312-50v13 ECCouncil Certified Ethical Hacker Exam (CEHv13) Free Practice Exam Questions (2026 Updated)

The Certified Ethical Hacker (CEH) Network and Perimeter Hacking module describes MAC flooding as an attack targeting switch CAM (Content Addressable Memory) tables. The attacker overwhelms the switch by sending frames with spoofed MAC addresses, forcing the switch to broadcast traffic like a hub.

Option D is the correct indicator because MAC flooding results in many different MAC addresses being learned on a single switch port, which is abnormal behavior. CEH documentation identifies this as the primary forensic sign of a MAC flooding attack.

Option A relates more closely to ARP poisoning rather than MAC flooding.

Option B can occur in network misconfigurations but is not a primary MAC flooding indicator.

Option C is common in NAT environments and is not malicious by itself.

CEH emphasizes monitoring CAM table behavior and port security violations to detect MAC flooding attacks effectively.

The scenario describes a program that appears legitimate (a software update installer that “functions normally”) while secretly placing additional malicious components onto the system, which later execute to establish remote access. That is the defining behavior of a dropper. A dropper’s primary role is to deliver (drop) malware payloads onto a host—writing files to disk or unpacking embedded components—often while disguising itself as a benign application. The malicious components may then be executed immediately or staged for later activation to reduce suspicion and increase persistence.

This differs from a downloader, which typically contains minimal payload and focuses on contacting a remote server to fetch malware after initial execution. In this case, the description emphasizes that “additional malware components are silently placed on the system,” implying the payload is being installed/deposited locally by the initial program rather than primarily downloaded. An injector focuses on injecting code into another running process (process injection) to evade detection or run under another process context; it does not inherently describe the act of placing additional components as separate hidden files. A wrapper is a technique where a malicious program is bound or “wrapped” with a legitimate one so that both run; while wrappers can be used in trojanized installers, the question emphasizes the behind-the-scenes placement of additional components for later activation, which is the classic dropper behavior.

The key indicators are: (1) user executes an installer that appears normal, (2) hidden malware components are deposited without the user’s knowledge, and (3) those components later activate for remote access. That chain matches a dropper’s purpose: stealthy malware delivery and staging.

Therefore, the correct answer is D. Dropper.

This scenario represents a Botnet-Based Distributed Denial-of-Service (DDoS) attack, as described in CEH v13 Network Attacks. Compromised internal devices become part of a botnet and are used to launch attacks against external targets.

CEH v13 notes that botnets frequently include IoT devices and employee workstations, making insider-originated DDoS activity a serious concern.

This scenario strongly suggests a race condition attack in the application’s token validation logic, as described in CEH v13 Web Application Hacking. A race condition occurs when an application processes multiple requests simultaneously and fails to properly synchronize validation checks.

The presence of multiple failed attempts using expired tokens followed by successful access within a short time window indicates the attacker exploited a timing flaw. During this window, the system may have inconsistently validated token expiration, allowing an expired token to be accepted.

Option A is unlikely because the logs specifically reference expired tokens. Option B is incorrect because replaying expired tokens should fail unless a validation flaw exists. Option C is highly improbable due to token entropy.

CEH v13 highlights race conditions as advanced logic flaws that are difficult to detect and often missed during standard testing. They are commonly exploited in authentication, payment processing, and session management systems.

Therefore, Option D is the correct and CEH-aligned answer.

The persistence described—“automatically launch every time the system is restarted” with no user interaction—most commonly aligns with Registry Run keys on Windows. Run keys are a classic persistence mechanism where an attacker adds a value referencing their executable to locations such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run (per-user) or HKLM\Software\Microsoft\Windows\CurrentVersion\Run (system-wide). When Windows starts (and/or when a user logs in, depending on the key), the operating system processes these entries and launches the referenced program automatically. This provides reliable persistence across reboots and is frequently used because it is simple, effective, and blends with legitimate startup entries.

