EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 491:

  What do you conclude from the nmap results below?

  Staring nmap V. 3.10ALPHA0 (www.insecure.org/map/)

  (The 1592 ports scanned but not shown below are in state: closed)

  PortStateService 21/tcpopenftp 25/tcpopensmtp 80/tcpopenhttp 443/tcpopenhttps

  Remote operating system guess: Too many signatures match the reliability guess the OS. Nmap run completed 1 IP address (1 host up) scanned in 91.66 seconds

  A. The system is a Windows Domain Controller.

  B. The system is not firewalled.

  C. The system is not running Linux or Solaris.

  D. The system is not properly patched.

  Correct Answer: B

  There is no reports of any ports being filtered.

• Question 492:

  Network Intrusion Detection systems can monitor traffic in real time on networks. Which one of the following techniques can be very effective at avoiding proper detection?

  A. Fragmentation of packets.

  B. Use of only TCP based protocols.

  C. Use of only UDP based protocols.

  D. Use of fragmented ICMP traffic only.

  Correct Answer: A

  If the default fragmentation reassembly timeout is set to higher on the client than on the IDS then the it is possible to send an attack in fragments that will never be reassembled in the IDS but they will be reassembled and read on the client computer acting victim.

• Question 493:

  Bob, an Administrator at company was furious when he discovered that his buddy Trent, has launched a session hijack attack against his network, and sniffed on his communication, including administrative tasks suck as configuring routers,

  firewalls, IDS, via Telnet.

  Bob, being an unhappy administrator, seeks your help to assist him in ensuring that attackers such as Trent will not be able to launch a session hijack in company.

  Based on the above scenario, please choose which would be your corrective measurement actions (Choose two)

  A. Use encrypted protocols, like those found in the OpenSSH suite.

  B. Implement FAT32 filesystem for faster indexing and improved performance.

  C. Configure the appropriate spoof rules on gateways (internal and external).

  D. Monitor for CRP caches, by using IDS products.

  Correct Answer: AC

  First you should encrypt the data passed between the parties; in particular the session key. This technique is widely relied-upon by web-based banks and other e- commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. By configuring the appropriate spoof rules you prevent the attacker from using the same IP address as the victim as thus you can implement secondary check to see that the IP does not change in the middle of the session.

• Question 494:

  You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discover the internal structure of publicly accessible areas of the network. How can you achieve this?

  A. Block ICMP at the firewall.

  B. Block UDP at the firewall.

  C. Both A and B.

  D. There is no way to completely block doing a trace route into this area.

  Correct Answer: D

  When you run a traceroute to a target network address, you send a UDP packet with one time to live (TTL) to the target address. The first router this packet hits decreases the TTL to 0 and rejects the packet. Now the TTL for the packet is expired. The router sends back an ICMP message type 11 (Exceeded) code 0 (TTL-- Exceeded) packet to your system with a source address. Your system displays the round-trip time for that first hop and sends out the next UDP packet with a TTL of 2.This process continues until you receive an ICMP message type 3 (Unreachable) code 3 (Port--Unreachable) from the destination system. Traceroute is completed when your machine receives a Port-Unreachable message.If you receive a message with three asterisks [* * *] during the traceroute, a router in the path doesn't return ICMP messages. Traceroute will continue to send UDP packets until the destination is reached or the maximum number of hops is exceeded.

• Question 495:

  While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. What can you infer from this observation?

  A. They are using Windows based web servers.

  B. They are using UNIX based web servers.

  C. They are not using an intrusion detection system.

  D. They are not using a stateful inspection firewall.

  Correct Answer: D

  If they used a stateful inspection firewall this firewall would know if there has been a SYN-ACK before the ACK.

• Question 496:

  The programmers on your team are analyzing the free, open source software being used to run FTP services on a server in your organization. They notice that there is excessive number of functions in the source code that might lead to buffer overflow. These C++ functions do not check bounds. Identify the line the source code that might lead to buffer overflow.

  

  A. Line number 31.

  B. Line number 15

  C. Line number 8

  D. Line number 14

  Correct Answer: B

• Question 497:

  Neil monitors his firewall rules and log files closely on a regular basis. Some of the users have complained to Neil that there are a few employees who are visiting offensive web sites during work hours, without consideration for others. Neil knows that he has an updated content filtering system and that such access should not be authorized.

  What type of technique might be used by these offenders to access the Internet without restriction?

  A. They are using UDP which is always authorized at the firewall.

  B. They are using tunneling software which allows them to communicate with protocols in a way it was not intended.

  C. They have been able to compromise the firewall, modify the rules, and give themselves proper access.

  D. They are using an older version of Internet Explorer that allows them to bypass the proxy server.

  Correct Answer: B

  This can be accomplished by, for example, tunneling the http traffic over SSH if you have a SSH server answering to your connection, you enable dynamic forwarding in the ssh client and configure Internet Explorer to use a SOCKS Proxy for network traffic.

• Question 498:

  Carl has successfully compromised a web server from behind a firewall by exploiting a vulnerability in the web server program. He wants to proceed by installing a backdoor program. However, he is aware that not all inbound ports on the firewall are in the open state.

  From the list given below, identify the port that is most likely to be open and allowed to reach the server that Carl has just compromised.

  A. 53

  B. 110

  C. 25

  D. 69

  Correct Answer: A

  Port 53 is used by DNS and is almost always open, the problem is often that the port is opened for the hole world and not only for outside DNS servers.

• Question 499:

  An employee wants to defeat detection by a network-based IDS application. He does not want to attack the system containing the IDS application. Which of the following strategies can be used to defeat detection by a network-based IDS application? (Choose the best answer)

  A. Create a network tunnel.

  B. Create a multiple false positives.

  C. Create a SYN flood.

  D. Create a ping flood.

  Correct Answer: A

  Certain types of encryption presents challenges to network-based intrusion detection and may leave the IDS blind to certain attacks, where a host-based IDS analyzes the data after it has been decrypted.

• Question 500:

  What makes web application vulnerabilities so aggravating? (Choose two)

  A. They can be launched through an authorized port.

  B. A firewall will not stop them.

  C. They exist only on the Linux platform.

  D. They are detectable by most leading antivirus software.

  Correct Answer: AB

  As the vulnerabilities exists on a web server, incoming traffic on port 80 will probably be allowed and no firewall rules will stop the attack.