[Q203-Q227] Verified 312-50v13 dumps Q&As - Pass Guarantee or Full Refund [Feb-2026]

Share

Verified 312-50v13 dumps Q&As - Pass Guarantee or Full Refund [Feb-2026]

312-50v13 PDF Dumps | Feb 08, 2026 Recently Updated Questions 

NEW QUESTION # 203
What useful information is gathered during a successful Simple Mail Transfer Protocol (SMTP) enumeration?

  • A. The two internal commands VRFY and EXPN provide a confirmation of valid users, email addresses, aliases, and mailing lists.
  • B. A list of all mail proxy server addresses used by the targeted host
  • C. The internal command RCPT provides a list of ports open to message traffic.
  • D. Reveals the daily outgoing message limits before mailboxes are locked

Answer: A

Explanation:
SMTP enumeration involves probing a mail server to gather information about users and configurations. Two important SMTP commands used in enumeration are:
* VRFY: Verifies whether a particular email address or user ID exists on the mail server.
* EXPN: Reveals the actual addresses behind a mailing list or alias.
These commands allow attackers or penetration testers to enumerate valid user accounts or group memberships, which can later be targeted for phishing, spam, or brute-force attacks.
Incorrect Options:
* B. Daily outgoing message limits are not typically disclosed via SMTP.
* C. RCPT TO is used to designate a message recipient, but it doesn't enumerate open ports.
* D. Mail proxy addresses are not revealed directly via SMTP enumeration.
Reference - CEH v13 Official Courseware:
Module 04: Enumeration
Section: "SMTP Enumeration Techniques"
Tool Reference: smtp-user-enum, Netcat


NEW QUESTION # 204
Peter is surfing the internet looking for information about DX Company. Which hacking process is Peter doing?

  • A. Scanning
  • B. Enumeration
  • C. Footprinting
  • D. System Hacking

Answer: C


NEW QUESTION # 205
An attacker with access to the inside network of a small company launches a successful STP manipulation attack. What will he do next?

  • A. He will create a SPAN entry on the spoofed root bridge and redirect traffic to his computer.
  • B. He will activate OSPF on the spoofed root bridge.
  • C. He will repeat the same attack against all L2 switches of the network.
  • D. He will repeat this action so that it escalates to a DoS attack.

Answer: A


NEW QUESTION # 206
John, a professional hacker, targeted CyberSol Inc., an MNC. He decided to discover the IoT devices connected in the target network that are using default credentials and are vulnerable to various hijacking attacks. For this purpose, he used an automated tool to scan the target network for specific types of IoT devices and detect whether they are using the default, factory-set credentials. What is the tool employed by John in the above scenario?

  • A. IoT Inspector
  • B. AT&T IoT Platform
  • C. IoTSeeker
  • D. Azure IoT Central

Answer: C

Explanation:
IoTSeeker is a specialized tool used to identify Internet of Things (IoT) devices that are accessible over a network and are still configured with their default factory credentials. These devices often ship with insecure settings, which attackers can exploit.
From CEH v13 Official Courseware:
* IoTSeeker:
* Automatically scans for common IoT devices
* Uses a database of known default usernames and passwords
* Flags insecure devices for further investigation or exploitation
* The tool is commonly used in the reconnaissance phase for identifying low-hanging vulnerabilities in IoT environments.
Incorrect options:
* B. IoT Inspector monitors network traffic for smart devices but is more focused on behavior monitoring than credential scanning.
* C. AT&T IoT Platform and D. Azure IoT Central are legitimate enterprise platforms for IoT device management and are not penetration testing tools.
Reference - CEH v13 Official Courseware:
Module 18: IoT and OT Hacking
Section: "IoT Attack Surface"
Tool Reference: "IoTSeeker"
Practical Lab: CEH Engage IoT Device Discovery


NEW QUESTION # 207
Techno Security Inc. recently hired John as a penetration tester. He was tasked with identifying open ports in the target network and determining whether the ports are online and any firewall rule sets are encountered.
John decided to perform a TCP SYN ping scan on the target network. Which of the following Nmap commands must John use to perform the TCP SYN ping scan?

