EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 241:

  Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the position.

  Harold is currently trying to run a Sniffer on the agency's network to get an idea of what kind of traffic is being passed around but the program he is using does not seem to be capturing anything. He pours through the sniffer's manual but can't find anything that directly relates to his problem. Harold decides to ask the network administrator if the has any thoughts on the problem. Harold is told that the sniffer was not working because the agency's network is a switched network, which can't be sniffed by some programs without some tweaking.

  What technique could Harold use to sniff agency's switched network?

  A. ARP spoof the default gateway

  B. Conduct MiTM against the switch

  C. Launch smurf attack against the switch

  D. Flood switch with ICMP packets

  Correct Answer: A

  ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN) or stop the traffic altogether (known as a denial of service attack). The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack).

• Question 242:

  Ethernet switches can be adversely affected by rapidly bombarding them with spoofed ARP responses. He port to MAC Address table (CAM Table) overflows on the switch and rather than failing completely, moves into broadcast mode, then the hacker can sniff all of the packets on the network.

  Which of the following tool achieves this?

  A. ./macof

  B. ./sniffof

  C. ./dnsiff

  D. ./switchsnarf

  Correct Answer: A

  macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing).

• Question 243:

  Daryl is a network administrator working for Dayton Technologies. Since Daryl's background is in web application development, many of the programs and applications his company uses are web-based. Daryl sets up a simple forms-based logon screen for all the applications he creates so they are secure.

  The problem Daryl is having is that his users are forgetting their passwords quite often and sometimes he does not have the time to get into his applications and change the passwords for them. Daryl wants a tool or program that can monitor web-based passwords and notify him when a password has been changed so he can use that tool whenever a user calls him and he can give them their password right then.

  What tool would work best for Daryl's needs?

  A. Password sniffer

  B. L0phtcrack

  C. John the Ripper

  D. WinHttrack

  Correct Answer: A

  L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords.

  John the Ripper is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customisable cracker. It can be run against

  various encrypted password formats including several crypt password hash types WinHttrack is a offline browser.

  A password sniffer would give Daryl the passwords when they are changed as it is a web based authentication over a simple form but still it would be more correct to give the users new passwords instead of keeping a copy of the passwords

  in clear text.

• Question 244:

  You are sniffing as unprotected WiFi network located in a JonDonalds Cybercafe with Ethereal to capture hotmail e-mail traffic. You see lots of people using their laptops browsing the web while snipping brewed coffee from JonDonalds. You want to sniff their email message traversing the unprotected WiFi network.

  Which of the following ethereal filters will you configure to display only the packets with the hotmail messages?

  A. (http contains "hotmail") andand ( http contains "Reply-To")

  B. (http contains "e-mail" ) andand (http contains "hotmail")

  C. (http = "login.passport.com" ) andand (http contains "SMTP")

  D. (http = "login.passport.com" ) andand (http contains "POP3")

  Correct Answer: A

  Each Hotmail message contains the tag Reply-To: and "xxxx-xxx- xxx.xxxx.hotmail.com" in the received tag.

• Question 245:

  Exhibit:

  

  You have captured some packets in Ethereal. You want to view only packets sent from 10.0.0.22. What filter will you apply?

  A. ip = 10.0.0.22

  B. ip.src == 10.0.0.22

  C. ip.equals 10.0.0.22

  D. ip.address = 10.0.0.22

  Correct Answer: B

  ip.src tells the filter to only show packets with 10.0.0.22 as the source.

• Question 246:

  How would you describe a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDS's on a network?

  A. Covert Channel

  B. Crafted Channel

  C. Bounce Channel

  D. Deceptive Channel

  Correct Answer: A

  A covert channel is described as: "any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy." Essentially, it is a method of communication that is not part of an actual computer system design, but can be used to transfer information to users or system processes that normally would not be allowed access to the information.

• Question 247:

  ARP poisoning is achieved in _____ steps

  A. 1

  B. 2

  C. 3

  D. 4

  Correct Answer: B

  The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer's MAC address with your IP Address. Now your router thinks the hacker's computer is your computer. Next, the hacker sends a malicious ARP reply to your computer, associating his MAC Address with the routers IP Address. Now your machine thinks the hacker's computer is your router. The hacker has now used ARP poisoning to accomplish a MitM attack.

• Question 248:

  What is the command used to create a binary log file using tcpdump?

  A. tcpdump -r log

  B. tcpdump -w ./log

  C. tcpdump -vde -r log

  D. tcpdump -l /var/log/

  Correct Answer: B

  tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ] -w Write the raw packets to file rather than parsing and printing them out.

• Question 249:

  Which of the following is not considered to be a part of active sniffing?

  A. MAC Flooding

  B. ARP Spoofing

  C. SMAC Fueling

  D. MAC Duplicating

  Correct Answer: C

• Question 250:

  What port number is used by Kerberos protocol?

  A. 44

  B. 88

  C. 419

  D. 487

  Correct Answer: B

  Kerberos traffic uses UDP/TCP protocol source and destination port 88.