Free 312-50v13 Exam Questions
NEW QUESTION # 106
As a security consultant, what are some of the things you would recommend to a company to ensure DNS security?
- A. Restrict Zone transfers
- B. Have subnet diversity between DNS servers
- C. Use the same machines for DNS and other applications
- D. Harden DNS servers
- E. Use split-horizon operation for DNS servers
Answer: A,B,D,E
NEW QUESTION # 107
You are programming a buffer overflow exploit and you want to create a NOP sled of 200 bytes in the program exploit.c. What is the hexadecimal value of the NOP instruction?
- A. 0x80
- B. 0x60
- C. 0x90
- D. 0x70
Answer: C
NEW QUESTION # 108
An ethical hacker is scanning a target network. They initiate a TCP connection by sending a SYN packet to a target machine and receiving a SYN/ACK packet in response. But instead of completing the three-way handshake with an ACK packet, they send an RST packet. What kind of scan is the ethical hacker likely performing and what is their goal?
- A. They are performing a SYN scan to stealthily identify open ports without fully establishing a connection
- B. They are performing a TCP connect scan to identify open ports on the target machine
- C. They are performing a network scan to identify live hosts and their IP addresses
- D. They are performing a vulnerability scan to identify any weaknesses in the target system
Answer: A
Explanation:
The ethical hacker is likely performing a SYN scan to stealthily identify open ports without fully establishing a connection. A SYN scan, also known as a half-open scan or a stealth scan, is a port scanning technique that exploits the TCP three-way handshake. The hacker sends a SYN packet to a target port and waits for a response. If the target responds with a SYN/ACK packet, the port is open and listening for connections. If the target responds with an RST packet, the port is closed and not accepting connections. However, instead of completing the handshake with an ACK packet, the hacker sends an RST packet to abort the connection. This way, the hacker avoids creating a full connection (and the corresponding log entry on the target system), making the scan less detectable and intrusive. The hacker can repeat this process for different ports and identify which ones are open and potentially vulnerable to exploitation [1][2].
The other options are not correct for the following reasons:
* TCP connect scan to identify open ports on the target machine: this option is incorrect because a TCP connect scan establishes a full connection with the target port by completing the TCP three-way handshake. The hacker sends a SYN packet, receives a SYN/ACK packet, and then sends an ACK packet to finalize the connection. The hacker then terminates the connection with an RST or FIN packet. A TCP connect scan is more reliable and compatible than a SYN scan, but also noisier and slower, as it creates more traffic and logs on the target system [1][2].
* Vulnerability scan to identify any weaknesses in the target system: this option is incorrect because a vulnerability scan is a broader and deeper process than a port scan. A vulnerability scan identifies and assesses the security flaws and risks in a system or network, such as missing patches, misconfigurations, outdated software, or weak passwords. A vulnerability scan may use port scanning as one of its techniques, but it also uses other methods, such as banner grabbing, service enumeration, or exploit testing. A vulnerability scan usually requires more time, resources, and permissions than a port scan [3][4].
* Network scan to identify live hosts and their IP addresses: this option is incorrect because a network scan is a different process than a port scan. A network scan discovers and maps the devices and hosts connected to a network, such as routers, switches, servers, or workstations. A network scan may use ping, traceroute, or ARP requests to identify the IP addresses, MAC addresses, and hostnames of the live hosts. A network scan usually precedes a port scan, as it provides the target range and scope for the port scan [5][6].
References:
* [1] Port Scanning Techniques - an overview | ScienceDirect Topics
* [2] nmap Host Discovery Techniques
* [3] Vulnerability Scanning Tools | OWASP Foundation
* [4] What Is Vulnerability Scanning? Types, Tools and Best Practices | Splunk
* [5] Network Scanning - an overview | ScienceDirect Topics
* [6] Network Scanning - Nmap
NEW QUESTION # 109
Which technique is commonly used by attackers to evade firewall detection?
- A. Using open-source operating systems
- B. Social engineering employees
- C. Spoofing source IP addresses to appear trusted
- D. Using encrypted communication channels
Answer: D
Explanation:
CEH v13 identifies encrypted communication channels as one of the most common and effective firewall evasion techniques. Firewalls that rely on packet inspection or signature-based filtering often cannot inspect encrypted payloads without SSL/TLS interception capabilities.
By encrypting malicious traffic (using HTTPS, VPN tunnels, or encrypted C2 channels), attackers can bypass firewall rules that inspect packet contents. CEH v13 emphasizes that this technique is widely used in malware communication, data exfiltration, and command-and-control operations.
