Vermont Certified Ethical Hacker (CEH) V13 Exam | Latest Verified Questions and Detailed Answers
OVERVIEW DESCRIPTION:
The CEH V13 exam validates a candidate’s ability to identify, exploit, and mitigate modern
cybersecurity threats using cutting-edge methodologies. It emphasizes AI-enhanced attack
techniques, cloud environments (AWS, Azure, GCP), IoT and OT hacking, alongside
traditional domains such as network scanning, system hacking, web application attacks,
and wireless security. The exam tests proficiency with essential tools including Nmap,
Wireshark, Burp Suite, Hydra, and Metasploit, focusing on real-world scenarios that require
adaptive thinking against next-generation defenses.
QUESTION 1
An ethical hacker is conducting a footprinting exercise to map a target organization's
external infrastructure without triggering alarms. Which technique would most likely
remain undetected by basic intrusion detection systems?
A) Full port scan using Nmap with default settings
B) ICMP Echo requests to all IP addresses in the range
C) Passive DNS enumeration and public WHOIS lookups
D) SYN flood against the firewall’s public interface
CORRECT ANSWER: C
EXPERT RATIONALE: Passive DNS and WHOIS queries use publicly available data and
do not send packets to the target’s live systems, avoiding detection. Active techniques
like scans or floods generate traffic that IDS can flag.
QUESTION 2
During enumeration, you discover an open LDAP port (389) on a domain controller.
What is the primary value of this service to an attacker?
A) It allows direct root access to the filesystem
B) It can be queried for user, group, and computer objects
C) It provides a web interface for password resets
D) It is used only for time synchronization
CORRECT ANSWER: B
EXPERT RATIONALE: LDAP directories store organizational data such as usernames,
groups, and policies, aiding lateral movement. Extracting this information supports
further targeted attacks.
QUESTION 3
You have obtained a hash of a user’s NTLM password. Which tool is most efficient for
attempting to reverse the hash using a large precomputed table?
A) Hydra
B) John the Ripper in single crack mode
C) Hashcat with a dictionary attack
D) RainbowCrack using rainbow tables
CORRECT ANSWER: D
EXPERT RATIONALE: Rainbow tables are precomputed hash chains that speed up
reversal of hashes without brute-forcing each attempt. This method is efficient for
common passwords.
QUESTION 4
An AI-powered malware sample uses reinforcement learning to alter its network traffic patterns
every 60 seconds. Which defense mechanism would be most effective against this?
A) Signature-based antivirus
B) Static firewall rules blocking known C2 ports
C) Behavioral analysis with anomaly detection
D) Disabling all outbound ICMP
CORRECT ANSWER: C
EXPERT RATIONALE: Behavioral analysis focuses on deviations from normal traffic
baselines, not fixed signatures, catching AI-mutating patterns. Signature-based tools fail
when patterns change rapidly.
QUESTION 5
During a cloud penetration test on AWS, you find an S3 bucket that returns "Access
Denied" for listing objects but allows you to upload a small test file. What is this
misconfiguration called?
A) Unauthenticated write
B) Privilege escalation via bucket policy
C) Directory listing vulnerability
D) Bucket hijacking
CORRECT ANSWER: A
EXPERT RATIONALE: The bucket allows write operations without authentication or
proper permissions, a dangerous misconfiguration. Attackers can upload malicious
content or fill storage.
QUESTION 6
Which Nmap command would perform a SYN stealth scan on the top 100 ports while
avoiding ICMP echo ping probes?
A) nmap -sS -p 1-100 -PE
B) nmap -sT -F -Pn
C) nmap -sS --top-ports 100 -Pn
D) nmap -sA -p 1-100 -PS
CORRECT ANSWER: C
EXPERT RATIONALE: -sS is SYN stealth, --top-ports 100 scans the most common ports,
and -Pn skips host discovery pings. This reduces detection chances.
QUESTION 7
In a SQL injection test, you input ' OR '1'='1 into a login form and receive all user
records. Which remediation is most specific to this flaw?
A) Use HTTPS everywhere
B) Implement parameterized queries
C) Deploy a WAF without code changes
D) Disable error messages