EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 381:

  A malware analyst finds JavaScript and /OpenAction keywords in a suspicious PDF using pdfid . What should be the next step to assess the potential impact?

  A. Upload the file to VirusTotal
  B. Extract and analyze stream objects using PDFStreamDumper
  C. Compute file hashes for signature matching
  B. Extract and analyze stream objects using PDFStreamDumper

  ---

  Explanation

  CEH's Malware Analysis module outlines a structured approach:

  Identify suspicious indicators (e.g., JavaScript, OpenAction)

  Extract and analyze embedded objects

  Determine behavior and exploit logic

  PDFStreamDumper allows analysts to extract JavaScript code and embedded objects for detailed inspection.

  Option B is correct.

  Option A is useful but insufficient for deep analysis.

  Option C only aids identification, not behavior understanding.

• Question 382:

  You have been authorized to perform a penetration test against a website. You want to use Google dorks to footprint the site but only want results that show file extensions. What Google dork operator would you use?

  A. filetype
  B. ext
  C. inurl
  D. site
  A. filetype

  ---

  Explanation

  Restrict results to those of a certain filetype. E.g., PDF, DOCX, TXT, PPT, etc. Note: The "ext:" operator can also be used-the results are identical.

  Example: apple filetype:pdf / apple ext:pdf

• Question 383:

  Hackers often raise the trust level of a phishing message by modeling the email to look similar to the internal email used by the target company. This includes using logos, formatting, and names of the target company. The phishing message will often use the name of the company CEO, President, or Managers. The time a hacker spends performing research to locate this information about a company is known as?

  A. Exploration
  B. Investigation
  C. Reconnaissance
  D. Enumeration
  C. Reconnaissance

  ---

  Explanation

  Reconnaissance is the first phase of ethical hacking and also part of the cyber kill chain. It involves gathering publicly available information about a target, such as employee names, company structure, and branding, which is later used in social engineering or phishing attacks.

  Reference -CEH v13 Official Study Guide:

  Module 2: Footprinting and Reconnaissance

  Quote:

  "Reconnaissance involves gathering information from public sources such as websites, social networks, and press releases. This is used to craft targeted phishing messages or exploit organizational weaknesses."

  Incorrect Options Explained:

  A and B. Not formal terms in ethical hacking.

  D. Enumeration involves interacting with systems to extract technical data.

• Question 384:

  Your company, SecureTech Inc., is planning to transmit some sensitive data over an unsecured communication channel. As a cyber security expert, you decide to use symmetric key encryption to protect the data.

  However, you must also ensure the secure exchange of the symmetric key.

  Which of the following protocols would you recommend to the team to achieve this?

  A. Implementing SSL certificates on your company's web servers.
  B. Applying the Diffie-Hellman protocol to exchange the symmetric key.
  C. Switching all data transmission to the HTTPS protocol.
  D. Utilizing SSH for secure remote logins to the servers.
  B. Applying the Diffie-Hellman protocol to exchange the symmetric key.

  ---

  Explanation

  The protocol that you would recommend to the team to achieve the secure exchange of the symmetric key is the Diffie-Hellman protocol. The Diffie-Hellman protocol is a key agreement protocol that allows two or more parties to establish a shared secret key over an unsecured communication channel, without having to exchange the key itself. The Diffie-Hellman protocol works as follows:

  The parties agree on a large prime number p and a generator g, which are public parameters that can be known by anyone.

  Each party chooses a random private number a or b, which are kept secret from anyone else.

  Each party computes a public value A or B, by raising g to the power of a or b modulo p, i.e., A = g^a mod p and B = g^b mod p.

  Each party sends their public value A or B to the other party over the unsecured channel.

  Each party computes the shared secret key K, by raising the received public value to the power of their own private number modulo p, i.e., K = A^b mod p = B^a mod p.

  The parties can now use the shared secret key K to encrypt and decrypt the data using a symmetric key encryption algorithm, such as AES or 3DES.

