EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 611:

  This TCP flag instructs the sending system to transmit all buffered data immediately.

  A. SYN
  B. RST
  C. PSH
  D. URG
  E. FIN
  C. PSH

  ---

  Explanation

  The PSH (Push) flag in TCP instructs the sending system to:

  Immediately deliver data to the application.

  Avoid waiting for additional buffered data to form a full segment.

  This is important in interactive communications like Telnet or SSH, where the delay in transmission would degrade the user experience.

  From CEH v13 Courseware:

  Module 3: Scanning Networks # TCP Flags and Packet Structure

  CEH v13 Study Guide - Module 3: TCP Header Fields and FlagsRFC 793 - Transmission Control Protocol (TCP)

• Question 612:

  You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet.

  How will you achieve this without raising suspicion?

  A. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account
  B. Package the Sales.xls using Trojan wrappers and telnet them back to your home computer
  C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent-looking email or file transfer using Steganography techniques
  D. Change the extension of Sales.xls to sales.txt and upload them as attachment to your Hotmail account
  C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent-looking email or file transfer using Steganography techniques

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Steganography allows someone to hide data (like a spreadsheet or document) within another innocuous- looking file (like an image, video, or audio). This disguises the presence of the data entirely, allowing it to bypass standard data loss prevention (DLP) systems and firewalls, which look for file types and suspicious patterns.

  From CEH v13 Courseware:

  Module 6: Malware Threats # Steganography and Covert Channels

  CEH v13 Study Guide - Module 6: Data Hiding Techniques Using SteganographyNIST SP 800-83 - Guide to Malware Handling and Prevention

• Question 613:

  An attacker scans a host with the below command. Which three flags are set?

  # nmap -sX host.domain.com

  A. This is SYN scan. SYN flag is set.
  B. This is Xmas scan. URG, PUSH and FIN are set.
  C. This is ACK scan. ACK flag is set.
  D. This is Xmas scan. SYN and ACK flags are set.
  B. This is Xmas scan. URG, PUSH and FIN are set.

  ---

  Explanation

  The command nmap -sX initiates what is known as a Xmas Scan. This type of scan is used to analyze how a target system responds to TCP packets with unusual flag combinations, helping the attacker identify live hosts and open ports without completing a full TCP handshake.

  In the Xmas scan, three specific TCP flags are set in the packet:

  URG (Urgent)

  PSH (Push)

  FIN (Finish)

  This combination makes the packet appear "lit up like a Christmas tree," hence the name Xmas scan. These packets are sent to target ports to observe the system's behavior, especially when it does not follow standard RFC 793 behavior.

  Closed ports will usually respond with a RST (reset).

  Open ports may not respond at all, depending on the operating system and configuration.

  This method is typically used to evade detection by firewalls and intrusion detection systems that expect normal TCP traffic patterns.

  Reference CEH v13 Official Study Guide:

  Module 03: Scanning Networks, Section: "TCP Scan Types", Subsection: "Xmas Tree Scan", Page Reference: typically listed under TCP Flag Scanning Techniques.

  CEH v13 iLabs and practical guidance in CEH Engage also cover this scan in reconnaissance simulations.

  Incorrect Options Explained:

  A. SYN scan (-sS) sets only the SYN flag.

  C. ACK scan (-sA) sets the ACK flag.

  D. SYN and ACK flags are used in TCP handshake, not in Xmas scan.

• Question 614:

  Which of the following tools are used for enumeration? (Choose three.)

  A. SolarWinds
  B. USER2SID
  C. Cheops
  D. SID2USER
  E. DumpSec
  B. USER2SID
  D. SID2USER
  E. DumpSec

  ---

  Explanation

  Enumeration is the process of extracting usernames, shares, services, and other system-specific information from a target system. Tools used for enumeration include:

  B. USER2SID: Resolves a username to its associated Security Identifier (SID).

  D. SID2USER: Resolves an SID back to the corresponding username.

  E. DumpSec: A powerful GUI tool used to enumerate users, shares, and permissions on Windows systems.

  From CEH v13 Courseware:

  Module 4: Enumeration

  Section: NetBIOS and Windows Enumeration Tools

  CEH v13 Study Guide states:

  "USER2SID and SID2USER are classic tools used to map usernames to SIDs and vice versa during Windows enumeration. DumpSec can enumerate user accounts, group memberships, and shared resources on systems with open permissions."

  Incorrect Options:

  A. SolarWinds: Primarily a network performance monitoring tool, not designed for enumeration.

  C. Cheops: A network mapping tool, not an enumeration utility.

  CEH v13 Study Guide - Module 4: Enumeration # Windows Enumeration ToolsMicrosoft Windows Security SID Documentation

• Question 615:

  What tool can crack Windows SMB passwords simply by listening to network traffic?

  A. This is not possible
  B. Netbus
  C. NTFSDOS
  D. L0phtcrack
  D. L0phtcrack

  ---

  Explanation

  L0phtCrack is a password auditing and recovery tool. It can:

  Capture password hashes over the network (e.g., via SMB).

  Crack password hashes using dictionary, brute-force, or hybrid attacks.

  It's particularly effective when used on SMB-based challenge-response authentication (NTLM/LM) captured via packet sniffing.

  From CEH v13 Courseware:

  Module 4: Enumeration

  Module 6: Malware Threats

  CEH v13 Study Guide states:

  "L0phtCrack can sniff SMB authentication exchanges from network traffic and extract NTLM password hashes to crack them offline."

