312-50v13 ECCouncil Certified Ethical Hacker Exam (CEHv13) Free Practice Exam Questions (2026 Updated)

Regional Internet Registries (RIRs):

ARIN (American Registry for Internet Numbers)

AFRINIC (African Network Information Center)

APNIC (Asia Pacific Network Information Center)

RIPE (Réseaux IP Européens Network Coordination Centre)

LACNIC (Latin American and Caribbean Network Information Center)

In this scenario, users outside the organization (like Smith and Joseph on dial-up) see the defaced site, while Joseph on the internal corporate network sees the legitimate site. Tripwire confirms that the files on the actual web server are intact. This clearly indicates that the attack was not on the server itself, but rather on how external users are being directed to a malicious server.

This behavior is indicative of a DNS poisoning attack. The attacker poisoned the DNS cache of an external DNS resolver, redirecting www.masonins.com to a malicious server. Internal DNS servers, unaffected by the poisoning, still resolved to the correct IP address.

From CEH v13:

Module 3: DNS Poisoning and Spoofing

Module 5: Vulnerability Analysis

CEH v13 Study Guide states:

“DNS poisoning involves injecting false information into a DNS resolver’s cache, causing users to be redirected to malicious websites without changing the actual web server’s content.”

Incorrect Options:

A: ARP spoofing affects local network address resolution, not global DNS.

B: SQL injection is used to exploit databases, not alter DNS records.

D: Routing table injection affects traffic routes, but wouldn’t explain DNS-level redirection discrepancies.

The action that would best protect your web server from potential misconfiguration-based attacks is performing regular server configuration audits. A server configuration audit is a process of reviewing and verifying the security settings and parameters of the server, such as user accounts, permissions, services, ports, protocols, files, directories, logs, and patches. A server configuration audit can help you to identify and fix any security misconfigurations that may expose your server to attacks, such as using default credentials, enabling unnecessary services, leaving open ports, or missing security updates. A server configuration audit can also help you to comply with the security standards and best practices for your server, such as the CIS Benchmarks or the OWASP Secure Configuration Guide12.

The other options are not as effective as option A for the following reasons:

B. Enabling multi-factor authentication for users: This option is not relevant because it does not address the server misconfiguration issue, but the user authentication issue. Multi-factor authentication is a method of verifying the identity of the users by requiring them to provide two or more pieces of evidence, such as a password, a code, or a biometric factor. Multi-factor authentication can enhance the security of the user accounts and prevent unauthorized access, but it does not prevent the server from being attacked due to misconfigured settings or parameters3.

C. Implementing a firewall to filter traffic: This option is not sufficient because it does not prevent the server from being misconfigured, but only limits the exposure of the server to the network. A firewall is a device or software that monitors and controls the incoming and outgoing network traffic based on predefined rules. A firewall can protect the server from external attacks by blocking or allowing certain ports, protocols, or IP addresses. However, a firewall cannot protect the server from internal attacks or from attacks that exploit the allowed traffic. Moreover, a firewall itself can be misconfigured and cause security issues4.

D. Regularly backing up server data: This option is not preventive but reactive, as it does not protect the server from being attacked, but only helps to recover the data in case of an attack. Backing up server data is a process of creating and storing copies of the data on the server, such as files, databases, or configurations. Backing up server data can help you to restore the data in case of data loss, corruption, or deletion due to an attack. However, backing up server data does not prevent the server from being attacked in the first place, and it does not fix the security misconfigurations that may have caused the attack5.

Sniffing attacks are a type of network attack that involves intercepting and analyzing data packets as they travel over a network. Sniffing attacks can be used to steal sensitive information, such as usernames, passwords, credit card numbers, etc. Sniffing attacks can also be used to perform reconnaissance, spoofing, or man-in-the-middle attacks.

The IT department of the company has implemented some security measures to prevent or mitigate sniffing attacks, such as:

Adding the MAC address of the gateway to the ARP cache: This prevents ARP spoofing, which is a technique that allows an attacker to redirect network traffic to their own device by sending fake ARP messages that associate their MAC address with the IP address of the gateway.

Switching to IPv6 instead of IPv4: This reduces the risk of IP spoofing, which is a technique that allows an attacker to send packets with a forged source IP address, pretending to be another device on the network.

Using encrypted sessions such as SSH instead of Telnet, and Secure File Transfer Protocol instead of FTP: This protects the data from being read or modified by an attacker who can capture the packets, as the data is encrypted and authenticated using cryptographic protocols.

