312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

Ransomware encrypts user data and extorts payment for restoration. CEH covers ransomware as a major threat in system hacking, highlighting encryption-based extortion as its defining behavior.

CEH v13 outlines insertion attacks as IDS evasion methods in which attackers send packets deliberately crafted so that the IDS processes them differently from the target host. In an insertion attack, malformed packets appear legitimate to the IDS—allowing malicious traffic to blend with benign inspection results—while the end host rejects or modifies the packets due to incorrect checksums, invalid flags, or protocol inconsistencies. As a result, the IDS sees one set of reconstructed data, while the actual host processes a different version or nothing at all. CEH emphasizes that intrusion detection systems may not follow full TCP/IP stack validation, making them susceptible to deception by malformed or borderline-conformant packets. Polymorphic shellcode (Option B) changes payload signatures, not packet structure. Session splicing (Option C) splits payload across packets to evade pattern matching but does not rely on checksum manipulation. Fragmentation attacks (Option D) divide traffic into smaller fragments, not alter validity fields. The described behavior fits insertion attacks precisely.

The CEH Enumeration module explains that SMTP supports commands such as VRFY, EXPN, and RCPT TO, which can be abused to enumerate valid email users if not properly restricted.

In this scenario, the smtp-enum-users Nmap script successfully uses EXPN and RCPT, indicating that the server responds differently to valid and invalid usernames.

Option C is correct because unrestricted SMTP user verification allows attackers to harvest usernames for further attacks such as phishing or brute force.

Option A involves authentication, not enumeration.

Option B affects confidentiality, not user discovery.

Option D is unrelated to SMTP enumeration.

CEH strongly recommends disabling or restricting these SMTP commands.

CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies “Insecure Data Storage” as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest, the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

The correct answer is D. Hardware/Firmware Rootkit because the scenario describes persistence that remains even after multiple OS reinstalls and executes before the operating system loads, while evading OS-level antivirus and forensic scans. In CEH-aligned malware/rootkit concepts, hardware/firmware rootkits embed malicious code into firmware components such as BIOS/UEFI, device firmware (for example, NIC firmware, storage controller firmware, HDD/SSD firmware), or other embedded hardware layers. Because firmware is separate from the operating system’s file system, reinstalling the OS typically does not remove the implant.

The clue “resides deep inside the system hardware” and “executes before the OS is loaded” aligns with firmware-level execution in the boot chain. Firmware rootkits can run during early startup, initialize malicious hooks, and then hand off control to the OS in a way that hides their presence. This makes them extremely difficult to detect using conventional host-based tools, because those tools operate after the OS is running and generally cannot easily inspect or validate firmware integrity. The mention of “unusual activity on network cards and storage devices” is also a strong indicator: compromised NIC or storage firmware can manipulate traffic, exfiltrate data, or alter reads/writes while remaining invisible to file-based scanning.

Why the other options are less accurate: a boot-loader-level rootkit typically infects the bootloader on disk; while it runs early, it may be removed by disk reimaging or certain reinstall workflows. A kernel-level rootkit resides within the OS kernel and is generally removed by reinstalling the OS. A hypervisor-level rootkit (virtualization-based) can be stealthy, but it still generally depends on software layers that may not survive repeated OS reinstalls unless paired with firmware persistence.

Therefore, the persistence across reinstalls and pre-OS execution most clearly indicate a hardware/firmware rootkit.

This scenario describes SNMP Enumeration, a technique covered under CEH v13 Reconnaissance and Enumeration. Simple Network Management Protocol (SNMP) operates over UDP port 161 and is widely used for monitoring and managing network devices. A common and critical weakness arises when organizations leave default or publicly known community strings such as public (read-only) or private (read-write) unchanged.

CEH v13 explains that when an SNMP agent is configured with default community strings, it allows unauthenticated or weakly authenticated queries, enabling attackers to retrieve extensive system information. This includes installed software, running processes, system descriptions, network interfaces, and routing tables. The ability to perform bulk data queries using SNMP GET and WALK commands makes enumeration highly effective and fast.

Option B correctly identifies the root cause: misconfigured SNMP agents permitting anonymous or default access. The other options are incorrect because SNMP does not rely on FTP, registry access, or trap logging for enumeration. Traps (Option D) are unsolicited notifications sent to managers and are not used for querying system details.

CEH v13 strongly recommends disabling SNMP when not required, changing default community strings, restricting SNMP access via ACLs, and using SNMPv3, which supports authentication and encryption. Therefore, Option B is the correct and CEH-aligned answer.

The CEH Cloud Security module highlights identity and access management (IAM) failures as a major source of cloud breaches. Ensuring timely de-provisioning of user accounts when employees leave is a core security control.

Option C is correct.

Options A and B detect issues but don’t prevent access persistence.

Option D is unrelated to access control.

CEH stresses joiner–mover–leaver (JML) processes.

The vulnerability described is characteristic of XML External Entity (XXE) Injection. In CEH web application security coverage, XXE occurs when an application parses XML input without properly disabling external entity resolution. If the XML parser is configured insecurely, an attacker can define a malicious external entity that references local files or internal system resources. When the parser processes the XML document, it resolves the external entity and may return the contents of sensitive files in the server’s response.

The scenario clearly states that the issue arises from “handling of external references in document parsing” and results in exposure of internal file paths and database connection strings. This aligns directly with XXE behavior, where attackers leverage external entity declarations to retrieve local files such as configuration files, environment settings, or system credentials. In some cases, XXE can also enable server-side request forgery by forcing the server to make internal network requests.

The other options do not match the described behavior. Identification and authentication failures relate to improper access controls, not document parsing. HTTP response splitting involves manipulating headers to inject malicious responses. Security logging and monitoring failures refer to detection gaps, not data exposure through parsing. CEH-recommended mitigation strategies include disabling DTD processing, turning off external entity resolution in XML parsers, validating input formats, implementing least privilege on file access, and using secure parsing libraries that prevent XXE exploitation.