EC-COUNCIL EC-COUNCIL Certifications 312-38 Questions & Answers

• Question 271:

  Adam, a malicious hacker, has just succeeded in stealing a secure cookie via a XSS attack. He is able to replay the cookie even while the session is valid on the server. Which of the following is the most likely reason of this cause?

  A. Encryption is performed at the network layer (layer 1 encryption).

  B. Encryption is performed at the application layer (single encryption key).

  C. No encryption is applied.

  D. Two way encryption is applied.

  Correct Answer: B

  Single key encryption uses a single word or phrase as the key. The same key is used by the sender to encrypt and the receiver to decrypt. Sender and receiver initially need to have a secure way of passing the key from one to the other. With TLS or SSL this would not be possible. Symmetric encryption is a type of encryption that uses a single key to encrypt and decrypt data. Symmetric encryption algorithms are faster than public key encryption. Therefore, it is commonly used when a message sender needs to encrypt a large amount of data. Data Encryption Standard (DES) uses the symmetric encryption key algorithm to encrypt data.

• Question 272:

  Which of the following procedures is intended to provide security personnel to identify, mitigate, and recover from malware events, such as unauthorized access to systems or data, denial-of-service or unauthorized changes to the system hardware, software, or information?

  A. None

  B. disaster survival plan

  C. Cyber Incident Response Plan

  D. A resident of the emergency plan

  E. Crisis communications guidelines

  Correct Answer: C

• Question 273:

  John visits an online shop that stores the IDs and prices of the items to buy in a cookie. After selecting the items that he wants to buy, the attacker changes the price of the item to 1.

  Original cookie values:

  ItemID1=2 ItemPrice1=900 ItemID2=1 ItemPrice2=200 Modified cookie values: ItemID1=2 ItemPrice1=1 ItemID2=1 ItemPrice2=1

  Now, he clicks the Buy button, and the prices are sent to the server that calculates the total price. Which of the following hacking techniques is John performing?

  A. Computer-based social engineering

  B. Man-in-the-middle attack

  C. Cookie poisoning

  D. Cross site scripting

  Correct Answer: C

  John is performing cookie poisoning. In cookie poisoning, an attacker modifies the value of cookies before sending them back to the server. On modifying the cookie values, an attacker can log in to any other user account and can perform identity theft. The following figure explains how cookie poisoning occurs:

  

  For example: The attacker visits an online shop that stores the IDs and prices of the items to buy in a cookie. After selecting the items that he wants to buy, the attacker changes the price of the item to 1. Original cookie values: ItemID1= 2 ItemPrice1=900 ItemID2=1 ItemPrice2=200 Modified cookie values: ItemID1= 2 ItemPrice1=1 ItemID2=1 ItemPrice2=1 Now, the attacker clicks the Buy button and the prices are sent to the server that calculates the total price. Another use of a Cookie Poisoning attack is to pretend to be another user after changing the username in the cookie values: Original cookie values: LoggedIn= True Username = Mark Modified cookie values: LoggedIn= True Username = Admin Now, after modifying the cookie values, the attacker can do the admin login. Answer option D is incorrect. A cross site scripting attack is one in which an attacker enters malicious data into a Website. For example, the attacker posts a message that contains malicious code to any newsgroup site. When another user views this message, the browser interprets this code and executes it and, as a result, the attacker is able to take control of the user's system. Cross site scripting attacks require the execution of client-side languages such as JavaScript, Java, VBScript, ActiveX, Flash, etc. within a user's Web environment. With the help of a cross site scripting attack, the attacker can perform cookie stealing, sessions hijacking, etc.

• Question 274:

  Which of the following UTP cables uses four pairs of twisted cable and provides transmission speeds of up to 16 Mbps?

