EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 331:

  What is the proper response for a NULL scan if the port is open?

  A. SYN
  B. ACK
  C. FIN
  D. PSH
  E. RST
  F. No response
  F. No response

  ---

  Explanation

  When a NULL scan is sent to a port on a UNIX-based system:

  If the port is OPEN: The system does not respond at all.

  If the port is CLOSED: The system responds with a RST packet.

  This behavior is based on how the TCP stack processes unexpected packets.

  From CEH v13 Courseware:

  Module 3: Scanning Networks

  Topic: Stealth Scanning Techniques # NULL Scan

  CEH v13 Official Guide states:

  "A NULL scan sends a TCP packet with no flags set. On systems following RFC 793 (like many Unix /Linux), open ports silently drop such packets (no response), while closed ports respond with a TCP RST."

  Incorrect Options:

  A-E: Not standard responses for an open port in a NULL scan scenario.

  CEH v13 Study Guide - Module 3: Scanning Networks # NULL Scan BehaviorRFC 793 - TCP State Machine

• Question 332:

  An ethical hacker has been tasked with assessing the security of a major corporation's network. She suspects the network uses default SNMP community strings. To exploit this, she plans to extract valuable network information using SNMP enumeration.

  Which tool could best help her to get the information without directly modifying any parameters within the SNMP agent's management information base (MIB)?

  A. snmp-check (snmp_enum Module) to gather a wide array of information about the target
  B. Nmap, with a script to retrieve all running SNMP processes and associated ports
  C. Oputits, are mainly designed for device management and not SNMP enumeration
  D. SnmpWalk, with a command to change an OID to a different value
  A. snmp-check (snmp_enum Module) to gather a wide array of information about the target

  ---

  Explanation

  snmp-check (snmp_enum Module) is the best tool to help the ethical hacker to get the information without directly modifying any parameters within the SNMP agent's MIB. snmp-check is a tool that allows the user to enumerate SNMP devices and extract information from them. It can gather a wide array of information about the target, such as system information, network interfaces, routing tables, ARP cache, installed software, running processes, TCP and UDP services, user accounts, and more. snmp- check can also perform brute force attacks to discover the SNMP community strings, which are the passwords used to access the SNMP agent. snmp-check is available as a standalone tool or as a module (snmp_enum) within the Metasploit framework.

  The other options are not as effective or suitable as snmp-check for the ethical hacker's task. Nmap is a network scanning and enumeration tool that can perform various types of scans and probes on the target. It can also run scripts to perform specific tasks, such as retrieving SNMP information. However, Nmap may not be able to gather as much information as snmp-check, and it may also trigger alerts or blocks from firewalls or intrusion detection systems. Oputils is a network monitoring and management toolset that can perform various functions, such as device discovery, configuration backup, bandwidth monitoring, IP address management, and more. However, Oputils is mainly designed for device management and not SNMP enumeration, and it may not be able to extract valuable network information from the SNMP agent. SnmpWalk is a tool that allows the user to retrieve the entire MIB tree of an SNMP agent by using SNMP GETNEXT requests. However, SnmpWalk is not suitable for the ethical hacker's task, because it requires the user to change an OID (object identifier) to a different value, which may modify the parameters within the SNMP agent's MIB and affect its functionality or security. References:

  snmp-check - The SNMP enumerator

  SNMP Enumeration | Ethical Hacking - GreyCampus

  SNMP Enumeration - GeeksforGeeks

  Nmap - the Network Mapper - Free Security Scanner

  OpUtils - Network Monitoring and Management Toolset

  SnmpWalk - SNMP MIB Browser

• Question 333:

  During a red team simul-ation, an attacker crafts packets with malformed checksums so the IDS accepts them but the target silently discards them. Which evasion technique is being employed?

  A. Insertion attack
  B. Polymorphic shellcode
  C. Session splicing
  D. Fragmentation attack
  A. Insertion attack

  ---

  Explanation

  CEH v13 outlines insertion attacks as IDS evasion methods in which attackers send packets deliberately crafted so that the IDS processes them differently from the target host. In an insertion attack, malformed packets appear legitimate to the IDS-allowing malicious traffic to blend with benign inspection results- while the end host rejects or modifies the packets due to incorrect checksums, invalid flags, or protocol inconsistencies. As a result, the IDS sees one set of reconstructed data, while the actual host processes a different version or nothing at all. CEH emphasizes that intrusion detection systems may not follow full TCP /IP stack validation, making them susceptible to deception by malformed or borderline-conformant packets. Polymorphic shellcode (Option B) changes payload signatures, not packet structure. Session splicing (Option C) splits payload across packets to evade pattern matching but does not rely on checksum manipulation. Fragmentation attacks (Option D) divide traffic into smaller fragments, not alter validity fields. The described behavior fits insertion attacks precisely.

• Question 334:

  A security analyst investigates unusual east-west traffic on a corporate network. A rogue device has been physically inserted between a workstation and the switch, enabling unauthorized access while inheriting the workstation's authenticated network state. Which evasion technique is being used?

