EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 481:

  You are a penetration tester tasked with testing the wireless network of your client Brakeme SA. You are attempting to break into the wireless network with the SSID "Brakeme-lnternal." You realize that this network uses WPA3 encryption, which of the following vulnerabilities is the promising to exploit?

  A. Dragonblood
  B. Cross-site request forgery
  C. Key reinstallation attack
  D. AP Myconfiguration
  A. Dragonblood

  ---

  Explanation

  Dragonblood allows an attacker in range of a password-protected Wi-Fi network to get the password and gain access to sensitive information like user credentials, emails and mastercard numbers. consistent with the published report:

  "The WPA3 certification aims to secure Wi-Fi networks, and provides several advantages over its predecessor WPA2, like protection against offline dictionary attacks and forward secrecy. Unfortunately, we show that WPA3 is suffering from several design flaws, and analyze these flaws both theoretically and practically. Most prominently, we show that WPA3's Simultaneous Authentication of Equals (SAE) handshake, commonly referred to as Dragonfly, is suffering from password partitioning attacks."

  Our Wi-Fi researchers at WatchGuard are educating businesses globally that WPA3 alone won't stop the Wi- Fi hacks that allow attackers to steal information over the air (learn more in our recent blog post on the topic). These Dragonblood vulnerabilities impact alittle amount of devices that were released with WPA3 support, and makers are currently making patches available. one among the most important takeaways for businesses of all sizes is to know that a long-term fix might not be technically feasible

  for devices with lightweight processing capabilities like IoT and embedded systems. Businesses got to consider adding products that enable a Trusted Wireless Environment for all kinds of devices and users alike.

  Recognizing that vulnerabilities like KRACK and Dragonblood require attackers to initiate these attacks by bringing an "Evil Twin" Access Point or a Rogue Access Point into a Wi-Fi environment, we've been that specialize in developing Wi-Fi security solutions that neutralize these threats in order that these attacks can never occur. The Trusted Wireless Environment framework protects against the "Evil Twin" Access Point and Rogue Access Point. one among these hacks is required to initiate the 2 downgrade or side-channel attacks referenced in Dragonblood.

  What's next? WPA3 is an improvement over WPA2 Wi-Fi encryption protocol, however, as we predicted, it still doesn't provide protection from the six known Wi-Fi threat categories. It's highly likely that we'll see more WPA3 vulnerabilities announced within the near future.

  To help reduce Wi-Fi vulnerabilities, we're asking all of you to hitch the Trusted Wireless Environment movement and advocate for a worldwide security standard for Wi-Fi.

• Question 482:

  Sophia is a shopping enthusiast who spends significant time searching for trendy outfits online. Clark, an attacker, noticed her activities several times and sent a fake email containing a deceptive page link to her social media page displaying all-new and trendy outfits. In excitement, Sophia clicked on the malicious link and logged in to that page using her valid credentials. Which of the following tools is employed by Clark to create the spoofed email?

  A. PyLoris
  B. Slowloris
  C. Evilginx
  D. PLCinject
  C. Evilginx

  ---

  Explanation

  Evilginx Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. It's core runs on Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content, while intercepting traffic between client and server.

• Question 483:

  The Heartbleed bug was discovered in 2014 and is widely referred to under MITRE's Common Vulnerabilities and Exposures (CVE) as CVE-2014-0160. This bug affects the OpenSSL implementation of the Transport Layer Security (TLS) protocols defined in RFC6520.

  What type of key does this bug leave exposed to the Internet making exploitation of any compromised system very easy?

  A. Public
  B. Private
  C. Shared
  D. Root
  B. Private

  ---

  Explanation

  The Heartbleed vulnerability (CVE-2014-0160) is a critical buffer over-read flaw in OpenSSL's implementation of the TLS heartbeat extension. It allows attackers to read portions of memory from a server using vulnerable versions of OpenSSL.

  This exposed sensitive data including:

  Usernames and passwords

  Session tokens

  Private encryption keys

  From CEH v13 Study Guide Module 5: Vulnerability Analysis and Module 6: Malware Threats:

  "The Heartbleed vulnerability allowed attackers to extract memory contents from the OpenSSL process, including sensitive materials such as private SSL keys. These private keys are used in the TLS protocol to encrypt and decrypt secure communications. Once compromised, attackers could decrypt communications or impersonate the server."

  Private keys being compromised allow attackers to decrypt HTTPS traffic, impersonate trusted servers, and conduct MITM (Man-in-the-Middle) attacks.

  Incorrect Options:

  A. Public: Public keys are already shared and not a security risk if disclosed.

  C. Shared: Vague term not applicable here.

  D. Root: Heartbleed doesn't directly expose root keys; rather, it leaks application memory including private SSL/TLS keys.

