EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 341:

  During a recent vulnerability assessment of a major corporation's IT systems, the security team identified several potential risks. They want to use a vulnerability scoring system to quantify and prioritize these vulnerabilities. They decide to use the Common Vulnerability Scoring System (CVSS). Given the characteristics of the identified vulnerabilities, which of the following statements is the most accurate regarding the metric types used by CVSS to measure these vulnerabilities?

  A. Temporal metric represents the inherent qualities of a vulnerability
  B. Base metric represents the inherent qualities of a vulnerability
  C. Environmental metric involves the features that change during the lifetime of the vulnerability
  D. Temporal metric involves measuring vulnerabilities based on a_ specific environment or implementation
  B. Base metric represents the inherent qualities of a vulnerability

  ---

  Explanation

  The base metric represents the inherent qualities of a vulnerability, according to the Common Vulnerability Scoring System (CVSS). CVSS is a framework that numerically characterizes the severity of software vulnerabilities between the range of 0-10. CVSS consists of three metric groups: Base, Temporal, and Environmental. The base metric group captures the characteristics of a vulnerability that are constant over time and across user environments. The base metric group consists of six sub-metrics:

  Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Impact. The impact sub-metric further consists of three sub-metrics: Confidentiality, Integrity, and Availability. The base metric group produces a score ranging from 0 to 10, which reflects the intrinsic and fundamental properties of a vulnerability12.

  The other options are not correct for the following reasons:

  A. Temporal metric represents the inherent qualities of a vulnerability: This option is incorrect because the temporal metric group captures the characteristics of a vulnerability that change over time due to events external to the vulnerability. The temporal metric group consists of three sub-metrics: Exploit Code Maturity, Remediation Level, and Report Confidence. The temporal metric group modifies the base score to reflect the current state of the vulnerability, such as the availability of exploit code, the

  existence of patches or workarounds, and the degree of verification of the vulnerability report12.

  C. Environmental metric involves the features that change during the lifetime of the vulnerability: This option is incorrect because the environmental metric group captures the characteristics of a vulnerability that are relevant and unique to a user's environment. The environmental metric group consists of three sub-metrics:

  Modified Attack Vector, Modified Attack Complexity, and Modified Privileges Required. The environmental metric group also allows the user to assign importance values to the impact sub-metrics: Confidentiality Requirement, Integrity Requirement, and Availability Requirement. The environmental metric group modifies the base and temporal scores to reflect the impact of the vulnerability on the user's specific environment, such as the network configuration, the security objectives, and the asset value12.

  D. Temporal metric involves measuring vulnerabilities based on a specific environment or implementation:

  This option is incorrect because the temporal metric group does not involve measuring vulnerabilities based on a specific environment or implementation, but rather on the factors that change over time due to events external to the vulnerability. The environmental metric group, not the temporal metric group, involves measuring vulnerabilities based on a specific environment or implementation, as explained in option C.

  References:

  1: What is CVSS - Common Vulnerability Scoring System - SANS Institute 2: Common Vulnerability Scoring System - Wikipedia

• Question 342:

  Websites and web portals that provide web services commonly use the Simple Object Access Protocol (SOAP).

  Which of the following is an incorrect definition or characteristic of the protocol?

  A. Exchanges data between web services
  B. Only compatible with the application protocol HTTP
  C. Provides a structured model for messaging
  D. Based on XML
  B. Only compatible with the application protocol HTTP

  ---

  Explanation

  In CEH v13 Module 12: Hacking Web Applications, SOAP (Simple Object Access Protocol) is discussed as a protocol that allows web service communication using XML-based messages.

  Correct SOAP Characteristics:

  Structured model for data exchange, used in SOAP envelopes.

  Built on XML format.

  Can operate over multiple application layer protocols, not just HTTP (e.g., SMTP, FTP, JMS).

  Option B is incorrect because:

  While SOAP most commonly uses HTTP, it is not limited to it. SOAP is protocol-independent at the transport layer.

