Free ECCouncil 312-50v13 Practice Exam with Questions & Answers | Set: 7

The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity for a vulnerability. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A vector string represents the values of all the metrics as a block of text1

The Base metrics measure the intrinsic characteristics of a vulnerability, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability. The Base score reflects the severity of a vulnerability assuming that there is no temporal information or context available1

The Temporal metrics measure the characteristics of a vulnerability that change over time, such as the exploit code maturity, the remediation level, and the report confidence. The Temporal score reflects the current state of a vulnerability and its likelihood of being exploited1

The Environmental metrics measure the characteristics of a vulnerability that depend on a specific implementation or environment, such as the security requirements, the modified base metrics, and the collateral damage potential. The Environmental score reflects the impact of a vulnerability on a particular organization or system1

In this scenario, the vulnerability has a Base score of 7, a Temporal score of 8, and an Environmental score of 5. This means that:

The vulnerability has a high severity based on its intrinsic characteristics, such as the attack vector, the attack complexity, the required privileges, the user interaction, the scope, and the impact on confidentiality, integrity, and availability. A Base score of 7 corresponds to a high severity rating according to the CVSS v3.0 specification1

The vulnerability has an increasing likelihood of exploitability over time based on its current state, such as the exploit code maturity, the remediation level, and the report confidence. A Temporal score of 8 is higher than the Base score of 7, which indicates that the vulnerability is more likely to be exploited as time passes1

The vulnerability has a medium impact on the specific environment or implementation based on the security requirements, the modified base metrics, and the collateral damage potential. An Environmental score of 5 is lower than the Base score of 7, which indicates that the vulnerability is less impactful in the particular context of the organization or system1

Therefore, the statement that best describes this scenario is: The vulnerability has an overall high severity, the likelihood of exploitability is increasing over time, and it has a medium impact in their specific environment.

An HTTP Flood attack is an Application Layer (Layer 7) DDoS attack, as defined in CEH v13. In this attack, the adversary sends a massive number of seemingly legitimate HTTP GET or POST requests to exhaust server resources such as CPU, memory, and application threads.

CEH v13 emphasizes that HTTP floods are difficult to detect because they mimic normal user behavior and often bypass traditional network-layer defenses.

Other attacks operate at lower layers:

ICMP, UDP, and SYN floods target network and transport layers.

A Network-based Intrusion Detection System (NIDS) monitors all network traffic for signs of suspicious activity across multiple hosts. In large environments with critical assets (e.g., financial or healthcare networks), NIDS is ideal because it provides visibility into entire network segments, not just individual systems.

NIDS can be deployed at strategic points (e.g., DMZs, VLANs, subnets) to detect unauthorized access, malware activity, or policy violations.

Reference – CEH v13 Official Courseware:

Module 13: Evading IDS, Firewalls, and Honeypots

Quote:

“Network-based IDS monitors traffic across an entire subnet or segment and is most effective in large environments to detect malicious activity before it reaches critical assets.”

Incorrect Options Explained:

A. Honeypots attract and log attacker behavior, but do not provide network-wide detection.

B. Firewalls filter traffic but are not detection systems.

D. HIDS monitors activity on a single host only.

=

The File Transfer Protocol (FTP) is a standard organization convention utilized for the exchange of PC records from a worker to a customer on a PC organization. FTP is based on a customer worker model engineering utilizing separate control and information associations between the customer and the server.[1] FTP clients may validate themselves with an unmistakable book sign-in convention, ordinarily as a username and secret key, however can interface namelessly if the worker is designed to permit it. For secure transmission that ensures the username and secret phrase, and scrambles the substance, FTP is frequently made sure about with SSL/TLS (FTPS) or supplanted with SSH File Transfer Protocol (SFTP).

The primary FTP customer applications were order line programs created prior to working frameworks had graphical UIs, are as yet dispatched with most Windows, Unix, and Linux working systems.[2][3] Many FTP customers and mechanization utilities have since been created for working areas, workers, cell phones, and equipment, and FTP has been fused into profitability applications, for example, HTML editors.

Using default settings on a web server is considered a security risk because it can reveal the server software type and version, which can help attackers identify potential vulnerabilities and launch targeted attacks. For example, if the default settings include a server signature that displays the name and version of the web server software, such as Apache 2.4.46, an attacker can search for known exploits or bugs that affect that specific software and version. Additionally, default settings may also include other insecure configurations, such as weak passwords, unnecessary services, or open ports, that can expose the web server to unauthorized access or compromise.