  The Diffie-Hellman protocol can ensure the secure exchange of the symmetric key because it relies on the mathematical difficulty of computing discrete logarithms, which means that it is hard to find the private numbers a or b given the public values A or B, g, and p. Therefore, an attacker who intercepts the public values A or B cannot easily compute the shared secret key K, and thus cannot decrypt the data encrypted with K.

  The other options are not as appropriate as option B for the following reasons:

  A. Implementing SSL certificates on your company's web servers: This option is not relevant because SSL certificates are not used to exchange symmetric keys, but to authenticate the identity of the web servers and to establish a secure connection using public key encryption. SSL certificates are digital certificates that contain the public key and the identity information of the web server, and are issued and signed by a trusted certificate authority (CA). When a client connects to a web server, the web server

  sends its SSL certificate to the client, who verifies it with the CA. If the verification is successful, the client and the web server use the public key in the certificate to exchange a symmetric key, which is then used to encrypt and decrypt the data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve web servers or SSL certificates.

  C. Switching all data transmission to the HTTPS protocol: This option is not sufficient because HTTPS protocol is not a protocol for exchanging symmetric keys, but a protocol for securing web traffic using SSL or TLS encryption. HTTPS protocol is a combination of HTTP protocol and SSL or TLS protocol, which means that it uses HTTP for the application layer communication and SSL or TLS for the transport layer encryption. When a client requests a web page from a web server using HTTPS protocol, the

  client and the web server establish a secure connection using SSL or TLS protocol, which involves the exchange of SSL certificates and a symmetric key, as explained in option A. Then, the client and the web server use the symmetric key to encrypt and decrypt the HTTP data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve web servers or HTTPS protocol .

  D. Utilizing SSH for secure remote logins to the servers: This option is not applicable because SSH is not a protocol for exchanging symmetric keys, but a protocol for securing remote access to servers using public key authentication and encryption. SSH is a protocol that allows a client to securely connect to a server and execute commands or transfer files over an encrypted channel. SSH uses public key cryptography to authenticate the identity of the server and the client, and to exchange a symmetric key,

  which is then used to encrypt and decrypt the data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve remote logins or SSH protocol .

  References:

  1: Diffie-Hellman key exchange - Wikipedia

  2: Diffie-Hellman Key Exchange - an overview | ScienceDirect Topics

  3: SSL Certificate - an overview | ScienceDirect Topics

  4: What is an SSL Certificate? | DigiCert.com

  5: HTTPS - Wikipedia

  What is HTTPS? | Cloudflare SSH (Secure Shell) - Wikipedia What is SSH? | SSH.COM

• Question 385:

  Which scenario best describes a tailgating attack?

  A. Following an employee through a secured door
  B. Phishing email requesting credentials
  C. Phone-based impersonation
  D. Leaving a malicious USB device
  A. Following an employee through a secured door

  ---

  Explanation

  Tailgating, as defined in CEH v13 Social Engineering , is a physical social engineering attack where an unauthorized individual gains access by following an authorized person into a restricted area.

  The attacker exploits human courtesy rather than technical vulnerabilities. Options B, C, and D describe phishing, pretexting, and baiting respectively.

  Thus, option A is the correct representation of tailgating.

• Question 386:

  Susan, a software developer, wants her web API to update other applications with the latest information. For this purpose, she uses a user-defined HTTP tailback or push APIs that are raised based on trigger events:

  when invoked, this feature supplies data to other applications so that users can instantly receive real-time Information.

  Which of the following techniques is employed by Susan?

  A. web shells
  B. Webhooks
  C. REST API
  D. SOAP API
  B. Webhooks

  ---

  Explanation

  Webhooks are one of a few ways internet applications will communicate with one another.

  It allows you to send real-time data from one application to another whenever a given event happens.

  For example, let's say you've created an application using the Foursquare API that tracks when people check into your restaurant. You ideally wish to be able to greet customers by name and provide a complimentary drink when they check in.

  What a webhook will is notify you any time someone checks in, therefore you'd be able to run any processes that you simply had in your application once this event is triggered.

  The data is then sent over the web from the application wherever the event originally occurred, to the receiving application that handles the data.

