EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 441:

  Which of the following Bluetooth hacking techniques refers to the theft of information from a wireless device through Bluetooth?

  A. Bluesmacking
  B. Bluebugging
  C. Bluejacking
  D. Bluesnarfing
  D. Bluesnarfing

  ---

  Explanation

  Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs (personal digital assistant).

• Question 442:

  Morris, a professional hacker, performed a vulnerability scan on a target organization by sniffing the traffic on the network lo identify the active systems, network services, applications, and vulnerabilities. He also obtained the list of the users who are currently accessing the network. What is the type of vulnerability assessment that Morris performed on the target organization?

  A. internal assessment
  B. Passive assessment
  C. External assessment
  D. Credentialed assessment
  B. Passive assessment

  ---

  Explanation

  Passive Assessment Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who are currently accessing the network.

• Question 443:

  An ethical hacker is testing the security of a website's database system against SQL Injection attacks. They discover that the IDS has a strong signature detection mechanism to detect typical SQL injection patterns.

  Which evasion technique can be most effectively used to bypass the IDS signature detection while performing a SQL Injection attack?

  A. Implement case variation by altering the case of SQL statements
  B. Employ IP fragmentation to obscure the attack payload
  C. Use Hex encoding to represent the SQL query string
  D. Leverage string concatenation to break identifiable keywords
  D. Leverage string concatenation to break identifiable keywords

  ---

  Explanation

  The most effective evasion technique to bypass the IDS signature detection while performing a SQL Injection attack is to leverage string concatenation to break identifiable keywords. This technique involves splitting SQL keywords or operators into smaller parts and joining them with string concatenation operators, such as `+' or `||'. This way, the SQL query can still be executed by the database engine, but the IDS cannot recognize the keywords or operators as malicious, as they are hidden within strings. For example, the hacker could replace the keyword `OR' with `O'||`R' or `O'+`R' in the SQL query, and the IDS would not be able to match the signature of a typical SQL injection pattern12.

  The other options are not as effective as option D for the following reasons:

  A. Implement case variation by altering the case of SQL statements: This option is not effective because most SQL engines and IDS systems are case-insensitive, meaning that they treat SQL keywords and operators the same regardless of their case. Therefore, altering the case of SQL statements would not help evade the IDS signature detection, as the IDS would still be able to match the signature of a typical SQL injection pattern3.

  B. Employ IP fragmentation to obscure the attack payload: This option is not applicable because IP fragmentation is a network-level technique that splits IP packets into smaller fragments to fit the maximum transmission unit (MTU) of the network. IP fragmentation does not affect the content or structure of the SQL query, and it does not help evade the IDS signature detection, as the IDS would still be able to reassemble the fragments and match the signature of a typical SQL injection pattern4.

  C. Use Hex encoding to represent the SQL query string: This option is not feasible because Hex encoding is a method of representing binary data in hexadecimal format, such as `0x41' for `A'. Hex encoding does not work for SQL queries, as the SQL engine would not be able to interpret the hexadecimal values as valid SQL syntax. Moreover, Hex encoding would not help evade the IDS signature detection, as the IDS would still be able to decode the hexadecimal values and match the signature of a typical

  SQL injection pattern.

  References:

  1: SQL Injection Evasion Detection - F5 2: Mastering SQL Injection with SQLmap: A Comprehensive Evasion Techniques Cheatsheet 3: SQL Injection Prevention - OWASP Cheat Sheet Series 4: IP Fragmentation - an overview | ScienceDirect Topics Hex Encoding - an overview | ScienceDirect Topics

• Question 444:

  A BLE attack captured LL_ENC_REQ and LL_ENC_RSP packets but not the LTK. What is the next step?

  A. Decrypt pcap using -o option
  B. Attack cannot continue without LTK
  C. Use hcitool inq
  D. Use Btlejacking
  D. Use Btlejacking

  ---

  Explanation

  In CEH v13 Mobile, IoT, and OT Hacking , Bluetooth Low Energy (BLE) attacks often involve capturing pairing exchanges. If the Long-Term Key (LTK) is not captured, decryption is not immediately possible.

