312-50v13 ECCouncil Certified Ethical Hacker Exam (CEHv13) Free Practice Exam Questions (2026 Updated)

In CEH v13 Information Security and Ethical Hacking Overview, a penetration tester is defined as a trusted, authorized security professional hired to simulate real-world attacks in order to identify and exploit vulnerabilities with explicit permission.

The primary objectives of a penetration tester are:

Identify weaknesses in systems, networks, and applications

Demonstrate real-world impact of vulnerabilities

Help organizations improve their security posture

Unlike malicious hackers (Option A) or malware authors (Options B and D), penetration testers operate under strict legal and ethical guidelines, following scopes of engagement and reporting findings responsibly.

CEH v13 emphasizes that penetration testing is proactive defense, not crime. Therefore, Option C accurately defines the role.

The correct answer is B. BitLocker Drive Encryption because the requirements describe native Windows full-disk encryption that integrates tightly with enterprise Windows security features and centralized management. BitLocker is Microsoft’s built-in disk encryption technology designed to provide transparent encryption for the operating system volume and additional fixed/removable drives. It supports hardware-backed startup protection through integration with the Trusted Platform Module (TPM), which can help protect encryption keys and validate boot integrity before unlocking the OS volume. This matches the prompt’s requirement for “hardware-backed startup protection.”

The scenario also emphasizes “centralized key escrow via Active Directory/management policies.” In enterprise deployments, BitLocker recovery information can be backed up to Active Directory and managed through Group Policy / MDM controls, enabling standardized enforcement (encryption settings, recovery key handling, compliance reporting) across servers and endpoints. This is a core operational advantage in regulated environments like healthcare: it enables rapid response (recoverability), consistent policy application, and audit-friendly control of encryption keys—without requiring third-party key management tooling for basic escrow needs.

Additionally, the prompt calls for securing the “system partition and attached data volumes” in a way that is compatible with Windows platform behavior and minimizes disruption. BitLocker supports encrypting both the OS volume and data volumes, and it is designed for transparent operation once enabled, so normal server use and domain authentication continue as expected.

Why the other options are not correct: FileVault is Apple’s full-disk encryption for macOS, not Windows. VeraCrypt and Rohos Disk Encryption are third-party solutions that can provide disk encryption, but they do not match the stated preference for deep Windows enterprise integration with TPM-based startup protection and Active Directory–based recovery key escrow through standard Microsoft management policies.

Therefore, the best solution for this Windows enterprise requirement is BitLocker Drive Encryption.

CEH categorizes spear phishing as a highly targeted, research-driven social engineering technique that tailors the message to the victim’s role, responsibilities, and current organizational activities. When attackers reference specific internal projects, personnel names, vendor relationships, or operational details, the message appears authentic and bypasses normal suspicion. Executives are especially vulnerable because they routinely receive sensitive operational updates and work closely with vendors and partners, making them prime targets for tailored deception. CEH stresses that spear phishing is significantly more effective than generic phishing because personalization increases trust. Social media-based attempts and mass phishing lack specificity and raise suspicion. Impersonating the CEO over the phone is riskier and more detectable due to real-time human interaction. A targeted spear-phishing email referencing internal projects best aligns with CEH-described advanced social engineering strategy.

The Certified Ethical Hacker (CEH) Social Engineering module defines tailgating as a physical social engineering attack where an unauthorized person follows an authorized individual into a restricted area.

Option C precisely matches CEH’s definition.

Option A is pretexting.

Option B is baiting.

Option D is phishing.

CEH stresses physical security awareness as critical as cyber defenses.

