312-50v13 ECCouncil Certified Ethical Hacker Exam (CEHv13) Free Practice Exam Questions (2026 Updated)

CEH v13 explains that WPA3 introduces SAE (Simultaneous Authentication of Equals), which resists traditional offline dictionary and brute-force attacks by removing crackable handshake material. Because WPA3 prevents attackers from capturing a reusable handshake, the most practical offensive method is to force a downgrade attack, tricking clients into associating using WPA2 instead of WPA3. Once the victim reconnects under WPA2-PSK, the attacker captures the standard 4-way handshake, which can then be cracked offline using dictionary or GPU-accelerated brute-force methods. CEH discusses downgrade attacks as a significant real-world threat when mixed-mode configurations are enabled or when access points fail to enforce strict WPA3-only operation. Options B and C are ineffective because WPA3 handshake materials cannot be brute-forced offline. Option D is unrelated to Wi-Fi encryption. Downgrading to WPA2 is the most effective and widely documented attack path.

CEH methodology emphasizes validating and researching identified vulnerabilities to determine exploitability, patch status, and business impact. Even medium-risk findings require investigation to assess their real severity.

The CEH Web Application Security module explains that race conditions occur when systems improperly handle simultaneous requests, leading to unexpected behavior. In token-based authentication systems, poor synchronization between token expiration checks and validation logic can allow attackers to exploit timing gaps.

The observed pattern—failed attempts with expired tokens followed by successful access—suggests the attacker exploited a race condition where the application inconsistently validated token state.

Option C is correct.

Option A would not involve expired tokens.

Option B is highly impractical given secure token entropy.

Option D typically succeeds without repeated failures.

CEH highlights race conditions as subtle but dangerous logic flaws.

The correct answer is C. Insecure Data Storage because the vulnerability described is the storage of sensitive information locally on the mobile device in a manner that is not encrypted and is accessible by simply browsing the file system. In mobile application security, this is a classic risk category: when an app stores confidential data (case notes, client records, tokens, documents, cached responses, databases, logs, or exported files) in clear text or in insecure locations, an attacker who gains device access—or uses backup extraction, file explorers, rooted/jailbroken access, or malware with storage permissions—may retrieve that data without needing to authenticate to the application.

The scenario makes the weakness unmistakable: Daniel can use a “standard explorer tool” to open sensitive records “without any authentication.” This indicates the app is failing to apply appropriate protections such as encryption at rest, secure key handling, proper file permissions, and secure storage mechanisms. In secure mobile design, sensitive records should be encrypted using platform-supported protections (e.g., using OS keystores/keychains for keys, encrypting databases/files, and minimizing local retention). Additionally, apps should avoid storing highly sensitive regulated data unless essential, and should implement secure session controls and data lifecycle management (cache control, expiration, remote wipe support in enterprise settings).

Why the other options are not the best fit: Insecure communication concerns data exposure while transmitted over networks (e.g., lack of TLS, weak TLS, MITM susceptibility), whereas the issue here is purely local storage. Improper credential usage relates to mishandling passwords, tokens, or authentication secrets (hard-coded credentials, weak storage of credentials), but the prompt focuses on stored records themselves. Inadequate privacy controls is broader and typically involves over-collection, improper disclosure, or weak user privacy settings, not direct clear-text storage exposure.

Therefore, the most clearly present OWASP Top 10 Mobile Risk is Insecure Data Storage.

CEH v13 explains that fingerprinting is a core reconnaissance technique used to identify software versions, server types, and configurations by analyzing how systems respond to crafted or abnormal input. When testers send malformed HTTP verbs, unusual headers, or atypical URI structures, the server’s specific response codes, banners, and error messages reveal distinctive behavioral patterns. These patterns allow tools like httprint, Nmap NSE scripts, and custom probes to match the responses to known server profiles. This technique is part of active reconnaissance, enabling attackers to determine vulnerabilities associated with specific versions. Phishing (Option B) is unrelated to protocol analysis. Session fixation (Option C) manipulates session identifiers, not HTTP response patterns. Persistent XSS (Option D) relies on web application vulnerabilities, not server fingerprinting. Thus, the tester is performing HTTP-based server fingerprinting.

