312-50v13 ECCouncil Certified Ethical Hacker Exam (CEHv13) Free Practice Exam Questions (2026 Updated)

The Certified Ethical Hacker (CEH) Web Application Security module emphasizes that client-side controls cannot be trusted.

Disabling JavaScript allows attackers to bypass:

Password complexity enforcement

CAPTCHA validation

Input validation logic

Option B is the simplest and most effective CEH-approved method.

Option A is unnecessary and noisy.

Option C risks detection.

Option D is effective but more complex and detectable.

CEH explicitly teaches testers to disable JavaScript to evaluate server-side enforcement.

The correct answer is A, Anti-forensics. Disabling logging services after compromising an administrator account is an attempt to hide evidence, prevent detection, and make later investigation harder. In CEH system hacking phases, this aligns with covering tracks, where an attacker removes or modifies evidence after gaining access. The CEH material describes covering tracks as wiping evidence, removing event logs, error messages, and other indicators so the attack is not easily discovered. It also lists disabling auditing, clearing logs, and manipulating logs as common techniques used by attackers. CEH hacking methodology also explains that clearing tracks helps attackers remain undetected by overwriting system, application, and related logs to avoid suspicion. This is not exfiltration, because no data theft is described. It is not reconnaissance, because the attacker is not gathering information. It is not privilege escalation, because the account is already administrative. Therefore, disabling logging services is best classified as anti-forensics or covering tracks.

CEH v13 explains that a keylogger is a type of spyware designed to capture user input covertly, often storing or transmitting captured data—such as passwords, emails, chat messages, and financial information—to an attacker. Keyloggers can be implemented as software, firmware, or hardware, and they operate silently in the background without affecting system performance, making them ideal for credential theft. CEH categorizes keyloggers under spying and monitoring malware frequently used in the System Hacking phase to escalate privileges or move laterally once credentials are harvested. Unlike rootkits, which hide processes, or ransomware, which encrypts files, a keylogger’s main purpose is passive surveillance. CEH emphasizes how attackers deploy keyloggers post-compromise or use phishing/social engineering to trick victims into installing them. Their covert nature and ability to bypass traditional AV solutions by masquerading as legitimate processes make identifying them crucial during forensics and incident response activities.

The correct answer is B. MODBUS.

The defining indicators are TCP port 502, reading coil status, and writing register values. These are classic characteristics of Modbus/TCP, a widely used industrial control protocol.

CEH-aligned OT/ICS material identifies Modbus as a protocol used in industrial control systems and shows Modbus reconnaissance and interaction using port 502. It also describes Modbus function-code operations such as writing a single coil and reading input registers .

Option A. IEC 60870-5-104 is incorrect because IEC 104 is commonly associated with TCP port 2404, not port 502.

Option C. DNP3 is incorrect because DNP3 commonly uses TCP/UDP port 20000.

Option D. OPC UA is incorrect because OPC UA is not identified by Modbus coil/register operations on TCP 502.

Therefore, the best answer is B. MODBUS.

The TCP SYN scan, also known as a Stealth Scan, is emphasized in CEH v13 Network Scanning as the most effective balance between accuracy and stealth. It sends a SYN packet and analyzes the response without completing the TCP handshake.

Because the connection is never fully established, SYN scans are less likely to be logged by applications and are harder for IDS systems to detect compared to TCP Connect scans.

FIN and ACK scans are used for firewall rule mapping and evasion, but they do not reliably enumerate services. TCP Connect scans are noisy and easily detected. Therefore, Stealth (SYN) Scan is the best choice.

The correct answer is D because Telnet is insecure by default. Telnet is an older remote access protocol that provides command-line access to remote systems, but it does not encrypt communication. This means usernames, passwords, commands, and keystrokes can travel across the network in clear text and may be captured through sniffing or man-in-the-middle attacks. The CEH-aligned material specifically states that Telnet sends usernames, passwords, and keystrokes over the network as clear text, making it easy to sniff. HTTPS is secure HTTP over TLS/SSL, SFTP is file transfer protected through SSH, and SSH is a secure replacement for Telnet that uses encryption and commonly operates on TCP port 22. Therefore, compared with HTTPS, SFTP, and SSH, Telnet is the protocol that is insecure by default because confidentiality and secure authentication protection are not built into its normal operation.