  CEH v13 Study Guide - Module 5: Vulnerability Analysis # Case Study: HeartbleedNVD/CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2014-0160OpenSSL Advisory: https://www.openssl.org/news /secadv_20140407.txt

• Question 484:

  One of your team members has asked you to analyze the following SOA record. What is the version?

  Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.) (Choose four.)

  A. 200303028
  B. 3600
  C. 604800
  D. 2400
  E. 60
  F. 4800
  A. 200303028
  B. 3600
  C. 604800
  D. 2400

  ---

  Explanation

  The SOA (Start of Authority) record is a DNS record that defines the authoritative information about a domain. Its format includes the following fields:

  (domain) IN SOA (Primary Name Server) (Responsible Email)

  (Serial) (Refresh) (Retry) (Expire) (Minimum TTL)

  Given:

  Rutgers.edu. SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.)

  Field values:

  Serial: 200302028 (# This is the version number of the zone file.)

  Refresh: 3600 seconds

  Retry: 3600 seconds

  Expire: 604800 seconds

  Minimum TTL: 2400 seconds

  These values represent key configurations and are all part of the SOA record's operational data.

  A: 200302028 = Serial/version (correct)

  B: 3600 = Refresh (correct)

  C: 604800 = Expire (correct)

  D: 2400 = Minimum TTL (correct)

  Incorrect Options:

  E and F (60, 4800): Not part of the SOA record shown.

  CEH v13 Study Guide - Module 3: DNS Enumeration # SOA Record FormatRFC 1035 - Section 3.3.13: Start of Authority Record

• Question 485:

  An ethical hacker is testing a web application of a financial firm. During the test, a 'Contact Us' form's input field is found to lack proper user input validation, indicating a potential Cross-Site Scripting (XSS) vulnerability. However, the application has a stringent Content Security Policy (CSP) disallowing inline scripts and scripts from external domains but permitting scripts from its own domain. What would be the hacker's next step to confirm the XSS vulnerability?

  A. Try to disable the CSP to bypass script restrictions
  B. Inject a benign script inline to the form to see if it executes
  C. Utilize a script hosted on the application's domain to test the form
  D. Load a script from an external domain to test the vulnerability
  C. Utilize a script hosted on the application's domain to test the form

  ---

  Explanation

  The hacker's next step to confirm the XSS vulnerability would be to utilize a script hosted on the application' s domain to test the form. This is because the application's CSP allows scripts from its own domain, but not from inline or external sources. Therefore, the hacker can try to inject a payload that references a script file on the same domain as the application, such as:

  where script.js contains some benign code, such as alert('XSS') or print('XSS'). If the script executes in the browser, then the hacker has confirmed the XSS vulnerability. Otherwise, the CSP has blocked the script and prevented the XSS attack.

  The other options are not feasible or effective for the following reasons:

  A. Try to disable the CSP to bypass script restrictions: This option is not feasible because the hacker cannot disable the CSP on the server side, and the browser enforces the CSP on the client side. The hacker would need to modify the browser settings or use a browser extension to disable the CSP, but this would not affect the victim's browser or the application's security.

  B. Inject a benign script inline to the form to see if it executes: This option is not effective because the application's CSP disallows inline scripts, meaning scripts that are embedded in the HTML code. Therefore, the hacker would not be able to inject a script tag or an event handler attribute that contains some code, such as:

  or The CSP would block these scripts and prevent the XSS attack.

  D. Load a script from an external domain to test the vulnerability: This option is not effective because the application's CSP disallows scripts from external domains, meaning scripts that are loaded from a different domain than the application. Therefore, the hacker would not be able to inject a script tag that references a script file on another domain, such as:

  The CSP would block these scripts and prevent the XSS attack.

  References:

  1: Content Security Policy (CSP) - HTTP | MDN

  2: What is Content Security Policy (CSP) | Header Examples | Imperva

  3: Content-Security-Policy (CSP) Header Quick Reference

  4: What is cross-site scripting (XSS)? - PortSwigger

  5: Cross Site Scripting (XSS) | OWASP Foundation

  6: The Impact of Cross-Site Scripting Vulnerabilities and their Prevention

  7: XSS Vulnerability 101: Identify and Stop Cross-Site Scripting

• Question 486:

  Stella, a professional hacker, performs an attack on web services by exploiting a vulnerability that provides additional routing information in the SOAP header to support asynchronous communication. This further allows the transmission of web-service requests and response messages using different TCP connections.

  Which of the following attack techniques is used by Stella to compromise the web services?

