EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 421:

  An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which one of the following tools the hacker probably used to inject HTML code?

  A. Wireshark
  B. Ettercap
  C. Aircrack-ng
  D. Tcpdump
  B. Ettercap

  ---

  Explanation

  Ettercap is a comprehensive MITM attack tool that supports live traffic interception and content injection. It can modify HTTP streams in real time and inject malicious payloads, such as JavaScript or applets, into web traffic.

  Reference CEH v13 Official Study Guide:

  Module 8: Sniffing

  Quote:

  "Ettercap allows attackers to intercept, analyze, and alter data on the fly, including injecting malicious content like Java applets in HTTP sessions during MITM attacks."

  Incorrect Options Explained:

  A and D. Wireshark and Tcpdump are passive sniffers with no injection capability.

  C. Aircrack-ng is for Wi-Fi key cracking, not traffic manipulation.

• Question 422:

  What is the least important information when you analyze a public IP address in a security alert?

  A. DNS
  B. Whois
  C. Geolocation
  D. ARP
  D. ARP

  ---

  Explanation

  In CEH v13 Module 02: Footprinting and Reconnaissance, and Module 03: Scanning Networks, several tools and techniques are introduced for analyzing public IP addresses when investigating a security alert.

  Let's evaluate the options:

  A. DNS: Domain Name System (DNS) is essential in mapping IPs to domains. Reverse DNS lookups can reveal if the IP is associated with a malicious domain, and forward lookups can confirm legitimacy.

  B. Whois: WHOIS records are crucial for identifying IP ownership, registration data, and abuse contacts. It helps assess if the IP belongs to a known threat actor or suspicious hosting provider.

  C. Geolocation: Helps you understand where the IP is physically located. If the IP is in a country known for cybercrime or doesn't match your user's location, it raises red flags.

  D. ARP (Address Resolution Protocol): # ARP is local to Layer 2 and works only within a LAN (Local Area Network). ARP cannot resolve or analyze public IP addresses which operate in Layer 3 of the OSI model.

  Thus, ARP is the least relevant when analyzing a public IP address, as it deals with MAC-to-IP mapping only in local environments.

  Module 02 - Public IP Analysis Tools (WHOIS, DNS, IP Lookup)

  CEH iLabs: IP Attribution and Threat Hunting using WHOIS and Geolocation

• Question 423:

  You have successfully comprised a server having an IP address of 10.10.0.5. You would like to enumerate all machines in the same network quickly.

  What is the best Nmap command you will use?

  A. nmap -T4 -q 10.10.0.0/24
  B. nmap -T4 -F 10.10.0.0/24
  C. nmap -T4 -r 10.10.1.0/24
  D. nmap -T4 -O 10.10.0.0/24
  B. nmap -T4 -F 10.10.0.0/24

  ---

  Explanation

  https://nmap.org/book/man-port-specification.html

  NOTE: In my opinion, this is an absolutely wrong statement of the question. But you may come across a question with a similar wording on the exam. What does "fast" mean? If we want to increase the speed and intensity of the scan we can select the mode using the -T flag (0/1/2/3/4/5). At high -T values, we will sacrifice stealth and gain speed, but we will not limit functionality.

  map -T4 -F 10.10.0.0/24?This option is";correc"; because of the -F flag.

  -F (Fast (limited port) scan)

  Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common 1,000 ports for each scanned protocol. With -F, this is reduced to 100.

  Technically, scanning will be faster, but just because we have reduced the number of ports by 10 times, we are just doing 10 times less work, not faster.

• Question 424:

  You must map open ports and services while remaining stealthy and avoiding IDS detection. Which scanning technique is best?

  A. FIN Scan
  B. TCP Connect Scan
  C. ACK Scan
  D. Stealth Scan (SYN Scan)
  D. Stealth Scan (SYN Scan)

  ---

  Explanation

  The TCP SYN scan , also known as a Stealth Scan , is emphasized in CEH v13 Network Scanning as the most effective balance between accuracy and stealth. It sends a SYN packet and analyzes the response without completing the TCP handshake.

  Because the connection is never fully established, SYN scans are less likely to be logged by applications and are harder for IDS systems to detect compared to TCP Connect scans.

  FIN and ACK scans are used for firewall rule mapping and evasion, but they do not reliably enumerate services. TCP Connect scans are noisy and easily detected. Therefore, Stealth (SYN) Scan is the best choice.

• Question 425:

  A web server experienced a DDoS attack that specifically targeted the application layer . Which type of DDoS attack was most likely used?

  A. HTTP flood attack
  B. ICMP flood attack
  C. UDP flood attack
  D. SYN flood attack
  A. HTTP flood attack

  ---

  Explanation

  An HTTP Flood attack is an Application Layer (Layer 7) DDoS attack, as defined in CEH v13 . In this attack, the adversary sends a massive number of seemingly legitimate HTTP GET or POST requests to exhaust server resources such as CPU, memory, and application threads.

  CEH v13 emphasizes that HTTP floods are difficult to detect because they mimic normal user behavior and often bypass traditional network-layer defenses.

  Other attacks operate at lower layers:

  ICMP, UDP, and SYN floods target network and transport layers.

• Question 426:

  A cybersecurity analyst wants to monitor competitors' web content updates. What key element is missing from the plan?

  A. Hacking competitor databases
  B. Google Alerts for content monitoring
  C. Engaging in blog discussions
  D. Using a VPN
  B. Google Alerts for content monitoring

  ---

  Explanation

  In CEH v13 Reconnaissance Techniques , passive monitoring of competitors' online presence is a legitimate and effective intelligence-gathering activity. One of the most efficient tools for this purpose is Google Alerts .

  Google Alerts allow analysts to receive automated notifications when new content containing specific keywords-such as company names, products, or executives-is indexed online. This enables continuous, passive surveillance without repeatedly visiting websites manually.