The scenario indicates Meera placed a binary in a hidden directory and configured it to auto-launch after restarts. Registry-based autoruns fit that exact pattern: the binary can reside anywhere (including a hidden folder), while the registry entry points to it. The persistence survives reboot and does not require the attacker to be present.

Why the other options are less likely given the phrasing:

Startup Folder (C) can also auto-launch programs, but it commonly implies a shortcut or executable placed in the user’s startup directory and is generally tied to user logon behavior. The question emphasizes “every time the system is restarted” and is most often tested in CEH contexts as registry autorun persistence.

Scheduled Tasks (A) can run at startup or on triggers and is a valid persistence technique, but the scenario does not mention task scheduling, triggers, or task configuration.

Creating a new service (B) would typically imply installing a Windows service, often requiring elevated privileges and presenting as a managed service; the scenario frames it as a lightweight binary planted and configured to auto-launch, which aligns more naturally with Run keys.

Therefore, the most likely persistence technique is D. Registry run keys.

According to the CEH Sniffing and Network Protocol Attacks module, covert channels represent one of the most sophisticated and difficult-to-detect data interception techniques. These channels hide malicious communication within legitimate protocol behavior, making them extremely challenging for traditional IDS/IPS and packet inspection tools to identify.

Industrial and legacy protocols such as Modbus, widely used in OT and legacy enterprise environments, lack encryption and authentication by design. CEH documentation highlights that attackers can manipulate unused or poorly validated Modbus fields to covertly transmit or intercept data while appearing as normal control traffic.

Option D is correct because covert channels over trusted legacy protocols blend seamlessly with legitimate traffic and bypass many security controls.

Option A is not a sniffing technique but a data-hiding method.

Option B describes exploitation, not sniffing.

Option C is a theoretical evasion method but is more detectable through reassembly.

CEH emphasizes covert channels as one of the most formidable sniffing challenges.

In CEH v13 Information Security and Ethical Hacking Overview, script kiddies are defined as individuals with limited technical knowledge who rely on pre-written tools, scripts, and exploits created by others to carry out attacks. They typically lack a deep understanding of how the underlying exploits work.

CEH v13 categorizes attackers based on skill level and intent. Script kiddies sit at the lower end of the skill spectrum. They often download exploit kits, automated scanners, or attack frameworks and run them with minimal customization. While their attacks may be unsophisticated, they can still cause damage due to the availability of powerful tools.

Option B accurately reflects this definition. Options A and D describe skilled attackers or programmers, which contradicts the CEH classification. Option C is incorrect because ethical hackers use tools responsibly with authorization and possess a strong understanding of security principles.

CEH v13 emphasizes that although script kiddies are less skilled, they pose a risk because automation allows them to exploit known vulnerabilities at scale. This is why organizations must patch systems promptly and implement baseline security controls.

Thus, Option B is the correct answer.

CEH v13 explains that ARP poisoning (also known as ARP spoofing) occurs when an attacker sends forged ARP replies across the network to associate their MAC address with multiple IP addresses, tricking hosts into sending traffic through the attacker’s machine. This results in routing inconsistencies, intermittent connectivity, failed logins, and degraded intranet performance—exactly the symptoms described. ARP poisoning typically involves unsolicited ARP replies, which overwrite legitimate ARP cache entries. CEH emphasizes that ARP-based attacks are common on LANs because ARP lacks authentication, allowing attackers to impersonate gateways or key hosts. DHCP snooping misconfigurations (Option B) affect IP allocation, not ARP mappings. Legitimate ARP refreshes (Option C) are request-based and do not involve flooding unsolicited replies. Port security restrictions (Option D) block MAC anomalies, not create them. Therefore, ARP poisoning is the correct root cause.

