EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 121:

  Which iOS jailbreaking technique patches the kernel during the device boot so that it becomes jailbroken after each successive reboot?

  A. Tethered jailbreaking
  B. Semi-tethered jailbreaking
  C. Untethered jailbreaking
  D. Semi-Untethered jailbreaking
  C. Untethered jailbreaking

  ---

  Explanation

  An untethered jailbreak is one that allows a telephone to finish a boot cycle when being pwned with none interruption to jailbreak-oriented practicality.

  Untethered jailbreaks area unit the foremost sought-after of all, however they're additionally the foremost difficult to attain due to the powerful exploits and organic process talent they need. associate unbound jailbreak is sent over a physical USB cable association to a laptop or directly on the device itself by approach of associate application-based exploit, like a web site in campaign.

  Upon running associate unbound jailbreak, you'll be able to flip your pwned telephone off and on once more while not running the jailbreak tool once more. all of your jailbreak tweaks and apps would then continue in operation with none user intervention necessary.

  It's been an extended time since IOS has gotten the unbound jailbreak treatment. the foremost recent example was the computer-based Pangu break, that supported most handsets that ran IOS nine.1. We've additionally witnessed associate unbound jailbreak within the kind of JailbreakMe, that allowed users to pwn their handsets directly from the mobile campaign applications programme while not a laptop.

• Question 122:

  "........is an attack type for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. It is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hot- spot by posing as a legitimate provider. This type of attack may be used to steal the passwords of

  unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there."

  Fill in the blank with appropriate choice.

  A. Evil Twin Attack
  B. Sinkhole Attack
  C. Collision Attack
  D. Signal Jamming Attack
  A. Evil Twin Attack

  ---

  Explanation

  https://en.wikipedia.org/wiki/Evil_twin_(wireless_networks)

  An evil twin attack is a hack attack in which a hacker sets up a fake Wi-Fi network that looks like a legitimate access point to steal victims' sensitive details. Most often, the victims of such attacks are ordinary people like you and me.

  The attack can be performed as a man-in-the-middle (MITM) attack. The fake Wi-Fi access point is used to eavesdrop on users and steal their login credentials or other sensitive information. Because the hacker owns the equipment being used, the victim will have no idea that the hacker might be intercepting things like bank transactions. An evil twin access point can also be used in a phishing scam. In this type of attack, victims will connect to the evil twin and will be lured to a phishing site. It will prompt them to enter their sensitive data, such as their login details. These, of course, will be sent straight to the hacker. Once the hacker gets them, they might simply disconnect the victim and show that the server is temporarily unavailable.

  ADDITION: It may not seem obvious what happened. The problem is in the question statement. The attackers were not Alice and John, who were able to connect to the network without a password, but on the contrary, they were attacked and forced to connect to a fake network, and not to the real network belonging to Jane.

• Question 123:

  A penetration tester intercepts HTTP requests between a user and a vulnerable web server. The tester observes that the session ID is embedded in the URL, and the web application does not regenerate the session upon login. Which session hijacking technique is most likely to succeed in this scenario?

  A. Injecting JavaScript to steal session cookies via cross-site scripting
  B. DNS cache poisoning to redirect users to fake sites
  C. Session fixation by pre-setting the token in a URL
  D. Cross-site request forgery exploiting user trust in websites
  C. Session fixation by pre-setting the token in a URL

  ---

  Explanation

  This scenario demonstrates a classic case of Session Fixation , a session hijacking technique explicitly covered under the CEH v13 Web Application Hacking module . Session fixation occurs when an attacker sets or predicts a valid session identifier and forces a victim to authenticate using that same session ID.

  In the given question, two critical vulnerabilities are highlighted:

  The session ID is embedded in the URL

  The application does not regenerate the session ID after login

  According to CEH v13, secure applications must regenerate session identifiers after successful authentication to prevent fixation attacks. If this does not occur, an attacker can craft a URL containing a known session ID and trick the victim into clicking it. Once the victim logs in, the attacker reuses the same session ID to gain unauthorized access.

  CEH documentation states that session fixation is particularly effective when:

  Session IDs are passed via URL parameters

  Sessions persist across authentication

  Secure cookie attributes are not enforced

  Other options are incorrect because:

  XSS-based cookie theft requires client-side script injection.

  DNS cache poisoning is unrelated to session management.

  CSRF exploits user trust but does not directly hijack sessions.

  Thus, Session Fixation by pre-setting the token in a URL is the most effective attack in this case.

• Question 124:

  Jake, a network security specialist, is trying to prevent network-level session hijacking attacks in his company.

  While studying different types of such attacks, he learns about a technique where an attacker inserts their machine into the communication between a client and a server, making it seem like the packets are flowing through the original path.

  This technique is primarily used to reroute the packets.

  Which of the following types of network-level session hijacking attacks is Jake studying?

