EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 91:

  A major financial institution is experiencing persistent DoS attacks against online banking, disrupting transactions. Which sophisticated DoS technique poses the greatest challenge to detect and mitigate effectively, potentially jeopardizing service availability?

  A. A synchronized Layer 3 Smurf attack flooding routers with ICMP echo requests
  B. A distributed SQL injection attack against online banking database servers causing resource exhaustion
  C. A zero-day buffer overflow exploit against the web server causing service unavailability via RCE
  D. A coordinated UDP flood targeting authoritative DNS servers to disrupt domain resolution
  B. A distributed SQL injection attack against online banking database servers causing resource exhaustion

  ---

  Explanation

  CEH emphasizes that application-layer DoS attacks are often the most difficult to detect and mitigate because they can mimic legitimate user behavior while exhausting backend resources. A distributed SQL injectionriven DoS (Option B) can be especially challenging: attackers send requests that appear valid at the HTTP level, but the injected or crafted parameters force the application/database to execute expensive queries (heavy joins, sleep/delay functions, or costly operations). When distributed across many sources, the traffic can look like normal customer usage-successful TCP handshakes, valid HTTP requests, and realistic user-agent patterns-while still causing database connection pool exhaustion, CPU spikes, lock contention, and degraded response times.

  Option A (Smurf) and Option D (UDP/DNS flooding) are more volumetric/network-layer patterns and are typically mitigated with upstream DDoS scrubbing, rate limiting, and filtering, and are more readily detectable via traffic anomalies. Option C (zero-day RCE) is severe, but it is not primarily a "DoS technique" in CEH classification; it's an exploitation scenario that may lead to service outage, but the detection /mitigation path centers on exploit prevention, EDR, patching, and containment rather than DoS controls. In CEH terms, Option B aligns best with a sophisticated, scenario-like DoS that blends into normal app activity.

  CEH mitigation approaches for application-layer DoS include WAF rules, input validation/parameterization (preventing SQLi), query cost controls, rate limiting by behavior, caching, database hardening, and anomaly detection at the application and database tiers.

• Question 92:

  A system analyst wants to implement an encryption solution that allows secure key distribution between communicating parties. Which encryption method should the analyst consider?

  A. Disk encryption
  B. Symmetric encryption
  C. Hash functions
  D. Asymmetric encryption
  D. Asymmetric encryption

  ---

  Explanation

  The Certified Ethical Hacker (CEH) Cryptography module explains that one of the primary challenges in encryption is secure key distribution Asymmetric encryption . , also known as public-key cryptography, was specifically designed to address this issue.

  In asymmetric encryption, each entity possesses a public key and a private key . The public key can be shared openly, allowing anyone to encrypt data securely, while only the corresponding private key can decrypt it. CEH documentation highlights that this model eliminates the need to transmit secret keys over insecure channels.

  Option D is correct because asymmetric encryption enables secure key exchange without prior trust.

  Option B (symmetric encryption) requires a shared secret key and suffers from key distribution challenges.

  Option A refers to data-at-rest protection, not key exchange.

  Option C provides integrity verification, not encryption.

  CEH emphasizes that asymmetric encryption underpins secure protocols such as TLS and digital certificates.

• Question 93:

  Attacker Rony Installed a rogue access point within an organization's perimeter and attempted to Intrude into its internal network. Johnson, a security auditor, identified some unusual traffic in the internal network that is aimed at cracking the authentication mechanism. He immediately turned off the targeted network and tested for any weak and outdated security mechanisms that are open to attack. What is the type of vulnerability assessment performed by Johnson in the above scenario?

  A. Distributed assessment
  B. Wireless network assessment
  C. Host-based assessment
  D. Application assessment
  B. Wireless network assessment

  ---

  Explanation

  Wireless network assessment determines the vulnerabilities in an organization's wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization's perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.

  Expanding your network capabilities are often done well using wireless networks, but it also can be a source of harm to your data system . Deficiencies in its implementations or configurations can allow tip to be accessed in an unauthorized manner.This makes it imperative to closely monitor your wireless network while also conducting periodic Wireless Network assessment.

  It identifies flaws and provides an unadulterated view of exactly how vulnerable your systems are to malicious and unauthorized accesses.

  Identifying misconfigurations and inconsistencies in wireless implementations and rogue access points can improve your security posture and achieve compliance with regulatory frameworks.

• Question 94:

  A penetration tester is assessing the security of a corporate wireless network that uses WPA2-Enterprise encryption with RADIUS authentication. The tester wants to perform a man-in-the-middle attack by tricking wireless clients into connecting to a rogue access point. What is the most effective method to achieve this?