The best initial step to mitigate this risk is to change the default settings to hide or obscure the server software type and version, as well as to disable or remove any unnecessary or insecure features. For example, to hide the server signature, one can modify the ServerTokens and ServerSignature directives in the Apache configuration file1. Alternatively, one can use a web application firewall or a reverse proxy to mask the server information from the client requests2. Changing the default settings can reduce the attack surface and make it harder for attackers to exploit the web server.

Gathering Wordlist from the Target Website An attacker uses the CeWL tool to gather a list of words from the target website and perform a brute-force attack on the email addresses gathered earlier. # Cewl www.certifiedhacker.com (P.200/184)

CEH describes FIN scans as stealthy scans that send packets with the FIN flag without initiating a TCP handshake. According to TCP RFC behavior, closed ports respond with RST packets while open ports ignore the probe, producing no response. This allows enumeration of port states while evading IDS systems that typically monitor SYN-based scans.

According to the CEH Vulnerability Assessment and Incident Response modules, vulnerabilities with high CVSS scores and potential RCE must be treated as active threats.

CEH best practices recommend:

Immediate containment (network isolation)

Investigation and impact analysis

Patch application

Recovery

Option D follows the CEH incident response lifecycle precisely.

Option C is incomplete without containment.

Options A and B are unsafe.

CEH emphasizes containment before remediation.

https://nmap.org/book/man-port-specification.html

NOTE: In my opinion, this is an absolutely wrong statement of the question. But you may come across a question with a similar wording on the exam. What does "fast" mean? If we want to increase the speed and intensity of the scan we can select the mode using the -T flag (0/1/2/3/4/5). At high -T values, we will sacrifice stealth and gain speed, but we will not limit functionality.

«nmap -T4 -F 10.10.0.0/24» This option is "correct" because of the -F flag.

-F (Fast (limited port) scan)

Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common 1,000 ports for each scanned protocol. With -F, this is reduced to 100.

Technically, scanning will be faster, but just because we have reduced the number of ports by 10 times, we are just doing 10 times less work, not faster.

A digital certificate, issued by a trusted Certificate Authority (CA), binds a public key to the identity of an entity (e.g., user, organization). This provides a means to validate ownership of the public key.

CEH v13 Reference:

Module 17: Cryptography

"A digital certificate ensures the authenticity of the public key through a trusted third party known as a Certificate Authority."

━━━━━━━━━━━━━━━━━━━━━━

CEH v13 explains that directory traversal (also called path traversal) occurs when an application improperly handles user-supplied input used for file path generation. Attackers exploit this by inserting traversal sequences such as ../ beyond the intended directories, gaining access to sensitive files like /etc/passwd, configuration data, or source code. The vulnerability arises from missing input validation and failure to restrict file access to safe directories. CEH stresses that directory traversal is common in file handling functions such as view, download, or include operations. Brute-forcing credentials (Option A) is unrelated. XSS (Option C) targets script injection into web pages, not file access. Buffer overflow (Option D) manipulates memory, not file paths. Therefore, the scenario represents classic directory traversal exploitation.

False Positives occur when a scanner, Web Application Firewall (WAF), or Intrusion Prevention System (IPS) flags a security vulnerability that you do not have. A false negative is the opposite of a false positive, telling you that you don't have a vulnerability when, in fact, you do.

A false positive is like a false alarm; your house alarm goes off, but there is no burglar. In web application security, a false positive is when a web application security scanner indicates that there is a vulnerability on your website, such as SQL Injection, when, in reality, there is not. Web security experts and penetration testers use automated web application security scanners to ease the penetration testing process. These tools help them ensure that all web application attack surfaces are correctly tested in a reasonable amount of time. But many false positives tend to break down this process. If the first 20 variants are false, the penetration tester assumes that all the others are false positives and ignore the rest. By doing so, there is a good chance that real web application vulnerabilities will be left undetected.

When checking for false positives, you want to ensure that they are indeed false. By nature, we humans tend to start ignoring false positives rather quickly. For example, suppose a web application security scanner detects 100 SQL Injection vulnerabilities. If the first 20 variants are false positives, the penetration tester assumes that all the others are false positives and ignore all the rest. By doing so, there are chances that real web application vulnerabilities are left undetected. This is why it is crucial to check every vulnerability and deal with each false positive separately to ensure false positives.

The scenario describes a situation where a hacker infects an internet-facing server and leverages it to perform malicious activities such as sending spam emails, participating in distributed denial-of-service (DDoS) attacks, or hosting spam content. This behavior is characteristic of a Botnet Trojan.

According to the CEH v13 Official Courseware and Study Guide:

A Botnet Trojan is a type of malware that transforms infected machines into bots (also called zombies), which can be remotely controlled by an attacker (bot herder or bot master).

