EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 551:

  An ethical hacker needs to enumerate user accounts and shared resources within a company's internal network without raising any security alerts. The network consists of Windows servers running default configurations. Which method should the hacker use to gather this information covertly?

  A. Deploy a packet sniffer to capture and analyze network traffic
  B. Perform a DNS zone transfer to obtain internal domain details
  C. Exploit null sessions to connect anonymously to the IPC$ share
  D. Utilize SNMP queries to extract user information from network devices
  C. Exploit null sessions to connect anonymously to the IPC$ share

  ---

  Explanation

  CEH v13 explains that Windows systems running older or default configurations often allow anonymous or null session connections to IPC$ shares, enabling attackers to enumerate users, groups, shares, and other system details without authentication. Null session enumeration is highlighted as a classic yet effective technique because it generates minimal detectable activity and does not require credentials, making it ideal for stealth operations. CEH stresses that SMB null sessions are frequently overlooked in legacy or poorly hardened environments, especially when default permissions remain unchanged. Packet sniffing (Option A) may provide some data but requires traffic visibility and may be detected through monitoring tools. DNS zone transfers (Option B) require misconfigurations and usually do not reveal user list details. SNMP queries (Option D) require community strings and often generate alerts. Therefore, exploiting null sessions is the most covert and effective method for enumerating Windows systems under default configurations.

• Question 552:

  Which of the following steps for risk assessment methodology refers to vulnerability identification?

  A. Determines if any flaws exist in systems, policies, or procedures
  B. Assigns values to risk probabilities; Impact values
  C. Determines risk probability that vulnerability will be exploited (High, Medium, Low)
  D. Identifies sources of harm to an IT system (Natural, Human, Environmental)
  A. Determines if any flaws exist in systems, policies, or procedures

  ---

  Explanation

  Comprehensive and Detailed Explanation From CEH v13 Guide:

  Vulnerability identification is the step in the risk assessment process where security flaws or weaknesses are identified in existing systems, policies, or procedures.

  CEH v13 Reference:

  Module 5: Vulnerability Assessment - Risk Assessment Concepts

  "Vulnerability identification is the process of discovering existing flaws and weaknesses in systems or processes that may be exploited."

• Question 553:

  Which Nmap option would you use if you were not concerned about being detected and wanted to perform a very fast scan?

  A. -T5
  B. -O
  C. -T0
  D. -A
  A. -T5

  ---

  Explanation

  In CEH v13 Module 03: Scanning Networks, Nmap includes timing templates for controlling the speed and stealthiness of scans.

  -T5: Insane mode - very fast, highly aggressive, easily detectable.

  -T0: Paranoid mode - very slow and stealthy.

  -O: Enables OS detection (not related to scan speed).

  -A: Enables OS detection, version detection, script scanning, and traceroute (comprehensive but not specifically about speed).

  Therefore:

  If speed is your goal and you are not concerned about detection, then:

  -T5 is the correct answer.

  Module 03 - Nmap Timing Options

  Nmap Documentation: https://nmap.org/book/man-performance.html

• Question 554:

  The Payment Card Industry Data Security Standard (PCI DSS) contains six different categories of control objectives. Each objective contains one or more requirements, which must be followed in order to achieve compliance. Which of the following requirements would best fit under the objective, "Implement strong access control measures"?

  A. Regularly test security systems and processes.
  B. Encrypt transmission of cardholder data across open, public networks.
  C. Assign a unique ID to each person with computer access.
  D. Use and regularly update anti-virus software on all systems commonly affected by malware.
  C. Assign a unique ID to each person with computer access.

  ---

  Explanation

  This falls under Requirement 8 of PCI DSS: "Identify and authenticate access to system components," which supports the objective of implementing strong access control measures.

  CEH v13 Reference:

  Module 20: Hacking Mobile Platforms and IoT - Compliance Standards

  "PCI DSS requires unique identification for each person with access to ensure accountability and access control."

• Question 555:

  In the process of implementing a network vulnerability assessment strategy for a tech company, the security analyst is confronted with the following scenarios:

  1) A legacy application is discovered on the network, which no longer receives updates from the vendor.

  2) Several systems in the network are found running outdated versions of web browsers prone to distributed attacks.