  Module 12 - SOAP, WSDL, and Web Services Protocols

  CEH iLabs: SOAP and XML Request Manipulation in Web Services

• Question 343:

  A known vulnerability exists on a production server, but patching is delayed due to operational constraints. What immediate action can reduce risk without disrupting operations?

  A. Conduct a full penetration test
  B. Shut down the server
  C. Monitor traffic continuously
  D. Implement Virtual Patching
  D. Implement Virtual Patching

  ---

  Explanation

  Virtual Patching is a risk-mitigation technique emphasized in CEH v13 Security Operations . It involves deploying compensating controls-such as WAF rules, IPS signatures, or firewall policies-to block exploitation attempts without modifying the vulnerable system.

  CEH v13 highlights virtual patching as especially useful when:

  Downtime is unacceptable

  Vendor patches are delayed

  Legacy systems are in use

  Monitoring alone does not prevent exploitation, and shutting down systems is often impractical. Virtual patching provides immediate protection while maintaining availability.

• Question 344:

  John, a professional hacker, decided to use DNS to perform data exfiltration on a target network, in this process, he embedded malicious data into the DNS protocol packets that even DNSSEC cannot detect. Using this technique. John successfully injected malware to bypass a firewall and maintained communication with the victim machine and CandC server. What is the technique employed by John to bypass the firewall?

  A. DNS cache snooping
  B. DNSSEC zone walking
  C. DNS tunneling method
  D. DNS enumeration
  C. DNS tunneling method

  ---

  Explanation

  DNS tunneling may be a method wont to send data over the DNS protocol, a protocol which has never been intended for data transfer. due to that, people tend to overlook it and it's become a well-liked but effective tool in many attacks.

  Most popular use case for DNS tunneling is obtaining free internet through bypassing captive portals at airports, hotels, or if you are feeling patient the not-so-cheap on the wing Wi-Fi.

  On those shared internet hotspots HTTP traffic is blocked until a username/password is provided, however DNS traffic is usually still allowed within the background: we will encode our HTTP traffic over DNS and voil? we've internet access.

  This sounds fun but reality is, browsing anything on DNS tunneling is slow. Like, back to 1998 slow.

  Another more dangerous use of DNS tunneling would be bypassing network security devices (Firewalls, DLP appliances...) to line up an immediate and unmonitored communications channel on an organisation's network. Possibilities here are endless: Data exfiltration, fixing another penetration testing tool... you name it. To make it even more worrying, there's an outsized amount of easy to use DNS tunneling tools out there.

  There's even a minimum of one VPN over DNS protocol provider (warning: the planning of the web site is hideous, making me doubt on the legitimacy of it).

  As a pentester all this is often great, as a network admin not such a lot .

  How does it work:

  For those that ignoramus about DNS protocol but still made it here, i feel you deserve a really brief explanation on what DNS does: DNS is sort of a phonebook for the web , it translates URLs (human-friendly language, the person's name), into an IP address (machine-friendly language, the phone number). That helps us remember many websites, same as we will remember many people's names.

  For those that know what DNS is i might suggest looking here for a fast refresh on DNS protocol, but briefly what you would like to understand is:

  A Record: Maps a website name to an IP address.

  example.com - 12.34.52.67

  NS Record (a.k.a. Nameserver record): Maps a website name to an inventory of DNS servers, just in case our website is hosted in multiple servers.

  example.com - server1.example.com, server2.example.com

  Who is involved in DNS tunneling?

  Client. Will launch DNS requests with data in them to a website .

  One Domain that we will configure. So DNS servers will redirect its requests to an outlined server of our own.

  Server. this is often the defined nameserver which can ultimately receive the DNS requests.