Whaling is the correct answer because the scenario describes a highly targeted phishing attempt aimed at a “big fish”—a senior executive (the CEO). In CEH terminology, whaling is a specialized form of phishing that focuses on high-profile, high-authority individuals (e.g., CEOs, CFOs, directors) to maximize impact. These targets often have access to sensitive data, financial approvals, privileged systems, and strategic communications, making their credentials significantly more valuable than those of typical employees.

The attacker (Clara) uses classic social engineering drivers emphasized in CEH training: authority (impersonating the legal department), urgency/fear (a “pending lawsuit”), and trust in internal processes (a link to a supposed internal portal). This combination is designed to short-circuit normal verification behavior and prompt quick compliance. The inclusion of a credential-harvesting link aligns with common phishing goals: capturing usernames/passwords, enabling account takeover, and potentially facilitating broader compromise (e.g., email access for business email compromise, lateral movement, or privileged escalation).

Why the other options are less accurate: Spear phishing is also targeted, but it is a broader category aimed at specific individuals or groups at any level. The defining clue here is the executive-level target, which elevates it to whaling. Clone phishing involves copying a legitimate email previously received and swapping a malicious link or attachment—this detail is not present. Consent phishing typically abuses legitimate OAuth/app consent flows rather than a fake portal requesting credentials.

This scenario describes SNMP Enumeration, a technique covered under CEH v13 Reconnaissance and Enumeration. Simple Network Management Protocol (SNMP) operates over UDP port 161 and is widely used for monitoring and managing network devices. A common and critical weakness arises when organizations leave default or publicly known community strings such as public (read-only) or private (read-write) unchanged.

CEH v13 explains that when an SNMP agent is configured with default community strings, it allows unauthenticated or weakly authenticated queries, enabling attackers to retrieve extensive system information. This includes installed software, running processes, system descriptions, network interfaces, and routing tables. The ability to perform bulk data queries using SNMP GET and WALK commands makes enumeration highly effective and fast.

Option B correctly identifies the root cause: misconfigured SNMP agents permitting anonymous or default access. The other options are incorrect because SNMP does not rely on FTP, registry access, or trap logging for enumeration. Traps (Option D) are unsolicited notifications sent to managers and are not used for querying system details.

CEH v13 strongly recommends disabling SNMP when not required, changing default community strings, restricting SNMP access via ACLs, and using SNMPv3, which supports authentication and encryption. Therefore, Option B is the correct and CEH-aligned answer.

The Certified Ethical Hacker (CEH) Network and Perimeter Hacking module describes MAC flooding as an attack targeting switch CAM (Content Addressable Memory) tables. The attacker overwhelms the switch by sending frames with spoofed MAC addresses, forcing the switch to broadcast traffic like a hub.

Option D is the correct indicator because MAC flooding results in many different MAC addresses being learned on a single switch port, which is abnormal behavior. CEH documentation identifies this as the primary forensic sign of a MAC flooding attack.

Option A relates more closely to ARP poisoning rather than MAC flooding.

Option B can occur in network misconfigurations but is not a primary MAC flooding indicator.

Option C is common in NAT environments and is not malicious by itself.

CEH emphasizes monitoring CAM table behavior and port security violations to detect MAC flooding attacks effectively.

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies “Insecure Data Storage” as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

The correct answer is B. Predictive analysis because the client’s primary objective is to anticipate future attack patterns before they occur, and the described AI-enabled platform is explicitly being used to forecast potential attack vectors based on historical breaches and anomaly data. In CEH-aligned coverage of modern security capabilities, AI-driven approaches add value by learning from large datasets (logs, alerts, incidents, threat intelligence, and observed attacker behaviors) to identify trends, detect weak signals, and predict the most likely next steps an adversary may take. This directly supports proactive defense planning rather than purely reactive response.

