EC-COUNCIL 312-50V12 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V12 Online Questions & Answers

• Question 131:

  You are an ethical hacker contracted to conduct a security audit for a company. During the audit, you discover that the company's wireless network is using WEP encryption. You understand the vulnerabilities associated with WEP and plan to recommend a more secure encryption method. Which of the following would you recommend as a Suitable replacement to enhance the security of the company's wireless network?

  A. MAC address filtering
  B. WPA2-PSK with AES encryption
  C. Open System authentication
  D. SSID broadcast disabling
  B. WPA2-PSK with AES encryption

  ---

  Explanation/Reference:

  encryption is an outdated and insecure method of protecting wireless networks from unauthorized access and eavesdropping. WEP uses a static key that can be easily cracked by various tools and techniques, such as capturing the initialization vectors, brute-forcing the key, or exploiting the weak key scheduling algorithm. Therefore, you should recommend a more secure encryption method to enhance the security of the company's wireless network. One of the most suitable replacements for WEP encryption is WPA2-PSK with AES encryption. WPA2 stands for Wi-Fi Protected Access 2, which is a security standard that improves upon the previous WPA standard. WPA2 uses a robust encryption algorithm called AES, which stands for Advanced Encryption Standard. AES is a block cipher that uses a 128-bit key and is considered to be very secure and resistant to attacks. WPA2-PSK stands for WPA2 Pre-Shared Key, which is a mode of WPA2 that uses a passphrase or a password to generate the encryption key. The passphrase or password must be entered by the users who want to connect to the wireless network. The key is then derived from the passphrase or password using a function called PBKDF2, which stands for Password-Based Key Derivation Function 2. PBKDF2 adds a salt and a number of iterations to the passphrase or password to make it harder to crack. WPA2-PSK with AES encryption offers several advantages over WEP encryption, such as: It uses a dynamic key that changes with each session, instead of a static key that remains the same. It uses a stronger encryption algorithm that is more difficult to break, instead of a weaker encryption algorithm that is more vulnerable to attacks. It uses a longer key that provides more security, instead of a shorter key that provides less security. It uses a more secure key derivation function that adds complexity and randomness, instead of a simple key generation function that is predictable and flawed. Therefore, you should recommend WPA2-PSK with AES encryption as a suitable replacement to enhance the security of the company's wireless network. References: Wireless Security - Encryption - Online Tutorials Library WiFi Security: WEP, WPA, WPA2, WPA3 And Their Differences - NetSpot WPA2-PSK (Wi-Fi Protected Access 2 Pre-Shared Key)

• Question 132:

  A penetration tester is tasked with gathering information about the subdomains of a target organization's website. The tester needs a versatile and efficient solution for the task. Which of the following options would be the most effective method to accomplish this goal?

  A. Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT
  B. Analyzing Linkedin profiles to find employees of the target company and their job titles
  C. Utilizing the Harvester tool to extract email addresses related to the target domain using a search engine like Google or Bing
  D. Using a people search service, such as Spokeo or Intelius, to gather information about the employees of the target organization
  A. Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT

  ---

  Explanation/Reference:

  Employing a tool like Sublist3r, which is designed to enumerate the subdomains of websites using OSINT, would be the most effective method to accomplish this goal. This option works as follows:

  Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT (Open Source Intelligence). It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r

  enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS. Subbrute was integrated

  with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist.

  By using Sublist3r, the tester can quickly and efficiently discover the subdomains of the target organization's website, which can provide valuable information about the network structure, the services offered, the potential vulnerabilities, and

  the attack surface. Sublist3r can also be used to perform passive reconnaissance, which does not send any packets to the target domain, and thus avoids detection by the target organization.

  The other options are not as effective as option A for the following reasons:

  B. Analyzing Linkedin profiles to find employees of the target company and their job titles: This option is not relevant because it does not address the subdomain enumeration task, but the social engineering task. Linkedin is a social networking platform that allows users to create and share their professional profiles, which may include their name, job title, company, skills, education, and contacts. By analyzing Linkedin profiles, the tester may be able to find employees of the target company and their job titles, which can be useful for crafting phishing emails, impersonating employees, or exploiting human weaknesses. However, this option does not help to discover the subdomains of the target organization's website, which is the goal of this scenario.

