EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 651:

  Jake, a professional hacker, installed spyware on a target iPhone to spy on the target user's activities. He can take complete control of the target mobile device by jailbreaking the device remotely and record audio, capture screenshots, and monitor all phone calls and SMS messages. What is the type of spyware that Jake used to infect the target device?

  A. DroidSheep
  B. Androrat
  C. Zscaler
  D. Trident
  D. Trident

  ---

  Explanation

  Trident is a highly sophisticated spyware tool used in mobile surveillance operations. It exploits multiple zero- day vulnerabilities to jailbreak iPhones remotely and grant full control to the attacker. It is famously associated with the Pegasus spyware, which was able to:

  Record calls and ambient sound

  Capture screenshots

  Read SMS, emails, and contacts

  Monitor GPS and application use

  As per CEH v13:

  Trident uses a chain of exploits to compromise iOS devices without physical access.

  It was used in highly targeted attacks against journalists, activists, and government officials.

  Incorrect Options:

  A. DroidSheep is an Android tool for session hijacking on unsecured Wi-Fi.

  B. Androrat is a RAT for Android devices.

  C. Zscaler is a cloud security platform, not malware.

  CEH v13 Official Courseware:

  Module 17: Hacking Mobile Platforms

  Section: "iOS Malware"

  Subsection: "Spyware like Trident and Pegasus"

• Question 652:

  A company's customer data in a cloud environment has been exposed due to an unknown vulnerability.

  Which type of issue most likely led to the incident?

  A. Side-channel attack on the hypervisor
  B. Denial-of-Service (DoS) attack on cloud servers
  C. Brute-force attack on user passwords
  D. Exploitation of misconfigured security groups
  D. Exploitation of misconfigured security groups

  ---

  Explanation

  In CEH's Cloud Computing module, one of the most common real-world causes of cloud data exposure is misconfiguration , especially overly permissive network access controls. Cloud platforms commonly use constructs like security groups / firewall rules / network ACLs to define inbound and outbound access. CEH highlights that exposing sensitive services (databases, storage endpoints, admin panels) to the public internet-whether by "0.0.0.0/0" rules, overly broad ports, or unintended administrative access-frequently results in unauthorized access and data leakage even without sophisticated exploit chains. Option D is therefore the most likely, because misconfigured security groups can directly expose customer data stores or management interfaces, enabling data theft through normal connectivity rather than exploiting a rare hypervisor flaw.

  Option A (hypervisor side-channel attack) is advanced and less common; it typically requires high attacker capability and conditions not implied here. Option B (DoS) impacts availability, not confidentiality, so it doesn't best explain data exposure. Option C (brute force passwords) is possible, but the question emphasizes an "unknown vulnerability" in the cloud environment-CEH teaching often frames "unknown vulnerability" in cloud incidents as misconfiguration or uncontrolled exposure rather than authentication guessing alone.

  CEH countermeasures include least-privilege security group rules, segmentation, continuous configuration monitoring, cloud security posture management, and auditing publicly exposed resources.

• Question 653:

  While testing a web application in development, you notice that the web server does not properly ignore the "dot dot slash" (../) character string and instead returns the file listing of a folder structure of the server.

  What kind of attack is possible in this scenario?

  A. Cross-site scripting
  B. Denial of service
  C. SQL injection
  D. Directory traversal
  D. Directory traversal

  ---

  Explanation

  Appropriately controlling admittance to web content is significant for running a safe web worker. Index crossing or Path Traversal is a HTTP assault which permits aggressors to get to limited catalogs and execute orders outside of the web worker's root registry.

  Web workers give two primary degrees of security instruments

  Access Control Lists (ACLs)

  Root index

  An Access Control List is utilized in the approval cycle. It is a rundown which the web worker's manager uses to show which clients or gatherings can get to, change or execute specific records on the worker, just as other access rights.

  The root registry is a particular index on the worker record framework in which the clients are kept. Clients can't get to anything over this root.

  For instance: the default root registry of IIS on Windows is C:\Inetpub\wwwroot and with this arrangement, a client doesn't approach C:\Windows yet approaches C:\Inetpub\wwwroot\news and some other indexes and documents under the root catalog (given that the client is confirmed by means of the ACLs).

  The root index keeps clients from getting to any documents on the worker, for example, C:\WINDOWS /system32/win.ini on Windows stages and the/and so on/passwd record on Linux/UNIX stages.

  This weakness can exist either in the web worker programming itself or in the web application code.

  To play out a registry crossing assault, all an assailant requires is an internet browser and some information on where to aimlessly discover any default documents and registries on the framework.

  What an assailant can do if your site is defenseless

  With a framework defenseless against index crossing, an aggressor can utilize this weakness to venture out of the root catalog and access different pieces of the record framework. This may enable the assailant to see confined documents, which could give the aggressor more data needed to additional trade off the framework.

