EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 321:

  A penetration tester gains access to a target system through a vulnerability in a third-party software application. What is the most effective next step to take to gain full control over the system?

  A. Conduct a denial-of-service (DoS) attack to disrupt the system's services
  B. Execute a Cross-Site Request Forgery (CSRF) attack to steal session data
  C. Perform a brute-force attack on the system's root password
  D. Use a privilege escalation exploit to gain administrative privileges on the system
  D. Use a privilege escalation exploit to gain administrative privileges on the system

  ---

  Explanation

  According to the CEH attack methodology, once an attacker obtains initial access-whether through exploitation, misconfiguration, or credential compromise-the next critical phase is privilege escalation. Gaining system-level or administrative control is essential for maintaining persistence, accessing protected data, modifying system configurations, and pivoting further into the network. Privilege escalation exploits target kernel flaws, misconfigured services, improper permission settings, or vulnerable drivers.

  CEH emphasizes that performing a DoS attack disrupts the engagement and provides no strategic advantage. Similarly, CSRF targets web applications rather than operating systems, and brute-force password attempts are inefficient, noisy, and often ineffective once local access has already been established. By leveraging privilege escalation techniques, the tester converts limited user access into full system control, enabling comprehensive post-exploitation activities aligned with CEH system hacking procedures.

• Question 322:

  You have successfully logged on to a Linux system. You want to now cover your tracks. Your login attempt may be logged in several files located in /var/log. Which file does NOT belong to this list?

  A. user.log
  B. auth.fesg
  C. wtmp
  D. btmp
  B. auth.fesg

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  The correct file name is /var/log/auth.log (not auth.fesg). "auth.fesg" is a typo or does not exist by default in Linux systems.

  Linux login records include:

  /var/log/auth.log - authentication logs

  /var/log/wtmp - records login sessions

  /var/log/btmp - records failed logins

  /var/log/user.log - logs user-level messages (optional)

  Therefore, B is not a valid log file.

  From CEH v13 Courseware:

  Module 6: System Hacking # Covering Tracks in Linux

  Linux Man Pages - wtmp, btmp, auth.log

• Question 323:

  A penetration tester is assessing a company's executive team for vulnerability to sophisticated social engineering attacks by impersonating a trusted vendor and leveraging internal communications. What is the most effective social engineering technique to obtain sensitive executive credentials without being detected?

  A. Develop a fake social media profile to connect with executives and request private information
  B. Conduct a phone call posing as the CEO to request immediate password changes
  C. Create a targeted spear-phishing email that references recent internal projects and requests credential verification
  D. Send a mass phishing email with a malicious link disguised as a company-wide update
  C. Create a targeted spear-phishing email that references recent internal projects and requests credential verification

  ---

  Explanation

  CEH categorizes spear phishing as a highly targeted, research-driven social engineering technique that tailors the message to the victim's role, responsibilities, and current organizational activities. When attackers reference specific internal projects, personnel names, vendor relationships, or operational details, the message appears authentic and bypasses normal suspicion. Executives are especially vulnerable because they routinely receive sensitive operational updates and work closely with vendors and partners, making them prime targets for tailored deception. CEH stresses that spear phishing is significantly more effective than generic phishing because personalization increases trust. Social media-based attempts and mass phishing lack specificity and raise suspicion. Impersonating the CEO over the phone is riskier and more detectable due to real-time human interaction. A targeted spear-phishing email referencing internal projects best aligns with CEH-described advanced social engineering strategy.

• Question 324:

  in an attempt to increase the security of your network, you Implement a solution that will help keep your wireless network undiscoverable and accessible only to those that know It. How do you accomplish this?

  A. Delete the wireless network
  B. Remove all passwords
  C. Lock all users
  D. Disable SSID broadcasting
  D. Disable SSID broadcasting

  ---

  Explanation

  The SSID (service set identifier) is the name of your wireless network. SSID broadcast is how your router transmits this name to surrounding devices. Its primary function is to make your network visible and easily accessible. Most routers broadcast their SSIDs automatically. To disable or enable SSID broadcast, you need to change your router's settings.

  Disabling SSID broadcast will make your Wi-FI network name invisible to other users. However, this only hides the name, not the network itself. You cannot disguise the router's activity, so hackers can still attack it.

  With your network invisible to wireless devices, connecting becomes a bit more complicated. Just giving a Wi-FI password to your guests is no longer enough. They have to configure their settings manually by including the network name, security mode, and other relevant info.

