EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 781:

  A Certified Ethical Hacker (CEH) is given the task to perform an LDAP enumeration on a target system. The system is secured and accepts connections only on secure LDAP. The CEH uses Python for the enumeration process. After successfully installing LDAP and establishing a connection with the target, he attempts to fetch details like the domain name and naming context but is unable to receive the expected response. Considering the circumstances, which of the following is the most plausible reason

  for this situation?

  A. The Python version installed on the CEH's machine is incompatible with the Idap3 library
  B. The secure LDAP connection was not properly initialized due to a lack of 'use_ssl True' in the server object creation
  C. The enumeration process was blocked by the target system's intrusion detection system
  D. The system failed to establish a connection due to an incorrect port number
  B. The secure LDAP connection was not properly initialized due to a lack of 'use_ssl True' in the server object creation

  ---

  Explanation

  The most plausible reason for the situation is that the secure LDAP connection was not properly initialized due to a lack of `use_ssl True' in the server object creation. To use secure LDAP (LDAPS), the CEH needs to specify the use_ssl parameter as True when creating the server object with the ldap3 library in Python. This parameter tells the library to use SSL/TLS encryption for the LDAP communication. If the parameter is omitted or set to False, the library will use plain LDAP, which may not be accepted by the target system that only allows secure LDAP connections12. For example, the CEH can use the following code to create a secure LDAP server object:

  from ldap3 import Server, Connection, ALL

  server Server('ldaps://', use_sslTrue, get_infoALL)

  connection Connection(server, user'', password'')

  connection.bind()

  The other options are not as plausible as option B for the following reasons:

  A. The Python version installed on the CEH's machine is incompatible with the ldap3 library: This option is unlikely because the ldap3 library supports Python versions from 2.6 to 3.9, which covers most of the commonly used Python versions3. Moreover, if the Python version was incompatible, the CEH would not be able to install the library or import it in the code, and would encounter errors before establishing the connection.

  C. The enumeration process was blocked by the target system's intrusion detection system: This option is possible but not very plausible because the CEH was able to establish a connection with the target, which means the intrusion detection system did not block the initial handshake. Moreover, the enumeration process would not affect the response of the target system, but rather the visibility of the results. If the intrusion detection system detected and blocked the enumeration, the CEH would receive an

  error message or a blank response, not an unexpected response.

  D. The system failed to establish a connection due to an incorrect port number: This option is incorrect because the CEH was able to establish a connection with the target, which means the port number was correct. If the port number was incorrect, the CEH would not be able to connect to the target system at all, and would receive a connection refused error.

  References:

  1: ldap3 - LDAP library for Python

  2: How to use LDAPS with Python - Stack Overflow

  3: ldap3 2.9 documentation

• Question 782:

  Sam, a professional hacker. targeted an organization with intention of compromising AWS IAM credentials. He attempted to lure one of the employees of the organization by initiating fake calls while posing as a legitimate employee. Moreover, he sent phishing emails to steal the AWS 1AM credentials and further compromise the employee's account. What is the technique used by Sam to compromise the AWS IAM credentials?

  A. Social engineering
  B. insider threat
  C. Password reuse
  D. Reverse engineering
  A. Social engineering

  ---

  Explanation

  Just like any other service that accepts usernames and passwords for logging in, AWS users are vulnerable to social engineering attacks from attackers. fake emails, calls, or any other method of social engineering, may find yourself with an AWS users' credentials within the hands of an attacker.

  If a user only uses API keys for accessing AWS, general phishing techniques could still use to gain access to other accounts or their pc itself, where the attacker may then pull the API keys for aforementioned AWS user.

  With basic opensource intelligence (OSINT), it's usually simple to collect a list of workers of an organization that use AWS on a regular basis. This list will then be targeted with spear phishing to do and gather credentials. an easy technique may include an email that says your bill has spiked 500th within the past 24 hours, "click here for additional information", and when they click the link, they're forwarded to a malicious copy of the AWS login page designed to steal their credentials.

  An example of such an email will be seen within the screenshot below. it's exactly like an email that AWS would send to you if you were to exceed the free tier limits, except for a few little changes. If you clicked on any of the highlighted regions within the screenshot, you'd not be taken to the official AWS web site and you' d instead be forwarded to a pretend login page setup to steal your credentials.

  These emails will get even more specific by playing a touch bit additional OSINT before causing them out. If an attacker was ready to discover your AWS account ID on-line somewhere, they could use methods we at rhino have free previously to enumerate what users and roles exist in your account with none logs contact on your side. they could use this list to more refine their target list, further as their emails to reference services they will know that you often use.

  For reference, the journal post for using AWS account IDs for role enumeration will be found here and the journal post for using AWS account IDs for user enumeration will be found here.

  During engagements at rhino, we find that phishing is one in all the fastest ways for us to achieve access to an AWS environment.

• Question 783:

  _________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.

  A. Trojan
  B. RootKit
  C. DoS tool
  D. Scanner
  E. Backdoor
  B. RootKit

  ---

  Explanation

  A rootkit is a type of stealth malware designed to hide the existence of certain processes or programs from normal detection methods. It can:

  Hide itself and other processes

  Conceal files and registry entries

  Intercept system calls or keystrokes (keylogging)

  Maintain persistent access

  From CEH v13 Courseware:

  Module 6: Malware Threats # Rootkits

  Incorrect Options:

  A: A Trojan may offer remote access but doesn't necessarily hide itself.

  C: DoS tools are used to overload systems, not hide.

  D: Scanners detect vulnerabilities, not conceal activities.

  E: A backdoor may provide unauthorized access, but rootkits focus on hiding.

  CEH v13 Study Guide -Module 6: Malware Types # RootkitsNIST SP 800-83 -Malware Handling Guide

• Question 784:

  During a high-stakes engagement, a penetration tester abuses MS-EFSRPC to force a domain controller to authenticate to an attacker-controlled server. The tester captures the NTLM hash and relays it to AD CS to obtain a certificate granting domain admin privileges. Which network-level hijacking technique is illustrated?

  A. Hijacking sessions using a PetitPotam relay attack
  B. Exploiting vulnerabilities in TLS compression via a CRIME attack
  C. Stealing session tokens using browser-based exploits
  D. Employing a session donation method to transfer tokens
  A. Hijacking sessions using a PetitPotam relay attack

  ---

  Explanation

  CEH v13 describes relay attacks as credential forwarding techniques where attackers trick systems into authenticating to malicious servers, capturing hashes, and relaying them to privileged services. The described scenario aligns exactly with the PetitPotam attack , a known MS-EFSRPC abuse method that forces Windows domain controllers to perform NTLM authentication to attacker-controlled hosts. CEH discusses how relay attacks combined with Active Directory Certificate Services (AD CS) misconfigurations can allow attackers to request privileged certificates, effectively gaining domain administrator privileges without cracking hashes or accessing LSASS. CRIME (Option B) targets TLS compression and is unrelated. Browser token theft (Option C) applies to web sessions, not domain controllers. Session donation (Option D) is not part of Windows authentication hijacking. Thus, the scenario clearly represents a PetitPotam NTLM relay attack .

• Question 785:

  Which of the following DoS tools is used to attack target web applications by starvation of available sessions on the web server? The tool keeps sessions at halt using never-ending POST transmissions and sending an arbitrarily large content-length header value.

  A. My Doom
  B. Astacheldraht
  C. R-U-Dead-Yet? (RUDY)
  D. LOIC
  C. R-U-Dead-Yet? (RUDY)

  ---

  Explanation

  Comprehensive and Detailed Explanation From CEH v13 Guide:

  R-U-Dead-Yet? (RUDY) is a DoS tool that targets web applications by sending slow HTTP POST requests with large Content-Length headers. This consumes server resources, leading to a denial of service.

  CEH v13 Reference:

  Module 9: Denial-of-Service - DoS Tools

  "R-U-Dead-Yet? (RUDY) sends long-form POST requests to consume server-side sessions and exhaust resources without completing the transaction."

• Question 786:

  An attacker identified that a user and an access point are both compatible with WPA2 and WPA3 encryption. The attacker installed a rogue access point with only WPA2 compatibility in the vicinity and forced the victim to go through the WPA2 four-way handshake to get connected. After the connection was established, the attacker used automated tools to crack WPA2-encrypted messages. What is the attack performed in the above scenario?

  A. Timing-based attack
  B. Side-channel attack
  C. Downgrade security attack
  D. Cache-based attack
  C. Downgrade security attack

  ---

  Explanation

  The described attack is a Downgrade Security Attack. In this scenario:

  The legitimate client and access point support both WPA2 and WPA3.

  The attacker introduces a rogue AP that only supports WPA2.

  The victim connects to this rogue AP using WPA2 (less secure) instead of WPA3.

  Once downgraded, the attacker captures the handshake and attempts to crack the WPA2 encryption. This is known as a "Downgrade Attack" or "Downgrade Negotiation Attack," which exploits backward compatibility in security protocols.

  Incorrect Options:

  A. Timing-based attacks usually refer to side-channel analysis, not protocol downgrading.

  B. Side-channel attacks extract info via timing, power usage, etc., not protocol negotiation.

  D. Cache-based attacks exploit memory caching behavior.

  CEH v13 Official Courseware:

  Module 16: Hacking Wireless Networks

  Section: "Wireless Encryption Attacks"

  Subsection: "Downgrade Attacks (WPA3 to WPA2) and Rogue Access Points"

• Question 787:

  You are an ethical hacker contracted to conduct a security audit for a company. During the audit, you discover that the company's wireless network is using WEP encryption. You understand the vulnerabilities associated with WEP and plan to recommend a more secure encryption method. Which of the following would you recommend as a Suitable replacement to enhance the security of the company's wireless network?

  A. MAC address filtering
  B. WPA2-PSK with AES encryption
  C. Open System authentication
  D. SSID broadcast disabling
  B. WPA2-PSK with AES encryption

  ---

  Explanation

  WEP encryption is an outdated and insecure method of protecting wireless networks from unauthorized access and eavesdropping. WEP uses a static key that can be easily cracked by various tools and techniques, such as capturing the initialization vectors, brute-forcing the key, or exploiting the weak key scheduling algorithm1. Therefore, you should recommend a more secure encryption method to enhance the security of the company's wireless network.

  One of the most suitable replacements for WEP encryption is WPA2-PSK with AES encryption. WPA2 stands for Wi-Fi Protected Access 2, which is a security standard that improves upon the previous WPA standard. WPA2 uses a robust encryption algorithm called AES, which stands for Advanced Encryption Standard. AES is a block cipher that uses a 128-bit key and is considered to be very secure and resistant to attacks2.

  WPA2-PSK stands for WPA2 Pre-Shared Key, which is a mode of WPA2 that uses a passphrase or a password to generate the encryption key. The passphrase or password must be entered by the users who want to connect to the wireless network. The key is then derived from the passphrase or password using a function called PBKDF2, which stands for Password-Based Key Derivation Function 2. PBKDF2 adds a salt and a number of iterations to the passphrase or password to make it harder to crack3.

  WPA2-PSK with AES encryption offers several advantages over WEP encryption, such as:

  It uses a dynamic key that changes with each session, instead of a static key that remains the same.

  It uses a stronger encryption algorithm that is more difficult to break, instead of a weaker encryption algorithm that is more vulnerable to attacks.

  It uses a longer key that provides more security, instead of a shorter key that provides less security.

  It uses a more secure key derivation function that adds complexity and randomness, instead of a simple key generation function that is predictable and flawed.

  Therefore, you should recommend WPA2-PSK with AES encryption as a suitable replacement to enhance the security of the company's wireless network.

  References:

  Wireless Security - Encryption - Online Tutorials Library

  WiFi Security: WEP, WPA, WPA2, WPA3 And Their Differences - NetSpot

  WPA2-PSK (Wi-Fi Protected Access 2 Pre-Shared Key)

• Question 788:

  A penetration tester is evaluating a secure web application that uses HTTPS, secure cookie flags, and regenerates session IDs only during specific user actions. To hijack a legitimate user's session without triggering security alerts, which advanced session hijacking technique should the tester employ?

