EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 751:

  A friend of yours tells you that he downloaded and executed a file that was sent to him by a coworker. Since the file did nothing when executed, he asks you for help because he suspects that he may have installed a Trojan on his computer.

  What tests would you perform to determine whether his computer is infected?

  A. Use ExifTool and check for malicious content.
  B. You do not check; rather, you immediately restore a previous snapshot of the operating system.
  C. Upload the file to VirusTotal.
  D. Use netstat and check for outgoing connections to strange IP addresses or domains.
  D. Use netstat and check for outgoing connections to strange IP addresses or domains.

  ---

  Explanation

  According to CEH v13 Module 06: Malware Threats, when analyzing suspicious system behavior or investigating a suspected Trojan infection, a common and effective approach is to:

  Monitor system activity and network behavior using tools like netstat, Wireshark, and TCPView.

  Trojans often create covert channels or backdoors for remote access, which can be identified through unexpected or unauthorized outgoing connections to remote IP addresses or domains.

  Using netstat -an or netstat -ano helps identify open ports and active connections, and checking these against known IPs can indicate whether a Trojan is communicating with a Command and Control (CandC) server.

  Analysis of Each Option:

  A. Use ExifTool and check for malicious content

  Incorrect. ExifTool is primarily used for extracting metadata from files, especially images and documents. It is not effective for analyzing executable malware or system behavior post-execution.

  B. You do not check; rather, you immediately restore a previous snapshot of the operating system Incorrect. While restoring from a snapshot might eventually be required, immediate restoration without diagnosis is not a recommended or forensically sound first step. It also prevents root cause analysis.

  C. Upload the file to VirusTotal

  Partially correct but not sufficient. While uploading the file to VirusTotal is a good step to confirm if the file is known malware, it does not identify whether the machine is currently infected or actively compromised.

  D. Use netstat and check for outgoing connections to strange IP addresses or domains

  Correct. This method helps detect if the system is making suspicious external connections that are common in Trojan infections.

  Reference from CEH v13 Study Guide and Course Materials:

  CEH v13 Official Module 06 - Malware Threats, Section: Types of Malware - Trojans, and System Monitoring Tools

  CEH v13 eCourseware Lab Manual: "Detecting Trojan Activity using netstat and TCPView"

  CEH Engage Range: Malware Investigation Phase - Trojan Behavior Detection

• Question 752:

  The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access- list.

  You successfully brute-force the SNMP community string using a SNMP crack tool.

  The access-list prevents you from establishing a successful connection.

  You want to retrieve the Cisco configuration from the router. How would you proceed?

  A. Use the Cisco's TFTP default password to connect and download the configuration file
  B. Run a network sniffer and capture the returned traffic with the configuration file from the router
  C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address
  D. Send a customized SNMP set request with a spoofed source IP address in the range -192.168.1.0
  D. Send a customized SNMP set request with a spoofed source IP address in the range -192.168.1.0

  ---

  Explanation

  If SNMP access is restricted to specific IP addresses (e.g., 192.168.1.0/24), you can bypass access controls by:

  Spoofing the source IP to fall within that allowed range.

  Using a SNMP set request to instruct the device (e.g., to copy its configuration to a TFTP server).

  This is a classic SNMP spoofing attack.

  From CEH v13 Courseware:

  Module 4: Enumeration # SNMP Enumeration Attacks

  CEH v13 Study Guide - Module 4: SNMP Attacks and Access ControlsCVE-1999-0517 - SNMP Default Community String Vulnerability

• Question 753:

  As a newly appointed network security analyst, you are tasked with ensuring that the organization's network can detect and prevent evasion techniques used by attackers. One commonly used evasion technique is packet fragmentation , which is designed to bypass intrusion detection systems (IDS). Which IDS configuration should be implemented to effectively counter this technique?

  A. Implementing an anomaly-based IDS that can detect irregular traffic patterns caused by packet fragmentation.
  B. Adjusting the IDS to recognize regular intervals at which fragmented packets are sent.
  C. Configuring the IDS to reject all fragmented packets to eliminate the risk.
  D. Employing a signature-based IDS that recognizes the specific signature of fragmented packets.
  A. Implementing an anomaly-based IDS that can detect irregular traffic patterns caused by packet fragmentation.

  ---

  Explanation

  According to the Certified Ethical Hacker (CEH) IDS/IPS and Evasion Techniques module, packet fragmentation is a technique attackers use to split malicious payloads into smaller fragments so that signature-based IDS sensors may fail to reassemble and inspect the complete packet.

  CEH explains that anomaly-based IDS systems are more effective against fragmentation evasion because they analyze behavioral deviations rather than relying solely on known signatures. Fragmented traffic often deviates from baseline network behavior in terms of packet size, sequencing, and reassembly anomalies.

  Option A is correct because anomaly-based detection can identify abnormal fragmentation behavior even if the payload itself does not match known signatures.