  • A. nmap -sn -PS <target IP address>
  • B. nmap -sn -PA <target IP address>
  • C. nmap -sn -pp <target IP address>
  • D. nmap -sn -PO <target IP address>

Answer: A

Explanation:
In CEH v13 Module 03: Scanning Networks, under the Nmap Host Discovery Techniques, TCP SYN ping scan is explained as one of the methods used to determine whether a host is online by sending SYN packets to specified TCP ports.
When using Nmap:
* -PS specifies a TCP SYN ping scan. It sends SYN packets to a given port (by default port 80, unless specified) to check whether a host is up and whether the port is open.
* The response type to this SYN packet determines the host status:
* If a SYN/ACK is received, it indicates the port is open, and the host is up.
* If RST is received, the port is closed, but the host is still considered online.
* If no response or ICMP unreachable is received, the host may be down or filtered.
Clarification of options:
* A. -pp: This is not a valid Nmap option.
* B. -PO: This sends IP Protocol Ping, used less frequently and not the same as SYN ping.
* C. -PS: Correct. Performs a TCP SYN Ping Scan.
* D. -PA: Sends TCP ACK Ping, used to determine firewall presence but not the same as SYN scan.
Reference from CEH v13 Study Guide and Course Material:
* CEH v13 Official Module 03 - Scanning Networks, Slide: Nmap Host Discovery Techniques
* EC-Council iLabs - Scanning Networks Practical Lab Guide: Section on nmap -sn -PS
* Nmap Official Documentation (also referenced in CEH): https://nmap.org/book/man-host-discovery.
html


NEW QUESTION # 208
You just set up a security system in your network. In what kind of system would you find the following string of characters used as a rule within its configuration? alert tcp any any -> 192.168.100.0/24 21 (msg: ""FTP on the network!"";)

  • A. A Router IPTable
  • B. An Intrusion Detection System
  • C. FTP Server rule
  • D. A firewall IPTable

Answer: B


NEW QUESTION # 209
MX record priority increases as the number increases. (True/False.)

  • A. False
  • B. True

Answer: A

Explanation:
MX (Mail Exchange) records in DNS define the mail servers responsible for receiving email for a domain.
Each MX record has a priority value.
Important concept:
* A lower number indicates a higher priority.
* Email servers attempt delivery to the mail server with the lowest priority first.
For example:
If MX records are:
* 10 mail1.example.com
* 20 mail2.example.com
Then mail1 will be tried first. If it fails, mail2 will be used.
So the statement "MX record priority increases as the number increases" is false.
Reference:CEH v13 Study Guide - Module 3: DNS Records # MX Record Priority ExplanationRFC 974 - Mail Routing and the Domain System


NEW QUESTION # 210
To create a botnet. the attacker can use several techniques to scan vulnerable machines. The attacker first collects Information about a large number of vulnerable machines to create a list. Subsequently, they infect the machines. The list Is divided by assigning half of the list to the newly compromised machines. The scanning process runs simultaneously. This technique ensures the spreading and installation of malicious code in little time.
Which technique is discussed here?

  • A. Hit-list-scanning technique
  • B. Permutation scanning technique
  • C. Subnet scanning technique
  • D. Topological scanning technique

Answer: A

Explanation:
One of the biggest problems a worm faces in achieving a very fast rate of infection is "getting off the ground." although a worm spreads exponentially throughout the early stages of infection, the time needed to infect say the first 10,000 hosts dominates the infection time.
There is a straightforward way for an active worm a simple this obstacle, that we term hit-list scanning.
Before the worm is free, the worm author collects a listing of say ten,000 to 50,000 potentially vulnerable machines, ideally ones with sensible network connections. The worm, when released onto an initial machine on this hit-list, begins scanning down the list. once it infects a machine, it divides the hit-list in half, communicating half to the recipient worm, keeping the other half.
This fast division ensures that even if only 10-20% of the machines on the hit-list are actually vulnerable, an active worm can quickly bear the hit-list and establish itself on all vulnerable machines in only some seconds.
though the hit-list could begin at 200 kilobytes, it quickly shrinks to nothing during the partitioning. This provides a great benefit in constructing a quick worm by speeding the initial infection.
The hit-list needn't be perfect: a simple list of machines running a selected server sort could serve, though larger accuracy can improve the unfold. The hit-list itself is generated victimization one or many of the following techniques, ready well before, typically with very little concern of detection.
* Stealthy scans. Portscans are so common and then wide ignored that even a quick scan of the whole net would be unlikely to attract law enforcement attention or over gentle comment within the incident response community. However, for attackers wish to be particularly careful, a randomised sneaky scan taking many months would be not possible to attract much attention, as most intrusion detection systems are not currently capable of detecting such low-profile scans. Some portion of the scan would be out of date by the time it had been used, however abundant of it'd not.
* Distributed scanning. an assailant might scan the web using a few dozen to some thousand already- compromised "zombies," the same as what DDOS attackers assemble in a very fairly routine fashion.
Such distributed scanning has already been seen within the wild-Lawrence Berkeley National Laboratory received ten throughout the past year.
* DNS searches. Assemble a list of domains (for example, by using wide offered spam mail lists, or trolling the address registries). The DNS will then be searched for the science addresses of mail-servers (via mx records) or net servers (by looking for www.domain.com).
* Spiders. For net server worms (like Code Red), use Web-crawling techniques the same as search engines so as to produce a list of most Internet-connected web sites. this would be unlikely to draw in serious attention.
* Public surveys. for many potential targets there may be surveys available listing them, like the Netcraft survey.
* Just listen. Some applications, like peer-to-peer networks, wind up advertising many of their servers.
Similarly, many previous worms effectively broadcast that the infected machine is vulnerable to further attack. easy, because of its widespread scanning, during the Code Red I infection it was easy to select up the addresses of upwards of 300,000 vulnerable IIS servers-because each came knock on everyone's door!


