EC-COUNCIL 312-50 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50 Online Questions & Answers

• Question 261:

  You have successfully gained access to a victim's computer using Windows 2003 Server SMB Vulnerability. Which command will you run to disable auditing from the cmd?

  A. stoplog stoplog ?
  B. EnterPol /nolog
  C. EventViewer o service
  D. auditpol.exe /disable
  D. auditpol.exe /disable

• Question 262:

  You have been called to investigate a sudden increase in network traffic at company. It seems that the traffic generated was too heavy that normal business functions could no longer be rendered to external employees and clients. After a

  quick investigation, you find that the computer has services running attached to TFN2k and Trinoo software. What do you think was the most likely cause behind this sudden increase in traffic?

  A. A distributed denial of service attack.
  B. A network card that was jabbering.
  C. A bad route on the firewall.
  D. Invalid rules entry at the gateway.
  A. A distributed denial of service attack.

  ---

  In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB). TFN2K and Trinoo are tools used for conducting DDos attacks.

• Question 263:

  Sara is using the nslookup command to craft queries to list all DNS information (such as Name Servers, host names, MX records, CNAME records, glue records (delegation for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain. What do you think Sara is trying to accomplish? Select the best answer.

  A. A zone harvesting
  B. A zone transfer
  C. A zone update
  D. A zone estimate
  B. A zone transfer

  ---

  The zone transfer is the method a secondary DNS server uses to update its information from the primary DNS server. DNS servers within a domain are organized using a master-slave method where the slaves get updated DNS information from the master DNS. One should configure the master DNS server to allow zone transfers only from secondary (slave) DNS servers but this is often not implemented. By connecting to a specific DNS server and successfully issuing the ls d domain-name > file-name you have initiated a zone transfer.

• Question 264:

  Bob has set up three web servers on Windows Server 2003 IIS 6.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of this server because of the potential for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network.

  Why will this not be possible?

  A. Firewalls can't inspect traffic coming through port 443
  B. Firewalls can only inspect outbound traffic
  C. Firewalls can't inspect traffic coming through port 80
  D. Firewalls can't inspect traffic at all, they can only block or allow certain ports
  D. Firewalls can't inspect traffic at all, they can only block or allow certain ports

  ---

  In order to really inspect traffic and traffic patterns you need an IDS.

• Question 265:

  Jack Hacker wants to break into company's computers and obtain their secret double fudge cookie recipe. Jacks calls Jane, an accountant at company pretending to be an administrator from company. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him "just to double check our records". Jane does not suspect anything amiss, and parts with her password. Jack can now access company's computers with a valid user name and password, to steal the cookie recipe.

  What kind of attack is being illustrated here? (Choose the best answer)

  A. Reverse Psychology
  B. Reverse Engineering
  C. Social Engineering
  D. Spoofing Identity
  E. Faking Identity
  C. Social Engineering

  ---

  This is a typical case of pretexting. Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone.

• Question 266:

  _____ ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. It secures information by assigning sensitivity labels on information and comparing this to the level of security a user is operating at.

  A. Mandatory Access Control
  B. Authorized Access Control
  C. Role-based Access Control
  D. Discretionary Access Control
  A. Mandatory Access Control

  ---

  In computer security, mandatory access control (MAC) is a kind of access control, defined by the TCSEC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity."

• Question 267:

  Mark works as a contractor for the Department of Defense and is in charge of network security. He has spent the last month securing access to his network from all possible entry points. He has segmented his network into several subnets and has installed firewalls all over the network. He has placed very stringent rules on all the firewalls, blocking everything in and out except ports that must be used. He does need to have port 80 open since his company hosts a website that must be accessed from the Internet. Mark is fairly confident of his perimeter defense, but is still worried about programs like Hping2 that can get into a network through convert channels.

  How should mark protect his network from an attacker using Hping2 to scan his internal network?

