EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 161:

  You perform a network scan using ICMP Echo Requests and observe that certain IP addresses do not return Echo Replies, while other network services remain functional. How should this situation be interpreted?

  A. The scanned IPs are unused and available for expansion
  B. The lack of replies indicates a major breach
  C. A firewall or security control is blocking ICMP Echo Requests
  D. The non-responsive IPs indicate severe congestion
  C. A firewall or security control is blocking ICMP Echo Requests

  ---

  Explanation

  According to CEH v13 Network Scanning and Enumeration , ICMP Echo Requests (ping) are commonly filtered by firewalls and intrusion prevention systems to reduce network reconnaissance exposure. When ICMP Echo Replies are not returned but other services remain operational, the most likely explanation is ICMP filtering rather than host unavailability or compromise.

  CEH v13 explicitly states that many organizations configure firewalls to block ICMP Echo Requests while allowing other ICMP types or higher-layer protocols. This practice helps prevent attackers from easily mapping live hosts during the reconnaissance phase.

  The other options are incorrect because:

  Unused IPs would not necessarily have active services.

  A breach would typically present additional symptoms.

  Network congestion would affect multiple protocols, not just ICMP.

  Thus, blocked ICMP is the correct interpretation.

• Question 162:

  What is the purpose of a demilitarized zone on a network?

  A. To scan all traffic coming through the DMZ to the internal network
  B. To only provide direct access to the nodes within the DMZ and protect the network behind it
  C. To provide a place to put the honeypot
  D. To contain the network devices you wish to protect
  B. To only provide direct access to the nodes within the DMZ and protect the network behind it

  ---

  Explanation

  A demilitarized zone (DMZ) is a buffer zone between a trusted internal network and an untrusted external network (usually the internet). Public-facing services like web servers, email servers, and DNS servers are typically placed in the DMZ. These nodes can be accessed from the internet, but the DMZ design ensures that unauthorized access to the internal network is blocked or highly restricted.

  The purpose is to provide access to certain systems without exposing the internal network directly.

  CEH v13 eCourseware - Module 02: Footprinting and Reconnaissance # Network Topologies and Firewalls

  CEH v13 Study Guide - Chapter: Network Architecture Security # "Understanding DMZ Configuration"

• Question 163:

  What is the following command used for?

  net use \target\ipc$ "" /u:""

  A. Grabbing the etc/passwd file
  B. Grabbing the SAM
  C. Connecting to a Linux computer through Samba.
  D. This command is used to connect as a null session
  E. Enumeration of Cisco routers
  D. This command is used to connect as a null session

  ---

  Explanation

  The given command is used to establish a null session connection with the IPC$ share on a Windows machine. IPC$ (Inter-Process Communication) is a special hidden share used for Windows inter-process communication, and when connected with blank credentials, it allows anonymous access to certain system information -- a common step in enumeration.

  Command breakdown:

  net use \target\ipc$ "" /u:""

  # Initiates a connection using a blank username and password (null session).

  From CEH v13 Courseware:

  Module 04: Enumeration

  Topic: Null Sessions and SMB Enumeration

  CEH v13 Study Guide states:

  "A null session allows unauthorized users to connect to a Windows machine and extract information like usernames, shares, and policies. Null sessions exploit the default settings of the IPC$ share and are typically initiated using net use commands."

  Incorrect Options:

  A/B: Accessing the etc/passwd or SAM directly is not the function of this command.

  C: Samba uses SMB, but this is targeting a Windows system.

  E: Cisco router enumeration involves SNMP, not Windows IPC$.

  CEH v13 Study Guide - Module 4: Enumeration # Subtopic: Null SessionsMicrosoft KB: Overview of NULL session connections and IPC$

• Question 164:

  You are tasked to configure the DHCP server to lease the last 100 usable IP addresses in subnet to. 1.4.0/23. Which of the following IP addresses could be teased as a result of the new configuration?

  A. 210.1.55.200
  B. 10.1.4.254
  C. 10.1.5.200
  D. 10.1.4.156
  C. 10.1.5.200

  ---

  Explanation

  https://en.wikipedia.org/wiki/Subnetwork

  As we can see, we have an IP address of 10.1.4.0 with a subnet mask of /23. According to the question, we need to determine which IP address will be included in the range of the last 100 IP addresses.

  The available addresses for hosts start with 10.1.4.1 and end with 10.1.5.254. Now you can clearly see that the last 100 addresses include the address 10.1.5.200.

• Question 165:

  Jim, a professional hacker, targeted an organization that is operating critical Industrial Infrastructure. Jim used Nmap to scan open pons and running services on systems connected to the organization's OT network. He used an Nmap command to identify Ethernet/IP devices connected to the Internet and further gathered Information such as the vendor name, product code and name, device name, and IP address. Which of the following Nmap commands helped Jim retrieve the required information?

  A. nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p < Port List > < Target IP >
  B. nmap -Pn -sU -p 44818 --script enip-info < Target IP >
  C. nmap -Pn -sT -p 46824 < Target IP >
  D. nmap -Pn -sT -p 102 --script s7-info < Target IP >
  B. nmap -Pn -sU -p 44818 --script enip-info < Target IP >

  ---

  Explanation

  https://nmap.org/nsedoc/scripts/enip-info.html

  Example Usage enip-info:

  - nmap --script enip-info -sU -p 44818

  This NSE script is used to send a EtherNet/IP packet to a remote device that has TCP 44818 open. The script will send a Request Identity Packet and once a response is received, it validates that it was a proper response to the command that was sent, and then will parse out the data. Information that is parsed includes Device Type, Vendor ID, Product name, Serial Number, Product code, Revision Number, status, state, as well as the Device IP.

