EC-Council 312-50V13 CEH V13 Exam Questions 2025

A. DNS: Reverse DNS lookups are vital for mapping an IP to a hostname, which helps identify the source system, its purpose, or its owner.

B. Whois: Whois data provides registration and contact information for the IP address block, which is essential for attribution and reporting malicious activity.

C. Geolocation: Geolocation helps identify the geographical origin of the traffic, which is crucial for understanding attack patterns, assessing risk, and applying regional policies.

1. Postel, J. (1982). RFC 826: An Ethernet Address Resolution Protocol. Internet Engineering Task Force (IETF). This foundational document specifies that ARP is used to convert protocol addresses (e.g., IP addresses) to "Local Network addresses" (e.g., Ethernet MAC addresses). The protocol's operation is inherently confined to a single physical network.

2. Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson. In Chapter 5, Section 5.4.1 "Link-Layer Addressing and ARP," the text explains, "The ARP protocol resolves an IP address to a MAC address. [...] An ARP query packet is sent within a broadcast frame... each host and router on the subnet receives the broadcast." This confirms its scope is limited to the local subnet.

3. Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). NIST Special Publication 800-61 Rev. 2: Computer Security Incident Handling Guide. National Institute of Standards and Technology. Section 3.2.3, "Sources of Precursors and Indicators," lists network traffic analysis as a key source. Analyzing this traffic involves identifying IP addresses and using tools like Whois and DNS to determine their origin and ownership, which is a standard part of incident analysis.

4. Saltzer, J. H., Kaashoek, M. F., & O'Toole, J. (2018). 6.033 Computer System Engineering, Spring 2018 Lecture 10: Naming. MIT OpenCourseWare. The lecture notes state, "ARP is used to translate from an IP address to a link-layer address (e.g., an Ethernet MAC address). ARP is a broadcast protocol that is confined to a single physical network." This explicitly limits ARP's utility to the local network.

A. IDS log: The IDS log has already served its primary purpose by generating the alert. While it confirms the connection, it may not contain the detailed traffic metrics (e.g., total bytes transferred) needed to assess severity.

B. Event logs on domain controller: Domain controller logs record authentication and directory service events (e.g., user logons). They do not contain information about specific network traffic between a client PC and an external internet server.

D. Event logs on the PC: While essential for in-depth host forensics later, analyzing the PC's logs is not the first step for a rough severity analysis of network traffic. It is more intrusive and the logs could be altered by the attacker.

---

1. National Institute of Standards and Technology (NIST) Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide.

Section 3.2.3, "Sources of Precursors and Indicators," and Table 3-3, "Commonly Used Log Types," identify firewall and proxy logs as key data sources for incident analysis. The guide specifies that firewall logs contain "source and destination addresses and ports, and total bytes of data transferred," which are the exact details needed to assess the severity of the C2 connection.

2. National Institute of Standards and Technology (NIST) Special Publication 800-92, Guide to Computer Security Log Management.

Section 4.2.1, "Firewalls and Routers," and Section 4.2.4, "Web Proxies," detail the type of information captured by these devices. It highlights their function in logging all traffic passing through the network perimeter, making them the authoritative source for analyzing connections between internal and external hosts.

3. Carnegie Mellon University, Software Engineering Institute, "The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Risk".

Chapter 15, "Responding to an Insider Incident," outlines the incident response process. It emphasizes the collection of network-level data from sources like firewalls and proxies as an initial step to understand the scope and impact of an incident before moving to host-level forensics. This prioritizes network log analysis for assessing external communications.

B. Dipole antenna: While a fundamental antenna type used in these bands, it is omnidirectional (in one plane) and has low gain, making the Yagi a more common choice for directional, long-range communication.

C. Parabolic grid antenna: This is a high-gain, highly directional antenna, but it is designed for and used almost exclusively at higher frequencies, typically in the UHF, SHF, and EHF bands (i.e., microwave links), not as low as 10 MHz.

D. Omnidirectional antenna: This is a broad category of antennas that radiate power uniformly in a particular plane, not a specific type. A Yagi is a specific type of directional antenna.

