Free ECCouncil 312-50v13 Practice Exam with Questions & Answers

LAN Manager (LM) hashes are legacy password hashing methods used in older Windows systems (including Windows 2000 for backward compatibility). LM hashing works by:

Converting the password to uppercase.

Padding or truncating it to 14 characters.

Splitting it into two 7-character halves.

Using each half as a DES key to encrypt a known constant ("KGS!@#$%").

Therefore, LM hashing uses the DES (Data Encryption Standard) algorithm.

From CEH v13 Official Courseware:

Module 6: Malware Threats → Password Storage and LM Hash Structure

The hacker could have used the technique of manipulating white spaces in SQL queries to bypass signature detection. This technique involves inserting, removing, or replacing white spaces in SQL queries with other characters or symbols that are either ignored or interpreted as white spaces by the SQL engine, but not by the signature-based IDS. This way, the hacker can alter the appearance of the query and evade the pattern matching of the IDS, while preserving the functionality and logic of the query. For example, the hacker could replace the space character with a tab character, a newline character, a comment symbol, or a URL-encoded value, such as %2012.

The other options are not correct for the following reasons:

A. Utilizing the char encoding function to convert hexadecimal and decimal values into characters that pass-through SQL engine parsing: This option is not feasible because the char encoding function is not supported by all SQL engines, and it may not be able to convert all hexadecimal and decimal values into valid characters. Moreover, the char encoding function may not be able to bypass the signature detection of the IDS, as it may still match the keywords or syntax of the SQL query3.

B. Using the URL encoding method to replace characters with their ASCII codes in hexadecimal form: This option is not effective because the URL encoding method is not applicable to SQL queries, as it is designed for encoding special characters in URLs. The URL encoding method may not be able to replace all characters with their ASCII codes, and it may not be able to preserve the functionality and logic of the SQL query. Furthermore, the URL encoding method may not be able to evade the signature detection of the IDS, as it may still match the keywords or syntax of the SQL query4.

C. Implementing sophisticated matches such as “OR ‘john’ = john" in place of classical matches like “OR 1-1”: This option is not advanced because it is a common and basic SQL injection technique that does not involve any evasion or obfuscation. This technique involves injecting a logical expression that is always true, such as “OR ‘john’ = john” or “OR 1-1”, to bypass the authentication or authorization checks of the SQL query. However, this technique may not be able to bypass the signature detection of the IDS, as it may easily match the keywords or syntax of the SQL query.

Symmetric encryption is a method of encrypting and decrypting data using the same secret key. Symmetric encryption is fast and efficient, but it requires a secure way of managing and distributing the keys to the users who need them. If the keys are compromised, the data is no longer secure.

One of the strategies to securely manage and distribute symmetric keys is to use HTTPS protocol for secure key transfer. HTTPS is a protocol that uses SSL/TLS to encrypt the communication between a client and a server over the Internet. HTTPS can protect the symmetric keys from being intercepted or modified by an attacker during the key transfer process. HTTPS can also authenticate the server and the client using certificates, ensuring that the keys are sent to and received by the intended parties.

To use HTTPS protocol for secure key transfer, the development team needs to implement the following steps1:

Generate a symmetric key for each user who wants to store their files on the cloud storage platform. The symmetric key will be used to encrypt and decrypt the user’s files.

Generate a certificate for the cloud storage server. The certificate will contain the server’s public key and other information, such as the server’s domain name, the issuer, and the validity period. The certificate will be signed by a trusted certificate authority (CA), which is a third-party entity that verifies the identity and legitimacy of the server.

Install the certificate on the cloud storage server and configure the server to use HTTPS protocol for communication.

When a user wants to upload or download their files, the user’s client (such as a web browser or an app) will initiate a HTTPS connection with the cloud storage server. The client will verify the server’s certificate and establish a secure session with the server using SSL/TLS. The client and the server will negotiate a session key, which is a temporary symmetric key that will be used to encrypt the data exchanged during the session.

The cloud storage server will send the user’s symmetric key to the user’s client, encrypted with the session key. The user’s client will decrypt the symmetric key with the session key and use it to encrypt or decrypt the user’s files.

The user’s client will store the symmetric key securely on the user’s device, such as in a password-protected file or a hardware token. The user’s client will also delete the session key after the session is over.

Using HTTPS protocol for secure key transfer can ensure that the symmetric keys are protected from eavesdropping, tampering, or spoofing attacks. However, this strategy also has some challenges and limitations, such as:

The development team needs to obtain and maintain valid certificates for the cloud storage server from a trusted CA, which might incur costs and administrative overhead.

The users need to trust the CA that issued the certificates for the cloud storage server and verify the certificates before accepting them.

The users need to protect their symmetric keys from being lost, stolen, or corrupted on their devices. The development team needs to provide a mechanism for key backup, recovery, or revocation in case of such events.

The users need to update their symmetric keys periodically to prevent key exhaustion or reuse attacks. The development team needs to provide a mechanism for key rotation or renewal in a secure and efficient manner.

A Network-based Intrusion Detection System (NIDS) monitors all network traffic for signs of suspicious activity across multiple hosts. In large environments with critical assets (e.g., financial or healthcare networks), NIDS is ideal because it provides visibility into entire network segments, not just individual systems.

NIDS can be deployed at strategic points (e.g., DMZs, VLANs, subnets) to detect unauthorized access, malware activity, or policy violations.

Reference – CEH v13 Official Courseware:

Module 13: Evading IDS, Firewalls, and Honeypots

Quote:

“Network-based IDS monitors traffic across an entire subnet or segment and is most effective in large environments to detect malicious activity before it reaches critical assets.”

Incorrect Options Explained:

A. Honeypots attract and log attacker behavior, but do not provide network-wide detection.

B. Firewalls filter traffic but are not detection systems.

D. HIDS monitors activity on a single host only.

===========

Comprehensive and Detailed Explanation:

The correct file name is /var/log/auth.log (not auth.fesg). “auth.fesg” is a typo or does not exist by default in Linux systems.

Linux login records include:

/var/log/auth.log – authentication logs

/var/log/wtmp – records login sessions

/var/log/btmp – records failed logins

/var/log/user.log – logs user-level messages (optional)

Therefore, B is not a valid log file.

From CEH v13 Courseware:

Module 6: System Hacking → Covering Tracks in Linux

ESP (Encapsulating Security Payload) in transport mode is used for end-to-end communication between hosts within the same LAN. It encrypts only the payload, not the header, ensuring confidentiality and integrity while maintaining efficient routing.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“In ESP transport mode, only the data payload is encrypted, making it ideal for secure communication within a LAN where the IP header must remain intact for routing.”

Incorrect Options Explained:

B & C. Not valid IPSec modes.

D. AH tunnel mode ensures integrity but does not provide encryption.

===========

18 U.S.C. §1030, also known as the Computer Fraud and Abuse Act (CFAA), is a broad federal statute that criminalizes unauthorized access to computers and related fraudulent activities—including phishing and email scams.

From CEH v13 Official Courseware:

Module 1: Introduction to Ethical Hacking

Topic: U.S. Laws Related to Cybercrime

CEH v13 Study Guide states:

“Email-based frauds such as phishing, spoofing, and other social engineering attacks fall under the Computer Fraud and Abuse Act (18 U.S.C. §1030), which criminalizes unauthorized access and fraudulent behavior in computing systems.”

Incorrect Options:

B: Relates to credit cards and access devices.

C: Covers interference with government communication systems.

D: Covers illegal wiretapping and eavesdropping.

A DNS zone file contains resource records (RRs) that define mappings and configurations for domains and subdomains. The standard records found in a zone file include:

SOA (Start of Authority): Indicates the beginning of the zone file.

NS (Name Server): Specifies the authoritative name servers.

A (Address): Maps hostnames to IPv4 addresses.

MX (Mail Exchange): Specifies mail servers.

These records are essential for the DNS resolution process and mail routing.

From CEH v13 Official Courseware:

Module 3: DNS Enumeration

Topic: DNS Record Types

CEH v13 Study Guide states:

“A zone file contains all the resource records including SOA, NS, A, and MX. These define name server authority, IP resolution, and mail server routing.”

Incorrect Options:

A: DNS is a protocol, not a resource record.

B: PTR is for reverse DNS, typically in a separate reverse zone file.

C: AXFR is a DNS transfer mechanism, not an RR in the zone file.

Whois footprinting is a reconnaissance technique used by attackers and penetration testers to gather publicly available information about domain names. By performing a Whois lookup, one can retrieve:

Domain registrant details (name, email, phone, and address)

Domain registration and expiry dates

Name servers and registrar information

Administrative and technical contact data

According to CEH v13:

Whois databases are maintained by Internet registrars and can be queried through tools like whois lookup or websites such as https://whois.domaintools.com.

This information helps attackers build a profile of the organization, identify potential social engineering targets, and even understand domain structure for further attacks.

Incorrect Options:

A. VPN footprinting refers to identifying VPN gateways or configurations — not related to domain data.

B. Email footprinting involves gathering information from or about email systems.

C. VoIP footprinting targets IP-based telephony systems, such as SIP endpoints.

Reference – CEH v13 Official Courseware:

Module 02: Footprinting and Reconnaissance

Section: “WHOIS Footprinting”

Tools: Whois lookup tools, ICANN WHOIS, DomainTools

Union-based SQL injection is a technique that uses the UNION SQL operator to combine the results of the original query with the results of one or more additional queries. This allows attackers to:

Retrieve data from different database tables

Extend the result set returned to the web application

Exploit the application if both queries return the same number and type of columns

According to CEH v13:

UNION SELECT can be used to enumerate tables, extract user credentials, or display sensitive data.

