EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 191:

  Your organization has signed an agreement with a web hosting provider that requires you to take full responsibility for the maintenance of the cloud-based resources. Which of the following models covers this?

  A. Platform as a Service
  B. Software as a Service
  C. Functions as a Service
  D. Infrastructure as a Service
  D. Infrastructure as a Service

  ---

  Explanation

  Infrastructure as a Service (IaaS) provides virtualized computing infrastructure over the internet. In this model:

  The cloud provider supplies the hardware (servers, storage, networking). The client (your organization) is responsible for installing and managing the OS, applications, and all configurations.

  This aligns with the question, where the organization must take full responsibility for maintenance.

  Incorrect Options:

  A. PaaS offers managed OS, middleware, and runtime, reducing customer responsibilities.

  B. SaaS provides fully managed applications-users only access features.

  C. Functions as a Service (FaaS) offers event-driven computing without server management, used in serverless environments.

  CEH v13 Official Courseware:

  Module 19: Cloud Computing

  Section: "Cloud Service Models"

  Table: "Responsibilities in IaaS vs PaaS vs SaaS"

• Question 192:

  In order to tailor your tests during a web-application scan, you decide to determine which web-server version is hosting the application. On using the sV flag with Nmap. you obtain the following response:

  80/tcp open http-proxy Apache Server 7.1.6

  what Information-gathering technique does this best describe?

  A. WhOiS lookup
  B. Banner grabbing
  C. Dictionary attack
  D. Brute forcing
  B. Banner grabbing

  ---

  Explanation

  Banner grabbing is a technique wont to gain info about a computer system on a network and the services running on its open ports. administrators will use this to take inventory of the systems and services on their network. However, an to find will use banner grabbing so as to search out network hosts that are running versions of applications and operating systems with known exploits.

  Some samples of service ports used for banner grabbing are those used by Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP); ports 80, 21, and 25 severally. Tools normally used to perform banner grabbing are Telnet, nmap and Netcat.

  For example, one may establish a connection to a target internet server using Netcat, then send an HTTP request. The response can usually contain info about the service running on the host:

  This information may be used by an administrator to catalog this system, or by an intruder to narrow down a list of applicable exploits.

  To prevent this, network administrators should restrict access to services on their networks and shut down unused or unnecessary services running on network hosts. Shodan is a search engine for banners grabbed from portscanning the Internet.

• Question 193:

  Which information CANNOT be directly obtained from DNS interrogation?

  A. Usernames and passwords
  B. Server geolocation (via IPs)
  C. Subdomains of the organization
  D. IP addresses of mail servers
  A. Usernames and passwords

  ---

  Explanation

  DNS interrogation is a core passive and semi-active reconnaissance technique described in CEH v13 Reconnaissance Techniques . It allows ethical hackers to gather publicly available information about a target' s domain infrastructure.

  Through DNS queries, testers can retrieve:

  Subdomains (via zone transfers, brute force, or DNS records)

  Mail server IP addresses (via MX records)

  Server IP addresses, which can then be mapped to approximate geographic locations

  However, DNS does not store authentication credentials such as usernames and passwords. That information resides in authentication systems like Active Directory, LDAP, or application databases, not DNS.

  Therefore, Option A is the only choice that cannot be obtained via DNS interrogation. CEH v13 clearly distinguishes between naming infrastructure data and credential-based information , reinforcing why DNS enumeration cannot reveal user credentials.

• Question 194:

  Gregory, a professional penetration tester working at Sys Security Ltd., is tasked with performing a security test of web applications used in the company. For this purpose, Gregory uses a tool to test for any security loopholes by hijacking a session between a client and server. This tool has a feature of intercepting proxy that can be used to inspect and modify the traffic between the browser and target application. This tool can also perform customized attacks and can be used to test the randomness of session tokens. Which of the following tools is used by Gregory in the above scenario?

  A. Nmap
  B. Burp Suite
  C. CxSAST
  D. Wireshark
  B. Burp Suite

  ---

  Explanation

  Burp Suite is a comprehensive web vulnerability scanner and testing suite widely used in penetration testing and ethical hacking.

  Key features include:

  Intercepting proxy: Allows inspection and modification of traffic between the browser and target server.

