EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 731:

  A multinational organization is implementing a security upgrade for its corporate wireless infrastructure. The current WPA2-Personal configuration relies on a shared passphrase, which the IT team finds difficult to rotate and manage securely across hundreds of employee devices. To enhance security and scalability, the organization decides to migrate to WPA2-Enterprise. The new setup must allow for centralized control of user authentication, support certificate-based identity verification, and ensure that each authenticated client is assigned a unique session encryption key to prevent key reuse and limit the blast radius of potential breaches.

  Which component is essential for enabling this centralized, certificate-based authentication with unique key generation per session in a WPA2-Enterprise environment?

  A. Opportunistic Wireless Encryption (OWE)
  B. Pre-Shared Key (PSK)
  C. Temporal Key Integrity Protocol (TKIP)
  D. RADIUS with Extensible Authentication Protocol (EAP)
  D. RADIUS with Extensible Authentication Protocol (EAP)

  ---

  Explanation

  CEH v13 explains that WPA2-Enterprise replaces the static, shared password model of WPA2-Personal with a centralized authentication system that relies on the 802.1X framework. The essential component of this architecture is RADIUS integrated with EAP , which manages user authentication, device identity verification, and dynamic session key generation. RADIUS acts as the backend authentication server, while EAP provides a flexible authentication framework supporting certificates, smartcards, or credentials. This combination allows organizations to enforce per-user access control policies, revoke individual users without changing network-wide passwords, and generate unique Pairwise Master Keys (PMKs) for every authenticated session. CEH highlights that one of the major advantages of WPA2-Enterprise is its ability to produce unique encryption keys for each client, preventing key reuse and mitigating lateral movement if one device is compromised. Certificate-based EAP types such as EAP-TLS introduce mutual authentication, ensuring both client and server validate each other's identity before allowing network access. This significantly increases security posture compared to PSK networks, which cannot scale securely for large enterprise deployments.

• Question 732:

  A post-breach forensic investigation revealed that a known vulnerability in Apache Struts was to blame for the Equifax data breach that affected 143 million customers. A fix was available from the software vendor for several months prior 10 the Intrusion. This Is likely a failure in which of the following security processes?

  A. vendor risk management
  B. Security awareness training
  C. Secure deployment lifecycle
  D. Patch management
  D. Patch management

  ---

  Explanation

  Patch management is that the method that helps acquire, test and install multiple patches (code changes) on existing applications and software tools on a pc, enabling systems to remain updated on existing patches and determining that patches are the suitable ones. Managing patches so becomes simple and simple.

  Patch Management is usually done by software system firms as a part of their internal efforts to mend problems with the various versions of software system programs and also to assist analyze existing software system programs and discover any potential lack of security features or different upgrades.

  Software patches help fix those problems that exist and are detected solely once the software's initial unharness. Patches mostly concern security while there are some patches that concern the particular practicality of programs as well.

• Question 733:

  Attacker Lauren has gained the credentials of an organization's internal server system, and she was often logging in during irregular times to monitor the network activities. The organization was skeptical about the login times and appointed security professional Robert to determine the issue. Robert analyzed the compromised device to find incident details such as the type of attack, its severity, target, impact, method of propagation, and vulnerabilities exploited. What is the incident handling and response (IHandR) phase, in which Robert has determined these issues?

  A. Preparation
  B. Eradication
  C. Incident recording and assignment
  D. Incident triage
  D. Incident triage

  ---

  Explanation

  Incident Handling and Response Incident handling and response (IHandR) is the process of taking organized and careful steps when reacting to a security incident or cyberattack. Steps involved in the IHandR process: 3. Incident Triage - The IHandR team further analyzes the compromised device to find incident details such as the type of attack, its severity, target, impact, and method of propagation, and any vulnerabilities it exploited. (P.84/68)

• Question 734:

  Bob wants to ensure that Alice can check whether his message has been tampered with. He creates a checksum of the message and encrypts it using asymmetric cryptography. What key does Bob use to encrypt the checksum for accomplishing this goal?

  A. Alice's private key
  B. Alice's public key
  C. His own private key
  D. His own public key
  C. His own private key

  ---

  Explanation

  Bob wants Alice to verify that the message hasn't been tampered with. This is a use case for ensuring data integrity and authenticity. The process described matches the creation of a digital signature:

  Bob computes a checksum (typically a cryptographic hash) of the message.