NEW QUESTION # 211
Why are containers less secure than virtual machines?

  • A. Containers may fulfill disk space of the host.
  • B. Containers are attached to the same virtual network.
  • C. A compromised container may cause a CPU starvation of the host.
  • D. Host OS on containers has a larger surface attack.

Answer: D

Explanation:
Comprehensive and Detailed Explanation:
Containers share the same host operating system kernel, unlike VMs which run isolated kernels. This shared kernel increases the attack surface - a compromise in one container can potentially affect the entire host if kernel-level access is obtained.
From CEH v13 Courseware:
* Module 14: Hacking Web Applications # Container Security
* "Containers are less secure because they share the host kernel. Attackers compromising the container can exploit vulnerabilities in the shared OS." Reference: OWASP Container Security Guide


NEW QUESTION # 212
Which of the following is assured by the use of a hash?

  • A. Confidentiality
  • B. Availability
  • C. Integrity
  • D. Authentication

Answer: C


NEW QUESTION # 213
What port number is used by LDAP protocol?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: B


NEW QUESTION # 214
A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network.
What are some things he can do to prevent it? Select the best answers.

  • A. Use a tool like ARPwatch to monitor for strange ARP activity.
  • B. Use only static IP addresses on all PC's.
  • C. If you have a small network, use static ARP entries.
  • D. Use port security on his switches.
  • E. Use a firewall between all LAN segments.

Answer: A,C,D


NEW QUESTION # 215
These hackers have limited or no training and know how to use only basic techniques or tools. What kind of hackers are we talking about?

  • A. Black-Hat Hackers
  • B. Gray-Hat Hackers
  • C. Script Kiddies
  • D. White-Hat Hackers

Answer: C

Explanation:
Comprehensive and Detailed Explanation:
Script Kiddies are individuals with minimal technical skills who use existing tools or scripts developed by others to perform attacks. They generally do not understand the underlying mechanisms and rely on publicly available hacking tools.
From CEH v13 Official Study Guide:
* Module 1: Introduction to Ethical Hacking # Hacker Types
* "Script kiddies are unskilled attackers who use tools created by others." Reference: CEH v13 Courseware - Hacker Classification


NEW QUESTION # 216
An attacker identified that a user and an access point are both compatible with WPA2 and WPA3 encryption.
The attacker installed a rogue access point with only WPA2 compatibility in the vicinity and forced the victim to go through the WPA2 four-way handshake to get connected. After the connection was established, the attacker used automated tools to crack WPA2-encrypted messages. What is the attack performed in the above scenario?

  • A. Cache-based attack
  • B. Side-channel attack
  • C. Downgrade security attack
  • D. Timing-based attack

Answer: C

Explanation:
The described attack is a Downgrade Security Attack. In this scenario:
* The legitimate client and access point support both WPA2 and WPA3.
* The attacker introduces a rogue AP that only supports WPA2.
* The victim connects to this rogue AP using WPA2 (less secure) instead of WPA3.
* Once downgraded, the attacker captures the handshake and attempts to crack the WPA2 encryption.
This is known as a "Downgrade Attack" or "Downgrade Negotiation Attack," which exploits backward compatibility in security protocols.
Incorrect Options:
* A. Timing-based attacks usually refer to side-channel analysis, not protocol downgrading.
* B. Side-channel attacks extract info via timing, power usage, etc., not protocol negotiation.
* D. Cache-based attacks exploit memory caching behavior.
Reference - CEH v13 Official Courseware:
Module 16: Hacking Wireless Networks
Section: "Wireless Encryption Attacks"
Subsection: "Downgrade Attacks (WPA3 to WPA2) and Rogue Access Points"


NEW QUESTION # 217
Which Nmap switch helps evade IDS or firewalls?

