EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 281:

  A cyber adversary wants to enumerate firewall rules while minimizing noise and mimicking normal traffic behavior.

  Which reconnaissance technique enables mapping of firewall filtering behavior using TTL- manipulated packets?

  A. Sending ICMP Echo requests to the network's broadcast address
  B. Passive DNS monitoring to observe domain-to-IP relationships
  C. Conducting full SYN scans on all ports for each discovered IP
  D. Firewalking with manipulated TTL values to analyze ACL responses
  D. Firewalking with manipulated TTL values to analyze ACL responses

  ---

  Explanation

  Comprehensive Explanation from CEH v13 Courseware:

  CEH v13 describes Firewalking as a reconnaissance technique designed to determine which layer-4 protocols and ports a firewall allows. The attacker sends packets with carefully adjusted TTL values so that the packet expires just beyond the firewall. If the next hop generates ICMP Time Exceeded responses, the attacker can infer which ports the firewall permits. This method mimics normal TTL behavior, making it stealthier than full SYN scans or high-noise probing. Firewalking is expressly highlighted in CEH as a low-profile way to map firewall ACLs without triggering alarms. Broadcast pings are noisy and detectable, passive DNS monitoring does not reveal firewall rule sets, and full SYN scans are easily flagged by IDS systems. Firewalking's reliance on TTL behavior, combined with protocol-specific probes, makes it the correct and CEH-aligned technique for quietly discovering open ports and firewall filtering rules.

• Question 282:

  A penetration tester is evaluating a web application that does not properly validate the authenticity of HTTP requests. The tester suspects the application is vulnerable to Cross-Site Request Forgery (CSRF). Which approach should the tester use to exploit this vulnerability?

  A. Execute a directory traversal attack to access restricted server files
  B. Create a malicious website that sends a crafted request on behalf of the user when visited
  C. Perform a brute-force attack on the application's login page to guess weak credentials
  D. Inject a SQL query into the input fields to perform SQL injection
  B. Create a malicious website that sends a crafted request on behalf of the user when visited

  ---

  Explanation

  CSRF occurs when a vulnerable application processes unauthorized state-changing requests because it does not verify whether the request was intentionally initiated by the authenticated user. CEH v13 explains that exploitation involves tricking a logged-in user into unknowingly executing a crafted HTTP request-usually via a malicious webpage, hidden form submission, embedded image tag, or JavaScript trigger. When the victim visits the attacker-controlled page, the browser automatically includes the user's active session cookies, allowing the server to treat the forged request as legitimate. This technique is central to CSRF attacks and is highlighted in the CEH curriculum as the correct exploitation path. Directory traversal, SQL injection, and brute-force attacks target different vulnerabilities and do not exploit missing request authenticity validation. The key requirement for CSRF exploitation is user interaction via a malicious external resource, making option B the correct CEH-aligned method.

• Question 283:

  Which type of malware spreads from one system to another or from one network to another and causes similar types of damage as viruses do to the infected system?

  A. Rootkit
  B. Trojan
  C. Worm
  D. Adware
  C. Worm

  ---

  Explanation

  In CEH v13 Module 06: Malware Threats, a worm is described as a self-replicating piece of malware that spreads independently from one system to another without needing to attach itself to any file or program (unlike viruses).

  Key Characteristics of Worms:

  Capable of network propagation without human interaction.

  Often used in mass attacks (e.g., WannaCry, Conficker).

  Can cause significant damage by:

  Consuming bandwidth.

  Spreading payloads (e.g., ransomware).

  Modifying or deleting files.

  Option Clarification:

  A. Rootkit: Hides presence of malware or attacker activities.

  B. Trojan: Disguised as legitimate software; does not replicate.

  C. Worm: Correct - self-replicating and spreads automatically.

  D. Adware: Primarily shows ads; not typically destructive or self-replicating.

  Module 06 - Types of Malware # Worms CEH iLabs: Network Infection with Self-Spreading Worms

• Question 284:

  Suppose that you test an application for the SQL injection vulnerability. You know that the backend database is based on Microsoft SQL Server. In the login/password form, you enter the following credentials:

  Username: attack' or 1=1 --

  Password: 123456

  Based on the above credentials, which of the following SQL commands are you expecting to be executed by the server, if there is indeed an SQL injection vulnerability?

  A. select * from Users where UserName = 'attack'' or 1=1 -- and UserPassword = '123456'
  B. select * from Users where UserName = 'attack' or 1=1 -- and UserPassword = '123456'
  C. select * from Users where UserName = 'attack or 1=1 -- and UserPassword = '123456'
  D. select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'
  B. select * from Users where UserName = 'attack' or 1=1 -- and UserPassword = '123456'

  ---

  Explanation

  In CEH v13 Module 10: Injection Attacks, the SQL Injection technique is covered extensively. A common attack method is to manipulate the input fields so that the resulting SQL query becomes logically always true, effectively bypassing authentication.

