EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 571:

  You are trying to break into a highly classified top-secret mainframe computer with highest security system in place at Merclyn Barley Bank located in Los Angeles.

  You know that conventional hacking doesn't work in this case, because organizations such as banks are generally tight and secure when it comes to protecting their systems. In other words, you are trying to penetrate an otherwise impenetrable system.

  How would you proceed?

  A. Look for "zero-day" exploits at various underground hacker websites in Russia and China and buy the necessary exploits from these hackers and target the bank's network
  B. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly- paid or disgruntled employee, and offer them money if they'll abuse their access privileges by providing you with sensitive information
  C. Launch DDOS attacks against Merclyn Barley Bank's routers and firewall systems using 100, 000 or more "zombies" and "bots"
  D. Try to conduct Man-in-the-Middle (MiTM) attack and divert the network traffic going to the Merclyn Barley Bank's Webserver to that of your machine using DNS Cache Poisoning techniques
  B. Try to hang around the local pubs or restaurants near the bank, get talking to a poorly- paid or disgruntled employee, and offer them money if they'll abuse their access privileges by providing you with sensitive information

  ---

  Explanation

• Question 572:

  A skilled ethical hacker was assigned to perform a thorough OS discovery on a potential target. They decided to adopt an advanced fingerprinting technique and sent a TCP packet to an open TCP port with specific flags enabled. Upon receiving the reply, they noticed the flags were SYN and ECN-Echo.

  Which test did the ethical hacker conduct and why was this specific approach adopted?

  A. Test 3: The test was executed to observe the response of the target system when a packet with URG, PSH, SYN, and FIN flags was sent, thereby identifying the OS
  B. Qrest 1: The test was conducted because SYN and ECN-Echo flags enabled to allow the hacker to probe the nature of the response and subsequently determine the OS fingerprint
  C. Test 2: This test was chosen because a TCP packet with no flags enabled is known as a NULL packet and this would allow the hacker to assess the OS of the target
  D. Test 6; The hacker selected this test because a TCP packet with the ACK flag enabled sent to a closed TCP port would yield more information about the OS
  B. Qrest 1: The test was conducted because SYN and ECN-Echo flags enabled to allow the hacker to probe the nature of the response and subsequently determine the OS fingerprint

  ---

  Explanation

  The ethical hacker conducted Test 1, which is a TCP/IP stack fingerprinting technique that uses the SYN and ECN-Echo flags to determine the OS of the target system. The SYN flag is used to initiate a TCP connection, and the ECN-Echo flag is used to indicate that the sender supports Explicit Congestion Notification (ECN), which is a mechanism to reduce network congestion. Different OSes have different implementations and responses to these flags, which can reveal their identity. For example, Windows XP and 2000 will reply with SYN and ECN-Echo flags set, while Linux will reply with only SYN flag set. By sending a TCP packet with these flags enabled to an open TCP port and observing the reply, the ethical hacker can probe the nature of the response and subsequently determine the OS fingerprint.

  The ethical hacker adopted this specific approach because it is an advanced and stealthy technique that can evade some firewalls and intrusion detection systems (IDS) that may block or alert other types of packets, such as NULL, FIN, or Xmas packets. Moreover, this technique can provide more accurate and reliable results than other techniques, such as banner grabbing or passive analysis, that may depend on the availability or validity of the information provided by the target system.

  The other options are not correct, as they describe different tests and reasons. Test 3 is a TCP/IP stack fingerprinting technique that uses the URG, PSH, SYN, and FIN flags to determine the OS of the target system. Test 2 is a TCP/IP stack fingerprinting technique that uses a NULL packet, which is a TCP packet with no flags enabled, to determine the OS of the target system. Test 6 is a TCP/IP stack fingerprinting technique that uses the ACK flag, which is used to acknowledge the receipt of a TCP segment, to determine the OS of the target system. References:

  OS and Application Fingerprinting | SANS Institute

  Operating System Fingerprinting | SpringerLink

  OS and Application Fingerprinting - community.akamai.com

  What is OS Fingerprinting and Techniques - Zerosuniverse

• Question 573:

  Which of the following best describes the role of a penetration tester?

  A. A security professional hired to identify and exploit vulnerabilities with permission
  B. A developer who writes malicious code for cyberattacks
  C. A hacker who gains unauthorized access to systems for malicious purposes
  D. A hacker who spreads malware to compromise systems
  A. A security professional hired to identify and exploit vulnerabilities with permission

  ---

  Explanation

  CEH v13 defines a penetration tester as an authorized security professional whose responsibility is to identify, exploit, and report vulnerabilities within an organization's systems, networks, applications, and processes. Unlike malicious hackers, penetration testers operate strictly within legal boundaries , under documented Rules of Engagement (RoE) , and with explicit written permission from the organization. Their goal is not to harm systems but to simulate real-world cyberattacks to help organizations strengthen their defenses. CEH emphasizes the ethical responsibilities of penetration testers, including maintaining confidentiality, avoiding unauthorized data exposure, ensuring minimal operational impact, and providing actionable recommendations. Options B, C, and D describe malicious actors, malware authors, or unauthorized attackers-roles opposite to that of an ethical penetration tester. CEH makes a strong distinction between white-hat ethical hackers and black-hat attackers , with penetration testers firmly falling under the ethical, lawful category. Therefore, Option A accurately reflects CEH's definition of a penetration tester.

