EC-Council 312-50V13 CEH V13 Exam Questions 2025

GINA stands for Graphical Identification and Authentication. It is a core component of the interactive logon architecture in Microsoft Windows operating systems prior to Windows Vista (e.g., Windows NT, 2000, XP, Server 2003). GINA is implemented as a replaceable Dynamic-Link Library (DLL) that is loaded by the Winlogon process. Its primary function is to manage all user identification and authentication tasks, presenting the user interface for logon and handling the communication with the Local Security Authority (LSA) to verify credentials. This model allowed third-party developers to create custom authentication mechanisms, such as biometric scanners or smart card readers, by replacing the default GINA DLL (msgina.dll).

A. Gateway Interface Network Application is an incorrect expansion of the acronym and does not describe any standard Windows authentication component.

B. GUI Installed Network Application CLASS is a fabricated term with no relevance to the GINA architecture or Windows security.

C. Global Internet National Authority (G-USA) is an incorrect and irrelevant term, describing a fictitious organization, not a technical component.

1. Microsoft Corporation. (n.d.). Winlogon and GINA. Microsoft Docs. Retrieved from https://learn.microsoft.com/en-us/windows/win32/secauthn/winlogon-and-gina. In the first paragraph

it states

"The GINA is a replaceable dynamic-link library (DLL) that is loaded by the Winlogon process. The GINA implements the authentication policy of the interactive logon model."

2. Pato

J. N. (1999). GINA and the Windows NT Logon Process. Hewlett-Packard Laboratories Technical Report

HPL-1999-12. This report details the architecture and states on page 1

"The component that controls the user interaction is called the GINA

for Graphical Identification and Authentication."

3. Purdue University. (n.d.). CS 42600: Computer Security - Lecture 18: Windows Security. Courseware. In slides discussing Windows NT/2000/XP authentication

GINA is defined as "Graphical Identification and Authentication" and its role in the logon process is explained.

The LAN Manager (LM) hash algorithm has a significant structural weakness. It converts a password to uppercase, pads it with null characters to 14 bytes, and then splits it into two 7-byte halves. Each half is used as a DES key to encrypt a fixed string. If the original password is less than 8 characters (i.e., 1 to 7 characters), the second 7-byte half will consist entirely of null characters after padding. Using this all-null 7-byte block as a DES key always produces the same constant 8-byte ciphertext: AAD3B435B51404EE. Therefore, any LM hash where the second half matches this value corresponds to a password of fewer than 8 characters.

Note: Option B contains a 'Q', which is not a valid hexadecimal digit. This is a common typographical error in question banks. The answer is correct based on the matching second half, which is the sole indicator.

A. The second half of this hash, 17306D272A9441BB, does not match the known constant for a short password's LM hash.

C. The second half of this hash, 36077A718CCDF409, does not match the known constant for a short password's LM hash.

D. The second half of this hash, C2265B23734E0DAC, does not match the known constant for a short password's LM hash.

F. The second half of this hash, 4A3B108F3FA6CB6D, does not match the known constant for a short password's LM hash.

---

1. Van Assche

B. (2006). Security of the LAN Manager Hash. In Section 2

"The LAN Manager Hash

" the paper states: "If the password is shorter than 8 characters

the second half of the padded password will be all-zero. The DES encryption of the magic constant with an all-zero key is always 0xAAD3B435B51404EE."

2. Microsoft Corporation. (2021). [MS-SAMR]: Security Account Manager (SAM) Remote Protocol. Section 2.2.11.1.1

Generate-LM-Hash( Password ). The official protocol documentation describes the padding mechanism: "The 14-byte string is created by converting the password to uppercase... and then padding with NULLs to a total of 14 bytes." This padding is the direct cause of the predictable second half for short passwords.

3. Wagner

D. (2017). CS 161: Computer Security

Lecture 8: Web Security. University of California

Berkeley. Lecture notes on password security detail the flaws of the LM hash

including the fact that passwords under 8 characters result in a second half that is always the same constant value (AAD3B435B51404EE).

