Practice for the CEH v13 (312-50) exam with 22 multiple-choice questions. Answer each question before the reveal, then review the explanation to understand the reasoning.
This is Part 1/7 in the CertPunch CEH v13 (312-50) practice exam series.
Topics covered: reconnaissance, vulnerability analysis, web security, malware concepts, cryptography, and defensive controls.
More practice: certpunch.com
What you will practice
- In her role as a cybersecurity analyst for an established technology firm, Maria is assigned a crucial task…
- After a recent breach, your team discovers that attackers used modified versions of legitimate system utiliti…
- Your role as a cybersecurity analyst at XYZ Corporation requires you to perform a thorough security assessmen…
- An attacker uses a 'Side-channel attack' against a cryptographic module by measuring the power consumption du…
- You are a cybersecurity analyst at a financial institution. Your company has a strict policy against any unen…
- An attacker uses a fileless malware technique that utilizes the 'Regsvr32.exe' utility to download and execut…
Answers and explanations
Tap a question to expand the answer and the exam reasoning. Try to commit to your own pick first.
Q1. In her role as a cybersecurity analyst for an established technology firm, Maria is assigned a crucial task. She's instructed to perform a thorough passive reconnaissance of a major competitor's online environment to understand their digit…
Answer: D. Running an intensive port scan against the competitor's public IP addresses to gain information on their internal network and server structure.
A port scan is active reconnaissance, directly probing the target system and risking detection. Passive methods like public records or archived sites do not directly interact with the target.
Q2. After a recent breach, your team discovers that attackers used modified versions of legitimate system utilities and a Windows service to persist undetected for weeks, accessing internal credentials. What key step can be taken to better pro…
Answer: A. Monitor file hashes of sensitive executables for unauthorized changes.
Monitoring file hashes detects unauthorized changes to legitimate executables, a key defense against living-off-the-land attacks. The other options are good practices but less specific.
Q3. Your role as a cybersecurity analyst at XYZ Corporation requires you to perform a thorough security assessment of the company's online presence. You initiate the process with a passive reconnaissance phase, trying to gather as much informa…
Answer: A. Using a tool like Nmap to scan the company's public IP range.
Nmap is an active reconnaissance tool that directly interacts with the target. Passive reconnaissance involves gathering information without direct system interaction.
Q4. An attacker uses a 'Side-channel attack' against a cryptographic module by measuring the power consumption during encryption. What is this specific technique called?
Answer: C. Differential Power Analysis (DPA)
Differential Power Analysis is the specific technique of analyzing power consumption to find cryptographic keys. This is a classic side-channel attack method.
Q5. You are a cybersecurity analyst at a financial institution. Your company has a strict policy against any unencrypted protocols. You've noticed some data packets being sent via HTTP rather than HTTPS on the network. This raises your concern…
Answer: B. Wireshark
Wireshark is the industry standard for capturing and analyzing network traffic to inspect packet contents. Other tools listed are not protocol analyzers.
Q6. An attacker uses a fileless malware technique that utilizes the 'Regsvr32.exe' utility to download and execute a remote COM scriptlet (SCT file). Which of the following best describes this technique?
Answer: C. Squiblydoo
Squiblydoo is the precise term for using Regsvr32.exe to execute remote SCT files. The other options describe distinct fileless malware techniques.
Q7. A future-focused security audit discusses risks where attackers collect encrypted data now, anticipating that they can decrypt it later with quantum computers. What is this threat known as?
Answer: C. Saving data today for future quantum decryption
Saving data for future quantum decryption is the exact threat described. The other options involve active quantum attacks or unrelated quantum concepts.
Q8. A cybersecurity team identifies suspicious outbound network traffic. Investigation reveals malware utilizing Background Intelligent Transfer Service (BITS) to evade firewall detection. Why would attackers use this particular service to hid…
Answer: B. Because BITS packets appear identical to normal Windows update traffic.
BITS is the correct answer because its traffic mimics legitimate Windows updates, allowing it to blend in and evade detection by firewalls. The other options are incorrect because BITS does not use encrypted DNS, exclusively HTTP, or IP fragmentation.
Q9. As the newly appointed head of IT security at a growing startup, you have been tasked with improving the company's security posture. Given the rise in social engineering attacks, you decide to set up training sessions for employees to help…
Answer: D. Pretexting
Pretexting is the correct answer as it involves creating a fabricated scenario to trick victims into revealing information. Baiting and phishing are different social engineering methods, while quid pro quo involves a service-for-information exchange.
Q10. You are a security analyst investigating a network compromise. The infected systems are receiving external instructions, masking the control traffic using widely allowed protocols like HTTP and DNS. The payloads are stealthy and modify sys…
Answer: D. Use behavioral analytics to monitor for irregular outbound requests and abnormal application behavior.
Behavioral analytics is the correct answer because it detects anomalies in process activity and network requests, which is necessary for fileless malware that evades signature-based detection. The other options are ineffective against this sophisticated threat.