  Given the input:

  Username: attack' or 1=1 --

  Password: 123456

  And assuming the original SQL query is:

  SELECT * FROM Users WHERE UserName = '' AND UserPassword = '';

  When inputs are substituted, the query becomes:

  SELECT * FROM Users WHERE UserName = 'attack' or 1=1 --' AND UserPassword = '123456';

  The -- sequence is used in SQL to indicate a comment. Everything after -- is ignored by the SQL engine. So the query essentially becomes:CopyEdit

  SELECT * FROM Users WHERE UserName = 'attack' or 1=1;

  This query is always true due to 1=1, and if the application is vulnerable, it grants access regardless of the password.

  Option Analysis:

  A. Incorrect - Contains '' (double quote) after attack, which would cause a syntax error due to extra quotation marks.

  B. Correct - This is the accurate representation of what the SQL query would look like with a successful injection.

  C. Incorrect - The input string is malformed, combining input into one literal string.

  D. Incorrect - Misplacement of ' after the comment token -- invalidates the SQL syntax.

  Reference from CEH v13 Study Materials:

  Module 10 Injection Attacks, Section: SQL Injection - Authentication Bypass

  CEH v13 eCourseware Practical Lab: Exploiting SQL Injection Vulnerability in Login Forms

  CEH Engage - Web Application Testing Phase: SQLi Exploitation in Login Panels

• Question 285:

  Which of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS?

  A. Produces less false positives
  B. Can identify unknown attacks
  C. Requires vendor updates for a new threat
  D. Cannot deal with encrypted network traffic
  B. Can identify unknown attacks

  ---

  Explanation

  An anomaly-based intrusion detection system is an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.

  In order to positively identify attack traffic, the system must be taught to recognize normal system activity. The two phases of a majority of anomaly detection systems consist of the training phase (where a profile of normal behaviors is built) and the testing phase (where current traffic is compared with the profile created in the training phase). Anomalies are detected in several ways, most often with artificial intelligence type techniques. Systems using artificial neural networks have been used to great effect.

  Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection.[3] Other techniques used to detect anomalies include data mining methods, grammar-based methods, and the Artificial Immune System.

  Network-based anomalous intrusion detection systems often provide a second line of defense to detect anomalous traffic at the physical and network layers after it has passed through a firewall or other security appliance on the border of a network. Host-based anomalous intrusion detection systems are one of the last layers of defense and reside on computer endpoints. They allow for fine-tuned, granular protection of endpoints at the application level.

  Anomaly-based Intrusion Detection at both the network and host levels have a few shortcomings; namely a high false-positive rate and the ability to be fooled by a correctly delivered attack. Attempts have been made to address these issues through techniques used by PAYL and MCPAD.

• Question 286:

  Which type of attack attempts to overflow the content-addressable memory (CAM) table in an Ethernet switch?

  A. Evil twin attack
  B. DNS cache flooding
  C. MAC flooding
  D. DDoS attack
  C. MAC flooding

  ---

  Explanation

  MAC flooding is a Layer 2 attack in which an attacker sends a large number of fake MAC addresses to a switch, filling up its CAM (Content Addressable Memory) table. Once the table is full:

  The switch enters "fail-open" mode and broadcasts traffic to all ports

  The attacker can then sniff sensitive traffic

  This attack effectively turns a switch into a hub, facilitating data sniffing.

  Incorrect Options:

  A. Evil twin is a wireless attack using rogue access points.

  B. DNS cache flooding corrupts DNS entries, unrelated to Ethernet.

  D. DDoS attacks are about overwhelming systems/services, not Layer 2 memory overflows.

  CEH v13 Official Courseware:

  Module 11: Sniffing

  Section: "Switch Port Stealing and MAC Flooding"

  Subsection: "Layer 2 Attacks and CAM Table Poisoning"

• Question 287:

  Study the snort rule given below:

  

  From the options below, choose the exploit against which this rule applies.

  [Image shows two Snort rules with alert messages for NETBIOS DCERPC ISystemActivator bind attempt, targeting TCP ports 135 and 445. References include CVE: CAN-2003-0352.]

  A. WebDav
  B. SQL Slammer
  C. MS Blaster
  D. MyDoom
  C. MS Blaster

  ---

  Explanation

  The Snort rule in the image is detecting suspicious bind attempts over DCERPC (Distributed Computing Environment/Remote Procedure Call), specifically targeting ports 135 (RPC) and 445 (SMB) with crafted content. The rule references CVE CAN-2003-0352.

