EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 541:

  You are the Network Admin, and you get a complaint that some of the websites are no longer accessible. You try to ping the servers and find them to be reachable. Then you type the IP address and then you try on the browser, and find it to be accessible. But they are not accessible when you try using the URL.

  What may be the problem?

  A. Traffic is Blocked on UDP Port 53
  B. Traffic is Blocked on TCP Port 80
  C. Traffic is Blocked on TCP Port 54
  D. Traffic is Blocked on UDP Port 80
  A. Traffic is Blocked on UDP Port 53

  ---

  Explanation

  Most likely have an issue with DNS.

  DNS stands for "Domain Name System." It's a system that lets you connect to websites by matching human- readable domain names (like example.com) with the server's unique ID where a website is stored.

  Think of the DNS system as the internet's phonebook. It lists domain names with their corresponding identifiers called IP addresses, instead of listing people's names with their phone numbers. When a user enters a domain name like wpbeginner.com on their device, it looks up the IP address and connects them to the physical location where that website is stored.

  NOTE: Often DNS lookup information will be cached locally inside the querying computer or remotely in the DNS infrastructure. There are typically 8 steps in a DNS lookup. When DNS information is cached, steps are skipped from the DNS lookup process, making it quicker. The example below outlines all 8 steps when nothing is cached.

  The 8 steps in a DNS lookup:

  1. A user types `example.com' into a web browser, and the query travels into the Internet and is received by a DNS recursive resolver;

  2. The resolver then queries a DNS root nameserver;

  3. The root server then responds to the resolver with the address of a Top-Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD;

  4. The resolver then requests the .com TLD;

  5. The TLD server then responds with the IP address of the domain's nameserver, example.com;

  6. Lastly, the recursive resolver sends a query to the domain's nameserver;

  7. The IP address for example.com is then returned to the resolver from the nameserver;

  8. The DNS resolver then responds to the web browser with the IP address of the domain requested initially;

  Once the 8 steps of the DNS lookup have returned the IP address for example.com, the browser can request the web page:

  9. The browser makes an HTTP request to the IP address;

  10. The server at that IP returns the webpage to be rendered in the browser.

  NOTE 2: DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests. And if this port is blocked, then a problem arises already in the first step. But the ninth step is performed without problems.

• Question 542:

  You have been hired as an intern at a start-up company. Your first task is to help set up a basic web server for the company's new website. The team leader has asked you to make sure the server is secure from common - threats. Based on your knowledge from studying for the CEH exam, which of the following actions should be your priority to secure the web server?

  A. Installing a web application firewall
  B. limiting the number of concurrent connections to the server
  C. Encrypting the company's website with SSL/TLS
  D. Regularly updating and patching the server software
  D. Regularly updating and patching the server software

  ---

  Explanation

  One of the most important actions to secure a web server from common threats is to regularly update and patch the server software. This includes the operating system, the web server software, the database software, and any other applications or frameworks that run on the server. Updating and patching the server software can fix known vulnerabilities, bugs, or errors that could be exploited by attackers to compromise the server or the website. Failing to update and patch the server software can expose the server to common attacks, such as SQL injection, cross-site scripting, remote code execution, denial-of-service, etc.

  Installing a web application firewall, limiting the number of concurrent connections to the server, and encrypting the company's website with SSL/TLS are also good practices to secure a web server, but they are not as critical as updating and patching the server software. A web application firewall can filter and block malicious requests, but it cannot prevent attacks that exploit unpatched vulnerabilities in the server software. Limiting the number of concurrent connections to the server can prevent overload and improve performance, but it cannot stop attackers from sending malicious requests or payloads. Encrypting the company's website with SSL/TLS can protect the data in transit between the server and the client, but it cannot protect the data at rest on the server or prevent attacks that target the server itself.

  Therefore, the priority action to secure a web server from common threats is to regularly update and patch the server software.

  References:

  Web Server Security- Beginner's Guide - Astra Security Blog

  Top 10 Web Server Security Best Practices | Liquid Web

  Server Security Tips and Best Practices To Secure Your Server - phoenixNAP

• Question 543:

  An organization decided to harden its security against web-application and web-server attacks. John, a security personnel in the organization, employed a security scanner to automate web-application security testing and to guard the organization's web infrastructure against web-application threats. Using that tool, he also wants to detect XSS, directory transversal problems, fault injection, SQL injection, attempts to execute commands, and several other attacks. Which of the following security scanners will help John perform the above task?

  A. AlienVaultSSIMTM
  B. Syhunt Hybrid
  C. Saleae Logic Analyzer
  D. Cisco ASA
  B. Syhunt Hybrid

  ---

  Explanation

  Syhunt Hybrid combines comprehensive static and dynamic security scans to detect vulnerabilities like XSS, File Inclusion, SQL Injection, Command Execution and many more, including inferential, in-band and out-of- band attacks through Hybrid-Augmented Analysis (HAST). With Syhunt's unique gray box/hybrid scanning capability the information acquired during source code scans is automatically used to create and enhance dynamic scans. All entry points are covered generating detailed information about the security level of your web applications. Available for on-premises deployment for businesses using Windows and Linux 64-bit.

