EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 101:

  During a targeted phishing campaign, a malicious HTML attachment reconstructs malware locally using obfuscated JavaScript without making external network calls, bypassing firewalls and IDS inspection. Which evasion technique is being employed?

  A. HTML smuggling
  B. Port forwarding
  C. Cross-site scripting
  D. HTTP header spoofing
  A. HTML smuggling

  ---

  Explanation

  CEH v13 highlights HTML smuggling as a modern technique used to bypass perimeter defenses by leveraging browser-side execution. Instead of downloading a malware file directly-which firewalls and IDS can detect-an attacker embeds obfuscated JavaScript or HTML within an attachment. When the victim opens the file, the browser reconstructs the payload locally using APIs like Blob or URL.createObjectURL. This method avoids external network transfers during the payload creation stage, allowing it to bypass content filters, sandboxing, and inline inspection tools. CEH emphasizes that HTML smuggling is especially dangerous because it operates within the browser environment, which security appliances implicitly trust. Port forwarding (Option B) relates to tunneling traffic, not file reconstruction. XSS (Option C) requires injecting scripts into web pages, not delivering malware. HTTP header spoofing (Option D) manipulates request metadata, not payload construction. Therefore, HTML smuggling precisely matches the described behavior.

• Question 102:

  A penetration tester targets a company's executive assistants by referencing upcoming board meetings in an email requesting access to confidential agendas. What is the most effective social engineering technique to obtain the necessary credentials without raising suspicion?

  A. Create a personalized email referencing specific meetings and request access
  B. Call posing as a trusted IT support to verify credentials
  C. Send a mass phishing email with a fake meeting link
  D. Develop a fake LinkedIn profile to connect and request information
  A. Create a personalized email referencing specific meetings and request access

  ---

  Explanation

  CEH v13 identifies spear-phishing as one of the most effective and targeted social engineering methods. It involves crafting highly personalized messages that reference real events, internal processes, or upcoming activities to build credibility and reduce suspicion. In this scenario, referencing board meetings-an event executive assistants frequently handle-creates a believable and urgent context for the request. CEH emphasizes that personalization significantly increases success rates because recipients perceive the sender as someone with legitimate access to internal information. A phone call impersonating IT support (Option B) is less convincing for retrieving agenda access-specific credentials. Mass phishing (Option C) lacks personalization and is easily flagged. LinkedIn social engineering (Option D) is long-term and less effective for obtaining immediate credentials. Therefore, a tailored spear-phishing email is the most effective approach.

• Question 103:

  Robin, an attacker, is attempting to bypass the firewalls of an organization through the DNS tunneling method in order to exfiltrate data. He is using the NSTX tool for bypassing the firewalls. On which of the following ports should Robin run the NSTX tool?

  A. Port 53
  B. Port 23
  C. Port 50
  D. Port 80
  A. Port 53

  ---

  Explanation

  DNS uses Ports 53 which is almost always open on systems, firewalls, and clients to transmit DNS queries. instead of the more familiar Transmission Control Protocol (TCP) these queries use User Datagram Protocol (UDP) due to its low-latency, bandwidth and resource usage compared TCP-equivalent queries. UDP has no error or flow-control capabilities, nor does it have any integrity checking to make sure the info arrived intact.

  How is internet use (browsing, apps, chat etc) so reliable then? If the UDP DNS query fails (it's a best-effort protocol after all) within the first instance, most systems will retry variety of times and only after multiple failures, potentially switch to TCP before trying again; TCP is additionally used if the DNS query exceeds the restrictions of the UDP datagram size - typically 512 bytes for DNS but can depend upon system settings.

  Figure 1 below illustrates the essential process of how DNS operates: the client sends a question string (for example, mail.google[.]com during this case) with a particular type - typically A for a number address. I've skipped the part whereby intermediate DNS systems may need to establish where `.com' exists, before checking out where `google[.]com' are often found, and so on.

