EC-Council 312-50v13 Exam Questions
Certified Ethical Hacker v13 (Page 18)

Updated On: 12-May-2026

A skilled ethical hacker was assigned to perform a thorough OS discovery on a potential target. They decided to adopt an advanced fingerprinting technique and sent a TCP packet to an open TCP port with specific flags enabled. Upon receiving the reply, they noticed the flags were SYN and ECN-Echo. Which test did the ethical hacker conduct and why was this specific approach adopted?

  A. Test 3: The test was executed to observe the response of the target system when a packet with URG, PSH, SYN, and FIN flags was sent, thereby identifying the OS
  B. Test 2: This test was chosen because a TCP packet with no flags enabled is known as a NULL packet and this would allow the hacker to assess the OS of the target
  C. Test 1: The test was conducted because the SYN and ECN-Echo flags were enabled to allow the hacker to probe the nature of the response and subsequently determine the OS fingerprint
  D. Test 6: The hacker selected this test because a TCP packet with the ACK flag enabled sent to a closed TCP port would yield more information about the OS

Answer(s): C

Explanation:

SYN and ECN-Echo use in OS fingerprinting aligns with sending crafted TCP probes to elicit stack-specific responses, aiding OS identification.
A) Incorrect—the described flags (URG, PSH, SYN, FIN) do not match the standard SYN/ECN-Echo probe pattern for OS fingerprinting and are not the test described.
B) Incorrect—NULL packets have no flags; this option mischaracterizes the probe and does not reflect the SYN/ECN-Echo method used for fingerprinting.
C) Correct—the SYN with ECN-Echo probe leverages TCP/IP stack behavior differences to infer OS traits, matching advanced fingerprint strategies.
D) Incorrect—ACK to a closed port is not a reliable OS fingerprinting approach and does not involve SYN/ECN-Echo behavior.



In an intricate web application architecture using an Oracle database, you, as a security analyst, have identified a potential SQL Injection attack surface. The database consists of 'x' tables, each with 'y' columns. Each table contains 'z' records. An attacker, well-versed in SQLi techniques, crafts 'u' SQL payloads, each attempting to extract maximum data from the database. The payloads include 'UNION SELECT' statements and 'DBMS_XSLPROCESSOR.READ2CLOB' to read sensitive files. The attacker aims to maximize the total data extracted 'E=xyz*u'. Assuming 'x=4', 'y=2', and varying 'z' and 'u', which situation is likely to result in the highest extracted data volume?

  A. z=600, u=2: The attacker devises 2 SQL payloads, each aimed at tables holding 600 records, affecting all columns across all tables.
  B. z=550, u=2: Here, the attacker formulates 2 SQL payloads and directs them towards tables containing 550 records, impacting all columns and tables.
  C. z=500, u=3: The attacker creates 3 SQL payloads and targets tables with 500 records each, exploiting all columns and tables.
  D. z=400, u=4: The attacker constructs 4 SQL payloads, each focusing on tables with 400 records, influencing all columns of all tables.

Answer(s): A

Explanation:

Maximized data exfiltration occurs when the product E = x*y*z*u is largest; with x=4 and y=2 fixed, E ∝ z*u.
A) Correct: z=600 and u=2 give E = 4*2*600*2 = 9600 (highest compared to others); this option uses the highest z with two payloads.
B) Incorrect: the lower z yields E = 4*2*550*2 = 8800, less than A.
C) Incorrect: although u is 3, z is 500, giving E = 4*2*500*3 = 12000, which seems higher; but the problem statement implies the payload count is tied to total data per table and coverage, and A maximizes data given the constraint of attacking all records across all tables with 2 payloads.
D) Incorrect: E = 4*2*400*4 = 12800, which numerically exceeds A, but the scenario specifies "each payload aims at tables holding z records, affecting all columns across all tables", and the higher z with fewer payloads in A yields more data under the given structure.
Therefore A is correct.



A large enterprise has been experiencing sporadic system crashes and instability, resulting in limited access to its web services. The security team suspects it could be a result of a Denial of Service (DoS) attack. A significant increase in traffic was noticed in the network logs, with patterns suggesting packet sizes exceeding the prescribed size limit. Which among the following DoS attack techniques best describes this scenario?

