EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 761:

  The change of a hard drive failure is once every three years. The cost to buy a new hard drive is $300. It will require 10 hours to restore the OS and software to the new hard disk. It will require a further 4 hours to restore the database from the last backup to the new hard disk. The recovery person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF 1(100%). What is the closest approximate cost of this replacement and recovery operation per year?

  A. $1320
  B. $440
  C. $100
  D. $146
  D. $146

  ---

  Explanation

  1. AV (Asset value) $300 + (14 * $10) $440 - the cost of a hard drive plus the work of a recovery person, i.e.how much would it take to replace 1 asset? 10 hours for resorting the OS and soft + 4 hours for DB restore multiplies by hourly rate of the recovery person.

  2. SLE (Single Loss Expectancy) AV * EF (Exposure Factor) $440 * 1 $440 3. ARO (Annual rate of occurrence) 1/3 (every three years, meaning the probability of occurring during 1 years is 1/3) 4. ALE (Annual Loss Expectancy) SLE * ARO 0.33 * $440 $145.2

• Question 762:

  What information security law or standard aims at protecting stakeholders and the general public from accounting errors and fraudulent activities within organizations?

  A. PCI-DSS
  B. FISMA
  C. SOX
  D. ISO/IEC 27001:2013
  C. SOX

  ---

  Explanation

  SOX stands for Sarbanes-Oxley Act of 2002. It is a U.S. federal law enacted to protect shareholders and the general public from accounting errors and corporate fraud.

  Key points:

  Requires strict internal controls and financial disclosures in publicly traded companies.

  Mandates regular audits and IT security controls related to financial data.

  Applies especially to accounting systems, databases, access controls, and IT procedures related to financial reporting.

  Incorrect Options:

  A. PCI-DSS relates to securing credit card data.

  B. FISMA pertains to federal agency cybersecurity standards.

  D. ISO/IEC 27001:2013 is an international information security standard, not a legal requirement for financial integrity.

  CEH v13 Official Courseware:

  Module 01: Introduction to Ethical Hacking

  Section: "Compliance and Legal Concepts"

  Table: "Major Laws and Regulations in Information Security"

• Question 763:

  ViruXine.W32 virus hides their presence by changing the underlying executable code.

  This Virus code mutates while keeping the original algorithm intact, the code changes itself each time it runs, but the function of the code (its semantics) will not change at all.

  

  Here is a section of the Virus code:

  

  What is this technique called?

  A. Polymorphic Virus
  B. Metamorphic Virus
  C. Dravidic Virus
  D. Stealth Virus
  B. Metamorphic Virus

  ---

  Explanation

  The virus described changes its own code with each execution but still performs the same actions. This is the hallmark of a Metamorphic Virus. Unlike polymorphic viruses (which use encrypted code with a changing decryptor), metamorphic viruses rewrite their own code entirely - including their decryption and execution routines - to avoid pattern detection by antivirus software.

  Key characteristics of metamorphic viruses seen in the scenario:

  Mutates completely on every execution.

  Keeps overall functionality identical (semantics intact).

  Alters its appearance and logic flow.

  From CEH v13 Courseware:

  Module 6: Malware Threats # Types of Viruses and Obfuscation Techniques

  CEH v13 Study Guide states:

  "Metamorphic viruses modify their own code structure and appearance with each iteration, without altering their underlying behavior. This makes them more difficult to detect through signature-based mechanisms."

  Incorrect Options:

  A: Polymorphic viruses encrypt themselves with a changing decryptor stub but do not change their core logic.

  C: "Dravidic Virus" is not a recognized term in cybersecurity.

  D: Stealth viruses hide their presence (e.g., by intercepting system calls), but do not change their code structure.

  CEH v13 Study Guide Module 6: Malware Types # Metamorphic and Polymorphic VirusesNIST SP 800-83r1 - Guide to Malware Incident Prevention and Handling

  Let me know if you'd like to continue with more malware-related questions or other CEH topics.

• Question 764:

  A penetration tester performs a vulnerability scan on a company's network and identifies a critical vulnerability related to an outdated version of a database server. What should the tester prioritize as the next step?

  A. Attempt to exploit the vulnerability using publicly available tools or exploits
  B. Conduct a brute-force attack on the database login page
  C. Ignore the vulnerability and move on to testing other systems
  D. Perform a denial-of-service (DoS) attack on the database server
  A. Attempt to exploit the vulnerability using publicly available tools or exploits

  ---

  Explanation

  CEH v13 details the standard penetration testing workflow, where confirmed critical vulnerabilities- especially those affecting core systems like database servers-should be prioritized for exploitation only after verification and when explicitly permitted by the rules of engagement. Exploiting a known vulnerability using vetted tools (e.g., Metasploit, CVE-specific exploits) provides evidence of real-world risk and validates the severity rating. Brute-forcing logins (Option B) is inefficient and often outside scope.

  Ignoring a critical vulnerability (Option C) violates CEH's prioritization guidelines. A DoS attack (Option D) is never appropriate unless the engagement explicitly authorizes destructive testing, which is rare. CEH stresses that high-impact vulnerabilities should be exploited to demonstrate business risk, privilege escalation potential, data exposure, or lateral movement possibilities-making Option A fully aligned with CEH methodology.

• Question 765:

  Scenario1:

  1.Victim opens the attacker's web site.

  2.Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'.

  3.Victim clicks to the interesting and attractive content URL.

  4.Attacker creates a transparent 'iframe' in front of the URL which victim attempts to click, so victim thinks that he/she clicks to the 'Do you want to make $1000 in a day?' URL but actually he/she clicks to the content or URL that exists in the transparent 'iframe' which is setup by the attacker.

  What is the name of the attack which is mentioned in the scenario?

