EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 411:

  A certified ethical hacker is conducting a Whois footprinting activity on a specific domain. The individual is leveraging various tools such as Batch IP Converter and Whols Analyzer Pro to retrieve vital details but is unable to gather complete Whois information from the registrar for a particular set of data. As the hacker, what might be the probable data model being utilized by the domain's registrar for storing and looking up

  Who is information?

  A. Thick Whois model with a malfunctioning server
  B. Thick Whois model working correctly
  C. Thin Whois model with a malfunctioning server
  D. Thin Whois model working correctly
  D. Thin Whois model working correctly

  ---

  Explanation

  A thin Whois model is a type of data model that is used by some domain registrars for storing and looking up Whois information. In a thin Whois model, the registrar only stores the basic information about the domain, such as the domain name, the registrar name, the name servers, and the registration and expiration dates. The rest of the information, such as the contact details of the domain owner, the administrative contact, and the technical contact, is stored by the registry that manages the top-level domain (TLD) of the domain. For example, the registry for .com and .net domains is Verisign, and the registry for .org domains is Public Interest Registry. When a Whois lookup is performed on a domain that uses a thin Whois model, the registrar' s Whois server only returns the basic information and refers the query to the registry's Whois server for the complete information1.

  As a hacker, if you are unable to gather complete Whois information from the registrar for a particular set of data, it might be because the domain's registrar is using a thin Whois model and the registry's Whois server is not responding or providing the information. This could be due to various reasons, such as network issues, server errors, rate limits, privacy policies, or legal restrictions. Therefore, the probable data model being utilized by the domain's registrar for storing and looking up Whois information is a thin Whois model working correctly.

  References:

  Differences Between Thin WHOIS vs Thick WHOIS - OpenSRS Helpand; Support

• Question 412:

  Henry Is a cyber security specialist hired by BlackEye - Cyber security solutions. He was tasked with discovering the operating system (OS) of a host. He used the Unkornscan tool to discover the OS of the target system. As a result, he obtained a TTL value, which Indicates that the target system is running a Windows OS. Identify the TTL value Henry obtained, which indicates that the target OS is Windows?

  A. 64
  B. 128
  C. 255
  D. 138
  B. 128

  ---

  Explanation

  Windows TTL 128, Linux TTL 64, OpenBSD 255 ... https://subinsb.com/default-device-ttl-values/

  Time to Live (TTL) represents to number of 'hops' a packet can take before it is considered invalid. For Windows/Windows Phone, this value is 128. This value is 64 for Linux/Android.

• Question 413:

  Which Nmap switch helps evade IDS or firewalls?

  A. -n/-R
  B. -0N/-0X/-0G
  C. -T
  D. -D
  D. -D

  ---

  Explanation

  In CEH v13 Module 03: Scanning Networks, Nmap's evasion techniques are discussed for bypassing or confusing Intrusion Detection Systems (IDS) and firewalls.

  The -D option in Nmap is used to enable decoy scanning. It inserts false IP addresses in the scan to obfuscate the true origin of the scan.

  This technique helps in masking the attacker's IP and can confuse IDS logs.

  Option Clarification:

  A. -n/-R: Disables DNS resolution (-n) or uses reverse DNS (-R), does not evade detection.

  B. -0N/-0X/-0G: Output formats (normal, XML, grepable), not related to evasion.

  C. -T: Controls timing (e.g., -T0 is stealthy, -T5 is aggressive), but not explicitly for IDS evasion.

  D. -D: Correct. Used for IDS/firewall evasion by using decoy IPs.

  Module 03 - Scanning with Evasion Options

  Nmap Official Docs: https://nmap.org/book/man-bypass-firewalls-ids.html

• Question 414:

  Cross-site request forgery involves:

  A. A request sent by a malicious user from a browser to a server
  B. Modification of a request by a proxy between client and server
  C. A browser making a request to a server without the user's knowledge
  D. A server making a request to another server without the user's knowledge
  C. A browser making a request to a server without the user's knowledge

  ---

  Explanation

  https://owasp.org/www-community/attacks/csrf Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

  CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user's session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.