The primary mechanism for synchronizing DNS zone data between a primary and a secondary name server relies on the Start of Authority (SOA) record's serial number. The secondary server periodically polls the primary server to check this serial number. If the serial number on the primary server is arithmetically higher than the serial number on the secondary server, it signifies that the zone file has been updated. This condition triggers the secondary server to initiate a zone transfer request (either a full AXFR or an incremental IXFR) to download the updated zone information and synchronize its records with the primary server.

B. When a secondary SOA is higher that a primary SOA: This indicates a configuration error, as the secondary server should not have a more recent version of the zone than the primary. It would not trigger a transfer.

C. When a primary name server has had its service restarted: Restarting the primary server's service does not inherently change the zone data or the SOA serial number, so it does not trigger a transfer.

D. When a secondary name server has had its service restarted: A restart may cause the secondary to check the primary's SOA, but the transfer is only triggered if the primary's SOA is higher, not by the restart itself.

E. When the TTL falls to zero: Time to Live (TTL) values dictate caching duration for individual DNS records by resolvers, not the zone transfer process between authoritative servers.

1. Mockapetris

P. (1987). RFC 1035: Domain Names - Implementation and Specification. Internet Engineering Task Force (IETF). Section 4.3.5

"Zone maintenance

" describes the process where a secondary server checks the SOA serial number to determine if its copy of the zone is outdated.

2. Ohta

M. (1996). RFC 1995: Incremental Zone Transfer in DNS. Internet Engineering Task Force (IETF). Section 3 explicitly states

"An IXFR request is a standard DNS query with a QTYPE of IXFR... The slave's current SOA is included in the authority section to tell the master which version of the zone the slave thinks is current." This confirms the SOA comparison is central to the process.

3. Internet Systems Consortium (ISC). (2023). BIND 9.18 Administrator Reference Manual. Chapter 4

"Zones

" in the section "Primary and Secondary Servers." The documentation details that a secondary server will transfer a zone from a primary server when it starts up and "when the zone's serial number on the primary is higher than the secondary's."

4. Kurose

J. F.

& Ross

K. W. (2021). Computer Networking: A Top-Down Approach (8th ed.). Pearson. In Chapter 2

Section 2.5

"The Domain Name System (DNS)

" the textbook

widely used in university curricula

explains that secondary servers "periodically poll" the primary to see if the original zone has been updated by checking the SOA serial number.

Untethered jailbreaking is a persistent exploitation method that modifies the device's core boot process. It installs an exploit that automatically patches the kernel every time the device starts up. This ensures the device remains in a jailbroken state after any reboot, without requiring any connection to a computer or manual intervention from the user. The exploit is self-contained on the device and executes during the boot sequence, making it the most seamless but also the most complex type of jailbreak to achieve.

A. Tethered jailbreaking: This method requires the device to be connected to a computer each time it is rebooted to re-apply the kernel patch and boot into a jailbroken state.

B. Semi-tethered jailbreaking: The device can boot on its own, but only into a non-jailbroken state. A computer is required to re-run the exploit and re-jailbreak the device.

D. Semi-Untethered jailbreaking: The device reboots into a non-jailbroken state, but the user can re-jailbreak it by running an application on the device itself, without needing a computer.

1. Yeo

S.

Kim

H.

& Lee

H. (2017). A Survey on iOS Jailbreaking. Journal of The Korea Institute of Information Security and Cryptology

27(4)

85-98.

Page 88

Section 3.1.3: "Untethered jailbreak is a method of jailbreaking without connecting to a PC after rebooting. The exploit code is stored in the device and the kernel patch is automatically executed when booting." This directly defines the correct answer. The same section also defines tethered and semi-untethered methods

supporting the reasoning for incorrect options.

2. Zheng

X.

et al. (2013). A Survey on Security of iOS. Tsinghua Science and Technology

18(1)

84-95. https://doi.org/10.1109/TST.2013.6449404

Page 89

Section 4.1: The paper describes untethered jailbreaking as a process where "the exploit is triggered automatically during the boot process without any user interaction

" which allows the device to "reboot into a jailbroken state."