CEH v13 discusses various credential extraction and authentication abuse techniques, including approaches that avoid LSASS memory due to modern protections like Credential Guard. The Internal Monologue technique is a specialized credential-harvesting approach that leverages the Windows SSPI authentication stack to coerce the local system into generating NetNTLM challenge-response hashes without requiring direct access to LSASS. This allows attackers to obtain legitimate NTLM responses entirely within the user’s security context. These captured responses can then be cracked offline using tools such as Hashcat. Unlike replay attacks (Option B), Internal Monologue is not about reusing captured traffic. Hash injection (Option C) requires possession of NT hashes and modifies authentication tokens, which does not occur here. Pass-the-ticket (Option D) targets Kerberos, not NTLM. Therefore, the correct technique is the Internal Monologue attack.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 describes Firewalking as a reconnaissance technique designed to determine which layer-4 protocols and ports a firewall allows. The attacker sends packets with carefully adjusted TTL values so that the packet expires just beyond the firewall. If the next hop generates ICMP Time Exceeded responses, the attacker can infer which ports the firewall permits. This method mimics normal TTL behavior, making it stealthier than full SYN scans or high-noise probing. Firewalking is expressly highlighted in CEH as a low-profile way to map firewall ACLs without triggering alarms. Broadcast pings are noisy and detectable, passive DNS monitoring does not reveal firewall rule sets, and full SYN scans are easily flagged by IDS systems. Firewalking’s reliance on TTL behavior, combined with protocol-specific probes, makes it the correct and CEH-aligned technique for quietly discovering open ports and firewall filtering rules.

The correct answer is A. Switch(config)# ip dhcp snooping because the question asks for the global setting that must be enabled first, before applying more specific (granular) DHCP Snooping controls. In Cisco switching, DHCP Snooping is the primary Layer 2 security feature used to mitigate rogue DHCP server attacks. Once enabled, the switch can distinguish between trusted ports (where legitimate DHCP server responses are allowed, typically uplinks toward the authorized DHCP server) and untrusted ports (typically access ports to end-user devices), where DHCP server responses (DHCPOFFER/DHCPACK) are filtered to prevent a rogue server from handing out malicious network configuration (gateway/DNS) to clients.

The scenario’s defense goal—“reject DHCP responses from untrusted ports”—is exactly what DHCP Snooping enforces after it is enabled and ports are assigned trust states. Conceptually, the workflow is:

Enable DHCP Snooping globally (feature activation),

Enable it for the relevant VLAN(s), and

Mark the legitimate DHCP-facing interface(s) as trusted so only those ports can send DHCP server responses.

Options C and D are part of the later, granular steps:

C enables DHCP snooping for a specific VLAN, which is necessary but is not the global prerequisite the question highlights.

D is applied under an interface to designate a port as trusted; again, this is granular and only meaningful after DHCP snooping is activated.

Option B is a different feature (Dynamic ARP Inspection) and is used to mitigate ARP spoofing/poisoning rather than rogue DHCP.

Therefore, the global command Jason should recommend first is Switch(config)# ip dhcp snooping.

CEH covers advanced cryptanalytic attacks, including Meet-in-the-Middle (MITM) attacks, which are especially effective against multi-round symmetric encryption schemes. When an algorithm encrypts data twice using different keys, the naive brute-force method would require testing every possible combination of both keys—a time complexity of 2ⁿ × 2ⁿ. Meet-in-the-Middle dramatically reduces this complexity by splitting the problem in half. Attackers encrypt the plaintext using all potential values of the first key and store the results. They then decrypt the final ciphertext using all possible values of the second key. When an intermediate value matches one in storage, the corresponding key pair is identified. CEH highlights that this approach exploits the lack of key independence between two encryption layers, demonstrating how doubling encryption does not always double security. This attack is well-known for targeting 2DES, one of the historical examples covered in CEH. It is not related to side-channel attacks, brute-force flooding, or permutation reversal; it strictly relies on midpoint matching to reduce computational workload.

CEH guidance for web server hardening prioritizes controls that reduce exploitable conditions across the broadest set of threats. While obscuring paths (for example, unusual directory names like “certrcx” or storing content under “/admin/web”) may slightly slow down casual discovery, CEH emphasizes that security through obscurity is not a reliable control. If an attacker can identify the server root, document root, and virtual directory structure (through misconfigurations, directory listing, error leakage, backup exposure, or known-path enumeration), then the real risk becomes unpatched vulnerabilities in the web server, modules, libraries, and underlying OS.

