EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 491:

  Which of the following is considered an exploit framework and has the ability to perform automated attacks on services, ports, applications and unpatched security flaws in a computer system?

  A. Wireshark
  B. Maltego
  C. Metasploit
  D. Nessus
  C. Metasploit

  ---

  Explanation

  https://en.wikipedia.org/wiki/Metasploit_Project

  The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid.

  Its best-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

  The Metasploit Project includes anti-forensic and evasion tools, some of which are built into the Metasploit Framework. Metasploit is pre-installed in the Kali Linux operating system.

  The basic steps for exploiting a system using the Framework include.

  1. Optionally checking whether the intended target system is vulnerable to an exploit.

  2. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 900 different exploits for Windows, Unix/Linux and macOS systems are included).

  3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry; for instance, a remote shell or a VNC server). Metasploit often recommends a payload that should work.

  4. Choosing the encoding technique so that hexadecimal opcodes known as "bad characters" are removed from the payload, these characters will cause the exploit to fail.

  5. Executing the exploit.

  This modular approach - allowing the combination of any exploit with any payload - is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers and payload writers.

• Question 492:

  Which approach should an ethical hacker avoid to maintain passive reconnaissance?

  A. Direct interaction with the threat actor
  B. WHOIS and DNS lookups
  C. Anonymous browsing via Tor
  D. Using the Wayback Machine
  A. Direct interaction with the threat actor

  ---

  Explanation

  CEH v13 defines passive reconnaissance as information gathering without interacting directly with the target or alerting them . The goal is to remain undetected while collecting intelligence from publicly available sources.

  Directly interacting with a threat actor on forums-even under a pseudonym-constitutes active engagement . CEH v13 warns that such interaction risks exposure, attribution, and legal complications. It can alert the adversary, cause them to alter behavior, or even retaliate.

  WHOIS lookups, DNS queries, archived web content, and anonymous browsing are all passive techniques endorsed in CEH v13. These methods do not notify the target and leave minimal trace.

  Thus, Option A should be avoided to maintain a low profile.

• Question 493:

  Which method best bypasses client-side controls without triggering server-side alarms?

  A. Disable JavaScript in the browser
  B. Intercept and modify requests using a proxy tool
  C. Inject malicious JavaScript into the login form
  D. Reverse-engineer the encryption algorithm
  B. Intercept and modify requests using a proxy tool

  ---

  Explanation

  Client-side controls, such as JavaScript validation and CAPTCHA enforcement, are explicitly described in CEH v13 as inherently untrustworthy , since they run on the user's device. The most effective way to bypass them is by intercepting and modifying HTTP requests after client-side validation but before server- side processing .

  Using a proxy tool (such as Burp Suite) allows the tester to manipulate parameters invisibly, without disabling JavaScript or injecting code that could raise alarms. This makes Option B the most stealthy and effective method.

  Disabling JavaScript (Option A) is noisy and easily detected. Injecting JavaScript (Option C) may trigger client-side protections. Reverse-engineering encryption (Option D) is complex and unnecessary.

  CEH v13 emphasizes proxy-based manipulation as the preferred technique for bypassing client-side security mechanisms. Therefore, Option B is correct.

• Question 494:

  An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up.

  What is the most likely cause?

  A. The network devices are not all synchronized.
  B. Proper chain of custody was not observed while collecting the logs.
  C. The attacker altered or erased events from the logs.
  D. The security breach was a false positive.
  A. The network devices are not all synchronized.

  ---

  Explanation

  Many network and system administrators don't pay enough attention to system clock accuracy and time synchronization. Computer clocks can run faster or slower over time, batteries and power sources die, or daylight-saving time changes are forgotten. Sure, there are many more pressing security issues to deal with, but not ensuring that the time on network devices is synchronized can cause problems. And these problems often only come to light after a security incident.

  If you suspect a hacker is accessing your network, for example, you will want to analyze your log files to look for any suspicious activity. If your network's security devices do not have synchronized times, the timestamps' inaccuracy makes it impossible to correlate log files from different sources. Not only will you have difficulty in tracking events, but you will also find it difficult to use such evidence in court; you won't be able to illustrate a smooth progression of events as they occurred throughout your network.

• Question 495:

  You want to analyze packets on your wireless network. Which program would you use?

