EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 371:

  An AWS security operations team receives an alert regarding abnormal outbound traffic from an EC2 instance. The instance begins transmitting encrypted data packets to an external domain that resolves to a Dropbox account not associated with the organization. Further analysis reveals that a malicious executable silently modified the Dropbox sync configuration to use the attacker's access token, allowing automatic synchronization of internal files to the attacker's cloud storage. What type of attack has likely occurred?

  A. Cloud Snooper attack leveraging port masquerading
  B. Man-in-the-Cloud (MITC) attack
  C. Side-channel attack exploiting CPU cache
  D. Cryptojacking using Coin Hive scripts
  B. Man-in-the-Cloud (MITC) attack

  ---

  Explanation

  Man-in-the-Cloud (MITC) attacks target cloud synchronization services such as Dropbox, Google Drive, and OneDrive by manipulating authentication tokens instead of user passwords. CEH courseware explains that cloud storage clients rely heavily on sync tokens stored locally, which authorize access without user interaction. If an attacker replaces or injects a malicious token, they can hijack the victim's cloud account or redirect synced data to attacker-controlled locations. In this scenario, the EC2 instance continues to operate normally, but its Dropbox client silently synchronizes data to an external account using the attacker's token. This bypasses traditional defenses such as perimeter firewalls, credential monitoring, or user behavior analytics, because the synchronization process appears legitimate and authenticated. MITC attacks are uniquely stealthy, as they require no further compromise once the sync token is stolen or replaced. Other choices, such as Cloud Snooper or cryptojacking, do not match the described behavior. Therefore, this attack clearly aligns with a Man-in-the-Cloud attack.

• Question 372:

  Which of the following are well-known password-cracking programs?

  A. L0phtcrack
  B. NetCat
  C. Jack the Ripper
  D. Netbus
  E. John the Ripper
  A. L0phtcrack
  E. John the Ripper

  ---

  Explanation

  Well-known and widely used password-cracking tools include:

  A. L0phtcrack Windows password auditing tool that can crack LM and NTLM hashes.

  E. John the Ripper Versatile password cracker that supports many hash types on Unix, Windows, etc.

  Incorrect Options:

  B. NetCat A network tool used for port scanning and data transfer.

  C. "Jack the Ripper" is likely a mistaken reference to John the Ripper.

  D. Netbus A remote access Trojan, not a password cracker.

  From CEH v13 Courseware:

  Module 6: Password Cracking Tools

  CEH v13 Study Guide Module 6: Common Password Cracking Tools

• Question 373:

  A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are required to allow the NIC to work in promiscuous mode?

  A. Libpcap
  B. Awinpcap
  C. Winprom
  D. WinPcap
  D. WinPcap

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Wireshark on Windows requires WinPcap to operate. WinPcap is a packet capture library that allows network interfaces to operate in promiscuous mode, which is essential for sniffing traffic.

  From CEH v13 Courseware:

  Module 8: Sniffing # Sniffing Tools # WinPcap for Windows

  Wireshark Documentation - "On Windows, WinPcap is required to capture live network traffic."

  Note: WinPcap has been succeeded by Npcap in modern versions.

• Question 374:

  A system administrator observes that several machines in the network are repeatedly sending out traffic to unknown IP addresses. Upon inspection, these machines were part of a coordinated spam campaign. What is the most probable cause?

  A. Keyloggers were harvesting user credentials
  B. Devices were enslaved into a botnet network
  C. Browsers were redirected to adware-injected sites
  D. Worms exploited zero-day vulnerabilities
  B. Devices were enslaved into a botnet network

  ---

  Explanation

  CEH defines botnets as networks of compromised machines controlled remotely to perform coordinated activities such as DDoS attacks, spam campaigns, and credential theft. Systems showing outbound connections to unknown IPs and participating in mass spam dissemination are characteristic indicators of botnet infection.

• Question 375:

  A WPA2-PSK wireless network is tested. Which method would allow identification of a key vulnerability?

