EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 141:

  An attacker places a malicious VM on the same physical server as a target VM in a multi-tenant cloud environment. The attacker then extracts cryptographic keys using CPU timing analysis. What type of attack was conducted?

  A. Side-channel attack
  B. Cloud cryptojacking
  C. Cache poisoned denial of service (CPDoS)
  D. Metadata spoofing
  A. Side-channel attack

  ---

  Explanation

  CEH cloud modules explain that side-channel attacks exploit indirect information leakage based on hardware characteristics-such as CPU timing, power usage, cache access patterns, or electromagnetic emissions. In virtualized cloud environments, multiple tenants share the same physical hardware, creating opportunities for attackers to extract sensitive data from neighboring virtual machines. By placing a malicious VM on the same host as the victim, an attacker can measure minute differences in timing during cryptographic operations, allowing them to infer private keys or sensitive computations. This aligns precisely with CEH's definition of a side-channel attack. Cryptojacking involves unauthorized cryptocurrency mining, CPDoS targets caching layers rather than key extraction, and metadata spoofing manipulates cloud metadata endpoints. Only side- channel analysis matches the described attack behavior.

• Question 142:

  Mike, a security engineer, was recently hired by BigFox Ltd. The company recently experienced disastrous DoS attacks. The management had instructed Mike to build defensive strategies for the company's IT infrastructure to thwart DoS/DDoS attacks. Mike deployed some countermeasures to handle jamming and scrambling attacks. What is the countermeasure Mike applied to defend against jamming and scrambling attacks?

  A. Allow the usage of functions such as gets and strcpy
  B. Allow the transmission of all types of addressed packets at the ISP level
  C. Implement cognitive radios in the physical layer
  D. Disable TCP SYN cookie protection
  C. Implement cognitive radios in the physical layer

  ---

  Explanation

  Jamming and scrambling are attacks targeting the physical layer of the OSI model, often affecting wireless communication by generating interference to disrupt signal transmission. To mitigate such attacks, one advanced countermeasure is the use of Cognitive Radios.

  According to CEH v13 Official Courseware:

  Cognitive radios are intelligent radio systems capable of sensing the radio frequency (RF) environment and dynamically adjusting their operating parameters (e.g., frequency, modulation) to avoid interference and jamming.

  They enable dynamic spectrum access and help in improving spectrum efficiency and resilience against jamming.

  This approach falls under physical-layer security mechanisms.

  Incorrect Options:

  A. gets and strcpy are unsafe functions vulnerable to buffer overflow, not relevant to DoS protection.

  B. Allowing all types of packets increases risk and is not a mitigation.

  D. TCP SYN cookies protect against SYN flood attacks and disabling them weakens security.

  CEH v13 Official Courseware:

  Module 10: Denial-of-Service (DoS) Attacks

  Section: "Defensive Strategies Against Jamming and DoS Attacks"

  Subsection: "Physical Layer Countermeasures"

• Question 143:

  "ShadowFlee" is fileless malware using PowerShell and legitimate tools. Which strategy offers the most focused countermeasure?

  A. Restrict and monitor script and system tool execution
  B. Isolate systems and inspect traffic
  C. Schedule frequent reboots
  D. Clean temporary folders
  A. Restrict and monitor script and system tool execution

  ---

  Explanation

  CEH v13 classifies this malware as fileless malware , which resides in memory and abuses legitimate system tools (Living-off-the-Land techniques). Traditional antivirus solutions are often ineffective.

  CEH v13 recommends:

  Script control (PowerShell Constrained Language Mode)

  Application whitelisting

  Monitoring parent-child process relationships

  These measures directly target the malware's execution method. Reboots and folder cleanup do not address in- memory persistence.

• Question 144:

  Based on the below log, which of the following sentences are true?

  Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip

  A. Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server.
  B. Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the client.
  C. SSH communications are encrypted; it's impossible to know who is the client or the server.
  D. Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server.
  D. Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server.

  ---

  Explanation

  Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip

  Let's just disassemble this entry.

  Mar 1, 2016, 7:33:28 AM - time of the request

  10.240.250.23 - 54373 - client's IP and port 10.249.253.15 - server IP

  - 22 - SSH port

• Question 145:

  During an attempt to perform an SQL injection attack, a certified ethical hacker is focusing on the identification of database engine type by generating an ODBC error. The ethical hacker, after injecting various payloads, finds that the web application returns a standard, generic error message that does not reveal any detailed database information. Which of the following techniques would the hacker consider next to obtain useful information about the underlying database?

