EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 561:

  Kevin, a professional hacker, wants to penetrate CyberTech Inc.'s network. He employed a technique, using which he encoded packets with Unicode characters. The company's IDS cannot recognize the packet, but the target web server can decode them.

  What is the technique used by Kevin to evade the IDS system?

  A. Desynchronization
  B. Obfuscating
  C. Session splicing
  D. Urgency flag
  B. Obfuscating

  ---

  Explanation

  Adversaries could decide to build an possible or file difficult to find or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. this is often common behavior which will be used across totally different platforms and therefore the network to evade defenses.

  Payloads may be compressed, archived, or encrypted so as to avoid detection. These payloads may be used throughout Initial Access or later to mitigate detection. typically a user's action could also be needed to open and Deobfuscate/Decode Files or info for User Execution. The user can also be needed to input a parole to open a parole protected compressed/encrypted file that was provided by the mortal. Adversaries can also used compressed or archived scripts, like JavaScript.

  Portions of files can even be encoded to cover the plain-text strings that will otherwise facilitate defenders with discovery. Payloads can also be split into separate, ostensibly benign files that solely reveal malicious practicality once reassembled.

  Adversaries can also modify commands dead from payloads or directly via a Command and Scripting Interpreter. surroundings variables, aliases, characters, and different platform/language specific linguistics may be wont to evade signature based mostly detections and application management mechanisms.

• Question 562:

  Attacker Steve targeted an organization's network with the aim of redirecting the company's web traffic to another malicious website. To achieve this goal, Steve performed DNS cache poisoning by exploiting the vulnerabilities In the DNS server software and modified the original IP address of the target website to that of a fake website.

  What is the technique employed by Steve to gather information for identity theft?

  A. Pretexting
  B. Pharming
  C. Wardriving
  D. Skimming
  B. Pharming

  ---

  Explanation

  A pharming attacker tries to send a web site's traffic to a faux website controlled by the offender, typically for the aim of collection sensitive data from victims or putting in malware on their machines. Attacker tend to specialize in making look-alike ecommerce and digital banking websites to reap credentials and payment card data.

  Though they share similar goals, pharming uses a special technique from phishing. "Pharming attacker are targeted on manipulating a system, instead of tricking people into reaching to a dangerous web site," explains David Emm, principal security man of science at Kaspersky. "When either a phishing or pharming attacker is completed by a criminal, they need a similar driving issue to induce victims onto a corrupt location, however the mechanisms during which this is often undertaken are completely different."

• Question 563:

  While performing a security audit of a web application, an ethical hacker discovers a potential vulnerability.

  The application responds to logically incorrect queries with detailed error messages that divulge the underlying database's structure. The ethical hacker decides to exploit this vulnerability further. Which type of SQL Injection attack is the ethical hacker likely to use?

  A. UNION SQL Injection
  B. Blind/inferential SQL Injection
  C. In-band SQL Injection
  D. Error-based SOL Injection
  D. Error-based SOL Injection

  ---

  Explanation

  Error-based SQL Injection is a type of in-band SQL Injection attack that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.

  The ethical hacker is likely to use this type of SQL Injection attack because the application responds to logically incorrect queries with detailed error messages that divulge the underlying database's structure. This means that the attacker can craft malicious SQL queries that trigger errors and reveal information such as table names, column names, data types, etc. The attacker can then use this information to construct more complex queries that extract data from the database.

  For example, if the application uses the following query to display the username of a user based on the user ID:

  SELECT username FROM users WHERE id = '$id'

  The attacker can inject a single quote at the end of the user ID parameter to cause a syntax error:

  SELECT username FROM users WHERE id = '1'

  The application might display an error message like this:

  You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' at line 1

  This error message reveals that the database server is MySQL and that the user ID parameter is enclosed in single quotes. The attacker can then use other techniques such as UNION, subqueries, or conditional statements to manipulate the query and retrieve data from other tables or columns.

  References:

  [CEHv13 Module 05: Sniffing]

  Types of SQL Injection (SQLi) - GeeksforGeeks

  Types of SQL Injection? - Acunetix

• Question 564:

  A sophisticated attacker targets your web server with the intent to execute a Denial of Service (DoS) attack. His strategy involves a unique mixture of TCP SYN, UDP, and ICMP floods, using 'r' packets per second. Your server, reinforced with advanced security measures, can handle 'h' packets per second before it starts showing signs of strain. If 'r' surpasses 'h', it overwhelms the server, causing it to become unresponsive. In a peculiar pattern, the attacker selects 'r' as a composite number and 'h' as a prime number, making the attack detection more challenging. Considering 'r2010' and different values for 'h', which of the following scenarios would potentially cause the server to falter?

