EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 671:

  Yancey is a network security administrator for a large electric company. He becomes disgruntled after learning that he will be laid off and decides to sabotage the company by placing logic bombs, backdoors, and other malware in the system. He does not care if his actions lead to jail time.

  What would Yancey be considered?

  A. Yancey would be considered a Suicide Hacker
  B. Since he does not care about going to jail, he would be considered a Black Hat
  C. Because Yancey works for the company currently; he would be a White Hat
  D. Yancey is a Hacktivist Hacker since he is standing up to a company that is downsizing
  A. Yancey would be considered a Suicide Hacker

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  A Suicide Hacker is someone who launches a cyberattack without regard for the consequences, such as being caught or imprisoned. Yancey's actions fit this profile because:

  He is knowingly committing illegal acts.

  He is fully aware of and indifferent to the consequences.

  His motive is revenge, not ideology or personal gain.

  From CEH v13 Courseware:

  Module 1: Introduction to Ethical Hacking # Types of Hackers

  CEH v13 Study Guide - Module 1: Hacker ClassificationsNIST SP 800-12 - Classification of Threat Actors

• Question 672:

  A security analyst is investigating a potential network-level session hijacking incident. During the investigation, the analyst finds that the attacker has been using a technique in which they injected an authentic- looking reset packet using a spoofed source IP address and a guessed acknowledgment number. As a result, the victim's connection was reset. Which of the following hijacking techniques has the attacker most likely used?

  A. TCP/IP hijacking
  B. UDP hijacking
  C. RST hijacking
  D. Blind hijacking
  C. RST hijacking

  ---

  Explanation

  The attacker has most likely used RST hijacking, which is a type of network-level session hijacking technique that exploits the TCP reset (RST) mechanism. TCP reset is a way of terminating an established TCP connection by sending a packet with the RST flag set, indicating that the sender does not want to continue the communication. RST hijacking involves sending a forged RST packet to one or both ends of a TCP connection, using a spoofed source IP address and a guessed acknowledgment number, to trick them into believing that the other end has closed the connection. As a result, the victim's connection is reset and the attacker can take over the session or launch a denial-of-service attack12.

  The other options are not correct for the following reasons:

  A. TCP/IP hijacking: This option is a general term that refers to any type of network-level session hijacking technique that targets TCP/IP connections. RST hijacking is a specific type of TCP/IP hijacking, but not the only one. Other types of TCP/IP hijacking include SYN hijacking, source routing, and sequence prediction3.

  B. UDP hijacking: This option is not applicable because UDP is a connectionless protocol that does not use TCP reset mechanism. UDP hijacking is a type of network-level session hijacking technique that targets UDP connections, such as DNS or VoIP. UDP hijacking involves intercepting and modifying UDP packets to redirect or manipulate the communication between the sender and the receiver4.

  D. Blind hijacking: This option is not accurate because blind hijacking is a type of network-level session hijacking technique that does not require injecting RST packets. Blind hijacking involves guessing the sequence and acknowledgment numbers of a TCP connection without being able to see the responses from the target. Blind hijacking can be used to inject malicious data or commands into an active TCP session, but not to reset the connection5.

  References:

  1: RST Hijacking - an overview | ScienceDirect Topics 2: TCP Reset Attack - an overview | ScienceDirect Topics 3: TCP/IP Hijacking - an overview | ScienceDirect Topics 4: UDP Hijacking - an overview | ScienceDirect Topics 5: Blind Hijacking - an overview | ScienceDirect Topics

• Question 673:

  A penetration tester is conducting an assessment of a web application for a financial institution. The application uses form-based authentication and does not implement account lockout policies after multiple failed login attempts. Interestingly, the application displays detailed error messages that disclose whether the username or password entered is incorrect. The tester also notices that the application uses HTTP headers to prevent clickjacking attacks but does not implement Content Security Policy (CSP).

  With these observations, which of the following attack methods would likely be the most effective for the penetration tester to exploit these vulnerabilities and attempt unauthorized access?

