EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 691:

  A city's power management system relies on SCADA infrastructure. Recent anomalies include inconsistent sensor readings and intermittent outages. Security analysts suspect a side-channel attack designed to extract sensitive information covertly from SCADA devices. Which investigative technique would best confirm this type of attack?

  A. Measuring unusual physical or electrical fluctuations during device operation at the hardware level.
  B. Identifying weak cryptographic configurations in device communications.
  C. Assessing SCADA user interfaces for unauthorized access or misuse.
  A. Measuring unusual physical or electrical fluctuations during device operation at the hardware level.

  ---

  Explanation

  According to the Certified Ethical Hacker (CEH) IoT, OT, and SCADA Security module, side-channel attacks exploit indirect information leaks such as power consumption, electromagnetic emissions, timing variations, or thermal output rather than software vulnerabilities.

  Option A is correct because monitoring hardware-level anomalies is the primary method for detecting side- channel exploitation. CEH materials emphasize that these attacks bypass traditional security controls.

  Option B relates to cryptographic weaknesses, not side-channel analysis.

  Option C addresses interface misuse, not covert data leakage.

  CEH highlights that SCADA systems are especially vulnerable due to legacy hardware and limited monitoring capabilities.

• Question 692:

  John, a security analyst working for an organization, found a critical vulnerability on the organization's LAN that allows him to view financial and personal information about the rest of the employees. Before reporting the vulnerability, he examines the information shown by the vulnerability for two days without disclosing any information to third parties or other internal employees. He does so out of curiosity about the other employees and may take advantage of this information later.

  What would John be considered as?

  A. Cybercriminal
  B. Black hat
  C. White hat
  D. Gray hat
  D. Gray hat

  ---

  Explanation

  In CEH v13 Module 01: Introduction to Ethical Hacking, Gray Hat hackers are described as those who operate between ethical and unethical lines:

  Gray Hat Characteristics:

  Discover vulnerabilities without permission.

  May explore or exploit them without malicious intent, but also without authorization.

  May or may not disclose them after exploration.

  Not fully black hat (malicious), nor white hat (authorized and ethical).

  In this case, John explored sensitive employee data without authorization, even though he worked for the organization. That behavior places him in the gray hat category.

  Option Clarification:

  A. Cybercriminal: Generally linked to criminal activities for gain.

  B. Black hat: Unauthorized access with malicious or financial intent.

  C. White hat: Authorized ethical hackers.

  D. Gray hat: Correct Unauthorized, curious access without immediate harm.

  Module 01 Hacker Types: Black Hat, White Hat, and Gray Hat CEH eBook: Case Examples of Gray Hat Behavior

• Question 693:

  An attacker examines differences in ciphertext outputs resulting from small changes in the input to deduce key patterns in a symmetric algorithm. What method is being employed?

  A. Differential cryptanalysis on input-output differences
  B. Timing attack to infer key bits based on processing time
  C. Brute-force attack to try every possible key
  D. Chosen-ciphertext attack to decrypt arbitrary ciphertexts
  A. Differential cryptanalysis on input-output differences

  ---

  Explanation

  This scenario describes Differential Cryptanalysis , a powerful cryptanalytic technique covered in CEH v13 Cryptography . Differential cryptanalysis focuses on analyzing how small changes in plaintext input affect the resulting ciphertext output , with the goal of uncovering patterns related to the secret encryption key.

  CEH v13 explains that symmetric algorithms rely on complex transformations--such as substitution and permutation--to obscure relationships between plaintext and ciphertext. However, in some algorithms, predictable differences may propagate through encryption rounds in a way that reveals statistical biases. By carefully selecting pairs of plaintext inputs with controlled differences and comparing the resulting ciphertexts, attackers can infer information about intermediate states and eventually the encryption key.

  This method does not attempt every possible key (brute force), nor does it rely on execution timing or system performance metrics (timing attacks). It also differs from chosen-ciphertext attacks, which involve submitting chosen ciphertexts for decryption rather than observing encryption behavior.

  Differential cryptanalysis was instrumental in breaking early block ciphers and is a key reason why modern algorithms like AES are designed with resistance to differential attacks. CEH v13 emphasizes that understanding this attack is critical for evaluating the strength of symmetric encryption algorithms and their internal structure.

  Therefore, Option A accurately describes the technique being employed.

• Question 694:

  You receive an e-mail like the one shown below. When you click on the link contained in the mail, you are redirected to a website seeking you to download free Anti-Virus software.

  Dear valued customers,

  We are pleased to announce the newest version of Antivirus 2010 for Windows which will probe you with total security against the latest spyware, malware, viruses, Trojans and other online threats. Simply visit the link below and enter your antivirus code:

  

  or you may contact us at the following address:

  Media Internet Consultants, Edif. Neptuno, Planta

  Baja, Ave. Ricardo J. Alfaro, Tumba Muerto, n/a Panama

  How will you determine if this is Real Anti-Virus or Fake Anti-Virus website?