In this scenario, the platform ingests “previous breaches and anomaly data” and produces forward-looking insights. That is the essence of predictive analysis: applying machine learning/analytics to estimate where attacks may emerge (for example, which assets are most at risk, which tactics are trending, what misconfigurations correlate with compromise, or which sequences of events often precede an intrusion). This helps defenders prioritize controls, patching, monitoring, and hardening to disrupt the projected attack paths ahead of time. It also aligns with the retail client’s desire to know whether their defenses can “anticipate” attacks, not merely document them after the fact.

Why the other options are less correct: Scalability is a benefit of AI (automating large-scale analysis), but it does not specifically address forecasting future attack vectors. Enhanced reporting improves how findings are communicated, but it is not the key capability described. Simulation and testing refers to running scenarios or automated testing in environments to measure resilience; that can be AI-assisted, but the prompt focuses on analyzing historical and anomaly data to predict likely attacks, which maps most directly to predictive analysis.

Therefore, the most critical benefit of AI-driven ethical hacking in this case is predictive analysis.

The Certified Ethical Hacker (CEH) Malware Threats module explains that attackers often abuse legitimate system services to blend malicious traffic with normal system behavior. Background Intelligent Transfer Service (BITS) is a Windows service designed to transfer files in the background using idle network bandwidth.

Attackers leverage BITS because its traffic closely resembles legitimate Windows Update traffic, which is commonly allowed through firewalls and proxy servers. CEH documentation states that BITS-based malware can download payloads, upload stolen data, and maintain persistence without triggering security alerts.

Option A is correct because BITS traffic appears legitimate and trusted, making it difficult for security devices to distinguish malicious usage.

Option B is incorrect because BITS does not operate exclusively through HTTP tunneling; it primarily uses HTTP/HTTPS in a legitimate manner.

Option C is incorrect because IP fragmentation is not a core feature of BITS.

Option D is incorrect because BITS does not rely on encrypted DNS traffic.

CEH emphasizes that living-off-the-land (LotL) techniques—using native tools like BITS—are increasingly favored by attackers due to their stealth and reliability.

CEH describes SQL injection testing as a core part of web application assessment. One of the first and safest validation techniques is using a tautology-based SQL injection payload, such as ' OR ' 1 ' = ' 1. If the application concatenates user input directly into SQL queries, such an input will cause the query to always evaluate as true, often returning additional records such as multiple user profiles. This confirms the presence of SQL injection without causing destructive effects like dropping tables. Testing XSS does not validate SQL injection, brute-forcing credentials is unrelated, and directory traversal attacks target file path manipulation rather than backend queries. CEH emphasizes avoiding destructive queries and starting with non-intrusive injection payloads that reveal improper input sanitization, making ' OR ' 1 ' = ' 1 the correct technique for confirming SQL injection vulnerabilities in URL parameters.

In CEH v13 Cryptography, this threat is formally referred to as “Harvest Now, Decrypt Later” (HNDL). It describes a long-term cryptographic risk where adversaries intercept and store encrypted communications today, even though they cannot decrypt them with current computational capabilities. The expectation is that future quantum computers will be powerful enough to break widely used public-key cryptographic algorithms.

CEH v13 emphasizes that quantum algorithms such as Shor’s Algorithm can theoretically break RSA, DSA, and ECC by efficiently solving integer factorization and discrete logarithm problems. However, the defining feature of this threat is not the act of breaking encryption itself, but rather the strategic collection and storage of encrypted data in advance.

Option C is incomplete because it focuses only on the cryptographic mechanism rather than the threat model. Options B and D are unrelated to the scenario described and refer to quantum communication integrity issues, not long-term cryptographic exposure.

CEH v13 highlights that sensitive data with long confidentiality lifetimes—such as government records, financial data, healthcare information, and intellectual property—is especially vulnerable to this threat. As a result, organizations are encouraged to adopt quantum-resistant (post-quantum) cryptographic algorithms proactively.

Thus, Option A accurately describes the threat model and aligns with CEH v13’s treatment of future cryptographic risks.

