Free ECCouncil 312-50v13 Practice Exam with Questions & Answers | Set: 2

Tautology-based SQL injection tests, such as using ' OR '1'='1, are safe and effective methods to verify whether SQL queries are being manipulated by user input. CEH emphasizes avoiding destructive queries and using logical expressions that return all rows if injection is successful.

The recommended architecture for secure web application deployment is a multi-tiered setup:

Web server in the DMZ (public-facing)

Application server on the internal network

Database server on the internal network

This design limits the exposure of critical components. Only the web server is exposed to the internet, while application and database servers are shielded by firewalls and only accessible internally.

Reference – CEH v13 Official Study Guide:

Module 10: Hacking Web Servers

Quote:

“Place the web server in the DMZ and keep the application and database servers within the internal network. This reduces the attack surface and provides layered security.”

Incorrect Options Explained:

A. Internal placement makes them inaccessible externally.

C & D. Exposing the database or all servers to the internet introduces significant risk.

===========

In CEH v13 Module 11: Hacking Wireless Networks, Kismet is introduced as a passive wireless sniffer and network detector used primarily on Linux systems.

Kismet passively listens for wireless beacons and data frames.

Can detect hidden SSIDs, rogue APs, and even wireless client behaviors.

Does not transmit any packets, making it stealthy and ideal for wireless reconnaissance.

Option Analysis:

A. Burp Suite: Used for web application testing, not wireless.

B. OpenVAS: Vulnerability scanner, not a packet sniffer.

C. tshark: CLI version of Wireshark, can analyze wired and wireless packets, but not wireless-specific or passive by default.

D. Kismet: Correct wireless packet analyzer for Linux.

One of the most common Nmap usage scenarios is scanning an Ethernet LAN. Most LANs, especially those that use the private address range granted by RFC 1918, do not always use the overwhelming majority of IP addresses. When Nmap attempts to send a raw IP packet, such as an ICMP echo request, the OS must determine a destination hardware (ARP) address, such as the target IP, so that the Ethernet frame can be properly addressed. .. This is required to issue a series of ARP requests. This is best illustrated by an example where a ping scan is attempted against an Area Ethernet host. The –send-ip option tells Nmap to send IP-level packets (rather than raw Ethernet), even on area networks. The Wireshark output of the three ARP requests and their timing have been pasted into the session.

Raw IP ping scan example for offline targets

This example took quite a couple of seconds to finish because the (Linux) OS sent three ARP requests at 1 second intervals before abandoning the host. Waiting for a few seconds is excessive, as long as the ARP response usually arrives within a few milliseconds. Reducing this timeout period is not a priority for OS vendors, as the overwhelming majority of packets are sent to the host that actually exists. Nmap, on the other hand, needs to send packets to 16 million IP s given a target like 10.0.0.0/8. Many targets are pinged in parallel, but waiting 2 seconds each is very delayed.

There is another problem with raw IP ping scans on the LAN. If the destination host turns out to be unresponsive, as in the previous example, the source host usually adds an incomplete entry for that destination IP to the kernel ARP table. ARP tablespaces are finite and some operating systems become unresponsive when full. If Nmap is used in rawIP mode (–send-ip), Nmap may have to wait a few minutes for the ARP cache entry to expire before continuing host discovery.

ARP scans solve both problems by giving Nmap the highest priority. Nmap issues raw ARP requests and handles retransmissions and timeout periods in its sole discretion. The system ARP cache is bypassed. The example shows the difference. This ARP scan takes just over a tenth of the time it takes for an equivalent IP.

Example b ARP ping scan of offline target

In example b, neither the -PR option nor the -send-eth option has any effect. This is often because ARP has a default scan type on the Area Ethernet network when scanning Ethernet hosts that Nmap discovers. This includes traditional wired Ethernet as 802.11 wireless networks. As mentioned above, ARP scanning is not only more efficient, but also more accurate. Hosts frequently block IP-based ping packets, but usually cannot block ARP requests or responses and communicate over the network.Nmap uses ARP instead of all targets on equivalent targets, even if different ping types (such as -PE and -PS) are specified. LAN.. If you do not need to attempt an ARP scan at all, specify –send-ip as shown in Example a “Raw IP Ping Scan for Offline Targets”.