  A. Look at the website design, if it looks professional then it is a Real Anti-Virus website
  B. Connect to the site using SSL, if you are successful then the website is genuine
  C. Search using the URL and Anti-Virus product name into Google and lookout for suspicious warnings against this site
  D. Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will prompt you and stop the installation if the downloaded file is a malware
  E. Download and install Anti-Virus software from this suspicious looking site, your Windows 7 will prompt you and stop the installation if the downloaded file is a malware
  C. Search using the URL and Anti-Virus product name into Google and lookout for suspicious warnings against this site

  ---

  Explanation

• Question 695:

  As part of a college project, you have set up a web server for hosting your team's application. Given your interest in cybersecurity, you have taken the lead in securing the server. You are aware that hackers often attempt to exploit server misconfigurations. Which of the following actions would best protect your web server from potential misconfiguration-based attacks?

  A. Performing regular server configuration audits
  B. Enabling multi-factor authentication for users
  C. Implementing a firewall to filter traffic
  D. Regularly backing up server data
  A. Performing regular server configuration audits

  ---

  Explanation

  The action that would best protect your web server from potential misconfiguration-based attacks is performing regular server configuration audits. A server configuration audit is a process of reviewing and verifying the security settings and parameters of the server, such as user accounts, permissions, services, ports, protocols, files, directories, logs, and patches. A server configuration audit can help you to identify and fix any security misconfigurations that may expose your server to attacks, such as using default credentials, enabling unnecessary services, leaving open ports, or missing security updates. A server configuration audit can also help you to comply with the security standards and best practices for your server, such as the CIS Benchmarks or the OWASP Secure Configuration Guide12.

  The other options are not as effective as option A for the following reasons:

  B. Enabling multi-factor authentication for users: This option is not relevant because it does not address the server misconfiguration issue, but the user authentication issue. Multi-factor authentication is a method of verifying the identity of the users by requiring them to provide two or more pieces of evidence, such as a password, a code, or a biometric factor. Multi-factor authentication can enhance the security of the user accounts and prevent unauthorized access, but it does not prevent the server from

  being attacked due to misconfigured settings or parameters3.

  C. Implementing a firewall to filter traffic: This option is not sufficient because it does not prevent the server from being misconfigured, but only limits the exposure of the server to the network. A firewall is a device or software that monitors and controls the incoming and outgoing network traffic based on predefined rules. A firewall can protect the server from external attacks by blocking or allowing certain ports, protocols, or IP addresses. However, a firewall cannot protect the server from internal attacks or

  from attacks that exploit the allowed traffic. Moreover, a firewall itself can be misconfigured and cause security issues4.

  D. Regularly backing up server data: This option is not preventive but reactive, as it does not protect the server from being attacked, but only helps to recover the data in case of an attack. Backing up server data is a process of creating and storing copies of the data on the server, such as files, databases, or configurations. Backing up server data can help you to restore the data in case of data loss, corruption, or deletion due to an attack. However, backing up server data does not prevent the server from

  being attacked in the first place, and it does not fix the security misconfigurations that may have caused the attack5.

  References:

  1: Server Configuration Audit - an overview | ScienceDirect Topics 2: Secure Configuration Guide - OWASP Foundation 3: Multi-factor authentication - Wikipedia 4: Firewall (computing) - Wikipedia 5: Backup - Wikipedia

• Question 696:

  Richard, an attacker, targets an MNC. In this process, he uses a footprinting technique to gather as much information as possible. Using this technique, he gathers domain information such as the target domain name, contact details of its owner, expiry date, and creation date. With this information, he creates a map of the organization's network and misleads domain owners with social engineering to obtain internal details of its network.

  What type of footprinting technique is employed by Richard?

  A. VPN footprinting
  B. Email footprinting
  C. VoIP footprinting
  D. Whois footprinting
  D. Whois footprinting

  ---

  Explanation

  Whois footprinting is a reconnaissance technique used by attackers and penetration testers to gather publicly available information about domain names. By performing a Whois lookup, one can retrieve:

  Domain registrant details (name, email, phone, and address)

  Domain registration and expiry dates

  Name servers and registrar information

  Administrative and technical contact data

  According to CEH v13:

  Whois databases are maintained by Internet registrars and can be queried through tools like whois lookup or websites such as https://whois.domaintools.com.

  This information helps attackers build a profile of the organization, identify potential social engineering targets, and even understand domain structure for further attacks.

