ECCouncil Certified Ethical Hacker Exam (CEHv13) 312-50v13 Exam Dumps: Updated Questions & Answers (April 2026)

The CEH Malware Threats module defines polymorphic malware as malicious code that mutates its appearance (code, encryption, packing) each time it propagates, making signature-based detection ineffective. Dormancy and trigger-based activation are also common characteristics.

CEH emphasizes that behavior-based detection, sandboxing, and heuristic analysis are the most effective countermeasures against polymorphic threats.

Option D is correct.

Options A, B, and C do not address polymorphic evasion techniques.

The observed characteristics point most strongly to WPA2 because the scenario explicitly identifies CCMP-like headers and AES-based encryption, along with replay protection using a packet number (PN) and the familiar four-way handshake. WPA2 (based on IEEE 802.11i) replaced older approaches that relied on RC4 and TKIP, introducing AES-CCMP as the standard data confidentiality and integrity mechanism for Wi-Fi protected networks. CCMP uses AES in a mode designed for wireless frames and includes a per-packet number to prevent replay attacks.

The mention that these features were “introduced to replace older TKIP/RC4 approaches” is a major clue. Original WPA was designed as a transitional upgrade over WEP and commonly used TKIP with RC4, whereas WPA2 standardized the stronger AES-CCMP mechanism. The four-way handshake is used to derive and install fresh session keys (pairwise transient keys) between the client and access point, and the packet number increases with each encrypted frame to provide replay protection and maintain encryption correctness.

Why the other options don’t fit as well:

WEP (D) uses RC4 with weak IV handling and lacks the robust key management and handshake properties described.

WPA (B) typically centers on TKIP/RC4 rather than AES-CCMP as the defining feature set, especially in CEH-style distinctions.

WPA3 (C) introduces improvements such as SAE (Simultaneous Authentication of Equals) replacing the legacy PSK handshake method in WPA2-Personal, and enhanced protections (e.g., stronger password-based authentication). While WPA3 can still use AES-based encryption, the scenario’s emphasis is on CCMP/AES replacing TKIP/RC4—most directly the WPA2 shift.

Therefore, the access point is most likely using A. WPA2.

CEH covers classical cryptanalytic attacks, including linear cryptanalysis, which uses statistical correlations between plaintext and ciphertext to infer bits of the secret key. If a cipher leaks structural patterns across many data samples, linear approximations can be computed to break the cipher.

The CEH Cloud Security module highlights identity and access management (IAM) failures as a major source of cloud breaches. Ensuring timely de-provisioning of user accounts when employees leave is a core security control.

Option C is correct.

Options A and B detect issues but don’t prevent access persistence.

Option D is unrelated to access control.

CEH stresses joiner–mover–leaver (JML) processes.

This scenario strongly suggests a race condition attack in the application’s token validation logic, as described in CEH v13 Web Application Hacking. A race condition occurs when an application processes multiple requests simultaneously and fails to properly synchronize validation checks.

The presence of multiple failed attempts using expired tokens followed by successful access within a short time window indicates the attacker exploited a timing flaw. During this window, the system may have inconsistently validated token expiration, allowing an expired token to be accepted.

Option A is unlikely because the logs specifically reference expired tokens. Option B is incorrect because replaying expired tokens should fail unless a validation flaw exists. Option C is highly improbable due to token entropy.

CEH v13 highlights race conditions as advanced logic flaws that are difficult to detect and often missed during standard testing. They are commonly exploited in authentication, payment processing, and session management systems.

Therefore, Option D is the correct and CEH-aligned answer.

CEH incident response material explains that LLMNR and NBT-NS poisoning is a common credential-harvesting technique in internal networks. These legacy name-resolution protocols operate via broadcast queries. Attackers can listen for these broadcasts and respond faster than legitimate DNS/hosts entries, impersonating the requested resource. Once the victim system attempts to authenticate, it sends NTLM hashes to the attacker-controlled machine. Tools like Responder and Inveigh automate this process, enabling attackers to collect challenge-response hashes for offline cracking. CEH highlights that this method is passive from the victim’s viewpoint and difficult to detect unless monitoring tools watch for anomalous LLMNR/NBT-NS responses. Options A, B, and D refer to other components of password cracking, but none describe the mechanism of capturing hashes via poisoned name resolution. The attacker’s technique directly aligns with exploiting the name-resolution protocol to intercept authentication attempts.

