EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 441:

  Jim's organization has just completed a major Linux roll out and now all of the organization's systems are running the Linux 2.5 kernel. The roll out expenses has posed constraints on purchasing other essential security equipment and software. The organization requires an option to control network traffic and also perform stateful inspection of traffic going into and out of the DMZ.

  Which built-in functionality of Linux can achieve this?

  A. IP Tables

  B. IP Chains

  C. IP Sniffer

  D. IP ICMP

  Correct Answer: A

  iptables is a user space application program that allows a system administrator to configure the netfilter tables, chains, and rules (described above). Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /sbin/ iptables. IP Tables performs stateful inspection while the older IP Chains only performs stateless inspection.

• Question 442:

  You have just installed a new Linux file server at your office. This server is going to be used by several individuals in the organization, and unauthorized personnel must not be able to modify any data.

  What kind of program can you use to track changes to files on the server?

  A. Network Based IDS (NIDS)

  B. Personal Firewall

  C. System Integrity Verifier (SIV)

  D. Linux IP Chains

  Correct Answer: C

  System Integrity Verifiers like Tripwire aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.

• Question 443:

  What is the expected result of the following exploit?

  

  A. Opens up a telnet listener that requires no username or password.

  B. Create a FTP server with write permissions enabled.

  C. Creates a share called "sasfile" on the target system.

  D. Creates an account with a user name of Anonymous and a password of [email protected].

  Correct Answer: A

  The script being depicted is in perl (both msadc.pl and the script their using as a wrapper) -- $port, $your, $user, $pass, $host are variables that hold the port # of a DNS server, an IP, username, and FTP password. $host is set to argument variable 0 (which means the string typed directly after the command). Essentially what happens is it connects to an FTP server and downloads nc.exe (the TCP/IP swiss-army knife -- netcat) and uses nc to open a TCP port spawning cmd.exe (cmd.exe is the Win32 DOS shell on NT/2000/2003/XP), cmd.exe when spawned requires NO username or password and has the permissions of the username it is being executed as (probably guest in this instance, although it could be administrator). The #'s in the script means the text following is a comment, notice the last line in particular, if the # was removed the script would spawn a connection to itself, the host system it was running on.

• Question 444:

  Joe the Hacker breaks into company's Linux system and plants a wiretap program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a Trojan horse in one of the network utilities. Joe is worried that network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode.

  Running "ifconfig a" will produce the following:

  # ifconfig a

  1o0: flags=848 mtu 8232 inet 127.0.0.1 netmask ff000000hme0: flags=863 mtu inet 192.0.2.99 netmask ffffff00 broadcast 134.5.2.255 ether 8:0:20:9c:a2:35

  What can Joe do to hide the wiretap program from being detected by ifconfig command?

  A. Block output to the console whenever the user runs ifconfig command by running screen capture utiliyu

  B. Run the wiretap program in stealth mode from being detected by the ifconfig command.

  C. Replace original ifconfig utility with the rootkit version of ifconfig hiding Promiscuous information being displayed on the console.

  D. You cannot disable Promiscuous mode detection on Linux systems.

  Correct Answer: C

  The normal way to hide these rogue programs running on systems is the use crafted commands like ifconfig and ls.

• Question 445:

  Windump is the windows port of the famous TCPDump packet sniffer available on a variety of platforms. In order to use this tool on the Windows platform you must install a packet capture library. What is the name of this library?

  A. NTPCAP

  B. LibPCAP

  C. WinPCAP

  D. PCAP

  Correct Answer: C

  WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

• Question 446:

  John runs a Web Server, IDS and firewall on his network. Recently his Web Server has been under constant hacking attacks. He looks up the IDS log files and sees no Intrusion attempts but the web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks but still the IDS alerts no intrusion whatsoever.

  John become suspicious and views he firewall logs and he notices huge SSL connections constantly hitting web server.

  Hackers have been using the encrypted HTTPS protocol to send exploits to the web server and that was the reason the IDS did not detect the intrusions. How would Jon protect his network form these types of attacks?

  A. Install a proxy server and terminate SSL at the proxy

  B. Install a hardware SSL "accelerator" and terminate SSL at this layer

  C. Enable the IDS to filter encrypted HTTPS traffic

  D. Enable the firewall to filter encrypted HTTPS traffic

  Correct Answer: AB

  By terminating the SSL connection at a proxy or a SSL accelerator and then use clear text the distance between the proxy/accelerator and the server, you make it possible for the IDS to scan the traffic.

• Question 447:

  This IDS defeating technique works by splitting a datagram (or packet) into multiple fragments and the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processor-intensive tasks for an IDS to reassemble all fragments itself and on a busy system the packet will slip through the IDS onto the network.

  What is this technique called?

  A. IP Fragmentation or Session Splicing

  B. IP Routing or Packet Dropping

  C. IDS Spoofing or Session Assembly

  D. IP Splicing or Packet Reassembly

  Correct Answer: A

  The basic premise behind session splicing, or IP Fragmentation, is to deliver the payload over multiple packets thus defeating simple pattern matching without session reconstruction. This payload can be delivered in many different manners and even spread out over a long period of time. Currently, Whisker and Nessus have session splicing capabilities, and other tools exist in the wild.

• Question 448:

  Bob has set up three web servers on Windows Server 2003 IIS 6.0. Bob has followed all the recommendations for securing the operating system and IIS. These servers are going to run numerous e-commerce websites that are projected to bring in thousands of dollars a day. Bob is still concerned about the security of this server because of the potential for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traffic on ports 80 and 443 to ensure that no malicious data is getting into the network.

  Why will this not be possible?

  A. Firewalls can't inspect traffic coming through port 443

  B. Firewalls can only inspect outbound traffic

  C. Firewalls can't inspect traffic coming through port 80

  D. Firewalls can't inspect traffic at all, they can only block or allow certain ports

  Correct Answer: D

  In order to really inspect traffic and traffic patterns you need an IDS.

• Question 449:

  Angela is trying to access an education website that requires a username and password to login. When Angela clicks on the link to access the login page, she gets an error message stating that the page can't be reached. She contacts the website's support team and they report that no one else is having any issues with the site. After handing the issue over to her company's IT department, it is found that the education website requires any computer accessing the site must be able to respond to a ping from the education's server. Since Angela's computer is behind a corporate firewall, her computer can't ping the education website back.

  What ca Angela's IT department do to get access to the education website?

  A. Change the IP on Angela's Computer to an address outside the firewall

  B. Change the settings on the firewall to allow all incoming traffic on port 80

  C. Change the settings on the firewall all outbound traffic on port 80

  D. Use a Internet browser other than the one that Angela is currently using

  Correct Answer: A

  Allowing traffic to and from port 80 will not help as this will be UDP or TCP traffic and ping uses ICMP. The browser used by the user will not make any difference. The only alternative here that would solve the problem is to move the computer to outside the firewall.

• Question 450:

  SSL has been as the solution to a lot of common security problems. Administrator will often time make use of SSL to encrypt communications from points A to Point B. Why do you think this could be a bad idea if there is an Intrusion Detection System deployed to monitor the traffic between Point A to Point B?

  A. SSL is redundant if you already have IDS's in place

  B. SSL will trigger rules at regular interval and force the administrator to turn them off

  C. SSL will make the content of the packet and Intrusion Detection System are blinded

  D. SSL will slow down the IDS while it is breaking the encryption to see the packet content

  Correct Answer: C

  An IDS will not be able to evaluate the content in the packets if it is encrypted.