EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 171:

  An attacker redirects the victim to malicious websites by sending them a malicious link by email. The link appears authentic but redirects the victim to a malicious web page, which allows the attacker to steal the victim's data. What type of attack is this?

  A. Phishing
  B. Vlishing
  C. Spoofing
  D. DDoS
  A. Phishing

  ---

  Explanation

  https://en.wikipedia.org/wiki/Phishing

  Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.

  An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identify theft.

  Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.

  An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on the scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

• Question 172:

  A security analyst is tasked with gathering detailed information about an organization's network infrastructure without making any direct contact that could be logged or trigger alarms. Which method should the analyst use to obtain this information covertly?

  A. Examine leaked documents or data dumps related to the organization
  B. Use network mapping tools to scan the organization's IP range
  C. Initiate social engineering attacks to elicit information from employees
  D. Perform a DNS brute-force attack to discover subdomains
  A. Examine leaked documents or data dumps related to the organization

  ---

  Explanation

  Passive reconnaissance focuses on collecting intelligence without interacting with the target's systems. CEH materials emphasize reviewing publicly available information, including leaked documents, breach data, reports, or exposed metadata, as this yields internal network structure details while generating no detectable traffic. This method avoids triggering monitoring systems and aligns with stealth requirements for covert intelligence gathering.

• Question 173:

  Bill has been hired as a penetration tester and cybersecurity auditor for a major credit card company. Which information security standard is most applicable to his role?

  A. FISMA
  B. HITECH
  C. PCI-DSS
  D. Sarbanes-Oxley Act
  C. PCI-DSS

  ---

  Explanation

  In CEH v13 Module 01: Information Security Governance, PCI-DSS (Payment Card Industry Data Security Standard) is introduced as the mandatory compliance framework for organizations handling credit card transactions.

  PCI-DSS Requirements Include:

  Encrypting cardholder data.

  Maintaining secure systems and applications.

  Regular vulnerability testing and audits.

  Restricting access to sensitive data.

  Option Clarification:

  A. FISMA: Applies to U.S. federal information systems.

  B. HITECH: Related to health information privacy and HIPAA.

  C. PCI-DSS: Correct for credit card companies and merchant environments.

  D. SOX (Sarbanes-Oxley): Focuses on financial reporting, not card data.

  Module 01 - Compliance Standards: PCI-DSS Overview

  CEH eBook: Security Regulations in the Financial Sector

• Question 174:

  Which WPA2 vulnerability allows packet interception and replay?

  A. Hole196 vulnerability
  B. KRACK vulnerability
  C. WPS PIN recovery
  D. Weak RNG
  B. KRACK vulnerability

  ---

  Explanation

  The KRACK (Key Reinstallation Attack) vulnerability is a critical WPA2 flaw covered extensively in CEH v13 Wireless Network Hacking . KRACK exploits weaknesses in the four-way handshake process, allowing attackers to force reinstallation of encryption keys.

  This key reinstallation resets nonces and counters, enabling attackers to decrypt, replay, and forge packets , even on encrypted WPA2 networks. CEH v13 highlights that KRACK does not break encryption mathematically but exploits protocol logic flaws.

  Hole196 affects GTK misuse, and WPS PIN attacks target authentication, not replay of encrypted traffic.

  Weak RNG issues are unrelated to WPA2 replay.

• Question 175:

  You receive an email prompting you to download "Antivirus 2010" software using a suspicious link. The software claims to provide protection but redirects you to an unknown site.

  How will you determine if this is a Real or Fake Antivirus website?

  A. Look at the website design, if it looks professional then it is a Real Antivirus website
  B. Connect to the site using SSL, if you are successful then the website is genuine
  C. Search using the URL and Antivirus product name into Google and look out for suspicious warnings against this site
  D. Download and install Antivirus software from this suspicious looking site, your Windows 7 will prompt you and stop the installation if the downloaded file is a malware
  C. Search using the URL and Antivirus product name into Google and look out for suspicious warnings against this site

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Fake antivirus (also known as scareware) tricks users into downloading malware disguised as legitimate antivirus software.

  The best approach:

  Google the product name and URL.

  Check reputable forums, antivirus vendors, or security advisories.

  Look for phishing warnings or reports of malware.

  From CEH v13 Courseware:

  Module 7: Social Engineering and Phishing Scams

  Module 6: Malware Threats # Rogue Software

  CEH v13 Study Guide - Module 6: Fake Antivirus and ScarewareUS-CERT Alert TA13-112A - Detecting Fake Antivirus Software

• Question 176:

  To invisibly maintain access to a machine, an attacker utilizes a toolkit that sits undetected In the core components of the operating system. What is this type of rootkit an example of?