  CEH v13 explains that in such cases, attackers may attempt Btlejacking , which hijacks an existing BLE connection rather than decrypting it. This allows command injection and data manipulation without needing the LTK.

  Options A and B are incorrect because decryption is not the only attack path. hcitool is for discovery, not exploitation. Therefore, Option D is correct.

• Question 445:

  A future-focused security audit discusses risks where attackers collect encrypted data today , anticipating they will be able to decrypt it later using quantum computers . What is this threat commonly known as?

  A. Saving data today for future quantum decryption
  B. Breaking RSA using quantum algorithms
  C. Flipping qubit values to corrupt output
  D. Replaying intercepted quantum messages
  A. Saving data today for future quantum decryption

  ---

  Explanation

  The Certified Ethical Hacker (CEH) Cryptography and Quantum Computing section introduces the concept known as "Harvest Now, Decrypt Later" . This threat model describes adversaries capturing encrypted data today, even if they cannot decrypt it immediately, with the expectation that future quantum computers will be able to break currently secure public-key algorithms such as RSA and ECC.

  Option A accurately reflects this concept.

  Option B describes a method (Shor's algorithm) but not the threat model itself.

  Option C is unrelated to cryptographic attacks.

  Option D refers to quantum communication attacks, not classical encrypted data harvesting.

  CEH emphasizes post-quantum cryptography as a mitigation strategy.

• Question 446:

  As a security analyst, you are testing a company's network for potential vulnerabilities. You suspect an attacker may be using MAC flooding to compromise network switches and sniff traffic. Which of the following indicators would most likely confirm your suspicion?

  A. An increased number of ARP requests in network traffic.
  B. Multiple MAC addresses assigned to a single IP address.
  C. Multiple IP addresses assigned to a single MAC address.
  D. Numerous MAC addresses associated with a single switch port.
  D. Numerous MAC addresses associated with a single switch port.

  ---

  Explanation

  The Certified Ethical Hacker (CEH) Network and Perimeter Hacking module describes MAC flooding as an attack targeting switch CAM (Content Addressable Memory) tables. The attacker overwhelms the switch by sending frames with spoofed MAC addresses , forcing the switch to broadcast traffic like a hub.

  Option D is the correct indicator because MAC flooding results in many different MAC addresses being learned on a single switch port , which is abnormal behavior. CEH documentation identifies this as the primary forensic sign of a MAC flooding attack.

  Option A relates more closely to ARP poisoning rather than MAC flooding.

  Option B can occur in network misconfigurations but is not a primary MAC flooding indicator.

  Option C is common in NAT environments and is not malicious by itself.

  CEH emphasizes monitoring CAM table behavior and port security violations to detect MAC flooding attacks effectively.

• Question 447:

  The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the Central Processing Unit (CPU), rather than passing only the frames that the controller is intended to receive.

  Which of the following is being described?

  A. Multi-cast mode
  B. Promiscuous mode
  C. WEM
  D. Port forwarding
  B. Promiscuous mode

  ---

  Explanation

  Promiscuous mode is a configuration for a network interface card (NIC) that allows it to pass all network traffic to the CPU for processing, not just the traffic addressed to that NIC. It is commonly used in:

  Network sniffing and monitoring

  Packet analysis tools like Wireshark

  IDS/IPS systems

  CEH v13 Official Study Guide:

  Module 8: Sniffing

  Quote:

  "Promiscuous mode allows a NIC to capture all packets on the network segment, regardless of the destination MAC address."

  Incorrect Options:

  A. Multicast mode handles group address traffic, not all frames

  C. WEM is not a valid network mode term

  D. Port forwarding redirects traffic to specific internal IPs

• Question 448:

  An attacker analyzes how small changes in plaintext input affect ciphertext output to deduce encryption key patterns in a symmetric algorithm. What technique is being used?