• Question 574:

  During a review for DoS threats, several IP addresses generate excessive traffic. Packet inspection shows the TCP three-way handshake is never completed , leaving many connections in a SYN_RECEIVED state and consuming server resources without completing sessions. What type of DoS attack is most likely occurring?

  A. SYN Flood
  B. Ping of Death
  C. UDP Flood
  D. Smurf Attack
  A. SYN Flood

  ---

  Explanation

  In the CEH Denial-of-Service and Network Attacks coverage, a SYN flood is a classic TCP-based DoS technique that exploits the TCP connection establishment process. In a normal handshake, the client sends SYN , the server replies SYN/ACK , and the client completes with ACK . A SYN flood deliberately sends a high volume of SYN packets (often spoofed) but never completes the final ACK. As CEH describes, this leaves the server holding many half-open connections in SYN_RECEIVED , consuming memory and connection table resources (backlog queue). When the backlog fills, legitimate clients cannot establish connections, degrading availability.

  The indicators in your scenario align exactly with CEH's SYN flood fingerprints: incomplete handshakes and accumulation of half-open connections. The goal is resource exhaustion at the connection-management layer rather than bandwidth saturation.

  Option B (Ping of Death) involves malformed/oversized ICMP packets and does not match SYN_RECEIVED behavior. Option C (UDP flood) targets UDP services/ports and creates different symptoms (high UDP traffic, ICMP unreachable messages, service degradation) without half-open TCP states. Option D (Smurf) is ICMP- based amplification via broadcast addresses-again unrelated to incomplete TCP handshakes.

  CEH also notes mitigations such as SYN cookies, increasing backlog, reducing SYN-RECEIVED timers, rate limiting, and upstream filtering-further reinforcing that the described event is a SYN flood.

• Question 575:

  Attackers abused Android Debug Bridge (ADB) to issue unauthorized commands. What is the strongest countermeasure?

  A. Enforce VPN usage
  B. Adopt biometric authentication
  C. Disable ADB except in strictly controlled environments
  D. Frequently update MDM systems
  C. Disable ADB except in strictly controlled environments

  ---

  Explanation

  Android Debug Bridge (ADB) is a powerful debugging interface that, if misconfigured, allows attackers to execute commands remotely. CEH v13 identifies exposed ADB as a critical mobile security risk , especially in enterprise environments.

  The most effective countermeasure is to disable ADB entirely , except when explicitly required for development or troubleshooting, and only within tightly controlled environments. This directly removes the attack vector.

  VPNs and biometrics improve security but do not prevent ADB abuse. Updating MDM systems is important but does not eliminate the risk if ADB remains enabled.

  CEH v13 explicitly recommends strict ADB control as a best practice. Therefore, Option C is the correct answer.

• Question 576:

  Mary, a penetration tester, has found password hashes in a client system she managed to breach. She needs to use these passwords to continue with the test, but she does not have time to find the passwords that correspond to these hashes. Which type of attack can she implement in order to continue?

  A. LLMNR/NBT-NS poisoning
  B. Internal monologue attack
  C. Pass the ticket
  D. Pass the hash
  D. Pass the hash

  ---

  Explanation

  Active Online Attacks: Hash Injection/Pass-the-Hash (PtH) Attack A hash injection/PtH attack allows an attacker to inject a compromised hash into a local session and use the hash to validate network resources The attacker finds and extracts a logged-on domain admin account hash The attacker uses the extracted hash to log on to the domain controller

• Question 577:

  Which protocol is used for setting up secure channels between two devices, typically in VPNs?

  A. PEM
  B. ppp
  C. IPSEC
  D. SET
  C. IPSEC

  ---

  Explanation

  In CEH v13 Module 14: Cryptography, IPSec (Internet Protocol Security) is defined as a framework used to establish secure communication channels over IP networks, particularly in VPNs.

  IPSec supports encryption, authentication, and integrity.

  Operates in Tunnel Mode (VPNs) or Transport Mode (End-to-End).

  Core protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).

  Option Analysis:

  A. PEM: Privacy Enhanced Mail (email encryption).

  B. PPP: Point-to-Point Protocol (data link layer, not encryption).

  C. IPSEC: VPN encryption protocol.

  D. SET: Secure Electronic Transaction (used in payment systems, obsolete).

  Module 14 - IPSec Overview in VPN Security

  CEH eBook: Protocols Used in VPNs - IPSec, L2TP, PPTP

• Question 578:

  Abel, a security professional, conducts penetration testing in his client organization to check for any security loopholes. He launched an attack on the DHCP servers by broadcasting forged DHCP requests and leased all the DHCP addresses available in the DHCP scope until the server could not issue any more IP addresses. This led to a Dos attack, and as a result, legitimate employees were unable to access the clients network. Which of the following attacks did Abel perform in the above scenario?

