EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 241:

  Bella, a security professional working at an it firm, finds that a security breach has occurred while transferring important files. Sensitive data, employee usernames. and passwords are shared In plaintext, paving the way for hackers 10 perform successful session hijacking. To address this situation. Bella Implemented a protocol that sends data using encryption and digital certificates. Which of the following protocols Is used by Bella?

  A. FTP
  C. HTTPS
  D. FTPS
  E. IP
  C. HTTPS

  ---

  Explanation

  The File Transfer Protocol (FTP) is a standard organization convention utilized for the exchange of PC records from a worker to a customer on a PC organization. FTP is based on a customer worker model engineering utilizing separate control and information associations between the customer and the server.[1] FTP clients may validate themselves with an unmistakable book sign-in convention, ordinarily as a username and secret key, however can interface namelessly if the worker is designed to permit it.

  For secure transmission that ensures the username and secret phrase, and scrambles the substance, FTP is frequently made sure about with SSL/TLS (FTPS) or supplanted with SSH File Transfer Protocol (SFTP).

  The primary FTP customer applications were order line programs created prior to working frameworks had graphical UIs, are as yet dispatched with most Windows, Unix, and Linux working systems.[2][3] Many FTP customers and mechanization utilities have since been created for working areas, workers, cell phones, and equipment, and FTP has been fused into profitability applications, for example, HTML editors.

• Question 242:

  During a routine security audit, administrators found that cloud storage backups were illegally accessed and modified. What countermeasure would most directly mitigate such incidents in the future?

  A. Deploying biometric entry systems
  B. Implementing resource auto-scaling
  C. Regularly conducting SQL injection testing
  D. Adopting the 3-2-1 backup model
  D. Adopting the 3-2-1 backup model

  ---

  Explanation

  According to CEH v13 Cloud Computing , backup integrity and resilience are critical components of cloud security. The 3-2-1 backup model is a widely recommended best practice to mitigate unauthorized access, data corruption, and ransomware-related incidents.

  The 3-2-1 rule dictates that organizations should maintain:

  3 copies of critical data

  Stored on 2 different media types

  With 1 copy stored offsite or offline

  This approach ensures that even if one backup is compromised, altered, or deleted-as described in the scenario-clean and trusted versions of the data remain available for restoration. CEH v13 emphasizes that offline or immutable backups significantly reduce the impact of malicious modification.

  Option A focuses on physical security, which does not protect cloud backups. Option B addresses availability, not integrity. Option C is relevant to web application security, not backup protection.

  CEH v13 explicitly highlights backup segregation and redundancy as key countermeasures against cloud data compromise. Therefore, Option D is the most direct and effective mitigation strategy.

• Question 243:

  Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized packets to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be used to perform session splicing attacks?

  A. tcpsplice
  B. Burp
  C. Hydra
  D. Whisker
  D. Whisker

  ---

  Explanation

  Many IDS reassemble communication streams; hence, if a packet is not received within a reasonable period, many IDS stop reassembling and handling that stream. If the application under attack keeps a session active for a longer time than that spent by the IDS on reassembling it, the IDS will stop. As a result, any session after the IDS stops reassembling the sessions will be susceptible to malicious data theft by attackers. The IDS will not log any attack attempt after a successful splicing attack. Attackers can use tools such as Nessus for session splicing attacks.?

  Did you know that the EC-Council exam shows how well you know their official book? So, there is no "Whisker" in it. In the chapter "Evading IDS" -> "Session Splicing", the recommended tool for performing a session-splicing attack is Nessus. Where Wisker came from is not entirely clear, but I will assume the author of the question found it while copying Wikipedia.

  https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques

  One basic technique is to split the attack payload into multiple small packets so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.

  By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet re-assemblers but not the target computer.

  NOTE: Yes, I found scraps of information about the tool that existed in 2012, but I can not give you unverified information. According to the official tutorials, the correct answer is Nessus, but if you know anything about Wisker, please write in the QA section. Maybe this question will be updated soon, but I'm not sure about that.

