EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 111:

  You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and after scanning each of them you notice that they all show port 21 in closed state. What should be the next logical step that should be performed?

  A. Connect to open ports to discover applications.

  B. Perform a ping sweep to identify any additional systems that might be up.

  C. Perform a SYN scan on port 21 to identify any additional systems that might be up.

  D. Rescan every computer to verify the results.

  Correct Answer: C

  As ICMP is blocked you'll have trouble determining which computers are up and running by using a ping sweep. As all the 23 computers that you had discovered earlier had port 21 closed, probably any additional, previously unknown, systems will also have port 21 closed. By running a SYN scan on port 21 over the target network you might get replies from additional systems.

• Question 112:

  Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company?

  A. To create a denial of service attack.

  B. To verify information about the mail administrator and his address.

  C. To gather information about internal hosts used in email treatment.

  D. To gather information about procedures that are in place to deal with such messages.

  Correct Answer: C

  The replay from the email server that states that there is no such recipient will also give you some information about the name of the email server, versions used and so on.

• Question 113:

  Bob has been hired to perform a penetration test on ABC.com. He begins by looking at IP address ranges owned by the company and details of domain name registration. He then goes to News Groups and financial web sites to see if they are leaking any sensitive information of have any technical details online.

  Within the context of penetration testing methodology, what phase is Bob involved with?

  A. Passive information gathering

  B. Active information gathering

  C. Attack phase

  D. Vulnerability Mapping

  Correct Answer: A

  He is gathering information and as long as he doesn't make contact with any of the targets systems he is considered gathering this information in a passive mode.

• Question 114:

  The following excerpt is taken from a honeyput log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. Study the log given below and answer the following question:

  (Note: The objective of this questions is to test whether the student has learnt about passive OS fingerprinting (which should tell them the OS from log captures):

  can they tell a SQL injection attack signature; can they infer if a user ID has been created by an attacker and whether they can read plain source destination entries from log entries.)

  

  What can you infer from the above log?

  A. The system is a windows system which is being scanned unsuccessfully.

  B. The system is a web application server compromised through SQL injection.

  C. The system has been compromised and backdoored by the attacker.

  D. The actual IP of the successful attacker is 24.9.255.53.

  Correct Answer: A

• Question 115:

  While performing a ping sweep of a subnet you receive an ICMP reply of Code 3/Type 13 for all the pings sent out. What is the most likely cause behind this response?

  A. The firewall is dropping the packets.

  B. An in-line IDS is dropping the packets.

  C. A router is blocking ICMP.

  D. The host does not respond to ICMP packets.

  Correct Answer: C

  Type 3 message = Destination Unreachable [RFC792], Code 13 (cause) = Communication Administratively Prohibited [RFC1812]

• Question 116:

  Exhibit Joe Hacker runs the hping2 hacking tool to predict the target host's sequence numbers in one of the hacking session. What does the first and second column mean? Select two.

  

  A. The first column reports the sequence number

  B. The second column reports the difference between the current and last sequence number

  C. The second column reports the next sequence number

  D. The first column reports the difference between current and last sequence number

  Correct Answer: AB

• Question 117:

  Doug is conducting a port scan of a target network. He knows that his client target network has a web server and that there is a mail server also which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4.

  A. UDP is filtered by a gateway

  B. The packet TTL value is too low and cannot reach the target

  C. The host might be down

  D. The destination network might be down

  E. The TCP windows size does not match

  F. ICMP is filtered by a gateway

  Correct Answer: ABCF

  If the destination host or the destination network is down there is no way to get an answer and if TTL (Time To Live) is set too low the UDP packets will "die" before reaching the host because of too many hops between the scanning computer and the target. The TCP receive window size is the amount of received data (in bytes) that can be buffered during a connection. The sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host and ICMP is mainly used for echo requests and not in port scans.

• Question 118:

  Maurine is working as a security consultant for Hinklemeir Associate. She has asked the Systems Administrator to create a group policy that would not allow null sessions on the network. The Systems Administrator is fresh out of college and has never heard of null sessions and does not know what they are used for. Maurine is trying to explain to the Systems Administrator that hackers will try to create a null session when footprinting the network.

  Why would an attacker try to create a null session with a computer on a network?

  A. Enumerate users shares

  B. Install a backdoor for later attacks

  C. Escalate his/her privileges on the target server

  D. To create a user with administrative privileges for later use

  Correct Answer: A

  The Null Session is often referred to as the "Holy Grail" of Windows hacking. Listed as the number 5 windows vulnerability on the SANS/FBI Top 20 list, Null Sessions take advantage of flaws in the CIFS/SMB (Common Internet File System/ Server Messaging Block) architecture. You can establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null user name and password. Using these null connections allows you to gather the following information from the host:

  -

  List of users and groups

  -

  List of machines

  -

  List of shares

  -Users and host SID' (Security Identifiers)

• Question 119:

  SNMP is a connectionless protocol that uses UDP instead of TCP packets? (True or False)

  A. True

  B. False

  Correct Answer: A

  TCP and UDP provide transport services. But UDP was preferred. This is due to TCP characteristics, it is a complicate protocol and it consume to many memory and CPU resources. Where as UDP is easy to build and run. Into devices (repeaters and modems) vendors have built simple version of IP and UDP.

• Question 120:

  Jonathan being a keen administrator has followed all of the best practices he could find on securing his Windows Server. He renamed the Administrator account to a new name that can't be easily guessed but there remain people who attempt to compromise his newly renamed administrator account. How can a remote attacker decipher the name of the administrator account if it has been renamed?

  A. The attacker guessed the new name

  B. The attacker used the user2sid program

  C. The attacker used to sid2user program

  D. The attacker used NMAP with the V option

  Correct Answer: C

  User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and more. These utilities do not exploit a bug but call the functions LookupAccountName and LookupAccountSid respectively. What is more these can be called against a remote machine without providing logon credentials save those needed for a null session connection.