Free Practice Questions for ECCouncil 312-50v13 Exam

Comprehensive and Detailed Explanation:

The OpenSSL command-line utility s_client is used to test SSL/TLS connections.

Correct syntax:

openssl s_client -connect www.website.com:443

This command will initiate a TLS connection to port 443 on the given domain and allow you to inspect certificates, cipher suites, and server responses.

From CEH v13 Courseware:

Module 12: Cryptography → SSL/TLS Testing Tools

https://en.wikipedia.org/wiki/IPsec

Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks. It supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection.

The initial IPv4 suite was developed with few security provisions. As a part of the IPv4 enhancement, IPsec is a layer 3 OSI model or internet layer end-to-end security scheme. In contrast, while some other Internet security systems in widespread use operate above layer 3, such as Transport Layer Security (TLS) that operates at the Transport Layer and Secure Shell (SSH) that operates at the Application layer, IPsec can automatically secure applications at the IP layer.

A brute-force attack is the most exhaustive password-cracking method. It tries every possible combination of characters (letters, numbers, and symbols) until the correct password is found.

From CEH v13 Courseware:

Module 6: Password Cracking Techniques

CEH v13 Study Guide states:

“Brute-force attacks try every possible combination until the correct password is discovered. It’s resource-intensive but guarantees success if enough time and processing power is available.”

Incorrect Options:

B: Refers to social engineering or coercion.

C: Describes a dictionary attack.

D: Refers to a rainbow table attack.

E: Not a cracking method.

Enterprise, governments, and financial institutions have greater security with WPA3-Enterprise. WPA3-Enterprise builds upon WPA2 and ensures the consistent application of security protocol across the network.

WPA3-Enterprise also offers an optional mode using 192-bit minimum-strength security protocols and cryptographic tools to raised protect sensitive data:

• Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256)

• Key derivation and confirmation: 384-bit Hashed Message Authentication Mode (HMAC) with Secure Hash Algorithm (HMAC-SHA384)

• Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) employing a 384-bit elliptic curve

• Robust management frame protection: 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256)

The 192-bit security mode offered by WPA3-Enterprise ensures the proper combination of cryptographic tools are used and sets a uniform baseline of security within a WPA3 network.

It protects sensitive data using many cryptographic algorithms It provides authenticated encryption using GCMP-256 It uses HMAC-SHA-384 to generate cryptographic keys It uses ECDSA-384 for exchanging keys

A multihomed firewall refers to a firewall with two or more network interfaces (NICs), each connected to different network segments. The purpose of a multihomed firewall is to allow filtering and segmentation of traffic between multiple network zones, such as:

External network (e.g., Internet)

Internal network (e.g., LAN)

To qualify as multihomed, the system must have at least two network interfaces. This allows it to sit between two networks and inspect/filter traffic passing through it.

Reference – CEH v13 Official Study Guide:

Module 13: Evading IDS, Firewalls, and Honeypots

Section: Firewall Architecture

Quote:

“A multihomed firewall is a system with two or more NICs connected to different networks, typically used to control traffic between internal and external networks. The minimum number of interfaces is two.”

Incorrect Options Explained:

A. 3 interfaces may be used in advanced setups (e.g., with a DMZ), but not the minimum.

B & C. 4 or 5 connections are not required unless designing more complex segmentation.

===========

The Security Account Manager (SAM) file on Windows contains user account information, including password hashes. Hackers target this file to extract credentials for offline cracking using tools like L0phtCrack or Cain & Abel.

From CEH v13 Official Courseware:

Module 6: Malware Threats

Module 4: Enumeration

CEH v13 Study Guide states:

“The SAM file stores hashed user credentials. If attackers gain access to it, they can extract password hashes and perform brute-force or dictionary attacks offline.”

Common locations:

C:\Windows\System32\config\SAM

C:\Windows\Repair\SAM

Trident is a highly sophisticated spyware tool used in mobile surveillance operations. It exploits multiple zero-day vulnerabilities to jailbreak iPhones remotely and grant full control to the attacker. It is famously associated with the Pegasus spyware, which was able to:

Record calls and ambient sound

Capture screenshots

Read SMS, emails, and contacts

Monitor GPS and application use

As per CEH v13:

Trident uses a chain of exploits to compromise iOS devices without physical access.

It was used in highly targeted attacks against journalists, activists, and government officials.