  Session hijacking/testing tools

  Intruder and Repeater modules for customized payload injection Sequencer module for testing session token randomness

  Extensibility through plugins and custom scripts

  Incorrect Options:

  A. Nmap is a network scanning tool, not used for intercepting web traffic.

  C. CxSAST (Checkmarx) is a static application security testing (SAST) tool.

  D. Wireshark is a packet analyzer but does not include intercepting proxy features or token testing.

  CEH v13 Official Courseware:

  Module 14: Hacking Web Applications

  Section: "Burp Suite as a Web Vulnerability Testing Tool"

  CEH iLab: Using Burp Suite for Web App Testing

• Question 195:

  A malicious user has acquired a Ticket Granting Service from the domain controller using a valid user's Ticket Granting Ticket in a Kerberoasting attack. He exhorted the TGS tickets from memory for offline cracking. But the attacker was stopped before he could complete his attack. The system administrator needs to investigate and remediate the potential breach.

  What should be the immediate step the system administrator takes?

  A. Perform a system reboot to clear the memory
  B. Delete the compromised user's account
  C. Change the NTLM password hash used to encrypt the ST
  D. invalidate the TGS the attacker acquired
  D. invalidate the TGS the attacker acquired

  ---

  Explanation

  A Kerberoasting attack is a technique that exploits the Kerberos authentication protocol to obtain the password hash of a service account that has a Service Principal Name (SPN). An attacker can request a service ticket (TGS) for the SPN using a valid user's ticket (TGT) and then attempt to crack the password hash offline. To prevent the attacker from using the TGS to access the service, the system administrator should invalidate the TGS as soon as possible. This can be done by changing the password of the service account, which will generate a new password hash and render the old TGS useless. Alternatively, the system administrator can use tools like Mimikatz to purge the TGS from the memory of the domain controller or the client system. Performing a system reboot, deleting the compromised user's account, or changing the NTLM password hash used to encrypt the ST are not effective ways to invalidate the TGS, as they do not affect the encryption of the TGS or the validity of the TGT. References:

  EC-Council CEHv13 Courseware Module 11: Hacking Webservers, page 11-24

  What is a Kerberoasting Attack? - CrowdStrike

  How to Perform Kerberoasting Attacks: The Ultimate Guide - StationX

• Question 196:

  Identify the UDP port that Network Time Protocol (NTP) uses as its primary means of communication?

  A. 113
  B. 69
  C. 123
  D. 161
  C. 123

  ---

  Explanation

  https://en.wikipedia.org/wiki/Network_Time_Protocol

  The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

  NTP is intended to synchronize all participating computers within a few milliseconds of Coordinated Universal Time (UTC). It uses the intersection algorithm, a modified version of Marzullo's algorithm, to select accurate time servers and is designed to mitigate variable network latency effects. NTP can usually maintain time to within tens of milliseconds over the public Internet and achieve better than one millisecond accuracy in local area networks. Asymmetric routes and network congestion can cause errors of 100 ms or more.

  The protocol is usually described in terms of a client-server model but can easily be used in peer-to-peer relationships where both peers consider the other to be a potential time source. Implementations send and receive timestamps using the User Datagram Protocol (UDP) on port number.

• Question 197:

  If you send a TCP ACK segment to a known closed port on a firewall but it does not respond with an RST, what do you know about the firewall you are scanning?

  A. There is no firewall in place.
  B. This event does not tell you anything about the firewall.
  C. It is a stateful firewall
  D. It is a non-stateful firewall.
  C. It is a stateful firewall

  ---

  Explanation

  In CEH v13 Module 03: Scanning Networks, the behavior of firewalls in response to ACK scans is described in detail, especially regarding stateful vs. stateless firewalls.

  An ACK scan (nmap -sA) is primarily used for firewall rule analysis. Here's how it works:

  When you send a TCP ACK segment:

  If the port is closed and no firewall is present, the target should respond with a TCP RST packet.

  If a stateless (non-stateful) firewall is used, it typically allows or blocks packets based only on rules about IP addresses, ports, and protocol type, without tracking session state.

  If a stateful firewall is used, it keeps track of connection states. Therefore:

  An unsolicited ACK packet (not part of any established session) will be silently dropped, because it doesn't correspond to any active connection.

  No RST is sent back because the firewall suppresses it, recognizing it as potentially malicious or out of context.

  Therefore:

  No RST response packet was silently dropped.

  Silent dropping of unsolicited ACK packets Stateful Firewall Behavior.

