312-50 Exam Details

  • Exam Code: 312-50
  • Exam Name: Certified Ethical Hacker
  • Certification: EC-COUNCIL Certifications
  • Vendor: EC-COUNCIL
  • Total Questions: 765 Q&As
  • Last Updated: May 31, 2026

EC-COUNCIL 312-50 Online Questions & Answers

  • Question 321:

    John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the logfiles to investigate the attack.

    Take a look at the following Linux logfile snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here?

    [root@apollo /]# rm rootkit.c
    [root@apollo /]#
    [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm - rf /root/ .bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd
    359 ? 00:00:00 inetd
    rm: cannot remove `/tmp/h': No such file or directory
    rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory
    [root@apollo /]# ps -aux | grep portmap
    [root@apollo /]#
    [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/ .bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd
    rm: cannot remove `/sbin/portmap': No such file or directory
    rm: cannot remove `/tmp/h': No such file or directory
    >rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory
    [root@apollo /]# rm: cannot remove `/sbin/portmap': No such file or directory

    A. The hacker is planting a rootkit
    B. The hacker is trying to cover his tracks
    C. The hacker is running a buffer overflow exploit to lock down the system
    D. The hacker is attempting to compromise more machines on the network

  • Question 322:

    James is an IT security consultant as well as a certified ethical hacker. James has been asked to audit the network security of Yerta Manufacturing, a tool manufacturing company in Phoenix. James performs some initial external tests and then begins testing the security from inside the company's network.

    James finds some big problems right away: a number of users working on Windows XP computers have saved the usernames and passwords they use to connect to servers on the network. This way, those users do not have to type in their credentials every time they want access to a server. James tells the IT manager of Yerta Manufacturing about this, and the manager does not believe this is possible on Windows XP. To prove his point, James has a user log on to a computer and then James types in a command that brings up a window that says "Stored User Names and Passwords".

    What command did James type in to get this window to come up?

    A. To bring up this stored user names and passwords window, James typed in "rundll32.exe storedpwd.dll, ShowWindow"
    B. James had to type in "rundll32.exe keymgr.dll, KRShowKeyMgr" to get the window to pop up
    C. James typed in the command "rundll32.exe storedpwd.dll" to get the Stored User Names and Passwords window to come up
    D. The command to bring up this window is "KRShowKeyMgr"

  • Question 323:

    Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threats, but it does not secure the application from coding errors. It can provide data privacy and integrity and enable strong authentication, but it cannot mitigate programming errors.

    What is a good example of a programming error that Bob can use to illustrate to the management that encryption will not address all of their security concerns?

    A. Bob can explain that a random generator can be used to derive cryptographic keys but it uses a weak seed value and it is a form of programming error.
    B. Bob can explain that by using passwords to derive cryptographic keys it is a form of a programming error.
    C. Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique.
    D. Bob can explain that by using a weak key management technique it is a form of programming error.

  • Question 324:

    Exhibit:

    The following is an entry captured by a network IDS. You are assigned the task of analyzing this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that the attacker is attempting a buffer overflow attack. You also notice "/bin/sh" in the ASCII part of the output.

    As an analyst what would you conclude about the attack?

    A. The buffer overflow attack has been neutralized by the IDS
    B. The attacker is creating a directory on the compromised machine
    C. The attacker is attempting a buffer overflow attack and has succeeded
    D. The attacker is attempting an exploit that launches a command-line shell

  • Question 325:

    Jim's organization has just completed a major Linux rollout, and now all of the organization's systems are running the Linux 2.5 kernel. The rollout expenses have posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ.

    Which built-in functionality of Linux can achieve this?

    A. IP Tables
    B. IP Chains
    C. IP Sniffer
    D. IP ICMP

  • Question 326:

    Attacking well-known system defaults is one of the most common hacker attacks. Most software is shipped with a default configuration that makes it easy to install and set up the application. You should change the default settings to secure the system.

    Which of the following is NOT an example of default installation?

    A. Many systems come with default user accounts with well-known passwords that administrators forget to change
    B. Often, the default location of installation files can be exploited which allows a hacker to retrieve a file from the system
    C. Many software packages come with "samples" that can be exploited, such as the sample programs on IIS web services
    D. Enabling firewall and anti-virus software on the local system

  • Question 327:

    What are the two basic types of attacks? (Choose two.)

    A. DoS
    B. Passive
    C. Sniffing
    D. Active
    E. Cracking

  • Question 328:

    Which Steganography technique uses Whitespace to hide secret messages?

    A. snow
    B. beetle
    C. magnet
    D. cat

  • Question 329:

    When writing shellcodes, you must avoid _________________ because these will end the string.

    A. Null Bytes
    B. Root Bytes
    C. Char Bytes
    D. Unicode Bytes

  • Question 330:

    Which of the following is NOT part of CEH Scanning Methodology?

    A. Check for Live systems
    B. Check for Open Ports
    C. Banner Grabbing
    D. Prepare Proxies
    E. Social Engineering attacks
    F. Scan for Vulnerabilities
    G. Draw Network Diagrams