However, these measures are not enough to completely eliminate the threat of sniffing, as an attacker can still use other techniques, such as:

Passive sniffing: This involves monitoring the network traffic without injecting any packets or altering the data. Passive sniffing can be done on a shared network, such as a hub, or on a switched network, using techniques such as MAC flooding, port mirroring, or VLAN hopping.

Active sniffing: This involves injecting packets or modifying the data to manipulate the network behavior or gain access to more traffic. Active sniffing can be done using techniques such as DHCP spoofing, DNS poisoning, ICMP redirection, or TCP session hijacking.

Therefore, the next step to enhance network security is to implement network scanning and monitoring tools, which can help detect and prevent sniffing attacks by:

Scanning the network for unauthorized devices, such as rogue access points, hubs, or sniffers, and removing them or isolating them from the network.

Monitoring the network for abnormal traffic patterns, such as excessive ARP requests, DNS queries, ICMP messages, or TCP connections, and alerting the network administrators or blocking the suspicious sources.

Analyzing the network traffic for malicious content, such as malware, phishing, or exfiltration, and filtering or quarantining the infected or compromised devices.

In CEH v13 Module 03: Scanning Networks, ICMP scan types are covered under host discovery techniques in Nmap/Zenmap.

The -PP option in Nmap is used to perform an ICMP timestamp request scan.

This method sends an ICMP timestamp request and listens for a timestamp reply from the target.

It helps analysts determine the system uptime and verify whether the host is alive (for stealthy discovery).

Option Clarification:

A. -PY: SCTP INIT Ping (used for SCTP-based hosts).

B. -PU: UDP Ping (sends UDP packets).

C. -PP: ICMP Timestamp Ping — correct answer.

D. -Pn: Skips host discovery (treats all hosts as alive), not a ping type.

Kernel-mode rootkits run with the best operating system privileges (Ring 0) by adding code or replacement parts of the core operating system, as well as each the kernel and associated device drivers. Most operative systems support kernel-mode device drivers, that execute with a similar privileges because the software itself. As such, several kernel-mode rootkits square measure developed as device drivers or loadable modules, like loadable kernel modules in Linux or device drivers in Microsoft Windows. This category of rootkit has unrestricted security access, however is tougher to jot down. The quality makes bugs common, and any bugs in code operative at the kernel level could seriously impact system stability, resulting in discovery of the rootkit. one amongst the primary wide familiar kernel rootkits was developed for Windows NT four.0 and discharged in Phrack magazine in 1999 by Greg Hoglund. Kernel rootkits is particularly tough to observe and take away as a result of they operate at a similar security level because the software itself, and square measure therefore able to intercept or subvert the foremost sure software operations. Any package, like antivirus package, running on the compromised system is equally vulnerable. during this scenario, no a part of the system is sure.

Enterprise, governments, and financial institutions have greater security with WPA3-Enterprise. WPA3-Enterprise builds upon WPA2 and ensures the consistent application of security protocol across the network.

WPA3-Enterprise also offers an optional mode using 192-bit minimum-strength security protocols and cryptographic tools to raised protect sensitive data:

• Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256)

• Key derivation and confirmation: 384-bit Hashed Message Authentication Mode (HMAC) with Secure Hash Algorithm (HMAC-SHA384)

• Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) employing a 384-bit elliptic curve

• Robust management frame protection: 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256)

The 192-bit security mode offered by WPA3-Enterprise ensures the proper combination of cryptographic tools are used and sets a uniform baseline of security within a WPA3 network.

It protects sensitive data using many cryptographic algorithms It provides authenticated encryption using GCMP-256 It uses HMAC-SHA-384 to generate cryptographic keys It uses ECDSA-384 for exchanging keys

This scenario clearly describes Load Balancing as a DDoS mitigation strategy, which is covered under the CEH v13 Network and Perimeter Hacking module. Load balancing distributes incoming network or application traffic across multiple servers or resources to prevent any single system from becoming overwhelmed.

According to CEH v13, modern DDoS mitigation architectures often combine hardware load balancers with cloud-based scrubbing centers or Content Delivery Networks (CDNs). These systems absorb high traffic volumes and ensure availability by spreading requests across multiple nodes. This approach aligns perfectly with the organization’s strategy of absorbing and distributing traffic rather than blocking it outright.

Other options are incorrect:

Black hole routing drops all traffic, including legitimate traffic.

Rate limiting restricts traffic volume rather than distributing it.

Sinkholing redirects traffic for analysis, not load distribution.