• Question 244:

  Thomas, a cloud security professional, is performing security assessment on cloud services to identify any loopholes. He detects a vulnerability in a bare-metal cloud server that can enable hackers to implant malicious backdoors in its firmware. He also identified that an installed backdoor can persist even if the server is reallocated to new clients or businesses that use it as an IaaS.

  What is the type of cloud attack that can be performed by exploiting the vulnerability discussed in the above scenario?

  A. Man-in-the-cloud (MITC) attack
  B. Cloud cryptojacking
  C. Cloudborne attack
  D. Metadata spoofing attack
  C. Cloudborne attack

  ---

  Explanation

  In CEH v13 Module 16: Cloud Computing and Container Security, Cloudborne attacks are described as threats specific to bare-metal cloud infrastructure.

  Characteristics of a Cloudborne Attack:

  Targets firmware-level vulnerabilities in reused physical servers.

  Malware or backdoors can persist even after VM or OS reinstallation.

  Can lead to compromise of new tenants or clients once servers are reallocated.

  First highlighted in Project X by Eclypsium.

  Option Clarification:

  A. MITC: Exploits synchronization in cloud storage, not firmware.

  B. Cryptojacking: Mining cryptocurrency using cloud resources.

  C. Cloudborne attack: Correct - targets firmware on bare-metal cloud servers.

  D. Metadata spoofing: Exploits cloud instance metadata services, unrelated to firmware.

  Module 16 - Advanced Cloud Attacks # Cloudborne Threats

  CEH eBook: Firmware-Level Threats in Cloud Environments

• Question 245:

  An audacious attacker is targeting a web server you oversee. He intends to perform a Slow HTTP POST attack, by manipulating 'a' HTTP connection. Each connection sends a byte of data every 'b' second, effectively holding up the connections for an extended period. Your server is designed to manage 'm' connections per second, but any connections exceeding this number tend to overwhelm the system. Given `a=100' and variable 'm', along with the attacker's intention of maximizing the attack duration 'D=a*b', consider the following scenarios. Which is most likely to result in the longest duration of server unavailability?

  A. m=110, b=20: Despite the attacker sending 100 connections, the server can handle 110 connections persecond, therefore likely staying operative, regardless of the hold-up time per connection
  B. m=90, b=15: The server can manage 90 connections per second, but the attacker's 100 connectionsexceed this, and with each connection held up for 15 seconds, the attack duration could be significant
  C. 95, b=10: Here, the server can handle 95 connections per second, but it falls short against theattacker's 100 connections, albeit the hold-up time per connection is lower
  D. m=105, b=12: The server can manage 105 connections per second, more than the attacker's 100connections, likely maintaining operation despite a moderate hold-up time
  B. m=90, b=15: The server can manage 90 connections per second, but the attacker's 100 connectionsexceed this, and with each connection held up for 15 seconds, the attack duration could be significant

  ---

  Explanation

  A Slow HTTP POST attack is a type of denial-of-service (DoS) attack that exploits the way web servers handle HTTP requests. The attacker sends a legitimate HTTP POST header to the web server, specifying a large amount of data to be sent in the request body. However, the attacker then sends the data very slowly, keeping the connection open and occupying the server's resources. The attacker can launch multiple such connections, exceeding the server's capacity to handle concurrent requests and preventing legitimate users from accessing the web server.

  The attack duration D is given by the formula D = a * b, where a is the number of connections and b is the hold-up time per connection. The attacker intends to maximize D by manipulating a and b. The server can manage m connections per second, but any connections exceeding m will overwhelm the system. Therefore, the scenario that is most likely to result in the longest duration of server unavailability is the one where a > m and b is the largest. Among the four options, this is the case for option B, where a = 100, m = 90, and b = 15. In this scenario, D = 100 * 15 = 1500 seconds, which is the longest among the four options. Option A has a larger b, but a < m, so the server can handle the connections without being overwhelmed. Option C has a > m, but a smaller b, so the attack duration is shorter. Option D has a > m, but a smaller b and a smaller difference between a and m, so the attack duration is also shorter.

  References:

  What is a Slow POST Attack and How to Prevent One? (Guide)

  Mitigate Slow HTTP GET/POST Vulnerabilities in the Apache HTTP Server - Acunetix

• Question 246:

  Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal?

