EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 481:

  If you come across a sheepdip machine at your client's site, what should you do?

  A. A sheepdip computer is used only for virus-checking.

  B. A sheepdip computer is another name for a honeypot

  C. A sheepdip coordinates several honeypots.

  D. A sheepdip computers defers a denial of service attack.

  Correct Answer: A

  Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.

• Question 482:

  What is a sheepdip?

  A. It is another name for Honeynet

  B. It is a machine used to coordinate honeynets

  C. It is the process of checking physical media for virus before they are used in a computer

  D. None of the above

  Correct Answer: C

  Also known as a footbath, a sheepdip is the process of checking physical media, such as floppy disks or CD-ROMs, for viruses before they are used in a computer. Typically, a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers, meaning it is not connected to the network. Most sheepdips use at least two different antivirus programs in order to increase effectiveness.

• Question 483:

  All the web servers in the DMZ respond to ACK scan on port 80. Why is this happening ?

  A. They are all Windows based webserver

  B. They are all Unix based webserver

  C. The company is not using IDS

  D. The company is not using a stateful firewall

  Correct Answer: D

  If they used a stateful inspection firewall this firewall would know if there has been a SYN-ACK before the ACK.

• Question 484:

  While examining a log report you find out that an intrusion has been attempted by a machine whose IP address is displayed as 0xde.0xad.0xbe.0xef. It looks to you like a hexadecimal number. You perform a ping 0xde.0xad.0xbe.0xef. Which of the following IP addresses will respond to the ping and hence will likely be responsible for the the intrusion ?

  A. 192.10.25.9

  B. 10.0.3.4

  C. 203.20.4.5

  D. 222.273.290.239

  E. 222.173.290.239

  Correct Answer: E

  Convert the hex number to binary and then to decimal.

  0xde.0xad.0xbe.0xef translates to 222.173.190.239 and not 222.273.290.239

  0xef =

  15*1 = 15

  14*16 = 224

  = 239

  0xbe =

  14*1 = 14

  11*16 = 176

  = 190

  0xad =

  13*1 = 13

  10*16 = 160

  = 173

  0xde =

  14*1 = 14

  13*16 = 208

  = 222

• Question 485:

  You are doing IP spoofing while you scan your target. You find that the target has port 23 open.Anyway you are unable to connect. Why?

  A. A firewall is blocking port 23

  B. You cannot spoof + TCP

  C. You need an automated telnet tool

  D. The OS does not reply to telnet even if port 23 is open

  Correct Answer: A

  The question is not telling you what state the port is being reported by the scanning utility, if the program used to conduct this is nmap, nmap will show you one of three states "open", "closed", or "filtered" a port can be in an "open" state yet filtered, usually by a stateful packet inspection filter (ie. Netfilter for linux, ipfilter for bsd). C and D to make any sense for this question, their bogus, and B, "You cannot spoof + TCP", well you can spoof + TCP, so we strike that out.

• Question 486:

  Statistics from cert.org and other leading security organizations has clearly showed a steady rise in the number of hacking incidents perpetrated against companies. What do you think is the main reason behind the significant increase in hacking attempts over the past years?

  A. It is getting more challenging and harder to hack for non technical people.

  B. There is a phenomenal increase in processing power.

  C. New TCP/IP stack features are constantly being added.

  D. The ease with which hacker tools are available on the Internet.

  Correct Answer: D

  Today you don't need to be a good hacker in order to break in to various systems, all you need is the knowledge to use search engines on the internet.

• Question 487:

  When referring to the Domain Name Service, what is denoted by a `zone'?

  A. It is the first domain that belongs to a company.

  B. It is a collection of resource records.

  C. It is the first resource record type in the SOA.

  D. It is a collection of domains.

  Correct Answer: B

  A reasonable definition of a zone would be a portion of the DNS namespace where responsibility has been delegated.

• Question 488:

  The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. From the options given below choose the one best interprets the following

  entry:

  Apr 26 06:43:05 [6282] IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

  (Note: The objective of this question is to test whether the student can read basic information from log entries and interpret the nature of attack.)

  

  Interpret the following entry:

  Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107.53

  A. An IDS evasion technique

  B. A buffer overflow attempt

  C. A DNS zone transfer

  D. Data being retrieved from 63.226.81.13.

  Correct Answer: B

  The IDS log file is depicting numerous attacks, however, most of them are from different attackers, in reference to the attack in question, he is trying to mask his activity by trying to act legitimate, during his session on the honeypot, he changes users two times by using the "su" command, but never triess to attempt anything to severe.

• Question 489:

  Snort is an open source Intrusion Detection system. However, it can also be used for a few other purposes as well. Which of the choices below indicate the other features offered by Snort?

  A. IDS, Packet Logger, Sniffer

  B. IDS, Firewall, Sniffer

  C. IDS, Sniffer, Proxy

  D. IDS, Sniffer, content inspector

  Correct Answer: A

  Snort is a free software network intrusion detection and prevention system capable of performing packet logging and real-time traffic analysis, on IP networks. Snort was written by Martin Roesch but is now owned and developed by Sourcefire

• Question 490:

  Bill has successfully executed a buffer overflow against a Windows IIS web server. He has been able to spawn an interactive shell and plans to deface the main web page. He first attempts to use the "Echo" command to simply overwrite index.html and remains unsuccessful. He then attempts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page again in vain.

  What is the probable cause of Bill's problem?

  A. The system is a honeypot.

  B. There is a problem with the shell and he needs to run the attack again.

  C. You cannot use a buffer overflow to deface a web page.

  D. The HTML file has permissions of ready only.

  Correct Answer: D

  The question states that Bill had been able to spawn an interactive shell. By this statement we can tell that the buffer overflow and its corresponding code was enough to spawn a shell. Any shell should make it possible to change the webpage. So we either don't have sufficient privilege to change the webpage (answer D) or it's a honeypot (answer A). We think the preferred answer is D