ECCouncil Certified Ethical Hacker Exam (CEHv13) 312-50v13 Exam Dumps: Updated Questions & Answers (March 2026)

WPA2-PSK networks authenticate users using a pre-shared key derived from a passphrase. After capturing the 4-way handshake, CEH teaches that the standard and most effective method to recover the key is to perform an offline dictionary attack, where wordlist entries are hashed and compared against the captured handshake values. Offline cracking avoids detection and is significantly faster than brute-force attempts.

This scenario represents a Tautology-Based SQL Injection, a fundamental SQL injection technique covered under the Web Application Hacking module in the CEH v13 curriculum. The defining characteristic of this attack is the injection of a condition that always evaluates to TRUE, thereby bypassing authentication or authorization controls.

In the given example, the injected input 1 OR 'T'='T'; -- manipulates the logical condition of the SQL query. A typical vulnerable login query may resemble:

SELECT * FROM users WHERE user_id = 1 AND password = 'input';

When the attacker submits the injected payload, the resulting SQL statement becomes:

SELECT * FROM users WHERE user_id = 1 OR 'T'='T'; --';

The expression 'T'='T' is a tautology, meaning it always evaluates to TRUE regardless of context. As a result, the database returns records without properly validating the user’s credentials, granting unauthorized access.

According to EC-Council CEH v13, tautology-based SQL injection is classified as a Boolean-based injection technique where attackers exploit improper input validation to alter the logical flow of SQL queries. This attack does not depend on database error messages (as in Error-Based SQL Injection), does not extract data using UNION statements (Union-Based SQL Injection), and does not rely on response delays (Time-Based Blind SQL Injection).

CEH v13 emphasizes that such attacks are especially effective against login forms and authentication mechanisms when developers fail to implement input sanitization, parameterized queries, or prepared statements. This attack is one of the most common and exam-tested SQL injection types because it clearly demonstrates how flawed logic can compromise application security without advanced techniques.

Understanding tautology-based SQL injection is critical for ethical hackers, as it forms the foundation for identifying and mitigating more complex SQL injection variants.

The strongest indicator in this scenario is that multiple compromised hosts are “behaving like zombies,” communicating outbound to a single unfamiliar external IP over high ports, and “silently accept remote instructions” while performing “coordinated background tasks.” In CEH-aligned malware terminology, these are hallmark characteristics of a botnet: a collection of infected endpoints (bots/zombies) under centralized or semi-centralized command-and-control. Worm-like propagation explains how the compromise rapidly expanded across the internal network—using shared folders and stolen credentials for lateral spread—while the “backdoor component” provides persistent remote control functionality once a system is infected. The observed coordination across many hosts strongly suggests the attacker’s goal is not merely individual surveillance of a single machine, but scalable remote control of many machines at once.

Option A, data exfiltration, is plausible in many intrusions, but the question emphasizes orchestration and remote tasking across many endpoints rather than targeted theft from specific repositories. Option B is inconsistent because there is no mention of encryption, ransom notes, or disruption-focused behavior. Option D, a RAT, typically describes remote control of a host, but the scenario’s defining feature is the creation of many “zombies” with coordinated behavior—this aligns more precisely with building a botnet for command and control, which can later be used for data theft, DDoS, spam, or further intrusion operations.

CEH defensive guidance includes monitoring egress traffic anomalies, detecting C2 patterns, segmenting networks to limit worm spread, disabling unnecessary shares, enforcing strong credential hygiene, and using EDR to identify backdoors and lateral movement behaviors.

This technique is known as Boolean-Based Blind SQL Injection, as defined in CEH v13 Web Application Hacking. When applications suppress database errors and return generic responses, attackers use conditional statements to infer database behavior.

By comparing responses to true (1=1) and false (1=2) conditions, the attacker deduces whether injected SQL is being executed successfully.

CEH v13 distinguishes this from:

Error-based SQLi (visible DB errors)

UNION-based SQLi (data extraction)

Time-based SQLi (response delays)

Boolean-based blind SQL injection relies solely on content differences, making option C correct.

Password cracking is a core component of the system hacking phase. CEH materials highlight that once password hashes are obtained, attackers often perform offline cracking to avoid detection and bypass account lockout policies. Tools like Hashcat make use of hardware acceleration—specifically, GPU or multi-core CPU computing—to significantly increase cracking throughput. Hardware acceleration allows the system to perform thousands to millions of hash calculations simultaneously, dramatically improving cracking efficiency compared to traditional CPU-bound methods. While dumping SAM contents is part of credential extraction, it is not the optimization described in the scenario. Dictionary rules influence cracking strategy but not raw speed. NetBIOS spoofing is unrelated to password cracking. The emphasis here is on maximizing computational power to accelerate the hash-cracking process, aligning directly with CEH’s explanation of hardware-accelerated offline cracking techniques.

