the attacker/intruder gains persistent access, they finally take action to fulfill their purposes, such as encryption for ransom, data exfiltration, or even data destruction.

The network is using an uncrackable encryption method, which makes it difficult to crack the Wi-Fi password. WPA2 Personal with AES encryption is the strongest form of security offered by Wi-Fi devices at the moment, and it should be used for all purposes. AES stands for Advanced Encryption Standard, and it is a symmetric-key algorithm that uses a 128-bit, 192-bit, or 256-bit key to encrypt and decrypt data. AES is considered to be uncrackable by brute force attacks, as it would take an impractical amount of time and computational power to try all possible key combinations12. Therefore, unless you have access to the Wi-Fi password or the encryption key, you will not be able to decrypt the network traffic and crack the password.

The other options are not correct for the following reasons:

A. The Wi-Fi password is too complex and long: This option is not relevant because the Wi-Fi password is not directly used to encrypt the network traffic. Instead, the password is used to generate a Pre-Shared Key (PSK), which is then used to derive a Pairwise Master Key (PMK), which is then used to derive a Pairwise Transient Key (PTK), which is then used to encrypt the data. Therefore, the complexity and length of the password do not affect the encryption strength, as long as the password is not easily guessed or leaked34.

B. Your hacking tool is outdated: This option is not plausible because even if your hacking tool is outdated, it would not affect your ability to capture the network traffic and attempt to crack the password. The hacking tool may not support the latest Wi-Fi standards or protocols, but it should still be able to capture the raw data packets and save them in a file. The cracking process would depend on the encryption algorithm and the key, not on the hacking tool.

D. The network is using MAC address filtering: This option is not feasible because MAC address filtering is a technique that restricts network access and communication to trusted devices based on their MAC addresses, which are unique identifiers assigned to network interfaces. MAC address filtering can prevent unauthorized devices from joining the network, but it cannot prevent authorized devices from capturing the network traffic. Moreover, MAC address filtering can be easily bypassed by spoofing the MAC address of an allowed device56.

A service-based solution offered by an auditing firm would be the most appropriate type of vulnerability assessment solution for the large e-commerce organization, given their requirements. A service-based solution is a type of vulnerability assessment that is performed by external experts who have the skills, tools, and experience to conduct a thorough and comprehensive analysis of the target system or network. A service-based solution can imitate the outside view of attackers, as the experts are not familiar with the internal details or configurations of the organization. A service-based solution can also perform well-organized inference-based testing, which is a type of testing that uses logical reasoning and deduction to identify and exploit vulnerabilities based on the information gathered from the target. A service-based solution can scan automatically against continuously updated databases, as the experts have access to the latest security intelligence and threat feeds. A service-based solution can also support multiple networks, as the experts can use different techniques and tools to scan different types of networks, such as wired, wireless, cloud, or hybrid12.

The other options are not as appropriate as option B for the following reasons:

A. Inference-based assessment solution: This option is not a type of vulnerability assessment solution, but a type of testing method that can be used by any solution. Inference-based testing is a testing method that uses logical reasoning and deduction to identify and exploit vulnerabilities based on the information gathered from the target. Inference-based testing can be performed by service-based, product-based, or tree-based solutions, depending on the scope, objectives, and resources of the assessment3.

C. Tree-based assessment approach: This option is not a type of vulnerability assessment solution, but a type of testing method that can be used by any solution. Tree-based testing is a testing method that uses a hierarchical structure to organize and prioritize the vulnerabilities based on their severity, impact, and exploitability. Tree-based testing can be performed by service-based, product-based, or inference-based solutions, depending on the scope, objectives, and resources of the assessment4.

D. Product-based solution installed on a private network: This option is a type of vulnerability assessment solution, but it may not meet all the requirements of the large e-commerce organization. A product-based solution is a type of vulnerability assessment that is performed by using software or hardware tools that are installed on the organization’s own network. A product-based solution can scan automatically against continuously updated databases, as the tools can be configured to download and apply the latest security updates and patches. However, a product-based solution may not imitate the outside view of attackers, as the tools may have limited access or visibility to the external network or the internet. A product-based solution may also not perform well-organized inference-based testing, as the tools may rely on predefined rules or signatures to detect and report vulnerabilities, rather than using logical reasoning and deduction. A product-based solution may also not support multiple networks, as the tools may be designed or optimized for a specific type of network, such as wired, wireless, cloud, or hybrid .

Remote File Inclusion occurs when an application allows external resources to be loaded from user-controlled input. CEH teaches that an attacker can supply a remote URL pointing to a malicious script (for example, a PHP shell). When the vulnerable application includes this external file, the attacker's code executes on the server. This can lead to full system compromise, remote command execution, or lateral movement.

