EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 501:

  Which DNS resource record can indicate how long any "DNS poisoning" could last?

  A. MX
  B. SOA
  C. NS
  D. TIMEOUT
  B. SOA

  ---

  Explanation

  DNS poisoning (also known as DNS cache poisoning) occurs when a malicious actor injects false DNS data into a DNS resolver's cache. The poisoned entry will persist for the duration of its TTL (Time To Live), which is defined in the DNS SOA (Start of Authority) record.

  The SOA record contains several fields including:

  Serial number

  Refresh

  Retry

  Expire

  Minimum TTL

  The Minimum TTL value in the SOA record determines how long a DNS resolver should cache the DNS data

  - including any potentially poisoned data.

  From CEH v13 Official Courseware:

  Module 3: Scanning Networks

  Topic: DNS Enumeration and Poisoning

  CEH v13 Study Guide states:

  "The SOA record includes a minimum TTL value that dictates how long DNS information should be cached by other DNS servers. If DNS cache poisoning occurs, the false information will persist until the TTL expires."

  Incorrect Options:

  A: MX (Mail Exchange) defines mail servers, not TTLs.

  C: NS (Name Server) specifies authoritative servers, not caching durations.

  D: TIMEOUT is not a valid DNS resource record.

  CEH v13 Study Guide - Module 3: DNS Records # SOA Record Structure and TTLRFC 1035 - Domain Names: Implementation and Specification (Section 3.3.13)

• Question 502:

  Which of the following is the primary objective of a rootkit?

  A. It opens a port to provide an unauthorized service
  B. It creates a buffer overflow
  C. It replaces legitimate programs
  D. It provides an undocumented opening in a program
  C. It replaces legitimate programs

  ---

  Explanation

  The main purpose of a rootkit is to hide malicious activity by modifying or replacing legitimate system binaries (e.g., ls, ps, netstat) so they no longer show the presence of malicious files, users, or processes. This enables attackers to maintain persistent and stealthy access.

  From CEH v13 Official Courseware:

  Module 6: Malware Threats # Rootkits

  CEH v13 Study Guide states:

  "Rootkits are stealthy programs designed to conceal the existence of other malicious processes or programs by replacing legitimate operating system utilities and binaries. This makes detection and removal extremely difficult."

  Incorrect Options:

  A: This is a backdoor's behavior.

  B: A buffer overflow is a method of exploitation, not the rootkit's purpose.

  D: Refers to a backdoor or vulnerability, not a rootkit's core function.

  CEH v13 Study Guide - Module 6: Rootkits and Malware TypesNIST SP 800-83 - Malware Incident Prevention and Handling

• Question 503:

  A penetration tester is attempting to gain access to a wireless network that is secured with WPA2 encryption. The tester successfully captures the WPA2 handshake but now needs to crack the pre-shared key. What is the most effective method to proceed?

  A. Perform a brute-force attack using common passwords against the captured handshake
  B. Use a dictionary attack against the captured WPA2 handshake to crack the key
  C. Execute a SQL injection attack on the router's login page
  D. Conduct a de-authentication attack to disconnect all clients from the network
  B. Use a dictionary attack against the captured WPA2 handshake to crack the key

  ---

  Explanation

  WPA2-PSK networks authenticate users using a pre-shared key derived from a passphrase. After capturing the 4-way handshake, CEH teaches that the standard and most effective method to recover the key is to perform an offline dictionary attack, where wordlist entries are hashed and compared against the captured handshake values. Offline cracking avoids detection and is significantly faster than brute-force attempts.

• Question 504:

  ping-* 6 192.168.0.101

  Output:

  Pinging 192.168.0.101 with 32 bytes of data:

  Reply from 192.168.0.101: bytes=32 time<1ms TTL=128

  Reply from 192.168.0.101: bytes=32 time<1ms TTL=128

  Reply from 192.168.0.101: bytes=32 time<1ms TTL=128

  Reply from 192.168.0.101: bytes=32 time<1ms TTL=128

  Reply from 192.168.0.101: bytes=32 time<1ms TTL=128

  Reply from 192.168.0.101:

  Ping statistics for 192.168.0101

  Packets: Sent = 6, Received = 6, Lost = 0 (0% loss).

