EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 201:

  Vlady works in a fishing company where the majority of the employees have very little understanding of IT let alone IT Security. Several information security issues that Vlady often found includes, employees sharing password, writing his/her password on a post it note and stick it to his/her desk, leaving the computer unlocked, didn't log out from emails or other social media accounts, and etc. After discussing with his boss, Vlady decided to make some changes to improve the security environment in his company. The first thing that Vlady wanted to do is to make the employees understand the importance of keeping confidential information, such as password, a secret and they should not share it with other persons.

  Which of the following steps should be the first thing that Vlady should do to make the employees in his company understand to importance of keeping confidential information a secret?

  A. Warning to those who write password on a post it note and put it on his/her desk
  B. Developing a strict information security policy
  C. Information security awareness training
  D. Conducting a one to one discussion with the other employees about the importance of information security
  A. Warning to those who write password on a post it note and put it on his/her desk

  ---

  Explanation

• Question 202:

  Techno Security Inc. recently hired John as a penetration tester. He was tasked with identifying open ports in the target network and determining whether the ports are online and any firewall rule sets are encountered. John decided to perform a TCP SYN ping scan on the target network.

  Which of the following Nmap commands must John use to perform the TCP SYN ping scan?

  A. nmap -sn -pp
  B. nmap -sn -PO
  C. nmap -sn -PS
  D. nmap -sn -PA
  C. nmap -sn -PS

  ---

  Explanation

  In CEH v13 Module 03: Scanning Networks, under the Nmap Host Discovery Techniques, TCP SYN ping scan is explained as one of the methods used to determine whether a host is online by sending SYN packets to specified TCP ports.

  When using Nmap:

  -PS specifies a TCP SYN ping scan. It sends SYN packets to a given port (by default port 80, unless specified) to check whether a host is up and whether the port is open.

  The response type to this SYN packet determines the host status:

  If a SYN/ACK is received, it indicates the port is open, and the host is up.

  If RST is received, the port is closed, but the host is still considered online.

  If no response or ICMP unreachable is received, the host may be down or filtered.

  Clarification of options:

  A. -pp: This is not a valid Nmap option.

  B. -PO: This sends IP Protocol Ping, used less frequently and not the same as SYN ping.

  C. -PS: Correct. Performs a TCP SYN Ping Scan.

  D. -PA: Sends TCP ACK Ping, used to determine firewall presence but not the same as SYN scan.

  Reference from CEH v13 Study Guide and Course Material:

  CEH v13 Official Module 03 - Scanning Networks, Slide: Nmap Host Discovery Techniques

  EC-Council iLabs - Scanning Networks Practical Lab Guide: Section on nmap -sn -PS

  Nmap Official Documentation (also referenced in CEH): https://nmap.org/book/man-host-discovery.html

• Question 203:

  When you are testing a web application, it is very useful to employ a proxy tool to save every request and response. You can manually test every request and analyze the response to find vulnerabilities. You can test parameters and headers manually to get more precise results than if using web vulnerability scanners.

  What proxy tool will help you find web vulnerabilities?

  A. Maskgen
  B. Dimitry
  C. Burpsuite
  D. Proxychains
  C. Burpsuite

  ---

  Explanation

  In CEH v13 Module 12: Hacking Web Applications, Burp Suite is introduced as a powerful proxy-based tool used for intercepting, modifying, and analyzing HTTP/S traffic between a client and a web application.

  Key Features of Burp Suite:

  Captures all HTTP requests and responses.

  Allows for manual testing of input parameters, headers, and cookies.

  Includes tools such as Intruder, Repeater, Scanner, and Decoder.

  Helps detect vulnerabilities such as XSS, SQLi, CSRF, and insecure session handling.