In CEH v13 Cloud Computing, APIs are identified as the primary control plane for managing cloud resources. A vulnerability in a cloud API can allow attackers to bypass authentication, escalate privileges, and manipulate resources.

Unauthorized access may lead to:

Data exposure

Resource abuse

Account takeover

Lateral movement within the cloud environment

Physical security (Option A) and encryption at rest (Option D) are unrelated to API flaws. DDoS attacks (Option C) are possible but not the primary risk of API vulnerabilities.

Thus, Option B is correct.

The CEH Cryptanalysis module describes differential cryptanalysis as an attack that studies the relationship between differences in input and resulting differences in output to recover secret keys.

Option A precisely matches this definition.

Option B relies on execution timing.

Option C requires ciphertext manipulation.

Option D exhaustively tests keys.

CEH lists differential cryptanalysis as a foundational theoretical attack.

The described technique is HTTP tunneling because Ethan is encapsulating his traffic inside standard web requests on port 80 to blend with normal browsing activity and bypass perimeter defenses that only perform basic port/protocol filtering. HTTP tunneling leverages the fact that many organizations allow outbound (and sometimes inbound) HTTP/HTTPS traffic through firewalls for business needs. If a firewall is not doing deep inspection (such as application-layer proxying, WAF inspection, or strict egress controls), encapsulated traffic can traverse allowed ports while carrying non-HTTP payloads inside the HTTP structure.

The scenario’s core clues are: (1) “encapsulates his traffic inside standard web requests,” (2) uses port 80, and (3) success depends on the firewall “not performing deep application inspection.” These are exactly the conditions where HTTP tunneling is effective: the traffic appears as ordinary HTTP sessions, so the firewall treats it as permitted web traffic even though the content is being used as a carrier for another protocol or command channel.

Why the other options don’t fit:

DNS tunneling (D) also encapsulates traffic, but it uses DNS queries/responses (typically UDP/TCP 53), not HTTP requests on port 80.

Tiny fragments (C) is an evasion method that breaks packets into very small fragments to confuse filtering/IDS reassembly; the scenario is about encapsulation in web requests, not fragmentation.

Source routing (B) attempts to influence packet path using IP options; it is not described here and is commonly blocked/ignored in modern networks.

Therefore, the firewall evasion technique is A. HTTP Tunneling.

Padding oracle attacks exploit systems that reveal differences in error responses when incorrectly padded ciphertext is submitted. CEH explains that these variations allow attackers to iteratively determine valid padding bytes and ultimately decrypt or modify encrypted data without knowledge of the key.

According to the Certified Ethical Hacker (CEH) attack methodology, once reconnaissance, footprinting, and website mirroring have been completed, the attacker proceeds cautiously to exploitation while maintaining stealth. CEH documentation emphasizes that low-noise, application-layer attacks are preferable when the objective is to minimize detection.

Option B, attempting SQL Injection, aligns directly with CEH’s Web Application Hacking module. SQL Injection is a server-side attack that can often be executed through normal-looking HTTP requests, making it less likely to trigger intrusion detection systems (IDS) or security alerts. CEH materials highlight SQL injection as a common and effective technique for extracting sensitive data such as usernames, passwords, and business-critical information without disrupting server operations.

Option A is incorrect because immediately modifying server configuration files after session hijacking significantly increases the risk of detection. CEH guidelines stress post-exploitation restraint, especially during red team operations.

Option C is not ideal at this stage because automated vulnerability scanners generate substantial traffic and are highly detectable. CEH explicitly notes that vulnerability scanning is noisy and often logged.

Option D is the least stealthy option. Brute-force attacks generate numerous failed authentication attempts, triggering security alerts and account lockouts. CEH classifies brute-force attacks as high-risk and easily detectable.

Therefore, SQL Injection represents the most effective and stealthy next step in accordance with CEH’s structured attack lifecycle.

The correct answer is D. Expansion because the scenario emphasizes that, after the initial foothold, the attacker harvests credentials and moves laterally to compromise additional systems—routers, printers, and file servers—thereby broadening control across the internal environment. In CEH-aligned APT lifecycle descriptions, this stage is commonly associated with internal reconnaissance, privilege/credential access, lateral movement, and widening the foothold to increase resilience and reach. The attacker is no longer limited to the original compromised endpoint; instead, they are deliberately spreading to other networked assets to build operational advantage.

