EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 111:

  A red team member uses an access token obtained from an Azure function to authenticate with Azure PowerShell and retrieve storage account keys. What kind of abuse does this scenario demonstrate?

  A. Gathering NSG rule information
  B. Exploiting managed identities for unauthorized access
  C. Lateral movement via Stormspotter
  D. Enumeration of user groups with AzureGraph
  B. Exploiting managed identities for unauthorized access

  ---

  Explanation

  CEH cloud security modules highlight that Azure Managed Identities allow workloads such as functions, VMs, and automation tasks to authenticate to Azure resources without storing secrets. If an attacker obtains the token associated with a managed identity, they can impersonate that identity and access any Azure resources it is permitted to use. In this scenario, the captured access token is used to authenticate via Azure PowerShell and retrieve storage account keys, demonstrating unauthorized privilege usage by hijacking the managed identity. This aligns directly with managed identity abuse, where attackers leverage identity tokens instead of user credentials. NSG rule gathering and AzureGraph enumeration are reconnaissance activities, and Stormspotter is used for visualizing attack paths, not abusing identities. Therefore, this scenario clearly illustrates exploitation of managed identities.

• Question 112:

  During a recent security assessment, you discover the organization has one Domain Name Server (DNS) in a Demilitarized Zone (DMZ) and a second DNS server on the internal network.

  What is this type of DNS configuration commonly called?

  A. DynDNS
  B. DNS Scheme
  C. DNSSEC
  D. Split DNS
  D. Split DNS

  ---

  Explanation

  Split DNS (also known as Split-Horizon DNS) is a configuration where internal users and external users receive different DNS responses. Typically, one DNS server resides in the DMZ for public access, and another is inside the network for internal name resolution.

  # Reference: CEH v13 Official Study Guide, Module 9: System Hacking / Perimeter Security

  "Split DNS allows different DNS records to be presented based on whether the requester is from inside or outside the organization's network."

  # Incorrect options:

  A. DynDNS is a dynamic DNS provider.

  B. DNS Scheme is a non-standard term.

  C. DNSSEC is a security extension for DNS, not a deployment model.

• Question 113:

  An organization uses SHA-256 for data integrity checks but still experiences unauthorized data modification.

  Which cryptographic tool can help resolve this issue?

  A. Asymmetric encryption
  B. SSL/TLS certificates
  C. Symmetric encryption
  D. Digital signatures
  D. Digital signatures

  ---

  Explanation

  SHA-256 is a cryptographic hash function , and CEH v13 clearly states that hash functions alone provide data integrity , but not authenticity or non-repudiation . If attackers can modify data and recompute the hash, integrity checks will still pass.

  The issue arises because SHA-256 does not prove who created or modified the data . To address this weakness, CEH v13 recommends using digital signatures , which combine hashing with asymmetric cryptography . A digital signature ensures:

  Integrity (data has not changed)

  Authentication (data was signed by a known entity)

  Non-repudiation (the signer cannot deny the action)

  Digital signatures work by hashing the data and encrypting the hash with the sender's private key . Any modification to the data invalidates the signature.

  Encryption alone (Options A and C) protects confidentiality, not integrity or authenticity. SSL/TLS (Option B) secures data in transit but does not protect stored data from tampering.

  CEH v13 explicitly identifies digital signatures as the correct cryptographic control when integrity mechanisms alone are insufficient. Therefore, Option D is correct.

• Question 114:

  You are the lead cybersecurity analyst at a multinational corporation that uses a hybrid encryption system to secure inter-departmental communications. The system uses RSA encryption for key exchange and AES for data encryption, taking advantage of the strengths of both asymmetric and symmetric encryption. Each RSA key pair has a size of 'n' bits, with larger keys providing more security at the cost of slower performance. The time complexity of generating an RSA key pair is O(n*2), and AES encryption has a time complexity of O(n). An attacker has developed a quantum algorithm with time complexity O((log n)*2) to crack RSA encryption. Given *n=4000' and variable `AES key size', which scenario is likely to provide the best balance of security and performance? which scenario would provide the best balance of security and performance?

  A. Data encryption with 3DES using a 168-bit key: Offers high security but slower performance due to 3DES's inherent inefficiencies.
  B. Data encryption with Blowfish using a 448-bit key: Offers high security but potential compatibility issues due to Blowfish's less widespread use.
  C. Data encryption with AES-128: Provides moderate security and fast encryption, offering a balance between the two.
  D. Data encryption with AES-256: Provides high security with better performance than 3DES, but not as fast as other AES key sizes.
  C. Data encryption with AES-128: Provides moderate security and fast encryption, offering a balance between the two.