Regularly updating and patching the server software is the most direct, high-impact countermeasure because it closes known vulnerabilities attackers routinely exploit (RCE, privilege escalation, auth bypass, path traversal, request smuggling, etc.). CEH materials also stress that virtual hosting expands the attack surface (multiple sites, shared services, shared misconfigurations), making systematic patching and configuration management even more important.

Option A (moving the document root to a different disk) may help with organization and, in some cases, recovery planning, but it does not inherently reduce vulnerabilities. Option C (changing IPs) is not a security control; it may complicate blocking lists but doesn’t fix the underlying weakness. Option D (using LAMP) is an architectural choice, not a security measure by itself—an open-source stack can still be insecure if misconfigured or unpatched.

Therefore, CEH-aligned best practice is regular patching and updates.

Fileless malware is the best match because the scenario highlights memory-resident execution with no malicious files written to disk and activity that disappears after a reboot. In CEH-aligned malware concepts, fileless attacks commonly leverage legitimate system tools and trusted processes, often called living off the land, to execute malicious logic without dropping traditional executables. PowerShell is one of the most frequently abused components for this purpose because it can download, decode, and run scripts directly in memory, including obfuscated commands that evade simple signature-based scans. The prompt explicitly states that endpoint scanners find no malicious files on disk, yet telemetry detects a trusted process executing obfuscated PowerShell commands in memory. That combination strongly indicates fileless behavior.

The fact that the anomaly vanishes on reboot also fits fileless techniques that rely on volatile memory artifacts rather than persistent file-based implants. While fileless attacks can establish persistence through registry run keys, scheduled tasks, WMI, or other mechanisms, the question emphasizes no footprint and reboot clearing the activity, which is consistent with a purely in-memory foothold or a short-lived execution chain.

A worm is characterized by self-replication across systems, which is not described. A trojan usually involves a malicious file disguised as legitimate software, conflicting with the “no files on disk” observation. A rootkit focuses on stealth and hiding by modifying system internals and can persist, but the scenario’s defining indicators are PowerShell in-memory execution and lack of disk artifacts, which aligns most directly with fileless malware.

SMS Phishing, commonly called smishing, is the correct answer because the attack method is a deceptive text message sent to mobile devices that lures recipients into clicking a malicious link. In CEH-aligned social engineering coverage, smishing is a direct extension of phishing that uses SMS as the delivery channel. The attacker typically creates urgency or authority, such as “critical account update needed,” to trigger fast compliance. The message then pushes the victim to a malicious URL that can deliver malware, prompt credential entry, or enroll the device into a monitoring or management profile depending on platform and permissions. The key indicators in the question are company phones, a crafted message, and a link that installs monitoring software, which fits smishing exactly.

Bluebugging is a Bluetooth-based attack where the attacker exploits Bluetooth weaknesses to gain unauthorized access to a device, read data, place calls, or send messages, and it does not rely on sending a deceptive SMS link. Call spoofing is manipulating caller ID to impersonate a trusted number during voice calls, not delivering a malicious installation link through text. OTP hijacking focuses on intercepting or tricking users into revealing one-time passwords, often through SIM swapping, malware, or real-time phishing, but the scenario emphasizes installing monitoring software through a link rather than capturing a one-time code.

Defenses highlighted in ethical security training include mobile security awareness, blocking unknown links, using mobile threat defense, restricting app installation from untrusted sources, enforcing MDM controls, and monitoring SMS-based social engineering indicators.

CEH’s SQL Injection coverage distinguishes between classic (error-based), union-based, boolean-based blind, and time-based blind SQL injection. Time-based blind SQL injection is used when the application does not return database errors or query results to the attacker (no visible output), but the attacker can infer execution behavior by measuring response delays.

A time-based payload intentionally triggers a database delay function (for example, SLEEP(), WAITFOR DELAY, pg_sleep() depending on DBMS). If the injection is successful, the page response time increases predictably, confirming that attacker-controlled SQL is being executed.

Option C is the correct time-based blind probe because it uses conditional logic (IF(1=1, SLEEP(5), 0)) to cause a measurable delay only when the injected condition evaluates true. CEH teaches that this technique is particularly effective against hardened applications that suppress errors and sanitize outputs, because timing becomes the side-channel for confirmation.

