EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 211:

  Targeted, logic-based credential guessing using prior intel best describes which technique?

  A. Strategic pattern-based input using known logic
  B. Exhaustive brute-force testing
  C. Shoulder surfing
  D. Rule-less hybrid attack
  A. Strategic pattern-based input using known logic

  ---

  Explanation

  This describes a rule-based or logic-based password attack , which CEH v13 classifies as a smart, targeted guessing technique . Attackers use known patterns-such as naming conventions, dates, or personal interests-to reduce the keyspace and increase success rates.

  Option A accurately reflects this methodology. Option B is brute force, which is random and exhaustive. Option C is physical observation. Option D describes hybrid attacks without structured logic.

  CEH v13 emphasizes that pattern-based attacks are highly effective when attackers possess prior intelligence.Therefore, Option A is correct.

• Question 212:

  While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an attack or other wrongdoing. However, you are concerned about affecting the normal functionality of the email server. From the following options choose how best you can achieve this objective:

  A. Block port 25 at the firewall.
  B. Shut off the SMTP service on the server.
  C. Force all connections to use a username and password.
  D. Switch from Windows Exchange to UNIX Sendmail.
  E. None of the above.
  C. Force all connections to use a username and password.

  ---

  Explanation

  Telnetting into port 25 allows users to manually issue SMTP commands. While not necessarily malicious, it can be abused (e.g., for spamming or probing).

  You don't want to shut down SMTP (as that's required for email), and you can't block port 25 entirely. The best approach is to secure the service by requiring:

  SMTP authentication (username/password)

  Possibly TLS encryption

  From CEH v13 Courseware:

  Module 5: Vulnerability Analysis

  Module 20: Secure Protocols

  CEH v13 Study Guide states:

  "To prevent unauthorized SMTP access, require SMTP AUTH. This allows only authenticated users to send email, mitigating abuse of open mail relays."

  Incorrect Options:

  A: Blocks all SMTP, affecting email functionality.

  B: Disables mail service entirely.

  D: Switching platforms doesn't solve the underlying issue.

  E: Not appropriate--there is a clear solution.

  CEH v13 Study Guide - Module 5: Mail Server HardeningRFC 4954 - SMTP Authentication

• Question 213:

  A web application returns generic error messages. The analyst submits AND 1=1 and AND 1=2 and observes different responses. What type of injection is being tested?

  A. UNION-based SQL injection
  B. Error-based SQL injection
  C. Boolean-based blind SQL injection
  D. Time-based blind SQL injection
  C. Boolean-based blind SQL injection

  ---

  Explanation

  This technique is known as Boolean-Based Blind SQL Injection , as defined in CEH v13 Web Application Hacking . When applications suppress database errors and return generic responses, attackers use conditional statements to infer database behavior.

  By comparing responses to true (1=1) and false (1=2) conditions, the attacker deduces whether injected SQL is being executed successfully.

  CEH v13 distinguishes this from:

  Error-based SQLi (visible DB errors)

  UNION-based SQLi (data extraction)

  Time-based SQLi (response delays)

  Boolean-based blind SQL injection relies solely on content differences , making option C correct.

• Question 214:

  A cybersecurity research team identifies suspicious behavior on a user's Android device. Upon investigation, they discover that a seemingly harmless app, downloaded from a third-party app store, has silently overwritten several legitimate applications such as WhatsApp and SHAREit. These fake replicas maintain the original icon and user interface but serve intrusive advertisements and covertly harvest credentials and personal data in the background. The attackers achieved this by embedding malicious code in utility apps like video editors and photo filters, which users were tricked into installing. The replacement occurred without user consent, and the malicious code communicates with a command-and-control (CandC) server to execute further instructions. What type of attack is being carried out in this scenario?

