312-50v11 ECCouncil Certified Ethical Hacker Exam (CEH v11) exact Exam Questions

Certified Ethical Hacker Exam (CEH v11)

Last Update 3 hours ago Total Questions : 528

The Certified Ethical Hacker Exam (CEH v11) content is now fully updated, with all current exam questions added 3 hours ago. Deciding to include 312-50v11 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our 312-50v11 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these 312-50v11 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any Certified Ethical Hacker Exam (CEH v11) practice test comfortably within the allotted time.

Question # 16

As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing.

What document describes the specifics of the testing, the associated violations, and essentially protects both the organization’s interest and your liabilities as a tester?

Service Level Agreement

Project Scope

Rules of Engagement

Non-Disclosure Agreement

Question # 17

While testing a web application in development, you notice that the web server does not properly ignore the “dot dot slash” (../) character string and instead returns the file listing of a folder structure of the server.

What kind of attack is possible in this scenario?

Cross-site scripting

Denial of service

SQL injection

Directory traversal

Answer:

Explanation:

Appropriately controlling admittance to web content is significant for running a safe web worker. Index crossing or Path Traversal is a HTTP assault which permits aggressors to get to limited catalogs and execute orders outside of the web worker’s root registry.

Web workers give two primary degrees of security instruments

Access Control Lists (ACLs)

Root index

An Access Control List is utilized in the approval cycle. It is a rundown which the web worker’s manager uses to show which clients or gatherings can get to, change or execute specific records on the worker, just as other access rights.

The root registry is a particular index on the worker record framework in which the clients are kept. Clients can’t get to anything over this root.

For instance: the default root registry of IIS on Windows is C:\Inetpub\wwwroot and with this arrangement, a client doesn’t approach C:\Windows yet approaches C:\Inetpub \wwwroot\news and some other indexes and documents under the root catalog (given that the client is confirmed by means of the ACLs).

The root index keeps clients from getting to any documents on the worker, for example, C:\WINDOWS/system32/win.ini on Windo ws stages and the/and so on/passwd record on Linux/UNIX stages.

This weakness can exist either in the web worker programming itself or in the web application code.

To play out a registry crossing assault, all an assailant requires is an internet browser an d some information on where to aimlessly discover any default documents and registries on the framework.

What an assailant can do if your site is defenseless With a framework defenseless against index crossing, an aggressor can utilize this weakness to ven ture out of the root catalog and access different pieces of the record framework. This may enable the assailant to see confined documents, which could give the aggressor more data needed to additional trade off the framework.

Contingent upon how the site a ccess is set up, the aggressor will execute orders by mimicking himself as the client which is related with “the site”. Along these lines everything relies upon what the site client has been offered admittance to in the framework.

Illustration of a Directo ry Traversal assault by means of web application code In web applications with dynamic pages, input is generally gotten from programs through GET or POST solicitation techniques. Here is an illustration of a HTTP GET demand URL

GET http://test.webarticles. com/show.asp?view=oldarchive.html HTTP/1.1

Host: test.webarticles.com

With this URL, the browser requests the dynamic page show.asp from the server and with it also sends the parameter view with the value of oldarchive.html. When this request is executed o n the web server, show.asp retrieves the file oldarchive.html from the server’s file system, renders it and then sends it back to the browser which displays it to the user. The attacker would assume that show.asp can retrieve files from the file system and sends the following custom URL.

GET http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini HTTP/1.1

Host: test.webarticles.com

This will cause the dynamic page to retrieve the file system.ini from the file system and display it to the user. The expression ../ instructs the system to go one directory up which is commonly used as an operating system directive. The attacker has to guess how many directories he has to go up to find the Windows folder on the system, but this is easily done by trial and error.

Example of a Directory Traversal attack via web server Apart from vulnerabilities in the code, even the web server itself can be open to directory traversal attacks. The problem can either be incorporated into the web server software or inside some sample script files left available on the server.

The vulnerability has been fixed in the latest versions of web server software, but there are web servers online which are still using older versions of IIS and Apache which might be open to di rectory traversal attacks. Even though you might be using a web server software version that has fixed this vulnerability, you might still have some sensitive default script directories exposed which are well known to hackers.

