EC-COUNCIL 312-50 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50 Online Questions & Answers

• Question 651:

  You are performing a port scan with nmap. You are in hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results?

  A. XMAS scan
  B. Stealth scan
  C. Connect scan
  D. Fragmented packet scan
  C. Connect scan

  ---

  A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection.

• Question 652:

  Fred is the network administrator for his company. Fred is testing an internal switch. From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this?

  A. Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of his computer.
  B. He can send an IP packet with the SYN bit and the source address of his computer.
  C. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch.
  D. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.
  D. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.

• Question 653:

  Study the snort rule given below and interpret the rule.

  alert tcp any any --> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)

  A. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet
  B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet
  C. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111
  D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111
  D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

  ---

  Refer to the online documentation on creating Snort rules at http://snort.org/docs/snort_htmanuals/htmanual_261/node147.html

• Question 654:

  The SNMP Read-Only Community String is like a password. The string is sent along with each SNMP Get-Request and allows (or denies) access to a device. Most network vendors ship their equipment with a default password of "public". This is the so-called "default public community string". How would you keep intruders from getting sensitive information regarding the network devices using SNMP? (Select 2 answers)

  A. Enable SNMPv3 which encrypts username/password authentication
  B. Use your company name as the public community string replacing the default 'public'
  C. Enable IP filtering to limit access to SNMP device
  D. The default configuration provided by device vendors is highly secure and you don't need to change anything
  A. Enable SNMPv3 which encrypts username/password authentication
  C. Enable IP filtering to limit access to SNMP device

• Question 655:

  In Trojan terminology, what is required to create the executable file chess.exe as shown below?

  

  A. Mixer
  B. Converter
  C. Wrapper
  D. Zipper
  C. Wrapper

• Question 656:

  Frederickson Security Consultants is currently conducting a security audit on the networks of Hawthorn Enterprises, a contractor for the Department of Defense. Since Hawthorn Enterprises conducts business daily with the federal government, they must abide by very stringent security policies. Frederickson is testing all of Hawthorn's physical and logical security measures including biometrics, passwords, and permissions. The federal government requires that all users must utilize random, non-dictionary passwords that must take at least 30 days to crack. Frederickson has confirmed that all Hawthorn employees use a random password generator for their network passwords. The Frederickson consultants have saved off numerous SAM files from Hawthorn's servers using Pwdump6 and are going to try and crack the network passwords. What method of attack is best suited to crack these passwords in the shortest amount of time?

  A. Brute force attack
  B. Birthday attack
  C. Dictionary attack
  D. Brute service attack
  A. Brute force attack

• Question 657:

  Bank of Timbuktu was a medium-sized, regional financial institution in Timbuktu. The bank has deployed a new Internet-accessible Web application recently, using which customers could access their account balances, transfer money between accounts, pay bills and conduct online financial business using a Web browser.

  John Stevens was in charge of information security at Bank of Timbuktu. After one month in production, several customers complained about the Internet enabled banking application. Strangely, the account balances of many bank's customers has been changed! However, money hadn't been removed from the bank. Instead, money was transferred between accounts. Given this attack profile, John Stevens reviewed the Web application's logs and found the following entries:

  Attempted login of unknown user: John Attempted login of unknown user: sysaR Attempted login of unknown user: sencat Attempted login of unknown user: pete `'; Attempted login of unknown user: ` or 1=1-Attempted login of unknown user: `; drop table logins-- Login of user jason, sessionID= 0x75627578626F6F6B Login of user daniel, sessionID= 0x98627579539E13BE Login of user rebecca, sessionID= 0x90627579944CCB811 Login of user mike, sessionID= 0x9062757935FB5C64 Transfer Funds user jason Pay Bill user mike Logout of user mike

  What kind of attack did the Hacker attempt to carry out at the bank? (Choose the best answer)

  A. The Hacker attempted SQL Injection technique to gain access to a valid bank login ID.
  B. The Hacker attempted Session hijacking, in which the Hacker opened an account with the bank, then logged in to receive a session ID, guessed the next ID and took over Jason's session.
  C. The Hacker attempted a brute force attack to guess login ID and password using password cracking tools.
  D. The Hacker used a random generator module to pass results to the Web server and exploited Web application CGI vulnerability.
  A. The Hacker attempted SQL Injection technique to gain access to a valid bank login ID.

  ---

  The following part:

  Attempted login of unknown user: pete `';

  Attempted login of unknown user: ` or 1=1-Attempted login of unknown user: `; drop table logins-- Clearly shows a hacker trying to perform a SQL injection by bypassing the login with the statement 1=1 and then dumping the logins table.

• Question 658:

  Bill has started to notice some slowness on his network when trying to update his company's website while trying to access the website from the Internet. Bill asks the help desk manager if he has received any calls about slowness from the end users, but the help desk manager says that he has not. Bill receives a number of calls from customers that can't access the company website and can't purchase anything online. Bill logs on to a couple of this routers and notices that the logs shows network traffic is at all time high. He also notices that almost all the traffic is originating from a specific address.

  Bill decides to use Geotrace to find out where the suspect IP is originates from. The Geotrace utility runs a traceroute and finds that IP is coming from Panama. Bill knows that none of his customers are in Panama so he immediately thinks that his company is under a Denial of Service attack. Now Bill needs to find out more about the originating IP Address.

  What Internet registry should Bill look in to find the IP Address?

  A. LACNIC
  B. ARIN
  C. RIPELACNIC
  D. APNIC
  A. LACNIC

  ---

  LACNIC is the Latin American and Caribbean Internet Addresses Registry that administers IP addresses, autonomous system numbers, reverse DNS, and other network resources for that region.

• Question 659:

  John wants to try a new hacking tool on his Linux System. As the application comes from a site in his untrusted zone, John wants to ensure that the downloaded tool has not been Trojaned. Which of the following options would indicate the best course of action for John?

  A. Obtain the application via SSL
  B. Obtain the application from a CD-ROM disc
  C. Compare the files' MD5 signature with the one published on the distribution media
  D. Compare the file's virus signature with the one published on the distribution media
  C. Compare the files' MD5 signature with the one published on the distribution media

  ---

  In essence, MD5 is a way to verify data integrity, and is much more reliable than checksum and many other commonly used methods.

• Question 660:

  What does FIN in TCP flag define?

  A. Used to close a TCP connection
  B. Used to abort a TCP connection abruptly
  C. Used to indicate the beginning of a TCP connection
  D. Used to acknowledge receipt of a previous packet or transmission
  A. Used to close a TCP connection

  ---

  The FIN flag stands for the word FINished. This flag is used to tear down the virtual connections created using the previous flag (SYN), so because of this reason, the FIN flag always appears when the last packets are exchanged between a connection.