The sequence in the prompt is important. Initial Intrusion (A) already occurred via spear-phishing delivering the first payload to the manager’s laptop. The question asks what phase is being simulated at this point, after access is gained and the attacker is actively moving through the network. Persistence (B) refers to establishing mechanisms to maintain access (e.g., backdoors, scheduled tasks, services, persistence in credentials/accounts) so the attacker can survive reboots, password changes, or cleanup attempts. While an attacker might establish persistence during expansion, the defining action here is lateral movement and compromise of multiple internal systems, which is more directly expansion than persistence.

Search & Exfiltration (C) would involve identifying and collecting target data (in this case, sensitive research data) and transferring it out of the environment. The prompt explicitly states Alex has not yet targeted sensitive research data, which rules out the search/exfiltration phase as the primary activity being simulated right now.

Therefore, the phase of the APT lifecycle best matching credential harvesting followed by lateral movement and compromise of multiple internal devices/servers to build a broader foothold is Expansion.

CEH v13 emphasizes that IoT and smart city environments are highly sensitive and safety-critical. When an IoT device shows anomalous outbound traffic and unauthorized open ports, this strongly indicates device compromise.

The correct immediate response is to isolate the affected device to prevent lateral movement and protect public safety. CEH v13 further stresses the importance of firmware analysis, as IoT malware often resides at the firmware level to maintain persistence.

Attempting reverse connections (Option A) is risky and may violate operational safety. Firewall changes alone (Option C) do not address an already compromised device. A full penetration test (Option D) is appropriate later but not as an immediate containment step.

Therefore, Option B aligns with CEH v13 incident handling best practices for IoT and OT environments.

A Directory Traversal attack, also known as path traversal, exploits weaknesses in how a web server or web application processes user-supplied file and directory paths through URLs or parameters. In CEH-aligned terminology, the attacker crafts requests that use traversal sequences such as dot-dot-slash patterns or encoded equivalents to escape the intended web root or permitted directory and reach sensitive locations on the underlying file system. The question states Sofia “manipulates resource paths” and successfully accesses “restricted system files,” revealing “sensitive configuration data.” This is the defining outcome of directory traversal: unauthorized access to files that should never be directly retrievable via the web interface, including application configuration files, server configuration, environment files, or other OS-level resources.

The prompt also eliminates other options by describing what the issue is not. It is not header manipulation, which would be more consistent with HTTP response splitting or header injection behaviors. It is not cached content tampering, which points to web cache poisoning. It is not credential compromise, which would indicate password cracking. Instead, the root cause is explicitly “failure to validate input paths,” matching CEH emphasis on inadequate input validation and improper path normalization or canonicalization before file access. Defensive guidance typically focuses on strict allowlisting of accessible resources, canonicalizing paths and enforcing a fixed base directory, blocking traversal tokens and their encoded forms, using indirect references instead of raw file paths, and applying least-privilege permissions to reduce impact if traversal is attempted.

The correct classification is Potentially Unwanted Applications (PUAs). In CEH malware taxonomy, PUAs refer to software that is not strictly malicious in the traditional sense but exhibits undesirable behavior such as displaying intrusive advertisements, modifying browser settings, collecting user data, degrading system performance, or bundling with other freeware without clear user awareness. In this scenario, the toolbar and optimization tool were bundled with a legitimate utility installer and presented with vague descriptions—an extremely common PUA distribution method known as software bundling.

The symptoms described—pop-up ads, homepage modification, sluggish performance, and background data transfers—are consistent with adware or browser hijackers, which fall under the broader PUA classification. Importantly, the question specifies there is no immediate file encryption (which would suggest ransomware) and no self-replication (which would suggest a worm). Botnet agents typically establish command-and-control communication and are designed for coordinated malicious activity such as DDoS or spam campaigns; while unexplained traffic may raise suspicion, the described behavior aligns more closely with adware-style monetization rather than structured botnet activity. Logic bombs are dormant code triggered by specific conditions, which is not indicated here.

From a defensive perspective, CEH recommends secure software acquisition policies, user awareness training, disabling unnecessary bundled installations, implementing endpoint protection with PUA detection enabled, and enforcing application allowlisting to prevent unauthorized or bundled software from executing within the enterprise environment.