EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 401:

  Daniel Is a professional hacker who Is attempting to perform an SQL injection attack on a target website. www.movlescope.com. During this process, he encountered an IDS that detects SQL Injection attempts based on predefined signatures. To evade any comparison statement, he attempted placing characters such as `'or '1'='1" In any bask injection statement such as "or 1=1." Identify the evasion technique used by Daniel in the above scenario.

  A. Null byte
  B. IP fragmentation
  C. Char encoding
  D. Variation
  D. Variation

  ---

  Explanation

  One may append the comment "? operator along with the String for the username and whole avoid executing the password segment of the SQL query. Everything when the -- operator would be considered as comment and not dead.

  To launch such an attack, the value passed for name could be 'OR `1'=`1' ; -- Statement = "SELECT * FROM `CustomerDB' WHERE `name' = ` "+ userName + " ` AND `password' = ` " + passwd + " ` ; "

  Statement = "SELECT * FROM `CustomerDB' WHERE `name' = ` ' OR `1'=`1`;?+ " ` AND `password' = ` " + passwd + " ` ; "

  All the records from the customer database would be listed.

  Yet, another variation of the SQL Injection Attack can be conducted in dbms systems that allow multiple SQL injection statements. Here, we will also create use of the vulnerability in sure dbms whereby a user provided field isn't strongly used in or isn't checked for sort constraints.

  This could take place once a numeric field is to be employed in a SQL statement; but, the programmer makes no checks to validate that the user supplied input is numeric.

  Variation is an evasion technique whereby the attacker can easily evade any comparison statement. The attacker does this by placing characters such as "' or '1'='1'" in any basic injection statement such as "or 1=1" or with other accepted SQL comments.

  Evasion Technique: Variation Variation is an evasion technique whereby the attacker can easily evade any comparison statement. The attacker does this by placing characters such as "' or '1'='1'" in any basic injection statement such as "or 1=1" or with other accepted SQL comments. The SQL interprets this as a comparison between two strings or characters instead of two numeric values. As the evaluation of two strings yields a true statement, similarly, the evaluation of two numeric values yields a true statement, thus rendering the evaluation of the complete query unaffected. It is also possible to write many other signatures; thus, there are infinite possibilities of variation as well. The main aim of the attacker is to have a WHERE statement that is always evaluated as "true" so that any mathematical or string comparison can be used, where the SQL can perform the same.

• Question 402:

  During a security assessment of an internal network, a penetration tester discovers that UDP port 123 is open, indicating that the NTP service is active. The tester wants to enumerate NTP peers, check synchronization status, offset, and stratum levels. Which command should the tester use?

  A. ntpdc
  B. ntpq
  C. ntptrace
  D. ntpdate
  B. ntpq

  ---

  Explanation

  The ntpq utility provides detailed NTP peer information, synchronization states, offsets, delays, and strata. CEH specifically lists ntpq as the tool for querying NTP daemon status and enumerating peer relationships, making it essential for reconnaissance and lateral movement mapping.

• Question 403:

  You are the chief cybersecurity officer at CloudSecure Inc., and your team is responsible for securing a cloudbased application that handles sensitive customer data. To ensure that the data is protected from breaches, you have decided to implement encryption for both data-at-rest and data-in-transit. The development team suggests using SSL/TLS for securing data in transit. However, you want to also implement a mechanism to detect if the data was tampered with during transmission. Which of the following should you propose?

  A. Implement IPsec in addition to SSL/TLS.
  B. Qswitch to using SSH for data transmission.
  C. Use the cloud service provider's built-in encryption services.
  D. Encrypt data using the AES algorithm before transmission.
  A. Implement IPsec in addition to SSL/TLS.