  Many worms and scanners are created to seek out and exploit systems running telnet. Given these facts, it's really no surprise that telnet is usually seen on the highest Ten Target Ports list. Several of the vulnerabilities of telnet are fixed. They require only an upgrade to the foremost current version of the telnet Daemon or OS upgrade. As is usually the case, this upgrade has not been performed on variety of devices. this might flow from to the very fact that a lot of systems administrators and users don't fully understand the risks involved using telnet. Unfortunately, the sole solution for a few of telnets vulnerabilities is to completely discontinue its use. the well-liked method of mitigating all of telnets vulnerabilities is replacing it with alternate protocols like ssh. Ssh is capable of providing many of an equivalent functions as telnet and a number of other additional services typical handled by other protocols like FTP and Xwindows. Ssh does still have several drawbacks to beat before it can completely replace telnet.

  it's typically only supported on newer equipment. It requires processor and memory resources to perform the info encryption and decryption. It also requires greater bandwidth than telnet thanks to the encryption of the info . This paper was written to assist clarify how dangerous the utilization of telnet are often and to supply solutions to alleviate the main known threats so as to enhance the general security of the web

  Once a reputation is resolved to an IP caching also helps: the resolved name-to-IP is usually cached on the local system (and possibly on intermediate DNS servers) for a period of your time . Subsequent queries for an equivalent name from an equivalent client then don't leave the local system until said cache expires. Of course, once the IP address of the remote service is understood , applications can use that information to enable other TCP-based protocols, like HTTP, to try to to their actual work, for instance ensuring internet cat GIFs are often reliably shared together with your colleagues.

  So, beat all, a couple of dozen extra UDP DNS queries from an organization's network would be fairly inconspicuous and will leave a malicious payload to beacon bent an adversary; commands could even be received to the requesting application for processing with little difficulty.

• Question 104:

  An attacker has partial root access to a mobile application. What control best prevents further exploitation?

  A. Secure coding and automated reviews
  B. Certificate pinning
  C. Regular penetration testing
  D. Mobile Application Management (MAM)
  D. Mobile Application Management (MAM)

  ---

  Explanation

  When partial root access exists, preventing further privilege abuse is the immediate priority. CEH v13 explains that Mobile Application Management (MAM) enforces granular access control, application isolation, and permission enforcement-even on compromised devices.

  Secure coding (Option A) and testing (Option C) are preventative measures but do not contain an active compromise.

  Certificate pinning (Option B) protects communications, not application control. MAM solutions allow administrators to revoke access, enforce policies, and isolate apps , limiting attacker capabilities post-compromise. Therefore, Option D is correct.

• Question 105:

  A penetration tester is assessing a web application that does not properly sanitize user input in the search field. The tester suspects the application is vulnerable to a SQL injection attack. Which approach should the tester take to confirm the vulnerability?

  A. Use directory traversal in the search field to access sensitive files on the server
  B. Input a SQL query such as 1 OR 1=1 - into the search field to check for SQL injection
  C. Perform a brute-force attack on the login page to identify weak passwords
  D. Inject JavaScript into the search field to perform a Cross-Site Scripting (XSS) attack
  B. Input a SQL query such as 1 OR 1=1 - into the search field to check for SQL injection

  ---

  Explanation

  SQL injection is one of the most common and dangerous vulnerabilities covered in CEH training. It occurs when an application accepts unsanitized input and directly passes it to a backend SQL query. To confirm the presence of SQL injection, the tester must insert a payload that alters the logic of the SQL query executed by the application. A classic test payload such as "1 OR 1=1 -" is widely used because it forces the database to return all rows instead of filtering based on the intended search value. This verifies whether the input field is being concatenated directly into a SQL command. The CEH methodology emphasizes starting with simple, non-destructive boolean-based payloads to safely evaluate the vulnerability without causing harm to the database or impacting server availability. Since directory traversal, brute-force login attempts, and XSS attacks target entirely different weaknesses, they are not appropriate for confirming SQL injection. The selected option aligns with proper CEH testing methodology

  for identifying insecure input handling and improper query construction.

• Question 106:

  You are an ethical hacker tasked with conducting an enumeration of a company's network. Given a Windows system with NetBIOS enabled, port 139 open, and file and printer sharing active, you are about to run some nbtstat commands to enumerate NetBIOS names. The company uses |Pv6 for its network. Which of the following actions should you take next?