  A. Exploiting a wireless rogue access point to tunnel through the firewall
  B. NAC bypass using a pre-authenticated device for network bridging
  C. Spoofing ARP responses from a dynamic IP allocation pool
  D. VLAN double tagging to shift between network segments
  B. NAC bypass using a pre-authenticated device for network bridging

  ---

  Explanation

  Network Access Control (NAC) solutions often authenticate only the first device connected to a port. CEH explains that attackers can insert a rogue device behind an already authenticated host, bypassing NAC checks. This creates a transparent bridge that forwards legitimate traffic while injecting attacker-controlled communications.

• Question 335:

  Louis, a professional hacker, had used specialized tools or search engines to encrypt all his browsing activity and navigate anonymously to obtain sensitive/hidden information about official government or federal databases. After gathering the information, he successfully performed an attack on the target government organization without being traced. Which of the following techniques is described in the above scenario?

  A. Dark web footprinting
  B. VoIP footprinting
  C. VPN footprinting
  D. Website footprinting
  A. Dark web footprinting

  ---

  Explanation

  In CEH v13 Module 02: Footprinting and Reconnaissance, Dark Web Footprinting is discussed as an advanced form of reconnaissance where attackers access hidden services and data using anonymity networks such as Tor (The Onion Router), I2P, or Freenet. These networks enable access to the deep web and dark web, where unindexed, and often illicit, content resides.

  Key points relevant to this scenario:

  The attacker encrypted browsing traffic and navigated anonymously, which strongly implies the use of tools like Tor or VPNs to mask identity.

  The attacker used specialized tools/search engines like:

  Torch

  Ahmia

  DarkSearch

  Candle

  The goal was to find sensitive or hidden information in government or federal systems - a common dark web footprinting objective.

  The final step involved an attack that left no trace, which aligns with using the dark web for anonymity and obfuscation.

  Option Analysis:

  A. Dark web footprinting

  Correct. This matches the behavior described: encrypted, anonymous access to sensitive information through dark web tools.

  B. VoIP footprinting #

  Incorrect. VoIP footprinting relates to identifying vulnerabilities or metadata in Voice over IP systems, not anonymous browsing or dark web activities.

  C. VPN footprinting #

  Incorrect. While VPNs may be used as part of anonymity, VPN footprinting refers to identifying systems using VPNs - not the act of gathering data anonymously.

  D. Website footprinting #

  Incorrect. Website footprinting involves gathering information from public-facing websites, like WHOIS data, robots.txt, and HTML metadata - not hidden dark web content.

  Reference from CEH v13 Study Guide and Courseware:

  Module 02 Footprinting and Reconnaissance, Section: Footprinting through Dark Web and Deep Web

  CEH v13 iLabs: Using Tor and Dark Web Search Engines for Reconnaissance

  CEH Engage - Phase 1 (Reconnaissance): Dark Web Intelligence Gathering

• Question 336:

  Which of the following tools performs comprehensive tests against web servers, including dangerous files and CGIs?

  A. Nikto
  B. John the Ripper
  C. Dsniff
  D. Snort
  A. Nikto

  ---

  Explanation

  https://en.wikipedia.org/wiki/Nikto_(vulnerability_scanner)

  Nikto is a free software command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software, and other problems. It performs generic and server types specific checks. It also captures and prints any cookies received. The Nikto code itself is free software, but the data files it uses to drive the program are not.

• Question 337:

  James is working as an ethical hacker at Technix Solutions. The management ordered James to discover how vulnerable its network is towards footprinting attacks. James took the help of an open-source framework for performing automated reconnaissance activities. This framework helped James in gathering information using free tools and resources.

  What is the framework used by James to conduct footprinting and reconnaissance activities?

  A. WebSploit Framework
  B. Browser Exploitation Framework
  C. OSINT framework
  D. SpeedPhish Framework
  C. OSINT framework

  ---

  Explanation

  In CEH v13 Module 02: Footprinting and Reconnaissance, the OSINT Framework is introduced as a collection of free, open-source tools and resources to aid ethical hackers in passive reconnaissance.

  Key Features of OSINT Framework:

  Web-based visual tool that maps out links to open-source intelligence tools.

  Allows collection of emails, domains, usernames, IPs, social media data, and more.

  Focuses on passive footprinting to avoid detection.

  Option Clarification:

  A. WebSploit Framework: Used for man-in-the-middle attacks and web vulnerabilities.

  B. Browser Exploitation Framework (BeEF): Browser-focused attack tool.

  C. OSINT Framework: Correct -- open-source intelligence and reconnaissance.

  D. SpeedPhish Framework: Phishing simulation tool, not used for passive information gathering.

  Module 02 - Tools for Footprinting and Reconnaissance

  CEH iLabs: Using OSINT Framework for Target Profiling

• Question 338:

  Which of the following information security controls creates an appealing isolated environment for hackers to prevent them from compromising critical targets while simultaneously gathering information about the hacker?

  A. intrusion detection system
  B. Honeypot
  C. Botnet
  D. Firewall
  B. Honeypot

  ---

  Explanation

  A honeypot may be a trap that an IT pro lays for a malicious hacker, hoping that they will interact with it during a way that gives useful intelligence. It's one among the oldest security measures in IT, but beware:

  luring hackers onto your network, even on an isolated system, are often a dangerous game.

  honeypot may be a good starting place: "A honeypot may be a computer or computing system intended to mimic likely targets of cyberattacks." Often a honeypot are going to be deliberately configured with known vulnerabilities in situation to form a more tempting or obvious target for attackers. A honeypot won't contain production data or participate in legitimate traffic on your network -- that's how you'll tell anything happening within it's a results of an attack. If someone's stopping by, they're up to no good.

  That definition covers a various array of systems, from bare-bones virtual machines that only offer a couple of vulnerable systems to ornately constructed fake networks spanning multiple servers. and therefore the goals of these who build honeypots can vary widely also , starting from defense thorough to academic research. additionally , there's now an entire marketing category of deception technology that, while not meeting the strict definition of a honeypot, is certainly within the same family. But we'll get thereto during a moment.

  honeypots aim to permit close analysis of how hackers do their dirty work. The team controlling the honeypot can watch the techniques hackers use to infiltrate systems, escalate privileges, and otherwise run amok through target networks. These sorts of honeypots are found out by security companies, academics, and government agencies looking to look at the threat landscape. Their creators could also be curious about learning what kind of attacks are out there, getting details on how specific sorts of attacks work, or maybe trying to lure a specific hackers within the hopes of tracing the attack back to its source. These systems are often inbuilt fully isolated lab environments, which ensures that any breaches don't end in non-honeypot machines falling prey to attacks.

  Production honeypots, on the opposite hand, are usually deployed in proximity to some organization's production infrastructure, though measures are taken to isolate it the maximum amount as possible. These honeypots often serve both as bait to distract hackers who could also be trying to interrupt into that organization's network, keeping them faraway from valuable data or services; they will also function a canary within the coalpit , indicating that attacks are underway and are a minimum of partially succeeding.

• Question 339:

  You have the SOA presented below in your Zone.

  Your secondary servers have not been able to contact your primary server to synchronize information.

  How long will the secondary servers attempt to contact the primary server before it considers that zone is dead and stops responding to queries?

  collegae.edu. SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600)

  A. One day
  B. One hour
  C. One week
  D. One month
  C. One week

  ---

  Explanation

  In an SOA (Start of Authority) record, the fifth value represents the "Expire" interval - the time a secondary DNS server will keep trying to contact the primary server before considering the zone data stale or invalid.

  SOA Format:

  SOA Primary-NS Hostmaster (Serial Refresh Retry Expire Minimum-TTL)

  Given SOA:

  (200302028 3600 3600 604800 3600)

  Serial: 200302028

  Refresh: 3600 seconds

  Retry: 3600 seconds

  Expire: 604800 seconds 7 days 1 week

  Minimum TTL: 3600

  So, if the secondary DNS cannot contact the primary for 604800 seconds (1 week), it will stop serving that zone's data.

  CEH v13 Study Guide - Module 3: DNS Zone Transfersand; SOA RecordsRFC 1035 - Domain Names - Section 3.3.13 (SOA Record Format)

• Question 340:

  A global media streaming platform experiences traffic surges every 10 minutes, with spikes over 300 Gbps followed by quiet intervals. Which DDoS attack explains this behavior?

  A. UDP flood sustained attack
  B. Recursive HTTP GET flood
  C. Permanent DoS (PDoS)
  D. Pulse Wave attack
  D. Pulse Wave attack

  ---

  Explanation

  This scenario clearly aligns with a Pulse Wave DDoS attack , a sophisticated denial-of-service technique described in CEH v13 Network and Perimeter Hacking . Unlike traditional volumetric DDoS attacks that rely on sustained flooding, pulse wave attacks deliver short, extremely high-volume bursts of traffic , followed by periods of inactivity.

  The defining characteristics described- intermittent spikes exceeding 300 Gbps , regular intervals (every 10 minutes), and temporary recovery-are hallmark indicators of pulse wave attacks. CEH v13 explains that attackers use this method to overwhelm server resources, trigger auto-scaling failures, exhaust mitigation thresholds, and evade detection systems that rely on sustained traffic baselines.

  Option A is incorrect because UDP floods are continuous. Option B (HTTP GET flood) targets the application layer with sustained requests. Option C (PDoS) permanently damages hardware, which does not match the recurring pattern.

  Pulse wave attacks are particularly effective against large platforms like streaming services because they:

  Exploit elasticity limits of cloud infrastructure

  Confuse rate-based detection systems

  Cause repeated service degradation without long attack durations

  CEH v13 emphasizes that pulse wave attacks are difficult to mitigate without adaptive, behavior-based DDoS protection. Therefore, Option D is the correct and CEH-aligned answer.