A penetration tester finds malware that spreads across a network without user interaction, replicating itself from one machine to another. What type of malware is this?
Correct Answer: D
Comprehensive Explanation from CEH v13 Courseware: CEH v13 describes worms as standalone malicious programs capable of self-replication without requiring user assistance. Unlike viruses, which need a host file and are typically triggered by user actions, worms propagate autonomously by scanning networks, exploiting vulnerabilities, or copying themselves to accessible machines. Worms are known for causing rapid, widespread damage by consuming bandwidth, degrading system performance, and creating backdoors for attackers. Classic examples such as Conficker, WannaCry, and SQL Slammer reinforce the destructive potential of automated propagation. CEH stresses that worms often use network shares, open ports, or unpatched vulnerabilities to move laterally. In contrast, keyloggers harvest keystrokes, ransomware encrypts data and demands payment, and viruses require user involvement to spread. The behavior in the scenario, automatic replication across the network, is the defining characteristic of worm activity according to CEH's malware taxonomy.
312-50v13 Exam Question 62
A penetration tester needs to identify open ports and services on a target network without triggering the organization's intrusion detection systems, which are configured to detect high-volume traffic and common scanning techniques. To achieve stealth, the tester decides to use a method that spreads out the scan over an extended period. Which scanning technique should the tester employ to minimize the risk of detection?
Correct Answer: A
The CEH v13 content explains that stealth scanning involves modifying scan timing parameters to reduce packet frequency, randomize intervals, and avoid recognizable patterns typically flagged by intrusion detection systems. Slow, randomized timing, often achieved with Nmap's T0 or T1 timing templates, prevents bursts of traffic and allows scans to blend into normal network noise. IDS/IPS systems tuned for high-volume events may fail to detect such gradual reconnaissance. Fast SYN scans generate distinctive patterns easily identified by security monitoring tools. UDP scans, especially across all ports, produce high traffic volume and are extremely noisy. Xmas scans, although sometimes used for stealth against stateless filters, are still signature-detectable and inappropriate when stealth over time is required. Therefore, applying slow, randomized timing options aligns with CEH-approved reconnaissance techniques for evading detection while enumerating open ports.
312-50v13 Exam Question 63
A penetration tester is tasked with scanning a network protected by an IDS and firewall that actively blocks connection attempts on non-standard ports. The tester needs to gather information on the target system without triggering alarms. Which technique should the tester use to evade detection?
Correct Answer: A
A low-and-slow scanning technique spreads probe attempts over long intervals, reducing the chance of triggering IDS signatures that rely on detecting rapid or high-volume scans. CEH highlights timing-based evasion as an effective method for reconnaissance against networks with strict perimeter controls.
312-50v13 Exam Question 64
During a quarterly security audit at a financial services company in Charlotte, North Carolina, you are tasked with reviewing exposed services on legacy servers inherited from a third-party vendor. While scanning, you discover that TCP port 1434 is open on a database node that is not listed in the company's active inventory. The IT team has no records explaining why this service is running, and you are asked to determine whether the exposure of this port could indicate an unnecessary database-related risk. Based on standardized port assignments, which service is most likely running on this port and requires further review?
Correct Answer: A
The correct answer is A. ms-sql-m, because TCP/1434 is commonly associated with Microsoft SQL Server Monitor / SQL Server Browser-related services, which are used to help clients discover SQL Server instances and their connection details. In standardized service naming, ms-sql-m corresponds to Microsoft SQL "monitor" functionality tied to instance discovery and related metadata exposure. When this port is reachable from networks where it is not needed, it increases the attack surface by exposing information that helps attackers identify database instances, target the correct ports, and focus exploitation attempts. In the context of a legacy server that is "not listed in the company's active inventory," an open 1434 is a red flag because it suggests an unnecessary or unmanaged database discovery component may be running. Attackers often use exposed database-related ports for reconnaissance (identifying instance names, versions, and listening endpoints) and then pivot to authentication attacks or exploitation of known weaknesses. Even when the core SQL service port is controlled, discovery services can still leak useful environment details that lower the cost of an attack.
Why the other options are incorrect: ms-sql-s typically refers to the primary Microsoft SQL Server service, most commonly associated with TCP/1433 (the default SQL Server port), not 1434. sql*net is associated with Oracle SQL*Net/Net8 traffic, typically using Oracle listener ports such as 1521, not 1434. sqlsrv is not the standardized assignment for 1434 in the way ms-sql-m/ms-sql-s are used for Microsoft SQL-related services.
Therefore, based on standardized port associations and the database discovery/monitoring role of this service, the exposure most likely indicates ms-sql-m on TCP/1434, and it warrants further review and potential restriction if not required.
312-50v13 Exam Question 65
While analyzing logs, you observe a large number of TCP SYN packets sent to various ports with no corresponding ACKs. What scanning technique was likely used?
Correct Answer: A
This activity clearly indicates a TCP SYN scan, also known as a half-open scan, which is a commonly used stealth scanning technique discussed in CEH v13 Reconnaissance and Network Scanning. In a SYN scan, the attacker sends TCP SYN packets to target ports and observes the responses without completing the TCP three-way handshake. If the port is open, the target responds with a SYN/ACK packet. The scanner then immediately sends a RST packet instead of the final ACK, leaving the connection half-open. This behavior allows attackers to identify open ports while minimizing log entries and reducing detection by security monitoring tools. The absence of ACK packets in logs supports this explanation, as the handshake is never completed.
Other options are incorrect because: XMAS scans send packets with multiple flags set. SYN/ACK scans are primarily used for firewall rule discovery. TCP Connect scans complete the full handshake and generate ACKs.
CEH v13 emphasizes that SYN scans are widely used because they balance accuracy and stealth, making them a preferred reconnaissance method for attackers.
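A detection-side illustration of the log pattern described in this explanation and in the timing-based questions above, added here and not taken from the CEH courseware. It pairs each initiator SYN with the later packets of the same flow and reports sources that probed several ports without ever sending the handshake's final ACK; the log format, addresses and ports are constructed for the example.

```python
# Added example (not from the CEH courseware): flag likely half-open (SYN)
# scans in packet logs by checking whether each SYN was ever followed by the
# initiator's ACK. Log lines below are constructed: one packet per line.
import re
from collections import defaultdict

SAMPLE_LOG = """\
10:00:01 src=10.0.0.5:40001 dst=10.0.0.9:22 flags=S
10:00:01 src=10.0.0.9:22 dst=10.0.0.5:40001 flags=SA
10:00:01 src=10.0.0.5:40001 dst=10.0.0.9:22 flags=R
10:00:01 src=10.0.0.5:40002 dst=10.0.0.9:80 flags=S
10:00:01 src=10.0.0.9:80 dst=10.0.0.5:40002 flags=SA
10:00:01 src=10.0.0.5:40002 dst=10.0.0.9:80 flags=R
10:00:02 src=10.0.0.5:40003 dst=10.0.0.9:443 flags=S
10:00:02 src=10.0.0.9:443 dst=10.0.0.5:40003 flags=RA
10:00:02 src=10.0.0.5:40004 dst=10.0.0.9:3389 flags=S
10:00:05 src=10.0.0.7:51000 dst=10.0.0.9:22 flags=S
10:00:05 src=10.0.0.9:22 dst=10.0.0.7:51000 flags=SA
10:00:05 src=10.0.0.7:51000 dst=10.0.0.9:22 flags=A
"""

LINE_RE = re.compile(r"src=(\S+):(\d+) dst=(\S+):(\d+) flags=(\S+)")

def analyze(log_text, min_ports=3):
    """Return {source_ip: sorted probed ports} for every source that sent SYNs
    to at least `min_ports` distinct ports without completing a handshake
    (its SYN was never followed by its own bare ACK for that flow)."""
    syn_flows = {}  # (src, sport, dst, dport) -> handshake completed?
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        key = (src, sport, dst, dport)
        if flags == "S":
            syn_flows[key] = False   # initiator's SYN opens a half-open flow
        elif flags == "A" and key in syn_flows:
            syn_flows[key] = True    # initiator's ACK: third handshake packet
    probes = defaultdict(set)
    for (src, _sport, _dst, dport), completed in syn_flows.items():
        if not completed:
            probes[src].add(int(dport))
    return {src: sorted(p) for src, p in probes.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))  # {'10.0.0.5': [22, 80, 443, 3389]}
```

The host 10.0.0.7 completes its handshake with a final ACK and is not reported, while 10.0.0.5 leaves every probed port half-open, matching the log observation in the question.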