EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 591:

  What kind of detection techniques is being used in antivirus software that identifies malware by collecting data from multiple protected systems and instead of analyzing files locally it's made on the provider's environment?

  A. Behavioral based
  B. Heuristics based
  C. Honeypot based
  D. Cloud based
  D. Cloud based

  ---

  Explanation

  Cloud-based antivirus relies on data collected from endpoint devices and sends that data to cloud servers for real-time malware analysis. This allows rapid updates and detection of new threats without waiting for local signature updates.

  # Reference: CEH v13 Official Study Guide, Module 20: Cryptography and Malware

  "Cloud-based detection systems analyze suspicious files and behaviors in the provider's environment, enabling faster response and reduced endpoint resource usage."

  # Incorrect options:

  A. Behavioral-based detection monitors live activity locally.

  B. Heuristic-based detection uses rules or behavior patterns locally.

  C. Honeypots are decoys for detecting attackers, not antivirus methods.

• Question 592:

  A multinational corporation recently survived a severe Distributed Denial-of-Service (DDoS) attack and has implemented enhanced security measures. During an audit, you discover that the organization uses both hardware- and cloud-based solutions to distribute incoming traffic in order to absorb and mitigate DDoS attacks while ensuring legitimate traffic remains available. What type of DDoS mitigation strategy is the company utilizing?

  A. Black Hole Routing
  B. Load Balancing
  C. Rate Limiting
  D. Sinkholing
  B. Load Balancing

  ---

  Explanation

  This scenario clearly describes Load Balancing as a DDoS mitigation strategy, which is covered under the CEH v13 Network and Perimeter Hacking module. Load balancing distributes incoming network or application traffic across multiple servers or resources to prevent any single system from becoming overwhelmed.

  According to CEH v13, modern DDoS mitigation architectures often combine hardware load balancers with cloud-based scrubbing centers or Content Delivery Networks (CDNs). These systems absorb high traffic volumes and ensure availability by spreading requests across multiple nodes. This approach aligns perfectly with the organization's strategy of absorbing and distributing traffic rather than blocking it outright.

  Other options are incorrect:

  Black hole routing drops all traffic, including legitimate traffic.

  Rate limiting restricts traffic volume rather than distributing it.

  Sinkholing redirects traffic for analysis, not load distribution.

• Question 593:

  An attacker exploits medical imaging protocols to intercept patient data. Which sniffing technique is most challenging?

  A. MRI firmware interception
  B. Ultrasound malware
  C. Covert channel within administrative messages
  D. Embedding data inside CT scan images
  D. Embedding data inside CT scan images

  ---

  Explanation

  This scenario describes steganographic sniffing , a highly sophisticated technique covered in CEH v13 Network Sniffing and Steganography . By embedding sensitive data inside legitimate image files-such as CT scans-attackers can intercept or exfiltrate patient information while avoiding detection.

  Option D represents a steganography-based covert channel , which is extremely difficult to identify because:

  The file appears legitimate

  Standard encryption and IDS tools do not flag it

  Medical images naturally contain large data volumes

  Options A and B involve malware, which is more detectable. Option C involves text-based covert channels, which are easier to analyze than binary image embedding.

  CEH v13 identifies steganography as one of the hardest data-hiding techniques to detect , making Option D correct.

• Question 594:

  An organization has automated the operation of critical infrastructure from a remote location. For this purpose, all the industrial control systems are connected to the Internet. To empower the manufacturing process, ensure the reliability of industrial networks, and reduce downtime and service disruption, the organization deckled to install an OT security tool that further protects against security incidents such as cyber espionage, zero-day attacks, and malware. Which of the following tools must the organization employ to protect its critical infrastructure?

  A. Robotium
  B. BalenaCloud
  C. Flowmon
  D. IntentFuzzer
  C. Flowmon

  ---

  Explanation

  Source: https://www.flowmon.com

  Flowmon empowers manufacturers and utility companies to ensure the reliability of their industrial networks confidently to avoid downtime and disruption of service continuity. This can be achieved by continuous monitoring and anomaly detection so that malfunctioning devices or security incidents, such as cyber espionage, zero-days, or malware, can be reported and remedied as quickly as possible.

