EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 721:

  Attempting an injection attack on a web server based on responses to True/False QUESTION NO:s is called which of the following?

  A. Compound SQLi
  B. Blind SQLi
  C. Classic SQLi
  D. DMS-specific SQLi
  B. Blind SQLi

  ---

  Explanation

  https://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection

  Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack has traditionally been considered time-intensive because a new statement needed to be crafted for each bit recovered, and depending on its structure, the attack may consist of many unsuccessful requests. Recent advancements have allowed each request to recover multiple bits, with no unsuccessful requests, allowing for more consistent and efficient extraction.

• Question 722:

  The network in ABC company is using the network address 192.168.1.64 with mask 255.255.255.192. In the network the servers are in the addresses 192.168.1.122, 192.168.1.123 and 192.168.1.124. An attacker is trying to find those servers but he cannot see them in his scanning. The command he is using is: nmap 192.168.1.64/28.

  Why he cannot see the servers?

  A. He needs to add the command ""ip address"" just before the IP address
  B. He needs to change the address to 192.168.1.0 with the same mask
  C. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range
  D. The network must be dawn and the nmap command and IP address are ok
  C. He is scanning from 192.168.1.64 to 192.168.1.78 because of the mask /28 and the servers are not in that range

  ---

  Explanation

  https://en.wikipedia.org/wiki/Subnetwork

  This is a fairly simple question. You must to understand what a subnet mask is and how it works.

  A subnetwork or subnet is a logical subdivision of an IP network.The practice of dividing a network into two or more networks is called subnetting.

  Computers that belong to the same subnet are addressed with an identical most-significant bit-group in their IP addresses. This results in the logical division of an IP address into two fields: the network number or routing prefix and the rest field or host identifier. The rest field is an identifier for a specific host or network interface.

  The routing prefix may be expressed in Classless Inter-Domain Routing (CIDR) notation written as the first address of a network, followed by a slash character (/), and ending with the bit-length of the prefix. For example, 198.51.100.0/24 is the prefix of the Internet Protocol version 4 network starting at the given address, having 24 bits allocated for the network prefix, and the remaining 8 bits reserved for host addressing. Addresses in the range 198.51.100.0 to 198.51.100.255 belong to this network. The IPv6 address specification 2001:db8::/32 is a large address block with 296 addresses, having a 32-bit routing prefix.

  For IPv4, a network may also be characterized by its subnet mask or netmask, which is the bitmask that when applied by a bitwise AND operation to any IP address in the network, yields the routing prefix. Subnet masks are also expressed in dot-decimal notation like an address. For example, 255.255.255.0 is the subnet mask for the prefix 198.51.100.0/24.

• Question 723:

  John, a professional hacker, targeted an organization that uses LDAP for accessing distributed directory services. He used an automated tool to anonymously query the IDAP service for sensitive information such as usernames. addresses, departmental details, and server names to launch further attacks on the target organization.

  What is the tool employed by John to gather information from the IDAP service?

  A. jxplorer
  B. Zabasearch
  C. EarthExplorer
  D. Ike-scan
  A. jxplorer

  ---

  Explanation

  JXplorer could be a cross platform LDAP browser and editor. it's a standards compliant general purpose LDAP client which will be used to search, scan and edit any commonplace LDAP directory, or any directory service with an LDAP or DSML interface.

  It is extremely flexible and can be extended and custom in a very number of the way. JXplorer is written in java, and also the source code and source code build system ar obtainable via svn or as a packaged build for users who wish to experiment or any develop the program.

  JX is is available in 2 versions; the free open source version under an OSI Apache two style licence, or within the JXWorkBench Enterprise bundle with inbuilt reporting, administrative and security tools. JX has been through a number of different versions since its creation in 1999; the foremost recent stable release is version 3.3.1, the August 2013 release.

  JXplorer could be a absolutely useful LDAP consumer with advanced security integration and support for the harder and obscure elements of the LDAP protocol. it's been tested on Windows, Solaris, linux and OSX, packages are obtainable for HPUX, AIX, BSD and it should run on any java supporting OS.

• Question 724:

  You are a penetration tester working to test the user awareness of the employees of the client xyz. You harvested two employees' emails from some public sources and are creating a client-side backdoor to send it to the employees via email. Which stage of the cyber kill chain are you at?

