EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 201:

  _________ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.

  A. Trojan

  B. RootKit

  C. DoS tool

  D. Scanner

  E. Backdoor

  Correct Answer: B

  Rootkits are tools that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.

• Question 202:

  Exhibit

  

  You receive an e-mail with the message displayed in the exhibit. From this e-mail you suspect that this message was sent by some hacker since you have using their e- mail services for the last 2 years and they never sent out an e-mail as

  this. You also observe the URL in the message and confirm your suspicion about 340590649. You immediately enter the following at the Windows 2000 command prompt.

  ping 340590649

  You get a response with a valid IP address. What is the obstructed IP address in the e-mail URL?

  A. 192.34.5.9

  B. 10.0.3.4

  C. 203.2.4.5

  D. 199.23.43.4

  Correct Answer: C

  Convert the number in binary, then start from last 8 bits and convert them to decimal to get the last octet (in this case .5)

• Question 203:

  This kind of password cracking method uses word lists in combination with numbers and special characters:

  A. Hybrid

  B. Linear

  C. Symmetric

  D. Brute Force

  Correct Answer: A

  A Hybrid (or Hybrid Dictionary) Attack uses a word list that it modifies slightly to find passwords that are almost from a dictionary (like St0pid)

• Question 204:

  Which of the following is the primary objective of a rootkit?

  A. It opens a port to provide an unauthorized service

  B. It creates a buffer overflow

  C. It replaces legitimate programs

  D. It provides an undocumented opening in a program

  Correct Answer: C

  Actually the objective of the rootkit is more to hide the fact that a system has been compromised and the normal way to do this is by exchanging, for example, ls to a version that doesn't show the files and process implanted by the attacker.

• Question 205:

  Which of the following LM hashes represent a password of less than 8 characters? (Select 2)

  A. BA810DBA98995F1817306D272A9441BB

  B. 44EFCE164AB921CQAAD3B435B51404EE

  C. 0182BD0BD4444BF836077A718CCDF409

  D. CEC52EB9C8E3455DC2265B23734E0DAC

  E. B757BF5C0D87772FAAD3B435B51404EE

  F. E52CAC67419A9A224A3B108F3FA6CB6D

  Correct Answer: BE

  Notice the last 8 characters are the same

• Question 206:

  E-mail scams and mail fraud are regulated by which of the following?

  A. 18 U.S.C. par. 1030 Fraud and Related activity in connection with Computers

  B. 18 U.S.C. par. 1029 Fraud and Related activity in connection with Access Devices

  C. 18 U.S.C. par. 1362 Communication Lines, Stations, or Systems

  D. 18 U.S.C. par. 2510 Wire and Electronic Communications Interception and Interception of Oral Communication

  Correct Answer: A

  http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html

• Question 207:

  What is the algorithm used by LM for Windows2000 SAM ?

  A. MD4

  B. DES

  C. SHA

  D. SSL

  Correct Answer: B

  Okay, this is a tricky question. We say B, DES, but it could be A "MD4" depending on what their asking - Windows 2000/XP keeps users passwords not "apparently", but as hashes, i.e. actually as "check sum" of the passwords. Let's go into

  the passwords keeping at large. The most interesting structure of the complex SAM-file building is so called V-block. It's size is 32 bytes and it includes hashes of the password for the local entering: NT Hash of 16-byte length, and hash used

  during the authentication of access to the common resources of other computers LanMan Hash, or simply LM Hash, of the same 16-byte length.

  Algorithms of the formation of these hashes are following:

  NT Hash formation:

  LM Hash formation:

• Question 208:

  In the context of password security, a simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is. The brute force method is the most inclusive, although slow. It usually tries every possible letter and number combination in its automated exploration.

  If you would use both brute force and dictionary methods combined together to have variation of words, what would you call such an attack?

  A. Full Blown

  B. Thorough

  C. Hybrid

  D. BruteDics

  Correct Answer: C

  A combination of Brute force and Dictionary attack is called a Hybrid attack or Hybrid dictionary attack.

• Question 209:

  You are attempting to crack LM Manager hashed from Windows 2000 SAM file. You will be using LM Brute force hacking tool for decryption. What encryption algorithm will you be decrypting?

  A. MD4

  B. DES

  C. SHA

  D. SSL

  Correct Answer: B

  The LM hash is computed as follows.1. The user's password as an OEM string is converted to uppercase. 2. This password is either null-padded or truncated to 14 bytes. 3. The "fixed-length" password is split into two 7-byte halves. 4. These values are used to create two DES keys, one from each 7-byte half. 5. Each of these keys is used to DES-encrypt the constant ASCII string "KGS!@#$ %", resulting in two 8-byte ciphertext values. 6. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

• Question 210:

  A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in.

  What do you think is the most likely reason behind this?

  A. There is a NIDS present on that segment.

  B. Kerberos is preventing it.

  C. Windows logons cannot be sniffed.

  D. L0phtcrack only sniffs logons to web servers.

  Correct Answer: B

  In a Windows 2000 network using Kerberos you normally use pre-authentication and the user password never leaves the local machine so it is never exposed to the network so it should not be able to be sniffed.