  3) The network firewall has been configured using default settings and passwords.

  4) Certain TCP/IP protocols used in the organization are inherently insecure.

  The security analyst decides to use vulnerability scanning software. Which of the following limitations of vulnerability assessment should the analyst be most cautious about in this context?

  A. Vulnerability scanning software is limited in its ability to perform live tests on web applications to detect errors or unexpected behavior
  B. Vulnerability scanning software cannot define the impact of an identified vulnerability on different business operations
  C. Vulnerability scanning software is limited in its ability to detect vulnerabilities at a given point in time
  D. Vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed
  D. Vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed

  ---

  Explanation

  Vulnerability scanning software is a tool that can help security analysts identify and prioritize known vulnerabilities in their systems and applications. However, it is not a perfect solution and has some limitations that need to be considered. One of the most critical limitations is that vulnerability scanning software is not immune to software engineering flaws that might lead to serious vulnerabilities being missed. This means that the software itself might have bugs, errors, or oversights that could affect its accuracy, reliability, or performance. For example, the software might:

  Fail to detect some vulnerabilities due to incomplete or outdated databases, incorrect signatures, or insufficient coverage of the target system or application.

  Produce false positives or false negatives due to misinterpretation of the scan results, incorrect configuration, or lack of context or validation.

  Cause unintended consequences or damage to the target system or application due to intrusive or aggressive scanning techniques, such as exploiting vulnerabilities, modifying data, or crashing services.

  Be vulnerable to attacks or compromise by malicious actors who could exploit its weaknesses, tamper with its functionality, or steal its data.

  Therefore, the security analyst should be most cautious about this limitation of vulnerability scanning software, as it could lead to a false sense of security, missed opportunities for remediation, or increased exposure to threats. The security analyst should always verify the scan results, use multiple tools and methods, and update and patch the software regularly to mitigate this risk.

  References:

  [CEHv13 Module 03: Vulnerability Analysis]

  7 limitations of vulnerability scanners

  The pros and cons of vulnerability scanning tools

• Question 556:

  An attacker performs DNS cache snooping using the dig command with the +norecurse flag against a known DNS server. The server returns NOERROR but provides no answer to the query. What does this most likely suggest?

  A. The record was found in the DNS cache and successfully returned.
  B. The DNS server failed to resolve the request.
  C. No client from the DNS server's network has recently accessed the queried domain.
  D. The queried domain has expired and no longer exists.
  C. No client from the DNS server's network has recently accessed the queried domain.

  ---

  Explanation

  According to the Certified Ethical Hacker (CEH) Reconnaissance and Footprinting module, DNS cache snooping is a passive information-gathering technique used to determine whether a specific DNS record exists in a server's cache. Attackers commonly use the dig +norecurse option to prevent the DNS server from querying other DNS servers, thereby revealing only cached results.

  When a DNS server responds with NOERROR but does not return an answer , it indicates that the domain name itself is valid, but the requested record is not present in the DNS cache . CEH documentation explains that this situation usually occurs when no internal client has recently queried that domain , so the DNS server has no cached entry for it.

  Option A is incorrect because a cached record would return a valid answer section.

  Option B is incorrect because NOERROR explicitly means the DNS query was processed successfully.

  Option D is incorrect because an expired or non-existent domain would typically return NXDOMAIN , not NOERROR.

  CEH materials highlight that attackers use DNS cache snooping to infer user behavior, internal browsing habits, and potential target systems within an organization-making option C the correct conclusion.

• Question 557:

  Attackers exfiltrate data using steganography embedded in images. What is the best countermeasure?

  A. Block all outbound traffic
  B. Deploy IPS
  C. Monitor outbound traffic for anomalies
  D. Use steganalysis tools
  D. Use steganalysis tools

  ---

  Explanation

  CEH v13 explains that steganography-based exfiltration hides data within benign-looking files, making it extremely difficult to detect via firewalls or IPS alone. Blocking all outbound traffic is impractical, and IPS systems are not designed to analyze file content deeply for hidden data.

  The most effective countermeasure is steganalysis , which involves inspecting files for statistical anomalies, altered pixel distributions, or hidden payload patterns. CEH v13 identifies steganalysis tools as the only reliable method to detect and decode hidden data.