  Contingent upon how the site access is set up, the aggressor will execute orders by mimicking himself as the client which is related with "the site". Along these lines everything relies upon what the site client has been offered admittance to in the framework.

  Illustration of a Directory Traversal assault by means of web application code

  In web applications with dynamic pages, input is generally gotten from programs through GET or POST solicitation techniques. Here is an illustration of a HTTP GET demand URL

  GET http://test.webarticles.com/show.asp?viewoldarchive.html HTTP/1.1

  Host: test.webarticles.com

  With this URL, the browser requests the dynamic page show.asp from the server and with it also sends the parameter view with the value of oldarchive.html. When this request is executed on the web server, show. asp retrieves the file oldarchive.html from the server's file system, renders it and then sends it back to the browser which displays it to the user. The attacker would assume that show.asp can retrieve files from the file system and sends the following custom URL.

  GET http://test.webarticles.com/show.asp?view../../../../../Windows/system.ini HTTP/1.1

  Host: test.webarticles.com

  This will cause the dynamic page to retrieve the file system.ini from the file system and display it to the user. The expression ../ instructs the system to go one directory up which is commonly used as an operating system directive. The attacker has to guess how many directories he has to go up to find the Windows folder on the system, but this is easily done by trial and error.

  Example of a Directory Traversal attack via web server

  Apart from vulnerabilities in the code, even the web server itself can be open to directory traversal attacks. The problem can either be incorporated into the web server software or inside some sample script files left available on the server.

  The vulnerability has been fixed in the latest versions of web server software, but there are web servers online which are still using older versions of IIS and Apache which might be open to directory traversal attacks. Even though you might be using a web server software version that has fixed this vulnerability, you might still have some sensitive default script directories exposed which are well known to hackers.

  For example, a URL request which makes use of the scripts directory of IIS to traverse directories and execute a command can be

  GET http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ HTTP/1.1

  Host: server.com

  The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command shell file and run the command dir c:\ in the shell. The %5c expression that is in the URL request is a web server escape code which is used to represent normal characters. In this case %5c represents the character \.

  Newer versions of modern web server software check for these escape codes and do not let them through. Some older versions however, do not filter out these codes in the root directory enforcer and will let the attackers execute such commands.

• Question 654:

  Which indicator most strongly confirms a MAC flooding attack?

  A. Multiple IPs to one MAC
  B. Multiple MACs to one IP
  C. Numerous MAC addresses on a single switch port
  D. Increased ARP requests
  C. Numerous MAC addresses on a single switch port

  ---

  Explanation

  MAC flooding is a Layer 2 attack described in CEH v13 Network and Perimeter Hacking , where attackers overwhelm a switch's CAM table with fake MAC addresses. Once the table is full, the switch behaves like a hub, forwarding traffic to all ports.

  The most definitive indicator of MAC flooding is numerous MAC addresses learned on a single switch port , which is abnormal behavior in a properly segmented network. CEH v13 identifies this condition as a key forensic indicator of CAM table exhaustion.

  ARP anomalies may occur, but they are more commonly associated with ARP spoofing attacks. IP-to-MAC inconsistencies indicate MITM attacks, not MAC flooding.

• Question 655:

  A penetration tester discovers that a web application uses unsanitized user input to dynamically generate file paths. The tester identifies that the application is vulnerable to Remote File Inclusion (RFI). Which action should the tester take to exploit this vulnerability?

  A. Inject a SQL query into the input field to perform SQL injection
  B. Use directory traversal to access sensitive system files on the server
  C. Provide a URL pointing to a remote malicious script to include it in the web application
  D. Upload a malicious shell to the server and execute commands remotely
  C. Provide a URL pointing to a remote malicious script to include it in the web application

  ---

  Explanation

  Remote File Inclusion occurs when an application allows external resources to be loaded from user-controlled input. CEH teaches that an attacker can supply a remote URL pointing to a malicious script (for example, a PHP shell). When the vulnerable application includes this external file, the attacker's code executes on the server. This can lead to full system compromise, remote command execution, or lateral movement.

• Question 656:

  Dayn, an attacker, wanted to detect if any honeypots are installed in a target network. For this purpose, he used a time-based TCP fingerprinting method to validate the response to a normal computer and the response of a honeypot to a manual SYN request.

  Which of the following techniques is employed by Dayn to detect honeypots?

  A. Detecting honeypots running on VMware
  B. Detecting the presence of Honeyd honeypots
  C. Detecting the presence of Snort_inline honeypots
  D. Detecting the presence of Sebek-based honeypots
  B. Detecting the presence of Honeyd honeypots

  ---

  Explanation

  In CEH v13 Module 07: Evading IDS, Firewalls, and Honeypots, various honeypot detection techniques are discussed. One such method is time-based TCP fingerprinting, which is effective against Honeyd-based honeypots.

