EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 131:

  An LDAP directory can be used to store information similar to a SQL database. LDAP uses a _____ database structure instead of SQL's _____ structure. Because of this, LDAP has difficulty representing many-to-one relationships.

  A. Relational, Hierarchical
  B. Strict, Abstract
  C. Hierarchical, Relational
  D. Simple, Complex
  C. Hierarchical, Relational

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  LDAP (Lightweight Directory Access Protocol) uses a hierarchical data structure similar to a directory tree. SQL databases use a relational structure with tables, rows, and columns.

  Because of its hierarchical nature:

  LDAP is excellent for parent-child relationships.

  It struggles with representing many-to-many or many-to-one relationships efficiently.

  From CEH v13 Courseware:

  Module 4: Enumeration # LDAP Basics Reference:CEH v13 Study Guide - Module 4: LDAP vs. SQL Data StructuresRFC 4511 - LDAP Protocol

• Question 132:

  Mirai malware targets IoT devices. After infiltration, it uses them to propagate and create botnets that are then used to launch which types of attack?

  A. MITM attack
  B. Birthday attack
  C. DDoS attack
  D. Password attack
  C. DDoS attack

  ---

  Explanation

  The Mirai malware primarily targets Internet of Things (IoT) devices with weak or default credentials. Once infected, these devices become part of a botnet that the attacker controls remotely. The primary use of Mirai botnets is to perform Distributed Denial of Service (DDoS) attacks.

  DDoS attacks flood a target (server, application, or network) with massive traffic, overwhelming resources and causing service outages.

  Mirai gained infamy after being used in large-scale DDoS attacks, including against DNS provider Dyn, which caused widespread internet outages.

  Incorrect Options:

  A. MITM attacks involve intercepting communications.

  B. Birthday attacks are cryptographic hash collision techniques.

  D. Password attacks refer to credential brute-forcing; although Mirai uses default credentials, its main attack vector is DDoS.

  CEH v13 Official Courseware:

  Module 18: IoT and OT Hacking

  Section: "IoT Malware"

  Subsection: "Mirai Botnet and Real-World Attacks"

  CEH Engage: IoT Botnet Simulation

• Question 133:

  An unauthorized individual enters a building following an employee through the employee entrance after the lunch rush. What type of breach has the individual just performed?

  A. Reverse Social Engineering
  B. Tailgating
  C. Piggybacking
  D. Announced
  B. Tailgating

  ---

  Explanation

  Identifying operating systems, services, protocols and devices, Collecting unencrypted information about usernames and passwords, Capturing network traffic for further analysis are passive network sniffing methods since with the help of them we only receive information and do not make any changes to the target network.

  When modifying and replaying the captured network traffic, we are already starting to make changes and actively interact with it.

• Question 134:

  A penetration tester is assessing an IoT thermostat used in a smart home system. The device communicates with a cloud server for updates and commands. The tester discovers that communication between the device and the cloud server is not encrypted. What is the most effective way to exploit this vulnerability?

  A. Conduct a Cross-Site Scripting (XSS) attack on the thermostat's web interface
  B. Perform a brute-force attack on the thermostat's local admin login
  C. Execute a SQL injection attack on the cloud server's login page
  D. Use a man-in-the-middle (MitM) attack to intercept and manipulate unencrypted communication
  D. Use a man-in-the-middle (MitM) attack to intercept and manipulate unencrypted communication

  ---

  Explanation

  IoT devices that transmit data without encryption expose all communication to interception. CEH explains that attackers can position themselves between the IoT device and cloud service to manipulate or capture traffic. A MitM attack enables interception of commands, credentials, and firmware data due to the absence of TLS protections.

• Question 135:

  To hide the file on a Linux system, you have to start the filename with a specific character. What is the character?

  A. Exclamation mark (!)
  B. Underscore (_)
  C. Tilde (~)
  D. Period (.)
  D. Period (.)

  ---

  Explanation

  On Linux and UNIX-like systems, files or directories that begin with a period (.) are considered hidden. These files do not appear by default when a user runs the ls command, unless explicitly instructed to show hidden files using ls -a.

  Example:

  File named .hiddenfile will not appear with a simple ls command.