  A. Reconnaissance
  B. Command and control
  C. Weaponization
  D. Exploitation
  C. Weaponization

  ---

  Explanation

  The adversary analyzes the data collected in the previous stage to identify the

  vulnerabilities and techniques that can exploit and gain unauthorized access to the

  target organization. Based on the vulnerabilities identified during analysis, the adversary

  selects or creates a tailored deliverable malicious payload (remote-access malware

  weapon) using an exploit and a backdoor to send it to the victim. An adversary may

  target specific network devices, operating systems, endpoint devices, or even

  individuals within the organization to carry out their attack. For example, the adversary

  may send a phishing email to an employee of the target organization, which may include a malicious attachment such as a virus or worm that, when downloaded, installs a backdoor on the system that allows remote access to the adversary. The following are the activities of the adversary: o Identifying appropriate malware payload based on the analysis o Creating a new malware payload or selecting, reusing, modifying the available malware payloads based on the identified vulnerability

  Creating a phishing email campaign o Leveraging exploit kits and botnets

  https://en.wikipedia.org/wiki/Kill_chain

  The Cyber Kill Chain consists of 7 steps: Reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally, actions on objectives. Below you can find detailed information on each.

  1. Reconnaissance: In this step, the attacker/intruder chooses their target. Then they conduct in-depth research on this target to identify its vulnerabilities that can be exploited.

  2. Weaponization: In this step, the intruder creates a malware weapon like a virus, worm, or such to exploit the target's vulnerabilities. Depending on the target and the purpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day exploits) or focus on a combination of different vulnerabilities.

  3. Delivery: This step involves transmitting the weapon to the target. The intruder/attacker can employ different USB drives, e-mail attachments, and websites for this purpose.

  4. Exploitation: In this step, the malware starts the action. The program code of the malware is triggered to exploit the target's vulnerability/vulnerabilities.

  5. Installation: In this step, the malware installs an access point for the intruder/attacker. This access point is also known as the backdoor.

  6. Command and Control: The malware gives the intruder/attacker access to the network/system.

  7. Actions on Objective: Once the attacker/intruder gains persistent access, they finally take action to fulfill their purposes, such as encryption for ransom, data exfiltration, or even data destruction.

• Question 725:

  A penetration tester completes a vulnerability scan showing multiple low-risk findings and one high-risk vulnerability tied to outdated server software. What should the tester prioritize as the next step?

  A. Perform a brute-force attack on the server to gain access
  B. Ignore the high-risk vulnerability and proceed with testing other systems
  C. Focus on exploiting the low-risk vulnerabilities first
  D. Verify if the high-risk vulnerability is exploitable by checking for known exploits
  D. Verify if the high-risk vulnerability is exploitable by checking for known exploits

  ---

  Explanation

  CEH methodology stresses prioritization based on risk, exploitability, and business impact. High-severity vulnerabilities-especially those related to outdated or unsupported server software-are frequently associated with known, publicly documented exploits. The proper next step after identifying such vulnerabilities is to confirm exploitability safely, typically by researching available exploit code, validating version-specific weaknesses, and determining whether the vulnerability can be successfully leveraged under the defined scope of engagement. CEH highlights that exploitation attempts must be evidence-driven, not arbitrary, and focusing on high-risk vulnerabilities allows testers to demonstrate meaningful security impacts. Brute-forcing (Option A) is unnecessary and high-noise. Ignoring or deprioritizing the high-risk finding (Options B and C) contradicts CEH risk-based assessment principles. Therefore, verifying exploitability of the high-risk vulnerability is the correct step.

• Question 726:

  Customer data in a cloud environment was exposed due to an unknown vulnerability. What is the most likely cause?

  A. Misconfigured security groups
  B. Brute force attack
  C. DoS attack
  D. Side-channel attack
  A. Misconfigured security groups

  ---

  Explanation

  CEH v13 identifies misconfigured cloud security groups as the leading cause of cloud data exposure . Open ports, public storage buckets, and overly permissive firewall rules frequently expose sensitive data.

  Brute force and DoS do not directly expose stored data, and side-channel attacks are rare and advanced.

• Question 727:

  As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security?

  A. Use the same machines for DNS and other applications
  B. Harden DNS servers
  C. Use split-horizon operation for DNS servers
  D. Restrict Zone transfers
  E. Have subnet diversity between DNS servers
  B. Harden DNS servers
  C. Use split-horizon operation for DNS servers
  D. Restrict Zone transfers
  E. Have subnet diversity between DNS servers

  ---

  Explanation

  To secure DNS infrastructure, best practices include:

  B. Harden DNS Servers: Disable unused services, apply patches, implement secure configurations.

  C. Use Split-Horizon DNS: Present different DNS data to internal vs. external users to prevent data leakage.

  D. Restrict Zone Transfers: Prevent unauthorized replication of zone data using IP-based access control or TSIG.

  E. Subnet Diversity: Place DNS servers on different subnets or networks to enhance resilience.

  From CEH v13 Official Courseware:

  Module 3: Scanning Networks

  Module 20: Cryptography

  Incorrect Option:

  A: Hosting DNS on multi-purpose servers increases the attack surface and violates security best practices.