  A. The tester could execute a Brute Force attack, leveraging the lack of account lockout policy and the verbose error messages to guess the correct credentials
  B. The tester could exploit a potential SQL Injection vulnerability to manipulate the application's database
  C. The tester could launch a Cross-Site Scripting (XSS) attack to steal authenticated session cookies, potentially bypassing the clickjacking protection
  D. The tester could execute a Man-in-the-Middle (MitM) attack to intercept and modify the HTTP headers for a Clickjacking attack
  A. The tester could execute a Brute Force attack, leveraging the lack of account lockout policy and the verbose error messages to guess the correct credentials

  ---

  Explanation

  The most effective attack method for the penetration tester to exploit these vulnerabilities and attempt unauthorized access would be to execute a Brute Force attack, leveraging the lack of account lockout policy and the verbose error messages to guess the correct credentials. A Brute Force attack is a hacking method that uses trial and error to crack passwords, login credentials, or encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations' systems and networks1. In this scenario, the tester can take advantage of the fact that the application does not lock out users after multiple failed login attempts, which means the tester can try as many combinations as possible without being blocked. The tester can also use the detailed error messages that disclose whether the username or password entered is incorrect, which can help narrow down the search space and reduce the number of guesses needed. For example, if the tester enters a wrong username and a wrong password, and the application responds with "Invalid username", the tester can eliminate that username from the list of candidates and focus on finding the correct one. Similarly, if the tester enters a correct username and a wrong password, and the application responds with "Invalid password", the tester can confirm that username and focus on finding the correct password. By using automated tools or scripts, the tester can perform a Brute Force attack faster and more efficiently.

  The other options are not as effective or feasible as option A for the following reasons:

  B. The tester could exploit a potential SQL Injection vulnerability to manipulate the application's database:

  This option is not feasible because there is no indication that the application is vulnerable to SQL Injection, which is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database2. The application uses form-based authentication, which does not necessarily involve SQL queries, and the error messages do not reveal any SQL syntax or structure. Moreover, even if the application was vulnerable to SQL Injection, the tester would need to craft a

  malicious SQL query that can bypass the authentication mechanism and grant access to the application, which may not be possible or easy depending on the database design and configuration.

  C. The tester could launch a Cross-Site Scripting (XSS) attack to steal authenticated session cookies, potentially bypassing the clickjacking protection: This option is not effective because there is no evidence that the application is vulnerable to XSS, which is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application by injecting malicious scripts3. The application uses HTTP headers to prevent clickjacking attacks, which are a type of attack

  that tricks a user into clicking on a hidden or disguised element on a web page4. However, this does not imply that the application is vulnerable to XSS, which requires a different type of injection point and payload. Moreover, even if the application was vulnerable to XSS, the tester would need to find a way to deliver the malicious script to a legitimate user who is already authenticated, and then capture the stolen session cookies from the user's browser, which may not be feasible or easy depending on the

  application's design and security measures.

  D. The tester could execute a Man-in-the-Middle (MitM) attack to intercept and modify the HTTP headers for a Clickjacking attack: This option is not feasible because a MitM attack is a type of attack that requires the attacker to insert themselves between two parties who believe that they are directly communicating with each other, and then relay or alter the communications between them5. In this scenario, the tester would need to intercept the HTTP traffic between the user and the application, and then

  modify the HTTP headers to remove or weaken the clickjacking protection. However, this would require the tester to have access to the network infrastructure or the user's device, which may not be possible or easy depending on the network security and encryption. Moreover, even if the tester could perform a MitM attack, the tester would still need to trick the user into clicking on a malicious element on a web page, which may not be possible or easy depending on the user's awareness and behavior.

  References:

  1: What is a Brute Force Attack? | Definition, Types and How It Works - Fortinet

  2: What is SQL Injection? Tutorial and Examples | Web Security Academy

  3: Cross Site Scripting (XSS) | OWASP Foundation

  4: What is Clickjacking? | Definition, Types and Examples - Fortinet

  5: Man-in-the-middle attack - Wikipedia

• Question 674:

  What hacking attack is challenge/response authentication used to prevent?

  A. Replay attacks
  B. Scanning attacks
  C. Session hijacking attacks
  D. Password cracking attacks
  A. Replay attacks

  ---

  Explanation

  Challenge/response authentication is designed to prevent replay attacks. In this mechanism:

  The server sends a random "challenge" string.