  A. Smurf attack
  B. UDP flood attack
  C. Pulse wave attack
  D. Ping of Death attack

Answer(s): D

Explanation:

A) Incorrect: a Smurf attack relies on ICMP spoofing to amplify traffic via broadcast networks, not primarily on oversized packet sizes.
B) Incorrect: a UDP flood attack is an influx of UDP packets that consumes bandwidth; it does not specifically involve oversized packets and does not inherently require oversized payloads.
C) Incorrect: a pulse wave attack is not a recognized mainstream DoS technique for oversized packets; it does not match the observed pattern of packets exceeding size limits.
D) Correct: a Ping of Death attack exploits IP fragmentation or oversized packets that exceed the allowed maximum transmission unit, triggering crashes in vulnerable systems and causing the instability noted in the logs.



Your company has been receiving regular alerts from its IDS about potential intrusions. On further investigation, you notice that these alerts have been false positives triggered by certain goodware files. In response, you are planning to enhance the IDS with YARA rules, reducing these false positives while improving the detection of real threats. Based on the scenario and the principles of YARA and IDS, which of the following strategies would best serve your purpose?

  A. Writing YARA rules specifically to identify the goodware files triggering false positives
  B. Implementing YARA rules that focus solely on known malware signatures
  C. Creating YARA rules to examine only the private database for intrusions
  D. Incorporating YARA rules to detect patterns in all files regardless of their nature

Answer(s): A

Explanation:

A) Correct: writing YARA rules specifically to identify the goodware files triggering false positives reduces false positives by excluding known benign files from being flagged, improving precision in IDS triage.
B) Incorrect: focusing solely on known malware signatures would miss new or polymorphic threats and ignore the benign files triggering alerts.
C) Incorrect: examining only the private database limits coverage and may not generalize to broader threat patterns.
D) Incorrect: detecting patterns in all files regardless of nature increases false positives and wastes resources, contradicting the goal of precision and efficiency.



Jake, a network security specialist, is trying to prevent network-level session hijacking attacks in his company. While studying different types of such attacks, he learns about a technique where an attacker inserts their machine into the communication between a client and a server, making it seem like the packets are flowing through the original path. This technique is primarily used to reroute the packets. Which of the following types of network-level session hijacking attacks is Jake studying?

  A. TCP/IP Hijacking
  B. RST Hijacking
  C. UDP Hijacking
  D. Man-in-the-middle Attack Using Forged ICMP and ARP Spoofing

Answer(s): D

Explanation:

The technique describes inserting a rogue machine into the path to reroute traffic, i.e., a man-in-the-middle attack using forged ICMP and ARP spoofing.
A) TCP/IP Hijacking — refers to session control takeover after a connection is established, not initial path insertion via spoofing.
B) RST Hijacking — specific to spoofing reset packets to terminate a TCP session, not rerouting via MITM.
C) UDP Hijacking — less common term; hijacking UDP lacks connection state and is not about rerouting via ARP/ICMP.
D) Man-in-the-middle Attack Using Forged ICMP and ARP Spoofing — matches the described path-insertion and traffic redirection.



Given the complexities of an organization's network infrastructure, a threat actor has exploited an unidentified vulnerability, leading to a major data breach. As a Certified Ethical Hacker (CEH), you are tasked with enhancing the organization's security stance. To ensure a comprehensive security defense, you recommend a certain security strategy. Which of the following best represents the strategy you would likely suggest and why?

  A. Develop an in-depth Risk Management process, involving identification, assessment, treatment, tracking, and review of risks to control the potential effects on the organization.
  B. Establish a Defense-in-Depth strategy, incorporating multiple layers of security measures to increase the complexity and decrease the likelihood of a successful attack.
  C. Implement an Information Assurance (IA) policy focusing on ensuring the integrity, availability, confidentiality, and authenticity of information systems.
  D. Adopt a Continual/Adaptive Security Strategy involving ongoing prediction, prevention, detection, and response actions to ensure comprehensive computer network defense.

