EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 471:

  Which of the following is the BEST way to defend against network sniffing?

  A. Using encryption protocols to secure network communications
  B. Register all machines MAC Address in a Centralized Database
  C. Use Static IP Address
  D. Restrict Physical Access to Server Rooms hosting Critical Servers
  A. Using encryption protocols to secure network communications

  ---

  Explanation

  https://en.wikipedia.org/wiki/Sniffing_attack

  To prevent networks from sniffing attacks, organizations and individual users should keep away from applications using insecure protocols, like basic HTTP authentication, File Transfer Protocol (FTP), and Telnet. Instead, secure protocols such as HTTPS, Secure File Transfer Protocol (SFTP), and Secure Shell (SSH) should be preferred. In case there is a necessity for using any insecure protocol in any application, all the data transmission should be encrypted. If required, VPN (Virtual Private Networks) can be used to provide secure access to users.

  NOTE: I want to note that the wording "best option" is valid only for the EC-Council's exam since the other options will not help against sniffing or will only help from some specific attack vectors.

  The sniffing attack surface is huge. To protect against it, you will need to implement a complex of measures at all levels of abstraction and apply controls at the physical, administrative, and technical levels. However, encryption is indeed the best option of all, even if your data is intercepted - an attacker cannot understand it.

• Question 472:

  You are a penetration tester and are about to perform a scan on a specific server. The agreement that you signed with the client contains the following specific condition for the scan: "The attacker must scan every port on the server several times using a set of spoofed sources IP addresses. " Suppose that you are using Nmap to perform this scan. What flag will you use to satisfy this requirement?

  A. The -A flag
  B. The -g flag
  C. The -f flag
  D. The -D flag
  D. The -D flag

  ---

  Explanation

  flags -source-port and -g are equivalent and instruct nmap to send packets through a selected port. this option is used to try to cheat firewalls whitelisting traffic from specific ports. the following example can scan the target from the port twenty to ports eighty, 22, 21,23 and 25 sending fragmented packets to LinuxHint.

• Question 473:

  A large corporate network is being subjected to repeated sniffing attacks. To increase security, the company's IT department decides to implement a combination of several security measures. They permanently add theMAC address of the gateway to the ARP cache, switch to using IPv6 instead of IPv4, implement the use of encrypted sessions such as SSH instead of Telnet, and use Secure File Transfer Protocol instead of FTP.

  However, they are still faced with the threat of sniffing. Considering the countermeasures, what should be their next step to enhance network security?

  A. Use HTTP instead of HTTPS for protecting usernames and passwords
  B. Implement network scanning and monitoring tools
  C. Enable network identification broadcasts
  D. Retrieve MAC addresses from the OS
  B. Implement network scanning and monitoring tools

  ---

  Explanation

  Sniffing attacks are a type of network attack that involves intercepting and analyzing data packets as they travel over a network. Sniffing attacks can be used to steal sensitive information, such as usernames, passwords, credit card numbers, etc. Sniffing attacks can also be used to perform reconnaissance, spoofing, or man-in-the-middle attacks.

  The IT department of the company has implemented some security measures to prevent or mitigate sniffing attacks, such as:

  Adding the MAC address of the gateway to the ARP cache: This prevents ARP spoofing, which is a technique that allows an attacker to redirect network traffic to their own device by sending fake ARP messages that associate their MAC address with the IP address of the gateway.

  Switching to IPv6 instead of IPv4: This reduces the risk of IP spoofing, which is a technique that allows an attacker to send packets with a forged source IP address, pretending to be another device on the network.

  Using encrypted sessions such as SSH instead of Telnet, and Secure File Transfer Protocol instead of FTP:

  This protects the data from being read or modified by an attacker who can capture the packets, as the data is encrypted and authenticated using cryptographic protocols. However, these measures are not enough to completely eliminate the threat of sniffing, as an attacker can still use other techniques, such as:

  Passive sniffing: This involves monitoring the network traffic without injecting any packets or altering the data. Passive sniffing can be done on a shared network, such as a hub, or on a switched network, using techniques such as MAC flooding, port mirroring, or VLAN hopping.

  Active sniffing: This involves injecting packets or modifying the data to manipulate the network behavior or gain access to more traffic. Active sniffing can be done using techniques such as DHCP spoofing, DNS poisoning, ICMP redirection, or TCP session hijacking.

  Therefore, the next step to enhance network security is to implement network scanning and monitoring tools, which can help detect and prevent sniffing attacks by:

  Scanning the network for unauthorized devices, such as rogue access points, hubs, or sniffers, and removing them or isolating them from the network.

