312-50v13 Practice Test Questions

551 Questions


Topic 1 : Exam Pool A

Which definition among those given below best describes a covert channel?

A. A server program using a port that is not well known.
B. Making use of a protocol in a way it is not intended to be used.
C. It is the multiplexing taking place on a communication link.
D. It is one of the weak channels used by WEP which makes it insecure

Answer: B. Making use of a protocol in a way it is not intended to be used.

Summary:
A covert channel is a communication path that allows two parties to secretly exchange information in ways not intended by the system's designers. It violates security models by using legitimate system mechanisms (like TCP sequence numbers, packet timing, or file metadata) for unauthorized data exfiltration. Covert channels are stealthy, hard to detect, and represent a significant insider threat vector in security assessments.

Correct Option:

B. Making use of a protocol in a way it is not intended to be used.
Covert channels exploit legitimate protocol features for unintended communication. Examples include embedding data in IP identification (IP ID) fields, ICMP packet padding, or HTTP header spacing. This definition captures how attackers use protocol "side effects" (timing, sizes, unused fields) to leak data undetected by traditional security controls.

Incorrect Option:

A. A server program using a port that is not well known.
Non-standard ports represent covert listening but not true covert channels. Covert channels transmit data through legitimate traffic channels, not by changing ports. Port 31337 usage is easily detected by port scanners and doesn't qualify as a covert communication mechanism.

C. It is the multiplexing taking place on a communication link.
Multiplexing legitimately shares bandwidth across multiple connections (TCP ports, VLANs). Covert channels specifically violate security policy through unauthorized use of system resources, not normal multiplexing operations designed for concurrent legitimate communications.

D. It is one of the weak channels used by WEP which makes it insecure
WEP vulnerabilities stem from RC4 key stream reuse and weak IVs, not covert channels. This confuses wireless encryption flaws with the broader covert channel concept that applies to any system allowing unintended information flows.

Reference:

EC-Council CEH v13i - Module 09: System Hacking & Module 20: Malware Threats
https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-v13/

Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or stored?

A. symmetric algorithms
B. asymmetric algorithms
C. hashing algorithms
D. integrity algorithms

Answer: C. hashing algorithms

Summary:
Message integrity ensures data remains unaltered during transmission or storage. Hashing algorithms (SHA-256, MD5) create fixed-size digests that detect any modification—even a single bit change produces a completely different hash. Combined with a secret key (HMAC) or a digital signature, hashes also authenticate the source of the data. Unlike encryption (which provides confidentiality), hashing specifically validates integrity and tamper resistance in security protocols.

Correct Option:

C. hashing algorithms
Hashing algorithms (SHA-256, SHA-3) generate unique fixed-size digests from arbitrary input data. Any modification produces a different hash, enabling tamper detection. Used in digital signatures (hash + private key encryption), file verification, and HMAC for message authentication. Provides mathematical guarantee of integrity without revealing original content.

Incorrect Option:

A. symmetric algorithms
Symmetric algorithms (AES, DES) provide confidentiality through encryption/decryption with shared keys. They don't inherently guarantee integrity—ciphertext can be modified without detection unless combined with MACs or authenticated encryption modes like GCM. Primary purpose is data secrecy, not tamper detection.

B. asymmetric algorithms
Asymmetric algorithms (RSA, ECC) enable secure key exchange and digital signatures. While signatures provide integrity + authentication, the algorithms themselves handle public/private key operations, not direct message hashing. Integrity requires underlying hash functions combined with asymmetric cryptography.

D. integrity algorithms
"Integrity algorithms" is not a recognized cryptographic category. The term confuses specific mechanisms (hashing, MACs, digital signatures) with a security property. No standard crypto libraries or protocols reference this nonexistent classification.

Reference:
EC-Council CEH v13i - Module 18: Cryptography

https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-v13/

Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and key loggers.
Which of the following options best represents the means that Bob can adopt to retrieve passwords from his client's hosts and servers?

A. Hardware, Software, and Sniffing.
B. Hardware and Software Keyloggers.
C. Passwords are always best obtained using Hardware key loggers.
D. Software only, they are the most effective.

Answer: A. Hardware, Software, and Sniffing.

Summary:
Password assessments reveal weak authentication practices through multiple attack vectors. Hardware keyloggers (USB devices), software keyloggers (processes monitoring keystrokes), and network sniffing (capturing plaintext credentials) represent the primary methods for password retrieval. Comprehensive assessments test all vectors since attackers exploit any available weakness. Understanding these techniques helps implement layered defenses against credential theft in enterprise environments.

Correct Option:

A. Hardware, Software, and Sniffing.
This comprehensive approach covers all major password retrieval methods: hardware keyloggers (physical USB devices), software keyloggers (kernel/rootkit-based), and sniffing (capturing plaintext over HTTP/FTP/SMB). Bob must test multiple vectors to validate security posture. Sniffing exploits weak protocols while keyloggers bypass them entirely, making this the most complete assessment methodology.

Incorrect Option:

B. Hardware and Software Keyloggers.
Excludes sniffing, missing network-based credential theft (MITM attacks, ARP poisoning). Many enterprise passwords travel plaintext over internal networks (HTTP, Telnet, SMBv1). Comprehensive assessments must include packet capture analysis to identify protocol weaknesses, not just endpoint keylogger deployment.

C. Passwords are always best obtained using Hardware key loggers.
Hardware keyloggers require physical access, limiting scalability in assessments. Software keyloggers deploy remotely, and sniffing captures credentials passively across networks. No single method is "always best"—attackers choose based on access level and target environment.

D. Software only, they are the most effective.
Software keyloggers are easily detected by AV/EDR and require privilege escalation. Hardware keyloggers evade detection entirely, while sniffing requires no agent installation. Effectiveness depends on target defenses—claiming software is "most effective" ignores real-world deployment constraints.

Reference:
EC-Council CEH v13i - Module 09: System Hacking (Password Cracking Techniques)

https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-v13/

Bob, a network administrator at BigUniversity, realized that some students are connecting their notebooks in the wired network to have Internet access. In the university campus, there are many Ethernet ports available for professors and authorized visitors but not for students.
He identified this when the IDS alerted for malware activities in the network. What should Bob do to avoid this problem?

A. Disable unused ports in the switches
B. Separate students in a different VLAN
C. Use the 802.1x protocol
D. Ask students to use the wireless network

Answer: C. Use the 802.1x protocol

Summary:
Unauthorized wired connections by students bypass campus access controls, enabling malware spread detected by IDS. Ethernet ports intended for faculty/visitors require authentication to prevent student abuse. 802.1x provides port-based network access control (NAC) requiring credentials before granting connectivity. This enforces policy compliance while maintaining legitimate user access through centralized authentication infrastructure.

Correct Option:

C. Use the 802.1x protocol
802.1x implements port-based NAC, authenticating devices/users via RADIUS before allowing network access. Students without valid credentials are blocked at Layer 2. Supplicants (notebooks) negotiate with authenticators (switches) against authentication servers. This prevents unauthorized wired connections while allowing professors/visitors with proper credentials, directly solving Bob's policy enforcement problem.

Incorrect Option:

A. Disable unused ports in the switches
Disabling ports prevents legitimate faculty/visitor access when needed. Ports must remain active for authorized users—disabling creates operational issues requiring manual re-enabling. Doesn't scale for campus environments with dynamic port usage patterns and fails to authenticate legitimate connections.

B. Separate students in a different VLAN
VLAN separation assumes students can be identified and segregated, but the problem is unauthorized wired access by unidentified devices. Students connect to faculty VLANs—VLANs don't prevent connection, only segment traffic post-connection. Requires prior identification Bob lacks.

D. Ask students to use the wireless network
Relies on voluntary compliance, which students ignore (proven by current wired abuse). Wireless likely has similar restrictions or monitoring. Doesn't enforce policy—students seeking wired performance/bypass will continue violations. Policy enforcement requires technical controls, not requests.