  ---

  Explanation

  SSL/TLS is a protocol that provides encryption and authentication for data in transit between a client and a server. However, SSL/TLS does not provide any protection against data tampering, which is the alteration, deletion, or insertion of data without authorization or proper validation. Data tampering can compromise the integrity and accuracy of the data, and potentially lead to breaches or fraud. To detect and prevent data tampering, you should implement IPsec in addition to SSL/TLS. IPsec is a protocol that provides encryption, authentication, and integrity for data in transit at the network layer. IPsec uses cryptographic mechanisms, such as digital signatures and hash-based message authentication codes (HMACs), to verify the identity of the sender and the receiver, and to ensure that the data has not been modified during transmission. IPsec can also provide replay protection, which prevents an attacker from retransmitting old or duplicate packets. By combining SSL/TLS and IPsec, you can achieve a higher level of security and reliability for your cloud-based application. References:

  EC-Council CEHv13 Courseware Module 18: Cryptography, page 18-20

  EC-Council CEHv13 Courseware Module 19: Cloud Computing, page 19-29

• Question 404:

  When configuring wireless on his home router, Javik disables SSID broadcast. He leaves authentication "open" but sets the SSID to a 32-character string of random letters and numbers.

  What is an accurate assessment of this scenario from a security perspective?

  A. Since the SSID is required in order to connect, the 32-character string is sufficient to prevent brute- force attacks.
  B. Disabling SSID broadcast prevents 802.11 beacons from being transmitted from the access point, resulting in a valid setup leveraging "security through obscurity".
  C. It is still possible for a hacker to connect to the network after sniffing the SSID from a successful wireless association.
  D. Javik's router is still vulnerable to wireless hacking attempts because the SSID broadcast setting can be enabled using a specially crafted packet sent to the hardware address of the access point.
  C. It is still possible for a hacker to connect to the network after sniffing the SSID from a successful wireless association.

  ---

  Explanation

  In CEH v13 Module 11: Hacking Wireless Networks, it is explained that disabling SSID broadcast only hides the SSID from casual scanning, not from determined attackers.

  When a legitimate client connects to a hidden SSID, the SSID is included in the probe request and association packets, which can be easily sniffed using tools like Wireshark or Kismet.

  Leaving authentication open adds no real protection.

  Attackers can still capture traffic and use it to determine the SSID and connect to the access point.

  Module 11 - Wireless Reconnaissance and Attacks CEH iLabs: Sniffing Hidden SSID and Open Authentication Attacks

• Question 405:

  E-mail scams and mail fraud are regulated by which of the following?

  A. 18 U.S.C. - 030 - Fraud and Related Activity in Connection with Computers
  B. 18 U.S.C. - 029 - Fraud and Related Activity in Connection with Access Devices
  C. 18 U.S.C. - 362 - Communication Lines, Stations, or Systems
  D. 18 U.S.C. - 510 - Wire and Electronic Communications Interception and Interception of Oral Communication
  A. 18 U.S.C. - 030 - Fraud and Related Activity in Connection with Computers

  ---

  Explanation

  18 U.S.C. - 030, also known as the Computer Fraud and Abuse Act (CFAA), is a broad federal statute that criminalizes unauthorized access to computers and related fraudulent activities-including phishing and email scams.

  From CEH v13 Official Courseware:

  Module 1: Introduction to Ethical Hacking

  Topic: U.S. Laws Related to Cybercrime

  CEH v13 Study Guide states:

  "Email-based frauds such as phishing, spoofing, and other social engineering attacks fall under the Computer Fraud and Abuse Act (18 U.S.C. - 030), which criminalizes unauthorized access and fraudulent behavior in computing systems."

  Incorrect Options:

  B: Relates to credit cards and access devices.

  C: Covers interference with government communication systems.

  D: Covers illegal wiretapping and eavesdropping.

  United States Code - Title 18, Section 1030 (Computer Fraud and Abuse Act)

• Question 406:

  Which method of password cracking takes the most time and effort?

  A. Dictionary attack
  B. Shoulder surfing
  C. Rainbow tables
  D. Brute force
  D. Brute force

  ---

  Explanation

  Brute-force attack when an attacker uses a set of predefined values to attack a target and analyze the response until he succeeds. Success depends on the set of predefined values. It will take more time if it is larger, but there is a better probability of success. In a traditional brute-force attack, the passcode or password is incrementally increased by one letter/number each time until the right passcode/password is found.

• Question 407:

  An attacker performs DNS cache snooping using dig +norecurse. The DNS server returns NOERROR but no answer. What does this indicate?

