CEH v13 (312-50) Practice Exam — Part 2/7 #8211: a complete.

Answer: B. Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks

The correct order is Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks. Option A incorrectly starts with Scanning instead of Reconnaissance.

Answer: A. Utilize a proxy tool to intercept and modify the client-side controls before they reach the server.

A proxy tool is the most effective method for bypassing client-side controls, as it intercepts and modifies data before it reaches the server, preventing server-side validation from ever seeing the bypass.

Answer: C. It ensures any new device subscribing to that topic immediately receives the malicious message.

The 'Retain' flag ensures any new subscriber to a topic receives the last message, allowing an attacker to persist malicious commands that infect new devices without sending new messages.

Answer: B. Implementing an automatic patch management process and using a patch management tool to monitor the patched systems.

Automatic patch management is the most effective strategy as it ensures timely, consistent application of patches across all systems, reducing the window of vulnerability.

Answer: A. Enforcing timely user de-provisioning

This question effectively tests identity and access management (IAM) best practices, a fundamental security control. The other options are secondary controls that don't directly solve the access de-provisioning issue.

Answer: C. The LDAP directory data is protected by Access Control Lists (ACLs).

ACLs restrict access to LDAP directory data, preventing enumeration of protected information. This is a fundamental concept of directory service security.

Answer: C. Temporary security tokens (Access Key, Secret Key, and Session Token) associated with the instance's IAM role.

The metadata URL returns temporary IAM credentials, allowing the attacker to access AWS resources. The other options are incorrect, as this URL doesn't return root passwords or VPC keys.

Answer: B. An attacker intercepts network traffic, captures unencrypted session cookies, and uses these to impersonate the user.

Side jacking specifically involves capturing unencrypted session cookies from network traffic. The other options describe firewall exploits, XSS, or credential phishing.

Answer: D. Isolate the implicated traffic light from the overarching network for a detailed investigation into its firmware to identify any possible security breaches.

Isolating the device is the critical first step to contain the threat and safely investigate the firmware. Continuing to allow network traffic is dangerous.

Answer: C. Secret Scanning (e.g., TruffleHog or Gitleaks)

Secret Scanning tools, like TruffleHog, are built specifically to find exposed keys in code. SAST and DAST find code vulnerabilities, not secrets.

Answer: C. Session fixation by pre-setting the token in a URL.

Session fixation works when a non-regenerated session ID is sent via URL. The attacker can predict this ID before the user authenticates.

Answer: B. A person gains access to the building by following an employee through a secure door before it closes.

Tailgating is physically following an authorized person into a restricted area. This is a physical security breach, not a digital one.

Answer: D. Indirect Prompt Injection

Indirect prompt injection is correct because the attacker manipulated external data the LLM processed, not the direct prompt. The other options involve direct manipulation or evasion techniques not applicable here.

Answer: A. The SNMP agent allowed anonymous bulk data queries due to default settings.

Anonymous bulk data queries via SNMP's default community string enabled this. The other options describe unrelated vulnerabilities like FTP or registry access.

Answer: C. The analyst is using conditional logic to infer database behavior from page responses.

Conditional logic testing is correct because the analyst inferred database behavior from page differences. The other options describe error-based or time-based techniques.

Answer: A. Man-in-the-Browser (MitB) Attack Installing Malicious Browser Extensions to Intercept User Sessions

Man-in-the-Browser (MitB) is the correct answer because it attacks the browser layer after authentication, making it exceptionally hard for servers to detect and severely compromising real-time transactions. The other options are detectable by network or server-side security controls.

Answer: D. Utilize SSRF (Server-Side Request Forgery) to make unauthorized API calls from the server itself.

SSRF is the correct answer because it abuses server trust to make internal calls, bypassing client-side defenses. The other options are direct and more likely to leave traces, whereas SSRF allows for stealthy, indirect exploitation.

Answer: B. Unauthorized access to cloud resources

Unauthorized access to cloud resources is the correct answer, as API flaws are a direct vector for compromising cloud environments. Physical security and data encryption are less likely threats from an API vulnerability.

Answer: C. The pod can sniff traffic from the node's network interfaces and potentially escape the container.

This is correct because 'hostNetwork: true' and 'privileged: true' allow the pod to access the host's network, enabling packet sniffing. The trap is confusing network access with isolation or encryption.

Answer: A. Implement a strategy of Virtual Patching, providing a protective layer around the vulnerability until the actual patch can be applied.

This is correct because virtual patching mitigates risk without downtime. The trap is reactive monitoring versus proactive protection.

Answer: C. It quantifies technical impact and ease of exploitation, guiding structured risk response based on impact and environment.

This is correct because severity scores quantify exploitability and impact. The trap is prioritizing automation over risk-based decisions.