312-50v13 VCE Exam Download

The correct answer is D. ICMP Timestamp Ping Scan.

An ICMP Timestamp Ping Scan uses ICMP timestamp request messages to query a target system’s clock value. If the target responds, the returned timestamp information can confirm that the host is alive and can also help infer timing characteristics such as round-trip delay.

CEH scanning material explains that ICMP scanning is used to identify live hosts by sending ICMP requests and observing replies. ICMP echo replies verify that a host is live, and ICMP-based discovery can also help determine network behavior and host characteristics .

Option A. UDP Ping Scan is incorrect because UDP scanning uses UDP probes, not ICMP timestamp requests.

Option B. ICMP Echo Ping Sweep is incorrect because echo ping sweeps use ICMP Echo Request and Echo Reply, not timestamp request/reply.

Option C. IP Protocol Scan is incorrect because IP protocol scanning tests supported IP protocols rather than querying clock values.

Option D. ICMP Timestamp Ping Scan is correct because the packet requests the target’s internal clock value.

Therefore, the best answer is D. ICMP Timestamp Ping Scan.

The best answer is D. Insecure routing protocols because the scenario describes legacy neighbor-to-neighbor device communications that lack encryption and integrity validation, allowing operational routing data to be exchanged without verification. In CEH-aligned network hacking concepts, this is a classic weakness of older or improperly secured routing protocols (and related network control-plane exchanges) where routers trust updates from neighbors and do not cryptographically validate the authenticity and integrity of routing information.

When routing updates are accepted without strong verification, an attacker who can position themselves on the same segment (or spoof a trusted neighbor) may inject or manipulate routing information. This can enable attacks such as route injection, route poisoning, man-in-the-middle (MITM) traffic redirection, blackholing traffic, or causing instability/denial of service by continuously advertising bad routes. The mention of “neighboring systems” and “operational data” strongly maps to routing adjacencies where devices exchange reachability and topology information. The absence of integrity checks makes it feasible to alter routing messages in transit or forge them, and the absence of encryption can expose routing details that further assists reconnaissance and targeted manipulation.

Why the other options are less accurate:

Firewall vulnerabilities relate to filtering and policy enforcement, but the core issue here is the trust model and protection of routing/control messages, not firewall rule flaws.

Lack of password protection is too generic and typically refers to weak/no credentials on management access, not unauthenticated routing exchanges.

Lack of authentication is conceptually related, but the question asks for the type of vulnerability most clearly present given “legacy communication mechanisms” between neighbors carrying operational data—this is most specifically categorized in CEH terms as insecure routing protocols (i.e., routing updates lacking authentication/integrity and sometimes encryption).

In practice, organizations mitigate this by enabling routing protocol authentication (where supported), using cryptographic integrity protections, restricting routing adjacencies, and segmenting or filtering routing/control-plane traffic to trusted peers only.

The correct answer is D. WSDL Probing Attacks.

The scenario describes retrieving and analyzing service description files to identify web service operations, methods, parameters, and response schemas. That directly matches WSDL probing. WSDL, or Web Services Description Language, describes the functions exposed by a web service, including supported operations and message structures.

CEH-aligned cloud and web service material identifies WSDL, SOAP, and UDDI as web service-related information that attackers may capture or analyze during service hijacking and reconnaissance activities . CEH-aligned web application material also explains that SOAP is used to exchange structured information in web services, and that malicious interaction with SOAP/web service structures can expose backend functionality .

Option A. SOAP Injection is incorrect because the tester is not injecting malicious SOAP payloads.

Option B. Application Logic Attacks is too broad and would involve abusing business logic, not specifically reviewing service descriptions.

Option C. XML Injection is incorrect because the scenario does not involve injecting malicious XML content.

Option D. WSDL Probing Attacks is correct because the tester is probing service description files to understand exposed web service capabilities.

Therefore, the best answer is D. WSDL Probing Attacks.

The defense described—keeping user inputs separate from the SQL statement and binding them as fixed values before execution—is the defining characteristic of parameterized queries (prepared statements). This is one of the most effective and widely recommended countermeasures against SQL injection because it prevents attacker input from being interpreted as SQL code.

In a vulnerable application, developers often build SQL statements by concatenating strings, such as " SELECT ... WHERE user= ' " + input + " ' " . In that pattern, malicious payloads can alter the query structure (adding conditions, UNIONs, comments, or stacked queries). With prepared statements, the SQL engine receives the query structure first (the template), and then receives the parameter values separately. The database treats the parameters strictly as data, not executable SQL. As a result, even if an attacker submits quotes, keywords, or operators, those characters remain part of the parameter value and cannot change the query’s logic.

The scenario specifically says inputs are “bound as fixed values,” which is direct language associated with parameter binding. That makes option D the best answer.

Why the other options are less accurate:

User input validation (A) is helpful but can be bypassed and is not as robust as parameterization; also the described mechanism is not validation but binding separation.

Restrict database access (B) is a defense-in-depth measure (least privilege) that reduces impact, but it does not inherently stop injection from occurring.

Encoding the single quote (C) is a legacy/insufficient approach; encoding or escaping can be error-prone and DBMS-specific, and it does not match the description of parameters being bound separately.

Therefore, the application is using D. Use parameterized queries or prepared statements.