  A. Mypervisor rootkit
  B. Kernel toolkit
  C. Hardware rootkit
  D. Firmware rootkit
  B. Kernel toolkit

  ---

  Explanation

  Kernel-mode rootkits run with the best operating system privileges (Ring 0) by adding code or replacement parts of the core operating system, as well as each the kernel and associated device drivers. Most operative systems support kernel-mode device drivers, that execute with a similar privileges because the software itself. As such, several kernel-mode rootkits square measure developed as device drivers or loadable modules, like loadable kernel modules in Linux or device drivers in Microsoft Windows.

  This category of rootkit has unrestricted security access, however is tougher to jot down. The quality makes bugs common, and any bugs in code operative at the kernel level could seriously impact system stability, resulting in discovery of the rootkit. one amongst the primary wide familiar kernel rootkits was developed for Windows NT four.0 and discharged in Phrack magazine in 1999 by Greg Hoglund. Kernel rootkits is particularly tough to observe and take away as a result of they operate at a similar security level because the software itself, and square measure therefore able to intercept or subvert the foremost sure software operations. Any package, like antivirus package, running on the compromised system is equally vulnerable. during this scenario, no a part of the system is sure.

• Question 177:

  Nedved is an IT Security Manager of a bank. One day, he found out there is a security breach involving a suspicious connection from the email server to an unknown IP. What is the first thing Nedved should do before contacting the incident response team?

  A. Leave it as it is and contact the incident response team right away
  B. Block the connection to the suspicious IP Address from the firewall
  C. Disconnect the email server from the network
  D. Migrate the connection to the backup email server
  C. Disconnect the email server from the network

  ---

  Explanation

  Before the incident response team is contacted, it's crucial to contain the breach to prevent further data exfiltration or compromise. Disconnecting the affected server from the network immediately halts communication with any malicious actors.

• Question 178:

  How is the public key distributed in an orderly, controlled fashion so that the users can be sure of the sender's identity?

  A. Hash value
  B. Private key
  C. Digital signature
  D. Digital certificate
  D. Digital certificate

  ---

  Explanation

  A digital certificate, issued by a trusted Certificate Authority (CA), binds a public key to the identity of an entity (e.g., user, organization). This provides a means to validate ownership of the public key.

  CEH v13 Reference:

  Module 17: Cryptography "A digital certificate ensures the authenticity of the public key through a trusted third party known as a Certificate Authority."

• Question 179:

  During routine network monitoring, the blue team notices several LLMNR and NBT-NS broadcasts originating from a workstation attempting to resolve an internal hostname. They also observe suspicious responses coming from a non-corporate IP address that claims to be the requested host. Upon further inspection, the security team suspects that an attacker is impersonating network resources to capture authentication attempts. What type of password-cracking setup is likely being staged?

  A. Decrypt login tokens from wireless networks
  B. Use CPU resources to guess passphrases quickly
  C. Exploit name resolution to capture password hashes
  D. Match captured credentials with rainbow tables
  C. Exploit name resolution to capture password hashes

  ---

  Explanation

  CEH incident response material explains that LLMNR and NBT-NS poisoning is a common credential- harvesting technique in internal networks. These legacy name-resolution protocols operate via broadcast queries. Attackers can listen for these broadcasts and respond faster than legitimate DNS/hosts entries, impersonating the requested resource. Once the victim system attempts to authenticate, it sends NTLM hashes to the attacker-controlled machine. Tools like Responder and Inveigh automate this process, enabling attackers to collect challenge-response hashes for offline cracking. CEH highlights that this method is passive from the victim's viewpoint and difficult to detect unless monitoring tools watch for anomalous LLMNR /NBT-NS responses. Options A, B, and D refer to other components of password cracking, but none describe the mechanism of capturing hashes via poisoned name resolution. The attacker's technique directly aligns with exploiting the name-resolution protocol to intercept authentication attempts.

• Question 180:

  Firewalk has just completed the second phase (the scanning phase), and a technician receives the output shown below.

  What conclusions can be drawn based on these scan results?

  TCP port 21 no response

  TCP port 22 no response

  TCP port 23 Time-to-live exceeded

  A. The lack of response from ports 21 and 22 indicate that those services are not running on the destination server
  B. The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error
  C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall
  D. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host
  C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall

  ---

  Explanation

  Firewalk, covered in CEH v13 Module 03, is a firewall analysis tool that uses TTL-limited probes to determine which ports are allowed through a filtering device (firewall/router).

  If a Time-to-Live Exceeded message is received, it means the packet made it past the firewall and was stopped before reaching the target host.

  No response typically means filtered or blocked.

  Therefore:

  Ports 21 and 22 are filtered by the firewall.

  Port 23 triggered a TTL Exceeded, meaning it passed through the firewall, and likely hit a router or was dropped due to TTL=0 before reaching the host.

  Module 03 - Scanning Networks - Using Firewalk

  CEH iLabs - Firewall Analysis with Firewalk