  The client uses its secret (like a password or private key) to generate a response.

  The server verifies that the response matches what it expected for that challenge.

  Since the challenge is random and changes each time, an attacker cannot simply capture and replay previous responses to gain unauthorized access.

  From CEH v13 Courseware:

  Module 11: Session Hijacking

  Module 6: Authentication Protocols

  CEH v13 Study Guide states:

  "Challenge-response authentication prevents replay attacks by using dynamically generated nonces or challenge tokens that change with each session."

  Incorrect Options:

  B: Scanning attacks are not related to authentication mechanisms.

  C: Session hijacking involves active takeovers, not replaying login attempts.

  D: Password cracking targets password hashes, not session tokens.

  CEH v13 Study Guide - Module 11: Authentication Mechanisms and Replay Attack MitigationRFC 2831 - Digest Access Authentication

• Question 675:

  Windows LAN Manager (LM) hashes are known to be weak.

  Which of the following are known weaknesses of LM? (Choose three.)

  A. Converts passwords to uppercase.
  B. Hashes are sent in clear text over the network.
  C. Makes use of only 32-bit encryption.
  D. Effective length is 7 characters.
  A. Converts passwords to uppercase.
  B. Hashes are sent in clear text over the network.
  D. Effective length is 7 characters.

  ---

  Explanation

  Weaknesses of LM hashes include:

  A. Passwords are converted to uppercase before hashing.

  B. In older Windows systems, LM hashes were transmitted over the network, sometimes in plaintext (or easily intercepted).

  D. Passwords are split into two 7-character chunks, which are hashed independently, reducing entropy.

  From CEH v13 Courseware:

  Module 6: Malware and Password Threats

  Module 4: Windows Enumeration

  Incorrect Option:

  C: LM uses DES encryption with 56-bit keys (not 32-bit).

  CEH v13 Study Guide - Module 6: Weaknesses in LM HashingMicrosoft Security Documentation - LM Hashing Vulnerabilities

• Question 676:

  A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers.

  A. Use port security on his switches.
  B. Use a tool like ARPwatch to monitor for strange ARP activity.
  C. Use a firewall between all LAN segments.
  D. If you have a small network, use static ARP entries.
  E. Use only static IP addresses on all PC's.
  A. Use port security on his switches.
  B. Use a tool like ARPwatch to monitor for strange ARP activity.
  D. If you have a small network, use static ARP entries.

  ---

  Explanation

  ARP (Address Resolution Protocol) spoofing/poisoning is a common attack in which an attacker sends falsified ARP messages to associate their MAC address with the IP address of another host. To defend against ARP spoofing:

  A. Port Security: Limits the number of MAC addresses per port; prevents MAC flooding and spoofing.

  B. ARPwatch: Monitors ARP traffic and alerts on unusual changes.

  D. Static ARP Entries: Prevent ARP responses from overwriting MAC-IP mappings, effective in small networks.

  From CEH v13 Official Courseware:

  Module 8: Sniffing

  Module 11: Session Hijacking

  Module 20: Network Security

  Incorrect Options:

  C: Firewalls operate at Layer 3+; ARP is a Layer 2 protocol, so firewalls don't prevent ARP spoofing.

  E: Static IP addresses do not prevent ARP poisoning.

  CEH v13 Study Guide - Module 8: ARP Spoofing Mitigation TechniquesNIST SP 800-115 - Technical Guide to Information Security Testing and Assessment

• Question 677:

  Your company, Encryptor Corp, is developing a new application that will handle highly sensitive user information. As a cybersecurity specialist, you want to ensure this data is securely stored. The development team proposes a method where data is hashed and then encrypted before storage. However, you want an added layer of security to verify the integrity of the data upon retrieval. Which of the following cryptographic concepts should you propose to the team?

  A. Implement a block cipher mode of operation.
  B. a digital signature mechanism.
  C. Suggest using salt with hashing.
  D. Switch to elliptic curve cryptography.
  B. a digital signature mechanism.

