EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 301:

  Sam, a web developer, was instructed to incorporate a hybrid encryption software program into a web application to secure email messages. Sam used an encryption software, which is a free implementation of the OpenPGP standard that uses both symmetric-key cryptography and asymmetric-key cryptography for improved speed and secure key exchange. What is the encryption software employed by Sam for securing the email messages?

  A. PGP
  B. S/MIME
  C. SMTP
  D. GPG
  D. GPG

  ---

  Explanation

  The scenario describes a hybrid encryption solution based on the OpenPGP standard that uses both symmetric and asymmetric encryption. The key phrase in the question is "a free implementation of the OpenPGP standard," which directly refers to GPG.

  GPG (GNU Privacy Guard) is a free, open-source implementation of the OpenPGP standard.

  It combines symmetric encryption for data encryption (fast and efficient) and asymmetric encryption for secure key exchange (using public/private key pairs).

  GPG is widely used to secure emails, files, and messages, often in conjunction with tools like Thunderbird or command-line utilities.

  Incorrect Options:

  A. PGP (Pretty Good Privacy) is the original proprietary implementation of OpenPGP, not free/open-source by default.

  B. S/MIME (Secure/Multipurpose Internet Mail Extensions) is another email encryption standard but does not implement OpenPGP.

  C. SMTP (Simple Mail Transfer Protocol) is a mail transport protocol, not an encryption method.

  CEH v13 Official Courseware:

  Module 20: Cryptography

  Section: "Hybrid Encryption and Email Encryption Tools"

  Subsection: "GPG and OpenPGP-Based Encryption"

• Question 302:

  Bob, a network administrator at BigUniversity, realized that some students are connecting their notebooks in the wired network to have Internet access. In the university campus, there are many Ethernet ports available for professors and authorized visitors but not for students.

  He identified this when the IDS alerted for malware activities in the network. What should Bob do to avoid this problem?

  A. Disable unused ports in the switches
  B. Separate students in a different VLAN
  C. Use the 802.1x protocol
  D. Ask students to use the wireless network
  C. Use the 802.1x protocol

  ---

  Explanation

  The best security practice in this scenario is to implement IEEE 802.1X. This is a port-based Network Access Control (NAC) protocol that provides authentication for devices before they are allowed to transmit traffic on the network. It ensures that only authorized users/devices can access the network through physical (wired) or wireless connections.

  CEH v13 Official Courseware states:

  "802.1X provides a framework for authenticating and authorizing devices attached to a LAN port, enforcing port-based network access control. It helps prevent unauthorized users from connecting to an internal network, particularly in environments where physical access to network jacks cannot be fully controlled."

  Incorrect Options:

  A. Disabling unused ports is a good practice, but students may still use open ports intended for authorized personnel. It does not scale or provide identity-based access control.

  B. Separating users in VLANs helps in segmentation, but it does not prevent unauthorized physical access to ports.

  D. Asking students to use wireless is administrative, not a technical enforcement measure.

  CEH v13 Guide:

  Module 04: Enumeration

  Topic: Network Access Control (802.1X) and Switch Port Security

• Question 303:

  During a black-box internal penetration test, a security analyst identifies an SNMPv2-enabled Linux server using the default community string "public." The analyst wants to enumerate running processes. Which Nmap command retrieves this information?

  A. nmap -sU -p 161 --script snmp-sysdescr
  B. nmap -sU -p 161 --script snmp-win32-services
  C. nmap -sU -p 161 --script snmp-processes
  D. nmap -sU -p 161 --script snmp-interfaces
  C. nmap -sU -p 161 --script snmp-processes

  ---

  Explanation

  CEH v13 highlights that SNMPv1/v2 environments configured with default community strings such as "public" or "private" present significant security risks because they allow unauthorized users to query system information. SNMP enumeration can reveal processes, interfaces, routing tables, users, device configurations, and more. The snmp-processes Nmap NSE script is specifically designed to enumerate running processes on an SNMP-enabled host. It queries the Host Resources MIB (HR-MIB), which stores operational information about system processes, CPU usage, and memory consumption. This information provides attackers with insights into what services may be exploitable or misconfigured. CEH stresses that SNMPv2 is particularly vulnerable due to lack of encryption and authentication hardening. By enumerating processes, penetration testers can identify potential privilege escalation paths, outdated services, or rogue applications that may aid lateral movement. Other scripts such as snmp- sysdescr or snmp-interfaces retrieve system description or interface data but do not enumerate processes.