  A. Differential cryptanalysis
  B. Timing attack
  C. Chosen-ciphertext attack
  D. Brute-force attack
  A. Differential cryptanalysis

  ---

  Explanation

  The CEH Cryptanalysis module describes differential cryptanalysis as an attack that studies the relationship between differences in input and resulting differences in output to recover secret keys.

  Option A precisely matches this definition.

  Option B relies on execution timing.

  Option C requires ciphertext manipulation.

  Option D exhaustively tests keys.

  CEH lists differential cryptanalysis as a foundational theoretical attack.

• Question 449:

  You suspect a Man-in-the-Middle (MitM) attack inside the network. Which network activity would help confirm this?

  A. Sudden increase in traffic
  B. Multiple login attempts from one IP
  C. IP addresses resolving to multiple MAC addresses
  D. Abnormal DNS request volumes
  C. IP addresses resolving to multiple MAC addresses

  ---

  Explanation

  CEH v13 identifies ARP spoofing/poisoning as a primary MitM technique in local networks. In such attacks, a single IP address maps to multiple MAC addresses , indicating ARP table manipulation.

  This anomaly allows attackers to intercept traffic between victims and gateways. Increased traffic or DNS activity may occur but are not definitive indicators. Thus, IP-to-MAC inconsistencies are the most reliable confirmation of MitM activity.

• Question 450:

  An experienced cyber attacker has created a fake Linkedin profile, successfully impersonating a high-ranking official from a well-established company, to execute a social engineering attack. The attacker then connected with other employees within the organization, receiving invitations to exclusive corporate events and gaining access to proprietary project details shared within the network. What advanced social engineering technique has the attacker primarily used to exploit the system and what is the most likely immediate threat to the organization?

  A. Pretexting and Network Vulnerability
  B. Spear Phishing and Spam
  C. Whaling and Targeted Attacks
  D. Baiting and Involuntary Data Leakage
  C. Whaling and Targeted Attacks

  ---

  Explanation

  Whaling is an advanced social engineering technique that targets high-profile individuals, such as executives, managers, or celebrities, by impersonating them or someone they trust, such as a colleague, partner, or vendor. The attacker creates a fake Linkedin profile, pretending to be a high-ranking official from a well- established company, and uses it to connect with other employees within the organization. The attacker then leverages the trust and authority of the fake profile to gain access to exclusive corporate events and proprietary project details shared within the network. This way, the attacker can launch targeted attacks against the organization, such as stealing sensitive data, compromising systems, or extorting money.

  The most likely immediate threat to the organization is the loss of confidential information and intellectual property, which can damage the organization's reputation, competitiveness, and profitability. The attacker can also use the information to launch further attacks, such as ransomware, malware, or sabotage, against the organization or its partners and customers.

  The other options are not as accurate as whaling for describing this scenario. Pretexting is a social engineering technique that involves creating a false scenario or identity to obtain information or access from a victim. However, pretexting usually involves direct communication with the victim, such as a phone call or an email, rather than creating a fake Linkedin profile and connecting with the victim's network. Spear phishing is a social engineering technique that involves sending a personalized and targeted email to a specific individual or group, usually containing a malicious link or attachment. However, spear phishing does not involve creating a fake Linkedin profile and connecting with the victim's network. Baiting and involuntary data leakage are not social engineering techniques, but rather possible outcomes of social engineering attacks. Baiting is a technique that involves offering something enticing to the victim, such as a free download, a gift card, or a job opportunity, in exchange for information or access.

  Involuntary data leakage is a situation where the victim unintentionally or unknowingly exposes sensitive information to the attacker, such as by clicking on a malicious link, opening an infected attachment, or using an unsecured network. References:

  Whaling: What is a whaling attack?

  Advanced Social Engineering Attack Techniques

  Top 8 Social Engineering Techniques and How to Prevent Them