Pass 312-50v13 Exam Guide

The correct answer is C. Reconnaissance. In CEH methodology, reconnaissance is the initial information-gathering phase where an ethical hacker collects details about the target before deeper testing begins. CEH-aligned material defines reconnaissance as gathering information about a target using active or passive means, and it commonly includes discovering network ranges, live hosts, open ports, operating system details, services, and organizational information. Active reconnaissance involves direct interaction with the target, such as sending probes, scans, or packets, which can provide accurate information but may be detected. Passive reconnaissance collects information without directly contacting the target, often using public sources such as websites, social media, WHOIS, DNS records, and search engines. Obfuscation is related to hiding activity, exploitation refers to using a vulnerability to gain access, and denial of service focuses on disrupting availability. Therefore, the step known for active and passive information gathering is Reconnaissance.

CEH v13 highlights behavioral analytics as one of the most effective techniques for identifying ambiguous or stealthy threats such as data exfiltration, command-and-control traffic, and insider abuse. When interactions appear suspicious but not definitively malicious, behavioral profiling provides the most direct visibility.

Behavioral analytics tools establish a baseline of normal system and network behavior, including typical communication patterns, data transfer volumes, destinations, and timing. Deviations from this baseline trigger alerts, allowing analysts to detect previously unknown threats without relying on signatures.

Option C is the most appropriate because it both identifies anomalies and supports continuous mitigation. A full zero-trust shutdown (Option A) is disruptive. Forensics (Option B) is reactive and better suited after confirmation of compromise. Training (Option D) does not address system-level interactions.

CEH v13 emphasizes that modern attacks often blend into normal traffic, making behavioral analysis essential. Therefore, Option C is the correct answer.

Wireshark is the primary packet-sniffing tool covered in CEH v13 Network Sniffing. It captures and analyzes live traffic, allowing analysts to view plaintext HTTP packets.

Nessus is a vulnerability scanner, Nmap is for scanning, Netcat is a networking utility. None provide protocol-level inspection like Wireshark.

Thus, Option D is correct.

SMTP enumeration is the correct classification because the scenario explicitly references the SMTP commands VRFY, EXPN, and RCPT, which are well-known techniques for discovering valid user accounts and email routing information on mail servers. In CEH-aligned enumeration methodology, attackers and testers use these commands to determine whether specific usernames or mailbox addresses exist. VRFY is used to verify a user, EXPN can expand a mailing list or alias into individual recipients, and RCPT TO is commonly tested during an SMTP conversation to see whether a recipient address is accepted or rejected. When a server provides detailed responses, it can leak account validity and internal addressing formats, enabling targeted phishing, password spraying against known usernames, and broader social engineering campaigns.

Although the assessment also identifies Telnet, FTP with anonymous access, TFTP, and SMB shares, those findings represent additional exposed services and misconfigurations rather than the named enumeration classification in the answer choices. LDAP enumeration would focus on directory queries against services such as LDAP or Active Directory to extract users and groups. VoIP enumeration would involve SIP endpoints, extensions, and call infrastructure. DNS enumeration would center on zone transfers, record harvesting, and subdomain discovery. The distinguishing clue here is the use of VRFY, EXPN, and RCPT, which is uniquely tied to SMTP behavior and mail server user enumeration, making SMTP Enumeration the best fit.