312-50v13 Reviews Questions

CEH v13 explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns. A custom exploit using obfuscation is far more likely to evade detection.

Metasploit payloads and rootkits are commonly flagged, and SMS phishing relies on user interaction. Therefore, custom obfuscated exploit code is the most stealthy and effective method.

The correct answer is D because the root cause of the breach was an unpatched, outdated Apache HTTP Server vulnerable to remote code execution. According to CEH principles under Security Operations and Incident Response, vulnerability management and risk assessment are critical components of defensive security strategy. An extensive risk assessment enables the organization to identify vulnerable assets, prioritize patching based on severity and business impact, and implement a structured remediation plan.

Risk assessment is part of the vulnerability management lifecycle, which includes asset identification, vulnerability scanning, risk evaluation, prioritization, patch management, and verification. By determining which systems are most exposed and critical, the organization can apply patches and security updates systematically, reducing the attack surface. Since the breach occurred due to a known vulnerability, proper patch management and regular security updates would have prevented exploitation.

Options A, B, and C represent hardening or segmentation techniques but do not directly address the core issue of outdated software vulnerabilities. Blocking ports and using dedicated machines are good security practices; however, they do not eliminate the risk of exploitation if the web server software itself remains unpatched. Therefore, implementing a comprehensive risk assessment process followed by prioritized patch management aligns directly with CEH-recommended best practices for preventing similar future incidents.

The TCP SYN scan, also known as a Stealth Scan, is emphasized in CEH v13 Network Scanning as the most effective balance between accuracy and stealth. It sends a SYN packet and analyzes the response without completing the TCP handshake.

Because the connection is never fully established, SYN scans are less likely to be logged by applications and are harder for IDS systems to detect compared to TCP Connect scans.

FIN and ACK scans are used for firewall rule mapping and evasion, but they do not reliably enumerate services. TCP Connect scans are noisy and easily detected. Therefore, Stealth (SYN) Scan is the best choice.

The system described is a Network-Based Intrusion Detection System because it is positioned near the perimeter firewall and inspects traffic flowing across the network segment rather than activity on a single endpoint. In CEH-aligned coverage, a NIDS is deployed at strategic network points such as behind a firewall, on core switches, or on SPAN or TAP links to monitor inbound and outbound packets. Its purpose is to detect suspicious patterns, signatures, protocol anomalies, and indicators of scanning or exploitation attempts across multiple hosts and an entire subnet. The question explicitly says it “analyzes incoming and outgoing traffic” and looks for patterns “across the entire subnet,” which matches NIDS scope and placement.

A Host-Based IDS, by contrast, runs on individual servers or workstations and monitors local events such as system calls, logs, file integrity, registry changes, and local network connections for that specific host. That does not match the perimeter-positioned, subnet-wide traffic analysis described. Host-based firewalls also operate per endpoint, enforcing rules for that machine only, and do not provide centralized subnet-wide packet inspection from a perimeter vantage point. A network-based firewall primarily enforces allow or deny policy and may perform stateful filtering, but it is not primarily described as a detection tool analyzing suspicious patterns; IDS is the detection-focused control.

Therefore, Olivia is attempting to bypass a Network-Based Intrusion Detection System to demonstrate how malicious traffic might evade monitoring controls placed near the firewall and to help the security team strengthen detection coverage and alerting.