  A. Simjacker attack
  B. Man-in-the-Disk attack
  C. Agent Smith attack
  D. Camfecting attack
  C. Agent Smith attack

  ---

  Explanation

  CEH v13 describes Agent Smith-Style attacks as malicious Android operations where an app silently replaces legitimate applications by exploiting weaknesses in the Android app update and installation processes. These attacks often begin when users download seemingly innocent apps from untrusted third- party marketplaces. Once installed, the malicious application injects harmful code into other apps, overwriting them while preserving their icons and interface, allowing the attacker to harvest credentials, display ads, or maintain persistence without detection. CEH explains that this technique takes advantage of Android's APK structure, sideloading vulnerabilities, and lack of signature validation in compromised environments. Simjacker (Option A) targets SIM toolkit vulnerabilities and does not replace apps. Man-in-the-Disk (Option B) abuses external storage operations but does not overwrite applications. Camfecting (Option D) refers to hijacking smartphone cameras. The described malicious replacement of legitimate apps exactly matches the Agent Smith attack pattern .

• Question 215:

  Todd has been asked by the security officer to purchase a counter-based authentication system. Which of the following best describes this type of system?

  A. A biometric system that bases authentication decisions on behavioral attributes.
  B. A biometric system that bases authentication decisions on physical attributes.
  C. An authentication system that creates one-time passwords that are encrypted with secret keys.
  D. An authentication system that uses passphrases that are converted into virtual passwords.
  C. An authentication system that creates one-time passwords that are encrypted with secret keys.

  ---

  Explanation

  A counter-based authentication system is based on the HOTP (HMAC-Based One-Time Password) algorithm. It uses a shared secret and a moving counter to generate a one-time password (OTP). Each time the counter is incremented, a new OTP is generated and encrypted using the secret key.

  CEH v13 Official Study Guide:

  Module 5: System Hacking

  Quote:

  "HOTP generates a one-time password using a counter value and a secret key. This is a form of two-factor authentication, and the passwords are encrypted."

  Incorrect Options Explained:

  A and B. These describe biometric systems, not counter-based OTPs.

  D. Virtual passwords from passphrases are not counter-based systems.

• Question 216:

  A penetration tester is tasked with uncovering historical content from a company's website, including previously exposed login portals or sensitive internal pages. Direct interaction with the live site is prohibited due to strict monitoring policies. To stay undetected, the tester decides to explore previously indexed snapshots of the organization's web content saved by external sources. Which approach would most effectively support this passive information-gathering objective?

  A. Search with intext:"login" site:target.com to retrieve login data
  B. Use the link: operator to find backlinks to login portals
  C. Apply the cache: operator to view Google's stored versions of target pages
  D. Use the intitle:login operator to list current login pages
  C. Apply the cache: operator to view Google's stored versions of target pages

  ---

  Explanation

  Passive reconnaissance is emphasized throughout CEH as an essential method for gathering intelligence without alerting monitoring systems. When the tester cannot interact with the live site, they must rely entirely on third-party archives or cached content stored by search engines or internet archival services. Google's cache function provides previously stored versions of web pages exactly for this purpose. CEH explains that attackers frequently use cached content to retrieve outdated login portals, administrative pages, exposed directories, or other sensitive elements that may no longer appear on the live web server. Unlike operators such as intext or intitle, which query live indexed metadata, the cache operator retrieves historical snapshots without accessing the target website. The link operator identifies backlinks but does not provide historical page content. Only the cache operator directly supports viewing previous versions of pages passively, aligning perfectly with the requirement to avoid detection while gathering intelligence on legacy web content.

• Question 217:

  An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file.

  What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?

  A. Protocol analyzer
  B. Network sniffer
  C. Intrusion Prevention System (IPS)
  D. Vulnerability scanner
  A. Protocol analyzer

  ---

  Explanation

  A Protocol Analyzer is the correct tool used to examine the contents of packet data (often stored in .pcap files) to determine if a particular sequence of traffic is suspicious, malformed, or part of a known exploit.

  In CEH v13:

  Module 3: Scanning Networks

  Module 4: Enumeration

  Module 5: Vulnerability Analysis

  Related Lab: Packet Analysis using Wireshark

  The CEH v13 Study Guide states:

  "A protocol analyzer (e.g., Wireshark) captures and decodes packets to display their contents and help analysts understand communication flows and anomalies. It is used to manually inspect packet contents and behavior, which helps distinguish legitimate traffic from attacks." PCAP (Packet Capture) files are typically analyzed using tools like Wireshark. These tools decode protocol layers and show payloads, making it easier for analysts to identify if IDS alerts were accurate or false positives.

