CEH v13 312-50v13 Exam Questions and Answers PDF

Comprehensive Explanation from CEH v13 Courseware:

CEH v13 describes Firewalking as a reconnaissance technique designed to determine which layer-4 protocols and ports a firewall allows. The attacker sends packets with carefully adjusted TTL values so that the packet expires just beyond the firewall. If the next hop generates ICMP Time Exceeded responses, the attacker can infer which ports the firewall permits. This method mimics normal TTL behavior, making it stealthier than full SYN scans or high-noise probing. Firewalking is expressly highlighted in CEH as a low-profile way to map firewall ACLs without triggering alarms. Broadcast pings are noisy and detectable, passive DNS monitoring does not reveal firewall rule sets, and full SYN scans are easily flagged by IDS systems. Firewalking’s reliance on TTL behavior, combined with protocol-specific probes, makes it the correct and CEH-aligned technique for quietly discovering open ports and firewall filtering rules.

CEH documentation explains that WPA-TKIP was a transitional security protocol and does not use AES encryption, relying instead on RC4-based mechanisms.

The lack of AES-based encryption makes WPA-TKIP vulnerable to injection and replay attacks.

Option C is correct.

Options A applies to WEP.

Option B affects authentication, not TKIP weakness.

Option D is not the primary TKIP flaw.

CEH recommends WPA2/WPA3 with AES.

The behavior described is most consistent with an unauthenticated scan. In CEH-aligned vulnerability assessment methodology, unauthenticated scanning evaluates systems from the perspective of an external or non-privileged entity. The scanner can typically identify network-reachable services, open ports, service banners, protocol fingerprints, and sometimes known vulnerabilities inferred from versions or exposed configurations. However, it cannot reliably inspect host-internal posture such as registry settings, local security policies, installed patch levels, missing hotfixes, detailed configuration baselines, or user and group policy settings because those require authenticated access to query the operating system and installed software inventory directly.

The prompt explicitly states that the results were limited to “open service ports and version banners” and that “deeper registry settings, user policies, and missing patches remain unreported.” That limitation is a hallmark of unauthenticated scanning. The additional clue that “system login prompts were never triggered” and “no credential failures were logged in the SIEM” further confirms that the scanner never attempted to authenticate to endpoints using accounts, SSH/WinRM/WMI, SMB, or agent-based credential checks. If the scan were authenticated or credentialed, you would expect authentication attempts, potential login prompts on some services, and often audit logs or SIEM events reflecting successful or failed logons.

Option C, internal scan, only describes where the scan originates, not whether credentials were used. Options B and D imply authentication and host-level interrogation, which contradicts the observed lack of credential activity and missing patch/policy visibility. Therefore, unauthenticated scanning best explains the outcome.

CEH identifies spear-phishing as a targeted, context-rich social engineering method tailored to specific individuals or departments. By incorporating accurate insider details, attackers significantly increase trust and likelihood of disclosure.