EC-COUNCIL 312-50 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50 Online Questions & Answers

• Question 551:

  home/root # traceroute www.targetcorp.com traceroute to www.targetcorp.com (192.168.12.18), 64 hops may, 40 byte packets 1 router.anon.com (192.13.212.254) 1.373 ms 1.123 ms 1.280 ms 2 192.13.133.121 (192.13.133.121) 3.680 ms 3.506 ms 4.583 ms 3 firewall.anon.com (192.13.192.17) 127.189 ms 257.404 ms 208.484 ms 4 anon-gw.anon.com

  (192.93.144.89) 471.68 ms 376.875 ms 228.286 ms 5 fe5-0.lin.isp.com (192.162.231.225) 2.961 ms 3.852 ms 2.974 ms 6 fe0-0.lon0.isp.com (192.162.231.234) 3.979 ms 3.243 ms 4.370 ms 7 192.13.133.5 (192.13.133.5) 11.454 ms 4.221

  ms 3.333 ms 6 * * *

  7 * * *

  8 www.targetcorp.com (192.168.12.18) 5.392 ms 3.348 ms 3.199 ms

  Use the traceroute results shown above to answer the following question:

  The perimeter security at targetcorp.com does not permit ICMP TTL-expired packets out.

  A. True
  B. False
  A. True

  ---

  As seen in the exhibit there is 2 registrations with timeout, this tells us that the firewall filters packets where the TTL has reached 0, when you continue with higher starting values for TTL you will get an answer from the target of the traceroute.

• Question 552:

  Web servers are often the most targeted and attacked hosts on organizations' networks. Attackers may exploit software bugs in the Web server, underlying operating system, or active content to gain unauthorized access.

  

  Identify the correct statement related to the above Web Server installation?

  A. Lack of proper security policy, procedures and maintenance
  B. Bugs in server software, OS and web applications
  C. Installing the server with default settings
  D. Unpatched security flaws in the server software, OS and applications
  C. Installing the server with default settings

• Question 553:

  Exhibit

  

  (Note: the student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)

  Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds it to be abnormal. If you were the penetration tester, why would you find this abnormal?

  What is odd about this attack? Choose the best answer.

  A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
  B. This is back orifice activity as the scan comes form port 31337.
  C. The attacker wants to avoid creating a sub-carries connection that is not normally valid.
  D. These packets were crafted by a tool, they were not created by a standard IP stack.
  B. This is back orifice activity as the scan comes form port 31337.

  ---

  Port 31337 is normally used by Back Orifice. Note that 31337 is hackers spelling of `elite', meaning `elite hackers'.

• Question 554:

  Gerald, the systems administrator for Hyped Enterprise, has just discovered that his network has been breached by an outside attacker. After performing routine maintenance on his servers, his discovers numerous remote tools were installed that no one claims to have knowledge of in his department.

  Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Gerald traces the IP address he found in the IDS log to proxy server in Brazil.

  Gerald calls the company that owns the proxy server and after searching through their logs, they trace the source to another proxy server in Switzerland. Gerald calls the company in Switzerland that owns the proxy server and after scanning through the logs again, they trace the source back to a proxy server in China.

  What tool Geralds's attacker used to cover their tracks?

  A. Tor
  B. ISA
  C. IAS
  D. Cheops
  A. Tor

  ---

  Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).

• Question 555:

  Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. This time she envisages using a different kind of method to attack Brownies Inc. Eve tries to forge the packets and uses the broadcast address. She launches an attack similar to that of fraggle. What is the technique that Eve used in the case above?

  A. Smurf
  B. Bubonic
  C. SYN Flood
  D. Ping of Death
  A. Smurf

  ---

  A fraggle attack is a variation of the smurf attack for denial of service in which the attacker sends spoofed UDP packets instead of ICMP echo reply (ping) packets to the broadcast address of a large network.

• Question 556:

  What tool can crack Windows SMB passwords simply by listening to network traffic? Select the best answer.

  A. This is not possible
  B. Netbus
  C. NTFSDOS
  D. L0phtcrack
  D. L0phtcrack

  ---

  This is possible with a SMB packet capture module for L0phtcrack and a known weaknesses in the LM hash algorithm.

• Question 557:

  Nathan is testing some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches. If these switches' ARP cache is successfully flooded, what will be the result?

  A. The switches will drop into hub mode if the ARP cache is successfully flooded.
  B. If the ARP cache is flooded, the switches will drop into pix mode making it less susceptible to attacks.
  C. Depending on the switch manufacturer, the device will either delete every entry in its ARP cache or reroute packets to the nearest switch.
  D. The switches will route all traffic to the broadcast address created collisions.
  A. The switches will drop into hub mode if the ARP cache is successfully flooded.

• Question 558:

  When Jason moves a file via NFS over the company's network, you want to grab a copy of it by sniffing. Which of the following tool accomplishes this?

  A. macof
  B. webspy
  C. filesnarf
  D. nfscopy
  C. filesnarf

  ---

  Filesnarf - sniff files from NFS traffic

  OPTIONS

  -i interface

  Specify the interface to listen on.

  -v "Versus" mode. Invert the sense of matching, to

  select non-matching files.

  pattern

  Specify regular expression for filename matching.

  expression

  Specify a tcpdump(8) filter expression to select

  traffic to sniff.

  SEE ALSO

  Dsniff, nfsd

• Question 559:

  You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS streaming. Which command would you execute to extract the Trojan to a standalone file?

  A. c:\> type readme.txt:virus.exe > virus.exe
  B. c:\> more readme.txt | virus.exe > virus.exe
  C. c:\> cat readme.txt:virus.exe > virus.exe
  D. c:\> list redme.txt$virus.exe > virus.exe
  C. c:\> cat readme.txt:virus.exe > virus.exe

  ---

  cat will concatenate, or write, the alternate data stream to its own file named virus.exe

• Question 560:

  Symmetric encryption algorithms are known to be fast but present great challenges on the key management side. Asymmetric encryption algorithms are slow but allow communication with a remote host without having to transfer a key out of band or in person. If we combine the strength of both crypto systems where we use the symmetric algorithm to encrypt the bulk of the data and then use the asymmetric encryption system to encrypt the symmetric key, what would this type of usage be known as?

  A. Symmetric system
  B. Combined system
  C. Hybrid system
  D. Asymmetric system
  C. Hybrid system

  ---

  Because of the complexity of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes. As a result, public- key cryptosystems are commonly "hybrid" systems, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Similarly, hybrid signature schemes are often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed.