EC-COUNCIL 312-50V12 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V12 Online Questions & Answers

• Question 161:

  You are a penetration tester working to test the user awareness of the employees of the client xyz. You harvested two employees' emails from some public sources and are creating a client-side backdoor to send it to the employees via email. Which stage of the cyber kill chain are you at?

  A. Reconnaissance
  B. Command and control
  C. Weaponization
  D. Exploitation
  C. Weaponization

  ---

  Explanation/Reference:

  Weaponization The adversary analyzes the data collected in the previous stage to identify the vulnerabilities and techniques that can exploit and gain unauthorized access to the target organization. Based on the vulnerabilities identified during analysis, the adversary selects or creates a tailored deliverable malicious payload (remote-access malware weapon) using an exploit and a backdoor to send it to the victim. An adversary may target specific network devices, operating systems, endpoint devices, or even individuals within the organization to carry out their attack. For example, the adversary may send a phishing email to an employee of the target organization, which may include a malicious attachment such as a virus or worm that, when downloaded, installs a backdoor on the system that allows remote access to the adversary. The following are the activities of the adversary: o Identifying appropriate malware payload based on the analysis o Creating a new malware payload or selecting, reusing, modifying the available malware payloads based on the identified vulnerability Creating a phishing email campaign o Leveraging exploit kits and botnets

  https://en.wikipedia.org/wiki/Kill_chain

  The Cyber Kill Chain consists of 7 steps: Reconnaissance, weaponization, delivery, exploitation, installation, command and control, and finally, actions on objectives. Below you can find detailed information on each.

  1.

  Reconnaissance: In this step, the attacker/intruder chooses their target. Then they conduct in-depth research on this target to identify its vulnerabilities that can be exploited.

  2.

  Weaponization: In this step, the intruder creates a malware weapon like a virus, worm, or such to exploit the target's vulnerabilities. Depending on the target and the purpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as the zero-day exploits) or focus on a combination of different vulnerabilities.

  3.

  Delivery: This step involves transmitting the weapon to the target. The intruder/attacker can employ different USB drives, e-mail attachments, and websites for this purpose.

  4.

  Exploitation: In this step, the malware starts the action. The program code of the malware is triggered to exploit the target's vulnerability/vulnerabilities.

  5.

  Installation: In this step, the malware installs an access point for the intruder/attacker. This access point is also known as the backdoor.

  6.

  Command and Control: The malware gives the intruder/attacker access to the network/system.

  7.

  Actions on Objective: Once the attacker/intruder gains persistent access, they finally take action to fulfill their purposes, such as encryption for ransom, data exfiltration, or even data destruction.

• Question 162:

  A security analyst is investigating a potential network-level session hijacking incident. During the investigation, the analyst finds that the attacker has been using a technique in which they injected an authentic-looking reset packet using a spoofed source IP address and a guessed acknowledgment number. As a result, the victim's connection was reset. Which of the following hijacking techniques has the attacker most likely used?

  A. TCP/IP hijacking
  B. UDP hijacking
  C. RST hijacking
  D. Blind hijacking
  C. RST hijacking

  ---

  Explanation/Reference:

  The attacker has most likely used RST hijacking, which is a type of network- level session hijacking technique that exploits the TCP reset (RST) mechanism. TCP reset is a way of terminating an established TCP connection by sending a packet with the RST flag set, indicating that the sender does not want to continue the communication. RST hijacking involves sending a forged RST packet to one or both ends of a TCP connection, using a spoofed source IP address and a guessed acknowledgment number, to trick them into believing that the other end has closed the connection. As a result, the victim's connection is reset and the attacker can take over the session or launch a denial-of-service attack. The other options are not correct for the following reasons:

  A. TCP/IP hijacking: This option is a general term that refers to any type of network-level session hijacking technique that targets TCP/IP connections. RST hijacking is a specific type of TCP/IP hijacking, but not the only one. Other types of TCP/IP hijacking include SYN hijacking, source routing, and sequence prediction3. B. UDP hijacking: This option is not applicable because UDP is a connectionless protocol that does not use TCP reset mechanism. UDP hijacking is a type of network-level session hijacking technique that targets UDP connections, such as DNS or VoIP. UDP hijacking involves intercepting and modifying UDP packets to redirect or manipulate the communication between the sender and the receiver. D. Blind hijacking: This option is not accurate because blind hijacking is a type of network-level session hijacking technique that does not require injecting RST packets. Blind hijacking involves guessing the sequence and acknowledgment numbers of a TCP connection without being able to see the responses from the target. Blind hijacking can be used to inject malicious data or commands into an active TCP session, but not to reset the connection. References:

  1: RST Hijacking - an overview | ScienceDirect Topics

  2: TCP Reset Attack - an overview | ScienceDirect Topics

  3: TCP/IP Hijacking - an overview | ScienceDirect Topics

  4: UDP Hijacking - an overview | ScienceDirect Topics

  5: Blind Hijacking - an overview | ScienceDirect Topics

• Question 163:

  An attacker has installed a RAT on a host. The attacker wants to ensure that when a user attempts to go to "www.MyPersonalBank.com", the user is directed to a phishing site. Which file does the attacker need to modify?

  A. Boot.ini
  B. Sudoers
  C. Networks
  D. Hosts
  D. Hosts

• Question 164:

  An organization has been experiencing intrusion attempts despite deploying an Intrusion Detection System (IDS) and Firewalls. As a Certified Ethical Hacker, you are asked to reinforce the intrusion detection process and recommend a better rule-based approach. The IDS uses Snort rules and the new recommended tool should be able to complement it. You suggest using YARA rules with an additional tool for rule generation. Which of the following tools would be the best choice for this purpose and why?

  A. AutoYara - Because it automates the generation of YARA rules from a set of malicious and benign files
  B. yarGen - Because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files
  C. YaraRET - Because it helps in reverse engineering Trojans to generate YARA rules
  D. koodous - Because it combines social networking with antivirus signatures and YARA rules to detect malware
  B. yarGen - Because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files

  ---

  Explanation/Reference:

  YARA rules are a powerful way to detect and classify malware based on patterns, signatures, and behaviors. They can be used to complement Snort rules, which are mainly focused on network traffic analysis. However, writing YARA rules manually can be time-consuming and error-prone, especially when dealing with large and diverse malware samples. Therefore, using a tool that can automate or assist the generation of YARA rules can be very helpful for ethical hackers. Among the four options, yarGen is the best choice for this purpose, because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files. This way, yarGen can reduce the false positives and increase the accuracy of the YARA rules. yarGen also supports various features, such as whitelisting, scoring, wildcards, and regular expressions, to improve the quality and efficiency of the YARA rules. The other options are not as suitable as yarGen for this purpose. AutoYara is a tool that automates the generation of YARA rules from a set of malicious and benign files, but it does not perform any filtering or optimization of the strings, which may result in noisy and ineffective YARA rules. YaraRET is a tool that helps in reverse engineering Trojans to generate YARA rules, but it is limited to a specific type of malware and requires manual intervention and analysis. koodous is a platform that combines social networking with antivirus signatures and YARA rules to detect malware, but it is not a tool for generating YARA rules, rather it is a tool for sharing and collaborating on YARA rules. References: yarGen - A Tool to Generate YARA Rules YARA Rules: The Basics Why master YARA: from routine to extreme threat hunting cases

• Question 165:

  What does the following command in netcat do? nc -l -u -p55555 < /etc/passwd

  A. logs the incoming connections to /etc/passwd file
  B. loads the /etc/passwd file to the UDP port 55555
  C. grabs the /etc/passwd file when connected to UDP port 55555
  D. deletes the /etc/passwd file when connected to the UDP port 55555
  C. grabs the /etc/passwd file when connected to UDP port 55555

• Question 166:

  Which of the following Google advanced search operators helps an attacker in gathering information about websites that are similar to a specified target URL?

  A. [inurl:]
  B. [related:]
  C. [info:]
  D. [site:]
  B. [related:]

  ---

  Explanation/Reference:

  related:This operator displays websites that are similar or related to the URL specified.

