EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 601:

  A penetration tester is assessing a company's vulnerability to advanced social engineering attacks targeting its legal department. Using detailed knowledge of mergers and legal proceedings, the tester crafts a highly credible pretext to deceive legal employees into sharing confidential case documents. What is the most effective technique?

  A. Send a spear-phishing email referencing specific merger details and requesting document access
  B. Create a fake LinkedIn profile to connect with legal employees and request document sharing
  C. Visit the office in person posing as a new legal intern to request document access
  D. Conduct a mass phishing campaign with generic legal templates attached
  A. Send a spear-phishing email referencing specific merger details and requesting document access

  ---

  Explanation

  CEH identifies spear-phishing as a targeted, context-rich social engineering method tailored to specific individuals or departments. By incorporating accurate insider details, attackers significantly increase trust and likelihood of disclosure.

• Question 602:

  Don, a student, came across a gaming app in a third-party app store and Installed it. Subsequently, all the legitimate apps in his smartphone were replaced by deceptive applications that appeared legitimate. He also received many advertisements on his smartphone after Installing the app. What is the attack performed on Don in the above scenario?

  A. SMS phishing attack
  B. SIM card attack
  C. Agent Smith attack
  D. Clickjacking
  C. Agent Smith attack

  ---

  Explanation

  Agent Smith Attack Agent Smith attacks are carried out by luring victims into downloading and installing malicious apps designed and published by attackers in the form of games, photo editors, or other attractive tools from third-party app stores such as 9Apps. Once the user has installed the app, the core malicious code inside the application infects or replaces the legitimate apps in the victim's mobile device CandC commands. The deceptive application replaces legitimate apps such as WhatsApp, SHAREit, and MX Player with similar infected versions. The application sometimes also appears to be an authentic Google product such as Google Updater or Themes. The attacker then produces a massive volume of irrelevant and fraudulent advertisements on the victim's device through the infected app for financial gain. Attackers exploit these apps to steal critical information such as personal information, credentials, and bank details, from the victim's mobile device through CandC commands.

• Question 603:

  A penetration tester targets a WPA2-PSK wireless network. The tester captures the handshake and wants to speed up cracking the pre-shared key. Which approach is most effective?

  A. Conduct a Cross-Site Scripting (XSS) attack on the router's login page
  B. Use a brute-force attack to crack the pre-shared key manually
  C. Use a dictionary attack with a large wordlist to crack the WPA2 key
  D. Perform a SQL injection attack to bypass the WPA2 authentication
  C. Use a dictionary attack with a large wordlist to crack the WPA2 key

  ---

  Explanation

  CEH v13 explains that WPA2-PSK security relies on the strength of the pre-shared key. Once the 4-way handshake is captured, the attacker must attempt offline cracking. CEH emphasizes that the dictionary attack is the most efficient and commonly used cracking method because it tests structured wordlists, human-derived passwords, and hybrid permutations, dramatically reducing time compared to full brute force. Brute forcing (Option B) is computationally heavy and often impractical unless the password is extremely short. XSS (Option A) and SQL injection (Option D) have no relevance to WPA2 authentication, which occurs at the wireless protocol level, not the router's web interface. The dictionary attack is highlighted in CEH as the principal technique used with tools like aircrack-ng, hashcat, and pyrit, allowing rapid key testing using optimized GPU or CPU cracking. Thus, Option C is the most effective and CEH-aligned method.

• Question 604:

  What is GINA?

  A. Gateway Interface Network Application
  B. GUI Installed Network Application CLASS
  C. Global Internet National Authority (G-USA)
  D. Graphical Identification and Authentication DLL
  D. Graphical Identification and Authentication DLL

  ---

  Explanation

  GINA stands for Graphical Identification and Authentication. It is a Windows component (a DLL) that provides the user interface for logging into a Windows system.

  Located in msgina.dll (in legacy Windows)

  Handles the Ctrl+Alt+Del screen

  Collects credentials (username/password) and passes them to the Local Security Authority (LSA)

  From CEH v13 Courseware:

  Module 6: Malware Threats

  Module 4: Windows Authentication Internals

  CEH v13 Study Guide states:

  "The Graphical Identification and Authentication (GINA) is a DLL that implements the authentication UI for Windows systems. Malicious actors can create custom GINA DLLs to capture login credentials."

  Microsoft MSDN - GINA Architecture (legacy documentation)

• Question 605:

  An employee finds a USB drive labeled "Employee Salary Info 2024" and plugs it into a company computer, causing erratic behavior. What type of social engineering attack is this?

  A. Tempting the victim to engage with a malicious device using curiosity.
  B. Impersonating a senior staff member to extract login credentials.
  C. Using a discarded document to retrieve sensitive information.
  D. Bypassing physical security by following an authorized employee.
  A. Tempting the victim to engage with a malicious device using curiosity.

  ---

  Explanation

  This scenario represents a classic baiting attack , a social engineering technique explicitly described in CEH v13 Social Engineering . In baiting, attackers exploit human curiosity or greed by leaving behind a malicious physical device-most commonly a USB drive-with an enticing label. When the victim plugs the device into a system, malware is automatically executed, leading to compromise.

  Option A precisely captures this behavior. The label "Employee Salary Info 2024" is intentionally designed to entice the victim into interacting with the device. CEH v13 highlights USB baiting as particularly dangerous because it bypasses technical controls and relies solely on human behavior.

  Option B describes pretexting, which involves impersonation. Option C refers to dumpster diving. Option D describes tailgating, a physical access attack. None of these match the USB-based lure described.

  CEH v13 emphasizes that baiting attacks are highly effective in corporate environments and recommends strong security awareness training and disabling USB autorun features as mitigation.

