Practice for the CEH v13 (312-50) exam with 21 multiple-choice questions. Answer each question before the reveal, then review the explanation to understand the reasoning.
This is Part 6/7 in the CertPunch CEH v13 (312-50) practice exam series.
Topics covered: reconnaissance, vulnerability analysis, web security, malware concepts, cryptography, and defensive controls.
More practice: certpunch.com
What you will practice
- A security analyst working for a large financial corporation has been assigned to conduct a comprehensive pen…
- A globally-operating bank recently encountered a severe security breach within its Android OS-based mobile ba…
- A major financial institution is experiencing persistent Denial-of-Service (DoS) attacks targeting its online…
- The web application security team of a global firm detected a sophisticated Injection attack that exploited a…
- A company implements WPA3-Enterprise for its wireless network. An attacker attempts a 'Downgrade Attack' to f…
- During a red team exercise, a certified ethical hacker (CEH) is working on exploiting a potential vulnerabili…
Answers and explanations
Tap a question to expand the answer and the exam reasoning. Try to commit to your own pick first.
Q1. A security analyst working for a large financial corporation has been assigned to conduct a comprehensive penetration test on the corporation's wireless infrastructure. The infrastructure relies on a secured WPA2-PSK-secured network to ens…
Answer: C. The analyst instigated a de-authentication attack, purposely causing a mass disconnection of all clients from the access point. The analyst then attentively observed the four-way handshake process that occurred during the clients' reconnection attempts.
De-authentication attacks force clients to reconnect, allowing capture of the four-way handshake. Options A, B, and D describe different attacks or incorrect methods.
Q2. A globally-operating bank recently encountered a severe security breach within its Android OS-based mobile banking application. Cybercriminals managed to exploit the bank's Mobile Device Management (MDM) system and successfully carried out…
Answer: C. Establishing and enforcing a rigorous policy that unequivocally mandates the disabling of ADB, except when absolutely necessary and only within strictly regulated environments.
Disabling ADB is the most potent response because it eliminates the attacker's primary attack vector. Other options, while good security practices, do not directly close this specific access point.
Q3. A major financial institution is experiencing persistent Denial-of-Service (DoS) attacks targeting its online banking services, causing significant disruption to customer transactions and eroding trust in the institution. The security team…
Answer: B. A coordinated UDP flood attack exploiting vulnerabilities in the institution's DNS infrastructure, flooding authoritative DNS servers to disrupt domain resolution services.
A coordinated UDP flood against DNS is most challenging because it disrupts fundamental services, and legitimate DNS traffic can mask malicious packets, making detection difficult.
Q4. The web application security team of a global firm detected a sophisticated Injection attack that exploited a flaw in the application's input validation. The attack was carried out using a custom script that used obfuscation and evasion te…
Answer: D. Deploy a Web Application Firewall (WAF) with built-in evasion detection features.
A WAF is the most effective countermeasure because it sits between the application and traffic, providing real-time inspection and filtering to block injection attempts with evasion techniques.
Q5. A company implements WPA3-Enterprise for its wireless network. An attacker attempts a 'Downgrade Attack' to force the client to use WPA2. Which WPA3 feature is designed to prevent this? Correct answer
Answer: A. Transition Disable element
The Transition Disable element is specifically designed to prevent downgrade attacks, stopping a client from being forced to revert to the less secure WPA2 protocol.
Q6. During a red team exercise, a certified ethical hacker (CEH) is working on exploiting a potential vulnerability in the target's web server. The CEH has completed the information gathering and footprinting stages and mirrored the website fo…
Answer: B. Attempt SQL Injection to extract database information.
SQL injection is the logical next step after footprinting and identifying a session hijack vulnerability, as it directly exploits the web application and could provide database credentials for a session takeover.
Q7. During a red team engagement targeting a custom web application, a tester observes that the app takes a numeric id parameter from the URL and dynamically builds SQL queries. Suspecting SQL injection, the tester sends a crafted HTTP GET req…
Answer: A. The attacker executed a second malicious query alongside the first.
The most likely method is executing a second query, as deleting a table like 'users' requires a separate SQL command appended to the original query, not just error exploitation.
Q8. As a cybersecurity analyst at a renowned software corporation, you've noticed some peculiar activity. The company's internal network has seen a sudden increase in redundant network traffic and system crashes. Initial scans have found that…
Answer: C. Worm: Quarantine the affected systems, perform an immediate network-wide sweep with the latest antivirus definitions, and update the operating system on all network systems.
A worm is the probable cause because it self-replicates and spreads autonomously over the network, which matches the described behavior of increased traffic and system crashes.
Q9. You are conducting a vulnerability assessment in a segmented internal network. When scanning a set of IPs using the nbtscan tool, you discover multiple devices responding with NetBIOS names, but only one of them has the <1B> entry in its r…
Answer: C. It is the domain master browser or Primary Domain Controller (PDC).
This is a strong question for legacy network enumeration, testing knowledge of NetBIOS roles. The <1B> entry is a classic exam cue for identifying the PDC or domain master browser.