  CSRF attacks target functionality that causes a state change on the server, such as changing the victim's email address or password, or purchasing something. Forcing the victim to retrieve data doesn't benefit an attacker because the attacker doesn't receive the response, the victim does. As such, CSRF attacks target state- changing requests.

  It's sometimes possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called "stored CSRF flaws". This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

• Question 415:

  Which of the following antennas is commonly used in communications for a frequency band of 10 MHz to VHF and UHF?

  A. Yagi antenna
  B. Dipole antenna
  C. Parabolic grid antenna
  D. Omnidirectional antenna
  A. Yagi antenna

  ---

  Explanation

  In CEH v13 Module 11: Hacking Wireless Networks, antenna types are critical for wireless communications, signal strength, and attack range.

  Yagi Antenna

  A directional antenna designed to operate in VHF (30 MHz to 300 MHz) and UHF (300 MHz to 3 GHz) frequency bands.

  Frequently used for point-to-point communication, such as long-distance Wi-Fi or directional signal monitoring.

  Offers high gain, narrow beamwidth, and works well for capturing or projecting signals over long distances.

  Why Other Options Are Incorrect:

  B. Dipole antenna: Typically omnidirectional; less gain; not optimized for long-distance VHF/UHF.

  C. Parabolic grid antenna: Used in microwave and satellite frequencies; not suited for 10 MHz-VHF.

  D. Omnidirectional antenna: Broadcasts in all directions; used in short-range access points.

  Module 11 - Antenna Typesand; Frequencies

  CEH iLabs: Wireless Attacks Using Yagi Antenna for Directional Wi-Fi Hacking

• Question 416:

  Which advanced session-hijacking technique is hardest to detect and mitigate?

  A. Covert XSS attack
  B. Man-in-the-Browser (MitB) attack
  C. Passive sniffing on Wi-Fi
  D. Session fixation
  B. Man-in-the-Browser (MitB) attack

  ---

  Explanation

  CEH v13 identifies Man-in-the-Browser (MitB) attacks as one of the most dangerous and difficult-to-detect session hijacking techniques, especially in online banking environments . In MitB attacks, malware operates inside the user's browser , intercepting and manipulating transactions in real time.

  Unlike XSS or session fixation attacks, MitB bypasses server-side security controls entirely. Even strong encryption, multi-factor authentication, and secure cookies are ineffective because the attack occurs after authentication , within a trusted session.

  Passive sniffing is limited by encryption, and session fixation relies on poor session management. Covert XSS requires injection points and is more easily mitigated.

  CEH v13 emphasizes that MitB attacks can modify transaction details without user awareness, making detection extremely difficult. Therefore, Option B is correct.

• Question 417:

  Security administrator John Smith has noticed abnormal amounts of traffic coming from local computers at night. Upon reviewing, he finds that user data have been exfilltrated by an attacker. AV tools are unable to find any malicious software, and the IDS/IPS has not reported on any non-whitelisted programs, what type of malware did the attacker use to bypass the company's application whitelisting?

  A. Phishing malware
  B. Zero-day malware
  C. File-less malware
  D. Logic bomb malware
  C. File-less malware

  ---

  Explanation

  https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html

  Fileless malware can easily evade various security controls, organizations need to focus on monitoring, detecting, and preventing malicious activities instead of using traditional approaches such as scanning for malware through file signatures.Also known as non-malware, infects legitimate software, applications, and other protocols existing in the system to perform various malicious activities.It resides in the system's RAM. It injects malicious code into the running processes. (P.966/950)

• Question 418:

  A future-focused security audit discusses risks where attackers collect encrypted data now, anticipating that they can decrypt it later with quantum computers. What is this threat known as?