  Approximate round trip times in milli-seconds:

  Minimum = 0ms, Maximum = 0ms, Average = 0ms

  What does the option * indicate?

  A. t
  B. s
  C. a
  D. n
  A. t

  ---

  Explanation

  While the question as shown appears slightly misformatted, this closely resembles the Windows command:

  ping -t 192.168.0.101

  Here:

  -t means to ping continuously until manually stopped.

  In the question: ping -* 6 192.168.0.101, the * is most likely a placeholder or typographical error. Based on CEH format questions and how command-line flags work in ping, -t is the correct flag.

  Option A. t - Correct (ping continuously)

  Why Others Are Incorrect:

  B. s: Not a valid option in Windows ping.

  C. a: Used to resolve the hostname from an IP (not related to this).

  D. n: Specifies the number of echo requests to send.

  CEH v13 Module 03 - ICMP Tools and Ping Usage

  Windows ping command help: ping /?

• Question 505:

  Which encryption method supports secure key distribution?

  A. Disk encryption
  B. Symmetric encryption
  C. Hash functions
  D. Asymmetric encryption
  D. Asymmetric encryption

  ---

  Explanation

  Asymmetric encryption, as defined in CEH v13 Cryptography , uses a public-private key pair, solving the key distribution problem inherent in symmetric encryption.

  Public keys can be freely shared, enabling secure communication initiation without prior shared secrets. Disk encryption and hashes do not address key exchange.

• Question 506:

  As an IT technician in a small software development company, you are responsible for protecting the network against various cyber threats. You learn that attackers often try to bypass firewalls. Which of the following is a common technique used by attackers to evade firewall detection -

  A. Changing the source IP address of packets to make traffic appear to originate from a trusted source
  B. Using encrypted communication channels to evade network monitoring tools
  C. Using social engineering techniques to trick employees into revealing sensitive information
  D. Implementing an open-source operating system to bypass proprietary software restrictions
  B. Using encrypted communication channels to evade network monitoring tools

  ---

  Explanation

  According to the CEH Network and Perimeter Security module, one of the most effective and widely used firewall evasion techniques is the use of encrypted communication channels . When traffic is encrypted using protocols such as HTTPS, TLS, or VPN tunnels, traditional firewalls and packet-inspection tools may be unable to inspect payload contents unless SSL/TLS inspection is explicitly enabled.

  CEH documentation explains that attackers commonly encrypt command-and-control (C2) traffic to:

  Blend in with legitimate encrypted traffic

  Bypass content-based inspection

  Evade signature-based detection

  Option B is therefore correct.

  Option A (IP spoofing) is less effective against stateful firewalls.

  Option C is a human-focused attack, not firewall evasion.

  Option D has no relevance to firewall bypass techniques.

  CEH highlights encryption misuse as a major blind spot in perimeter defenses.

• Question 507:

  An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next?

  A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
  B. He will activate OSPF on the spoofed root bridge.
  C. He will repeat this action so that it escalates to a DoS attack.
  D. He will repeat the same attack against all L2 switches of the network.
  A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.

  ---

  Explanation

  Spanning Tree Protocol (STP) manipulation attacks involve an attacker injecting BPDUs (Bridge Protocol Data Units) to force a switch to recognize the attacker's system as the root bridge. Once this is achieved, the attacker can:

  Redirect traffic through their own machine

  Create a SPAN (Switched Port Analyzer) session to mirror traffic

  Intercept, sniff, or modify data passing through the network

  This is typically the next logical step in an STP attack to facilitate a Man-in-the-Middle (MITM) position.