  The 6 Steps in DNS tunneling (simplified):

  1. The client encodes data during a DNS request. The way it does this is often by prepending a bit of knowledge within the domain of the request. for instance : mypieceofdata.server1.example.com

  2. The DNS request goes bent a DNS server.

  3. The DNS server finds out the A register of your domain with the IP address of your server.

  4. The request for mypieceofdata.server1.example.com is forwarded to the server.

  5. The server processes regardless of the mypieceofdata was alleged to do. Let's assume it had been an HTTP request.

  6. The server replies back over DNS and woop woop, we've got signal. Bypassing Firewalls through the DNS Tunneling Method DNS operates using UDP, and it has a 255-byte limit on outbound queries. Moreover, it allows only alphanumeric characters and hyphens. Such small size constraints on external queries allow DNS to be used as an ideal choice to perform data exfiltration by various malicious entities. Since corrupt or malicious data can be secretly embedded into the DNS protocol packets, even DNSSEC cannot detect the abnormality in DNS tunneling. It is effectively used by malware to bypass the firewall to maintain communication between the victim machine and the CandC

  server. Tools such as NSTX (https://sourceforge.net), Heyoka (http://heyoka.sourceforge.netuse), and Iodine (https://code.kryo.se) use this technique of tunneling traffic across DNS port 53. CEH v11 Module 12 Page

• Question 345:

  Robin, a professional hacker, targeted an organization's network to sniff all the traffic. During this process.

  Robin plugged in a rogue switch to an unused port in the LAN with a priority lower than any other switch in the network so that he could make it a root bridge that will later allow him to sniff all the traffic in the network.

  What is the attack performed by Robin in the above scenario?

  A. ARP spoofing attack
  B. VLAN hopping attack
  C. DNS poisoning attack
  D. STP attack
  D. STP attack

  ---

  Explanation

  STP prevents bridging loops in a redundant switched network environment. By avoiding loops, you can ensure that broadcast traffic does not become a traffic storm.

  STP is a hierarchical tree-like topology with a "root" switch at the top. A switch is elected as root based on the lowest configured priority of any switch (0 through 65,535). When a switch boots up, it begins a process of identifying other switches and determining the root bridge. After a root bridge is elected, the topology is established from its perspective of the connectivity. The switches determine the path to the root bridge, and all redundant paths are blocked. STP sends configuration and topology change notifications and acknowledgments (TCN/TCA) using bridge protocol data units (BPDU).

  An STP attack involves an attacker spoofing the root bridge in the topology. The attacker broadcasts out an STP configuration/topology change BPDU in an attempt to force an STP recalculation. The BPDU sent out announces that the attacker's system has a lower bridge priority. The attacker can then see a variety of frames forwarded from other switches to it. STP recalculation may also cause a denial-of-service (DoS) condition on the network by causing an interruption of 30 to 45 seconds each time the root bridge changes. An attacker using STP network topology changes to force its host to be elected as the root bridge.

• Question 346:

  Which of the following describes the characteristics of a Boot Sector Virus?

  A. Modifies directory table entries so that directory entries point to the virus code instead of the actual program.
  B. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR.
  C. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
  D. Overwrites the original MBR and only executes the new virus code.
  C. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.

  ---

  Explanation

  A Boot Sector Virus infects the master boot record (MBR) of the system. When a system boots, it first loads the MBR into memory. A Boot Sector Virus takes advantage of this by moving the original MBR to a different location on the hard disk and writing itself to the original MBR location. This ensures that it is executed first during system startup.

  As per CEH v13 course material:

  "A boot sector virus infects the master boot record of a hard disk. It moves the original boot sector to a different location on the hard disk and replaces it with its own malicious code. When the computer is booted, the virus loads first and then hands control to the original boot sector code." Reference: CEH v13 Study Guide:

  Module 06: Malware Threats, Section: "Types of Malware", Subsection: "Boot Sector Viruses"

  Incorrect Options Explained:

  A: Describes directory virus behavior, not boot sector.

  B: The virus moves MBR on the hard disk, not RAM.

  D: Some viruses overwrite MBR, but most preserve the original and move it to another disk location to maintain system operability.

• Question 347:

  What is one of the advantages of using both symmetric and asymmetric cryptography in SSL/TLS?

  A. Supporting both types of algorithms allows less-powerful devices such as mobile phones to use symmetric encryption instead.
  B. Symmetric algorithms such as AES provide a failsafe when asymmetric methods fail.
  C. Symmetric encryption allows the server to securely transmit the session keys out-of-band.
  D. Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited to securely negotiate keys for use with symmetric cryptography.
  D. Asymmetric cryptography is computationally expensive in comparison. However, it is well-suited to securely negotiate keys for use with symmetric cryptography.