CEH v13 describes Cross-Site Request Forgery (CSRF) as an attack in which an authenticated user ' s browser is tricked into submitting unauthorized actions to a trusted application without the user ' s intent. CSRF exploits the fact that browsers automatically include stored session cookies when sending requests to a domain the user is logged into. In this scenario, the attacker creates a malicious form that triggers an unwanted funds transfer. Since the application does not validate request origin, enforce CSRF tokens, or require secondary verification, it processes the attacker ' s forged request as if it came legitimately from the victim. CEH emphasizes that CSRF differs from XSS because no malicious script executes on the target website; instead, the attacker leverages the victim’s authenticated session. This is distinct from session fixation (Option A), replay attacks (Option B), and XSS (Option D). The described behavior aligns precisely with CSRF exploitation.

CEH materials describe this attack pattern as Living-off-the-Land (LotL), where attackers abuse legitimate tools to avoid detection. Because these binaries are normally trusted, traditional antivirus solutions may not flag them.

CEH recommends file integrity monitoring (FIM), which tracks cryptographic hashes of sensitive executables and alerts administrators when unauthorized modifications occur.

Option D is correct.

Options A and B support resilience but do not detect tampering.

Option C alone is insufficient against LotL attacks.

The correct answer is Deauthentication Attack. CEH wireless security coverage explains that deauthentication attacks abuse 802.11 management frames to force wireless clients to disconnect from an access point. When spoofed deauthentication frames are transmitted, client devices believe they have been instructed to terminate the association and must reconnect manually or automatically. That matches the scenario exactly: carefully crafted management frames are sent, connected laptops immediately lose association, and the disruptions occur only while those frames are being transmitted. Jamming is different because it disrupts wireless communication through radio-frequency interference rather than valid-looking 802.11 management messages. Eavesdropping is passive interception, and an evil twin involves a rogue access point impersonating a legitimate one. CEH materials describe deauthentication attacks as common wireless denial and disruption techniques and also note that they may be used to force reconnects for handshake capture during broader wireless attacks. Because the question focuses on targeted disconnects caused by crafted management frames, the most accurate classification is Deauthentication Attack.

Outdated server software often contains memory corruption flaws. CEH notes that buffer overflow exploits are a primary method for compromising vulnerable server binaries, allowing remote code execution. This approach targets the underlying service rather than application-layer input validation issues.

In the CEH Denial-of-Service and Network Attacks coverage, a SYN flood is a classic TCP-based DoS technique that exploits the TCP connection establishment process. In a normal handshake, the client sends SYN, the server replies SYN/ACK, and the client completes with ACK. A SYN flood deliberately sends a high volume of SYN packets (often spoofed) but never completes the final ACK. As CEH describes, this leaves the server holding many half-open connections in SYN_RECEIVED, consuming memory and connection table resources (backlog queue). When the backlog fills, legitimate clients cannot establish connections, degrading availability.

The indicators in your scenario align exactly with CEH’s SYN flood fingerprints: incomplete handshakes and accumulation of half-open connections. The goal is resource exhaustion at the connection-management layer rather than bandwidth saturation.

Option B (Ping of Death) involves malformed/oversized ICMP packets and does not match SYN_RECEIVED behavior. Option C (UDP flood) targets UDP services/ports and creates different symptoms (high UDP traffic, ICMP unreachable messages, service degradation) without half-open TCP states. Option D (Smurf) is ICMP-based amplification via broadcast addresses—again unrelated to incomplete TCP handshakes.

CEH also notes mitigations such as SYN cookies, increasing backlog, reducing SYN-RECEIVED timers, rate limiting, and upstream filtering—further reinforcing that the described event is a SYN flood.

