312-50v13 ECCouncil Exam Lab Questions

This scenario most closely matches spam and phishing delivered through social networking platforms, a technique emphasized in CEH social engineering coverage as social media phishing or spear phishing via professional networks. Nadia impersonates a trusted internal authority figure, a senior HR manager, and uses believable branding elements such as a stolen logo and accurate employee details to establish credibility. She then initiates contact through connection requests and funnels targets into a controlled space, a private group, where she requests sensitive information. Collecting a work email address and department role may appear harmless, but CEH guidance notes that attackers often start with small, plausible requests to build trust and assemble data for deeper compromise. Work emails and roles enable targeted spear phishing, business email compromise preparation, password reset targeting, and crafting convincing pretexts aligned to the victim’s function.

The core mechanics align with phishing: deception, impersonation, and a call to action designed to extract information. The “exclusive project updates” hook is a classic lure used to increase compliance. While the exercise could lead to involuntary data leakage as a downstream effect, the primary simulated threat is the phishing process itself, using social media as the delivery channel. Loss of productivity is not the intent here, and network vulnerability exploitation refers to technical system flaws rather than manipulating human trust. Therefore, the most accurate classification of Nadia’s drill is spam and phishing conducted through a social media pretext.

CEH guidance for web server hardening prioritizes controls that reduce exploitable conditions across the broadest set of threats. While obscuring paths (for example, unusual directory names like “certrcx” or storing content under “/admin/web”) may slightly slow down casual discovery, CEH emphasizes that security through obscurity is not a reliable control. If an attacker can identify the server root, document root, and virtual directory structure (through misconfigurations, directory listing, error leakage, backup exposure, or known-path enumeration), then the real risk becomes unpatched vulnerabilities in the web server, modules, libraries, and underlying OS.

Regularly updating and patching the server software is the most direct, high-impact countermeasure because it closes known vulnerabilities attackers routinely exploit (RCE, privilege escalation, auth bypass, path traversal, request smuggling, etc.). CEH materials also stress that virtual hosting expands the attack surface (multiple sites, shared services, shared misconfigurations), making systematic patching and configuration management even more important.

Option A (moving the document root to a different disk) may help with organization and, in some cases, recovery planning, but it does not inherently reduce vulnerabilities. Option C (changing IPs) is not a security control; it may complicate blocking lists but doesn’t fix the underlying weakness. Option D (using LAMP) is an architectural choice, not a security measure by itself—an open-source stack can still be insecure if misconfigured or unpatched.

Therefore, CEH-aligned best practice is regular patching and updates.

This question describes a classic example of Tautology-Based SQL Injection, a subcategory of SQL Injection attacks which fall under Web Application Hacking in the CEH curriculum.

In a tautology-based SQL injection, the attacker injects a SQL fragment that always evaluates to true, thus bypassing the authentication mechanism. The string ' C ' ll-T; — is a malformed variant, possibly meant to represent ' OR ' 1 ' = ' 1 ' ; --, which is one of the most basic and widely recognized tautology-based injection payloads. When injected into a vulnerable SQL query, this kind of input manipulates the WHERE clause of the query so that it always evaluates to true, regardless of the original conditions.

Here’s how it works:

If the SQL query is:

SELECT * FROM users WHERE username = ' $username ' AND password = ' $password ' ;

And the attacker inputs:

' OR ' 1 ' = ' 1 ' ; --

The query becomes:

SELECT * FROM users WHERE username = ' ' OR ' 1 ' = ' 1 ' ; -- ' AND password = ' ' ;

This results in the execution of:

SELECT * FROM users WHERE ' 1 ' = ' 1 ' ;

Which always evaluates to true, thereby bypassing authentication and allowing unauthorized access.

This method does not rely on error messages (Error-Based), timing delays (Time-Based Blind), or UNION statements (Union-Based). Its goal is to exploit logic within the query structure itself using boolean-based manipulation.

According to EC-Council ' s CEH v13 Module: Web Application Hacking, understanding tautology-based injection is critical because it ' s one of the most common ways attackers bypass login forms on poorly secured web applications.

CEH incident response material explains that LLMNR and NBT-NS poisoning is a common credential-harvesting technique in internal networks. These legacy name-resolution protocols operate via broadcast queries. Attackers can listen for these broadcasts and respond faster than legitimate DNS/hosts entries, impersonating the requested resource. Once the victim system attempts to authenticate, it sends NTLM hashes to the attacker-controlled machine. Tools like Responder and Inveigh automate this process, enabling attackers to collect challenge-response hashes for offline cracking. CEH highlights that this method is passive from the victim’s viewpoint and difficult to detect unless monitoring tools watch for anomalous LLMNR/NBT-NS responses. Options A, B, and D refer to other components of password cracking, but none describe the mechanism of capturing hashes via poisoned name resolution. The attacker’s technique directly aligns with exploiting the name-resolution protocol to intercept authentication attempts.