EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 271:

  Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform SNMP inquiries over the network.

  Which of these tools would do the SNMP enumeration he is looking for? Select the best answers.

  A. SNMPUtil
  B. SNScan
  C. SNMPScan
  D. SolarWinds IP Network Browser
  E. NMap
  A. SNMPUtil
  B. SNScan
  C. SNMPScan
  D. SolarWinds IP Network Browser

  ---

  Explanation

  Simple Network Management Protocol (SNMP) enumeration involves querying devices on the network for information such as routing tables, interface statistics, and system details.

  Useful tools include:

  A. SNMPUtil: A command-line Microsoft utility for sending SNMP requests.

  B. SNScan: Tool from Foundstone for SNMP scanning and enumeration.

  C. SNMPScan: Lightweight tool for scanning networks for SNMP-enabled devices.

  D. SolarWinds IP Network Browser: A commercial tool for graphical SNMP enumeration.

  From CEH v13 Courseware:

  Module 4: Enumeration

  Subsection: SNMP Enumeration Tools

  Incorrect Option:

  E. NMap can detect SNMP services, but is not specialized for SNMP enumeration like the others.

  CEH v13 Study Guide - Module 4: SNMP Enumeration ToolsRFC 1157 - SNMP Protocol Specification

• Question 272:

  Ricardo has discovered the username for an application in his targets environment. As he has a limited amount of time, he decides to attempt to use a list of common passwords he found on the Internet. He compiles them into a list and then feeds that list as an argument into his password-cracking application, what type of attack is Ricardo performing?

  A. Known plaintext
  B. Password spraying
  C. Brute force
  D. Dictionary
  D. Dictionary

  ---

  Explanation

  A dictionary Attack as an attack vector utilized by the attacker to break in a very system, that is password protected, by golf shot technically each word in a very dictionary as a variety of password for that system. This attack vector could be a variety of Brute Force Attack.

  The lexicon will contain words from an English dictionary and conjointly some leaked list of commonly used passwords and once combined with common character substitution with numbers, will generally be terribly effective and quick.

  How is it done?

  Basically, it's attempting each single word that's already ready. it's done victimization machine-controlled tools that strive all the possible words within the dictionary.

  Some password Cracking Software:

  John the ripper L0phtCrack Aircrack-ng

• Question 273:

  A penetration tester evaluates a company's susceptibility to advanced social engineering attacks targeting its executive team. Using detailed knowledge of recent financial audits and ongoing projects, the tester crafts a highly credible pretext to deceive executives into revealing their network credentials. What is the most effective social engineering technique the tester should employ to obtain the necessary credentials without raising suspicion?

  A. Send a mass phishing email with a link to a fake financial report
  B. Create a convincing fake email from the CFO asking for immediate credential verification
  C. Conduct a phone call posing as an external auditor requesting access to financial systems
  D. Develop a spear-phishing email that references specific financial audit details and requests login confirmation
  D. Develop a spear-phishing email that references specific financial audit details and requests login confirmation

  ---

  Explanation

  Spear-phishing is a targeted form of phishing that uses personalized and context-rich information to increase credibility. CEH emphasizes that referencing specific internal projects, financial data, or organizational events significantly raises the success rate when attacking high-value targets such as executives. This tailored approach avoids suspicion and exploits trust more effectively than broad or generic phishing attempts.

• Question 274:

  jane, an ethical hacker. Is testing a target organization's web server and website to identity security loopholes. In this process, she copied the entire website and its content on a local drive to view the complete profile of the site's directory structure, file structure, external links, images, web pages, and so on. This information helps jane map the website's directories and gain valuable information. What is the attack technique employed by Jane in the above scenario?

  A. website mirroring
  B. Session hijacking
  C. Web cache poisoning
  D. Website defacement
  A. website mirroring

  ---

  Explanation

  A mirror site may be a website or set of files on a computer server that has been copied to a different computer server in order that the location or files are available from quite one place. A mirror site has its own URL, but is otherwise just like the principal site. Load-balancing devices allow high-volume sites to scale easily, dividing the work between multiple mirror sites.

  A mirror site is typically updated frequently to make sure it reflects the contents of the first site. In some cases, the first site may arrange for a mirror site at a bigger location with a better speed connection and, perhaps, a better proximity to an outsized audience.