  Then, he encrypts this checksum (hash) using his own private key.

  Alice receives the message and decrypts the checksum using Bob's public key.

  If the decrypted checksum matches the hash she computes from the received message, she confirms the message's integrity and authenticity.

  This is a fundamental principle of digital signatures.

  Incorrect Options:

  A. Alice's private key is never used by others; it's confidential.

  B. Encrypting with Alice's public key ensures confidentiality, not authenticity.

  D. Bob's public key is used by the receiver to verify authenticity, not for encryption in this context.

  CEH v13 Official Courseware:

  Module 20: Cryptography

  Section: "Digital Signatures"

  Subsection: "Using Private Keys to Sign and Public Keys to Verify"

  CEH Engage Lab: Email Signing and Verification

• Question 735:

  Samuel a security administrator, is assessing the configuration of a web server. He noticed that the server permits SSlv2 connections, and the same private key certificate is used on a different server that allows SSLv2 connections. This vulnerability makes the web server vulnerable to attacks as the SSLv2 server can leak key information.

  Which of the following attacks can be performed by exploiting the above vulnerability?

  A. DROWN attack
  B. Padding oracle attack
  C. Side-channel attack
  D. DUHK attack
  A. DROWN attack

  ---

  Explanation

  DROWN is a serious vulnerability that affects HTTPS and other services that deem SSL and TLS, some of the essential cryptographic protocols for net security. These protocols allow everyone on the net to browse the net, use email, look on-line, and send instant messages while not third-parties being able to browse the communication.

  DROWN allows attackers to break the encryption and read or steal sensitive communications, as well as passwords, credit card numbers, trade secrets, or financial data. At the time of public disclosure on March 2016, our measurements indicated thirty third of all HTTPS servers were vulnerable to the attack. fortuitously, the vulnerability is much less prevalent currently. As of 2019, SSL Labs estimates that one.2% of HTTPS servers are vulnerable.

  What will the attackers gain?

  Any communication between users and the server. This typically includes, however isn't limited to, usernames and passwords, credit card numbers, emails, instant messages, and sensitive documents. under some common scenarios, an attacker can also impersonate a secure web site and intercept or change the content the user sees.

  Who is vulnerable?

  Websites, mail servers, and other TLS-dependent services are in danger for the DROWN attack. At the time of public disclosure, many popular sites were affected. we used Internet-wide scanning to live how many sites are vulnerable:

  Operators of vulnerable servers got to take action. there's nothing practical that browsers or end-users will do on their own to protect against this attack.

  Is my site vulnerable?

  Modern servers and shoppers use the TLS encryption protocol. However, because of misconfigurations, several servers also still support SSLv2, a 1990s-era precursor to TLS. This support did not matter in practice, since no up-to-date clients really use SSLv2. Therefore, despite the fact that SSLv2 is thought to be badly insecure, until now, simply supporting SSLv2 wasn't thought of a security problem, is a clients never used it.

  DROWN shows that merely supporting SSLv2 may be a threat to fashionable servers and clients. It modern associate degree attacker to modern fashionable TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.

  A server is vulnerable to DROWN if:

  It allows SSLv2 connections. This is surprisingly common, due to misconfiguration and inappropriate default settings.

  Its private key is used on any other serverthat allows SSLv2 connections, even for another protocol. Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server.

  How do I protect my server?

  To protect against DROWN, server operators need to ensure that their private keys software used anyplace with server computer code that enables SSLv2 connections. This includes net servers, SMTP servers, IMAP and POP servers, and the other software that supports SSL/TLS.

  Disabling SSLv2 is difficult and depends on the particular server software. we offer instructions here for many common products:

  OpenSSL: OpenSSL may be a science library employed in several server merchandise. For users of OpenSSL, the simplest and recommended solution is to upgrade to a recent OpenSSL version. OpenSSL 1.0.2 users ought to upgrade to 1.0.2g. OpenSSL 1.0.1 users ought to upgrade to one.0.1s. Users of older OpenSSL versions ought to upgrade to either one in every of these versions. (Updated March thirteenth, 16:00 UTC) Microsoft IIS (Windows Server): Support for SSLv2 on the server aspect is enabled by default only on the OS versions that correspond to IIS 7.0 and IIS seven.5, particularly Windows scene, Windows Server 2008, Windows seven and Windows Server 2008R2. This support is disabled within the appropriate SSLv2 subkey for `Server', as outlined in KB245030. albeit users haven't taken the steps to disable SSLv2, the export-grade and 56-bit ciphers that build DROWN possible don't seem to be supported by default.

