Visit here for our full ECCouncil 312-50v13 exam dumps and practice test questions.
Question 1
An ethical hacker is performing a black-box penetration test on a corporate network. They want to identify the operating system of a target server without injecting raw packets that might trigger the intrusion detection system (IDS). Which of the following passive footprinting techniques should they employ to achieve this?
A) Banner Grabbing via Telnet
B) TCP/IP Stack Fingerprinting using Nmap
C) Analyzing the Time-to-Live (TTL) values from captured ICMP packets
D) Sending a specialized probe using Xprobe2
Correct Answer: C
Explanation:
The correct answer is C. Analyzing the Time-to-Live (TTL) values from captured network traffic is a passive fingerprinting method. Different operating systems use different default initial TTL values (e.g., Windows often uses 128, while Linux often uses 64). By sniffing existing traffic without sending new packets, the hacker avoids engaging with the target directly, thus bypassing IDS triggers that look for active scanning behavior.
Why A is incorrect: Banner grabbing via Telnet is an active technique. It requires establishing a connection to the target service, which creates log entries and can be easily detected by an IDS.
Why B is incorrect: Nmap OS fingerprinting works by sending a series of probes (packets) to the target and analyzing the responses. This is an active scanning method that is noisy and likely to be flagged by security monitoring tools.
Why D is incorrect: Xprobe2 is an active OS fingerprinting tool that sends ICMP probes to the remote system. Like Nmap, this involves direct interaction with the target, making it unsuitable for a purely passive approach.
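As an added illustration (not part of the original question set), the TTL heuristic above in code: it rounds each observed TTL up to the nearest common default, derives the hop count, and keeps one guess per source host. The packet list is constructed, and the mapping is only a heuristic because administrators can change a host's default TTL.

```python
"""Passive OS-family inference from observed IP TTL values (added example).

The default initial TTLs (64, 128, 255) are well-known values; the
captured packets below are constructed sample data, not a real capture.
"""
from dataclasses import dataclass

# Common default initial TTLs and the OS families that usually set them.
DEFAULT_TTLS = {
    64: "Linux/Unix/macOS",
    128: "Windows",
    255: "Network device / Solaris",
}


@dataclass
class Guess:
    src: str
    observed_ttl: int
    initial_ttl: int
    hops: int
    os_family: str


def infer_initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common default initial TTL.

    Every router on the path decrements TTL by one, so a packet that arrives
    with TTL 117 most likely started at 128 (11 hops away), not at 255.
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"invalid TTL {observed_ttl}")
    for initial in sorted(DEFAULT_TTLS):
        if observed_ttl <= initial:
            return initial
    raise AssertionError("unreachable: 255 always matches")


def guess_os(src: str, observed_ttl: int) -> Guess:
    initial = infer_initial_ttl(observed_ttl)
    return Guess(src, observed_ttl, initial, initial - observed_ttl,
                 DEFAULT_TTLS[initial])


def summarise_capture(packets):
    """Keep one guess per source host from (src_ip, ttl) pairs.

    The same host may be seen with different TTLs (asymmetric routes, a
    load balancer); the guess with the fewest hops is kept as the estimate.
    The result is a heuristic: administrators can change the default TTL.
    """
    best = {}
    for src, ttl in packets:
        g = guess_os(src, ttl)
        if src not in best or g.hops < best[src].hops:
            best[src] = g
    return best


# Constructed sample: (source IP, TTL as seen by the sniffer)
SAMPLE_PACKETS = [
    ("10.0.5.20", 117),  # 128 - 11 hops -> Windows
    ("10.0.5.21", 58),   # 64 - 6 hops -> Linux
    ("10.0.5.22", 250),  # 255 - 5 hops -> network device
    ("10.0.5.20", 116),  # same host, one extra hop on another path
]

if __name__ == "__main__":
    for g in summarise_capture(SAMPLE_PACKETS).values():
        print(f"{g.src}: ttl={g.observed_ttl} initial={g.initial_ttl} "
              f"hops={g.hops} -> {g.os_family}")
```

The same logic serves a defender doing passive asset inventory from a span port, with the same caveat that a non-default TTL produces a wrong guess.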
Question 2
During a security audit, a CEH utilizes an AI-powered tool to automate the generation of phishing emails that mimic the CEO’s writing style. The goal is to test the employees’ resilience against Business Email Compromise (BEC). Which specific category of AI threat is the auditor simulating?
A) Model Inversion
B) Deepfake Text Generation
C) Data Poisoning
D) AI Hallucination
Correct Answer: B
Explanation:
The correct answer is B. Deepfake Text Generation involves using Large Language Models (LLMs) to synthetically generate text that mimics a specific persona or tone. In the context of CEH v13, understanding how attackers use Generative AI (GenAI) to craft highly convincing phishing campaigns is critical. This simulation tests if employees can distinguish between authentic executive communications and AI-generated forgeries.
Why A is incorrect: Model Inversion is an attack against the AI model itself, attempting to reconstruct the training data used to build the model. It is not a technique used to generate phishing content.
Why C is incorrect: Data Poisoning involves corrupting the training dataset of an AI model to compromise its behavior or integrity. It targets the machine learning pipeline, not the human element of a BEC attack.
Why D is incorrect: AI Hallucination refers to an AI confidently generating false or nonsensical information. While a risk in using AI, it is an error state rather than a deliberate attack vector used by a hacker to impersonate a user.
Question 3
A penetration tester is using Nmap to scan a subnet for live hosts. The network administrator has blocked ICMP Echo Requests at the firewall. Which Nmap switch should the tester use to bypass this block and perform a TCP SYN discovery scan on port 443?
A) -sP
B) -PS443
C) -PU443
D) -sU
Correct Answer: B
Explanation:
The correct answer is B. The -PS flag in Nmap initiates a TCP SYN discovery scan. By appending 443 (e.g., -PS443), the tester tells Nmap to send a TCP SYN packet to port 443. If the host is up, it will respond with a SYN/ACK or RST packet. This method is effective for bypassing firewalls that block standard ICMP ping (Echo Requests) but allow traffic on common ports like HTTPS (443).
Why A is incorrect: The -sP flag (now often -sn in newer versions) performs a ping scan. If ICMP is blocked by the firewall and no specific port probes are defined, this scan will likely fail to identify the live hosts.
Why C is incorrect: The -PU flag sends UDP packets to the specified port. While this is a valid discovery method, the question specifically asks for a TCP SYN discovery scan, not a UDP discovery scan.
Why D is incorrect: The -sU flag performs a UDP port scan, which identifies open UDP ports. It is not primarily a host discovery switch and is significantly slower than a TCP SYN probe for identifying live hosts.
Question 4
An attacker has successfully gained access to a Windows Server and wants to dump the password hashes from the Security Account Manager (SAM) database. They are attempting to use the Mimikatz tool but are blocked by Windows Defender. Which technique describes the method of running the malicious code solely in the system’s volatile memory to evade antivirus detection?
A) Directory Traversal
B) Fileless Malware
C) Steganography
D) Alternate Data Streams
Correct Answer: B
Explanation:
The correct answer is B. Fileless malware refers to malicious software that exists only in the computer’s Random Access Memory (RAM) and does not write any files to the hard drive. Attackers often use tools like PowerShell or WMI to inject code directly into memory. Since traditional antivirus software typically scans files written to the disk, fileless techniques are highly effective at evading detection during the “Gaining Access” or “Maintaining Access” phases.
Why A is incorrect: Directory traversal is a web vulnerability that allows an attacker to access files and directories that are stored outside the web root folder. It is not a technique for hiding malware execution in memory.
Why C is incorrect: Steganography is the art of hiding data within other files, such as images or audio, to conceal its existence. While it hides data, it does not necessarily execute code in memory to bypass antivirus real-time protection.
Why D is incorrect: Alternate Data Streams (ADS) is an NTFS file system feature that allows data to be hidden behind a file name. While used for concealment, ADS still relies on the file system and does not inherently imply memory-only execution.
Question 5
A security analyst observes a spike in traffic on port 1883 coming from a smart thermostat in the corporate lobby. The device appears to be sending telemetry data to an unknown foreign IP address. Which protocol is likely being exploited or misused in this IoT attack scenario?
A) CoAP
B) MQTT
C) Zigbee
D) Modbus
Correct Answer: B
Explanation:
The correct answer is B. MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol widely used in Internet of Things (IoT) devices. It runs on top of TCP/IP and typically uses port 1883 for unencrypted communication (and port 8883 for encrypted). An attack on port 1883 suggests the exploitation of the MQTT broker or the device’s implementation of this protocol to exfiltrate data or command the device.
Why A is incorrect: CoAP (Constrained Application Protocol) is a web transfer protocol for use with constrained nodes and constrained networks. It runs over UDP, not TCP, and typically uses port 5683.
Why C is incorrect: Zigbee is a wireless protocol used for low-power, low-data rate, close-proximity wireless ad hoc networks (PANs). It operates on the IEEE 802.15.4 standard and does not use TCP ports like 1883 directly over the internet; it requires a gateway to bridge to IP networks.
Why D is incorrect: Modbus is an industrial communication protocol used for transmitting information over serial lines or Ethernet. It is typically used in SCADA/OT environments and uses port 502, not 1883.
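An added detection example, not from the original page, that applies the port facts above to constructed flow records: it flags MQTT flows (TCP 1883 or 8883) leaving an IoT segment for any broker not on an allowlist and totals the bytes per source/destination pair. The IoT segment 10.20.0.0/24 and the approved broker 10.20.0.5 are assumptions.

```python
"""Flag MQTT flows from the IoT segment to non-approved brokers (added example).

Assumptions (not from the original page): the IoT VLAN is 10.20.0.0/24 and
the only approved broker is 10.20.0.5; the flow records are constructed.
"""
import ipaddress
from collections import defaultdict

# MQTT ports from the question: 1883 plaintext, 8883 over TLS.
MQTT_PORTS = {1883: "mqtt (plaintext)", 8883: "mqtt over TLS"}
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")       # assumed IoT VLAN
ALLOWED_BROKERS = {ipaddress.ip_address("10.20.0.5")}    # assumed on-prem broker

# Constructed flow records: timestamp src dst proto dport bytes
SAMPLE_FLOWS = """\
2025-03-01T09:00:01Z 10.20.0.17 10.20.0.5 tcp 1883 420
2025-03-01T09:00:06Z 10.20.0.17 10.20.0.5 tcp 1883 395
2025-03-01T09:01:10Z 10.20.0.17 203.0.113.44 tcp 1883 51200
2025-03-01T09:01:15Z 10.20.0.17 203.0.113.44 tcp 1883 49800
2025-03-01T09:02:00Z 10.20.0.9 10.20.0.5 tcp 8883 310
2025-03-01T09:02:30Z 10.20.0.17 203.0.113.44 tcp 1883 50100
2025-03-01T09:03:00Z 10.0.1.40 198.51.100.7 tcp 443 1500
"""


def parse_flow(line):
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def find_rogue_mqtt(flow_text):
    """Summarise MQTT flows that leave the IoT segment for an unapproved broker.

    Returns {(src, dst): {"flows", "bytes", "service"}}. The byte total is
    what an analyst looks at first: telemetry to a legitimate broker is
    small and steady, while exfiltration tends to be bulky.
    """
    agg = defaultdict(lambda: {"flows": 0, "bytes": 0, "service": None})
    for line in flow_text.splitlines():
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] not in MQTT_PORTS:
            continue                      # not MQTT at all
        if f["src"] not in IOT_SEGMENT or f["dst"] in ALLOWED_BROKERS:
            continue                      # approved broker or non-IoT source
        key = (str(f["src"]), str(f["dst"]))
        agg[key]["flows"] += 1
        agg[key]["bytes"] += f["bytes"]
        agg[key]["service"] = MQTT_PORTS[f["dport"]]
    return dict(agg)


if __name__ == "__main__":
    for (src, dst), s in find_rogue_mqtt(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {s['flows']} flows, {s['bytes']} bytes, "
              f"{s['service']}")
```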
Question 6
You are performing a vulnerability assessment on a web application and discover that the input field for “User Comments” does not sanitize input. You successfully inject the following script: <script>alert(document.cookie)</script>. What type of attack have you demonstrated?
A) Reflected Cross-Site Scripting (XSS)
B) Stored Cross-Site Scripting (XSS)
C) DOM-based Cross-Site Scripting (XSS)
D) SQL Injection (SQLi)
Correct Answer: B
Explanation:
The correct answer is B. Stored Cross-Site Scripting (Persistent XSS) occurs when the malicious script injected by the attacker is permanently stored on the target server, such as in a database, forum post, or comment field. When other users view the comment, the script executes in their browser. Since the question specifies a “User Comments” field where the input remains for others to see, it is Stored XSS.
Why A is incorrect: Reflected XSS occurs when the malicious script is reflected off the web server, such as in an error message or search result, and is executed immediately. It is not stored on the server itself and usually requires a social engineering link.
Why C is incorrect: DOM-based XSS occurs entirely on the client side (in the browser) where the JavaScript modifies the Document Object Model environment. The payload is not sent to the server in the same way as stored or reflected attacks.
Why D is incorrect: SQL Injection targets the backend database by manipulating SQL queries. While the input validation failure is similar, the payload <script> is specific to JavaScript execution in a browser, not database manipulation.
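Added example, not code from the original page: a minimal comment page rendered twice with the payload quoted in the question, once with the raw stored text interpolated into HTML (the bug) and once with output encoding applied at render time (the fix). The CommentStore class stands in for the database.

```python
"""Stored XSS: vulnerable comment rendering beside its hardened form (added example).

CommentStore stands in for the database; the payload is the one quoted in
the question. Nothing here is from the original page's code.
"""
import html


class CommentStore:
    """Minimal in-memory stand-in for the comments table."""

    def __init__(self):
        self.comments = []

    def add(self, user, text):
        # The app stores raw input. Storing it is not the bug; rendering it
        # unescaped later is, and it hits every visitor, not just the poster.
        self.comments.append((user, text))


def render_vulnerable(store):
    """Interpolates stored text straight into HTML, so a persisted
    <script> tag runs in the browser of every later visitor."""
    return "\n".join(f"<p><b>{user}</b>: {text}</p>"
                     for user, text in store.comments)


def render_hardened(store):
    """Applies HTML output encoding at render time: the same bytes are
    stored, but the browser sees &lt;script&gt; as inert text.
    (Marking session cookies HttpOnly additionally keeps document.cookie
    out of reach of any script that does slip through.)"""
    return "\n".join(f"<p><b>{html.escape(user)}</b>: {html.escape(text)}</p>"
                     for user, text in store.comments)


def contains_live_script(page):
    """Crude check used here only to contrast the two renderers."""
    return "<script" in page.lower()


PAYLOAD = "<script>alert(document.cookie)</script>"   # payload from the question


def demo():
    store = CommentStore()
    store.add("alice", "Great article!")
    store.add("attacker", PAYLOAD)      # stored once, served to everyone
    return render_vulnerable(store), render_hardened(store)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print(vulnerable)
    print(hardened)
```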
Question 7
Which of the following cloud computing security responsibilities falls solely on the customer in an Infrastructure as a Service (IaaS) model?
A) Physical security of the data center
B) Patching the hypervisor
C) Patching the guest operating system
D) Maintaining the host network infrastructure
Correct Answer: C
Explanation:
The correct answer is C. In the Shared Responsibility Model for IaaS (Infrastructure as a Service), the cloud provider manages the physical hardware, network infrastructure, and the virtualization layer (hypervisor). The customer is responsible for everything they run on top of that infrastructure. This includes the guest operating system, applications, data, and applying security patches to that OS.
Why A is incorrect: Physical security of the data center is always the responsibility of the cloud provider (e.g., AWS, Azure, Google Cloud) in an IaaS model.
Why B is incorrect: The hypervisor is the underlying software that creates and runs virtual machines. It is managed and patched by the cloud provider.
Why D is incorrect: The physical networking equipment and the core network infrastructure are the responsibility of the cloud provider. The customer manages their own virtual network configuration (VPCs, Security Groups) but not the host infrastructure.
Question 8
A hacker wants to crack a WPA2-encrypted wireless network. They have captured the 4-way handshake. Which tool would be most effective for performing a dictionary attack against this captured handshake to recover the pre-shared key?
A) Kismet
B) Aircrack-ng
C) Wireshark
D) NetStumbler
Correct Answer: B
Explanation:
The correct answer is B. Aircrack-ng is a comprehensive suite of tools to assess WiFi network security. Specifically, the aircrack-ng binary is designed to crack WEP and WPA-PSK keys once enough data packets (for WEP) or the 4-way handshake (for WPA2) have been captured. It uses wordlists to perform dictionary attacks against the handshake.
Why A is incorrect: Kismet is a wireless network detector, sniffer, and intrusion detection system. While it can capture the handshake, its primary function is discovery and monitoring, not offline cracking of keys.
Why C is incorrect: Wireshark is a network protocol analyzer. It can capture and analyze packets, and even decrypt traffic if the key is known, but it does not have built-in functionality to perform brute-force or dictionary attacks to recover an unknown WPA2 key.
Why D is incorrect: NetStumbler is an outdated Windows tool used for finding open wireless access points (wardriving). It does not support packet injection or key cracking and is largely ineffective against modern WPA2 networks.
Question 9
To maintain persistence on a compromised Linux server, an attacker creates a cron job that establishes a reverse shell back to their machine every hour. This activity corresponds to which phase of the ethical hacking methodology?
A) Scanning and Enumeration
B) Gaining Access
C) Maintaining Access
D) Covering Tracks
Correct Answer: C
Explanation:
The correct answer is C. Maintaining Access is the phase where the attacker tries to retain their ownership of the system. Creating a cron job (a scheduled task in Linux) ensures that even if the current connection is severed or the computer is rebooted, the malicious connection (reverse shell) will re-establish itself automatically. This persistence is the defining characteristic of this phase.
Why A is incorrect: Scanning and Enumeration is the pre-attack phase involved in identifying live hosts, ports, and services. It happens before access is gained.
Why B is incorrect: Gaining Access is the phase where the attacker actively exploits a vulnerability to break into the system. Once the shell is established initially, the phase shifts to maintaining that access.
Why D is incorrect: Covering Tracks involves hiding evidence of the compromise, such as deleting logs or modifying timestamps. Creating a cron job actually creates more evidence (a file modification), so it is not a covering tracks activity.
Question 10
An organization has implemented a strict password policy. To bypass this, an attacker uses a tool to try a single common password (e.g., “Summer2025!”) against every user account in the Active Directory. This technique is designed to avoid account lockouts. What is this attack called?
A) Rainbow Table Attack
B) Brute Force Attack
C) Password Spraying
D) Dictionary Attack
Correct Answer: C
Explanation:
The correct answer is C. Password Spraying is a specific type of brute force attack where the attacker tests a single password against many accounts before moving on to a second password. This is done to avoid account lockout policies, which are typically triggered when multiple failed attempts are made against a single account in a short period. By “spraying” one password across all users, the attacker resets the lockout counter for each user.
Why A is incorrect: A Rainbow Table Attack uses pre-computed tables of hash chains to reverse cryptographic hash functions. It is an offline attack against a stolen hash database, not an online attack against an active directory login prompt.
Why B is incorrect: A traditional Brute Force Attack tries every possible combination of characters against a single account. This would almost certainly trigger the account lockout threshold immediately.
Why D is incorrect: A Dictionary Attack uses a predefined list of words to guess the password for a specific account. Like standard brute force, targeting a single account with a dictionary is likely to lock that account out.
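Added example, not from the original page: detection logic that separates a spray (many accounts, one or two failures each, lockout never reached) from a single-account brute force, run over constructed authentication events. The lockout threshold of 5, the spray threshold of 10 accounts and the 30-minute window are assumed values.

```python
"""Password-spraying detection over authentication events (added example).

Assumptions (not from the original page): the lockout policy allows 5
failures per account, and 10+ distinct accounts failing from one source
inside 30 minutes is treated as a spray. The events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5              # assumed domain policy
SPRAY_MIN_ACCOUNTS = 10            # assumed detection threshold
WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(r"^(\S+ \S+) user=(\S+) src=(\S+) result=(\S+)$")

# Constructed events: one failure per account from a single external source
# (a spray), plus one internal user failing repeatedly against one account.
SAMPLE_EVENTS = [
    f"2025-03-01 08:{i:02d}:00 user=user{i:02d} src=198.51.100.9 result=FAIL"
    for i in range(12)
] + [
    f"2025-03-01 08:05:{s:02d} user=bob src=10.0.0.12 result=FAIL"
    for s in (0, 10, 20, 30, 40)
] + ["2025-03-01 08:06:00 user=bob src=10.0.0.12 result=OK"]


def parse_event(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_spraying(lines):
    """Return {src: summary} for sources whose failures spread across many
    accounts in one window while staying under the per-account lockout.

    A spray looks like many accounts x few failures each; a classic brute
    force looks like one account x many failures and trips lockout instead,
    which is exactly why per-account lockout alone does not catch a spray.
    """
    failures = defaultdict(list)
    for line in lines:
        ts, user, src, result = parse_event(line)
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):     # sliding window
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start <= WINDOW:
                    per_user[user] += 1
            if len(per_user) >= SPRAY_MIN_ACCOUNTS:
                worst = max(per_user.values())
                alerts[src] = {
                    "window_start": start,
                    "accounts": len(per_user),
                    "max_failures_per_account": worst,
                    "under_lockout": worst < LOCKOUT_THRESHOLD,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, a in detect_spraying(SAMPLE_EVENTS).items():
        print(f"{src}: {a['accounts']} accounts from {a['window_start']}, "
              f"max {a['max_failures_per_account']} failure(s) per account")
```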
Question 11
A security consultant is using the Google search operator filetype:xls site:example.com “username” “password” to find sensitive documents exposed on a client’s public web server. What is this reconnaissance technique known as?
A) Google Dorking
B) Website Mirroring
C) Whois Lookup
D) DNS Interrogation
Correct Answer: A
Explanation:
The correct answer is A. Google Dorking (or Google Hacking) involves using advanced search operators to find information that is not readily available through simple searches. In this scenario, the operator filetype:xls restricts results to Excel files, site:example.com restricts the search to the target domain, and the keywords look for credentials. This is a classic method for discovering sensitive data leaks during the reconnaissance phase.
Why B is incorrect: Website Mirroring involves downloading a complete local copy of a website for offline analysis. It does not use search engine operators to filter specific file types exposed on the live web.
Why C is incorrect: Whois Lookup is a protocol used to query databases that store the registered users or assignees of an Internet resource, such as a domain name or an IP address block. It does not search for file contents on the web server.
Why D is incorrect: DNS Interrogation involves querying the Domain Name System servers to find information about the domain’s infrastructure, such as mail servers or subdomains, not specific files or credentials exposed on the website.
Question 12
Which of the following tools is specifically designed to exploit the “Human” element of security by automating the creation of fake login pages and mass-mailing phishing campaigns?
A) Maltego
B) Social-Engineer Toolkit (SET)
C) Burp Suite
D) Nessus
Correct Answer: B
Explanation:
The correct answer is B. The Social-Engineer Toolkit (SET) is an open-source penetration testing framework designed for social engineering. It allows testers to automate attacks such as creating phishing websites that clone legitimate login pages, sending mass emails (Spear-Phishing Attack Vectors), and creating malicious media payloads.
Why A is incorrect: Maltego is a data mining tool used for Open Source Intelligence (OSINT) and forensics. It visualizes relationships between people, groups, and websites but does not directly automate the creation of phishing pages or campaigns.
Why C is incorrect: Burp Suite is a web vulnerability scanner and proxy tool used for testing web application security. While it can be used to modify traffic, it is not a social engineering framework.
Why D is incorrect: Nessus is a vulnerability scanner used to detect security flaws in software and networks. It identifies missing patches and misconfigurations, not human vulnerabilities.
Question 13
In the context of CEH v13, which term describes the use of Artificial Intelligence to analyze large datasets of code to identify potential zero-day vulnerabilities before they are discovered by human researchers?
A) Fuzzing
B) AI-Augmented Static Application Security Testing (SAST)
C) Dynamic Application Security Testing (DAST)
D) Reverse Engineering
Correct Answer: B
Explanation:
The correct answer is B. AI-Augmented Static Application Security Testing (SAST) involves using machine learning models to scan source code (static analysis) for security flaws. AI enhances traditional SAST by understanding context, reducing false positives, and identifying complex logic errors that might lead to zero-day vulnerabilities, which traditional pattern-matching tools might miss.
Why A is incorrect: Fuzzing is a dynamic testing technique that involves inputting massive amounts of random data (fuzz) to the system to make it crash. While AI can enhance fuzzing, the description of “analyzing datasets of code” points to static analysis.
Why C is incorrect: DAST involves testing the application while it is running. It interacts with the application from the outside, like a hacker would, rather than analyzing the source code directly.
Why D is incorrect: Reverse Engineering involves deconstructing software to understand its architecture. While it can be used to find vulnerabilities, the automated analysis of large code datasets is the primary function of SAST tools.
Question 14
A penetration tester has discovered a vulnerability in a corporate web server. To evade the signature-based Network Intrusion Detection System (NIDS), the tester fragments the malicious packets so that the NIDS cannot reassemble and inspect the payload, while the destination server can. What is this evasion technique called?
A) IP Address Spoofing
B) Session Splicing
C) Source Routing
D) Decoy Scanning
Correct Answer: B
Explanation:
The correct answer is B. Session Splicing (or IP Fragmentation) is an IDS evasion technique where the attacker splits the attack payload into small packets. If the IDS does not reassemble the stream or has a short timeout for reassembly, it will not recognize the attack signature across the multiple fragments. The target host, however, will reassemble the packets and execute the malicious payload.
Why A is incorrect: IP Address Spoofing involves changing the source IP address of a packet to impersonate another system. It hides the attacker’s identity but does not hide the malicious payload content from the NIDS.
Why C is incorrect: Source Routing is a technique where the sender specifies the route a packet should take through the network. While it can be used to bypass certain network controls, it is not primarily defined by fragmenting packets to hide signatures.
Why D is incorrect: Decoy Scanning involves sending packets from multiple spoofed IP addresses (decoys) along with the real attack traffic. This confuses the network defender about which IP is the true attacker, but it doesn’t hide the attack signature itself from the IDS.
Question 15
Which component of the CIA triad is primarily compromised during a Denial of Service (DoS) attack?
A) Confidentiality
B) Integrity
C) Availability
D) Authenticity
Correct Answer: C
Explanation:
The correct answer is C. The primary goal of a Denial of Service (DoS) attack is to disrupt the services of a host or network, making it inaccessible to legitimate users. This directly impacts Availability, which ensures that systems and data are accessible when needed.
Why A is incorrect: Confidentiality ensures that information is not disclosed to unauthorized individuals. A DoS attack typically does not involve stealing or viewing data, only blocking access to it.
Why B is incorrect: Integrity ensures that data is not altered or tampered with. While a DoS attack stops the flow of data, it usually does not involve modifying the data at rest or in transit.
Why D is incorrect: Authenticity verifies the identity of a user or system. While DoS attacks might use spoofed IPs (faking authenticity), the victim’s loss is the availability of their service, not the validity of their credentials.
Question 16
An attacker exploits a vulnerability in the BGP (Border Gateway Protocol) to redirect traffic meant for a cryptocurrency exchange through a server they control. This allows them to intercept the traffic before forwarding it to the legitimate destination. What type of attack is this?
A) DNS Poisoning
B) BGP Hijacking
C) ARP Spoofing
D) DHCP Starvation
Correct Answer: B
Explanation:
The correct answer is B. BGP Hijacking occurs when an attacker maliciously advertises IP prefixes that they do not own via the Border Gateway Protocol. This alters the routing tables of the internet, causing traffic destined for a legitimate network (like a crypto exchange) to be routed through the attacker’s network. This is a high-level infrastructure attack often used for espionage or theft.
Why A is incorrect: DNS Poisoning corrupts the cache of a DNS resolver to point a domain name to a wrong IP address. While it redirects traffic, it happens at the application/naming layer, not the core routing protocol layer (BGP).
Why C is incorrect: ARP Spoofing occurs on a local area network (LAN) by associating the attacker’s MAC address with the IP address of the gateway or target. It cannot redirect traffic across the global internet like BGP hijacking can.
Why D is incorrect: DHCP Starvation is a DoS attack where an attacker requests all available IP addresses from a DHCP server, preventing legitimate new devices from connecting to the network.
Question 17
A security administrator is reviewing logs and notices a series of “404 Not Found” errors followed by a “200 OK” response for a URL containing ../../windows/system32/cmd.exe. What type of vulnerability has likely been successfully exploited?
A) Directory Traversal
B) Cross-Site Request Forgery (CSRF)
C) SQL Injection
D) Buffer Overflow
Correct Answer: A
Explanation:
The correct answer is A. The character sequence ../ is used to navigate up one directory level in a file system. This is the hallmark of a Directory Traversal (or Path Traversal) attack. The attacker is attempting to escape the web root directory to access system files like cmd.exe. The “200 OK” response indicates that the server successfully found and served the requested file, meaning the exploitation was successful.
Why B is incorrect: CSRF involves tricking a user into performing an unwanted action on a web application where they are authenticated. It does not involve manipulating file paths in the URL to access system files.
Why C is incorrect: SQL Injection involves inserting SQL code into inputs to manipulate the database. It would typically involve characters like ' OR 1=1 --, not file path navigation like ../.
Why D is incorrect: A Buffer Overflow involves sending more data than a buffer can handle to crash the program or execute arbitrary code. It does not typically manifest as a directory navigation string in a URL log.
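Added example, not from the original page, applying the log pattern above to constructed access-log lines: it decodes each requested path (including percent-encoded and backslash variants), flags any '..' segment, and marks attempts that received a 2xx response. The log format, timestamps and IP addresses are constructed.

```python
"""Directory-traversal detection over web server access logs (added example).

The log lines are constructed in Apache/nginx combined format and reuse the
cmd.exe path from the question; nothing here comes from the original page.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# Constructed sample: two probes that miss (404), one that is served (200),
# a percent-encoded backslash variant (403), and a normal request.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2025:10:00:01 +0000] "GET /../windows/system32/cmd.exe HTTP/1.1" 404 196',
    '203.0.113.7 - - [01/Mar/2025:10:00:03 +0000] "GET /../../windows/system32/cmd.exe HTTP/1.1" 404 196',
    '203.0.113.7 - - [01/Mar/2025:10:00:05 +0000] "GET /images/../../../windows/system32/cmd.exe HTTP/1.1" 200 9812',
    '203.0.113.7 - - [01/Mar/2025:10:00:09 +0000] "GET /images/%2e%2e%5c%2e%2e%5cwindows/system32/cmd.exe HTTP/1.1" 403 199',
    '10.0.0.3 - - [01/Mar/2025:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 5120',
]


def decode_path(raw, rounds=3):
    """Percent-decode until stable (catches %2e%2e and double encoding) and
    map backslashes to slashes so ..\\ variants are normalised as well."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path):
    """True when any path segment is '..' after decoding."""
    return ".." in decode_path(raw_path).split("/")


def scan_log(lines):
    """Group traversal attempts by source and mark those the server served
    with a 2xx status, the pattern the question describes as a successful hit."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # skip malformed lines
        src, ts, _method, path, status = m.groups()
        if is_traversal(path):
            hits[src].append({"ts": ts, "path": path,
                              "status": int(status),
                              "served": status.startswith("2")})
    return dict(hits)


if __name__ == "__main__":
    for src, attempts in scan_log(SAMPLE_LOG).items():
        served = sum(a["served"] for a in attempts)
        print(f"{src}: {len(attempts)} traversal attempts, {served} served")
```

A 404 followed by a 200 for the same client, as in the question, is the sequence to alert on; a 403 on the encoded variant shows the server's own filter catching what the plain check would otherwise miss.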
Question 18
Which cryptographic concept ensures that a sender cannot deny having sent a message, typically achieved using digital signatures?
A) Encryption
B) Non-repudiation
C) Hashing
D) Obfuscation
Correct Answer: B
Explanation:
The correct answer is B. Non-repudiation is the security service that provides proof of the origin of data and the integrity of the data. It prevents the sender from denying that they sent the message. This is technically achieved through public key cryptography (digital signatures), where a message signed with the sender’s private key can only have come from that sender.
Why A is incorrect: Encryption is designed to provide confidentiality (hiding the data) but does not inherently prove who sent it, especially in symmetric key systems.
Why C is incorrect: Hashing provides integrity (proving the data hasn’t changed) but does not prove the identity of the sender.
Why D is incorrect: Obfuscation involves making code or data difficult for humans to understand. It provides no cryptographic guarantee of identity or origin.
Question 19
An ethical hacker is assessing a Kubernetes cluster. They discover that the etcd service is exposed to the internet without authentication. What is the critical risk associated with this misconfiguration?
A) The attacker can consume all CPU resources on the nodes.
B) The attacker can gain full control over the cluster secrets and configuration.
C) The attacker can only view the logs of the running pods.
D) The attacker can spoof the IP address of the API server.
Correct Answer: B
Explanation:
The correct answer is B. In Kubernetes, etcd is the key-value store that holds all cluster data, including configuration details and, crucially, “secrets” (API keys, passwords, certificates). If etcd is exposed without authentication, an attacker can read these secrets or write new configurations to the cluster, effectively granting them full administrative control (root access) over the entire Kubernetes environment.
Why A is incorrect: While an attacker with control could launch workloads to consume CPU, the primary and most critical risk is the total loss of control over the cluster’s data and secrets, not just resource exhaustion.
Why C is incorrect: etcd contains far more than just logs. It contains the state of the entire cluster. Accessing it gives read/write access to the state, not just passive log viewing.
Why D is incorrect: Spoofing an IP address is a network-layer attack. While compromised cluster control might facilitate further attacks, the direct risk of exposed etcd is data theft and configuration manipulation, not IP spoofing.
Question 20
A mobile security analyst is reverse engineering an Android application. They find a hardcoded API key within the strings.xml file. This discovery falls under which category of the OWASP Mobile Top 10?
A) M1: Improper Credential Usage
B) M2: Inadequate Supply Chain Security
C) M5: Insecure Communication
D) M9: Insecure Data Storage
Correct Answer: A
Explanation:
The correct answer is A. According to the updated OWASP Mobile Top 10 (2024/2016 mappings), hardcoding credentials like API keys, passwords, or tokens directly into the application’s code or resource files (like strings.xml) constitutes “Improper Credential Usage” (formerly often categorized under Insecure Data Storage or Hardcoded Secrets). This practice allows any attacker who decompiles the app to easily retrieve the keys.
Why B is incorrect: Inadequate Supply Chain Security focuses on vulnerabilities introduced through third-party libraries or the build process, not the developer’s error of hardcoding their own keys.
Why C is incorrect: Insecure Communication refers to failing to use SSL/TLS or validating certificates during network transmission. It does not cover static secrets stored in the app binary.
Why D is incorrect: While technically “storing” data insecurely, hardcoded keys are specifically a credential management failure. “Insecure Data Storage” typically refers to how the app stores user data (like SQL databases or Shared Preferences) on the device file system.
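Added example, not from the original page or from OWASP: a small scanner over a constructed strings.xml that flags <string> resources whose name or value looks like a credential and redacts the value when reporting. The name patterns and the 20-character length heuristic are assumptions.

```python
"""Scan an Android strings.xml for hardcoded credentials (added example).

The resource file is constructed; the name patterns and the length heuristic
are assumptions, not an OWASP or Android rule. Not from the original page.
"""
import re
import xml.etree.ElementTree as ET

# Constructed strings.xml with two planted secrets (obvious placeholders).
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Thermo Companion</string>
    <string name="welcome_text">Welcome back</string>
    <string name="backend_api_key">EXAMPLE-API-KEY-0000000000</string>
    <string name="payment_token">EXAMPLE_TOKEN_1234567890abcdef</string>
    <string name="support_url">https://support.example.com</string>
</resources>
"""

# Resource names that usually hold a credential (assumed pattern list).
SUSPICIOUS_NAME = re.compile(
    r"(api[_-]?key|secret|token|passw(or)?d|private[_-]?key)", re.I)
# Long opaque values with no spaces or punctuation: typical of keys/tokens.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")


def find_hardcoded_secrets(xml_text):
    """Return [{name, value, reasons}] for <string> resources that look like
    credentials. A build-time secret in resources ships to every install,
    so the remediation is to fetch short-lived tokens from a backend the app
    authenticates to, not to hide the key better inside the APK."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("string"):
        name = el.get("name", "")
        value = (el.text or "").strip()
        reasons = []
        if SUSPICIOUS_NAME.search(name):
            reasons.append("resource name suggests a credential")
        if OPAQUE_VALUE.match(value):
            reasons.append("long opaque value")
        if reasons:
            findings.append({"name": name, "value": value, "reasons": reasons})
    return findings


def redact(value, keep=4):
    """Show only a prefix when reporting, so the scanner's own output does
    not become another copy of the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_STRINGS_XML):
        print(f"{f['name']}: {redact(f['value'])} ({'; '.join(f['reasons'])})")
```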