  Incorrect Options:

  A. VPN footprinting refers to identifying VPN gateways or configurations - not related to domain data.

  B. Email footprinting involves gathering information from or about email systems.

  C. VoIP footprinting targets IP-based telephony systems, such as SIP endpoints.

  CEH v13 Official Courseware:

  Module 02: Footprinting and Reconnaissance

  Section: "WHOIS Footprinting"

  Tools: Whois lookup tools, ICANN WHOIS, DomainTools

• Question 697:

  A payload drops a database table by injecting ; DROP TABLE users; --. What SQL injection method was used?

  A. Piggybacked queries
  B. UNION-based SQL injection
  C. Boolean-based SQL injection
  D. Error-based SQL injection
  A. Piggybacked queries

  ---

  Explanation

  This attack is a classic example of Piggybacked SQL Injection , covered in CEH v13 Web Application Hacking . Piggybacked queries allow attackers to append additional malicious SQL commands to an existing query using a delimiter such as a semicolon.

  The payload executes the original query followed by a destructive command (DROP TABLE). UNION-based injections retrieve data, Boolean-based injections infer logic, and error-based injections rely on error messages-not destructive execution.

  CEH v13 explicitly describes piggybacked queries as capable of data destruction and privilege escalation , making Option A correct.

• Question 698:

  Which wireless security protocol replaces the personal pre-shared key (PSK) authentication with Simultaneous Authentication of Equals (SAE) and is therefore resistant to offline dictionary attacks?

  A. WPA3-Personal
  B. WPA2-Enterprise
  C. Bluetooth
  D. ZigBee
  A. WPA3-Personal

  ---

  Explanation

  In CEH v13 Module 11: Hacking Wireless Networks, WPA3-Personal is discussed as the latest wireless encryption standard designed to address the weaknesses of WPA2, particularly PSK brute-force vulnerabilities.

  Key Features of WPA3-Personal:

  Replaces the pre-shared key (PSK) with Simultaneous Authentication of Equals (SAE), also known as the Dragonfly Key Exchange.

  SAE performs a zero-knowledge proof which makes it resistant to offline dictionary attacks.

  Even if attackers capture the handshake, they cannot use it to brute-force passwords offline.

  Option Clarification:

  A. WPA3-Personal: Correct - uses SAE instead of PSK.

  B. WPA2-Enterprise: Uses 802.1X, not related to SAE.

  C. Bluetooth: Wireless protocol but unrelated to SAE or WPA.

  D. ZigBee: IoT protocol; unrelated to Wi-Fi security protocols.

  Module 11 - WPA3 and SAE (Simultaneous Authentication of Equals)

  CEH eBook: Wi-Fi Authentication Enhancements

• Question 699:

  A penetration tester finds that a web application does not properly validate user input and is vulnerable to reflected Cross-Site Scripting (XSS). What is the most appropriate approach to exploit this vulnerability?

  A. Perform a brute-force attack on the user login form to steal credentials
  B. Embed a malicious script in a URL and trick a user into clicking the link
  C. Inject a SQL query into the search form to attempt SQL injection
  D. Use directory traversal to access sensitive files on the server
  B. Embed a malicious script in a URL and trick a user into clicking the link

  ---

  Explanation

  CEH v13 explains that reflected XSS occurs when malicious input supplied by an attacker is immediately returned in the HTTP response without sanitization. This type of XSS is typically exploited through a crafted URL containing embedded JavaScript payloads. When a victim clicks the link, the vulnerable server reflects the injected script back to the browser, executing it within the user's session context. CEH emphasizes that reflected XSS relies on social engineering to deliver the payload, often via links sent through email, messaging platforms, or compromised pages. The goal may include stealing session cookies, redirecting users, or manipulating page content. Brute-forcing credentials (Option A) has no relation to XSS. SQL injection (Option C) targets backend databases, not client-side script execution. Directory traversal (Option D) concerns file path manipulation, not dynamic script injection. Therefore, embedding a malicious script in a URL is the correct method to exploit reflected XSS.

• Question 700:

  An IoT traffic light shows anomalous traffic to an external IP and has an open port. What should be your next step?

  A. Attempt reverse connections
  B. Isolate the device and investigate firmware
  C. Modify firewall rules only
  D. Conduct full network penetration testing
  B. Isolate the device and investigate firmware

  ---

  Explanation

  CEH v13 emphasizes that IoT and smart city environments are highly sensitive and safety-critical. When an IoT device shows anomalous outbound traffic and unauthorized open ports, this strongly indicates device compromise .

  The correct immediate response is to isolate the affected device to prevent lateral movement and protect public safety. CEH v13 further stresses the importance of firmware analysis , as IoT malware often resides at the firmware level to maintain persistence.

  Attempting reverse connections (Option A) is risky and may violate operational safety. Firewall changes alone (Option C) do not address an already compromised device. A full penetration test (Option D) is appropriate later but not as an immediate containment step.

  Therefore, Option B aligns with CEH v13 incident handling best practices for IoT and OT environments.