Free Practice Questions for ECCouncil 312-50v13 Exam

DNS uses Ports 53 which is almost always open on systems, firewalls, and clients to transmit DNS queries. instead of the more familiar Transmission Control Protocol (TCP) these queries use User Datagram Protocol (UDP) due to its low-latency, bandwidth and resource usage compared TCP-equivalent queries. UDP has no error or flow-control capabilities, nor does it have any integrity checking to make sure the info arrived intact.

How is internet use (browsing, apps, chat etc) so reliable then? If the UDP DNS query fails (it’s a best-effort protocol after all) within the first instance, most systems will retry variety of times and only after multiple failures, potentially switch to TCP before trying again; TCP is additionally used if the DNS query exceeds the restrictions of the UDP datagram size – typically 512 bytes for DNS but can depend upon system settings.

Figure 1 below illustrates the essential process of how DNS operates: the client sends a question string (for example, mail.google[.]com during this case) with a particular type – typically A for a number address. I’ve skipped the part whereby intermediate DNS systems may need to establish where ‘.com’ exists, before checking out where ‘google[.]com’ are often found, and so on.

Many worms and scanners are created to seek out and exploit systems running telnet. Given these facts, it’s really no surprise that telnet is usually seen on the highest Ten Target Ports list. Several of the vulnerabilities of telnet are fixed. They require only an upgrade to the foremost current version of the telnet Daemon or OS upgrade. As is usually the case, this upgrade has not been performed on variety of devices. this might flow from to the very fact that a lot of systems administrators and users don’t fully understand the risks involved using telnet. Unfortunately, the sole solution for a few of telnets vulnerabilities is to completely discontinue its use. the well-liked method of mitigating all of telnets vulnerabilities is replacing it with alternate protocols like ssh. Ssh is capable of providing many of an equivalent functions as telnet and a number of other additional services typical handled by other protocols like FTP and Xwindows. Ssh does still have several drawbacks to beat before it can completely replace telnet. it’s typically only supported on newer equipment. It requires processor and memory resources to perform the info encryption and decryption. It also requires greater bandwidth than telnet thanks to the encryption of the info . This paper was written to assist clarify how dangerous the utilization of telnet are often and to supply solutions to alleviate the main known threats so as to enhance the general security of the web

Once a reputation is resolved to an IP caching also helps: the resolved name-to-IP is usually cached on the local system (and possibly on intermediate DNS servers) for a period of your time . Subsequent queries for an equivalent name from an equivalent client then don’t leave the local system until said cache expires. Of course, once the IP address of the remote service is understood , applications can use that information to enable other TCP-based protocols, like HTTP, to try to to their actual work, for instance ensuring internet cat GIFs are often reliably shared together with your colleagues.

So, beat all, a couple of dozen extra UDP DNS queries from an organization’s network would be fairly inconspicuous and will leave a malicious payload to beacon bent an adversary; commands could even be received to the requesting application for processing with little difficulty.

The described method is a classic example of a Side-Channel Attack, specifically a Timing Attack.

Key characteristics:

It exploits variations in response time from a system to infer sensitive information, such as the correct number of characters in a password.

In this scenario, if a correct character causes a longer processing time, the attacker can deduce the correct sequence iteratively.

According to CEH v13:

Side-channel attacks do not directly break encryption but rely on observing system behavior like timing, power consumption, or electromagnetic leaks.

These attacks are effective against poorly implemented authentication mechanisms or embedded systems like ICS/SCADA.

Incorrect Options:

B. Denial-of-service is aimed at making systems unavailable, not extracting credentials.

C. HMI-based attacks involve manipulating the human-machine interface of ICS systems.

D. Buffer overflow exploits memory handling flaws, not timing behavior.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Cryptanalysis and Side-Channel Attacks”

Subsection: “Timing Attacks and Password Recovery”

In the Windows security model, SID ending in -500 is reserved for the built-in Administrator account. The SID seen in the image:

S-1-5-21-343818398-789336058-1343024091-500 → maps to user Joe

This proves that Joe is the true built-in administrator account on the domain EARTH.

From CEH v13 Courseware:

Module 4: Enumeration

Topic: SID Enumeration and Account Discovery

CEH v13 Study Guide states:

“In Windows, the account with RID 500 is always the default Administrator account. Even if renamed, its SID remains ending in -500. Enumeration of this SID allows attackers to identify privileged accounts.”

