EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 251:

  Clark is a professional hacker. He created and configured multiple domains pointing to the same host to switch quickly between the domains and avoid detection.

  Identify the behavior of the adversary In the above scenario.

  A. use of command-line interface
  B. Data staging
  C. Unspecified proxy activities
  D. Use of DNS tunneling
  C. Unspecified proxy activities

  ---

  Explanation

  A proxy server acts as a gateway between you and therefore the internet. It's an intermediary server separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy counting on your use case, needs, or company policy.

  If you're employing a proxy server, internet traffic flows through the proxy server on its thanks to the address you requested. A proxy server is essentially a computer on the web with its own IP address that your computer knows. once you send an internet request, your request goes to the proxy server first. The proxy server then makes your web request on your behalf, collects the response from the online server, and forwards you the online page data so you'll see the page in your browser.

• Question 252:

  Which of the following Linux commands will resolve a domain name into IP address?

  A. >host -t a hackeddomain.com
  B. >host -t ns hackeddomain.com
  C. >host -t soa hackeddomain.com
  D. >host -t AXFR hackeddomain.com
  A. >host -t a hackeddomain.com

  ---

  Explanation

  The host command in Linux is used for DNS lookup operations. The switch -t specifies the type of DNS record you are querying.

  host -t a domain.com queries for A (Address) records, which return the IP address associated with a domain.

  host -t ns queries for name servers (NS records).

  host -t soa queries for the Start of Authority (SOA) record.

  host -t AXFR attempts a zone transfer (not a standard resolution method and typically blocked).

  Hence, option A correctly resolves a domain name to its IP address.

  CEH v13 eCourseware - Module 02: Footprinting and Reconnaissance # DNS Enumeration Tools

  CEH v13 Study Guide - Chapter: Reconnaissance Techniques # "host Command Usage for DNS Information Gathering"

• Question 253:

  Tremp is an IT Security Manager planning to deploy an IDS. He needs a solution that:

  Verifies success/failure of an attack

  Monitors system activities

  Detects local (host-based) attacks

  Provides near real-time detection

  Doesn't require additional hardware

  Has a lower entry cost

  Which type of IDS is best suited for Tremp's requirements?

  A. Gateway-based IDS
  B. Network-based IDS
  C. Host-based IDS
  D. Open source-based
  C. Host-based IDS

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Host-based Intrusion Detection Systems (HIDS) run on individual hosts and monitor activities like file access, processes, and system logs. HIDS:

  Detects attacks missed by NIDS (e.g., insider threats, encrypted traffic)

  Monitors integrity of system files

  Works in near real-time

  Requires no additional network hardware

  Can be implemented at low cost

  From CEH v13 Courseware:

  Module 13: IDS, Firewalls and Honeypots # Types of IDS (HIDS vs. NIDS)

  CEH v13 Study Guide - Host-Based IDS Capabilities

• Question 254:

  During a red team operation on a segmented enterprise network, the testers discover that the organization's perimeter devices deeply inspect only connection-initiation packets (such as TCP SYN and HTTP requests). Response packets and ACK packets within established sessions, however, are minimally inspected. The red team needs to covertly transmit payloads to an internal compromised host by blending into normal session traffic. Which approach should they take to bypass these defensive mechanisms?

  A. Port knocking
  B. SYN scanning
  C. ICMP flooding
  D. ACK tunneling
  D. ACK tunneling

  ---

  Explanation

  CEH teaches that certain advanced intrusion evasion techniques rely on understanding how firewalls differentiate between new connections and established traffic. Most perimeter firewalls scrutinize SYN packets and initial HTTP requests but allow ACK packets from established sessions to pass with minimal filtering. ACK tunneling leverages this behavior by embedding malicious payloads inside ACK packets, which appear to be part of a legitimate, pre-established session. Because ACK packets are often considered "safe," they bypass deep inspection engines, intrusion detection systems, and application-layer gateways. This method allows attackers to move data or commands covertly between compromised internal systems and external hosts. CEH references such evasion strategies when discussing bypassing stateful firewalls and making malicious traffic appear legitimate. Port knocking and SYN scans would initiate new connections- precisely what the firewall is heavily inspecting. ICMP flooding is noisy and easily detected. ACK tunneling is specifically designed for stealth and is aligned with red team tradecraft for avoiding packet-level inspection mechanisms.