  A. Wireshark with Airpcap
  B. Airsnort with Airpcap
  C. Wireshark with Winpcap
  D. Ethereal with Winpcap
  A. Wireshark with Airpcap

  ---

  Explanation

  https://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.html

  Since this question refers specifically to analyzing a wireless network, it is obvious that we need an option with AirPcap (Riverbed AirPcap USB-based adapters capture 802.11 wireless traffic for analysis). Since it works with two traffic analyzers SteelCentral Packet Analyzer (Cascade Pilot) or Wireshark, the correct option would be "Wireshark with Airpcap."

  NOTE: AirPcap adapters no longer available for sale effective January 1, 2018, but a question on this topic may occur on your exam.

• Question 496:

  When you are getting information about a web server, it is very important to know the HTTP Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect all these methods (GET, POST, HEAD, DELETE, PUT, TRACE) using NMAP script engine. What Nmap script will help you with this task?

  A. http-methods
  B. http enum
  C. http-headers
  D. http-git
  A. http-methods

  ---

  Explanation

  Nmap provides a scripting engine (NSE) that includes a script named http-methods. This script sends OPTIONS requests to the web server to determine which HTTP methods are supported. Identifying risky methods like PUT and DELETE helps detect misconfigured or vulnerable web servers.

  Example command:

  nmap --script http-methods -p 80

  Reference - CEH v13 Official Study Guide:

  Module 11: Hacking Web Applications

  Quote:

  "The Nmap script http-methods helps identify enabled HTTP methods including potentially dangerous ones like PUT and DELETE."

  Incorrect Options Explained:

  B. http-enum is used to enumerate directories and applications, not methods.

  C. http-headers retrieves HTTP headers.

  D. http-git checks for Git repositories on web servers.

• Question 497:

  Eric, a cloud security engineer, implements a technique for securing the cloud resources used by his organization. This technique assumes by default that a user attempting to access the network is not an authentic entity and verifies every incoming connection before allowing access to the network. Using this technique, he also imposed conditions such that employees can access only the resources required for their role.

  What is the technique employed by Eric to secure cloud resources?

  A. Serverless computing
  B. Demilitarized zone
  C. Container technology
  D. Zero trust network
  D. Zero trust network

  ---

  Explanation

  Zero Trust Networks The Zero Trust model is a security implementation that by default assumes every user trying to access the network is not a trusted entity and verifies every incoming connection before allowing access to the network.It strictly follows the principle, "Trust no one and validate before providing a cloud service or granting access permission."It also allows companies to impose conditions, such as allowing employees to only access the appropriate resources required for their work role.

  (P.2997/2981)

  Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization's network architecture. Rooted in the principle of "never trust, always verify," Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control.

• Question 498:

  Harry. a professional hacker, targets the IT infrastructure of an organization. After preparing for the attack, he attempts to enter the target network using techniques such as sending spear-phishing emails and exploiting vulnerabilities on publicly available servers. Using these techniques, he successfully deployed malware on the target system to establish an outbound connection. What is the APT lifecycle phase that Harry is currently executing?

  A. Preparation
  B. Cleanup
  C. Persistence
  D. initial intrusion
  A. Preparation

  ---

  Explanation

  After the attacker completes preparations, subsequent step is an effort to realize an edge within the target's environment. a particularly common entry tactic is that the use of spearphishing emails containing an internet link or attachment. Email links usually cause sites where the target's browser and related software are subjected to varied exploit techniques or where the APT actors plan to social engineer information from the victim which will be used later. If a successful exploit takes place, it installs an initial malware payload on the victim's computer. Figure 2 illustrates an example of a spearphishing email that contains an attachment. Attachments are usually executable malware, a zipper or other archive containing malware, or a malicious Office or Adobe PDF (Portable Document Format) document that exploits vulnerabilities within the victim's applications to ultimately execute malware on the victim's computer. Once the user has opened a malicious file using vulnerable software, malware is executing on the target system. These phishing emails are often very convincing and difficult to differentiate from legitimate email messages. Tactics to extend their believability include modifying legitimate documents from or associated with the organization. Documents are sometimes stolen from the organization or their collaborators during previous exploitation operations. Actors modify the documents by adding exploits and malicious code then send them to the victims. Phishing emails are commonly sent through previously compromised email servers, email accounts at organizations associated with the target or public email services. Emails also can be sent through mail relays with modified email headers to form the messages appear to possess originated from legitimate sources. Exploitation of vulnerabilities on public-facing servers is another favorite technique of some APT groups. Though this will be accomplished using exploits for known vulnerabilities, 0-days are often developed or purchased to be used in intrusions as required .