Incorrect Options:

A. DroidSheep is an Android tool for session hijacking on unsecured Wi-Fi.

B. Androrat is a RAT for Android devices.

C. Zscaler is a cloud security platform, not malware.

Reference – CEH v13 Official Courseware:

Module 17: Hacking Mobile Platforms

Section: “iOS Malware”

Subsection: “Spyware like Trident and Pegasus”

===========

The protocol that you would recommend to the team to achieve the secure exchange of the symmetric key is the Diffie-Hellman protocol. The Diffie-Hellman protocol is a key agreement protocol that allows two or more parties to establish a shared secret key over an unsecured communication channel, without having to exchange the key itself. The Diffie-Hellman protocol works as follows12:

The parties agree on a large prime number p and a generator g, which are public parameters that can be known by anyone.

Each party chooses a random private number a or b, which are kept secret from anyone else.

Each party computes a public value A or B, by raising g to the power of a or b modulo p, i.e., A = g^a mod p and B = g^b mod p.

Each party sends their public value A or B to the other party over the unsecured channel.

Each party computes the shared secret key K, by raising the received public value to the power of their own private number modulo p, i.e., K = A^b mod p = B^a mod p.

The parties can now use the shared secret key K to encrypt and decrypt the data using a symmetric key encryption algorithm, such as AES or 3DES.

The Diffie-Hellman protocol can ensure the secure exchange of the symmetric key because it relies on the mathematical difficulty of computing discrete logarithms, which means that it is hard to find the private numbers a or b given the public values A or B, g, and p. Therefore, an attacker who intercepts the public values A or B cannot easily compute the shared secret key K, and thus cannot decrypt the data encrypted with K12.

The other options are not as appropriate as option B for the following reasons:

A. Implementing SSL certificates on your company’s web servers: This option is not relevant because SSL certificates are not used to exchange symmetric keys, but to authenticate the identity of the web servers and to establish a secure connection using public key encryption. SSL certificates are digital certificates that contain the public key and the identity information of the web server, and are issued and signed by a trusted certificate authority (CA). When a client connects to a web server, the web server sends its SSL certificate to the client, who verifies it with the CA. If the verification is successful, the client and the web server use the public key in the certificate to exchange a symmetric key, which is then used to encrypt and decrypt the data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve web servers or SSL certificates34.

C. Switching all data transmission to the HTTPS protocol: This option is not sufficient because HTTPS protocol is not a protocol for exchanging symmetric keys, but a protocol for securing web traffic using SSL or TLS encryption. HTTPS protocol is a combination of HTTP protocol and SSL or TLS protocol, which means that it uses HTTP for the application layer communication and SSL or TLS for the transport layer encryption. When a client requests a web page from a web server using HTTPS protocol, the client and the web server establish a secure connection using SSL or TLS protocol, which involves the exchange of SSL certificates and a symmetric key, as explained in option A. Then, the client and the web server use the symmetric key to encrypt and decrypt the HTTP data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve web servers or HTTPS protocol5 .

D. Utilizing SSH for secure remote logins to the servers: This option is not applicable because SSH is not a protocol for exchanging symmetric keys, but a protocol for securing remote access to servers using public key authentication and encryption. SSH is a protocol that allows a client to securely connect to a server and execute commands or transfer files over an encrypted channel. SSH uses public key cryptography to authenticate the identity of the server and the client, and to exchange a symmetric key, which is then used to encrypt and decrypt the data. However, this option does not address the scenario of transmitting data over an unsecured communication channel, which may not involve remote logins or SSH protocol .

Comprehensive and Detailed Explanation:

Cryptographic hash functions provide:

Integrity: Any change in the input changes the output hash.

Collision Resistance: It is computationally infeasible to find two inputs that produce the same hash.

This ensures data is not altered during transmission.

From CEH v13 Courseware:

Module 10: Cryptography → Hashing Functions (e.g., SHA-256, MD5)

One may append the comment “–” operator along with the String for the username and whole avoid executing the password segment of the SQL query. Everything when the — operator would be considered as comment and not dead.

To launch such an attack, the value passed for name could be ’OR ‘1’=‘1’ ; —

Statement = “SELECT * FROM ‘CustomerDB’ WHERE ‘name’ = ‘ ”+ userName + “ ‘ AND ‘password’ = ‘ ” + passwd + “ ‘ ; ”

Statement = “SELECT * FROM ‘CustomerDB’ WHERE ‘name’ = ‘ ’ OR ‘1’=‘1‘;– + “ ‘ AND ‘password’ = ‘ ” + passwd + “ ‘ ; ”

All the records from the customer database would be listed.