Incorrect Options:

A: Incomplete — it is not just that Joe has SID 500, but that SID 500 means Joe is the administrator.

B/C: These commands don’t validate Guest account status.

E: Incorrect — these commands explicitly prove administrator identity.

A macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application (e.g., word processors and spreadsheet applications). Some applications, such as Microsoft Office, allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. (Wikipedia)

NB: The virus Melissa is a well-known macro virus we could find attached to word documents.

https://en.wikipedia.org/wiki/Residual_risk

The residual risk is the risk or danger of an action or an event, a method or a (technical) process that, although being abreast with science, still conceives these dangers, even if all theoretically possible safety measures would be applied (scientifically conceivable measures); in other words, the amount of risk left over after natural or inherent risks have been reduced by risk controls.

· Residual risk = (Inherent risk) – (impact of risk controls)

Bob wants Alice to verify that the message hasn’t been tampered with. This is a use case for ensuring data integrity and authenticity. The process described matches the creation of a digital signature:

Bob computes a checksum (typically a cryptographic hash) of the message.

Then, he encrypts this checksum (hash) using his own private key.

Alice receives the message and decrypts the checksum using Bob’s public key.

If the decrypted checksum matches the hash she computes from the received message, she confirms the message’s integrity and authenticity.

This is a fundamental principle of digital signatures.

Incorrect Options:

A. Alice's private key is never used by others; it's confidential.

B. Encrypting with Alice’s public key ensures confidentiality, not authenticity.

D. Bob’s public key is used by the receiver to verify authenticity, not for encryption in this context.

Reference – CEH v13 Official Courseware:

Module 20: Cryptography

Section: “Digital Signatures”

Subsection: “Using Private Keys to Sign and Public Keys to Verify”

CEH Engage Lab: Email Signing and Verification

===========

Ettercap is a comprehensive MITM attack tool that supports live traffic interception and content injection. It can modify HTTP streams in real time and inject malicious payloads, such as JavaScript or applets, into web traffic.

Reference – CEH v13 Official Study Guide:

Module 8: Sniffing

Quote:

“Ettercap allows attackers to intercept, analyze, and alter data on the fly, including injecting malicious content like Java applets in HTTP sessions during MITM attacks.”

Incorrect Options Explained:

A & D. Wireshark and Tcpdump are passive sniffers with no injection capability.

C. Aircrack-ng is for Wi-Fi key cracking, not traffic manipulation.

===========

Comprehensive and Detailed Explanation:

The code shown in the image is indicative of a Cross-Site Scripting (XSS) attack, where malicious JavaScript is injected into a web page via user input. In this case, the attacker includes:

%3Cscript%20src=...%3E — URL-encoded JavaScript tag to load a malicious script from an external source.

If the web application echoes this input back without sanitization, the script will execute in the context of the victim’s browser.

This allows the attacker to:

Steal cookies/session tokens

Perform actions on behalf of the victim

Redirect the victim to malicious websites

From CEH v13 Courseware:

Module 10: Web Application Hacking → Cross-Site Scripting (XSS)

PHI stands for Protected Health info. The HIPAA Privacy Rule provides federal protections for private health info held by lined entities and provides patients an array of rights with regard to that info. under HIPAA phi is considered to be any identifiable health info that’s used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a aid clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the availability of aid or payment for aid services.

It is not only past and current medical info that’s considered letter under HIPAA Rules, however also future info concerning medical conditions or physical and mental health related to the provision of care or payment for care. phi is health info in any kind, together with physical records, electronic records, or spoken info.

Therefore, letter includes health records, medical histories, lab check results, and medical bills. basically, all health info is considered letter once it includes individual identifiers. Demographic info is additionally thought of phi underneath HIPAA Rules, as square measure several common identifiers like patient names, Social Security numbers, Driver’s license numbers, insurance details, and birth dates, once they square measure connected with health info.

The eighteen identifiers that create health info letter are:

Names

Dates, except year

phonephone numbers

Geographic information

FAX numbers

Social Security numbers

Email addresses

case history numbers

Account numbers

Health arrange beneficiary numbers

Certificate/license numbers

Vehicle identifiers and serial numbers together with license plates

Web URLs

Device identifiers and serial numbers

net protocol addresses

Full face photos and comparable pictures

Biometric identifiers (i.e. retinal scan, fingerprints)

Any distinctive identifying variety or code

One or a lot of of those identifiers turns health info into letter, and phi HIPAA Privacy Rule restrictions can then apply that limit uses and disclosures of the data. HIPAA lined entities and their business associates will ought to guarantee applicable technical, physical, and body safeguards are enforced to make sure the confidentiality, integrity, and availability of phi as stipulated within the HIPAA Security Rule.