• Question 304:

  A cybersecurity analyst in an organization is using the Common Vulnerability Scoring System to assess and prioritize identified vulnerabilities in their IT infrastructure. They encountered a vulnerability with a base metric score of 7, a temporal metric score of 8, and an environmental metric score of 5. Which statement best describes this scenario?

  A. The vulnerability has a medium severity with a high likelihood of exploitability over time and a considerable impact in their specific environment
  B. The vulnerability has a medium severity with a diminishing likelihood of exploitability over time, but a significant impact in their specific environment
  C. The vulnerability has an overall high severity with a diminishing likelihood of exploitability over time, but it is less impactful in their specific environment
  D. The vulnerability has an overall high severity, the likelihood of exploitability is increasing over time, and it has a medium impact in their specific environment
  D. The vulnerability has an overall high severity, the likelihood of exploitability is increasing over time, and it has a medium impact in their specific environment

  ---

  Explanation

  The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity for a vulnerability. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A vector string represents the values of all the metrics as a block of text1

  The Base metrics measure the intrinsic characteristics of a vulnerability, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability. The Base score reflects the severity of a vulnerability assuming that there is no temporal information or context available1

  The Temporal metrics measure the characteristics of a vulnerability that change over time, such as the exploit code maturity, the remediation level, and the report confidence. The Temporal score reflects the current state of a vulnerability and its likelihood of being exploited1

  The Environmental metrics measure the characteristics of a vulnerability that depend on a specific implementation or environment, such as the security requirements, the modified base metrics, and the collateral damage potential. The Environmental score reflects the impact of a vulnerability on a particular organization or system1

  In this scenario, the vulnerability has a Base score of 7, a Temporal score of 8, and an Environmental score of 5. This means that:

  The vulnerability has a high severity based on its intrinsic characteristics, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability. A Base score of 7 corresponds to a high severity rating according to the CVSS v3.0 specification1

  The vulnerability has an increasing likelihood of exploitability over time based on its current state, such as the exploit code maturity, the remediation level, and the report confidence. A Temporal score of 8 is higher than the Base score of 7, which indicates that the vulnerability is more likely to be exploited as time passes1

  The vulnerability has a medium impact on the specific environment or implementation based on the security requirements, the modified base metrics, and the collateral damage potential. An Environmental score of 5 is lower than the Base score of 7, which indicates that the vulnerability is less impactful in the particular context of the organization or system1

  Therefore, the statement that best describes this scenario is: The vulnerability has an overall high severity, the likelihood of exploitability is increasing over time, and it has a medium impact in their specific environment.

  References:

  NVD - Vulnerability Metrics

• Question 305:

  Under what conditions does a secondary name server request a zone transfer from a primary name server?

  A. When a primary SOA is higher than a secondary SOA
  B. When a secondary SOA is higher than a primary SOA
  C. When a primary name server has had its service restarted
  D. When a secondary name server has had its service restarted
  E. When the TTL falls to zero
  A. When a primary SOA is higher than a secondary SOA

  ---

  Explanation

  DNS zone transfers occur when a secondary name server (slave) checks the Start of Authority (SOA) record from the primary server. The serial number in the SOA indicates the version of the zone file.

  If:

  Primary SOA serial > Secondary SOA serial

  # Zone transfer is initiated by the secondary server to update its data.

  From CEH v13:

  Module 3: DNS Enumeration

  Topic: Zone Transfers and SOA Logic

  CEH v13 Study Guide states:

  "A secondary name server periodically queries the primary name server for changes. If the serial number in the SOA record is higher on the primary, it indicates a zone update, and a zone transfer is triggered."