CEH materials describe RDDoS (Ransom DDoS) attacks as threat-driven extortion campaigns where attackers demand payment and demonstrate capability by launching a short-lived DDoS burst. The purpose is to intimidate the victim into paying before a larger, sustained attack begins. The attack described uses HTTP floods with incomplete POST requests—an application-layer DDoS technique that consumes server resources by forcing the target to hold open connections. This kind of demonstration followed by an extortion email aligns precisely with RDDoS behavior. DRDoS attacks involve reflection/amplification through third-party servers, which is not occurring here. Pulse wave attacks use timed bursts and do not involve extortion, while recursive GET floods do not match the incomplete POST behavior. Therefore, the correct classification is RDDoS.

The correct answer is Risk Assessment. CEH vulnerability assessment guidance distinguishes between identifying vulnerabilities and evaluating their business or operational impact. Findings are the raw or organized results showing what weaknesses were discovered. Risk assessment goes a step further by scoping the impact of those weaknesses, ranking them by severity, and highlighting which assets face the greatest exposure. The scenario specifically says the report grouped weaknesses into severity tiers and emphasized relative impact and prioritization across systems. That language aligns directly with risk assessment rather than with a simple findings section. Recommendations would focus on remediation steps, while an assessment overview would summarize the engagement at a higher level. CEH documentation on the vulnerability assessment life cycle explains that after vulnerabilities are identified, risk assessment is used to interpret their significance for the organization so remediation efforts can be prioritized correctly. That is why executives and decision-makers depend on this section: it translates technical weaknesses into exposure levels and response urgency. Because the emphasis here is on impact, prioritization, and severity-based grouping, the report component is best classified as Risk Assessment.

CEH materials explain that modern web applications deploy multiple layers of security—HTTPS, secure cookies, HttpOnly flags, and strict session regeneration—to defend against standard hijacking methods such as token theft through XSS or fixation. When these protections are properly implemented, attackers must compromise the underlying trust relationship between the client and server to successfully intercept or manipulate session tokens. One of the most advanced techniques described in CEH is compromising a trusted certificate authority or injecting a forged certificate into the victim’s trust store. This enables the attacker to perform a transparent MITM attack despite HTTPS protections. Because the victim’s browser trusts the forged certificate, encrypted traffic—including session tokens—is exposed to the attacker without generating browser warnings or IDS alerts. Timing side-channel attacks are not considered session hijacking methods; XSS is mitigated by secure flags; and session fixation is ineffective when session regeneration occurs. Therefore, compromising a trusted certificate authority to enable an undetectable MITM attack is the most viable method.

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 describes Firewalking as a reconnaissance technique designed to determine which layer-4 protocols and ports a firewall allows. The attacker sends packets with carefully adjusted TTL values so that the packet expires just beyond the firewall. If the next hop generates ICMP Time Exceeded responses, the attacker can infer which ports the firewall permits. This method mimics normal TTL behavior, making it stealthier than full SYN scans or high-noise probing. Firewalking is expressly highlighted in CEH as a low-profile way to map firewall ACLs without triggering alarms. Broadcast pings are noisy and detectable, passive DNS monitoring does not reveal firewall rule sets, and full SYN scans are easily flagged by IDS systems. Firewalking’s reliance on TTL behavior, combined with protocol-specific probes, makes it the correct and CEH-aligned technique for quietly discovering open ports and firewall filtering rules.

Port scanning is the CEH-aligned technique used to identify available access points into systems, where “access points” refers to open TCP and UDP ports and the services listening on them. In the reconnaissance and scanning phases described in CEH methodology, testers first enumerate live hosts and then perform port scanning to discover which network services are reachable, such as HTTP on 80 or 443, SSH on 22, RDP on 3389, DNS on 53, and many others. This information directly guides the next steps of analysis by revealing the attack surface: what services are exposed, which systems are running them, and which ports may permit remote interaction.