Spoofing source IP addresses is limited by ingress and egress filtering and is less effective against modern firewalls.
Open-source operating systems do not inherently evade firewalls. Social engineering targets users, not firewalls.
Therefore, using encrypted communication channels is the correct and CEH-aligned answer.
NEW QUESTION # 110
During an internal security assessment of a medium-sized enterprise network, a security analyst notices an unusual spike in ARP traffic. Closer inspection reveals that one particular MAC address is associated with multiple IP addresses across different subnets. The ARP packets were unsolicited replies rather than requests, and several employees from different departments have reported intermittent connection drops, failed logins, and broken intranet sessions. The analyst suspects an intentional interference on the local network segment.
What is the most likely cause of this abnormal behavior?
- A. Port security restricting all outbound MAC responses
- B. Legitimate ARP table refresh on all clients
- C. DHCP snooping improperly configured
- D. ARP poisoning causing routing inconsistencies
Answer: D
Explanation:
CEH v13 explains that ARP poisoning (also known as ARP spoofing) occurs when an attacker sends forged ARP replies across the network to associate their MAC address with multiple IP addresses, tricking hosts into sending traffic through the attacker's machine. This results in routing inconsistencies, intermittent connectivity, failed logins, and degraded intranet performance, exactly the symptoms described. ARP poisoning typically involves unsolicited ARP replies, which overwrite legitimate ARP cache entries. CEH emphasizes that ARP-based attacks are common on LANs because ARP lacks authentication, allowing attackers to impersonate gateways or key hosts. DHCP snooping misconfigurations affect IP allocation, not ARP mappings. Legitimate ARP refreshes are request-based and do not involve flooding unsolicited replies. Port security restrictions block MAC anomalies; they do not create them.
Therefore, ARP poisoning is the correct root cause.
NEW QUESTION # 111
The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list.
You successfully brute-force the SNMP community string using an SNMP cracking tool.
The access-list prevents you from establishing a successful connection.
You want to retrieve the Cisco configuration from the router. How would you proceed?
- A. Run a network sniffer and capture the returned traffic with the configuration file from the router
- B. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address
- C. Send a customized SNMP set request with a spoofed source IP address in the 192.168.1.0 range
- D. Use the Cisco's TFTP default password to connect and download the configuration file
Answer: C
Explanation:
If SNMP access is restricted to specific IP addresses (e.g., 192.168.1.0/24), you can bypass access controls by:
* Spoofing the source IP to fall within that allowed range.
* Using an SNMP set request to instruct the device (e.g., to copy its configuration to a TFTP server).
This is a classic SNMP spoofing attack.
From CEH v13 Courseware:
* Module 4: Enumeration - SNMP Enumeration Attacks
References:
* CEH v13 Study Guide - Module 4: SNMP Attacks and Access Controls
* CVE-1999-0517 - SNMP Default Community String Vulnerability
NEW QUESTION # 112
Which of the following allows attackers to draw a map or outline of the target organization's network infrastructure to know about the actual environment that they are going to hack?
- A. Scanning networks
- B. Vulnerability analysis
- C. Enumeration
- D. Malware analysis
Answer: A
Explanation:
Objectives of Footprinting: Draw Network Map. Combining footprinting techniques with tools such as Tracert allows the attacker to create diagrammatic representations of the target organization's network presence. Specifically, it allows attackers to draw a map or outline of the target organization's network infrastructure to know about the actual environment that they are going to break into. These network diagrams can guide the attacker in performing an attack. (P.114/98)
NEW QUESTION # 113
Fleet vehicles with smart locking systems were compromised after attackers captured unique signals from key fobs. What should the security team prioritize to confirm and prevent this attack?
- A. Secure firmware updates
- B. Deploy anti-malware on smartphones
- C. Monitor wireless signals for jamming or interference
- D. Increase physical surveillance
Answer: C
Explanation:
This scenario aligns with a Replay Attack against RF-based smart key systems, covered in CEH v13 IoT and OT Hacking. Attackers capture radio-frequency signals transmitted by key fobs and replay them to unlock vehicles.
CEH v13 emphasizes that detecting and preventing such attacks requires monitoring wireless RF signals for anomalies such as signal replay, interference, or jamming patterns. RF analysis helps confirm unauthorized signal capture and retransmission.
Firmware updates may mitigate future vulnerabilities, but confirmation requires RF monitoring. Physical surveillance and smartphone malware controls are unrelated to RF replay attacks. Therefore, monitoring wireless signals for jamming or interference is the correct option.