CEH explains that MAC flooding overwhelms a switch’s CAM table, causing it to fail open. When the table fills, the switch broadcasts frames out all ports, behaving like a hub. This exposes unicast traffic to attackers operating in promiscuous mode.

According to the Certified Ethical Hacker (CEH) IoT, OT, and SCADA Security module, side-channel attacks exploit indirect information leaks such as power consumption, electromagnetic emissions, timing variations, or thermal output rather than software vulnerabilities.

Option A is correct because monitoring hardware-level anomalies is the primary method for detecting side-channel exploitation. CEH materials emphasize that these attacks bypass traditional security controls.

Option B relates to cryptographic weaknesses, not side-channel analysis.

Option C addresses interface misuse, not covert data leakage.

CEH highlights that SCADA systems are especially vulnerable due to legacy hardware and limited monitoring capabilities.

In the Aircrack-ng suite referenced throughout CEH wireless hacking coverage, Aireplay-ng is the tool used to inject frames into a wireless network. The key phrase in the question is “transmit packets that force client devices to disconnect and reconnect.” That describes a deauthentication attack, where the tester sends 802.11 deauth frames to a client or to the access point, causing the client to drop its association and then reconnect. When a WPA2 client reconnects, the WPA2 four-way handshake is performed again. By forcing this reconnection, an ethical hacker can capture the handshake and later attempt password recovery in an offline process.

Airodump-ng is primarily a passive capture and monitoring tool used to list access points and clients, hop channels, and capture packets and handshakes, but it does not perform packet injection itself. Aircrack-ng is the cracking component that attempts to recover the WPA/WPA2 pre-shared key from a captured handshake using a wordlist or other offline techniques; it is not the tool that kicks clients off the network. Airbase-ng is used for creating a rogue access point or conducting evil twin style attacks, which is different from transmitting deauthentication frames to trigger a handshake.

Therefore, the tool that matches the described action of actively sending frames to force disconnect and reconnect is Aireplay-ng.

CEH v13 stresses that IoT-to-OT convergence is one of the most dangerous architectures in critical infrastructure environments. IoT devices often lack strong security controls and become ideal entry points for lateral movement into OT systems controlling physical processes.

The immediate priority is to secure the communication boundary between IoT and OT systems. Implementing strong encryption, authentication, and access control ensures that even if an IoT device is compromised, it cannot be used as a pivot point. CEH v13 explicitly recommends network segmentation and secure communication channels as first-response containment measures.

Penetration testing (Option A) is valuable but time-consuming and not an immediate mitigation. ML-based tools (Option C) require training time and are not instant safeguards. IPS deployment (Option D) helps detect attacks but does not prevent credential abuse or trusted-path exploitation between IoT and OT layers.

By enforcing secure protocols, certificates, and authentication mechanisms, the organization reduces attack surface immediately. Thus, Option B is correct.

CEH’s Malware Analysis module outlines a structured approach:

Identify suspicious indicators (e.g., JavaScript, OpenAction)

Extract and analyze embedded objects

Determine behavior and exploit logic

PDFStreamDumper allows analysts to extract JavaScript code and embedded objects for detailed inspection.

Option B is correct.

Option A is useful but insufficient for deep analysis.

Option C only aids identification, not behavior understanding.

The correct classification is Potentially Unwanted Applications (PUAs). In CEH malware taxonomy, PUAs refer to software that is not strictly malicious in the traditional sense but exhibits undesirable behavior such as displaying intrusive advertisements, modifying browser settings, collecting user data, degrading system performance, or bundling with other freeware without clear user awareness. In this scenario, the toolbar and optimization tool were bundled with a legitimate utility installer and presented with vague descriptions—an extremely common PUA distribution method known as software bundling.

The symptoms described—pop-up ads, homepage modification, sluggish performance, and background data transfers—are consistent with adware or browser hijackers, which fall under the broader PUA classification. Importantly, the question specifies there is no immediate file encryption (which would suggest ransomware) and no self-replication (which would suggest a worm). Botnet agents typically establish command-and-control communication and are designed for coordinated malicious activity such as DDoS or spam campaigns; while unexplained traffic may raise suspicion, the described behavior aligns more closely with adware-style monetization rather than structured botnet activity. Logic bombs are dormant code triggered by specific conditions, which is not indicated here.

