EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 181:

  A tester evaluates a login form that constructs SQL queries using unsanitized user input. By submitting ' C 'll- T; -, the tester gains unauthorized access to the application. What type of SQL injection has occurred?

  A. Tautology-based SQL injection
  B. Error-based SQL injection
  C. Union-based SQL injection
  D. Time-based blind SQL injection
  A. Tautology-based SQL injection

  ---

  Explanation

  This question describes a classic example of Tautology-Based SQL Injection , a subcategory of SQL Injection attacks which fall under Web Application Hacking in the CEH curriculum.

  In a tautology-based SQL injection , the attacker injects a SQL fragment that always evaluates to true, thus bypassing the authentication mechanism. The string ' C 'll-T; - is a malformed variant, possibly meant to represent ' OR '1''1'; --, which is one of the most basic and widely recognized tautology-based injection payloads. When injected into a vulnerable SQL query, this kind of input manipulates the WHERE clause of the query so that it always evaluates to true , regardless of the original conditions.

  Here's how it works:

  If the SQL query is:

  SELECT * FROM users WHERE username '$username' AND password '$password';

  And the attacker inputs:

  ' OR '1''1'; --

  The query becomes:

  SELECT * FROM users WHERE username '' OR '1''1'; --' AND password '';

  This results in the execution of:

  SELECT * FROM users WHERE '1''1';

  Which always evaluates to true, thereby bypassing authentication and allowing unauthorized access.

  This method does not rely on error messages (Error-Based), timing delays (Time-Based Blind), or UNION statements (Union-Based). Its goal is to exploit logic within the query structure itself using boolean-based manipulation.

  According to EC-Council's CEH v13 Module: Web Application Hacking , understanding tautology-based injection is critical because it's one of the most common ways attackers bypass login forms on poorly secured web applications.

• Question 182:

  A hacker is analyzing a system that uses two rounds of symmetric encryption with different keys. To speed up key recovery, the attacker encrypts the known plaintext with all possible values of the first key and stores the intermediate ciphertexts. Then, they decrypt the final ciphertext using all possible values of the second key and compare the results to the stored values. Which cryptanalytic method does this approach represent?

  A. Flood memory with brute-forced credentials
  B. Scrape electromagnetic leakage for bits
  C. Use midpoint collision to identify key pair
  D. Reverse permutations to bypass encryption
  C. Use midpoint collision to identify key pair

  ---

  Explanation

  CEH covers advanced cryptanalytic attacks, including Meet-in-the-Middle (MITM) attacks , which are especially effective against multi-round symmetric encryption schemes. When an algorithm encrypts data twice using different keys, the naive brute-force method would require testing every possible combination of both keys-a time complexity of 2# - 2#. Meet-in-the-Middle dramatically reduces this complexity by splitting the problem in half. Attackers encrypt the plaintext using all potential values of the first key and store the results. They then decrypt the final ciphertext using all possible values of the second key. When an intermediate value matches one in storage, the corresponding key pair is identified. CEH highlights that this approach exploits the lack of key independence between two encryption layers, demonstrating how doubling encryption does not always double security. This attack is well-known for targeting 2DES, one of the historical examples covered in CEH. It is not related to side-channel attacks, brute-force flooding, or permutation reversal; it strictly relies on midpoint matching to reduce computational workload.

• Question 183:

  In Trojan terminology, what is a covert channel?

  

  A. A channel that transfers information within a computer system or network in a way that violates the security policy
  B. A legitimate communication path within a computer system or network for transfer of data
  C. It is a kernel operation that hides boot processes and services to mask detection
  D. It is Reverse tunneling technique that uses HTTPS protocol instead of HTTP protocol to establish connections
  A. A channel that transfers information within a computer system or network in a way that violates the security policy

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  A covert channel is any communication path that allows data to be transferred in violation of a system's security policy. It's commonly used by malware or Trojans to exfiltrate data or send commands undetected.

  Examples include:

  Encoding data in TCP headers (unused bits)

  Timing of packets (timing channel)

  Use of legitimate protocols to piggyback malicious traffic

  From CEH v13 Courseware:

  Module 6: Malware Threats # Trojans and Covert Channels

  CEH v13 Study Guide - Module 6: Trojan Communication # Covert and Overt ChannelsNIST SP 800-53 - Covert Channel Analysis

• Question 184:

  Widespread fraud ac Enron. WorldCom, and Tyco led to the creation of a law that was designed to improve the accuracy and accountability of corporate disclosures. It covers accounting firms and third parties that provide financial services to some organizations and came into effect in 2002. This law is known by what acronym?

  A. Fed RAMP
  B. PCIDSS
  C. SOX
  D. HIPAA
  C. SOX

  ---

  Explanation

  The Sarbanes-Oxley Act of 2002 could be a law the U.S. Congress passed on July thirty of that year to assist defend investors from fallacious money coverage by companies.Also called the SOX Act of 2002 and also the company Responsibility Act of 2002, it mandated strict reforms to existing securities rules and obligatory powerful new penalties on law breakers.