These bots become part of a botnet — a network of compromised machines used for coordinated cyberattacks including:

Sending unsolicited spam emails (junk mail)

Participating in DDoS attacks

Hosting or distributing malware and phishing content

The infected machine can receive commands from a command-and-control (C&C) server and act in concert with other infected machines to amplify attacks or spread malware.

Incorrect Options:

B. Banking Trojans are designed specifically to steal financial data such as online banking credentials.

C. Turtle Trojans is not a valid classification in CEH v13 or cybersecurity literature (may be a distractor).

D. Ransomware Trojans encrypt data and demand a ransom for decryption, not typically used for junk mail or botnet activities.

Reference – CEH v13 Official Courseware:

Module 06: Malware Threats

Section: “Types of Trojans”

Subsection: “Botnet Trojans”

CEH v13 eBook or Study Guide — usually found under “Trojan Classifications by Payload”

Practical labs in CEH Engage and iLabs also demonstrate botnet functionality using tools like Zeus and Emotet in real-world botnet infection scenarios.

https://en.wikipedia.org/wiki/RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service.

RADIUS is a client/server protocol that runs in the application layer, and can use either TCP or UDP. Network access servers, which control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. RADIUS is often the back-end of choice for 802.1X authentication. A RADIUS server is usually a background process running on UNIX or Microsoft Windows.

Authentication and authorization

The user or machine sends a request to a Network Access Server (NAS) to gain access to a particular network resource using access credentials. The credentials are passed to the NAS device via the link-layer protocol—for example, Point-to-Point Protocol (PPP) in the case of many dialup or DSL providers or posted in an HTTPS secure web form.

In turn, the NAS sends a RADIUS Access Request message to the RADIUS server, requesting authorization to grant access via the RADIUS protocol.

This request includes access credentials, typically in the form of username and password or security certificate provided by the user. Additionally, the request may contain other information which the NAS knows about the user, such as its network address or phone number, and information regarding the user's physical point of attachment to the NAS.

The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status, and specific network service access privileges. Historically, RADIUS servers checked the user's information against a locally stored flat-file database. Modern RADIUS servers can do this or can refer to external sources—commonly SQL, Kerberos, LDAP, or Active Directory servers—to verify the user's credentials.

The RADIUS server then returns one of three responses to the NAS:

1) Access-Reject,

2) Access-Challenge,

3) Access-Accept.

Access-Reject

The user is unconditionally denied access to all requested network resources. Reasons may include failure to provide proof of identification or an unknown or inactive user account.

Access-Challenge

Requests additional information from the user such as a secondary password, PIN, token, or card. Access-Challenge is also used in more complex authentication dialogs where a secure tunnel is established between the user machine and the Radius Server in a way that the access credentials are hidden from the NAS.

Access-Accept

The user is granted access. Once the user is authenticated, the RADIUS server will often check that the user is authorized to use the network service requested. A given user may be allowed to use a company's wireless network, but not its VPN service, for example. Again, this information may be stored locally on the RADIUS server or may be looked up in an external source such as LDAP or Active Directory.

https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.

This is done by making a logged in user in the victim platform access an attacker controlled website and from there execute malicious JS code, send forms or retrieve "images" to the victims account.

In order to be able to abuse a CSRF vulnerability you first need to find a relevant action to abuse (change password or email, make the victim follow you on a social network, give you more privileges...). The session must rely only on cookies or HTTP Basic Authentication header, any other header can't be used to handle the session. An finally, there shouldn't be unpredictable parameters on the request.

Several counter-measures could be in place to avoid this vulnerability. Common defenses:

- SameSite cookies: If the session cookie is using this flag, you may not be able to send the cookie from arbitrary web sites.

- Cross-origin resource sharing: Depending on which kind of HTTP request you need to perform to abuse the relevant action, you may take int account the CORS policy of the victim site. Note that the CORS policy won't affect if you just want to send a GET request or a POST request from a form and you don't need to read the response.

- Ask for the password user to authorise the action.

- Resolve a captcha

- Read the Referrer or Origin headers. If a regex is used it could be bypassed form example with:

http://mal.net?orig=http://example.com (ends with the url)

http://example.com.mal.net (starts with the url)

- Modify the name of the parameters of the Post or Get request

- Use a CSRF token in each session. This token has to be send inside the request to confirm the action. This token could be protected with CORS.

Zero Trust Networks The Zero Trust model is a security implementation that by default assumes every user trying to access the network is not a trusted entity and verifies every incoming connection before allowing access to the network.It strictly follows the principle, “Trust no one and validate before providing a cloud service or granting access permission.”It also allows companies to impose conditions, such as allowing employees to only access the appropriate resources required for their work role. (P.2997/2981)

Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture. Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control.

