
ECCouncil 312-50v13 Exam Dumps & Practice Test Questions


Question No 1:

John, a former employee who departed the organization on bad terms, sought revenge by orchestrating a cyberattack against his previous employer. To carry out his plan effectively, he enlisted the services of an experienced hacker. The hacker’s strategy began with the reconnaissance phase, during which they successfully compromised a machine inside the company’s internal network. On this infiltrated device, the hacker installed a sophisticated scanning tool. Using this foothold, the tool was then utilized to probe other systems within the same local network. The primary objective was to uncover weaknesses such as outdated software, open ports, and other exploitable vulnerabilities across multiple systems.

Which type of vulnerability assessment tool did the hacker employ in this situation?

A. Agent-based scanner
B. Network-based scanner
C. Cluster scanner
D. Proxy scanner

Correct Answer: B. Network-based scanner

Explanation:

The tool used by the hacker fits the characteristics of a network-based scanner. These scanners are designed to evaluate the security posture of devices across a network without requiring local software installation on each target system. They work by transmitting data packets to other hosts on the network and analyzing the responses to determine the presence of security gaps such as weak configurations, open ports, or unpatched software vulnerabilities.

Unlike agent-based scanners, which require a separate software component installed on every endpoint to collect data and monitor activity, network-based scanners centralize the assessment from a single point. This makes them especially useful for attackers who have limited access but aim to evaluate multiple systems quickly.

Cluster scanners are not a widely recognized term in the cybersecurity field and typically do not refer to any mainstream vulnerability assessment tool. Proxy scanners, on the other hand, are primarily used to obscure the origin of web traffic, which is more aligned with privacy tools or traffic routing than with active vulnerability scanning.

The hacker’s use of a compromised internal machine to remotely inspect other systems on the network without deploying additional software to each device is a textbook example of how network-based vulnerability scanning works. These tools are commonly used in both offensive cybersecurity campaigns and legitimate enterprise environments to identify and mitigate risks before they are exploited.

Question No 2:

Joel is a cyber attacker targeting a specific organization. Instead of launching a direct assault on its internal infrastructure, he adopts a more indirect and insidious approach. He begins by researching which external websites are frequently accessed by the organization’s employees, such as industry news sites, vendor portals, and professional forums. Once he compiles a list of these commonly visited sites, Joel scans them for vulnerabilities, such as outdated plugins, insecure scripts, or misconfigured servers.

After identifying several poorly secured third-party websites, Joel exploits these weaknesses by injecting malicious scripts into the site's legitimate content. These scripts are crafted to automatically redirect users or silently download malware onto their devices without any visible indicators. The trap is now set: when employees of the targeted organization visit these compromised websites as part of their routine activity, their devices become infected. 

Once the malware is installed, it provides Joel with unauthorized remote access to internal systems, enabling him to extract sensitive data or establish persistent control.

Which type of attack is Joel carrying out in this scenario?

A. Watering Hole Attack
B. DNS Rebinding Attack
C. MarioNet Attack
D. Clickjacking Attack

Correct Answer: A. Watering Hole Attack

Explanation:

This attack is identified as a watering hole attack. The name is derived from a predator's strategy of lying in wait near a watering hole, anticipating that prey will come to drink. Similarly, the attacker compromises websites the target group is known to visit, thereby increasing the likelihood of successful infection without having to breach the organization’s primary defenses.

What makes watering hole attacks particularly dangerous is that they exploit the trust users have in familiar or reputable websites. Because the malware is delivered via these trusted channels, traditional perimeter defenses like firewalls and content filters may not detect the threat. The attack effectively bypasses network-level protection and relies on the natural online behavior of users.

To defend against such threats, organizations should implement endpoint detection and response (EDR) solutions, keep browsers and plugins up to date, and enforce network segmentation. Additionally, employee awareness training about suspicious redirects, browser behavior, and the importance of cybersecurity hygiene is vital.

This scenario is not an example of a DNS rebinding attack, which manipulates DNS to access internal network resources. It’s also unrelated to a MarioNet attack, which involves using malicious scripts to take control of a user's browser persistently, nor is it a clickjacking attack, which deceives users into clicking on hidden elements embedded within a webpage.

Question No 3:

John Smith, a security administrator, has noticed an unusual amount of outgoing network traffic from internal systems during nighttime hours. Upon investigating, he confirms that an attacker has exfiltrated user data. Neither the antivirus software nor the IDS/IPS systems detected any suspicious activity. Additionally, all running applications appear to be on the organization’s approved whitelist.

What kind of malware most likely enabled the attacker to evade the company’s application whitelisting?

A. File-less malware
B. Zero-day malware
C. Phishing malware
D. Logic bomb malware

Correct Answer: A. File-less malware

Explanation:

File-less malware is a type of malicious code that operates entirely in memory or uses legitimate system tools to execute harmful actions. Since it doesn’t install new files, traditional antivirus programs—which rely on scanning files for known signatures—often fail to detect it. Similarly, application whitelisting becomes ineffective because the malware uses already-approved processes and does not introduce new executables.

Zero-day malware, while powerful, is typically associated with exploiting unknown vulnerabilities, which isn't the central issue in this case. Phishing malware relies on user interaction, like clicking a link, but wouldn't explain the stealthy, persistent traffic at night. Logic bombs are designed to execute only when specific conditions are met, and there's no indication of a trigger mechanism here.

File-less malware fits the scenario precisely—it avoids file installations, evades detection by security software, and bypasses application whitelisting by using legitimate, whitelisted tools in memory.

Question No 4:

Dorian wants to send an email to Poly that includes a digital signature to confirm the message’s authenticity. 

Which key does Dorian use to sign the message, and how does Poly verify that the message genuinely came from Dorian?

A. Dorian is signing the message with his public key, and Poly will verify that the message came from Dorian by using Dorian’s private key
B. Dorian is signing the message with Poly’s private key, and Poly will verify that the message came from Dorian by using Dorian’s public key
C. Dorian is signing the message with his private key, and Poly will verify that the message came from Dorian by using Dorian’s public key
D. Dorian is signing the message with Poly’s public key, and Poly will verify that the message came from Dorian by using Dorian’s public key

Correct Answer: C. Dorian is signing the message with his private key, and Poly will verify that the message came from Dorian by using Dorian’s public key

Explanation:

Digital signatures ensure a message's authenticity and integrity. In this case, Dorian uses his private key to sign the email. This guarantees that the signature is unique to him and hasn't been forged, as only Dorian possesses his private key.

Poly, upon receiving the email, uses Dorian’s publicly available key to verify the signature. If the message has been altered or wasn't actually sent by Dorian, the verification using the public key will fail. This mechanism provides two key benefits: it ensures the message hasn’t been tampered with (integrity), and it proves that it genuinely came from Dorian (non-repudiation).

The other options are incorrect because they misuse the cryptographic key roles. Signing is always done with the sender’s private key, and verification is done with the matching public key. Using Poly’s keys or reversing the public/private key roles would render the signature invalid and meaningless for verification.

Question No 5:

Joe starts his home computer to log into his personal online banking account. He types the URL www.bank.com into his browser, expecting to reach his bank’s actual website. However, the site that opens behaves unusually—it asks Joe to re-enter his login credentials, even though he has used the site before. Upon inspecting the address bar, Joe realizes the site is not secure (it lacks “https” and the padlock icon), and the URL seems slightly off from what he usually sees. This causes him to question the legitimacy of the website.

What type of attack is Joe most likely experiencing?

A. DHCP Spoofing
B. DoS Attack
C. ARP Cache Poisoning
D. DNS Hijacking

Correct Answer: D. DNS Hijacking

Explanation:

Joe is likely encountering a DNS hijacking attack, also known as DNS redirection. This form of attack involves an unauthorized manipulation of DNS settings, either on Joe’s computer or elsewhere along the communication path, causing traffic meant for a legitimate site to be rerouted to a fraudulent one.

Even though Joe entered the correct web address, the DNS system did not resolve it correctly. Instead, it redirected him to a fake website that mimics the appearance of his bank’s page. The absence of security indicators like "https" and a mismatched URL further confirms the website is not authentic.

This scenario matches DNS hijacking, where the attacker intercepts or alters DNS queries to send users to deceptive websites. The goal is typically to capture login credentials or other sensitive information.

The other options are less applicable:

  • DHCP spoofing involves giving a user device false IP configuration data, but it does not directly lead to fake websites.

  • DoS attacks are designed to make services unavailable and do not usually involve redirection.

  • ARP cache poisoning targets local network traffic and is not typically used to manipulate website resolution at the DNS level.

Question No 6:

A hacker named Boney targets a company to steal financial data. He initiates his plan by first logging into a service and obtaining a valid session ID. Then, using a Man-in-the-Middle technique, he sends this session ID to a company employee, tricking them into clicking a link. The session ID directs the employee to Boney’s account page, though the employee is unaware of this. As the employee fills in a payment form, the submitted data is linked directly to Boney’s session and becomes accessible to him.

What type of cyberattack is Boney using in this scenario?

A. Forbidden attack
B. CRIME attack
C. Session donation attack
D. Session fixation attack

Correct Answer: D. Session fixation attack

Explanation:

This is a classic case of a session fixation attack. In such an attack, the perpetrator provides the victim with a pre-set session ID. Once the victim interacts with a service using that session ID, their activity is directly tied to the attacker’s session.

Boney first authenticates with the web application to receive a valid session ID. He then delivers this same ID to the employee, perhaps via email or through a Man-in-the-Middle strategy. When the employee uses this link and starts interacting with the site, such as by entering sensitive payment information, all their input is associated with the session Boney originally created. This gives Boney access to confidential details entered by the unsuspecting user.

This attack is dangerous because it makes users believe they are in control of their session when in fact, they are operating within a session initiated by the attacker.

Alternative options do not describe this behavior accurately:

  • CRIME attacks exploit data compression vulnerabilities, not session manipulation.

  • Forbidden attacks do not describe a recognized attack category here.

  • Session donation attack is not a standard term and does not apply to this scenario.

To mitigate this risk, best practices include regenerating session IDs after user login and always enforcing secure, encrypted communication (like HTTPS).
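The two login behaviours contrasted in the explanation, as an added example that is not part of the original page: a constructed in-memory session store stands in for a web framework, and the three steps of the Boney scenario (attacker obtains an ID, victim uses it, victim submits a payment form) are replayed once against a login that keeps the pre-set ID and once against a login that regenerates it.

```python
import secrets

# Constructed in-memory session store standing in for a web framework's
# session handling (assumption: one dict per session ID).
SESSIONS: dict[str, dict] = {}


def create_session() -> str:
    """Issue a fresh, unpredictable session ID (what the attacker obtains first)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "form": {}}
    return sid


def login_fixation_prone(sid: str, user: str) -> str:
    """Vulnerable pattern: the pre-existing session ID survives login, so
    whoever already knows that ID now shares the authenticated session."""
    SESSIONS[sid]["user"] = user
    return sid


def login_hardened(sid: str, user: str) -> str:
    """Mitigation named in the explanation: regenerate the ID on login.
    The old (possibly attacker-supplied) ID is destroyed."""
    SESSIONS.pop(sid, None)
    new_sid = create_session()
    SESSIONS[new_sid]["user"] = user
    return new_sid


def submit_payment(sid: str, form: dict) -> None:
    """The victim's form data is stored against whatever ID their browser holds."""
    SESSIONS[sid]["form"].update(form)


def attacker_can_read(attacker_sid: str) -> dict:
    """Whatever the attacker's original ID still resolves to is what Boney sees."""
    return SESSIONS.get(attacker_sid, {}).get("form", {})


def scenario(login) -> dict:
    """Replay the three steps of the question with the given login behaviour."""
    SESSIONS.clear()
    boney_sid = create_session()                         # step 1: attacker gets a valid ID
    victim_sid = login(boney_sid, "employee")            # step 2: victim logs in with that ID
    submit_payment(victim_sid, {"card": "4111-TEST"})    # step 3: constructed form data
    return attacker_can_read(boney_sid)


if __name__ == "__main__":
    print("no rotation:", scenario(login_fixation_prone))
    print("rotation   :", scenario(login_hardened))
```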

Question No 7:

Kevin, a hacker, attempts to breach the internal network of CyberTech Inc. To achieve this, he transmits network packets encoded with Unicode characters. This encoding method allows the packets to go undetected by the company’s Intrusion Detection System (IDS), even though the destination web server successfully interprets and processes them.

Which technique is Kevin using to evade detection by the IDS?

A. Session Splicing
B. Urgency Flag
C. Obfuscating
D. Desynchronization

Correct Answer: C. Obfuscating

Explanation:

Obfuscating refers to the deliberate alteration or encoding of data to make it less recognizable by security systems like IDS. In this scenario, Kevin's use of Unicode encoding transforms the contents of his malicious packets in a way that evades signature-based detection, while still allowing the server to interpret the content correctly.

Intrusion Detection Systems typically rely on pattern recognition or known attack signatures. By modifying the packet structure with Unicode, the attacker disguises the payload so that it no longer matches these patterns, effectively bypassing the IDS.

Although the IDS is unable to interpret the altered format, the target server is capable of decoding Unicode-encoded data, making the attack successful.

Other options are not applicable here:

  • Session Splicing involves splitting payloads across packets, which is not what Kevin is doing.

  • Urgency Flag is a TCP-level feature and unrelated to packet encoding for IDS evasion.

  • Desynchronization typically involves causing a mismatch in session states between IDS and the server, not encoding the packets.

Hence, obfuscating is the correct answer as it matches Kevin’s method of encoding data to defeat detection mechanisms.
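The detection-side counterpart of the technique above, as an added example that is not part of the original page: an IDS rule that compares bytes literally misses a path written with Unicode escapes or fullwidth characters, while a rule that first canonicalises the request the way the server will (decode escapes until stable, then NFKC-fold) still matches. The request lines and the signature `/admin/config` are constructed for the demonstration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed request lines: the same path written plainly and under Unicode
# encodings that a web server decodes but a byte-exact signature will not match.
SAMPLES = [
    "GET /admin/config HTTP/1.1",          # plain form: any rule matches
    "GET /%u0061dmin/config HTTP/1.1",     # %uXXXX Unicode escape for 'a'
    "GET /ａｄｍｉｎ/config HTTP/1.1",      # fullwidth compatibility characters
    "GET /public/index HTTP/1.1",          # benign control, must not alert
]
SIGNATURE = "/admin/config"  # assumed: the path the detection rule is written for


def decode_u_escapes(s: str) -> str:
    """Turn %uXXXX escapes into the code point they name."""
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def normalize(request: str, max_rounds: int = 3) -> str:
    """Canonicalise before matching: decode %u and percent escapes until the
    text stops changing, then NFKC-fold so fullwidth letters become ASCII."""
    s = request
    for _ in range(max_rounds):
        decoded = unquote(decode_u_escapes(s))
        if decoded == s:
            break
        s = decoded
    return unicodedata.normalize("NFKC", s)


def naive_match(request: str) -> bool:
    """Byte-exact signature match, the behaviour the question's IDS shows."""
    return SIGNATURE in request


def normalized_match(request: str) -> bool:
    """Same signature applied after canonicalisation."""
    return SIGNATURE in normalize(request)


def evaluate(samples=SAMPLES) -> list[tuple[bool, bool]]:
    """Return the (naive, normalized) verdict for each sample request."""
    return [(naive_match(r), normalized_match(r)) for r in samples]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLES, evaluate()):
        print(f"{verdict}  {req}")
```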

Question No 8:

While testing a web application's login form for SQL injection vulnerabilities, you target a Microsoft SQL Server backend. You input the following credentials:

Username: attack' or 1=1 --
Password: 123456

The -- sequence is used to comment out the remainder of the SQL statement. Based on this input, which SQL query would the system most likely execute if it is vulnerable to SQL injection?

A. select * from Users where UserName = 'attack' ' or 1=1 -- and UserPassword = '123456'
B. select * from Users where UserName = 'attack' or 1=1 -- and UserPassword = '123456'
C. select * from Users where UserName = 'attack or 1=1 -- and UserPassword = '123456'
D. select * from Users where UserName = 'attack' or 1=1 --' and UserPassword = '123456'

Correct Answer: B. select * from Users where UserName = 'attack' or 1=1 -- and UserPassword = '123456'

Explanation:

This scenario illustrates a classic example of SQL injection. The input attack' or 1=1 -- manipulates the structure of the SQL query used by the server. By terminating the original string with a quote and adding a logical condition that always evaluates to true (or 1=1), followed by a comment marker (--), the attacker bypasses authentication.

The resulting query is:
select * from Users where UserName = 'attack' or 1=1 -- and UserPassword = '123456'

Because 1=1 is always true, the WHERE clause condition becomes valid for all rows, and the -- ensures the password check is completely ignored. This tricks the system into granting access even without the correct password.

The other options contain flawed syntax or logic:

  • A has an extra quote that breaks the SQL statement.

  • C lacks proper quote placement around the attack username.

  • D includes improper placement of the comment sequence.

To prevent such attacks, developers must adopt secure coding practices, such as input validation and using parameterized queries or prepared statements, which separate user input from executable code.

Question No 9:

Which action is most likely to be performed during the scanning phase of an ethical hacking engagement?

A. Installing a remote access tool on the target system
B. Actively probing the target for open ports and services
C. Negotiating permission from the client for the engagement
D. Erasing logs from the target to conceal evidence

Correct Answer: B. Actively probing the target for open ports and services

Explanation:

In an ethical hacking operation, the scanning phase is the second stage of the process following reconnaissance. This phase is critical because it transitions from passive information gathering to active interaction with the target. Its main purpose is to identify open ports, running services, live hosts, and potential vulnerabilities in the systems being assessed.

Option A involves placing malware or backdoors, which belongs to the exploitation or post-exploitation stages. It is not appropriate for the scanning stage.

Option B is correct. This is where tools like Nmap, Nessus, or OpenVAS are typically used to identify accessible systems and services. Scanning can be done in two main forms: network scanning, which maps live hosts and open ports; and vulnerability scanning, which attempts to detect weaknesses in identified services.

Option C, negotiating permission, is part of the pre-engagement or planning phase and ensures the ethical hacker works within legal and defined scopes.

Option D, clearing logs, occurs during covering tracks, which is often related to post-exploitation or malicious behavior. Ethical hackers typically do not remove evidence of their actions unless it is specifically permitted and logged as part of the test.

Scanning serves as a bridge between discovering your target's public footprint and planning the actual attack. By mapping ports, identifying services, and sometimes fingerprinting OS types, an ethical hacker can move toward exploiting vulnerabilities with a clearer, structured approach. This phase must be performed cautiously to avoid detection if the assessment is meant to mimic real-world attack conditions, especially in black-box testing. Ethical hackers use both active and passive scanning, balancing depth of information with stealth.

Question No 10:

What type of attack involves manipulating input fields to inject unauthorized database queries?

A. Buffer overflow
B. Command injection
C. SQL injection
D. Cross-site scripting

Correct Answer: C. SQL injection

Explanation:

This question deals with a common and dangerous web vulnerability: SQL injection (SQLi). It occurs when attackers inject malicious SQL queries into input fields, exploiting improper handling of input and the lack of parameterized queries in the backend.

Option A, buffer overflow, involves overflowing a program's memory space, often used to execute arbitrary code.

Option B, command injection, involves injecting system commands via input fields to manipulate the underlying operating system, not the database.

Option C is correct. In SQL injection, the attacker targets vulnerabilities in input handling by crafting inputs like ' OR '1'='1 or DROP TABLE users; to manipulate SQL queries.

Option D, cross-site scripting (XSS), targets browsers and client-side scripts, not databases.

Mitigation strategies for SQLi include input validation, use of prepared statements (parameterized queries), stored procedures, and web application firewalls (WAFs). Tools like SQLMap are often used to automate this attack.
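The vulnerable login query from Question 8 beside the parameterized form recommended in Questions 8 and 10, as an added example that is not part of the original page. A constructed in-memory SQLite table stands in for the Microsoft SQL Server backend (the `--` comment marker behaves the same way in both), and the test input is the `attack' or 1=1 --` username from the question.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the Users table of the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, UserPassword TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """String concatenation: the user input becomes part of the SQL text, so
    the quote closes the literal, `or 1=1` widens the WHERE clause and `--`
    turns the password check into a comment."""
    return (f"select * from Users where UserName = '{username}' "
            f"and UserPassword = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Run the concatenated query and return the user names it matches."""
    rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    return [r[0] for r in rows]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list[str]:
    """Prepared statement: the input is bound as data and never parsed as SQL,
    so the same username is looked up literally and matches nothing."""
    rows = conn.execute(
        "select * from Users where UserName = ? and UserPassword = ?",
        (username, password)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    injected = "attack' or 1=1 --"
    print(build_vulnerable_query(injected, "123456"))
    print("concatenated :", login_vulnerable(db, injected, "123456"))
    print("parameterized:", login_parameterized(db, injected, "123456"))
```

The concatenated version returns every row because `1=1` is true for all of them, while the parameterized version returns an empty list for the same input and still authenticates a genuine user such as `alice` / `s3cret`.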