Reference:
EC-Council CEH v13i - Module 22: Network Defense & Countermeasures

https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-v13/

Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of communication?

A. 113
B. 69
C. 123
D. 161

Answer: C. 123

Summary:
Network Time Protocol (NTP) synchronizes clocks across networks using UDP port 123 for both client-server queries and server responses. This well-known port assignment enables firewall rules and service identification. Understanding protocol ports is fundamental for reconnaissance, firewall analysis, and detecting time synchronization abuse (NTP amplification DDoS attacks) during penetration testing engagements.

Correct Option:

C. 123
NTP uses UDP port 123 bidirectionally—clients send queries to servers on 123, and servers respond from 123 to ephemeral client ports. This IANA-assigned port enables precise time synchronization essential for Kerberos, certificate validation, and log correlation. Pen testers scan port 123 to identify NTP servers vulnerable to amplification attacks.

Incorrect Option:

A. 113
Port 113 is the Ident (Identification) protocol, used to identify the user of a TCP connection between systems, not for time synchronization. It is a legacy protocol rarely used today and unrelated to NTP functionality or clock synchronization services.

B. 69
Port 69 is TFTP (Trivial File Transfer Protocol) for simple file transfers without authentication. UDP-based like NTP but serves completely different purpose—file distribution, not time synchronization.

D. 161
Port 161 is SNMP (Simple Network Management Protocol) for device monitoring and configuration. While both are UDP management protocols, SNMP manages network devices while NTP handles clock synchronization.

Reference:
EC-Council CEH v13i - Module 03: Footprinting and Reconnaissance (Port Scanning)

https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-v13/

What two conditions must a digital signature meet?

A. Has to be the same number of characters as a physical signature and must be unique.
B. Has to be unforgeable, and has to be authentic.
C. Must be unique and have special characters.
D. Has to be legible and neat.

Answer: B. Has to be unforgeable, and has to be authentic.

Summary:
Digital signatures provide cryptographic assurance of message authenticity and integrity using public key infrastructure. They must be mathematically unforgeable (only the private key holder can produce a valid signature) and authentic (any recipient can verify the signature using the signer's public key). These properties enable non-repudiation—signers cannot deny creating signatures. Essential for secure email, software distribution, and legal electronic documents in enterprise environments.

Correct Option:

B. Has to be unforgeable, and has to be authentic.
Unforgeable: Only private key holder can generate valid signature—public key verification fails for fakes. Authentic: Recipient verifies signature against sender's public key, confirming identity and integrity. These cryptographic properties (hash + asymmetric encryption) provide non-repudiation, proving signer created document at specific time. Meets legal requirements for electronic contracts.

Incorrect Option:

A. Has to be the same number of characters as a physical signature and must be unique.
Digital signatures are binary cryptographic values (hundreds of bytes), not character-based like handwriting. Length varies by algorithm (RSA 2048-bit ≠ DSA). Uniqueness comes from math, not character count—confuses physical properties with cryptographic security guarantees.

C. Must be unique and have special characters.
Signatures contain no "special characters"—they're Base64-encoded binary data. Uniqueness derives from private key math, not visible formatting. This confuses digital crypto with superficial text properties irrelevant to security verification.

D. Has to be legible and neat.
Digital signatures aren't human-readable—they're verified algorithmically. "Legible/neat" applies to physical ink signatures, not cryptographic blobs. Verification succeeds/fails mathematically, independent of visual appearance.

Reference:
EC-Council CEH v13i - Module 18: Cryptography (Digital Signatures)

https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-v13/

What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?

A. Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric encryption instead.
B. Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.
C. Symmetric encryption allows the server to securely transmit the session keys out-of-band.
D. Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited to securely negotiate keys for use with symmetric cryptography.

Answer: D. Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited to securely negotiate keys for use with symmetric cryptography.