Yet, another variation of the SQL Injection Attack can be conducted in dbms systems that allow multiple SQL injection statements. Here, we will also create use of the vulnerability in sure dbms whereby a user provided field isn’t strongly used in or isn’t checked for sort constraints.

This could take place once a numeric field is to be employed in a SQL statement; but, the programmer makes no checks to validate that the user supplied input is numeric.

Variation is an evasion technique whereby the attacker can easily evade any comparison statement. The attacker does this by placing characters such as “' or '1'='1'” in any basic injection statement such as “or 1=1” or with other accepted SQL comments.

Evasion Technique: Variation Variation is an evasion technique whereby the attacker can easily evade any comparison statement. The attacker does this by placing characters such as “' or '1'='1'” in any basic injection statement such as “or 1=1” or with other accepted SQL comments. The SQL interprets this as a comparison between two strings or characters instead of two numeric values. As the evaluation of two strings yields a true statement, similarly, the evaluation of two numeric values yields a true statement, thus rendering the evaluation of the complete query unaffected. It is also possible to write many other signatures; thus, there are infinite possibilities of variation as well. The main aim of the attacker is to have a WHERE statement that is always evaluated as “true” so that any mathematical or string comparison can be used, where the SQL can perform the same.

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Social engineering attacks typically involve some form of psychological manipulation, fooling otherwise unsuspecting users or employees into handing over confidential or sensitive data. Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file. Because social engineering involves a human element, preventing these attacks can be tricky for enterprises.

Whois footprinting is a reconnaissance technique used by attackers and penetration testers to gather publicly available information about domain names. By performing a Whois lookup, one can retrieve:

Domain registrant details (name, email, phone, and address)

Domain registration and expiry dates

Name servers and registrar information

Administrative and technical contact data

According to CEH v13:

Whois databases are maintained by Internet registrars and can be queried through tools like whois lookup or websites such as https://whois.domaintools.com.

This information helps attackers build a profile of the organization, identify potential social engineering targets, and even understand domain structure for further attacks.

Incorrect Options:

A. VPN footprinting refers to identifying VPN gateways or configurations — not related to domain data.

B. Email footprinting involves gathering information from or about email systems.

C. VoIP footprinting targets IP-based telephony systems, such as SIP endpoints.

Reference – CEH v13 Official Courseware:

Module 02: Footprinting and Reconnaissance

Section: “WHOIS Footprinting”

Tools: Whois lookup tools, ICANN WHOIS, DomainTools

When a NULL scan is sent to a port on a UNIX-based system:

If the port is OPEN: The system does not respond at all.

If the port is CLOSED: The system responds with a RST packet.

This behavior is based on how the TCP stack processes unexpected packets.

From CEH v13 Courseware:

Module 3: Scanning Networks

Topic: Stealth Scanning Techniques → NULL Scan

CEH v13 Official Guide states:

“A NULL scan sends a TCP packet with no flags set. On systems following RFC 793 (like many Unix/Linux), open ports silently drop such packets (no response), while closed ports respond with a TCP RST.”

Incorrect Options:

A–E: Not standard responses for an open port in a NULL scan scenario.

The TPM is a chip that's part of your computer's motherboard — if you bought an off-the-shelf PC, it's soldered onto the motherboard. If you built your own computer, you can buy one as an add-on module if your motherboard supports it. The TPM generates encryption keys, keeping part of the key to itself

The command shown is a Windows batch loop that attempts to mount a hidden administrative share (c$) on a remote machine (\10.1.2.3) using the username "Administrator" and a list of passwords from the file hackfile.txt.

for /f "tokens=1 %%a in (hackfile.txt) → Reads one password per line from the file

do net use * \10.1.2.3\c$ /user:"Administrator" %%a → Tries to authenticate to the share using the Administrator account and each password

This is a classic brute-force password attack attempting to crack the Administrator account using a wordlist.

From CEH v13 Official Courseware:

Module 4: Enumeration

Module 6: Malware and Password Cracking Techniques

CEH v13 Study Guide states:

“Tools and scripts that automate login attempts using SMB shares and administrative credentials can be used to brute force user accounts. An attacker attempts access using a list of passwords (dictionary attack).”

Incorrect Options:

A: The connection attempt is made, but the success is dependent on password cracking.

B: This command does not enumerate users.

D: No null session involved; this is a brute-force attempt, not privilege escalation.