Selected 312-50v13 CEH v13 Questions Answers

The indicators described align most strongly with the Search and Exfiltration phase of the APT lifecycle. In CEH-aligned APT models, attackers typically progress from initial access to establishing footholds, expanding access through internal reconnaissance and lateral movement, then locating valuable data and exfiltrating it. While spear-phishing is a common Initial Intrusion technique, the scenario explicitly includes multiple signals that the attackers are already deep inside the environment and actively handling sensitive information.

The key evidence is the “unusually large data transfers during non-business hours” tied to the R & D department and “unexpected outbound traffic to unfamiliar IP addresses.” Those are classic signs of staging and exfiltration, where collected data is aggregated internally and then sent out to attacker-controlled infrastructure, often at times chosen to reduce detection. The observation that attackers have “intimate knowledge of the organization’s internal data structure” further supports that they have already performed internal discovery and are now targeting specific high-value repositories.

Unauthorized firmware on printers and routers suggests the attackers may have created durable internal collection points or covert channels, but that activity supports and enables the data-theft mission rather than being the primary phase indicated by the full pattern of events. Therefore, the combination of targeted access to R & D resources, anomalous outbound connections, and large off-hours transfers most closely matches the Search and Exfiltration phase in CEH APT lifecycle coverage.

CEH v13 explains that NTP (UDP port 123) can leak sensitive network information if misconfigured. When an NTP daemon allows unrestricted external queries (e.g., monlist or ntpq commands), attackers can enumerate internal IP addresses and hostnames.

This exposure is a known reconnaissance weakness and has been exploited in both information disclosure and amplification attacks. CEH v13 strongly recommends restricting NTP query access using access control lists.

DNS poisoning and honeypots do not explain legitimate NTP enumeration responses. Therefore, option D is correct.

The activity described is passive session hijacking because Sarah is only observing and capturing session-related information without altering, injecting, or disrupting the live client server communication. In CEH coverage of session hijacking, the key distinction is whether the attacker merely eavesdrops to obtain session identifiers or actively takes control of the session in real time. Passive hijacking focuses on sniffing traffic to collect authentication material such as session IDs, cookies, bearer tokens, or other credentials transmitted in cleartext or exposed through weak transport protections. The prompt explicitly says she “quietly collects session data” and does so “without interfering,” which is the hallmark of passive hijacking.

This is commonly feasible when applications use unencrypted HTTP, weak TLS configurations, or when tokens are exposed in ways that can be captured on the network. Once obtained, the attacker can replay or reuse the stolen token to impersonate the victim, which matches Sarah’s plan to later use the captured tokens to demonstrate risk in a controlled environment. CEH emphasizes that session tokens effectively become the user’s identity after authentication; if an attacker can steal them, they can often bypass login entirely.

Option B, active session hijacking, would involve manipulating the connection, injecting packets, desynchronizing the client, or taking over the session live. Option A, session fixation, involves forcing a victim to use a session ID chosen by the attacker, not sniffing. Option C, man-in-the-browser, requires malware within the browser to intercept or modify transactions, which is not described. Therefore, Passive Session Hijacking is correct.

CEH v13 explains that fingerprinting is a core reconnaissance technique used to identify software versions, server types, and configurations by analyzing how systems respond to crafted or abnormal input. When testers send malformed HTTP verbs, unusual headers, or atypical URI structures, the server’s specific response codes, banners, and error messages reveal distinctive behavioral patterns. These patterns allow tools like httprint, Nmap NSE scripts, and custom probes to match the responses to known server profiles. This technique is part of active reconnaissance, enabling attackers to determine vulnerabilities associated with specific versions. Phishing (Option B) is unrelated to protocol analysis. Session fixation (Option C) manipulates session identifiers, not HTTP response patterns. Persistent XSS (Option D) relies on web application vulnerabilities, not server fingerprinting. Thus, the tester is performing HTTP-based server fingerprinting.