ECCouncil Updated 312-50v13 Exam Questions and Answers by azlan

The command that best matches “directly interact with the NTP daemon and query its internal state,” enabling monitoring and retrieval of statistics, is ntpdc. Option C is correct because ntpdc is designed as a control/query utility for NTP that communicates with the NTP daemon using control messages. It can be used to request internal variables, statistics, and status information and to perform certain monitoring-style checks related to NTP daemon operation.

The scenario also gives a strong exclusion clue: Bob’s goal is not primarily to list peers with delay, offset, and jitter values. That peer listing is most closely associated with ntpq -p (option A), which prints peer relationships and timing metrics. Similarly, ntptrace (option B) is used to trace the chain of NTP servers (who is syncing from whom), which is not what Bob is seeking. Option D (ntpq with -c command) can query certain runtime details, but the question emphasizes a diagnostic command focused on controlling/checking daemon operation and retrieving internal stats—this description aligns more closely with ntpdc in many NTP administration and diagnostic workflows.

In practice, an assessor might use ntpdc to query items like system status, clock variables, and monitoring statistics from the daemon, which can help diagnose synchronization irregularities and understand how the NTP service is behaving internally. That aligns with “query its internal state” and “retrieve statistics.”

Therefore, the correct command is C. ntpdc [-ilnps] [-c command] [host].

According to the CEH System Hacking and Web Application Security modules, Man-in-the-Browser (MitB) attacks are among the most sophisticated and difficult session-hijacking techniques to detect. In MitB attacks, malware operates inside the victim’s browser, allowing attackers to intercept, modify, or inject transactions after authentication has occurred.

CEH documentation highlights that MitB attacks bypass:

Multi-factor authentication

Encrypted cookies

HTTPS/TLS protections

Because the malicious activity occurs at the browser level, security controls perceive transactions as legitimate.

Option B is correct.

Option A (XSS) is detectable via content security policies.

Option C is mitigated by regenerating session IDs.

Option D is ineffective against encrypted sessions.

CEH emphasizes MitB attacks as a critical threat to online banking systems.

CEH v13 identifies kernel-level rootkits as among the most dangerous malware types. Because they operate at the lowest OS level, they can hide processes, files, and system calls.

CEH v13 states that the only guaranteed remediation is a complete system wipe and clean OS reinstallation from a trusted source. Attempting removal risks incomplete eradication.

Powering down alone does not remove the rootkit. Honeypots are for detection, not remediation. Tailored removal tools may fail at kernel depth.

Thus, Option C is correct.

This scenario represents a classic baiting attack, a social engineering technique explicitly described in CEH v13 Social Engineering. In baiting, attackers exploit human curiosity or greed by leaving behind a malicious physical device—most commonly a USB drive—with an enticing label. When the victim plugs the device into a system, malware is automatically executed, leading to compromise.

Option A precisely captures this behavior. The label “Employee Salary Info 2024” is intentionally designed to entice the victim into interacting with the device. CEH v13 highlights USB baiting as particularly dangerous because it bypasses technical controls and relies solely on human behavior.

Option B describes pretexting, which involves impersonation. Option C refers to dumpster diving. Option D describes tailgating, a physical access attack. None of these match the USB-based lure described.

CEH v13 emphasizes that baiting attacks are highly effective in corporate environments and recommends strong security awareness training and disabling USB autorun features as mitigation.