  Incorrect Options:

  B: Reversed condition

  C/D: Restarting services doesn't necessarily trigger a transfer

  E: TTL expiration affects caching, not zone transfer logic Reference:CEH v13 Study Guide - Module 3: DNS Zone TransfersRFC 1035 - DNS Protocol, SOA Serial Logic

• Question 306:

  A penetration tester finds malware that spreads across a network without user interaction, replicating itself from one machine to another. What type of malware is this?

  A. Keylogger
  B. Ransomware
  C. Virus
  D. Worm
  D. Worm

  ---

  Explanation

  Comprehensive Explanation from CEH v13 Courseware:

  CEH v13 describes worms as standalone malicious programs capable of self-replication without requiring user assistance. Unlike viruses, which need a host file and are triggered typically by user actions, worms propagate autonomously by scanning networks, exploiting vulnerabilities, or copying themselves to accessible machines. Worms are known for causing rapid, widespread damage by consuming bandwidth, degrading system performance, and creating backdoors for attackers. Classic examples such as Conficker, WannaCry, and SQL Slammer reinforce the destructive potential of automated propagation. CEH stresses that worms often use network shares, open ports, or unpatched vulnerabilities to move laterally. In contrast, keyloggers harvest keystrokes, ransomware encrypts data and demands payment, and viruses require user involvement to spread. The behavior in the scenario-automatic replication across the network-is the defining characteristic of worm activity according to CEH's malware taxonomy.

• Question 307:

  Infected systems receive external instructions over HTTP and DNS, with fileless payloads modifying system components. What is the most effective action to detect and disrupt this malware?

  A. Update antivirus signatures regularly
  B. Allow only encrypted traffic via proxies
  C. Block common malware ports
  D. Use behavioral analytics to monitor abnormal outbound behavior
  D. Use behavioral analytics to monitor abnormal outbound behavior

  ---

  Explanation

  This scenario describes fileless malware using covert command-and-control (C2) channels over commonly allowed protocols such as HTTP and DNS , a technique heavily emphasized in CEH v13 Malware Threats . Such malware avoids writing files to disk and instead leverages memory, legitimate system tools, and trusted protocols to evade traditional defenses.

  Signature-based antivirus updates (Option A) are ineffective against fileless malware because there are no static artifacts to match. Blocking known malware ports (Option C) is also ineffective, as the malware intentionally uses ports 80 and 53 , which must remain open for normal business operations. Restricting plain HTTP (Option B) may reduce visibility but does not stop DNS tunneling or encrypted malicious traffic.

  CEH v13 identifies behavioral analytics as the most effective countermeasure against advanced malware. Behavioral solutions establish a baseline of normal system and network activity, then detect anomalies such as:

  Unusual outbound DNS query patterns

  Abnormal HTTP beaconing intervals

  Legitimate applications behaving suspiciously

  PowerShell or system tools generating network traffic unexpectedly

  By monitoring how systems behave rather than what files exist , behavioral analytics can identify stealthy C2 communications and disrupt them early. Therefore, Option D is the most effective and CEH-aligned response.

• Question 308:

  Take a look at the following attack on a Web Server using an obfuscated URL:

  

  How would you protect from these attacks?

  A. Configure the Web Server to deny requests involving "hex encoded" characters
  B. Create rules in IDS to alert on strange Unicode requests
  C. Use SSL authentication on Web Servers
  D. Enable Active Scripts Detection at the firewall and routers
  A. Configure the Web Server to deny requests involving "hex encoded" characters

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  The attack shown is a Directory Traversal Attack. It uses URL encoding (hexadecimal obfuscation) to bypass input filters and access unauthorized files such as /etc/passwd.

  %2e = . (dot)

  %2f = / (forward slash)

  So, ../../../etc/passwd becomes %2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73% 77%64

  The best protection against this attack is to:

  Normalize and sanitize user input on the server.

  Deny directory traversal patterns, whether encoded or not.

  Specifically reject or deny hex-encoded path characters (%2e, %2f, etc.)

