312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

The ntpq utility provides detailed NTP peer information, synchronization states, offsets, delays, and strata. CEH specifically lists ntpq as the tool for querying NTP daemon status and enumerating peer relationships, making it essential for reconnaissance and lateral movement mapping.

CEH v13 explains that WPA3 introduces SAE (Simultaneous Authentication of Equals), which resists traditional offline dictionary and brute-force attacks by removing crackable handshake material. Because WPA3 prevents attackers from capturing a reusable handshake, the most practical offensive method is to force a downgrade attack, tricking clients into associating using WPA2 instead of WPA3. Once the victim reconnects under WPA2-PSK, the attacker captures the standard 4-way handshake, which can then be cracked offline using dictionary or GPU-accelerated brute-force methods. CEH discusses downgrade attacks as a significant real-world threat when mixed-mode configurations are enabled or when access points fail to enforce strict WPA3-only operation. Options B and C are ineffective because WPA3 handshake materials cannot be brute-forced offline. Option D is unrelated to Wi-Fi encryption. Downgrading to WPA2 is the most effective and widely documented attack path.

DNS hijacking occurs when attackers manipulate DNS responses to redirect traffic to malicious servers. CEH v13 clearly identifies DNSSEC (Domain Name System Security Extensions) as the primary defense against such attacks.

DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify authenticity and integrity of DNS responses. Without DNSSEC, attackers can spoof DNS responses even if servers are fully patched.

Changing IP addresses and using LAMP do not address DNS trust. Patching is essential but does not prevent DNS spoofing.

CEH v13 explicitly recommends DNSSEC for preventing cache poisoning and DNS hijacking attacks, making Option C the correct answer.

The technique being used is Error Message Analysis, because the tester is intentionally supplying a special character payload and then interpreting the application’s returned database or SQL parsing error to infer the presence of an injection point. In CEH-aligned SQL injection methodology, one of the earliest indicators of SQL injection is when crafted input causes the application to generate a database error, such as syntax errors, unclosed quotation marks, type conversion failures, or context-related messages that reveal how the input is being embedded into a query. A long series of single quotes is a classic trigger: if user input is concatenated into a SQL statement without proper sanitization or parameterization, the quotes can break the query structure and force the database engine or ORM layer to throw an error that exposes the query context.

The scenario explicitly states the response is an error message indicating the application cannot handle the input “in the current SQL context.” That means the application is leaking information through error responses, which CEH highlights as both a detection opportunity for testers and a security weakness because detailed errors can guide attackers toward successful payload construction.

This is not primarily “Detecting SQL Modification,” which focuses on confirming changes in query logic or results, often using boolean-based techniques. It is not “Function Testing,” which validates application functions rather than probing input handling at the SQL layer. While the input resembles fuzzing, fuzz testing is broader and does not specifically depend on interpreting SQL error messages as the detection signal. Here, the decisive evidence is the SQL-context error returned, making Error Message Analysis the correct technique.

White Hat Hacking is defined in CEH v13 as ethical hacking performed with explicit authorization to identify and remediate vulnerabilities. White hat hackers operate within legal frameworks and contractual agreements.

Grey hats act without permission but without malicious intent. Black hats conduct illegal attacks. Blue hats are external testers invited to find bugs before product release.

Thus, Option C is correct.

The risk described is increased attack surface caused by unnecessary services and protocols running on a web server—specifically NetBIOS and SMB. The most direct hardening action to mitigate this is to block/disable unnecessary ports and protocols so they are not exposed to the network and cannot be abused by attackers. Option D captures that principle: reduce exposure by closing ports and restricting protocols that are not required for the server’s role.

A well-hardened web server should run only the services needed to deliver its intended web functionality (e.g., HTTP/HTTPS and necessary management interfaces under strict control). Services like SMB (commonly TCP 445/139) and NetBIOS (UDP 137/138, TCP 139) are not normally required for public-facing web hosting and are frequent targets for enumeration and exploitation. Leaving such services open can enable attackers to perform credential attacks, exploit legacy vulnerabilities, access shared resources, or pivot further into the environment. By blocking or disabling these ports at the host firewall and/or perimeter firewall, the organization reduces reachable attack paths and limits what an external attacker can interact with.

Why the other options are less direct:

Dedicated machine (A) can help separation of duties, but if unnecessary services still run, the attack surface remains.

Risk assessment for patching (B) is important, but it doesn’t immediately remove the exposure created by unneeded services.

Eliminating unnecessary files (C) addresses file-system exposure, not open network services like SMB/NetBIOS.

Because the problem is explicitly about unnecessary open services/protocols, the best mitigation is D. Block all unnecessary ports, ICMP traffic, and protocols (i.e., minimize exposed services).

CEH guidance for web server hardening prioritizes controls that reduce exploitable conditions across the broadest set of threats. While obscuring paths (for example, unusual directory names like “certrcx” or storing content under “/admin/web”) may slightly slow down casual discovery, CEH emphasizes that security through obscurity is not a reliable control. If an attacker can identify the server root, document root, and virtual directory structure (through misconfigurations, directory listing, error leakage, backup exposure, or known-path enumeration), then the real risk becomes unpatched vulnerabilities in the web server, modules, libraries, and underlying OS.

Regularly updating and patching the server software is the most direct, high-impact countermeasure because it closes known vulnerabilities attackers routinely exploit (RCE, privilege escalation, auth bypass, path traversal, request smuggling, etc.). CEH materials also stress that virtual hosting expands the attack surface (multiple sites, shared services, shared misconfigurations), making systematic patching and configuration management even more important.

Option A (moving the document root to a different disk) may help with organization and, in some cases, recovery planning, but it does not inherently reduce vulnerabilities. Option C (changing IPs) is not a security control; it may complicate blocking lists but doesn’t fix the underlying weakness. Option D (using LAMP) is an architectural choice, not a security measure by itself—an open-source stack can still be insecure if misconfigured or unpatched.

Therefore, CEH-aligned best practice is regular patching and updates.

The TCP SYN scan, also known as a Stealth Scan, is emphasized in CEH v13 Network Scanning as the most effective balance between accuracy and stealth. It sends a SYN packet and analyzes the response without completing the TCP handshake.

Because the connection is never fully established, SYN scans are less likely to be logged by applications and are harder for IDS systems to detect compared to TCP Connect scans.

FIN and ACK scans are used for firewall rule mapping and evasion, but they do not reliably enumerate services. TCP Connect scans are noisy and easily detected. Therefore, Stealth (SYN) Scan is the best choice.