  A. Use nbtstat -c to get the contents of the NetBIOS name cache
  B. use nbtstat -a followed by the IPv6 address of the target machine
  C. Utilize Nmap Scripting Engine (NSE) for NetBIOS enumeration
  D. Switch to an enumeration tool that supports IPv6
  D. Switch to an enumeration tool that supports IPv6

  ---

  Explanation

  The nbtstat command is a Windows utility that displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables, and the NetBIOS name cache. However, the nbtstat command does not support IPv6 addresses, which are the standard format for the Internet Protocol version 6 (IPv6). Therefore, using the nbtstat command with IPv6 addresses will result in an error message or no output. To enumerate NetBIOS names on a network that uses IPv6, you should switch to an enumeration tool that supports IPv6, such as Nmap, which is a network scanning and security auditing tool. Nmap has a scripting engine (NSE) that allows users to write and execute scripts for various network tasks, including NetBIOS enumeration. Nmap can also detect the operating system, services, and vulnerabilities of the target machines, regardless of the IP version they use. References:

  Nbtstat Command - Computer Hope

  Nbtstat CMD: Windows Network Command Line Prompt

  [Nmap Scripting Engine (NSE) Documentation]

• Question 107:

  During an internal red team engagement, an operator discovers that TCP port 389 is open on a target system identified as a domain controller. To assess the extent of LDAP exposure, the operator runs the command ldapsearch -h -x -s base namingcontexts and receives a response revealing the base distinguished name (DN): DC=internal,DC=corp. This naming context indicates the root of the LDAP directory structure. With this discovery, the operator plans the next step to continue LDAP enumeration and expand visibility into users and objects in the domain. What is the most logical next action?

  A. Launch a brute-force attack against user passwords via SMB
  B. Conduct an ARP scan on the local subnet
  C. Attempt an RDP login to the domain controller
  D. Use the base DN in a filter to enumerate directory objects
  D. Use the base DN in a filter to enumerate directory objects

  ---

  Explanation

  Once the base DN is identified through LDAP namingContexts, CEH teaches that the next step in enumeration is to query the directory tree using this DN. This allows retrieval of users, groups, computers, and other AD objects. LDAP-based enumeration requires valid search filters rooted in the base DN.

• Question 108:

  As a cybersecurity analyst for SecureNet, you are performing a security assessment of a new mobile payment application. One of your primary concerns is the secure storage of customer data on the device.

  The application stores sensitive information such as credit card details and personal identification numbers (PINs) on the device.

  Which of the following measures would best ensure the security of this data?

  A. Implement biometric authentication for app access.
  B. Encrypt all sensitive data stored on the device.
  C. Enable GPS tracking for all devices using the app.
  D. Regularly update the app to the latest version.
  B. Encrypt all sensitive data stored on the device.

  ---

  Explanation

  Encrypting all sensitive data stored on the device is the best measure to ensure the security of this data, because it protects the data from unauthorized access or disclosure, even if the device is lost, stolen, or compromised. Encryption is a process of transforming data into an unreadable format using a secret key or algorithm. Only authorized parties who have the correct key or algorithm can decrypt and access the data. Encryption can be applied to data at rest, such as files or databases, or data in transit, such as network traffic or messages. Encryption can prevent attackers from stealing or tampering with the customer data stored on the device, such as credit card details and PINs, which can cause financial or identity fraud. The other options are not as effective or sufficient as encryption for securing the customer data stored on the device. Implementing biometric authentication for app access may provide an additional layer of security, but it does not protect the data from being accessed by other means, such as malware, physical access, or backup extraction. Enabling GPS tracking for all devices using the app may help locate the device in case of loss or theft, but it does not prevent the data from being accessed by unauthorized parties, and it may also pose privacy risks. Regularly updating the app to the latest version may help fix bugs or vulnerabilities, but it does not guarantee the security of the data, especially if the app does not use encryption or other security features.

  References:

  Securely Storing Data | Security.org Data Storage Security: 5 Best Practices to Secure Your Data M9: Insecure Data Storage | OWASP Foundation

• Question 109:

  A large e-commerce organization is planning to implement a vulnerability assessment solution to enhance its security posture. They require a solution that imitates the outside view of attackers, performs well-organized inference-based testing, scans automatically against continuously updated databases, and supports multiple networks. Given these requirements, which type of vulnerability assessment solution would be most appropriate?