CEH describes SQL injection testing as a core part of web application assessment. One of the first and safest validation techniques is using a tautology-based SQL injection payload, such as ' OR ' 1 ' = ' 1. If the application concatenates user input directly into SQL queries, such an input will cause the query to always evaluate as true, often returning additional records such as multiple user profiles. This confirms the presence of SQL injection without causing destructive effects like dropping tables. Testing XSS does not validate SQL injection, brute-forcing credentials is unrelated, and directory traversal attacks target file path manipulation rather than backend queries. CEH emphasizes avoiding destructive queries and starting with non-intrusive injection payloads that reveal improper input sanitization, making ' OR ' 1 ' = ' 1 the correct technique for confirming SQL injection vulnerabilities in URL parameters.

This scenario describes an Android rooting approach where the attacker installs a rooting tool directly on the device as an APK and uses it to exploit vulnerabilities to gain elevated privileges. The key feature that makes this approach effective, as stated in the question, is that it works without requiring a computer connection. That aligns directly with option B: “It is an APK that can run directly on the device without a PC.”

Rooting tools packaged as APKs are effective in environments where physical access is limited to the device itself (or where connecting to a PC is impractical or would raise suspicion). Once installed, such an app can attempt privilege escalation by leveraging known weaknesses in the OS, drivers, or vendor components, aiming to obtain root-level access. From a security assessment standpoint, this demonstrates that mobile devices may be at risk if users can install untrusted applications, if the device is not fully patched, or if application controls (enterprise MDM policies, app allowlisting, unknown-sources restrictions) are weak.

The other options are inconsistent with Android APK-based rooting as described. “Tethered jailbreak” terminology applies to iOS jailbreaking, not Android rooting, and the scenario explicitly says no computer connection is required. Weak SSL validation relates to application-layer transport security issues rather than privilege escalation to root. Bluetooth pairing flaws are a different attack class and are not indicated here; the described method is an on-device exploit chain initiated by installing a rooting APK.

Therefore, the feature that makes this rooting approach effective in the scenario is B: it runs directly on the device as an APK without needing a PC.

The described bypass is most consistent with using an in-line comment technique. Many simplistic SQL injection filters look for specific “blocked” keywords such as SELECT, UNION, OR, or DROP as contiguous strings. If the tester breaks a keyword apart by inserting tokens the database will ignore—most commonly comment delimiters—the filter may fail to match the forbidden keyword, while the SQL parser still reconstructs the intended meaning. For example, inserting comment markers inside a keyword can cause the application-layer filter to miss the pattern, yet the database can still process the statement depending on the DBMS and parsing rules. This is why comment-based obfuscation is a common SQLi evasion approach against weak signature filters.

The scenario’s wording “broken apart with unexpected symbols” maps well to comment markers such as /**/ (or other DBMS-specific comment forms). These characters look “unexpected” to a naïve filter, but to the SQL engine they are treated as comments/whitespace and effectively ignored during parsing, allowing the attacker’s intended keyword to be interpreted correctly.

Why the other options are less aligned:

String concatenation (A) is an obfuscation approach where attackers build keywords/strings using concatenation operators or functions (DBMS-specific). The scenario emphasizes splitting keywords with symbols that the DB interprets correctly as separators/ignored content, which more directly matches comment insertion.

Hex encoding (B) encodes parts of a payload (strings, sometimes function names) in hexadecimal form. That is a different technique than splitting keywords with inserted symbols.

Null byte (D) is historically used to terminate strings in certain contexts (more common in older file/path handling bugs) and is not the primary technique for bypassing keyword filters in modern SQL parsing.

Therefore, the SQL injection evasion technique is C. In-line Comment.

CEH v13 identifies Slowloris as a low-bandwidth yet highly effective application-layer DoS technique that works by opening many HTTP connections and sending headers very slowly, never completing the request. Because the server must maintain these half-open HTTP sessions, its connection pool becomes saturated, preventing it from servicing legitimate users. Slowloris is particularly dangerous because it does not rely on malformed packets, high traffic volume, or protocol abuses; instead, it mimics legitimate HTTP behavior, making it difficult for firewalls or IDS systems to distinguish malicious traffic. This aligns exactly with the described scenario, where thousands of legitimate-looking HTTP connections are gradually consuming server resources. Fragmentation attacks (Option B) target packet reconstruction, UDP floods (Option C) generate high-bandwidth noise, and SYN floods (Option D) impact the TCP handshake layer, not the HTTP header behavior. Slowloris’ unique use of slow HTTP headers directly matches the symptoms described.

