EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 261:

  Exhibit:

  ettercap NCLzs --quiet

  What does the command in the exhibit do in "Ettercap"?

  A. This command will provide you the entire list of hosts in the LAN

  B. This command will check if someone is poisoning you and will report its IP.

  C. This command will detach from console and log all the collected passwords from the network to a file.

  D. This command broadcasts ping to scan the LAN instead of ARP request of all the subnet IPs.

  Correct Answer: C

  -N = NON interactive mode (without ncurses)

  -C = collect all users and passwords

  -L = if used with -C (collector) it creates a file with all the password sniffed in the session in the form "YYYYMMDD-collected-pass.log" -z = start in silent mode (no arp storm on start up)

  -s = IP BASED sniffing

  --quiet = "demonize" ettercap. Useful if you want to log all data in background.

• Question 262:

  Steven, a security analyst for XYZ associates, is analyzing packets captured by Ethereal on a Linux Server inside his network when the server starts to slow down tremendously. Steven examines the following Ethereal captures: A. Smurf Attack

  

  B. ARP Spoofing

  C. Ping of Death

  D. SYN Flood

  Correct Answer: A

  A perpetrator is sending a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding.

• Question 263:

  Smurf is a simple attack based on IP spoofing and broadcasts. A single packet (such as an ICMP Echo Request) is sent as a directed broadcast to a subnet on the Internet. All the machines on that subnet respond to this broadcast. By

  spoofing the source IP Address of the packet, all the responses will get sent to the spoofed IP Address. Thus, a hacker can often flood a victim with hundreds of responses for every request the hacker sends out.

  Who are the primary victims of these attacks on the Internet today?

  A. IRC servers are the primary victim to smurf attacks

  B. IDS devices are the primary victim to smurf attacks

  C. Mail Servers are the primary victim to smurf attacks

  D. SPAM filters are the primary victim to surf attacks

  Correct Answer: A

  IRC servers are the primary victim to smurf attacks. Script-kiddies run programs that scan the Internet looking for "amplifiers" (i.e. subnets that will respond). They compile lists of these amplifiers and exchange them with their friends. Thus, when a victim is flooded with responses, they will appear to come from all over the Internet. On IRCs, hackers will use bots (automated programs) that connect to IRC servers and collect IP addresses. The bots then send the forged packets to the amplifiers to inundate the victim.

• Question 264:

  Bryce the bad boy is purposely sending fragmented ICMP packets to a remote target. The tool size of this ICMP packet once reconstructed is over 65,536 bytes. From the information given, what type of attack is Bryce attempting to perform?

  A. Smurf

  B. Fraggle

  C. SYN Flood

  D. Ping of Death

  Correct Answer: D

  A ping of death (abbreviated "POD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 64 bytes in size (or 84 bytes when IP header is considered); many computer systems cannot handle a ping larger than the maximum IP packet size, which is 65,535 bytes. Sending a ping of this size can crash the target computer. Traditionally, this bug has been relatively easy to exploit. Generally, sending a 65,536 byte ping packet is illegal according to networking protocol, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.

• Question 265:

  Hackers usually control Bots through:

  A. IRC Channel

  B. MSN Messenger

  C. Trojan Client Software

  D. Yahoo Chat

  E. GoogleTalk

  Correct Answer: A

  Most of the bots out today has a function to connect to a predetermined IRC channel in order to get orders.

• Question 266:

  The SYN Flood attack sends TCP connections requests faster than a machine can process them.

  Attacker creates a random source address for each packet. SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP Address Victim responds to spoofed IP Address then waits for confirmation that never arrives (timeout wait is about 3 minutes) Victim's connection table fills up waiting for replies and ignores new connection legitimate users are ignored and will not be able to access the server

  How do you protect your network against SYN Flood attacks?

  A. SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the clients IP Address port number and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus the server first allocates memory on the third packet of the handshake, not the first.

  B. RST cookies The server sends a wrong SYN|ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally.

  C. Micro Blocks. Instead of allocating a complete connection, simply allocate a micro-record of 16- bytes for the incoming SYN object.

  D. Stack Tweaking. TCP can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection.

  Correct Answer: ABCD

  All above helps protecting against SYN flood attacks. Most TCP/IP stacks today are already tweaked to make it harder to perform a SYN flood DOS attack against a target.

• Question 267:

  Peter has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the External Gateway interface. Further inspection reveals they are not responses from internal hosts request but simply responses coming from the Internet. What could be the likely cause of this?

  A. Someone Spoofed Peter's IP Address while doing a land attack

  B. Someone Spoofed Peter's IP Address while doing a DoS attack

  C. Someone Spoofed Peter's IP Address while doing a smurf Attack

  D. Someone Spoofed Peter's IP address while doing a fraggle attack

  Correct Answer: C

  An attacker sends forged ICMP echo packets to broadcast addresses of vulnerable networks with forged source address pointing to the target (victim) of the attack. All the systems on these networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target.

• Question 268:

  Peter is a Network Admin. He is concerned that his network is vulnerable to a smurf attack. What should Peter do to prevent a smurf attack? Select the best answer.

  A. He should disable unicast on all routers

  B. Disable multicast on the router

  C. Turn off fragmentation on his router

  D. Make sure all anti-virus protection is updated on all systems

  E. Make sure his router won't take a directed broadcast

  Correct Answer: E

  Unicasts are one-to-one IP transmissions, by disabling this he would disable most network transmissions but still not prevent the smurf attack. Turning of multicast or fragmentation on the router has nothing to do with Peter's concerns as a smurf attack uses broadcast, not multicast and has nothing to do with fragmentation. Anti-virus protection will not help prevent a smurf attack. A smurf attack is a broadcast from a spoofed source. If directed broadcasts are enabled on the destination all the computers at the destination will respond to the spoofed source, which is really the victim. Disabling directed broadcasts on a router can prevent the attack.

• Question 269:

  Eve decides to get her hands dirty and tries out a Denial of Service attack that is relatively new to her. This time she envisages using a different kind of method to attack Brownies Inc. Eve tries to forge the packets and uses the broadcast address. She launches an attack similar to that of fraggle. What is the technique that Eve used in the case above?

  A. Smurf

  B. Bubonic

  C. SYN Flood

  D. Ping of Death

  Correct Answer: A

  A fraggle attack is a variation of the smurf attack for denial of service in which the attacker sends spoofed UDP packets instead of ICMP echo reply (ping) packets to the broadcast address of a large network.

• Question 270:

  Henry is an attacker and wants to gain control of a system and use it to flood a target system with requests, so as to prevent legitimate users from gaining access. What type of attack is Henry using?

  A. Henry is executing commands or viewing data outside the intended target path

  B. Henry is using a denial of service attack which is a valid threat used by an attacker

  C. Henry is taking advantage of an incorrect configuration that leads to access with higher-than- expected privilege

  D. Henry uses poorly designed input validation routines to create or alter commands to gain access to unintended data or execute commands

  Correct Answer: B

  Henry's intention is to perform a DoS attack against his target, possibly a DDoS attack. He uses systems other than his own to perform the attack in order to cover the tracks back to him and to get more "punch" in the DoS attack if he uses multiple systems.