  Incorrect Options:

  B. Network sniffer: General term; protocol analyzer is the specific functional tool used.

  C. IPS: Prevents or blocks malicious traffic, but does not analyze existing packet captures.

  D. Vulnerability scanner: Identifies vulnerabilities on systems/services; not used for packet capture review.

  CEH v13 Study Guide - Module 3: Scanning Networks, "Using Packet Capture and Protocol Analysis Tools"CEH iLabs: "Network Scanning and Protocol Analysis with Wireshark"

• Question 218:

  A penetration tester needs to identify open ports and services on a target network without triggering the organization's intrusion detection systems, which are configured to detect high-volume traffic and common scanning techniques. To achieve stealth, the tester decides to use a method that spreads out the scan over an extended period. Which scanning technique should the tester employ to minimize the risk of detection?

  A. Use a stealth scan by adjusting the scan timing options to be slow and random
  B. Perform a TCP SYN scan using a fast scan rate
  C. Execute a UDP scan targeting all ports simultaneously
  D. Conduct a TCP Xmas scan sending packets with all flags set
  A. Use a stealth scan by adjusting the scan timing options to be slow and random

  ---

  Explanation

  The CEH v13 content explains that stealth scanning involves modifying scan timing parameters to reduce packet frequency, randomize intervals, and avoid recognizable patterns typically flagged by intrusion detection systems. Slow, randomized timing-often achieved with Nmap's T0 or T1 timing templates- prevents bursts of traffic and allows scans to blend into normal network noise. IDS/IPS systems tuned for high-volume events may fail to detect such gradual reconnaissance. Fast SYN scans generate distinctive patterns easily identified by security monitoring tools. UDP scans, especially across all ports, produce high traffic volume and are extremely noisy. Xmas scans, although sometimes used for stealth against stateless filters, are still signature-detectable and inappropriate when stealth over time is required. Therefore, applying slow, randomized timing options aligns with CEH-approved reconnaissance techniques for evading detection while enumerating open ports.

• Question 219:

  A penetration tester is assessing a company's HR department for vulnerability to social engineering attacks using knowledge of recruitment and onboarding processes. What is the most effective technique to obtain network access credentials without raising suspicion?

  A. Develop a fake social media profile to connect with HR employees and request sensitive information
  B. Create a convincing fake onboarding portal that mimics the company's internal systems
  C. Send a generic phishing email with a link to a fake HR policy document
  D. Conduct a phone call posing as a new employee to request password resets
  B. Create a convincing fake onboarding portal that mimics the company's internal systems

  ---

  Explanation

  Social engineering attacks that target business processes are especially effective when they mimic legitimate workflows. CEH learning materials emphasize that attackers often exploit trust relationships and organizational procedures rather than attempting broad or generic phishing methods. In the context of HR operations, onboarding portals are highly trusted and frequently accessed by new employees who expect to enter personal information, submit documents, and receive initial network credentials. By creating a fake onboarding portal that closely resembles the organization's internal system, an attacker can collect credentials without triggering suspicion because the action being requested appears normal and expected. This method leverages procedural familiarity, brand consistency, and the implied authority of HR communications, making it far more effective than generic phishing emails or unsolicited social media messages. Phone calls, while sometimes useful, involve real-time interaction and increase the chance of detection. The fake portal, however, seamlessly integrates into existing processes, making it the most effective and lowest-profile approach for acquiring network credentials.

• Question 220:

  Within the context of Computer Security, which of the following statements describes Social Engineering best?

  A. Social Engineering is the act of publicly disclosing information
  B. Social Engineering is the means put in place by human resource to perform time accounting
  C. Social Engineering is the act of getting needed information from a person rather than breaking into a system
  D. Social Engineering is a training program within sociology studies
  C. Social Engineering is the act of getting needed information from a person rather than breaking into a system

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Social engineering is a psychological manipulation technique used by attackers to trick individuals into divulging confidential or personal information that may be used for fraudulent purposes.

  It relies on human interaction and may involve tactics such as:

  Impersonation

  Pretexting

  Phishing

  Baiting

  Rather than attacking systems directly, attackers exploit human trust and error.

  From CEH v13 Courseware:

  Module 7: Social Engineering

  CEH v13 Study Guide - Module 7: Human-Based and Computer-Based Social Engineering