CEH v13 312-50v13 Exam Questions and Answers PDF

Ethical hacking, as defined throughout CEH courseware, is the authorized and legitimate process of identifying vulnerabilities, weaknesses, and misconfigurations in information systems. The primary objective is to strengthen security by discovering issues before malicious actors can exploit them. Ethical hackers follow strict legal guidelines, obtain written permission, and operate within a defined scope to ensure their activities contribute positively to the organization’s security posture. Unlike malicious hacking, the intent is not to steal data, cause harm, or disrupt operations. Ethical hackers use the same tools, techniques, and methodologies that attackers use, but with the purpose of remediation and risk reduction. CEH emphasizes that ethical hacking supports defense-in-depth strategies by enabling organizations to harden their environments and proactively mitigate threats. Therefore, identifying and fixing vulnerabilities is the central mission of ethical hacking.

The correct answer is B, 2. A multihomed firewall is a firewall system connected to more than one network through multiple network interfaces. In CEH firewall architecture concepts, a multihomed firewall is described as connecting two or more networks, with each interface connected to its own network segment. Therefore, the minimum number of network connections required is two: one interface facing one network, such as the external or untrusted network, and another interface facing another network, such as the internal or trusted network. A firewall with three interfaces is commonly associated with a screened subnet or DMZ design, where one interface connects to the Internet, one to the internal network, and one to the DMZ. However, the question asks for the minimum, not a typical DMZ design. Since “multi” means more than one, the smallest valid number of network connections for a multihomed firewall is two.

The correct answer is B. ARP Spoofing because the described outcome—silently redirecting traffic between two hosts through the attacker’s machine on a LAN without changing switch configurations—is the classic effect of ARP poisoning (also called ARP spoofing). In CEH-aligned network sniffing and man-in-the-middle (MITM) techniques, ARP spoofing works by sending forged ARP replies onto the local network so that a victim host associates the attacker’s MAC address with the IP address of a legitimate system (commonly the default gateway or another target host). Once the victim’s ARP cache is poisoned, frames intended for the real destination are instead sent to the attacker, who can then forward them to the legitimate host to maintain connectivity while inspecting or altering the traffic.

The scenario states David “injects crafted messages” and then “all traffic between a finance workstation and the authentication server is silently routed through his system.” That behavior strongly indicates ARP spoofing performed in both directions: poisoning the workstation to believe the attacker is the authentication server (or gateway) and poisoning the server to believe the attacker is the workstation (or gateway). This enables a transparent MITM position where credentials can be observed—especially if protocols are unencrypted or if the attacker can downgrade or strip protections. The fact that “no proxy or VPN is in use” supports the idea that the redirection is happening at Layer 2/Layer 3 on the local segment rather than via an explicit application-level proxy.

Why the other options are less accurate: Switch port stealing targets switch CAM tables to redirect frames, but it is less directly described than ARP cache poisoning between two IP endpoints. An STP attack manipulates spanning tree to become the root bridge and can influence paths, but it is a different control-plane attack and usually affects broader Layer 2 topology. IRDP spoofing involves ICMP Router Discovery Protocol to advertise a rogue router, but the scenario fits the much more common and direct MITM sniffing technique on a switched LAN: ARP spoofing.

Therefore, David most likely used ARP spoofing.

The correct answer is B, Buffer overflow. In CEH vulnerability and exploitation concepts, a buffer overflow occurs when a program writes more data into a fixed-size memory buffer than it was designed to hold. The excess data can overwrite adjacent memory, corrupt control data, crash the application, or allow attacker-controlled code execution. CEH-related material describes buffer overflow as writing too much data into an application’s allocated buffer, potentially overwriting adjacent memory, executing code, or crashing the system. It also explains that buffer overflow attacks rely on lack of boundary testing and, in stack-based cases, may overwrite a return pointer so execution flow switches to malicious code. XSS injects malicious scripts into web pages, CSRF tricks an authenticated user into performing unwanted actions, and SQL injection manipulates database queries. These do not primarily exploit memory corruption. Therefore, the vulnerability associated with memory corruption is buffer overflow.