• Question 595:

  Morris, an attacker, wanted to check whether the target AP is in a locked state. He attempted using different utilities to identify WPS-enabled APs in the target wireless network. Ultimately, he succeeded with one special command-line utility.

  Which of the following command-line utilities allowed Morris to discover the WPS-enabled APs?

  A. wash
  B. ntptrace
  C. macof
  D. net view
  A. wash

  ---

  Explanation

  In CEH v13 Module 11: Hacking Wireless Networks, WPS (Wi-Fi Protected Setup) is discussed as a vulnerable configuration that can be exploited using tools like Reaver and wash.

  Wash is a command-line utility used to detect WPS-enabled Access Points.

  It provides information about:

  Whether WPS is enabled or locked.

  Signal strength, BSSID, channel, etc.

  Very useful before attempting WPS PIN attacks.

  Option Clarifications:

  B. ntptrace: Used for querying NTP servers, not wireless networks.

  C. macof: Part of dsniff suite; floods network with MAC addresses (DoS tool).

  D. net view: Windows command for listing network shares, not for wireless or WPS.

  Correct answer is A. wash.

  Module 11 - Wireless Tools: Reaver and wash

  CEH iLabs: Using wash to Scan for WPS-enabled Devices

• Question 596:

  You are attempting to crack LM Manager hashes from a Windows 2000 SAM file. You will be using an LM brute-force hacking tool for decryption.

  What encryption algorithm will you be decrypting?

  A. MD4
  B. DES
  C. SHA
  D. SSL
  B. DES

  ---

  Explanation

  LAN Manager (LM) hashes use the DES (Data Encryption Standard) algorithm to hash passwords. Here's how LM hashing works:

  The password is converted to uppercase and padded/truncated to 14 characters.

  Split into two 7-character halves.

  Each half is used as a DES key to encrypt a constant string ("KGS!@#$%")-resulting in a 16-byte LM hash.

  From CEH v13 Courseware:

  Module 6: Malware Threats

  Topic: Windows Password Storage and Cracking

  CEH v13 Study Guide states:

  "LM hashes use the DES encryption algorithm to create password hashes. Due to this method, they are highly vulnerable to brute-force attacks, particularly because they split the password into two 7-character blocks."

  Incorrect Options:

  A: MD4 is used in NTLM hashes.

  C: SHA is not used in LM.

  D: SSL is a transport security protocol, not a hashing algorithm.

  CEH v13 Study Guide - Module 6: Password Storage and Hashing AlgorithmsMicrosoft Documentation LM vs. NTLM Authentication

• Question 597:

  Your company was hired by a small healthcare provider to perform a technical assessment on the network.

  What is the best approach for discovering vulnerabilities on a Windows-based computer?

  A. Use the built-in Windows Update tool
  B. Use a scan tool like Nessus
  C. Check MITRE.org for the latest list of CVE findings
  D. Create a disk image of a clean Windows installation
  B. Use a scan tool like Nessus

  ---

  Explanation

  In a professional penetration test or vulnerability assessment, the most efficient and effective way to discover vulnerabilities on a Windows-based system is to use an automated vulnerability scanning tool such as Nessus.

  Nessus is a widely used vulnerability scanner developed by Tenable. It performs comprehensive scans across systems to identify:

  Missing patches and updates

  Misconfigurations

  Weak or default credentials

  Known vulnerabilities and associated CVEs

  Outdated software versions

  CEH v13 course material emphasizes the use of tools like Nessus, OpenVAS, and Qualys during the Vulnerability Analysis phase of ethical hacking engagements.

  From CEH v13 Official Study Guide (Module 05: Vulnerability Analysis):

  "Vulnerability scanning tools such as Nessus and OpenVAS are used to automatically identify known vulnerabilities in systems, including operating systems, applications, and services. These tools correlate identified issues with CVE entries and offer severity ratings based on CVSS scores."

  Incorrect Options Explained:

  A. The Windows Update tool only updates the operating system and Microsoft applications. It is not designed to detect security flaws or vulnerabilities comprehensively.