  A. Perform a man-in-the-middle attack by exploiting certificate vulnerabilities
  B. Use a session fixation attack by setting a known session ID before the user logs in
  C. Conduct a session token prediction attack by analyzing session ID patterns
  D. Implement a Cross-Site Scripting (XSS) attack to steal session tokens
  C. Conduct a session token prediction attack by analyzing session ID patterns

  ---

  Explanation

  CEH v13 emphasizes that well-secured applications use HTTPS, secure cookies, and session regeneration to defend against common session hijacking techniques. In such hardened environments, traditional attacks like session fixation or simple XSS-based token theft often fail because session IDs change at login and secure flags prevent exposure. The remaining viable approach is session token prediction , an advanced attack that analyzes statistical patterns, entropy weaknesses, or timing issues in session ID generation algorithms. CEH discusses that weak pseudorandom number generators (PRNGs) or predictable sequences can allow attackers to compute a valid session ID without intercepting traffic. This method bypasses cookie security and does not rely on manipulating user input, making it suitable for environments with strong defenses. MITM attacks (Option A) require certificate compromise, which is impractical. Session fixation (Option B) fails because the application regenerates tokens. XSS (Option D) is ineffective when secure flags prevent JavaScript access to cookies. Thus, token prediction is the correct answer.

• Question 789:

  An Android device has an unpatched permission-handling flaw and updated antivirus. What is the most effective undetected exploitation approach?

  A. SMS phishing
  B. Rootkit installation
  C. Custom exploit with obfuscation
  D. Metasploit payload
  C. Custom exploit with obfuscation

  ---

  Explanation

  CEH v13 explains that mobile antivirus solutions rely heavily on signatures and known exploit patterns . A custom exploit using obfuscation is far more likely to evade detection.

  Metasploit payloads and rootkits are commonly flagged, and SMS phishing relies on user interaction. Therefore, custom obfuscated exploit code is the most stealthy and effective method.

• Question 790:

  During an investigation, an ethical hacker discovers that a web application's API has been compromised, leading to unauthorized access and data manipulation. The attacker is using webhooks and a webshell. To prevent further exploitation, which of the following actions should be taken?

  A. Implement a Web Application Firewall (WAF) with rules to block webshell traffic and increase the logging verbosity of webhooks.
  B. Perform regular code reviews for the webhooks and modify the API to block connections from unknown IP addresses.
  C. Harden the web server security, add multi-factor authentication for API users, and restrict the execution of scripts server-side.
  D. Implement input validation on all API endpoints, review webhook payloads, and schedule regular scanning for webshells.
  D. Implement input validation on all API endpoints, review webhook payloads, and schedule regular scanning for webshells.

  ---

  Explanation

  This question focuses on API Security, Webhooks abuse, and Webshell mitigation , all of which are addressed in the CEH v13 Web Application Hacking and Security Operations modules. The most appropriate corrective action is Option D , as it directly addresses the root causes and persistence mechanisms of the compromise.

  According to CEH v13, attackers frequently exploit improper input validation in APIs and insecure webhook implementations to inject malicious payloads or gain remote command execution. Webhooks, when not properly validated, can accept malicious requests that trigger backend processes, making them a common vector for API abuse.

  Input validation on all API endpoints is critical to prevent injection attacks, including command injection and SQL injection. CEH v13 explicitly emphasizes validating request parameters, headers, and payload structures to prevent malicious manipulation.

  Reviewing webhook payloads ensures that only trusted sources can trigger automated actions, preventing attackers from abusing webhook functionality. This includes validating signatures, enforcing authentication, and restricting allowed payload formats.

  Finally, regular scanning for webshells is essential because webshells provide persistent backdoor access. CEH v13 identifies webshell detection as a key defensive measure during incident response and post- exploitation containment.

  Other options are incomplete:

  A WAF alone cannot detect all webshells.

  IP blocking is ineffective against spoofed or cloud-based attacks.

  MFA and server hardening are valuable but do not directly address webhook abuse or existing webshells.

  Therefore, Option D provides the most comprehensive, CEH v13ligned mitigation strategy .