  A. VLAN hopping
  B. DHCP starvation
  C. Rogue DHCP server attack
  D. STP attack
  B. DHCP starvation

  ---

  Explanation

  A DHCP starvation assault is a pernicious computerized assault that objectives DHCP workers. During a DHCP assault, an unfriendly entertainer floods a DHCP worker with false DISCOVER bundles until the DHCP worker debilitates its stock of IP addresses. When that occurs, the aggressor can deny genuine organization clients administration, or even stock an other DHCP association that prompts a Man-in-the- Middle (MITM) assault.

  In a DHCP Starvation assault, a threatening entertainer sends a huge load of false DISCOVER parcels until the DHCP worker thinks they've used their accessible pool. Customers searching for IP tends to find that there are no IP addresses for them, and they're refused assistance. Furthermore, they may search for an alternate DHCP worker, one which the unfriendly entertainer may give. What's more, utilizing a threatening or sham IP address, that unfriendly entertainer would now be able to peruse all the traffic that customer sends and gets.

  In an unfriendly climate, where we have a malevolent machine running some sort of an instrument like Yersinia, there could be a machine that sends DHCP DISCOVER bundles. This malevolent customer doesn't send a modest bunch - it sends a great many vindictive DISCOVER bundles utilizing sham, made-up MAC addresses as the source MAC address for each solicitation.

  In the event that the DHCP worker reacts to every one of these false DHCP DISCOVER parcels, the whole IP address pool could be exhausted, and that DHCP worker could trust it has no more IP delivers to bring to the table to legitimate DHCP demands.

  When a DHCP worker has no more IP delivers to bring to the table, ordinarily the following thing to happen would be for the aggressor to get their own DHCP worker. This maverick DHCP worker at that point starts giving out IP addresses.

  The advantage of that to the assailant is that if a false DHCP worker is distributing IP addresses, including default DNS and door data, customers who utilize those IP delivers and begin to utilize that default passage would now be able to be directed through the aggressor's machine. That is all that an unfriendly entertainer requires to play out a man-in-the-center (MITM) assault.

• Question 579:

  After an audit, the auditors Inform you that there is a critical finding that you must tackle Immediately. You read the audit report, and the problem is the service running on port 389. Which service Is this and how can you tackle the problem?

  A. The service is LDAP. and you must change it to 636. which is LDPAPS.
  B. The service is NTP. and you have to change It from UDP to TCP in order to encrypt it
  C. The findings do not require immediate actions and are only suggestions.
  D. The service is SMTP, and you must change it to SMIME. which is an encrypted way to send emails.
  A. The service is LDAP. and you must change it to 636. which is LDPAPS.

  ---

  Explanation

  https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

  LDAP, the Lightweight Directory Access Protocol, is a mature, flexible, and well supported standards-based mechanism for interacting with directory servers. It's often used for authentication and storing information about users, groups, and applications, but an LDAP directory server is a fairly general-purpose data store and can be used in a wide variety of applications. The LDAP protocol can deal in quite a bit of sensitive data: Active Directory usernames, login attempts, failed-login notifications, and more. If attackers get ahold of that data in flight, they might be able to compromise data like legitimate AD credentials and use it to poke around your network in search of valuable assets.

  Encrypting LDAP traffic in flight across the network can help prevent credential theft and other malicious activity, but it's not a failsafe-and if traffic is encrypted, your own team might miss the signs of an attempted attack in progress.

  While LDAP encryption isn't standard, there is a nonstandard version of LDAP called Secure LDAP, also known as "LDAPS" or "LDAP over SSL" (SSL, or Secure Socket Layer, being the now-deprecated ancestor of Transport Layer Security).

  LDAPS uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connecting with a client.

• Question 580:

  You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your company's network. You have configured the most secure policies and tightened every device on your network. You are confident that hackers will never be able to gain access to your network with complex security system in place.

  Your peer, Peter Smith who works at the same department disagrees with you. He says even the best network security technologies cannot prevent hackers gaining access to the network because of presence of "weakest link" in the security chain.

  What is Peter Smith talking about?

  A. Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain
  B. "Zero-day" exploits are the weakest link in the security chain since IDS will not be able to detect these attacks
  C. "Polymorphic viruses" are the weakest link in the security chain since antivirus scanners will not be able to detect these attacks
  D. Continuous spam emails cannot be blocked by your security system since spammers use different techniques to bypass filters
  A. Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  The "weakest link" in cybersecurity is almost always the human element. Even with cutting-edge technology and airtight configurations, untrained or careless users can fall for phishing attacks, use weak passwords, or mishandle sensitive data - giving hackers a path into the system.

  From CEH v13 Courseware:

  Module 7: Social Engineering

  Topic: Human Element in Security Breaches

  CEH v13 Study Guide - Module 7: Insider Threats and Social EngineeringSANS Security Awareness Program - Human Risk Management