  A. XML injection
  B. WS-Address spoofing
  C. SOAPAction spoofing
  D. Web services parsing attacks
  B. WS-Address spoofing

  ---

  Explanation

  WS-Address provides additional routing information in the SOAP header to support asynchronous communication. This technique allows the transmission of web service requests and response messages using different TCP connections

  https://www.google.com/search?client=firefox-b-dandq=WS-Address+spoofing

  CEH V11 Module 14 Page 1896

• Question 487:

  A penetration tester is assessing a mobile application and discovers that the app is vulnerable to improper session management. The session tokens are not invalidated upon logout, allowing the tokens to be reused. What is the most effective way to exploit this vulnerability?

  A. Perform a replay attack by using the same session token after the user logs out
  B. Use a Cross-Site Request Forgery (CSRF) attack to steal the session tokens
  C. Use a brute-force attack to guess valid session tokens
  D. Execute a SQL injection attack to retrieve session tokens from the database
  A. Perform a replay attack by using the same session token after the user logs out

  ---

  Explanation

  In CEH's web application and mobile security modules, improper session management is defined as a failure to enforce session expiration, token invalidation, or secure session lifecycle controls. When an application does not invalidate a session token after logout, attackers can exploit this by performing a replay attack:

  reusing previously captured session identifiers to impersonate the user and gain unauthorized access. CEH teaches that replaying a live token is the simplest and most direct exploitation method because it does not require guessing or stealing new tokens-the attacker simply reuses a valid one that should have been invalidated. CSRF relies on exploiting a user's active session and is not required when the attacker already possesses a reusable token. Brute-forcing session tokens is computationally expensive and unnecessary. SQL injection is unrelated to session lifecycle flaws unless token storage is directly exposed. Therefore, a replay attack is the correct exploitation method.

• Question 488:

  In the field of cryptanalysis, what is meant by a "rubber-hose" attack?

  A. Attempting to decrypt cipher text by making logical assumptions about the contents of the original plain text.
  B. Extraction of cryptographic secrets through coercion or torture.
  C. Forcing the targeted key stream through a hardware-accelerated device such as an ASIC.
  D. A backdoor placed into a cryptographic algorithm by its creator.
  B. Extraction of cryptographic secrets through coercion or torture.

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  A rubber-hose attack refers to extracting cryptographic secrets by means of physical coercion, threats, or torture, rather than technical attacks on the algorithm or implementation.

  From CEH v13 Official Study Guide:

  Module 10: Cryptography # Types of Attacks

  "A rubber-hose attack bypasses technical security by attacking the human element."

  Hacker lexicon and Bruce Schneier's discussions on physical security vulnerabilities

• Question 489:

  Which access control mechanism allows for multiple systems to use a central authentication server (CAS) that permits users to authenticate once and gain access to multiple systems?

  A. Role Based Access Control (RBAC)
  B. Discretionary Access Control (DAC)
  C. Single sign-on
  D. Windows authentication
  C. Single sign-on

  ---

  Explanation

  In CEH v13 Module 05: System Hacking, and Module 14: Access Control, Identity Management, and Cryptography, Single Sign-On (SSO) is defined as a system that allows users to authenticate once and gain access to multiple systems without re-entering credentials.

  SSO uses a Central Authentication Server (CAS).

  Common technologies: Kerberos, OAuth, SAML, AD Federation Services.

  Improves user convenience and centralized credential management.

  CEH v13 Module 14 - Identity and Access Management Concepts

  CEH iLabs: SSO Architecture Demonstration

• Question 490:

  An attacker runs netcat tool to transfer a secret file between two hosts.

  

  He is worried about information being sniffed on the network.

  How would the attacker use netcat to encrypt the information before transmitting onto the wire?

  A. Machine A: netcat -l -p -s password 1234 < testfile Machine B: netcat 1234
  B. Machine A: netcat -l -e magickey -p 1234 < testfile Machine B: netcat 1234
  C. Machine A: netcat -l -p 1234 < testfile -pw password Machine B: netcat 1234 -pw password
  D. Use cryptcat instead of netcat
  D. Use cryptcat instead of netcat

  ---

  Explanation

  Netcat does not support encryption natively. To securely transmit data over the network, the attacker must use a variant like Cryptcat, which adds symmetric encryption to standard netcat functionality.

  From CEH v13 Courseware:

  Module 8: Sniffing and Secure Communication

  CEH v13 Study Guide states:

  "Cryptcat is a netcat clone that supports encryption. For secure file transfers or remote shell access, cryptcat is the recommended tool."

  Incorrect Options:

  A/B/C: These are invalid or non-existent netcat parameters. Reference:CEH v13 Study Guide - Module 8: Netcat and Cryptcat Usagehttps://sourceforge.net/projects /cryptcat/