  CEH v13 Official Study Guide:

  Module 8: Sniffing

  Quote:

  "An attacker who becomes the root bridge using STP manipulation can redirect traffic and use SPAN ports to mirror traffic to their system for analysis or manipulation."

  Incorrect Options:

  B. OSPF is a Layer 3 routing protocol, not relevant here.

  C. DoS is not the goal of this specific attack.

  D. Attacking all switches is inefficient and unnecessary once root access is gained.

• Question 508:

  Harris is attempting to identify the OS running on his target machine. He inspected the initial TTL in the IP header and the related TCP window size and obtained the following results:

  TTL: 64

  Window Size: 5840

  What is the OS running on the target machine?

  A. Solaris OS
  B. Windows OS
  C. Mac OS
  D. Linux OS
  D. Linux OS

  ---

  Explanation

  The TTL (Time-To-Live) and TCP window size are commonly used values for passive OS fingerprinting. Different operating systems set default values for these fields in IP and TCP headers.

  From CEH v13 Official Courseware and tools like Nmap and Netcraft:

  A TTL of 64 and TCP window size of 5840 is a strong indicator of a Linux-based operating system.

  This combination is one of the signature responses used in tools such as Nmap and p0f to fingerprint OS remotely.

  Here's a general reference table:

  OS

  Default TTL

  TCP Window Size

  Windows 8192/65535

  Linux Solaris Mac OS 65535

  Therefore, TTL: 64 + Window Size: 5840 = Linux OS Incorrect Options:

  A. Solaris typically has a TTL of 255 and a different window size.

  B. Windows defaults to TTL 128.

  C. Mac OS uses TTL 64 but has a window size of 65535.

  CEH v13 Official Courseware:

  Module 03: Scanning Networks

  Section: "OS Detection Using TTL and TCP Window Size"

  Tools: Nmap OS Fingerprinting, Xprobe2

  CEH iLab: OS Fingerprinting with TCP/IP Stack Behavior

• Question 509:

  Upon establishing his new startup, Tom hired a cloud service provider (CSP) but was dissatisfied with their service and wanted to move to another CSP.

  What part of the contract might prevent him from doing so?

  A. Virtualization
  B. Lock-in
  C. Lock-down
  D. Lock-up
  B. Lock-in

  ---

  Explanation

  Lock-in reflects the inability of the client to migrate from one CSP to another or in-house systems owing to the lack of tools, procedures, standard data formats, applications, and service portability. This threat is related to the inappropriate selection of a CSP, incomplete and non-transparent terms of use, lack of standard mechanisms, etc. (P.2884/2868)

• Question 510:

  A penetration tester suspects that the web application's "Order History" page is vulnerable to SQL injection because it displays user orders based on an unprotected user ID parameter in the URL. What is the most appropriate approach to test this?

  A. Inject JavaScript into the URL parameter to test for Cross-Site Scripting (XSS)
  B. Modify the URL parameter to userID=1 OR 1=1 and observe if all orders are displayed
  C. Perform a directory traversal attack to access sensitive system files
  D. Use a brute-force attack on the login form to identify valid user credentials
  B. Modify the URL parameter to userID=1 OR 1=1 and observe if all orders are displayed

  ---

  Explanation

  CEH v13 identifies URL parameters used in dynamic SQL queries as common injection points. When user- controlled values are passed directly into database queries without validation, attackers can manipulate query logic. Injecting a test payload such as 1 OR 1=1 into the userID parameter is a standard method to determine whether the application concatenates input into SQL statements. If the page displays all user orders instead of only the authenticated user's orders, this confirms SQL injection. CEH teaches that conditional tautologies are one of the safest and most reliable ways to probe SQL vulnerabilities, especially in GET parameters. JavaScript injection (Option A) tests XSS, not SQLi. Directory traversal (Option C) targets filesystem issues, not database logic. Brute-forcing user credentials (Option D) does not test query sanitization. Therefore, modifying the userID parameter with a SQL injection payload is the correct CEH-aligned method.