EC-COUNCIL 312-50V12 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V12 Online Questions & Answers

• Question 501:

  Ethical hacker Jane Doe is attempting to crack the password of the head of the IT department at ABC Company. She is utilizing a rainbow table and notices that, upon entering a password, extra characters are added to the password after submission. What countermeasure is the company using to protect against rainbow tables?

  A. Password key hashing
  B. Password salting
  C. Password hashing
  D. Account lockout
  B. Password salting

  ---

  Explanation/Reference:

  Passwords are usually delineated as "hashed and salted". salting is simply the addition of a unique, random string of characters renowned solely to the site to every parole before it's hashed, typically this "salt" is placed in front of each password. The salt value needs to be hold on by the site, which means typically sites use the same salt for each parole. This makes it less effective than if individual salts are used. The use of unique salts means that common passwords shared by multiple users ?like "123456" or "password" ?aren't revealed revealed when one such hashed password is known ?because despite the passwords being the same the immediately and hashed values are not. Large salts also protect against certain methods of attack on hashes, including rainbow tables or logs of hashed passwords previously broken. Both hashing and salting may be repeated more than once to increase the issue in breaking the security.

• Question 502:

  In your cybersecurity class, you are learning about common security risks associated with web servers. One topic that comes up is the risk posed by using default server settings. Why is using default settings on a web server considered a security risk, and what would be the best initial step to mitigate this risk?

  A. Default settings cause server malfunctions; simplify the settings
  B. Default settings allow unlimited login attempts; setup account lockout
  C. Default settings reveal server software type; change these settings
  D. Default settings enable auto-updates; disable and manually patch
  C. Default settings reveal server software type; change these settings

  ---

  Explanation/Reference:

  Using default settings on a web server is considered a security risk because it can reveal the server software type and version, which can help attackers identify potential vulnerabilities and launch targeted attacks. For example, if the default settings include a server signature that displays the name and version of the web server software, such as Apache 2.4.46, an attacker can search for known exploits or bugs that affect that specific software and version. Additionally, default settings may also include other insecure configurations, such as weak passwords, unnecessary services, or open ports, that can expose the web server to unauthorized access or compromise. The best initial step to mitigate this risk is to change the default settings to hide or obscure the server software type and version, as well as to disable or remove any unnecessary or insecure features. For example, to hide the server signature, one can modify the ServerTokens and ServerSignature directives in the Apache configuration file1. Alternatively, one can use a web application firewall or a reverse proxy to mask the server information from the client requests2. Changing the default settings can reduce the attack surface and make it harder for attackers to exploit the web server. References: How to Hide Apache Version Number and Other Sensitive Info How to hide server information from HTTP headers? - Stack Overflow

• Question 503:

  A penetration tester is performing the footprinting process and is reviewing publicly available information about an organization by using the Google search engine. Which of the following advanced operators would allow the pen tester to restrict the search to the organization's web domain?

  A. [allinurl:]
  B. [location:]
  C. [site:]
  D. [link:]
  C. [site:]

  ---

  Explanation/Reference:

  Google hacking or Google dorking https://en.wikipedia.org/wiki/Google_hacking It is a hacker technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites are using. Google dorking could also be used for OSINT.

  Search syntax https://en.wikipedia.org/wiki/Google_Search Google's search engine has its own built-in query language. The following list of queries can be run to find a list of files, find information about your competition, track people, get information about SEO backlinks, build email lists, and of course, discover web vulnerabilities.

  -[site:] - Search within a specific website

• Question 504:

  To determine if a software program properly handles a wide range of invalid input, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program. What term is commonly used when referring to this type of testing?

  A. Randomizing
  B. Bounding
  C. Mutating
  D. Fuzzing
  D. Fuzzing

• Question 505:

  While scanning with Nmap, Patin found several hosts which have the IP ID of incremental sequences. He then decided to conduct: nmap -Pn -p- -si kiosk.adobe.com www.riaa.com. kiosk.adobe.com is the host with incremental IP ID

  sequence.

  What is the purpose of using "-si" with Nmap?

  A. Conduct stealth scan
  B. Conduct ICMP scan
  C. Conduct IDLE scan
  D. Conduct silent scan
  C. Conduct IDLE scan

  ---

  Explanation/Reference:

  Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest. Example 5.19 shows an example of Ereet scanning the Recording Industry Association of America by bouncing an idle scan off an Adobe machine named Kiosk.

