EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 391:

  Wilson, a professional hacker, targets an organization for financial benefit and plans to compromise its systems by sending malicious emails. For this purpose, he uses a tool to track the emails of the target and extracts information such as sender identities, mall servers, sender IP addresses, and sender locations from different public sources. He also checks if an email address was leaked using the haveibeenpwned.com API. Which of the following tools is used by Wilson in the above scenario?

  A. Factiva
  B. Netcraft
  C. infoga
  D. Zoominfo
  C. infoga

  ---

  Explanation

  Infoga may be a tool gathering email accounts informations (ip,hostname,country,...) from completely different public supply (search engines, pgp key servers and shodan) and check if email was leaked using haveibeenpwned.com API. is a really simple tool, however very effective for the first stages of a penetration test or just to know the visibility of your company within the net.

• Question 392:

  Which of the following scanning method splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet?

  A. ACK flag probe scanning
  B. ICMP Echo scanning
  C. SYN/FIN scanning using IP fragments
  D. IPID scanning
  C. SYN/FIN scanning using IP fragments

  ---

  Explanation

  SYN/FIN scanning using IP fragments is a process of scanning that was developed to avoid false positives generated by other scans because of a packet filtering device on the target system. The TCP header splits into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet allow the remote host to reassemble the packets upon receipt via an Internet protocol module that detects the fragmented data packets using field-equivalent values of the source, destination, protocol, and identification.

• Question 393:

  Fingerprinting an Operating System helps a cracker because:

  A. It defines exactly what software you have installed
  B. It opens a security-delayed window based on the port being scanned
  C. It doesn't depend on the patches that have been applied to fix existing security holes
  D. It informs the cracker of which vulnerabilities he may be able to exploit on your system
  D. It informs the cracker of which vulnerabilities he may be able to exploit on your system

  ---

  Explanation

  OS fingerprinting helps attackers identify the operating system and version running on a target host. This allows them to:

  Determine potential vulnerabilities

  Choose appropriate exploits for the OS version and configuration

  Bypass ineffective defenses

  From CEH v13 Courseware:

  Module 3: Scanning Networks

  Topic: Active and Passive OS Fingerprinting

  CEH v13 Study Guide states:

  "Fingerprinting identifies the OS type/version and helps attackers choose specific exploits that apply to that system."

  Incorrect Options:

  A: Software enumeration is different from OS fingerprinting.

  B/C: Misleading or incorrect in this context.

  CEH v13 Study Guide -Module 3: OS Fingerprinting and ReconnaissanceNmap OS Detection (nmap.org)

• Question 394:

  A penetration tester performs a vulnerability scan on a company's web server and identifies several medium- risk vulnerabilities related to misconfigured settings. What should the tester do to verify the vulnerabilities?

  A. Use publicly available tools to exploit the vulnerabilities and confirm their impact
  B. Ignore the vulnerabilities since they are medium-risk
  C. Perform a brute-force attack on the web server's login page
  D. Conduct a denial-of-service (DoS) attack to test the server's resilience
  A. Use publicly available tools to exploit the vulnerabilities and confirm their impact

  ---

  Explanation

  CEH v13 emphasizes that after identifying vulnerabilities during scanning, testers must validate findings to determine real impact and eliminate false positives. This requires safe, controlled exploitation using approved tools such as Metasploit, Nikto, or custom proof-of-concept scripts. Misconfigurations labeled as medium-risk may still provide privilege escalation, data exposure, or footholds for further attacks. CEH methodology reinforces that exploitation should always follow the scope and rules of engagement and should avoid disruptive activities like brute-forcing or DoS attacks unless explicitly authorized. Ignoring the vulnerabilities is never acceptable in a professional assessment. Verifying the issue helps the organization prioritize remediation using evidence-based results. Therefore, the correct next step is to verify the vulnerability through controlled exploitation .

• Question 395:

  Which countermeasure best mitigates brute-force attacks on Bluetooth SSP?

  A. Use BLE exclusively
  B. Increase Diffie-Hellman key length
  C. Apply rate-limiting
  D. Device whitelisting
  C. Apply rate-limiting

  ---

  Explanation

  In CEH v13 Wireless Hacking , brute-force attacks against Secure Simple Pairing (SSP) exploit repeated attempts to guess cryptographic values. The most effective defense is rate limiting , which restricts how many pairing attempts can be made in a given timeframe.

  Increasing key length does not stop brute-force attempts if unlimited tries are allowed. BLE still uses pairing mechanisms and is not immune. Whitelisting controls access but does not prevent cryptographic attacks during pairing.

  CEH v13 explicitly recommends rate limiting and pairing attempt thresholds as primary mitigations.

• Question 396:

  A multinational company plans to deploy an IoT-based environmental control system across global manufacturing units. The security team must identify the most likely attack vector an Advanced Persistent Threat (APT) group would use to compromise the system. What is the most plausible method?