  A. h1999 (prime): Despite the attacker's packet flood, the server can handle these requests, remaining responsive
  B. h2003 (prime): The server can manage more packets than the attacker is sending, hence it stays operational
  C. h1993 (prime): Despite being less than 'r', the server's prime number capacity keeps it barely operational, but the risk of falling is imminent
  D. h1987 (prime): The attacker's packet rate exceeds the server's capacity, causing potential unresponsiveness
  D. h1987 (prime): The attacker's packet rate exceeds the server's capacity, causing potential unresponsiveness

  ---

  Explanation

  A Denial of Service (DoS) attack is a type of cyberattack that aims to make a machine or network resource unavailable to its intended users by flooding it with traffic or requests that consume its resources. A TCP SYN flood attack is a type of DoS attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. A UDP flood attack is a type of DoS attack that sends a large number of UDP packets to random ports on the target

  server, forcing it to check for the application listening at that port and reply with an ICMP packet. An ICMP flood attack is a type of DoS attack that sends a large number of ICMP packets, such as ping requests, to the target server, overwhelming its ICMP processing capacity.

  The attacker's strategy involves a unique mixture of TCP SYN, UDP, and ICMP floods, using `r' packets per second. The server can handle `h' packets per second before it starts showing signs of strain. If `r' surpasses `h', it overwhelms the server, causing it to become unresponsive. The attacker selects `r' as a composite number and `h' as a prime number, making the attack detection more challenging. This is because prime numbers are less predictable and more difficult to factorize than composite numbers, which may hinder the analysis of the attack pattern.

  Considering `r2010' and different values for `h', the scenario that would potentially cause the server to falter is the one where `h1987' (prime). This is because `r' is greater than `h' by 23 packets per second, which means the server cannot handle the incoming traffic and will eventually run out of resources. The other scenarios would not cause the server to falter, as `h' is either greater than or very close to `r', which means the server can either manage or barely cope with the incoming traffic. References:

  What is a denial-of-service (DoS) attack? | Cloudflare

  Denial-of-Service (DoS) Attack: Examples and Common Targets - Investopedia

  DDoS Attack Types: Glossary of Terms

  What is a Denial of Service (DoS) Attack? | Webopedia

• Question 565:

  Joseph was the Web site administrator for the Mason Insurance in New York, who's main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an attacker's message ''Hacker Message: You are dead! Freaks!" From his office, which was directly connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact.

  No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web site appeared defaced when his friend visited using his DSL connection. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using hisdial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith. After his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page:

  

  After seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the entire Web site, and determined that every system file and all the Web content on the server were intact. How did the attacker accomplish this hack?

  A. ARP spoofing
  B. SQL injection
  C. DNS poisoning
  D. Routing table injection
  C. DNS poisoning

  ---

  Explanation

  In this scenario, users outside the organization (like Smith and Joseph on dial-up) see the defaced site, while Joseph on the internal corporate network sees the legitimate site. Tripwire confirms that the files on the actual web server are intact. This clearly indicates that the attack was not on the server itself, but rather on how external users are being directed to a malicious server.

  This behavior is indicative of a DNS poisoning attack. The attacker poisoned the DNS cache of an external DNS resolver, redirecting www.masonins.com to a malicious server. Internal DNS servers, unaffected by the poisoning, still resolved to the correct IP address.

  From CEH v13:

  Module 3: DNS Poisoning and Spoofing

  Module 5: Vulnerability Analysis

  CEH v13 Study Guide states:

  "DNS poisoning involves injecting false information into a DNS resolver's cache, causing users to be redirected to malicious websites without changing the actual web server's content."

  Incorrect Options:

  A: ARP spoofing affects local network address resolution, not global DNS.

  B: SQL injection is used to exploit databases, not alter DNS records.

  D: Routing table injection affects traffic routes, but wouldn't explain DNS-level redirection discrepancies.

  CEH v13 Study Guide - Module 3: DNS Poisoning # Real-World ExamplesNIST SP 800-81r2 - Secure DNS Deployment Guide

• Question 566:

  Which among the following is the best example of the hacking concept called "clearing tracks"?

  A. After a system is breached, a hacker creates a backdoor to allow re-entry into a system.
  B. During a cyberattack, a hacker injects a rootkit into a server.
  C. An attacker gains access to a server through an exploitable vulnerability.
  D. During a cyberattack, a hacker corrupts the event logs on all machines.
  D. During a cyberattack, a hacker corrupts the event logs on all machines.

