EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 451:

  A penetration tester is hired by a company to assess its vulnerability to social engineering attacks targeting its IT department. The tester decides to use a sophisticated pretext involving technical jargon and insider information to deceive employees into revealing their network credentials.

  What is the most effective social engineering technique the tester should employ to maximize the chances of obtaining valid credentials without raising suspicion?

  A. Conduct a phone call posing as a high-level executive requesting urgent password resets
  B. Send a generic phishing email with a malicious attachment to multiple employees
  C. Create a convincing fake IT support portal that mimics the company's internal systems
  D. Visit the office in person as a maintenance worker to gain physical access to terminals
  C. Create a convincing fake IT support portal that mimics the company's internal systems

  ---

  Explanation

  CEH training emphasizes that highly tailored social engineering attacks-those exploiting trust in internal workflows and perceived technical authority-are far more effective than generic or mass-distributed phishing attempts. A fake IT support portal that mirrors internal systems leverages procedural familiarity: IT departments commonly instruct employees to log into support portals for troubleshooting, credential verification, or ticket updates. When the attacker enhances the pretext with insider terminology and references to real internal systems, employees are more likely to trust the portal and enter credentials. CEH highlights that successful social engineering attacks mimic legitimate processes to avoid suspicion. Phone calls posing as executives often introduce risk due to real-time interaction and scrutiny. Generic phishing lacks personalization and is easily detected. Physical impersonation introduces operational risk and may not yield credentials. Therefore, a fake IT support portal aligned with IT workflows is the optimal method.

• Question 452:

  Which address translation scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"?

  A. Overloading Port Address Translation
  B. Dynamic Port Address Translation
  C. Dynamic Network Address Translation
  D. Static Network Address Translation
  D. Static Network Address Translation

  ---

  Explanation

  Static Network Address Translation (Static NAT) allows a single private IP address to be mapped to a single public IP address. This one-to-one mapping ensures that the same internal machine is always reachable through the same external IP address, which is crucial for "server publishing" - making internal servers (e.g., web servers, FTP servers) accessible from the internet.

  From CEH v13 Courseware:

  Module 03: Scanning Networks

  Topic: Network Address Translation

  Section: Types of NAT

  CEH v13 Study Guide states:

  "Static NAT provides a fixed translation of a private IP address to a public IP address. It is commonly used when an internal server must always be accessible from the Internet using a consistent IP address - this is known as server publishing."

  Incorrect Options:

  A. Overloading PAT: Multiple private IPs share a single public IP using port numbers - not suited for static mappings.

  B. Dynamic PAT: Similar to overloading; used for outbound traffic only.

  C. Dynamic NAT: Assigns a public IP from a pool; the mapping can change, not suitable for server publishing.

  CEH v13 Study Guide - Module 3: Scanning Networks # NAT TypesRFC 3022 - Traditional NAT Terminology

• Question 453:

  Which of the following statements is FALSE with respect to Intrusion Detection Systems?

  A. Intrusion Detection Systems can be configured to distinguish specific content in network packets
  B. Intrusion Detection Systems can easily distinguish a malicious payload in encrypted traffic
  C. Intrusion Detection Systems require constant update of the signature library
  D. Intrusion Detection Systems can examine the contents of the data in context of the network protocol
  B. Intrusion Detection Systems can easily distinguish a malicious payload in encrypted traffic

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  IDS cannot easily detect malicious content in encrypted traffic. Since the payload is encrypted (e.g., HTTPS, SSL/TLS), it is unreadable without decryption.

  Statement B is therefore FALSE.

  From CEH v13 Courseware:

  Module 13: IDS, Firewalls and Honeypots # Limitations of IDS

  CEH v13 Study Guide - IDS Capabilities and Limitations

• Question 454:

  Joel, a professional hacker, targeted a company and identified the types of websites frequently visited by its employees. Using this information, he searched for possible loopholes in these websites and injected a malicious script that can redirect users from the web page and download malware onto a victim's machine. Joel waits for the victim to access the infected web application so as to compromise the victim's machine. Which of the following techniques is used by Joel in the above scenario?

  A. DNS rebinding attack
  B. Clickjacking attack
  C. MarioNet attack
  D. Watering hole attack
  D. Watering hole attack

  ---

  Explanation

  Web Application Threats - Watering Hole Attack In a watering hole attack, the attacker identifies the kinds of websites a target company/individual frequently surfs and tests those particular websites to identify any possible vulnerabilities. Attacker injects malicious script/code into the web application that can redirect the webpage and download malware onto the victim machine. (P.1797/1781)

• Question 455:

  A penetration tester is conducting an external assessment of a corporate web server. They start by accessing https://www.targetcorp.com/robots.txt and observe multiple Disallow entries that reference directories such as /admin-panel/, /backup/, and /confidentialdocs/. When the tester directly visits these paths via a browser, they find that access is not restricted by authentication and gain access to sensitive files, including server configuration and unprotected credentials. Which stage of the web server attack methodology is demonstrated in this scenario?

