EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 521:

  Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weaknesses and keyloggers.

  Which of the following options best represents the means that Bob can adopt to retrieve passwords from his clients' hosts and servers?

  A. Hardware, Software, and Sniffing.
  B. Hardware and Software Keyloggers.
  C. Passwords are always best obtained using Hardware key loggers.
  D. Software only, they are the most effective.
  A. Hardware, Software, and Sniffing.

  ---

  Explanation

  To perform a thorough password assessment, Bob can use:

  Hardware Keyloggers: Installed between the keyboard and computer; captures keystrokes.

  Software Keyloggers: Installed on the OS; logs keystrokes and system activity.

  Network Sniffing: Captures plaintext passwords from unencrypted protocols (e.g., FTP, Telnet).

  From CEH v13 Official Courseware:

  Module 4: Enumeration

  Module 6: Malware Threats

  Module 8: Sniffing

  CEH v13 Study Guide states:

  "A comprehensive password audit can involve passive sniffing of credentials on the wire, software keyloggers for direct input capture, and hardware keyloggers for stealthy physical surveillance."

  Incorrect Options:

  B, C, D: Limiting to just one method misses out on broader techniques.

  CEH v13 Study Guide - Module 6: Keystroke Logging and Credential CaptureNIST SP 800-115 - Security Testing Guide

• Question 522:

  An IDS generates alerts during normal user activity. What is the most likely cause?

  A. Firewall failure
  B. IDS outdated
  C. Excessive IDS sensitivity causing false positives
  D. Users triggering protocols
  C. Excessive IDS sensitivity causing false positives

  ---

  Explanation

  In CEH v13 , IDS effectiveness is closely tied to proper signature tuning and sensitivity thresholds . When IDS alerts are triggered by legitimate user behavior, the most common cause is overly sensitive configuration , resulting in false positives .

  False positives occur when normal traffic patterns match intrusion signatures. CEH v13 emphasizes that IDS systems must be calibrated to the organization's baseline traffic profile. Without tuning, IDS logs become noisy and reduce analyst effectiveness.

  Firewall issues (Option A) and outdated IDS signatures (Option B) can cause missed detections, not excessive alerts. Users unintentionally triggering protocols (Option D) is not a root cause but a symptom of misconfiguration.

  Thus, excessive IDS sensitivity is the correct explanation.

• Question 523:

  BitLocker encryption has been implemented for all the Windows-based computers in an organization. You are concerned that someone might lose their cryptographic key. Therefore, a mechanism was implemented to recover the keys from Active Directory.

  What is this mechanism called in cryptography?

  A. Key archival
  B. Key escrow
  C. Certificate rollover
  D. Key renewal
  B. Key escrow

  ---

  Explanation

  In CEH v13 Module 14: Cryptography, key escrow is discussed as a recovery mechanism where a third party securely holds a cryptographic key for retrieval if it's lost.

  Key Escrow Characteristics:

  Common in enterprise environments for systems like BitLocker.

  Keys are automatically backed up to Active Directory (AD) for future retrieval.

  Ensures that encrypted data is not permanently lost due to forgotten or deleted keys.

  Option Clarification:

  A. Key archival: Storing old keys for audit/record-keeping.

  B. Key escrow: Correct - Third-party or central storage for recovery purposes.

  C. Certificate rollover: Replacement of expiring certificates.

  D. Key renewal: Generating a new key after expiration or compromise.

  Module 14 - Key Management and Recovery # Key Escrow

  CEH iLabs: BitLocker Key Recovery through Active Directory Escrow

• Question 524:

  Which of the following allows attackers to draw a map or outline the target organization's network infrastructure to know about the actual environment that they are going to hack.

  A. Enumeration
  B. Vulnerability analysis
  C. Malware analysis
  D. Scanning networks
  D. Scanning networks

  ---

  Explanation

  Objectives of Footprinting Draw Network Map - Combining footprinting techniques with tools such as Tracert allows the attacker to create diagrammatic representations of the target organization's network presence. Specficially, it allows attackers to draw a map or outline of the target organization's network infrastructure to know about the actual environment that they are going to break into. These network diagrams can guide the attacker in performing an attack. (P.114/98)

• Question 525:

  A kernel-level rootkit is discovered. What is the safest remediation strategy?

  A. Power down immediately
  B. Deploy honeypots
  C. Full system format and reinstall
  D. Use rootkit scanners and tailored removal
  C. Full system format and reinstall

  ---

  Explanation

  CEH v13 identifies kernel-level rootkits as among the most dangerous malware types. Because they operate at the lowest OS level, they can hide processes, files, and system calls.