  A. Set up a fake access point with the same SSID and use a de-authentication attack
  B. Use a brute-force attack to crack the WPA2 encryption directly
  C. Perform a dictionary attack on the RADIUS server to retrieve credentials
  D. Execute a Cross-Site Scripting (XSS) attack on the wireless controller's login page
  A. Set up a fake access point with the same SSID and use a de-authentication attack

  ---

  Explanation

  WPA2-Enterprise networks authenticate clients through 802.1X using a RADIUS server. A common attack method described in CEH training is to create an evil-twin access point broadcasting the same SSID as the legitimate one. Combined with de-authentication frames, clients are forced off the real AP and automatically reconnect to the stronger rogue AP. This allows the attacker to capture authentication exchanges for later misuse, including credential harvesting or EAP-based downgrade attacks.

• Question 95:

  A penetration tester was assigned to scan a large network range to find live hosts. The network is known for using strict TCP filtering rules on its firewall, which may obstruct common host discovery techniques. The tester needs a method that can bypass these firewall restrictions and accurately identify live systems. What host discovery technique should the tester use?

  A. UDP Ping Scan
  B. lCMP ECHO Ping Scan
  C. ICMP Timestamp Ping Scan
  D. TCP SYN Ping Scan
  D. TCP SYN Ping Scan

  ---

  Explanation

  The host discovery technique that the tester should use is TCP SYN Ping Scan. This technique sends a TCP SYN packet to a specified port on the target host and waits for a response. If the host responds with a TCP SYN/ACK packet, it means the host is alive and the port is open. If the host responds with a TCP RST packet, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. TCP SYN Ping Scan can bypass firewall restrictions because it mimics the initial stage of a TCP three-way handshake, which is a common and legitimate network activity. Therefore, most firewalls will allow TCP SYN packets to pass through and reach the target host, unless they are configured to block specific ports or IP addresses3. TCP SYN Ping Scan can also accurately identify live systems because it does not rely on ICMP, which may be blocked or rate-limited by some firewalls or routers.

  The other options are not as effective or feasible as TCP SYN Ping Scan for the following reasons:

  A. UDP Ping Scan: This technique sends a UDP packet to a specified port on the target host and waits for a response. If the host responds with an ICMP Port Unreachable message, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead, the port is open, or the packet is filtered by a firewall12. UDP Ping Scan may not bypass firewall restrictions because some firewalls may block or drop UDP packets, especially if they are sent to uncommon or

  reserved ports. UDP Ping Scan may also not accurately identify live systems because it cannot distinguish between open ports and filtered packets, and it may generate false positives or negatives due to packet loss or rate-limiting.

  B. ICMP ECHO Ping Scan: This technique sends an ICMP ECHO Request packet to the target host and waits for an ICMP ECHO Reply packet. If the host responds with an ICMP ECHO Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. ICMP ECHO Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps or denial-of-service

  attacks. ICMP ECHO Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting.

  C. ICMP Timestamp Ping Scan: This technique sends an ICMP Timestamp Request packet to the target host and waits for an ICMP Timestamp Reply packet. If the host responds with an ICMP Timestamp Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall12. ICMP Timestamp Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps

  or denial-of-service attacks. ICMP Timestamp Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting.

  References:

  1: Host Discovery in Nmap Network Scanning - GeeksforGeeks

  2: nmap Host Discovery Techniques

  3: TCP SYN Ping Scan - Nmap

  Ping Sweep - an overview | ScienceDirect Topics UDP Ping Scan - Nmap UDP Ping Scan - an overview | ScienceDirect Topics ICMP Ping Scan - Nmap ICMP Ping Scan - an overview | ScienceDirect Topics

• Question 96:

  Fred is the network administrator for his company. Fred is testing an internal switch. From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this?

  A. Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of his computer.
  B. He can send an IP packet with the SYN bit and the source address of his computer.
  C. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.
  D. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.
  D. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  In TCP session hijacking or spoofing:

  An attacker sends a spoofed packet with the ACK bit set and a guessed (or predicted) sequence number to fool the receiver into thinking it's a legitimate continuation of an existing session.

  Fred is simulating this by sending a TCP packet with the ACK bit and using his own IP as the source, trying to trick the switch into believing it's part of an already established session.

  From CEH v13 Courseware:

  Module 11: Session Hijacking

  CEH v13 Study Guide - Module 11: TCP Session Hijacking and Spoofing TechniquesRFC 793 - TCP State Machine

• Question 97:

  What is the minimum number of network connections in a multihomed firewall?

