312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

This activity clearly indicates a TCP SYN scan, also known as a half-open scan, which is a commonly used stealth scanning technique discussed in CEH v13 Reconnaissance and Network Scanning. In a SYN scan, the attacker sends TCP SYN packets to target ports and observes the responses without completing the TCP three-way handshake.

If the port is open, the target responds with a SYN/ACK packet. The scanner then immediately sends a RST packet instead of the final ACK, leaving the connection half-open. This behavior allows attackers to identify open ports while minimizing log entries and reducing detection by security monitoring tools.

The absence of ACK packets in logs supports this explanation, as the handshake is never completed.

Other options are incorrect because:

XMAS scans send packets with multiple flags set.

SYN/ACK scans are primarily used for firewall rule discovery.

TCP Connect scans complete the full handshake and generate ACKs.

CEH v13 emphasizes that SYN scans are widely used because they balance accuracy and stealth, making them a preferred reconnaissance method for attackers.

The TCP SYN scan, also known as a Stealth Scan, is emphasized in CEH v13 Network Scanning as the most effective balance between accuracy and stealth. It sends a SYN packet and analyzes the response without completing the TCP handshake.

Because the connection is never fully established, SYN scans are less likely to be logged by applications and are harder for IDS systems to detect compared to TCP Connect scans.

FIN and ACK scans are used for firewall rule mapping and evasion, but they do not reliably enumerate services. TCP Connect scans are noisy and easily detected. Therefore, Stealth (SYN) Scan is the best choice.

According to the CEH Vulnerability Assessment and Incident Response modules, vulnerabilities with high CVSS scores and potential RCE must be treated as active threats.

CEH best practices recommend:

Immediate containment (network isolation)

Investigation and impact analysis

Patch application

Recovery

Option D follows the CEH incident response lifecycle precisely.

Option C is incomplete without containment.

Options A and B are unsafe.

CEH emphasizes containment before remediation.

Qualys VM is the best match because the scenario emphasizes enterprise vulnerability management for a hybrid environment with agent-based endpoint coverage, continuous monitoring, alerting, and centralized visibility across both on-premises and cloud systems. In CEH-aligned security operations concepts, vulnerability management is not only about running periodic scans, but also about maintaining an accurate, continuously updated view of asset exposure, prioritizing risk, and producing actionable remediation workflows. A platform designed for hybrid infrastructures commonly includes lightweight agents for endpoints, cloud connectors, unified dashboards, continuous assessment, and notification or alerting features to support real-time risk decisions. Qualys VM is widely recognized for delivering vulnerability management through a centralized cloud platform with broad asset visibility and support for continuous assessment models that align with large-scale, distributed environments.

The other options are less aligned with the full requirement set. Nikto is a focused web server and web application scanner and does not represent an enterprise-wide vulnerability management platform for endpoints and hybrid assets. OpenVAS is a capable open-source vulnerability scanner, but it is typically implemented as a scanning solution rather than a full hybrid vulnerability management platform with the same level of integrated agent-based endpoint coverage, centralized cloud visibility, and operational alerting described. Nessus is a strong vulnerability scanner and can support agents in some deployments, but the scenario’s emphasis on broad hybrid infrastructure visibility and centralized, continuous monitoring with alerting most strongly aligns with Qualys VM as a vulnerability management platform.

Outdated server software often contains memory corruption flaws. CEH notes that buffer overflow exploits are a primary method for compromising vulnerable server binaries, allowing remote code execution. This approach targets the underlying service rather than application-layer input validation issues.

CEH’s approach to suspected compromise aligns with an incident-handling mindset: containment first, then analysis and remediation. In IoT and OT-adjacent environments (smart city infrastructure, SCADA-like components, embedded controllers), CEH emphasizes that suspicious external communications and unexplained open ports may indicate compromise, misconfiguration, exposed management services, or implanted malware/backdoors. Because IoT endpoints often have limited logging and are difficult to reimage safely, the safest next step is to isolate the suspected device to prevent further data exfiltration, command-and-control activity, or lateral movement to other city systems.

Option A best matches CEH guidance: isolate the device and investigate its firmware, services, and configuration, including checking for unauthorized binaries, altered firmware images, insecure default services, and hardcoded credentials. This also preserves evidence and reduces the blast radius.

Option C (blocking the external IP) can be helpful, but it’s a partial control: attackers can rotate infrastructure, and the device could still be compromised internally. Option B (full network pen test) is too broad and delays containment when a specific high-risk indicator is already present. Option D (attempting a reverse connection) crosses into active exploitation behavior and is not an appropriate “next step” in a defensive investigation; CEH methodology stresses authorized, controlled testing and prioritizes risk reduction over interacting with suspicious external hosts.

Thus, CEH-aligned best practice is immediate isolation and firmware-level investigation.

The most likely tool/command is dig @server axfr, which attempts a DNS zone transfer (AXFR) from a specified DNS server. In CEH-aligned reconnaissance and enumeration methodology, DNS is a high-value target because it reveals how an organization’s names map to systems. A successful zone transfer can expose an entire DNS zone database, often including hostnames (subdomains), mail exchanger (MX) records, canonical name (CNAME) aliases, and sometimes internal-facing entries if the zone is misconfigured. The scenario’s outcome—receiving “a full list of subdomains, MX records, and aliases”—matches exactly what an AXFR zone transfer can disclose when a DNS server is improperly configured to allow transfers to unauthorized hosts.

The clue about a “secondary server” is also significant. In DNS architecture, organizations frequently deploy primary (master) and secondary (slave) DNS servers. Secondary servers legitimately request zone transfers from the master to stay synchronized. If the secondary server is misconfigured (for example, allowing AXFR to any requester or to a broader range than intended), an attacker can exploit this and retrieve the zone file. This results in detailed visibility into the organization’s naming scheme and infrastructure layout—information that can be used to identify high-value targets (mail servers, VPN portals, admin hosts), locate staging points, and plan follow-on attacks such as credential harvesting, targeted exploitation, or social engineering.

Why the other options do not fit: smtp-user-enum.pl is used for enumerating valid users on SMTP servers, not DNS records. ldapsearch enumerates directory information from LDAP services, not DNS zones. nbtstat -A queries NetBIOS name tables for Windows hosts, which may reveal local names and shares but not DNS-wide subdomains and MX/CNAME records. Therefore, the enumeration described is most consistent with a DNS zone transfer using dig with AXFR.

The Certified Ethical Hacker (CEH) Cloud Computing module emphasizes that serverless environments rely heavily on granular permission models. Attacks involving compromised APIs often succeed because functions are granted excessive privileges.

Option D is correct because enforcing function-level permissions and the principle of least privilege directly limits what a compromised function can execute. CEH documentation states this is the primary defense against serverless abuse.

Option A is beneficial but reactive.

Option B focuses on SaaS governance rather than FaaS execution control.

Option C provides visibility but does not directly prevent privilege misuse.

CEH highlights identity and access management (IAM) as critical in serverless security.