  ---

  Explanation

  Data encryption with AES-128 is likely to provide the best balance of security and performance in this scenario. This option works as follows:

  AES-128 is a symmetric encryption algorithm that uses a 128-bit key to encrypt and decrypt data. AES-128 is one of the most widely used and trusted encryption algorithms, and it is considered secure against classical and quantum attacks, as long as the key is not compromised. AES-128 has a time complexity of O(n), which means that the encryption and decryption time is proportional to the size of the data. AES-128 is also fast and efficient, as it can process 16 bytes of data in each round, and it requires only 10 rounds to complete the encryption or decryption.

  RSA-4000 is an asymmetric encryption algorithm that uses a 4000-bit key pair to encrypt and decrypt data. RSA-4000 is used for key exchange, which means that it is used to securely share the AES-128 key between the sender and the receiver. RSA-4000 has a time complexity of O(n*2), which means that the key generation, encryption, and decryption time is proportional to the square of the size of the key. RSA-4000 is also slow and resource-intensive, as it involves large number arithmetic and modular exponentiation operations. RSA- 4000 is considered secure against classical attacks, but it is vulnerable to quantum attacks, especially if the attacker has access to a quantum computer with sufficient resources to run Shor's algorithm, which can factor large numbers in polynomial time.

  The attacker's quantum algorithm has a time complexity of O((log n)*2), which means that the cracking time is proportional to the square of the logarithm of the size of the key. This implies that the attacker can crack RSA-4000 much faster than a classical computer, as the logarithm function grows much slower than the linear or quadratic function. For example, if a classical computer takes 10^12 years to crack RSA-4000, a quantum computer with the attacker's algorithm could do it in about 10^4 years, which is still a long time, but not impossible.

  Therefore, data encryption with AES-128 is likely to provide the best balance of security and performance in this scenario, because:

  AES-128 is secure and fast, and it can encrypt large amounts of data efficiently.

  RSA-4000 is slow and vulnerable, but it is only used for key exchange, which involves a small amount of data and a one-time operation.

  The attacker's quantum algorithm is powerful, but it is not practical, as it requires a quantum computer with a large number of qubits and a long coherence time, which are not available yet.

  The other options are not as balanced as option C for the following reasons:

  A. Data encryption with 3DES using a 168-bit key: This option offers high security but slower performance due to 3DES's inherent inefficiencies. 3DES is a symmetric encryption algorithm that uses a 168-bit key to encrypt and decrypt data. 3DES is a variant of DES, which is an older and weaker encryption algorithm that uses a 56-bit key. 3DES applies DES three times with different keys to increase the security, but this also increases the complexity and reduces the speed. 3DES has a time complexity of O

  (n), but it is much slower than AES, as it can process only 8 bytes of data in each round, and it requires 48 rounds to complete the encryption or decryption. 3DES is considered secure against classical and quantum attacks, but it is not recommended for new applications, as it is outdated and inefficient.

  B. Data encryption with Blowfish using a 448-bit key: This option offers high security but potential compatibility issues due to Blowfish's less widespread use. Blowfish is a symmetric encryption algorithm that uses a variable key size, up to 448 bits, to encrypt and decrypt data. Blowfish is fast and secure, and it has a time complexity of O(n), as it can process 8 bytes of data in each round, and it requires 16 rounds to complete the encryption or decryption. Blowfish is considered secure against classical and

  quantum attacks, but it is not as popular or standardized as AES, and it may have compatibility issues with some applications or platforms.

  D. Data encryption with AES-256: This option provides high security with better performance than 3DES, but not as fast as other AES key sizes. AES-256 is a symmetric encryption algorithm that uses a 256-bit key to encrypt and decrypt data. AES-256 is a variant of AES, which is the most widely used and trusted encryption algorithm. AES-256 has a time complexity of O(n), and it can process 16 bytes of data in each round, but it requires 14 rounds to complete the encryption or decryption, which is more

  than AES-128 or AES-192. AES- 256 is considered secure against classical and quantum attacks, but it is not as fast as other AES key sizes, and it may not be necessary for most applications, as AES-128 or AES-192 are already secure enough.

