EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 621:

  While performing an Nmap scan against a host, Paola determines the existence of a firewall. In an attempt to determine whether the firewall is stateful or stateless, which of the following options would be best to use?

  A. -sA
  B. -sX
  C. -sT
  D. -sF
  A. -sA

  ---

  Explanation

  -sA (TCP ACK scan)

  This scan is different than the others discussed so far in that it never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

  The ACK scan probe packet has only the ACK flag set (unless you use --scanflags). When scanning unfiltered systems, open and closed ports will both return a RST packet. Nmap then labels them as unfiltered, meaning that they are reachable by the ACK packet, but whether they are open or closed is undetermined. Ports that don't respond, or send certain ICMP error messages back (type 3, code 0, 1, 2, 3, 9, 10, or 13), are labeled filtered.

• Question 622:

  A penetration tester must enumerate user accounts and network resources in a highly secured Windows environment where SMB null sessions are blocked. Which technique should be used to gather this information discreetly?

  A. Utilize NetBIOS over TCP/IP to list shared resources anonymously
  B. Exploit a misconfigured LDAP service to perform anonymous searches
  C. Leverage Active Directory Web Services for unauthorized queries
  D. Conduct a zone transfer by querying the organization's DNS servers
  B. Exploit a misconfigured LDAP service to perform anonymous searches

  ---

  Explanation

  CEH v13 explains that when traditional enumeration techniques-such as SMB null sessions-are disabled, attackers often pivot to misconfigured LDAP services that still allow anonymous binding. LDAP anonymous bind, when not properly restricted, exposes directory information such as usernames, organizational units, group memberships, and other metadata. This aligns directly with the scenario, where the tester must avoid triggering alarms while still gathering internal data. LDAP queries generate minimal noise, often blending with normal authentication-related traffic, making them ideal for covert enumeration. Options A and C would require authentication or violate access restrictions, and DNS zone transfers (Option D) rarely succeed because modern DNS servers disable AXFR requests from unauthorized clients. CEH repeatedly stresses the importance of detecting and securing LDAP anonymous bind due to its potential for silent information leakage-making Option B the correct choice.

• Question 623:

  While assessing a web server, a tester sends malformed HTTP requests and compares responses to identify the server type and version. What technique is being employed?

  A. Fingerprinting server identity using banner-grabbing techniques
  B. Sending phishing emails to extract web server login credentials
  C. Conducting session fixation using malformed cookie headers
  D. Injecting scripts into headers for persistent XSS attacks
  A. Fingerprinting server identity using banner-grabbing techniques

  ---

  Explanation

  CEH v13 explains that fingerprinting is a core reconnaissance technique used to identify software versions, server types, and configurations by analyzing how systems respond to crafted or abnormal input. When testers send malformed HTTP verbs, unusual headers, or atypical URI structures, the server's specific response codes, banners, and error messages reveal distinctive behavioral patterns. These patterns allow tools like httprint, Nmap NSE scripts, and custom probes to match the responses to known server profiles. This technique is part of active reconnaissance, enabling attackers to determine vulnerabilities associated with specific versions. Phishing (Option B) is unrelated to protocol analysis. Session fixation (Option C) manipulates session identifiers, not HTTP response patterns. Persistent XSS (Option D) relies on web application vulnerabilities, not server fingerprinting. Thus, the tester is performing HTTP-based server fingerprinting.

• Question 624:

  As an IT security analyst, you perform network scanning using ICMP Echo Requests . During the scan, several IP addresses do not return Echo Replies, yet other network services remain operational. How should this situation be interpreted?

  A. The non-responsive IP addresses indicate severe network congestion.
  B. A firewall or security control is likely blocking ICMP Echo Requests.
  C. The lack of Echo Replies indicates an active security breach.
  D. The IP addresses are unused and available for reassignment.
  B. A firewall or security control is likely blocking ICMP Echo Requests.

