Free EC-Council 312-50V13 CEH V13 Actual Exam Questions
Dumps Box (DumpsBox) offers up-to-date practice exam questions for the 312-50 CEH V13 certification exam, which are developed and validated by EC-Council subject domain experts certified in EC-Council 312-50V13 CEH V13. These practice questions are updated regularly as we keep an eye on any recent changes in the 312-50 CEH V13 syllabus, and when there is an update our team quickly adjusts the questions. This commitment to providing the best quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community-based feedback keeps the content clean and current. Each question has helpful community discussion that gives it extra perspective and introduces helpful resources for better exam preparation. This also saves students from other outdated practice questions or illicit exam dumps that can have adverse effects on a career. Browse through our EC-Council 312-50V13 CEH V13 exam questions and pass your exam on the first try.
botnet to simultaneously send 's' SYN packets per second to the server. You have put measures in place to manage 'f' SYN packets per second, and the system is designed to deal with this number without any performance issues.
If 's' exceeds 'f', the network infrastructure begins to show signs of overload. The system's response time increases exponentially (24k), where 'k' represents each additional SYN packet above the 'f' limit.
Now, considering 's=500' and different 'f' values, in which scenario is the server most likely to experience overload and significantly increased response times?
D imo, since the question says s=500 and if we take f=420 from option D, then the difference is 80, which causes a huge exponential increase in response time (2^(4*80) is massive). That’s way worse than the smaller differences in B or C. The confusion about 490 seems like a typo or mix-up, but if we stick with 420, it clearly means severe overload. Even a small difference can raise response times, but this big jump in D is the worst case of all listed.
It’s B for me. Here, the server can handle 495, but it’s getting hit with 500 SYN packets, so s exceeds f by 5. That small difference triggers an exponential jump in response time (32 times normal), which is enough to overload the system noticeably. A and C don’t overload since s is less or just slightly above f, so response time stays manageable. D’s numbers are confusing, mixing 420 and 490, which makes it hard to trust that option fully. So B stands out clearly as the scenario where overload happens due to that exponential increase even with a small excess.
method in order to exfiltrate data. He is using the NSTX tool for bypassing the firewalls. On which of the following ports should Robin
run the NSTX tool?
Definitely not B, C, or D since DNS traffic normally uses Port 53.
A. DNS tunneling is all about using the DNS protocol, which runs on Port 53, to sneak data through. NSTX specifically targets this standard port to blend in with normal DNS traffic, making it harder to detect. Ports like 23 (Telnet), 50 (ESP for IPsec), or 80 (HTTP) are unrelated to DNS, so they wouldn't work for this kind of tunneling. So aside from the obvious port choice, it makes sense that NSTX sticks with Port 53 to avoid raising alarms and to get past firewalls that typically allow DNS queries without much scrutiny.
file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and
running it against user accounts located by the application. The larger the word and word fragment
selection, the more effective the dictionary attack is. The brute force method is the most inclusive,
although slow. It usually tries every possible letter and number combination in its automated
exploration. If you would use both brute force and dictionary methods combined together to have
variation of words, what would you call such an attack?
C imo, since combining dictionary and brute force is exactly what “hybrid” attacks do by mixing both methods to cover more possibilities. The other options just don’t sound like real terms.
C/D? I’m with those saying C because “Hybrid” is the common term in password cracking for mixing dictionary words with brute force variations. D sounds like a fun nickname but I don’t think it’s formal or widely used. A and B just seem vague and not specific to the combined method. Hybrid really nails the idea of using both approaches to cover more possibilities efficiently.
encrypt email, leaving the information in the message vulnerable to being read by an unauthorized
person. SMTP can upgrade a connection between two mail servers to use TLS. Email transmitted by
SMTP over TLS is encrypted. What is the name of the command used by SMTP to transmit email over
TLS?
Makes sense to pick D since STARTTLS is the recognized SMTP command that triggers TLS encryption. The other choices don’t show up in any official docs I’ve seen. D
It’s D because STARTTLS is the standard way to switch from plain text to encrypted communication in SMTP, unlike the other made-up options. The server’s initial greeting includes STARTTLS if it supports TLS upgrades.
C imo, symmetric encryption usually happens after the session keys are securely shared, not out-of-band.
B imo, because symmetric cryptography is way faster for encrypting large amounts of data, while asymmetric handles the initial secure handshake and key exchange. The combo balances speed and security.
D, since decoys create noise that can throw off intrusion detection systems.
D Decoys are a classic trick to confuse IDS by blending real traffic with fake sources. The others don’t really focus on evasion as directly as D does.
Before issuing the system to Janet, it was assessed by Martin, the administrator. Martin found that
there were possibilities of compromise through user directories, registries, and other system
parameters. He also identified vulnerabilities such as native configuration tables, incorrect registry or
file permissions, and software configuration errors. What is the type of vulnerability assessment
performed by Martin?