Option A and Option D are UNION-based payload patterns intended to extract data via returned result sets, which time-based blind scenarios typically do not provide. Option B is a classic authentication-bypass/boolean test; it can indicate injection but does not specifically validate time-based blind behavior when output is not observable.

CEH mitigation guidance includes parameterized queries, strict input validation, least-privilege DB accounts, WAF tuning, and centralized logging to detect anomalous query timing patterns.

Android Debug Bridge (ADB) is a powerful debugging interface that, if misconfigured, allows attackers to execute commands remotely. CEH v13 identifies exposed ADB as a critical mobile security risk, especially in enterprise environments.

The most effective countermeasure is to disable ADB entirely, except when explicitly required for development or troubleshooting, and only within tightly controlled environments. This directly removes the attack vector.

VPNs and biometrics improve security but do not prevent ADB abuse. Updating MDM systems is important but does not eliminate the risk if ADB remains enabled.

CEH v13 explicitly recommends strict ADB control as a best practice. Therefore, Option C is the correct answer.

CEH clearly distinguishes between active and passive reconnaissance. Passive methods involve gathering publicly available data without directly interacting with the target’s infrastructure, thus avoiding detection. Tools such as Netcraft, DNSdumpster, VirusTotal, Certificate Transparency logs, and search engine indexing are recommended by CEH for discovering subdomains through public metadata, cached DNS records, WHOIS data, SSL certificate entries, and third-party enumeration databases. These platforms provide insights into externally accessible assets without sending packets or queries to the target organization. Brute-force enumeration is active and violates the rules of engagement. Attempting credential guessing or requesting internal DNS data are unauthorized and clearly active reconnaissance activities. Passive OSINT-based subdomain enumeration is a core CEH technique used to uncover hidden infrastructure safely and legally. It is especially crucial in red team operations where stealth is a priority.

CEH reconnaissance and enumeration modules explain that LDAP services often support anonymous binding by default unless explicitly disabled. Anonymous bind allows unauthenticated users to query certain directory attributes, which can lead to disclosure of usernames, organizational hierarchy, and email addresses—critical information for password attacks, phishing campaigns, and privilege escalation planning. In the scenario described, the tester obtained directory data without providing any credentials, demonstrating that anonymous bind permissions were enabled. LDAPS requires TLS encryption and authentication, which contradicts the observed access. Kerberos authentication mandates valid credentials. LDAP via RADIUS is used for authentication integration, not for information disclosure. Since the query was successful with no authentication and no access controls triggered, this aligns exactly with CEH’s description of anonymous LDAP binding.

CEH emphasizes that application-layer DoS attacks are often the most difficult to detect and mitigate because they can mimic legitimate user behavior while exhausting backend resources. A distributed SQL injection–driven DoS (Option B) can be especially challenging: attackers send requests that appear valid at the HTTP level, but the injected or crafted parameters force the application/database to execute expensive queries (heavy joins, sleep/delay functions, or costly operations). When distributed across many sources, the traffic can look like normal customer usage—successful TCP handshakes, valid HTTP requests, and realistic user-agent patterns—while still causing database connection pool exhaustion, CPU spikes, lock contention, and degraded response times.

Option A (Smurf) and Option D (UDP/DNS flooding) are more volumetric/network-layer patterns and are typically mitigated with upstream DDoS scrubbing, rate limiting, and filtering, and are more readily detectable via traffic anomalies. Option C (zero-day RCE) is severe, but it is not primarily a “DoS technique” in CEH classification; it’s an exploitation scenario that may lead to service outage, but the detection/mitigation path centers on exploit prevention, EDR, patching, and containment rather than DoS controls. In CEH terms, Option B aligns best with a sophisticated, scenario-like DoS that blends into normal app activity.

CEH mitigation approaches for application-layer DoS include WAF rules, input validation/parameterization (preventing SQLi), query cost controls, rate limiting by behavior, caching, database hardening, and anomaly detection at the application and database tiers.