A Multipartite Virus is designed to infect both the boot sector and executable files of a system. This makes it more complex and harder to remove than viruses that target only one area. It can spread in multiple ways and activate under different conditions depending on whether the infected file or boot sector is accessed first.

CEH v13 Official Curriculum states:

“Multipartite viruses infect both the boot sector and program files. They are difficult to remove and can reinfect the system unless both locations are cleaned simultaneously.”

Incorrect Options:

A. Polymorphic viruses change their code signatures but do not necessarily target both boot and executable areas.

B. Stealth viruses conceal their presence, often by intercepting system calls.

D. Macro viruses infect macro-enabled files, typically in Microsoft Office documents.

Reference – CEH v13 Guide:

Module 06: Malware Threats

Topic: Types of Malware – Multipartite Viruses

An untethered jailbreak is one that allows a telephone to finish a boot cycle when being pwned with none interruption to jailbreak-oriented practicality.

Untethered jailbreaks area unit the foremost sought-after of all, however they’re additionally the foremost difficult to attain due to the powerful exploits and organic process talent they need. associate unbound jailbreak is sent over a physical USB cable association to a laptop or directly on the device itself by approach of associate application-based exploit, like a web site in campaign.

Upon running associate unbound jailbreak, you’ll be able to flip your pwned telephone off and on once more while not running the jailbreak tool once more. all of your jailbreak tweaks and apps would then continue in operation with none user intervention necessary.

It’s been an extended time since IOS has gotten the unbound jailbreak treatment. the foremost recent example was the computer-based Pangu break, that supported most handsets that ran IOS nine.1. We’ve additionally witnessed associate unbound jailbreak within the kind of JailbreakMe, that allowed users to pwn their handsets directly from the mobile campaign applications programme while not a laptop.

https://www.infocyte.com/blog/2019/02/16/cybersecurity-101-what-you-need-to-know-about-false-positives-and-false-negatives/

False positives are mislabeled security alerts, indicating there is a threat when in actuality, there isn’t. These false/non-malicious alerts (SIEM events) increase noise for already over-worked security teams and can include software bugs, poorly written software, or unrecognized network traffic.

False negatives are uncaught cyber threats — overlooked by security tooling because they’re dormant, highly sophisticated (i.e. file-less or capable of lateral movement) or the security infrastructure in place lacks the technological ability to detect these attacks.

A DNS zone file contains resource records (RRs) that define mappings and configurations for domains and subdomains. The standard records found in a zone file include:

SOA (Start of Authority): Indicates the beginning of the zone file.

NS (Name Server): Specifies the authoritative name servers.

A (Address): Maps hostnames to IPv4 addresses.

MX (Mail Exchange): Specifies mail servers.

These records are essential for the DNS resolution process and mail routing.

From CEH v13 Official Courseware:

Module 3: DNS Enumeration

Topic: DNS Record Types

CEH v13 Study Guide states:

“A zone file contains all the resource records including SOA, NS, A, and MX. These define name server authority, IP resolution, and mail server routing.”

Incorrect Options:

A: DNS is a protocol, not a resource record.

B: PTR is for reverse DNS, typically in a separate reverse zone file.

C: AXFR is a DNS transfer mechanism, not an RR in the zone file.

According to the Certified Ethical Hacker (CEH) IoT, OT, and SCADA Security module, side-channel attacks exploit indirect information leaks such as power consumption, electromagnetic emissions, timing variations, or thermal output rather than software vulnerabilities.

Option A is correct because monitoring hardware-level anomalies is the primary method for detecting side-channel exploitation. CEH materials emphasize that these attacks bypass traditional security controls.

Option B relates to cryptographic weaknesses, not side-channel analysis.

Option C addresses interface misuse, not covert data leakage.

CEH highlights that SCADA systems are especially vulnerable due to legacy hardware and limited monitoring capabilities.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 identifies XML Signature Wrapping (XSW) attacks, also known simply as Wrapping attacks, as a major threat against SOAP-based web services. These attacks exploit weak XML parsing and insufficient validation of signed message components. SOAP messages often include digitally signed sections, but if the server validates the signature without confirming the correct position or structure of the signed elements, attackers can duplicate, move, or wrap signed content inside a modified XML envelope. This allows an attacker to inject malicious payloads while still presenting a valid signature. CEH details how this can lead to unauthorized execution, privilege escalation, or bypassing authentication controls in SOAP APIs. Cloud snooping, cryptanalysis, and IMDS abuse do not involve message duplication or signature misplacement. The scenario precisely matches CEH’s definition of a Wrapping Attack in SOAP/XML security.