NEW QUESTION # 114
You are Maya, a security engineer at HarborPoint Cloud Services in Chicago, Illinois, performing a post-incident hardening review after an internal audit flagged multiple services that rely on legacy public-key algorithms. The engineering team must prioritize actions company-wide to reduce long-term risk from future quantum-capable adversaries while development continues on a large refactor of several services. Which proactive control should Maya recommend as the highest-priority change to embed into the organization's development lifecycle to improve future resistance to quantum-based attacks?
- A. Encrypt stored data with quantum-resistant algorithms
- B. Use quantum-specific firewalls to protect quantum communication channels
- C. Break data into fragments and distribute it across multiple locations
- D. Include quantum-resistance checks in SDLC and code review processes
Answer: D
Explanation:
The highest-priority proactive control "to embed into the organization's development lifecycle" is including quantum-resistance checks in the SDLC and code review processes. The scenario emphasizes a company-wide, long-term risk reduction strategy while development continues on a major refactor. In that context, the most scalable and durable control is governance and engineering hygiene: ensuring that new features and refactored components do not reintroduce weak or legacy cryptography and that teams consistently select algorithms and key sizes aligned with modern guidance and future migration plans.
Embedding checks into the SDLC means instituting standards and guardrails such as approved cryptographic libraries, banned algorithm lists (e.g., legacy RSA key sizes, deprecated curves, weak hashes), cryptography design reviews, automated dependency scanning for crypto usage, and CI/CD policy gates that flag noncompliant implementations. This approach reduces "crypto sprawl," prevents new technical debt, and creates a structured path to transition toward post-quantum or quantum-resistant approaches as the organization modernizes systems.
Why the other choices are not the best "highest priority" SDLC-embedded control:
Encrypting stored data with quantum-resistant algorithms may be appropriate for protecting long-lived sensitive data ("harvest now, decrypt later"), but it is a targeted technical control and may not be feasible immediately across many services during refactoring. It also does not by itself prevent developers from continuing to implement legacy public-key schemes elsewhere.
Quantum-specific firewalls are not a realistic or standard control for post-quantum readiness in typical enterprise environments.
Fragmenting data across locations can help resilience and confidentiality in some designs but does not address the core issue: preventing continued reliance on weak public-key cryptography.
Therefore, the best answer is to include quantum-resistance checks in SDLC and code review processes.
NEW QUESTION # 115
You receive an email prompting you to download "Antivirus 2010" software using a suspicious link. The software claims to provide protection but redirects you to an unknown site.
How will you determine if this is a Real or Fake Antivirus website?
- A. Search using the URL and Antivirus product name into Google and look out for suspicious warnings against this site
- B. Connect to the site using SSL, if you are successful then the website is genuine
- C. Download and install Antivirus software from this suspicious looking site, your Windows 7 will prompt you and stop the installation if the downloaded file is a malware
- D. Look at the website design, if it looks professional then it is a Real Antivirus website
Answer: A
Explanation:
Fake antivirus (also known as scareware) tricks users into downloading malware disguised as legitimate antivirus software.
The best approach:
* Google the product name and URL.
* Check reputable forums, antivirus vendors, or security advisories.
* Look for phishing warnings or reports of malware.
From CEH v13 Courseware:
* Module 7: Social Engineering and Phishing Scams
* Module 6: Malware Threats - Rogue Software
References:
* CEH v13 Study Guide - Module 6: Fake Antivirus and Scareware
* US-CERT Alert TA13-112A - Detecting Fake Antivirus Software
NEW QUESTION # 116
An energy infrastructure company in Tulsa, Oklahoma initiated a controlled phishing simulation targeting multiple operational departments. The test email claimed to originate from the corporate compliance office and instructed employees to "complete a mandatory regulatory update within the next 30 minutes to avoid account suspension." The message used a broad salutation instead of employee names and lacked the standard corporate signature footer normally appended to official communications. Additionally, security analysts observed that the embedded hyperlink displayed the organization's domain in the message body; however, when examined more closely, the actual destination resolved to a shortened external URL redirecting to an unrelated host. From a defensive analysis standpoint, which indicator provides the strongest technical validation that the message is malicious?
- A. The strongest technical indicator is the hover mismatch URL. CEH social engineering and email-phishing guidance treats deceptive links as one of the clearest validation points because the visible text shown to the user can be made to look trustworthy while the actual hyperlink target leads somewhere completely different. In this scenario, the email imitates an internal compliance notice and uses urgency, generic greetings, and a missing corporate signature, all of which are suspicious. However, those signals are still contextual and behavioral. The most technically reliable evidence is that the displayed organization domain does not match the true destination, which resolves through a shortened external URL to an unrelated host. CEH materials consistently explain that phishing messages frequently redirect victims to fake login pages or malicious sites through disguised links, and verifying the real destination is a core defensive step. This is more conclusive than style-based clues because branding mistakes or greetings alone may vary in legitimate communications. A mismatch between displayed and actual URL directly shows intentional deception in message construction, making it the best technical validation that the message is malicious.