  ---

  Explanation

  "Clearing tracks" is a post-exploitation phase in the ethical hacking methodology in which the attacker removes or alters system evidence to hide their activities and avoid detection. This may include:

  Deleting or modifying event logs

  Clearing bash history or command history

  Removing malware traces

  Disabling auditing

  From CEH v13:

  Corrupting or erasing event logs ensures that system administrators or forensic investigators cannot trace the intrusion or determine how the system was compromised.

  Incorrect Options:

  A. Creating a backdoor is part of the "Maintaining Access" phase, not "Clearing Tracks."

  B. Injecting a rootkit is part of the "Gaining or Maintaining Access" stage.

  C. Exploiting a vulnerability is part of the "Gaining Access" phase.

  CEH v13 Official Courseware:

  Module 05: System Hacking

  Section: "Clearing Logs and Erasing Evidence"

  Subsection: "Track-Clearing Techniques"

  Lab: Log Manipulation and Covering Tracks

• Question 567:

  Jude, a pen tester working in Keiltech Ltd., performs sophisticated security testing on his company's network infrastructure to identify security loopholes. In this process, he started to circumvent the network protection tools and firewalls used in the company. He employed a technique that can create forged TCP sessions by carrying out multiple SYN, ACK, and RST or FIN packets. Further, this process allowed Jude to execute DDoS attacks that can exhaust the network resources. What is the attack technique used by Jude for finding loopholes in the above scenario?

  A. UDP flood attack
  B. Ping-of-death attack
  C. Spoofed session flood attack
  D. Peer-to-peer attack
  C. Spoofed session flood attack

  ---

  Explanation

  In order to circumvent network protection tools, cybercriminals may forge a TCP session more efficiently by submitting a bogus SYN packet, a series of ACK packets, and at least one RST (reset) or FIN (connection termination) packet. This tactic allows crooks to get around defenses that only keep tabs on incoming traffic rather than analyzing return traffic.

• Question 568:

  An organization is performing a vulnerability assessment tor mitigating threats. James, a pen tester, scanned the organization by building an inventory of the protocols found on the organization's machines to detect which ports are attached to services such as an email server, a web server or a database server. After identifying the services, he selected the vulnerabilities on each machine and started executing only the relevant tests. What is the type of vulnerability assessment solution that James employed in the above scenario?

  A. Product-based solutions
  B. Tree-based assessment
  C. Service-based solutions
  D. inference-based assessment
  D. inference-based assessment

  ---

  Explanation

  In an inference-based assessment, scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services, such as an email server, web server, or database server. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.

• Question 569:

  Larry, a security professional in an organization, has noticed some abnormalities In the user accounts on a web server. To thwart evolving attacks, he decided to harden the security of the web server by adopting a countermeasures to secure the accounts on the web server.

  Which of the following countermeasures must Larry implement to secure the user accounts on the web server?

  A. Enable unused default user accounts created during the installation of an OS
  B. Enable all non-interactive accounts that should exist but do not require interactive login
  C. Limit the administrator or toot-level access to the minimum number of users
  D. Retain all unused modules and application extensions
  C. Limit the administrator or toot-level access to the minimum number of users

  ---

  Explanation

• Question 570:

  When considering how an attacker may exploit a web server, what is web server footprinting?

  A. When an attacker implements a vulnerability scanner to identify weaknesses
  B. When an attacker creates a complete profile of the site's external links and file structures
  C. When an attacker gathers system-level data, including account details and server names
  D. When an attacker uses a brute-force attack to crack a web-server password
  B. When an attacker creates a complete profile of the site's external links and file structures

  ---

  Explanation

  Web server footprinting is part of the reconnaissance phase in ethical hacking. It involves gathering detailed information about a web server's structure, external links, available directories, scripts, and technologies in use.

  Techniques include:

  Spidering the site to map all accessible URLs and file paths Identifying hidden directories or backup files

  Analyzing page structures and URL patterns

  This information helps attackers identify areas to target for further scanning or exploitation.

  Incorrect Options:

  A. Vulnerability scanning is active testing, not passive footprinting.

  C. System-level data is gathered in OS or network footprinting.

  D. Brute-force attacks are exploitation techniques, not reconnaissance.

  CEH v13 Official Courseware:

  Module 02: Footprinting and Reconnaissance

  Section: "Web Server Footprinting Techniques"

  Tool Reference: HTTrack, Burp Spider, OWASP ZAP