3. Enck

W. (2020). CSC 495/591: Mobile and IoT Security Courseware. North Carolina State University.

Lecture 10: iOS Security

Slide 32 ("Jailbreaking"): The lecture notes categorize jailbreaks and define "Untethered" as a method where the "Device is permanently jailbroken. Exploit automatically runs on boot." This contrasts with "Tethered" and "Semi-tethered" which require external assistance post-reboot.

To prevent NetBIOS and related Server Message Block (SMB) traffic from traversing a firewall for a network with Windows NT, 2000, and XP systems, specific ports must be blocked. Port 139/TCP is used for the NetBIOS Session Service. With the introduction of Windows 2000, Microsoft enabled SMB to run directly over TCP/IP on port 445/TCP, bypassing NetBIOS. Port 135/TCP is used by the RPC Endpoint Mapper, a service that is tightly integrated with and often a precursor to attacks on NetBIOS/SMB services. Blocking these three ports is a fundamental security practice to protect against legacy Windows file-sharing vulnerabilities from external networks.

A. 110: This port is used for Post Office Protocol v3 (POP3), an email retrieval protocol, and is not associated with NetBIOS.

D. 161: This port is used for Simple Network Management Protocol (SNMP) for managing network devices and is unrelated to NetBIOS.

F. 1024: This port number marks the beginning of the registered port range and is not a specific port assigned to NetBIOS services.

1. Microsoft Corporation. (2023

October 12). Service overview and network port requirements for Windows. Microsoft Learn. In the "System services ports" table

the document lists:

RPC endpoint mapper: TCP 135

NetBIOS Session Service: TCP 139

Server message block (SMB) over TCP: TCP 445

This official documentation confirms the ports used by the services in question.

2. University of Michigan. (2023). Filtering Network Traffic. Safe Computing

Information and Technology Services. In the section "Recommended Network Traffic to Block

" the guidelines explicitly recommend blocking inbound traffic to "TCP/UDP ports 135-139 (NetBIOS)" and "TCP/UDP port 445 (Microsoft-DS)." This demonstrates that blocking these ports is a standard security recommendation from a reputable academic institution.

3. Cheswick

W. R.

Bellovin

S. M.

& Rubin

A. D. (2003). Firewalls and Internet Security: Repelling the Wily Hacker (2nd ed.). Addison-Wesley Professional. In Chapter 20

"Services and Protocols

" the authors discuss filtering strategies

noting the high risk associated with NetBIOS (ports 137-139) and the related RPC services (port 135) and direct SMB (port 445)

recommending they be blocked at the perimeter.

The LAN Manager (LM) hash, used in legacy Windows systems like Windows 2000, is fundamentally based on the Data Encryption Standard (DES) algorithm. The hashing process involves converting the password to uppercase, splitting it into two 7-byte halves, and using each half as a key to perform a DES encryption on a fixed, constant string. Therefore, a brute-force tool attempting to crack an LM hash is effectively trying to reverse or discover the original DES keys (the password halves) that produced the hash value.

A. MD4: This hashing algorithm is used for the NTLM (NT LAN Manager) hash, which is a separate and more secure password hashing scheme than LM.

C. SHA: The Secure Hash Algorithm (SHA) family (e.g., SHA-1, SHA-256) are modern cryptographic hash functions not used in the legacy LM hashing scheme.

D. SSL: Secure Sockets Layer (SSL) is a cryptographic protocol designed to provide secure communication over a computer network, not a password hashing algorithm.

1. Microsoft Corporation. (2017). [MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server). Section A.1

ComputeLmHash. The official documentation states

"The user's password is used to create two DES keys... Each of these keys is used to DES-encrypt a well-known constant." This explicitly confirms the use of DES.

2. Wagner

D.

& Song

D. (n.d.). CS 161: Computer Security

Lecture 10: Passwords. University of California

Berkeley. Slide 15

"Windows LM Hash

" details the step-by-step process

including the step: "Encrypt the string KGS!@#$% with DES using the 7-byte password half as the key."

3. Bellovin

S. M.

& Merritt

M. (1992). Encrypted key exchange: Password-based protocols secure against dictionary attacks. Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy

72-84. https://doi.org/10.1109/RISP.1992.213269. This foundational paper discusses the DES-based password schemes in Microsoft LAN Manager (Section 5.1)

which is the basis for the LM hash.

