EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 231:

  In the context of Trojans, what is the definition of a Wrapper?

  A. An encryption tool to protect the Trojan.

  B. A tool used to bind the Trojan with legitimate file.

  C. A tool used to encapsulated packets within a new header and footer.

  D. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan.

  Correct Answer: B

  These wrappers allow an attacker to take any executable back-door program and combine it with any legitimate executable, creating a Trojan horse without writing a single line of new code.

• Question 232:

  You want to use netcat to generate huge amount of useless network data continuously for various performance testing between 2 hosts. Which of the following commands accomplish this?

  A. Machine A#yes AAAAAAAAAAAAAAAAAAAAAA | nc v v l p 2222 > /dev/nullMachine B#yes BBBBBBBBBBBBBBBBBBBBBB | nc machinea 2222 > /dev/null

  B. Machine Acat somefile | nc v v l p 2222Machine Bcat somefile | nc othermachine 2222

  C. Machine Anc l p 1234 | uncompress c | tar xvfpMachine Btar cfp - /some/dir | compress c | nc w 3 machinea 1234

  D. Machine Awhile true : donc v l s p 6000 machineb 2Machine Bwhile true ; donc v l s p 6000 machinea 2done

  Correct Answer: A

  Machine A is setting up a listener on port 2222 using the nc command and then having the letter A sent an infinite amount of times, when yes is used to send data yes NEVER stops until it recieves a break signal from the terminal (Control+C), on the client end (machine B), nc is being used as a client to connect to machine A, sending the letter B and infinite amount of times, while both clients have established a TCP connection each client is infinitely sending data to each other, this process will run FOREVER until it has been stopped by an administrator or the attacker.

• Question 233:

  What is a Trojan Horse?

  A. A malicious program that captures your username and password

  B. Malicious code masquerading as or replacing legitimate code

  C. An unauthorized user who gains access to your user database and adds themselves as a user

  D. A server that is to be sacrificed to all hacking attempts in order to log and monitor the hacking activity

  Correct Answer: B

  A Trojan Horse is an apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

• Question 234:

  Assuring two systems that are using IPSec to protect traffic over the internet, what type of general attack could compromise the data?

  A. Spoof Attack

  B. Smurf Attack

  C. Man in the Middle Attack

  D. Trojan Horse Attack

  E. Back Orifice Attack

  Correct Answer: DE

  To compromise the data, the attack would need to be executed before the encryption takes place at either end of the tunnel. Trojan Horse and Back Orifice attacks both allow for potential data manipulation on host computers. In both cases, the data would be compromised either before encryption or after decryption, so IPsec is not preventing the attack.

• Question 235:

  Bob is conducting a password assessment for one of his clients. Bob suspects that password policies are not in place and weak passwords are probably the norm throughout the company he is evaluating. Bob is familiar with password weakness and key loggers. What are the means that Bob can use to get password from his client hosts and servers?

  A. Hardware, Software and Sniffing

  B. Hardware and Software Keyloggers

  C. Software only, they are the most effective

  D. Passwords are always best obtained using Hardware key loggers

  Correct Answer: A

  All loggers will work as long as he has physical access to the computers.

• Question 236:

  Steven is a senior security analyst for a state agency in Tulsa, Oklahoma. His agency is currently undergoing a mandated security audit by an outside consulting firm. The consulting firm is halfway through the audit and is preparing to perform the actual penetration testing against the agency's network. The firm first sets up a sniffer on the agency's wired network to capture a reasonable amount of traffic to analyze later. This takes approximately 2 hours to obtain 10 GB of data. The consulting firm then sets up a sniffer on the agency's wireless network to capture the same amount of traffic. This capture only takes about 30 minutes to get 10 GB of data.

  Why did capturing of traffic take much less time on the wireless network?

  A. Because wireless access points act like hubs on a network

  B. Because all traffic is clear text, even when encrypted

  C. Because wireless traffic uses only UDP which is easier to sniff

  D. Because wireless networks can't enable encryption

  Correct Answer: A

  You can not have directed radio transfers over a WLAN. Every packet will be broadcasted as far as possible with no concerns about who might hear it.

• Question 237:

  Windump is a Windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows Platform you must install a packet capture library. What is the name of this library?

  A. PCAP

  B. NTPCAP

  C. LibPCAP

  D. WinPCAP

  Correct Answer: D

  WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

• Question 238:

  What does the following command in "Ettercap" do? ettercap NCLzs quiet

  A. This command will provide you the entire list of hosts in the LAN

  B. This command will check if someone is poisoning you and will report its IP

  C. This command will detach ettercap from console and log all the sniffed passwords to a file

  D. This command broadcasts ping to scan the LAN instead of ARP request all the subset IPs

  Correct Answer: C

  -L specifies that logging will be done to a binary file and s tells us it is running in script mode.

• Question 239:

  The network administrator at Spears Technology, Inc has configured the default gateway Cisco Router's access-list as below:

  

  You are tried to conduct security testing on their network. You successfully brute-force for SNMP community string using a SNMP crack tool. The access-list configured at the router prevents you from establishing a successful connection. You want to retrieve the Cisco Configuration from the router. How would you proceed?

  A. Send a customized SNMP set request with spoofed source IP Address in the range- 192.168.1.0

  B. Run a network sniffer and capture the returned traffic with the configuration file from the router

  C. Run Generic Routing Encapsulation (GRE) tunneling protocol from your computer to the router masking your IP address

  D. Use the Cisco's TFTP default password to connect and download the configuration file

  Correct Answer: AB

  SNMP is allowed only by access-list 1. Therefore you need to spoof a 192.168.1.0/24 address and then sniff the reply from the gateway.

• Question 240:

  How do you defend against ARP spoofing?

  A. Place static ARP entries on servers, workstation and routers

  B. True IDS Sensors to look for large amount of ARP traffic on local subnets

  C. Use private VLANS

  D. Use ARPWALL system and block ARP spoofing attacks

  Correct Answer: ABC

  ARPWALL is a opensource tools will give early warning when arp attack occurs. This tool is still under construction.