312-50v13 Exam Results

The correct answer is D. Reconnaissance.

The scenario describes an early-stage information-gathering activity. The team is not exploiting the application, maintaining access, or actively compromising accounts. Instead, they are mapping exposed endpoints, directories, parameters, scripts, backend behavior, response differences, and error-handling patterns to understand the application before later testing.

CEH methodology describes reconnaissance as the preparatory phase where an attacker or tester gathers as much information as possible about a target before launching subsequent phases . EC-Council material also describes footprinting as building a blueprint or profile of an organization or target in a methodological manner, including discovering systems, services, access points, and mapping the network .

Option A. Maintaining Access is incorrect because there is no persistence or continued unauthorized access.

Option B. Scanning is less accurate because although some observation and endpoint checking may occur, the broader activity is structural information gathering at the beginning of the engagement.

Option C. Gaining Access is incorrect because the team is not exploiting vulnerabilities or taking control of the application.

Option D. Reconnaissance is correct because the activity focuses on collecting and organizing information to support later testing phases.

Therefore, the best answer is D. Reconnaissance.

CEH v13 explains that WPA3 introduces SAE (Simultaneous Authentication of Equals), which resists traditional offline dictionary and brute-force attacks by removing crackable handshake material. Because WPA3 prevents attackers from capturing a reusable handshake, the most practical offensive method is to force a downgrade attack, tricking clients into associating using WPA2 instead of WPA3. Once the victim reconnects under WPA2-PSK, the attacker captures the standard 4-way handshake, which can then be cracked offline using dictionary or GPU-accelerated brute-force methods. CEH discusses downgrade attacks as a significant real-world threat when mixed-mode configurations are enabled or when access points fail to enforce strict WPA3-only operation. Options B and C are ineffective because WPA3 handshake materials cannot be brute-forced offline. Option D is unrelated to Wi-Fi encryption. Downgrading to WPA2 is the most effective and widely documented attack path.

CEH v13 explains that SQL injection typically occurs when user inputs are concatenated into SQL queries without proper validation or parameterization. The login form is one of the most common injection targets, and testers use specific test payloads designed to manipulate the authentication query. A classic test string such as ' OR ' 1 ' = ' 1 exploits conditional logic to force the SQL statement to evaluate as true, effectively bypassing authentication if the application is vulnerable. CEH notes that this technique is a standard initial test because it is low-risk, easily detectable if vulnerable, and directly confirms improper sanitization. JavaScript injection (Option A) tests for XSS, not SQLi. Directory traversal (Option C) targets file path vulnerabilities rather than SQL queries. Brute-force attacks (Option D) rely on guessing credentials and do not test input sanitization. Therefore, using a logical SQL injection payload is the most appropriate and CEH-aligned method.

The most clearly demonstrated vulnerability is Lack of authentication. In CEH-aligned network device security principles, authentication is the fundamental control that verifies a user or device is permitted to access administrative functions or participate in trusted communications. The scenario states that the router allows external administrative access without requiring a password. That directly indicates that authentication is not being enforced for management access, meaning an unauthorized user could potentially gain administrative control simply by reaching the management interface.

The second observation reinforces the same core weakness in a different context: the router uses a protocol that provides neither encryption nor validation. In CEH terms, “validation” in routing and management protocols commonly refers to authentication and integrity checks, ensuring that updates or communications are sent by trusted peers and not altered in transit. When a protocol lacks validation, an attacker may be able to inject rogue updates, impersonate a trusted neighbor, or manipulate routing behavior, depending on the protocol and topology. While this could also be described as “insecure routing protocols,” the question asks what vulnerability is most clearly present based on both observations together. The common denominator is the absence of authentication controls: no password for admin access and no validation for device-to-device protocol exchanges.

“Lack of password protection” addresses only the first issue and is narrower. “Firewall vulnerabilities” is not evidenced. Therefore, the clearest and most comprehensive vulnerability indicated by the observations is Lack of authentication.