  Option Review:

  A. Maskgen: Used for generating masks, not a web proxy.

  B. Dimitry: A footprinting tool, not used for request/response testing.

  C. Burpsuite: Correct. Designed for web application vulnerability analysis.

  D. Proxychains: Used to chain proxies for anonymity, not for HTTP traffic analysis.

  Module 12 - Web Application Testing Tools

  CEH iLabs: Using Burp Suite for Manual Vulnerability Discovery

• Question 204:

  You're the security manager for a tech company that uses a database to store sensitive customer data.

  You have implemented countermeasures against SQL injection attacks. Recently, you noticed some suspicious activities and suspect an attacker is using SQL injection techniques.

  The attacker is believed to use different forms of payloads in his SQL queries. In the case of a successful SQL injection attack, which of the following payloads would have the most significant impact?

  A. `OR 'T="1: This payload manipulates the WHERE clause of an SQL statement, allowing the attacker to view unauthorized data
  B. `OR username LIKE '%: This payload uses the LIKE operator to search for a specific pattern in a column
  C. OR `a'='a; DROP TABLE members; --: This payload combines the manipulation of the WHERE clausewith a destructive action, causing data loss
  D. UNION SELECT NULL, NULL, NULL -- : This payload manipulates the UNION SQL operator, enabling the attacker to retrieve data from different database tables
  C. OR `a'='a; DROP TABLE members; --: This payload combines the manipulation of the WHERE clausewith a destructive action, causing data loss

  ---

  Explanation

  The payload that would have the most significant impact in the case of a successful SQL injection attack is OR `a'='a; DROP TABLE members; --. This payload combines the manipulation of the WHERE clause with a destructive action, causing data loss. This payload works as follows:

  The OR `a'='a part of the payload is a logical expression that is always true, regardless of the input or the condition of the SQL statement. This part of the payload allows the attacker to bypass any authentication or authorization checks that may be implemented in the SQL statement, such as a login form or a search query.

  The ; part of the payload is a statement terminator that marks the end of the current SQL statement and allows the attacker to inject another SQL statement after it. This part of the payload enables the attacker to execute multiple SQL statements in a single query, which is also known as stacked queries or batched queries. The DROP TABLE members part of the payload is a destructive SQL statement that deletes the entire table named members from the database. This part of the payload causes data loss and may compromise the functionality and integrity of the application that relies on the table. The table name may vary depending on the target database, but the attacker can use other techniques, such as error-based or union-based SQL injection, to discover the table names before executing the drop statement.

  The part of the payload is a comment symbol that tells the SQL engine to ignore the rest of the query. This part of the payload helps the attacker to avoid any syntax errors or unwanted results that may arise from the original query.

  The other options are not as impactful as option C for the following reasons:

  A. `OR 'T="1: This payload manipulates the WHERE clause of an SQL statement, allowing the attacker to view unauthorized data. This payload is a common and basic SQL injection technique that injects a logical expression that is always true, such as 'OR 'T="1 or 'OR 1=1, to bypass the authentication or authorization checks of the SQL statement. This payload can allow the attacker to view data that they are not supposed to, such as user credentials, personal information, or financial records. However, this

  payload does not cause any data loss or modification, and it does not affect the functionality or integrity of the application.

  B. `OR username LIKE '%: This payload uses the LIKE operator to search for a specific pattern in a column. This payload is a variation of the previous payload that injects a logical expression that is always true, such as 'OR username LIKE '% or 'OR 1 LIKE '%, to bypass the authentication or authorization checks of the SQL statement. The LIKE operator is used to compare a value with a pattern that may contain wildcard characters, such as % or _, which match any string or character. This payload can

  allow the attacker to view data that matches the pattern, such as usernames that start with a certain letter or contain a certain substring. However, this payload does not cause any data loss or modification, and it does not affect the functionality or integrity of the application.

