EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 101:

  What port scanning method involves sending spoofed packets to a target system and then looking for adjustments to the IPID on a zombie system?

  A. Blind Port Scanning

  B. Idle Scanning

  C. Bounce Scanning

  D. Stealth Scanning

  E. UDP Scanning

  Correct Answer: B

  from NMAP:-sI Idlescan: This advanced scan method allows fora truly blind TCP port scan of the target (meaning no packets are sent tothe tar- get from your real IP address). Instead, a unique side-channelattack exploits predictable "IP fragmentation ID" sequence generation onthe zombie host to glean information about the open ports on the target.

• Question 102:

  An Nmap scan shows the following open ports, and nmap also reports that the OS guessing results to match too many signatures hence it cannot reliably be identified:

  21 ftp 23 telnet 80 http 443 https

  What does this suggest ?

  A. This is a Windows Domain Controller

  B. The host is not firewalled

  C. The host is not a Linux or Solaris system

  D. The host is not properly patched

  Correct Answer: D

  If the answer was A nmap would guess it, it holds the MS signature database, the host not being firewalled makes no difference. The host is not linux or solaris, well it very well could be. The host is not properly patched? That is the closest; nmaps OS detection architecture is based solely off the TCP ISN issued by the operating systems TCP/IP stack, if the stack is modified to show output from randomized ISN's or if your using a program to change the ISN then OS detection will fail. If the TCP/IP IP ID's are modified then os detection could also fail, because the machine would most likely come back as being down.

• Question 103:

  John has scanned the web server with NMAP. However, he could not gather enough information to help him identify the operating system running on the remote host accurately. What would you suggest to John to help identify the OS that is being used on the remote web server?

  A. Connect to the web server with a browser and look at the web page.

  B. Connect to the web server with an FTP client.

  C. Telnet to port 8080 on the web server and look at the default page code.

  D. Telnet to an open port and grab the banner.

  Correct Answer: D

  Most people don't care about changing the banners presented by applications listening to open ports and therefore you should get fairly accurate information when grabbing banners from open ports with, for example, a telnet application.

• Question 104:

  You are having problems while retrieving results after performing port scanning during internal testing. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned shows all ports open.

  Which one of the following statements is probably true?

  A. The systems have all ports open.

  B. The systems are running a host based IDS.

  C. The systems are web servers.

  D. The systems are running Windows.

  Correct Answer: D

  The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real world. If the port is closed, a RST frame should be returned and a null scan to an open port results in no response. Unfortunately Microsoft (like usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows as they choose not to response at all. This is a good way to distinguish that the system being scanned is running Microsoft Windows.

• Question 105:

  What are twp types of ICMP code used when using the ping command?

  A. It uses types 0 and 8.

  B. It uses types 13 and 14.

  C. It uses types 15 and 17.

  D. The ping command does not use ICMP but uses UDP.

  Correct Answer: A

  ICMP Type 0 = Echo Reply, ICMP Type 8 = Echo

• Question 106:

  You are scanning into the target network for the first time. You find very few conventional ports open. When you attempt to perform traditional service identification by connecting to the open ports, it yields either unreliable or no results. You are unsure of which protocols are being used. You need to discover as many different protocols as possible.

  Which kind of scan would you use to achieve this? (Choose the best answer)

  A. Nessus scan with TCP based pings.

  B. Nmap scan with the sP (Ping scan) switch.

  C. Netcat scan with the u e switches.

  D. Nmap with the sO (Raw IP packets) switch.

  Correct Answer: D

  Running Nmap with the sO switch will do a IP Protocol Scan. The IP protocol scan is a bit different than the other nmap scans. The IP protocol scan is searching for additional IP protocols in use by the remote station, such as ICMP, TCP, and UDP. If a router is scanned, additional IP protocols such as EGP or IGP may be identified.

• Question 107:

  An attacker is attempting to telnet into a corporation's system in the DMZ. The attacker doesn't want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping2. He is still unable to connect to the target system.

  What is the most probable reason?

  A. The firewall is blocking port 23 to that system.

  B. He cannot spoof his IP and successfully use TCP.

  C. He needs to use an automated tool to telnet in.

  D. He is attacking an operating system that does not reply to telnet even when open.

  Correct Answer: B

  Spoofing your IP will only work if you don't need to get an answer from the target system. In this case the answer (login prompt) from the telnet session will be sent to the "real" location of the IP address that you are showing as the connection initiator.

• Question 108:

  War dialing is a very old attack and depicted in movies that were made years ago. Why would a modem security tester consider using such an old technique?

  A. It is cool, and if it works in the movies it must work in real life.

  B. It allows circumvention of protection mechanisms by being on the internal network.

  C. It allows circumvention of the company PBX.

  D. A good security tester would not use such a derelict technique.

  Correct Answer: B

  If you are lucky and find a modem that answers and is connected to the target network, it usually is less protected (as only employees are supposed to know of its existence) and once connected you don't need to take evasive actions towards any firewalls or IDS.

• Question 109:

  What type of port scan is shown below?

  

  A. Idle Scan

  B. Windows Scan

  C. XMAS Scan

  D. SYN Stealth Scan

  Correct Answer: C

  An Xmas port scan is variant of TCP port scan. This type of scan tries to obtain information about the state of a target port by sending a packet which has multiple TCP flags set to 1 - "lit as an Xmas tree". The flags set for Xmas scan are FIN, URG and PSH. The purpose is to confuse and bypass simple firewalls. Some stateless firewalls only check against security policy those packets which have the SYN flag set (that is, packets that initiate connection according to the standards). Since Xmas scan packets are different, they can pass through these simple systems and reach the target host.

• Question 110:

  Ann would like to perform a reliable scan against a remote target. She is not concerned about being stealth at this point. Which of the following type of scans would be the most accurate and reliable option?

  A. A half-scan

  B. A UDP scan

  C. A TCP Connect scan

  D. A FIN scan

  Correct Answer: C

  A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection. Otherwise an error code is returned. Example of a three-way handshake followed by a reset: Source Destination Summary ------------------------------------------------------------------------------------- [192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 SYN SEQ=3362197786 LEN=0 WIN=5840 [192.168.0.10] [192.168.0.8] TCP: D=49389 S=80 SYN ACK=3362197787 SEQ=58695210 LEN=0 WIN=65535 [192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 ACK=58695211 WIN<<2=5840 [192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 RST ACK=58695211 WIN<<2=5840