CEH v13 (312-50) Practice Exam – Part 4/7 – 21 Questions with Answers

Answer: B. Conduct real-time monitoring of the server, scrutinize the logs for unusual patterns, and identify the nature of the activities to devise an immediate countermeasure.

The correct initial action is real-time monitoring to understand the threat before acting. This prevents premature actions like disconnecting the server, which could destroy evidence needed for a proper investigation.

Answer: C. Tempting the victim to engage with a malicious device using curiosity.

This is a classic baiting attack, exploiting the victim's curiosity. The 'Employee Salary Info' label is designed to trigger an emotional response, leading to the malicious act of plugging in the device.

Answer: C. The attacker has used a SYN scan, also known as half-open scanning, which involves sending SYN packets and waiting for SYN/ACK responses.

The attack is a SYN scan because it sends SYN packets to initiate a connection but does not complete the handshake, allowing it to scan for open ports without logging a full connection attempt.

Answer: A. Exploitation of misconfigured security groups

Misconfigured security groups are a primary cause of data breaches in cloud environments, as they can accidentally expose storage buckets or virtual machines to the public internet.

Answer: B. Stealth Scan (SYN Scan)

A SYN scan is the ideal choice because it's a half-open connection that doesn't complete the TCP handshake, making it stealthy and less likely to trigger traditional IDS signatures.

Answer: A. A security professional hired to identify and exploit vulnerabilities with permission

This correctly defines a penetration tester as an authorized professional who mimics an attack to find vulnerabilities, which distinguishes them from malicious hackers.

Answer: C. Intranet DNS poisoning via local spoofed responses.

This is intranet DNS poisoning because the attack is happening internally with rogue DNS responses, confirmed by the faster spoofed replies and ARP spoofing on the local network.

Answer: A. Gaining physical access by assuming the identity of a trusted internal staff.

This question perfectly tests social engineering tactics, specifically physical impersonation, a core red teaming skill. The wrong options are weaker because they describe different attack vectors like dumpster diving and phishing.

Answer: D. Engage a specialized steganalysis tool to scrutinize questionable files, decode the obscured data, and reveal the hacker's exfiltration methodology.

This directly tests steganalysis knowledge for detecting data exfiltration, a key forensic skill. The trap is that network-based tools can't detect hidden data within files.

Answer: B. Implementing a function-level permission model and enforcing the principle of least privilege.

This is an excellent question for modern cloud security, testing least privilege in serverless architectures. It correctly identifies that function-level permissions are the most direct countermeasure to the attack described.

Answer: A. White Hat Hacking

White Hat Hacking is correct because it explicitly involves authorized, ethical penetration testing with permission. Other options imply unauthorized or malicious activity.

Answer: D. WPA3 uses the Simultaneous Authentication of Equals (SAE) protocol, which is resistant to passive observation and key reinstallation.

WPA3 uses SAE, which is resistant to key reinstallation. Option C is a trap because SAE replaces, not disables, the handshake.

Answer: D. ' AND BENCHMARK(5000000,ENCODE('test','test')); —

The BENCHMARK payload introduces a delay to test time-based vulnerabilities. Option B is a trap because it tests for basic SQL injection, not blind injection.

Answer: C. Use of weak Initialization Vectors (IV).

TKIP's weak IVs are a known flaw that allows for decryption and packet injection attacks. While WPA2 with AES is secure, WPA with TKIP is vulnerable.

Answer: D. Employ an intrusion prevention system (IPS) on the network to detect and block any malicious activities.

An IPS can detect and block malicious activity from compromised IoT devices. While other options are good long-term strategies, the immediate action is to block the attack.

Answer: D. AI-powered malware using machine learning to tailor its execution.

The malware's adaptive behavior and use of machine learning points to AI-powered malware. Polymorphic viruses change signatures, but don't adapt based on user behavior.

Answer: A. The specific usernames and passwords used by the organization's employees.

DNS queries reveal domain mappings, not private credentials like usernames and passwords. Other options are valid DNS data points, making option A the clear incorrect answer.

Answer: D. Swiftly apply a virtual patch to the affected web server using a web application firewall to temporarily safeguard against potential exploits.

A virtual patch via a WAF provides immediate protection against an unpatched zero-day. Shutting down the server is not the 'first' step.

Answer: A. Model Extraction (or Inversion)

Model Extraction involves repeatedly querying an AI model to steal its underlying data or logic. This is a direct threat to intellectual property.

Answer: B. Time-Based Blind SQL Injection

Time-based blind SQL injection is right because it uses response delays to infer truths when standard techniques fail. The other options require visible errors or known database structures.

Answer: C. The attacker captured a valid token before its expiry and used it to gain access.

Capturing a valid token before expiry matches the observed pattern. The other options don't explain the expired token attempts followed by success.