EC-Council 312-50v13 Exam Questions
Certified Ethical Hacker v13 (Page 19)

Updated On: 12-May-2026

A malicious user has acquired a Ticket Granting Service from the domain controller using a valid user's Ticket Granting Ticket in a Kerberoasting attack. He extracted the TGS tickets from memory for offline cracking. But the attacker was stopped before he could complete his attack. The system administrator needs to investigate and remediate the potential breach. What should be the immediate step the system administrator takes?

  A) Perform a system reboot to clear the memory
  B) Delete the compromised user's account
  C) Change the NTLM password hash used to encrypt the ST
  D) Invalidate the TGS the attacker acquired

Answer(s): D

Explanation:

The immediate step is to invalidate the TGS the attacker acquired to cut off the offline cracking possibility and prevent further abuse of stolen tickets. It directly neutralizes the Kerberos service ticket the attacker possesses without altering unrelated credentials.
A) Rebooting the system does not guarantee that memory is securely cleared, nor does it revoke the captured TGS; Kerberos tickets in memory may persist and resume after reboot, and the attacker could re-acquire tokens.
B) Deleting the compromised user account interrupts future logins but does not revoke the already issued TGS or associated tickets in circulation.
C) Changing the NTLM password hash is irrelevant to Kerberos ticket usage and ST encryption, and does not address the compromised TGS.



You are a cybersecurity consultant for a healthcare organization that utilizes Internet of Medical Things (IoMT) devices, such as connected insulin pumps and heart rate monitors, to provide improved patient care. Recently, the organization has been targeted by ransomware attacks. While the IT infrastructure was unaffected due to robust security measures, they are worried that the IoMT devices could be potential entry points for future attacks. What would be your main recommendation to protect these devices from such threats?

  A) Disable all wireless connectivity on IoMT devices.
  B) Regularly change the IP addresses of all IoMT devices.
  C) Use network segmentation to isolate IoMT devices from the main network.
  D) Implement multi-factor authentication for all IoMT devices.

Answer(s): C

Explanation:

IoMT network segmentation limits lateral movement and contains breaches, reducing exposure of medical devices to ransomware spread.
A) Disabling all wireless connectivity is impractical and can degrade patient care; many IoMT devices require wireless interfaces to function.
B) Regularly changing IPs offers no real security benefit and can disrupt device management and monitoring.
C) Network segmentation isolates IoMT devices from the main network, containing compromises and limiting infection paths.
D) MFA for IoMT devices is often not feasible or scalable and may not address device-to-device trust or network-level containment.



You are a cybersecurity consultant for a global organization. The organization has adopted a Bring Your Own Device (BYOD) policy, but they have recently experienced a phishing incident where an employee's device was compromised. In the investigation, you discovered that the phishing attack occurred through a third-party email app that the employee had installed. Given the need to balance security and user autonomy under the BYOD policy, how should the organization mitigate the risk of such incidents? Moreover, consider a measure that would prevent similar attacks without overly restricting the use of personal devices.

  A) Provide employees with corporate-owned devices for work-related tasks.
  B) Require all employee devices to use a company-provided VPN for internet access.
  C) Implement a mobile device management solution that restricts the installation of non-approved applications.
  D) Conduct regular cybersecurity awareness training, focusing on phishing attacks.

Answer(s): C

Explanation:

Implementing a mobile device management solution that restricts non-approved apps directly reduces risk from third-party, potentially malicious apps while preserving BYOD autonomy through policy enforcement.
A) Corporate-owned devices undermine BYOD by replacing personal devices with organization-owned assets, conflicting with BYOD policy.
B) Requiring a company VPN on all devices addresses network access but does not prevent malicious apps or phishing vectors from third-party apps.
D) Phishing awareness training is important but does not prevent the initial compromise from a malicious app installation; it complements controls but is not itself a preventive enforcement.
C) MDM enforces app whitelisting and control over installed software, limiting attack surfaces without fully restricting user-owned devices.



XYZ company recently discovered a potential vulnerability on their network, originating from misconfigurations. It was found that some of their host servers had enabled debugging functions and unknown users were granted administrative permissions. As a Certified Ethical Hacker, what would be the most potent risk associated with this misconfiguration?

  A) An attacker may be able to inject a malicious DLL into the current running process
  B) Weak encryption might be allowing man-in-the-middle attacks, leading to data tampering
  C) Unauthorized users may perform privilege escalation using unnecessarily created accounts
  D) An attacker may carry out a Denial-of-Service assault draining the resources of the server in the process

Answer(s): C

Explanation:

Misconfigurations that grant unknown users administrative permissions enable privilege escalation, making C the most potent risk because attackers can gain full control and bypass least-privilege safeguards.
A) DLL injection relies on running processes and code execution paths, not directly on misconfigured admin accounts.
B) Weak encryption concerns confidentiality but not the direct impact of unauthorized admin accounts.
C) Correct: unauthorized elevated privileges directly compromise integrity and security by enabling broad control.
D) DoS stems from resource exhaustion, not from privilege misconfigurations or unauthorized admin access.



