EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 451:

  An Employee wants to bypass detection by a network-based IDS application and does not want to attack the system containing the IDS application. Which of the following strategies can the employee use to evade detection by the network based IDS application?

  A. Create a ping flood

  B. Create a SYN flood

  C. Create a covert network tunnel

  D. Create multiple false positives

  Correct Answer: C

  HTTP Tunneling is a technique by which communications performed using various network protocols are encapsulated using the HTTP protocol, the network protocols in question usually belonging to the TCP/IP family of protocols. The HTTP protocol therefore acts as a wrapper for a covert channel that the network protocol being tunneled uses to communicate. The HTTP stream with its covert channel is termed a HTTP Tunnel. Very few firewalls blocks outgoing HTTP traffic.

• Question 452:

  Blake is in charge of securing all 20 of his company's servers. He has enabled hardware and software firewalls, hardened the operating systems and disabled all unnecessary service on all the servers. Unfortunately, there is proprietary

  AS400 emulation software that must run on one of the servers that requires the telnet service to function properly. Blake is especially concerned about his since telnet can be a very large security risk in an organization. Blake is concerned

  about how his particular server might look to an outside attacker so he decides to perform some footprinting scanning and penetration tests on the server. Blake telents into the server and types the following command:

  HEAD/HTTP/1.0

  After pressing enter twice, Blake gets the following results:

  What has the Blake just accomplished?

  

  A. Grabbed the banner

  B. Downloaded a file to his local computer

  C. Submitted a remote command to crash the server

  D. Poisoned the local DNS cache of the server

  Correct Answer: A

• Question 453:

  What is the advantage in encrypting the communication between the agent and the monitor in an Intrusion Detection System?

  A. Encryption of agent communications will conceal the presence of the agents

  B. The monitor will know if counterfeit messages are being generated because they will not be encrypted

  C. Alerts are sent to the monitor when a potential intrusion is detected

  D. An intruder could intercept and delete data or alerts and the intrusion can go undetected

  Correct Answer: B

• Question 454:

  What is the purpose of firewalking?

  A. It's a technique used to discover Wireless network on foot

  B. It's a technique used to map routers on a network link

  C. It's a technique used to discover interface in promiscuous mode

  D. It's a technique used to discover what rules are configured on a gateway

  Correct Answer: D

  Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map `open' or `pass through' ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.

• Question 455:

  An Evil Cracker is attempting to penetrate your private network security. To do this, he must not be seen by your IDS, as it may take action to stop him. What tool might he use to bypass the IDS? Select the best answer.

  A. Firewalk

  B. Manhunt

  C. Fragrouter

  D. Fragids

  Correct Answer: C

  Firewalking is a way to disguise a portscan. Thus, firewalking is not a tool, but a method of conducting a port scan in which it can be hidden from some firewalls.

  Synamtec Man-Hunt is an IDS, not a tool to evade an IDS.

  Fragrouter is a tool that can take IP traffic and fragment it into multiple pieces. There is a legitimate reason that fragmentation is done, but it is also a technique that can help an attacker to evade detection while Fragids is a made-up tool and

  does not exist.

• Question 456:

  There are two types of honeypots- high and low interaction. Which of these describes a low interaction honeypot? Select the best answers.

  A. Emulators of vulnerable programs

  B. More likely to be penetrated

  C. Easier to deploy and maintain

  D. Tend to be used for production

  E. More detectable

  F. Tend to be used for research

  Correct Answer: ACDE

  A low interaction honeypot would have emulators of vulnerable programs, not the real programs. A high interaction honeypot is more likely to be penetrated as it is running the real program and is more vulnerable than an emulator.

  Low interaction honeypots are easier to deploy and maintain. Usually you would just use a program that is already available for download and install it. Hackers don't usually crash or destroy these types of programs and it would require little

  maintenance. A low interaction honeypot tends to be used for production. Low interaction honeypots are more detectable because you are using emulators of the real programs. Many hackers will see this and realize that they are in a

  honeypot. A low interaction honeypot tends to be used for production. A high interaction honeypot tends to be used for research.

• Question 457:

  Exhibit: Given the following extract from the snort log on a honeypot, what service is being exploited? :

  

  A. FTP

  B. SSH

  C. Telnet

  D. SMTP

  Correct Answer: A

  The connection is done to 172.16.1.104:21.

• Question 458:

  Exhibit:

  

  Given the following extract from the snort log on a honeypot, what do you infer from the attack?

  A. A new port was opened

  B. A new user id was created

  C. The exploit was successful

  D. The exploit was not successful

  Correct Answer: D

  The attacker submits a PASS to the honeypot and receives a login incorrect before disconnecting.

• Question 459:

  Which of the following countermeasure can specifically protect against both the MAC Flood and MAC Spoofing attacks?

  A. Port Security

  B. Switch Mapping

  C. Port Reconfiguring

  D. Multiple Recognition

  Correct Answer: A

  With Port Security the switch will keep track of which ports are allowed to send traffic on a port.

• Question 460:

  A program that defends against a port scanner will attempt to:

  A. Sends back bogus data to the port scanner

  B. Log a violation and recommend use of security-auditing tools

  C. Limit access by the scanning system to publicly available ports only

  D. Update a firewall rule in real time to prevent the port scan from being completed

  Correct Answer: D