EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 431:

  Ron has configured his network to provide strong perimeter security. As part of his network architecture, he has included a host that is fully exposed to attack. The system is on the public side of the demilitarized zone, unprotected by a firewall or filtering router. What would you call such a host?

  A. Honeypot

  B. DMZ host

  C. DWZ host

  D. Bastion Host

  Correct Answer: D

  A bastion host is a gateway between an inside network and an outside network. Used as a security measure, the bastion host is designed to defend against attacks aimed at the inside network. Depending on a network's complexity and configuration, a single bastion host may stand guard by itself, or be part of a larger security system with different layers of protection.

• Question 432:

  What is Cygwin?

  A. Cygwin is a free C++ compiler that runs on Windows

  B. Cygwin is a free Unix subsystem that runs on top of Windows

  C. Cygwin is a free Windows subsystem that runs on top of Linux

  D. Cygwin is a X Windows GUI subsytem that runs on top of Linux GNOME environment

  Correct Answer: B

  Cygwin is a Linux-like environment for Windows. It consists of two parts:

  A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality. A collection of tools which provide Linux look and feel. The Cygwin DLL works with all non-beta, non "release candidate", ix86 32 bit

  versions of Windows since Windows 95, with the exception of Windows CE.

• Question 433:

  Rebecca is a security analyst and knows of a local root exploit that has the ability to enable local users to use available exploits to gain root privileges. This vulnerability exploits a condition in the Linux kernel within the execve() system call. There is no known workaround that exists for this vulnerability. What is the correct action to be taken by Rebecca in this situation as a recommendation to management?

  A. Rebecca should make a recommendation to disable the () system call

  B. Rebecca should make a recommendation to upgrade the Linux kernel promptly

  C. Rebecca should make a recommendation to set all child-process to sleep within the execve()

  D. Rebecca should make a recommendation to hire more system administrators to monitor all child processes to ensure that each child process can't elevate privilege

  Correct Answer: B

• Question 434:

  After studying the following log entries, how many user IDs can you identify that the attacker has tampered with?

  1.

  mkdir -p /etc/X11/applnk/Internet/.etc

  2.

  mkdir -p /etc/X11/applnk/Internet/.etcpasswd

  3.

  touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd

  4.

  touch -acmr /etc /etc/X11/applnk/Internet/.etc

  5.

  passwd nobody -d

  6.

  /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash

  7.

  passwd dns -d

  8.

  touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd

  9.

  touch -acmr /etc/X11/applnk/Internet/.etc /etc

  A. IUSR_

  B. acmr, dns

  C. nobody, dns

  D. nobody, IUSR_

  Correct Answer: C

  Passwd is the command used to modify a user password and it has been used together with the usernames nobody and dns.

• Question 435:

  Which of the following snort rules look for FTP root login attempts?

  A. alert tcp -> any port 21 (msg:"user root";)

  B. alert tcp -> any port 21 (message:"user root";)

  C. alert ftp -> ftp (content:"user password root";)

  D. alert tcp any any -> any any 21 (content:"user root";)

  Correct Answer: D

  The snort rule header is built by defining action (alert), protocol (tcp), from IP subnet port (any any), to IP subnet port (any any 21), Payload Detection Rule Options (content:"user root";)

• Question 436:

  John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the logfiles to investigate the attack.

  Take a look at the following Linux logfile snippet. The hacker compromised and "owned" a Linux machine. What is the hacker trying to accomplish here?

  [root@apollo /]# rm rootkit.c [root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm - rf /root/ .bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd 359 ? 00:00:00 inetd rm: cannot remove `/tmp/h': No such file or directory rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory [root@apollo /]# ps -aux | grep portmap [root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/ .bash_history ; rm - rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd rm: cannot remove `/sbin/portmap': No such file or directory rm: cannot remove `/tmp/h': No such file or directory >rm: cannot remove `/usr/sbin/rpc.portmap': No such file or directory [root@apollo /]# rm: cannot remove `/sbin/portmap': No such file or directory

  A. The hacker is planting a rootkit

  B. The hacker is trying to cover his tracks

  C. The hacker is running a buffer overflow exploit to lock down the system

  D. The hacker is attempting to compromise more machines on the network

  Correct Answer: B

  By deleting temporary directories and emptying like bash_history that contains the last commands used with the bash shell he is trying to cover his tracks.

• Question 437:

  John is discussing security with Jane. Jane had mentioned to John earlier that she suspects an LKM has been installed on her server. She believes this is the reason that the server has been acting erratically lately. LKM stands for Loadable Kernel Module.

  What does this mean in the context of Linux Security?

  A. Loadable Kernel Modules are a mechanism for adding functionality to a file system without requiring a kernel recompilation.

  B. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel after it has been recompiled and the system rebooted.

  C. Loadable Kernel Modules are a mechanism for adding auditing to an operating-system kernel without requiring a kernel recompilation.

  D. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation.

  Correct Answer: D

  Loadable Kernel Modules, or LKM, are object files that contain code to extend the running kernel, or so-called base kernel, without the need of a kernel recompilation. Operating systems other than Linux, such as BSD systems, also provide support for LKM's. However, the Linux kernel generally makes far greater and more versatile use of LKM's than other systems. LKM's are typically used to add support for new hardware, filesystems or for adding system calls. When the functionality provided by an LKM is no longer required, it can be unloaded, freeing memory.

• Question 438:

  Rebecca has noted multiple entries in her logs about users attempting to connect on ports that are either not opened or ports that are not for public usage. How can she restrict this type of abuse by limiting access to only specific IP addresses that are trusted by using one of the built-in Linux Operating System tools?

  A. Ensure all files have at least a 755 or more restrictive permissions.

  B. Configure rules using ipchains.

  C. Configure and enable portsentry on his server.

  D. Install an intrusion detection system on her computer such as Snort.

  Correct Answer: B

  ipchains is a free software based firewall for Linux. It is a rewrite of Linux's previous IPv4 firewalling code, ipfwadm. In Linux 2.2, ipchains is required to administer the IP packet filters. ipchains was written because the older IPv4 firewall code used in Linux 2.0 did not work with IP fragments and didn't allow for specification of protocols other than TCP, UDP, and ICMP.

• Question 439:

  Several of your co-workers are having a discussion over the etc/passwd file. They are at odds over what types of encryption are used to secure Linux passwords. (Choose all that apply.

  A. Linux passwords can be encrypted with MD5

  B. Linux passwords can be encrypted with SHA

  C. Linux passwords can be encrypted with DES

  D. Linux passwords can be encrypted with Blowfish

  E. Linux passwords are encrypted with asymmetric algrothims

  Correct Answer: ACD

  Linux passwords are enrcypted using MD5, DES, and the NEW addition Blowfish. The default on most linux systems is dependant on the distribution, RedHat uses MD5, while slackware uses DES. The blowfish option is there for those who wish to use it. The encryption algorithm in use can be determined by authconfig on RedHat-based systems, or by reviewing one of two locations, on PAM- based systems (Pluggable Authentication Module) it can be found in /etc/pam.d/, the system-auth file or authconfig files. In other systems it can be found in /etc/security/ directory.

• Question 440:

  WinDump is a popular sniffer which results from the porting to Windows of TcpDump for Linux. What library does it use ?

  A. LibPcap

  B. WinPcap

  C. Wincap

  D. None of the above

  Correct Answer: B

  WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.