  ---

  Explanation

  The CEH Network Scanning module explains that ICMP Echo Requests are often filtered or blocked by firewalls, routers, or host-based security controls as a defensive measure to reduce reconnaissance exposure. When systems fail to respond to ICMP Echo Requests but continue to function normally for other services, CEH indicates that this behavior typically means ICMP traffic is being blocked , not that the host is offline or compromised.

  Option B is correct.

  Option A would affect all services.

  Option C lacks supporting indicators.

  Option D is speculative and unreliable.

  CEH emphasizes that ICMP filtering is common in hardened networks.

• Question 625:

  CyberTech Inc. recently experienced SQL injection attacks on its official website. The company appointed Bob, a security professional, to build and incorporate defensive strategies against such attacks. Bob adopted a practice whereby only a list of entities such as the data type, range, size, and value, which have been approved for secured access, is accepted. What is the defensive technique employed by Bob in the above scenario?

  A. Output encoding
  B. Enforce least privileges
  C. Whitelist validation
  D. Blacklist validation
  C. Whitelist validation

  ---

  Explanation

  Whitelist validation (also known as allowlist validation) is a robust defensive strategy where only pre- approved input formats are accepted. This includes:

  Restricting input to specific data types (e.g., integer, string)

  Limiting size, format, or allowed characters

  Accepting only expected values (e.g., country codes, age ranges)

  This practice is highly effective in mitigating SQL injection and other input-based attacks.

  Incorrect Options:

  A. Output encoding prevents XSS by encoding output but doesn't validate input.

  B. Enforcing least privilege is an access control principle.

  D. Blacklist validation is less secure and attempts to block known bad inputs, which may be bypassed.

  Reference - CEH v13 Official Courseware:

  Module 14: Hacking Web Applications

  Section: "Input Validation and SQL Injection Mitigation"

  Subsection: "Whitelist vs Blacklist Input Validation"

• Question 626:

  You start performing a penetration test against a specific website and have decided to start by grabbing all the links from the main page.

  What is the best Linux pipe to achieve your milestone?

  A. dirb https://site.com | grep "site"
  B. curl -s https://site.com | grep '
  C. wget https://site.com | grep "
  D. wget https://site.com | cut -d"http"
  B. curl -s https://site.com | grep '

  ---

  Explanation

  This question is about web link enumeration using Linux CLI tools - a common initial step during information gathering in penetration testing, covered in CEH v13 Module 02: Footprinting and Reconnaissance.

  Objective:

  Extract all hyperlinks (i.e., ) from the homepage of a target site to collect subpages, links, or external URLs.

  Let's analyze each component of Option B:

  curl -s https://site.com | grep '

  curl -s https://site.com: Silently fetches the HTML source of the main page.

  grep '

  grep "site.com": Further filters those that point to site.com.

  cut -d "v" -f 2: Cuts the line based on the delimiter v to isolate part of the URL - though not perfect, it attempts to extract the visible link.

  While not perfectly formed (due to slightly inconsistent quote usage), Option B demonstrates the correct logic chain for web link enumeration using pipes in Linux: fetching, filtering, and extracting.

  Why Other Options Are Incorrect:

  A. dirb https://site.com | grep "site"

  # dirb is used for brute-forcing directories, not grabbing links from HTML.

  C. wget https://site.com | grep "

  # Incorrect. wget will download the entire content (including binary files by default), and piping it directly to grep without -O - or -q -O - makes it ineffective.

  D. wget https://site.com | cut -d"http"

  # Incorrect. Syntax error (cut -d"http" is invalid without correct delimiter formatting), and again wget needs to be directed to stdout using -O -.

  Corrected Optimal Syntax for Real-World Use:

  bash

  CopyEdit

  curl -s https://site.com | grep -oP 'href="\Khttp[^"]+' | grep "site.com"

  This uses -oP with Perl-compatible regex to extract only URLs and is a method recommended in CEH iLabs and demonstrations.

  Reference from CEH v13 Study Materials:

  Module 02 - Footprinting and Reconnaissance, Section: Website Footprinting and Web Crawling

  CEH iLabs - Website Information Gathering Lab

  CEH Engage Range: Passive and Active Footprinting Phase - Linux Scripting Tasks

• Question 627:

  Which technique best exploits session management despite MFA, encrypted cookies, and WAFs?

