CEH v13 (312-50) Practice Exam – Part 3/7 – 21 Questions with Answers

Answer: D. The NTP daemon is configured to accept queries from external sources without restriction.

This is correct because unrestricted NTP queries leak internal hostnames. The trap is misinterpreting firewall misconfigurations as DNS issues.

Answer: C. Accessing the host's /proc directory to inject code into a host process.

The 'hostPID: true' flag allows a privileged pod to access the host's /proc directory, enabling process injection onto the node. This is a direct path to root escape, whereas brute-forcing certificates is less reliable and scanning NodePorts doesn't grant host access.

Answer: C. Covert Channel Communication Exploiting Unused IP Header Fields to Conceal Malicious Traffic and Evade Detection by Security Devices

Covert channels hide malicious traffic within protocol fields, making it invisible to traditional IDS and firewall inspection. This is more challenging to detect than polymorphic malware or protocol fragmentation, which are more easily flagged by signature-based systems.

Answer: A. TEMPEST / Analysis of emanations

TEMPEST involves analyzing electromagnetic emanations to extract data, which is a classic side-channel technique. The other options are unrelated—session hijacking, social engineering, and brute force exploit different attack vectors entirely.

Answer: A. The APT group will exploit zero-day vulnerabilities present in the IoT device firmware.

APT groups commonly exploit zero-day vulnerabilities in IoT firmware since patches are unavailable, giving them direct system access. Credential theft or MITM attacks require initial compromises, which zero-days bypass entirely.

Answer: D. Deriving linear patterns from cipher behavior

Linear cryptanalysis is correct because it exploits statistical relationships between plaintext and ciphertext bits to find the key. The other options describe different attacks like brute force or differential cryptanalysis.

Answer: D. Google Hacking can help identify weaknesses in the client's website code.

Google Hacking finds exposed code vulnerabilities. It can't map internal networks reliably or access the deep web directly, making it less suitable for those tasks.

Answer: D. Implementing 'Link Layer' encryption and using sequence numbers or timestamps.

Link Layer encryption and sequence numbers or timestamps prevent a GATT Replay Attack by making each transmission unique and ensuring data integrity, which is the correct defense.

Answer: B. Whaling attack aimed at high-ranking personnel

A whaling attack targets high-ranking executives with highly personalized and convincing emails, as seen in this scenario where the email impersonates the CEO.

Answer: B. SYN Flood: This attack floods a target with SYN requests in an attempt to consume enough server resources to make the system unresponsive, aligning with the high volume of incomplete TCP handshakes.

A SYN Flood attack is identified by a high volume of incomplete TCP three-way handshakes, which leaves connections in a SYN_RECEIVED state to saturate server resources.

Answer: D. Spearphone attack exploiting accelerometer-based vulnerabilities.

The Spearphone attack exploits accelerometer-based vulnerabilities to eavesdrop on loudspeaker audio without special permissions. The other options focus on unrelated attack vectors like NFC or application manipulation, which are less relevant to this specific sensor-based privacy risk.

Answer: D. Implement uniform encryption strength across all user roles, eliminating disparities in session token lengths.

Implementing uniform encryption strength eliminates variable token lengths, ensuring consistent protection against cryptographic attacks. MFA, key rotation, and logging are good practices but don't directly address the core cryptographic vulnerability.

Answer: C. To provide mTLS (mutual TLS) and fine-grained traffic encryption between microservices.

A Sidecar Container provides mTLS and fine-grained encryption between microservices in a Service Mesh. Options A, B, and D describe unrelated functions like logging, performance, or redundancy.

Answer: D. IP addresses being resolved to multiple MAC addresses.

IPs resolving to multiple MACs indicate a MitM attack, as one IP should map to one MAC. Other options suggest general anomalies but not specific MitM behavior.

Answer: B. Implementing DNSSEC on the DNS server

DNSSEC prevents DNS hijacking by digitally signing records to prevent tampering. Updating software or changing IPs doesn't stop DNS redirection, and LAMP is unrelated.

Answer: A. An attack where compromised internal devices participate in a botnet and flood external targets with traffic.

The correct answer describes a botnet-based DDoS where compromised internal devices flood external targets. Option B is a misdirection to amplify traffic through DNS, which isn't occurring here.

Answer: C. By querying the Instance Metadata Service (IMDS) to get a token and then using Azure CLI to manage resources.

An attacker on the VM can query IMDS to get a token and use Azure CLI to manage resources with the 'Contributor' permissions. Option A is invalid as Managed Identity has no password to brute-force.

Answer: D. Implementing an anomaly-based IDS that can recognize the irregular traffic patterns caused by packet fragmentation.

Anomaly-based IDS detects irregular patterns from packet fragmentation, unlike signature-based methods. Option B is a poor choice as rejecting all fragments breaks normal network traffic.

Answer: C. Develop a custom exploit code that uses obfuscation techniques to avoid detection.

A custom obfuscated exploit avoids detection by signature-based antivirus. Option A is weak because Metasploit payloads are well-known and likely detected.

Answer: D. Extract and analyze stream objects using PDFStreamDumper.

PDFStreamDumper directly examines embedded streams where malicious JavaScript hides. Option A is passive, B finds signatures but not code, and C applies to PE files, not PDFs.

Answer: A. Search engines don't index the Deep Web, and there could be non-indexed company information lying there.

Search engines do not index the Deep Web, so information stored there remains hidden. Options B, C, and D are misinformed or irrelevant to passive reconnaissance.