  Example 5.19. An idle scan against the RIAA

  # nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com

  Starting Nmap ( http://nmap.org ) Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental Nmap scan report for 208.225.90.120 (The 65522 ports scanned but not shown below are in state: closed) Port State Service 21/tcp open ftp 25/tcp open smtp 80/tcp open http 111/tcp open sunrpc 135/tcp open loc-srv 443/tcp open https 1027/tcp open IIS 1030/tcp open iad1 2306/tcp open unknown 5631/tcp open pcanywheredata 7937/tcp open unknown 7938/tcp open unknown 36890/tcp open unknown

  Nmap done: 1 IP address (1 host up) scanned in 2594.47 seconds

  https://nmap.org/book/idlescan.html

• Question 506:

  An ethical hacker is testing a web application of a financial firm. During the test, a 'Contact Us' form's input field is found to lack proper user input validation, indicating a potential Cross-Site Scripting (XSS) vulnerability. However, the application has a stringent Content Security Policy (CSP) disallowing inline scripts and scripts from external domains but permitting scripts from its own domain. What would be the hacker's next step to confirm the XSS vulnerability?

  A. Try to disable the CSP to bypass script restrictions
  B. Inject a benign script inline to the form to see if it executes
  C. Utilize a script hosted on the application's domain to test the form
  D. Load a script from an external domain to test the vulnerability
  C. Utilize a script hosted on the application's domain to test the form

  ---

  Explanation/Reference:

  The hacker's next step to confirm the XSS vulnerability would be to utilize a script hosted on the application's domain to test the form. This is because the application's CSP allows scripts from its own domain, but not from inline or external

  sources. Therefore, the hacker can try to inject a payload that references a script file on the same domain as the application, such as:

  where script.js contains some benign code, such as alert('XSS') or print('XSS'). If the script executes in the browser, then the hacker has confirmed the XSS vulnerability. Otherwise, the CSP has blocked the script and prevented the XSS

  attack. The other options are not feasible or effective for the following reasons:

  A. Try to disable the CSP to bypass script restrictions: This option is not feasible because the hacker cannot disable the CSP on the server side, and the browser enforces the CSP on the client side. The hacker would need to modify the

  browser settings or use a browser extension to disable the CSP, but this would not affect the victim's browser or the application's security. B. Inject a benign script inline to the form to see if it executes: This option is not effective because the

  application's CSP disallows inline scripts, meaning scripts that are embedded in the HTML code. Therefore, the hacker would not be able to inject a script tag or an event handler attribute that contains some code, such as:

  or The CSP would block these scripts and prevent the XSS attack. D. Load a script from an external domain to test the vulnerability: This option is not effective because

  the application's CSP disallows scripts from external domains, meaning scripts that are loaded from a different domain than the application. Therefore, the hacker would not be able to inject a script tag that references a script file on another

  domain, such as:

  The CSP would block these scripts and prevent the XSS attack.

  References:

  1: Content Security Policy (CSP) - HTTP | MDN

  2: What is Content Security Policy (CSP) | Header Examples | Imperva

  3: Content-Security-Policy (CSP) Header Quick Reference

  4: What is cross-site scripting (XSS)? - PortSwigger

  5: Cross Site Scripting (XSS) | OWASP Foundation

  6: The Impact of Cross-Site Scripting Vulnerabilities and their Prevention

  7: XSS Vulnerability 101: Identify and Stop Cross-Site Scripting

• Question 507:

  The following is an entry captured by a network IDS. You are assigned the task of analyzing this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that the attacker is attempting a buffer overflow attack.

  You also notice "/bin/sh" in the ASCII part of the output.

  As an analyst what would you conclude about the attack?

  

  A. The buffer overflow attack has been neutralized by the IDS
  B. The attacker is creating a directory on the compromised machine
  C. The attacker is attempting a buffer overflow attack and has succeeded
  D. The attacker is attempting an exploit that launches a command-line shell
  D. The attacker is attempting an exploit that launches a command-line shell

• Question 508:

  A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to

  disallow users from entering HTML as input into their Web application.

  What kind of Web application vulnerability likely exists in their software?

  A. Cross-site scripting vulnerability
  B. SQL injection vulnerability
  C. Web site defacement vulnerability
  D. Gross-site Request Forgery vulnerability
  A. Cross-site scripting vulnerability

  ---

  Explanation/Reference:

  There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS flaws: non- persistent and persistent. In this issue, we consider the non-persistent cross-site scripting vulnerability. The non-persistent (or reflected) cross-site scripting vulnerability is by far the most basic type of web vulnerability. These holes show up when the data provided by a web client, most commonly in HTTP query parameters (e.g. HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the content. Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding, may lead to markup injection. A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue.

• Question 509:

  If you send a TCP ACK segment to a known closed port on a firewall, but it does not respond with an RST, what do you know about the firewall you are scanning?

  A. There is no firewall in place.
  B. This event does not tell you encrypting about the firewall.
  C. It is a stateful firewall
  D. It Is a non-stateful firewall.
  B. This event does not tell you encrypting about the firewall.