  The Sarbanes-Oxley law Act of 2002 came in response to money scandals within the early 2000s involving in public listed corporations like Enron Corporation, Tyco International plc, and WorldCom. The high-profile frauds cask capitalist confidence within the trustiness of company money statements Associate in Nursingd light-emitting diode several to demand an overhaul of decades-old restrictive standards.

• Question 185:

  Elliot is exploiting a web application vulnerable to SQL injection. He has introduced conditional timing delays to determine whether the injection is successful.

  What type of SQL injection is Elliot most likely performing?

  A. Error-based SQL injection
  B. Blind SQL injection
  C. Union-based SQL injection
  D. NoSQL injection
  B. Blind SQL injection

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Blind SQL injection is used when the application does not return errors or display query results. In such cases, attackers use inference methods such as:

  Boolean-based queries

  Time-based queries (e.g., using SLEEP or WAITFOR DELAY)

  Elliot's use of timing delays indicates a time-based blind SQL injection.

  From CEH v13 Courseware:

  Module 10: Web Application Hacking # SQL Injection Types

  CEH v13 Study Guide - Module 10: Blind SQL Injection TechniquesOWASP - SQL Injection Cheat Sheet

• Question 186:

  A penetration tester is tasked with gathering information about the subdomains of a target organization's website. The tester needs a versatile and efficient solution for the task. Which of the following options would be the most effective method to accomplish this goal?

  A. Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT
  B. Analyzing Linkedin profiles to find employees of the target company and their job titles
  C. Utilizing the Harvester tool to extract email addresses related to the target domain using a search engine like Google or Bing
  D. Using a people search service, such as Spokeo or Intelius, to gather information about the employees of the target organization
  A. Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT

  ---

  Explanation

  Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT, would be the most effective method to accomplish this goal. This option works as follows:

  Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT (Open Source Intelligence). It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS. Subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist.

  By using Sublist3r, the tester can quickly and efficiently discover the subdomains of the target organization's website, which can provide valuable information about the network structure, the services offered, the potential vulnerabilities, and the attack surface. Sublist3r can also be used to perform passive reconnaissance, which does not send any packets to the target domain, and thus avoids detection by the target organization.

  The other options are not as effective as option A for the following reasons:

  B. Analyzing Linkedin profiles to find employees of the target company and their job titles: This option is not relevant because it does not address the subdomain enumeration task, but the social engineering task. Linkedin is a social networking platform that allows users to create and share their professional profiles, which may include their name, job title, company, skills, education, and contacts. By analyzing Linkedin profiles, the tester may be able to find employees of the target company and their job titles,

  which can be useful for crafting phishing emails, impersonating employees, or exploiting human weaknesses. However, this option does not help to discover the subdomains of the target organization's website, which is the goal of this scenario.

  C. Utilizing the Harvester tool to extract email addresses related to the target domain using a search engine like Google or Bing: This option is not sufficient because it does not provide a comprehensive list of subdomains, but only a partial list based on email addresses. The Harvester is a tool that can extract email addresses, subdomains, hosts, employee names, open ports, and banners from different public sources, such as search engines, PGP key servers, and SHODAN computer database. By using

  the Harvester, the tester may be able to extract some email addresses related to the target domain, which can reveal some subdomains, such as mail.target.com or support.target.com. However, this option does not guarantee to find all the subdomains of the target organization's website, as some subdomains may not have any email addresses associated with them, or may not be indexed by the search engines.

  D. Using a people search service, such as Spokeo or Intelius, to gather information about the employees of the target organization: This option is not applicable because it does not address the subdomain enumeration task, but the personal information gathering task. Spokeo and Intelius are people search services that can provide various information about individuals, such as their name, address, phone number, email, social media, criminal records, and financial history. By using these services, the tester

  may be able to gather information about the employees of the target organization, which can be useful for performing background checks, identity theft, or blackmail. However, this option does not help to discover the subdomains of the target organization's website, which is the goal of this scenario.

  References:

  1: GitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testers

  2: Subdomain Discovery in Cybersecurity with Kali Linux | Medium

  3: LinkedIn - Wikipedia

  4: The Harvester - Kali Linux Tools

  5: Spokeo - Wikipedia

  6: Intelius - Wikipedia

• Question 187:

  Which of the following protocols can be used to secure an LDAP service against anonymous queries?

  A. SSO
  B. RADIUS
  C. WPA
  D. NTLM
  D. NTLM

  ---

  Explanation

  In a Windows network, nongovernmental organization (New Technology) local area network Manager (NTLM) could be a suite of Microsoft security protocols supposed to produce authentication, integrity, and confidentiality to users.NTLM is that the successor to the authentication protocol in Microsoft local area network Manager (LANMAN), Associate in Nursing older Microsoft product. The NTLM protocol suite is enforced in an exceedingly Security Support supplier, which mixes the local area network Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in an exceedingly single package. whether or not these protocols area unit used or will be used on a system is ruled by cluster Policy settings, that totally different|completely different} versions of Windows have different default settings. NTLM passwords area unit thought-about weak as a result of they will be brute-forced very simply with fashionable hardware.