  A. The domain has expired
  B. The record was cached and returned
  C. The DNS server failed
  D. No recent client from that network accessed the domain
  D. No recent client from that network accessed the domain

  ---

  Explanation

  In CEH v13 DNS Enumeration , DNS cache snooping determines whether a DNS resolver has a record cached. When +norecurse is used and the response is NOERROR with no answer , it means the server is authoritative but does not have the record cached .

  CEH v13 explains that this suggests no internal client has recently queried the domain , making option D correct.

• Question 408:

  A global fintech company receives extortion emails threatening a severe DDoS attack unless ransom is paid. The attacker briefly launches an HTTP flood to demonstrate capability. The attack uses incomplete POST requests that overload application-layer resources, causing performance degradation. The attacker reinforces their demand with a second threat email. What type of DDoS attack is being carried out?

  A. RDDoS attack combining threat and extortion
  B. DRDoS attack using intermediaries
  C. Recursive GET flood disguised as crawling
  D. Pulse wave attack with burst patterns
  A. RDDoS attack combining threat and extortion

  ---

  Explanation

  CEH materials describe RDDoS (Ransom DDoS) attacks as threat-driven extortion campaigns where attackers demand payment and demonstrate capability by launching a short-lived DDoS burst. The purpose is to intimidate the victim into paying before a larger, sustained attack begins. The attack described uses HTTP floods with incomplete POST requests-an application-layer DDoS technique that consumes server resources by forcing the target to hold open connections. This kind of demonstration followed by an extortion email aligns precisely with RDDoS behavior. DRDoS attacks involve reflection/amplification through third-party servers, which is not occurring here. Pulse wave attacks use timed bursts and do not involve extortion, while recursive GET floods do not match the incomplete POST behavior. Therefore, the correct classification is RDDoS.

• Question 409:

  After installing a backdoor on a web server, what action best ensures it remains undetected?

  A. Embed it in a frequently updated web file
  B. Increase the backdoor code size
  C. Install it on a non-web file referenced in a URL
  D. Place it in a file type excluded from resource maps
  D. Place it in a file type excluded from resource maps

  ---

  Explanation

  In CEH v13 Maintaining Access , stealth and persistence are key goals after compromise. Placing a backdoor in a file type excluded from resource maps (such as image metadata, configuration files, or uncommon extensions) reduces the likelihood of discovery by automated scanners and integrity checks.

  Option D is correct because many security tools focus on executable or commonly accessed web files. Files excluded from resource maps are less likely to be scanned or monitored.

  Option A increases detection risk due to frequent changes. Option B increases signature visibility. Option C still exposes the file to access logs and monitoring.

  CEH v13 highlights that attackers often hide backdoors in non-obvious locations to avoid detection. Therefore, Option D is correct.

• Question 410:

  John, a disgruntled ex-employee of an organization, contacted a professional hacker to exploit the organization. In the attack process, the professional hacker Installed a scanner on a machine belonging to one of the vktims and scanned several machines on the same network to Identify vulnerabilities to perform further exploitation. What is the type of vulnerability assessment tool employed by John in the above scenario?

  A. Proxy scanner
  B. Agent-based scanner
  C. Network-based scanner
  D. Cluster scanner
  B. Agent-based scanner

  ---

  Explanation

  Agent-based scanners reside on a single machine but can scan several machines on the same network.

  Network-based scanner

  A network-based vulnerability scanner, in simplistic terms, is the process of identifying loopholes on a computer's network or IT assets, which hackers and threat actors can exploit. By implementing this process, one can successfully identify their organization's current risk(s). This is not where the buck stops; one can also verify the effectiveness of your system's security measures while improving internal and external defenses. Through this review, an organization is well equipped to take an extensive inventory of all systems, including operating systems, installed software, security patches, hardware, firewalls, anti-virus software, and much more.

  Agent-based scanner

  Agent-based scanners make use of software scanners on each and every device; the results of the scans are reported back to the central server. Such scanners are well equipped to find and report out on a range of vulnerabilities.

  NOTE: This option is not suitable for us, since for it to work, you need to install a special agent on each computer before you start collecting data from them.