  ---

  Explanation

  A digital signature mechanism is a cryptographic concept that you should propose to the team to verify the integrity of the data upon retrieval. A digital signature mechanism works as follows:

  A digital signature is a mathematical scheme that allows the sender of a message to sign the message with their private key, and allows the receiver of the message to verify the signature with the sender's public key. A digital signature provides two security services: authentication and non-repudiation. Authentication means that the receiver can confirm the identity of the sender, and non-repudiation means that the sender cannot deny sending the message12.

  A digital signature mechanism consists of three algorithms: key generation, signing, and verification. Key generation produces a pair of keys: a private key for the sender and a public key for the receiver. Signing takes the message and the private key as inputs, and outputs a signature. Verification takes the message, the signature, and the public key as inputs, and outputs a boolean value indicating whether the signature is valid or not12. A digital signature mechanism can be implemented using various cryptographic techniques, such as hash- based signatures, RSA signatures, or elliptic curve signatures. A common method is to use a hash function to compress the message into a fixed-length digest, and then use an asymmetric encryption algorithm to encrypt the digest with the private key. The encrypted digest is the signature, which can be decrypted with the public key and compared with the hash of the message to verify the integrity12.

  A digital signature mechanism can ensure the integrity of the data upon retrieval, because:

  A digital signature is unique to the message and the sender, and it cannot be forged or altered by anyone else. If the message or the signature is modified in any way, the verification will fail and the receiver will know that the data is corrupted or tampered with12.

  A digital signature is independent of the encryption or hashing of the data, and it can be applied to any type of data, regardless of its format or size. The encryption or hashing of the data can provide confidentiality and efficiency, but they cannot provide integrity or authentication by themselves. A digital signature can complement the encryption or hashing of the data by providing an additional layer of security12.

  The other options are not as suitable as option B for the following reasons:

  A. Implement a block cipher mode of operation: This option is not relevant because it does not address the integrity verification issue, but the encryption issue. A block cipher mode of operation is a method of applying a block cipher, which is a symmetric encryption algorithm that operates on fixed-length blocks of data, to a variable-length message. A block cipher mode of operation can provide different security properties, such as confidentiality, integrity, or authenticity, depending on the mode. However, a

  block cipher mode of operation cannot provide a digital signature, which is a form of asymmetric encryption that uses a pair of keys3 .

  C. Suggest using salt with hashing: This option is not sufficient because it does not provide a digital signature, but only a hash value. Salt is a random value that is added to the input of a hash function, which is a one-way function that maps any data to a fixed-length digest. Salt can enhance the security of hashing by making it harder to perform brute-force attacks or dictionary attacks, which are methods of finding the input that produces a given hash value. However, salt cannot provide a digital signature,

  which is a two-way function that uses a pair of keys to sign and verify a message .

  D. Switch to elliptic curve cryptography: This option is not specific because it does not specify a digital signature mechanism, but only a type of cryptography. Elliptic curve cryptography is a branch of cryptography that uses mathematical curves to generate keys and perform operations. Elliptic curve cryptography can be used to implement various cryptographic techniques, such as encryption, hashing, or digital signatures. However, elliptic curve cryptography is not a digital signature mechanism by itself, but

  rather a tool that can be used to create one .

  References:

  1: Digital signature - Wikipedia

  2: Digital Signature: What It Is and How It Works | Kaspersky

  3: Block cipher mode of operation - Wikipedia

  Block Cipher Modes of Operation - an overview | ScienceDirect Topics : Salt (cryptography) - Wikipedia What is Salt in Cryptography? | Cloudflare Elliptic-curve cryptography - Wikipedia Elliptic Curve Cryptography: What It Is and How It Works | Kaspersky

• Question 678:

  Lewis, a professional hacker, targeted the IoT cameras and devices used by a target venture-capital firm. He used an information-gathering tool to collect information about the IoT devices connected to a network, open ports and services, and the attack surface area. Using this tool, he also generated statistical reports on broad usage patterns and trends. This tool helped Lewis continually monitor every reachable server and device on the Internet, further allowing him to exploit these devices in the network.

  Which of the following tools was employed by Lewis in the above scenario?