• Question 510:

  Given the complexities of an organization's network infrastructure, a threat actor has exploited an unidentified vulnerability, leading to a major data breach. As a Certified Ethical Hacker (CEH), you are tasked with enhancing the organization's security stance. To ensure a comprehensive security defense, you recommend a certain security strategy. Which of the following best represents the strategy you would likely suggest and why?

  A. Develop an in-depth Risk Management process, involving identification, assessment, treatment, tracking, and review of risks to control the potential effects on the organization.
  B. Establish a Defense-in-Depth strategy, incorporating multiple layers of security measures to increase the complexity and decrease the likelihood of a successful attack.
  C. Adopt a Continual/Adaptive Security Strategy involving ongoing prediction, prevention, detection, and response actions to ensure comprehensive computer network defense.
  D. Implement an Information Assurance (IA) policy focusing on ensuring the integrity, availability, confidentiality, and authenticity of information systems.
  C. Adopt a Continual/Adaptive Security Strategy involving ongoing prediction, prevention, detection, and response actions to ensure comprehensive computer network defense.

  ---

  Explanation/Reference:

  The security strategy that you would likely suggest is to adopt a Continual/Adaptive Security Strategy involving ongoing prediction, prevention, detection, and response actions to ensure comprehensive computer network defense. This strategy is based on the concept of continuous monitoring and improvement of the security posture of an organization, using a feedback loop that integrates various security activities and technologies. A Continual/Adaptive Security Strategy aims to proactively identify and mitigate emerging threats, vulnerabilities, and risks, as well as to respond effectively and efficiently to security incidents and breaches. A Continual/Adaptive Security Strategy can help enhance the organization's security stance by providing the following benefits12: It can reduce the attack surface and the exposure time of the organization's network infrastructure, by applying timely patches, updates, and configurations, as well as by implementing security controls and policies. It can increase the visibility and awareness of the organization's network activity and behavior, by collecting, analyzing, and correlating data from various sources, such as logs, sensors, alerts, and reports. It can improve the detection and prevention capabilities of the organization, by using advanced tools and techniques, such as artificial intelligence, machine learning, threat intelligence, and behavioral analytics, to identify and block malicious or anomalous patterns and indicators. It can enhance the response and recovery processes of the organization, by using automated and orchestrated actions, such as isolation, quarantine, remediation, and restoration, to contain and resolve security incidents and breaches, as well as by conducting lessons learned and root cause analysis to prevent recurrence. The other options are not as appropriate as option C for the following reasons:

  A. Develop an in-depth Risk Management process, involving identification, assessment, treatment, tracking, and review of risks to control the potential effects on the organization: This option is not sufficient because risk management is only one aspect of a comprehensive security strategy, and it does not address the dynamic and evolving nature of cyber threats and vulnerabilities. Risk management is a process of identifying, analyzing, evaluating, and treating the risks that may affect the organization's objectives and operations, as well as monitoring and reviewing the effectiveness of the risk treatment measures3. Risk management can help the organization prioritize and allocate resources for security, but it cannot guarantee the prevention or detection of security incidents and breaches, nor the response and recovery from them. B. Establish a Defense-in-Depth strategy, incorporating multiple layers of security measures to increase the complexity and decrease the likelihood of a successful attack: This option is not optimal because defense-in-depth is a traditional and static approach to security, and it may not be able to cope with the sophisticated and persistent attacks that exploit unknown or zero-day vulnerabilities. Defense-in- depth is a strategy of implementing multiple and diverse security controls and mechanisms at different layers of the organization's network infrastructure, such as perimeter, network, endpoint, application, and data, to provide redundancy and resilience against attacks4. Defense-in-depth can help the organization protect its assets and systems from unauthorized access or damage, but it cannot ensure the timely detection and response to security incidents and breaches, nor the continuous improvement of the security posture.

  D. Implement an Information Assurance (IA) policy focusing on ensuring the integrity, availability, confidentiality, and authenticity of information systems: This option is not comprehensive because information assurance is a subset of cybersecurity, and it does not cover all the aspects of a holistic security strategy. Information assurance is a discipline of managing the risks associated with the use, processing, storage, and transmission of information and data, and ensuring the protection of the information and data from unauthorized access, use, disclosure, modification, or destruction5. Information assurance can help the organization safeguard its information and data from compromise or loss, but it does not address the prevention, detection, and response to security incidents and breaches, nor the adaptation and innovation of the security technologies and processes. References:

  1: Continual/Adaptive Security Strategy - an overview | ScienceDirect Topics

  2: Continual Adaptive Security: A New Approach to Cybersecurity | SecurityWeek.Com

  3: Risk Management - an overview | ScienceDirect Topics

  4: Defense in Depth - an overview | ScienceDirect Topics

  5: Information Assurance - an overview | ScienceDirect Topics