EC-COUNCIL 312-50 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50 Online Questions & Answers

• Question 121:

  Why do you need to capture five to ten million packets in order to crack WEP with AirSnort?

  A. All IVs are vulnerable to attack
  B. Air Snort uses a cache of packets
  C. Air Snort implements the FMS attack and only encrypted packets are counted
  D. A majority of weak IVs transmitted by access points and wireless cards are not filtered by contemporary wireless manufacturers
  C. Air Snort implements the FMS attack and only encrypted packets are counted

  ---

  Since the summer of 2001, WEP cracking has been a trivial but time consuming process. A few tools, AirSnort perhaps the most famous, that implement the Fluhrer-Mantin-Shamir (FMS) attack were released to the security community -- who until then were aware of the problems with WEP but did not have practical penetration testing tools. Although simple to use, these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site estimates the total number of packets at five to ten million, but the number actually required may be higher than you think.

• Question 122:

  Bob reads an article about how insecure wireless networks can be. He gets approval from his management to implement a policy of not allowing any wireless devices on the network. What other steps does Bob have to take in order to successfully implement this? (Select 2 answer.)

  A. Train users in the new policy.
  B. Disable all wireless protocols at the firewall.
  C. Disable SNMP on the network so that wireless devices cannot be configured.
  D. Continuously survey the area for wireless devices.
  A. Train users in the new policy.
  D. Continuously survey the area for wireless devices.

  ---

  If someone installs a access point and connect it to the network there is no way to find it unless you are constantly surveying the area for wireless devices. SNMP and firewalls can not prevent the installation of wireless devices on the corporate network.

• Question 123:

  Exhibit: Given the following extract from the snort log on a honeypot, what do you infer from the attack?

  

  A. A new port was opened
  B. A new user id was created
  C. The exploit was successful
  D. The exploit was not successful
  D. The exploit was not successful

  ---

  The attacker submits a PASS to the honeypot and receives a login incorrect before disconnecting.

• Question 124:

  In the context of Windows Security, what is a 'null' user?

  A. A user that has no skills
  B. An account that has been suspended by the admin
  C. A pseudo account that has no username and password
  D. A pseudo account that was created for security administration purpose
  C. A pseudo account that has no username and password

  ---

  NULL sessions take advantage of "features" in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password.

  Using these NULL connections allows you to gather the following information from the host:* List of users and groups * List of machines * List of shares * Users and host SID' (Security Identifiers) NULL sessions exist in windows networking to

  allow: * Trusted domains to enumerate resources * Computers outside the domain to authenticate and enumerate users * The SYSTEM account to authenticate and enumerate resources

  NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003 will allow anonymous enumeration of shares, but not SAM accounts.

• Question 125:

  An attacker is attempting to telnet into a corporation's system in the DMZ. The attacker doesn't want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping2. He is still unable to connect to the target system.

  What is the most probable reason?

  A. The firewall is blocking port 23 to that system.
  B. He cannot spoof his IP and successfully use TCP.
  C. He needs to use an automated tool to telnet in.
  D. He is attacking an operating system that does not reply to telnet even when open.
  B. He cannot spoof his IP and successfully use TCP.

  ---

  Spoofing your IP will only work if you don't need to get an answer from the target system. In this case the answer (login prompt) from the telnet session will be sent to the "real" location of the IP address that you are showing as the connection initiator.

• Question 126:

  What is the proper response for a NULL scan if the port is closed?

  A. SYN
  B. ACK
  C. FIN
  D. PSH
  E. RST
  F. No response
  E. RST

  ---

  Closed ports respond to a NULL scan with a reset.

• Question 127:

  Rebecca is a security analyst and knows of a local root exploit that has the ability to enable local users to use available exploits to gain root privileges. This vulnerability exploits a condition in the Linux kernel within the execve() system call. There is no known workaround that exists for this vulnerability. What is the correct action to be taken by Rebecca in this situation as a recommendation to management?

  A. Rebecca should make a recommendation to disable the () system call
  B. Rebecca should make a recommendation to upgrade the Linux kernel promptly
  C. Rebecca should make a recommendation to set all child-process to sleep within the execve()
  D. Rebecca should make a recommendation to hire more system administrators to monitor all child processes to ensure that each child process can't elevate privilege
  B. Rebecca should make a recommendation to upgrade the Linux kernel promptly

• Question 128:

  What type of Virus is shown here?

  

  A. Cavity Virus
  B. Macro Virus
  C. Boot Sector Virus
  D. Metamorphic Virus
  E. Sparse Infector Virus
  E. Sparse Infector Virus

• Question 129:

  Stephanie works as senior security analyst for a manufacturing company in Detroit. Stephanie manages network security throughout the organization. Her colleague Jason told her in confidence that he was able to see confidential corporate information posted on the external website http://www.jeansclothesman.com. He tries random URLs on the company's website and finds confidential information leaked over the web. Jason says this happened about a month ago. Stephanie visits the said URLs, but she finds nothing. She is very concerned about this, since someone should be held accountable if there was sensitive information posted on the website.

  Where can Stephanie go to see past versions and pages of a website?

  A. She should go to the web page Samspade.org to see web pages that might no longer be on the website
  B. If Stephanie navigates to Search.com; she will see old versions of the company website
  C. Stephanie can go to Archive.org to see past versions of the company website
  D. AddressPast.com would have any web pages that are no longer hosted on the company's website
  C. Stephanie can go to Archive.org to see past versions of the company website

• Question 130:

  Sniffing is considered an active attack.

  A. True
  B. False
  B. False

  ---

  Sniffing is considered a passive attack.