ECCouncil Updated 312-50v13 Exam Questions and Answers by evie-mae

CEH training outlines the standard methodology for attacking WPA2-PSK networks: capture the 4-way handshake and then attempt offline cracking of the pre-shared key. The most reliable way to force handshake generation is to perform a de-authentication attack using tools like Aireplay-ng. This attack momentarily disconnects a wireless client, forcing it to reauthenticate with the access point. During this reauthentication, the AP and client exchange the 4-way handshake packets necessary for offline cracking. CEH emphasizes that WPA2 encryption itself cannot be brute-forced directly; attackers must obtain the handshake and then apply dictionary or brute-force attacks offline. Attempting XSS or router spoofing does not capture the handshake and is unrelated to WPA2 key extraction. The deauth attack is also a classic wireless attack vector described extensively in CEH because it is effective, does not require interaction with the encryption algorithm, and works regardless of the strength of the AP’s passphrase. Once the handshake is captured, tools such as Hashcat are used to attempt key recovery.

According to the Certified Ethical Hacker (CEH) attack methodology, once reconnaissance, footprinting, and website mirroring have been completed, the attacker proceeds cautiously to exploitation while maintaining stealth. CEH documentation emphasizes that low-noise, application-layer attacks are preferable when the objective is to minimize detection.

Option B, attempting SQL Injection, aligns directly with CEH’s Web Application Hacking module. SQL Injection is a server-side attack that can often be executed through normal-looking HTTP requests, making it less likely to trigger intrusion detection systems (IDS) or security alerts. CEH materials highlight SQL injection as a common and effective technique for extracting sensitive data such as usernames, passwords, and business-critical information without disrupting server operations.

Option A is incorrect because immediately modifying server configuration files after session hijacking significantly increases the risk of detection. CEH guidelines stress post-exploitation restraint, especially during red team operations.

Option C is not ideal at this stage because automated vulnerability scanners generate substantial traffic and are highly detectable. CEH explicitly notes that vulnerability scanning is noisy and often logged.

Option D is the least stealthy option. Brute-force attacks generate numerous failed authentication attempts, triggering security alerts and account lockouts. CEH classifies brute-force attacks as high-risk and easily detectable.

Therefore, SQL Injection represents the most effective and stealthy next step in accordance with CEH’s structured attack lifecycle.

CEH v13 details the standard penetration testing workflow, where confirmed critical vulnerabilities—especially those affecting core systems like database servers—should be prioritized for exploitation only after verification and when explicitly permitted by the rules of engagement. Exploiting a known vulnerability using vetted tools (e.g., Metasploit, CVE-specific exploits) provides evidence of real-world risk and validates the severity rating. Brute-forcing logins (Option B) is inefficient and often outside scope. Ignoring a critical vulnerability (Option C) violates CEH’s prioritization guidelines. A DoS attack (Option D) is never appropriate unless the engagement explicitly authorizes destructive testing, which is rare. CEH stresses that high-impact vulnerabilities should be exploited to demonstrate business risk, privilege escalation potential, data exposure, or lateral movement possibilities—making Option A fully aligned with CEH methodology.

The correct choice is the SOA record because it uniquely provides authoritative administrative and operational metadata about a DNS zone. In CEH reconnaissance techniques, DNS enumeration is a high-value passive and semi-passive method to learn about an organization’s infrastructure without actively attacking hosts. The Start of Authority record defines core parameters of the zone and identifies the primary authoritative name server for that domain. Most importantly for this question, the SOA record contains fields that directly match “serial number and refresh interval,” which are classic SOA elements used for zone replication and synchronization behavior between primary and secondary DNS servers.

An SOA record typically includes the primary name server, the responsible party field often formatted like an email address for the zone administrator, the zone serial number, and timing values such as refresh, retry, expire, and minimum TTL. These details can reveal change frequency, operational practices, and sometimes administrative contact clues, all of which are relevant in reconnaissance and reporting.

The other record types do not meet the requirement. MX records identify mail exchangers for the domain but do not include serial or refresh parameters. NS records list authoritative name servers but lack administrative timing metadata. TXT records store arbitrary text such as SPF, DKIM, DMARC, or verification strings and are useful for email security posture analysis, but they do not provide the zone control fields the question references. Since the question explicitly calls out serial and refresh interval, the SOA record is the only option that fits completely.