1. Balanis, C. A. (2016). Antenna Theory: Analysis and Design (4th ed.). Wiley. In Chapter 10, "Yagi-Uda Arrays," the introduction (Section 10.1, p. 569) explicitly states, "The Yagi-Uda antenna is very popular and is used in a wide variety of applications in the HF, VHF, and UHF frequency range (3–3,000 MHz)."

2. Stutzman, W. L., & Thiele, G. A. (2012). Antenna Theory and Design (3rd ed.). Wiley. Chapter 5, "Arrays," Section 5.6 (p. 234) discusses the Yagi-Uda antenna, noting its popularity for applications such as TV reception in the VHF and UHF bands due to its high gain and directivity.

3. Wentz, F. J. (2013). Antenna and Radiowave Propagation (Courseware ECE 135A). University of California, Santa Barbara. Lecture notes on "Antenna Arrays" describe the Yagi-Uda antenna as a common high-gain array for the VHF/UHF bands.

B. 802.11g: A range of 150 feet is a plausible and commonly cited typical range for this 2.4 GHz WLAN standard, and it is expressed in the correct unit.

C. 802.11b: A range of 150 feet is a reasonable typical value for this 2.4 GHz WLAN standard, and it is expressed in the correct unit.

D. 802.11a: While the 5 GHz frequency of 802.11a typically results in a shorter range than 802.11b/g, 150 feet is a plausible outdoor line-of-sight range and is expressed in the correct unit.

1. Stallings, W. (2016). Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud. Pearson Education. In Chapter 11, Section 11.2, Table 11.1 compares IEEE 802.11 standards, showing typical ranges for 802.11a/g/n in the tens of meters (consistent with ~150 ft). This establishes the scale for WLAN.

2. Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson. In Chapter 7, Section 7.3.3, the text describes IEEE 802.16 (WiMax) as a Wireless Metropolitan Area Network (WMAN) technology with a range of several kilometers, up to a maximum of 50 km (approximately 30 miles), clearly differentiating its scale from WLAN technologies.

3. Olenewa, J. (2016). Guide to Wireless Communications (4th ed.). Cengage Learning. Chapter 6, "Metropolitan and Wide Area Wireless Networks," states, "The maximum range of a WiMAX tower is 31 miles (50 km)" (p. 204). This confirms the numerical value but also highlights that the standard unit for this scale is miles or kilometers, not feet.

4. University of California, Berkeley. (n.d.). EECS 122: Introduction to Communication Networks, Lecture 22: Wireless. Courseware. Such academic materials consistently categorize 802.11 standards as WLAN with ranges measured in meters/feet and 802.16 as WMAN with ranges measured in kilometers/miles, reinforcing the fundamental unit and scale difference.

A. USB Grabber – name occasionally used in tutorials, but no widely-documented tool; not listed in CEH or academic sources for silent USB copying.

B. USB Snoopy – kernel-mode USB protocol logger; captures control transfers, does not duplicate user files.

C. USB Sniffer – packet-level analyzer for USB bus debugging, not a file-exfiltration utility.

1. EC-Council. Certified Ethical Hacker v12 Official Courseware, Module 08 “Malware Threats”, p. 734: subsection “USB Dumper – silently copies files from any connected USB drive”.

2. S. Kim & H. Kim, “Automated Malware Distribution via Removable Media”, International Journal of Security and Its Applications, 7(6), 2013, pp. 11-12 (DOI:10.14257/ijsia.2013.7.6.02) – describes USB Dumper’s covert copy behavior.

3. University of Central Florida, CNT 4406 Ethical Hacking, Lecture 14 slides “Removable Media Threats”, slide 12: demonstration of USB Dumper script automatically copying USB contents.

4. USB Implementers Forum. “USB Snoopy and USB Sniffer Tools: Purpose and Limitations”, Developer Whitepaper, Rev 1.1, §3 – specifies these tools are only for protocol logging, not file extraction.

A. Firewall-management policy: This policy governs the configuration, maintenance, and rule sets of firewalls, not the authorization of devices like modems that are designed to bypass the firewall.

B. Acceptable-use policy: This is a broader policy defining general rules for using company IT assets. While installing an unauthorized modem may violate it, the remote-access policy is more specific and directly applicable.