  If the first site generates an excessive amount of traffic, a mirror site can ensure better availability of the web site or files. For websites that provide copies or updates of widely used software, a mirror site allows the location to handle larger demands and enables the downloaded files to arrive more quickly. Microsoft, Sun Microsystems and other companies have mirror sites from which their browser software are often downloaded.

  Mirror sites are wont to make site access faster when the first site could also be geographically distant from those accessing it. A mirrored web server is usually located on a special continent from the principal site, allowing users on the brink of the mirror site to urge faster and more reliable access.

  Mirroring an internet site also can be done to make sure that information are often made available to places where access could also be unreliable or censored. In 2013, when Chinese authorities blocked access to foreign media outlets just like the Wall Street Journal and Reuters, site mirroring was wont to restore access and circumvent government censorship.

• Question 275:

  You want to do an ICMP scan on a remote computer using hping2. What is the proper syntax?

  A. hping2 host.domain.com
  B. hping2 --set-ICMP host.domain.com
  C. hping2 -i host.domain.com
  D. hping2 -1 host.domain.com
  D. hping2 -1 host.domain.com

  ---

  Explanation

  http://www.carnal0wnage.com/papers/LSO-Hping2-Basics.pdf

  Most ping programs use ICMP echo requests and wait for echo replies to come back to test connectivity. Hping2 allows us to do the same testing using any IP packet, including ICMP, UDP, and TCP. This can be helpful since nowadays most firewalls or routers block ICMP. Hping2, by default, will use TCP, but, if you still want to send an ICMP scan, you can. We send ICMP scans using the -1 (one) mode. Basically the syntax will be hping2 -1 IPADDRESS

  [root@localhost hping2-rc3]# hping2 -1 192.168.0.100

  HPING 192.168.0.100 (eth0 192.168.0.100): icmp mode set, 28 headers + 0 data bytes

  len=46 ip=192.168.0.100 ttl=128 id=27118 icmp_seq=0 rtt=14.9 ms

  len=46 ip=192.168.0.100 ttl=128 id=27119 icmp_seq=1 rtt=0.5 ms

  len=46 ip=192.168.0.100 ttl=128 id=27120 icmp_seq=2 rtt=0.5 ms

  len=46 ip=192.168.0.100 ttl=128 id=27121 icmp_seq=3 rtt=1.5 ms

  len=46 ip=192.168.0.100 ttl=128 id=27122 icmp_seq=4 rtt=0.9 ms

  - 192.168.0.100 hping statistic -

  5 packets tramitted, 5 packets received, 0% packet loss

  round-trip min/avg/max = 0.5/3.7/14.9 ms

  [root@localhost hping2-rc3]#

• Question 276:

  A user on your Windows 2000 network has discovered that he can use L0phtCrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems.

  However, he is unable to capture any logons though he knows that other users are logging in.

  What do you think is the most likely reason behind this?

  A. There is a NIDS present on that segment.
  B. Kerberos is preventing it.
  C. Windows logons cannot be sniffed.
  D. L0phtCrack only sniffs logons to web servers.
  B. Kerberos is preventing it.

  ---

  Explanation

  Windows 2000 and newer systems use Kerberos as their default authentication protocol rather than NTLM or LM challenge/response over SMB. Kerberos is encrypted and does not rely on the older SMB logon exchange methods that L0phtCrack can sniff.

  From CEH v13 Courseware:

  Module 6: Malware and Password Attacks

  Module 4: Enumeration

  CEH v13 Study Guide states:

  "Kerberos is the default authentication protocol in Windows 2000 and newer systems. It encrypts communication and is not vulnerable to the same sniffing attacks that work against LM/NTLM challenge- response mechanisms."

  Incorrect Options:

  A: While a NIDS may detect traffic, it doesn't prevent sniffing.

  C: Logons can be sniffed in older systems using NTLM.

  D: L0phtCrack does not sniff web logons-it targets SMB and Windows logins.

  CEH v13 Study Guide - Module 6: Password Sniffing TechniquesMicrosoft TechNet - Overview of Kerberos Authentication

• Question 277:

  A zero-day vulnerability is actively exploited in a critical web server, but no vendor patch is available. What should be the FIRST step to manage this risk?