  A. Blocking ICMP type 13 messages
  B. Block All Incoming traffic on port 53
  C. Block All outgoing traffic on port 53
  D. Use stateful inspection on the firewalls
  A. Blocking ICMP type 13 messages

  ---

  An ICMP type 13 message is an ICMP timestamp request and waits for an ICMP timestamp reply. The remote node is right to do, still it would not be necessary as it is optional and thus many ip stacks ignore such packets. Nevertheless, nmap again achived to make its packets unique by setting the originating timestamp field in the packet to 0.

• Question 268:

  Say that "abigcompany.com" had a security vulnerability in the javascript on their website in the past. They recently fixed the security vulnerability, but it had been there for many months. Is there some way to 4go back and see the code for that error? Select the best answer.

  A. archive.org
  B. There is no way to get the changed webpage unless you contact someone at the company
  C. Usenet
  D. Javascript would not be in their html so a service like usenet or archive wouldn't help you
  A. archive.org

  ---

  Archive.org is a website that periodically archives internet content. They have archives of websites over many years. It could be used to go back and look at the javascript as javascript would be in the HTML code.

• Question 269:

  A simple compiler technique used by programmers is to add a terminator 'canary word' containing four letters NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff) so that most string operations are terminated. If the canary word has been altered when the function returns, and the program responds by emitting an intruder alert into syslog, and then halts what does it indicate?

  A. The system has crashed
  B. A buffer overflow attack has been attempted
  C. A buffer overflow attack has already occurred
  D. A firewall has been breached and this is logged
  E. An intrusion detection system has been triggered
  B. A buffer overflow attack has been attempted

  ---

  Terminator Canaries are based on the observation that most buffer overflows and stack smash attacks are based on certain string operations which end at terminators. The reaction to this observation is that the canaries are built of NULL terminators, CR, LF, and -1. The undesirable result is that the canary is known.

• Question 270:

  ETHER: Destination address : 0000BA5EBA11 ETHER: Source address :

  00A0C9B05EBD ETHER: Frame Length : 1514 (0x05EA) ETHER: Ethernet Type :

  0x0800 (IP) IP: Version = 4 (0x4) IP: Header Length = 20 (0x14) IP:

  Service Type = 0 (0x0) IP: Precedence = Routine IP: ...0.... = Normal Delay IP: ....0... = Normal Throughput IP: .....0.. = Normal Reliability IP: Total Length = 1500 (0x5DC) IP: Identification = 7652 (0x1DE4) IP: Flags Summary = 2 (0x2)

  IP: .......0 = Last fragment in datagram IP: ......1. = Cannot fragment datagram IP:

  Fragment Offset = (0x0) bytes IP: Time to Live = 127 (0x7F) IP: Protocol = TCP - Transmission Control IP: Checksum = 0xC26D IP: Source Address = 10.0.0.2 IP:

  Destination Address = 10.0.1.201 TCP: Source Port = Hypertext Transfer Protocol TCP: Destination Port = 0x1A0B TCP: Sequence Number = 97517760 (0x5D000C0) TCP: Acknowledgement Number = 78544373 (0x4AE7DF5) TCP:

  Data Offset = 20 (0x14) TCP: Reserved = 0 (0x0000) TCP: Flags = 0x10 : .A.... TCP: ..0..... = No urgent data TCP: ...1.... = Acknowledgement field significant TCP: ....0... = No Push function TCP:

  .....0.. = No Reset TCP: ......0. = No Synchronize TCP: .......0 = No Fin TCP: Window = 28793 (0x7079) TCP: Checksum = 0x8F27 TCP: Urgent Pointer = 0 (0x0) An employee wants to defeat detection by a network-based IDS application. He

  does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application?

  A. Create a SYN flood
  B. Create a network tunnel
  C. Create multiple false positives
  D. Create a ping flood
  B. Create a network tunnel

  ---

  Certain types of encryption presents challenges to network-based intrusion detection and may leave the IDS blind to certain attacks, where a host-based IDS analyzes the data after it has been decrypted.