Ping of Death is a classic Denial-of-Service technique in which an attacker sends oversized or malformed IP packets that exceed the maximum allowed size when reassembled. In IP networks, the maximum packet size is 65,535 bytes. Historically, attackers exploited fragmentation by sending a series of IP fragments that, when reassembled by the target, resulted in a packet larger than the permitted limit or produced an invalid buffer condition. Vulnerable systems could crash, reboot, or become unstable because the network stack mishandled the reassembly process or failed to properly validate packet length and structure.

The scenario matches this behavior precisely: Sofia transmits “oversized, malformed packets” and the server “crashes intermittently due to processing failures.” That symptom is more consistent with a malformed-packet handling flaw than with pure traffic volume. An ICMP flood and an ACK flood are volumetric or resource-exhaustion attacks that overwhelm bandwidth or connection-handling capacity, typically degrading performance rather than directly causing crashes from malformed packet parsing. A Smurf attack is an amplification-based ICMP attack using broadcast addresses to multiply traffic toward a victim; again, it is about volume, not crafted malformed packets that trigger parsing failures.

CEH guidance highlights that PoD-style attacks exploit improper packet validation and reassembly logic. Modern systems are generally patched, but poorly maintained devices, legacy OS stacks, and some embedded implementations can still exhibit instability when exposed to malformed fragmentation and reassembly edge cases.

UDP scanning produces reliable " closed " results only when an ICMP Port Unreachable is returned. Silent responses indicate either open ports (no reply expected) or filtered ports (blocks dropping packets). CEH emphasizes that non-responses require retransmission or alternate verification techniques.

A Distributed Control System (DCS) is the best match because the scenario describes multiple automated control loops (temperature, pressure, conveyor speed) that are coordinated by a centralized supervisory network linking multiple controllers across a facility. In industrial environments, a DCS architecture distributes control functions across many controllers located near the process equipment, while supervisory control and operator interfaces coordinate and monitor the overall process. This makes DCS common in continuous and process industries such as steel, chemical, oil and gas, and manufacturing plants where many interdependent loops must operate reliably together.

The scenario’s “centralized supervisory network” is a key DCS hallmark: operators and supervisory systems (often including engineering workstations and HMIs) provide centralized monitoring, setpoints, alarms, and coordination, while the actual loop control is executed by distributed controllers. This differs from a single isolated controller or purely manual operation. The purpose is to maintain stable process control and ensure coordinated behavior across different production areas.

Why the other options don’t fit:

A manual loop (A) implies human-operated control rather than automated feedback loops. The plant is described as having “numerous automated loops,” so manual loop is incorrect.

Open loop (C) control does not use feedback from the output to adjust the input; it is not typical for precise regulation of temperature and pressure where feedback is essential.

Closed loop (D) does describe feedback-based regulation and is true of many industrial loops; however, the question asks for the OT system concept applied based on the overall facility design—specifically a supervisory network coordinating multiple controllers—pointing to the architecture (DCS) rather than the loop type.

Therefore, the correct answer is B. Distributed Control System (DCS).

CEH’s Malware Analysis module outlines a structured approach:

Identify suspicious indicators (e.g., JavaScript, OpenAction)

Extract and analyze embedded objects

Determine behavior and exploit logic

PDFStreamDumper allows analysts to extract JavaScript code and embedded objects for detailed inspection.

Option B is correct.

Option A is useful but insufficient for deep analysis.

Option C only aids identification, not behavior understanding.

The correct answer is D. Application Keylogger because the scenario describes keystroke capture from desktop applications on a Windows workstation without installing kernel drivers and without requiring physical access or browser-level script injection. In CEH-aligned keylogger classifications, an application (user-mode) keylogger operates at the application layer by using user-space techniques such as hooking common Windows APIs (for example, keyboard input functions and message-handling routines) to intercept keystrokes as they are processed by applications. This enables logging of credentials typed into local programs, draft emails written in desktop clients, and sensitive text entered into business tools—exactly the outcome Tyler observed.