  A. Category 5e

  B. Category 5

  C. Category 3

  D. Category 6

  Correct Answer: C

  Category 3 type of UTP cable uses four pairs of twisted cable and provides transmission speeds of up to 16 Mbps. They are commonly used in Ethernet networks that operate at the speed of 10 Mbps. A higher speed is also possible by these cables implementing the Fast Ethernet (100Base-T4) specifications. This cable is used mainly for telephone systems. Answer option B is incorrect. This category of UTP cable is the most commonly used cable in present day networks. It consists of four twisted pairs and is used in those Ethernet networks that run at the speed of 100 Mbps. Category 5 cable can also provide a higher speed of up to 1000 Mbps. Answer option A is incorrect. It is also known as Category 5 Enhanced cable. Its specification is the same as category 5, but it has some enhanced features and is used in Ethernets that run at the speed of 1000 Mbps. Answer option D is incorrect. This category of UTP cable is designed to support high-speed networks that run at the speed of 1000 Mbps. It consists of four pairs of wire and uses all of them for data transmission. Category 6 provides more than twice the speed of Category 5e, but is also more expensive.

• Question 275:

  Which of the following policies is used to add additional information about the overall security posture and serves to protect employees and organizations from inefficiency or ambiguity?

  A. User policy

  B. Group policy

  C. Issue-Specific Security Policy

  D. IT policy

  Correct Answer: C

  The Issue-Specific Security Policy (ISSP) is used to add additional information about the overall security posture. It helps in providing detailed, targeted guidance for instructing organizations in the secure use of tech systems. This policy serves to protect employees and organizations from inefficiency or ambiguity. Answer option A is incorrect. A user policy helps in defining what users can and should do to use network and organization's computer equipment. It also defines what limitations are put on users for maintaining the network secure such as whether users can install programs on their workstations, types of programs users are using, and how users can access data. Answer option D is incorrect. IT policy includes general policies for the IT department. These policies are intended to keep the network secure and stable. It includes the following: Virus incident and security incident Backup policy Client update policies Server configuration, patch update, and modification policies (security) Firewall policies, Dmz policy, email retention, and auto forwarded email policy Answer option B is incorrect. A group policy specifies how programs, network resources, and the operating system work for users and computers in an organization.

• Question 276:

  Which of the following statements are true about volatile memory? Each correct answer represents a complete solution. Choose all that apply.

  A. The content is stored permanently and even the power supply is switched off.

  B. A volatile storage device is faster in reading and writing data.

  C. Read only memory (ROM) is an example of volatile memory.

  D. It is computer memory that requires power to maintain the stored information.

  Correct Answer: DB

  Volatile memory, also known as volatile storage, is computer memory that requires power to maintain the stored information, unlike non-volatile memory which does not require a maintained power supply. It has been less popularly known as temporary memory. Most forms of modern random access memory (RAM) are volatile storage, including dynamic random access memory (DRAM) and static random access memory (SRAM). A volatile storage device is faster in reading and writing data. Answer options A and C are incorrect. Non-volatile memory, nonvolatile memory, NVM, or non-volatile storage, in the most basic sense, is computer memory that can retain the stored information even when not powered. Examples of nonvolatile memory include read-only memory, flash memory, most types of magnetic computer storage devices (e.g. hard disks, floppy disks, and magnetic tape), optical discs, and early computer storage methods such as paper tape and punched cards.

• Question 277:

  John works as a professional Ethical Hacker. He has been assigned the project of testing the security of www.we-are-secure.com. He is using a tool to crack the wireless encryption keys. The description of the tool is as follows:

  ,,It is a Linux-based WLAN WEP cracking tool that recovers encryption keys. It operates by passively monitoring transmissions. It uses Ciphertext Only Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys."

  Which of the following tools is John using to crack the wireless encryption keys?

  A. Cain

  B. PsPasswd

  C. Kismet

  D. AirSnort

  Correct Answer: D

  AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions. It uses Ciphertext Only Attack and captures approximately 5 to 10 million packets to decrypt the WEP keys. Answer option C is incorrect. Kismet is a Linux-based 802.11 wireless network sniffer and intrusion detection system. It can work with any wireless card that supports raw monitoring (rfmon) mode. Kismet can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet can be used for the following tasks: To identify networks by passively collecting packets To detect standard named networks To detect masked networks To collect the presence of non-beaconing networks via data traffic Answer option A is incorrect. Cain is a multipurpose tool that can be used to perform many tasks such as Windows password cracking, Windows enumeration, and VoIP session sniffing. This password cracking program can perform the following types of password cracking attacks: Dictionary attack Brute force attack Rainbow attack Hybrid attack Answer option B is incorrect. PsPasswd is a tool that helps Network Administrators change an account password on the local or remote system. The command syntax of PsPasswd is as follows: pspasswd [\\computer[,computer[,..] | @file [-u user [-p psswd]] Username [NewPassword]

  

• Question 278:

  You are a professional Computer Hacking forensic investigator. You have been called to collect evidences of buffer overflow and cookie snooping attacks. Which of the following logs will you review to accomplish the task? Each correct answer represents a complete solution. Choose all that apply.

