ECCouncil Updated 312-50v13 Exam Questions and Answers by crystal

The behavior described is most consistent with an unauthenticated scan. In CEH-aligned vulnerability assessment methodology, unauthenticated scanning evaluates systems from the perspective of an external or non-privileged entity. The scanner can typically identify network-reachable services, open ports, service banners, protocol fingerprints, and sometimes known vulnerabilities inferred from versions or exposed configurations. However, it cannot reliably inspect host-internal posture such as registry settings, local security policies, installed patch levels, missing hotfixes, detailed configuration baselines, or user and group policy settings because those require authenticated access to query the operating system and installed software inventory directly.

The prompt explicitly states that the results were limited to “open service ports and version banners” and that “deeper registry settings, user policies, and missing patches remain unreported.” That limitation is a hallmark of unauthenticated scanning. The additional clue that “system login prompts were never triggered” and “no credential failures were logged in the SIEM” further confirms that the scanner never attempted to authenticate to endpoints using accounts, SSH/WinRM/WMI, SMB, or agent-based credential checks. If the scan were authenticated or credentialed, you would expect authentication attempts, potential login prompts on some services, and often audit logs or SIEM events reflecting successful or failed logons.

Option C, internal scan, only describes where the scan originates, not whether credentials were used. Options B and D imply authentication and host-level interrogation, which contradicts the observed lack of credential activity and missing patch/policy visibility. Therefore, unauthenticated scanning best explains the outcome.

This scenario most clearly illustrates shoulder surfing, a social engineering technique where an attacker obtains sensitive information by observing a victim’s screen, keystrokes, or written notes—often from a nearby position—without directly interacting with the victim or their device. The key indicators are that the tester is “discreetly watching their screens and hand movements” during login and is able to capture “usernames and partial passwords” without touching anything. That is the defining pattern of shoulder surfing: passive observation to harvest credentials or other confidential information.

Shoulder surfing is particularly effective in open-plan offices, shared workspaces, airports, cafés, or any environment where people can be observed entering credentials. Attackers may watch directly, use reflections (e.g., glass surfaces), or position themselves to see the keyboard and screen. Even partial password capture can be valuable when combined with other information (usernames, password patterns, reset questions, or subsequent observation), and it can help an attacker craft more convincing follow-on social engineering attempts.

Why the other options do not fit:

Dumpster diving (B) involves retrieving sensitive information from trash (printed documents, media, badges, notes), not observing logins in real time.

Impersonation (C) requires actively posing as a trusted person (IT staff, vendor, employee) to persuade someone to disclose information or grant access; the scenario explicitly avoids interaction with staff.

Tailgating (D) is physically following someone through a secure door to gain unauthorized entry; it’s about bypassing physical access controls rather than capturing credentials.

Because the technique relies on visual observation of screens and keystrokes to obtain login details, the correct answer is A. Shoulder Surfing.

CEH explains that SQL injection testing should begin with controlled, intentional manipulation of SQL syntax to determine whether user input is improperly concatenated into backend queries. While destructive queries like DROP TABLE are not recommended in real-world ethical hacking engagements, CEH uses this example as a conceptual demonstration of how SQLi can influence database commands. In practice, a penetration tester would more safely use benign tautologies such as ' OR '1'='1 to test whether unauthorized data is returned. However, within CEH’s theoretical framing, injecting a clearly malicious SQL command demonstrates whether the input is executed at the database level. This validates improper sanitization, the use of dynamic SQL queries, and missing parameterized input handling. CEH stresses that SQLi is among the most critical vulnerabilities because it allows attackers to bypass authentication, exfiltrate data, or manipulate the database structure. XSS, brute-forcing, and directory traversal do not test SQL query manipulation and therefore do not confirm SQL injection.

Credential stuffing is the best match because the scenario highlights automated login attempts across many accounts with an unusually high success rate, occurring in the aftermath of a breach. In CEH-aligned system hacking concepts, credential stuffing is the automated testing of known username and password pairs—typically harvested from prior breaches—against a different service. Because many users reuse passwords across sites, attackers often achieve a higher-than-normal success rate compared to guessing-based attacks. This “high success rate” across numerous accounts is a key indicator that the attacker is not randomly guessing, but replaying valid credentials at scale using bots or automation frameworks.

Password spraying differs in that the attacker tries a small set of common passwords (or one password) across many accounts to avoid lockouts. Spraying generally yields a lower success rate and is driven by guessing rather than replaying known credential pairs. A brute force attack is even noisier and typically involves repeated guessing for a single account or small set of accounts; it is both slower and far less likely to produce a high success rate across many users in a short period. Phishing attacks can lead to account takeovers, but the pattern described would more often show targeted victims and varied sources rather than broad, automated, multi-account authentication bursts with consistently successful logins.

CEH defensive guidance emphasizes layered controls: enforce MFA, monitor for abnormal login velocity and credential reuse indicators, deploy bot detection and rate limiting, use breached-password checks, implement adaptive authentication, and tune lockout and detection policies to disrupt automated credential replay without enabling denial-of-service against legitimate users.