  A. Injecting malicious SQL queries to access sensitive database records
  B. Performing a cross-site request forgery (CSRF) attack to manipulate user actions
  C. Gathering information through exposed indexing instructions
  D. Leveraging the directory traversal flaw to access critical server files
  C. Gathering information through exposed indexing instructions

  ---

  Explanation

  The CEH web server attack methodology describes reconnaissance as a key phase, where testers gather publicly available information before attempting exploitation. Robots.txt is commonly used by administrators to instruct web crawlers about which directories should not be indexed. CEH emphasizes that attackers regularly review robots.txt because it often exposes sensitive directories unintentionally, providing valuable intelligence about internal structure, configuration paths, administrative pages, and potential weak points. In this scenario, the tester observes "Disallow" entries and then discovers the directories are not protected by authentication, allowing direct access to sensitive files. This falls under information gathering through exposed indexing instructions rather than directory traversal, which involves path-manipulation exploits. The tester is not altering file paths or inserting traversal sequences; instead, they are reviewing publicly available indexing instructions and discovering misconfigured access controls. This perfectly aligns with the reconnaissance phase of the CEH methodology, where attackers learn about server architecture using passive or minimally intrusive techniques.

• Question 456:

  A penetration tester alters the "file" parameter in a web application (e.g., view?file=report.txt) to ../../../../etc /passwd and successfully accesses restricted system files. What attack method does this scenario illustrate?

  A. Conduct a brute-force attack to obtain administrative credentials
  B. Use directory traversal sequences in URL parameters to retrieve unauthorized system content
  C. Inject malicious scripts into web pages to manipulate content via XSS vulnerabilities
  D. Exploit buffer overflow issues by injecting oversized data in HTTP request headers
  B. Use directory traversal sequences in URL parameters to retrieve unauthorized system content

  ---

  Explanation

  CEH v13 explains that directory traversal (also called path traversal) occurs when an application improperly handles user-supplied input used for file path generation. Attackers exploit this by inserting traversal sequences such as ../ beyond the intended directories, gaining access to sensitive files like /etc/passwd, configuration data, or source code. The vulnerability arises from missing input validation and failure to restrict file access to safe directories. CEH stresses that directory traversal is common in file handling functions such as view, download, or include operations. Brute-forcing credentials (Option A) is unrelated. XSS (Option C) targets script injection into web pages, not file access. Buffer overflow (Option D) manipulates memory, not file paths. Therefore, the scenario represents classic directory traversal exploitation .

• Question 457:

  what firewall evasion scanning technique make use of a zombie system that has low network activity as well as its fragment identification numbers?

  A. Decoy scanning
  B. Packet fragmentation scanning
  C. Spoof source address scanning
  D. Idle scanning
  D. Idle scanning

  ---

  Explanation

  The idle scan could be a communications protocol port scan technique that consists of causing spoofed packets to a pc to seek out out what services square measure obtainable. this can be accomplished by impersonating another pc whose network traffic is extremely slow or nonexistent (that is, not transmission or receiving information). this might be associate idle pc, known as a "zombie".

  This action are often done through common code network utilities like nmap and hping. The attack involves causing solid packets to a particular machine target in an attempt to seek out distinct characteristics of another zombie machine. The attack is refined as a result of there's no interaction between the offender pc and also the target: the offender interacts solely with the "zombie" pc.

  This exploit functions with 2 functions, as a port scanner and a clerk of sure informatics relationships between machines. The target system interacts with the "zombie" pc and distinction in behavior are often discovered mistreatment totally different|completely different "zombies" with proof of various privileges granted by the target to different computers.

  The overall intention behind the idle scan is to "check the port standing whereas remaining utterly invisible to the targeted host."

  The first step in execution associate idle scan is to seek out associate applicable zombie. It must assign informatics ID packets incrementally on a worldwide (rather than per-host it communicates with) basis. It ought to be idle (hence the scan name), as extraneous traffic can raise its informatics ID sequence, confusing the scan logic. The lower the latency between the offender and also the zombie, and between the zombie and also the target, the quicker the scan can proceed.

  Note that once a port is open, IPIDs increment by a pair of. Following is that the sequence:

  offender to focus on -> SYN, target to zombie ->SYN/ACK, Zombie to focus on -> RST (IPID increment by 1)

  currently offender tries to probe zombie for result. offender to Zombie ->SYN/ACK, Zombie to offender -> RST (IPID increment by 1)

  So, during this method IPID increments by a pair of finally.

