312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

Remote File Inclusion occurs when an application allows external resources to be loaded from user-controlled input. CEH teaches that an attacker can supply a remote URL pointing to a malicious script (for example, a PHP shell). When the vulnerable application includes this external file, the attacker ' s code executes on the server. This can lead to full system compromise, remote command execution, or lateral movement.

The directory that contains the publicly accessible web content—including HTML pages, images, JavaScript, CSS, and other client-side assets—is known as the Document Root. This is the base filesystem path that a web server maps to the “/” location of a website. When a user requests a resource (for example, https://site.com/index.html), the web server typically resolves that URL path to a file under the configured document root and then serves it to the client (subject to access controls and server configuration).

The scenario’s details match this precisely: Jake identifies “the directory that stores the publicly accessible website content,” and notes that it is a frequent attacker target due to risks from improper permissions. Document root security is critical because overly permissive read or browse access can expose files that were never intended to be public—such as backups, configuration files, temporary files, source code archives, or sensitive data accidentally placed in web-accessible paths. Misconfigurations can also enable directory listing, allowing attackers to enumerate and retrieve files directly. Attackers often probe for common filenames (e.g., old .zip backups, .bak files, exposed .env files, or test pages) precisely because document root is where such mistakes become externally reachable.

Why the other options are less accurate:

An Application Server (A) runs server-side application logic (e.g., Java/.NET app containers) and is not specifically the directory of static public web content.

The HTTP Server (Core) (C) refers to the web server software/service handling HTTP requests, not the content directory itself.

A Virtual Document Tree (D) describes the logical structure mapping URLs to resources (sometimes via aliases and virtual hosts), but the question asks for the directory that stores the publicly accessible content—this is the document root.

Therefore, Jake is analyzing B. Document Root.

The correct answer is Ciphertext-only attack. CEH cryptography coverage defines this attack as a situation in which the attacker has access only to encrypted data and not to the corresponding plaintext. The attacker attempts to derive useful information, recover plaintext patterns, or eventually infer the key by analyzing the ciphertext itself. That is exactly what the question describes: the adversary obtained encrypted database backups but not the keys and not the original plaintext records, and the specialist is considering whether the attacker is examining the encrypted output in isolation for structural clues or repetition. Known-plaintext attacks require access to both plaintext and matching ciphertext. Chosen-plaintext attacks involve the attacker selecting input to be encrypted, while chosen-ciphertext attacks involve selecting ciphertext for decryption attempts. None of those fit the scenario. CEH materials emphasize that ciphertext-only analysis is the most basic cryptanalytic model because it assumes the least attacker knowledge apart from the encrypted material itself. Since the exposure here is limited to intercepted ciphertext with no confirmed access to plaintext or decryption capability, the best match is a ciphertext-only attack.

The scenario describes user input being passed into system-level execution and causing “unintended operations at the system level,” which is the defining behavior of command injection in CEH web application hacking coverage. Command injection occurs when an application constructs or invokes operating system commands using unsanitized, user-controlled input. By inserting shell metacharacters or command separators such as ;, & & , |, or backticks, an attacker can cause the server to execute additional commands beyond what the developer intended. The impact often includes reading sensitive files, listing directories, creating users, downloading malware, pivoting, or otherwise interacting with restricted server resources, matching the prompt’s “access to restricted server resources.”

The question also rules out other injection families. LDAP injection targets directory service queries and manipulates LDAP filters, which the prompt explicitly excludes. CRLF injection involves inserting carriage return and line feed characters to manipulate HTTP headers or split responses; it does not primarily produce OS-level execution. “Shell Injection” is sometimes used informally to describe the same concept, but in CEH-style terminology and exam question patterns, the standard label for injecting into OS command execution is Command Injection, making option D the best and most precise answer.

Effective mitigations emphasized in CEH-aligned guidance include avoiding OS command calls where possible, using safe APIs that do not invoke shells, strict allowlisting and canonical validation of input, proper escaping for the target interpreter when needed, running services with least privilege, and applying segmentation and monitoring to limit blast radius.

\

This scenario clearly indicates a SYN Flood attack, a classic Denial-of-Service technique discussed in CEH v13 Network and Perimeter Hacking. In a normal TCP three-way handshake, a client sends a SYN, the server responds with SYN-ACK, and the client completes the connection with an ACK. In a SYN flood, attackers send a massive number of SYN packets but never complete the handshake.

As described in CEH v13, the server allocates memory and resources for each half-open connection, placing them in the SYN_RECEIVED state. When these connections are not finalized, the server’s connection table becomes saturated, preventing legitimate users from establishing new sessions.

Other options are incorrect:

Smurf attacks rely on ICMP amplification, not TCP handshakes.

Ping of Death uses malformed ICMP packets.

UDP Floods overwhelm ports using UDP, not TCP session states.

CEH v13 emphasizes SYN floods as one of the most common Layer 4 DoS attacks due to their simplicity and effectiveness.

This scenario describes Differential Cryptanalysis, a powerful cryptanalytic technique covered in CEH v13 Cryptography. Differential cryptanalysis focuses on analyzing how small changes in plaintext input affect the resulting ciphertext output, with the goal of uncovering patterns related to the secret encryption key.

CEH v13 explains that symmetric algorithms rely on complex transformations—such as substitution and permutation—to obscure relationships between plaintext and ciphertext. However, in some algorithms, predictable differences may propagate through encryption rounds in a way that reveals statistical biases. By carefully selecting pairs of plaintext inputs with controlled differences and comparing the resulting ciphertexts, attackers can infer information about intermediate states and eventually the encryption key.

This method does not attempt every possible key (brute force), nor does it rely on execution timing or system performance metrics (timing attacks). It also differs from chosen-ciphertext attacks, which involve submitting chosen ciphertexts for decryption rather than observing encryption behavior.

Differential cryptanalysis was instrumental in breaking early block ciphers and is a key reason why modern algorithms like AES are designed with resistance to differential attacks. CEH v13 emphasizes that understanding this attack is critical for evaluating the strength of symmetric encryption algorithms and their internal structure.

Therefore, Option A accurately describes the technique being employed.

CEH v13 emphasizes that after identifying vulnerabilities during scanning, testers must validate findings to determine real impact and eliminate false positives. This requires safe, controlled exploitation using approved tools such as Metasploit, Nikto, or custom proof-of-concept scripts. Misconfigurations labeled as medium-risk may still provide privilege escalation, data exposure, or footholds for further attacks. CEH methodology reinforces that exploitation should always follow the scope and rules of engagement and should avoid disruptive activities like brute-forcing or DoS attacks unless explicitly authorized. Ignoring the vulnerabilities is never acceptable in a professional assessment. Verifying the issue helps the organization prioritize remediation using evidence-based results. Therefore, the correct next step is to verify the vulnerability through controlled exploitation.

This scenario represents a Botnet-Based Distributed Denial-of-Service (DDoS) attack, as described in CEH v13 Network Attacks. Compromised internal devices become part of a botnet and are used to launch attacks against external targets.

CEH v13 notes that botnets frequently include IoT devices and employee workstations, making insider-originated DDoS activity a serious concern.