• Question 255:

  A penetration tester is tasked with mapping an organization's network while avoiding detection by sophisticated intrusion detection systems (IDS). The organization employs advanced IDS capable of recognizing common scanning patterns. Which scanning technique should the tester use to effectively discover live hosts and open ports without triggering the IDS?

  A. Execute a FIN scan by sending TCP packets with the FIN flag set
  B. Use an Idle scan leveraging a third-party zombie host
  C. Conduct a TCP Connect scan using randomized port sequences
  D. Perform an ICMP Echo scan to ping all network devices
  B. Use an Idle scan leveraging a third-party zombie host

  ---

  Explanation

  CEH v13 highlights the Idle Scan as one of the stealthiest reconnaissance methods available, designed specifically to avoid detection by IDS and security monitoring tools. Idle scanning leverages a "zombie host" -a system with a predictable IPID sequence-to route all probe packets through it. Since no packets ever originate directly from the attacker's IP, IDS systems are unable to attribute the port scan to the attacker. CEH emphasizes that this technique creates zero direct traffic between the attacker and the target, making it extremely evasive and ideal for highly monitored networks. FIN scans (Option A) are somewhat stealthy but still originate from the attacker and are detectable. TCP Connect scans (Option C) are the most detectable because they complete full connections. ICMP Echo scans (Option D) are easily logged and flagged by IDS. Idle scanning is uniquely suited for bypassing advanced detection systems while still identifying open ports and live hosts.

• Question 256:

  During enumeration, a tool sends requests to UDP port 161 and retrieves a large list of installed software due to a publicly known community string. What enabled this technique to work so effectively?

  A. Unencrypted FTP services storing software data
  B. The SNMP agent allowed anonymous bulk data queries due to default settings
  C. Remote access to encrypted Windows registry keys
  D. SNMP trap messages logged in plain text
  B. The SNMP agent allowed anonymous bulk data queries due to default settings

  ---

  Explanation

  This scenario describes SNMP Enumeration , a technique covered under CEH v13 Reconnaissance and Enumeration . Simple Network Management Protocol (SNMP) operates over UDP port 161 and is widely used for monitoring and managing network devices. A common and critical weakness arises when organizations leave default or publicly known community strings such as public (read-only) or private (read-write) unchanged.

  CEH v13 explains that when an SNMP agent is configured with default community strings, it allows unauthenticated or weakly authenticated queries , enabling attackers to retrieve extensive system information. This includes installed software, running processes, system descriptions, network interfaces, and routing tables. The ability to perform bulk data queries using SNMP GET and WALK commands makes enumeration highly effective and fast.

  Option B correctly identifies the root cause: misconfigured SNMP agents permitting anonymous or default access . The other options are incorrect because SNMP does not rely on FTP, registry access, or trap logging for enumeration. Traps (Option D) are unsolicited notifications sent to managers and are not used for querying system details.

  CEH v13 strongly recommends disabling SNMP when not required, changing default community strings, restricting SNMP access via ACLs, and using SNMPv3 , which supports authentication and encryption. Therefore, Option B is the correct and CEH-aligned answer.

• Question 257:

  As a part of an ethical hacking exercise, an attacker is probing a target network that is suspected to employ various honeypot systems for security. The attacker needs to detect and bypass these honeypots without alerting the target. The attacker decides to utilize a suite of techniques. Which of the following techniques would NOT assist in detecting a honeypot?

  A. Probing system services and observing the three-way handshake
  B. Using honeypot detection tools like Send-Safe Honeypot Hunter
  C. Implementing a brute force attack to verify system vulnerability
  D. Analyzing the MAC address to detect instances running on VMware
  C. Implementing a brute force attack to verify system vulnerability

  ---

  Explanation

  A brute force attack is a method of trying different combinations of passwords or keys to gain access to a system or service. It is not a reliable way of detecting a honeypot, as it may trigger an alert or response from the target. Moreover, a brute force attack does not provide any information about the system's characteristics or behavior that could indicate a honeypot. A honeypot is a decoy system that is designed to attract and trap attackers, while providing security teams with valuable intelligence and insights. Therefore, an ethical hacker needs to use more subtle and stealthy techniques to detect and avoid honeypots.