  Here's a visual representation of what that looks like:

  A webhook url is provided by the receiving application, and acts as a phone number that the other application will call once an event happens.

  Only it's more complicated than a phone number, because data about the event is shipped to the webhook url in either JSON or XML format. this is known as the "payload."

  Here's an example of what a webhook url looks like with the payload it's carrying:

  What are Webhooks? Webhooks are user-defined HTTP callback or push APIs that are raised based on events triggered, such as comment received on a post and pushing code to the registry. A webhook allows an application to update other applications with the latest information. Once invoked, it supplies data to the other applications, which means that users instantly receive real-time information. Webhooks are sometimes called "Reverse APIs" as they provide what is required for API specification, and the developer should create an API to use a webhook. A webhook is an API concept that is also used to send text messages and notifications to mobile numbers or email addresses from an application when a specific event is triggered. For instance, if you search for something in the online store and the required item is out of stock, you click on the "Notify me" bar to get an alert from the application when that item is available for purchase. These notifications from the applications are usually sent through webhooks.

• Question 387:

  in this attack, an adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstall the key, associated parameters such as the incremental transmit packet number and receive packet number are reset to their initial values. What is this attack called?

  A. Chop chop attack
  B. KRACK
  C. Evil twin
  D. Wardriving
  B. KRACK

  ---

  Explanation

  In this attack KRACK is an acronym for Key Reinstallation Attack. KRACK may be a severe replay attack on Wi-Fi Protected Access protocol (WPA2), which secures your Wi-Fi connection. Hackers use KRACK to take advantage of a vulnerability in WPA2. When in close range of a possible victim, attackers can access and skim encrypted data using KRACK.

  How KRACK Works

  Your Wi-Fi client uses a four-way handshake when attempting to attach to a protected network. The handshake confirms that both the client -- your smartphone, laptop, et cetera -- and therefore the access point share the right credentials, usually a password for the network. This establishes the Pairwise passkey (PMK), which allows for encoding .

  Overall, this handshake procedure allows for quick logins and connections and sets up a replacement encryption key with each connection. this is often what keeps data secure on Wi-Fi connections, and every one protected Wi-Fi connections use the four-way handshake for security. This protocol is that the reason users are encouraged to use private or credential-protected Wi-Fi instead of public connections.

  KRACK affects the third step of the handshake, allowing the attacker to control and replay the WPA2 encryption key to trick it into installing a key already in use. When the key's reinstalled, other parameters related to it -- the incremental transmit packet number called the nonce and therefore the replay counter -- are set to their original values.

  Rather than move to the fourth step within the four-way handshake, nonce resets still replay transmissions of the third step. This sets up the encryption protocol for attack, and counting on how the attackers replay the third-step transmissions, they will take down Wi-Fi security.

  Why KRACK may be a Threat

  Think of all the devices you employ that believe Wi-Fi. it isn't almost laptops and smartphones; numerous smart devices now structure the web of Things (IoT). due to the vulnerability in WPA2, everything connected to Wi-Fi is in danger of being hacked or hijacked.

  Attackers using KRACK can gain access to usernames and passwords also as data stored on devices. Hackers can read emails and consider photos of transmitted data then use that information to blackmail users or sell it on the Dark Web.

  Theft of stored data requires more steps, like an HTTP content injection to load malware into the system. Hackers could conceivably take hold of any device used thereon Wi-Fi connection. Because the attacks require hackers to be on the brink of the target, these internet security threats could also cause physical security threats.

  On the opposite hand, the necessity to be in close proximity is that the only excellent news associated with KRACK, as meaning a widespread attack would be extremely difficult.

  Victims are specifically targeted. However, there are concerns that a experienced attacker could develop the talents to use HTTP content injection to load malware onto websites to make a more widespread affect.

  Everyone is in danger from KRACK vulnerability. Patches are available for Windows and iOS devices, but a released patch for Android devices is currently in question (November 2017). There are issues with the discharge , and lots of question if all versions and devices are covered.