Q10. A large chemical plant uses operational technology (OT) networks to control its industrial processes. Recently, security personnel noticed abnormal behavior from critical Programmable Logic Controllers (PLCs), suspecting a stealthy comprom…
Answer: D. Perform detailed inspections of device software for hidden, unauthorized modifications.
This question accurately tests OT security incident response, focusing on verifying firmware compromise. The correct answer prioritizes verification before containment, a crucial exam principle.
Q11. During a penetration test on a legacy Windows network, you use the nbtstat -A <IP> command on a target system and retrieve several NetBIOS names, including entries ending with <20> and <03>. However, attempts to list shared folders fail. W…
Answer: C. File and printer sharing is disabled on the target system.
This is a solid question for legacy Windows network assessment, testing understanding of NetBIOS service dependencies. The failure to enumerate shares is a key cue that file sharing is disabled.
Q12. You are a cybersecurity consultant at a large healthcare organization. As part of your responsibilities, you are tasked with making sure the company's systems are secure from various attacks. Recently, you've noticed some unusual traffic p…
Answer: B. The attacker splits malicious data packets into smaller segments to avoid detection.
This effectively tests IDS evasion techniques, a core intrusion detection skill. Packet fragmentation is a classic method to bypass signature-based detection systems.
Q13. In a recent penetration testing assignment, you were able to breach a server's web service and install a backdoor. Your aim is to maintain access for as long as possible without getting detected. Considering the web server countermeasures…
Answer: A. Install the backdoor on a non-web file referenced in a URL.
Placing the backdoor on a non-web file avoids typical web monitoring tools, increasing stealth. Option C is a trap because updating the file would likely expose the backdoor.
Q14. Your role as a network administrator in a mid-sized company involves protecting the company's web servers from potential security threats. Recently, your company's web server experienced a Distributed Denial of Service (DDoS) attack. In ex…
Answer: B. HTTP flood attack
HTTP floods target the application layer by overwhelming the server with requests. Options A, C, and D are network/transport layer attacks, not application layer.
Q15. A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting ' OR '1'='1'; –, the tester gains unauthorized access to the application. What type of SQL injection has occurred?
Answer: D. Tautology-based SQL injection
Tautology-based SQL injection works because the injected condition '1=1' is always true, bypassing authentication. Option B is a trap because it involves UNION queries.
Q16. A red team operator is assessing the resilience of a corporate network's authentication infrastructure. They input valid usernames with specifically structured guesses based on prior intel about naming conventions, such as birthdates or fa…
Answer: B. Strategic pattern-based input using known logic.
Strategic pattern-based input uses logic-based guesses like birthdates or sports teams. Option D is a trap because it lacks the strategic element.
Q17. A cloud provider faced a situation where one customer's malicious activity affected the organization's reputation and service delivery. Which security control would have most effectively prevented this issue?
Answer: B. Assessing multi-tenant isolation techniques
Multi-tenant isolation prevents one customer's malicious activity from affecting others. Option A is a trap because logging doesn't stop cross-tenant issues.
Q18. A multinational corporation relies heavily on remote access for its employees to connect to internal systems and resources. Recently, there have been reports of unauthorized access to sensitive company data, leading to concerns about poten…
Answer: B. Session Sidejacking Intercepting Unencrypted Session Tokens over Public Wi-Fi Networks
Session sidejacking exploits unencrypted tokens on public networks. This is highly effective and hard to detect without proper encryption protocols.
Q19. A multinational corporation recently survived a severe Distributed Denial-of-Service (DDoS) attack, which caused significant downtime and resulted in substantial financial losses. After implementing enhanced security measures, the company…
Answer: C. Load Balancing: This approach distributes network or application traffic across many resources to optimize resource use, minimize latency, and maximize throughput. This is consistent with the company's strategy of distributing incoming traffic.
Load balancing distributes traffic across servers, which absorbs and mitigates DDoS attacks. Blackhole routing drops all traffic, which is not the described strategy.
Q20. You are a cybersecurity analyst at a tech startup that provides cloud-based services to its clients. Recently, your team detected suspicious activity on one of your critical servers. After further investigation, you discovered an unauthori…
Answer: C. Analyze and document the activities of the unauthorized user in real-time, then use this data to implement immediate countermeasures and isolate the affected server from the network.
Analyzing and documenting attacker activities first ensures informed containment. This prioritizes live threat response over scanning or forensics, avoiding disruption.
Q21. You are a security analyst for a medium-sized e-commerce company. Recently, the company has been suffering from repeated incidents of session hijacking. To prevent future incidents, you've been asked to suggest a robust strategy to mitigat…
Answer: B. Apply an IPsec VPN solution that encrypts the entire IP packet, thereby making session hijacking attempts more difficult.
IPsec VPN is the correct answer as it encrypts the entire session, making hijacking much harder. While IPS and awareness are good practices, they don't prevent the attack at the transport layer like encryption does.
More Ethical Hacking v13 (312-50) drills and other practice exams are on @CertPunch. New rounds drop every few days at certpunch.com.