EC-COUNCIL 312-50V12 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V12 Online Questions & Answers

• Question 231:

  In the context of Windows Security, what is a 'null' user?

  A. A user that has no skills
  B. An account that has been suspended by the admin
  C. A pseudo account that has no username and password
  D. A pseudo account that was created for security administration purpose
  C. A pseudo account that has no username and password

• Question 232:

  Which of the following describes the characteristics of a Boot Sector Virus?

  A. Modifies directory table entries so that directory entries point to the virus code instead of the actual program.
  B. Moves the MBR to another location on the RAM and copies itself to the original location of the MBR.
  C. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.
  D. Overwrites the original MBR and only executes the new virus code.
  C. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR.

• Question 233:

  Tony wants to integrate a 128-bit symmetric block cipher with key sizes of 128,192, or 256 bits into a software program, which involves 32 rounds of computational operations that include substitution and permutation operations on four 32-bit word blocks using 8-variable S-boxes with 4-bit entry and 4-bit exit. Which of the following algorithms includes all the above features and can be integrated by Tony into the software program?

  A. TEA
  B. CAST-128
  C. RC5
  D. serpent
  D. serpent

• Question 234:

  Sam, a web developer, was instructed to incorporate a hybrid encryption software program into a web application to secure email messages. Sam used an encryption software, which is a free implementation of the OpenPGP standard that uses both symmetric-key cryptography and asymmetric-key cryptography for improved speed and secure key exchange. What is the encryption software employed by Sam for securing the email messages?

  A. PGP
  B. S/MIME
  C. SMTP
  D. GPG
  A. PGP

• Question 235:

  A penetration tester was assigned to scan a large network range to find live hosts. The network is known for using strict TCP filtering rules on its firewall, which may obstruct common host discovery techniques. The tester needs a method that can bypass these firewall restrictions and accurately identify live systems. What host discovery technique should the tester use?

  A. UDP Ping Scan
  B. lCMP ECHO Ping Scan
  C. ICMP Timestamp Ping Scan
  D. TCP SYN Ping Scan
  D. TCP SYN Ping Scan

  ---

  Explanation/Reference:

  The host discovery technique that the tester should use is TCP SYN Ping Scan. This technique sends a TCP SYN packet to a specified port on the target host and waits for a response. If the host responds with a TCP SYN/ACK packet, it means the host is alive and the port is open. If the host responds with a TCP RST packet, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead or filtered by a firewall. TCP SYN Ping Scan can bypass firewall restrictions because it mimics the initial stage of a TCP three-way handshake, which is a common and legitimate network activity. Therefore, most firewalls will allow TCP SYN packets to pass through and reach the target host, unless they are configured to block specific ports or IP addresses. TCP SYN Ping Scan can also accurately identify live systems because it does not rely on ICMP, which may be blocked or rate-limited by some firewalls or routers. The other options are not as effective or feasible as TCP SYN Ping Scan for the following reasons:

  A. UDP Ping Scan: This technique sends a UDP packet to a specified port on the target host and waits for a response. If the host responds with an ICMP Port Unreachable message, it means the host is alive but the port is closed. If the host does not respond at all, it means the host is either dead, the port is open, or the packet is filtered by a firewall. UDP Ping Scan may not bypass firewall restrictions because some firewalls may block or drop UDP packets, especially if they are sent to uncommon or reserved ports. UDP Ping Scan may also not accurately identify live systems because it cannot distinguish between open ports and filtered packets, and it may generate false positives or negatives due to packet loss or rate-limiting.

  B. ICMP ECHO Ping Scan: This technique sends an ICMP ECHO Request packet to the target host and waits for an ICMP ECHO Reply packet. If the host responds with an ICMP ECHO Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall. ICMP ECHO Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps or denial-of-service attacks. ICMP ECHO Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting. C. ICMP Timestamp Ping Scan: This technique sends an ICMP Timestamp Request packet to the target host and waits for an ICMP Timestamp Reply packet. If the host responds with an ICMP Timestamp Reply packet, it means the host is alive. If the host does not respond at all, it means the host is either dead or filtered by a firewall. ICMP Timestamp Ping Scan may not bypass firewall restrictions because some firewalls may block or drop ICMP packets, especially if they are sent to prevent ping sweeps or denial-of-service attacks. ICMP Timestamp Ping Scan may also not accurately identify live systems because it may generate false positives or negatives due to packet loss or rate-limiting. References:

  1: Host Discovery in Nmap Network Scanning - GeeksforGeeks

  2: nmap Host Discovery Techniques

  3: TCP SYN Ping Scan - Nmap : Ping Sweep - an overview | ScienceDirect Topics : UDP Ping Scan - Nmap : UDP Ping Scan - an overview | ScienceDirect Topics : ICMP Ping Scan - Nmap : ICMP Ping Scan - an overview | ScienceDirect Topics

• Question 236:

  Study the snort rule given below and interpret the rule.

  alert tcp any any --> 192.168.1.0/24 (content:"|00 01 86 a5|"; msG. "mountd access";)

  A. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111
  B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet
  C. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet
  D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111
  D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111

• Question 237:

  What is the first step for a hacker conducting a DNS cache poisoning (DNS spoofing) attack against an organization?

  A. The attacker queries a nameserver using the DNS resolver.
  B. The attacker makes a request to the DNS resolver.
  C. The attacker forges a reply from the DNS resolver.
  D. The attacker uses TCP to poison the ONS resofver.
  B. The attacker makes a request to the DNS resolver.

  ---

  Explanation/Reference:

  https://ru.wikipedia.org/wiki/DNS_spoofing DNS spoofing is a threat that copies the legitimate server destinations to divert the domain's traffic. Ignorant these attacks, the users are redirected to malicious websites, which results in insensitive and personal data being leaked. It is a method of attack where your DNS server is tricked into saving a fake DNS entry. This will make the DNS server recall a fake site for you, thereby posing a threat to vital information stored on your server or computer. The cache poisoning codes are often found in URLs sent through spam emails. These emails are sent to prompt users to click on the URL, which infects their computer. When the computer is poisoned, it will divert you to a fake IP address that looks like a real thing. This way, the threats are injected into your systems as well. Different Stages of Attack of DNS Cache Poisoning:

  -

  The attacker proceeds to send DNS queries to the DNS resolver, which forwards the Root/TLD authoritative DNS server request and awaits an answer.

  -

  The attacker overloads the DNS with poisoned responses that contain several IP addresses of the malicious website. To be accepted by the DNS resolver, the attacker's response should match a port number and the query ID field before the DNS response. Also, the attackers can force its response to increasing their chance of success.

  -

  If you are a legitimate user who queries this DNS resolver, you will get a poisoned response from the cache, and you will be automatically redirected to the malicious website.

• Question 238:

  Ricardo has discovered the username for an application in his targets environment. As he has a limited amount of time, he decides to attempt to use a list of common passwords he found on the Internet. He compiles them into a list and then feeds that list as an argument into his password-cracking application, what type of attack is Ricardo performing?

  A. Known plaintext
  B. Password spraying
  C. Brute force
  D. Dictionary
  D. Dictionary

  ---

  Explanation/Reference:

  A dictionary Attack as an attack vector utilized by the attacker to break in a very system, that is password protected, by golf shot technically each word in a very dictionary as a variety of password for that system. This attack vector could be a

  variety of Brute Force Attack.

  The lexicon will contain words from an English dictionary and conjointly some leaked list of commonly used passwords and once combined with common character substitution with numbers, will generally be terribly effective and quick.

  How is it done?

  Basically, it's attempting each single word that's already ready. it's done victimization machine-controlled tools that strive all the possible words within the dictionary.

  Some password Cracking Software:

  1.

  John the ripper

  2.

  L0phtCrack

  3.

  Aircrack-ng

• Question 239:

  James is working as an ethical hacker at Technix Solutions. The management ordered James to discover how vulnerable its network is towards footprinting attacks. James took the help of an open-source framework for performing automated reconnaissance activities. This framework helped James in gathering information using free tools and resources. What is the framework used by James to conduct footprinting and reconnaissance activities?

  A. WebSploit Framework
  B. Browser Exploitation Framework
  C. OSINT framework
  D. SpeedPhish Framework
  C. OSINT framework

• Question 240:

  What is the purpose of a demilitarized zone on a network?

  A. To scan all traffic coming through the DMZ to the internal network
  B. To only provide direct access to the nodes within the DMZ and protect the network behind it
  C. To provide a place to put the honeypot
  D. To contain the network devices you wish to protect
  B. To only provide direct access to the nodes within the DMZ and protect the network behind it