  A. Censys
  B. Wapiti
  C. NeuVector
  D. Lacework
  A. Censys

  ---

  Explanation

  Censys is a powerful Internet-wide scanning tool that allows users to:

  Discover and analyze devices and services exposed to the public internet

  Enumerate connected IoT devices, open ports, software versions

  Provide structured and searchable reports for vulnerability analysis

  According to CEH v13:

  Censys continuously scans the IPv4 address space and maintains up-to-date databases of connected devices and their metadata.

  Incorrect Options:

  B. Wapiti is a web application vulnerability scanner.

  C. NeuVector is a container security solution.

  D. Lacework is a cloud workload protection platform, not focused on IoT enumeration.

  CEH v13 Official Courseware:

  Module 18: IoT and OT Hacking

  Section: "IoT Discovery Tools"

  Tool Focus: Censys, Shodan

• Question 679:

  While analyzing logs, you observe a large number of TCP SYN packets sent to various ports with no corresponding ACKs. What scanning technique was likely used?

  A. SYN scan (half-open scanning)
  B. XMAS scan
  C. SYN/ACK scan
  D. TCP Connect scan
  A. SYN scan (half-open scanning)

  ---

  Explanation

  This activity clearly indicates a TCP SYN scan , also known as a half-open scan , which is a commonly used stealth scanning technique discussed in CEH v13 Reconnaissance and Network Scanning . In a SYN scan, the attacker sends TCP SYN packets to target ports and observes the responses without completing the TCP three-way handshake.

  If the port is open , the target responds with a SYN/ACK packet. The scanner then immediately sends a RST packet instead of the final ACK, leaving the connection half-open. This behavior allows attackers to identify open ports while minimizing log entries and reducing detection by security monitoring tools.

  The absence of ACK packets in logs supports this explanation, as the handshake is never completed.

  Other options are incorrect because:

  XMAS scans send packets with multiple flags set.

  SYN/ACK scans are primarily used for firewall rule discovery.

  TCP Connect scans complete the full handshake and generate ACKs.

  CEH v13 emphasizes that SYN scans are widely used because they balance accuracy and stealth , making them a preferred reconnaissance method for attackers.

• Question 680:

  Bill is a network administrator. He wants to eliminate unencrypted traffic inside his company's network. He decides to setup a SPAN port and capture all traffic to the datacenter. He immediately discovers unencrypted traffic in port UDP 161. what protocol is this port using and how can he secure that traffic?

  A. it is not necessary to perform any actions, as SNMP is not carrying important information.
  B. SNMP and he should change it to SNMP V3
  C. RPC and the best practice is to disable RPC completely
  D. SNMP and he should change it to SNMP v2, which is encrypted
  B. SNMP and he should change it to SNMP V3

  ---

  Explanation

  We have various articles already in our documentation for setting up SNMPv2 trap handling in Opsview, but SNMPv3 traps are a whole new ballgame. They can be quite confusing and complicated to set up the first time you go through the process, but when you understand what is going on, everything should make more sense.

  SNMP has gone through several revisions to improve performance and security (version 1, 2c and 3). By default, it is a UDP port based protocol where communication is based on a `fire and forget' methodology in which network packets are sent to another device, but there is no check for receipt of that packet (versus TCP port when a network packet must be acknowledged by the other end of the communication link).

  There are two modes of operation with SNMP - get requests (or polling) where one device requests information from an SNMP enabled device on a regular basis (normally using UDP port 161), and traps where the SNMP enabled device sends a message to another device when an event occurs (normally using UDP port 162). The latter includes instances such as someone logging on, the device powering up or down, or a wide variety of other problems that would need this type of investigation.

  This blog covers SNMPv3 traps, as polling and version 2c traps are covered elsewhere in our documentation.

  SNMP traps

  Since SNMP is primarily a UDP port based system, traps may be `lost' when sending between devices; the sending device does not wait to see if the receiver got the trap. This means if the configuration on the sending device is wrong (using the wrong receiver IP address or port) or the receiver isn't listening for traps or rejecting them out of hand due to misconfiguration, the sender will never know. The SNMP v2c specification introduced the idea of splitting traps into two types; the original `hope it gets there' trap and the newer `INFORM' traps. Upon receipt of an INFORM, the receiver must send an acknowledgement back. If the sender doesn't get the acknowledgement back, then it knows there is an existing problem and can log it for sysadmins to find when they interrogate the device.