EC-COUNCIL 312-50 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50 Online Questions & Answers

• Question 571:

  Global deployment of RFC 2827 would help mitigate what classification of attack?

  A. Sniffing attack
  B. Denial of service attack
  C. Spoofing attack
  D. Reconnaissance attack
  E. Prot Scan attack
  C. Spoofing attack

  ---

  RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

• Question 572:

  What happens during a SYN flood attack?

  A. TCP connection requests floods a target machine is flooded with randomized source address and ports for the TCP ports.
  B. A TCP SYN packet, which is a connection initiation, is sent to a target machine, giving the target host's address as both source and destination, and is using the same port on the target host as both source and destination.
  C. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field.
  D. A TCP packet is received with both the SYN and the FIN bits set in the flags field.
  A. TCP connection requests floods a target machine is flooded with randomized source address and ports for the TCP ports.

  ---

  To a server that requires an exchange of a sequence of messages. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message and then data can be exchanged. At the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message, there is a half- open connection. A data structure describing all pending connections is in memory of the server that can be made to overflow by intentionally creating too many partially open connections. Another common attack is the SYN flood, in which a target machine is flooded with TCP connection requests. The source addresses and source TCP ports of the connection request packets are randomized; the purpose is to force the target host to maintain state information for many connections that will never be completed. SYN flood attacks are usually noticed because the target host (frequently an HTTP or SMTP server) becomes extremely slow, crashes, or hangs. It's also possible for the traffic returned from the target host to cause trouble on routers; because this return traffic goes to the randomized source addresses of the original packets, it lacks the locality properties of "real" IP traffic, and may overflow route caches. On Cisco routers, this problem often manifests itself in the router running out of memory.

• Question 573:

  A Company security System Administrator is reviewing the network system log files. He notes the following: What should he assume has happened and what should he do about the situation?

  A. He should contact the attacker's ISP as soon as possible and have the connection disconnected.
  B. He should log the event as suspicious activity, continue to investigate, and take further steps according to site security policy.
  C. He should log the file size, and archive the information, because the router crashed.
  D. He should run a file system check, because the Syslog server has a self correcting file system problem.
  E. He should disconnect from the Internet discontinue any further unauthorized use, because an attack has taken place.
  B. He should log the event as suspicious activity, continue to investigate, and take further steps according to site security policy.

  ---

  You should never assume a host has been compromised without verification. Typically, disconnecting a server is an extreme measure and should only be done when it is confirmed there is a compromise or the server contains such sensitive data that the loss of service outweighs the risk. Never assume that any administrator or automatic process is making changes to a system. Always investigate the root cause of the change on the system and follow your organizations security policy.

• Question 574:

  Which of the following command line switch would you use for OS detection in Nmap?

  A. -D
  B. -O
  C. -P
  D. -X
  B. -O

  ---

  OS DETECTION: -O: Enable OS detection (try 2nd generation w/fallback to 1st) -O2: Only use the new OS detection system (no fallback) -O1: Only use the old (1st generation) OS detection system --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressively

• Question 575:

  Bob waits near a secured door, holding a box. He waits until an employee walks up to the secured door and uses the special card in order to access the restricted area of the target company. Just as the employee opens the door, Bob walks up to the employee (still holding the box) and asks the employee to hold the door open so that he can enter. What is the best way to undermine the social engineering activity of tailgating?

  A. issue special cards to access secured doors at the company and provide a one-time only brief description of use of the special card
  B. to post a sign that states "no tailgating" next to the special card reader adjacent to the secured door
  C. setup a mock video camera next to the special card reader adjacent to the secured door
  D. to educate all of the employees of the company on best security practices on a recurring basis
  D. to educate all of the employees of the company on best security practices on a recurring basis

  ---

  Tailgating will not work in small company's where everyone knows everyone, and neither will it work in very large companies where everyone is required to swipe a card to pass, but it's a very simple and effective social engineering attack against mid-sized companies where it's common for one employee not to know everyone. There is two ways of stop this attack either by buying expensive perimeter defense in form of gates that only let on employee pass at every swipe of a card or by educating every employee on a recurring basis.

• Question 576:

  Exhibit: You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply?

  

  A. ip = 10.0.0.22
  B. ip.src == 10.0.0.22
  C. ip.equals 10.0.0.22
  D. ip.address = 10.0.0.22
  B. ip.src == 10.0.0.22

  ---

  ip.src tells the filter to only show packets with 10.0.0.22 as the source.

• Question 577:

  Your boss is attempting to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. What would you call such an attack?

  A. SQL Input attack
  B. SQL Piggybacking attack
  C. SQL Select attack
  D. SQL Injection attack
  D. SQL Injection attack

  ---

  This technique is known as SQL injection attack

• Question 578:

  Which tool/utility can help you extract the application layer data from each TCP connection from a log file into separate files?

  A. Snort
  B. argus
  C. TCPflow
  D. Tcpdump
  C. TCPflow

  ---

  Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

• Question 579:

  What command would you type to OS fingerprint a server using the command line?

  

  A. Option A
  B. Option B
  C. Option C
  D. Option D
  C. Option C

• Question 580:

  Matthew re-injects a captured wireless packet back onto the network. He does this hundreds of times within a second. The packet is correctly encrypted and Matthew assumes it is an ARP request packet. The wireless host responds with a

  stream of responses, all individually encrypted with different IVs.

  What is this attack most appropriately called?

  A. Spoof Attack
  B. Replay Attack
  C. Inject Attack
  D. Rebound Attack
  B. Replay Attack

  ---

  A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it.