In CEH v13 Module 03: Scanning Networks, Nmap includes timing templates for controlling the speed and stealthiness of scans.

-T5: Insane mode – very fast, highly aggressive, easily detectable.

-T0: Paranoid mode – very slow and stealthy.

-O: Enables OS detection (not related to scan speed).

-A: Enables OS detection, version detection, script scanning, and traceroute (comprehensive but not specifically about speed).

Therefore:

If speed is your goal and you are not concerned about detection, then:

-T5 is the correct answer.

Windows 2000 and newer systems use Kerberos as their default authentication protocol rather than NTLM or LM challenge/response over SMB. Kerberos is encrypted and does not rely on the older SMB logon exchange methods that L0phtCrack can sniff.

From CEH v13 Courseware:

Module 6: Malware and Password Attacks

Module 4: Enumeration

CEH v13 Study Guide states:

“Kerberos is the default authentication protocol in Windows 2000 and newer systems. It encrypts communication and is not vulnerable to the same sniffing attacks that work against LM/NTLM challenge-response mechanisms.”

Incorrect Options:

A: While a NIDS may detect traffic, it doesn't prevent sniffing.

C: Logons can be sniffed in older systems using NTLM.

D: L0phtCrack does not sniff web logons—it targets SMB and Windows logins.

CEH v13 explains that WPA3 introduces SAE (Simultaneous Authentication of Equals), which resists traditional offline dictionary and brute-force attacks by removing crackable handshake material. Because WPA3 prevents attackers from capturing a reusable handshake, the most practical offensive method is to force a downgrade attack, tricking clients into associating using WPA2 instead of WPA3. Once the victim reconnects under WPA2-PSK, the attacker captures the standard 4-way handshake, which can then be cracked offline using dictionary or GPU-accelerated brute-force methods. CEH discusses downgrade attacks as a significant real-world threat when mixed-mode configurations are enabled or when access points fail to enforce strict WPA3-only operation. Options B and C are ineffective because WPA3 handshake materials cannot be brute-forced offline. Option D is unrelated to Wi-Fi encryption. Downgrading to WPA2 is the most effective and widely documented attack path.

The CEH Footprinting and Reconnaissance module highlights Google Alerts as a key passive reconnaissance tool for monitoring changes in web content, news, and online mentions.

Option B is correct.

Option A is active engagement.

Option C aids anonymity but not monitoring.

Option D is illegal and unethical.

CEH strongly promotes automated alerting for competitive intelligence.

bettercap is a tool that can perform session hijacking attacks on wireless networks, among other network security and penetration testing tasks. bettercap can capture and manipulate network traffic, perform man-in-the-middle attacks, spoof and sniff protocols, inject custom payloads, and more1.

bettercap can perform session hijacking attacks on wireless networks that use the WPA-PSK security protocol by exploiting the four-way handshake process that occurs when a client connects to a wireless access point. The four-way handshake is used to establish a shared encryption key between the client and the access point, based on the pre-shared key (PSK) that is configured on both devices. However, the four-way handshake also exposes some information that can be used to crack the PSK offline, such as the nonce values, the MAC addresses, and the message integrity code (MIC) of the packets2.

bettercap can capture the four-way handshake packets using its Wi-Fi module and save them in a file. The file can then be fed to a tool like Hashcat or Aircrack-ng to crack the PSK using brute force or dictionary attacks. Once the PSK is obtained, bettercap can use it to decrypt the wireless traffic and perform session hijacking attacks on the clients connected to the access point3.

Therefore, bettercap is an appropriate tool to carry out a session hijacking attack on a wireless network that uses the WPA-PSK security protocol.

In the context of security testing, test automation plays a critical role in improving the speed and consistency of testing activities. However, it cannot entirely replace manual testing because certain security vulnerabilities—especially logic flaws or issues with session management—often require human intuition and contextual understanding.

According to CEH v13 Official Courseware – Module 05 (Vulnerability Analysis), and confirmed in the CEH v13 Study Guide, automated testing is best suited for:

Repetitive benchmark tests

Regression testing

Scanning for known vulnerabilities

Ensuring consistency across environments

However, manual testing is still essential for:

Business logic testing

Security misconfiguration identification

Discovering zero-day flaws

CEH identifies brute-force cryptanalysis as a method in which an attacker systematically tests every possible key, password, or passphrase until the correct one is found. When an attacker obtains initial bytes from an encrypted container—often referred to as known plaintext—they can use this to validate attempts as the tool iterates through candidate keys. Automated brute-force tools compare decrypted results with known header patterns, file signatures, or expected byte structures to determine when the correct key is reached. This process aligns precisely with brute-force password testing described in CEH cryptography modules. Quantum solving is not part of CEH scope, digest comparison relates to collision attacks, and analyzing output length pertains to padding oracle detection. The correct classification is automated brute-force cryptanalysis.