The question provides two strong eliminators. First, it states no kernel drivers were installed, which rules out kernel keyloggers that capture input at the kernel level (often requiring driver installation and deeper OS integration). Second, it states the attack did not require browser injection, which rules out a JavaScript keylogger (typically implemented by injecting script into a web page/application to capture form inputs within a browser session). It also explicitly notes that there was no physical device access, which rules out a hardware keylogger (a physical device placed between keyboard and computer or embedded in a keyboard) that requires in-person installation.

Application keyloggers are frequently used in post-exploitation because they can be deployed quickly with standard user-level privileges (though higher privileges may expand coverage), can target a broad range of applications, and can run covertly. From a defense perspective, monitoring for suspicious API hooking behavior, unusual process injection, abnormal input-capture patterns, and endpoint controls that detect credential access techniques are common countermeasures.

Therefore, given the constraints and the observed logging of desktop application input, the most likely keylogger type is an application keylogger.

Passive reconnaissance involves gathering information without directly interacting with the target. WHOIS, search engines, and social media are all passive techniques highlighted in CEH v13 Reconnaissance.

Nmap scanning, however, actively probes target systems and generates traffic that can be logged and detected. This makes it an active reconnaissance technique.

Therefore, Option D is least useful in a passive phase.

CEH reconnaissance and enumeration modules explain that LDAP services often support anonymous binding by default unless explicitly disabled. Anonymous bind allows unauthenticated users to query certain directory attributes, which can lead to disclosure of usernames, organizational hierarchy, and email addresses—critical information for password attacks, phishing campaigns, and privilege escalation planning. In the scenario described, the tester obtained directory data without providing any credentials, demonstrating that anonymous bind permissions were enabled. LDAPS requires TLS encryption and authentication, which contradicts the observed access. Kerberos authentication mandates valid credentials. LDAP via RADIUS is used for authentication integration, not for information disclosure. Since the query was successful with no authentication and no access controls triggered, this aligns exactly with CEH’s description of anonymous LDAP binding.

Blowfish is the only option that matches all the technical characteristics described. In CEH cryptography concepts, symmetric algorithms are commonly distinguished by their structure (block cipher versus stream cipher), block size, and supported key lengths. The question states the algorithm encrypts data in 64-bit blocks and supports a variable key size ranging from 32 bits up to 448 bits, and it was introduced as a replacement for DES. Blowfish fits precisely: it is a symmetric block cipher with a 64-bit block size and a configurable key length from 32 to 448 bits, designed to be fast in software and positioned historically as an alternative to older ciphers such as DES.

The other choices do not align with these identifying properties. RC4 is a stream cipher and does not operate on fixed-size blocks, so it cannot match the 64-bit block requirement. AES is a block cipher but uses a 128-bit block size with fixed key sizes of 128, 192, or 256 bits, not 32 to 448 bits. Twofish, while related historically as a successor-era design, also uses a 128-bit block size and fixed key sizes up to 256 bits, so it does not match either.

From a CEH perspective, the mention of variable key sizes also hints at risk evaluation: shorter keys in any cipher can be brute-forced, so secure deployments require strong key length selection and proper key management. Additionally, Blowfish’s 64-bit block size can be a concern in large-volume encryption scenarios due to block collision risks, which is why modern systems often prefer 128-bit block ciphers for new designs.

This activity most accurately describes a DHCP starvation attack. CEH network and sniffing coverage explains that DHCP starvation is a denial-of-service technique in which an attacker rapidly sends large numbers of DHCP requests, usually with spoofed MAC addresses, to consume all available IP addresses in the DHCP pool. Once the pool is exhausted, legitimate clients can no longer obtain valid leases, which produces exactly the symptoms described in the question: repeated address negotiation attempts, failure to receive configuration, and a burst of requests coming from a single interface. A rogue DHCP server is often paired with starvation later, but the key evidence here is the rapid exhaustion behavior rather than the distribution of malicious configurations. IRDP spoofing would manipulate gateway discovery, not primarily deplete DHCP leases, and MAC spoofing alone would not explain widespread address assignment failure across multiple hosts. CEH guidance presents DHCP starvation as both a network disruption issue and a stepping stone for further interception attacks, since denying legitimate DHCP service can set conditions for a rogue DHCP server to take over client configuration and redirect traffic.