• Question 606:

  A security analyst uses Zenmap to perform an ICMP timestamp ping scan to acquire information related to the current time from the target host machine.

  Which of the following Zenmap options must the analyst use to perform the ICMP timestamp ping scan?

  A. -PY
  B. -PU
  C. -PP
  D. -Pn
  C. -PP

  ---

  Explanation

  In CEH v13 Module 03: Scanning Networks, ICMP scan types are covered under host discovery techniques in Nmap/Zenmap.

  The -PP option in Nmap is used to perform an ICMP timestamp request scan.

  This method sends an ICMP timestamp request and listens for a timestamp reply from the target.

  It helps analysts determine the system uptime and verify whether the host is alive (for stealthy discovery).

  Option Clarification:

  A. -PY: SCTP INIT Ping (used for SCTP-based hosts).

  B. -PU: UDP Ping (sends UDP packets).

  C. -PP: ICMP Timestamp Ping - correct answer.

  D. -Pn: Skips host discovery (treats all hosts as alive), not a ping type.

  Module 03 - Host Discovery Techniques

  CEH Labs: Zenmap and Nmap Scanning with ICMP Ping Options

  Nmap Docs: https://nmap.org/book/man-host-discovery.html

• Question 607:

  Which advanced evasion technique poses the greatest challenge to detect and mitigate?

  A. Covert channel communication using IP header fields
  B. Honeypot spoofing
  C. Polymorphic malware
  D. Packet fragmentation evasion
  A. Covert channel communication using IP header fields

  ---

  Explanation

  Covert channel communication is one of the most sophisticated evasion techniques described in CEH v13 Evasion Techniques . By embedding malicious data within unused or rarely inspected protocol fields (such as IP headers), attackers can bypass firewalls, IDS, and IPS systems entirely.

  Unlike polymorphic malware (Option C), which can still be detected using behavior analysis, covert channels blend seamlessly into legitimate traffic. Packet fragmentation (Option D) is well-known and often mitigated. Honeypot spoofing (Option B) is rare and defensive in nature.

  CEH v13 emphasizes that covert channels are difficult because:

  They do not violate protocol specifications

  They evade signature-based and stateful inspection

  They appear as normal traffic

  Detecting covert channels often requires deep protocol analysis and statistical traffic inspection, making them extremely challenging to mitigate.

• Question 608:

  During a routine security audit, administrators discover that cloud storage backups were illegally accessed and modified . Which countermeasure would most directly mitigate such incidents in the future?

  A. Implementing resource auto-scaling
  B. Regularly conducting SQL injection testing
  C. Deploying biometric entry systems
  D. Adopting the 3-2-1 backup model
  D. Adopting the 3-2-1 backup model

  ---

  Explanation

  The Certified Ethical Hacker (CEH) Cloud Computing and Data Protection module emphasizes the importance of resilient backup strategies to protect against data tampering, ransomware, and unauthorized modification.

  The 3-2-1 backup model is a widely recommended best practice referenced in CEH materials. It requires maintaining:

  3 copies of data

  Stored on 2 different media types

  With 1 copy stored offsite

  This approach ensures that even if cloud backups are compromised or altered, clean and uncompromised versions remain available. CEH documentation highlights this model as a core defense against data integrity attacks in cloud environments.

  Option D directly mitigates the risk of backup tampering.

  Options A B, and C address unrelated security concerns and do not protect backup integrity.

• Question 609:

  A penetration tester is mapping a Windows-based internal network. The tester notices that TCP port 139 and UDP port 137 are open on multiple systems. File and printer sharing is enabled. To retrieve hostnames, user details, and domain roles without triggering alerts, which tool and method would be most effective?

  A. Perform LDAP enumeration via anonymous bind
  B. Use pspasswd to change remote passwords
  C. Run nbtstat -A to query the NetBIOS name table
  D. Use psloggedon to retrieve remote login sessions
  C. Run nbtstat -A to query the NetBIOS name table

  ---

  Explanation

  CEH v13 teaches that NetBIOS enumeration is a key technique for gathering information in Windows environments without raising alarms. Ports 137 and 139 indicate that NetBIOS Name Service (NBNS) and SMB services are active. The tool nbtstat -A retrieves valuable information including computer names, logged-in users, domain/workgroup membership, and system roles-all passively and without authentication. CEH emphasizes that querying NetBIOS is often overlooked by defenders and generates minimal noise, making it ideal for stealth enumeration. LDAP enumeration (Option A) requires directory access and tends to trigger logs. Psloggedon and pspasswd (Options B and D) involve active interaction and authentication attempts, which are far more detectable. nbtstat is the CEH-recommended tool for initial reconnaissance on Windows networks using NetBIOS and SMB, especially when quiet enumeration is required.

• Question 610:

  Ethical backer jane Doe is attempting to crack the password of the head of the it department of ABC company. She Is utilizing a rainbow table and notices upon entering a password that extra characters are added to the password after submitting. What countermeasure is the company using to protect against rainbow tables?

  A. Password key hashing
  B. Password salting
  C. Password hashing
  D. Account lockout
  B. Password salting

  ---

  Explanation

  Passwords are usually delineated as "hashed and salted". salting is simply the addition of a unique, random string of characters renowned solely to the site to every parole before it's hashed, typically this "salt" is placed in front of each password.

  The salt value needs to be hold on by the site, which means typically sites use the same salt for each parole. This makes it less effective than if individual salts are used.

  The use of unique salts means that common passwords shared by multiple users - like "123456" or "password" - aren't revealed revealed when one such hashed password is known - because despite the passwords being the same the immediately and hashed values are not.

  Large salts also protect against certain methods of attack on hashes, including rainbow tables or logs of hashed passwords previously broken.

  Both hashing and salting may be repeated more than once to increase the issue in breaking the security.