The correct choice is the SOA record because it uniquely provides authoritative administrative and operational metadata about a DNS zone. In CEH reconnaissance techniques, DNS enumeration is a high-value passive and semi-passive method to learn about an organization’s infrastructure without actively attacking hosts. The Start of Authority record defines core parameters of the zone and identifies the primary authoritative name server for that domain. Most importantly for this question, the SOA record contains fields that directly match “serial number and refresh interval,” which are classic SOA elements used for zone replication and synchronization behavior between primary and secondary DNS servers.

An SOA record typically includes the primary name server, the responsible party field often formatted like an email address for the zone administrator, the zone serial number, and timing values such as refresh, retry, expire, and minimum TTL. These details can reveal change frequency, operational practices, and sometimes administrative contact clues, all of which are relevant in reconnaissance and reporting.

The other record types do not meet the requirement. MX records identify mail exchangers for the domain but do not include serial or refresh parameters. NS records list authoritative name servers but lack administrative timing metadata. TXT records store arbitrary text such as SPF, DKIM, DMARC, or verification strings and are useful for email security posture analysis, but they do not provide the zone control fields the question references. Since the question explicitly calls out serial and refresh interval, the SOA record is the only option that fits completely.

Packet fragmentation is a well-documented IDS evasion technique in CEH v13 Network and Perimeter Hacking. Attackers fragment packets to evade detection by overwhelming or confusing intrusion detection systems, especially those that rely on simple pattern matching.

CEH v13 explains that anomaly-based IDS systems are particularly effective against evasion techniques like packet fragmentation because they analyze deviations from normal network behavior, rather than relying on static signatures. Fragmented packets often create unusual traffic patterns, abnormal packet sizes, or irregular reassembly behavior, which anomaly-based systems are designed to detect.

Signature-based IDS solutions struggle against fragmentation because attackers can split malicious payloads across multiple packets in ways that bypass predefined signatures. Rejecting all fragmented packets (Option C) is impractical and could disrupt legitimate network communication, as fragmentation is a normal part of TCP/IP networking.

Recognizing regular intervals (Option A) is unreliable, as attackers can randomize packet timing. CEH v13 clearly recommends anomaly-based detection to counter advanced evasion techniques.

Thus, Option B is the most effective and CEH-aligned IDS configuration.

Amanda’s primary enumeration focus is a “file transfer” service that allows anonymous login and directory listing. That clearly indicates FTP, which runs on TCP port 21 (control channel). Anonymous FTP misconfiguration is a well-known exposure risk because it can allow unauthenticated users to browse or download files, and sometimes even upload content depending on permissions. Enumerating FTP typically includes validating anonymous access, listing directories, checking readable file contents, identifying writable folders, and verifying whether the server leaks banners, system type, or user/account hints.

The scenario also mentions background UDP traffic related to NetBIOS name lookups, which corresponds to UDP port 137 (NetBIOS Name Service). While NetBIOS is more common in Windows environments, it can still appear on networks with mixed systems or legacy compatibility services. The question asks which ports and services to prioritize given her enumeration activity, which includes FTP access weaknesses and noticing NetBIOS name lookup traffic.

Option B (TCP 21 and UDP 137) matches both:

TCP 21 = FTP control port, directly tied to anonymous login and directory enumeration.

UDP 137 = NetBIOS Name Service, matching the observed name-lookup traffic.

Why the other options don’t fit:

TCP 23 is Telnet (A), not the described file transfer service.

TCP 25 is SMTP (C), unrelated to anonymous file transfer login.

TCP 139 is NetBIOS Session Service (D), more associated with SMB over NetBIOS, not specifically with UDP name lookups, and it omits the FTP port central to her activity.

Therefore, the correct choice is B. TCP 21 and UDP 137.

The scenario emphasizes that Daniel “begins capturing and reviewing live network traffic” to identify unauthorized session behaviors. In CEH-aligned network analysis practice, the most direct method to confirm session hijacking when you already have a packet capture is manual packet analysis using packet sniffing tools. By inspecting live traffic, Daniel can correlate sessions, verify whether multiple sources are reusing the same session identifiers, identify abnormal TCP sequence and acknowledgment behavior, and detect patterns such as duplicated cookies/tokens, replayed requests, inconsistent client IP or user-agent shifts, or sudden session reuse across hosts. This approach provides evidentiary detail beyond an alert and allows validation before escalation.