  When associate idle scan is tried, tools (for example nmap) tests the projected zombie and reports any issues with it. If one does not work, attempt another. Enough net hosts square measure vulnerable that zombie candidates are not exhausting to seek out. a standard approach is to easily execute a ping sweep of some network. selecting a network close to your supply address, or close to the target, produces higher results. you' ll be able to attempt associate idle scan mistreatment every obtainable host from the ping sweep results till you discover one that works. As usual, it's best to raise permission before mistreatment someone's machines for surprising functions like idle scanning.

  Simple network devices typically create nice zombies as a result of {they square measure|they're} normally each underused (idle) and designed with straightforward network stacks that are susceptible to informatics ID traffic detection.

  While distinguishing an acceptable zombie takes some initial work, you'll be able to keep re-using the nice ones. as an alternative, there are some analysis on utilizing unplanned public internet services as zombie hosts to perform similar idle scans. leverage the approach a number of these services perform departing connections upon user submissions will function some quite poor's man idle scanning.

• Question 458:

  The collection of potentially actionable, overt, and publicly available information is known as

  A. Open-source intelligence
  B. Real intelligence
  C. Social intelligence
  D. Human intelligence
  A. Open-source intelligence

  ---

  Explanation

  Open-source intelligence (OSINT) refers to the process of collecting and analyzing information from publicly available sources. This can include social media, websites, press releases, job boards, government databases, and more.

  OSINT is a crucial part of the reconnaissance phase in ethical hacking and penetration testing, where attackers or analysts gather intel without directly interacting with the target system.

  Reference CEH v13 Official Study Guide:

  Module 2: Footprinting and Reconnaissance

  Quote:

  "OSINT is derived from public sources and includes blogs, websites, public records, and social networks. It helps attackers or analysts understand the target's digital footprint."

  Incorrect Options Explained:

  B. "Real intelligence" is not a cybersecurity term.

  C. Social intelligence refers to interpersonal awareness, not cyber reconnaissance.

  D. Human intelligence (HUMINT) involves person-to-person intel, not publicly available data.

• Question 459:

  Which technique is most likely used to evade detection by an Intrusion Detection System (IDS)?

  A. Fragmenting malicious packets into smaller segments
  B. Using self-replicating malware
  C. Sending phishing emails
  D. Flooding the IDS with ping requests
  A. Fragmenting malicious packets into smaller segments

  ---

  Explanation

  CEH v13 explains that packet fragmentation is a classic and effective IDS evasion technique . By breaking malicious payloads into smaller fragments, attackers attempt to prevent the IDS from reconstructing the full packet stream correctly, thereby avoiding signature detection.

  Many IDS systems rely on packet reassembly and pattern matching. Fragmented packets can confuse or overload the reassembly process, especially if the IDS is poorly configured. CEH v13 specifically lists fragmentation, overlapping fragments, and out-of-order packets as evasion techniques used to bypass network defenses.

  Option B describes malware propagation, not IDS evasion. Option C is a social engineering attack, unrelated to IDS detection. Option D is a denial-of-service attempt, not a stealth evasion method.

  CEH v13 highlights that defending against fragmentation-based evasion requires proper normalization and reassembly configuration in IDS/IPS systems. Therefore, Option A is the correct answer.

• Question 460:

  A penetration tester is tasked with assessing the security of a smart home IoT device that communicates with a mobile app over an unencrypted connection. The tester wants to intercept the communication and extract sensitive information. What is the most effective approach to exploit this vulnerability?

  A. Perform a brute-force attack on the device's Wi-Fi credentials
  B. Use a man-in-the-middle (MitM) attack to intercept and analyze the unencrypted traffic
  C. Execute a SQL injection attack on the IoT device's cloud management portal
  D. Use a dictionary attack to guess the admin login credentials of the device
  B. Use a man-in-the-middle (MitM) attack to intercept and analyze the unencrypted traffic

  ---

  Explanation

  IoT devices often suffer from weak or missing encryption protocols, creating opportunities for attackers to intercept sensitive information. CEH courseware highlights that when device-to-app communication occurs in plaintext, a man-in-the-middle attack becomes one of the most effective exploitation methods. By positioning themselves between the device and the mobile application, the attacker can observe all transmitted data, including configuration updates, authentication tokens, and personal information.

  Tools such as Wireshark, mitmproxy, and specialized IoT interception frameworks allow testers to capture packets, decode protocols, and reconstruct application logic. The CEH curriculum stresses the importance of evaluating IoT device communication channels, because many rely on unsecured HTTP or proprietary plaintext protocols. Brute- force attempts, SQL injection, or dictionary attacks do not directly target the devicepp communication pathway and would not exploit the fundamental weakness present here: lack of encryption. A MitM attack directly takes advantage of this flaw and provides comprehensive visibility into all transmitted data, making it the most effective and CEH-aligned method of exploitation.