  C. Utilizing the Harvester tool to extract email addresses related to the target domain using a search engine like Google or Bing: This option is not sufficient because it does not provide a comprehensive list of subdomains, but only a partial list based on email addresses. The Harvester is a tool that can extract email addresses, subdomains, hosts, employee names, open ports, and banners from different public sources, such as search engines, PGP key servers, and SHODAN computer database. By using the Harvester, the tester may be able to extract some email addresses related to the target domain, which can reveal some subdomains, such as mail.target.com or support.target.com. However, this option does not guarantee to find all the subdomains of the target organization's website, as some subdomains may not have any email addresses associated with them, or may not be indexed by the search engines. D. Using a people search service, such as Spokeo or Intelius, to gather information about the employees of the target organization: This option is not applicable because it does not address the subdomain enumeration task, but the personal information gathering task. Spokeo and Intelius are people search services that can provide various information about individuals, such as their name, address, phone number, email, social media, criminal records, and financial history. By using these services, the tester may be able to gather information about the employees of the target organization, which can be useful for performing background checks, identity theft, or blackmail. However, this option does not help to discover the subdomains of the target organization's website, which is the goal of this scenario. References:

  1: GitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testers

  2: Subdomain Discovery in Cybersecurity with Kali Linux | Medium

  3: LinkedIn - Wikipedia

  4: The Harvester - Kali Linux Tools

  5: Spokeo - Wikipedia

  6: Intelius - Wikipedia

• Question 133:

  During a black-box pen test, you attempt to pass IRC traffic over port 80/TCP from a compromised web enabled host. The traffic gets blocked; however, outbound HTTP traffic is unimpeded. What type of firewall is inspecting outbound traffic?

  A. Circuit
  B. Stateful
  C. Application
  D. Packet Filtering
  C. Application

  ---

  Explanation/Reference:

  https://en.wikipedia.org/wiki/Internet_Relay_Chat Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in text. The chat process works on a client/server networking model. IRC clients are computer programs that users can install on their system or web-based applications running either locally in the browser or on a third-party server. These clients communicate with chat servers to transfer messages to other clients. IRC is a plaintext protocol that is officially assigned port 194, according to IANA. However, running the service on this port requires running it with root-level permissions, which is inadvisable. As a result, the well-known port for IRC is 6667, a high-number port that does not require elevated privileges. However, an IRC server can also be configured to run on other ports as well. You can't tell if an IRC server is designed to be malicious solely based on port number. Still, if you see an IRC server running on port a WKP such as 80, 8080, 53, 443, it's almost always going to be malicious; the only real reason for IRCD to be running on port 80 is to try to evade firewalls. https://en.wikipedia.org/wiki/Application_firewall An application firewall is a form of firewall that controls input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The application firewall can control communications up to the OSI model's application layer, which is the highest operating layer, and where it gets its name. The two primary categories of application firewalls are network-based and host-based. Application layer filtering operates at a higher level than traditional security appliances. This allows packet decisions to be made based on more than just source/ destination IP Addresses or ports. It can also use information spanning across multiple connections for any given host.

  Network-based application firewalls Network-based application firewalls operate at the application layer of a TCP/IP stack. They can understand certain applications and protocols such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP). This allows it to identify unwanted applications or services using a non-standard port or detect if an allowed protocol is being abused.

  Host-based application firewalls A host-based application firewall monitors application system calls or other general system communication. This gives more granularity and control but is limited to only protecting the host it is running on. Control is applied by filtering on a per-process basis. Generally, prompts are used to define rules for processes that have not yet received a connection. Further filtering can be done by examining the process ID of the owner of the data packets. Many host-based application firewalls are combined or used in conjunction with a packet filter.

• Question 134:

  What is the purpose of DNS AAAA record?

  A. Authorization, Authentication and Auditing record
  B. Address prefix record
  C. Address database record
  D. IPv6 address resolution record
  D. IPv6 address resolution record

• Question 135:

  Which of the following antennas is commonly used in communications for a frequency band of 10 MHz to VHF and UHF?

  A. Yagi antenna
  B. Dipole antenna
  C. Parabolic grid antenna
  D. Omnidirectional antenna
  A. Yagi antenna

• Question 136:

  During an attempt to perform an SQL injection attack, a certified ethical hacker is focusing on the identification of database engine type by generating an ODBC error. The ethical hacker, after injecting various payloads, finds that the web application returns a standard, generic error message that does not reveal any detailed database information. Which of the following techniques would the hacker consider next to obtain useful information about the underlying database?

  A. Use the UNION operator to combine the result sets of two or more SELECT statements
  B. Attempt to compromise the system through OS-level command shell execution
  C. Try to insert a string value where a number is expected in the input field
  D. Utilize a blind injection technique that uses time delays or error signatures to extract information
  D. Utilize a blind injection technique that uses time delays or error signatures to extract information

  ---

  Explanation/Reference:

