EC-Council 312-50v11 Certified Ethical Hacker Exam – C|EH v11 Online Training

EC-Council 312-50v11 Online Training

The questions for 312-50v11 were last updated at May 10,2025.

Exam Code: 312-50v11
Exam Name: Certified Ethical Hacker Exam - C|EH v11
Certification Provider: EC-Council
Latest update: May 10,2025

Question #51

DNS cache snooping is a process of determining if the specified resource address is present in the DNS cache records. It may be useful during the examination of the network to determine what software update resources are used, thus discovering what software is installed.

What command is used to determine if the entry is present in DNS cache?

A . nslookup -fullrecursive update.antivirus.com
B . dnsnooping Crt update.antivirus.com
C . nslookup -norecursive update.antivirus.com
D . dns –snoop update.antivirus.com

Reveal Solution Hide Solution

Question #52

What is the purpose of DNS AAAA record?

A . Authorization, Authentication and Auditing record
B . Address prefix record
C . Address database record
D . IPv6 address resolution record

Reveal Solution Hide Solution

Question #53

Log monitoring tools performing behavioral analysis have alerted several suspicious logins on a Linux server occurring during non-business hours. After further examination of all login activities, it is noticed that none of the logins have occurred during typical work hours. A Linux administrator who is investigating this problem realizes the system time on the Linux server is wrong by more than twelve hours .

What protocol used on Linux servers to synchronize the time has stopped working?

A . Time Keeper
B . NTP
C . PPP
D . OSPP

Reveal Solution Hide Solution

Question #54

What does a firewall check to prevent particular ports and applications from getting packets into an organization?

A . Transport layer port numbers and application layer headers
B . Presentation layer headers and the session layer port numbers
C . Network layer headers and the session layer port numbers
D . Application layer port numbers and the transport layer headers

Reveal Solution Hide Solution

Question #55

An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up.

What is the most likely cause?

A . The network devices are not all synchronized.
B . Proper chain of custody was not observed while collecting the logs.
C . The attacker altered or erased events from the logs.
D . The security breach was a false positive.

Reveal Solution Hide Solution

Question #56

To create a botnet. the attacker can use several techniques to scan vulnerable machines. The attacker first collects Information about a large number of vulnerable machines to create a list. Subsequently, they infect the machines. The list Is divided by assigning half of the list to the newly compromised machines. The scanning process runs simultaneously. This technique ensures the spreading and installation of malicious code in little time.

Which technique is discussed here?

A . Hit-list-scanning technique
B . Topological scanning technique
C . Subnet scanning technique
D . Permutation scanning technique

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

One of the biggest problems a worm faces in achieving a very fast rate of infection is “getting off the ground.” although a worm spreads exponentially throughout the early stages of infection, the time needed to infect say the first 10,000 hosts dominates the infection time.

There is a straightforward way for an active worm a simple this obstacle, that we term hit-list scanning. Before the worm is free, the worm author collects a listing of say ten,000 to 50,000 potentially vulnerable machines, ideally ones with sensible network connections.

The worm, when released onto an initial machine on this hit-list, begins scanning down the list. once it infects a machine, it divides the hit-list in half, communicating half to the recipient worm, keeping the other half.

This fast division ensures that even if only 10-20% of the machines on the hit-list are actually vulnerable, an active worm can quickly bear the hit-list and establish itself on all vulnerable machines in only some seconds. though the hit-list could begin at 200 kilobytes, it quickly shrinks to nothing during the partitioning. This provides a great benefit in constructing a quick worm by speeding the initial infection.

The hit-list needn’t be perfect: a simple list of machines running a selected server sort could serve, though larger accuracy can improve the unfold. The hit-list itself is generated victimization one or many of the following techniques, ready well before, typically with very little concern of detection.

✑ Stealthy scans. Portscans are so common and then wide ignored that even a quick scan of the whole net would be unlikely to attract law enforcement attention or over gentle comment within the incident response community. However, for attackers wish to be particularly careful, a randomised sneaky scan taking many months would be not possible to attract much attention, as most intrusion detection systems are not currently capable of detecting such low-profile scans. Some portion of the scan would be out of date by the time it had been used, however abundant of it’d not.

✑ Distributed scanning. an assailant might scan the web using a few dozen to some thousand already-compromised “zombies,” the same as what DDOS attackers assemble in a very fairly routine fashion. Such distributed scanning has already been seen within the wildCLawrence Berkeley National Laboratory received ten throughout the past year.

✑ DNS searches. Assemble a list of domains (for example, by using wide offered spam mail lists, or trolling the address registries). The DNS will then be searched for the science addresses of mail-servers (via mx records) or net servers (by looking for www.domain.com).

✑ Spiders. For net server worms (like Code Red), use Web-crawling techniques the same as search engines so as to produce a list of most Internet-connected web sites. this would be unlikely to draw in serious attention.

✑ Public surveys. for many potential targets there may be surveys available listing them, like the Netcraft survey.

✑ Just listen. Some applications, like peer-to-peer networks, wind up advertising many of their servers. Similarly, many previous worms effectively broadcast that the infected machine is vulnerable to further attack. easy, because of its widespread scanning, during the Code Red I infection it was easy to select up the addresses of upwards of 300,000 vulnerable IIS serversCbecause each came knock on everyone’s door!

Question #57

Henry is a penetration tester who works for XYZ organization. While performing enumeration on a client organization, he queries the DNS server for a specific cached DNS record. Further, by using this cached record, he determines the sites recently visited by the organization’s user .

What is the enumeration technique used by Henry on the organization?

A . DNS zone walking
B . DNS cache snooping
C . DNS SEC zone walking
D . DNS cache poisoning

Reveal Solution Hide Solution

Question #58

Alice needs to send a confidential document to her coworker. Bryan. Their company has public key infrastructure set up. Therefore. Alice both encrypts the message and digitally signs it. Alice uses_______to encrypt the message, and Bryan uses__________to confirm the digital signature.

A . Bryan’s public key; Bryan’s public key
B . Alice’s public key; Alice’s public key
C . Bryan’s private key; Alice’s public key
D . Bryan’s public key; Alice’s public key

Reveal Solution Hide Solution

Question #59

You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn scan in your network, and you notice that kiwi syslog is not receiving the alert message from snort. You decide to run wireshark in the snort machine to check if the messages are going to the kiwi syslog machine .

What Wireshark filter will show the connections from the snort machine to kiwi syslog machine?