  D. UNION SELECT NULL, NULL, NULL - : This payload manipulates the UNION SQL operator, enabling the attacker to retrieve data from different database tables. This payload is an advanced SQL injection technique that injects the UNION SQL operator to combine the results of two or more SELECT statements into a single result set, which is then returned as part of the HTTP response. The UNION operator can be used to join the results from different tables that have the same number and type of

  columns. The NULL values are used to match the column types and avoid any errors. This payload can allow the attacker to retrieve data from tables that are not intended to be accessed by the application, such as system tables, configuration tables, or backup tables. However, this payload does not cause any data loss or modification, and it does not affect the functionality or integrity of the application.

  References:

  1: SQL Injection - OWASP Foundation 2: SQL Injection Payloads: How SQLi exploits work - Bright Security 3: SQL Injection - HackTricks

• Question 205:

  A penetration tester is tasked with assessing the security of an Android mobile application that stores sensitive user data. The tester finds that the application does not use proper encryption to secure data at rest. What is the most effective way to exploit this vulnerability?

  A. Access the local storage to retrieve sensitive data directly from the device
  B. Use SQL injection to retrieve sensitive data from the backend server
  C. Execute a Cross-Site Scripting (XSS) attack to steal session cookies
  D. Perform a brute-force attack on the application's login credentials
  A. Access the local storage to retrieve sensitive data directly from the device

  ---

  Explanation

  CEH training emphasizes that mobile applications frequently mishandle local storage, leaving sensitive data such as tokens, passwords, API keys, or personal information unencrypted within SQLite databases, shared preferences, or flat-file storage. When encryption is absent or improperly implemented, attackers can directly access this data through filesystem extraction, Android Debug Bridge (ADB) access, physical device access, or rooted environments. CEH identifies "Insecure Data Storage" as one of the most critical mobile vulnerabilities because it bypasses server-side defenses entirely. Since the vulnerability specifically concerns data at rest , the most direct and effective exploitation method is to retrieve the locally stored unencrypted data. SQL injection (Option B) evaluates backend security, not device storage. XSS (Option C) is a web attack and unrelated to local encryption. Brute-forcing credentials (Option D) is unnecessary when sensitive information is already stored insecurely. Therefore, accessing local storage is the correct exploitation method.

• Question 206:

  A penetration tester detects malware on a system that secretly records all keystrokes entered by the user. What type of malware is this?

  A. Rootkit
  B. Ransomware
  C. Keylogger
  D. Worm
  C. Keylogger

  ---

  Explanation

  CEH v13 explains that a keylogger is a type of spyware designed to capture user input covertly, often storing or transmitting captured data-such as passwords, emails, chat messages, and financial information-to an attacker. Keyloggers can be implemented as software, firmware, or hardware, and they operate silently in the background without affecting system performance, making them ideal for credential theft. CEH categorizes keyloggers under spying and monitoring malware frequently used in the System Hacking phase to escalate privileges or move laterally once credentials are harvested. Unlike rootkits, which hide processes, or ransomware, which encrypts files, a keylogger's main purpose is passive surveillance. CEH emphasizes how attackers deploy keyloggers post-compromise or use phishing/social engineering to trick victims into installing them. Their covert nature and ability to bypass traditional AV solutions by masquerading as legitimate processes make identifying them crucial during forensics and incident response activities.

• Question 207:

  Which Metasploit Framework tool can help penetration tester for evading Anti-virus Systems?

  A. msfpayload
  B. msfcli
  C. msfd
  D. msfencode
  D. msfencode

  ---

  Explanation

  One of the best ways to avoid being stopped by antivirus software is to encode our payload with msfencode. Msfencode is a useful tool that alters the code in an executable so that it looks different to antivirus software but will still run the same way. Much as the binary attachment in email is encoded in Base64, msfencode encodes the original executable in a new binary. Then, when the executable is run, msfencode decodes the original code into memory and exe-cutes it.

• Question 208:

  A cybersecurity consultant suspects attackers are attempting to evade an Intrusion Detection System (IDS) .

  Which technique is most likely being used?

