312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

This scenario most accurately represents repackaging legitimate apps. CEH mobile social engineering coverage explains that in a repackaging attack, an adversary takes a real application, modifies its internal code or structure to include malicious functionality, and redistributes it through a third-party marketplace. The important clues here are that the app appears visually and functionally identical to the legitimate version, yet sandboxing reveals additional outbound activity and binary comparison confirms structural differences from the official build. That pattern is stronger than merely publishing a look-alike malicious app, because the question indicates there are two versions of what is essentially the same application and the unofficial copy has been altered. Smishing involves fraudulent SMS messages and fake security applications typically masquerade as protective tools, neither of which matches this case. CEH warns that unofficial application stores are a common distribution point for repackaged mobile apps because attackers can embed spyware, adware, credential theft code, or other malicious logic into otherwise trusted software. The user often sees a familiar interface and therefore assumes the application is safe, making repackaging a highly effective mobile-based social engineering method.

In the CEH Denial-of-Service and Network Attacks coverage, a SYN flood is a classic TCP-based DoS technique that exploits the TCP connection establishment process. In a normal handshake, the client sends SYN, the server replies SYN/ACK, and the client completes with ACK. A SYN flood deliberately sends a high volume of SYN packets (often spoofed) but never completes the final ACK. As CEH describes, this leaves the server holding many half-open connections in SYN_RECEIVED, consuming memory and connection table resources (backlog queue). When the backlog fills, legitimate clients cannot establish connections, degrading availability.

The indicators in your scenario align exactly with CEH’s SYN flood fingerprints: incomplete handshakes and accumulation of half-open connections. The goal is resource exhaustion at the connection-management layer rather than bandwidth saturation.

Option B (Ping of Death) involves malformed/oversized ICMP packets and does not match SYN_RECEIVED behavior. Option C (UDP flood) targets UDP services/ports and creates different symptoms (high UDP traffic, ICMP unreachable messages, service degradation) without half-open TCP states. Option D (Smurf) is ICMP-based amplification via broadcast addresses—again unrelated to incomplete TCP handshakes.

CEH also notes mitigations such as SYN cookies, increasing backlog, reducing SYN-RECEIVED timers, rate limiting, and upstream filtering—further reinforcing that the described event is a SYN flood.

CEH v13 teaches that NetBIOS enumeration is a key technique for gathering information in Windows environments without raising alarms. Ports 137 and 139 indicate that NetBIOS Name Service (NBNS) and SMB services are active. The tool nbtstat -A < IP > retrieves valuable information including computer names, logged-in users, domain/workgroup membership, and system roles—all passively and without authentication. CEH emphasizes that querying NetBIOS is often overlooked by defenders and generates minimal noise, making it ideal for stealth enumeration. LDAP enumeration (Option A) requires directory access and tends to trigger logs. Psloggedon and pspasswd (Options B and D) involve active interaction and authentication attempts, which are far more detectable. nbtstat is the CEH-recommended tool for initial reconnaissance on Windows networks using NetBIOS and SMB, especially when quiet enumeration is required.

The correct answer is RSA. CEH cryptography coverage describes RSA as a widely used asymmetric algorithm that supports encryption and digital signatures and is commonly deployed in public-key infrastructures. The question states that the transaction data is hashed, the hash is signed with the sender’s private key, and the recipient verifies the signature with the matching public key. That is the classic RSA signature model presented in CEH materials. The additional clue is that the same algorithm is said to support encryption, digital signatures, and secure communications use cases. Diffie-Hellman is mainly a key exchange mechanism and is not used for digital signatures in the way described here. DSA is designed for digital signatures, but not for general encryption. ElGamal can support encryption and signatures, but CEH exam framing most strongly associates this full combination of encryption plus digital-signature verification with RSA. CEH references repeatedly emphasize RSA as the standard asymmetric cryptosystem for confidentiality, authentication, integrity, and nonrepudiation in enterprise communications. Because the described implementation combines hashing, private-key signing, and public-key verification within a broad asymmetric framework, RSA is the most accurate answer.

