EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 581:

  Ralph, a professional hacker, targeted Jane, who had recently bought new systems for her company. After a few days, Ralph contacted Jane while masquerading as a legitimate customer support executive, informing that her systems need to be serviced for proper functioning and that customer support will send a computer technician. Jane promptly replied positively. Ralph entered Jane's company using this opportunity and gathered sensitive information by scanning terminals for passwords, searching for important documents in desks, and rummaging bins. What is the type of attack technique Ralph used on jane?

  A. Dumpster diving
  B. Eavesdropping
  C. Shoulder surfing
  D. impersonation
  D. impersonation

  ---

  Explanation

• Question 582:

  A penetration tester is conducting a security assessment for a client and needs to capture sensitive information transmitted across multiple VLANs without being detected by the organization's security monitoring systems. The network employs strict VLAN segmentation and port security measures. Which advanced sniffing technique should the tester use to discreetly intercept and analyze traffic across all VLANs?

  A. Deploy a rogue DHCP server to redirect network traffic
  B. Exploit a VLAN hopping vulnerability to access multiple VLANs
  C. Implement switch port mirroring on all VLANs
  D. Use ARP poisoning to perform a man-in-the-middle attack
  B. Exploit a VLAN hopping vulnerability to access multiple VLANs

  ---

  Explanation

  VLAN hopping is an advanced attack technique described in CEH materials, used to bypass VLAN segmentation by exploiting switch misconfigurations or vulnerabilities. Two primary methods--switch spoofing and double tagging--allow attackers to gain access to traffic from VLANs they are not authorized to view. This technique enables the capture of inter-VLAN traffic without requiring administrative privileges or triggering security tools. Port mirroring requires administrative control and is not an attack method. Rogue DHCP servers target IP assignment, not VLAN segmentation. ARP poisoning is effective only within a single broadcast domain and cannot traverse VLAN boundaries. Because the objective is to silently access multiple VLANs despite enforced segmentation, VLAN hopping is the correct technique as per CEH's network perimeter attack methodology.

• Question 583:

  Annie, a cloud security engineer, uses the Docker architecture to employ a client/server model in the application she is working on. She utilizes a component that can process API requests and handle various Docker objects, such as containers, volumes. Images, and networks. What is the component of the Docker architecture used by Annie in the above scenario?

  A. Docker client
  B. Docker objects
  C. Docker daemon
  D. Docker registries
  C. Docker daemon

  ---

  Explanation

  Docker uses a client-server design. The docker client talks to the docker daemon, that will the work of building, running, and distributing your docker containers.

  The docker client and daemon will run on the same system, otherwise you will connect a docker consumer to a remote docker daemon. The docker consumer and daemon communicate using a REST API, over OS sockets or a network interface.

  The docker daemon (dockerd) listens for docker API requests and manages docker objects like pictures, containers, networks, and volumes. A daemon may communicate with other daemons to manage docker services.

• Question 584:

  What is the purpose of a DNS AAAA record?

  A. Authorization, Authentication and Auditing record
  B. Address prefix record
  C. Address database record
  D. IPv6 address resolution record
  D. IPv6 address resolution record

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  The AAAA (Quad A) record is the DNS record type used to map a domain name to an IPv6 address. It is the IPv6 equivalent of an A (Address) record, which maps to an IPv4 address.

  From CEH v13 Courseware:

  Module 4: Enumeration # DNS Record Types

  IETF RFC 3596 - DNS Extensions for IPv6

• Question 585:

  Geena, a cloud architect, uses a master component in the Kubernetes cluster architecture that scans newly generated pods and allocates a node to them. This component can also assign nodes based on factors such as the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions.

  Which of the following master components is explained in the above scenario?

  A. Kube-controller-manager
  B. Kube-scheduler
  C. Kube-apiserver
  D. Etcd cluster
  B. Kube-scheduler

  ---

  Explanation

  In CEH v13 Module 16: Cloud Computing and Container Security, Kubernetes components are explained for understanding container orchestration risks.

  Kube-scheduler is the master node component responsible for:

  Assigning newly created pods to available nodes.

  Evaluating each pod's resource requirements.

  Considering node affinity/anti-affinity, data locality, hardware restrictions, etc.

  Ensuring workload balancing across nodes.

  Other Options:

  A. Kube-controller-manager: Manages control loops for replication and status.

  C. Kube-apiserver: Acts as the entry point for all REST commands.

  D. Etcd: A key-value store used to save configuration data.

  Module 16 Kubernetes Architecture and Security Risks

  CEH eBook: Kubernetes Scheduler Role in Pod Lifecycle

• Question 586:

  What is the first step for a hacker conducting a DNS cache poisoning (DNS spoofing) attack against an organization?