  A. Deploying self-replicating malware
  B. Fragmenting malicious packets into smaller segments
  C. Flooding the IDS with ICMP packets
  D. Sending phishing emails
  B. Fragmenting malicious packets into smaller segments

  ---

  Explanation

  The CEH IDS/IPS Evasion module describes packet fragmentation as a common evasion technique used to bypass signature-based detection.

  Option B is correct.

  Other options represent different attack categories.

  CEH highlights reassembly normalization as a countermeasure.

• Question 209:

  A penetration tester is assessing a web application that uses dynamic SQL queries for searching users in the database. The tester suspects the search input field is vulnerable to SQL injection. What is the best approach to confirm this vulnerability?

  A. Input DROP TABLE users; -- into the search field to test if the database query can be altered
  B. Inject JavaScript into the search field to test for Cross-Site Scripting (XSS)
  C. Use a directory traversal attack to access server configuration files
  D. Perform a brute-force attack on the user login page to guess weak passwords
  A. Input DROP TABLE users; -- into the search field to test if the database query can be altered

  ---

  Explanation

  CEH explains that SQL injection testing should begin with controlled, intentional manipulation of SQL syntax to determine whether user input is improperly concatenated into backend queries. While destructive queries like DROP TABLE are not recommended in real-world ethical hacking engagements, CEH uses this example as a conceptual demonstration of how SQLi can influence database commands. In practice, a penetration tester would more safely use benign tautologies such as ' OR '1''1 to test whether unauthorized data is returned. However, within CEH's theoretical framing, injecting a clearly malicious SQL command demonstrates whether the input is executed at the database level. This validates improper sanitization, the use of dynamic SQL queries, and missing parameterized input handling. CEH stresses that SQLi is among the most critical vulnerabilities because it allows attackers to bypass authentication, exfiltrate data, or manipulate the database structure. XSS, brute-forcing, and directory traversal do not test SQL query manipulation and therefore do not confirm SQL injection.

• Question 210:

  As a Certified Ethical Hacker evaluating a smart city project (traffic lights, public Wi-Fi, and water management), you find anomalous IoT network logs showing high-volume data exchange between a specific traffic light and an external IP address. Further investigation reveals an unexpectedly open port on that traffic light. What should be your subsequent course of action?

  A. Isolate the affected traffic light from the network and perform a detailed firmware investigation
  B. Conduct an exhaustive penetration test across the entire network to uncover hidden vulnerabilities
  C. Analyze and modify IoT firewall rules to block further interaction with the suspicious external IP
  D. Attempt to orchestrate a reverse connection from the traffic light to the external IP to understand the transferred data
  A. Isolate the affected traffic light from the network and perform a detailed firmware investigation

  ---

  Explanation

  CEH's approach to suspected compromise aligns with an incident-handling mindset: containment first , then analysis and remediation. In IoT and OT-adjacent environments (smart city infrastructure, SCADA-like components, embedded controllers), CEH emphasizes that suspicious external communications and unexplained open ports may indicate compromise, misconfiguration, exposed management services, or implanted malware/backdoors. Because IoT endpoints often have limited logging and are difficult to reimage safely, the safest next step is to isolate the suspected device to prevent further data exfiltration, command-and-control activity, or lateral movement to other city systems.

  Option A best matches CEH guidance: isolate the device and investigate its firmware, services, and configuration , including checking for unauthorized binaries, altered firmware images, insecure default services, and hardcoded credentials. This also preserves evidence and reduces the blast radius. Option C (blocking the external IP) can be helpful, but it's a partial control: attackers can rotate infrastructure, and the device could still be compromised internally. Option B (full network pen test) is too broad and delays containment when a specific high-risk indicator is already present. Option D (attempting a reverse connection) crosses into active exploitation behavior and is not an appropriate "next step" in a defensive investigation; CEH methodology stresses authorized, controlled testing and prioritizes risk reduction over interacting with suspicious external hosts.

  Thus, CEH-aligned best practice is immediate isolation and firmware-level investigation .