  CVE-2003-0352 is associated with the DCOM RPC vulnerability in Microsoft Windows that was exploited by the MS Blaster (also known as Lovsan) worm in 2003.

  Key Indicators from the Snort Rule:

  alert tcp $EXTERNAL_NET any -> $HOME_NET 135

  content includes DCERPC binding pattern (|05| and |0b| with specific binary patterns)

  Reference to CVE-2003-0352

  Class type: attempted-admin

  The MS Blaster worm exploited this vulnerability by sending a specially crafted RPC request to port 135, allowing remote code execution.

  From CEH v13 Courseware:

  Module 6: Malware Threats

  Module 11: Session Hijacking Discussion of historic worms and their exploit signatures, including MS Blaster.

  Incorrect Options:

  A. WebDav: Typically uses HTTP/HTTPS and was exploited by Nimda.

  B. SQL Slammer: Targeted UDP port 1434 (SQL Server), not TCP 135/445.

  D. MyDoom: Spread via email and exploited Windows file-sharing mechanisms (port 3127), not DCERPC.

  CEH v13 Study Guide - Module 6: Malware Threats # Classic Worm AttacksCVE Details:

  https://cve.mitre.org/cgi-bin/cvename.cgi?nameCVE-2003-0352Microsoft Security Bulletin MS03-026 - RPC Vulnerability

• Question 288:

  A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application.

  What kind of Web application vulnerability likely exists in their software?

  A. Cross-site scripting vulnerability
  B. SQL injection vulnerability
  C. Web site defacement vulnerability
  D. Gross-site Request Forgery vulnerability
  A. Cross-site scripting vulnerability

  ---

  Explanation

  There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS flaws: non-persistent and persistent. In this issue, we consider the non-persistent cross-site scripting vulnerability.

  The non-persistent (or reflected) cross-site scripting vulnerability is by far the most basic type of web vulnerability. These holes show up when the data provided by a web client, most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the content.

  Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection. A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross- site scripting flaw will ensue.

• Question 289:

  Sarah, a system administrator, was alerted of potential malicious activity on the network of her company. She discovered a malicious program spread through the instant messenger application used by her team. The attacker had obtained access to one of her teammate's messenger accounts and started sending files across the contact list.

  Which best describes the attack scenario and what measure could have prevented it?

  A. Instant Messenger Applications; verifying the sender's identity before opening any files
  B. Insecure Patch Management; updating application software regularly
  C. Rogue/Decoy Applications; ensuring software is labeled as TRUSTED
  D. Portable Hardware Media/Removable Devices; disabling Autorun functionality
  A. Instant Messenger Applications; verifying the sender's identity before opening any files

  ---

  Explanation

  The attack scenario is best described as Instant Messenger Applications, and the measure that could have prevented it is verifying the sender's identity before opening any files. Instant Messenger Applications are communication tools that allow users to exchange text, voice, video, and file messages in real time. However, they can also be used as attack vectors for spreading malware, such as viruses, worms, or Trojans, by exploiting the trust and familiarity between the users. In this scenario, the attacker compromised one of the team member's messenger account and used it to send malicious files to the other team members, who may have opened them without suspicion, thus infecting their systems. This type of attack is also known as an instant messaging worm.

  To prevent this type of attack, the users should verify the sender's identity before opening any files sent through instant messenger applications. This can be done by checking the sender's profile, asking for confirmation, or using a secure channel. Additionally, the users should also follow other security tips, such as using strong passwords, updating the application software, scanning the files with antivirus software, and reporting any suspicious activity.

  References:

  1: Instant Messaging Worm - Techopedia

  2: Cybersecurity's Silent Foe: A Comprehensive Guide to Computer Worms | Silent Quadrant

  3: Instant Messenger Hacks: 10 Security Tips to Protect Yourself - MUO

  4: Increased phishing attacks on instant messaging platforms: how to prevent them | Think Digital Partners

• Question 290:

  Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is:

  S-1-5-21-1223352397-1872883824-861252104-501

  What needs to happen before Matthew has full administrator access?

  A. He must perform privilege escalation.
  B. He needs to disable antivirus protection.
  C. He needs to gain physical access.
  D. He already has admin privileges, as shown by the "501" at the end of the SID.
  A. He must perform privilege escalation.

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  In Windows SID structure:

  RID 500 Default Administrator

  RID 501 Guest Account

  Therefore, "-501" at the end indicates Matthew is operating as the Guest user, which has very limited privileges. To gain full administrative control, he must escalate his privileges.

  From CEH v13 Courseware:

  Module 6: System Hacking # Privilege Escalation Techniques

  Microsoft Documentation - Security Identifiers (SIDs) and Well-Known RIDsCEH v13 Study Guide - Module 6: Windows User Privileges