Q11. When auditing a CI/CD pipeline, you find that 'Secret Scanning' is disabled. What is the primary risk during the 'Build' phase? Correct answer
Answer: A. Hardcoded API keys or credentials might be pushed to the container image or public repo.
This is correct because disabled secret scanning risks exposing credentials during build. The trap is technical issues, not misconfigurations like GPL licensing.
Q12. As a security analyst, you are testing your company's network for potential vulnerabilities. During your investigation, you suspect that an attacker might be using MAC flooding to compromise the switches and sniff network traffic. Which of…
Answer: A. Numerous MAC addresses that correspond to a single switch port.
This is correct because MAC flooding floods a port with fake addresses. The trap is confusing MAC overflow with IP-MAC mapping issues.
Q13. A penetration tester is analyzing a mobile application. They find that the app uses a hardcoded API key to communicate with a Firebase backend. In the context of CEH v13, what is the most effective tool to automate the discovery of such se…
Answer: C. MobSF (Mobile Security Framework)
MobSF automates APK analysis for hardcoded secrets and vulnerabilities, making it the ideal tool for this scenario. Wireshark and Nmap are network-focused, while John the Ripper is for password cracking, not secret discovery.
Q14. During a cybersecurity training session at your organization, you present several hypothetical scenarios to the trainees to assess their understanding of social engineering threats. Which of these scenarios best describes a social engineer…
Answer: C. Sarah, a new recruit, receives a call from someone claiming to be from the IT department, who asks for her login credentials to solve a non-existing issue.
The caller impersonating IT to get credentials is classic social engineering. The other options describe physical security, accidental malware, or legitimate monitoring.
Q15. In your role as a cybersecurity specialist for a growing tech company, you are tasked with performing a regular network scan to check for any potential vulnerabilities. Your manager has specifically asked you to use a NULL scan for this ro…
Answer: A. The target machine responds with a TCP RST packet.
A TCP RST packet means the port is closed. The RST resets the connection, indicating no service is listening on that specific port.
Q16. An attacker uses 'Certutil.exe' with the '-urlcache' flag to download a malicious binary. How should a modern EDR be configured to detect this 'Living off the Land' behavior?
Answer: D. Monitor for parent-child process anomalies and network connections initiated by system binaries like certutil.
Monitoring parent-child process anomalies is the best detection method. Blocking or renaming system binaries breaks legitimate functionality and is not a practical solution.
Q17. An attacker uses a fileless malware technique that leverages 'mshta.exe' to execute a malicious HTA script stored in a remote server's registry key. Why is this technique highly effective in 2026? Correct answer
Answer: A. It bypasses disk-based signature scanning by running in memory.
Fileless malware using 'mshta.exe' runs in memory, bypassing disk-based signature scanning. Option B describes encryption, not evasion; C and D are unrelated to this specific technique.
Q18. An attacker examines differences in ciphertext outputs resulting from small changes in the input to deduce key patterns in a symmetric algorithm. What method is being employed?
Answer: B. Differential cryptanalysis on input-output differences
Differential cryptanalysis analyzes ciphertext differences from small input changes to deduce key patterns in symmetric algorithms. A, C, and D are unrelated cryptographic attack methods.
Q19. You are a Certified Ethical Hacker hired by a financial institution to assess the robustness of its web application security. In your penetration testing, you are particularly focused on exploiting vulnerabilities related to session manage…
Answer: A. Utilize Session Fixation to manipulate a user into utilizing a session ID that an attacker already has access to.
Session Fixation manipulates a user into using an attacker-controlled session ID, bypassing MFA and encryption. Sidejacking requires interception, CSRF relies on user actions, and deserialization is unrelated.
Q20. A global media streaming platform is experiencing periodic traffic surges every 10 minutes, severely degrading performance and leading to widespread buffering issues. Traffic analysis reveals intermittent spikes exceeding 300 Gbps, followe…
Answer: B. A Pulse Wave attack leveraging high-volume short bursts to overwhelm network resources.
A Pulse Wave attack uses high-volume short bursts to overwhelm resources, matching the periodic 300 Gbps spikes. Other options describe sustained attacks, mimicry, or hardware damage.
Q21. Which of the following describes a 'Poisoning Attack' against a machine learning model used for malware detection? Correct answer
Answer: A. Modifying the training dataset to include samples that misclassify specific malware as 'Benign'.
A poisoning attack corrupts the training data to misclassify malware as benign. Option B is a denial-of-service attempt, not a poisoning attack that manipulates model logic.
Q22. A large media-streaming company begins receiving complaints from users that their web application is timing out or failing to load. The security team observes that the web server is overwhelmed with a high number of open HTTP connections…
Answer: D. The attacker uses a Slowloris attack to keep many open connections alive, slowly exhausting the server's connection pool.
Slowloris attacks keep many connections open at a slow rate to exhaust server resources. Option A is a UDP flooding attack, which is not the application-layer technique described.
More Ethical Hacking v13 (312-50) drills and other practice exams are on @CertPunch. New rounds drop every few days at certpunch.com.