  To view it, use: ls -a

  This is commonly used for configuration files (e.g., .bashrc, .profile) and also by attackers or malicious users who want to conceal their scripts or payloads.

  Incorrect Options:

  A. Exclamation mark (!) is used in shell history and command expansion, not for hiding files.

  B. Underscore (_) is a valid filename character but does not hide files.

  C. Tilde (~) represents the current user's home directory; not used for hiding.

  Reference CEH v13 Official Courseware:

  Module 06: Malware Threats

  Section: "Tactics to Hide Malware Files in the OS"

  Lab: CEH Engage - Creating and Hiding Files in Linux

• Question 136:

  You are a cybersecurity consultant for a healthcare organization that utilizes Internet of Medical Things (loMT) devices, such as connected insulin pumps and heart rate monitors, to provide improved patientcare. Recently, the organization has been targeted by ransomware attacks. While the IT infrastructure was unaffected due to robust security measures, they are worried that the loMT devices could be potential entry points for future attacks. What would be your main recommendation to protect these devices from such threats?

  A. Implement multi-factor authentication for all loMT devices.
  B. Disable all wireless connectivity on loMT devices.
  C. Use network segmentation to isolate loMT devices from the main network.
  D. Regularly change the IP addresses of all loMT devices.
  C. Use network segmentation to isolate loMT devices from the main network.

  ---

  Explanation

  Internet of Medical Things (IoMT) devices are internet-connected medical devices that can collect, transfer, and analyze data over a network. They can provide improved patient care and comfort, but they also pose security challenges and risks, as they can be targeted by cyberattacks, such as ransomware, that can compromise their functionality, integrity, or confidentiality. Ransomware is a type of malware that encrypts the victim's data or system and demands a ransom for its decryption or restoration.

  Ransomware attacks can cause serious harm to healthcare organizations, as they can disrupt their operations, endanger their patients, and damage their reputation.

  To protect IoMT devices from ransomware attacks, the main recommendation is to use network segmentation to isolate IoMT devices from the main network. Network segmentation is a technique that divides a network into smaller subnetworks, each with its own security policies and controls. Network segmentation can prevent or limit the spread of ransomware from one subnetwork to another, as it restricts the communication and access between them. Network segmentation can also improve the performance, visibility, and manageability of the network, as it reduces the network congestion, complexity, and noise.

  The other options are not as effective or feasible as network segmentation. Implementing multi-factor authentication for all IoMT devices may not be possible or practical, as some IoMT devices may not support or require user authentication, such as sensors or monitors. Disabling all wireless connectivity on IoMT devices may not be desirable or realistic, as some IoMT devices rely on wireless communication protocols, such as Wi-Fi, Bluetooth, or Zigbee, to function or transmit data. Regularly changing the IP addresses of all IoMT devices may not prevent or deter ransomware attacks, as ransomware can target devices based on other factors, such as their domain names, MAC addresses, or vulnerabilities. References:

  What Is Internet of Medical Things (IoMT) Security?

  5 Steps to Secure Internet of Medical Things Devices

  Ransomware in Healthcare: How to Protect Your Organization

  [Network Segmentation: Definition, Benefits, and Best Practices]

• Question 137:

  Log monitoring tools performing behavioral analysis have alerted several suspicious logins on a Linux server occurring during non-business hours. After further examination of all login activities, it is noticed that none of the logins have occurred during typical work hours. A Linux administrator who is investigating this problem realizes the system time on the Linux server is wrong by more than twelve hours. What protocol used on Linux servers to synchronize the time has stopped working?

  A. Time Keeper
  B. NTP
  C. PPP
  D. OSPP
  B. NTP

  ---

  Explanation

  Comprehensive and Detailed Explanation From CEH v13 Guide:

  The Network Time Protocol (NTP) is used by systems, including Linux servers, to synchronize their clocks with a time server. If NTP fails, time discrepancies may lead to inaccurate log records and affect security monitoring.

  CEH v13 Reference:

  Module 17: Evading IDS, Firewalls, and Honeypots - Log Tampering

  "Accurate timekeeping is essential for proper logging and correlation. NTP ensures system time is synchronized across hosts."