Vulnerability scanning is different because it attempts to identify known weaknesses or misconfigurations and typically requires service detection, versioning, and signature or configuration checks. It is usually performed after ports and services are discovered, not as the first method for finding “available access points.” Topology mapping focuses on understanding how the network is structured, including routing paths, device relationships, and segmentation boundaries. Network scanning is a broader term that can include host discovery and other probes, but it is less precise than port scanning for identifying the specific entry points that an attacker could use to connect.

Under ethical guidelines, port scanning is conducted with proper authorization, scoped targets, controlled timing to avoid disruption, and clear reporting of open ports, detected services, and risk implications so defenders can reduce exposure by closing unnecessary ports and hardening required services.

The Spearphone attack, covered in CEH v13 Mobile Platform Hacking, exploits smartphone accelerometers to infer speech vibrations from loudspeakers—without microphone permissions.

This attack demonstrates how built-in sensors can be abused for covert surveillance, making it ideal for assessing privacy risks.

Other options involve different attack vectors not related to sensor-based eavesdropping.

Thus, Option C is correct.

According to CEH v13, one of the most effective defenses against rogue DHCP servers is DHCP snooping, a Layer 2 security feature that classifies switch ports as either trusted or untrusted. DHCP responses are permitted only on trusted ports, typically those connected to legitimate DHCP servers. Any DHCP OFFER or ACK originating from an untrusted port is dropped automatically. In the scenario, the rogue DHCP server is sending unauthorized configuration settings because the switch is forwarding DHCP messages from all ports without restriction. CEH specifically warns that unmanaged or misconfigured switches allow rogue DHCP servers to assign malicious DNS, gateway, or IP configurations, enabling traffic redirection, interception, or man-in-the-middle attacks. ARP inspection (Option B) protects against ARP spoofing but not DHCP abuses. Port security (Option C) prevents MAC flooding, not DHCP impersonation. Static reservations (Option D) do not scale and do not stop rogue DHCP servers. DHCP snooping directly mitigates this threat.

The Certified Ethical Hacker (CEH) Malware Threats module explains that modern malware increasingly uses fileless techniques and living-off-the-land strategies, communicating over legitimate protocols like HTTP and DNS to evade detection.

Because this traffic blends with normal activity, port-based blocking and signature-based antivirus are often ineffective. CEH highlights behavioral analytics and network traffic analysis as the most reliable detection mechanisms for identifying anomalies such as:

Unusual outbound DNS queries

Abnormal HTTP beaconing patterns

Suspicious process behavior

Option C is correct because it focuses on detecting behavioral anomalies, which CEH identifies as essential for combating advanced malware and command-and-control (C2) channels.

Option D may disrupt business operations and does not address DNS-based C2.

Option A is outdated.

Option B cannot detect unknown or fileless malware.

CEH strongly recommends anomaly detection and behavioral monitoring for advanced threats.

Comprehensive and Detailed Explanation From CEH v13 Guide Topics:

The correct answer is D. nmap -T4 -F 10.10.0.0/24. The objective is to quickly enumerate hosts within the same subnet as the compromised server (10.10.0.5), which belongs to the 10.10.0.0/24 network.

In Nmap, the -F (Fast Scan) option scans only the most commonly used ports instead of the full port range, significantly reducing scan time. Combined with -T4, which increases scan speed through a more aggressive timing template, it is the fastest option among the choices provided for rapidly identifying active systems and services on the subnet.

Option A (-q) does not perform host enumeration and is not a standard Nmap host-discovery optimization. Option B (-O) performs OS detection, which generates additional probes and takes longer than necessary when the goal is simply to identify systems quickly. Option C (-r) scans ports sequentially and targets the wrong subnet (10.10.1.0/24), making it incorrect.

From a CEH reconnaissance and network scanning perspective, when speed is important, security professionals commonly use optimized Nmap scans such as Fast Scan and aggressive timing templates to identify live hosts efficiently before conducting deeper enumeration activities.

According to the CEH Denial-of-Service (DoS/DDoS) module, application-layer DDoS attacks specifically target services such as HTTP, HTTPS, DNS, or APIs by sending requests that appear legitimate but overwhelm server resources.

An HTTP flood attack sends a massive number of HTTP GET or POST requests, consuming CPU, memory, and application threads. CEH highlights that these attacks are particularly dangerous because they:

Mimic normal user behavior

Are difficult to distinguish from legitimate traffic

Bypass traditional network-layer defenses

Option A is correct.