  Option B directly addresses the analyst's goal of staying updated efficiently.

  Option A is illegal and unethical.

  Option C involves direct interaction, which may reveal the analyst's presence.

  Option D provides anonymity but does not actively monitor changes.

  CEH v13 strongly encourages automation in reconnaissance to reduce noise, effort, and detection risk. Therefore, Option B is the correct and CEH-aligned answer.

• Question 427:

  A hacker has successfully infected an internet-facing server which he will then use to send junk mail, take part in coordinated attacks, or host junk email content. Which sort of trojan infects this server?

  A. Botnet Trojan
  B. Banking Trojans
  C. Turtle Trojans
  D. Ransomware Trojans
  A. Botnet Trojan

  ---

  Explanation

  The scenario describes a situation where a hacker infects an internet-facing server and leverages it to perform malicious activities such as sending spam emails, participating in distributed denial-of-service (DDoS) attacks, or hosting spam content. This behavior is characteristic of a Botnet Trojan.

  According to the CEH v13 Official Courseware and Study Guide:

  A Botnet Trojan is a type of malware that transforms infected machines into bots (also called zombies), which can be remotely controlled by an attacker (bot herder or bot master).

  These bots become part of a botnet - a network of compromised machines used for coordinated cyberattacks including:

  Sending unsolicited spam emails (junk mail)

  Participating in DDoS attacks

  Hosting or distributing malware and phishing content

  The infected machine can receive commands from a command-and-control (CandC) server and act in concert with other infected machines to amplify attacks or spread malware.

  Incorrect Options:

  B. Banking Trojans are designed specifically to steal financial data such as online banking credentials.

  C. Turtle Trojans is not a valid classification in CEH v13 or cybersecurity literature (may be a distractor).

  D. Ransomware Trojans encrypt data and demand a ransom for decryption, not typically used for junk mail or botnet activities.

  CEH v13 Official Courseware:

  Module 06: Malware Threats

  Section: "Types of Trojans"

  Subsection: "Botnet Trojans"

  CEH v13 eBook or Study Guide - usually found under "Trojan Classifications by Payload"

  Practical labs in CEH Engage and iLabs also demonstrate botnet functionality using tools like Zeus and Emotet in real-world botnet infection scenarios.

• Question 428:

  Which payload is most effective for testing time-based blind SQL injection -

  A. AND 1=0 UNION ALL SELECT 'admin','admin
  B. UNION SELECT NULL, NULL, NULL --
  C. OR '1'='1';
  D. AND BENCHMARK(5000000,ENCODE('test','test'))
  D. AND BENCHMARK(5000000,ENCODE('test','test'))

  ---

  Explanation

  Time-based blind SQL injection is used when applications suppress error messages and do not display query results. According to CEH v13 , attackers rely on response time delays to infer whether injected SQL statements are executed.

  The BENCHMARK() function forces the database to perform a CPU-intensive operation repeatedly, causing a noticeable delay if the injected condition is executed successfully. Option D explicitly introduces such a delay and is a textbook time-based blind SQL injection payload.

  Options A, B, and C are used for union-based or boolean-based SQL injection and rely on visible output or content changes, which are ineffective in blind scenarios.

  CEH v13 clearly states that time-delay functions such as SLEEP(), WAITFOR DELAY, and BENCHMARK() are the primary indicators for time-based blind SQL injection testing. Hence, Option D is correct.

• Question 429:

  Systems are communicating with unknown external entities, raising concerns about exfiltration or malware. Which strategy most directly identifies and mitigates the risk?

  A. Aggressive zero-trust shutdown
  B. Deep forensic analysis
  C. Behavioral analytics profiling normal interactions
  D. Employee awareness training
  C. Behavioral analytics profiling normal interactions

  ---

  Explanation

  CEH v13 highlights behavioral analytics as one of the most effective techniques for identifying ambiguous or stealthy threats such as data exfiltration, command-and-control traffic, and insider abuse. When interactions appear suspicious but not definitively malicious, behavioral profiling provides the most direct visibility.

  Behavioral analytics tools establish a baseline of normal system and network behavior , including typical communication patterns, data transfer volumes, destinations, and timing. Deviations from this baseline trigger alerts, allowing analysts to detect previously unknown threats without relying on signatures.

  Option C is the most appropriate because it both identifies anomalies and supports continuous mitigation . A full zero-trust shutdown (Option A) is disruptive. Forensics (Option B) is reactive and better suited after confirmation of compromise. Training (Option D) does not address system-level interactions.

  CEH v13 emphasizes that modern attacks often blend into normal traffic, making behavioral analysis essential. Therefore, Option C is the correct answer.

• Question 430:

  Sam is a penetration tester hired by Inception Tech, a security organization. He was asked to perform port scanning on a target host in the network. While performing the given task, Sam sends FIN/ACK probes and determines that an RST packet is sent in response by the target host, indicating that the port is closed.

  What is the port scanning technique used by Sam to discover open ports?

  A. Xmas scan
  B. IDLE/IPID header scan
  C. TCP Maimon scan
  D. ACK flag probe scan
  C. TCP Maimon scan

  ---

  Explanation

  TCP Maimon scan

  This scan technique is very similar to NULL, FIN, and Xmas scan, but the probe used here is

  FIN/ACK. In most cases, to determine if the port is open or closed, the RST packet should be generated as a response to a probe request. However, in many BSD systems, the port is open if the packet gets dropped in response to a probe.

  https://nmap.org/book/scan-methods-maimon-scan.html

  How Nmap interprets responses to a Maimon scan probe

  Probe Response Assigned State

  No response received (even after retransmissions) open|filtered

  TCP RST packet closed

  ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) filtered