  A. The attacker queries a nameserver using the DNS resolver.
  B. The attacker makes a request to the DNS resolver.
  C. The attacker forges a reply from the DNS resolver.
  D. The attacker uses TCP to poison the ONS resofver.
  B. The attacker makes a request to the DNS resolver.

  ---

  Explanation

  https://ru.wikipedia.org/wiki/DNS_spoofing

  DNS spoofing is a threat that copies the legitimate server destinations to divert the domain's traffic. Ignorant these attacks, the users are redirected to malicious websites, which results in insensitive and personal data being leaked. It is a method of attack where your DNS server is tricked into saving a fake DNS entry. This will make the DNS server recall a fake site for you, thereby posing a threat to vital information stored on your server or computer.

  The cache poisoning codes are often found in URLs sent through spam emails. These emails are sent to prompt users to click on the URL, which infects their computer. When the computer is poisoned, it will divert you to a fake IP address that looks like a real thing. This way, the threats are injected into your systems as well.

  Different Stages of Attack of DNS Cache Poisoning:

  - The attacker proceeds to send DNS queries to the DNS resolver, which forwards the Root/TLD authoritative DNS server request and awaits an answer.

  - The attacker overloads the DNS with poisoned responses that contain several IP addresses of the malicious website. To be accepted by the DNS resolver, the attacker's response should match a port number and the query ID field before the DNS response. Also, the attackers can force its response to increasing their chance of success.

  - If you are a legitimate user who queries this DNS resolver, you will get a poisoned response from the cache, and you will be automatically redirected to the malicious website.

• Question 587:

  What two conditions must a digital signature meet?

  A. Has to be the same number of characters as a physical signature and must be unique.
  B. Has to be unforgeable, and has to be authentic.
  C. Must be unique and have special characters.
  D. Has to be legible and neat.
  B. Has to be unforgeable, and has to be authentic.

  ---

  Explanation

  Digital signatures are designed to provide two key guarantees:

  Authenticity - confirming the identity of the sender.

  Unforgeability - ensuring that no one else can produce the same signature without the sender's private key.

  These properties are achieved using a combination of hash functions and asymmetric encryption (digital certificates/private keys).

  CEH v13 Official Study Guide:

  Module 20: Cryptography

  Quote:

  "A valid digital signature ensures that the message comes from a legitimate sender (authenticity) and has not been altered or forged (unforgeability)."

  Incorrect Options:

  A, C, D: Refer to human/visual signatures, not cryptographic properties

• Question 588:

  A cyber attacker has initiated a series of activities against a high-profile organization following the Cyber Kill Chain Methodology. The attacker is presently in the "Delivery" stage. As an Ethical Hacker, you are trying to anticipate the adversary's next move. What is the most probable subsequent action from the attacker based on the Cyber Kill Chain Methodology?

  A. The attacker will attempt to escalate privileges to gain complete control of the compromised system.
  B. The attacker will exploit the malicious payload delivered to the target organization and establish a foothold.
  C. The attacker will initiate an active connection to the target system to gather more data.
  D. The attacker will start reconnaissance to gather as much information as possible about the target.
  B. The attacker will exploit the malicious payload delivered to the target organization and establish a foothold.

  ---

  Explanation

  The most probable subsequent action from the attacker based on the Cyber Kill Chain Methodology is to exploit the malicious payload delivered to the target organization and establish a foothold. This option works as follows:

  The Cyber Kill Chain Methodology is a framework that describes the stages of a cyberattack from the perspective of the attacker. It helps defenders to understand the attacker's objectives, tactics, and techniques, and to design effective countermeasures. The Cyber Kill Chain Methodology consists of seven stages:

  reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives12.

  The delivery stage is the third stage in the Cyber Kill Chain Methodology, and it involves sending or transmitting the weaponized payload to the target system. The delivery stage can use various methods, such as email attachments, web links, removable media, or network protocols. The delivery stage aims to reach the target system and bypass any security controls, such as firewalls, antivirus, or email filters.

  The exploitation stage is the fourth stage in the Cyber Kill Chain Methodology, and it involves executing the malicious payload on the target system. The exploitation stage can use various techniques, such as buffer overflows, code injection, or privilege escalation. The exploitation stage aims to exploit a vulnerability or a weakness in the target system and gain access to its resources, such as files, processes, or memory.

  The installation stage is the fifth stage in the Cyber Kill Chain Methodology, and it involves installing a backdoor or a malware on the target system. The installation stage can use various tools, such as rootkits, trojans, or ransomware. The installation stage aims to establish a foothold on the target system and maintain persistence, which means to survive reboots, updates, or scans.

  Therefore, the most probable subsequent action from the attacker based on the Cyber Kill Chain Methodology is to exploit the malicious payload delivered to the target organization and establish a foothold, because:

  This action follows the logical sequence of the Cyber Kill Chain Methodology, as it is the next stage after the delivery stage.