Summary:
SSL/TLS hybrid cryptography combines asymmetric (RSA, ECDHE) for secure key exchange with symmetric (AES) for bulk data encryption. Asymmetric handles initial handshake authentication and key agreement despite high computational cost, while symmetric provides fast bulk encryption. This architecture balances security, performance, and scalability across diverse devices and network conditions in modern web security.

Correct Option:

D. Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited to securely negotiate keys for use with symmetric cryptography.
Asymmetric crypto (public-key) enables secure key exchange without pre-shared secrets but is too slow for bulk data. TLS uses asymmetric for handshake (key agreement via Diffie-Hellman/RSA) then switches to symmetric session keys (AES-GCM) for efficiency. Perfect balance of security and performance.

Incorrect Option:

A. Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric encryption instead.
Mobile devices perform both asymmetric handshake AND symmetric bulk encryption. All clients negotiate keys asymmetrically first, regardless of device power. Symmetric benefits all endpoints equally after key exchange completes.

B. Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.
TLS requires a successful asymmetric key exchange before symmetric encryption begins. There is no "failsafe": a handshake failure aborts the entire connection. Both algorithm types are used in a mandatory sequence, not as alternatives.

C. Symmetric encryption allows the server to securely transmit the session keys out-of-band.
Session keys are established in-band during the TLS handshake, protected by asymmetric cryptography. Out-of-band transmission defeats the purpose of TLS and introduces new attack surface. Keys never leave the protected channel.

Reference:
EC-Council CEH v13i - Module 18: Cryptography (PKI, SSL/TLS)

https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-v13/

Which of the following programs is usually targeted at Microsoft Office products?

A. Polymorphic virus
B. Multipart virus
C. Macro virus
D. Stealth virus

Answer: C. Macro virus

Summary:
Macro viruses exploit the macro scripting capability in Microsoft Office applications (Word, Excel, PowerPoint). They embed malicious VBA code in document files (.doc, .xls) that executes automatically upon opening, enabling payload delivery. This attack vector dominated Office malware in the 1990s-2000s, making macro security a critical defense layer in enterprise document management systems.

Correct Option:

C. Macro virus
Macro viruses specifically target Microsoft Office macro-enabled documents, embedding malicious VBA code that executes when files open. Examples: Melissa (1999), LoveLetter (ILOVEYOU variant). They spread via email attachments that exploit auto-execution. Modern defenses include disabling macros by default and Protected View, but macro-enabled documents remain a significant vector for phishing-delivered malware.

Incorrect Option:

A. Polymorphic virus
Polymorphic viruses mutate their code signature to evade antivirus detection, using encryption with varying keys and mutation engines. They target executable files (.exe), not Office documents specifically. Mutation applies to any virus type and is unrelated to Office macro functionality.

B. Multipart virus
Multipart (multi-partite) viruses infect both executable files AND boot sectors, using multiple infection vectors. Attacks system files across file types, not specifically targeting Office applications or macro engines.

D. Stealth virus
Stealth viruses hide from detection by intercepting OS calls, masking infection status. Applies to file/boot sector viruses generally—not specific to Office products or macro execution environments.

Reference:
EC-Council CEH v13i - Module 20: Malware Threats (Virus Types)

https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-v13/

What does a firewall check to prevent particular ports and applications from getting packets into an organization?

A. Transport layer port numbers and application layer headers
B. Presentation layer headers and the session layer port numbers
C. Network layer headers and the session layer port numbers
D. Application layer port numbers and the transport layer headers

Answer: A. Transport layer port numbers and application layer headers

Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a back-up plan, and testing the plans for an organization?

A. Preparation phase
B. Containment phase
C. Identification phase
D. Recovery phase

Answer: A. Preparation phase

Which system consists of a publicly available set of databases that contain domain name registration contact information?

A. WHOIS
B. CAPTCHA
C. IANA
D. IETF

Answer: A. WHOIS

The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the Central Processing Unit (CPU), rather than passing only the frames that the controller is intended to receive. Which of the following is being described?

A. Multi-cast mode
B. Promiscuous mode
C. WEM
D. Port forwarding

Answer: B. Promiscuous mode