  References:

  1: Advanced Encryption Standard - Wikipedia

  2: AES Encryption: What It Is and How It Works | Kaspersky

  3: RSA (cryptosystem) - Wikipedia

  4: RSA Encryption: What It Is and How It Works | Kaspersky

  5: Shor's algorithm - Wikipedia

  6: Triple DES - Wikipedia

  7: 3DES Encryption: What It Is and How It Works | Kaspersky

  8: Blowfish (cipher) - Wikipedia

  9: Blowfish Encryption: What It Is and How It Works | Kaspersky

• Question 115:

  A financial services firm is experiencing a sophisticated DoS attack on their DNS servers using DNS amplification and on their web servers using HTTP floods. Traditional firewall rules and IDS are failing to mitigate the attack effectively. To protect their infrastructure without impacting legitimate users, which advanced mitigation strategy should the firm implement?

  A. Increase server capacity and implement simple rate limiting
  B. Block all incoming traffic from suspicious IP ranges using access control lists
  C. Deploy a Web Application Firewall (WAF) to filter HTTP traffic
  D. Utilize a cloud-based DDoS protection service with traffic scrubbing capabilities
  D. Utilize a cloud-based DDoS protection service with traffic scrubbing capabilities

  ---

  Explanation

  Cloud-based DDoS mitigation services provide upstream traffic scrubbing, detecting and filtering high- volume attacks such as DNS amplification and HTTP floods before the traffic reaches the victim's network. These services use distributed infrastructures capable of handling multi-vector attacks that surpass the capacity of traditional on-premises firewalls and IDS. Traffic scrubbing centers distinguish legitimate traffic from malicious traffic, allowing normal operations to continue without service disruption.

• Question 116:

  What piece of hardware on a computer's motherboard generates encryption keys and only releases a part of the key so that decrypting a disk on a new piece of hardware is not possible?

  A. CPU
  B. GPU
  C. UEFI
  D. TPM
  D. TPM

  ---

  Explanation

  The TPM is a chip that's part of your computer's motherboard - if you bought an off-the-shelf PC, it's soldered onto the motherboard. If you built your own computer, you can buy one as an add-on module if your motherboard supports it. The TPM generates encryption keys, keeping part of the key to itself

• Question 117:

  Your network infrastructure is under a SYN flood attack. The attacker has crafted an automated botnet to simultaneously send 's' SYN packets per second to the server.

  You have put measures in place to manage `f SYN packets per second, and the system is designed to deal with this number without any performance issues.

  If 's' exceeds `f', the network infrastructure begins to show signs of overload. The system's response time increases exponentially (24k), where 'k' represents each additional SYN packet above the ff limit. Now, considering 's500' and different 'f values, in which scenario is the server most likely to experience overload and significantly increased response times?

  A. f510: The server can handle 510 SYN packets per second, which is greater than what the attacker is sending. The system stays stable, and the response time remains unaffected
  B. f495: The server can handle 495 SYN packets per second. The response time drastically rises (245 32 times the normal), indicating a probable system overload
  C. fS05: The server can handle 505 SYN packets per second. In this case, the response time increases but not as drastically (245 32 times the normal), and the systern might still function, albeit slowly
  D. f420: The server can handle 490 SYN packets per second. With 's' exceeding `f by 10, the response time shoots up (2410 1024 times the usual response time), indicating a system overload
  D. f420: The server can handle 490 SYN packets per second. With 's' exceeding `f by 10, the response time shoots up (2410 1024 times the usual response time), indicating a system overload

  ---

  Explanation

  A SYN flood attack is a type of denial-of-service (DoS) attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. This consumes the connection state tables on the server, preventing it from accepting new connections. The attacker has crafted an automated botnet to simultaneously send `s' SYN packets per second to the server. The server can handle `f' SYN packets per second without any performance issues. If `s' exceeds `f', the network infrastructure begins to show signs of overload. The system's response time increases exponentially (24k), where `k' represents each additional SYN packet above the `f' limit.

  Considering `s500' and different `f' values, the scenario that is most likely to cause the server to experience overload and significantly increased response times is the one where `f420'. This is because `s' is greater than `f' by 80 packets per second, which means the server cannot handle the incoming traffic and will eventually run out of resources. The response time shoots up (2480 281,474,976,710,656 times the normal response time), indicating a system overload.