From a defensive perspective, CEH recommends secure software acquisition policies, user awareness training, disabling unnecessary bundled installations, implementing endpoint protection with PUA detection enabled, and enforcing application allowlisting to prevent unauthorized or bundled software from executing within the enterprise environment.

The most likely tool/command is dig @server axfr, which attempts a DNS zone transfer (AXFR) from a specified DNS server. In CEH-aligned reconnaissance and enumeration methodology, DNS is a high-value target because it reveals how an organization’s names map to systems. A successful zone transfer can expose an entire DNS zone database, often including hostnames (subdomains), mail exchanger (MX) records, canonical name (CNAME) aliases, and sometimes internal-facing entries if the zone is misconfigured. The scenario’s outcome—receiving “a full list of subdomains, MX records, and aliases”—matches exactly what an AXFR zone transfer can disclose when a DNS server is improperly configured to allow transfers to unauthorized hosts.

The clue about a “secondary server” is also significant. In DNS architecture, organizations frequently deploy primary (master) and secondary (slave) DNS servers. Secondary servers legitimately request zone transfers from the master to stay synchronized. If the secondary server is misconfigured (for example, allowing AXFR to any requester or to a broader range than intended), an attacker can exploit this and retrieve the zone file. This results in detailed visibility into the organization’s naming scheme and infrastructure layout—information that can be used to identify high-value targets (mail servers, VPN portals, admin hosts), locate staging points, and plan follow-on attacks such as credential harvesting, targeted exploitation, or social engineering.

Why the other options do not fit: smtp-user-enum.pl is used for enumerating valid users on SMTP servers, not DNS records. ldapsearch enumerates directory information from LDAP services, not DNS zones. nbtstat -A queries NetBIOS name tables for Windows hosts, which may reveal local names and shares but not DNS-wide subdomains and MX/CNAME records. Therefore, the enumeration described is most consistent with a DNS zone transfer using dig with AXFR.

The requirement that each device authenticate through a centralized server using unique usernames and passwords aligns directly with 802.1X authentication, which CEH materials describe as port-based Network Access Control used in enterprise wired and wireless environments. In Wi-Fi, 802.1X is typically implemented as WPA2-Enterprise or WPA3-Enterprise and relies on EAP methods with a backend AAA server, most commonly RADIUS. The access point acts as the authenticator, forwarding the client’s authentication exchange to the RADIUS server, which validates the user or device identity and returns an accept or reject decision along with session keys and policy attributes. This provides strong control and auditing because access can be tied to individual identities, supports account disablement, and can enforce different access levels.

The other options do not match the “centralized server with unique credentials” description. Disabling TKIP improves security by removing an outdated encryption protocol, but it does not provide per-user authentication. MAC address filtering is weak because MAC addresses are easily discovered and spoofed, and it does not use centralized identity validation. Upgrading to WPA3 improves cryptographic strength, and WPA3-Enterprise can work with 802.1X, but WPA3 alone does not guarantee centralized username and password authentication unless the enterprise mode with 802.1X is specifically deployed. Therefore, the correct countermeasure that fits the described design is to use 802.1X authentication with a centralized authentication server, enabling strong access control, accountability, and improved resistance to unauthorized device connections.

CEH v13 identifies Slowloris as a low-bandwidth yet highly effective application-layer DoS technique that works by opening many HTTP connections and sending headers very slowly, never completing the request. Because the server must maintain these half-open HTTP sessions, its connection pool becomes saturated, preventing it from servicing legitimate users. Slowloris is particularly dangerous because it does not rely on malformed packets, high traffic volume, or protocol abuses; instead, it mimics legitimate HTTP behavior, making it difficult for firewalls or IDS systems to distinguish malicious traffic. This aligns exactly with the described scenario, where thousands of legitimate-looking HTTP connections are gradually consuming server resources. Fragmentation attacks (Option B) target packet reconstruction, UDP floods (Option C) generate high-bandwidth noise, and SYN floods (Option D) impact the TCP handshake layer, not the HTTP header behavior. Slowloris’ unique use of slow HTTP headers directly matches the symptoms described.