  A. Use the UNION operator to combine the result sets of two or more SELECT statements
  B. Attempt to compromise the system through OS-level command shell execution
  C. Try to insert a string value where a number is expected in the input field
  D. Utilize a blind injection technique that uses time delays or error signatures to extract information
  D. Utilize a blind injection technique that uses time delays or error signatures to extract information

  ---

  Explanation

  The technique that the hacker would consider next to obtain useful information about the underlying database is to utilize a blind injection technique that uses time delays or error signatures to extract information. A blind injection technique is a type of SQL injection technique that is used when the web application does not return any detailed error messages or data from the database, but only indicates whether the query was executed successfully or not. A blind injection technique relies on sending specially crafted SQL queries that cause a noticeable change in the behavior or response of the web application, such as a time delay or an error signature, which can then be used to infer information about the database. For example, the hacker could use the following methods12:

  Time-based blind injection: This method involves injecting a SQL query that contains a time delay function, such as SLEEP() or WAITFOR DELAY, which pauses the execution of the query for a specified amount of time. The hacker can then measure the time difference between the normal and the delayed responses, and use it to determine whether the injected query was true or false. By using this method, the hacker can perform a binary search to guess the values of the data in the database, one bit at a time.

  Error-based blind injection: This method involves injecting a SQL query that contains a deliberate error, such as a division by zero, a type mismatch, or an invalid conversion, which causes the database to generate an error message. The hacker can then analyze the error message, which may contain useful information about the database, such as the version, the name, the structure, or the data. By using this method, the hacker can exploit the error handling mechanism of the database to extract information.

  The other options are not as suitable as option D for the following reasons:

  A. Use the UNION operator to combine the result sets of two or more SELECT statements: This option is not feasible because it requires the web application to return data from the database, which is not the case in this scenario. The UNION operator is a SQL operator that allows the hacker to append the results of another SELECT statement to the original query, and display them as part of the web page. This way, the hacker can retrieve data from other tables or columns that are not intended to be shown

  by the web application. However, this option does not work when the web application does not return any data or error messages from the database, as in this scenario3.

  B. Attempt to compromise the system through OS-level command shell execution: This option is not relevant because it is not a SQL injection technique, but a post-exploitation technique. OS-level command shell execution is a method of gaining access to the underlying operating system of the web server, by injecting a SQL query that contains a system command, such as xp_cmdshell, exec, or shell_exec, which executes the command on the server. This way, the hacker can perform various actions on the

  server, such as uploading files, downloading files, or running programs. However, this option does not help to obtain information about the database, which is the goal of this scenario4.

  C. Try to insert a string value where a number is expected in the input field: This option is not effective because it is a basic SQL injection technique that is used to detect SQL injection vulnerabilities, not to exploit them. Inserting a string value where a number is expected in the input field is a method of triggering a syntax error in the SQL query, which may reveal the structure or the content of the query in the error message. This way, the hacker can identify the vulnerable parameters and the type of the

  database. However, this option does not work when the web application does not return any detailed error messages from the database, as in this scenario5.

  References:

  1: Blind SQL Injection - OWASP Foundation

  2: Blind SQL Injection - an overview | ScienceDirect Topics

  3: SQL Injection Union Attacks - OWASP Foundation

  4: OS Command Injection - OWASP Foundation

  5: SQL Injection - OWASP Foundation

• Question 146:

  An attacker plans to compromise IoT devices to pivot into OT systems. What should be the immediate action?

  A. Perform penetration testing
  B. Secure IoTT communications with encryption and authentication
  C. Deploy ML-based threat prediction
  D. Deploy an IPS
  B. Secure IoTT communications with encryption and authentication

  ---

  Explanation

  CEH v13 stresses that IoT-to-OT convergence is one of the most dangerous architectures in critical infrastructure environments. IoT devices often lack strong security controls and become ideal entry points for lateral movement into OT systems controlling physical processes.

  The immediate priority is to secure the communication boundary between IoT and OT systems. Implementing strong encryption, authentication, and access control ensures that even if an IoT device is compromised, it cannot be used as a pivot point. CEH v13 explicitly recommends network segmentation and secure communication channels as first-response containment measures.

  Penetration testing (Option A) is valuable but time-consuming and not an immediate mitigation. ML-based tools (Option C) require training time and are not instant safeguards. IPS deployment (Option D) helps detect attacks but does not prevent credential abuse or trusted-path exploitation between IoT and OT layers.