  A. CSRF
  B. Side jacking
  C. Session fixation
  D. Insecure deserialization
  D. Insecure deserialization

  ---

  Explanation

  CEH v13 emphasizes that insecure deserialization is one of the most dangerous application vulnerabilities because it can lead to arbitrary code execution , bypassing authentication, authorization, and session protections entirely.

  Even with MFA, encrypted cookies, and WAFs, deserialization flaws allow attackers to manipulate serialized objects used in session handling. When deserialized without validation, these objects may execute attacker- controlled code.

  CSRF relies on authenticated users. Side jacking is mitigated by encryption. Session fixation is ineffective if session regeneration and MFA are implemented. Insecure deserialization, however, attacks the application logic itself , making it the most effective option.

• Question 628:

  A penetration tester needs to map open ports on a target network without triggering the organization's intrusion detection systems (IDS), which are configured to detect standard scanning patterns and abnormal traffic volumes. To achieve this, the tester decides to use a method that leverages a third-party host to obscure the origin of the scan. Which scanning technique should be employed to accomplish this stealthily?

  A. Conduct a TCP FIN scan with randomized port sequences
  B. Perform a TCP SYN scan using slow-timing options
  C. Execute a UDP scan with packet fragmentation
  D. Use an Idle scan by exploiting a "zombie" host
  D. Use an Idle scan by exploiting a "zombie" host

  ---

  Explanation

  CEH v13 identifies the Idle Scan as one of the most stealthy and advanced reconnaissance techniques due to its ability to avoid generating any traffic directly between the attacker and the target. Using a "zombie host," which has predictable IP ID sequencing, the attacker forges packets so that all scan traffic appears to originate from the zombie. The IDS sees communication only between the zombie and the target, not the attacker. This allows evasion of network monitoring tools, traffic correlation systems, and intrusion detection signatures. CEH highlights Idle Scanning as a core technique for bypassing sophisticated detection controls because it leaves no direct fingerprint of the attacker. Options A and B still originate from the attacker's IP. Option C can evade some filters but remains detectable due to packet anomalies. Only Idle Scanning provides full origin obfuscation , making it the most appropriate method for stealth port enumeration.

• Question 629:

  Which of the following Google advanced search operators helps an attacker in gathering information about websites that are similar to a specified target URL?

  A. inurl:
  B. related:
  C. info:
  D. site:
  B. related:

  ---

  Explanation

  In CEH v13 Module 02: Footprinting and Reconnaissance, Google advanced operators are tools for passive information gathering.

  related: operator is used to find websites similar to a given domain or webpage.

  This helps attackers discover alternate domains, competitors, or similar content that may be vulnerable or poorly secured.

  Example: related:example.com

  Will return a list of sites Google deems related to example.com.

  Option Clarification:

  A. inurl: - Searches for a keyword in the URL.

  B. related: - Correct - Finds similar or related websites.

  C. info: - Provides Google's cached and indexed data about a URL.

  D. site: - Restricts search to a specific domain or site.

  Module 02 - Google Hacking Techniques CEH iLabs: Google Dorking with Advanced Operators

• Question 630:

  Jack, a disgruntled ex-employee of Incalsol Ltd., decided to inject fileless malware into Incalsol's systems. To deliver the malware, he used the current employees' email IDs to send fraudulent emails embedded with malicious links that seem to be legitimate. When a victim employee clicks on the link, they are directed to a fraudulent website that automatically loads Flash and triggers the exploit. What is the technique used byjack to launch the fileless malware on the target systems?

  A. In-memory exploits
  B. Phishing
  C. Legitimate applications
  D. Script-based injection
  B. Phishing

  ---

  Explanation

  Launching Fileless Malware through Phishing Attackers commonly use social engineering techniques such as phishing to spread fileless malware to the target systems. Fileless malware exploits vulnerabilities in system tools to load and run malicious payloads on the victim's machine to compromise the sensitive information stored in the process memory. (P.978/962)