CEH notes that cloud IAM misconfigurations can unintentionally grant broad access. If any authenticated cloud account is permitted read/write access, attackers can simply authenticate with their own cloud identity and directly interact with the misconfigured storage buckets, enabling data exfiltration or manipulation.

An HTTP Flood attack is an Application Layer (Layer 7) DDoS attack, as defined in CEH v13. In this attack, the adversary sends a massive number of seemingly legitimate HTTP GET or POST requests to exhaust server resources such as CPU, memory, and application threads.

CEH v13 emphasizes that HTTP floods are difficult to detect because they mimic normal user behavior and often bypass traditional network-layer defenses.

Other attacks operate at lower layers:

ICMP, UDP, and SYN floods target network and transport layers.

CEH identifies brute-force cryptanalysis as a method in which an attacker systematically tests every possible key, password, or passphrase until the correct one is found. When an attacker obtains initial bytes from an encrypted container—often referred to as known plaintext—they can use this to validate attempts as the tool iterates through candidate keys. Automated brute-force tools compare decrypted results with known header patterns, file signatures, or expected byte structures to determine when the correct key is reached. This process aligns precisely with brute-force password testing described in CEH cryptography modules. Quantum solving is not part of CEH scope, digest comparison relates to collision attacks, and analyzing output length pertains to padding oracle detection. The correct classification is automated brute-force cryptanalysis.

Thomas is most likely using Follow TCP Stream. This Wireshark feature reconstructs the bidirectional application data carried over a TCP connection by reassembling packets in sequence into a readable conversation view. When traffic is unencrypted HTTP, the reassembled stream can reveal full request/response content, including URLs, headers, form parameters, and—critically in this scenario—usernames and passwords transmitted in clear text (for example, within POST body parameters).

The scenario’s language is a direct match: “reconstruct entire conversations between browsers and the server” and “reassembles packet data into a readable stream.” That is exactly what Follow TCP Stream does: it groups packets that belong to the same TCP session and displays the payload as contiguous data, making it far easier than manually inspecting individual packets. This is commonly used during assessments and investigations to understand what data was exchanged, validate whether sensitive data is exposed, and confirm whether protections like TLS are properly applied.

Why the other options are not correct:

Filtering by IP Address (A) helps narrow the packet list to specific hosts but does not reconstruct conversations.

Display Filtering by Protocol (B) can isolate HTTP packets but still leaves the analyst to interpret individual packets without full reassembly.

Monitoring the Specific Ports (C) similarly narrows traffic (e.g., TCP/80 for HTTP) but does not present a reassembled readable session.

Because the goal is quick, readable reconstruction of HTTP login sessions over TCP, the correct answer is D. Follow TCP Stream.

CEH v13 identifies the Idle Scan as one of the most stealthy and advanced reconnaissance techniques due to its ability to avoid generating any traffic directly between the attacker and the target. Using a “zombie host,” which has predictable IP ID sequencing, the attacker forges packets so that all scan traffic appears to originate from the zombie. The IDS sees communication only between the zombie and the target, not the attacker. This allows evasion of network monitoring tools, traffic correlation systems, and intrusion detection signatures. CEH highlights Idle Scanning as a core technique for bypassing sophisticated detection controls because it leaves no direct fingerprint of the attacker. Options A and B still originate from the attacker’s IP. Option C can evade some filters but remains detectable due to packet anomalies. Only Idle Scanning provides full origin obfuscation, making it the most appropriate method for stealth port enumeration.

Social engineering attacks that target business processes are especially effective when they mimic legitimate workflows. CEH learning materials emphasize that attackers often exploit trust relationships and organizational procedures rather than attempting broad or generic phishing methods. In the context of HR operations, onboarding portals are highly trusted and frequently accessed by new employees who expect to enter personal information, submit documents, and receive initial network credentials. By creating a fake onboarding portal that closely resembles the organization’s internal system, an attacker can collect credentials without triggering suspicion because the action being requested appears normal and expected. This method leverages procedural familiarity, brand consistency, and the implied authority of HR communications, making it far more effective than generic phishing emails or unsolicited social media messages. Phone calls, while sometimes useful, involve real-time interaction and increase the chance of detection. The fake portal, however, seamlessly integrates into existing processes, making it the most effective and lowest-profile approach for acquiring network credentials.

