EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 151:

  A large enterprise has been experiencing sporadic system crashes and instability, resulting in limited access to its web services. The security team suspects it could be a result of a Denial of Service (DoS) attack. A significant increase in traffic was noticed in the network logs, with patterns suggesting packet sizes exceeding the prescribed size limit. Which among the following DoS attack techniques best describes this scenario?

  A. UDP flood attack
  B. Smurf attack
  C. Pulse wave attack
  D. Ping of Death attack
  D. Ping of Death attack

  ---

  Explanation

  A Ping of Death attack is a type of DoS attack that exploits a vulnerability in the IP protocol that allows packets to be fragmented and reassembled at the destination. The attacker sends a malformed packet that exceeds the maximum size of 65,535 bytes, which causes the target system to crash or become unstable when it tries to reassemble the packet. This attack can affect various operating systems and devices, such as routers, switches, and firewalls. A Ping of Death attack can be detected by monitoring the network traffic for unusually large packets or ICMP messages.

  References:

  Ping of Death (PoD) Attack

  Denial-of-Service Attacks: History, Techniques and Prevention

  What is a denial-of-service (DoS) attack?

• Question 152:

  Chandler works as a pen-tester in an IT firm in New York. As part of detecting viruses in the systems, he uses a detection method where the antivirus executes the malicious code on a virtual machine to simulate CPU and memory activities.

  Which type of virus detection method did Chandler use in this context?

  A. Heuristic Analysis
  B. Code Emulation
  C. Scanning
  D. Integrity checking
  B. Code Emulation

  ---

  Explanation

  In CEH v13 Module 06: Malware Threats, code emulation is defined as a technique used by modern antivirus software where a virtual CPU and memory are created to safely execute and analyze malware in a sandboxed environment.

  This allows the detection engine to observe runtime behavior of suspicious code without risking the actual system.

  It's more effective than signature-based detection for catching polymorphic and obfuscated malware.

  Module 06 - Malware Detection Techniques

  CEH eBook: Heuristic vs. Emulation-Based Detection

  CEH iLabs: Malware Analysis with Emulation and Behavior-Based Techniques

• Question 153:

  A cybersecurity analyst monitors competitors' web content for changes indicating strategic shifts. Which missing component is most crucial for effective passive surveillance?

  A. Participating in competitors' blogs and forums
  B. Setting up Google Alerts for competitor names and keywords
  C. Using a VPN to hide the analyst's IP address
  D. Hiring a third party to hack competitor databases
  B. Setting up Google Alerts for competitor names and keywords

  ---

  Explanation

  The CEH Footprinting and Reconnaissance module highlights Google Alerts as a key passive reconnaissance tool for monitoring changes in web content, news, and online mentions.

  Option B is correct.

  Option A is active engagement.

  Option C aids anonymity but not monitoring.

  Option D is illegal and unethical.

  CEH strongly promotes automated alerting for competitive intelligence.

• Question 154:

  You are a cybersecurity consultant for a global organization. The organization has adopted a Bring Your Own Device (BYOD)policy, but they have recently experienced a phishing incident where an employee's device was compromised. In the investigation, you discovered that the phishing attack occurred through a third-party email app that the employee had installed. Given the need to balance security and user autonomy under the BYOD policy, how should the organization mitigate the risk of such incidents? Moreover, consider a measure that would prevent similar attacks without overly restricting the use of personal devices.

  A. Provide employees with corporate-owned devices for work-related tasks.
  B. Implement a mobile device management solution that restricts the installation of non-approved applications.
  C. Require all employee devices to use a company-provided VPN for internet access.
  D. Conduct regular cybersecurity awareness training, focusing on phishing attacks.
  D. Conduct regular cybersecurity awareness training, focusing on phishing attacks.

  ---

  Explanation

  The best measure to prevent similar attacks without overly restricting the use of personal devices is to conduct regular cybersecurity awareness training, focusing on phishing attacks. Cybersecurity awareness training is a process of educating and empowering employees on the best practices and behaviors to protect themselves and the organization from cyber threats, such as phishing, malware, ransomware, or data breaches. Cybersecurity awareness training can help the organization mitigate the risk of phishing incidents by providing the following benefits12:

  It can increase the knowledge and skills of employees on how to identify and avoid phishing emails, messages, or links, such as by checking the sender, the subject, the content, the attachments, and the URL of the message, and by verifying the legitimacy and authenticity of the message before responding or clicking.

