312-50v13 Dumps with Practice Exam Questions Answers

The correct answer is B. HTTP/2 Stream Memory Not Reclaimed on RST.

The scenario describes an Apache web service using a multiplexed protocol, which points to HTTP/2. The important symptoms are steadily increasing memory consumption, normal client disconnects, repeated stream activity, and memory not returning to baseline. This strongly indicates that HTTP/2 stream-related memory is not being properly reclaimed after stream reset or termination events.

CEH-aligned web server material emphasizes that Apache web servers, like other web servers, can contain bugs and implementation vulnerabilities that require fixes and secure configuration review . The described behavior is not a generic misconfiguration; it is a protocol-specific memory-management issue associated with HTTP/2 stream handling.

Option A. DoS in HTTP/2 with Initial Window Size 0 is incorrect because that issue centers on abusing flow-control window behavior, not unreclaimed memory after stream resets.

Option C. Insecure Default Configuration is incorrect because the issue only appears when HTTP/2 multiplexed mode is enabled and is tied to stream memory behavior.

Option D. mod_macro Buffer Over-read is incorrect because the scenario does not involve mod_macro, buffer over-read behavior, or disclosure from memory.

Therefore, the best answer is B. HTTP/2 Stream Memory Not Reclaimed on RST.

The correct answer is B. NetBIOS Enumeration because the ports and services described map directly to NetBIOS over TCP/IP (NBT) and the actions align with querying NetBIOS name table and session services. In Windows networking (especially older systems), NetBIOS provides naming and session-layer services that can reveal valuable host and user information. Specifically, UDP 137 is used for the NetBIOS Name Service (NBNS), UDP 138 for NetBIOS Datagram Service, and TCP 139 for NetBIOS Session Service. Observing activity on UDP 137/138 and an open TCP 139 strongly indicates that NetBIOS services are reachable and can be interrogated.

The scenario states Jake “uses a utility to query the name table and session services,” which is a hallmark of NetBIOS enumeration. NetBIOS name table queries can disclose machine names, domain/workgroup names, and sometimes logged-in usernames (depending on configuration and what names are registered). Session/service enumeration can reveal information about active sessions and available resources. The fact that Jake obtains machine names, usernames, and shared folders without authentication is consistent with weakly configured legacy Windows networking where NetBIOS/SMB information disclosure is possible through null/unauthenticated queries.

Why not the other options: NFS enumeration targets UNIX/Linux file sharing and is unrelated to ports 137–139. SNMP enumeration uses UDP 161/162 and relies on SNMP communities, not NetBIOS naming/session queries. SMB enumeration is closely related and often overlaps operationally, but the question emphasizes “query the name table and session services” and explicitly references the classic NetBIOS port set (137/138/139), making NetBIOS enumeration the most precise classification for this behavior.

In practice, defenders mitigate this exposure by disabling NetBIOS where unnecessary, restricting these ports at network boundaries, enforcing SMB hardening, and limiting anonymous/null session information disclosure.

This scenario is a classic vishing (voice phishing) attempt: the attacker calls employees, impersonates a vendor, and tries to persuade them to disclose sensitive payment information. The most direct, practical countermeasure that employees can apply in every interaction is verifying the requester’s identity before sharing any information. That means using a trusted verification method—such as calling back using an official number from an internal directory/vendor contract, confirming through a known manager or procurement channel, or following an established verification workflow—rather than trusting the caller ID, the caller’s confidence, or claimed affiliation.

Option B is the best answer because it directly breaks the social engineering tactic being used: pretexting (posing as a vendor) relies on getting the victim to accept identity and urgency without validation. If employees consistently verify identity through independent channels, the attacker’s pretext collapses and the request is denied or escalated. This is the most immediate control at the human decision point, where the data disclosure risk occurs.

Why the other choices are less direct:

Security awareness programs (A) are important, but the question asks for the practical step employees must apply in each interaction. Training supports the behavior; it is not the specific action that stops the call from succeeding.

Policies and procedures (C) provide governance and guidance, but the direct operational control during a phone call is still identity verification.

Two-factor authentication (D) protects login processes but does not prevent an employee from verbally disclosing payment details over the phone.

Therefore, the prioritized countermeasure is B. Employees must verify the identity of individuals requesting information.

Fileless malware is the best match because the scenario highlights memory-resident execution with no malicious files written to disk and activity that disappears after a reboot. In CEH-aligned malware concepts, fileless attacks commonly leverage legitimate system tools and trusted processes, often called living off the land, to execute malicious logic without dropping traditional executables. PowerShell is one of the most frequently abused components for this purpose because it can download, decode, and run scripts directly in memory, including obfuscated commands that evade simple signature-based scans. The prompt explicitly states that endpoint scanners find no malicious files on disk, yet telemetry detects a trusted process executing obfuscated PowerShell commands in memory. That combination strongly indicates fileless behavior.

The fact that the anomaly vanishes on reboot also fits fileless techniques that rely on volatile memory artifacts rather than persistent file-based implants. While fileless attacks can establish persistence through registry run keys, scheduled tasks, WMI, or other mechanisms, the question emphasizes no footprint and reboot clearing the activity, which is consistent with a purely in-memory foothold or a short-lived execution chain.

A worm is characterized by self-replication across systems, which is not described. A trojan usually involves a malicious file disguised as legitimate software, conflicting with the “no files on disk” observation. A rootkit focuses on stealth and hiding by modifying system internals and can persist, but the scenario’s defining indicators are PowerShell in-memory execution and lack of disk artifacts, which aligns most directly with fileless malware.

The correct answer is C, Supply chain risk. A Java application commonly depends on third-party libraries, frameworks, packages, and modules. When those dependencies are outdated and have known CVEs, the application inherits the weakness even if the organization’s own custom code is secure. CEH web application security material describes this as using components with known vulnerabilities: third-party components may themselves be vulnerable, and if vulnerable components are used, the new application becomes vulnerable. CEH-aligned OWASP coverage also explains that libraries, frameworks, and software modules often run with high privileges, and exploitation of a vulnerable component can lead to serious impacts such as data loss, server takeover, or undermining application defenses. CSRF tricks authenticated users into submitting unwanted requests, XSS injects malicious scripts, and DoS targets availability. The key risk here is dependency exposure through the software supply chain.