  Option B is unreliable, as attackers do not use consistent intervals.

  Option C is impractical, since legitimate traffic may be fragmented.

  Option D is less effective because signature-based IDS systems can be bypassed by fragmentation techniques.

  CEH recommends packet normalization and anomaly-based detection as effective countermeasures.

• Question 754:

  What type of virus is most likely to remain undetected by antivirus software?

  A. Cavity virus
  B. Stealth virus
  C. File-extension virus
  D. Macro virus
  B. Stealth virus

  ---

  Explanation

  In CEH v13 Module 06: Malware Threats, stealth viruses are covered as advanced malware that can evade detection by:

  Intercepting system calls related to file access.

  Masking their presence in files, memory, or on disk.

  Restoring original code temporarily to fool signature-based scanners.

  These capabilities allow stealth viruses to:

  Avoid detection by antivirus scanners.

  Operate undisturbed until triggered.

  Option Clarification:

  A. Cavity virus: Hides in unused file space but doesn't evade as effectively.

  C. File-extension virus: Exploits deceptive file names but is often detected.

  D. Macro virus: Targets office documents, not highly evasive.

  Correct answer is B. Stealth virus.

  Module 06 Types of Malware # Stealth Techniques

  CEH iLabs: Simulating Stealth Malware and Evasion Tactics

• Question 755:

  Dorian Is sending a digitally signed email to Polly, with which key is Dorian signing this message and how is Poly validating It?

  A. Dorian is signing the message with his public key. and Poly will verify that the message came from Dorian by using Dorian's private key.
  B. Dorian Is signing the message with Polys public key. and Poly will verify that the message came from Dorian by using Dorian's public key.
  C. Dorian is signing the message with his private key. and Poly will verify that the message came from Dorian by using Dorian's public key.
  D. Dorian is signing the message with Polys private key. and Poly will verify mat the message came from Dorian by using Dorian's public key.
  C. Dorian is signing the message with his private key. and Poly will verify that the message came from Dorian by using Dorian's public key.

  ---

  Explanation

  https://blog.mailfence.com/how-do-digital-signatures-work/

  https://en.wikipedia.org/wiki/Digital_signature

  A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. It's the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent security. A digital signature is intended to solve the problem of tampering and impersonation in digital communications.

  Digital signatures can provide evidence of origin, identity, and status of electronic documents, transactions, or digital messages. Signers can also use them to acknowledge informed consent.

  Digital signatures are based on public-key cryptography, also known as asymmetric cryptography. Two keys are generated using a public key algorithm, such as RSA (Rivest-Shamir-Adleman), creating a mathematically linked pair of keys, one private and one public.

  Digital signatures work through public-key cryptography's two mutually authenticating cryptographic keys. The individual who creates the digital signature uses a private key to encrypt signature-related data, while the only way to decrypt that data is with the signer's public key.

• Question 756:

  jane invites her friends Alice and John over for a LAN party. Alice and John access Jane's wireless network without a password. However. Jane has a long, complex password on her router. What attack has likely occurred?

  A. Wireless sniffing
  B. Piggybacking
  C. Evil twin
  D. Wardriving
  C. Evil twin

  ---

  Explanation

  An evil twin may be a fraudulent Wi-Fi access point that appears to be legitimate but is about up to pay attention to wireless communications.[1] The evil twin is that the wireless LAN equivalent of the phishing scam.

  This type of attack could also be wont to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves fixing a fraudulent internet site and luring people there.

  The attacker snoops on Internet traffic employing a bogus wireless access point. Unwitting web users could also be invited to log into the attacker's server, prompting them to enter sensitive information like usernames and passwords. Often, users are unaware they need been duped until well after the incident has occurred.

  When users log into unsecured (non-HTTPS) bank or e-mail accounts, the attacker intercepts the transaction, since it's sent through their equipment. The attacker is additionally ready to hook up with other networks related to the users' credentials.

  Fake access points are found out by configuring a wireless card to act as an access point (known as HostAP). they're hard to trace since they will be shut off instantly. The counterfeit access point could also be given an equivalent SSID and BSSID as a close-by Wi-Fi network. The evil twin are often configured to pass Internet traffic through to the legitimate access point while monitoring the victim's connection, or it can simply say the system is temporarily unavailable after obtaining a username and password.

• Question 757:

  George is a security professional working for iTech Solutions. He was tasked with securely transferring sensitive data of the organization between industrial systems. In this process, he used a short-range communication protocol based on the IEEE 203.15.4 standard. This protocol is used in devices that transfer data infrequently at a low rate in a restricted area, within a range of 10-100 m. What is the short-range wireless communication technology George employed in the above scenario?