  A. Launching a DDoS attack to overload IoT devices
  B. Compromising the system using stolen user credentials
  C. Exploiting zero-day vulnerabilities in IoT device firmware
  D. Performing an encryption-based Man-in-the-Middle attack
  C. Exploiting zero-day vulnerabilities in IoT device firmware

  ---

  Explanation

  The CEH IoT and APT Threat modules describe APT groups as highly skilled adversaries that favor stealth, persistence, and advanced exploitation techniques . IoT environments are particularly attractive due to:

  Limited monitoring

  Infrequent firmware updates

  Weak or proprietary security mechanisms

  CEH highlights that APT actors often exploit zero-day vulnerabilities in firmware to gain long-term, covert access to IoT systems. Firmware-level exploitation allows attackers to maintain persistence while evading traditional security controls.

  Option C is correct.

  Option A is noisy and short-term.

  Option B is common but less sophisticated for APTs.

  Option D is possible but secondary compared to firmware exploitation. CEH emphasizes firmware security as a critical concern in IoT deployments.

• Question 397:

  The establishment of a TCP connection involves a negotiation called three-way handshake. What type of message does the client send to the server in order to begin this negotiation?

  A. ACK
  B. SYN
  C. RST
  D. SYN-ACK
  B. SYN

  ---

  Explanation

  The TCP three-way handshake is the foundational mechanism used to establish a reliable connection between two devices. The sequence is as follows:

  The client sends a SYN (synchronize) packet to the server to initiate the connection.

  The server replies with a SYN-ACK (synchronize-acknowledge) packet.

  The client sends an ACK (acknowledge) packet back to the server.

  Therefore, the connection starts with a SYN packet from the client.

  CEH v13 eCourseware - Module 03: Scanning Networks # "Understanding TCP Handshake"

  CEH v13 Study Guide - Chapter: "Scanning and Enumeration"

• Question 398:

  A large company intends to use BlackBerry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack?

  A. Paros Proxy
  B. BBProxy
  C. Blooover
  D. BBCrack
  B. BBProxy

  ---

  Explanation

  The Blackjacking attack involves leveraging a compromised BlackBerry device and its connection through the BlackBerry Enterprise Server (BES) to tunnel back into the internal corporate network, bypassing perimeter firewalls. The tool used in this method is BBProxy.

  BBProxy is installed on the BlackBerry device and establishes a covert tunnel via BES, allowing attackers to pivot into the internal LAN from outside the perimeter.

  CEH v13 Official Study Guide:

  Module 17: Hacking Mobile Platforms

  Quote:

  "Blackjacking is a technique in which attackers use BBProxy to exploit a trusted path from a BlackBerry device to the corporate LAN through BES."

  Incorrect Options Explained:

  A. Paros Proxy is a web proxy used for intercepting HTTP/S traffic.

  C. Blooover is used for Bluetooth security auditing.

  D. BBCrack is used for password recovery on BlackBerry devices, not for tunneling.

• Question 399:

  This type of injection attack does not show any error message. It is difficult to exploit as it returns information when the application is given SQL payloads that elicit a true or false response from the server. By observing the response, an attacker can extract sensitive information. What type of attack is this?

  A. Time-based SQL injection
  B. Union SQL injection
  C. Error-based SQL injection
  D. Blind SQL injection
  D. Blind SQL injection

  ---

  Explanation

  Blind SQL Injection is a type of SQL injection attack where no error messages or data are directly returned to the attacker. Instead, the attacker sends specially crafted SQL queries that result in true or false responses. Based on how the application responds (such as redirecting to a different page or loading time), the attacker infers information about the backend database.

  According to CEH v13:

  Blind SQLi is used when standard SQL injection yields no visible output.

  It comes in two forms:

  Boolean-based: Infers information based on application behavior.

  Time-based: Infers information based on server response time delays.

  Incorrect Options:

  A. Time-based SQLi is a sub-type of Blind SQLi, but the question describes Boolean-based behavior.

  B. Union SQL injection uses the UNION keyword to fetch additional rows; requires visible output.

  C. Error-based SQL injection relies on database error messages.

  CEH v13 Official Courseware:

  Module 14: Hacking Web Applications

  Section: "Types of SQL Injection"

  Subsection: "Blind SQL Injection (Boolean and Time-Based)"

• Question 400:

  How does a denial-of-service (DoS) attack work?

  A. A hacker prevents a legitimate user (or group of users) from accessing a service
  B. A hacker uses every character, word, or letter he or she can think of to defeat authentication
  C. A hacker tries to decipher a password by using a system, which subsequently crashes the network
  D. A hacker attempts to imitate a legitimate user by confusing a computer or even another person
  A. A hacker prevents a legitimate user (or group of users) from accessing a service

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  A Denial-of-Service (DoS) attack aims to overwhelm a system or service with excessive requests, rendering it unavailable to legitimate users. It targets:

  Bandwidth (e.g., flooding with traffic)

  Resources (CPU, memory, or disk usage)

  Applications (exploiting bugs that crash services)

  From CEH v13 Courseware:

  Module 9: Denial-of-Service Attacks

  Incorrect Options:

  B refers to brute-force attacks.

  C mischaracterizes password cracking.

  D describes impersonation or spoofing, not DoS.

  CEH v13 Study Guide - Module 9: Types of DoS AttacksNIST SP 800-61r2 - Incident Handling Guide