  By enforcing secure protocols, certificates, and authentication mechanisms, the organization reduces attack surface immediately. Thus, Option B is correct.

• Question 147:

  What type of analysis is performed when an attacker has partial knowledge of inner-workings of the application?

  A. Black-box
  B. Announced
  C. White-box
  D. Grey-box
  D. Grey-box

  ---

  Explanation

  Comprehensive and Detailed Explanation From CEH v13 Guide:

  Grey-box testing is a hybrid method where the tester has partial knowledge of the internal workings of the system, allowing for a more focused and efficient assessment of security vulnerabilities compared to black- box (no knowledge) and white-box (full knowledge). This approach simulates an insider threat or a user with limited access rights.

  CEH v13 Reference:

  Module 15: Hacking Web Applications - Types of Penetration Testing

  "Gray-box testing assumes partial knowledge of internal structures, combining elements of both black-box and white-box testing."

• Question 148:

  Garry is a network administrator in an organization. He uses SNMP to manage networked devices from a remote location. To manage nodes in the network, he uses MIB. which contains formal descriptions of all network objects managed by SNMP. He accesses the contents of MIB by using a web browser either by entering the IP address and Lseries.mlb or by entering the DNS library name and Lseries.mlb. He is currently retrieving information from an MIB that contains object types for workstations and server services. Which of the following types of MIB is accessed by Garry in the above scenario?

  A. LNMIB2.MIB
  B. WINS.MIB
  C. DHCP.MIS
  D. MIB_II.MIB
  A. LNMIB2.MIB

  ---

  Explanation

  DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts

  # HOSTMIB.MIB: Monitors and manages host resources

  # LNMIB2.MIB: Contains object types for workstation and server services

  # MIBJI.MIB: Manages TCP/IP-based Internet using a simple architecture and system

  # WINS.MIB: For the Windows Internet Name Service (WINS)

• Question 149:

  What useful information is gathered during a successful Simple Mail Transfer Protocol (SMTP) enumeration?

  A. The two internal commands VRFY and EXPN provide a confirmation of valid users, email addresses, aliases, and mailing lists.
  B. Reveals the daily outgoing message limits before mailboxes are locked
  C. The internal command RCPT provides a list of ports open to message traffic.
  D. A list of all mail proxy server addresses used by the targeted host
  A. The two internal commands VRFY and EXPN provide a confirmation of valid users, email addresses, aliases, and mailing lists.

  ---

  Explanation

  SMTP enumeration involves probing a mail server to gather information about users and configurations. Two important SMTP commands used in enumeration are:

  VRFY: Verifies whether a particular email address or user ID exists on the mail server.

  EXPN: Reveals the actual addresses behind a mailing list or alias.

  These commands allow attackers or penetration testers to enumerate valid user accounts or group memberships, which can later be targeted for phishing, spam, or brute-force attacks.

  Incorrect Options:

  B. Daily outgoing message limits are not typically disclosed via SMTP.

  C. RCPT TO is used to designate a message recipient, but it doesn't enumerate open ports.

  D. Mail proxy addresses are not revealed directly via SMTP enumeration.

  CEH v13 Official Courseware:

  Module 04: Enumeration

  Section: "SMTP Enumeration Techniques"

  Tool Reference: smtp-user-enum, Netcat

• Question 150:

  You have compromised a server and successfully gained a root access. You want to pivot and pass traffic undetected over the network and evade any possible Intrusion Detection System. What is the best approach?

  A. Use Alternate Data Streams to hide the outgoing packets from this server.
  B. Use HTTP so that all traffic can be routed vis a browser, thus evading the internal Intrusion Detection Systems.
  C. Install Cryptcat and encrypt outgoing packets from this server.
  D. Install and use Telnet to encrypt all outgoing traffic from this server.
  C. Install Cryptcat and encrypt outgoing packets from this server.

  ---

  Explanation

  https://linuxsecurityblog.com/2018/12/23/create-a-backdoor-with-cryptcat/

  Cryptcat enables us to communicate between two systems and encrypts the communication between them with twofish, one of many excellent encryption algorithms from Bruce Schneier et al. Twofish's encryption is on par with AES encryption, making it nearly bulletproof. In this way, the IDS can't detect the malicious behavior taking place even when its traveling across normal HTTP ports like 80 and 443.