A/C? The detailed checks on registries and permissions suggest admin access, which fits credentialed (A), but since it’s focused on one system, host-based (C) also makes sense. No clear mention of access level though.
It’s C because the focus is clearly on the system itself—registries, file permissions, and local settings—which are classic host-level checks, regardless of the access level.
Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip
Guessing D since port 22 usually means SSH and high port is client side.
It’s D because port 22 is SSH and the first IP uses a high port, typical for clients.
investigate. You discover evidence of footprinting through search engines and advanced Google
hacking techniques. The attacker utilized Google search operators to extract sensitive information.
You further notice queries that indicate the use of the Google Hacking Database (GHDB) with an
emphasis on VPN footprinting.
Which of the following Google advanced search operators would be the LEAST useful in providing the
attacker with sensitive VPN-related information?
Good point about B—since location: isn’t a recognized Google operator, it wouldn’t return any results, making it the least useful here. The others (A, C, D) actually narrow down content or URLs, which could expose VPN-related data. So definitely B for this one.
D imo. The link: operator finds pages linking to a site, which is helpful for backlink analysis but probably less direct for VPN footprinting info. The other operators (intitle:, inurl:) target specific content or URLs, making them more precise for finding sensitive VPN data. Even if location: isn’t a real operator, it at least hints at narrowing down by place, which could occasionally help with geographic VPN servers. Link: just shows backlinks, which may not reveal sensitive VPN details as effectively.
A DoS attack is mainly about flooding or overwhelming resources to stop access, so A fits best. C sounds off since password cracking isn’t the core of a denial-of-service.
A makes the most sense since DoS is about blocking service access, not password stuff.
LAN?
B tbh, the question’s about confidentiality inside the same LAN, and ESP is the go-to for encryption. Since AH options don’t encrypt at all, they’re out. Tunnel mode adds unnecessary overhead for LAN setups, so that rules out D. A’s ESP transport mode encrypts payloads directly without extra wrapping, making it efficient and secure enough here. So yeah, A fits best given the scenario and what IPSec modes are designed for.
I’m thinking D (AH Tunnel mode) might be off since tunnel mode is more for gateway-to-gateway or network-to-network scenarios, not really for same LAN setups. Also, AH doesn’t encrypt, it just provides integrity and authentication, so it won’t ensure confidentiality. So based on that, anything with AH seems less likely here. The question is about both security and confidentiality, so isn’t ESP transport mode (A) the only one that encrypts the payload directly without extra encapsulation? What do you think about the options that mention AH?
feature on switches leverages the DHCP snooping database to help prevent man-in-the-middle
attacks?
Option B also makes sense because DAI directly uses DHCP snooping info to block ARP spoofing.
Maybe B makes the most sense since Dynamic ARP Inspection uses the DHCP snooping database directly to validate ARP messages and block spoofing attempts, which fits this scenario better than the others.
traffic, and track the geographical location of the users visiting the company's website. Which of the
following tools did Taylor employ in the above scenario?
B vs A? WebSite Watcher mainly checks website changes, not traffic or location data. So, B fits better for monitoring traffic and user geography.
It’s D for sure. The question mentions tracking the geographical location of users, which is something WAFW00F doesn’t do—it’s mainly for detecting web application firewalls, not analytics. WebSite Watcher is more about monitoring website changes, and Webroot is antivirus software, so they don’t fit either. Web-Stat (option B) is the only tool focused on analyzing traffic and geolocation data, making it the clear choice here.
B tbh. The MX record number is more like a rank where lower numbers come first, so a higher number means the server is less preferred. It’s a bit confusing since “increasing priority” sounds like better, but here bigger numbers mean worse priority. So the statement that priority goes up with the number is false.
B. The number itself goes up, but that means lower priority, so priority doesn’t increase with the number—it’s the opposite.
different utilities to identify WPS-enabled APs in the target wireless network. Ultimately, he
succeeded with one special command-line utility. Which of the following command-line utilities
allowed Morris to discover the WPS-enabled APs?
I agree that wash sounds like the obvious choice since it’s built for spotting WPS-enabled APs. Looking at the other options, ntptrace is for tracing NTP servers, macof floods switches with MAC addresses, and net View is a Windows command to list network shares — none of which relate to detecting WPS. So eliminating B, C, and D seems straightforward. But is there any chance the question implies a different environment or toolset where wash wouldn't be accessible? Otherwise, wash definitely fits the bill here.
Probably A. wash makes the most sense since it’s designed specifically to detect WPS-enabled access points. The other tools don’t really focus on wireless scanning or WPS features. Macof is about flooding, ntptrace and net View don’t interact with wireless APs at all. So wash fits the description perfectly here.