  ---

  Explanation

  SSL/TLS uses a hybrid cryptographic approach:

  Asymmetric cryptography is used during the handshake phase to securely exchange symmetric session keys over an insecure network.

  After the key exchange, symmetric encryption (e.g., AES) is used for the bulk of data transfer due to its high performance and lower overhead.

  This approach balances security and efficiency by leveraging asymmetric encryption for secure key exchange and symmetric encryption for speed.

  CEH v13 Official Study Guide:

  Module 20: Cryptography

  Section: SSL/TLS

  Quote:

  "SSL/TLS uses asymmetric cryptography to negotiate keys and symmetric cryptography to encrypt data. This combination ensures secure, fast, and reliable communication."

  Incorrect Options Explained:

  A. Not relevant - all devices follow the protocol regardless of capability.

  B. There is no failover mechanism as described.

  C. Session keys are exchanged during the handshake, not out-of-band.

• Question 348:

  A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file is named "nc." The FTP server's access logs show that the anonymous user account logged in to the server, uploaded the files, and extracted the contents of the tarball and ran the script using a function provided by the FTP server's software. The "ps" command shows that the "nc" file is running as process, and the netstat command shows the "nc" process is listening on a network port.

  What kind of vulnerability must be present to make this remote attack possible?

  A. File system permissions
  B. Privilege escalation
  C. Directory traversal
  D. Brute force login
  A. File system permissions

  ---

  Explanation

  File system permissions

  Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

  Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

• Question 349:

  During a red team assessment of an enterprise LAN environment, the tester discovers an access switch that connects multiple internal workstations. The switch has no port security measures in place. To silently intercept communication between different hosts without deploying ARP poisoning or modifying the routing table, the tester launches a MAC flooding attack using the macof utility from the dsniff suite. This command sends thousands of Ethernet frames per minute, each with random, spoofed source MAC addresses. Soon after the flooding begins, the tester puts their network interface into promiscuous mode and starts capturing packets. They observe unicast traffic between internal machines appearing in their packet sniffer-traffic that should have been isolated. What internal switch behavior is responsible for this sudden exposure of isolated traffic?

  A. The switch performed ARP spoofing to misroute packets.
  B. The switch entered hub-like behavior due to a full CAM table.
  C. The interface performed DHCP starvation to capture broadcasts.
  D. The switch disabled MAC filtering due to duplicate address conflicts.
  B. The switch entered hub-like behavior due to a full CAM table.

  ---

  Explanation

  CEH explains that MAC flooding overwhelms a switch's CAM table, causing it to fail open. When the table fills, the switch broadcasts frames out all ports, behaving like a hub. This exposes unicast traffic to attackers operating in promiscuous mode.

• Question 350:

  Who are "script kiddies" in the context of ethical hacking?

  A. Highly skilled hackers who write custom scripts
  B. Novices who use scripts developed by others
  C. Ethical hackers using scripts for penetration testing
  D. Hackers specializing in scripting languages
  B. Novices who use scripts developed by others

  ---

  Explanation

  In CEH v13 Information Security and Ethical Hacking Overview script kiddies , are defined as individuals with limited technical knowledge who rely on pre-written tools, scripts, and exploits created by others to carry out attacks. They typically lack a deep understanding of how the underlying exploits work.

  CEH v13 categorizes attackers based on skill level and intent. Script kiddies sit at the lower end of the skill spectrum. They often download exploit kits, automated scanners, or attack frameworks and run them with minimal customization. While their attacks may be unsophisticated, they can still cause damage due to the availability of powerful tools.

  Option B accurately reflects this definition. Options A and D describe skilled attackers or programmers, which contradicts the CEH classification. Option C is incorrect because ethical hackers use tools responsibly with authorization and possess a strong understanding of security principles.

  CEH v13 emphasizes that although script kiddies are less skilled, they pose a risk because automation allows them to exploit known vulnerabilities at scale. This is why organizations must patch systems promptly and implement baseline security controls.