  A. RST Hijacking
  B. Man-in-the-middle Attack Using Forged ICMP and ARP Spoofing
  C. UDP Hijacking
  D. TCP/IP Hijacking
  B. Man-in-the-middle Attack Using Forged ICMP and ARP Spoofing

  ---

  Explanation

  A man-in-the-middle attack using forged ICMP and ARP spoofing is a type of network-level session hijacking attack where an attacker inserts their machine into the communication between a client and a server, making it seem like the packets are flowing through the original path. This technique is primarily used to reroute the packets and intercept or modify the data exchanged between the client and the server.

  A man-in-the-middle attack using forged ICMP and ARP spoofing works as follows1:

  The attacker sends a forged ICMP redirect message to the client, claiming to be the gateway. The ICMP redirect message tells the client to use the attacker's machine as the next hop for reaching the server's network. The client updates its routing table accordingly and starts sending packets to the attacker's machine instead of the gateway.

  The attacker also sends a forged ARP reply message to the client, claiming to be the server. The ARP reply message associates the attacker's MAC address with the server's IP address. The client updates its ARP cache accordingly and starts sending packets to the attacker's MAC address instead of the server's MAC address.

  The attacker receives the packets from the client and forwards them to the server, acting as a relay. The attacker can also monitor, modify, or drop the packets as they wish. The server responds to the packets and sends them back to the attacker, who then forwards them to the client. The client and the server are unaware of the attacker's presence and think they are communicating directly with each other.

  Therefore, Jake is studying a man-in-the-middle attack using forged ICMP and ARP spoofing, which is a type of network-level session hijacking attack.

  References:

  Network or TCP Session Hijacking | Ethical Hacking - GreyCampus

• Question 125:

  In the field of cryptanalysis, what is meant by a "rubber-hose" attack?

  A. Forcing the targeted keystream through a hardware-accelerated device such as an ASIC.
  B. A backdoor placed into a cryptographic algorithm by its creator.
  C. Extraction of cryptographic secrets through coercion or torture.
  D. Attempting to decrypt ciphertext by making logical assumptions about the contents of the original plaintext.
  C. Extraction of cryptographic secrets through coercion or torture.

  ---

  Explanation

  A powerful and often the most effective cryptanalysis method in which the attack is directed at the most vulnerable link in the cryptosystem - the person. In this attack, the cryptanalyst uses blackmail, threats, torture, extortion, bribery, etc. This method's main advantage is the decryption time's fundamental independence from the volume of secret information, the length of the key, and the cipher's mathematical strength.

  The method can reduce the time to guess a password, for example, for AES, to an acceptable level; however, it requires special authorization from the relevant regulatory authorities. Therefore, it is outside the scope of this course and is not considered in its practical part.

• Question 126:

  As a cybersecurity professional, you are responsible for securing a high-traffic web application that uses MySQL as its backend database. Recently, there has been a surge of unauthorized login attempts, and you suspect that a seasoned black-hat hacker is behind them. This hacker has shown proficiency in SQL Injection and appears to be using the 'UNION' SQL keyword to trick the login process into returning additional data.

  However, your application's security measures include filtering special characters in user inputs, a method usually effective against such attacks. In this challenging environment, if the hacker still intends to exploit this SQL Injection vulnerability, which strategy is he most likely to employ?

  A. The hacker alters his approach and injects a `DROP TABLE' statement, a move that could potentially lead to the loss of vital data stored in the application's database
  B. The hacker tries to manipulate the 'UNION' keyword in such a way that it triggers a database error, potentially revealing valuable information about the database's structure
  C. The hacker switches tactics and resorts to a `time-based blind' SQL Injection attack, which would force the application to delay its response, thereby revealing information based on the duration of the delay
  D. The hacker attempts to bypass the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries
  D. The hacker attempts to bypass the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries

  ---

  Explanation

  SQL Injection is a type of attack that exploits a vulnerability in a web application that uses a SQL database. The attacker injects malicious SQL code into the user input, such as a login form, that is then executed by the database server. This can allow the attacker to access, modify, or delete data, or execute commands on the database server.

  The `UNION' SQL keyword is often used in SQL Injection attacks to combine the results of two or more SELECT statements into a single result set. This can allow the attacker to retrieve additional data from other tables or columns that are not intended to be displayed by the application. For example, if the application uses the following query to check the user credentials:

  SELECT * FROM users WHERE username = '$username' AND password = '$password'

  The attacker can inject a `UNION' statement to append another query, such as:

  ' OR 1 = 1 UNION SELECT * FROM credit_cards --

  This will result in the following query being executed by the database server:

  SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND password = '$password'

  The first part of the query will always return true, and the second part of the query will return the data from the credit_cards table. The `? symbol is a comment that will ignore the rest of the query. The attacker can then see the credit card information in the application's response.