Options B, C, and D operate primarily at the network or transport layers, not the application layer.

CEH stresses that HTTP floods are among the most challenging DDoS attacks to mitigate due to their stealthy nature.

The indicators described align most strongly with the Search and Exfiltration phase of the APT lifecycle. In CEH-aligned APT models, attackers typically progress from initial access to establishing footholds, expanding access through internal reconnaissance and lateral movement, then locating valuable data and exfiltrating it. While spear-phishing is a common Initial Intrusion technique, the scenario explicitly includes multiple signals that the attackers are already deep inside the environment and actively handling sensitive information.

The key evidence is the “unusually large data transfers during non-business hours” tied to the R & D department and “unexpected outbound traffic to unfamiliar IP addresses.” Those are classic signs of staging and exfiltration, where collected data is aggregated internally and then sent out to attacker-controlled infrastructure, often at times chosen to reduce detection. The observation that attackers have “intimate knowledge of the organization’s internal data structure” further supports that they have already performed internal discovery and are now targeting specific high-value repositories.

Unauthorized firmware on printers and routers suggests the attackers may have created durable internal collection points or covert channels, but that activity supports and enables the data-theft mission rather than being the primary phase indicated by the full pattern of events. Therefore, the combination of targeted access to R & D resources, anomalous outbound connections, and large off-hours transfers most closely matches the Search and Exfiltration phase in CEH APT lifecycle coverage.

CEH v13 highlights that SNMPv1/v2 environments configured with default community strings such as " public " or " private " present significant security risks because they allow unauthorized users to query system information. SNMP enumeration can reveal processes, interfaces, routing tables, users, device configurations, and more. The snmp-processes Nmap NSE script is specifically designed to enumerate running processes on an SNMP-enabled host. It queries the Host Resources MIB (HR-MIB), which stores operational information about system processes, CPU usage, and memory consumption. This information provides attackers with insights into what services may be exploitable or misconfigured. CEH stresses that SNMPv2 is particularly vulnerable due to lack of encryption and authentication hardening. By enumerating processes, penetration testers can identify potential privilege escalation paths, outdated services, or rogue applications that may aid lateral movement. Other scripts such as snmp-sysdescr or snmp-interfaces retrieve system description or interface data but do not enumerate processes.

ARP spoofing–based session hijacking is identified in CEH v13 Web Application and Network Attacks as one of the most stealthy and difficult-to-detect session compromise techniques, especially within internal or VPN-connected networks.

In ARP spoofing, attackers poison ARP caches to position themselves as a man-in-the-middle (MitM). Once in place, they can silently intercept, modify, or replay session data—even when encryption is used—by redirecting traffic transparently between endpoints.

Option A (sidejacking) is mitigated by HTTPS. Option C (session guessing) is noisy and detectable. Option D (cookie poisoning) relies on weak validation and is easier to detect via integrity checks.

CEH v13 highlights ARP spoofing as particularly dangerous because:

It exploits trusted local network behavior

It does not require breaking encryption directly

It is often invisible to users and applications

Therefore, Option B is the most challenging to detect and mitigate and is the correct answer.

The correct answer is Ciphertext-only attack. CEH cryptography coverage defines this attack as a situation in which the attacker has access only to encrypted data and not to the corresponding plaintext. The attacker attempts to derive useful information, recover plaintext patterns, or eventually infer the key by analyzing the ciphertext itself. That is exactly what the question describes: the adversary obtained encrypted database backups but not the keys and not the original plaintext records, and the specialist is considering whether the attacker is examining the encrypted output in isolation for structural clues or repetition. Known-plaintext attacks require access to both plaintext and matching ciphertext. Chosen-plaintext attacks involve the attacker selecting input to be encrypted, while chosen-ciphertext attacks involve selecting ciphertext for decryption attempts. None of those fit the scenario. CEH materials emphasize that ciphertext-only analysis is the most basic cryptanalytic model because it assumes the least attacker knowledge apart from the encrypted material itself. Since the exposure here is limited to intercepted ciphertext with no confirmed access to plaintext or decryption capability, the best match is a ciphertext-only attack.

