EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 191:

  An attacker runs netcat tool to transfer a secret file between two hosts.

  Machine A: netcat -l -p 1234 < secretfile Machine B: netcat 192.168.3.4 > 1234

  He is worried about information being sniffed on the network. How would the attacker use netcat to encrypt the information before transmitting onto the wire?

  A. Machine A: netcat -l -p -s password 1234 < testfileMachine B: netcat 1234

  B. Machine A: netcat -l -e magickey -p 1234 < testfileMachine B: netcat 1234

  C. Machine A: netcat -l -p 1234 < testfile -pw passwordMachine B: netcat 1234 -pw password

  D. Use cryptcat instead of netcat

  Correct Answer: D

  Netcat cannot encrypt the file transfer itself but would need to use a third party application to encrypt/decrypt like openssl. Cryptcat is the standard netcat enhanced with twofish encryption.

• Question 192:

  You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case letters, capital letters, numbers and special characters.

  With your existing knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking attack you can run against these hash values and still get results?

  A. Online Attack

  B. Dictionary Attack

  C. Brute Force Attack

  D. Hybrid Attack

  Correct Answer: D

  A dictionary attack will not work as strong passwords are enforced, also the minimum length of 8 characters in the password makes a brute force attack time consuming. A hybrid attack where you take a word from a dictionary and exchange a number of letters with numbers and special characters will probably be the fastest way to crack the passwords.

• Question 193:

  Windows LAN Manager (LM) hashes are known to be weak. Which of the following are known weaknesses of LM? (Choose three)

  A. Converts passwords to uppercase.

  B. Hashes are sent in clear text over the network.

  C. Makes use of only 32 bit encryption.

  D. Effective length is 7 characters.

  Correct Answer: ABD

  The LM hash is computed as follows.1. The user's password as an OEM string is converted to uppercase. 2. This password is either null-padded or truncated to 14 bytes. 3. The "fixed-length" password is split into two 7-byte halves. 4. These

  values are used to create two DES keys, one from each 7-byte half. 5. Each of these keys is used to DES-encrypt the constant ASCII string "KGS!@#$ %", resulting in two 8-byte ciphertext values. 6. These two ciphertext values are

  concatenated to form a 16-byte value, which is the LM hash.

  The hashes them self are sent in clear text over the network instead of sending the password in clear text.

• Question 194:

  While examining audit logs, you discover that people are able to telnet into the SMTP server on port

  25. You would like to block this, though you do not see any evidence of an attack or other wrong doing. However, you are concerned about affecting the normal functionality of the email server. From the following options choose how best you can achieve this objective?

  A. Block port 25 at the firewall.

  B. Shut off the SMTP service on the server.

  C. Force all connections to use a username and password.

  D. Switch from Windows Exchange to UNIX Sendmail.

  E. None of the above.

  Correct Answer: E

  Blocking port 25 in the firewall or forcing all connections to use username and password would have the consequences that the server is unable to communicate with other SMTP servers. Turning of the SMTP service would disable the email function completely. All email servers use SMTP to communicate with other email servers and therefore changing email server will not help.

• Question 195:

  Password cracking programs reverse the hashing process to recover passwords.(True/False.

  A. True

  B. False

  Correct Answer: B

  Password cracking programs do not reverse the hashing process. Hashing is a one-way process. What these programs can do is to encrypt words, phrases, and characters using the same encryption process and compare them to the original password. A hashed match reveals the true password.

• Question 196:

  Which of the following are well know password-cracking programs?(Choose all that apply.

  A. L0phtcrack

  B. NetCat

  C. Jack the Ripper

  D. Netbus

  E. John the Ripper

  Correct Answer: AE

  L0phtcrack and John the Ripper are two well know password-cracking programs. Netcat is considered the Swiss-army knife of hacking tools, but is not used for password cracking

• Question 197:

  When discussing passwords, what is considered a brute force attack?

  A. You attempt every single possibility until you exhaust all possible combinations or discover the password

  B. You threaten to use the rubber hose on someone unless they reveal their password

  C. You load a dictionary of words into your cracking program

  D. You create hashes of a large number of words and compare it with the encrypted passwords

  E. You wait until the password expires

  Correct Answer: A

  Brute force cracking is a time consuming process where you try every possible combination of letters, numbers, and characters until you discover a match.

• Question 198:

  How can you determine if an LM hash you extracted contains a password that is less than 8 characters long?

  A. There is no way to tell because a hash cannot be reversed

  B. The right most portion of the hash is always the same

  C. The hash always starts with AB923D

  D. The left most portion of the hash is always the same

  E. A portion of the hash will be all 0's

  Correct Answer: B

  When looking at an extracted LM hash, you will sometimes observe that the right most portion is always the same. This is padding that has been added to a password that is less than 8 characters long.

• Question 199:

  What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stracheldraht have in common?

  A. All are hacking tools developed by the legion of doom

  B. All are tools that can be used not only by hackers, but also security personnel

  C. All are DDOS tools

  D. All are tools that are only effective against Windows

  E. All are tools that are only effective against Linux

  Correct Answer: C

  All are DDOS tools.

• Question 200:

  What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?

  A. Copy the system files from a known good system

  B. Perform a trap and trace

  C. Delete the files and try to determine the source

  D. Reload from a previous backup

  E. Reload from known good media

  Correct Answer: E

  If a rootkit is discovered, you will need to reload from known good media. This typically means performing a complete reinstall.