Exam Details

  • Exam Code: 312-50
  • Exam Name: Certified Ethical Hacker
  • Certification: EC-COUNCIL Certifications
  • Vendor: EC-COUNCIL
  • Total Questions: 614 Q&As
  • Last Updated: Mar 29, 2025

EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

  • Question 51:

    One of the ways to map a targeted network for live hosts is by sending an ICMP ECHO request to the broadcast or the network address. The request is broadcast to all hosts on the targeted network. The live hosts will send an ICMP ECHO Reply to the attacker's source IP address.

    You send a ping request to the broadcast address 192.168.5.255.

    [root@ceh/root]# ping -b 192.168.5.255
    WARNING: pinging broadcast address
    PING 192.168.5.255 (192.168.5.255) from 192.168.5.1 : 56(84) bytes of data.
    64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=4.1 ms
    64 bytes from 192.168.5.5: icmp_seq=0 ttl=255 time=5.7 ms
    --

    There are 40 computers up and running on the target network. Only 13 hosts send a reply while others do not. Why?

    A. You cannot ping a broadcast address. The above scenario is wrong.

    B. You should send a ping request with this command ping 192.168.5.0-255

    C. Linux machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address.

    D. Windows machines will not generate an answer (ICMP ECHO Reply) to an ICMP ECHO request aimed at the broadcast address or at the network address.

  • Question 52:

    Steve scans the network for SNMP-enabled devices. Which port number should Steve scan?

    A. 69

    B. 150

    C. 161

    D. 169

  • Question 53:

    Why would an attacker want to perform a scan on port 137?

    A. To discover proxy servers on a network

    B. To disrupt the NetBIOS SMB service on the target host

    C. To check for file and print sharing on Windows systems

    D. To discover information about a target host using NBTSTAT

  • Question 54:

    Study the log below and identify the scan type.

    tcpdump -vv host 192.168.1.10

    17:34:45.802163 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 36166)

    17:34:45.802216 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 33796)

    17:34:45.802266 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 47066)

    17:34:46.111982 eth0 < 192.168.1.1 > victim: ip-proto-74 0 (ttl 48, id 35585)

    17:34:46.112039 eth0 < 192.168.1.1 > victim: ip-proto-117 0 (ttl 48, id 32834)

    17:34:46.112092 eth0 < 192.168.1.1 > victim: ip-proto-25 0 (ttl 48, id 26292)

    17:34:46.112143 eth0 < 192.168.1.1 > victim: ip-proto-162 0 (ttl 48, id 51058)

    tcpdump -vv -x host 192.168.1.10

    17:35:06.731739 eth0 < 192.168.1.10 > victim: ip-proto-130 0 (ttl 59, id 42060)
    4500 0014 a44c 0000 3b82 57b8 c0a8 010a c0a8 0109 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000

    A. nmap -sR 192.168.1.10

    B. nmap -sS 192.168.1.10

    C. nmap -sV 192.168.1.10

    D. nmap -sO -T 192.168.1.10

  • Question 55:

    You have initiated an active operating system fingerprinting attempt with nmap against a target system:

    [root@ceh NG]# /usr/local/bin/nmap -sT -O 10.0.0.1

    Starting nmap 3.28 ( www.insecure.org/nmap/) at 2003-06-18 19:14 IDT
    Interesting ports on 10.0.0.1:
    (The 1628 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     filtered    ftp
    22/tcp     filtered    ssh
    25/tcp     open        smtp
    80/tcp     open        http
    135/tcp    open        loc-srv
    139/tcp    open        netbios-ssn
    389/tcp    open        LDAP
    443/tcp    open        https
    465/tcp    open        smtps
    1029/tcp   open        ms-lsa
    1433/tcp   open        ms-sql-s
    2301/tcp   open        compaqdiag
    5555/tcp   open        freeciv
    5800/tcp   open        vnc-http
    5900/tcp   open        vnc
    6000/tcp   filtered    X11

    Remote operating system guess: Windows XP, Windows 2000, NT4 or 95/98/98SE
    Nmap run completed -- 1 IP address (1 host up) scanned in 3.334 seconds

    Using its fingerprinting tests, nmap is unable to distinguish between different groups of Microsoft-based operating systems - Windows XP, Windows 2000, NT4 or 95/98/98SE. What operating system is the target host running based on the open ports shown above?

    A. Windows XP

    B. Windows 98 SE

    C. Windows NT4 Server

    D. Windows 2000 Server

  • Question 56:

    You ping a target IP to check if the host is up. You do not get a response. You suspect ICMP is blocked at the firewall. Next you use the hping2 tool to ping the target host and you get a response. Why does the host respond to hping2 and not to the ping packet?

    [ceh]# ping 10.2.3.4

    PING 10.2.3.4 (10.2.3.4) from 10.2.3.80 : 56(84) bytes of data.

    --- 10.2.3.4 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss

    [ceh]# ./hping2 -c 4 -n -i 2 10.2.3.4

    HPING 10.2.3.4 (eth0 10.2.3.4): NO FLAGS are set, 40 headers + 0 data bytes

    len=46 ip=10.2.3.4 flags=RA seq=0 ttl=128 id=54167 win=0 rtt=0.8 ms
    len=46 ip=10.2.3.4 flags=RA seq=1 ttl=128 id=54935 win=0 rtt=0.7 ms
    len=46 ip=10.2.3.4 flags=RA seq=2 ttl=128 id=55447 win=0 rtt=0.7 ms
    len=46 ip=10.2.3.4 flags=RA seq=3 ttl=128 id=55959 win=0 rtt=0.7 ms

    --- 10.2.3.4 hping statistic ---
    4 packets tramitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 0.7/0.8/0.8 ms

    A. ping packets cannot bypass firewalls

    B. you must use ping 10.2.3.4 switch

    C. hping2 uses TCP instead of ICMP by default

    D. hping2 uses stealth TCP packets to connect

  • Question 57:

    Which of the following command-line switches would you use for OS detection in Nmap?

    A. -D

    B. -O

    C. -P

    D. -X

  • Question 58:

    Which of the following commands runs snort in packet logger mode?

    A. ./snort -dev -h ./log

    B. ./snort -dev -l ./log

    C. ./snort -dev -o ./log

    D. ./snort -dev -p ./log

  • Question 59:

    A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this information?

    A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites

    B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system

    C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq number

    D. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0 and Seq 0

  • Question 60:

    An nmap command that includes the host specification of 202.176.56-57.* will scan _______ number of hosts.

    A. 2

    B. 256

    C. 512

    D. Over 10,000