CEH defines ethical hacking as the authorized, structured, and permission-based process of identifying vulnerabilities to strengthen an organization’s security posture. Ethical hackers operate under a signed scope-of-work and follow legal boundaries. Malicious hackers, by contrast, exploit systems without permission, often with harmful or criminal intent. CEH emphasizes that both ethical and malicious hackers may use similar tools, techniques, and methodologies; the distinction lies entirely in authorization, intent, and legality. Ethical hacking is conducted to improve defenses, while malicious hacking targets exploitation, theft, or disruption. Nothing in CEH materials suggests that toolsets or work styles distinguish the two groups; permission and lawful operation remain the central differentiators.

The correct answer is C. Leveraging DDoS Prevention Offerings from an ISP or DDoS Mitigation Service.

The scenario describes a large-scale DDoS attack that exceeds the organization’s local mitigation capacity. The traffic is rerouted through an upstream filtering or scrubbing infrastructure that absorbs malicious traffic and forwards legitimate traffic back to the organization. This is the function of an ISP-backed or specialized DDoS mitigation/scrubbing service.

CEH-aligned DDoS countermeasure material notes that, for a true DDoS attack, the practical answer is often involvement of the upstream ISP because endpoint-level defenses may not keep up with a sophisticated global botnet attack .

Option A. RFC 3704 Filtering is incorrect because ingress/egress filtering helps reduce spoofed traffic but does not describe large-scale traffic scrubbing.

Option B. Cisco IPS Source IP Reputation Filtering is incorrect because source reputation filtering alone does not match upstream traffic rerouting and scrubbing.

Option D. Black Hole Filtering is incorrect because blackholing drops traffic, often including legitimate traffic, while the scenario says clean traffic is forwarded back to the retailer.

Therefore, the best answer is C. Leveraging DDoS Prevention Offerings from an ISP or DDoS Mitigation Service.

CEH v13 identifies covert channels in legacy industrial protocols as among the hardest sniffing techniques to detect. Modbus, widely used in OT and ICS environments, lacks authentication and encryption, making it ideal for covert communication.

Attackers can manipulate function codes and payload timing to exfiltrate data without triggering traditional IDS signatures. CEH v13 highlights that OT protocols often bypass deep inspection tools, making covert channels extremely stealthy.

Other options are less realistic or less persistent in modern enterprise environments.

According to CEH v13 Cloud Computing, improper identity and access management (IAM) is one of the most common causes of cloud security incidents. When former employees retain access to cloud resources, it represents a failure in user lifecycle management, specifically in the de-provisioning phase.

Timely user de-provisioning ensures that when an employee leaves the organization or changes roles, all associated access rights—API keys, IAM roles, credentials, tokens, and permissions—are immediately revoked. CEH v13 emphasizes that cloud environments magnify this risk because access is often centralized and remote, meaning former employees can access systems from anywhere.

Options A, B, and C are supportive security practices but do not directly address the root cause. Multi-cloud models do not prevent unauthorized access. Traffic analysis may detect misuse after the fact but does not prevent it. Penetration testing identifies vulnerabilities but does not manage user access.

CEH v13 explicitly identifies timely de-provisioning as a critical cloud security control to prevent insider threats, privilege abuse, and compliance violations. Therefore, Option D is the correct answer.

The correct answer is B, Residual risk. In CEH risk-management terminology, residual risk is the amount of risk that remains after security controls, safeguards, countermeasures, or mitigation strategies have been applied. A penetration test identifies vulnerabilities, threats, and weaknesses that may expose an organization to risk. After the tester recommends controls such as patching, access control improvements, network segmentation, monitoring, hardening, or user awareness training, those controls reduce the likelihood or impact of exploitation. However, security controls rarely remove all risk completely. The remaining exposure is known as residual risk, and management must decide whether to accept, transfer, avoid, or further mitigate it. Inherent risk is the original level of risk before any controls are applied. Gap analysis is a comparison between the current security state and the desired or required state. Total risk usually refers to the overall risk before accounting for implemented safeguards. Therefore, the best term for risk remaining after controls is residual risk.

