Free Practice Questions for ECCouncil 312-50v13 Exam

CHNTPW (Change NT Password) is a Linux-based utility that allows attackers or administrators to:

Reset Windows user account passwords

Unlock disabled or locked user accounts

Remove password protection without knowing the original password

It works by editing the Windows SAM (Security Account Manager) file located in the Windows system directory.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Quote:

“CHNTPW is a tool that can reset or change passwords on Windows systems by directly editing the SAM database. It is commonly run from a Linux LiveCD.”

Incorrect Options:

A. John the Ripper is for cracking passwords, not resetting them directly.

B. SET (Social Engineering Toolkit) is for phishing and payloads, not password resets.

D. Cain & Abel is a password recovery tool for Windows but runs on Windows, not Linux.

===========

The given command is used to establish a null session connection with the IPC$ share on a Windows machine. IPC$ (Inter-Process Communication) is a special hidden share used for Windows inter-process communication, and when connected with blank credentials, it allows anonymous access to certain system information — a common step in enumeration.

Command breakdown:

net use \target\ipc$ "" /u:""

→ Initiates a connection using a blank username and password (null session).

From CEH v13 Courseware:

Module 04: Enumeration

Topic: Null Sessions and SMB Enumeration

CEH v13 Study Guide states:

“A null session allows unauthorized users to connect to a Windows machine and extract information like usernames, shares, and policies. Null sessions exploit the default settings of the IPC$ share and are typically initiated using net use commands.”

Incorrect Options:

A/B: Accessing the etc/passwd or SAM directly is not the function of this command.

C: Samba uses SMB, but this is targeting a Windows system.

E: Cisco router enumeration involves SNMP, not Windows IPC$.

https://www.eccouncil.org/what-is-social-engineering/

This Social Engineering scam involves an exchange of information that can benefit both the victim and the trickster. Scammers would make the prey believe that a fair exchange will be present between both sides, but in reality, only the fraudster stands to benefit, leaving the victim hanging on to nothing. An example of a Quid Pro Quo is a scammer pretending to be an IT support technician. The con artist asks for the login credentials of the company’s computer saying that the company is going to receive technical support in return. Once the victim has provided the credentials, the scammer now has control over the company’s computer and may possibly load malware or steal personal information that can be a motive to commit identity theft.

"A quid pro quo attack (aka something for something” attack) is a variant of baiting. Instead of baiting a target with the promise of a good, a quid pro quo attack promises a service or a benefit based on the execution of a specific action." https://resources.infosecinstitute.com/topic/common-social-engineering-attacks/#:~:text=A%20quid%20pro%20quo%20attack,execution%20of%20a%20specific%20action.

MAC flooding is a Layer 2 attack in which an attacker sends a large number of fake MAC addresses to a switch, filling up its CAM (Content Addressable Memory) table. Once the table is full:

The switch enters “fail-open” mode and broadcasts traffic to all ports

The attacker can then sniff sensitive traffic

This attack effectively turns a switch into a hub, facilitating data sniffing.

Incorrect Options:

A. Evil twin is a wireless attack using rogue access points.

B. DNS cache flooding corrupts DNS entries, unrelated to Ethernet.

D. DDoS attacks are about overwhelming systems/services, not Layer 2 memory overflows.

Reference – CEH v13 Official Courseware:

Module 11: Sniffing

Section: “Switch Port Stealing and MAC Flooding”

Subsection: “Layer 2 Attacks and CAM Table Poisoning”

===========

This is a classic example of Web Parameter Tampering. This occurs when attackers manipulate parameters exchanged between client and server to exploit vulnerabilities in the application logic. In this case:

Damount and Camount are passed via URL parameters.

The web application is not validating or sanitizing the values.

Altering the values affects the transaction outcome.

This is not an SQL Injection (no SQL code shown), nor is it XSS (no script injection), and it is unrelated to Cookie Tampering (which involves browser-stored cookies).

In CEH v13 Module 03: Scanning Networks, the behavior of firewalls in response to ACK scans is described in detail, especially regarding stateful vs. stateless firewalls.

An ACK scan (nmap -sA) is primarily used for firewall rule analysis. Here’s how it works:

When you send a TCP ACK segment:

If the port is closed and no firewall is present, the target should respond with a TCP RST packet.

If a stateless (non-stateful) firewall is used, it typically allows or blocks packets based only on rules about IP addresses, ports, and protocol type, without tracking session state.

If a stateful firewall is used, it keeps track of connection states. Therefore:

An unsolicited ACK packet (not part of any established session) will be silently dropped, because it doesn’t correspond to any active connection.