Comprehensive and Detailed Explanation:

An Information Security Policy (ISP) is a high-level document that defines:

What employees can and cannot do with IT systems.

What data is protected and how.

The consequences of policy violations.

The company's commitment to security.

It must be signed by users to enforce compliance and protect organizational assets.

From CEH v13 Courseware:

Module 20: Information Security Policies

Module 1: Governance, Risk, and Compliance

PGP (Pretty Good Privacy), SSL (Secure Sockets Layer), and IKE (Internet Key Exchange) use Public Key Cryptography for secure communication. They utilize:

Public and private key pairs

Asymmetric encryption for key exchange

Symmetric encryption for data confidentiality (after key exchange)

These protocols ensure secure data transfer over insecure networks.

Reference – CEH v13 Official Study Guide:

Module 20: Cryptography

Quote:

“Public key cryptography uses asymmetric key pairs for encryption and authentication. Protocols like PGP, SSL/TLS, and IKE rely on this to exchange keys and establish trust.”

Incorrect Options:

A & D. Digest/hash algorithms (e.g., MD5, SHA) ensure integrity, not encryption

B. Secret key refers to symmetric encryption, which is used after the public key exchange, not as the basis for these protocols

In CEH v13 Module 02: Footprinting and Reconnaissance, Dark Web Footprinting is discussed as an advanced form of reconnaissance where attackers access hidden services and data using anonymity networks such as Tor (The Onion Router), I2P, or Freenet. These networks enable access to the deep web and dark web, where unindexed, and often illicit, content resides.

Key points relevant to this scenario:

The attacker encrypted browsing traffic and navigated anonymously, which strongly implies the use of tools like Tor or VPNs to mask identity.

The attacker used specialized tools/search engines like:

Torch

Ahmia

DarkSearch

Candle

The goal was to find sensitive or hidden information in government or federal systems — a common dark web footprinting objective.

The final step involved an attack that left no trace, which aligns with using the dark web for anonymity and obfuscation.

Option Analysis:

A. Dark web footprinting

Correct. This matches the behavior described: encrypted, anonymous access to sensitive information through dark web tools.

B. VoIP footprinting ❌

Incorrect. VoIP footprinting relates to identifying vulnerabilities or metadata in Voice over IP systems, not anonymous browsing or dark web activities.

C. VPN footprinting ❌

Incorrect. While VPNs may be used as part of anonymity, VPN footprinting refers to identifying systems using VPNs — not the act of gathering data anonymously.

D. Website footprinting ❌

Incorrect. Website footprinting involves gathering information from public-facing websites, like WHOIS data, robots.txt, and HTML metadata — not hidden dark web content.

Reference from CEH v13 Study Guide and Courseware:

Module 02 – Footprinting and Reconnaissance, Section: Footprinting through Dark Web and Deep Web

CEH v13 iLabs: Using Tor and Dark Web Search Engines for Reconnaissance

CEH Engage – Phase 1 (Reconnaissance): Dark Web Intelligence Gathering

We have various articles already in our documentation for setting up SNMPv2 trap handling in Opsview, but SNMPv3 traps are a whole new ballgame. They can be quite confusing and complicated to set up the first time you go through the process, but when you understand what is going on, everything should make more sense.

SNMP has gone through several revisions to improve performance and security (version 1, 2c and 3). By default, it is a UDP port based protocol where communication is based on a ‘fire and forget’ methodology in which network packets are sent to another device, but there is no check for receipt of that packet (versus TCP port when a network packet must be acknowledged by the other end of the communication link). 

There are two modes of operation with SNMP – get requests (or polling) where one device requests information from an SNMP enabled device on a regular basis (normally using UDP port 161), and traps where the SNMP enabled device sends a message to another device when an event occurs (normally using UDP port 162). The latter includes instances such as someone logging on, the device powering up or down, or a wide variety of other problems that would need this type of investigation.

This blog covers SNMPv3 traps, as polling and version 2c traps are covered elsewhere in our documentation.

SNMP traps

Since SNMP is primarily a UDP port based system, traps may be ‘lost’ when sending between devices; the sending device does not wait to see if the receiver got the trap. This means if the configuration on the sending device is wrong (using the wrong receiver IP address or port) or the receiver isn’t listening for traps or rejecting them out of hand due to misconfiguration, the sender will never know.

The SNMP v2c specification introduced the idea of splitting traps into two types; the original ‘hope it gets there’ trap and the newer ‘INFORM’ traps. Upon receipt of an INFORM, the receiver must send an acknowledgement back. If the sender doesn’t get the acknowledgement back, then it knows there is an existing problem and can log it for sysadmins to find when they interrogate the device.