EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 91:

  _______ is one of the programs used to wardial.

  A. DialIT

  B. Netstumbler

  C. TooPac

  D. Kismet

  E. ToneLoc

  Correct Answer: E

  ToneLoc is one of the programs used to wardial. While this is considered an "old school" technique, it is still effective at finding backdoors and out of band network entry points.

• Question 92:

  When Nmap performs a ping sweep, which of the following sets of requests does it send to the target device?

  A. ICMP ECHO_REQUEST and TCP SYN

  B. ICMP ECHO_REQUEST and TCP ACK

  C. ICMP ECHO_REPLY and TFP RST

  D. ICMP ECHO_REPLY and TCP FIN

  Correct Answer: B

  The default behavior of NMAP is to do both an ICMP ping sweep (the usual kind of ping) and a TCP port 80 ACK ping sweep. If an admin is logging these this will be fairly characteristic of NMAP.

• Question 93:

  While attempting to discover the remote operating system on the target computer, you receive the following results from an nmap scan:

  Starting nmap V. 3.10ALPHA9 ( www.insecure.org/nmap/ ) Interesting ports on 172.121.12.222: (The 1592 ports scanned but not shown below are in state: filtered) Port State Service 21/tcp open ftp 25/tcp open smtp 53/tcp closed domain 80/tcp open http 443/tcp open https Remote operating system guess: Too many signatures match to reliably guess the OS. Nmap run completed -- 1 IP address (1 host up) scanned in 277.483 seconds

  What should be your next step to identify the OS?

  A. Perform a firewalk with that system as the target IP

  B. Perform a tcp traceroute to the system using port 53

  C. Run an nmap scan with the -v-v option to give a better output

  D. Connect to the active services and review the banner information

  Correct Answer: D

  Most people don't care about changing the banners presented by applications listening to open ports and therefore you should get fairly accurate information when grabbing banners from open ports with, for example, a telnet application.

• Question 94:

  home/root # traceroute www.targetcorp.com traceroute to www.targetcorp.com (192.168.12.18), 64 hops may, 40 byte packets 1 router.anon.com (192.13.212.254) 1.373 ms 1.123 ms 1.280 ms 2 192.13.133.121 (192.13.133.121) 3.680 ms 3.506 ms 4.583 ms 3 firewall.anon.com (192.13.192.17) 127.189 ms 257.404 ms 208.484 ms 4 anon-gw.anon.com

  (192.93.144.89) 471.68 ms 376.875 ms 228.286 ms 5 fe5-0.lin.isp.com (192.162.231.225) 2.961 ms 3.852 ms 2.974 ms 6 fe0-0.lon0.isp.com (192.162.231.234) 3.979 ms 3.243 ms 4.370 ms 7 192.13.133.5 (192.13.133.5) 11.454 ms 4.221

  ms 3.333 ms 6 * * *

  7 * * *

  8 www.targetcorp.com (192.168.12.18) 5.392 ms 3.348 ms 3.199 ms

  Use the traceroute results shown above to answer the following question:

  The perimeter security at targetcorp.com does not permit ICMP TTL-expired packets out.

  A. True

  B. False

  Correct Answer: A

  As seen in the exhibit there is 2 registrations with timeout, this tells us that the firewall filters packets where the TTL has reached 0, when you continue with higher starting values for TTL you will get an answer from the target of the traceroute.

• Question 95:

  What ICMP message types are used by the ping command?

  A. Timestamp request (13) and timestamp reply (14)

  B. Echo request (8) and Echo reply (0)

  C. Echo request (0) and Echo reply (1)

  D. Ping request (1) and Ping reply (2)

  Correct Answer: B

  ICMP Type 0 = Echo Reply, ICMP Type 8 = Echo

• Question 96:

  Which of the following systems would not respond correctly to an nmap XMAS scan?

  A. Windows 2000 Server running IIS 5

  B. Any Solaris version running SAMBA Server

  C. Any version of IRIX

  D. RedHat Linux 8.0 running Apache Web Server

  Correct Answer: A

  When running a XMAS Scan, if a RST packet is received, the port is considered closed, while no response means it is open|filtered. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400.

• Question 97:

  You are scanning into the target network for the first time. You find very few conventional ports open. When you attempt to perform traditional service identification by connecting to the open ports, it yields either unreliable or no results. You are unsure of what protocols are being used. You need to discover as many different protocols as possible. Which kind of scan would you use to do this?

  A. Nmap with the sO (Raw IP packets) switch

  B. Nessus scan with TCP based pings

  C. Nmap scan with the sP (Ping scan) switch

  D. Netcat scan with the u e switches

  Correct Answer: A

  Running Nmap with the sO switch will do a IP Protocol Scan. The IP protocol scan is a bit different than the other nmap scans. The IP protocol scan is searching for additional IP protocols in use by the remote station, such as ICMP, TCP, and UDP. If a router is scanned, additional IP protocols such as EGP or IGP may be identified.

• Question 98:

  Because UDP is a connectionless protocol: (Select 2)

  A. UDP recvfrom() and write() scanning will yield reliable results

  B. It can only be used for Connect scans

  C. It can only be used for SYN scans

  D. There is no guarantee that the UDP packets will arrive at their destination

  E. ICMP port unreachable messages may not be returned successfully

  Correct Answer: DE

  Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).

• Question 99:

  What does an ICMP (Code 13) message normally indicates?

  A. It indicates that the destination host is unreachable

  B. It indicates to the host that the datagram which triggered the source quench message will need to be re-sent

  C. It indicates that the packet has been administratively dropped in transit

  D. It is a request to the host to cut back the rate at which it is sending traffic to the Internet destination

  Correct Answer: C

  CODE 13 and type 3 is destination unreachable due to communication administratively prohibited by filtering hence maybe they meant "code 13", therefore would be C). Note:A - Type 3B - Type 4C - Type 3 Code 13D - Typ4 4

• Question 100:

  What port scanning method is the most reliable but also the most detectable?

  A. Null Scanning

  B. Connect Scanning

  C. ICMP Scanning

  D. Idlescan Scanning

  E. Half Scanning

  F. Verbose Scanning

  Correct Answer: B

  A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection.