EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 791:

  Multiple internal workstations and IoT devices are compromised and transmitting large volumes of traffic to numerous external targets under botnet control. Which type of denial-of-service attack best describes this situation?

  A. An attack where compromised internal devices participate in a botnet and flood external targets
  B. An attack relying on spoofed IP addresses to trick external servers
  C. A direct botnet flood without spoofing intermediary services
  D. An internal amplification attack using spoofed DNS responses
  A. An attack where compromised internal devices participate in a botnet and flood external targets

  ---

  Explanation

  This scenario represents a Botnet-Based Distributed Denial-of-Service (DDoS) attack , as described in CEH v13 Network Attacks . Compromised internal devices become part of a botnet and are used to launch attacks against external targets.

  CEH v13 notes that botnets frequently include IoT devices and employee workstations, making insider-originated DDoS activity a serious concern.

• Question 792:

  A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public facing web servers. The engineer decides to start by using netcat to port 80.

  The engineer receives this output:

  HTTP/1.1 200 OK

  Server: Microsoft-IIS/6

  Expires: Tue, 17 Jan 2011 01:41:33 GMT

  Date: Mon, 16 Jan 2011 01:41:33 GMT

  Content-Type: text/html

  Accept-Ranges: bytes

  Last Modified: Wed, 28 Dec 2010 15:32:21 GMT

  ETag:"b0aac0542e25c31:89d"

  Content-Length: 7369

  Which of the following is an example of what the engineer performed?

  A. Banner grabbing
  B. SQL injection
  C. Whois database query
  D. Cross-site scripting
  A. Banner grabbing

  ---

  Explanation

  In CEH v13 Module 03: Scanning Networks, banner grabbing is defined as a technique used during reconnaissance to capture service banners that provide information about:

  Web server version

  Operating system

  Service details

  In This Case:

  The engineer used Netcat to connect to port 80 (HTTP).

  The response reveals the web server software (Microsoft-IIS/6), which is typical of a banner returned in the server's HTTP response headers.

  This technique helps identify vulnerable versions of services.

  Other Options:

  B. SQL injection: Involves sending SQL payloads - unrelated here.

  C. Whois query: Provides domain registration info - unrelated.

  D. Cross-site scripting: Requires injecting scripts into a web app - not relevant here.

  Module 03 - Banner Grabbing and Service Identification Techniques

  CEH Labs: Using Netcat and Telnet for Manual Banner Grabbing

• Question 793:

  During network analysis, clients are receiving incorrect gateway and DNS settings due to a rogue DHCP server. What security feature should the administrator enable to prevent this in the future?

  A. DHCP snooping on trusted interfaces
  B. ARP inspection across VLANs
  C. Port security on all trunk ports
  D. Static DHCP reservations for clients
  A. DHCP snooping on trusted interfaces

  ---

  Explanation

  According to CEH v13, one of the most effective defenses against rogue DHCP servers is DHCP snooping , a Layer 2 security feature that classifies switch ports as either trusted or untrusted . DHCP responses are permitted only on trusted ports, typically those connected to legitimate DHCP servers. Any DHCP OFFER or ACK originating from an untrusted port is dropped automatically. In the scenario, the rogue DHCP server is sending unauthorized configuration settings because the switch is forwarding DHCP messages from all ports without restriction. CEH specifically warns that unmanaged or misconfigured switches allow rogue DHCP servers to assign malicious DNS, gateway, or IP configurations, enabling traffic redirection, interception, or man-in-the-middle attacks. ARP inspection (Option B) protects against ARP spoofing but not DHCP abuses. Port security (Option C) prevents MAC flooding, not DHCP impersonation. Static reservations (Option D) do not scale and do not stop rogue DHCP servers.

  DHCP snooping directly mitigates this threat.

• Question 794:

  During the process of encryption and decryption, what keys are shared?

  A. Private keys
  B. User passwords
  C. Public keys
  D. Public and private keys
  C. Public keys

  ---

  Explanation

  Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys:

  public keys (which may be known to others), and private keys (which may never be known by any except the owner). The generation of such key pairs depends on cryptographic algorithms which are based on mathematical problems termed one-way functions. Effective security requires keeping the private key private; the public key can be openly distributed without compromising security.