  CEH v13 Study Guide Module 3: DNS Hardeningand; Zone Transfer SecurityNIST SP 800-81r2 -Secure Domain Name System Deployment Guide

• Question 728:

  You are a cybersecurity analyst at a global banking corporation and suspect a backdoor attack due to abnormal outbound traffic during non-working hours, unexplained reboots, and modified system files. Which combination of measures would be most effective to accurately identify and neutralize the backdoor while ensuring system integrity?

  A. Review firewall logs, analyze traffic, and immediately reboot systems
  B. Monitor system and file activity, apply anomaly detection, and use advanced anti-malware tools
  C. Enforce strong passwords, MFA, and regular vulnerability assessments
  D. Apply ACLs, patch systems, and audit user privileges
  B. Monitor system and file activity, apply anomaly detection, and use advanced anti-malware tools

  ---

  Explanation

  According to CEH v13 Security Operations and Incident Response , backdoors are stealth mechanisms that allow attackers persistent access. Indicators such as unexplained outbound traffic, unauthorized file modifications, and irregular reboots strongly suggest post-compromise persistence mechanisms . CEH v13 recommends a behavioral and host-based detection approach for backdoor identification. Continuous monitoring of system and file activity helps detect unauthorized binaries, registry changes, and scheduled tasks. Anomaly detection identifies deviations from normal system behavior, which is critical for uncovering hidden backdoors that evade signature-based detection.

  Additionally, advanced anti-malware tools with heuristic and memory analysis capabilities are essential to identify sophisticated backdoors that traditional antivirus may miss. These tools can detect rootkits, fileless persistence, and covert communication channels.

  The other options are preventative but not investigative. Immediate reboots may destroy volatile evidence, while password policies and ACLs do not detect existing compromises. Therefore, option B provides the most effective and CEH-aligned response.

• Question 729:

  What does a firewall check to prevent particular ports and applications from getting packets into an organization?

  A. Transport layer port numbers and application layer headers
  B. Presentation layer headers and the session layer port numbers
  C. Network layer headers and the session layer port numbers
  D. Application layer port numbers and the transport layer headers
  A. Transport layer port numbers and application layer headers

  ---

  Explanation

  Firewalls primarily operate at Layer 3 (Network) and Layer 4 (Transport) of the OSI model. They inspect:

  IP headers (Layer 3)

  TCP/UDP port numbers (Layer 4)

  Application-specific data in Layer 7-aware firewalls (for application filtering)

  By examining transport layer port numbers and application layer headers, firewalls can block or allow traffic based on services like HTTP (port 80), FTP (port 21), and others.

  CEH v13 Official Study Guide:

  Module 13: Evading IDS, Firewalls, and Honeypots

  Quote:

  "Firewalls filter traffic based on IP addresses, transport-layer port numbers, and application protocol headers to control access to services and applications."

  Incorrect Options:

  B and C. Presentation and session layers are not relevant to firewall rule inspection.

  D. Application layer doesn't have port numbers; they are part of the transport layer.

• Question 730:

  The security team of Debry Inc. decided to upgrade Wi-Fi security to thwart attacks such as dictionary attacks and key recovery attacks. For this purpose, the security team started implementing cutting-edge technology that uses a modern key establishment protocol called the simultaneous authentication of equals (SAE), also known as dragonfly key exchange, which replaces the PSK concept.

  What is the Wi-Fi encryption technology implemented by Debry Inc.?

  A. WEP
  B. WPA
  C. WPA2
  D. WPA3
  D. WPA3

  ---

  Explanation

  In CEH v13 Module 11: Hacking Wireless Networks, WPA3 is presented as the latest Wi-Fi security protocol, and it includes:

  Simultaneous Authentication of Equals (SAE) protocol -- a more secure key exchange mechanism.

  Replaces WPA2's Pre-Shared Key (PSK) method to prevent dictionary and key recovery attacks.

  SAE (a.k.a. Dragonfly) prevents attackers from capturing handshakes for offline cracking.

  Option Clarification:

  A. WEP: Obsolete and weak.

  B. WPA: Early improvement over WEP, still vulnerable.

  C. WPA2: Uses PSK and vulnerable to key reinstallation attacks (KRACK).

  D. WPA3: Correct - uses SAE/Dragonfly, resistant to known attacks.

  Module 11 - Wi-Fi Security Protocols: WPA3 and SAE

  CEH iLabs: WPA3 Setup and Dictionary Attack Prevention