  Disabling SSID might be a small step towards online security, but by no means should it be your final one. Before considering it as a security measure, consider the following aspects:

  - Disabling SSID broadcast will not hide your network completely

  Disabling SSID broadcast only hides the network name, not the fact that it exists. Your router constantly transmits so-called beacon frames to announce the presence of a wireless network. They contain essential information about the network and help the device connect.

  - Third-party software can easily trace a hidden network

  Programs such as NetStumbler or Kismet can easily locate hidden networks. You can try using them yourself to see how easy it is to find available networks - hidden or not.

  - You might attract unwanted attention.

  Disabling your SSID broadcast could also raise suspicion. Most of us assume that when somebody hides something, they have a reason to do so. Thus, some hackers might be attracted to your network.

• Question 325:

  Tony is a penetration tester tasked with performing a penetration test. After gaining initial access to a target system, he finds a list of hashed passwords.

  Which of the following tools would not be useful for cracking the hashed passwords?

  A. John the Ripper
  B. Hashcat
  C. netcat
  D. THC-Hydra
  C. netcat

  ---

  Explanation

  In CEH v13 Module 05: System Hacking, once an attacker gains access to hashed passwords, cracking tools are employed to reverse or brute-force them.

  Tool Breakdown:

  John the Ripper: A powerful password cracking tool that supports many hash formats.

  Hashcat: GPU-based, extremely fast password hash cracking tool.

  THC-Hydra: Used for online attacks (e.g., SSH, FTP brute force).

  Netcat: Not a password cracking tool - it's a network utility used for:

  Remote shell connections

  Banner grabbing

  File transfers

  Port scanning

  Therefore:

  C. Netcat is the correct answer - it is not used for password cracking.

  Module 05 Password Cracking Techniques and Tools

  CEH Labs: Using Hashcat and John the Ripper on Extracted Hashes

• Question 326:

  In the context of password security, a simple dictionary attack involves loading a dictionary file into a cracking application such as L0phtCrack or John the Ripper. The brute force method is slow but exhaustive. If you use both brute force and dictionary methods combined to vary words, what would you call such an attack?

  A. Full Blown
  B. Thorough
  C. Hybrid
  D. BruteDics
  C. Hybrid

  ---

  Explanation

  A hybrid attack combines the benefits of both dictionary and brute-force attacks. It takes words from a dictionary and applies modifications such as:

  Appending or prepending numbers or symbols

  Changing case (e.g., admin # Admin1!)

  Leetspeak substitutions (e.g., p@ssw0rd)

  From CEH v13 Official Courseware:

  Module 6: Malware Threats

  Topic: Password Cracking Methods

  CEH v13 Study Guide states:

  "A hybrid attack is a combination of dictionary and brute-force techniques. It takes dictionary words and mutates them to cover common variations, making it more effective than pure dictionary attacks."

  Incorrect Options:

  A/B/D: These are not standard terminology in cryptographic or password auditing literature.

  CEH v13 Study Guide Module 6: Hybrid Attack TechniquesOWASP Password Attack Cheat Sheet

• Question 327:

  During a red team engagement, an ethical hacker is tasked with testing the security measures of an organization's wireless network. The hacker needs to select an appropriate tool to carry out a session hijacking attack. Which of the following tools should the hacker use to effectively perform session hijacking and subsequent security analysis, given that the target wireless network has the Wi-Fi Protected Access-preshared key (WPA-PSK) security protocol in place?

  A. FaceNiff
  B. Hetty
  C. Droidsheep
  D. bettercap
  D. bettercap

  ---

  Explanation

  bettercap is a tool that can perform session hijacking attacks on wireless networks, among other network security and penetration testing tasks. bettercap can capture and manipulate network traffic, perform man-in- the-middle attacks, spoof and sniff protocols, inject custom payloads, and more.

  bettercap can perform session hijacking attacks on wireless networks that use the WPA-PSK security protocol by exploiting the four-way handshake process that occurs when a client connects to a wireless access point. The four-way handshake is used to establish a shared encryption key between the client and the access point, based on the pre-shared key (PSK) that is configured on both devices. However, the four-way handshake also exposes some information that can be used to crack the PSK offline, such as the nonce values, the MAC addresses, and the message integrity code (MIC) of the packets.

  bettercap can capture the four-way handshake packets using its Wi-Fi module and save them in a file. The file can then be fed to a tool like Hashcat or Aircrack-ng to crack the PSK using brute force or dictionary attacks. Once the PSK is obtained, bettercap can use it to decrypt the wireless traffic and perform session hijacking attacks on the clients connected to the access point.

