EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 231:

  Packet fragmentation is used as an evasion technique. Which IDS configuration best counters this?

  A. Recognizing regular fragmented packet intervals
  B. Anomaly-based IDS detecting irregular traffic patterns
  C. Rejecting all fragmented packets
  D. Signature-based IDS detecting fragmented packet signatures
  B. Anomaly-based IDS detecting irregular traffic patterns

  ---

  Explanation

  Packet fragmentation is a well-documented IDS evasion technique in CEH v13 Network and Perimeter Hacking . Attackers fragment packets to evade detection by overwhelming or confusing intrusion detection systems, especially those that rely on simple pattern matching.

  CEH v13 explains that anomaly-based IDS systems are particularly effective against evasion techniques like packet fragmentation because they analyze deviations from normal network behavior , rather than relying on static signatures. Fragmented packets often create unusual traffic patterns, abnormal packet sizes, or irregular reassembly behavior, which anomaly-based systems are designed to detect.

  Signature-based IDS solutions struggle against fragmentation because attackers can split malicious payloads across multiple packets in ways that bypass predefined signatures. Rejecting all fragmented packets (Option C) is impractical and could disrupt legitimate network communication, as fragmentation is a normal part of TCP/IP networking.

  Recognizing regular intervals (Option A) is unreliable, as attackers can randomize packet timing. CEH v13 clearly recommends anomaly-based detection to counter advanced evasion techniques.

  Thus, Option B is the most effective and CEH-aligned IDS configuration.

• Question 232:

  Which action would most effectively increase the security of a virtual-hosted web server?

  A. Implement LAMP architecture
  B. Change IP addresses regularly
  C. Regularly update and patch server software
  D. Move document root to another disk
  C. Regularly update and patch server software

  ---

  Explanation

  According to CEH v13 Web Application and Server Security regular patching and updates , are the most effective way to reduce server attack surfaces. Vulnerabilities in web servers, proxies, and supporting services are frequently exploited if patches are delayed.

  While architectural choices and directory placement influence organization, they do not mitigate known vulnerabilities. Changing IP addresses does not prevent exploitation, and moving directories does not address underlying software flaws.

  CEH v13 consistently emphasizes patch management as a primary defensive control. Therefore, Option is C correct.

• Question 233:

  Which is the first step followed by Vulnerability Scanners for scanning a network?

  A. OS Detection
  B. Firewall detection
  C. TCP/UDP Port scanning
  D. Checking if the remote host is alive
  D. Checking if the remote host is alive

  ---

  Explanation

  Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps:

  1. Locating nodes: The first step in vulnerability scanning is to locate live hosts in the target network using various scanning techniques.

  2. Performing service and OS discovery on them: After detecting the live hosts in the target network, the next step is to enumerate the open ports and services and the operating system on the target systems.

  3. Testing those services and OS for known vulnerabilities: Finally, after identifying the open services and the operating system running on the target nodes, they are tested for known vulnerabilities.

• Question 234:

  Why explore the Deep Web during reconnaissance?

  A. Insider threats
  B. Physical attacker locations
  C. Learning hacking techniques
  D. Non-indexed company data exposure
  D. Non-indexed company data exposure

  ---

  Explanation

  CEH v13 explains that the Deep Web contains content not indexed by search engines, including exposed databases, misconfigured portals, leaked credentials, and internal documents. This makes it a critical area to assess unintended data exposure. The Deep Web is not primarily for attacker profiling or insider detection.

• Question 235:

  Study the following log extract and identify the attack.

  

  [Image shows an HTTP GET request with encoded traversal strings, such as

  A. Hexcode Attack
  B. Cross Site Scripting
  C. Multiple Domain Traversal Attack
  D. Unicode Directory Traversal Attack
  D. Unicode Directory Traversal Attack

  ---

  Explanation

  This log clearly shows an HTTP GET request attempting to exploit a web server using a directory traversal attack with Unicode encoding:

  The URL contains:/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:

  %c0%af is a known Unicode-encoded sequence used to bypass input validation filters.It translates to the forward slash character "/" when interpreted by vulnerable versions of Microsoft IIS (specifically IIS 4.0 and 5.0).