  It can enhance the attitude and culture of employees on the importance and responsibility of cybersecurity, such as by encouraging them to report any suspicious or malicious activity, to follow the security policies and guidelines, and to seek help or guidance when in doubt or trouble.

  It can reduce the human error and negligence that are often the main causes of phishing incidents, such as by reminding employees to update their devices and applications, to use strong and unique passwords, to enable multi-factor authentication, and to backup their data regularly.

  The other options are not as optimal as option D for the following reasons:

  A. Provide employees with corporate-owned devices for work-related tasks: This option is not feasible because it contradicts the BYOD policy, which allows employees to use their personal devices for work- related tasks. Providing employees with corporate-owned devices would require the organization to incur additional costs and resources, such as purchasing, maintaining, and securing the devices, as well as training and supporting the employees on how to use them. Moreover, providing employees with

  corporate-owned devices would not necessarily prevent phishing incidents, as the devices could still be compromised by phishing emails, messages, or links, unless the organization implements strict security controls and policies on the devices, which may limit the user autonomy and productivity3.

  B. Implement a mobile device management solution that restricts the installation of non-approved applications: This option is not desirable because it violates the user autonomy and privacy under the BYOD policy, which allows employees to use their personal devices for both personal and professional purposes. Implementing a mobile device management solution that restricts the installation of non-approved applications would require the organization to monitor and control the devices of the employees,

  which may raise legal and ethical issues, such as data ownership, consent, and compliance. Furthermore, implementing a mobile device management solution that restricts the installation of non-approved applications would not completely prevent phishing incidents, as the employees could still receive phishing emails, messages, or links through the approved applications, unless the organization implements strict security controls and policies on the applications, which may affect the user experience and

  functionality4.

  C. Require all employee devices to use a company-provided VPN for internet access: This option is not sufficient because it does not address the root cause of phishing incidents, which is the human factor. Requiring all employee devices to use a company-provided VPN for internet access would provide the organization with some benefits, such as encrypting the network traffic, hiding the IP address, and bypassing geo-restrictions. However, requiring all employee devices to use a company-provided VPN

  for internet access would not prevent phishing incidents, as the employees could still fall victim to phishing emails, messages, or links that lure them to malicious websites or applications, unless the organization implements strict security controls and policies on the VPN, which may affect the network performance and reliability.

  References:

  1: What is Cybersecurity Awareness Training? | Definition, Benefits and Best Practices | Kaspersky

  2: How to Prevent Phishing Attacks with Security Awareness Training | Infosec

  3: BYOD vs. Corporate-Owned Devices: Pros and Cons | Bitglass

  4: Mobile Device Management (MDM) | OWASP Foundation

• Question 155:

  CompanyXYZ has asked you to assess the security of their perimeter email gateway. From your office in New York, you craft a specially formatted email message and send it across the Internet to an employee of CompanyXYZ. The employee of CompanyXYZ is aware of your test. Your email message looks like this:

  From: [email protected]

  To: [email protected] Subject: Test message

  Date: 4/3/2017 14:37

  The employee of CompanyXYZ receives your email message.

  This proves that CompanyXYZ's email gateway doesn't prevent what?

  A. Email Masquerading
  B. Email Harvesting
  C. Email Phishing
  D. Email Spoofing
  D. Email Spoofing

  ---

  Explanation

  Email spoofing is the fabrication of an email header in the hopes of duping the recipient into thinking the email originated from someone or somewhere other than the intended source. Because core email protocols do not have a built-in method of authentication, it is common for spam and phishing emails to use said spoofing to trick the recipient into trusting the origin of the message. The ultimate goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation. Although the spoofed messages are usually just a nuisance requiring little action besides removal, the more malicious varieties can cause significant problems and sometimes pose a real security threat.