  A. Saving data today for future quantum decryption
  B. Replaying intercepted quantum messages
  C. Breaking RSA using quantum algorithms
  D. Flipping qubit values to corrupt the output
  A. Saving data today for future quantum decryption

  ---

  Explanation

  In CEH v13 Cryptography , this threat is formally referred to as "Harvest Now, Decrypt Later" (HNDL) . It describes a long-term cryptographic risk where adversaries intercept and store encrypted communications today , even though they cannot decrypt them with current computational capabilities. The expectation is that future quantum computers will be powerful enough to break widely used public-key cryptographic algorithms.

  CEH v13 emphasizes that quantum algorithms such as Shor's Algorithm can theoretically break RSA, DSA, and ECC by efficiently solving integer factorization and discrete logarithm problems. However, the defining feature of this threat is not the act of breaking encryption itself, but rather the strategic collection and storage of encrypted data in advance .

  Option C is incomplete because it focuses only on the cryptographic mechanism rather than the threat model. Options B and D are unrelated to the scenario described and refer to quantum communication integrity issues, not long-term cryptographic exposure.

  CEH v13 highlights that sensitive data with long confidentiality lifetimes-such as government records, financial data, healthcare information, and intellectual property-is especially vulnerable to this threat. As a result, organizations are encouraged to adopt quantum-resistant (post-quantum) cryptographic algorithms proactively.

  Thus, Option A accurately describes the threat model and aligns with CEH v13's treatment of future cryptographic risks.

• Question 419:

  Peter, a system administrator working at a reputed IT firm, decided to work from his home and login remotely. Later, he anticipated that the remote connection could be exposed to session hijacking. To curb this possibility, he implemented a technique that creates a safe and encrypted tunnel over a public network to securely send and receive sensitive information and prevent hackers from decrypting the data flow between the endpoints.

  What is the technique followed by Peter to send files securely through a remote connection?

  A. DMZ
  B. SMB signing
  C. VPN
  D. Switch network
  C. VPN

  ---

  Explanation

  In CEH v13 Module 14: Cryptography, VPN (Virtual Private Network) technology is described as the method that allows users to securely transmit data over an insecure (public) network by establishing a secure, encrypted tunnel.

  VPN Features:

  Encrypts all traffic between the user's device and the target network.

  Prevents session hijacking, eavesdropping, and man-in-the-middle (MITM) attacks.

  Common protocols: IPSec, L2TP, SSL VPN, and OpenVPN.

  Option Clarification:

  A. DMZ: A network segmentation strategy, not an encryption method.

  B. SMB signing: Ensures integrity for SMB protocol, but not for remote tunneling.

  C. VPN: Correct. Used to securely tunnel over public networks.

  D. Switch network: Refers to network segmentation using switches, unrelated to tunneling.

  Module 14 - VPNs and Secure Communication Protocols

  CEH iLabs: Configuring and Testing a VPN Tunnel

• Question 420:

  Which of the following is a component of a risk assessment?

  A. Administrative safeguards
  B. Physical security
  C. DMZ
  D. Logical interface
  A. Administrative safeguards

  ---

  Explanation

  Risk assessment is a key process in security management that identifies, evaluates, and prioritizes risks to organizational operations and assets. It considers various controls and safeguards to mitigate those risks.

  Administrative safeguards are part of the components used in risk assessments and include:

  Policies

  Procedures

  Training

  Security awareness programs

  Incident response planning

  From CEH v13:

  Module 1: Introduction to Ethical Hacking

  Module 20: Cryptography (as it discusses risk management and governance)

  Topic: Security Controls and Risk Management Frameworks

  CEH v13 Official Courseware states:

  "Administrative controls, also known as administrative safeguards, form a critical component of risk assessments. These include documented security policies, user training, security audits, and incident response plans that help an organization manage and reduce risks."

  Incorrect Options:

  B. Physical security is a type of safeguard but not typically referred to as a "component" of a risk assessment itself.

  C. DMZ (Demilitarized Zone) is a network architecture concept, not a risk assessment component.

  D. Logical interface refers to system architecture and network segmentation-not risk assessment methodology.

  CEH v13 Study Guide - Module 1: Introduction to Ethical Hacking # Section: "Risk Management Concepts"NIST SP 800-30: Guide for Conducting Risk Assessments