No RST is sent back because the firewall suppresses it, recognizing it as potentially malicious or out of context.

Therefore:

No RST response = packet was silently dropped.

Silent dropping of unsolicited ACK packets = Stateful Firewall Behavior.

Option Analysis:

A. There is no firewall in place

❌ Incorrect. If there were no firewall, an RST would be sent from the closed port.

B. This event does not tell you anything about the firewall

❌ Incorrect. The lack of a response is actually meaningful and implies stateful filtering behavior.

C. It is a stateful firewall

Correct. A stateful firewall inspects the packet, sees no valid session, and drops it silently.

D. It is a non-stateful firewall

❌ Incorrect. A non-stateful firewall would typically not inspect session state, and you'd still expect to see a response (likely an RST).

Reference from CEH v13 Study Guide and Courseware:

Module 03 – Scanning Networks, Section: Nmap Scanning Techniques → TCP ACK Scan

CEH Engage Labs – Network Scanning Phase: Firewall Rule Detection using ACK Scans

In CEH v13 Module 01: Introduction to Ethical Hacking, Gray Hat hackers are described as those who operate between ethical and unethical lines:

Gray Hat Characteristics:

Discover vulnerabilities without permission.

May explore or exploit them without malicious intent, but also without authorization.

May or may not disclose them after exploration.

Not fully black hat (malicious), nor white hat (authorized and ethical).

In this case, John explored sensitive employee data without authorization, even though he worked for the organization. That behavior places him in the gray hat category.

Option Clarification:

A. Cybercriminal: Generally linked to criminal activities for gain.

B. Black hat: Unauthorized access with malicious or financial intent.

C. White hat: Authorized ethical hackers.

D. Gray hat: Correct – Unauthorized, curious access without immediate harm.

snmp-check (snmp_enum Module) is the best tool to help the ethical hacker to get the information without directly modifying any parameters within the SNMP agent’s MIB. snmp-check is a tool that allows the user to enumerate SNMP devices and extract information from them. It can gather a wide array of information about the target, such as system information, network interfaces, routing tables, ARP cache, installed software, running processes, TCP and UDP services, user accounts, and more. snmp-check can also perform brute force attacks to discover the SNMP community strings, which are the passwords used to access the SNMP agent. snmp-check is available as a standalone tool or as a module (snmp_enum) within the Metasploit framework.

The other options are not as effective or suitable as snmp-check for the ethical hacker’s task. Nmap is a network scanning and enumeration tool that can perform various types of scans and probes on the target. It can also run scripts to perform specific tasks, such as retrieving SNMP information. However, Nmap may not be able to gather as much information as snmp-check, and it may also trigger alerts or blocks from firewalls or intrusion detection systems. Oputils is a network monitoring and management toolset that can perform various functions, such as device discovery, configuration backup, bandwidth monitoring, IP address management, and more. However, Oputils is mainly designed for device management and not SNMP enumeration, and it may not be able to extract valuable network information from the SNMP agent. SnmpWalk is a tool that allows the user to retrieve the entire MIB tree of an SNMP agent by using SNMP GETNEXT requests. However, SnmpWalk is not suitable for the ethical hacker’s task, because it requires the user to change an OID (object identifier) to a different value, which may modify the parameters within the SNMP agent’s MIB and affect its functionality or security. References:

snmp-check - The SNMP enumerator

SNMP Enumeration | Ethical Hacking - GreyCampus

SNMP Enumeration - GeeksforGeeks

Nmap - the Network Mapper - Free Security Scanner

OpUtils - Network Monitoring & Management Toolset

SnmpWalk - SNMP MIB Browser

In CEH v13 Module 16: Cloud Computing and Container Security, Kubernetes components are explained for understanding container orchestration risks.

Kube-scheduler is the master node component responsible for:

Assigning newly created pods to available nodes.

Evaluating each pod’s resource requirements.

Considering node affinity/anti-affinity, data locality, hardware restrictions, etc.

Ensuring workload balancing across nodes.

Other Options:

A. Kube-controller-manager: Manages control loops for replication and status.

C. Kube-apiserver: Acts as the entry point for all REST commands.

D. Etcd: A key-value store used to save configuration data.

Before implementing auditing, it is crucial to assess how enabling this feature will impact system resources, performance, and storage. Auditing can generate significant logs and place additional load on systems, especially in environments handling sensitive data such as banking.