The correct answer is HTTP Server Core because the scenario describes the primary module of a web server that processes incoming requests and coordinates with additional modules responsible for encryption, URL rewriting, and authentication. In CEH-aligned web server architecture concepts, the core HTTP engine is responsible for handling client requests, managing connections, parsing HTTP headers, and passing requests to the appropriate modules for further processing.

Modern web servers such as Apache HTTP Server or Nginx operate using a modular architecture. The core component manages the fundamental HTTP protocol operations, while optional or loadable modules extend functionality. For example, SSL or TLS modules handle encryption, rewrite modules manage URL manipulation, and authentication modules enforce access controls. The description in the question clearly aligns with this architecture, where a central processing unit works in conjunction with supporting modules.

The other options do not fit. The Document Root refers only to the directory location from which web content is served. A Virtual Document Tree relates to how URLs are logically mapped to file paths. An Application Server is a separate server component that processes business logic, often interacting with backend systems, rather than directly managing HTTP request parsing at the core level.

Therefore, Jake is analyzing the HTTP Server Core, which is responsible for handling incoming requests and integrating modular security and performance features within the web server environment.

Passive reconnaissance focuses on collecting information without directly touching or interacting with the target’s systems. CEH materials stress that any action that sends network traffic to the target—such as scanning, probing, fingerprinting, or enumeration—creates logs and increases the risk of detection. Email headers, however, are considered an excellent source of passive intelligence because they reveal internal IP structures, routing paths, mail server hostnames, internal domain formats, and technology stacks without requiring interaction with the target environment. Since these headers are already in the possession of the ethical hacker through legitimate communication records, examining them does not generate traffic or trigger monitoring systems. SSL certificates and WHOIS data provide valuable external information, but they rarely disclose internal addressing schemes. Active scanning tools, such as Nmap, would immediately violate the requirement to avoid detection. Therefore, analyzing previously received email headers is the most effective and covert method for extracting internal network details during the reconnaissance phase.

CEH v13 identifies encrypted communication channels as one of the most common and effective firewall evasion techniques. Firewalls that rely on packet inspection or signature-based filtering often cannot inspect encrypted payloads without SSL/TLS interception capabilities.

By encrypting malicious traffic—using HTTPS, VPN tunnels, or encrypted C2 channels—attackers can bypass firewall rules that inspect packet contents. CEH v13 emphasizes that this technique is widely used in malware communication, data exfiltration, and command-and-control operations.

IP spoofing (Option A) is limited by ingress and egress filtering and is less effective against modern firewalls. Open-source operating systems (Option B) do not inherently evade firewalls. Social engineering (Option D) targets users, not firewalls.

Therefore, Option C is the correct and CEH-aligned answer.

CEH v13 teaches that NetBIOS enumeration is a key technique for gathering information in Windows environments without raising alarms. Ports 137 and 139 indicate that NetBIOS Name Service (NBNS) and SMB services are active. The tool nbtstat -A < IP > retrieves valuable information including computer names, logged-in users, domain/workgroup membership, and system roles—all passively and without authentication. CEH emphasizes that querying NetBIOS is often overlooked by defenders and generates minimal noise, making it ideal for stealth enumeration. LDAP enumeration (Option A) requires directory access and tends to trigger logs. Psloggedon and pspasswd (Options B and D) involve active interaction and authentication attempts, which are far more detectable. nbtstat is the CEH-recommended tool for initial reconnaissance on Windows networks using NetBIOS and SMB, especially when quiet enumeration is required.

Passive reconnaissance focuses on collecting information without directly touching or interacting with the target’s systems. CEH materials stress that any action that sends network traffic to the target—such as scanning, probing, fingerprinting, or enumeration—creates logs and increases the risk of detection. Email headers, however, are considered an excellent source of passive intelligence because they reveal internal IP structures, routing paths, mail server hostnames, internal domain formats, and technology stacks without requiring interaction with the target environment. Since these headers are already in the possession of the ethical hacker through legitimate communication records, examining them does not generate traffic or trigger monitoring systems. SSL certificates and WHOIS data provide valuable external information, but they rarely disclose internal addressing schemes. Active scanning tools, such as Nmap, would immediately violate the requirement to avoid detection. Therefore, analyzing previously received email headers is the most effective and covert method for extracting internal network details during the reconnaissance phase.