An organization suspects a persistent threat from a cybercriminal. They hire an ethical hacker, John, to evaluate their system security. John identifies several vulnerabilities and advises the organization on preventive measures. However, the organization has limited resources and opts to fix only the most severe vulnerability. Subsequently, a data breach occurs exploiting a different vulnerability. Which of the following statements best describes this scenario?

  A) The organization is at fault because it did not fix all identified vulnerabilities.
  B) Both the organization and John share responsibility because they did not adequately manage the vulnerabilities.
  C) John is at fault because he did not emphasize the necessity of patching all vulnerabilities.
  D) The organization is not at fault because they used their resources as per their understanding.

Answer(s): B

Explanation:

The shared responsibility model applies: both the organization and the assessor bear liability for risk management, not just one party.
A) Incorrect because fixing all vulnerabilities is impractical; acceptable risk remains.
B) Correct: inadequate risk governance and prioritization by the organization, combined with the assessment's findings, led to exploitable exposure; both parties contributed to the outcome.
C) Incorrect: John provides findings and guidance but cannot guarantee patching; fault lies in risk management decisions, not solely the assessor.
D) Incorrect: outsourcing does not absolve the organization of responsibility for risk decisions and resource allocation.



An ethical hacker is attempting to crack NTLM hashed passwords from a Windows SAM file using a rainbow table attack. He has dumped the on-disk contents of the SAM file successfully and noticed that all LM hashes are blank. Given this scenario, which of the following would be the most likely reason for the blank LM hashes?

  A) The SAM file has been encrypted using the SYSKEY function.
  B) The passwords exceeded 14 characters in length and therefore, the LM hashes were set to a "dummy" value.
  C) The Windows system is Vista or a later version, where LM hashes are disabled by default.
  D) The Windows system is using the Kerberos authentication protocol as the default method.

Answer(s): C

Explanation:

Windows LM hashes are disabled by default on modern Windows versions (Vista and later), making LM fields blank in the SAM. This aligns with option C.
A) SYSKEY-encrypted SAM would not inherently blank LM hashes; it protects the SAM, not the LM value.
B) LM hashes are not generated for passwords longer than 14 characters, but blank LM fields in modern systems are due to disabled LM, not length-based dummy values.
D) Kerberos being the default protocol does not affect the presence of LM hashes in the SAM; LM hashes can be disabled regardless of Kerberos.



A Certified Ethical Hacker (CEH) is given the task to perform an LDAP enumeration on a target system. The system is secured and accepts connections only on secure LDAP. The CEH uses Python for the enumeration process. After successfully installing LDAP and establishing a connection with the target, he attempts to fetch details like the domain name and naming context but is unable to receive the expected response. Considering the circumstances, which of the following is the most plausible reason for this situation?

  A) The system failed to establish a connection due to an incorrect port number.
  B) The enumeration process was blocked by the target system's intrusion detection system.
  C) The secure LDAP connection was not properly initialized due to a lack of 'use_ssl = True' in the server object creation.
  D) The Python version installed on the CEH's machine is incompatible with the ldap3 library.

Answer(s): C

Explanation:

LDAP over SSL requires initializing the server connection with SSL enabled; without use_ssl = True, the secure session will not be properly established, preventing retrieval of domain and naming context data.
A) Port mismatch would affect connectivity, but the scenario states a connection was established.
B) IDS blocking could hinder results, but the question points to initialization of secure LDAP.
D) ldap3 compatibility is less likely the immediate cause given a direct mention of missing SSL initialization rather than library incompatibility.
A) An incorrect port number would typically break the initial connection rather than simply prevent data retrieval within a secured session.
C) use_ssl = True correctly enables and initializes the secure LDAP channel, making schema and naming context queries possible.



You are a cybersecurity consultant for a major airport that offers free Wi-Fi to travelers. The management is concerned about the possibility of "Evil Twin" attacks, where a malicious actor sets up a rogue access point that mimics the legitimate one. They are looking for a solution that would not significantly impact the user experience or require travelers to install additional software. What is the most effective security measure you could recommend that fits these constraints, considering the airport's unique operational environment?

  A) Regularly change the SSID of the airport's Wi-Fi network
  B) Use MAC address filtering on the airport's Wi-Fi network
  C) Implement WPA3 encryption for the airport's Wi-Fi network
  D) Display a captive portal page that warns users about the possibility of Evil Twin attacks

Answer(s): D

Explanation:

The captive portal approach directly informs users of the threat and guides them to trusted access, addressing Evil Twin risks without requiring user-side software or significant UX disruption.
A) Regularly changing the SSID is impractical for travelers and can cause confusion; it also does not verify legitimate APs.
B) MAC filtering is easily bypassed via MAC spoofing and provides weak security for guest Wi‑Fi.
C) WPA3 strengthens encryption but does not help users identify rogue APs or prevent Evil Twin deception.
D) Captive portal alerts users, reinforces trusted access, and aligns with airport operational dynamics.



Viewing page 19 of 105
Viewing questions 145 - 152 out of 862 questions