  NTLM could be a challenge-response authentication protocol that uses 3 messages to authenticate a consumer in an exceedingly affiliation orientating setting (connectionless is similar), and a fourth extra message if integrity is desired.

  First, the consumer establishes a network path to the server and sends a NEGOTIATE_MESSAGE advertising its capabilities.

  Next, the server responds with CHALLENGE_MESSAGE that is employed to determine the identity of the consumer.

  Finally, the consumer responds to the challenge with Associate in Nursing AUTHENTICATE_MESSAGE.

  The NTLM protocol uses one or each of 2 hashed word values, each of that are keep on the server (or domain controller), and that through a scarcity of seasoning area unit word equivalent, that means that if you grab the hash price from the server, you'll evidence while not knowing the particular word. the 2 area unit the lm Hash (a DES-based operate applied to the primary fourteen chars of the word born-again to the standard eight bit laptop charset for the language), and also the nt Hash (MD4 of the insufficient endian UTF-16 Unicode password). each hash values area unit sixteen bytes (128 bits) every.

  The NTLM protocol additionally uses one among 2 a method functions, looking on the NTLM version. National Trust LanMan and NTLM version one use the DES primarily based LanMan a method operate (LMOWF), whereas National TrustLMv2 uses the NT MD4 primarily based a method operate (NTOWF).

• Question 188:

  During a cryptographic audit of a legacy system, a security analyst observes that an outdated block cipher is leaking key-related information when analyzing large sets of plaintextiphertext pairs. What approach might an attacker exploit here?

  A. Launch a key replay through IV duplication
  B. Use linear approximations to infer secret bits
  C. Modify the padding to obtain plaintext
  D. Attack the hash algorithm for collisions
  B. Use linear approximations to infer secret bits

  ---

  Explanation

  CEH covers classical cryptanalytic attacks, including linear cryptanalysis , which uses statistical correlations between plaintext and ciphertext to infer bits of the secret key. If a cipher leaks structural patterns across many data samples, linear approximations can be computed to break the cipher.

• Question 189:

  A large media-streaming company receives complaints that its web application is timing out or failing to load. Security analysts observe the web server is overwhelmed with a large number of open HTTP connections , transmitting data extremely slowly. These connections remain open indefinitely, exhausting server resources without consuming excessive bandwidth. The team suspects an application-layer DoS attack . Which attack is most likely responsible?

  A. A UDP flooding attack targeting random ports.
  B. An ICMP Echo Request flooding attack.
  C. A Slowloris attack that keeps numerous HTTP connections open to exhaust server resources.
  D. A fragmented packet attack with overlapping offset values.
  C. A Slowloris attack that keeps numerous HTTP connections open to exhaust server resources.

  ---

  Explanation

  The Certified Ethical Hacker (CEH) Web Application Hacking and DoS/DDoS module identifies Slowloris as an application-layer denial-of-service attack that targets web servers by maintaining a large number of half-open HTTP connections .

  Slowloris works by sending partial HTTP requests very slowly, preventing the server from closing the connections. CEH documentation highlights that this attack does not rely on high bandwidth , making it difficult to detect using traditional network-based defenses.

  Option C accurately matches the described symptoms and CEH's definition.

  Options A and B are network-layer flooding attacks, which were explicitly ruled out.

  Option D is a packet fragmentation attack, not an application-layer DoS technique. CEH stresses tuning connection timeouts and using reverse proxies as mitigations.

• Question 190:

  What type of a vulnerability/attack is it when the malicious person forces the user's browser to send an authenticated request to a server?

  A. Session hijacking
  B. Server Side Request Forgery
  C. Cross-site request forgery
  D. Cross-site scripting
  C. Cross-site request forgery

  ---

  Explanation

  Cross-Site Request Forgery (CSRF) is covered in CEH v13 Module 12: Hacking Web Applications. It occurs when an attacker tricks a victim's browser into making unintended, authenticated requests to a web application where the victim is already logged in.

  Example:

  User logs in to a banking site.

  While logged in, the attacker sends the user a crafted link that submits a transaction via a hidden request.

  Since the user's session cookies are valid, the bank processes the request.

  Why Other Options Are Incorrect:

  A. Session hijacking: Steals session tokens but doesn't involve forcing browser actions.

  B. SSRF: Server sends a request to an internal service, not via user's browser.

  D. XSS: Executes scripts in the user's browser but doesn't force HTTP requests under the user's identity.

  Module 12 - Application Layer Attacks # CSRF

  CEH Labs: CSRF Exploitation Demo with Logged-In Session Tokens