  The other options are valid techniques for detecting a honeypot. Probing system services and observing the three-way handshake can reveal anomalies or inconsistencies in the system's responses, such as abnormal banners, ports, or protocols. Using honeypot detection tools like Send-Safe Honeypot Hunter can scan the target network and identify potential honeypots based on various criteria, such as IP address, domain name, or open ports. Analyzing the MAC address can detect instances running on VMware, which is a common platform for deploying honeypots. A honeypot running on VMware will have a MAC address that starts with 00:0C:29, 00:50:56, or 00:05:69. References:

  What is a Honeypot? Types, Benefits, Risks and Best Practices

  Using Honeypots for Network Intrusion Detection

  Detecting Honeypot Access With Varonis

• Question 258:

  Which of the following tools is used to analyze the files produced by several packet-capture programs such as tcpdump, WinDump, Wireshark, and EtherPeek?

  A. tcptrace
  B. Nessus
  C. OpenVAS
  D. tcptraceroute
  A. tcptrace

  ---

  Explanation

  tcptrace is a command-line tool used to analyze the output of packet-capture tools such as tcpdump and Wireshark. It processes the captured data and generates detailed reports on TCP connections including connection durations, round-trip times, throughput, and more.

  # Reference: CEH v13 Study Guide, Module 10: Sniffing

  "tcptrace reads in packet trace files and outputs information about each TCP connection seen."

  # Incorrect options:

  B. Nessus is a vulnerability scanner.

  C. OpenVAS is also a vulnerability assessment tool.

  D. tcptraceroute is used to trace the path of packets at the TCP level, not for analyzing captured data.

• Question 259:

  Consider the following Nmap output:

  

  what command-line parameter could you use to determine the type and version number of the web server?

  A. -sv
  B. -Pn
  C. -V
  D. -ss
  A. -sv

  ---

  Explanation

  According to CEH v13 Module 03: Scanning Networks, when using Nmap for service enumeration and fingerprinting, the flag to determine service version and type information is:

  -sV - Version Detection Scan

  nmap -sV instructs Nmap to actively connect to open ports and probe the services running on those ports. This technique helps identify:

  The service name (e.g., Apache, Nginx, etc.)

  The version number (e.g., Apache 2.4.54)

  The OS or device details (when possible) This is especially useful when ports like 80 (HTTP) and 443 (HTTPS) are open, as it helps determine which web server is running (e.g., Apache, IIS, Nginx) and its version - which is critical for vulnerability assessment.

  Why Other Options Are Incorrect:

  A. -sv

  # Incorrect syntax. Nmap flags are case-sensitive and this is a typo. Correct flag is -sV.

  B. -Pn

  Skips host discovery (ping scan). It does not provide service version info.

  C. -V

  Displays Nmap's version, not the service version on the target.

  D. -ss

  Incorrect spelling. You may have meant -sS (TCP SYN scan), which is for port scanning, not version detection.

  Correct Option is A, assuming the intent is to write the correct syntax as -sV. However, strictly speaking, if this is a case-sensitive exam, and the listed option is -sv (lowercase 'v'), it would be invalid. But based on CEH exam context where minor casing issues are accepted if conceptually correct, A is the best answer.

  Reference from CEH v13 Study Guide and Courseware:

  Module 03 - Scanning Networks, Section: Nmap Scan Types and Options

  EC-Council iLabs: Performing Version Detection Using nmap -sV

  Nmap Official Docs (Referenced in CEH): https://nmap.org/book/man-version-detection.html

  -h | findstr " -sV" -sV: Probe open ports to determine service/version info

• Question 260:

  An ethical hacker conducts testing with full knowledge and permission. What type of hacking is this?

  A. Blue Hat
  B. Grey Hat
  C. White Hat
  D. Black Hat
  C. White Hat

  ---

  Explanation

  White Hat Hacking is defined in CEH v13 as ethical hacking performed with explicit authorization to identify and remediate vulnerabilities. White hat hackers operate within legal frameworks and contractual agreements.

  Grey hats act without permission but without malicious intent. Black hats conduct illegal attacks. Blue hats are external testers invited to find bugs before product release.