  A. har.txt
  B. SAM file
  C. wwwroot
  D. Repair file
  B. SAM file

  ---

  Explanation

• Question 247:

  The security administrator of ABC needs to permit Internet traffic in the host 10.0.0.2 and UDP traffic in the host 10.0.0.3. He also needs to permit all FTP traffic to the rest of the network and deny all other traffic. After he applied his ACL configuration in the router, nobody can access the ftp, and the permitted hosts cannot access the Internet. According to the next configuration, what is happening in the network?

  access-list 102 deny tcp any any

  access-list 104 permit udp host 10.0.0.3 any

  access-list 110 permit tcp host 10.0.0.2 eq www any

  access-list 108 permit tcp any eq ftp any

  A. The ACL 104 needs to be first because is UDP
  B. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router
  C. The ACL for FTP must be before the ACL 110
  D. The ACL 110 needs to be changed to port 80
  B. The first ACL is denying all TCP traffic and the other ACLs are being ignored by the router

  ---

  Explanation

  https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html Since the first line prohibits any TCP traffic (access-list 102 deny tcp any any), the lines below will simply be ignored by the router. Below you will find the example from CISCO documentation.

  This figure shows that FTP (TCP, port 21) and FTP data (port 20) traffic sourced from NetB destined to NetA is denied, while all other IP traffic is permitted.

  FTP uses port 21 and port 20. TCP traffic destined to port 21 and port 20 is denied and everything else is explicitly permitted.

  access-list 102 deny tcp any any eq ftp

  access-list 102 deny tcp any any eq ftp-data

  access-list 102 permit ip any any

• Question 248:

  If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible?

  A. Birthday
  B. Brute force
  C. Man-in-the-middle
  D. Smurf
  B. Brute force

  ---

  Explanation

  If the token itself (e.g., hardware key or smartcard) performs offline verification of the PIN, it can be physically attacked. An attacker can:

  Steal the token

  Try all possible PIN combinations (0000?999)

  Bypass limits if no lockout mechanisms exist

  This is a brute-force attack - the attacker tries every combination until the correct one is found.

  From CEH v13 Courseware:

  Module 6: Malware and Authentication

  Module 20: Identity and Access Management

  Incorrect Options:

  A: Birthday attacks are related to hash collisions.

  C: MITM involves intercepting communication, not offline brute-force.

  D: Smurf is a DoS attack, not related to token/PIN systems.

  CEH v13 Study Guide - Module 6: Authentication AttacksOWASP - Hardware Token Security Considerations

• Question 249:

  What ports should be blocked on the firewall to prevent NetBIOS traffic from not coming through the firewall if your network is comprised of Windows NT, 2000, and XP?

  A. 110
  B. 135
  C. 139
  D. 161
  E. 445
  F. 1024
  B. 135
  C. 139
  E. 445

  ---

  Explanation

  To block NetBIOS and related Windows networking traffic from traversing a firewall (especially from external sources), you should block the following ports:

  Port 135 (TCP/UDP): Microsoft RPC endpoint mapper (DCOM/RPC) Port 139 (TCP): NetBIOS Session Service

  Port 445 (TCP): Direct-hosted SMB over TCP/IP (Windows 2000+)

  These ports are commonly used for:

  File sharing

  RPC-based communication

  Windows network services

  From CEH v13 Official Courseware:

  Module 3: Scanning Networks

  Module 4: Enumeration

  CEH v13 Study Guide states:

  "To prevent external enumeration, remote file sharing, and NetBIOS attacks, administrators should block inbound access to ports 135, 139, and 445 on the firewall."

  Incorrect Options:

  A (110): POP3 mail service

  D (161): SNMP

  F (1024): High ephemeral port; not specific to NetBIOS

  CEH v13 Study Guide - Module 4: Enumeration # NetBIOS Enumeration PreventionMicrosoft Security Best Practices - Block SMB Ports (135?39, 445)

• Question 250:

  Which of these is capable of searching for and locating rogue access points?

  A. HIDS
  B. WISS
  C. WIPS
  D. NIDS
  C. WIPS

  ---

  Explanation

  A Wireless Intrusion Prevention System (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).