This scenario illustrates physical impersonation, a social engineering tactic discussed in CEH v13 Social Engineering. The attacker exploits trust in appearance and role assumption, dressing as a network technician to gain access without challenge.

Unlike tailgating (which involves following someone), this attack relies on assumed authority and familiarity. CEH v13 categorizes this under impersonation attacks, where attackers pose as employees, contractors, or vendors.

Other options describe different social engineering vectors:

A: Phone-based pretexting

B: Dumpster diving

C: Vishing

Physical impersonation is particularly dangerous because it bypasses technical controls entirely. Option D best matches the scenario.

While the question as shown appears slightly misformatted, this closely resembles the Windows command:

ping -t 192.168.0.101

Here:

-t means to ping continuously until manually stopped.

In the question: ping -* 6 192.168.0.101, the * is most likely a placeholder or typographical error. Based on CEH format questions and how command-line flags work in ping, -t is the correct flag.

Option A. t – Correct (ping continuously)

Why Others Are Incorrect:

B. s: Not a valid option in Windows ping.

C. a: Used to resolve the hostname from an IP (not related to this).

D. n: Specifies the number of echo requests to send.

Zigbee could be a wireless technology developed as associate open international normal to deal with the unique desires of affordable, low-power wireless IoT networks. The Zigbee normal operates on the IEEE 802.15.4 physical radio specification and operates in unauthorised bands as well as a pair of.4 GHz, 900 MHz and 868 MHz.

The 802.15.4 specification upon that the Zigbee stack operates gained confirmation by the Institute of Electrical and physical science Engineers (IEEE) in 2003. The specification could be a packet-based radio protocol supposed for affordable, battery-operated devices. The protocol permits devices to speak in an exceedingly kind of network topologies and may have battery life lasting many years.

The Zigbee three.0 Protocol

The Zigbee protocol has been created and ratified by member corporations of the Zigbee Alliance.Over three hundred leading semiconductor makers, technology corporations, OEMs and repair corporations comprise the Zigbee Alliance membership. The Zigbee protocol was designed to supply associate easy-to-use wireless information answer characterised by secure, reliable wireless network architectures.

THE ZIGBEE ADVANTAGE

The Zigbee 3.0 protocol is intended to speak information through rip-roaring RF environments that area unit common in business and industrial applications. Version 3.0 builds on the prevailing Zigbee normal however unifies the market-specific application profiles to permit all devices to be wirelessly connected within the same network, no matter their market designation and performance. what is more, a Zigbee 3.0 certification theme ensures the ability of product from completely different makers. Connecting Zigbee three.0 networks to the information science domain unveil observance and management from devices like smartphones and tablets on a local area network or WAN, as well as the web, and brings verity net of Things to fruition.

Zigbee protocol options include:

Support for multiple network topologies like point-to-point, point-to-multipoint and mesh networks

Low duty cycle – provides long battery life

Low latency

Direct Sequence unfold Spectrum (DSSS)

Up to 65,000 nodes per network

128-bit AES encryption for secure information connections

Collision avoidance, retries and acknowledgements

This is another short-range communication protocol based on the IEEE 203.15.4 standard. Zig-Bee is used in devices that transfer data infrequently at a low rate in a restricted area and within a range of 10–100 m.

Man-in-the-Cloud (MITC) attacks target cloud synchronization services such as Dropbox, Google Drive, and OneDrive by manipulating authentication tokens instead of user passwords. CEH courseware explains that cloud storage clients rely heavily on sync tokens stored locally, which authorize access without user interaction. If an attacker replaces or injects a malicious token, they can hijack the victim’s cloud account or redirect synced data to attacker-controlled locations. In this scenario, the EC2 instance continues to operate normally, but its Dropbox client silently synchronizes data to an external account using the attacker’s token. This bypasses traditional defenses such as perimeter firewalls, credential monitoring, or user behavior analytics, because the synchronization process appears legitimate and authenticated. MITC attacks are uniquely stealthy, as they require no further compromise once the sync token is stolen or replaced. Other choices, such as Cloud Snooper or cryptojacking, do not match the described behavior. Therefore, this attack clearly aligns with a Man-in-the-Cloud attack.