EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 771:

  Which advanced mobile attack is hardest to detect and mitigate?

  A. Mobile MitM
  B. Jailbreaking/Rooting
  C. Mobile Remote Access Trojan (RAT)
  D. Clickjacking
  C. Mobile Remote Access Trojan (RAT)

  ---

  Explanation

  Mobile Remote Access Trojans (RATs) are highlighted in CEH v13 Mobile Platform Hacking as one of the most dangerous threats. Once installed, a mobile RAT provides attackers persistent, covert access to devices, allowing screen capture, keystroke logging, microphone activation, and data exfiltration.

  Unlike MitM or clickjacking, RATs operate post-compromise , often disguised as legitimate apps. Jailbreaking is detectable via integrity checks, but RATs can remain hidden even on non-rooted devices.

  CEH v13 emphasizes that RATs bypass traditional defenses, including antivirus and MDM, making them extremely difficult to detect. Hence, Option C is correct.

• Question 772:

  After a breach, investigators discover attackers used modified legitimate system utilities and a Windows service to persist undetected and harvest credentials. What key step would best protect against similar future attacks?

  A. Disable unused ports and restrict outbound firewall traffic
  B. Perform weekly backups and store them off-site
  C. Ensure antivirus and firewall software are up to date
  D. Monitor file hashes of critical executables for unauthorized changes
  D. Monitor file hashes of critical executables for unauthorized changes

  ---

  Explanation

  CEH materials describe this attack pattern as Living-off-the-Land (LotL) , where attackers abuse legitimate tools to avoid detection. Because these binaries are normally trusted, traditional antivirus solutions may not flag them.

  CEH recommends file integrity monitoring (FIM) , which tracks cryptographic hashes of sensitive executables and alerts administrators when unauthorized modifications occur.

  Option D is correct.

  Options A and B support resilience but do not detect tampering.

  Option C alone is insufficient against LotL attacks.

• Question 773:

  A penetration tester is attacking a wireless network running WPA3 encryption. Since WPA3 handshake protections prevent offline brute-force cracking, what is the most effective approach?

  A. Downgrade the connection to WPA2 and capture the handshake to crack the key
  B. Execute a dictionary attack on the WPA3 handshake using common passwords
  C. Perform a brute-force attack directly on the WPA3 handshake
  D. Perform a SQL injection attack on the router's login page
  A. Downgrade the connection to WPA2 and capture the handshake to crack the key

  ---

  Explanation

  CEH v13 explains that WPA3 introduces SAE (Simultaneous Authentication of Equals), which resists traditional offline dictionary and brute-force attacks by removing crackable handshake material. Because WPA3 prevents attackers from capturing a reusable handshake, the most practical offensive method is to force a downgrade attack , tricking clients into associating using WPA2 instead of WPA3. Once the victim reconnects under WPA2-PSK, the attacker captures the standard 4-way handshake, which can then be cracked offline using dictionary or GPU-accelerated brute-force methods. CEH discusses downgrade attacks as a significant real-world threat when mixed-mode configurations are enabled or when access points fail to enforce strict WPA3-only operation. Options B and C are ineffective because WPA3 handshake materials cannot be brute-forced offline. Option D is unrelated to Wi-Fi encryption. Downgrading to WPA2 is the most effective and widely documented attack path.

• Question 774:

  While browsing his Facebook feed, Matt sees a picture one of his friends posted with the caption, "Learn more about your friends!", along with a number of personal questions. Matt is suspicious and texts his friend, who confirms that he did indeed post it. With assurance that the post is legitimate, Matt responds to the questions in the post. A few days later, Matt's bank account has been accessed, and the password has been changed. What most likely happened?

  A. Matt inadvertently provided the answers to his security questions when responding to the post.
  B. Matt's bank account login information was brute forced.
  C. Matt inadvertently provided his password when responding to the post.
  D. Matt's computer was infected with a keylogger.
  A. Matt inadvertently provided the answers to his security questions when responding to the post.

  ---

  Explanation

  This scenario demonstrates a classic social engineering tactic often referred to as "social media quizzes" or "engagement bait", commonly used in open-source intelligence gathering (OSINT) and pretexting attacks.

  From CEH v13 Module 01: Introduction to Ethical Hacking and Module 09: Social Engineering, attackers may create seemingly innocent posts that ask users to share answers to common questions like:

  What was your first pet's name?

  What's your mother's maiden name?

  What city were you born in?

  What's your favorite food?

  These questions mirror the types of security questions used by banks and other services for account recovery or authentication. By answering these in public forums or comments, users unknowingly disclose data that can be used to:

  Bypass security questions

  Reset passwords

  Perform targeted account takeovers

  Why Other Options Are Incorrect:

  B. Matt's bank account login information was brute forced.

  Unlikely. Most banks implement account lockout policies and multi-factor authentication that would prevent brute force attempts.

  C. Matt inadvertently provided his password when responding to the post.

  Incorrect. Passwords are not usually asked in public-facing posts. Users are unlikely to provide literal passwords unless heavily tricked by phishing.

  D. Matt's computer was infected with a keylogger.

  Possible but less likely. The context suggests that the only suspicious behavior was responding to the Facebook post, which doesn't imply malware installation or downloading.

  Reference from CEH v13 Study Guide and Course Material:

  CEH v13 Official Module 09 - Social Engineering, Slide: Common Social Engineering Techniques (Quizzes, Pretexting)

  CEH Engage - Social Engineering Phase

  EC-Council iLabs - Performing Social Engineering Attacks Simulation

  CEH v13 Courseware Notes - Reconnaissance Using OSINT and Public Social Platforms

• Question 775:

  Alice, a professional hacker, targeted an organization's cloud services. She infiltrated the targets MSP provider by sending spear-phishing emails and distributed custom-made malware to compromise user accounts and gain remote access to the cloud service. Further, she accessed the target customer profiles with her MSP account, compressed the customer data, and stored them in the MSP. Then, she used this information to launch further attacks on the target organization. Which of the following cloud attacks did Alice perform in the above scenario?

  A. Cloud hopper attack
  B. Cloud cryptojacking
  C. Cloudborne attack
  D. Man-in-the-cloud (MITC) attack
  A. Cloud hopper attack

  ---

  Explanation

  Operation Cloud Hopper was an in depth attack and theft of data in 2017 directed at MSP within the uk (U. K.), us (U.S.), Japan, Canada, Brazil, France, Switzerland, Norway, Finland, Sweden, South Africa , India, Thailand, South Korea and Australia. The group used MSP as intermediaries to accumulate assets and trade secrets from MSP client engineering, MSP industrial manufacturing, retail, energy, pharmaceuticals, telecommunications, and government agencies.

  Operation Cloud Hopper used over 70 variants of backdoors, malware and trojans. These were delivered through spear-phishing emails. The attacks scheduled tasks or leveraged services/utilities to continue Microsoft Windows systems albeit the pc system was rebooted. It installed malware and hacking tools to access systems and steal data.

• Question 776:

  An organization has been experiencing intrusion attempts despite deploying an Intrusion Detection System (IDS) and Firewalls. As a Certified Ethical Hacker, you are asked to reinforce the intrusion detection process and recommend a better rule-based approach. The IDS uses Snort rules and the new recommended tool should be able to complement it. You suggest using YARA rules with an additional tool for rule generation. Which of the following tools would be the best choice for this purpose and why?

  A. AutoYara - Because it automates the generation of YARA rules from a set of malicious and benign files
  B. yarGen - Because it generates YARA rules from strings identified in malware files while removingstrings that also appear in goodware files
  C. YaraRET - Because it helps in reverse engineering Trojans to generate YARA rules
  D. koodous - Because it combines social networking with antivirus signatures and YARA rules to detect malware
  B. yarGen - Because it generates YARA rules from strings identified in malware files while removingstrings that also appear in goodware files

  ---

  Explanation

  YARA rules are a powerful way to detect and classify malware based on patterns, signatures, and behaviors. They can be used to complement Snort rules, which are mainly focused on network traffic analysis. However, writing YARA rules manually can be time-consuming and error-prone, especially when dealing with large and diverse malware samples. Therefore, using a tool that can automate or assist the generation of YARA rules can be very helpful for ethical hackers.

  Among the four options, yarGen is the best choice for this purpose, because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files. This way, yarGen can reduce the false positives and increase the accuracy of the YARA rules. yarGen also supports various features, such as whitelisting, scoring, wildcards, and regular expressions, to improve the quality and efficiency of the YARA rules.

  The other options are not as suitable as yarGen for this purpose. AutoYara is a tool that automates the generation of YARA rules from a set of malicious and benign files, but it does not perform any filtering or optimization of the strings, which may result in noisy and ineffective YARA rules. YaraRET is a tool that helps in reverse engineering Trojans to generate YARA rules, but it is limited to a specific type of malware and requires manual intervention and analysis. koodous is a platform that combines social networking with antivirus signatures and YARA rules to detect malware, but it is not a tool for generating YARA rules, rather it is a tool for sharing and collaborating on YARA rules.

  References:

  yarGen - A Tool to Generate YARA Rules

  YARA Rules: The Basics

  Why master YARA: from routine to extreme threat hunting cases

• Question 777:

  During a penetration test, you perform extensive DNS interrogation to gather intelligence about a target organization. Considering the inherent limitations of DNS-based reconnaissance, which of the following pieces of information cannot be directly obtained through DNS interrogation?

  A. The specific usernames and passwords used by the organization's employees.
  B. The estimated geographical location of the organization's servers derived from IP addresses.
  C. The subdomains associated with the organization's primary internet domain.
  D. The IP addresses associated with the organization's mail servers.
  A. The specific usernames and passwords used by the organization's employees.

  ---

  Explanation

  The CEH Footprinting and Reconnaissance module describes DNS interrogation as a valuable technique for extracting publicly available infrastructure information such as A records, MX records, NS records, and subdomains .

  DNS can reveal:

  Subdomains (via zone transfers, brute forcing, or enumeration)

  Mail server IP addresses (MX records)

  Server locations inferred from IP geolocation

  However, DNS does not store authentication credentials . Usernames and passwords are protected within authentication systems and directories, not DNS records.

  Therefore, option A is correct.

  CEH clearly states that DNS reconnaissance is limited to infrastructure metadata , not sensitive user credentials.

• Question 778:

  Fleet vehicles with smart locking systems were compromised after attackers captured unique signals from key fobs. What should the security team prioritize to confirm and prevent this attack?

  A. Secure firmware updates
  B. Increase physical surveillance
  C. Deploy anti-malware on smartphones
  D. Monitor wireless signals for jamming or interference
  D. Monitor wireless signals for jamming or interference

  ---

  Explanation

  This scenario aligns with a Replay Attack against RF-based smart key systems , covered in CEH v13 IoT and OT Hacking . Attackers capture radio-frequency signals transmitted by key fobs and replay them to unlock vehicles.

  CEH v13 emphasizes that detecting and preventing such attacks requires monitoring wireless RF signals for anomalies such as signal replay, interference, or jamming patterns. RF analysis helps confirm unauthorized signal capture and retransmission.

  Firmware updates may mitigate future vulnerabilities, but confirmation requires RF monitoring. Physical surveillance and smartphone malware controls are unrelated to RF replay attacks. Therefore, option D is correct.

• Question 779:

  By using a smart card and pin, you are using a two-factor authentication that satisfies

  A. Something you are and something you remember
  B. Something you have and something you know
  C. Something you know and something you are
  D. Something you have and something you are
  B. Something you have and something you know

  ---

  Explanation

  Two-factor Authentication or 2FA is a user identity verification method, where two of the three possible authentication factors are combined to grant access to a website or application.

  1) something the user knows, 2) something the user has, or 3) something the user is.

  The possible factors of authentication are:

  Something the User Knows:

  This is often a password, passphrase, PIN, or secret question. To satisfy this authentication challenge, the user must provide information that matches the answers previously provided to the organization by that user, such as "Name the town in which you were born."

  Something the User Has:

  This involves entering a one-time password generated by a hardware authenticator. Users carry around an authentication device that will generate a one-time password on command. Users then authenticate by providing this code to the organization. Today, many organizations offer software authenticators that can be installed on the user's mobile device.

  Something the User Is:

  This third authentication factor requires the user to authenticate using biometric data. This can include fingerprint scans, facial scans, behavioral biometrics, and more.

  For example: In internet security, the most used factors of authentication are: something the user has (e.g., a bank card) and something the user knows (e.g., a PIN code). This is two-factor authentication. Two-factor authentication is also sometimes referred to as strong authentication, Two-Step Verification, or 2FA.

  The key difference between Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) is that, as the term implies, Two-Factor Authentication utilizes a combination of two out of three possible authentication factors. In contrast, Multi-Factor Authentication could utilize two or more of these authentication factors.

• Question 780:

  During a reconnaissance mission, an ethical hacker uses Maltego, a popular footprinting tool, to collect information about a target organization.

  The information includes the target's Internet infrastructure details (domains, DNS names, Netblocks, IP address information).

  The hacker decides to use social engineering techniques to gain further information. Which of the following would be the least likely method of social engineering to yield beneficial information based on the data collected?

  A. Shoulder surfing to observe sensitive credentials input on the target's computers
  B. Impersonating an ISP technical support agent to trick the target into providing further network details
  C. Dumpster diving in the target company's trash bins for valuable printouts
  D. Eavesdropping on internal corporate conversations to understand key topics
  A. Shoulder surfing to observe sensitive credentials input on the target's computers

  ---

  Explanation

  Shoulder surfing is a social engineering technique that involves looking over someone's shoulder to observe sensitive information, such as passwords, PINs, or credit card numbers, that they enter on their computer, phone, or ATM. It is the least likely method of social engineering to yield beneficial information based on the data collected by Maltego, because it requires physical proximity and access to the target's devices, which may not be feasible or safe for the hacker. Moreover, shoulder surfing does not leverage the information obtained by Maltego, such as domains, DNS names, Netblocks, or IP addresses, which are more relevant for network-based attacks.

  The other options are more likely to yield beneficial information based on the data collected by Maltego, because they involve exploiting the target's trust, curiosity, or negligence, and using the information obtained by Maltego to craft convincing scenarios or messages. Impersonating an ISP technical support agent to trick the target into providing further network details is a form of pretexting, where the hacker creates a false identity and scenario to obtain information or access from the target. Dumpster diving in the target company's trash bins for valuable printouts is a technique that relies on the target's negligence or lack of proper disposal of sensitive documents, such as network diagrams, passwords, or confidential reports. Eavesdropping on internal corporate conversations to understand key topics is a technique that exploits the target's curiosity or lack of awareness, and allows the hacker to gather information about the target's projects, plans, or problems, which can be used for further attacks or extortion.

  References:

  Social Engineering: Definition and 5 Attack Types

  How to Use Maltego Transforms to Map Network Infrastructure: An In-Depth Guide

  Social engineering: Definition, examples, and techniques