If you give Nmap control to send raw Ethernet frames, Nmap can also adjust the source MAC address. If you have the only PowerBook in your security conference room and a large ARP scan is initiated from an Apple-registered MAC address, your head may turn to you. Use the –spoof-mac option to spoof the MAC address as described in the MAC Address Spoofing section.

Gathering Information using Reverse Image Search Reverse image search helps an attacker in tracking the original source and details of images, such as photographs, profile pictures, and memes Attackers can use online tools such as Google Image Search, TinEye Reverse Image Search, and Yahoo Image Search to perform reverse

A multihomed firewall refers to a firewall with two or more network interfaces (NICs), each connected to different network segments. The purpose of a multihomed firewall is to allow filtering and segmentation of traffic between multiple network zones, such as:

External network (e.g., Internet)

Internal network (e.g., LAN)

To qualify as multihomed, the system must have at least two network interfaces. This allows it to sit between two networks and inspect/filter traffic passing through it.

Reference – CEH v13 Official Study Guide:

Module 13: Evading IDS, Firewalls, and Honeypots

Section: Firewall Architecture

Quote:

“A multihomed firewall is a system with two or more NICs connected to different networks, typically used to control traffic between internal and external networks. The minimum number of interfaces is two.”

Incorrect Options Explained:

A. 3 interfaces may be used in advanced setups (e.g., with a DMZ), but not the minimum.

B & C. 4 or 5 connections are not required unless designing more complex segmentation.

===========

A cryptographic hash function is used to ensure data integrity. It generates a fixed-length output (digest) from any size of input data. If the data is modified in any way, the resulting hash will change. This allows systems to detect data tampering, ensuring that the data remains unaltered from its original form.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Hash functions are used to ensure the integrity of a message or file by producing a unique digest that changes if the data is modified.”

Incorrect Options:

A. Authentication ensures identity, not data integrity.

B. Confidentiality is achieved via encryption, not hashing.

C. Availability pertains to system uptime and accessibility, not hashes.

===========

CEH defines botnets as networks of compromised machines controlled remotely to perform coordinated activities such as DDoS attacks, spam campaigns, and credential theft. Systems showing outbound connections to unknown IPs and participating in mass spam dissemination are characteristic indicators of botnet infection.

The given command is used to establish a null session connection with the IPC$ share on a Windows machine. IPC$ (Inter-Process Communication) is a special hidden share used for Windows inter-process communication, and when connected with blank credentials, it allows anonymous access to certain system information — a common step in enumeration.

Command breakdown:

net use \target\ipc$ "" /u:""

→ Initiates a connection using a blank username and password (null session).

From CEH v13 Courseware:

Module 04: Enumeration

Topic: Null Sessions and SMB Enumeration

CEH v13 Study Guide states:

“A null session allows unauthorized users to connect to a Windows machine and extract information like usernames, shares, and policies. Null sessions exploit the default settings of the IPC$ share and are typically initiated using net use commands.”

Incorrect Options:

A/B: Accessing the etc/passwd or SAM directly is not the function of this command.

C: Samba uses SMB, but this is targeting a Windows system.

E: Cisco router enumeration involves SNMP, not Windows IPC$.

CEH v13 describes Cross-Site Request Forgery (CSRF) as an attack in which an authenticated user's browser is tricked into submitting unauthorized actions to a trusted application without the user's intent. CSRF exploits the fact that browsers automatically include stored session cookies when sending requests to a domain the user is logged into. In this scenario, the attacker creates a malicious form that triggers an unwanted funds transfer. Since the application does not validate request origin, enforce CSRF tokens, or require secondary verification, it processes the attacker's forged request as if it came legitimately from the victim. CEH emphasizes that CSRF differs from XSS because no malicious script executes on the target website; instead, the attacker leverages the victim’s authenticated session. This is distinct from session fixation (Option A), replay attacks (Option B), and XSS (Option D). The described behavior aligns precisely with CSRF exploitation.

In the Windows security model, SID ending in -500 is reserved for the built-in Administrator account. The SID seen in the image:

S-1-5-21-343818398-789336058-1343024091-500 → maps to user Joe

This proves that Joe is the true built-in administrator account on the domain EARTH.

