CEH v13 (312-50) Practice Exam – Part 7/7 – 21 Questions with Answers

Practice for the CEH v13 (312-50) exam with 21 multiple-choice questions. Answer each question before the reveal, then review the explanation to understand the reasoning.

This is Part 7/7 in the CertPunch CEH v13 (312-50) practice exam series.

Topics covered: reconnaissance, vulnerability analysis, web security, malware concepts, cryptography, and defensive controls.

More practice: certpunch.com

What you will practice

  • During a cybersecurity operation, a CEH professional discovered an unknown Bluetooth Low Energy (BLE) device…
  • A system analyst wants to implement an encryption solution that allows safe key distribution. Which encryptio…
  • While conducting a thorough reconnaissance operation on a potential threat actor's digital footprint, an ethi…
  • You are a new IT intern at a local tech company. The company has a strong focus on cybersecurity and regularl…
  • You have recently joined as a cybersecurity analyst at a multinational corporation. Your role includes regula…
  • While performing a vulnerability assessment for XYZ Corporation, you discover that several key systems are re…

Answers and explanations

Tap a question to expand the answer and the exam reasoning. Try to commit to your own pick first.

Q1. During a cybersecurity operation, a CEH professional discovered an unknown Bluetooth Low Energy (BLE) device actively transmitting pairing signals. The professional decided to breach the BLE device using a crackle. The device was seen pair…

Answer: C. The operation cannot continue without the LTK.

This is correct because the LTK is essential for BLE decryption. The trap is confusing packet types with exploitable data.

Q2. A system analyst wants to implement an encryption solution that allows safe key distribution. Which encryption method should the analyst consider?

Answer: C. Asymmetric encryption

Asymmetric encryption uses public/private keys for secure key exchange without a pre-shared secret. Symmetric encryption requires secure key distribution, while hashing and disk encryption aren't key management solutions.

Q3. While conducting a thorough reconnaissance operation on a potential threat actor's digital footprint, an ethical hacker working for a cybersecurity firm stumbled upon an interesting discovery. The threat actor appeared to have left a serie…

Answer: B. Directly interacting with the threat actor on the forums using a pseudonym to gain more information about their plans.

Directly engaging the threat actor is risky because it can expose your identity. Passive tools like Tor, WHOIS, and archives are safer for reconnaissance.

Q4. You are a new IT intern at a local tech company. The company has a strong focus on cybersecurity and regularly hires ethical hackers to maintain its security posture. You come across the term 'black box testing' in a company document. Unce…

Answer: D. It involves the ethical hacker trying to break into a system without any prior knowledge about the system.

Black box testing simulates a real attacker by providing no prior system knowledge, forcing the ethical hacker to find vulnerabilities through exploration.

Q5. You have recently joined as a cybersecurity analyst at a multinational corporation. Your role includes regular vulnerability assessments of the company's wide-ranging IT infrastructure. During one of these assessments, you employ the Nessu…

Answer: A. Without delay, apply the patch recommended by the vendor. Subsequently, initiate a system-wide reboot during the next downtime scheduled for system maintenance.

For a severe, high-risk vulnerability like a potential remote code execution, patching immediately is the top priority to close the attack window.

Q6. While performing a vulnerability assessment for XYZ Corporation, you discover that several key systems are regularly interacting with unidentified external entities. These interactions often involve data transfers, both incoming and outgoi…

Answer: B. Prioritize a behavioral analytics solution that profiles normal system behaviors and alerts on deviations, focusing on the interaction patterns of the identified systems.

Behavioral analytics is the most direct method because it identifies unsanctioned exchanges by profiling normal system interaction patterns and alerting on deviations.

Q7. You are currently serving as a cybersecurity analyst at a global banking corporation. Your team has recently identified a series of irregular incidents that indicate a potential backdoor attack on the company's intricate network system. So…

Answer: B. Implement strict access control lists (ACLs), ensure regular updates of security patches, and conduct an extensive audit of user accounts and privileges periodically.

Strict access controls, regular patching, and user account audits are fundamental for neutralizing backdoors and preventing privilege escalation attacks.

Q8. As an IT professional, you are attending a webinar on cybersecurity. The presenter emphasizes the importance of ethical hacking and the different types of hackers involved in the cyber world. Suddenly, the term "script kiddie" is mentioned…

Answer: A. They are novices in the hacking world who mainly use scripts and codes developed by others.

Script kiddies are novice hackers who use pre-existing scripts. Option C is a trap for sophisticated attackers, while D describes skilled developers, not script kiddies.

Q9. An organization uses SHA-256 for data integrity checks but is still experiencing unauthorized data modification. Which cryptographic tool can help resolve this issue?

Answer: C. Digital signatures

Digital signatures provide non-repudiation, ensuring data hasn't been tampered with. SHA-256 only verifies hashes but doesn't prove origin or prevent modification.

Q10. In an IoT environment using the MQTT protocol, an attacker compromises a low-power sensor and starts publishing messages to the 'topic/system/updates' with a 'Retain' flag. What is the impact?