  Network Security Services (NSS): NSS may be a common science library designed into several server merchandise. NSS versions three.13 (released back in 2012) and higher than ought to have SSLv2 disabled by default. (A little variety of users might have enabled SSLv2 manually and can got to take steps to disable it.) Users of older versions ought to upgrade to a more moderen version. we tend to still advocate checking whether or not your non-public secret is exposed elsewhere

  Other affected software and in operation systems:

  Instructions and data for: Apache, Postfix, Nginx, Debian, Red Hat

  Browsers and other consumers: practical nothing practical that net browsers or different client computer code will do to stop DROWN. only server operators ar ready to take action to guard against the attack.

• Question 736:

  #!/usr/bin/python import socket buffer=["A"] counter=50

  while len(buffer)<=100:

  buffer.append("A"*counter) counter=counter+50 commands=["HELP","STATS","RTIME","LTIME","SRUN","TRUN","GMON","GDOG","KSTET"," GTER","HTER","LTER","KSTAN"]

  for command in commands:

  for buffstring in buffer:

  print "Exploiting " + command + ": " + str(len(buffstring)) s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) s .connect(('127.0.0.1', 9999)) s .recv(50) s .send(command + buffstring) s .close() What is the code written for?

  A. connect(('127.0.0.1', 9999))
  B. Buffer Overflow
  C. Bruteforce
  D. Encryption
  B. Buffer Overflow

  ---

  Explanation

  In CEH v13 Module 05: System Hacking, and in lab-based exploitation exercises, this is a classic fuzzer for buffer overflow testing.

  The script creates increasingly larger strings of "A" (50, 100, 150...).

  These are passed as arguments to different vulnerable commands on the target service (127.0.0.1:9999).

  The goal is to trigger a crash, typically when input exceeds buffer limits (i.e., buffer overflow).

  This is part of exploit development to identify the offset and locate the instruction pointer overwrite (EIP overwrite).

  CEH v13 Module 05 - Buffer Overflow Concepts

  CEH iLabs: Exploitation with Custom Fuzzers in Python

  EC-Council Exploit Development Lab Manual

• Question 737:

  During a penetration testing assignment, a Certified Ethical Hacker (CEH) used a set of scanning tools to create a profile of the target organization. The CEH wanted to scan for live hosts, open ports, and services on a target network. He used Nmap for network inventory and Hping3 for network security auditing. However, he wanted to spoof IP addresses for anonymity during probing. Which command should the CEH use to perform this task?

  A. Hping3 -110.0.0.25 --ICMP
  B. Nmap -sS -Pn -n -vw --packet-trace -p- --script discovery -T4
  C. Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 -flood
  D. Hping3-210.0.0.25-p 80
  C. Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 -flood

  ---

  Explanation

  The command C. Hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 -flood is the correct one to spoof IP addresses for anonymity during probing. This command sends SYN packets (-S) to the target IP 192.168.1.1 with a spoofed source IP (-a) 192.168.1.254 on port 22 (-p) and floods the target with packets (-flood). This way, the CEH can hide his real IP address and avoid detection by the target's firewall or IDS12.

  The other commands are incorrect for the following reasons:

  A. Hping3 -110.0.0.25 --ICMP: This command sends ICMP packets (-ICMP) to the target IP 10.0.0.25, but does not spoof the source IP. Therefore, the CEH's real IP address will be exposed to the target.

  B. Nmap -sS -Pn -n -vw --packet-trace -p- --script discovery -T4: This command performs a stealthy SYN scan (-sS) on all ports (-p-) of the target without pinging it (-Pn) or resolving DNS names (-n). It also enables verbose output (-v), packet tracing (-packet-trace), and discovery scripts (-script discovery) with an aggressive timing (-T4). However, this command does not spoof the source IP, and in fact, reveals more information about the scan to the target by using packet tracing and discovery scripts. D.

  Hping3-210.0.0.25-p 80: This command sends TCP packets (default) to the target IP 10.0.0.25 on port 80 (- p), but does not spoof the source IP. Therefore, the CEH's real IP address will be exposed to the target.