  This action is consistent with the attacker's goal, as it allows the attacker to gain access and control over the target system and prepare for further actions.

  This action is feasible, as the attacker has already delivered the malicious payload to the target system and may have bypassed some security controls.

  The other options are not as probable as option B for the following reasons:

  A. The attacker will attempt to escalate privileges to gain complete control of the compromised system: This option is possible, but not the most probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather a technique that can be used in the exploitation stage or the installation stage. Privilege escalation is a method of increasing the level of access or permissions on a system, such as from a normal user to an administrator. Privilege escalation can help the attacker to gain

  complete control of the compromised system, but it is not a mandatory step, as the attacker may already have sufficient privileges or may use other techniques to achieve the same goal.

  C. The attacker will initiate an active connection to the target system to gather more data: This option is possible, but not the most probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather a technique that can be used in the command and control stage or the actions on objectives stage. An active connection is a communication channel that allows the attacker to send commands or receive data from the target system, such as a remote shell or a botnet. An active connection

  can help the attacker to gather more data from the target system, but it is not a necessary step, as the attacker may already have enough data or may use other techniques to obtain more data.

  D. The attacker will start reconnaissance to gather as much information as possible about the target: This option is not probable, because it is not the next stage in the Cyber Kill Chain Methodology, but rather the first stage. Reconnaissance is the process of collecting information about the target, such as its IP address, domain name, network structure, services, vulnerabilities, or employees. Reconnaissance is usually done before the delivery stage, as it helps the attacker to identify the target and plan the

  attack. Reconnaissance can be done again after the delivery stage, but it is not the most likely action, as the attacker may already have enough information or may focus on other actions.

  References:

  1: The Cyber Kill Chain: The Seven Steps of a Cyberattack - EC-Council 2: Cyber Kill Chain?| Lockheed Martin

• Question 589:

  Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he properly configures the firewall to allow access just to servers/ports, which can have direct internet access, and block the access to workstations.

  Bob also concluded that DMZ makes sense just when a stateful firewall is available, which is not the case of TPNQM SA.

  In this context, what can you say?

  A. Bob can be right since DMZ does not make sense when combined with stateless firewalls
  B. Bob is partially right. He does not need to separate networks if he can create rules by destination IPs, one by one
  C. Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations
  D. Bob is partially right. DMZ does not make sense when a stateless firewall is available
  C. Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations

  ---

  Explanation

  A DMZ (Demilitarized Zone) is a physical or logical subnet that separates an internal local area network (LAN) from untrusted networks-typically the Internet. It allows an organization to provide external-facing services while isolating internal systems from direct exposure.

  From CEH v13 Official Courseware:

  Module 13: Hacking Web Applications

  Module 14: Hacking Web Servers

  Module 1: Introduction to Ethical Hacking - Security Architecture Concepts

  CEH v13 clearly outlines:

  "A DMZ is critical when deploying Internet-facing servers such as web servers, FTP servers, or mail servers. It provides a buffer zone that allows public access to specific resources while keeping the internal network isolated."

  Bob's assumption is flawed for several reasons:

  DMZs can be implemented even with stateless firewalls using strict access control rules.

  Relying solely on IP-based filtering is error-prone and doesn't offer layered defense.

  A DMZ provides an essential layer of segmentation, protecting internal assets from compromised public servers.

  Incorrect Options:

  A/D: DMZ can still make sense even with stateless firewalls if properly configured.

  B: IP filtering is insufficient as a sole security measure; does not replace the need for network segmentation.

  CEH v13 Study Guide - Module 1and; 14 # Topic: DMZ Design and PurposeNIST SP 800-41 Rev. 1 - Guidelines on Firewalls and Firewall Policy

• Question 590:

  Which type of security feature stops vehicles from crashing through the doors of a building?

  A. Bollards
  B. Receptionist
  C. Mantrap
  D. Turnstile
  A. Bollards

  ---

  Explanation

  Bollards are short vertical posts installed to control or direct road traffic, but more importantly, they act as physical security controls to prevent vehicle-ramming attacks or unauthorized vehicle entry into sensitive or secure areas such as building entrances. They are often reinforced and strategically placed to withstand high- speed collisions.

  This is a physical security control described in CEH v13 Module 01 (Introduction to Ethical Hacking) and further discussed in physical security best practices for preventing unauthorized physical access.

  Incorrect Options:

  B. Receptionist is a human control, not a physical barrier for vehicles.

  C. Mantrap is used to control personnel access, not vehicle access.

  D. Turnstile controls pedestrian entry, not vehicles.

  CEH v13 Official Courseware - Module 01: Introduction to Ethical Hacking # Physical Security Controls # "Vehicle Access Barriers (e.g., bollards, barricades)"