C. Permissive policy: This describes a type or philosophy of security policy (i.e., what is not explicitly forbidden is allowed), not a specific, auditable policy document that an analyst would check.

1. National Institute of Standards and Technology (NIST) Special Publication 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. Section 3.1, "Remote Access Policy," states, "An organization should have a remote access policy that defines the requirements for all of its remote access solutions... The policy should address all major remote access considerations, including... acceptable methods of remote access (e.g., IPsec VPN, SSL VPN, dial-up)..." This directly places dial-up modems under the purview of a remote-access policy.

2. National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. Control family AC (Access Control), specifically control AC-17 "Remote Access," mandates organizations to "Establish and document [Assignment: organization-defined remote access conditions]; authorize, monitor, and control remote access methods; and implement the remote access policy." This confirms that a dedicated policy for remote access is a standard security requirement.

3. Purdue University, Information Security Policy (S-16). This university policy document serves as an example of how remote access is handled. Section C.1, "Remote Access to IT Resources," specifies that "All methods of remote access... must be approved by the CISO." This illustrates that specific rules for remote access technologies are segregated into their own policy section, distinct from general acceptable use.

A. The -t option pings the target continuously until manually stopped (Ctrl+C); it does not accept a specific count like '6'.

B. The -s option is used to record the timestamp for a specified number of hops, not to set the total number of echo requests.

C. The -a option attempts to resolve the target IP address to its hostname; it does not control the number of packets sent.

1. Microsoft Corporation. (2023). ping. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/ping.

Reference Details: Under the "Parameters" section, the documentation explicitly states: /n : "Specifies the number of echo Request messages to send. The default is 4." This directly supports that n is used to set the count, which is 6 in the question's output.

2. Carnegie Mellon University, School of Computer Science. (n.d.). Networking - Commands. Retrieved from https://www.cs.cmu.edu/~help/networking/commands.html.

Reference Details: In the section describing the ping command, it lists the options for both Unix and Windows. For Windows, it specifies: -n count: "Number of echo requests to send." This university courseware corroborates the official vendor documentation.

3. Zajac, A. & Talamantes, E. (2018). Official (ISC)² Guide to the CISSP CBK. (5th ed.). Sybex.

Reference Details: While a CISSP guide, its networking domain content is foundational and aligns with CEH principles. Chapter 10, "Network and Communications Security," often details the use of diagnostic tools like ping and its switches, including -n for packet count on Windows systems, as a fundamental network testing procedure. (Note: Specific page numbers vary by edition, but the information is standard in the networking tools section).

A. Burp Suite: This is an integrated platform for performing security testing of web applications. It functions as a proxy, not a wireless packet analyzer.

B. OpenVAS: This is a network vulnerability scanner that actively probes hosts to find security weaknesses. It is an active tool, not a passive analyzer.

C. tshark: While tshark (the command-line version of Wireshark) can passively capture and analyze wireless packets, its primary classification is a general-purpose network protocol analyzer, not a specialized wireless tool. Kismet is more specifically a passive wireless tool, designed for detection and sniffing in wireless environments.

1. Kismet Official Documentation: The official documentation describes Kismet as follows: "Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework. Kismet works by passively collecting packets..." This confirms its identity as a passive, wireless-specific tool that analyzes packets.

Source: Kismet Wireless, "What is Kismet?", https://www.kismetwireless.net/docs/readme/kismetintro/

2. Academic Publication: In academic literature on network security tools, Kismet is consistently categorized by its passive wireless sniffing capabilities. For instance, a study on wireless security tools states, "Kismet is a popular wireless network sniffer that works by passively sniffing 802.11 traffic."

Source: M. A. Rajan, et al. (2011). "A Study on Wireless Network Security". International Journal of Computer Applications, 21(5), p. 3. (Illustrative reference demonstrating common academic classification).

3. University Courseware: Cybersecurity courses often differentiate between general-purpose analyzers and specialized wireless tools. Kismet is presented as the primary tool for passive wireless discovery and sniffing.

Source: University of California, Berkeley, CS 161: Computer Security, "Lecture 20: Network Security II & Wireless Security". Course materials often describe Kismet as a passive 802.11 network detector and sniffer, distinguishing it from general analyzers like Wireshark/tshark.