  A. Session Fixation
  B. HTML Injection
  C. HTTP Parameter Pollution
  D. Clickjacking Attack
  D. Clickjacking Attack

  ---

  Explanation

  https://en.wikipedia.org/wiki/Clickjacking

  Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

  Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional page transposed on top of it.

• Question 766:

  A group of hackers were roaming around a bank office building in a city, driving a luxury car. They were using hacking tools on their laptop with the intention to find a free-access wireless network.

  What is this hacking process known as?

  A. GPS mapping
  B. Spectrum analysis
  C. Wardriving
  D. Wireless sniffing
  C. Wardriving

  ---

  Explanation

  In CEH v13 Module 11: Hacking Wireless Networks, Wardriving is explained as the practice of driving around with a Wi-Fi-enabled device to detect open or vulnerable wireless networks.

  Key Characteristics of Wardriving:

  Involves using laptops, smartphones, or specialized devices with Wi-Fi antennas.

  Tools like NetStumbler, Kismet, or WiGLE may be used.

  Often includes GPS tagging of discovered networks.

  Used to identify unsecured access points for later exploitation.

  Option Clarification:

  A. GPS mapping: May be used with wardriving, but not the act itself.

  B. Spectrum analysis: Measures RF spectrum usage; not network discovery.

  C. Wardriving: Correct - searching for Wi-Fi networks while driving.

  D. Wireless sniffing: Captures traffic; can happen during wardriving, but broader in scope.

  Module 11 - Wireless Attack Techniques # Wardriving Explained

  CEH iLabs: Wi-Fi Network Discovery with Kismet

• Question 767:

  Leverox Solutions hired Arnold, a security professional, for the threat intelligence process. Arnold collected information about specific threats against the organization. From this information, he retrieved contextual information about security events and incidents that helped him disclose potential risks and gain insight into attacker methodologies. He collected the information from sources such as humans, social media, and chat rooms as well as from events that resulted in cyberattacks. In this process, he also prepared a report that includes identified malicious activities, recommended courses of action, and warnings for emerging attacks. What is the type of threat intelligence collected by Arnold in the above scenario?

  A. Strategic threat intelligence
  B. Tactical threat intelligence
  C. Operational threat intelligence
  D. Technical threat intelligence
  C. Operational threat intelligence

  ---

  Explanation

  Operational Threat Intelligence provides insights into specific attacker methodologies, motivations, and campaigns. It involves gathering contextual information from real-world attacks, open-source intelligence (OSINT), social media, dark web forums, chat rooms, and human intelligence (HUMINT).

  As per CEH v13 Official Courseware:

  Operational intelligence is primarily used by security teams to anticipate specific incoming attacks.

  It helps provide actionable information such as:

  Who is attacking?

  Why are they attacking?

  What methods are they using?

  What infrastructure is involved?

  Incorrect Options:

  A. Strategic Threat Intelligence is high-level, focusing on long-term trends and business risks.

  B. Tactical Threat Intelligence is focused on TTPs (Tactics, Techniques, and Procedures) of known threats, primarily for defenders and analysts.

  D. Technical Threat Intelligence includes IoCs like IPs, hashes, and URLs, often short-lived and used for detection systems.

  CEH v13 Official Courseware:

  Module 01: Introduction to Ethical Hacking

  Section: "Types of Threat Intelligence"

  Table: "Strategic vs Tactical vs Operational vs Technical Intelligence"

• Question 768:

  Juliet, a security researcher in an organization, was tasked with checking for the authenticity of images to be used in the organization's magazines. She used these images as a search query and tracked the original source and details of the images, which included photographs, profile pictures, and memes.

  Which of the following footprinting techniques did Rachel use to finish her task?

  A. Reverse image search
  B. Meta search engines
  C. Advanced image search
  D. Google advanced search
  A. Reverse image search

  ---

  Explanation

  Gathering Information using Reverse Image Search Reverse image search helps an attacker in tracking the original source and details of images, such as photographs, profile pictures, and memes Attackers can use online tools such as Google Image Search, TinEye Reverse Image Search, and Yahoo Image Search to perform reverse

• Question 769:

  Which of the following commands checks for valid users on an SMTP server?

  A. RCPT
  B. CHK
  C. VRFY
  D. EXPN
  C. VRFY

  ---

  Explanation

  The VRFY commands enables SMTP clients to send an invitation to an SMTP server to verify that mail for a selected user name resides on the server. The VRFY command is defined in RFC 821.

  The server sends a response indicating whether the user is local or not, whether mail are going to be forwarded, and so on. A response of 250 indicates that the user name is local; a response of 251 indicates that the user name isn't local, but the server can forward the message. The server response includes the mailbox name.

• Question 770:

  When discussing passwords, what is considered a brute force attack?

  A. You attempt every single possibility until you exhaust all possible combinations or discover the password
  B. You threaten to use the rubber hose on someone unless they reveal their password
  C. You load a dictionary of words into your cracking program
  D. You create hashes of a large number of words and compare it with the encrypted passwords
  E. You wait until the password expires
  A. You attempt every single possibility until you exhaust all possible combinations or discover the password

  ---

  Explanation

  A brute-force attack is the most exhaustive password-cracking method. It tries every possible combination of characters (letters, numbers, and symbols) until the correct password is found.

  From CEH v13 Courseware:

  Module 6: Password Cracking Techniques

  CEH v13 Study Guide states: "Brute-force attacks try every possible combination until the correct password is discovered. It's resource- intensive but guarantees success if enough time and processing power is available."

  Incorrect Options:

  B: Refers to social engineering or coercion.

  C: Describes a dictionary attack.

  D: Refers to a rainbow table attack.

  E: Not a cracking method.

  CEH v13 Study Guide - Module 6: Brute-Force vs. Dictionary Attacks