  Therefore, bettercap is an appropriate tool to carry out a session hijacking attack on a wireless network that uses the WPA-PSK security protocol.

  References:

  bettercap: the Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks

  How the WPA2 Enterprise Wireless Security Protocol Works

  Cracking WPA/WPA2 Passwords with Bettercap and Hashcat

• Question 328:

  Which of the following statements is TRUE?

  A. Packet Sniffers operate on the Layer 1 of the OSI model.
  B. Packet Sniffers operate on Layer 2 of the OSI model.
  C. Packet Sniffers operate on both Layer 2 and Layer 3 of the OSI model.
  D. Packet Sniffers operate on Layer 3 of the OSI model.
  C. Packet Sniffers operate on both Layer 2 and Layer 3 of the OSI model.

  ---

  Explanation

  According to CEH v13 Module 04: Enumeration and Module 08: Sniffing, packet sniffers such as Wireshark, tcpdump, and EtherApe are designed to capture and analyze network traffic at the data link (Layer 2) and network (Layer 3) layers of the OSI model.

  At Layer 2 (Data Link), sniffers capture Ethernet frames, including MAC addresses and frame type.

  At Layer 3 (Network), sniffers interpret IP headers, IP addresses, and transport layer protocols (TCP, UDP).

  They do not operate at Layer 1 (Physical) as they do not deal with raw electrical signals.

  Packet sniffers also do not manipulate traffic but passively monitor and capture packets that traverse the network.

  Therefore, the correct statement is:

  Packet Sniffers operate on both Layer 2 and Layer 3 of the OSI model.

  Option Analysis:

  A. Layer 1: # Incorrect. Layer 1 is the physical layer (electrical, optical signals).

  B. Layer 2: # Partially correct but incomplete.

  C. Both Layer 2 and Layer 3: Correct. Full coverage of packet sniffing capabilities.

  D. Layer 3: # Partially correct but incomplete.

  Reference from CEH v13 Courseware:

  Module 08 Sniffing, Section: How Packet Sniffers Work

  CEH iLabs: Capturing Ethernet Frames and IP Packets Using Wireshark

  OSI Model Mapping in CEH Official eBook

• Question 329:

  Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients. You are requested to accept the offer and you oblige. After 2 days, Bob denies that he had ever sent a mail. What do you want to "know" to prove yourself that it was Bob who had sent the mail?

  A. Authentication
  B. Confidentiality
  C. Integrity
  D. Non-Repudiation
  D. Non-Repudiation

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Non-repudiation ensures that a sender cannot deny having sent a message. This is typically achieved through digital signatures or logs which verify the origin and integrity of communications.

  From CEH v13 Courseware:

  Module 10: Cryptography # Security Services

  "Non-repudiation prevents entities from denying their actions, such as sending emails or digital transactions." Reference: NIST SP 800-53 - Non-repudiation defined under Access Control and Audit

• Question 330:

  Given below are different steps involved in the vulnerability-management life cycle:

  Remediation

  Identify assets and create a baseline

  Verification

  Monitor

  Vulnerability scan

  Risk assessment

  Identify the correct sequence of steps involved in vulnerability management.

  A. 2 # 5 # 6 # 1 # 3 # 4
  B. 2 # 1 # 5 # 6 # 4 # 3
  C. 2 # 4 # 5 # 3 # 6 # 1
  D. 1 # 2 # 3 # 4 # 5 # 6
  A. 2 # 5 # 6 # 1 # 3 # 4

  ---

  Explanation

  In CEH v13 Module 10: Vulnerability Assessment, the Vulnerability Management Lifecycle is defined with the following structured steps:

  Identify assets and baseline (Step 2)

  Vulnerability scanning (Step 5)

  Risk assessment/prioritization (Step 6)

  Remediation (Step 1)

  Verification (Step 3)

  Continuous monitoring (Step 4)

  So the correct lifecycle flow is:

  2 # 5 # 6 # 1 # 3 # 4

  This ensures vulnerabilities are identified, assessed, remediated, validated, and monitored on an ongoing basis.

  Module 10 - Vulnerability Management Lifecycle CEH iLabs: End-to-End Vulnerability Assessment and Remediation