Docker uses a client-server design. The docker client talks to the docker daemon, that will the work of building, running, and distributing your docker containers. The docker client and daemon will run on the same system, otherwise you will connect a docker consumer to a remote docker daemon. The docker consumer and daemon communicate using a REST API, over OS sockets or a network interface.

The docker daemon (dockerd) listens for docker API requests and manages docker objects like pictures, containers, networks, and volumes. A daemon may communicate with other daemons to manage docker services.

Footprinting techniques are used to collect basic information about the target IoT and OT platforms to exploit them. Information collected through footprinting techniques ncludes IP address, hostname, ISP, device location, banner of the target IoT device, FCC ID information, certification granted to the device, etc. pg. 5052 ECHv11 manual

https://en.wikipedia.org/wiki/FCC_mark

An FCC ID is a unique identifier assigned to a device registered with the United States Federal Communications Commission. For legal sale of wireless deices in the US, manufacturers must:

· Have the device evaluated by an independent lab to ensure it conforms to FCC standards

· Provide documentation to the FCC of the lab results

· Provide User Manuals, Documentation, and Photos relating to the device

· Digitally or physically label the device with the unique identifier provided by the FCC (upon approved application)

The FCC gets its authourity from Title 47 of the Code of Federal Regulations (47 CFR). FCC IDs are required for all wireless emitting devices sold in the USA. By searching an FCC ID, you can find details on the wireless operating frequency (including strength), photos of the device, user manuals for the device, and SAR reports on the wireless emissions

ARIN (American Registry for Internet Numbers) is a Regional Internet Registry (RIR) that provides information about IP address allocations and autonomous systems in North America. It’s used for WHOIS lookups and footprinting in reconnaissance.

https://www.infocyte.com/blog/2019/02/16/cybersecurity-101-what-you-need-to-know-about-false-positives-and-false-negatives/

False positives are mislabeled security alerts, indicating there is a threat when in actuality, there isn’t. These false/non-malicious alerts (SIEM events) increase noise for already over-worked security teams and can include software bugs, poorly written software, or unrecognized network traffic.

False negatives are uncaught cyber threats — overlooked by security tooling because they’re dormant, highly sophisticated (i.e. file-less or capable of lateral movement) or the security infrastructure in place lacks the technological ability to detect these attacks.

The scenario describes a situation where a hacker infects an internet-facing server and leverages it to perform malicious activities such as sending spam emails, participating in distributed denial-of-service (DDoS) attacks, or hosting spam content. This behavior is characteristic of a Botnet Trojan.

According to the CEH v13 Official Courseware and Study Guide:

A Botnet Trojan is a type of malware that transforms infected machines into bots (also called zombies), which can be remotely controlled by an attacker (bot herder or bot master).

These bots become part of a botnet — a network of compromised machines used for coordinated cyberattacks including:

Sending unsolicited spam emails (junk mail)

Participating in DDoS attacks

Hosting or distributing malware and phishing content

The infected machine can receive commands from a command-and-control (C&C) server and act in concert with other infected machines to amplify attacks or spread malware.

Incorrect Options:

B. Banking Trojans are designed specifically to steal financial data such as online banking credentials.

C. Turtle Trojans is not a valid classification in CEH v13 or cybersecurity literature (may be a distractor).

D. Ransomware Trojans encrypt data and demand a ransom for decryption, not typically used for junk mail or botnet activities.

Reference – CEH v13 Official Courseware:

Module 06: Malware Threats

Section: “Types of Trojans”

Subsection: “Botnet Trojans”

CEH v13 eBook or Study Guide — usually found under “Trojan Classifications by Payload”

Practical labs in CEH Engage and iLabs also demonstrate botnet functionality using tools like Zeus and Emotet in real-world botnet infection scenarios.

Snort is an open-source Network Intrusion Detection and Prevention System (NIDS/NIPS) capable of real-time traffic analysis and packet logging. It functions as a sniffer and can detect various forms of attacks using signature-based rules.

CEH v13 Reference:

Module 10: Evading IDS, Firewalls, and Honeypots

"Snort can operate as a sniffer, logger, or full NIDS capable of real-time traffic analysis."

━━━━━━━━━━━━━━━━━━━━━━