  A. Shut down the server
  B. Apply a virtual patch using a WAF
  C. Perform regular backups and prepare IR plans
  D. Monitor for suspicious activity
  B. Apply a virtual patch using a WAF

  ---

  Explanation

  According to CEH v13 Security Operations and Incident Response zero-day vulnerabilities , pose one of the highest operational risks because exploits exist before official remediation is available. When active exploitation is observed and no vendor patch exists, immediate compensating controls must be deployed.

  The first and most effective action is implementing virtual patching , typically through a Web Application Firewall (WAF) or Intrusion Prevention System (IPS). CEH v13 defines virtual patching as a security measure that blocks exploitation attempts at the network or application layer without modifying the vulnerable software. This approach allows organizations to maintain service availability while reducing exposure.

  Shutting down the server (Option A) may prevent exploitation but introduces unacceptable business disruption and is not recommended as a first response. Backups and incident response planning (Option C) are critical but do not actively prevent exploitation. Passive monitoring (Option D) allows attackers to continue exploiting the vulnerability unchecked.

  CEH v13 emphasizes that virtual patching is the preferred first response for zero-day threats , especially when systems are mission-critical. It provides immediate risk reduction while allowing time for vendor patch development and controlled deployment.

• Question 278:

  A critical flaw exists in a cloud provider's API. What is the most likely threat?

  A. Physical security breaches
  B. Unauthorized access to cloud resources
  C. DDoS attacks
  D. Compromise of encrypted data at rest
  B. Unauthorized access to cloud resources

  ---

  Explanation

  In CEH v13 Cloud Computing , APIs are identified as the primary control plane for managing cloud resources. A vulnerability in a cloud API can allow attackers to bypass authentication, escalate privileges, and manipulate resources.

  Unauthorized access may lead to:

  Data exposure

  Resource abuse

  Account takeover

  Lateral movement within the cloud environment Physical security (Option A) and encryption at rest (Option D) are unrelated to API flaws. DDoS attacks (Option C) are possible but not the primary risk of API vulnerabilities.

• Question 279:

  Which best describes the role of a penetration tester?

  A. Unauthorized malicious hacker
  B. Malware distributor
  C. Authorized security professional who exploits vulnerabilities
  D. Malicious code developer
  C. Authorized security professional who exploits vulnerabilities

  ---

  Explanation

  In CEH v13 Information Security and Ethical Hacking Overview , a penetration tester is defined as a trusted, authorized security professional hired to simulate real-world attacks in order to identify and exploit vulnerabilities with explicit permission .

  The primary objectives of a penetration tester are:

  Identify weaknesses in systems, networks, and applications

  Demonstrate real-world impact of vulnerabilities

  Help organizations improve their security posture

  Unlike malicious hackers (Option A) or malware authors (Options B and D), penetration testers operate under strict legal and ethical guidelines, following scopes of engagement and reporting findings responsibly.

  CEH v13 emphasizes that penetration testing is proactive defense, not crime. Therefore, Option C accurately defines the role.

• Question 280:

  During a black-box security assessment of a large enterprise network, the penetration tester scans the internal environment and identifies that TCP port 389 is open on a domain controller. Upon further investigation, the tester runs the ldapsearch utility without providing any authentication credentials and successfully retrieves a list of usernames, email addresses, and departmental affiliations from the LDAP directory. The tester notes that this sensitive information was disclosed without triggering any access control mechanisms or requiring login credentials. Based on this behavior, what type of LDAP access mechanism is most likely being exploited?

  A. LDAP over SSL (LDAPS)
  B. Authenticated LDAP with Kerberos
  C. Anonymous LDAP binding
  D. LDAP via RADIUS relay
  C. Anonymous LDAP binding

  ---

  Explanation

  CEH reconnaissance and enumeration modules explain that LDAP services often support anonymous binding by default unless explicitly disabled. Anonymous bind allows unauthenticated users to query certain directory attributes, which can lead to disclosure of usernames, organizational hierarchy, and email addresses-critical information for password attacks, phishing campaigns, and privilege escalation planning. In the scenario described, the tester obtained directory data without providing any credentials, demonstrating that anonymous bind permissions were enabled. LDAPS requires TLS encryption and authentication, which contradicts the observed access. Kerberos authentication mandates valid credentials. LDAP via RADIUS is used for authentication integration, not for information disclosure. Since the query was successful with no authentication and no access controls triggered, this aligns exactly with CEH's description of anonymous LDAP binding.