CEH v13 312-50v13 Book

The correct answer is D. Brute force. A brute-force attack is a password-cracking method that systematically attempts every possible combination of characters until the correct password is discovered. Because it does not rely on precompiled wordlists, common passwords, or previously generated hash databases, it is considered the most exhaustive and time-consuming password-cracking technique.

In CEH password-attacking concepts, a dictionary attack is generally faster because it uses a predefined list of commonly used passwords and words. Rainbow tables are even faster in many situations because they rely on precomputed hash values that can be matched against captured password hashes. Shoulder surfing is not a technical password-cracking method; it involves directly observing a user entering credentials.

The effectiveness and duration of a brute-force attack depend on password complexity, length, character set, account lockout policies, and available computing power. Strong passwords containing uppercase letters, lowercase letters, numbers, and special characters significantly increase the number of possible combinations, making brute-force attacks far more difficult and time-consuming.

CEH Exam Tip:

Dictionary Attack = Faster, wordlist-based.

Rainbow Tables = Precomputed hash lookup.

Brute Force = Tries every possibility; most time and effort required.

Shoulder Surfing = Social engineering observation technique.

Therefore, Brute Force is the correct answer.

A polymorphic virus is specifically designed to change its code appearance while keeping the same underlying functionality, which aligns exactly with the scenario. In CEH terms, polymorphism allows malware to mutate its decryptor routine, instruction ordering, register usage, junk code insertion, and other syntactic elements every time it propagates or executes. This causes each instance to look different at the binary level, producing different hashes and signatures, even though the malicious payload and behavior remain the same. That is why the security team sees inconsistent antivirus detection and why “traditional hash-based comparison” fails. The key indicator is that static analysis shows the “underlying logic remains unchanged,” but “code patterns vary unpredictably,” which is the hallmark of polymorphism: behavior stays consistent, signature changes.

The other options do not fit as well. A cavity virus typically hides by inserting itself into unused spaces within legitimate executable files to avoid changing the overall file size, but it does not inherently generate unpredictable code variants per infection. A macro virus primarily targets macro-enabled documents and spreads through document templates and user actions, which is not suggested here. A stealth virus focuses on evading detection by intercepting system calls and hiding its presence, such as returning “clean” file reads, but it does not necessarily produce many structurally different binaries that break hash matching. Therefore, the most likely cause of the described outbreak is a polymorphic virus.

This scenario is a classic example of DLL hijacking (also called DLL search order hijacking). On Windows, when an application attempts to load a required DLL without using a fully qualified path, the operating system searches for that DLL in a defined search order (including, in many cases, the application directory and other locations that may be writable by a low-privileged user). If an attacker can place a malicious DLL with the same name as the expected library into a directory that is searched before the legitimate DLL’s location, Windows will load the attacker’s DLL first. When the trusted application starts, the malicious DLL is loaded into the process, causing the attacker’s code to execute in the context and privileges of that application.

The question’s clues align tightly with DLL hijacking:

A “non-privileged process loaded a malicious library instead of the intended library” indicates a library preloading/search-order issue rather than exploiting a kernel bug.

The attacker “placed the rogue file in a directory Windows searched before the legitimate location,” which directly describes search order manipulation.

“When the trusted application started, the attacker’s code executed with the application’s privileges” reflects how DLL hijacking can lead to privilege escalation when the target process runs with higher privileges (e.g., as admin or SYSTEM).

“No registry changes … were involved” helps rule out techniques like certain COM hijacks or registry-based persistence and also points away from UAC bypass methods that often rely on registry keys or auto-elevated behaviors.

Why the other options don’t fit:

Exploiting vulnerabilities (A) is too generic and would typically reference a software flaw (buffer overflow, kernel exploit, etc.).

Access token manipulation (C) involves stealing/impersonating tokens, not DLL search order behavior.

Bypassing UAC (D) targets elevation prompts and auto-elevation mechanisms, not DLL loading precedence.

Therefore, the technique is B. Privilege Escalation Using DLL Hijacking.

The scenario describes a wireless discovery method where the tester only listens to the airwaves and does not transmit probe requests or inject frames. In CEH terms, this is passive reconnaissance, commonly referred to as passive footprinting in the wireless context. Passive footprinting relies on capturing and analyzing existing 802.11 management traffic such as beacon frames (periodically broadcast by access points) and probe responses sent to other clients, allowing the tester to identify SSIDs, BSSIDs (MAC addresses of access points), channel numbers, supported data rates, and sometimes security capabilities, all without generating traffic that could alert administrators or trigger wireless intrusion detection systems.

Active footprinting, by contrast, involves transmitting frames—most notably probe requests—to solicit probe responses from access points, which increases detectability. The question explicitly says Ethan does not send probe requests and does not inject data packets, which rules out active methods. “Network Discovery Software” is too generic; tools can be used for either passive or active discovery, but the technique in use is defined by behavior on the wireless medium, not the presence of software. “Wash” is a specific tool/command associated with enumerating WPS-enabled access points; while it can be used during reconnaissance, the question is testing the broader technique rather than a specific utility, and the defining characteristic here is silent listening.

CEH defensive guidance notes that passive discovery is stealthier because it leverages normal beaconing behavior. Organizations mitigate reconnaissance by using wireless monitoring, rogue AP detection, strong encryption configurations, disabling unnecessary broadcasts where feasible, and maintaining continuous wireless security assessments.