EC-COUNCIL 312-50V12 Online Practice Questions and Exam Preparation

EC-COUNCIL 312-50V12 Online Questions & Answers

• Question 511:

  Which Intrusion Detection System is the best applicable for large environments where critical assets on the network need extra scrutiny and is ideal for observing sensitive network segments?

  A. Honeypots
  B. Firewalls
  C. Network-based intrusion detection system (NIDS)
  D. Host-based intrusion detection system (HIDS)
  C. Network-based intrusion detection system (NIDS)

• Question 512:

  A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway they are both on the 192.168.1.0/24. Which of the following has occurred?

  A. The computer is not using a private IP address.
  B. The gateway is not routing to a public IP address.
  C. The gateway and the computer are not on the same network.
  D. The computer is using an invalid IP address.
  B. The gateway is not routing to a public IP address.

  ---

  Explanation/Reference:

  https://en.wikipedia.org/wiki/Private_network In IP networking, a private network is a computer network that uses private IP address space. Both the IPv4 and the IPv6 specifications define private IP address ranges. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments. Private network addresses are not allocated to any specific organization. Anyone may use these addresses without approval from regional or local Internet registries. Private IP address spaces were originally defined to assist in delaying IPv4 address exhaustion. IP packets originating from or addressed to a private IP address cannot be routed through the public Internet. The Internet Engineering Task Force (IETF) has directed the Internet Assigned Numbers Authority (IANA) to reserve the following IPv4 address ranges for private networks:

  1.

  10.0.0.0 ?10.255.255.255

  2.

  172.16.0.0 ?172.31.255.255

  3.

  192.168.0.0 ?192.168.255.255

  Backbone routers do not allow packets from or to internal IP addresses. That is, intranet machines, if no measures are taken, are isolated from the Internet. However, several technologies allow such machines to connect to the Internet.

  1.

  Mediation servers like IRC, Usenet, SMTP and Proxy server

  2.

  Network address translation (NAT)

  3.

  Tunneling protocol

  NOTE: So, the problem is just one of these technologies.

• Question 513:

  Session splicing is an IDS evasion technique in which an attacker delivers data in multiple, small sized packets to the target computer, making it very difficult for an IDS to detect the attack signatures. Which tool can be used to perform session splicing attacks?

  A. tcpsplice
  B. Burp
  C. Hydra
  D. Whisker
  D. Whisker

  ---

  Explanation/Reference:

  Many IDS reassemble communication streams; hence, if a packet is not received within a reasonable period, many IDS stop reassembling and handling that stream. If the application under attack keeps a session active for a longer time than that spent by the IDS on reassembling it, the IDS will stop. As a result, any session after the IDS stops reassembling the sessions will be susceptible to malicious data theft by attackers. The IDS will not log any attack attempt after a successful splicing attack. Attackers can use tools such as Nessus for session splicing attacks.? Did you know that the EC-Council exam shows how well you know their official book? So, there is no "Whisker" in it. In the chapter "Evading IDS" -> "Session Splicing", the recommended tool for performing a session-splicing attack is Nessus. Where Wisker came from is not entirely clear, but I will assume the author of the question found it while copying Wikipedia. https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques One basic technique is to split the attack payload into multiple small packets so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'. By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet re-assemblers but not the target computer. NOTE: Yes, I found scraps of information about the tool that existed in 2012, but I can not give you unverified information. According to the official tutorials, the correct answer is Nessus, but if you know anything about Wisker, please write in the QA section. Maybe this question will be updated soon, but I'm not sure about that.

• Question 514:

  Due to a slowdown of normal network operations, the IT department decided to monitor internet traffic for all of the employees. From a legal standpoint, what would be troublesome to take this kind of measure?

  A. All of the employees would stop normal work activities
  B. IT department would be telling employees who the boss is
  C. Not informing the employees that they are going to be monitored could be an invasion of privacy.
  D. The network could still experience traffic slow down.
  C. Not informing the employees that they are going to be monitored could be an invasion of privacy.

• Question 515:

  Which command can be used to show the current TCP/IP connections?

  A. Netsh
  B. Netstat
  C. Net use connection
  D. Net use
  A. Netsh

• Question 516:

  If a tester is attempting to ping a target that exists but receives no response or a response that states the destination is unreachable, ICMP may be disabled and the network may be using TCP. Which other option could the tester use to get a response from a host using TCP?

  A. Traceroute
  B. Hping
  C. TCP ping
  D. Broadcast ping
  B. Hping

  ---

  Explanation/Reference:

  https://tools.kali.org/information-gathering/hping3

• Question 517:

  Andrew is an Ethical Hacker who was assigned the task of discovering all the active devices hidden by a restrictive firewall in the IPv4 range in a given target network. Which of the following host discovery techniques must he use to perform the given task?

