Exactprep 312-50v13 Questions

The technique that the hacker would consider next to obtain useful information about the underlying database is to utilize a blind injection technique that uses time delays or error signatures to extract information. A blind injection technique is a type of SQL injection technique that is used when the web application does not return any detailed error messages or data from the database, but only indicates whether the query was executed successfully or not. A blind injection technique relies on sending specially crafted SQL queries that cause a noticeable change in the behavior or response of the web application, such as a time delay or an error signature, which can then be used to infer information about the database. For example, the hacker could use the following methods12:

Time-based blind injection: This method involves injecting a SQL query that contains a time delay function, such as SLEEP() or WAITFOR DELAY, which pauses the execution of the query for a specified amount of time. The hacker can then measure the time difference between the normal and the delayed responses, and use it to determine whether the injected query was true or false. By using this method, the hacker can perform a binary search to guess the values of the data in the database, one bit at a time.

Error-based blind injection: This method involves injecting a SQL query that contains a deliberate error, such as a division by zero, a type mismatch, or an invalid conversion, which causes the database to generate an error message. The hacker can then analyze the error message, which may contain useful information about the database, such as the version, the name, the structure, or the data. By using this method, the hacker can exploit the error handling mechanism of the database to extract information.

The other options are not as suitable as option D for the following reasons:

A. Use the UNION operator to combine the result sets of two or more SELECT statements: This option is not feasible because it requires the web application to return data from the database, which is not the case in this scenario. The UNION operator is a SQL operator that allows the hacker to append the results of another SELECT statement to the original query, and display them as part of the web page. This way, the hacker can retrieve data from other tables or columns that are not intended to be shown by the web application. However, this option does not work when the web application does not return any data or error messages from the database, as in this scenario3.

B. Attempt to compromise the system through OS-level command shell execution: This option is not relevant because it is not a SQL injection technique, but a post-exploitation technique. OS-level command shell execution is a method of gaining access to the underlying operating system of the web server, by injecting a SQL query that contains a system command, such as xp_cmdshell, exec, or shell_exec, which executes the command on the server. This way, the hacker can perform various actions on the server, such as uploading files, downloading files, or running programs. However, this option does not help to obtain information about the database, which is the goal of this scenario4.

C. Try to insert a string value where a number is expected in the input field: This option is not effective because it is a basic SQL injection technique that is used to detect SQL injection vulnerabilities, not to exploit them. Inserting a string value where a number is expected in the input field is a method of triggering a syntax error in the SQL query, which may reveal the structure or the content of the query in the error message. This way, the hacker can identify the vulnerable parameters and the type of the database. However, this option does not work when the web application does not return any detailed error messages from the database, as in this scenario5.

Well-known and widely used password-cracking tools include:

A. L0phtcrack – Windows password auditing tool that can crack LM and NTLM hashes.

E. John the Ripper – Versatile password cracker that supports many hash types on Unix, Windows, etc.

Incorrect Options:

B. NetCat – A network tool used for port scanning and data transfer.

C. “Jack the Ripper” is likely a mistaken reference to John the Ripper.

D. Netbus – A remote access Trojan, not a password cracker.

From CEH v13 Courseware:

Module 6: Password Cracking Tools

According to CEH v13 Module 06: Malware Threats, when analyzing suspicious system behavior or investigating a suspected Trojan infection, a common and effective approach is to:

Monitor system activity and network behavior using tools like netstat, Wireshark, and TCPView.

Trojans often create covert channels or backdoors for remote access, which can be identified through unexpected or unauthorized outgoing connections to remote IP addresses or domains.

Using netstat -an or netstat -ano helps identify open ports and active connections, and checking these against known IPs can indicate whether a Trojan is communicating with a Command and Control (C&C) server.

Analysis of Each Option:

A. Use ExifTool and check for malicious content

Incorrect. ExifTool is primarily used for extracting metadata from files, especially images and documents. It is not effective for analyzing executable malware or system behavior post-execution.

B. You do not check; rather, you immediately restore a previous snapshot of the operating system

Incorrect. While restoring from a snapshot might eventually be required, immediate restoration without diagnosis is not a recommended or forensically sound first step. It also prevents root cause analysis.

C. Upload the file to VirusTotal

Partially correct but not sufficient. While uploading the file to VirusTotal is a good step to confirm if the file is known malware, it does not identify whether the machine is currently infected or actively compromised.

D. Use netstat and check for outgoing connections to strange IP addresses or domains

Correct. This method helps detect if the system is making suspicious external connections that are common in Trojan infections.

Reference from CEH v13 Study Guide and Course Materials:

CEH v13 Official Module 06 – Malware Threats, Section: Types of Malware – Trojans, and System Monitoring Tools

CEH v13 eCourseware Lab Manual: "Detecting Trojan Activity using netstat and TCPView"

CEH Engage Range: Malware Investigation Phase – Trojan Behavior Detection

If the token itself (e.g., hardware key or smartcard) performs offline verification of the PIN, it can be physically attacked. An attacker can:

Steal the token

Try all possible PIN combinations (0000–9999)

Bypass limits if no lockout mechanisms exist

This is a brute-force attack — the attacker tries every combination until the correct one is found.

From CEH v13 Courseware:

Module 6: Malware and Authentication

Module 20: Identity and Access Management

Incorrect Options:

A: Birthday attacks are related to hash collisions.

C: MITM involves intercepting communication, not offline brute-force.

D: Smurf is a DoS attack, not related to token/PIN systems.