EC-COUNCIL 312-50 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50 Online Questions & Answers

• Question 91:

  ViruXine.W32 virus hides their presence by changing the underlying executable code. This Virus code mutates while keeping the original algorithm intact, the code changes itself each time it runs, but the function of the code (its semantics) will not change at all.

  

  Here is a section of the Virus code:

  

  What is this technique called?

  A. Polymorphic Virus
  B. Metamorphic Virus
  C. Dravidic Virus
  D. Stealth Virus
  A. Polymorphic Virus

• Question 92:

  Your company trainee Sandra asks you which are the four existing Regional Internet Registry (RIR's)?

  A. APNIC, PICNIC, ARIN, LACNIC
  B. RIPE NCC, LACNIC, ARIN, APNIC
  C. RIPE NCC, NANIC, ARIN, APNIC
  D. RIPE NCC, ARIN, APNIC, LATNIC
  B. RIPE NCC, LACNIC, ARIN, APNIC

  ---

  All other answers include non existing organizations (PICNIC, NANIC, LATNIC). See http://www.arin.net/library/internet_info/ripe.html

• Question 93:

  What is the proper response for a X-MAS scan if the port is closed?

  A. SYN
  B. ACK
  C. FIN
  D. PSH
  E. RST
  F. No response
  E. RST

  ---

  Closed ports respond to a X-MAS scan with a RST.

• Question 94:

  You are scanning the target network for the first time. You are able to detect few convention open ports. While attempting to perform conventional service identification by connecting to the open ports, the scan yields either bad or no result. As you are unsure of the protocols in use, you want to discover as many different protocols as possible. Which of the following scan options can help you achieve this?

  A. Nessus sacn with TCP based pings
  B. Netcat scan with the switches
  C. Nmap scan with the P (ping scan) switch
  D. Nmap with the O (Raw IP Packets switch
  D. Nmap with the O (Raw IP Packets switch

  ---

  -sO IP protocol scans: This method is used to determine which IP protocols are supported on a host. The technique is to send raw IP packets without any further protocol header to each specified protocol on the target machine. If we receive an ICMP protocol unreachable message, then the protocol is not in use. Otherwise we assume it is open. Note that some hosts (AIX, HP-UX, Digital UNIX) and firewalls may not send protocol unreachable messages.

• Question 95:

  Ann would like to perform a reliable scan against a remote target. She is not concerned about being stealth at this point. Which of the following type of scans would be the most accurate and reliable option?

  A. A half-scan
  B. A UDP scan
  C. A TCP Connect scan
  D. A FIN scan
  C. A TCP Connect scan

  ---

  A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection. Otherwise an error code is returned. Example of a three-way handshake followed by a reset: Source Destination Summary ------------------------------------------------------------------------------------- [192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 SYN SEQ=3362197786 LEN=0 WIN=5840 [192.168.0.10] [192.168.0.8] TCP: D=49389 S=80 SYN ACK=3362197787 SEQ=58695210 LEN=0 WIN=65535 [192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 ACK=58695211 WIN<<2=5840 [192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 RST ACK=58695211 WIN<<2=5840

• Question 96:

  What does the following command in "Ettercap" do? ettercap NCLzs quiet

  A. This command will provide you the entire list of hosts in the LAN
  B. This command will check if someone is poisoning you and will report its IP
  C. This command will detach ettercap from console and log all the sniffed passwords to a file
  D. This command broadcasts ping to scan the LAN instead of ARP request all the subset IPs
  C. This command will detach ettercap from console and log all the sniffed passwords to a file

  ---

  -L specifies that logging will be done to a binary file and s tells us it is running in script mode.

• Question 97:

  One of your junior administrator is concerned with Windows LM hashes and password cracking. In your discussion with them, which of the following are true statements that you would point out? Select the best answers.

  A. John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case.
  B. BY using NTLMV1, you have implemented an effective countermeasure to password cracking.
  C. SYSKEY is an effective countermeasure.
  D. If a Windows LM password is 7 characters or less, the hash will be passed with the following characters, in HEX- 00112233445566778899.
  E. Enforcing Windows complex passwords is an effective countermeasure.
  A. John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case.
  C. SYSKEY is an effective countermeasure.
  E. Enforcing Windows complex passwords is an effective countermeasure.

  ---

  John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case. John the Ripper is a very effective password cracker. It can crack passwords for many different types of operating systems. However, one limitation is that the output doesn't show if the password is upper or lower case. BY using NTLMV1, you have implemented an effective countermeasure to password cracking. NTLM Version 2 (NTLMV2) is a good countermeasure to LM password cracking (and therefore a correct answer). To do this, set Windows 9x and NT systems to "send NTLMv2 responses only". SYSKEY is an effective countermeasure. It uses 128 bit encryption on the local copy of the Windows SAM. If a Windows LM password is 7 characters or less, the has will be passed with the following characters: 0xAAD3B435B51404EE Enforcing Windows complex passwords is an effective countermeasure to password cracking. Complex passwords are- greater than 6 characters and have any 3 of the following 4 items: upper case, lower case, special characters, and numbers.

• Question 98:

  Destination unreachable administratively prohibited messages can inform the hacker to what?

  A. That a circuit level proxy has been installed and is filtering traffic
  B. That his/her scans are being blocked by a honeypot or jail
  C. That the packets are being malformed by the scanning software
  D. That a router or other packet-filtering device is blocking traffic
  E. That the network is functioning normally
  D. That a router or other packet-filtering device is blocking traffic

  ---

  Destination unreachable administratively prohibited messages are a good way to discover that a router or other low-level packet device is filtering traffic. Analysis of the ICMP message will reveal the IP address of the blocking device and the filtered port. This further adds the to the network map and information being discovered about the network and hosts.

• Question 99:

  If you perform a port scan with a TCP ACK packet, what should an OPEN port return?

  A. RST
  B. No Reply
  C. SYN/ACK
  D. FIN
  A. RST

  ---

  Open ports return RST to an ACK scan.

• Question 100:

  What is a sniffing performed on a switched network called?

  A. Spoofed sniffing
  B. Passive sniffing
  C. Direct sniffing
  D. Active sniffing
  D. Active sniffing