The router's Access Control List (ACL) is configured to permit SNMP requests only from the trusted internal network (192.168.1.0/24). The attacker, being external to this network, must bypass this filter. The correct procedure involves two steps. First, the attacker sends an SNMP request with a spoofed source IP address that falls within the permitted 192.168.1.0 range (D). Because SNMP typically uses the connectionless UDP protocol, the router accepts the request without a handshake to verify the source. Second, the router sends the response containing the configuration file to the spoofed IP address. The attacker, positioned on the same network segment, must use a network sniffer to capture this traffic and retrieve the configuration file (B).

A. Use the Cisco's TFTP default password to connect and download the configuration file

The Trivial File Transfer Protocol (TFTP) is a simple protocol that does not support user authentication or passwords. This option describes a non-existent feature.

C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address

Establishing a GRE tunnel requires configuration access on both endpoints (the attacker's machine and the target router), which the attacker does not have.

1. Kurose

J. F.

& Ross

K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). In Chapter 3

Section 3.3

"Connectionless Transport: UDP

" the text explains that UDP is a connectionless protocol without a handshake mechanism. This fundamental property is what allows an attacker to easily spoof the source IP address in a datagram

as the receiver has no initial process to validate the sender's identity before processing the packet.

2. Cisco Systems

Inc. (2022). SNMP Configuration Guide

Cisco IOS XE Amsterdam 17.3.x. In the chapter "Configuring SNMP Support

" the section on "SNMP Security" strongly recommends using an access list to restrict SNMP access to known

trusted management stations. This official documentation confirms the scenario's premise and highlights that bypassing this IP-based control is a primary attack vector. The guide implicitly relies on the network administrator understanding the risks of spoofing against UDP-based services.

3. Forouzan

B. A. (2013). Data Communications and Networking (5th ed.). In Chapter 20

"Network Layer: IP Addresses

" the concept of IP spoofing is detailed. The text explains how an attacker can create a packet with a forged source address. When this technique is applied to a connectionless protocol like UDP

the receiving device sends its reply to the forged address

not the actual source. This requires the attacker to be in a position to intercept the reply

for example

by sniffing traffic on the target's local network.

L0phtcrack is a password auditing and recovery application renowned for its ability to crack Windows passwords. A key feature of the tool is its integrated network sniffer, which can passively monitor network traffic for SMB authentication handshakes. During this process, it captures the NTLM challenge-response hashes exchanged between a client and a server. Once a hash is captured, L0phtcrack can perform offline dictionary, hybrid, or brute-force attacks to recover the original password. This combination of sniffing and cracking capabilities in a single tool directly matches the scenario described in the question.

A. This is incorrect. Passively sniffing authentication hashes (like NTLM) from network traffic and cracking them offline is a classic and well-documented attack vector against Windows environments.

B. Netbus is a Remote Access Trojan (RAT) designed for remote administration and control of a compromised machine, not for passive network sniffing and password cracking.

C. NTFSDOS is a file system driver utility that allows operating systems like MS-DOS to read data from NTFS-formatted drives. It has no networking or password cracking capabilities.

1. Mudge. (1997). L0phtCrack: A Password Auditing Tool. L0pht Heavy Industries. (This foundational whitepaper

widely cited in academic security courses

details the tool's functionality). Section "Sniffing Passwords off the Wire" describes how the tool captures NTLM challenge/response pairs for cracking.

2. Thompson

H. H. (2002). Why Security Fails. IEEE Security & Privacy

1(1)

78-81. https://doi.org/10.1109/MSECP.2003.1193213. (This article discusses common security failures

referencing L0phtCrack on page 79 as a tool that automates the process of sniffing and cracking passwords from the network.)

3. University of California

Berkeley. (2004). CS 161: Computer Security

Lecture 15: Network Security. [Courseware]. On slide 23

L0phtCrack is explicitly mentioned as a tool that "sniffs passwords off the network" and performs dictionary attacks on the captured NTLM hashes.