  The technique that the hacker would consider next to obtain useful information about the underlying database is to utilize a blind injection technique that uses time delays or error signatures to extract information. A blind injection technique is a type of SQL injection technique that is used when the web application does not return any detailed error messages or data from the database, but only indicates whether the query was executed successfully or not. A blind injection technique relies on sending specially crafted SQL queries that cause a noticeable change in the behavior or response of the web application, such as a time delay or an error signature, which can then be used to infer information about the database. For example, the hacker could use the following methods: Time-based blind injection: This method involves injecting a SQL query that contains a time delay function, such as SLEEP() or WAITFOR DELAY, which pauses the execution of the query for a specified amount of time. The hacker can then measure the time difference between the normal and the delayed responses, and use it to determine whether the injected query was true or false. By using this method, the hacker can perform a binary search to guess the values of the data in the database, one bit at a time. Error-based blind injection: This method involves injecting a SQL query that contains a deliberate error, such as a division by zero, a type mismatch, or an invalid conversion, which causes the database to generate an error message. The hacker can then analyze the error message, which may contain useful information about the database, such as the version, the name, the structure, or the data. By using this method, the hacker can exploit the error handling mechanism of the database to extract information. The other options are not as suitable as option D for the following reasons:

  A. Use the UNION operator to combine the result sets of two or more SELECT statements: This option is not feasible because it requires the web application to return data from the database, which is not the case in this scenario. The UNION operator is a SQL operator that allows the hacker to append the results of another SELECT statement to the original query, and display them as part of the web page. This way, the hacker can retrieve data from other tables or columns that are not intended to be shown by the web application. However, this option does not work when the web application does not return any data or error messages from the database, as in this scenario.

  B. Attempt to compromise the system through OS-level command shell execution:

  This option is not relevant because it is not a SQL injection technique, but a post- exploitation technique. OS-level command shell execution is a method of gaining access to the underlying operating system of the web server, by injecting a

  SQL query that contains a system command, such as xp_cmdshell, exec, or shell_exec, which executes the command on the server. This way, the hacker can perform various actions on the server, such as uploading files, downloading files,

  or running programs. However, this option does not help to obtain information about the database, which is the goal of this scenario. C. Try to insert a string value where a number is expected in the input field: This option is not effective

  because it is a basic SQL injection technique that is used to detect SQL injection vulnerabilities, not to exploit them. Inserting a string value where a number is expected in the input field is a method of triggering a syntax error in the SQL

  query, which may reveal the structure or the content of the query in the error message. This way, the hacker can identify the vulnerable parameters and the type of the database. However, this option does not work when the web application

  does not return any detailed error messages from the database, as in this scenario.

  References:

  1: Blind SQL Injection - OWASP Foundation

  2: Blind SQL Injection - an overview | ScienceDirect Topics

  3: SQL Injection Union Attacks - OWASP Foundation

  4: OS Command Injection - OWASP Foundation

  5: SQL Injection - OWASP Foundation

• Question 137:

  Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

  A. ESP transport mode
  B. ESP confidential
  C. AH permiscuous
  D. AH Tunnel mode
  A. ESP transport mode

• Question 138:

  Joe works as an IT administrator in an organization and has recently set up a cloud computing service for the organization. To implement this service, he reached out to a telecom company for providing Internet connectivity and transport services between the organization and the cloud service provider, in the NIST cloud deployment reference architecture, under which category does the telecom company fall in the above scenario?

  A. Cloud booker
  B. Cloud consumer
  C. Cloud carrier
  D. Cloud auditor
  C. Cloud carrier

  ---

  Explanation/Reference:

  A cloud carrier acts as an intermediary that provides connectivity and transport of cloud services between cloud consumers and cloud providers. Cloud carriers provide access to consumers through network, telecommunication and other access devices. for instance, cloud consumers will obtain cloud services through network access devices, like computers, laptops, mobile phones, mobile web devices (MIDs), etc. The distribution of cloud services is often provided by network and telecommunication carriers or a transport agent, wherever a transport agent refers to a business organization that provides physical transport of storage media like high-capacity hard drives. Note that a cloud provider can started SLAs with a cloud carrier to provide services consistent with the level of SLAs offered to cloud consumers, and will require the cloud carrier to provide dedicated and secure connections between cloud consumers and cloud providers.

• Question 139:

  If executives are found liable for not properly protecting their company's assets and information systems, what type of law would apply in this situation?

  A. Criminal
  B. International
  C. Common
  D. Civil
  D. Civil

• Question 140:

  DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on switchers leverages the DHCP snooping database to help prevent man- in-the-middle attacks?

  A. Spanning tree
  B. Dynamic ARP Inspection (DAI)
  C. Port security
  D. Layer 2 Attack Prevention Protocol (LAPP)
  B. Dynamic ARP Inspection (DAI)

  ---

  Explanation/Reference:

  Dynamic ARP inspection (DAI) protects switching devices against Address Resolution Protocol (ARP) packet spoofing (also known as ARP poisoning or ARP cache poisoning). DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP spoofing. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the switch compares the address with entries in the database. If the media access control (MAC) address or IP address in the ARP packet does not match a valid entry in the DHCP snooping database, the packet is dropped.