EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 501:

  Why would an ethical hacker use the technique of firewalking?

  A. It is a technique used to discover wireless network on foot.

  B. It is a technique used to map routers on a network link.

  C. It is a technique used to discover the nature of rules configured on a gateway.

  D. It is a technique used to discover interfaces in promiscuous mode.

  Correct Answer: C

  Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map `open' or `pass through' ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.

• Question 502:

  Which one of the following attacks will pass through a network layer intrusion detection system undetected?

  A. A teardrop attack

  B. A SYN flood attack

  C. A DNS spoofing attack

  D. A test.cgi attack

  Correct Answer: D

  Because a network-based IDS reviews packets and headers, it can also detect denial of service (DoS) attacks

  Not A or B:

  The following sections discuss some of the possible DoS attacks available.

  Smurf

  Fraggle

  SYN Flood

  Teardrop

  DNS DoS Attacks"

• Question 503:

  Once an intruder has gained access to a remote system with a valid username and password, the attacker will attempt to increase his privileges by escalating the used account to one that has increased privileges. such as that of an administrator. What would be the best countermeasure to protect against escalation of priveges?

  A. Give users tokens

  B. Give user the least amount of privileges

  C. Give users two passwords

  D. Give users a strong policy document

  Correct Answer: B

  With less privileges it is harder to increase the privileges.

• Question 504:

  You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of the target system starting at port 1 and going up to port 1024. What is this process known as?

  A. Footprinting

  B. Firewalking

  C. Enumeration

  D. Idle scanning

  Correct Answer: B

  Firewalking uses a traceroute-like IP packet analysis to determine whether or not a particular packet can pass from the attacker's host to a destination host through a packet-filtering device. This technique can be used to map `open' or `pass through' ports on a gateway. More over, it can determine whether packets with various control information can pass through a given gateway.

• Question 505:

  Exhibit

  

  Study the log given in the exhibit,

  Precautionary measures to prevent this attack would include writing firewall rules. Of these firewall rules, which among the following would be appropriate?

  A. Disallow UDP 53 in from outside to DNS server

  B. Allow UDP 53 in from DNS server to outside

  C. Disallow TCP 53 in from secondaries or ISP server to DNS server

  D. Block all UDP traffic

  Correct Answer: C

  According to the exhibit, the question is regarding the DNS Zone Transfer. Since Zone Transfers are done with TCP port 53, you should not allow this connect external to you organization.

• Question 506:

  Which programming language is NOT vulnerable to buffer overflow attacks?

  A. Java

  B. ActiveX

  C. C++

  D. Assembly Language

  Correct Answer: A

  Perl and Java has boundary checking, hence buffer overflows don't occur. On the other hand, Perl and Java don't offer access to the system that is as deep as some programs need.

• Question 507:

  Buffer X in an Accounting application module for Brownies Inc. can contain 200 characters. The programmer makes an assumption that 200 characters are more than enough. Because there were no proper boundary checks being conducted, Bob decided to insert 400 characters into the 200-character buffer. (Overflows the buffer). Below is the code snippet.

  

  How can you protect/fix the problem of your application as shown above?

  A. Because the counter starts with 0, we would stop when the counter is less than 200

  B. Because the counter starts with 0, we would stop when the counter is more than 200

  C. Add a separate statement to signify that if we have written 200 characters to the buffer, the stack should stop because it can't hold any more data

  D. Add a separate statement to signify that if we have written less than 200 characters to the buffer, the stack should stop because it can't hold any more data

  Correct Answer: AC

  I=199 would be the character number 200. The stack holds exact 200 characters so there is no need to stop before 200.

• Question 508:

  In Buffer Overflow exploit, which of the following registers gets overwritten with return address of the exploit code?

  A. EIP

  B. ESP

  C. EAP

  D. EEP

  Correct Answer: A

  EIP is the instruction pointer which is a register, it points to your next command.

• Question 509:

  When writing shellcodes, you must avoid _________________ because these will end the string.

  

  A. Null Bytes

  B. Root Bytes

  C. Char Bytes

  D. Unicode Bytes

  Correct Answer: A

  The null character (also null terminator) is a character with the value zero, present in the ASCII and Unicode character sets, and available in nearly all mainstream programming languages. The original meaning of this character was like NOP -- when sent to a printer or a terminal, it does nothing (some terminals, however, incorrectly display it as space). Strings ending in a null character are said to be null-terminated.

• Question 510:

  Which of the following built-in C/C++ functions you should avoid to prevent your program from buffer overflow attacks?

  A. strcpy()

  B. strcat()

  C. streadd()

  D. strscock()

  Correct Answer: ABC

  When hunting buffer overflows, the first thing to look for is functions which write into arrays without any way to know the amount of space available. If you get to define the function, you can pass a length parameter in, or ensure that every array you ever pass to it is at least as big as the hard-coded maximum amount it will write. If you're using a function someone else (like, say, the compiler vendor) has provided then avoiding functions like gets(), which take some amount of data over which you have no control and stuff it into arrays they can never know the size of, is a good start. Make sure that functions like the str...() family which expect NUL-terminated strings actually get them - store a '\0' in the last element of each array involved just before you call the function, if necessary. Strscock() is not a valid C/C++ function.