CEH v13 312-50v13 Reddit Questions

A bootkit is the rootkit type that best matches the described behavior because it compromises the system boot process and executes before the operating system fully loads, often before many security controls, drivers, and monitoring services start. CEH materials describe bootkits as a highly persistent class of malware that targets components such as the Master Boot Record, Volume Boot Record, or bootloader. By gaining execution at boot time, a bootkit can load malicious code very early, then hook or tamper with OS loading routines, kernel initialization, or security mechanisms. This early execution is exactly what the scenario emphasizes: the payload runs “before any system-level drivers or services are active,” enabling covert control while evading traditional user-mode detection.

This also explains why administrators see suspicious network activity but forensics do not easily find malicious user-level artifacts. Bootkits can hide by manipulating what the OS and security tools can see after startup, including concealing files, processes, registry keys, or even redirecting reads so scanners receive “clean” data. Because the malicious component is anchored in the boot chain, it can survive reboots and remain present even if many OS-level indicators are cleaned.

A kernel-mode rootkit operates within the OS kernel but typically loads after the OS begins booting and drivers initialize. A hypervisor rootkit relies on virtualization to sit beneath the OS at runtime, but the scenario specifically highlights boot-time execution prior to drivers and services. Firmware rootkits persist in BIOS/UEFI or device firmware, which is possible, but the most direct match to “boot process compromise below the OS” in CEH terminology is a bootkit.

CEH defines passive reconnaissance as collecting information without directly engaging the target.

Option A is incorrect for passive reconnaissance because Nmap scanning actively probes systems, generating detectable traffic.

Options B, C, and D rely on publicly available information and are standard passive techniques.

CEH classifies Nmap scanning as active footprinting.

This scenario describes Platform as a Service (PaaS) because the provider delivers a managed platform where developers can deploy and run custom applications while the provider manages the underlying infrastructure components—servers, operating systems, storage, and often middleware/runtime components. The customer is responsible for application code and logic (and usually data and application configuration), but not for provisioning or maintaining the base compute and OS layers.

The key phrasing is: “developers can deploy and test custom applications without managing the underlying servers, operating systems, or storage,” and “the firm controls the application logic but not the runtime infrastructure.” That is the hallmark responsibility split of PaaS: the provider handles infrastructure and platform operations, enabling rapid development and deployment through managed runtimes, build/deploy pipelines, and scalable services.

Why the other models don’t fit:

IaaS (A) would require the customer to manage the OS and many platform components (patching, runtime configuration, middleware), even though the provider supplies the virtualized infrastructure. The scenario explicitly says they do not manage OS or servers.

SaaS (C) provides a complete finished application that the customer uses; customers typically cannot deploy their own custom application logic onto it in the way described.

XaaS (D) is a broad umbrella term, not the specific NIST-style service model classification being asked.

Therefore, the correct answer is B. Platform as a Service (PaaS).

Ping of Death is a classic Denial-of-Service technique in which an attacker sends oversized or malformed IP packets that exceed the maximum allowed size when reassembled. In IP networks, the maximum packet size is 65,535 bytes. Historically, attackers exploited fragmentation by sending a series of IP fragments that, when reassembled by the target, resulted in a packet larger than the permitted limit or produced an invalid buffer condition. Vulnerable systems could crash, reboot, or become unstable because the network stack mishandled the reassembly process or failed to properly validate packet length and structure.

The scenario matches this behavior precisely: Sofia transmits “oversized, malformed packets” and the server “crashes intermittently due to processing failures.” That symptom is more consistent with a malformed-packet handling flaw than with pure traffic volume. An ICMP flood and an ACK flood are volumetric or resource-exhaustion attacks that overwhelm bandwidth or connection-handling capacity, typically degrading performance rather than directly causing crashes from malformed packet parsing. A Smurf attack is an amplification-based ICMP attack using broadcast addresses to multiply traffic toward a victim; again, it is about volume, not crafted malformed packets that trigger parsing failures.

CEH guidance highlights that PoD-style attacks exploit improper packet validation and reassembly logic. Modern systems are generally patched, but poorly maintained devices, legacy OS stacks, and some embedded implementations can still exhibit instability when exposed to malformed fragmentation and reassembly edge cases.