Answer: C. Every new subscriber to that topic will immediately receive the malicious update message.

MQTT's 'Retain' flag sends the stored message to all new subscribers. The impact is widespread delivery, not automatic TLS, battery drain, or broker crashing.

Q11. An attacker performs DNS cache snooping using the dig command with the +norecurse flag against a known DNS server. The server returns NOERROR but provides no answer to the query. What does this most likely suggest?

Answer: C. No client from the DNS server's network has recently accessed the domain.

A NOERROR but empty answer in DNS cache snooping indicates the domain isn't in the cache. Option A would return the cached record, while B suggests a SERVFAIL error.

Q12. An attacker gains access to an AWS environment and runs 'aws sts get-caller-identity'. They then attempt to call 'iam:SimulatePrincipalPolicy'. What is their most likely goal?

Answer: B. To test which permissions their current token has without triggering many 'Access Denied' logs.

SimulatePrincipalPolicy is a stealthy way to test permissions without logging 'Access Denied' errors. Option A and D are unrelated actions, while C is unlikely.

Q13. A Certified Ethical Hacker (CEH) is auditing a company's web server that employs virtual hosting. The server hosts multiple domains and uses a web proxy to maintain anonymity and prevent IP blocking. The CEH discovers that the server's doc…

Answer: D. Regularly updating and patching the server software

Regular patching is the most direct way to address vulnerabilities in any server, regardless of its architecture. This action closes security holes that could be exploited, unlike reorganizing directory structures.

Q14. You're an IT security analyst at a fast-growing fintech startup. Recently, you've noticed an uptick in network traffic anomalies. You decide to perform a more thorough network scan using the ICMP Echo Request method. During the scan, you n…

Answer: D. The firewall or another security control is probably blocking the ICMP Echo Requests.

The lack of Echo Replies while other services are normal points to a security control like a firewall blocking the ICMP traffic, which is a common and intentional security measure.

Q15. A security analyst notices that an LLM-based customer service bot is leaking system prompts and internal API keys when a user provides a specific sequence of malformed inputs. What type of vulnerability is being exploited?

Answer: B. Direct Prompt Injection

Direct prompt injection is correct because the attacker bypasses the model by injecting malicious input directly into the system prompt, causing it to leak sensitive data.

Q16. Following an attack on its mobile infrastructure, an e-commerce company is reconsidering its mobile security strategies. In an event where an attacker has been able to gain partial root access to the mobile application, which of these tact…

Answer: D. Leveraging secure coding practices and automated code review processes in the development stage.

This tests secure development practices for mobile applications. While a good topic, the question could be clearer by specifying 'prevent future' instead of 'barrier to additional' exploitation.

Q17. As a newly appointed cybersecurity analyst in a financial firm, you are tasked with performing network scanning to maintain the organization's network security posture. You decide to conduct a SYN scan, sometimes referred to as half-open s…

Answer: B. The scanned port on the target IP address is open, as the receipt of a SYN/ACK packet indicates that the port is prepared to establish a connection.

A SYN/ACK response indicates the port is open and accepting connections. Option A is a trap because it incorrectly describes port closure logic.

Q18. During an investigation, an ethical hacker discovered that a web application's API has been compromised, leading to unauthorized access and data manipulation. They identified webhooks and a webshell being used by the attacker. To prevent f…

Answer: C. Harden the web server security, add multi-factor authentication for API users, and restrict the execution of scripts server-side.

Hardening the server, MFA, and script restrictions directly prevent webshells and unauthorized access. Option B is a trap because a WAF alone isn't sufficient.

Q19. You have recently been hired as an entry-level IT technician in a large corporation. In a meeting with the IT team, the terms "ethical hacking" and "penetration testing" are mentioned frequently. Later, a colleague explains to you that the…

Answer: A. An ethical hacker is primarily focused on securing the system, while a penetration tester tries to exploit the system's vulnerabilities.

The answer correctly contrasts securing systems (ethical hacker) with exploiting them (penetration tester). However, the wording is slightly vague; ethical hackers also exploit vulnerabilities to secure systems.

Q20. A hacker uses a 'Prompt Leaking' technique against a corporate LLM to reveal the hidden instructions provided by the developers. Which of the following is a direct consequence of this attack?

Answer: C. Exposure of proprietary business logic or data filtering rules.

Prompt leaking directly exposes the hidden system instructions, which often include proprietary business logic or data filtering rules that are meant to be confidential.

Q21. A cybersecurity company wants to prevent attackers from gaining information about its encrypted traffic patterns. Which of the following encryption algorithms should they utilize?

Answer: C. RSA

RSA is an asymmetric algorithm that obscures traffic patterns more than symmetric AES, but the question is misleading since all listed algorithms encrypt traffic. The exam expects RSA as the best answer for pattern obscuration, though the premise is weak.

More Ethical Hacking v13 (312-50) drills and other practice exams are on @CertPunch. New rounds drop every few days at certpunch.com.

Scroll to Top