ECCouncil Updated 312-50v13 Exam Questions and Answers by ren

The Certified Ethical Hacker (CEH) Social Engineering module defines whaling as a highly targeted phishing attack aimed specifically at senior executives or high-ranking personnel.

This scenario exhibits all whaling characteristics: personalization, impersonation of leadership, business-themed content, and tailored malware delivery.

Option D is correct.

Option A involves copying legitimate emails, but does not necessarily target executives.

Option B lacks targeting.

Option C is unrelated to email-based attacks.

CEH stresses executive awareness training to counter whaling attacks.

The correct answer is B. hashdump because the output described—“a long list of alphanumeric strings representing LM and NTLM values”—matches the Windows password hash formats typically extracted from the local Security Account Manager (SAM) database (with supporting data from the SYSTEM hive). In CEH-aligned post-exploitation and credential access concepts, attackers frequently target LM/NTLM hashes rather than plaintext passwords. Hashes can be taken offline for password recovery attempts (e.g., dictionary/brute-force and rule-based cracking), which aligns with the scenario where the values are transferred to a cracking rig.

Within a Meterpreter context, hashdump is the command commonly associated with dumping local account password hashes from a compromised Windows host. The hashes are useful for simulating credential compromise across an environment because recovered passwords may be reused on other systems, and even without recovery, hashes can sometimes be leveraged in authentication abuse scenarios depending on controls in place.

Why the other options are incorrect:

keyscan_start initiates keystroke logging in Meterpreter; it would not output LM/NTLM hash strings.

getsystem attempts privilege escalation to SYSTEM-level (or equivalent). While higher privileges may be required before successfully dumping hashes, getsystem itself does not produce a list of hashes; it changes/attempts to change the privilege context.

screenshot captures the user’s screen and has no relationship to credential hash extraction.

The “post-exploitation phase” detail is important: credential dumping is a classic activity after gaining a foothold, used to expand access (pivoting/lateral movement) and assess the impact of poor password hygiene. From a defensive perspective, this highlights the need for least privilege, credential protection controls, restricted local admin, strong password policies, and monitoring for suspicious credential-access behaviors.

The correct answer is B. Known-plaintext attack because the scenario explicitly provides paired samples of plaintext and ciphertext for the same underlying data. In a known-plaintext attack, the analyst possesses one or more examples where the original message (plaintext) is known and the corresponding encrypted output (ciphertext) is also available. These pairs can be used to analyze the cipher’s behavior, validate hypotheses about modes/parameters, and—depending on the algorithm, implementation weaknesses, and key management—attempt to recover the encryption key or decrypt other ciphertexts encrypted under the same key.

Here, Evelyn has “original template records (standard headers and form fields)” and their “encrypted counterparts” in the stolen backup set. Medical record formats commonly contain predictable structures (fixed headers, repeated field names, standardized forms), which increases the likelihood of having accurate known plaintext segments. With enough known plaintext/ciphertext pairs, an attacker may identify patterns caused by weak encryption choices, reused keys, reused IVs/nonces, insecure modes (e.g., ECB revealing structure), or flawed custom crypto. Even when strong algorithms are used, known-plaintext material can still be valuable for confirming the encryption scheme and detecting implementation errors.

Why the other options are not correct: Ciphertext-only assumes the attacker has only encrypted data and no plaintext examples—contradicted by the templates. Chosen-plaintext requires the ability to submit arbitrary plaintexts to an encryption oracle and receive ciphertexts, which the scenario does not indicate. Chosen-ciphertext requires the ability to submit ciphertexts to a decryption oracle and observe outputs, also not described.

Because Evelyn has real, matching plaintext-ciphertext pairs from the same dataset, the most appropriate cryptanalytic approach is a known-plaintext attack.

The correct answer is C. Whois lookup because the scenario describes retrieving publicly available domain registration records using an online service without directly interacting with the target organization’s infrastructure. In CEH-aligned reconnaissance (footprinting) techniques, WHOIS is a foundational passive information-gathering method used to identify details tied to a domain name, such as the registrant/organization, administrative and technical contacts, registration and expiration dates, and the authoritative name servers associated with the domain. These details are commonly used to establish ownership context, map the organization’s external footprint, and identify potential points of contact for administrative or security coordination.

The prompt emphasizes that the ethical hacker wants “details about the organization’s domain ownership” and “points of contact.” That is precisely the kind of information WHOIS is intended to provide. It also explicitly notes “without direct interaction with the target,” which aligns with WHOIS being passive: queries are made to registries/registrars or WHOIS aggregation services rather than probing the target’s servers.

Why the other options are less correct: Email footprinting focuses on collecting email addresses, formats, mail servers, and potentially related metadata, but it is not the primary method for domain ownership/registrant contact records. Network footprinting is broader and often involves identifying IP ranges, network blocks, technologies, and topology—potentially including active probing. DNS interrogation (such as querying A, MX, NS, TXT records) can reveal technical DNS data and infrastructure mapping, but it typically does not provide the domain’s registrant ownership details and formal contact records; that role is handled by WHOIS and registry data.

Therefore, the method most likely used here is a WHOIS lookup to obtain public domain registration and contact information.