  CEH v13 states that the only guaranteed remediation is a complete system wipe and clean OS reinstallation from a trusted source . Attempting removal risks incomplete eradication.

  Powering down alone does not remove the rootkit. Honeypots are for detection, not remediation. Tailored removal tools may fail at kernel depth.

• Question 526:

  Which strategy best mitigates session hijacking?

  A. IPsec VPN encryption
  B. Physical security
  C. Network IPS
  D. Security awareness training
  A. IPsec VPN encryption

  ---

  Explanation

  CEH v13 highlights that encrypting session data in transit is one of the strongest defenses against session hijacking. IPsec VPN encrypts the entire IP packet, preventing attackers from capturing usable session tokens.

  IPS helps detection but not prevention. Physical security and awareness do not address technical hijacking.

  Therefore, Option A is correct.

• Question 527:

  Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end encryption of the connection?

  A. SFTP
  B. Ipsec
  C. SSL
  D. FTPS
  B. Ipsec

  ---

  Explanation

  https://en.wikipedia.org/wiki/IPsec

  Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

  IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks. It supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection.

  The initial IPv4 suite was developed with few security provisions. As a part of the IPv4 enhancement, IPsec is a layer 3 OSI model or internet layer end-to-end security scheme. In contrast, while some other Internet security systems in widespread use operate above layer 3, such as Transport Layer Security (TLS) that operates at the Transport Layer and Secure Shell (SSH) that operates at the Application layer, IPsec can automatically secure applications at the IP layer.

• Question 528:

  Mason, a professional hacker, targets an organization and spreads Emotet malware through malicious script. After infecting the victim's device. Mason further used Emotet to spread the infection across local networks and beyond to compromise as many machines as possible. In this process, he used a tool, which is a self- extracting RAR file, to retrieve information related to network resources such as writable share drives. What is the tool employed by Mason in the above scenario?

  A. NetPass.exe
  B. Outlook scraper
  C. WebBrowserPassView
  D. Credential enumerator
  D. Credential enumerator

  ---

  Explanation

  https://us-cert.cisa.gov/ncas/alerts/TA18-201A

  Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator. Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet's access to SMB can result in the infection of entire domains (servers and clients).

• Question 529:

  A penetration tester is investigating a web server that allows unrestricted file uploads without validating file types. Which technique should be used to exploit this vulnerability and potentially gain control of the server?

  A. Perform a SQL injection attack to extract sensitive database information
  B. Upload a shell script disguised as an image file to execute commands on the server
  C. Conduct a brute-force attack on the server's FTP service to gain access
  D. Use a Cross-Site Scripting (XSS) attack to steal user session cookies
  B. Upload a shell script disguised as an image file to execute commands on the server

  ---

  Explanation

  CEH teaches that unrestricted file upload vulnerabilities are among the most dangerous in web applications because they allow attackers to bypass extension checks and upload malicious executable files. When the server fails to validate MIME types, file extensions, or execution permissions, an attacker can upload a web shell disguised as a harmless file, such as "image.php.jpg," which may pass superficial validation and still be executed by the server's interpreter. Once executed, the shell provides the attacker with command execution capabilities, allowing full control over the system. CEH emphasizes that web shells can enable privilege escalation, database compromise, lateral movement, or full server takeover. Unlike SQL injection or XSS, file upload exploitation directly affects server-side execution, making it significantly more severe. Unrestricted upload flaws are commonly tested in CEH labs with tools like Burp Suite to alter content-type headers or bypass client-side filters. This is a high-impact vulnerability requiring strict validation and sandboxing controls.

• Question 530:

  An ethical hacker is hired to conduct a comprehensive network scan of a large organization that strongly suspects potential intrusions into their internal systems. The hacker decides to employ a combination of scanning tools to obtain a detailed understanding of the network. Which sequence of actions would provide the most comprehensive information about the network's status?