  References:

  1: Master hping3 and Enhance Your Network Strength | GoLinuxCloud

  2: Spoofing Packets with Hping3 - YouTube

• Question 738:

  A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway they are both on the 192.168.1.0 /24. Which of the following has occurred?

  A. The computer is not using a private IP address.
  B. The gateway is not routing to a public IP address.
  C. The gateway and the computer are not on the same network.
  D. The computer is using an invalid IP address.
  B. The gateway is not routing to a public IP address.

  ---

  Explanation

  https://en.wikipedia.org/wiki/Private_network

  In IP networking, a private network is a computer network that uses private IP address space. Both the IPv4 and the IPv6 specifications define private IP address ranges. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments.

  Private network addresses are not allocated to any specific organization. Anyone may use these addresses without approval from regional or local Internet registries. Private IP address spaces were originally defined to assist in delaying IPv4 address exhaustion. IP packets originating from or addressed to a private IP address cannot be routed through the public Internet.

  The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to reserve the following IPv4 address ranges for private networks:

  10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255

  Backbone routers do not allow packets from or to internal IP addresses. That is, intranet machines, if no measures are taken, are isolated from the Internet. However, several technologies allow such machines to connect to the Internet.

  1. Mediation servers like IRC, Usenet, SMTP and Proxy server 2. Network address translation (NAT) 3. Tunneling protocol

  NOTE: So, the problem is just one of these technologies.

• Question 739:

  Which advanced session hijacking technique is the most difficult to detect and mitigate?

  A. Credential stuffing
  B. Clickjacking
  C. CSRF
  D. Session replay attack
  D. Session replay attack

  ---

  Explanation

  Session Replay Attacks are highlighted in CEH v13 Web Application Hacking as one of the most sophisticated and difficult-to-detect session hijacking techniques. In this attack, adversaries capture valid session tokens or encrypted session identifiers and replay them to impersonate legitimate users.

  Unlike credential stuffing, which relies on login attempts and can be detected through authentication anomalies, session replay occurs after authentication , using legitimate session artifacts. Clickjacking and CSRF manipulate user interactions but do not directly hijack session tokens.

  CEH v13 explains that session replay attacks are especially dangerous in environments where session tokens are predictable, long-lived, or improperly bound to client attributes such as IP address or device fingerprint. Because the attacker reuses valid session data, traditional detection mechanisms often fail.

  The replayed session appears legitimate to the server, making fraud detection extremely difficult without advanced behavioral analytics. This makes session replay attacks particularly effective in online retail environments where transactions are frequent and time-sensitive. Thus, Option D correctly identifies the most challenging attack.

• Question 740:

  Calvin, a software developer, uses a feature that helps him auto-generate the content of a web page without manual involvement and is integrated with SSI directives. This leads to a vulnerability in the developed web application as this feature accepts remote user inputs and uses them on the page. Hackers can exploit this feature and pass malicious SSI directives as input values to perform malicious activities such as modifying and erasing server files. What is the type of injection attack Calvin's web application is susceptible to?

  A. Server-side template injection
  B. Server-side JS injection
  C. CRLF injection
  D. Server-side includes injection
  D. Server-side includes injection

  ---

  Explanation

  The scenario describes an injection attack involving Server Side Includes (SSI). SSI directives are instructions placed in web pages that are executed by the web server before the page is sent to the user. If user input is improperly validated and directly used in an SSI-enabled environment, attackers can inject malicious SSI directives (such as file manipulation commands).

  From CEH v13 Official Courseware:

  Server-Side Includes (SSI) Injection occurs when attackers submit specially crafted input that is included in server responses and interpreted as SSI directives.

  These directives can perform dangerous actions like:

  Reading sensitive files (e.g., /etc/passwd)

  Deleting or modifying files

  Running shell commands via #exec directive

  Incorrect options:

  A. Server-side template injection is related to template engines like Jinja2 or Twig.

  B. Server-side JS injection applies to environments like Node.js.

  C. CRLF injection manipulates HTTP headers, not SSI parsing.

  CEH v13 Official Courseware:

  Module 14: Hacking Web Applications

  Section: "Injection Flaws"

  Subsection: "SSI Injection"

  Lab Reference: CEH iLabs - Web Application Exploitation