EC-COUNCIL EC-COUNCIL Certifications 312-50 Questions & Answers

• Question 61:

  What does ICMP (type 11, code 0) denote?

  A. Unknown Type

  B. Time Exceeded

  C. Source Quench

  D. Destination Unreachable

  Correct Answer: B

  An ICMP Type 11, Code 0 means Time Exceeded [RFC792], Code 0 = Time to Live exceeded in Transit and Code 1 = Fragment Reassembly Time Exceeded.

• Question 62:

  You want to know whether a packet filter is in front of 192.168.1.10. Pings to 192.168.1.10 don't get answered. A basic nmap scan of 192.168.1.10 seems to hang without returning any information. What should you do next?

  A. Use NetScan Tools Pro to conduct the scan

  B. Run nmap XMAS scan against 192.168.1.10

  C. Run NULL TCP hping2 against 192.168.1.10

  D. The firewall is blocking all the scans to 192.168.1.10

  Correct Answer: C

• Question 63:

  A distributed port scan operates by:

  A. Blocking access to the scanning clients by the targeted host

  B. Using denial-of-service software against a range of TCP ports

  C. Blocking access to the targeted host by each of the distributed scanning clients

  D. Having multiple computers each scan a small number of ports, then correlating the results

  Correct Answer: D

  Think of dDoS (distributed Denial of Service) where you use a large number of computers to create simultaneous traffic against a victim in order to shut them down.

• Question 64:

  Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?

  A. It is a network fault and the originating machine is in a network loop

  B. It is a worm that is malfunctioning or hardcoded to scan on port 500

  C. The attacker is trying to detect machines on the network which have SSL enabled

  D. The attacker is trying to determine the type of VPN implementation and checking for IPSec

  Correct Answer: D

  Port 500 is used by IKE (Internet Key Exchange). This is typically used for IPSEC-based VPN software, such as Freeswan, PGPnet, and various vendors of in-a- box VPN solutions such as Cisco. IKE is used to set up the session keys. The actual session is usually sent with ESP (Encapsulated Security Payload) packets, IP protocol 50 (but some in-a-box VPN's such as Cisco are capable of negotiating to send the encrypted tunnel over a UDP channel, which is useful for use across firewalls that block IP protocols other than TCP or UDP).

• Question 65:

  You are performing a port scan with nmap. You are in hurry and conducting the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results?

  A. XMAS scan

  B. Stealth scan

  C. Connect scan

  D. Fragmented packet scan

  Correct Answer: C

  A TCP Connect scan, named after the Unix connect() system call is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection.

• Question 66:

  You are concerned that someone running PortSentry could block your scans, and you decide to slow your scans so that no one detects them. Which of the following commands will help you achieve this?

  A. nmap -sS -PT -PI -O -T1

  B. nmap -sO -PT -O -C5

  C. nmap -sF -PT -PI -O

  D. nmap -sF -P0 -O

  Correct Answer: A

  -T[0-5]: Set timing template (higher is faster)

• Question 67:

  While performing ping scans into a target network you get a frantic call from the organization's security team. They report that they are under a denial of service attack. When you stop your scan, the smurf attack event stops showing up on the organization's IDS monitor. How can you modify your scan to prevent triggering this event in the IDS?

  A. Scan more slowly.

  B. Do not scan the broadcast IP.

  C. Spoof the source IP address.

  D. Only scan the Windows systems.

  Correct Answer: B

  Scanning the broadcast address makes the scan target all IP addresses on that subnet at the same time.

• Question 68:

  You are manually conducting Idle Scanning using Hping2. During your scanning you notice that almost every query increments the IPID regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Why do you think this occurs?

  A. The zombie you are using is not truly idle.

  B. A stateful inspection firewall is resetting your queries.

  C. Hping2 cannot be used for idle scanning.

  D. These ports are actually open on the target system.

  Correct Answer: A

  If the IPID is incremented by more than the normal increment for this type of system it means that the system is interacting with some other system beside yours and has sent packets to an unknown host between the packets destined for you.

• Question 69:

  While reviewing the result of scanning run against a target network you come across the following:

  

  Which among the following can be used to get this output?

  A. A Bo2k system query.

  B. nmap protocol scan

  C. A sniffer

  D. An SNMP walk

  Correct Answer: D

  SNMP lets you "read" information from a device. You make a query of the server (generally known as the "agent"). The agent gathers the information from the host system and returns the answer to your SNMP client. It's like having a single interface for all your informative Unix commands. Output like system.sysContact.0 is called a MIB.

• Question 70:

  Which of the following Nmap commands would be used to perform a UDP scan of the lower 1024 ports?

  A. Nmap -h -U

  B. Nmap -hU

  C. Nmap -sU -p 1-1024

  D. Nmap -u -v -w2 1-1024

  E. Nmap -sS -O target/1024

  Correct Answer: C

  Nmap -sU -p 1-1024 is the proper syntax. Learning Nmap and its switches are critical for successful completion of the CEH exam.