  Traffic monitoring (Option C) helps identify suspicious transfers but cannot confirm steganography.

• Question 558:

  Peter extracts the SIDs list from a Windows 2000 Server machine using the hacking tool "SIDExtractor".

  Here is the output of the SIDs:

  

  [Image showing multiple user accounts with their Security Identifiers (SIDs)]

  From the above list identify the user account with System Administrator privileges.

  A. John
  B. Rebecca
  C. Sheela
  D. Shawn
  E. Somia
  F. Chang
  G. Micah
  A. John

  ---

  Explanation

  In a Windows system, a Security Identifier (SID) uniquely identifies each user and group. The SID format is:

  S-1-5-21--

  The Relative Identifier (RID) is the last component in the SID string.

  According to Microsoft and CEH v13:

  RID 500 # Built-in Administrator account

  RID 501 # Guest account

  RIDs > 1000 # Regular user accounts

  In the given image, the SID:

  s-1-5-21-1125394485-807628933-54978560-500chang

  has a RID of 500, indicating the built-in administrator account.

  From CEH v13:

  Module 4: Enumeration

  Topic: SID Enumeration

  CEH v13 States:

  "When enumerating Windows systems, the account with RID 500 is always the default Administrator account, unless renamed. Attackers often target this account due to its elevated privileges."

  Incorrect Options:

  All others have RIDs not equal to 500 (e.g., 100, 652, 412, etc.)

  CEH v13 Study Guide - Module 4: Enumeration # Section: SID Enumerationand; Windows Security AccountsMicrosoft Documentation on Well-known SIDs: https://learn.microsoft.com/en-us/windows-server /identity/ad-ds/manage/understand-security-identifiers

• Question 559:

  Steve, a scientist who works in a governmental security agency, developed a technological solution to identify people based on walking patterns and implemented this approach to a physical control access.

  A camera captures people walking and identifies the individuals using Steve's approach.

  After that, people must approximate their RFID badges. Both the identifications are required to open the door.

  In this case, we can say:

  A. Although the approach has two phases, it actually implements just one authentication factor
  B. The solution implements the two authentication factors: physical object and physical characteristic
  C. The solution will have a high level of false positives
  D. Biological motion cannot be used to identify people
  B. The solution implements the two authentication factors: physical object and physical characteristic

  ---

  Explanation

  In authentication, Multi-Factor Authentication (MFA) involves using more than one category of authentication factors:

  Something you know (e.g., password)

  Something you have (e.g., RFID badge, token)

  Something you are (e.g., biometrics like fingerprints, facial recognition, gait)

  In this scenario:

  The RFID badge is "something you have" (a physical object).

  The gait recognition (walking pattern) captured by the camera is a biometric-"something you are" (a physical characteristic).

  Together, these two methods represent two distinct authentication factors, thereby implementing true multi- factor authentication.

  CEH v13 Official Study Guide:

  Module 5: System Hacking

  Topic: Authentication Mechanisms

  Quote:

  "Examples of multi-factor authentication include combining biometrics (something you are) with a smart card or badge (something you have). Gait recognition is considered a behavioral biometric and falls under `something you are'."

  Incorrect Options Explained:

  A. Incorrect - gait and RFID represent two separate factor types, not one.

  C. No evidence in the scenario supports high false positives.

  D. Gait analysis is a recognized biometric method and can be used for identification.

• Question 560:

  A Nessus scan reports a CVSS 9.0 SSH vulnerability allowing remote code execution. What should be immediately prioritized?

  A. Apply the vendor patch and reboot during maintenance
  B. Dismiss it as a false positive if unverified
  C. Reroute SSH traffic to another server
  D. Isolate the server, audit it, and apply patches
  D. Isolate the server, audit it, and apply patches

  ---

  Explanation

  CEH v13 states that vulnerabilities with a CVSS score # 9.0 are critical and require immediate containment . When remote code execution is possible, the system may already be compromised.

  The recommended response is to isolate the affected system , preventing lateral movement, then perform a forensic audit before applying patches. Immediate patching without isolation may alert attackers or destroy evidence.

  Thus, option D aligns with CEH incident response best practices.