  Honeyd Honeypots:

  Lightweight, low-interaction honeypots.

  Often respond with inconsistent or delayed TCP timestamps.

  Can be fingerprinted by comparing round-trip time and TTL values to real systems.

  Option Clarification:

  A. VMware detection: Uses CPU/BIOS identifiers and MAC address patterns.

  B. Honeyd detection: Correct - uses time-based TCP fingerprinting.

  C. Snort_inline: A network-based IPS, not the context here.

  D. Sebek: Used to monitor user-level activity, not related to TCP response timing.

  Module 07 - Honeypot Detection Techniques

  CEH Labs: Timing Analysis for Detecting Honeyd Honeypots

• Question 657:

  joe works as an it administrator in an organization and has recently set up a cloud computing service for the organization. To implement this service, he reached out to a telecom company for providing Internet connectivity and transport services between the organization and the cloud service provider, in the NIST cloud deployment reference architecture, under which category does the telecom company fall in the above scenario?

  A. Cloud booker
  B. Cloud consumer
  C. Cloud carrier
  D. Cloud auditor
  C. Cloud carrier

  ---

  Explanation

  A cloud carrier acts as an intermediary that provides connectivity and transport of cloud services between cloud consumers and cloud providers.

  Cloud carriers provide access to consumers through network, telecommunication and other access devices. for instance, cloud consumers will obtain cloud services through network access devices, like computers, laptops, mobile phones, mobile web devices (MIDs), etc.

  The distribution of cloud services is often provided by network and telecommunication carriers or a transport agent, wherever a transport agent refers to a business organization that provides physical transport of storage media like high-capacity hard drives.

  Note that a cloud provider can started SLAs with a cloud carrier to provide services consistent with the level of SLAs offered to cloud consumers, and will require the cloud carrier to provide dedicated and secure connections between cloud consumers and cloud providers.

• Question 658:

  One customer's malicious activity impacts other tenants. Which control would best prevent this?

  A. Strong encryption
  B. Secure log management
  C. Multi-tenant isolation
  D. Strong authentication
  C. Multi-tenant isolation

  ---

  Explanation

  In CEH v13 Cloud Computing multi-tenancy , is a core cloud characteristic-but also a major risk if isolation controls are weak. When one tenant's actions affect others, the issue is almost always insufficient isolation between tenants.

  Multi-tenant isolation ensures that compute, storage, memory, and network resources are strictly separated.

  Without proper isolation, a malicious tenant can:

  Exhaust shared resources

  Access neighboring virtual machines

  Damage the provider's reputation

  Encryption and authentication protect data access but do not stop cross-tenant impact. Logging helps detect incidents but does not prevent them.

  CEH v13 emphasizes strong logical isolation mechanisms -such as hypervisor hardening and tenant segmentation-as essential cloud security controls. Therefore, Option C is the correct answer.

• Question 659:

  You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has Snort installed, and the second machine (192.168.0.150) has Kiwi Syslog installed. You perform a SYN scan in your network, and you notice that Kiwi Syslog is not receiving the alert message from Snort. You decide to run Wireshark on the Snort machine to check if the messages are going to the Kiwi Syslog machine. What Wireshark filter will show the connections from the Snort machine to Kiwi Syslog machine?

  A. tcp.srcport==514 andand ip.src==192.168.0.99
  B. tcp.srcport==514 andand ip.src==192.168.150
  C. tcp.dstport==514 andand ip.dst==192.168.0.99
  D. tcp.dstport==514 andand ip.dst==192.168.0.150
  D. tcp.dstport==514 andand ip.dst==192.168.0.150

  ---

  Explanation

  Syslog messages are typically sent over UDP or TCP port 514 to the Syslog server. In this case, Snort (192.168.0.99) should send alerts to Kiwi Syslog (192.168.0.150) using TCP/UDP port 514. The correct Wireshark filter to check if Snort is sending the messages to the Syslog server is:

  tcp.dstport==514 andand ip.dst==192.168.0.150

  CEH v13 Official Study Guide:

  Module 8: Sniffing

  Topic: Packet Sniffing and Analysis

  Quote:

  "Wireshark filters like tcp.dstport and ip.dst can be used to verify outbound logs and traffic from intrusion detection systems."

  Incorrect Options:

  A and B: Use incorrect IP addresses or direction

  C: Uses incorrect destination IP (should be the Syslog server)

• Question 660:

  Which tool is best for sniffing plaintext HTTP traffic?

  A. Nessus
  B. Nmap
  C. Netcat
  D. Wireshark
  D. Wireshark

  ---

  Explanation

  Wireshark is the primary packet-sniffing tool covered in CEH v13 Network Sniffing . It captures and analyzes live traffic, allowing analysts to view plaintext HTTP packets.

  Nessus is a vulnerability scanner, Nmap is for scanning, Netcat is a networking utility. None provide protocol- level inspection like Wireshark.