  Web Server Security Tools - Web Application Security Scanners The Syhunt Hybrid scanner automates web application security testing and guards the organization's web infrastructure against web application security threats. Syhunt Dynamic crawls websites and detects XSS, directory transversal problems, fault injection, SQL injection, attempts to execute commands, and several other attacks. (P.1713/1697)

• Question 544:

  Which of the following tools can be used for passive OS fingerprinting?

  A. nmap
  B. tcpdump
  C. tracert
  D. ping
  B. tcpdump

  ---

  Explanation

  Passive OS fingerprinting involves observing traffic from a remote host and analyzing it to infer details about the operating system without actively sending packets or probes. This is useful in stealthy reconnaissance where avoiding detection is critical.

  tcpdump is a packet analyzer that captures traffic in real time. By analyzing certain TCP/IP header fields such as TTL (Time-To-Live), window size, TCP options, and DF (Don't Fragment) flags, attackers can passively deduce the operating system of the target host.

  CEH v13 Guide states: "Passive fingerprinting tools like tcpdump and Wireshark allow the attacker to capture packets and analyze them for OS-specific traits, making it possible to identify the OS without sending packets to the target system."

  CEH v13 Study Guide:

  Module 02: Footprinting and Reconnaissance, Section: "OS Fingerprinting Techniques", Subsection: "Passive OS Fingerprinting"

  Incorrect Options Explained:

  A: nmap is primarily an active scanning tool (though it has limited passive capabilities).

  C: tracert is used for tracing packet routes, not OS fingerprinting.

  D: ping checks host availability and latency, not OS details.

• Question 545:

  John, a professional hacker, performs a network attack on a renowned organization and gains unauthorized access to the target network. He remains in the network without being detected for a long time and obtains sensitive information without sabotaging the organization. Which of the following attack techniques is used by John?

  A. Advanced persistent theft
  B. threat Diversion theft
  C. Spear-phishing sites
  D. insider threat
  A. Advanced persistent theft

  ---

  Explanation

  An advanced persistent threat (APT) may be a broad term wont to describe AN attack campaign within which an intruder, or team of intruders, establishes a bootleg, long presence on a network so as to mine sensitive knowledge.

  The targets of those assaults, that square measure terribly fastidiously chosen and researched, usually embrace massive enterprises or governmental networks. the implications of such intrusions square measure huge, and include:

  Intellectual property thieving (e.g., trade secrets or patents)

  Compromised sensitive info (e.g., worker and user personal data)

  The sabotaging of essential structure infrastructures (e.g., information deletion)

  Total website takeovers

  Executing an APT assault needs additional resources than a regular internet application attack. The perpetrators square measure typically groups of intimate cybercriminals having substantial resource. Some APT attacks square measure government-funded and used as cyber warfare weapons.

  APT attacks dissent from ancient internet application threats, in that:

  They're considerably additional advanced.

  They're not hit and run attacks-once a network is infiltrated, the culprit remains so as to realize the maximum amount info as potential.

  They're manually dead (not automated) against a selected mark and indiscriminately launched against an outsized pool of targets.

  They typically aim to infiltrate a complete network, as opposition one specific half.

  More common attacks, like remote file inclusion (RFI), SQL injection and cross-site scripting (XSS), square measure oftentimes employed by perpetrators to ascertain a footing in a very targeted network. Next, Trojans and backdoor shells square measure typically wont to expand that foothold and make a persistent presence inside the targeted perimeter.

• Question 546:

  Abel, a cloud architect, uses container technology to deploy applications/software including all its dependencies, such as libraries and configuration files, binaries, and other resources that run independently from other processes in the cloud environment. For the containerization of applications, he follows the five- tier container technology architecture. Currently. Abel is verifying and validating image contents, signing images, and sending them to the registries.

  Which of the following tiers of the container technology architecture Is Abel currently working in?

  A. Tier-1: Developer machines
  B. Tier-4: Orchestrators
  C. Tier-3: Registries
  D. Tier-2: Testing and accreditation systems
  D. Tier-2: Testing and accreditation systems

  ---

  Explanation

  The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards. See authorization to operate (ATO). Rationale: The Risk Management Framework uses a new term to refer to this concept, and it is called authorization.

  Identifies the information resources covered by an accreditation decision, as distinguished from separately accredited information resources that are interconnected or with which information is exchanged via messaging. Synonymous with Security Perimeter.

  For the purposes of identifying the Protection Level for confidentiality of a system to be accredited, the system has a conceptual boundary that extends to all intended users of the system, both directly and indirectly connected, who receive output from the system. See authorization boundary. Rationale: The Risk Management Framework uses a new term to refer to the concept of accreditation, and it is called authorization. Extrapolating, the accreditation boundary would then be referred to as the authorization boundary.