  Incorrect Options:

  A: This is possible (hence A is wrong).

  B: Netbus is a backdoor/trojan tool.

  C: NTFSDOS is used to read NTFS partitions under DOS, not for password cracking.

  CEH v13 Study Guide - Module 4: Password Cracking # ToolsL0phtCrack Documentation

• Question 616:

  A Nessus scan reveals a critical SSH vulnerability (CVSS 9.0) allowing potential remote code execution on a Linux server. What action should be immediately prioritized?

  A. Redirect SSH traffic to another server
  B. Treat the finding as a possible false positive
  C. Immediately apply vendor patches and reboot during scheduled downtime
  D. Temporarily isolate the affected server, conduct a forensic audit, and then patch
  D. Temporarily isolate the affected server, conduct a forensic audit, and then patch

  ---

  Explanation

  According to the CEH Vulnerability Assessment and Incident Response modules, vulnerabilities with high CVSS scores and potential RCE must be treated as active threats .

  CEH best practices recommend:

  Immediate containment (network isolation)

  Investigation and impact analysis

  Patch application

  Recovery

  Option D follows the CEH incident response lifecycle precisely.

  Option C is incomplete without containment.

  Options A and B are unsafe.

  CEH emphasizes containment before remediation.

• Question 617:

  A penetration tester is assessing an organization's cloud infrastructure and discovers misconfigured IAM policies on storage buckets. The IAM settings grant read and write permissions to any authenticated user. What is the most effective way to exploit this misconfiguration?

  A. Use leaked API keys to access the cloud storage buckets and exfiltrate data
  B. Execute a SQL injection attack on the organization's website to retrieve sensitive information
  C. Create a personal cloud account to authenticate and access the misconfigured storage buckets
  D. Perform a Cross-Site Scripting (XSS) attack on the cloud management portal to gain access
  C. Create a personal cloud account to authenticate and access the misconfigured storage buckets

  ---

  Explanation

  CEH notes that cloud IAM misconfigurations can unintentionally grant broad access. If any authenticated cloud account is permitted read/write access, attackers can simply authenticate with their own cloud identity and directly interact with the misconfigured storage buckets, enabling data exfiltration or manipulation.

• Question 618:

  A security analyst is preparing to analyze a potentially malicious program believed to have infiltrated an organization's network. To ensure the safety and integrity of the production environment, the analyst decided to use a sheep dip computer for the analysis. Before initiating the analysis, what key step should the analyst take?

  A. Run the potentially malicious program on the sheep dip computer to determine its behavior
  B. Store the potentially malicious program on an external medium, such as a CD-ROM
  C. Connect the sheep dip computer to the organization's internal network
  D. install the potentially malicious program on the sheep dip computer
  B. Store the potentially malicious program on an external medium, such as a CD-ROM

  ---

  Explanation

  A sheep dip computer is a dedicated device that is used to test inbound files or physical media for viruses, malware, or other harmful content, before they are allowed to be used with other computers. The term sheep dip comes from a method of preventing the spread of parasites in a flock of sheep by dipping the new animals that farmers are adding to the flock in a trough of pesticide. A sheep dip computer is isolated from the organization's network and has port monitors, file monitors, network monitors, and antivirus software installed. Before initiating the analysis of a potentially malicious program, the analyst should store the program on an external medium, such as a CD-ROM, and then insert it into the sheep dip computer. This way, the analyst can prevent the program from infecting other devices or spreading over the network, and can safely analyze its behavior and characteristics.

  The other options are not correct steps to take before initiating the analysis. Running the potentially malicious program on the sheep dip computer may cause irreversible damage to the device or compromise its security. Connecting the sheep dip computer to the organization's internal network may expose the network to the risk of infection or attack. Installing the potentially malicious program on the sheep dip computer may not be possible or advisable, as the program may require certain dependencies or permissions that the sheep dip computer does not have or allow.

  References:

  Sheep dip (computing) What Does `Sheep Dip' Mean in Cyber Security?

  Malware Analysis What is a Sheepdip?

• Question 619:

  Which of the following programs is usually targeted at Microsoft Office products?

  A. Polymorphic virus
  B. Multipart virus
  C. Macro virus
  D. Stealth virus
  C. Macro virus

  ---

  Explanation

  A macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application (e.g., word processors and spreadsheet applications). Some applications, such as Microsoft Office, allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. (Wikipedia) NB: The virus Melissa is a well-known macro virus we could find attached to word documents.

• Question 620:

  A penetration tester discovers malware on a system that disguises itself as legitimate software but performs malicious actions in the background. What type of malware is this?

  A. Trojan
  B. Spyware
  C. Worm
  D. Rootkit
  A. Trojan

  ---

  Explanation

  CEH v13 defines a Trojan as malware that appears as a legitimate, trusted software application while secretly executing malicious actions behind the scenes. Trojans rely on deception rather than replication, often masquerading as tools, utilities, updates, or installers. Once executed, they may install backdoors, steal credentials, exfiltrate data, or modify system settings. The defining characteristic emphasized in CEH is the legitimate-looking fade combined with hidden malicious intent , which matches the scenario perfectly.

  Spyware (Option B) focuses on monitoring and data collection but does not necessarily disguise itself as legitimate software.

  Worms (Option C) self-replicate across networks, which is not described here.

  Rootkits (Option D) hide system compromise but do not necessarily pose as legitimate software. Therefore, the malware described is a Trojan.