312-50 Exam Details

  • Exam Code: 312-50
  • Exam Name: Certified Ethical Hacker
  • Certification: EC-COUNCIL Certifications
  • Vendor: EC-COUNCIL
  • Total Questions: 765 Q&As
  • Last Updated: May 31, 2026

EC-COUNCIL 312-50 Online Questions & Answers

  • Question 191:

    What is the disadvantage of an automated vulnerability assessment tool?

    A. Ineffective
    B. Slow
    C. Prone to false positives
    D. Prone to false negatives
    E. Noisy

  • Question 192:

    A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers.

    A. Use port security on his switches.
    B. Use a tool like ARPwatch to monitor for strange ARP activity.
    C. Use a firewall between all LAN segments.
    D. If you have a small network, use static ARP entries.
    E. Use only static IP addresses on all PCs.

  • Question 193:

    The SYN Flood attack sends TCP connection requests faster than a machine can process them.

    The attacker creates a random source address for each packet. The SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address. The victim responds to the spoofed IP address, then waits for confirmation that never arrives (timeout wait is about 3 minutes). The victim's connection table fills up waiting for replies and ignores new connections. Legitimate users are ignored and will not be able to access the server.

    How do you protect your network against SYN Flood attacks?

    A. SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the client's IP address, port number, and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus the server first allocates memory on the third packet of the handshake, not the first.
    B. RST cookies. The server sends a wrong SYN|ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally.
    C. Micro Blocks. Instead of allocating a complete connection, simply allocate a micro-record of 16 bytes for the incoming SYN object.
    D. Stack Tweaking. TCP can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection.

  • Question 194:

    Which of the following is not considered to be a part of active sniffing?

    A. MAC Flooding
    B. ARP Spoofing
    C. SMAC Fueling
    D. MAC Duplicating

  • Question 195:

    Name two software tools used for OS guessing. (Choose two.)

    A. Nmap
    B. Snadboy
    C. Queso
    D. UserInfo
    E. NetBus

  • Question 196:

    Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position.

    Harold is currently trying to run a sniffer on the agency's network to get an idea of what kind of traffic is being passed around, but the program he is using does not seem to be capturing anything. He pores through the sniffer's manual but can't find anything that directly relates to his problem. Harold decides to ask the network administrator if he has any thoughts on the problem. Harold is told that the sniffer was not working because the agency's network is a switched network, which can't be sniffed by some programs without some tweaking.

    What technique could Harold use to sniff the agency's switched network?

    A. ARP spoof the default gateway
    B. Conduct MiTM against the switch
    C. Launch smurf attack against the switch
    D. Flood switch with ICMP packets

  • Question 197:

    How do you defend against a DHCP starvation attack?

    A. Enable ARP-Block on the switch
    B. Enable DHCP snooping on the switch
    C. Configure DHCP-BLOCK to 1 on the switch
    D. Install DHCP filters on the switch to block this attack

  • Question 198:

    What techniques would you use to evade IDS during a Port Scan? (Select 4 answers)

    A. Use fragmented IP packets
    B. Spoof your IP address when launching attacks and sniff responses from the server
    C. Overload the IDS with junk traffic to mask your scan
    D. Use source routing (if possible)
    E. Connect to proxy servers or compromised Trojaned machines to launch attacks

  • Question 199:

    Hampton is the senior security analyst for the city of Columbus in Ohio. His primary responsibility is to ensure that all physical and logical aspects of the city's computer network are secure from all angles. Bill is an IT technician who works with Hampton in the same IT department. Bill's primary responsibility is to keep PCs and servers up to date and to keep track of all the agency laptops that the company owns and lends out to its employees. After Bill set up a wireless network for the agency, Hampton made sure that everything was secure. He instituted encryption, rotating keys, turned off SSID broadcasting, and enabled MAC filtering. According to agency policy, only company laptops are allowed to use the wireless network, so Hampton entered all the MAC addresses for those laptops into the wireless security utility so that only those laptops should be able to access the wireless network.

    Hampton does not keep track of all the laptops, but he is pretty certain that the agency only purchases Dell laptops. Hampton is curious about this because he notices Bill working on a Toshiba laptop one day and saw that he was on the Internet. Instead of jumping to conclusions, Hampton decides to talk to Bill's boss and see if they had purchased a Toshiba laptop instead of the usual Dell. Bill's boss said no, so now Hampton is very curious to see how Bill is accessing the Internet. Hampton does site surveys every couple of days, and has yet to see any outside wireless network signals inside the company's building.

    How was Bill able to get Internet access without using an agency laptop?

    A. Bill spoofed the MAC address of a Dell laptop
    B. Bill connected to a Rogue access point
    C. Toshiba and Dell laptops share the same hardware address
    D. Bill brute forced the MAC address ACLs

  • Question 200:

    What sequence of packets is sent during the initial TCP three-way handshake?

    A. SYN, URG, ACK
    B. FIN, FIN-ACK, ACK
    C. SYN, ACK, SYN-ACK
    D. SYN, SYN-ACK, ACK