  In such a system, any person can encrypt a message using the intended receiver's public key, but that encrypted message can only be decrypted with the receiver's private key. This allows, for instance, a server program to generate a cryptographic key intended for a suitable symmetric-key cryptography, then to use a client's openly-shared public key to encrypt that newly generated symmetric key. The server can then send this encrypted symmetric key over an insecure channel to the client; only the client can decrypt it using the client's private key (which pairs with the public key used by the server to encrypt the message). With the client and server both having the same symmetric key, they can safely use symmetric key encryption (likely much faster) to communicate over otherwise-insecure channels. This scheme has the advantage of not having to manually pre-share symmetric keys (a fundamentally difficult problem) while gaining the higher data throughput advantage of symmetric-key cryptography.

  With public-key cryptography, robust authentication is also possible. A sender can combine a message with a private key to create a short digital signature on the message. Anyone with the sender's corresponding public key can combine that message with a claimed digital signature; if the signature matches the message, the origin of the message is verified (i.e., it must have been made by the owner of the corresponding private key).

  Public key algorithms are fundamental security primitives in modern cryptosystems, including applications and protocols which offer assurance of the confidentiality, authenticity and non-repudiability of electronic communications and data storage. They underpin numerous Internet standards, such as Transport Layer Security (TLS), S/MIME, PGP, and GPG. Some public key algorithms provide key distribution and secrecy (e. g., Diffieellman key exchange), some provide digital signatures (e.g., Digital Signature Algorithm), and some provide both (e.g., RSA). Compared to symmetric encryption, asymmetric encryption is rather slower than good symmetric encryption, too slow for many purposes. Today's cryptosystems (such as TLS, Secure Shell) use both symmetric encryption and asymmetric encryption.

• Question 795:

  An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", the user is directed to a phishing site.

  Which file does the attacker need to modify?

  A. Boot.ini
  B. Sudoers
  C. Networks
  D. Hosts
  D. Hosts

  ---

  Explanation

  The hosts file on a computer maps domain names to IP addresses locally. By modifying this file, an attacker can redirect traffic destined for legitimate sites (e.g., www.MyPersonalBank.com) to malicious IP addresses (e.g., a phishing server).

  The hosts file takes precedence over DNS queries, making it a simple but powerful tool for local redirection. Windows hosts file location: C:\Windows\System32\drivers\etc\hosts

  Linux/Unix hosts file location: /etc/hosts

  CEH v13 Official Study Guide:

  Module 6: Malware Threats

  Quote:

  "Attackers can redirect users to phishing or malware sites by altering the local hosts file, bypassing DNS resolution."

  Incorrect Options:

  A. boot.ini is for boot configuration, not DNS resolution.

  B. sudoers controls administrative privileges in Linux.

  C. networks is for defining network names, not URL resolution.

• Question 796:

  Vlady wants to improve security awareness among non-technical employees who demonstrate poor security practices. What should be his first step?

  A. Warning to those who write passwords on post-it notes
  B. Developing a strict information security policy
  C. Information security awareness training
  D. Conducting one-to-one discussions with employees
  C. Information security awareness training

  ---

  Explanation

  Before enforcing policies or issuing warnings, the most effective first step is to educate employees. Awareness training helps build a foundational understanding of risks and best practices, especially in low- security cultures.

• Question 797:

  A hacker is an intelligent individual with excellent computer skills and the ability to explore a computer's software and hardware without the owner's permission. Their intention can either be to simply gain knowledge or to illegally make changes.

  Which of the following class of hacker refers to an individual who works both offensively and defensively at various times?

  A. White Hat
  B. Suicide Hacker
  C. Gray Hat
  D. Black Hat
  C. Gray Hat

  ---

  Explanation

  A Gray Hat hacker operates between ethical (White Hat) and unethical (Black Hat) behavior. They might break into systems without permission but without malicious intent, often reporting vulnerabilities afterward.