  • A. -D
  • B. -n/-R
  • C. -T
  • D. -0N/-0X/-0G

Answer: A

Explanation:
In CEH v13 Module 03: Scanning Networks, Nmap's evasion techniques are discussed for bypassing or confusing Intrusion Detection Systems (IDS) and firewalls.
The -D option in Nmap is used to enable decoy scanning. It inserts false IP addresses in the scan to obfuscate the true origin of the scan.
This technique helps in masking the attacker's IP and can confuse IDS logs.
Option Clarification:
A: -n/-R: Disables DNS resolution (-n) or uses reverse DNS (-R), does not evade detection.
B: -0N/-0X/-0G: Output formats (normal, XML, grepable), not related to evasion.
C: -T: Controls timing (e.g., -T0 is stealthy, -T5 is aggressive), but not explicitly for IDS evasion.
D: Correct. Used for IDS/firewall evasion by using decoy IPs.
Reference:
Module 03 - Scanning with Evasion Options
Nmap Official Docs: https://nmap.org/book/man-bypass-firewalls-ids.html


NEW QUESTION # 218
Which of the following antennas is commonly used in communications for a frequency band of 10 MHz to VHF and UHF?

  • A. Parabolic grid antenna
  • B. Yagi antenna
  • C. Omnidirectional antenna
  • D. Dipole antenna

Answer: B


NEW QUESTION # 219
Study the snort rule given below:

From the options below, choose the exploit against which this rule applies.

  • A. MyDoom
  • B. SQL Slammer
  • C. MS Blaster
  • D. WebDav

Answer: C


NEW QUESTION # 220
Calvin, a grey-hat hacker, targets a web application that has design flaws in its authentication mechanism. He enumerates usernames from the login form of the web application, which requests users to feed data and specifies the incorrect field in case of invalid credentials. Later, Calvin uses this information to perform social engineering.
Which of the following design flaws in the authentication mechanism is exploited by Calvin?

  • A. Insecure transmission of credentials
  • B. User impersonation
  • C. Verbose failure messages
  • D. Password reset mechanism

Answer: C

Explanation:
Verbose failure messages are detailed error messages that reveal too much information about authentication failures. In the described scenario, the web application specifies whether the username or password is incorrect. This behavior enables attackers to:
* Enumerate valid usernames by submitting random inputs and observing which error message is returned.
* Use the valid usernames to conduct targeted attacks such as brute-force attempts or social engineering.
According to CEH v13:
* Authentication mechanisms should provide generic error messages such as "Invalid username or password" to avoid exposing system behavior.
* Verbose error messages violate the principle of "fail securely."
Incorrect Options:
* A. Insecure transmission relates to credentials being sent over unencrypted channels (e.g., HTTP instead of HTTPS).
* C. User impersonation involves taking on the identity of another user, not enumeration.
* D. Password reset mechanisms are a different component of authentication, not mentioned in this context.
Reference - CEH v13 Official Courseware:
Module 14: Hacking Web Applications
Section: "Authentication Bypass Techniques"
Subsection: "Enumeration via Verbose Error Messages"


NEW QUESTION # 221
Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients. You are requested to accept the offer and you oblige. After 2 days, Bab denies that he had ever sent a mail. What do you want to
""know"" to prove yourself that it was Bob who had send a mail?

  • A. Non-Repudiation
  • B. Confidentiality
  • C. Integrity
  • D. Authentication

Answer: A

Explanation:
Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a legal concept that is widely used in information security and refers to a service, which provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from as well as the authenticity and integrity of that message.


NEW QUESTION # 222
An attacker, using a rogue wireless AP, performed an MITM attack and injected an HTML code to embed a malicious applet in all HTTP connections.
When users accessed any page, the applet ran and exploited many machines. Which one of the following tools the hacker probably used to inject HTML code?

  • A. Aircrack-ng
  • B. Ettercap
  • C. Wireshark
  • D. Tcpdump

Answer: B


NEW QUESTION # 223
Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept communications between the two entities and establish credentials with both sides of the connections. The two remote ends of the communication never notice that Eric is relaying the information between the two. What would you call this attack?

