312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

The correct answer is A. HTTP Response Splitting Attack because the scenario describes a flaw where one crafted request is interpreted in a way that causes the server (or an intermediary) to treat it as two separate HTTP messages, enabling the attacker to inject malicious data into the HTTP response stream. This is a classic input validation and header injection issue, typically involving the insertion of carriage return and line feed (CRLF) characters (\r\n) into user-controlled input that is later placed into HTTP headers (for example, in redirects, cookies, or custom headers). By injecting CRLF sequences, an attacker can “split” the server’s response: the first part completes a legitimate response header section, and the injected content begins a second, attacker-controlled response.

This aligns with the prompt’s emphasis that “a single crafted request is processed as two separate ones,” which is the fundamental mechanic of response splitting—turning one transaction into multiple interpreted HTTP entities. Once response splitting is possible, attackers may set or manipulate headers (such as Set-Cookie), inject arbitrary content, perform cross-user defacement, facilitate cache poisoning, or enable more effective delivery of client-side attacks by making browsers or proxies store and serve malicious content.

The question also frames it alongside XSS, CSRF, and SQL injection as “input validation flaws.” That matches response splitting’s root cause: insufficient sanitization/validation of untrusted input before including it in HTTP headers or responses.

Why the other options are incorrect: Password cracking is unrelated to HTTP parsing and input validation. Directory traversal abuses path handling to access files (e.g., ../) and does not involve splitting HTTP messages. Web cache poisoning can be a consequence of response splitting, but the described behavior—splitting a single request/response into two—most directly identifies HTTP response splitting as the demonstrated attack.

This technique is known as Boolean-Based Blind SQL Injection, as defined in CEH v13 Web Application Hacking. When applications suppress database errors and return generic responses, attackers use conditional statements to infer database behavior.

By comparing responses to true (1=1) and false (1=2) conditions, the attacker deduces whether injected SQL is being executed successfully.

CEH v13 distinguishes this from:

Error-based SQLi (visible DB errors)

UNION-based SQLi (data extraction)

Time-based SQLi (response delays)

Boolean-based blind SQL injection relies solely on content differences, making option C correct.

The CEH Cloud Security module highlights identity and access management (IAM) failures as a major source of cloud breaches. Ensuring timely de-provisioning of user accounts when employees leave is a core security control.

Option C is correct.

Options A and B detect issues but don’t prevent access persistence.

Option D is unrelated to access control.

CEH stresses joiner–mover–leaver (JML) processes.

WPA2-PSK networks authenticate users using a pre-shared key derived from a passphrase. After capturing the 4-way handshake, CEH teaches that the standard and most effective method to recover the key is to perform an offline dictionary attack, where wordlist entries are hashed and compared against the captured handshake values. Offline cracking avoids detection and is significantly faster than brute-force attempts.

The attack described is website defacement, which occurs when an attacker gains the ability to modify the content of a website—often the homepage—to display unauthorized messages, propaganda, or vandalism. The scenario explicitly says Mia “alter[s] visible content on the homepage, replacing it with unauthorized messages,” and emphasizes the reputational harm even without data theft. That reputational impact is a hallmark of defacement: it undermines customer trust, signals weak security, and can create regulatory/brand consequences even if no confidential information is exfiltrated.

The stated entry point—“exploiting an unpatched vulnerability in the web server”—is also consistent with defacement. Attackers frequently leverage web server or web application weaknesses (misconfigurations, known CVEs, weak credentials, vulnerable plugins, or insecure file permissions) to gain write access to web content or templates. Once write access is achieved, the attacker can replace HTML pages, alter templates, inject malicious scripts, or modify assets so that visitors see the attacker’s message.

Why the other options are less appropriate:

DNS hijacking (A) redirects users by changing DNS resolution so that the domain points to an attacker-controlled server. That can lead to a fake site, but it’s not the same as modifying the real server’s homepage content.

Frontjacking (B) typically involves UI deception—overlaying or framing content to trick users—rather than server-side modification of the homepage.

File upload exploits (C) are a method that can be used to gain code execution or place malicious files on a server, but the question asks for the type of web server attack being demonstrated. The visible outcome described—unauthorized homepage changes—is best categorized as defacement.

Therefore, Mia is most likely demonstrating D. Website Defacement.

CEH v13 teaches that NetBIOS enumeration is a key technique for gathering information in Windows environments without raising alarms. Ports 137 and 139 indicate that NetBIOS Name Service (NBNS) and SMB services are active. The tool nbtstat -A < IP > retrieves valuable information including computer names, logged-in users, domain/workgroup membership, and system roles—all passively and without authentication. CEH emphasizes that querying NetBIOS is often overlooked by defenders and generates minimal noise, making it ideal for stealth enumeration. LDAP enumeration (Option A) requires directory access and tends to trigger logs. Psloggedon and pspasswd (Options B and D) involve active interaction and authentication attempts, which are far more detectable. nbtstat is the CEH-recommended tool for initial reconnaissance on Windows networks using NetBIOS and SMB, especially when quiet enumeration is required.

Ransomware encrypts user data and extorts payment for restoration. CEH covers ransomware as a major threat in system hacking, highlighting encryption-based extortion as its defining behavior.

The correct choice is C because Nessus Essentials is fundamentally a vulnerability assessment scanner. Its core purpose is to identify security weaknesses by checking systems and services against a large vulnerability knowledge base, which includes detecting outdated or vulnerable versions of operating systems, server software, databases, web servers, and common network services. In practical scanning, Nessus performs remote checks such as banner/version identification, configuration and patch-level assessment (where possible), and vulnerability plugin checks to flag software releases that are known to be insecure or end-of-life. This directly matches the scenario emphasis: supporting “diverse technologies including operating systems, databases, web servers, and virtual environments,” and asking for a capability it provides “as part of its scanning process.”

Why the other options are incorrect:

A (Patch management) is not what Nessus Essentials is designed to do. Nessus identifies missing patches and vulnerabilities, but it does not serve as an operating system and third-party application patch deployment platform.

B (High-speed asset discovery) is more characteristic of dedicated asset discovery/attack surface tools or broader platform features; while Nessus can discover hosts during scans, “high-speed asset discovery” is not the defining, primary capability being tested here.

D (Agent-based detection) refers to endpoint agents running locally for continuous monitoring. Nessus Essentials is primarily used for scanner-driven vulnerability assessment; agent-based functionality is a separate approach/tooling concept and not the main Essentials scanning capability being targeted in this question.

Therefore, the best answer is C: Nessus Essentials is designed to scan and identify vulnerabilities, including detecting outdated/vulnerable versions across many server and service technologies.