  Monitoring the network for abnormal traffic patterns, such as excessive ARP requests, DNS queries, ICMP messages, or TCP connections, and alerting the network administrators or blocking the suspicious sources.

  Analyzing the network traffic for malicious content, such as malware, phishing, or exfiltration, and filtering or quarantining the infected or compromised devices.

  References:

  CEHv13 Module 05: Sniffing

  Sniffing attacks - Types, Examples and Preventing it

  How to Prevent and Detect Packet Sniffing Attacks

  Understanding Sniffing in Cybersecurity and How to Prevent It

• Question 474:

  During a security assessment, an attacker identifies a flaw in a multi-user file system. The system first verifies access rights to a temporary file created by a user. However, immediately after this verification, and before the file is processed, the attacker manages to swap the original file with a malicious version. This manipulation happens in the brief interval between the system's access verification and the moment it handles the file, resulting in the malicious file being treated as legitimate. Which vulnerability is the attacker exploiting?

  A. Time-of-validation/time-of-execution issue in resource management logic.
  B. Improper certificate validation in trusted communication channels.
  C. Integer overflow during arithmetic computations with limited memory bounds.
  D. Null pointer dereference leading to unexpected application behavior.
  A. Time-of-validation/time-of-execution issue in resource management logic.

  ---

  Explanation

  Comprehensive Explanation from CEH v13 Courseware:

  CEH v13 explains that TOCTOU (Time-of-Check Time-of-Use) vulnerabilities arise when a system checks a condition (such as file permissions) and then later uses the resource based on that assumption. If there is even a tiny gap between the validation and the actual use , attackers can exploit this race condition by replacing or modifying the resource after validation but before execution. This is common in file-handling operations involving temporary files, symbolic links, or shared directories. CEH emphasizes that TOCTOU attacks often lead to privilege escalation, unauthorized execution, or tampering with data because the system trusts the earlier validation step. The attacker swaps the file at precisely the right moment, taking advantage of a race window. The other options--certificate validation, integer overflow, and null pointer dereference--do not involve timing-based race conditions. The scenario exactly matches CEH's description of TOCTOU exploitation, where attackers manipulate file access in the interval between validation and execution.

• Question 475:

  During an Xmas scan, what indicates a port is closed?

  A. No return response
  B. RST
  C. ACK
  D. SYN
  B. RST

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  An Xmas scan is a type of stealth TCP scan that sets the FIN, PSH, and URG flags. According to RFC 793:

  If the port is closed, the target responds with a TCP RST (Reset) packet.

  If the port is open or filtered, there is no response.

  Thus, receiving a RST response indicates a closed port.

  From CEH v13 Courseware:

  Module 3: Scanning Networks # TCP Flag Scanning Techniques

  CEH v13 Study Guide - Module 3: Xmas, Null, and FIN ScansRFC 793 - Transmission Control Protocol Specification

• Question 476:

  Which of the following tools can be used to perform a zone transfer?

  A. NSLookup
  B. Finger
  C. Dig
  D. Sam Spade
  E. Host
  F. Netcat
  G. Neotrace
  A. NSLookup
  C. Dig
  D. Sam Spade
  E. Host

  ---

  Explanation

  Zone transfers (AXFR) are DNS operations that replicate zone data from a primary server to a secondary server. These can be abused during DNS enumeration if improperly secured.

  CEH v13 recommends using the following tools for attempting or testing zone transfers:

  A. NSLookup - supports AXFR using set type=any or set type=AXFR

  C. Dig - dig @ns.example.com example.com AXFR

  D. Sam Spade - GUI tool capable of DNS zone transfer

  E. Host - command-line tool used for DNS lookups and AXFR

  Incorrect Tools:

  B. Finger - used for user enumeration, not DNS

  F. Netcat - general-purpose networking tool, not specific to DNS

  G. Neotrace - used for traceroute/path tracing, not DNS

  CEH v13 Study Guide - Module 3: DNS Enumeration # Tools for DNS Zone TransfersCEH v13 iLabs - DNS Enumeration using Dig, Host, and NSLookup

• Question 477:

  While using your bank's online servicing you notice the following string in the URL bar:

  " http://www.MyPersonalBank.com/account?id368940911028389 andDamount10980andCamount21"

  You observe that if you modify the Damount and Camount values and submit the request, that data on the web page reflects the changes.

  Which type of vulnerability is present on this site?

  A. Cookie Tampering
  B. SQL Injection
  C. Web Parameter Tampering
  D. XSS Reflection
  C. Web Parameter Tampering

  ---

  Explanation

  This is a classic example of Web Parameter Tampering. This occurs when attackers manipulate parameters exchanged between client and server to exploit vulnerabilities in the application logic. In this case:

  Damount and Camount are passed via URL parameters.

  The web application is not validating or sanitizing the values.

  Altering the values affects the transaction outcome.

  This is not an SQL Injection (no SQL code shown), nor is it XSS (no script injection), and it is unrelated to Cookie Tampering (which involves browser-stored cookies).

  CEH v13 eCourseware - Module 14: Hacking Web Applications # "Parameter Tampering"

  CEH v13 Study Guide - Web Application Attacks # "Client-side Parameter Tampering"

• Question 478:

  User A is writing a sensitive email message to user B outside the local network. User A has chosen to use PKI to secure his message and ensure only user B can read the sensitive email. At what layer of the OSI layer does the encryption and decryption of the message take place?

  A. Application
  B. Transport
  C. Session
  D. Presentation
  D. Presentation

  ---

  Explanation

  https://en.wikipedia.org/wiki/Presentation_layer

  In the seven-layer OSI model of computer networking, the presentation layer is layer 6 and serves as the data translator for the network. It is sometimes called the syntax layer. The presentation layer is responsible for the formatting and delivery of information to the application layer for further processing or display. Encryption is typically done at this level too, although it can be done on the application, session, transport, or network layers, each having its own advantages and disadvantages. Decryption is also handled at the presentation layer. For example, when logging on to bank account sites the presentation layer will decrypt the data as it is received.

• Question 479:

  Shellshock allowed an unauthorized user to gain access to a server. It affected many Internet-facing services, which OS did it not directly affect?

  A. Linux
  B. Unix
  C. OS X
  D. Windows
  D. Windows

  ---

  Explanation

  Shellshock (CVE-2014-6271) is a vulnerability in the GNU Bash (Bourne Again Shell) that allows remote code execution via crafted environment variables. It was disclosed in 2014 and had a wide impact on systems that relied on Bash as a command-line shell interpreter.

  Affected systems include:

  Linux distributions (Red Hat, Debian, CentOS, Ubuntu, etc.)

  Unix variants (e.g., FreeBSD, OpenBSD, etc.)

  Apple macOS (formerly OS X), since it uses Bash as the default shell

  Windows systems were not directly affected because they do not use Bash by default. Bash is not a native component of Windows operating systems, and Shellshock exploits Bash-specific behavior. Only Windows systems where Bash was manually installed through a third-party method or environment (e.g., Cygwin) might be susceptible - but by default, Windows systems are immune.

  Incorrect options:

  A. Linux - Affected

  B. Unix - Affected

  C. OS X - Affected

  D. Windows - Not directly affected (Correct answer)

  CEH v13 eCourseware - Module 06: System Hacking #";Common Vulnerabilities: Shellshoc";

  CEH v13 Study Guide - Chapter: "Understanding Common Exploits and Vulnerabilities" # Section: "Shellshock Bash Vulnerability"

  Additional Reference (Public Disclosure):

  NVD - CVE-2014-6271 (Shellshock) https://nvd.nist.gov/vuln/detail/CVE-2014-6271

• Question 480:

  Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetration Test for?

  A. To determine who is the holder of the root account
  B. To perform a DoS
  C. To create needless SPAM
  D. To illicit a response back that will reveal information about email servers and how they treat undeliverable mail
  E. To test for virus protection
  D. To illicit a response back that will reveal information about email servers and how they treat undeliverable mail

  ---

  Explanation

  Sending an email to a known non-existent user is a reconnaissance technique used to:

  Analyze bounce-back (NDR) messages.

  Discover the email server's operating system, filtering behavior, internal mail routing, and directory structure.

  Reveal technologies such as Exchange, Postfix, etc.

  From CEH v13 Official Courseware:

  Module 2: Footprinting and Reconnaissance

  CEH v13 Study Guide states:

  "Sending a message to an invalid address can reveal error messages or NDRs that leak internal system details, such as mail server versions, spam filtering technologies, and internal naming conventions."

  Incorrect Options:

  A: Not applicable.

  B/C: Not the purpose here.

  E: Anti-virus testing requires a separate controlled method.

  CEH v13 Study Guide - Module 2: Email Footprinting TechniquesRFC 3463 - Enhanced Mail System Status Codes