  A. 3
  B. 5
  C. 4
  D. 2
  D. 2

  ---

  Explanation

  A multihomed firewall refers to a firewall with two or more network interfaces (NICs), each connected to different network segments. The purpose of a multihomed firewall is to allow filtering and segmentation of traffic between multiple network zones, such as:

  External network (e.g., Internet)

  Internal network (e.g., LAN)

  To qualify as multihomed, the system must have at least two network interfaces. This allows it to sit between two networks and inspect/filter traffic passing through it.

  CEH v13 Official Study Guide:

  Module 13: Evading IDS, Firewalls, and Honeypots

  Section: Firewall Architecture

  Quote:

  "A multihomed firewall is a system with two or more NICs connected to different networks, typically used to control traffic between internal and external networks. The minimum number of interfaces is two."

  Incorrect Options Explained:

  A. 3 interfaces may be used in advanced setups (e.g., with a DMZ), but not the minimum.

  B and C. 4 or 5 connections are not required unless designing more complex segmentation.

• Question 98:

  What did the following commands determine?

  [Image Output of USER2SID and SID2USER showing that SID ending in -500 corresponds to user Joe on domain EARTH]

  

  A. That the Joe account has a SID of 500
  B. These commands demonstrate that the guest account has NOT been disabled
  C. These commands demonstrate that the guest account has been disabled
  D. That the true administrator is Joe
  E. Issued alone, these commands prove nothing
  D. That the true administrator is Joe

  ---

  Explanation

  In the Windows security model, SID ending in -500 is reserved for the built-in Administrator account. The SID seen in the image:

  S-1-5-21-343818398-789336058-1343024091-500 # maps to user Joe This proves that Joe is the true built-in administrator account on the domain EARTH.

  From CEH v13 Courseware:

  Module 4: Enumeration

  Topic: SID Enumeration and Account Discovery

  CEH v13 Study Guide states:

  "In Windows, the account with RID 500 is always the default Administrator account. Even if renamed, its SID remains ending in -500. Enumeration of this SID allows attackers to identify privileged accounts."

  Incorrect Options:

  A: Incomplete - it is not just that Joe has SID 500, but that SID 500 means Joe is the administrator.

  B/C: These commands don't validate Guest account status.

  E: Incorrect - these commands explicitly prove administrator identity.

  CEH v13 Study Guide - Module 4: Windows Enumeration # RID 500 IdentifierMicrosoft Documentation: Well-Known SIDs

• Question 99:

  DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on switchers leverages the DHCP snooping database to help prevent man-in-the-middle attacks?

  A. Spanning tree
  B. Dynamic ARP Inspection (DAI)
  C. Port security
  D. Layer 2 Attack Prevention Protocol (LAPP)
  B. Dynamic ARP Inspection (DAI)

  ---

  Explanation

  Dynamic ARP inspection (DAI) protects switching devices against Address Resolution Protocol (ARP) packet spoofing (also known as ARP poisoning or ARP cache poisoning).

  DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP spoofing. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the switch compares the address with entries in the database. If the media access control (MAC) address or IP address in the ARP packet does not match a valid entry in the DHCP snooping database, the packet is dropped.

• Question 100:

  Let's imagine three companies (A, B, and C), all competing in a challenging global environment.

  Company A and B are working together in developing a product that will generate a major competitive advantage for them.

  Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing.

  With a spoofing attack on the DNS server of company B, company C gains access to outgoing e-mails from company B.

  How do you prevent DNS spoofing?

  A. Install DNS logger and track vulnerable packets
  B. Disable DNS timeouts
  C. Install DNS Anti-spoofing
  D. Disable DNS Zone Transfer
  C. Install DNS Anti-spoofing

  ---

  Explanation

  DNS spoofing (also known as DNS cache poisoning) occurs when an attacker intercepts or falsifies DNS responses to redirect traffic or exfiltrate data. The appropriate way to prevent such attacks includes:

  Implementing DNS anti-spoofing techniques

  Using DNSSEC (DNS Security Extensions)

  Ensuring proper DNS configurations and validation of responses From CEH v13:

  Module 3: Scanning Networks

  Topic: DNS Poisoning and Spoofing Attacks

  Defensive Measures: DNS Hardening

  CEH v13 Study Guide states:

  "To prevent DNS spoofing and cache poisoning, organizations should use DNSSEC, configure anti-spoofing protections, and restrict zone transfers. DNS Anti-spoofing solutions validate responses and ensure data integrity."

  Incorrect Options:

  A: Logging may detect but not prevent.

  B: Disabling DNS timeouts is unrelated and harmful.

  D: Prevents zone transfers, not spoofing specifically.

  CEH v13 Study Guide - Module 3: DNS Spoofing PreventionNIST SP 800-81r2 - Secure Domain Name System (DNS) Deployment Guide