This scenario describes Differential Cryptanalysis, a powerful cryptanalytic technique covered in CEH v13 Cryptography. Differential cryptanalysis focuses on analyzing how small changes in plaintext input affect the resulting ciphertext output, with the goal of uncovering patterns related to the secret encryption key.

CEH v13 explains that symmetric algorithms rely on complex transformations—such as substitution and permutation—to obscure relationships between plaintext and ciphertext. However, in some algorithms, predictable differences may propagate through encryption rounds in a way that reveals statistical biases. By carefully selecting pairs of plaintext inputs with controlled differences and comparing the resulting ciphertexts, attackers can infer information about intermediate states and eventually the encryption key.

This method does not attempt every possible key (brute force), nor does it rely on execution timing or system performance metrics (timing attacks). It also differs from chosen-ciphertext attacks, which involve submitting chosen ciphertexts for decryption rather than observing encryption behavior.

Differential cryptanalysis was instrumental in breaking early block ciphers and is a key reason why modern algorithms like AES are designed with resistance to differential attacks. CEH v13 emphasizes that understanding this attack is critical for evaluating the strength of symmetric encryption algorithms and their internal structure.

Therefore, Option A accurately describes the technique being employed.

The Certified Ethical Hacker (CEH) Malware Threats module explains that attackers often abuse legitimate system services to blend malicious traffic with normal system behavior. Background Intelligent Transfer Service (BITS) is a Windows service designed to transfer files in the background using idle network bandwidth.

Attackers leverage BITS because its traffic closely resembles legitimate Windows Update traffic, which is commonly allowed through firewalls and proxy servers. CEH documentation states that BITS-based malware can download payloads, upload stolen data, and maintain persistence without triggering security alerts.

Option A is correct because BITS traffic appears legitimate and trusted, making it difficult for security devices to distinguish malicious usage.

Option B is incorrect because BITS does not operate exclusively through HTTP tunneling; it primarily uses HTTP/HTTPS in a legitimate manner.

Option C is incorrect because IP fragmentation is not a core feature of BITS.

Option D is incorrect because BITS does not rely on encrypted DNS traffic.

CEH emphasizes that living-off-the-land (LotL) techniques—using native tools like BITS—are increasingly favored by attackers due to their stealth and reliability.

According to the CEH Denial-of-Service (DoS/DDoS) module, application-layer DDoS attacks specifically target services such as HTTP, HTTPS, DNS, or APIs by sending requests that appear legitimate but overwhelm server resources.

An HTTP flood attack sends a massive number of HTTP GET or POST requests, consuming CPU, memory, and application threads. CEH highlights that these attacks are particularly dangerous because they:

Mimic normal user behavior

Are difficult to distinguish from legitimate traffic

Bypass traditional network-layer defenses

Option A is correct.

Options B, C, and D operate primarily at the network or transport layers, not the application layer.

CEH stresses that HTTP floods are among the most challenging DDoS attacks to mitigate due to their stealthy nature.

The vulnerability described is characteristic of XML External Entity (XXE) Injection. In CEH web application security coverage, XXE occurs when an application parses XML input without properly disabling external entity resolution. If the XML parser is configured insecurely, an attacker can define a malicious external entity that references local files or internal system resources. When the parser processes the XML document, it resolves the external entity and may return the contents of sensitive files in the server’s response.

The scenario clearly states that the issue arises from “handling of external references in document parsing” and results in exposure of internal file paths and database connection strings. This aligns directly with XXE behavior, where attackers leverage external entity declarations to retrieve local files such as configuration files, environment settings, or system credentials. In some cases, XXE can also enable server-side request forgery by forcing the server to make internal network requests.

The other options do not match the described behavior. Identification and authentication failures relate to improper access controls, not document parsing. HTTP response splitting involves manipulating headers to inject malicious responses. Security logging and monitoring failures refer to detection gaps, not data exposure through parsing. CEH-recommended mitigation strategies include disabling DTD processing, turning off external entity resolution in XML parsers, validating input formats, implementing least privilege on file access, and using secure parsing libraries that prevent XXE exploitation.