  A. De-authentication attack to capture the four-way handshake
  B. MITM to steal the PSK directly
  C. Jamming to force PSK disclosure
  D. Rogue AP revealing PSK
  A. De-authentication attack to capture the four-way handshake

  ---

  Explanation

  CEH v13 states that the only viable way to attack WPA2-PSK is by capturing the four-way handshake . De- authentication forces clients to reconnect, allowing the handshake to be captured and later cracked offline.

  MITM, jamming, and rogue AP attacks do not directly expose the PSK.

• Question 376:

  An attacker exploits legacy protocols to perform advanced sniffing. Which technique is the most difficult to detect and neutralize?

  A. HTTP header overflow extraction
  B. SMTP steganographic payloads
  C. Covert channel via Modbus protocol manipulation
  D. X.25 packet fragmentation
  C. Covert channel via Modbus protocol manipulation

  ---

  Explanation

  CEH v13 identifies covert channels in legacy industrial protocols as among the hardest sniffing techniques to detect. Modbus , widely used in OT and ICS environments, lacks authentication and encryption, making it ideal for covert communication.

  Attackers can manipulate function codes and payload timing to exfiltrate data without triggering traditional IDS signatures. CEH v13 highlights that OT protocols often bypass deep inspection tools, making covert channels extremely stealthy.

  Other options are less realistic or less persistent in modern enterprise environments.

• Question 377:

  Which Intrusion Detection System is the best applicable for large environments where critical assets on the network need extra scrutiny and is ideal for observing sensitive network segments?

  A. Honeypots
  B. Firewalls
  C. Network-based intrusion detection system (NIDS)
  D. Host-based intrusion detection system (HIDS)
  C. Network-based intrusion detection system (NIDS)

  ---

  Explanation

  A Network-based Intrusion Detection System (NIDS) monitors all network traffic for signs of suspicious activity across multiple hosts. In large environments with critical assets (e.g., financial or healthcare networks), NIDS is ideal because it provides visibility into entire network segments, not just individual systems.

  NIDS can be deployed at strategic points (e.g., DMZs, VLANs, subnets) to detect unauthorized access, malware activity, or policy violations.

  CEH v13 Official Courseware:

  Module 13: Evading IDS, Firewalls, and Honeypots

  Quote:

  "Network-based IDS monitors traffic across an entire subnet or segment and is most effective in large environments to detect malicious activity before it reaches critical assets."

  Incorrect Options Explained:

  A. Honeypots attract and log attacker behavior, but do not provide network-wide detection.

  B. Firewalls filter traffic but are not detection systems.

  D. HIDS monitors activity on a single host only.

• Question 378:

  To create a botnet. the attacker can use several techniques to scan vulnerable machines. The attacker first collects Information about a large number of vulnerable machines to create a list. Subsequently, they infect the machines. The list Is divided by assigning half of the list to the newly compromised machines. The scanning process runs simultaneously. This technique ensures the spreading and installation of malicious code in little time.

  Which technique is discussed here?

  A. Hit-list-scanning technique
  B. Topological scanning technique
  C. Subnet scanning technique
  D. Permutation scanning technique
  A. Hit-list-scanning technique

  ---

  Explanation

  One of the biggest problems a worm faces in achieving a very fast rate of infection is "getting off the ground." although a worm spreads exponentially throughout the early stages of infection, the time needed to infect say the first 10,000 hosts dominates the infection time. There is a straightforward way for an active worm a simple this obstacle, that we term hit-list scanning. Before the worm is free, the worm author collects a listing of say ten,000 to 50,000 potentially vulnerable machines, ideally ones with sensible network connections. The worm, when released onto an initial machine on this hit-list, begins scanning down the list. once it infects a machine, it divides the hit-list in half, communicating half to the recipient worm, keeping the other half.