• Question 167:

  An attacker changes the profile information of a particular user (victim) on the target website. The attacker uses this string to update the victim's profile to a text file and then submit the data to the attacker's database.

  < iframe src=""http://www.vulnweb.com/updateif.php"" style=""display:none"" > < /iframe >

  What is this type of attack (that can use either HTTP GET or HTTP POST) called?

  A. Browser Hacking
  B. Cross-Site Scripting
  C. SQL Injection
  D. Cross-Site Request Forgery
  D. Cross-Site Request Forgery

  ---

  Explanation/Reference:

  https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. This is done by making a logged in user in the victim platform access an attacker controlled website and from there execute malicious JS code, send forms or retrieve "images" to the victims account.

  In order to be able to abuse a CSRF vulnerability you first need to find a relevant action to abuse (change password or email, make the victim follow you on a social network, give you more privileges...). The session must rely only on cookies or HTTP Basic Authentication header, any other header can't be used to handle the session. An finally, there shouldn't be unpredictable parameters on the request.

  Several counter-measures could be in place to avoid this vulnerability. Common defenses:

  -

  SameSite cookies: If the session cookie is using this flag, you may not be able to send the cookie from arbitrary web sites.

  -

  Cross-origin resource sharing: Depending on which kind of HTTP request you need to perform to abuse the relevant action, you may take int account the CORS policy of the victim site. Note that the CORS policy won't affect if you just want to send a GET request or a POST request from a form and you don't need to read the response.

  -Ask for the password user to authorise the action.

  -Resolve a captcha

  - Read the Referrer or Origin headers. If a regex is used it could be bypassed form example with: http://mal.net?orig=http://example.com (ends with the url) http://example.com.mal.net (starts with the url)

  -Modify the name of the parameters of the Post or Get request

  - Use a CSRF token in each session. This token has to be send inside the request to confirm the action. This token could be protected with CORS.

  

• Question 168:

  Morris, an attacker, wanted to check whether the target AP is in a locked state. He attempted using different utilities to identify WPS-enabled APs in the target wireless network. Ultimately, he succeeded with one special command-line utility. Which of the following command-line utilities allowed Morris to discover the WPS-enabled APs?

  A. wash
  B. ntptrace
  C. macof
  D. net View
  A. wash

• Question 169:

  The network users are complaining because their system are slowing down. Further, every time they attempt to go a website, they receive a series of pop-ups with advertisements. What types of malware have the system been infected with?

  A. Virus
  B. Spyware
  C. Trojan
  D. Adware
  D. Adware

  ---

  Explanation/Reference:

  Adware, or advertising supported computer code, is computer code that displays unwanted advertisements on your pc. Adware programs can tend to serve you pop-up ads, will modification your browser's homepage, add spyware and simply

  bombard your device with advertisements. Adware may be a additional summary name for doubtless unwanted programs. It's roughly a virulent disease and it's going to not be as clearly malicious as a great deal of different problematic code

  floating around on the net. create no mistake concerning it, though, that adware has to return off of no matter machine it's on. Not solely will adware be extremely annoying whenever you utilize your machine, it might additionally cause

  semipermanent problems for your device.

  Adware a network users the browser to gather your internet browsing history so as to 'target' advertisements that appear tailored to your interests. At their most innocuous, adware infections square measure simply annoying. as an example,

  adware barrages you with pop-up ads that may create your net expertise markedly slower and additional labor intensive.

• Question 170:

  You are logged in as a local admin on a Windows 7 system and you need to launch the Computer Management Console from command line. Which command would you use?

  A. c:\compmgmt.msc
  B. c:\services.msc
  C. c:\ncpa.cp
  D. c:\gpedit
  A. c:\compmgmt.msc

  ---

  Explanation/Reference:

  To start the Computer Management Console from command line just type compmgmt.msc /computer:computername in your run box or at the command line and it should automatically open the Computer Management console.

  References: http://www.waynezim.com/tag/compmgmtmsc/