- B. Use of generic greetings rather than individualized addressing
- C. Identification of Hover Mismatch URLs in the embedded link
- D. Absence of a formal corporate signature
- E. Presence of aggressive urgency language
Answer: A,B,C,D,E
NEW QUESTION # 117
Infecting a system with malware and using phishing to gain credentials to a system or web application are examples of which phase of the ethical hacking methodology?
- A. Scanning
- B. Reconnaissance
- C. Gaining access
- D. Maintaining access
Answer: C
Explanation:
In this phase the hacker uses different techniques and tools to obtain as much data from the system as possible. They are:
* Password cracking - methods like brute force, dictionary attack, rule-based attack and rainbow tables are used. Brute force tries all combinations of the password. A dictionary attack tries a list of meaningful words until the password matches. A rainbow table takes the hash value of the password and compares it with pre-computed hash values until a match is discovered.
* Password attacks - passive attacks like wire sniffing and replay attacks; active online attacks like Trojans, keyloggers, hash injection and phishing; offline attacks like pre-computed hash, distributed network and rainbow attacks; non-electronic attacks like shoulder surfing, social engineering and dumpster diving.
NEW QUESTION # 118
What would be the purpose of running "wget 192.168.0.15 -q -S" against a web server?
- A. Flooding the web server with requests to perform a DoS attack
- B. Downloading all the contents of the web page locally for further examination
- C. Performing content enumeration on the web server to discover hidden folders
- D. Using wget to perform banner grabbing on the webserver
Answer: D
Explanation:
From the wget options:
-q, --quiet: quiet (no output)
-S, --server-response: print server response
With -q suppressing wget's own progress output and -S printing the HTTP response headers sent by the server (such as the Server header that identifies the web server software), the command effectively grabs the server's banner.
NEW QUESTION # 119
What is GINA?
- A. GUI Installed Network Application CLASS
- B. Gateway Interface Network Application
- C. Global Internet National Authority (G-USA)
- D. Graphical Identification and Authentication DLL
Answer: D
Explanation:
GINA stands for Graphical Identification and Authentication. It is a Windows component (a DLL) that provides the user interface for logging into a Windows system.
* Located in msgina.dll (in legacy Windows)
* Handles the Ctrl+Alt+Del screen
* Collects credentials (username/password) and passes them to the Local Security Authority (LSA)
From CEH v13 Courseware:
* Module 6: Malware Threats
* Module 4: Windows Authentication Internals
CEH v13 Study Guide states:
"The Graphical Identification and Authentication (GINA) is a DLL that implements the authentication UI for Windows systems. Malicious actors can create custom GINA DLLs to capture login credentials."
Reference: Microsoft MSDN - GINA Architecture (legacy documentation)
NEW QUESTION # 120
In this form of encryption algorithm, every individual block contains 64-bit data, and three keys are used, where each key consists of 56 bits. Which is this encryption algorithm?
- A. AES
- B. MD5 encryption algorithm
- C. IDEA
- D. Triple Data Encryption standard
Answer: D
Explanation:
Triple DES is another mode of DES operation. It takes three 64-bit keys, for an overall key length of 192 bits.
In Stealth, you simply type in the entire 192-bit (24-character) key instead of entering each of the three keys individually. The Triple DES DLL then breaks the user-provided key into three subkeys, padding the keys if necessary so that they are each 64 bits long. The procedure for encryption is exactly the same as regular DES, but it is repeated three times, hence the name Triple DES. The data is encrypted with the first key, decrypted with the second key, and finally encrypted again with the third key. Triple DES runs three times slower than DES, but is far more secure if used properly. The procedure for decrypting something is the same as the procedure for encryption, except it is executed in reverse. Like DES, data is encrypted and decrypted in 64-bit blocks. Although the input key for DES is 64 bits long, the actual key used by DES is only 56 bits long. The least significant (right-most) bit in each byte is a parity bit, and should be set so that there is always an odd number of 1s in every byte. These parity bits are ignored, so only the seven most significant bits of each byte are used, resulting in a key length of 56 bits.
This means that the effective key strength for Triple DES is actually 168 bits, because each of the three keys contains 8 parity bits that are not used during the encryption process.
Triple DES modes:
* Triple ECB (Electronic Code Book): this variant of Triple DES works exactly the same way as the ECB mode of DES. It is the most commonly used mode of operation.