  However, some web applications implement security measures to prevent SQL Injection attacks, such as filtering special characters in user inputs. Special characters are symbols that have a special meaning in SQL, such as quotes, semicolons, dashes, etc. By filtering or escaping these characters, the application can prevent the attacker from injecting malicious SQL code. For example, if the application replaces single quotes with two single quotes, the previous injection attempt will fail, as the query will become:

  SELECT * FROM users WHERE username = '''' OR 1 = 1 UNION SELECT * FROM credit_cards --'' AND password = '$password'

  This will result in a syntax error, as the query is not valid SQL.

  In this challenging environment, if the hacker still intends to exploit this SQL Injection vulnerability, the strategy that he is most likely to employ is to bypass the special character filter by encoding his malicious input. Encoding is a process of transforming data into a different format, such as hexadecimal, base64, URL, etc. By encoding his input, the hacker can avoid the filter and still inject malicious SQL code. For example, if the hacker encodes his input using URL encoding, the previous injection attempt will become:

  %27%20OR%201%20%3D%201%20UNION%20SELECT%20*%20FROM%20credit_cards%20--

  This will result in the following query being executed by the database server, after the application decodes the input:

  SELECT * FROM users WHERE username = '' OR 1 = 1 UNION SELECT * FROM credit_cards --' AND password = '$password'

  This will succeed in returning the credit card information, as the filter will not detect the special characters in the encoded input.

  Therefore, the hacker is most likely to employ the strategy of bypassing the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries.

  References:

  SQL Injection | OWASP Foundation SQL Injection Union Attacks SQL Injection Bypassing WAF

• Question 127:

  Which of the following provides a security professional with most information about the system's security posture?

  A. Phishing, spamming, sending trojans
  B. Social engineering, company site browsing, tailgating
  C. Wardriving, warchalking, social engineering
  D. Port scanning, banner grabbing, service identification
  D. Port scanning, banner grabbing, service identification

  ---

  Explanation

  In ethical hacking and penetration testing, assessing the security posture of a target system requires direct technical interaction with that system. The combination of techniques in option D-port scanning, banner grabbing, and service identification-provides actionable and detailed insight into the system's vulnerabilities, services, and configurations.

  According to CEH v13 Official Courseware:

  Port scanning is the process of identifying open ports and the services running on them. It reveals:

  Which ports are open or closed

  The operating system's response behavior

  Entry points for possible exploitation

  Banner grabbing involves connecting to open services to retrieve application-level information. This can expose:

  Software version numbers

  Server type and configuration

  Security misconfigurations

  Service identification allows the security professional to determine what protocols and services (HTTP, FTP, SSH, etc.) are active and how they are configured. This supports:

  Vulnerability analysis

  Risk evaluation

  Threat modeling

  These combined techniques are fundamental steps in the reconnaissance and scanning phases of the ethical hacking lifecycle.

  Incorrect Options:

  A. Phishing, spamming, sending trojans are offensive tactics used in attacks; they provide limited direct system analysis and do not measure technical posture directly.

  B. Social engineering, site browsing, and tailgating are physical or psychological attack vectors, not direct technical assessments.

  C. Wardriving and warchalking identify wireless networks but offer limited detail about internal system configurations or vulnerabilities.

  CEH v13 Official Study Material:

  Module 03: Scanning Networks

  Section: "Types of Scanning"

  Subsections: "Port Scanning," "Banner Grabbing," and "Service Version Detection"

  CEH Engage: Scanning and Enumeration labs

  CEH Official Exam Blueprint: Knowledge Area - "Footprinting and Reconnaissance" and "Scanning Networks"

  These techniques are emphasized as foundational components in any network vulnerability assessment.

• Question 128:

  Clark is gathering sensitive information about a competitor and uses a tool to input the target's server IP address to identify network range, OS, and topology. What tool is he using?

  A. AOL
  B. ARIN
  C. DuckDuckGo
  D. Baidu
  B. ARIN

  ---

  Explanation

  ARIN (American Registry for Internet Numbers) is a Regional Internet Registry (RIR) that provides information about IP address allocations and autonomous systems in North America. It's used for WHOIS lookups and footprinting in reconnaissance.

• Question 129:

  Encrypted session tokens vary in length, indicating inconsistent encryption strength. What is the best mitigation?

  A. Rotate keys frequently
  B. Enforce MFA for privileged users
  C. Implement uniform encryption strength
  D. Centralized logging
  C. Implement uniform encryption strength

  ---

  Explanation

  CEH v13 explains that cryptographic consistency is essential for secure session management. Variable token lengths can leak information about encryption methods, key sizes, or user privilege levels, making sessions vulnerable to cryptanalysis or targeted attacks.

  The most effective mitigation is implementing uniform encryption strength across all roles , ensuring consistent key sizes, algorithms, and token formats. While MFA improves authentication and key rotation improves lifecycle management, neither directly resolves cryptographic inconsistency.

  CEH v13 stresses that encryption should be role-agnostic and standardized. Therefore, Option C is correct.

• Question 130:

  Null sessions are un-authenticated connections (not using a username or password.) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network?

  A. 137 and 139
  B. 137 and 443
  C. 139 and 443
  D. 139 and 445
  D. 139 and 445

  ---

  Explanation