  A. Inference-based assessment solution
  B. Service-based solution offered by an auditing firm
  C. Tree-based assessment approach
  D. Product-based solution installed on a private network
  B. Service-based solution offered by an auditing firm

  ---

  Explanation

  A service-based solution offered by an auditing firm would be the most appropriate type of vulnerability assessment solution for the large e-commerce organization, given their requirements. A service-based solution is a type of vulnerability assessment that is performed by external experts who have the skills, tools, and experience to conduct a thorough and comprehensive analysis of the target system or network. A service- based solution can imitate the outside view of attackers, as the experts are not familiar with the internal details or configurations of the organization. A service-based solution can also perform well-organized inference- based testing, which is a type of testing that uses logical reasoning and deduction to identify and exploit vulnerabilities based on the information gathered from the target. A service-based solution can scan automatically against continuously updated databases, as the experts have access to the latest security intelligence and threat feeds. A service-based solution can also support multiple networks, as the experts can use different techniques and tools to scan different types of networks, such as wired, wireless, cloud, or hybrid.

  The other options are not as appropriate as option B for the following reasons:

  A. Inference-based assessment solution: This option is not a type of vulnerability assessment solution, but a type of testing method that can be used by any solution. Inference-based testing is a testing method that uses logical reasoning and deduction to identify and exploit vulnerabilities based on the information gathered from the target. Inference-based testing can be performed by service-based, product-based, or tree-based solutions, depending on the scope, objectives, and resources of the assessment.

  C. Tree-based assessment approach: This option is not a type of vulnerability assessment solution, but a type of testing method that can be used by any solution. Tree-based testing is a testing method that uses a hierarchical structure to organize and prioritize the vulnerabilities based on their severity, impact, and exploitability. Tree-based testing can be performed by service-based, product-based, or inference-based solutions, depending on the scope, objectives, and resources of the assessment.

  D. Product-based solution installed on a private network: This option is a type of vulnerability assessment solution, but it may not meet all the requirements of the large e-commerce organization. A product-based solution is a type of vulnerability assessment that is performed by using software or hardware tools that are installed on the organization's own network. A product-based solution can scan automatically against continuously updated databases, as the tools can be configured to download and apply

  the latest security updates and patches. However, a product-based solution may not imitate the outside view of attackers, as the tools may have limited access or visibility to the external network or the internet. A product-based solution may also not perform well-organized inference-based testing, as the tools may rely on predefined rules or signatures to detect and report vulnerabilities, rather than using logical reasoning and deduction. A product- based solution may also not support multiple networks, as the

  tools may be designed or optimized for a specific type of network, such as wired, wireless, cloud, or hybrid .

  References:

  1: Vulnerability Assessment Services | Rapid7 2: Vulnerability Assessment Services | IBM 3: Inference-Based Vulnerability Testing of Firewall Policies - IEEE Conference Publication 4: A Tree-Based Approach for Vulnerability Assessment - IEEE Conference Publication Vulnerability Assessment Tools | OWASP Foundation Vulnerability Assessment Solutions: Why You Need One and How to Choose | Defensible

• Question 110:

  John wants to send Marie an email that includes sensitive information, and he does not trust the network that he is connected to. Marie gives him the idea of using PGP. What should John do to communicate correctly using this type of encryption?

  A. Use his own public key to encrypt the message.
  B. Use Marie's public key to encrypt the message.
  C. Use his own private key to encrypt the message.
  D. Use Marie's private key to encrypt the message.
  B. Use Marie's public key to encrypt the message.

  ---

  Explanation

  When a user encrypts plaintext with PGP, PGP first compresses the plaintext. The session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key

  https://en.wikipedia.org/wiki/Pretty_Good_Privacy

  Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address.

  https://en.wikipedia.org/wiki/Public-key_cryptography

  Public key encryption uses two different keys. One key is used to encrypt the information and the other is used to decrypt the information. Sometimes this is referred to as asymmetric encryption because two keys are required to make the system and/or process work securely. One key is known as the public key and should be shared by the owner with anyone who will be securely communicating with the key owner. However, the owner's secret key is not to be shared and considered a private key. If the private key is shared with unauthorized recipients, the encryption mechanisms protecting the information must be considered compromised.