* Triple CBC (Cipher Block Chaining): this method is very similar to the standard DES CBC mode. As with Triple ECB, the effective key length is 168 bits and the keys are used in the same manner as described above, but the chaining features of CBC mode are also employed. The first 64-bit key acts as the Initialization Vector to DES. Triple ECB is then executed for a single 64-bit block of plaintext. The resulting ciphertext is then XORed with the next plaintext block to be encrypted, and the procedure is repeated. This method adds an additional layer of security to Triple DES and is therefore more secure than Triple ECB, although it is not used as widely as Triple ECB.
NEW QUESTION # 121
Jane invites her friends Alice and John over for a LAN party. Alice and John access Jane's wireless network without a password. However, Jane has a long, complex password on her router. What attack has likely occurred?
- A. Wireless sniffing
- B. Evil twin
- C. Wardriving
- D. Piggybacking
Answer: B
Explanation:
An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. [1] The evil twin is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent website and luring people there. The attacker snoops on Internet traffic using a bogus wireless access point. Unwitting web users may be invited to log into the attacker's server, prompting them to enter sensitive information like usernames and passwords. Often, users are unaware they have been duped until well after the incident has occurred. When users log into unsecured (non-HTTPS) bank or e-mail accounts, the attacker intercepts the transaction, since it is sent through their equipment. The attacker is also able to connect to other networks associated with the users' credentials. Fake access points are set up by configuring a wireless card to act as an access point (known as HostAP). They are hard to trace since they can be shut off instantly. The counterfeit access point may be given the same SSID and BSSID as a nearby Wi-Fi network. The evil twin can be configured to pass Internet traffic through to the legitimate access point while monitoring the victim's connection, or it can simply say the system is temporarily unavailable after obtaining a username and password.
NEW QUESTION # 122
Which DNS resource record can indicate how long any "DNS poisoning" could last?
- A. TIMEOUT
- B. NS
- C. MX
- D. SOA
Answer: D
Explanation:
DNS poisoning (also known as DNS cache poisoning) occurs when a malicious actor injects false DNS data into a DNS resolver's cache. The poisoned entry will persist for the duration of its TTL (Time To Live), which is defined in the DNS SOA (Start of Authority) record.
The SOA record contains several fields, including:
* Serial number
* Refresh
* Retry
* Expire
* Minimum TTL
The Minimum TTL value in the SOA record determines how long a DNS resolver should cache the DNS data, including any potentially poisoned data.
From CEH v13 Official Courseware:
* Module 3: Scanning Networks
* Topic: DNS Enumeration & Poisoning
CEH v13 Study Guide states:
"The SOA record includes a minimum TTL value that dictates how long DNS information should be cached by other DNS servers. If DNS cache poisoning occurs, the false information will persist until the TTL expires."
Incorrect options:
* MX (Mail Exchange) defines mail servers, not TTLs.
* NS (Name Server) specifies authoritative servers, not caching durations.
* TIMEOUT is not a valid DNS resource record.
References:
* CEH v13 Study Guide - Module 3: DNS Records - SOA Record Structure and TTL
* RFC 1035 - Domain Names: Implementation and Specification (Section 3.3.13)
NEW QUESTION # 123
A senior executive receives a personalized email titled "Annual Performance Review 2024." The email includes a malicious PDF that installs a backdoor when opened. The message appears to originate from the CEO and uses official company branding. Which phishing technique does this scenario best illustrate?
- A. Broad phishing sent to all employees
- B. Email clone attack with altered attachments
- C. Whaling attack targeting high-ranking personnel
- D. Pharming using DNS poisoning
Answer: C
Explanation:
The Certified Ethical Hacker (CEH) Social Engineering module defines whaling as a highly targeted phishing attack aimed specifically at senior executives or high-ranking personnel.
This scenario exhibits all whaling characteristics: personalization, impersonation of leadership, business-themed content, and tailored malware delivery.
Whaling is the correct option.
An email clone attack involves copying legitimate emails, but does not necessarily target executives.
Broad phishing sent to all employees lacks targeting.
Pharming using DNS poisoning is unrelated to email-based attacks.
CEH stresses executive awareness training to counter whaling attacks.
NEW QUESTION # 124
Harris is attempting to identify the OS running on his target machine. He inspected the initial TTL in the IP header and the related TCP window size and obtained the following results:
TTL: 64 Window Size: 5840
What is the OS running on the target machine?
- A. Windows OS
- B. Mac OS
- C. Linux OS
- D. Solaris OS
Answer: C