  Gaining an edge within the target environment is that the primary goal of the initial intrusion. Once a system is exploited, the attacker usually places malware on the compromised system and uses it as a jump point or proxy for further actions. Malware placed during the initial intrusion phase is usually an easy downloader, basic Remote Access Trojan or an easy shell. Figure 3 illustrates a newly infected system initiating an outbound connection to notify the APT actor that the initial intrusion attempt was successful which it's able to accept commands.

• Question 499:

  A Certified Ethical Hacker (CEH) is auditing a company's web server that employs virtual hosting . The server hosts multiple domains and uses a web proxy to maintain anonymity and prevent IP blocking. The CEH discovers that the server's document directory (containing critical HTML files) is named "certrcx" and stored in /admin/web . The server root (containing configuration, error, executable, and log files) is also identified. The CEH also notes that the server uses a virtual document tree for additional storage. Which action would most likely increase the security of the web server?

  A. Moving the document root directory to a different disk
  B. Regularly updating and patching the server software
  C. Changing the server's IP address regularly
  D. Implementing an open-source web server architecture such as LAMP
  B. Regularly updating and patching the server software

  ---

  Explanation

  CEH guidance for web server hardening prioritizes controls that reduce exploitable conditions across the broadest set of threats. While obscuring paths (for example, unusual directory names like "certrcx" or storing content under "/admin/web") may slightly slow down casual discovery, CEH emphasizes that security through obscurity is not a reliable control . If an attacker can identify the server root, document root, and virtual directory structure (through misconfigurations, directory listing, error leakage, backup exposure, or known-path enumeration), then the real risk becomes unpatched vulnerabilities in the web server, modules, libraries, and underlying OS.

  Regularly updating and patching the server software is the most direct, high-impact countermeasure because it closes known vulnerabilities attackers routinely exploit (RCE, privilege escalation, auth bypass, path traversal, request smuggling, etc.). CEH materials also stress that virtual hosting expands the attack surface (multiple sites, shared services, shared misconfigurations), making systematic patching and configuration management even more important.

  Option A (moving the document root to a different disk) may help with organization and, in some cases, recovery planning, but it does not inherently reduce vulnerabilities. Option C (changing IPs) is not a security control; it may complicate blocking lists but doesn't fix the underlying weakness. Option D (using LAMP) is an architectural choice, not a security measure by itself-an open-source stack can still be insecure if misconfigured or unpatched.

  Therefore, CEH-aligned best practice is regular patching and updates .

• Question 500:

  In your role as a cybersecurity analyst at a large e-commerce company, you have been tasked with reinforcing the firm's defenses against potential Denial-of-Service (DoS) attacks. During a recent review, you noticed several IP addresses generating excessive traffic, causing an unusually high server load. Inspection of packets revealed that the TCP three-way handshake was never completed, leaving multiple connections in a SYN_RECEIVED state. The intent appears to be saturating server resources without completing connections.

  Which type of DoS attack is most likely being executed?

  A. SYN Flood
  B. Smurf Attack
  C. Ping of Death
  D. UDP Flood
  A. SYN Flood

  ---

  Explanation

  This scenario clearly indicates a SYN Flood attack , a classic Denial-of-Service technique discussed in CEH v13 Network and Perimeter Hacking . In a normal TCP three-way handshake, a client sends a SYN, the server responds with SYN-ACK, and the client completes the connection with an ACK. In a SYN flood, attackers send a massive number of SYN packets but never complete the handshake.

  As described in CEH v13, the server allocates memory and resources for each half-open connection, placing them in the SYN_RECEIVED state. When these connections are not finalized, the server's connection table becomes saturated, preventing legitimate users from establishing new sessions.

  Other options are incorrect:

  Smurf attacks rely on ICMP amplification, not TCP handshakes.

  Ping of Death uses malformed ICMP packets.

  UDP Floods overwhelm ports using UDP, not TCP session states.

  CEH v13 emphasizes SYN floods as one of the most common Layer 4 DoS attacks due to their simplicity and effectiveness.