In Windows, a 'null' user refers to the security context of an anonymous connection, known as a "null session." This is a pseudo-account that is not a real user listed in the Security Account Manager (SAM) database. It allows a connection to be established to a target system's Inter-Process Communication (IPC$) share without providing a username or a password. Historically, this was used by attackers for reconnaissance to enumerate system information such as usernames, group memberships, shares, and services.

A. A user that has no skills

This is a non-technical interpretation of the word 'null' and is irrelevant to Windows security concepts.

B. An account that has been suspended by the admin

This describes a disabled user account, which is a distinct, pre-existing account that has been intentionally deactivated, not an anonymous connection context.

D. A pseudo account that was created for security administration purpose

This describes a service account or a special administrative identity. A null user is unprivileged and used for anonymous access, not administration.

---

1. Microsoft Corporation. (2023). Network access: Restrict anonymous access to Named Pipes and Shares. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.

Reference Point: The "Vulnerability" section explains: "An anonymous user can use this vulnerability to list account names and shared resources and use the information to guess passwords or perform social engineering attacks." This directly links anonymous access (null sessions) to the enumeration capabilities associated with the null user.

2. Messier

R. (2014). Chapter 4 - Hacking the low-hanging fruit: NetBIOS

SMB

and anonymous enumeration. In Penetration Testing with the Bash shell. Syngress. pp. 57-74. (This textbook is widely used in university curricula).

Reference Point: Page 60

Section "Anonymous/Null Session Enumeration

" states: "Anonymous

or null session

enumeration is a classic technique for gathering information from Windows systems... This is accomplished by establishing a connection to the target system without a username or password."

3. SANS Institute. (2003). The Evolution of The Windows Null Session. SANS Institute InfoSec Reading Room.

Reference Point: Page 2

Paragraph 2

states: "A null session is an anonymous connection to the Inter-Process Communication (IPC$) share on a host... This connection is established by a client with a null username and a null password." This document

from a highly respected security training institution

explicitly defines the null session in the context of a null username and password.

The most prudent and secure method to verify the legitimacy of a suspicious email and the associated website is to conduct external research. By using a search engine to look up the URL, company name ("Media Internet Consultants"), and product name ("Antivirus 2010"), you can leverage open-source intelligence (OSINT). This action allows you to find potential warnings, user reviews, or reports from security firms that have already identified the site as malicious. This verification is performed in a safe environment without directly interacting with the potentially harmful website or downloading any files, thereby preventing any risk to your system.

A. Malicious actors can easily create professional-looking websites to deceive users; visual design is not a reliable indicator of trustworthiness.

B. An SSL/TLS certificate (HTTPS) only ensures the connection is encrypted; it does not validate the identity or integrity of the website's owner.

D. Downloading and installing software from an unverified source is extremely dangerous and is the primary way malware infections occur.

E. This is a duplicate of option D and is incorrect for the same reason; actively installing potential malware is never a valid verification method.

1. Stanford University

"Phishing & Suspicious Email." Stanford IT Security. This guide for students and faculty advises users on how to handle suspicious emails. In the section "How to spot a phishing attempt

" it recommends verifying legitimacy by non-email means

stating

"Search online for the company name or website

but don’t use the links in the email." This directly supports option C. (Available at: https://uit.stanford.edu/security/phishing)

2. Sivakorn

S.

Polakis

I.

& Keromytis

A. D. (2019). "I'm not a human: Breaking the Google reCAPTCHA." In Black Hat USA 2019. While the main topic is different

the context of web security research frequently highlights that the presence of TLS/SSL is no longer a reliable indicator of a site's legitimacy

as attackers can easily obtain free certificates to add a false sense of security to phishing sites. This principle invalidates the reasoning in option B.

3. University of California

Berkeley

"Top 10 Secure Computing Tips." Information Security Office. Tip #3

"Don't fall for phishing scams

" and Tip #5

"Use antivirus software and keep it up to date

" implicitly support the correct answer. The guidance warns against clicking suspicious links and emphasizes using legitimate

known antivirus software

not downloading unknown programs from unsolicited emails. This directly contradicts the actions suggested in options D and E. (Available at: https://security.berkeley.edu/education-awareness/top-10-secure-computing-tips)