EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 221:

  A file integrity program such as Tripwire protects against Trojan horse attacks by:

  A. Automatically deleting Trojan horse programs

  B. Rejecting packets generated by Trojan horse programs

  C. Using programming hooks to inform the kernel of Trojan horse behavior

  D. Helping you catch unexpected changes to a system utility file that might indicate it had been replaced by a Trojan horse

  Correct Answer: D

  Tripwire generates a database of the most common files and directories on your system. Once it is generated, you can then check the current state of your system against the original database and get a report of all the files that have been modified, deleted or added. This comes in handy if you allow other people access to your machine and even if you don't, if someone else does get access, you'll know if they tried to modify files such as /bin/login etc.

• Question 222:

  Sniffing is considered an active attack.

  A. True

  B. False

  Correct Answer: B

  Sniffing is considered a passive attack.

• Question 223:

  Which of the following Netcat commands would be used to perform a UDP scan of the lower 1024 ports?

  A. Netcat -h -U

  B. Netcat -hU

  C. Netcat -sU -p 1-1024

  D. Netcat -u -v -w2 1-1024

  E. Netcat -sS -O target/1024

  Correct Answer: D

  The proper syntax for a UDP scan using Netcat is "Netcat -u -v -w2 1-1024". Netcat is considered the Swiss-army knife of hacking tools because it is so versatile.

• Question 224:

  Exhibit: * Missing*

  Jason's Web server was attacked by a trojan virus. He runs protocol analyzer and notices that the trojan communicates to a remote server on the Internet. Shown below is the standard "hexdump" representation of the network packet, before

  being decoded. Jason wants to identify the trojan by looking at the destination port number and mapping to a trojan-port number database on the Internet. Identify the remote server's port number by decoding the packet?

  A. Port 1890 (Net-Devil Trojan)

  B. Port 1786 (Net-Devil Trojan)

  C. Port 1909 (Net-Devil Trojan)

  D. Port 6667 (Net-Devil Trojan)

  Correct Answer: D

  From trace, 0x1A0B is 6667, IRC Relay Chat, which is one port used. Other ports are in the 900's.

• Question 225:

  John wishes to install a new application onto his Windows 2000 server. He wants to ensure that any application he uses has not been Trojaned. What can he do to help ensure this?

  A. Compare the file's MD5 signature with the one published on the distribution media

  B. Obtain the application via SSL

  C. Compare the file's virus signature with the one published on the distribution media

  D. Obtain the application from a CD-ROM disc

  Correct Answer: A

  MD5 was developed by Professor Ronald L. Rivest of MIT. What it does, to quote the executive summary of rfc1321, is:

  [The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same

  message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being

  encrypted with a private (secret) key under a public-key cryptosystem such as RSA. In essence, MD5 is a way to verify data integrity, and is much more reliable than checksum and many other commonly used methods.

• Question 226:

  In Linux, the three most common commands that hackers usually attempt to Trojan are:

  A. car, xterm, grep

  B. netstat, ps, top

  C. vmware, sed, less

  D. xterm, ps, nc

  Correct Answer: B

  The easiest programs to trojan and the smartest ones to trojan are ones commonly run by administrators and users, in this case netstat, ps, and top, for a complete list of commonly trojaned and rootkited software please reference this URL: http://www.usenix.org/publications/login/1999- 9/features/rootkits.html

• Question 227:

  You suspect that your Windows machine has been compromised with a Trojan virus. When you run anti-virus software it does not pick of the Trojan. Next you run netstat command to look for open ports and you notice a strange port 6666 open.

  What is the next step you would do?

  A. Re-install the operating system.

  B. Re-run anti-virus software.

  C. Install and run Trojan removal software.

  D. Run utility fport and look for the application executable that listens on port 6666.

  Correct Answer: D

  Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications.

• Question 228:

  You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS streaming.

  Which command would you execute to extract the Trojan to a standalone file?

  A. c:\> type readme.txt:virus.exe > virus.exe

  B. c:\> more readme.txt | virus.exe > virus.exe

  C. c:\> cat readme.txt:virus.exe > virus.exe

  D. c:\> list redme.txt$virus.exe > virus.exe

  Correct Answer: C

  cat will concatenate, or write, the alternate data stream to its own file named virus.exe

• Question 229:

  Which of the following statements would not be a proper definition for a Trojan Horse?

  A. An unauthorized program contained within a legitimate program.This unauthorized program performs functions unknown (and probably unwanted) by the user.

  B. A legitimate program that has been altered by the placement of unauthorized code within it; this code perform functions unknown (and probably unwanted) by the user.

  C. An authorized program that has been designed to capture keyboard keystrokes while the user remains unaware of such an activity being performed.

  D. Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.

  Correct Answer: C

  A Trojan is all about running unauthorized code on the users computer without the user knowing of it.

• Question 230:

  After an attacker has successfully compromised a remote computer, what would be one of the last steps that would be taken to ensure that the compromise is not traced back to the source of the problem?

  A. Install pactehs

  B. Setup a backdoor

  C. Cover your tracks

  D. Install a zombie for DDOS

  Correct Answer: C

  As a hacker you don't want to leave any traces that could lead back to you.