  This script was written based of information collected by using the the Wireshark dissector for CIP, and EtherNet/IP, The original information was collected by running a modified version of the ethernetip.py script (https://github.com/paperwork/pyenip)

• Question 166:

  You discover an unpatched Android permission-handling vulnerability on a device with fully updated antivirus software. What is the most effective exploitation approach that avoids antivirus detection?

  A. Develop a custom exploit using obfuscation techniques
  B. Use Metasploit to deploy a known payload
  C. Install a rootkit to manipulate the device
  D. Use SMS phishing to trick the user
  A. Develop a custom exploit using obfuscation techniques

  ---

  Explanation

  The CEH Mobile Platform Security module explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns . A custom exploit with obfuscation is far more likely to bypass detection.

  CEH explicitly teaches that:

  Zero-day or unpatched vulnerabilities

  Custom, obfuscated payloads

  Minimal use of known frameworks

  are the most effective for bypassing endpoint defenses during controlled testing.

  Option A is correct.

  Options B and C are easily detected.

  Option D is social engineering, not a technical exploit.

• Question 167:

  You discover a Web API integrated with webhooks and an existing administrative web shell. Your objective is to compromise the system while leaving minimal traces. Which technique is most effective?

  A. SSRF to perform unauthorized API calls
  B. IDOR exploitation
  C. Upload malicious scripts via the web shell
  D. Manipulate the webhook for unintended data transfer
  A. SSRF to perform unauthorized API calls

  ---

  Explanation

  Server-Side Request Forgery (SSRF) is emphasized in CEH v13 Web Application Hacking as a stealthy and powerful attack. SSRF allows attackers to make requests from the trusted server itself , bypassing firewalls, authentication, and logging controls.

  Compared to web shells or webhook abuse, SSRF leaves fewer forensic artifacts and enables internal API access, metadata exposure, and lateral movement.

• Question 168:

  At what stage of the cyber kill chain theory model does data exfiltration occur?

  A. Actions on objectives
  B. Weaponization
  C. installation
  D. Command and control
  A. Actions on objectives

  ---

  Explanation

  The longer an adversary has this level of access, the greater the impact. Defenders must detect this stage as quickly as possible and deploy tools which can enable them to gather forensic evidence. One example would come with network packet captures, for damage assessment. Only now, after progressing through the primary six phases, can intruders take actions to realize their original objectives. Typically, the target of knowledge exfiltration involves collecting, encrypting and extracting information from the victim(s) environment; violations of knowledge integrity or availability are potential objectives also . Alternatively, and most ordinarily , the intruder may only desire access to the initial victim box to be used as a hop point to compromise additional systems and move laterally inside the network. Once this stage is identified within an environment, the implementation of prepared reaction plans must be initiated. At a minimum, the plan should include a comprehensive communication plan, detailed evidence must be elevated to the very best ranking official or board , the deployment of end-point security tools to dam data loss and preparation for briefing a CIRT Team. Having these resources well established beforehand may be a "MUST" in today's quickly evolving landscape of cybersecurity threats

• Question 169:

  In both pharming and phishing attacks, an attacker can create websites that look similar to legitimate sites with the intent of collecting personal identifiable information from its victims.

  What is the difference between pharming and phishing attacks?

  A. In a pharming attack, a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack, an attacker provides the victim with a URL that is either misspelled or looks similar to the actual website's domain name.
  B. In a phishing attack, a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack, an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual website's domain name.
  C. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering.
  D. Both pharming and phishing attacks are identical.
  A. In a pharming attack, a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack, an attacker provides the victim with a URL that is either misspelled or looks similar to the actual website's domain name.

  ---

  Explanation

  According to CEH v13 Module 09: Social Engineering, both pharming and phishing are forms of fraud that direct users to malicious websites. However, their techniques differ:

  Pharming involves modifying DNS entries or the victim's host file to silently redirect users to a malicious site without needing user interaction.

  Phishing involves sending links via emails or messages where the URL is visually deceptive (misspelled, similar domain names, homoglyph attacks).

  Module 09 - Social Engineering, Section: Pharming vs. Phishing Techniques

  CEH eBook: Attack Vectors in Identity Theft and Fraud

• Question 170:

  Mary found a high vulnerability during a vulnerability scan and notified her server team. After analysis, they sent her proof that a fix to that issue had already been applied. The vulnerability that Marry found is called what?

  A. False-negative
  B. False-positive
  C. Brute force attack
  D. Backdoor
  B. False-positive

  ---

  Explanation

  https://www.infocyte.com/blog/2019/02/16/cybersecurity-101-what-you-need-to-know-about-false-positives- and-false-negatives/

  False positives are mislabeled security alerts, indicating there is a threat when in actuality, there isn't. These false/non-malicious alerts (SIEM events) increase noise for already over-worked security teams and can include software bugs, poorly written software, or unrecognized network traffic.

  False negatives are uncaught cyber threats - overlooked by security tooling because they're dormant, highly sophisticated (i.e. file-less or capable of lateral movement) or the security infrastructure in place lacks the technological ability to detect these attacks.