  A. UDP scan
  B. TCP Maimon scan
  C. arp ping scan
  D. ACK flag probe scan
  C. arp ping scan

  ---

  Explanation/Reference:

  One of the most common Nmap usage scenarios is scanning an Ethernet LAN. Most LANs, especially those that use the private address range granted by RFC 1918, do not always use the overwhelming majority of IP addresses. When Nmap attempts to send a raw IP packet, such as an ICMP echo request, the OS must determine a destination hardware (ARP) address, such as the target IP, so that the Ethernet frame can be properly addressed. .. This is required to issue a series of ARP requests. This is best illustrated by an example where a ping scan is attempted against an Area Ethernet host. The -send-ip option tells Nmap to send IP-level packets (rather than raw Ethernet), even on area networks. The Wireshark output of the three ARP requests and their timing have been pasted into the session. Raw IP ping scan example for offline targetsThis example took quite a couple of seconds to finish because the (Linux) OS sent three ARP requests at 1 second intervals before abandoning the host. Waiting for a few seconds is excessive, as long as the ARP response usually arrives within a few milliseconds. Reducing this timeout period is not a priority for OS vendors, as the overwhelming majority of packets are sent to the host that actually exists. Nmap, on the other hand, needs to send packets to 16 million IP s given a target like 10.0.0.0/8. Many targets are pinged in parallel, but waiting 2 seconds each is very delayed. There is another problem with raw IP ping scans on the LAN. If the destination host turns out to be unresponsive, as in the previous example, the source host usually adds an incomplete entry for that destination IP to the kernel ARP table. ARP tablespaces are finite and some operating systems become unresponsive when full. If Nmap is used in rawIP mode (-send-ip), Nmap may have to wait a few minutes for the ARP cache entry to expire before continuing host discovery. ARP scans solve both problems by giving Nmap the highest priority. Nmap issues raw ARP requests and handles retransmissions and timeout periods in its sole discretion. The system ARP cache is bypassed. The example shows the difference. This ARP scan takes just over a tenth of the time it takes for an equivalent IP.

  Example b ARP ping scan of offline target

  

  In example b, neither the -PR option nor the -send-eth option has any effect. This is often because ARP has a default scan type on the Area Ethernet network when scanning Ethernet hosts that Nmap discovers. This includes traditional wired Ethernet as 802.11 wireless networks. As mentioned above, ARP scanning is not only more efficient, but also more accurate. Hosts frequently block IP-based ping packets, but usually cannot block ARP requests or responses and communicate over the network.Nmap uses ARP instead of all targets on equivalent targets, even if different ping types (such as -PE and -PS) are specified. LAN.. If you do not need to attempt an ARP scan at all, specify end-ip as shown in Example a "Raw IP Ping Scan for Offline Targets".

  If you give Nmap control to send raw Ethernet frames, Nmap can also adjust the source MAC address. If you have the only PowerBook in your security conference room and a large ARP scan is initiated from an Apple-registered MAC address, your head may turn to you. Use the -spoof-mac option to spoof the MAC address as described in the MAC Address Spoofing section.

• Question 518:

  The network administrator at Spears Technology, Inc has configured the default gateway Cisco router's access-list as below:

  You are hired to conduct security testing on their network.

  You successfully brute-force the SNMP community string using a SNMP crack tool.

  The access-list configured at the router prevents you from establishing a successful connection.

  You want to retrieve the Cisco configuration from the router. How would you proceed?

  A. Use the Cisco's TFTP default password to connect and download the configuration file
  B. Run a network sniffer and capture the returned traffic with the configuration file from the router
  C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address
  D. Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0
  B. Run a network sniffer and capture the returned traffic with the configuration file from the router
  D. Send a customized SNMP set request with a spoofed source IP address in the range - 192.168.1.0

• Question 519:

  You start performing a penetration test against a specific website and have decided to start from grabbing all the links from the main page. What Is the best Linux pipe to achieve your milestone?

  A. dirb https://site.com | grep "site"
  B. curl -s https://sile.com | grep `'< a href-\'http" | grep "Site-com- | cut -d "V" -f 2
  C. wget https://stte.com | grep "< a href=\*http" | grep "site.com"
  D. wgethttps://site.com | cut-d"http-
  C. wget https://stte.com | grep "< a href=\*http" | grep "site.com"

• Question 520:

  Which of the following is the best countermeasure to encrypting ransomwares?

  A. Use multiple antivirus softwares
  B. Pay a ransom
  C. Keep some generation of off-line backup
  D. Analyze the ransomware to get decryption key of encrypted data
  C. Keep some generation of off-line backup