What 312-50v13 Questions and Answers feature?

This phase is Information Gathering, the first and most foundational step in an IoT penetration test methodology described in CEH-aligned material. The goal here is to build an accurate inventory of the IoT environment and understand how devices communicate, what hardware and software versions are present, and which protocols and interfaces are in use. Jordan is collecting device models, manufacturer names, firmware versions, and supported protocols such as Zigbee and BLE. That activity maps directly to enumeration and profiling of the target IoT ecosystem, which is performed before any intrusive testing. In CEH methodology terms, this step helps identify the attack surface, including wireless interfaces, management ports, cloud backends, mobile apps, and gateways that bridge IoT networks to enterprise networks.

Information gathering is crucial because IoT risk is highly dependent on specific device types and firmware builds. Knowing a firmware version can reveal whether known CVEs apply, whether default credentials are likely, or whether insecure services are commonly enabled. Identifying Zigbee and BLE indicates potential avenues for wireless assessment, such as insecure pairing, weak encryption or key handling, misconfigured access control, and protocol-specific weaknesses.

The other options occur later. Vulnerability scanning is the step where the tester actively checks the identified devices and services for weaknesses using scanners, enumeration probes, or targeted validation. Launch attacks and gain remote access are exploitation steps that follow planning and discovery. Since Jordan is only documenting and understanding the ecosystem, the correct step is Information gathering.

The CEH Footprinting and Reconnaissance module describes DNS interrogation as a valuable technique for extracting publicly available infrastructure information such as A records, MX records, NS records, and subdomains.

DNS can reveal:

Subdomains (via zone transfers, brute forcing, or enumeration)

Mail server IP addresses (MX records)

Server locations inferred from IP geolocation

However, DNS does not store authentication credentials. Usernames and passwords are protected within authentication systems and directories, not DNS records.

Therefore, option A is correct.

CEH clearly states that DNS reconnaissance is limited to infrastructure metadata, not sensitive user credentials.

The attack described is spear phishing because it is a targeted phishing attempt crafted for a specific individual using personal and organizational context. In CEH social engineering coverage, spear phishing differs from generic phishing by its customization: the attacker addresses the victim by name, references the victim’s job function, and tailors the message to create credibility and urgency. Here, the email is addressed specifically to Clara and mentions her role in the accounts team, which increases the likelihood she will trust the message and comply.

The message uses classic phishing psychological triggers emphasized in CEH materials: urgency and fear. By claiming a “critical system vulnerability” and threatening account suspension, the attacker pressures Clara to act quickly and ignore verification steps. The inclusion of a link to a login page that “resembles the company’s internal portal” indicates credential harvesting, where the attacker’s goal is to capture usernames and passwords or other authentication tokens. The subtle misspelling in the sender’s domain is a common indicator of lookalike or typosquatting domains used to mimic legitimate corporate email addresses and bypass casual inspection.

The other options do not match as well. Impersonation is a broader category, but spear phishing is the specific technique using an email lure with personalization. Quid pro quo involves offering a benefit or service in exchange for information, which is not present. Vishing is voice-based phishing via phone calls, not email. Recommended defenses in CEH guidance include verifying sender domains, using out-of-band confirmation with IT, enabling email security controls like SPF, DKIM, and DMARC, and enforcing phishing awareness training and MFA to reduce credential theft impact.