  This fast division ensures that even if only 10-20% of the machines on the hit-list are actually vulnerable, an active worm can quickly bear the hit-list and establish itself on all vulnerable machines in only some seconds. though the hit-list could begin at 200 kilobytes, it quickly shrinks to nothing during the partitioning. This provides a great benefit in constructing a quick worm by speeding the initial infection.

  The hit-list needn't be perfect: a simple list of machines running a selected server sort could serve, though larger accuracy can improve the unfold. The hit-list itself is generated victimization one or many of the following techniques, ready well before, typically with very little concern of detection.

  Stealthy scans. Portscans are so common and then wide ignored that even a quick scan of the whole net would be unlikely to attract law enforcement attention or over gentle comment within the incident response community. However, for attackers wish to be particularly careful, a randomised sneaky scan taking many months would be not possible to attract much attention, as most intrusion detection systems are not currently capable of detecting such low-profile scans. Some portion of the scan would be out of date by the time it had been used, however abundant of it'd not.

  Distributed scanning. an assailant might scan the web using a few dozen to some thousand already- compromised "zombies," the same as what DDOS attackers assemble in a very fairly routine fashion. Such distributed scanning has already been seen within the wild-Lawrence Berkeley National Laboratory received ten throughout the past year.

  DNS searches. Assemble a list of domains (for example, by using wide offered spam mail lists, or trolling the address registries). The DNS will then be searched for the science addresses of mail-servers (via mx records) or net servers (by looking for www.domain.com).

  Spiders. For net server worms (like Code Red), use Web-crawling techniques the same as search engines so as to produce a list of most Internet-connected web sites. this would be unlikely to draw in serious attention.

  Public surveys. for many potential targets there may be surveys available listing them, like the Netcraft survey.

  Just listen. Some applications, like peer-to-peer networks, wind up advertising many of their servers. Similarly, many previous worms effectively broadcast that the infected machine is vulnerable to further attack. easy, because of its widespread scanning, during the Code Red I infection it was easy to select up the addresses of upwards of 300,000 vulnerable IIS serversecause each came knock on everyone's door!

• Question 379:

  Bobby, an attacker, targeted a user and decided to hijack and intercept all their wireless communications. He installed a fake communication tower between two authentic endpoints to mislead the victim.

  Bobby used this virtual tower to interrupt the data transmission between the user and real tower, attempting to hijack an active session, upon receiving the users request. Bobby manipulated the traffic with the virtual tower and redirected the victim to a malicious website.

  What is the attack performed by Bobby in the above scenario?

  A. Wardriving
  B. KRACK attack
  C. jamming signal attack
  D. aLTEr attack
  D. aLTEr attack

  ---

  Explanation

  aLTEr attacks are usually performed on LTE devices Attacker installs a virtual (fake) communication tower between two authentic endpoints intending to mislead the victim This virtual tower is used to interrupt the data transmission between the user and real tower attempting to hijack the active session.

  https://alter-attack.net/media/breaking_lte_on_layer_two.pdf

  The new aLTEr attack can be used against nearly all LTE connected endpoints by intercepting traffic and redirecting it to malicious websites together with a particular approach for Apple iOS devices.

  This attack works by taking advantage of a style flaw among the LTE network - the information link layer (aka: layer-2) of the LTE network is encrypted with AES-CTR however it's not integrity-protected, that is why an offender will modify the payload.

• Question 380:

  In an attempt to damage the reputation of a competitor organization, Hailey, a professional hacker, gathers a list of employee and client email addresses and other related information by using various search engines, social networking sites, and web spidering tools. In this process, she also uses an automated tool to gather a list of words from the target website to further perform a brute-force attack on the previously gathered email addresses.

  What is the tool used by Hailey for gathering a list of words from the target website?

  A. Shadowsocks
  B. CeWL
  C. Psiphon
  D. Orbot
  B. CeWL

  ---

  Explanation

  Gathering Wordlist from the Target Website An attacker uses the CeWL tool to gather a list of words from the target website and perform a brute-force attack on the email addresses gathered earlier. # Cewl www.certifiedhacker.com (P.200/184)