• Question 547:

  A penetration tester evaluates a secure web application using HTTPS, secure cookies, and multi-factor authentication. To hijack a legitimate user's session without triggering alerts, which technique should be used?

  A. Exploit a browser zero-day vulnerability to inject malicious scripts
  B. Implement a man-in-the-middle attack by compromising a trusted network device
  C. Perform a Cross-Site Request Forgery (CSRF) attack to manipulate session tokens
  D. Utilize a session token replay attack by capturing encrypted tokens
  C. Perform a Cross-Site Request Forgery (CSRF) attack to manipulate session tokens

  ---

  Explanation

  CEH v13 describes Cross-Site Request Forgery (CSRF) as a technique that forces authenticated users to unknowingly execute actions within a web application without their intent. Unlike session hijacking methods that require stealing or replaying session cookies, CSRF exploits the trust relationship that the server has with a user's browser. Even with HTTPS, secure cookies, and MFA, once a user is authenticated, the browser automatically sends session cookies with each request. If the attacker convinces the victim to load a maliciously crafted webpage or URL, the browser sends a forged request to the target application, executing actions under the user's authenticated session. CEH notes that secure cookies and MFA do not stop CSRF because no credentials are stolen-only forced actions occur. This technique is sophisticated because it leaves minimal traces, avoids direct cookie manipulation, bypasses robust authentication mechanisms, and leverages design weaknesses rather than technical misconfigurations. Protection typically requires anti-CSRF tokens and proper origin validation.

• Question 548:

  As a Certified Ethical Hacker, you are assessing a corporation's serverless cloud architecture . The organization experienced an attack where a user manipulated a function-as-a-service (FaaS) component to execute malicious commands. The root cause was traced to an insecure third-party API used within a serverless function. What is the most effective countermeasure to strengthen the security posture?

  A. Regularly updating serverless functions to reduce vulnerabilities.
  B. Using a Cloud Access Security Broker (CASB) to enforce third-party policies.
  C. Deploying a Cloud-Native Security Platform (CNSP) for full cloud protection.
  D. Implementing function-level permissions and enforcing the principle of least privilege.
  D. Implementing function-level permissions and enforcing the principle of least privilege.

  ---

  Explanation

  The Certified Ethical Hacker (CEH) Cloud Computing module emphasizes that serverless environments rely heavily on granular permission models . Attacks involving compromised APIs often succeed because functions are granted excessive privileges .

  Option D is correct because enforcing function-level permissions and the principle of least privilege directly limits what a compromised function can execute. CEH documentation states this is the primary defense against serverless abuse.

  Option A is beneficial but reactive.

  Option B focuses on SaaS governance rather than FaaS execution control.

  Option C provides visibility but does not directly prevent privilege misuse.

  CEH highlights identity and access management (IAM) as critical in serverless security.

• Question 549:

  Johnson, an attacker, performed online research for the contact details of reputed cybersecurity firms. He found the contact number of sibertech.org and dialed the number, claiming himself to represent a technical support team from a vendor. He warned that a specific server is about to be compromised and requested sibertech.org to follow the provided instructions. Consequently, he prompted the victim to execute unusual commands and install malicious files, which were then used to collect and pass critical Information to Johnson's machine. What is the social engineering technique Steve employed in the above scenario?

  A. Quid pro quo
  B. Diversion theft
  C. Elicitation
  D. Phishing
  A. Quid pro quo

  ---

  Explanation

  https://www.eccouncil.org/what-is-social-engineering/

  This Social Engineering scam involves an exchange of information that can benefit both the victim and the trickster. Scammers would make the prey believe that a fair exchange will be present between both sides, but in reality, only the fraudster stands to benefit, leaving the victim hanging on to nothing. An example of a Quid Pro Quo is a scammer pretending to be an IT support technician. The con artist asks for the login credentials of the company's computer saying that the company is going to receive technical support in return. Once the victim has provided the credentials, the scammer now has control over the company's computer and may possibly load malware or steal personal information that can be a motive to commit identity theft.

  "A quid pro quo attack (aka something for something" attack) is a variant of baiting. Instead of baiting a target with the promise of a good, a quid pro quo attack promises a service or a benefit based on the execution of a specific action."

• Question 550:

  Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

  A. ESP transport mode
  B. ESP confidential
  C. AH permiscuous
  D. AH Tunnel mode
  A. ESP transport mode

  ---

  Explanation

  ESP (Encapsulating Security Payload) in transport mode is used for end-to-end communication between hosts within the same LAN. It encrypts only the payload, not the header, ensuring confidentiality and integrity while maintaining efficient routing.

  CEH v13 Official Study Guide:

  Module 20: Cryptography

  Quote:

  "In ESP transport mode, only the data payload is encrypted, making it ideal for secure communication within a LAN where the IP header must remain intact for routing."

  Incorrect Options Explained:

  B and C. Not valid IPSec modes.

  D. AH tunnel mode ensures integrity but does not provide encryption.