The behavior described most closely matches an insider attack, because the actor is a temporary contractor who has physical proximity and implicit access to internal areas where employees work and handle sensitive information. In CEH guidance, an “insider” is not limited to permanent employees; it includes contractors, vendors, interns, and any trusted or semi-trusted individuals who can enter facilities or access internal environments. The attack combines two common insider-facilitated techniques: shoulder surfing and dumpster diving. Recording employees entering passwords is a form of shoulder surfing, where credentials are harvested by observing or capturing authentication entry through direct viewing or recording devices. Finding sensitive documents in a trash bin indicates dumpster diving, where attackers recover confidential information from improperly disposed materials.

These actions are typically feasible because the attacker is already inside the perimeter and can exploit weak operational security practices, such as lack of clean-desk enforcement, inadequate shredding policies, and insufficient physical monitoring of visitor or contractor activity. CEH materials emphasize that insider threats are particularly dangerous because they bypass many external perimeter controls and can blend into normal workplace behavior.

The other options do not fit. A distribution attack generally refers to compromise introduced through supply chain or third-party distribution channels, not on-site observation and trash retrieval. A passive attack is too generic and does not capture the key element of an authorized or trusted presence enabling the compromise. “Cisco-in attack” is not a standard CEH attack category for this scenario. Therefore, the most accurate classification is an insider attack.

MAC flooding is a Layer 2 attack described in CEH v13 Network and Perimeter Hacking, where attackers overwhelm a switch’s CAM table with fake MAC addresses. Once the table is full, the switch behaves like a hub, forwarding traffic to all ports.

The most definitive indicator of MAC flooding is numerous MAC addresses learned on a single switch port, which is abnormal behavior in a properly segmented network. CEH v13 identifies this condition as a key forensic indicator of CAM table exhaustion.

ARP anomalies may occur, but they are more commonly associated with ARP spoofing attacks. IP-to-MAC inconsistencies indicate MITM attacks, not MAC flooding.

Thus, option C is the clearest confirmation.

CEH v13 explains that SQL injection typically occurs when user inputs are concatenated into SQL queries without proper validation or parameterization. The login form is one of the most common injection targets, and testers use specific test payloads designed to manipulate the authentication query. A classic test string such as ' OR ' 1 ' = ' 1 exploits conditional logic to force the SQL statement to evaluate as true, effectively bypassing authentication if the application is vulnerable. CEH notes that this technique is a standard initial test because it is low-risk, easily detectable if vulnerable, and directly confirms improper sanitization. JavaScript injection (Option A) tests for XSS, not SQLi. Directory traversal (Option C) targets file path vulnerabilities rather than SQL queries. Brute-force attacks (Option D) rely on guessing credentials and do not test input sanitization. Therefore, using a logical SQL injection payload is the most appropriate and CEH-aligned method.

To determine which specific system on the sender’s side processed the message, the most relevant email-header detail is the sender’s mail server, typically revealed in the chain of Received: headers. Each mail transfer agent (MTA) that handles the message adds a Received line indicating the system that passed the message along and the system that received it. By reviewing these headers from bottom to top (earliest hop upward), analysts can identify the originating outbound infrastructure used by the sender—such as the initial submission server, outbound relay, or gateway that first accepted the email for delivery.

The scenario’s goal is to “map the sender’s outbound email infrastructure” and identify “which specific system on the sender’s side processed the message.” That maps more directly to identifying the mail server hostnames involved (the MTAs), because those are the processing systems that relayed the email. While an IP address can help locate a host, the question emphasizes the “specific system” responsible for processing, which is typically expressed as the mail server identity (hostname/domain) shown in header traces. In practice, investigators correlate the sender mail server information with IPs, TLS details, and authentication results, but the primary header clue for the processing system is the server identified in Received lines.

Why the other options are less suitable:

Date and time (A) helps with timeline analysis, not identification of the processing system.

Sender’s IP address (C) can indicate a source network, but the message may traverse NAT, relays, or cloud email services; it doesn’t always name the processing system.

Authentication system used (D) (e.g., SPF/DKIM/DMARC results) indicates validation outcomes, not which server processed the message.

Therefore, the correct choice is B. Sender’s mail server.