This scenario best illustrates impersonation, which is a core social engineering technique emphasized in CEH under pretexting and physical security testing. Impersonation occurs when an attacker assumes a believable identity, such as an IT technician, vendor, maintenance worker, or delivery person, to gain trust and bypass access controls. In the prompt, the red team member adopts a third-party IT technician role and is granted entry because the receptionist assumes the visit is legitimate and does not verify credentials. That is the defining moment of impersonation: exploiting human trust and procedural gaps to obtain unauthorized physical access.

While the attacker later observes open terminals, unattended printouts, and sticky notes, those observations are opportunistic data collection that becomes possible only after successful impersonation. Shoulder surfing is specifically observing a user entering credentials or viewing a screen while standing nearby, typically during active use. Eavesdropping focuses on capturing spoken or transmitted information, such as listening to conversations or intercepting communications. Dumpster diving involves retrieving sensitive information from trash or discarded materials in waste bins, not simply seeing sticky notes left on desks.

CEH guidance highlights that impersonation often succeeds when organizations lack visitor verification, badge enforcement, escort policies, and security awareness training. Controls include validating work orders, requiring government-issued ID, issuing visitor badges, escorting visitors, enforcing clean desk practices, locking workstations, and secure printing to prevent exposure of credentials and sensitive data.

The correct answer is A. Firmware update attack because the scenario describes an attacker delivering an unauthenticated, non-cryptographically verified update/package to a controller and successfully altering its operational logic. In IoT/OT environments, controllers (PLCs, RTUs, PACs, and embedded industrial devices) often support updating firmware or logic over the network for maintenance. If the device does not verify the source, integrity, and authenticity of update packages—typically through signed firmware, certificates, and secure update channels—an attacker can replace legitimate code with a maliciously modified version.

Sameer’s demonstration maps directly to a firmware/logic update compromise: he uploads “altered instructions” and changes how the controller processes commands during operations. This is exactly the type of risk highlighted in OT security: unauthorized modification of controller logic can cause unsafe states, disrupt production, damage equipment, or create stealthy manipulation that is difficult to detect. The explicit mention of “without checking the origin or cryptographic validity” indicates missing controls like digital signatures, hash verification, and trusted update mechanisms, which are central to firmware update security.

Why the other options are less accurate: Forged malicious device usually refers to introducing a rogue or cloned device into the environment to impersonate legitimate equipment. Remote access using backdoor implies an existing hidden access mechanism rather than abuse of the update mechanism itself. Exploit kits are typically collections of exploits used to compromise systems, commonly discussed more in endpoint/web contexts; they don’t specifically describe the act of pushing an altered firmware/logic package that the controller accepts due to missing validation.

Therefore, the technique is best categorized as a firmware update attack, leveraging weak or absent authenticity/integrity checks on update packages to modify OT controller behavior.

The correct choice is D because the question is specifically about disrupting ICMP-based discovery by preventing error messages from being returned. In ICMP reconnaissance, attackers often rely not only on ICMP Echo (ping) but also on ICMP error messages to infer host availability, filtering behavior, and port reachability. A key ICMP error category is ICMP Type 3: Destination Unreachable, which includes several codes (for example, “port unreachable” and “communication administratively prohibited”) that can reveal whether a host exists, whether a firewall is filtering traffic, and whether specific ports are reachable or blocked. When these ICMP Type 3 messages are allowed to leave the network, they provide valuable feedback that helps attackers map the environment accurately.

By blocking inbound ICMP message types (to reduce direct ICMP probing) and blocking outbound ICMP Type 3 unreachable messages, the organization reduces the “informational signals” that external scanners can use to distinguish between live hosts, filtered hosts, and closed ports. This directly aligns with the requirement in the prompt: stopping ICMP discovery by preventing error messages from being returned.

Why the other choices are less precise:

A and C focus on general hardening (port/service reduction), which is good practice but does not directly address ICMP error-message feedback.

B (firewall/IDS detection) is helpful, but the prompt asks for an action that specifically disrupts ICMP discovery traffic by suppressing error responses, which is more directly achieved via ICMP filtering rules.

Operational note: while blocking ICMP Type 3 can reduce reconnaissance visibility, organizations should apply this carefully because some ICMP is important for normal network operations and troubleshooting.