  • A. Man-in-the-middle
  • B. Poisoning Attack
  • C. ARP Proxy
  • D. Interceptor

Answer: A

Explanation:
The described scenario is a textbook example of a Man-in-the-Middle (MITM) attack. In such attacks, the attacker stealthily places themselves between two communicating systems, intercepts their communications, and may even modify the traffic. The communicating parties remain unaware that their traffic is being monitored or altered.
Eric is using the Dsniff toolset, which is well-known for enabling MITM attacks through techniques such as:
* ARP spoofing (to redirect traffic)
* Credential sniffing
* Packet manipulation
From CEH v13 Official Courseware:
* Module 8: Sniffing
* Module 11: Session Hijacking
CEH v13 Study Guide states:
"In a man-in-the-middle (MITM) attack, the attacker intercepts and potentially alters the communication between two systems without either party knowing. Tools like Dsniff, Cain & Abel, and Ettercap are commonly used to launch such attacks." Incorrect Options:
* A: "Interceptor" is not a technical term in cybersecurity.
* C: ARP Proxy is a network feature; while ARP spoofing can be part of a MITM attack, it's not the attack classification itself.
* D: Poisoning (like DNS or ARP poisoning) is often a technique used to initiate MITM but not the final classification.
Reference:CEH v13 Study Guide - Module 8: Sniffing # MITM Attacks Using DsniffRFC 4949 - Internet Security Glossary (Definition of MITM)


NEW QUESTION # 224
While browsing his Facebook teed, Matt sees a picture one of his friends posted with the caption. "Learn more about your friends!", as well as a number of personal questions. Matt is suspicious and texts his friend, who confirms that he did indeed post it. With assurance that the post is legitimate. Matt responds to the questions on the post, a few days later. Mates bank account has been accessed, and the password has been changed. What most likely happened?

  • A. Matt's computer was infected with a keylogger.
  • B. Matt's bank-account login information was brute forced.
  • C. Matt Inadvertently provided his password when responding to the post.
  • D. Matt inadvertently provided the answers to his security questions when responding to the post.

Answer: D


NEW QUESTION # 225
John, a professional hacker, performs a network attack on a renowned organization and gains unauthorized access to the target network. He remains in the network without being detected for a long time and obtains sensitive information without sabotaging the organization. Which of the following attack techniques is used by John?

  • A. Spear-phishing sites
  • B. threat Diversion theft
  • C. insider threat
  • D. Advanced persistent theft

Answer: D

Explanation:
An advanced persistent threat (APT) may be a broad term wont to describe AN attack campaign within which an intruder, or team of intruders, establishes a bootleg, long presence on a network so as to mine sensitive knowledge.
The targets of those assaults, that square measure terribly fastidiously chosen and researched, usually embrace massive enterprises or governmental networks. the implications of such intrusions square measure huge, and include:
* Intellectual property thieving (e.g., trade secrets or patents)
* Compromised sensitive info (e.g., worker and user personal data)
* The sabotaging of essential structure infrastructures (e.g., information deletion)
* Total website takeovers
Executing an APT assault needs additional resources than a regular internet application attack. The perpetrators square measure typically groups of intimate cybercriminals having substantial resource. Some APT attacks square measure government-funded and used as cyber warfare weapons.
APT attacks dissent from ancient internet application threats, in that:
* They're considerably additional advanced.
* They're not hit and run attacks-once a network is infiltrated, the culprit remains so as to realize the maximum amount info as potential.
* They're manually dead (not automated) against a selected mark and indiscriminately launched against an outsized pool of targets.
* They typically aim to infiltrate a complete network, as opposition one specific half.
More common attacks, like remote file inclusion (RFI), SQL injection and cross-site scripting (XSS), square measure oftentimes employed by perpetrators to ascertain a footing in a very targeted network. Next, Trojans and backdoor shells square measure typically wont to expand that foothold and make a persistent presence inside the targeted perimeter.


NEW QUESTION # 226
_________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.

  • A. Backdoor
  • B. RootKit
  • C. DoS tool
  • D. Trojan
  • E. Scanner

Answer: B

Explanation:
A rootkit is a type of stealth malware designed to hide the existence of certain processes or programs from normal detection methods. It can:
* Hide itself and other processes
* Conceal files and registry entries
* Intercept system calls or keystrokes (keylogging)
* Maintain persistent access
From CEH v13 Courseware:
* Module 6: Malware Threats # Rootkits
Incorrect Options:
* A: A Trojan may offer remote access but doesn't necessarily hide itself.
* C: DoS tools are used to overload systems, not hide.
* D: Scanners detect vulnerabilities, not conceal activities.
* E: A backdoor may provide unauthorized access, but rootkits focus on hiding.
Reference:CEH v13 Study Guide - Module 6: Malware Types # RootkitsNIST SP 800-83 - Malware Handling Guide


NEW QUESTION # 227
......

312-50v13 Exam Questions – Valid 312-50v13 Dumps Pdf: https://www.topexamcollection.com/312-50v13-vce-collection.html

312-50v13 Practice Test Questions Answers Updated 569 Questions: https://drive.google.com/open?id=1eXOt-9WtRp0_zc3nSc8QkT2U3YvmQGen