An IDS can be helpful, but it is a detection system that generates alerts based on signatures or anomalies; it does not inherently “confirm” the issue unless it provides clear supporting evidence, and the question specifically frames Daniel’s action as hands-on traffic review. Checking for predictable session tokens is a preventive and diagnostic step for weak session management design, but it does not directly confirm an in-progress hijacking event from observed network behavior. Monitoring for ACK storms can indicate certain TCP-level hijacking/desynchronization conditions, but it is narrower and may not apply to application-layer session hijacking, which is far more common in enterprise environments and would be validated by inspecting session identifiers and request flows in the capture.

Therefore, given the described workflow and the need to confirm unauthorized session activity from live traffic, CEH methodology aligns best with manual packet analysis using sniffing tools.

Password cracking is a core component of the system hacking phase. CEH materials highlight that once password hashes are obtained, attackers often perform offline cracking to avoid detection and bypass account lockout policies. Tools like Hashcat make use of hardware acceleration—specifically, GPU or multi-core CPU computing—to significantly increase cracking throughput. Hardware acceleration allows the system to perform thousands to millions of hash calculations simultaneously, dramatically improving cracking efficiency compared to traditional CPU-bound methods. While dumping SAM contents is part of credential extraction, it is not the optimization described in the scenario. Dictionary rules influence cracking strategy but not raw speed. NetBIOS spoofing is unrelated to password cracking. The emphasis here is on maximizing computational power to accelerate the hash-cracking process, aligning directly with CEH’s explanation of hardware-accelerated offline cracking techniques.

According to the Certified Ethical Hacker (CEH) Reconnaissance and Footprinting module, DNS cache snooping is a passive information-gathering technique used to determine whether a specific DNS record exists in a server’s cache. Attackers commonly use the dig +norecurse option to prevent the DNS server from querying other DNS servers, thereby revealing only cached results.

When a DNS server responds with NOERROR but does not return an answer, it indicates that the domain name itself is valid, but the requested record is not present in the DNS cache. CEH documentation explains that this situation usually occurs when no internal client has recently queried that domain, so the DNS server has no cached entry for it.

Option A is incorrect because a cached record would return a valid answer section.

Option B is incorrect because NOERROR explicitly means the DNS query was processed successfully.

Option D is incorrect because an expired or non-existent domain would typically return NXDOMAIN, not NOERROR.

CEH materials highlight that attackers use DNS cache snooping to infer user behavior, internal browsing habits, and potential target systems within an organization—making option C the correct conclusion.

Ransomware encrypts user data and extorts payment for restoration. CEH covers ransomware as a major threat in system hacking, highlighting encryption-based extortion as its defining behavior.

Credential stuffing is the best match because the scenario highlights automated login attempts across many accounts with an unusually high success rate, occurring in the aftermath of a breach. In CEH-aligned system hacking concepts, credential stuffing is the automated testing of known username and password pairs—typically harvested from prior breaches—against a different service. Because many users reuse passwords across sites, attackers often achieve a higher-than-normal success rate compared to guessing-based attacks. This “high success rate” across numerous accounts is a key indicator that the attacker is not randomly guessing, but replaying valid credentials at scale using bots or automation frameworks.

Password spraying differs in that the attacker tries a small set of common passwords (or one password) across many accounts to avoid lockouts. Spraying generally yields a lower success rate and is driven by guessing rather than replaying known credential pairs. A brute force attack is even noisier and typically involves repeated guessing for a single account or small set of accounts; it is both slower and far less likely to produce a high success rate across many users in a short period. Phishing attacks can lead to account takeovers, but the pattern described would more often show targeted victims and varied sources rather than broad, automated, multi-account authentication bursts with consistently successful logins.

CEH defensive guidance emphasizes layered controls: enforce MFA, monitor for abnormal login velocity and credential reuse indicators, deploy bot detection and rate limiting, use breached-password checks, implement adaptive authentication, and tune lockout and detection policies to disrupt automated credential replay without enabling denial-of-service against legitimate users.