Understanding the impact helps determine if the current infrastructure can handle the overhead or if optimizations or upgrades are needed beforehand.

Reference – CEH v13 Official Study Guide:

Module 5: System Hacking

Section: Enabling Auditing and Logging

Quote:

“Before enabling auditing, organizations must assess the performance and storage impact. Improper implementation can result in performance degradation or missed logs.”

Incorrect Options Explained:

A. Vulnerability scanning is important but not directly related to audit implementation.

C. Cost-benefit analysis comes after understanding operational impact.

D. Staffing is a planning step, not the first technical action.

===========

A Wireless Intrusion Prevention System (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).

Shoulder surfing is a social engineering technique that involves looking over someone’s shoulder to observe sensitive information, such as passwords, PINs, or credit card numbers, that they enter on their computer, phone, or ATM. It is the least likely method of social engineering to yield beneficial information based on the data collected by Maltego, because it requires physical proximity and access to the target’s devices, which may not be feasible or safe for the hacker. Moreover, shoulder surfing does not leverage the information obtained by Maltego, such as domains, DNS names, Netblocks, or IP addresses, which are more relevant for network-based attacks.

The other options are more likely to yield beneficial information based on the data collected by Maltego, because they involve exploiting the target’s trust, curiosity, or negligence, and using the information obtained by Maltego to craft convincing scenarios or messages. Impersonating an ISP technical support agent to trick the target into providing further network details is a form of pretexting, where the hacker creates a false identity and scenario to obtain information or access from the target. Dumpster diving in the target company’s trash bins for valuable printouts is a technique that relies on the target’s negligence or lack of proper disposal of sensitive documents, such as network diagrams, passwords, or confidential reports. Eavesdropping on internal corporate conversations to understand key topics is a technique that exploits the target’s curiosity or lack of awareness, and allows the hacker to gather information about the target’s projects, plans, or problems, which can be used for further attacks or extortion. References:

Social Engineering: Definition & 5 Attack Types

How to Use Maltego Transforms to Map Network Infrastructure: An In-Depth Guide

Social engineering: Definition, examples, and techniques

The Snort rule in the image is detecting suspicious bind attempts over DCERPC (Distributed Computing Environment/Remote Procedure Call), specifically targeting ports 135 (RPC) and 445 (SMB) with crafted content. The rule references CVE CAN-2003-0352.

CVE-2003-0352 is associated with the DCOM RPC vulnerability in Microsoft Windows that was exploited by the MS Blaster (also known as Lovsan) worm in 2003.

Key Indicators from the Snort Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135

content includes DCERPC binding pattern (|05| and |0b| with specific binary patterns)

Reference to CVE-2003-0352

Class type: attempted-admin

The MS Blaster worm exploited this vulnerability by sending a specially crafted RPC request to port 135, allowing remote code execution.

From CEH v13 Courseware:

Module 6: Malware Threats

Module 11: Session Hijacking

Discussion of historic worms and their exploit signatures, including MS Blaster.

Incorrect Options:

A. WebDav: Typically uses HTTP/HTTPS and was exploited by Nimda.

B. SQL Slammer: Targeted UDP port 1434 (SQL Server), not TCP 135/445.

D. MyDoom: Spread via email and exploited Windows file-sharing mechanisms (port 3127), not DCERPC.

Whitelist validation (also known as allowlist validation) is a robust defensive strategy where only pre-approved input formats are accepted. This includes:

Restricting input to specific data types (e.g., integer, string)

Limiting size, format, or allowed characters

Accepting only expected values (e.g., country codes, age ranges)

This practice is highly effective in mitigating SQL injection and other input-based attacks.

Incorrect Options:

A. Output encoding prevents XSS by encoding output but doesn't validate input.

B. Enforcing least privilege is an access control principle.

D. Blacklist validation is less secure and attempts to block known bad inputs, which may be bypassed.

Reference – CEH v13 Official Courseware:

Module 14: Hacking Web Applications

Section: “Input Validation and SQL Injection Mitigation”

Subsection: “Whitelist vs Blacklist Input Validation”

===========

Comprehensive and Detailed Explanation:

A TCP SYN flood is a type of Denial of Service (DoS) attack. The attacker sends a barrage of SYN packets with spoofed (random or unreachable) source IP addresses. The victim server replies with SYN/ACK, but the final ACK never arrives.

This results in:

The victim keeping the half-open connections in the queue.

The queue filling up, leading to new, legitimate requests being dropped.

From CEH v13 Courseware:

Module 9: Denial-of-Service Attacks → TCP SYN Flood