EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 161:

  Jess the hacker runs L0phtCrack's built-in sniffer utility which grabs SMB password hashes and stores them for offline cracking. Once cracked, these passwords can provide easy access to whatever network resources the user account has

  access to.

  But Jess is not picking up hashed from the network.

  Why?

  A. The network protocol is configured to use SMB Signing.

  B. The physical network wire is on fibre optic cable.

  C. The network protocol is configured to use IPSEC.

  D. L0phtCrack SMB filtering only works through Switches and not Hubs.

  Correct Answer: A

  To protect against SMB session hijacking, NT supports a cryptographic integrity mechanism, SMB Signing, to prevent active network taps from interjecting themselves into an already established session.

• Question 162:

  John is a keen administrator, and has followed all of the best practices as he could find on securing his Windows Server. He has renamed the Administrator account to a new name that he is sure cannot be easily guessed. However, there are people who already attempt to compromise his newly renamed administrator account.

  How is it possible for a remote attacker to decipher the name of the administrator account if it has been renamed?

  A. The attacker used the user2sid program.

  B. The attacker used the sid2user program.

  C. The attacker used nmap with the V switch.

  D. The attacker guessed the new name.

  Correct Answer: B

  User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and more. These utilities do not exploit a bug but call the functions LookupAccountName and LookupAccountSid respectively. What is more these can be called against a remote machine without providing logon credentials save those needed for a null session connection.

• Question 163:

  SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather great amount of information about remote hosts.

  Which of the following features makes this possible? (Choose two)

  A. It used TCP as the underlying protocol.

  B. It uses community string that is transmitted in clear text.

  C. It is susceptible to sniffing.

  D. It is used by all network devices on the market.

  Correct Answer: BC

  Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE). If an attacker is able to guess a PUBLIC community string, they would be able to read SNMP data (depending on which MIBs are installed) from the remote device. This information might include system time, IP addresses, interfaces, processes running, etc. Version 1 of SNMP has been criticized for its poor security. Authentication of clients is performed only by a "community string", in effect a type of password, which is transmitted in cleartext.

• Question 164:

  Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test. While conducting a port scan she notices open ports in the range of 135 to 139. What protocol is most likely to be listening on those ports?

  A. Finger

  B. FTP

  C. Samba

  D. SMB

  Correct Answer: D

  The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445.

• Question 165:

  You have successfully brute forced basic authentication configured on a Web Server using Brutus hacking tool. The username/password is "Admin" and "Bettlemani@". You logon to the system using the brute forced password and plant

  backdoors and rootkits.

  After downloading various sensitive documents from the compromised machine, you proceed to clear the log files to hide your trace..

  Which event log located at C:\Windows\system32\config contains the trace of your brute force attempts?

  A. AppEvent.Evt

  B. SecEvent.Evt

  C. SysEvent.Evt

  D. WinEvent.Evt

  Correct Answer: B

  The Security Event log (SecEvent.Evt) will contain all the failed logins against the system.

• Question 166:

  Michael is the security administrator for the for ABC company. Michael has been charged with strengthening the company's security policies, including its password policies. Due to certain legacy applications. Michael was only able to enforce a password group policy in Active Directory with a minimum of 10 characters. He has informed the company's employes, however that the new password policy requires that everyone must have complex passwords with at least 14 characters. Michael wants to ensure that everyone is using complex passwords that meet the new security policy requirements. Michael has just logged on to one of the network's domain controllers and is about to run the following command:

  What will this command accomplish?

  

  A. Dumps SAM password hashes to pwd.txt

  B. Password history file is piped to pwd.txt

  C. Dumps Active Directory password hashes to pwd.txt

  D. Internet cache file is piped to pwd.txt

  Correct Answer: A

  Pwdump is a hack tool that is used to grab Windows password hashes from a remote Windows computer. Pwdump > pwd.txt will redirect the output from pwdump to a text file named pwd.txt

• Question 167:

  John Beetlesman, the hacker has successfully compromised the Linux System of Agent Telecommunications, Inc's WebServer running Apache. He has downloaded sensitive documents and database files off the machine.

  Upon performing various tasks, Beetlesman finally runs the following command on the Linux box before disconnecting.

  for ((i=0;i<1;i++));do

  ?dd if=/dev/random of=/dev/hda andand dd if=/dev/zero of=/dev/hda done

  What exactly is John trying to do?

  A. He is making a bit stream copy of the entire hard disk for later download

  B. He is deleting log files to remove his trace

  C. He is wiping the contents of the hard disk with zeros

  D. He is infecting the hard disk with random virus strings

  Correct Answer: C

  dd copies an input file to an output file with optional conversions. if is input file, -of is output file. /dev/zero is a special file that provides as many null characters (ASCII NULL, 0x00; not ASCII character "digit zero", "0", 0x30) as are read from it. /dev/hda is the hard drive.

• Question 168:

  You are the security administrator for a large online auction company based out of Los Angeles. After getting your ENSA CERTIFICATION last year, you have steadily been fortifying your network's security including training OS hardening and network security. One of the last things you just changed for security reasons was to modify all the built-in administrator accounts on the local computers of PCs and in Active Directory. After through testing you found and no services or programs were affected by the name changes.

  Your company undergoes an outside security audit by a consulting company and they said that even through all the administrator account names were changed, the accounts could still be used by a clever hacker to gain unauthorized access. You argue with the auditors and say that is not possible, so they use a tool and show you how easy it is to utilize the administrator account even though its name was changed.

  What tool did the auditors use?

  A. sid2user

  B. User2sid

  C. GetAcct

  D. Fingerprint

  Correct Answer: A

  User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) from the local or a remote machine Sid2user.exe can then be used to retrieve the names of all the user accounts and more.

• Question 169:

  You are the IT Manager of a large legal firm in California. Your firm represents many important clients whose names always must remain anonymous to the public. Your boss, Mr. Smith is always concerned about client information being leaked or revealed to the pres or public. You have just finished a complete security overhaul of your information system including an updated IPS, new firewall, email encryption and employee security awareness training. Unfortunately, many of your firm's clients do not trust technology to completely secure their information, so couriers routinely have to travel back and forth to and from the office with sensitive information.

  Your boss has charged you with figuring out how to secure the information the couriers must transport. You propose that the data be transferred using burned CD's or USB flash drives. You initially think of encrypting the files, but decide against that method for fear the encryption keys could eventually be broken.

  What software application could you use to hide the data on the CD's and USB flash drives?

  A. Snow

  B. File Snuff

  C. File Sneaker

  D. EFS

  Correct Answer: A

  The Snow software developed by Matthew Kwan will insert extra spaces at the end of each line. Three bits are encoded in each line by adding between 0 and 7 spaces that are ignored by most display programs including web browsers.

• Question 170:

  Which of the following is an attack in which a secret value like a hash is captured and then reused at a later time to gain access to a system without ever decrypting or decoding the hash.

  A. Replay Attacks

  B. Brute Force Attacks

  C. Cryptography Attacks

  D. John the Ripper Attacks

  Correct Answer: A

  A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it.