From CEH v13 Courseware:

Module 4: Enumeration

Topic: SID Enumeration and Account Discovery

CEH v13 Study Guide states:

“In Windows, the account with RID 500 is always the default Administrator account. Even if renamed, its SID remains ending in -500. Enumeration of this SID allows attackers to identify privileged accounts.”

Incorrect Options:

A: Incomplete — it is not just that Joe has SID 500, but that SID 500 means Joe is the administrator.

B/C: These commands don’t validate Guest account status.

E: Incorrect — these commands explicitly prove administrator identity.

DNS zone transfers occur when a secondary name server (slave) checks the Start of Authority (SOA) record from the primary server. The serial number in the SOA indicates the version of the zone file.

If:

Primary SOA serial > Secondary SOA serial

→ Zone transfer is initiated by the secondary server to update its data.

From CEH v13:

Module 3: DNS Enumeration

Topic: Zone Transfers and SOA Logic

CEH v13 Study Guide states:

“A secondary name server periodically queries the primary name server for changes. If the serial number in the SOA record is higher on the primary, it indicates a zone update, and a zone transfer is triggered.”

Incorrect Options:

B: Reversed condition

C/D: Restarting services doesn’t necessarily trigger a transfer

E: TTL expiration affects caching, not zone transfer logic

A Denial of Service (DoS) attack is a type of cyberattack that aims to make a machine or network resource unavailable to its intended users by flooding it with traffic or requests that consume its resources. A TCP SYN flood attack is a type of DoS attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. A UDP flood attack is a type of DoS attack that sends a large number of UDP packets to random ports on the target server, forcing it to check for the application listening at that port and reply with an ICMP packet. An ICMP flood attack is a type of DoS attack that sends a large number of ICMP packets, such as ping requests, to the target server, overwhelming its ICMP processing capacity.

The attacker’s strategy involves a unique mixture of TCP SYN, UDP, and ICMP floods, using ‘r’ packets per second. The server can handle ‘h’ packets per second before it starts showing signs of strain. If ‘r’ surpasses ‘h’, it overwhelms the server, causing it to become unresponsive. The attacker selects ‘r’ as a composite number and ‘h’ as a prime number, making the attack detection more challenging. This is because prime numbers are less predictable and more difficult to factorize than composite numbers, which may hinder the analysis of the attack pattern.

Considering ‘r=2010’ and different values for ‘h’, the scenario that would potentially cause the server to falter is the one where ‘h=1987’ (prime). This is because ‘r’ is greater than ‘h’ by 23 packets per second, which means the server cannot handle the incoming traffic and will eventually run out of resources. The other scenarios would not cause the server to falter, as ‘h’ is either greater than or very close to ‘r’, which means the server can either manage or barely cope with the incoming traffic. References:

What is a denial-of-service (DoS) attack? | Cloudflare

Denial-of-Service (DoS) Attack: Examples and Common Targets - Investopedia

DDoS Attack Types: Glossary of Terms

What is a Denial of Service (DoS) Attack? | Webopedia

A NOP (No Operation) instruction tells the CPU to do nothing for one instruction cycle. In exploit development:

A NOP sled is a long sequence of NOPs (0x90) that increases the chance of the instruction pointer landing before the shellcode.

0x90 is the x86 opcode for the NOP instruction.

From CEH v13 Courseware:

Module 6: Malware Threats → Shellcode and Buffer Overflow

CEH v13 defines a penetration tester as an authorized security professional whose responsibility is to identify, exploit, and report vulnerabilities within an organization’s systems, networks, applications, and processes. Unlike malicious hackers, penetration testers operate strictly within legal boundaries, under documented Rules of Engagement (RoE), and with explicit written permission from the organization. Their goal is not to harm systems but to simulate real-world cyberattacks to help organizations strengthen their defenses. CEH emphasizes the ethical responsibilities of penetration testers, including maintaining confidentiality, avoiding unauthorized data exposure, ensuring minimal operational impact, and providing actionable recommendations. Options B, C, and D describe malicious actors, malware authors, or unauthorized attackers—roles opposite to that of an ethical penetration tester. CEH makes a strong distinction between white-hat ethical hackers and black-hat attackers, with penetration testers firmly falling under the ethical, lawful category. Therefore, Option A accurately reflects CEH’s definition of a penetration tester.