  A. Initiate with Nmap for a ping sweep, then use Metasploit to scan for open ports and services, and finally use Hping3 to perform remote OS fingerprinting
  B. Use Hping3 for an ICMP ping scan on the entire subnet, then use Nmap for a SYN scan on identified active hosts, and finally use Metasploit to exploit identified vulnerabilities
  C. Start with Hping3 for a UDP scan on random ports, then use Nmap for a version detection scan, and finally use Metasploit to exploit detected vulnerabilities
  D. Begin with NetScanTools Pro for a general network scan, then use Nmap for OS detection and version detection, and finally perform an SYN flooding with Hping3
  B. Use Hping3 for an ICMP ping scan on the entire subnet, then use Nmap for a SYN scan on identified active hosts, and finally use Metasploit to exploit identified vulnerabilities

  ---

  Explanation

  The sequence of actions that would provide the most comprehensive information about the network's status is to use Hping3 for an ICMP ping scan on the entire subnet, then use Nmap for a SYN scan on identified active hosts, and finally use Metasploit to exploit identified vulnerabilities. This sequence of actions works as follows:

  Use Hping3 for an ICMP ping scan on the entire subnet: This action is used to discover the active hosts on the network by sending ICMP echo request packets to each possible IP address on the subnet and waiting for ICMP echo reply packets from the hosts. Hping3 is a command-line tool that can craft and send custom packets, such as TCP, UDP, or ICMP, and analyze the responses. By using Hping3 for an ICMP ping scan, the hacker can quickly and efficiently identify the live hosts on the network, as well as their response times and packet loss rates12.

  Use Nmap for a SYN scan on identified active hosts: This action is used to scan the open ports and services on the active hosts by sending TCP SYN packets to a range of ports and analyzing the TCP responses. Nmap is a popular and powerful tool that can perform various types of network scans, such as port scanning, service detection, OS detection, and vulnerability scanning. By using Nmap for a SYN scan, the hacker can determine the state of the ports on the active hosts, such as open, closed, filtered, or unfiltered, as well as the services and protocols running on them. A SYN scan is also known as a stealth scan, as it does not complete the TCP three-way handshake and thus avoids logging on the target system34.

  Use Metasploit to exploit identified vulnerabilities: This action is used to exploit the vulnerabilities on the active hosts by using pre-built or custom modules that leverage the open ports and services. Metasploit is a framework that contains a collection of tools and modules for penetration testing and exploitation. By using Metasploit, the hacker can launch various attacks on the active hosts, such as remote code execution, privilege escalation, or backdoor installation, and gain access to the target system or data. Metasploit can also be used to perform post-exploitation tasks, such as gathering information, maintaining persistence, or pivoting to other systems .

  The other options are not as comprehensive as option B for the following reasons:

  A. Initiate with Nmap for a ping sweep, then use Metasploit to scan for open ports and services, and finally use Hping3 to perform remote OS fingerprinting: This option is not optimal because it does not use the tools in the most efficient and effective way. Nmap can perform a ping sweep, but it is slower and less flexible than Hping3, which can craft and send custom packets. Metasploit can scan for open ports and services, but it is more suitable for exploitation than scanning, and it relies on Nmap for port

  scanning anyway. Hping3 can perform remote OS fingerprinting, but it is less accurate and reliable than Nmap, which can use various techniques and probes to determine the OS type and version13 .

  C. Start with Hping3 for a UDP scan on random ports, then use Nmap for a version detection scan, and finally use Metasploit to exploit detected vulnerabilities: This option is not effective because it does not use the best scanning methods and techniques. Hping3 can perform a UDP scan, but it is slower and less reliable than a TCP scan, as UDP is a connectionless protocol that does not always generate responses. Scanning random ports is also inefficient and incomplete, as it may miss important ports or

  services. Nmap can perform a version detection scan, but it is more useful to perform a port scan first, as it can narrow down the scope and speed up the scan. Metasploit can exploit detected vulnerabilities, but it is not clear how the hacker can identify the vulnerabilities without performing a vulnerability scan first13 .

  D. Begin with NetScanTools Pro for a general network scan, then use Nmap for OS detection and version detection, and finally perform an SYN flooding with Hping3: This option is not comprehensive because it does not cover all the aspects and objectives of a network scan. NetScanTools Pro is a graphical tool that can perform various network tasks, such as ping, traceroute, DNS lookup, or port scan, but it is less powerful and versatile than Nmap or Hping3, which can perform more advanced and

  customized scans. Nmap can perform OS detection and version detection, but it is more useful to perform a port scan first, as it can provide more information and insights into the target system. Performing an SYN flooding with Hping3 is not a network scan, but a denial-of-service attack, which can disrupt the network and alert the target system, and it is not an ethical or legal action for a hired hacker13 .

  References:

  1: Hping - Wikipedia

  2: Hping3 Examples - NetworkProGuide

  3: Nmap - Wikipedia

  4: Nmap Tutorial: From Discovery to Exploits Part 1: Introduction to Nmap | HackerTarget.com

  Metasploit Project - Wikipedia Metasploit Unleashed - Offensive Security NetScanTools Pro - Northwest Performance Software, Inc.