  A. Program logs

  B. Web server logs

  C. Event logs

  D. System logs

  Correct Answer: ACD

  Evidences of buffer overflow and cookie snooping attacks can be traced from system logs, event logs, and program logs, depending on the type of overflow or cookie snooping attack executed and the error recovery method used by the hacker.

  Answer option B is incorrect. Web server logs are used to investigate cross-site scripting attacks.

• Question 279:

  Which of the following tools is an open source protocol analyzer that can capture traffic in real time?

  A. NetResident

  B. Wireshark

  C. Bridle

  D. NetWitness

  E. None

  Correct Answer: B

  Wireshark is an open source protocol analyzer that can capture traffic in real time. Wireshark is a free packet sniffer computer application. It is used for network troubleshooting, analysis, software and communications protocol development,

  and education. Wireshark is very similar to tcpdump, but it has a graphical front-end, and many more information sorting and filtering options. It allows the user to see all traffic being passed over the network (usually an Ethernet network but

  support is being added for others) by putting the network interface into promiscuous mode.

  Wireshark uses pcap to capture packets, so it can only capture the packets on the networks supported by pcap. It has the following features:

  Data can be captured "from the wire" from a live network connection or read from a file that records the already-captured packets.

  Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.

  Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.

  Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.

  Data display can be refined using a display filter. Plugins can be created for dissecting new protocols.

  Answer option C is incorrect. Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs activities of the network that is matched with the predefined signatures. Signatures can be

  designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

  Answer option D is incorrect. NetWitness is used to analyze and monitor the network traffic and activity.

  Answer option A is incorrect. Netresident is used to capture, store, analyze, and reconstruct network events and activities.

• Question 280:

  John works as an Ethical Hacker for www.company.com Inc. He wants to find out the ports that are open in www.company.com's server using a port scanner. However, he does not want to establish a full TCP connection. Which of the following scanning techniques will he use to accomplish this task?

  A. TCP SYN

  B. Xmas tree

  C. TCP SYN/ACK

  D. TCP FIN

  Correct Answer: A

  According to the scenario, John does not want to establish a full TCP connection. Therefore, he will use the TCP SYN scanning technique. TCP SYN scanning is also known as half-open scanning because in this type of scanning, a full TCP

  connection is never opened. The steps of TCP SYN scanning are as follows:

  1.The attacker sends a SYN packet to the target port.

  2.If the port is open, the attacker receives the SYN/ACK message.

  3.Now the attacker breaks the connection by sending an RST packet.

  4.If the RST packet is received, it indicates that the port is closed.

  This type of scanning is hard to trace because the attacker never establishes a full 3-way handshake connection and most sites do not create a log of incomplete TCP connections. Answer option C is incorrect. In TCP SYN/ACK scanning, an attacker sends a SYN/ACK packet to the target port. If the port is closed, the victim assumes that this packet was mistakenly sent by the attacker, and sends the RST packet to the attacker. If the port is open, the SYN/ACK packet will be ignored and the port will drop the packet. TCP SYN/ACK scanning is stealth scanning, but some intrusion detection systems can detect TCP SYN/ACK scanning. Answer option D is incorrect. TCP FIN scanning is a type of stealth scanning through which the attacker sends a FIN packet to the target port. If the port is closed, the victim assumes that this packet was sent mistakenly by the attacker and sends the RST packet to the attacker. If the port is open, the FIN packet will be ignored and the port will drop that packet. TCP FIN scanning is useful only for identifying ports of non-Windows operating systems because Windows operating systems send only RST packets irrespective of whether the port is open or closed. Answer option B is incorrect. Xmas Tree scanning is just the opposite of null scanning. In Xmas Tree scanning, all packets are turned on. If the target port is open, the service running on the target port discards the packets without any reply. According to RFC 793, if the port is closed, the remote system replies with the RST packet. Active monitoring of all incoming packets can help system network administrators detect an Xmas Tree scan.