  Option A directly mitigates this by preventing the server from decoding and processing hex-encoded directory traversal attempts.

  From CEH v13 Courseware:

  Module 10: Web Application Hacking

  Topic: Directory Traversal and Input Validation

  Incorrect Options:

  B: IDS can alert, but it's reactive rather than preventative.

  C: SSL encrypts communication but does not prevent path traversal.

  D: Active script detection is unrelated to path traversal attacks.

  CEH v13 Study Guide - Module 10: Directory Traversal MitigationOWASP Top 10 - A5:2017 - Broken Access Control (Directory Traversal)RFC 3986 - URI Syntax and Encoding

• Question 309:

  In a large organization, a network security analyst discovered a series of packet captures that seem unusual.

  The network operates on a switched Ethernet environment. The security team suspects that an attacker might be using a sniffer tool. Which technique could the attacker be using to successfully carry out this attack, considering the switched nature of the network?

  A. The attacker might be compromising physical security to plug into the network directly
  B. The attacker might be implementing MAC flooding to overwhelm the switch's memory
  C. The attacker is probably using a Trojan horse with in-built sniffing capability
  D. The attacker might be using passive sniffing, as it provides significant stealth advantages
  B. The attacker might be implementing MAC flooding to overwhelm the switch's memory

  ---

  Explanation

  A sniffer tool is a software or hardware device that can capture and analyze network traffic. In a switched Ethernet environment, where each port on a switch is connected to a single device, a sniffer tool can only see the traffic that is destined for or originated from the device it is attached to. However, an attacker can use various techniques to overcome this limitation and sniff the traffic of other devices on the same network. One of these techniques is MAC flooding, which exploits the finite memory of the switch's MAC address table. The attacker sends a large number of frames with different source MAC addresses to the switch, which fills up the MAC address table and causes the switch to enter a fail-open mode, where it broadcasts all incoming frames to all ports, regardless of the destination MAC address. This way, the attacker can see all the traffic on the network and capture it with a sniffer tool.

  The other options are less likely or less effective techniques for sniffing a switched Ethernet network. Compromising physical security to plug into the network directly may allow the attacker to sniff the traffic of the device they are connected to, but not the traffic of other devices on the network. Using a Trojan horse with in-built sniffing capability may allow the attacker to sniff the traffic of the infected device, but not the traffic of other devices on the network, unless the Trojan horse also performs MAC flooding or other techniques to bypass the switch. Using passive sniffing, which involves listening to the network traffic without sending any packets, may provide significant stealth advantages, but it does not help the attacker to see the traffic of other devices on the network, unless the switch is already in fail-open mode or the attacker uses other techniques to induce it.

  References:

  Sniffing: A Beginners Guide In 4 Important Points How can I run a packet sniffer on a Router or Switch Detection of Sniffers in an Ethernet Network

• Question 310:

  What is a NULL scan?

  A. A scan in which all flags are turned off
  B. A scan in which certain flags are off
  C. A scan in which all flags are on
  D. A scan in which the packet size is set to zero
  E. A scan with an illegal packet size
  A. A scan in which all flags are turned off

  ---

  Explanation

  A NULL scan is a type of TCP scan where no TCP flags are set in the packet. This unconventional packet is used to evade firewalls and intrusion detection systems and to determine the state of a port based on the response.

  Behavior:

  Open port # No response

  Closed port # RST (Reset)

  From CEH v13 Courseware:

  Module 3: Scanning Networks

  Topic: TCP Flag Scanning Methods

  CEH v13 Study Guide states:

  "A NULL scan sends a TCP packet with all flags turned off. The system's response (or lack thereof) allows the attacker to infer whether a port is open or closed, especially on UNIX-based systems."

  Incorrect Options:

  B: Vague and inaccurate

  C: Refers to Xmas scan (URG, PSH, FIN)

  D/E: Irrelevant to TCP flags

  CEH v13 Study Guide - Module 3: Scanning Networks # TCP NULL ScansRFC 793 - TCP Protocol Behavior