It requires knowledge of the structure of the original query.

Incorrect Options:

A. Error-based injection extracts data from database error messages.

B. Boolean-based blind SQLi returns true/false results to infer data.

C. Blind SQLi (generic) relies on no visible output and uses inference techniques.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Types of SQL Injection Attacks”

Subsection: “Union-Based SQL Injection”

===========

Infrastructure as a Service (IaaS) provides virtualized computing infrastructure over the internet. In this model:

The cloud provider supplies the hardware (servers, storage, networking).

The client (your organization) is responsible for installing and managing the OS, applications, and all configurations.

This aligns with the question, where the organization must take full responsibility for maintenance.

Incorrect Options:

A. PaaS offers managed OS, middleware, and runtime, reducing customer responsibilities.

B. SaaS provides fully managed applications—users only access features.

C. Functions as a Service (FaaS) offers event-driven computing without server management, used in serverless environments.

Reference – CEH v13 Official Courseware:

Module 19: Cloud Computing

Section: “Cloud Service Models”

Table: “Responsibilities in IaaS vs PaaS vs SaaS”

===========

-A: Perform an aggressive scan which select most of the commonly used options within nmap

-Pn: Means Don't ping

-p:scan specific ports

-sT: TCP Connect scan

-O: Operating system detection

-T0: timing template (extremely slow- evade FW)0

Open-source intelligence (OSINT) refers to the process of collecting and analyzing information from publicly available sources. This can include social media, websites, press releases, job boards, government databases, and more.

OSINT is a crucial part of the reconnaissance phase in ethical hacking and penetration testing, where attackers or analysts gather intel without directly interacting with the target system.

Reference – CEH v13 Official Study Guide:

Module 2: Footprinting and Reconnaissance

Quote:

“OSINT is derived from public sources and includes blogs, websites, public records, and social networks. It helps attackers or analysts understand the target’s digital footprint.”

Incorrect Options Explained:

B. “Real intelligence” is not a cybersecurity term.

C. Social intelligence refers to interpersonal awareness, not cyber reconnaissance.

D. Human intelligence (HUMINT) involves person-to-person intel, not publicly available data.

===========

A DHCP starvation assault is a pernicious computerized assault that objectives DHCP workers. During a DHCP assault, an unfriendly entertainer floods a DHCP worker with false DISCOVER bundles until the DHCP worker debilitates its stock of IP addresses. When that occurs, the aggressor can deny genuine organization clients administration, or even stock an other DHCP association that prompts a Man-in-the-Middle (MITM) assault.

In a DHCP Starvation assault, a threatening entertainer sends a huge load of false DISCOVER parcels until the DHCP worker thinks they’ve used their accessible pool. Customers searching for IP tends to find that there are no IP addresses for them, and they’re refused assistance. Furthermore, they may search for an alternate DHCP worker, one which the unfriendly entertainer may give. What’s more, utilizing a threatening or sham IP address, that unfriendly entertainer would now be able to peruse all the traffic that customer sends and gets.

In an unfriendly climate, where we have a malevolent machine running some sort of an instrument like Yersinia, there could be a machine that sends DHCP DISCOVER bundles. This malevolent customer doesn’t send a modest bunch – it sends a great many vindictive DISCOVER bundles utilizing sham, made-up MAC addresses as the source MAC address for each solicitation.

In the event that the DHCP worker reacts to every one of these false DHCP DISCOVER parcels, the whole IP address pool could be exhausted, and that DHCP worker could trust it has no more IP delivers to bring to the table to legitimate DHCP demands.

When a DHCP worker has no more IP delivers to bring to the table, ordinarily the following thing to happen would be for the aggressor to get their own DHCP worker. This maverick DHCP worker at that point starts giving out IP addresses.

The advantage of that to the assailant is that if a false DHCP worker is distributing IP addresses, including default DNS and door data, customers who utilize those IP delivers and begin to utilize that default passage would now be able to be directed through the aggressor’s machine. That is all that an unfriendly entertainer requires to play out a man-in-the-center (MITM) assault.

 DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts

■ HOSTMIB.MIB: Monitors and manages host resources

■ LNMIB2.MIB: Contains object types for workstation and server services

■ MIBJI.MIB: Manages TCP/IP-based Internet using a simple architecture and system

■ WINS.MIB: For the Windows Internet Name Service (WINS)