  A. MQTT
  B. LPWAN
  C. Zigbee
  D. NB-IoT
  C. Zigbee

  ---

  Explanation

  Zigbee could be a wireless technology developed as associate open international normal to deal with the unique desires of affordable, low-power wireless IoT networks. The Zigbee normal operates on the IEEE 802.15.4 physical radio specification and operates in unauthorised bands as well as a pair of.4 GHz, 900 MHz and 868 MHz. The 802.15.4 specification upon that the Zigbee stack operates gained confirmation by the Institute of Electrical and physical science Engineers (IEEE) in 2003. The specification could be a packet-based radio protocol supposed for affordable, battery-operated devices. The protocol permits devices to speak in an exceedingly kind of network topologies and may have battery life lasting many years.

  The Zigbee three.0 Protocol

  The Zigbee protocol has been created and ratified by member corporations of the Zigbee Alliance.Over three hundred leading semiconductor makers, technology corporations, OEMs and repair corporations comprise the Zigbee Alliance membership. The Zigbee protocol was designed to supply associate easy-to-use wireless information answer characterised by secure, reliable wireless network architectures.

  THE ZIGBEE ADVANTAGE

  The Zigbee 3.0 protocol is intended to speak information through rip-roaring RF environments that area unit common in business and industrial applications. Version 3.0 builds on the prevailing Zigbee normal however unifies the market-specific application profiles to permit all devices to be wirelessly connected within the same network, no matter their market designation and performance. what is more, a Zigbee 3.0 certification theme ensures the ability of product from completely different makers.

  Connecting Zigbee three.0 networks to the information science domain unveil observance and management from devices like smartphones and tablets on a local area network or WAN, as well as the web, and brings verity net of Things to fruition.

  Zigbee protocol options include:

  Support for multiple network topologies like point-to-point, point-to-multipoint and mesh networks

  Low duty cycle - provides long battery life

  Low latency

  Direct Sequence unfold Spectrum (DSSS)

  Up to 65,000 nodes per network

  128-bit AES encryption for secure information connections

  Collision avoidance, retries and acknowledgements

  This is another short-range communication protocol based on the IEEE 203.15.4 standard. Zig-Bee is used in devices that transfer data infrequently at a low rate in a restricted area and within a range of 10?00 m.

• Question 758:

  Shiela is an information security analyst working at HiTech Security Solutions. She is performing service version discovery using Nmap to obtain information about the running services and their versions on a target system.

  Which of the following Nmap options must she use to perform service version discovery on the target host?

  A. -SN
  B. -SX
  C. -sV
  D. -SF
  C. -sV

  ---

  Explanation

  In CEH v13 Module 03: Scanning Networks, service version detection is achieved using the -sV option in Nmap.

  -sV: Enables version detection of open ports by sending probes to determine the service name and version (e.

  g., Apache 2.4.49).

  Helps identify potential vulnerabilities in specific software versions.

  Option Clarification:

  A. -SN: Ping scan (host discovery only).

  B. -SX: Invalid/undefined option.

  C. -sV: Correct option for service version detection.

  D. -SF: Sends FIN packets (used in stealth scans), not for version discovery.

  Module 03 - Nmap Scan Types and Parameters

  CEH Labs: Version Scanning with Nmap (-sV option)

  Nmap Manual: https://nmap.org/book/man-version-detection.html

• Question 759:

  You need to deploy a new web-based software package for your organization. The package requires three separate servers and needs to be available on the Internet. What is the recommended architecture in terms of server placement?

  A. All three servers need to be placed internally
  B. A web server facing the Internet, an application server on the internal network, a database server on the internal network
  C. A web server and the database server facing the Internet, an application server on the internal network
  D. All three servers need to face the Internet so that they can communicate between themselves
  B. A web server facing the Internet, an application server on the internal network, a database server on the internal network

  ---

  Explanation

  The recommended architecture for secure web application deployment is a multi-tiered setup:

  Web server in the DMZ (public-facing)

  Application server on the internal network

  Database server on the internal network

  This design limits the exposure of critical components. Only the web server is exposed to the internet, while application and database servers are shielded by firewalls and only accessible internally.

  CEH v13 Official Study Guide:

  Module 10: Hacking Web Servers

  Quote:

  "Place the web server in the DMZ and keep the application and database servers within the internal network. This reduces the attack surface and provides layered security."

  Incorrect Options Explained:

  A. Internal placement makes them inaccessible externally.

  C and D. Exposing the database or all servers to the internet introduces significant risk.

• Question 760:

  Which technique is least useful during passive reconnaissance -

  A. WHOIS lookup
  B. Search engines
  C. Social media monitoring
  D. Nmap scanning
  D. Nmap scanning

  ---

  Explanation

  Passive reconnaissance involves gathering information without directly interacting with the target. WHOIS, search engines, and social media are all passive techniques highlighted in CEH v13 Reconnaissance .

  Nmap scanning, however, actively probes target systems and generates traffic that can be logged and detected. This makes it an active reconnaissance technique.