The Certified Ethical Hacker (CEH) Incident Response lifecycle begins with Identification, followed by containment, eradication, recovery, and lessons learned. CEH documentation stresses that understanding the scope and nature of an incident is critical before taking disruptive action.

Option A is the correct initial response because it focuses on real-time monitoring and log analysis, which are essential during the identification phase. CEH materials emphasize analyzing logs, authentication failures, and traffic anomalies to confirm whether an incident has occurred and determine the attacker’s techniques, persistence level, and impact.

Option B, while valuable, is more appropriate after initial identification. Conducting deep outbound traffic audits without first understanding the attack vector can delay containment decisions.

Option C is premature. CEH warns that changing credentials too early may alert the attacker and cause them to escalate or destroy evidence.

Option D represents a containment strategy, not an initial response. CEH guidelines advise against immediately disconnecting systems unless there is confirmed active data exfiltration that cannot be otherwise controlled, as this may disrupt business operations and erase volatile forensic evidence.

Therefore, the CEH-approved approach is to monitor, analyze, and identify the incident before moving to containment and eradication.

DHCP starvation is a network-level attack in which an attacker sends a massive number of DHCPDISCOVER requests, each appearing to originate from a different MAC address. CEH courseware explains that DHCP servers assign IP leases based on unique MAC addresses, and when the lease pool is exhausted, legitimate clients are unable to obtain valid IP configurations. This disrupts network connectivity and can serve as a precursor to deploying a rogue DHCP server, enabling further attacks such as traffic redirection or credential interception. DHCP starvation is different from ARP spoofing, which manipulates MAC–IP mappings, or DNS poisoning, which corrupts domain resolution. Rogue DHCP relay attacks involve forwarding DHCP packets to unauthorized servers, not depleting leases. The scenario described—rapid MAC address spoofing and exhaustion of DHCP leases—matches the precise definition of DHCP starvation as documented in CEH materials.

Ethical hacking, as defined throughout CEH courseware, is the authorized and legitimate process of identifying vulnerabilities, weaknesses, and misconfigurations in information systems. The primary objective is to strengthen security by discovering issues before malicious actors can exploit them. Ethical hackers follow strict legal guidelines, obtain written permission, and operate within a defined scope to ensure their activities contribute positively to the organization’s security posture. Unlike malicious hacking, the intent is not to steal data, cause harm, or disrupt operations. Ethical hackers use the same tools, techniques, and methodologies that attackers use, but with the purpose of remediation and risk reduction. CEH emphasizes that ethical hacking supports defense-in-depth strategies by enabling organizations to harden their environments and proactively mitigate threats. Therefore, identifying and fixing vulnerabilities is the central mission of ethical hacking.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 describes Firewalking as a reconnaissance technique designed to determine which layer-4 protocols and ports a firewall allows. The attacker sends packets with carefully adjusted TTL values so that the packet expires just beyond the firewall. If the next hop generates ICMP Time Exceeded responses, the attacker can infer which ports the firewall permits. This method mimics normal TTL behavior, making it stealthier than full SYN scans or high-noise probing. Firewalking is expressly highlighted in CEH as a low-profile way to map firewall ACLs without triggering alarms. Broadcast pings are noisy and detectable, passive DNS monitoring does not reveal firewall rule sets, and full SYN scans are easily flagged by IDS systems. Firewalking’s reliance on TTL behavior, combined with protocol-specific probes, makes it the correct and CEH-aligned technique for quietly discovering open ports and firewall filtering rules.