  The real problem is with routers and IoT devices. These devices aren't updated as regularly as computer operating systems, and for several devices, security flaws got to be addressed on the manufacturing side. New devices should address KRACK, but the devices you have already got in your home probably aren't protected.

  The best protection against KRACK is to make sure any device connected to Wi-Fi is patched and updated with the newest firmware. that has checking together with your router's manufacturer periodically to ascertain if patches are available.

  The safest connection option may be a private VPN, especially when publicly spaces. If you would like a VPN for private use, avoid free options, as they need their own security problems and there'll even be issues with HTTPs. Use a paid service offered by a trusted vendor like Kaspersky. Also, more modern networks use WPA3 for better security.

  Avoid using public Wi-Fi, albeit it's password protection. That password is out there to almost anyone, which reduces the safety level considerably.

  All the widespread implications of KRACK and therefore the WPA2 vulnerability aren't yet clear. what's certain is that everybody who uses Wi-Fi is in danger and wishes to require precautions to guard their data and devices.

• Question 388:

  This is an attack that takes advantage of a web site vulnerability in which the site displays content that includes un-sanitized user-provided data.

  

  What is this attack?

  A. Cross-site-scripting attack
  B. SQL Injection
  C. URL Traversal attack
  D. Buffer Overflow attack
  A. Cross-site-scripting attack

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  The code shown in the image is indicative of a Cross-Site Scripting (XSS) attack, where malicious JavaScript is injected into a web page via user input. In this case, the attacker includes:

  %3Cscript%20src...%3E - URL-encoded JavaScript tag to load a malicious script from an external source.

  If the web application echoes this input back without sanitization, the script will execute in the context of the victim's browser.

  This allows the attacker to:

  Steal cookies/session tokens

  Perform actions on behalf of the victim

  Redirect the victim to malicious websites

  From CEH v13 Courseware:

  Module 10: Web Application Hacking # Cross-Site Scripting (XSS)

• Question 389:

  A penetration tester is performing the footprinting process and is reviewing publicly available information about an organization by using the Google search engine.

  Which of the following advanced operators would allow the pen tester to restrict the search to the organization's web domain?

  A. [allinurl:]
  B. [location:]
  C. [site:]
  D. [link:]
  C. [site:]

  ---

  Explanation

  Google hacking or Google dorking https://en.wikipedia.org/wiki/Google_hacking

  It is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. Google dorking could also be used for OSINT.

  Search syntax https://en.wikipedia.org/wiki/Google_Search

  Google's search engine has its own built-in query language. The following list of queries can be run to find a list of files, find information about your competition, track people, get information about SEO backlinks, build email lists, and of course, discover web vulnerabilities.

  [site:] Search within a specific website

• Question 390:

  Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch.

  

  In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to physical ports.

  What happens when the CAM table becomes full?

  A. Switch then acts as hub by broadcasting packets to all machines on the network
  B. The CAM overflow table will cause the switch to crash causing Denial of Service
  C. The switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF
  D. Every packet is dropped and the switch sends out SNMP alerts to the IDS port
  A. Switch then acts as hub by broadcasting packets to all machines on the network

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  In a MAC flooding attack, tools like macof (shown in the image) rapidly generate a large number of Ethernet frames with spoofed source MAC addresses. These are sent to the switch to overflow its CAM (Content Addressable Memory) table.

  Once the CAM table is full:

  The switch can no longer learn new MAC-to-port associations. It fails open and starts broadcasting all incoming traffic to all ports.

  This causes the switch to act like a hub.

  Consequently, the attacker can:

  Sniff traffic that would otherwise be switched.

  Intercept data not destined for their system.

  From CEH v13 Courseware:

  Module 8: Sniffing # Switch-Based Attacks # MAC Flooding

  Incorrect Options:

  B: A switch typically does not crash but reverts to hub behavior.

  C: There is no factory default override behavior like this.

  D: Packets are not dropped-this would defeat the attack's purpose.

  CEH v13 Study Guide - Module 8: MAC Flooding and Layer 2 AttacksCisco Security Best Practices - Switch CAM Table Protection