  Option Analysis:

  A. There is no firewall in place

  # Incorrect. If there were no firewall, an RST would be sent from the closed port. B. This event does not tell you anything about the firewall

  # Incorrect. The lack of a response is actually meaningful and implies stateful filtering behavior.

  C. It is a stateful firewall

  Correct. A stateful firewall inspects the packet, sees no valid session, and drops it silently.

  D. It is a non-stateful firewall

  # Incorrect. A non-stateful firewall would typically not inspect session state, and you'd still expect to see a response (likely an RST).

  Reference from CEH v13 Study Guide and Courseware:

  Module 03 - Scanning Networks, Section: Nmap Scanning Techniques # TCP ACK Scan

  CEH Engage Labs - Network Scanning Phase: Firewall Rule Detection using ACK Scans

• Question 198:

  Your company suspects a potential security breach and has hired you as a Certified Ethical Hacker to investigate. You discover evidence of footprinting through search engines and advanced Google hacking techniques. The attacker utilized Google search operators to extract sensitive information. You further notice queries that indicate the use of the Google Hacking Database (GHDB) with an emphasis on VPN footprinting.

  Which of the following Google advanced search operators would be the LEAST useful in providing the attacker with sensitive VPN-related information?

  A. intitle: This operator restricts results to only the pages containing the specified term in the title
  B. location: This operator finds information for a specific location
  C. inur: This operator restricts the results to only the pages containing the specified word in the URL
  D. link: This operator searches websites or pages that contain links to the specified website or page
  B. location: This operator finds information for a specific location

  ---

  Explanation

  The location: operator is the least useful in providing the attacker with sensitive VPN-related information, because it does not directly relate to VPN configuration, credentials, or vulnerabilities. The location: operator finds information for a specific location, such as a city, country, or region. For example, location:paris would return results related to Paris, France. However, this operator does not help the attacker to identify or access VPN servers or clients, unless they are specifically named or indexed by their location, which is unlikely.

  The other operators are more useful in providing the attacker with sensitive VPN-related information, because they can help the attacker to find pages or files that contain VPN configuration, credentials, or vulnerabilities. The intitle: operator restricts results to only the pages containing the specified term in the title. For example, intitle:vpn would return pages with VPN in their title, which may include VPN guides, manuals, or tutorials. The inurl: operator restricts the results to only the pages containing the specified word in the URL. For example, inurl:vpn would return pages with VPN in their URL, which may include VPN login portals, configuration files, or directories. The link: operator searches websites or pages that contain links to the specified website or page. For example, link:vpn.com would return pages that link to vpn.com, which may include VPN reviews, comparisons, or recommendations. References:

  Google Search Operators: The Complete List (44 Advanced Operators)

  Footprinting through search engines

  Module 02: Footprinting and Reconnaissance

• Question 199:

  Firewalls are the software or hardware systems that are able to control and monitor the traffic coming in and out the target network based on pre-defined set of rules. Which of the following types of firewalls can protect against SQL injection attacks?

  A. Data-driven firewall
  B. Packet firewall
  C. Web application firewall
  D. Stateful firewall
  C. Web application firewall

  ---

  Explanation

  https://en.wikipedia.org/wiki/Web_application_firewall

  A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.

• Question 200:

  A red team operator wants to obtain credentials from a Windows machine without touching LSASS memory due to security controls and Credential Guard. They use SSPI to generate NetNTLM responses in the logged- in user context and collect those responses for offline cracking. Which attack technique is being used?

  A. Internal Monologue attack technique executed through OS authentication protocol manipulations
  B. Replay attack attempt by reusing captured authentication traffic sequences
  C. Hash injection approach using credential hashes for authentication purposes
  D. Pass-the-ticket attack method involving forged tickets for network access
  A. Internal Monologue attack technique executed through OS authentication protocol manipulations

  ---

  Explanation

  CEH v13 discusses various credential extraction and authentication abuse techniques, including approaches that avoid LSASS memory due to modern protections like Credential Guard. The Internal Monologue technique is a specialized credential-harvesting approach that leverages the Windows SSPI authentication stack to coerce the local system into generating NetNTLM challenge-response hashes without requiring direct access to LSASS. This allows attackers to obtain legitimate NTLM responses entirely within the user's security context. These captured responses can then be cracked offline using tools such as Hashcat. Unlike replay attacks (Option B), Internal Monologue is not about reusing captured traffic. Hash injection (Option C) requires possession of NT hashes and modifies authentication tokens, which does not occur here. Pass-the- ticket (Option D) targets Kerberos, not NTLM. Therefore, the correct technique is the Internal Monologue attack.