  They perform both offensive and defensive activities.

  # Reference: CEH v13 Official Study Guide, Module 1: Introduction to Ethical Hacking

  "Gray Hat hackers may violate ethical standards but not necessarily for personal or financial gain. They typically operate without malicious intent."

  # Incorrect options:

  A. White Hats are ethical hackers.

  B. Suicide Hackers attack without regard for being caught.

  D. Black Hats are malicious hackers.

• Question 798:

  John is an incident handler at a financial institution. His steps in a recent incident are not up to the standards of the company. John frequently forgets some steps and procedures while handling responses as they are very stressful to perform. Which of the following actions should John take to overcome this problem with the least administrative effort?

  A. Create an incident checklist.
  B. Select someone else to check the procedures.
  C. Increase his technical skills.
  D. Read the incident manual every time it occurs.
  A. Create an incident checklist.

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  An incident checklist is a low-overhead, high-impact solution to improve procedural consistency under pressure. It ensures critical steps are not forgotten during stressful incidents. The checklist can be reused and updated easily and is a recognized best practice in incident response processes.

  From CEH v13 Courseware:

  Module 19: Incident Response and Forensics # Incident Handling Procedures

  NIST SP 800-61 Rev.2 - Computer Security Incident Handling Guide

• Question 799:

  On performing a risk assessment, you need to determine the potential impacts when some of the critical business processes of the company interrupt its service.

  What is the name of the process by which you can determine those critical businesses?

  A. Emergency Plan Response (EPR)
  B. Business Impact Analysis (BIA)
  C. Risk Mitigation
  D. Disaster Recovery Planning (DRP)
  B. Business Impact Analysis (BIA)

  ---

  Explanation

  In CEH v13 Module 01: Introduction to Ethical Hacking, Business Impact Analysis (BIA) is defined as a core component of the risk management process that helps identify and evaluate critical business functions, their dependencies, and the impact of downtime.

  BIA is performed to:

  Identify critical services and resources.

  Determine the impact of their failure.

  Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).

  Prioritize systems for business continuity planning.

  Option Clarification:

  A. EPR: Emergency Plan Response - not a formal phase in BIA or risk analysis.

  C. Risk Mitigation: Involves taking actions to reduce risks, but doesn't identify business-critical services.

  D. DRP: Disaster Recovery Planning focuses on restoration, not impact assessment.

  Module 01 - Risk Management Concepts: Business Impact Analysis (BIA)

  CEH v13 eBook: Risk Assessment and Business Continuity Planning

• Question 800:

  You are a security officer of a company. You had an alert from IDS that indicates that one PC on your Intranet is connected to a blacklisted IP address (C2 Server) on the Internet. The IP address was blacklisted just before the alert. You are starting an investigation to roughly analyze the severity of the situation. Which of the following is appropriate to analyze?

  A. IDS log
  B. Event logs on domain controller
  C. Internet Firewall/Proxy log
  D. Event logs on the PC
  C. Internet Firewall/Proxy log

  ---

  Explanation

  In CEH v13 Module 04: Enumeration and Module 06: Malware Threats, when investigating Command-and- Control (C2) communication, it is important to determine whether the communication actually occurred and what data was sent.

  C. Internet Firewall/Proxy log

  Best source to confirm outbound connections to external IPs.

  Proxy logs show which internal host made the connection, the timestamp, and sometimes even URL and payload.

  Firewalls can indicate port usage, traffic volume, and connection duration.

  This data gives a direct view of how severe the incident is, whether data exfiltration occurred, and which internal system is affected.

  Why Other Options Are Less Effective Initially:

  A. IDS Log: Only tells you that an alert was generated. May be false positive or triggered by a failed connection.

  B. Event logs on Domain Controller: Useful for user account behavior, but not for network connections.

  D. Event logs on the PC: May lack detail or be tampered with by malware.

  Module 06 Incident Response Triageand; Forensics Logs

  CEH iLabs: Proxy Log Analysis and Malware C2 Detection