• Question 138:

  Multiple failed login attempts using expired tokens are followed by successful access with a valid token.

  What is the most likely attack scenario?

  A. Capturing a valid token before expiry
  B. Token replay attack using expired tokens
  C. Brute-forcing token generation
  D. Exploiting a race condition in token validation
  D. Exploiting a race condition in token validation

  ---

  Explanation

  This scenario strongly suggests a race condition attack in the application's token validation logic, as described in CEH v13 Web Application Hacking . A race condition occurs when an application processes multiple requests simultaneously and fails to properly synchronize validation checks.

  The presence of multiple failed attempts using expired tokens followed by successful access within a short time window indicates the attacker exploited a timing flaw. During this window, the system may have inconsistently validated token expiration, allowing an expired token to be accepted.

  Option A is unlikely because the logs specifically reference expired tokens. Option B is incorrect because replaying expired tokens should fail unless a validation flaw exists. Option C is highly improbable due to token entropy.

  CEH v13 highlights race conditions as advanced logic flaws that are difficult to detect and often missed during standard testing. They are commonly exploited in authentication, payment processing, and session management systems.

  Therefore, Option D is the correct and CEH-aligned answer.

• Question 139:

  Stephen, an attacker, targeted the industrial control systems of an organization. He generated a fraudulent email with a malicious attachment and sent it to employees of the target organization. An employee who manages the sales software of the operational plant opened the fraudulent email and clicked on the malicious attachment. This resulted in the malicious attachment being downloaded and malware being injected into the sales software maintained in the victim's system. Further, the malware propagated itself to other networked systems, finally damaging the industrial automation components.

  What is the attack technique used by Stephen to damage the industrial systems?

  A. Spear-phishing attack
  B. SMiShing attack
  C. Reconnaissance attack
  D. HMI-based attack
  A. Spear-phishing attack

  ---

  Explanation

  In CEH v13 Module 09: Social Engineering, spear-phishing is described as a targeted email-based attack in which malicious actors craft highly personalized emails to specific individuals within an organization.

  Characteristics from the scenario:

  The attacker sends a fraudulent email to an employee.

  The email contains a malicious attachment.

  Once opened, malware is installed, targeting ICS/SCADA components. The attack spreads and ultimately damages industrial systems.

  This is a classic spear-phishing attack used as the initial infection vector in Advanced Persistent Threats (APT) targeting industrial control systems.

  Why Others Are Incorrect:

  B. SMiShing: SMS-based phishing; not email-related.

  C. Reconnaissance: Pre-attack information gathering, not execution.

  D. HMI-based attack: Targets Human-Machine Interface devices, but that's not how the attack started here.

  Module 09 - Social Engineering # Spear Phishing in Critical Infrastructure

  CEH iLabs: ICS Infection via Spear Phishing Simulation

• Question 140:

  An e-commerce platform hosted on a public cloud infrastructure begins to experience significant latency and timeouts. Logs show thousands of HTTP connections sending headers extremely slowly and never completing the full request. What DoS technique is most likely responsible?

  A. Slowloris holding web server connections
  B. Fragmentation flood attack
  C. UDP application-layer flooding
  D. SYN flood with spoofed source IPs
  A. Slowloris holding web server connections

  ---

  Explanation

  CEH v13 identifies Slowloris as a low-bandwidth yet highly effective application-layer DoS technique that works by opening many HTTP connections and sending headers very slowly, never completing the request. Because the server must maintain these half-open HTTP sessions, its connection pool becomes saturated, preventing it from servicing legitimate users. Slowloris is particularly dangerous because it does not rely on malformed packets, high traffic volume, or protocol abuses; instead, it mimics legitimate HTTP behavior, making it difficult for firewalls or IDS systems to distinguish malicious traffic. This aligns exactly with the described scenario, where thousands of legitimate-looking HTTP connections are gradually consuming server resources. Fragmentation attacks (Option B) target packet reconstruction, UDP floods (Option C) generate high-bandwidth noise, and SYN floods (Option D) impact the TCP handshake layer, not the HTTP header behavior. Slowloris' unique use of slow HTTP headers directly matches the symptoms described.