  This type of attack attempts to:

  Traverse out of the web root directory (via encoded ../ sequences)

  Access cmd.exe in the Windows system32 directory

  Execute operating system commands such as dir c: (list contents of drive C)

  From CEH v13 Official Courseware:

  Module 14: Hacking Web Servers

  Topic: Unicode Directory Traversal Vulnerability (IIS-specific)

  CEH v13 Study Guide states:

  "A Unicode Directory Traversal Attack takes advantage of improper input sanitization by encoding traversal characters (../) as Unicode (e.g., %c0%af). This bypasses input filters and accesses restricted directories such as system32."

  Incorrect Options:

  A. Hexcode Attack: Not a formal classification; here Unicode encoding is used.

  B. Cross-Site Scripting: Involves injecting scripts into a web page, unrelated to filesystem traversal.

  C. Multiple Domain Traversal: Not a valid or recognized attack type.

  CEH v13 Study Guide - Module 14: Web Server Attacks # Unicode Directory TraversalMicrosoft Security Bulletin MS00-078 - IIS Malformed Request Vulnerability

• Question 236:

  A web server is overwhelmed by many slow, incomplete HTTP connections. What attack is occurring?

  A. Slowloris attack
  B. ICMP flood
  C. UDP flood
  D. Fragmentation attack
  A. Slowloris attack

  ---

  Explanation

  This scenario describes a Slowloris attack , a classic application-layer DoS attack covered in CEH v13 Network and Perimeter Hacking . Slowloris works by opening many HTTP connections and sending data very slowly , preventing the server from closing the connections.

  Because the connections appear legitimate, the server keeps them open, eventually exhausting its connection pool. This causes legitimate users to experience timeouts and service unavailability-exactly as described. ICMP and UDP floods consume bandwidth, which was ruled out. Fragmentation attacks target packet handling, not application-layer sessions.

  CEH v13 highlights Slowloris as particularly dangerous because it requires minimal bandwidth and bypasses many traditional DoS defenses. Therefore, Option A is correct.

• Question 237:

  What is the proper response for a NULL scan if the port is closed?

  A. SYN
  B. ACK
  C. FIN
  D. PSH
  E. RST
  F. No response
  E. RST

  ---

  Explanation

  A NULL scan is a type of TCP stealth scan where no flags are set in the TCP header. It is used to identify open or closed ports based on how the target responds to this unexpected packet.

  Behavior:

  If the port is closed # Target responds with RST (Reset)

  If the port is open # No response (on compliant systems like Unix-based OSes)

  From CEH v13 Courseware:

  Module 03: Scanning Networks

  Topic: TCP Flag Scanning

  Subsection: NULL Scan

  CEH v13 Study Guide states:

  "In a NULL scan, if a target port is closed, the system responds with an RST packet as per RFC 793. If the port is open, it typically does not respond, which allows stealthy enumeration of services."

  Incorrect Options:

  A. SYN: Initiated by a SYN scan.

  B. ACK: Used in ACK scans.

  C/D: Not applicable for NULL scans.

  F. No response occurs for open ports, not closed ones.

  CEH v13 Study Guide - Module 3: Scanning Networks # Section: TCP Scanning MethodsRFC 793 - TCP Standard

• Question 238:

  During a red team engagement, an ethical hacker discovers that a thermostat accepts older firmware versions without verifying their authenticity. By loading a deprecated version containing known vulnerabilities, the tester gains unauthorized access to the broader network. Which IoT security issue is most accurately demonstrated in this scenario?

  A. Lack of secure update mechanisms
  B. Denial-of-service through physical tampering
  C. Insecure network service exposure
  D. Use of insecure third-party components
  A. Lack of secure update mechanisms

  ---

  Explanation

  CEH v13 emphasizes that IoT devices must implement secure firmware update mechanisms that enforce authenticity, integrity, and version control. A critical lapse occurs when devices allow rollback to older firmware versions or accept updates without cryptographic validation. This opens the door to "firmware downgrade attacks," where attackers intentionally install outdated but vulnerable firmware to reintroduce exploitable weaknesses. CEH identifies this as part of insecure update design, one of the most dangerous IoT vulnerabilities because firmware governs device behavior, network communication, and trust boundaries. Without signature verification, integrity checking, and anti-rollback enforcement, attackers can load malicious or deprecated firmware to escalate privileges or pivot deeper into a network. Options B and C represent different categories of IoT weaknesses, and D refers to supply-chain issues, none of which match the described rollback exploitation. Therefore, the vulnerability demonstrated is the absence of secure update mechanisms.

