CEH v13 312-50v13 Dumps PDF

Rachel is using the Ping method for sniffer detection. The distinguishing behavior in the scenario is that she sends ICMP echo requests (pings) crafted so that the Layer 2 MAC address is incorrect/mismatched, while the Layer 3 IP destination is correct. Under normal circumstances, a host’s network interface card (NIC) should drop frames not addressed to its MAC address. However, when a NIC is set to promiscuous mode (as sniffers often require), it can accept frames regardless of destination MAC and pass them up the stack. If the operating system then processes the encapsulated IP packet and responds (e.g., sends an ICMP echo reply), that response suggests the host is accepting frames it normally would ignore—an indicator consistent with promiscuous mode sniffing.

This technique is used as a heuristic: by intentionally violating normal Ethernet delivery rules and observing whether the target still responds, you can infer that the interface may be capturing traffic not explicitly addressed to it. It’s not perfect—modern drivers, switches, VLAN configurations, and host firewall behavior can affect results—but the scenario’s “mismatched MAC but correct IP” plus “the suspected machine responds” is the classic signature of the ping-based promiscuous-mode test.

Why the other options are less suitable:

ARP method (B) typically involves ARP-based tricks (non-broadcast ARP requests or crafted ARP traffic) to test how the target responds; the scenario explicitly describes ICMP behavior.

DNS method (C) relates to DNS queries/resolution behavior and does not match the ICMP/MAC mismatch test.

Nmap sniffer-detect (NSE) (D) is a specific scripted approach, but the question asks for the underlying technique being used; the described action matches the Ping method.

Therefore, the correct answer is A. Ping Method.

According to the CEH attack methodology, once an attacker obtains initial access—whether through exploitation, misconfiguration, or credential compromise—the next critical phase is privilege escalation. Gaining system-level or administrative control is essential for maintaining persistence, accessing protected data, modifying system configurations, and pivoting further into the network. Privilege escalation exploits target kernel flaws, misconfigured services, improper permission settings, or vulnerable drivers. CEH emphasizes that performing a DoS attack disrupts the engagement and provides no strategic advantage. Similarly, CSRF targets web applications rather than operating systems, and brute-force password attempts are inefficient, noisy, and often ineffective once local access has already been established. By leveraging privilege escalation techniques, the tester converts limited user access into full system control, enabling comprehensive post-exploitation activities aligned with CEH system hacking procedures.

The correct answer is D. SIMjacker.

SIMjacker is a mobile attack technique that uses specially crafted binary SMS messages targeting SIM-card functionality, historically associated with the S@T Browser environment. The attack can trigger device actions without visible user interaction, including collecting location or device information and sending it to an attacker-controlled destination.

The scenario states that the device received binary-formatted SMS messages, the messages were not visible to the user, and the phone automatically transmitted cellular location identifiers and device-related data. These are the strongest indicators of SIMjacker.

CEH-aligned mobile security material identifies SMS-based attacks and mobile malware as common mobile attack vectors and notes that mobile threats can steal personal and sensitive data from devices .

Option A. Call Spoofing is incorrect because the attack does not involve falsifying caller ID.

Option B. OTP Hijacking is incorrect because the scenario does not involve stealing one-time passwords.

Option C. SMiShing is incorrect because SMiShing requires a fraudulent text message designed to trick the user into clicking or responding. Here, no user interaction occurred.

Option D. SIMjacker is correct because invisible binary SMS messages triggered automatic device data transmission.

Therefore, the best answer is D. SIMjacker.

The correct classification is Potentially Unwanted Applications (PUAs). In CEH malware taxonomy, PUAs refer to software that is not strictly malicious in the traditional sense but exhibits undesirable behavior such as displaying intrusive advertisements, modifying browser settings, collecting user data, degrading system performance, or bundling with other freeware without clear user awareness. In this scenario, the toolbar and optimization tool were bundled with a legitimate utility installer and presented with vague descriptions—an extremely common PUA distribution method known as software bundling.

The symptoms described—pop-up ads, homepage modification, sluggish performance, and background data transfers—are consistent with adware or browser hijackers, which fall under the broader PUA classification. Importantly, the question specifies there is no immediate file encryption (which would suggest ransomware) and no self-replication (which would suggest a worm). Botnet agents typically establish command-and-control communication and are designed for coordinated malicious activity such as DDoS or spam campaigns; while unexplained traffic may raise suspicion, the described behavior aligns more closely with adware-style monetization rather than structured botnet activity. Logic bombs are dormant code triggered by specific conditions, which is not indicated here.

From a defensive perspective, CEH recommends secure software acquisition policies, user awareness training, disabling unnecessary bundled installations, implementing endpoint protection with PUA detection enabled, and enforcing application allowlisting to prevent unauthorized or bundled software from executing within the enterprise environment.