  The other scenarios are less likely or less severe than the one where `f420'. Option A has `f510', which is greater than `s', so the system stays stable and the response time remains unaffected. Option B has `f495', which is less than `s' by 5 packets per second, so the response time drastically rises (245 32 times the normal response time), indicating a probable system overload, but not as extreme as option D. Option C has `f505', which is less than `s' by 5 packets per second, so the response time increases but not as drastically (245 32 times the normal response time), and the system might still function, albeit slowly. References:

  SYN flood DDoS attack | Cloudflare

  SYN flood - Wikipedia

  What Is a SYN Flood Attack? | F5

  What is a SYN flood attack and how to prevent it? | NETSCOUT

• Question 118:

  During a red team assessment, an ethical hacker must map a large multinational enterprise's external attack surface. Due to strict rules of engagement, no active scans may be used. The goal is to identify publicly visible subdomains to uncover forgotten or misconfigured services. Which method should the ethical hacker use to passively enumerate the organization's subdomains?

  A. Leverage tools like Netcraft or DNSdumpster to gather subdomain information
  B. Attempt to guess admin credentials and access the company's DNS portal
  C. Conduct a brute-force DNS subdomain enumeration
  D. Request internal DNS records using spoofed credentials
  A. Leverage tools like Netcraft or DNSdumpster to gather subdomain information

  ---

  Explanation

  CEH clearly distinguishes between active and passive reconnaissance. Passive methods involve gathering publicly available data without directly interacting with the target's infrastructure, thus avoiding detection. Tools such as Netcraft, DNSdumpster, VirusTotal, Certificate Transparency logs, and search engine indexing are recommended by CEH for discovering subdomains through public metadata, cached DNS records, WHOIS data, SSL certificate entries, and third-party enumeration databases. These platforms provide insights into externally accessible assets without sending packets or queries to the target organization. Brute- force enumeration is active and violates the rules of engagement. Attempting credential guessing or requesting internal DNS data are unauthorized and clearly active reconnaissance activities. Passive OSINT- based subdomain enumeration is a core CEH technique used to uncover hidden infrastructure safely and legally. It is especially crucial in red team operations where stealth is a priority.

• Question 119:

  During a black-box pen test you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?

  A. Circuit
  B. Stateful
  C. Application
  D. Packet Filtering
  C. Application

  ---

  Explanation

  https://en.wikipedia.org/wiki/Internet_Relay_Chat

  Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in text. The chat process works on a client/server networking model. IRC clients are computer programs that users can install on their system or web-based applications running either locally in the browser or on a third-party server. These clients communicate with chat servers to transfer messages to other clients.

  IRC is a plaintext protocol that is officially assigned port 194, according to IANA. However, running the service on this port requires running it with root-level permissions, which is inadvisable. As a result, the well- known port for IRC is 6667, a high-number port that does not require elevated privileges. However, an IRC server can also be configured to run on other ports as well.

  You can't tell if an IRC server is designed to be malicious solely based on port number. Still, if you see an IRC server running on port a WKP such as 80, 8080, 53, 443, it's almost always going to be malicious; the only real reason for IRCD to be running on port 80 is to try to evade firewalls.

  https://en.wikipedia.org/wiki/Application_firewall

  An application firewall is a form of firewall that controls input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The application firewall can control communications up to the OSI model's application layer, which is the highest operating layer, and where it gets its name. The two primary categories of application firewalls are network-based and host-based.

  Application layer filtering operates at a higher level than traditional security appliances. This allows packet decisions to be made based on more than just source/destination IP Addresses or ports. It can also use information spanning across multiple connections for any given host.

  Network-based application firewalls Network-based application firewalls operate at the application layer of a TCP/IP stack. They can understand certain applications and protocols such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications or services using a non- standard port or detect if an allowed protocol is being abused.

  Host-based application firewalls

  A host-based application firewall monitors application system calls or other general system communication. This gives more granularity and control but is limited to only protecting the host it is running on. Control is applied by filtering on a per-process basis. Generally, prompts are used to define rules for processes that have not yet received a connection. Further filtering can be done by examining the process ID of the owner of the data packets. Many host-based application firewalls are combined or used in conjunction with a packet filter.

• Question 120:

  Ethical hacker jane Smith is attempting to perform an SQL injection attach. She wants to test the response time of a true or false response and wants to use a second command to determine whether the database will return true or false results for user IDs. which two SQL Injection types would give her the results she is looking for?

  A. Out of band and boolean-based
  B. Time-based and union-based
  C. union-based and error-based
  D. Time-based and boolean-based
  D. Time-based and boolean-based

  ---

  Explanation

  "Boolean based" we mean that it is based on Boolean values, that is, true or false / true and false. AND Time- based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

  Boolean-based (content-based) Blind SQLi

  Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.

  Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.

  Time-based Blind SQLi

  Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

  Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.

  https://www.acunetix.com/websitesecurity/sql-injection2/