• Question 239:

  Mr. Omkar performed tool-based vulnerability assessment and found two vulnerabilities. During analysis, he found that these issues are not true vulnerabilities.

  What will you call these issues?

  A. False positives
  B. True negatives
  C. True positives
  D. False negatives
  A. False positives

  ---

  Explanation

  False Positives occur when a scanner, Web Application Firewall (WAF), or Intrusion Prevention System (IPS) flags a security vulnerability that you do not have. A false negative is the opposite of a false positive, telling you that you don't have a vulnerability when, in fact, you do.

  A false positive is like a false alarm; your house alarm goes off, but there is no burglar. In web application security, a false positive is when a web application security scanner indicates that there is a vulnerability on your website, such as SQL Injection, when, in reality, there is not. Web security experts and penetration testers use automated web application security scanners to ease the penetration testing process. These tools help them ensure that all web application attack surfaces are correctly tested in a reasonable amount of time. But many false positives tend to break down this process. If the first 20 variants are false, the penetration tester assumes that all the others are false positives and ignore the rest. By doing so, there is a good chance that real web application vulnerabilities will be left undetected.

  When checking for false positives, you want to ensure that they are indeed false. By nature, we humans tend to start ignoring false positives rather quickly. For example, suppose a web application security scanner detects 100 SQL Injection vulnerabilities. If the first 20 variants are false positives, the penetration tester assumes that all the others are false positives and ignore all the rest. By doing so, there are chances that real web application vulnerabilities are left undetected. This is why it is crucial to check every vulnerability and deal with each false positive separately to ensure false positives.

• Question 240:

  As a cybersecurity professional at XYZ Corporation, you are tasked with investigating anomalies in system logs that suggest potential unauthorized activity. System administrators have detected repeated failed login attempts on a critical server, followed by a sudden surge in outbound data traffic. These indicators suggest a possible compromise. Given the sensitive nature of the system and the sophistication of the threat, what should be your initial course of action -

  A. Conduct real-time monitoring of the server, analyze logs for abnormal patterns, and identify the nature of the activity to formulate immediate countermeasures.
  B. Conduct a comprehensive audit of all outbound traffic and analyze destination IP addresses to map the attacker's network.
  C. Immediately reset all server credentials and instruct all users to change their passwords.
  D. Immediately disconnect the affected server from the network to prevent further data exfiltration.
  A. Conduct real-time monitoring of the server, analyze logs for abnormal patterns, and identify the nature of the activity to formulate immediate countermeasures.

  ---

  Explanation

  The Certified Ethical Hacker (CEH) Incident Response lifecycle begins with Identification , followed by containment, eradication, recovery, and lessons learned. CEH documentation stresses that understanding the scope and nature of an incident is critical before taking disruptive action .

  Option A is the correct initial response because it focuses on real-time monitoring and log analysis , which are essential during the identification phase. CEH materials emphasize analyzing logs, authentication failures, and traffic anomalies to confirm whether an incident has occurred and determine the attacker's techniques, persistence level, and impact.

  Option B , while valuable, is more appropriate after initial identification . Conducting deep outbound traffic audits without first understanding the attack vector can delay containment decisions.

  Option C is premature. CEH warns that changing credentials too early may alert the attacker and cause them to escalate or destroy evidence.

  Option D represents a containment strategy , not an initial response. CEH guidelines advise against immediately disconnecting systems unless there is confirmed active data exfiltration that cannot be otherwise controlled, as this may disrupt business operations and erase volatile forensic evidence.

  Therefore, the CEH-approved approach is to monitor, analyze, and identify the incident before moving to containment and eradication.