• Question 156:

  In ethical hacking, what is black box testing -

  A. Testing using only publicly available information
  B. Testing without any prior knowledge of the system
  C. Testing with full system knowledge
  D. Testing knowing only inputs and outputs
  B. Testing without any prior knowledge of the system

  ---

  Explanation

  According to CEH v13 black box testing , refers to a testing approach where the ethical hacker has no prior knowledge of the internal structure, source code, or configuration of the system.

  The attacker simulates a real-world external attacker, relying solely on discovery and exploitation techniques.

  White box testing = full knowledge

  Gray box testing = partial knowledge

• Question 157:

  Self-replicating malware causes redundant traffic, crashes, and spreads autonomously. What malware type is responsible, and how should it be handled?

  A. Worm - isolate systems, scan network, update OS
  B. Ransomware - disconnect, back up data, decrypt
  C. Trojan - scan systems and patch
  D. Rootkit - reboot and deploy scanner
  A. Worm - isolate systems, scan network, update OS

  ---

  Explanation

  This scenario describes a worm infection , as defined in CEH v13 Malware Threats . Worms are self- replicating malware that spread autonomously across networks without user interaction. Their propagation often results in excessive network traffic system crashes, and resource exhaustion , which aligns with the symptoms described.

  CEH v13 differentiates worms from other malware:

  Ransomware encrypts data but does not self-propagate aggressively.

  Trojans require user execution.

  Rootkits focus on stealth and persistence rather than replication.

  The appropriate response prioritizes containment and eradication . Quarantining affected systems prevents further spread. A network-wide antivirus sweep with updated signatures removes known worm variants. Updating operating systems closes vulnerabilities that worms exploit for propagation.

  CEH v13 stresses rapid isolation and patching as critical measures to control worm outbreaks and restore network stability. Therefore, Option A is correct.

• Question 158:

  You are instructed to perform a TCP NULL scan. In the context of TCP NULL scanning, which response indicates that a port on the target system is closed -

  A. ICMP error message
  B. TCP SYN/ACK packet
  C. No response
  D. TCP RST packet
  D. TCP RST packet

  ---

  Explanation

  TCP NULL scanning is a stealth scanning technique covered in CEH v13 Reconnaissance and Network Scanning . In a NULL scan, all TCP flags are set to zero. According to RFC 793 and CEH documentation, closed ports must respond with a TCP RST (Reset) packet.

  If the port is open, the target typically does not respond , making this technique useful for firewall evasion.

  Therefore:

  RST response Closed port

  No response Open or filtered port

  Other options do not apply to NULL scans:

  SYN/ACK is associated with SYN scans.

  ICMP errors may indicate filtering, not port state.

• Question 159:

  Attacker Simon targeted the communication network of an organization and disabled the security controls of NetNTLMvl by modifying the values of LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic. He then extracted all the non-network logon tokens from all the active processes to masquerade as a legitimate user to launch further attacks. What is the type of attack performed by Simon?

  A. Internal monologue attack
  B. Combinator attack
  C. Rainbow table attack
  D. Dictionary attack
  A. Internal monologue attack

  ---

  Explanation

  Types of Password Attacks - Active Online Attacks: Internal Monologue Attack Attackers perform an internal monologue(##) attack using SSPI (Security Support Provider Interface) from a user-mode application, where a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on user.Attacker disables the security controls of NetNTLMv1, extracts all the non- network logon tokens from all the active processes to masquerade as legitimate users. (P.594/578)

• Question 160:

  Password cracking programs reverse the hashing process to recover passwords. (True/False.)

  A. True
  B. False
  B. False

  ---

  Explanation

  Hashing is a one-way function--by design, it cannot be reversed. Password-cracking tools do not "reverse" the hash. Instead, they:

  Generate a list of potential passwords.

  Hash each candidate using the same algorithm.

  Compare the result to the target hash.

  If a match is found, the original password is revealed by correlation, not reversal.

  From CEH v13 Official Courseware:

  Module 6: Cryptography and Password Cracking

  CEH v13 Study Guide states:

  "Hash functions are one-way and irreversible. Password-cracking tools work by hashing wordlists or character combinations and comparing them to known password hashes."

  CEH v13 Study Guide - Module 6: Password Hashing ConceptsNIST FIPS 180-4 - Secure Hash Standard