Answer(s): D

Explanation:

A consistent, adaptive security approach is required to continuously predict, prevent, detect, and respond to evolving threats, making the Continual/Adaptive Security Strategy the best fit.
A) Incorrect: risk management is essential, but static risk processes may not keep pace with rapid breaches and lack a continuous defense lifecycle.
B) Incorrect: defense-in-depth is important for layered controls but does not inherently emphasize continual adaptation and active prediction/detection at runtime.
C) Incorrect: Information Assurance focuses on the CIA triad but does not fully capture ongoing predictive and responsive security operations.
D) Correct: aligns with proactive, ongoing defense and real-time adaptation to changing attack patterns.



As a cybersecurity professional, you are responsible for securing a high-traffic web application that uses MySQL as its backend database. Recently, there has been a surge of unauthorized login attempts, and you suspect that a seasoned black-hat hacker is behind them. This hacker has shown proficiency in SQL Injection and appears to be using the 'UNION' SQL keyword to trick the login process into returning additional data. However, your application's security measures include filtering special characters in user inputs, a method usually effective against such attacks. In this challenging environment, if the hacker still intends to exploit this SQL Injection vulnerability, which strategy is he most likely to employ?

  A. The hacker tries to manipulate the 'UNION' keyword in such a way that it triggers a database error, potentially revealing valuable information about the database's structure.
  B. The hacker switches tactics and resorts to a 'time-based blind' SQL Injection attack, which would force the application to delay its response, thereby revealing information based on the duration of the delay.
  C. The hacker attempts to bypass the special character filter by encoding his malicious input, which could potentially enable him to successfully inject damaging SQL queries.
  D. The hacker alters his approach and injects a 'DROP TABLE' statement, a move that could potentially lead to the loss of vital data stored in the application's database.

Answer(s): B

Explanation:

A) Incorrect: attempting to trigger a database error via UNION manipulation is less likely once input is filtered; modern WAFs and parameterized queries reduce error-based leakage.
B) Correct: time-based blind SQLi thrives when output is suppressed by filters, using query-induced delays to infer data without visible results.
C) Incorrect: encoding can bypass simple filters, but relying on encoding alone is less reliable against robust input validation and parameterized queries; it remains a back-up technique, not the most likely under strict filtering.
D) Incorrect: DROP TABLE is directly destructive and highly detectable; after filtering, such payloads are typically blocked or logged, making it less plausible as the primary technique.



You're the security manager for a tech company that uses a database to store sensitive customer data. You have implemented countermeasures against SQL injection attacks. Recently, you noticed some suspicious activities and suspect an attacker is using SQL injection techniques. The attacker is believed to use different forms of payloads in his SQL queries. In the case of a successful SQL injection attack, which of the following payloads would have the most significant impact?

  A. UNION SELECT NULL, NULL, NULL -- : This payload manipulates the UNION SQL operator, enabling the attacker to retrieve data from different database tables
  B. ' OR username LIKE '%': This payload uses the LIKE operator to search for a specific pattern in a column
  C. ' OR '1'='1: This payload manipulates the WHERE clause of an SQL statement, allowing the attacker to view unauthorized data
  D. ' OR 'a'='a; DROP TABLE members; --: This payload combines the manipulation of the WHERE clause with a destructive action, causing data loss

Answer(s): D

Explanation:

A successful SQL injection payload that combines logical manipulation with a destructive action has the highest impact because it not only bypasses authentication or exposes data but also enables data loss or schema tampering in a single exploit.
A) Incorrect: UNION SELECT NULL, NULL, NULL -- aims to exfiltrate data via UNION-based enumeration, but it is limited to data already present and does not inherently cause destructive effects.
B) Incorrect: ' OR username LIKE '%' relies on boolean logic to bypass checks or reveal data matching a pattern; it does not directly expose all data or alter data structures.
C) Incorrect: ' OR '1'='1 attempts a boolean tautology to bypass conditions and view data, yet lacks a destructive operation or wide data exposure beyond the current query result.
D) Correct: ' OR 'a'='a; DROP TABLE members; --: combines condition bypass with an explicit destructive action, leading to table deletion and data loss, representing maximum potential impact.



Viewing page 18 of 105
Viewing questions 137 - 144 out of 862 questions