For example, a URL request which makes use of the scripts directory of IIS to traverse directories and execute a command can be

GET http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ HTTP/1.1

Host: server.com

The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command shell file and run the command dir c:\ in the shell. The %5c expression that is in the URL request is a web server escape code which is used to represent normal characters. In this case %5c re presents the character \.

Newer versions of modern web server software check for these escape codes and do not let them through. Some older versions however, do not filter out these codes in the root directory enforcer and will let the attackers execute su ch commands.

Question # 18

Which of the following represents the initial two commands that an IRC client sends to join an IRC network?

USER, NICK

USER, PASS

Question # 19

What is the file that determines the basic configuration (specifically activities, services, broadcast receivers, etc.) in an Android application?

AndroidManifest.xml

APK.info

resources.asrc

classes.dex

Question # 20

Which of the following tactics uses malicious code to redirect users ' web traffic?

Spimming

Pharming

Phishing

Spear-phishing

Question # 21

What is the most common method to exploit the “Bash Bug” or “Shellshock” vulnerability?

SYN Flood

SSH

Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed environment variable to a vulnerable Web server

Manipulate format strings in text fields

Question # 22

Stephen, an attacker, targeted the industrial control systems of an organization. He generated a fraudulent email with a malicious attachment and sent it to employees of the target organization. An employee who manages the sales software of the operational plant opened the fraudulent email and clicked on the malicious attachment. This resulted in the malicious attachment being downloaded and malware being injected into the sales software maintained in the victim ' s system. Further, the malware propagated itself to other networked systems, finally damaging the industrial automation components. What is the attack technique used by Stephen to damage the industrial systems?

Spear-phishing attack

SMishing attack

Reconnaissance attack

HMI-based attack

Question # 23

Jason, an attacker, targeted an organization to perform an attack on its Internet-facing web server with the intention of gaining access to backend servers, which are protected by a firewall. In this process, he used a URL https://xyz.com/feed.php?url:externaIsile.com/feed/to to obtain a remote feed and altered the URL input to the local host to view all the local resources on the target server. What is the type of attack Jason performed In the above scenario?

website defacement

Server-side request forgery (SSRF) attack

Web server misconfiguration

web cache poisoning attack

Question # 24

What is the main security service a cryptographic hash provides?

Integrity and ease of computation

Message authentication and collision resistance

Integrity and collision resistance

Integrity and computational in-feasibility

Question # 25

Elliot is in the process of exploiting a web application that uses SQL as a back-end database. He’s determined that the application is vulnerable to SQL injection, and has introduced conditional timing delays into injected queries to determine whether they are successful. What type of SQL injection is Elliot most likely performing?

Error-based SQL injection

Blind SQL injection

Union-based SQL injection

NoSQL injection

Question # 26

What would you enter if you wanted to perform a stealth scan using Nmap?

nmap -sM

nmap -sU

nmap -sS

nmap -sT

Question # 27

The “Gray-box testing” methodology enforces what kind of restriction?

Only the external operation of a system is accessible to the tester.

The internal operation of a system in only partly accessible to the tester.

Only the internal operation of a system is known to the tester.

The internal operation of a system is completely known to the tester.

Question # 28

Which of the following scanning method splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet?

ACK flag probe scanning

ICMP Echo scanning

SYN/FIN scanning using IP fragments

IPID scanning

Question # 29

While performing an Nmap scan against a host, Paola determines the existence of a firewall. In an attempt to determine whether the firewall is stateful or stateless, which of the following options would be best to use?

-sA

-sX

-sT

-sF

Question # 30

Jude, a pen tester working in Keiltech Ltd., performs sophisticated security testing on his company ' s network infrastructure to identify security loopholes. In this process, he started to circumvent the network protection tools and firewalls used in the company. He employed a technique that can create forged TCP sessions by carrying out multiple SYN, ACK, and RST or FIN packets. Further, this process allowed Jude to execute DDoS attacks that can exhaust the network resources. What is the attack technique used by Jude for finding loopholes in the above scenario?

UDP flood attack

Ping-of-death attack

Spoofed session flood attack

Peer-to-peer attack