  C. MITRE.org is an excellent source of information for known vulnerabilities (CVEs), but it does not scan systems or detect vulnerabilities in a target environment.

  D. Creating a disk image is useful for forensic purposes or backup, but it does not help in actively identifying vulnerabilities in a live system.

  CEH v13 Study Guide:

  Module 05: Vulnerability Analysis

  Section: "Vulnerability Assessment Tools"

  CEH iLabs Exercise: "Using Nessus to Perform Vulnerability Scanning"

• Question 598:

  During a security assessment, a consultant investigates how the application handles requests from authenticated users. They discover that once a user logs in, the application does not verify the origin of subsequent requests. To exploit this, the consultant creates a web page containing a malicious form that submits a funds transfer request to the application. A logged-in user, believing the page is part of a promotional campaign, fills out the form and submits it. The application processes the request successfully without any reauthentication or user confirmation, completing the transaction under the victim's session. Which session hijacking technique is being used in this scenario?

  A. Hijacking a user session using a session fixation attack
  B. Hijacking a user session using a session replay attack
  C. Hijacking a user session using a cross-site request forgery attack
  D. Hijacking a user session using a cross-site script attack
  C. Hijacking a user session using a cross-site request forgery attack

  ---

  Explanation

  CEH v13 describes Cross-Site Request Forgery (CSRF) as an attack in which an authenticated user's browser is tricked into submitting unauthorized actions to a trusted application without the user's intent. CSRF exploits the fact that browsers automatically include stored session cookies when sending requests to a domain the user is logged into. In this scenario, the attacker creates a malicious form that triggers an unwanted funds transfer. Since the application does not validate request origin, enforce CSRF tokens, or require secondary verification, it processes the attacker's forged request as if it came legitimately from the victim. CEH emphasizes that CSRF differs from XSS because no malicious script executes on the target website; instead, the attacker leverages the victim's authenticated session. This is distinct from session fixation (Option A), replay attacks (Option B), and XSS (Option D). The described behavior aligns precisely with CSRF exploitation.

• Question 599:

  An attacker gained escalated privileges on a critical server. What should be done FIRST to contain the threat with minimal disruption?

  A. Engage a forensic team immediately
  B. Power down the server and isolate it
  C. Monitor, analyze, and then isolate the server
  D. Conduct a vulnerability scan on all servers
  C. Monitor, analyze, and then isolate the server

  ---

  Explanation

  CEH v13 follows the Incident Response Lifecycle , which prioritizes identification and analysis before containment , unless there is immediate risk of catastrophic damage. In this scenario, the attacker has escalated privileges, but the organization still needs to understand what actions are being taken , what systems are affected, and whether lateral movement is occurring.

  Option C aligns with CEH v13 best practices. Real-time monitoring and documentation allow analysts to:

  Identify attacker techniques and tools

  Preserve volatile evidence

  Understand scope and impact

  Implement targeted containment

  Immediately powering down the server (Option B) may destroy volatile forensic evidence and disrupt services unnecessarily. Engaging forensic teams (Option A) is important but premature without initial analysis. Running vulnerability scans (Option D) does not address the active threat.

  CEH v13 stresses that informed containment is more effective than reactive shutdowns. Therefore, Option C is correct.

• Question 600:

  During an IDS audit, you notice numerous alerts triggered by legitimate user activity . What is the most likely cause?

  A. Regular users are unintentionally triggering security protocols
  B. The firewall is failing to block malicious traffic
  C. The IDS is outdated and unpatched
  D. The IDS is configured with overly sensitive thresholds
  D. The IDS is configured with overly sensitive thresholds

  ---

  Explanation

  According to the CEH IDS/IPS module, false positives occur when legitimate activity is incorrectly flagged as malicious. The most common cause is overly sensitive IDS rules or thresholds .

  Option D correctly identifies this issue.

  Option A describes the symptom, not the root cause.

  Option B is unrelated to IDS alert behavior.

  Option C can cause missed detections, not excessive alerts.

  CEH recommends proper tuning and baseline profiling .