ECCouncil Updated 312-50v13 Exam Questions and Answers by gabrielle

CEH defines passive reconnaissance as collecting information without directly engaging the target.

Option A is incorrect for passive reconnaissance because Nmap scanning actively probes systems, generating detectable traffic.

Options B, C, and D rely on publicly available information and are standard passive techniques.

CEH classifies Nmap scanning as active footprinting.

The CEH Cloud Computing module identifies cloud APIs as one of the most critical attack surfaces in public cloud environments. APIs control provisioning, configuration, authentication, and management of cloud resources.

A vulnerability in a cloud API can allow attackers to:

Bypass authentication

Escalate privileges

Access or modify cloud resources

Create or delete services

Option B is therefore correct.

Option A relates to availability, not API flaws.

Option C is managed by the provider and unrelated to APIs.

Option D would require key compromise, not just API weakness.

CEH strongly emphasizes API security as a top cloud risk.

In CEH-aligned vulnerability assessment reporting, the Findings section is where the assessor documents what was discovered during scanning and validation in a clear, structured, and actionable way. This portion of the report typically contains the concrete results: identified assets, affected systems, vulnerability details, and evidence that supports each issue. The question states that Nikhil lists the IP addresses of scanned hosts, identifies which machines are affected, and includes tables categorizing vulnerabilities such as outdated software, default credentials, and open ports. These are classic “results” artifacts that belong in Findings because they communicate the observed security weaknesses and where they exist.

The Risk Assessment section generally builds on findings by assigning severity, likelihood, impact, and overall risk ratings, often mapping issues to business consequences and prioritization. While Nikhil may later rate default credentials as critical or open ports as medium depending on exposure, the act of enumerating vulnerabilities and associating them with specific hosts is the findings activity, not risk scoring.

Supporting Information usually contains appendices such as tool configurations, raw scan outputs, methodology references, assumptions, scope boundaries, and glossary items. Although IP lists and tables might appear in an appendix for completeness, the way the prompt describes them, they are being used as the primary categorized presentation of discovered vulnerabilities, which is consistent with the Findings section.

Assessment Overview is typically a high-level summary of scope, objectives, timeline, and approach, not detailed host-by-host vulnerability tables. Therefore, the correct section is Findings.

The correct answer is B. Password Spraying because the pattern described is the defining behavior of a spraying attack: the attacker tries a small set of common or likely passwords (for example, seasonal passwords, default patterns, or organization-themed guesses) across many different user accounts, using only a few attempts per account to avoid account lockout thresholds. The scenario explicitly states that “many accounts each receive only a few login attempts,” the attacker “reuses a very small set of likely credentials across a large number of accounts,” and the activity is “spread out over several days and IP ranges to avoid triggering automated lockouts.” These are the exact operational traits that distinguish password spraying from traditional brute force.

In CEH-aligned credential attack concepts, brute force is typically characterized by repeated attempts against a single account (or a small set of accounts), often cycling through many password candidates until the correct one is found. That approach is noisy and quickly triggers lockouts and detection. Password spraying flips the strategy: it keeps the per-account attempt count low and distributes attempts widely and slowly, which reduces alerting and lockout events. This is why the attacker was able to successfully access “several low-privilege accounts” before the pattern was noticed—spraying often compromises accounts with weak or reused passwords while staying below detection thresholds.

Why the other options are incorrect: Session hijacking involves stealing or replaying session tokens/cookies after authentication, not repeated login attempts across accounts. CSRF forces a logged-in user’s browser to perform unintended actions; it does not produce distributed authentication failures in logs. Brute force is related, but the avoidance of lockouts through minimal attempts per account and broad targeting is the signature of password spraying.

Therefore, the observed behavior most clearly indicates a password spraying attack.