CEH v13 (312-50) Practice Exam – Part 5/7 – 21 Questions with Answers

Answer: C. The IDS is configured with very high sensitivity settings, leading to many false positives.

High sensitivity settings cause false positives by flagging normal activity as threats. The other options imply system failures rather than configuration issues.

Answer: D. State-sponsored hackers

State-sponsored hackers is the correct answer as they act directly for a government's national interests. Organized, gray hat, and hacktivists lack the official government backing described in the scenario.

Answer: C. Heavy query-based SQL injection

Heavy query-based SQL injection is the correct answer because the payload causes a significant delay by overloading the database with complex queries. The WAITFOR DELAY technique is specific to SQL Server, while this payload is a generic stress test.

Answer: C. The attacker is utilizing a 'zombie' machine to transmit the scan, thus making the true source of the scan difficult to determine.

Using a 'zombie' machine is the correct answer because it obscures the attacker's true source, making the scan stealthy. The other methods are more direct and easier to trace back to the source.

Answer: B. Remote Access Trojan (RAT) Implanting Malicious Software on Mobile Devices to Gain Unauthorized Remote Access and Monitor User Activities, such as Keystrokes and Screen Capture

This is correct because RATs provide stealthy remote access, making them hard to detect. The trap is distinguishing between active attacks and passive vulnerabilities.

Answer: B. Monitor wireless signals for abnormal jamming or interference.

This is correct because signal jamming reveals key fob replay attacks. The trap is confusing digital security with physical measures.

Answer: B. Employ a systematic, multi-layered strategy, starting with the deployment of a specialized rootkit detection tool to verify the presence and type of rootkit, followed by an appropriately tailored removal procedure, specific to the identified rootkit.

This is correct because kernel rootkits need specialized detection and removal. The trap is overreacting with honeypots or full reinstallation.

Answer: B. Exploiting MRI machine firmware vulnerabilities to intercept real-time patient scans.

Exploiting MRI firmware vulnerabilities is a sophisticated attack targeting medical devices directly, making it highly difficult to detect without specialized monitoring. The other options focus on administrative manipulation rather than direct network-level interception.

Answer: C. Measure unusual fluctuations during device operations at the hardware level.

Side-channel attacks exploit physical characteristics like power fluctuations, requiring hardware-level monitoring to detect. Network latency or UI reviews might indicate other issues, but hardware-level analysis is the definitive method for confirming side-channel leakage.

Answer: A. Disable "Discoverable Mode" and activate "Non-discoverable Mode" on all Bluetooth devices.

Disabling discoverable mode prevents attackers from detecting Bluetooth devices, the first step in Bluesnarfing. Firmware updates and strong PINs are secondary defenses; encryption doesn't prevent discovery-based attacks.

Answer: B. Zero-Day Exploits Leveraging Previously Unknown Vulnerabilities in Mobile Operating Systems or Applications to Gain Unauthorized Access to Healthcare Data and Patient Records

Zero-day exploits are correct because they use unknown vulnerabilities, making them extremely hard to detect. App spoofing and bluejacking are easier to spot with mobile device management.

Answer: B. Set up Google Alerts to receive email notifications whenever new web content includes their competitors' names or other key terms.

Google Alerts are the best choice for automated monitoring. VPNs don't track changes, hacking is unethical, and forum engagement is inefficient and risky.

Answer: D. SMTP user verification commands are exposed without restrictions.

Unrestricted user verification commands allow easy username enumeration. Disabling STARTTLS or allowing auth without credentials are different security issues.

Answer: A. Changing the source IP address of packets to appear as if the traffic is coming from a trusted source.

IP spoofing allows attackers to bypass firewall rules that rely on trusted source IP addresses. This is a classic firewall evasion technique that attackers frequently use to appear legitimate.

Answer: C. By monitoring command-line arguments and unusual network connections from system binaries.

EDR detects LotL activities by monitoring suspicious command-line arguments from trusted system binaries and their corresponding unusual network connections.

Answer: B. Restrict and monitor the execution of scripts and system tools, especially those invoked by unsanctioned processes.

Restricting and monitoring script execution counters fileless malware like ShadowFlee that exploits system tools. Option A is too broad; C and D don't directly address memory-based threats.

Answer: B. Polymorphic Malware: Employ advanced threat detection tools that use behavior-based detection techniques and ensure all systems are patched.

Polymorphic malware changes its code to evade detection, making behavior-based tools and patching the best defense. Option A is a generic worm response that misses the evasion clue.

Answer: C. Impose rate-limiting to slow down the brute-force attack.

Rate-limiting is the most direct counter to a brute-force attack, slowing the attacker down. Option D is a trap because increasing key length doesn't stop brute-force of the DH exchange.

Answer: C. Session Replay Attack Capturing and Replaying Encrypted Session Tokens to Gain Unauthorized Access

Session replay attacks are stealthy, using real captured tokens to impersonate users. Option A is client-side, B requires user action, and D relies on known credentials.

Answer: A. Consider the possibility of a firewall blocking the FIN packets and investigate further.

Firewalls often block FIN scans, so a lack of response requires investigation. Option C is incorrect because only RST/ACK indicates a closed port in this context.

Answer: B. Adopting the 3-2-1 backup model.

The 3-2-1 model ensures backups are stored offsite and redundant, preventing single points of failure. Options A, C, and D are unrelated to data integrity.