You are a penetration tester working to test the user awareness of the employees of the client xyz. You
harvested two employees' emails from some public sources and are creating a client-side backdoor to
send it to the employees via email.
Which stage of the cyber kill chain are you at?
A. Reconnaissance
B. Command and control
C. Weaponization
D. Exploitation
Correct Answer: D
At this stage the objective is exploiting a vulnerability to execute code on the victim's system, establishing a command channel for remote manipulation of the victim. Here traditional hardening measures add resiliency, but custom defense capabilities are necessary to prevent zero-day exploits at this stage. Once the weapon is delivered to the victim host, exploitation triggers the intruders' code. Most often, exploitation targets an application or operating system vulnerability, but it may also more simply exploit the users themselves or leverage an operating system feature that auto-executes code. In recent years this has become an area of expertise within the hacking community that is commonly demonstrated at events like Black Hat, DEF CON and the like.
Question 472:
An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious
sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured
by the IDS and saved to a PCAP file.
What type of network tool can be used to determine if these packets are genuinely malicious or simply a
false positive?
A. Protocol analyzer
B. Network sniffer
C. Intrusion Prevention System (IPS)
D. Vulnerability scanner
Correct Answer: A
Question 473:
Harris is attempting to identify the OS running on his target machine. He inspected the initial TTL in the IP header and the related TCP window size and obtained the following results:
TTL: 64 Window Size: 5840
What is the OS running on the target machine?
A. Solaris OS
B. Windows OS
C. Mac OS
D. Linux OS
Correct Answer: D
Question 474:
Which type of security feature stops vehicles from crashing through the doors of a building?
A. Bollards
B. Receptionist
C. Mantrap
D. Turnstile
Correct Answer: A
Question 475:
A new wireless client is configured to join an 802.11 network. This client uses the same hardware and
software as many of the other clients on the network. The client can see the network, but cannot connect.
A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association
requests being sent by the wireless client.
What is a possible source of this problem?
A. The WAP does not recognize the client's MAC address
B. The client cannot see the SSID of the wireless network
C. Client is configured for the wrong channel
D. The wireless client is not configured to use DHCP
Correct Answer: A
Question 476:
A DDoS attack is performed at layer 7 to take down web infrastructure. Partial HTTP requests are sent to
the web infrastructure or applications. Upon receiving a partial request, the target server opens multiple
connections and keeps waiting for the requests to complete.
Which attack is being described here?
A. Desynchronization
B. Slowloris attack
C. Session splicing
D. Phlashing
Correct Answer: B
Developed by Robert "RSnake" Hansen, Slowloris is DDoS attack software that permits one computer to take down a web server. Due to the simple yet elegant nature of this attack, it requires minimal bandwidth to implement and affects the target's web server only, with almost no side effects on other services and ports. Slowloris has proven highly effective against many popular types of web server software, including Apache 1.x and 2.x. Over the years, Slowloris has been credited with a number of high-profile server takedowns. Notably, it was used extensively by Iranian "hacktivists" following the 2009 Iranian presidential election to attack Iranian government websites.

Slowloris works by opening multiple connections to the targeted web server and keeping them open as long as possible. It does this by continuously sending partial HTTP requests, none of which are ever completed. The attacked server opens more and more connections, expecting each of the attack requests to be completed. Periodically, Slowloris sends subsequent HTTP headers for every request, but never actually completes the request. Ultimately, the targeted server's maximum concurrent connection pool is filled, and additional (legitimate) connection attempts are denied. By sending partial, as opposed to malformed, packets, Slowloris can easily slip past traditional intrusion detection systems.

Named after a kind of slow-moving Asian primate, Slowloris really does win the race by moving slowly and steadily. A Slowloris attack must wait for sockets to be released by legitimate requests before consuming them one by one. For a high-volume website, this can take a while. The process can be further slowed if legitimate sessions are reinitiated. But in the end, if the attack is unmitigated, Slowloris, like the tortoise, wins the race. If undetected or unmitigated, Slowloris attacks can also last for long periods of time. When attacked sockets time out, Slowloris simply reinitiates the connections, continuing to reach the web server until mitigated.

Designed for stealth as well as efficacy, Slowloris can be modified to send different host headers in the event that a virtual host is targeted, and logs are stored separately for each virtual host. More importantly, in the course of an attack, Slowloris can be set to suppress log file creation. This means the attack can catch unmonitored servers off-guard, with no red flags appearing in log file entries.

Methods of mitigation: Imperva's security services are enabled by reverse proxy technology, used for inspection of all incoming requests on their way to the clients' servers. Imperva's secured proxy won't forward any partial connection requests, rendering all Slowloris DDoS attack attempts completely and utterly useless.
Question 477:
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run?
A. Macro virus
B. Stealth/Tunneling virus
C. Cavity virus
D. Polymorphic virus
Correct Answer: B
Question 478:
Robin, a professional hacker, targeted an organization's network to sniff all the traffic. During this process, Robin plugged a rogue switch into an unused port in the LAN with a priority lower than any other switch in the network so that he could make it the root bridge, which would later allow him to sniff all the traffic in the network.
What is the attack performed by Robin in the above scenario?
A. ARP spoofing attack
B. VLAN hopping attack
C. DNS poisoning attack
D. STP attack
Correct Answer: D
STP prevents bridging loops in a redundant switched network environment. By avoiding loops, you can ensure that broadcast traffic does not become a traffic storm. STP is a hierarchical tree-like topology with a "root" switch at the top. A switch is elected as root based on the lowest configured priority of any switch (0 through 65,535). When a switch boots up, it begins a process of identifying other switches and determining the root bridge. After a root bridge is elected, the topology is established from its perspective of the connectivity. The switches determine the path to the root bridge, and all redundant paths are blocked. STP sends configuration and topology change notifications and acknowledgments (TCN/TCA) using bridge protocol data units (BPDUs). An STP attack involves an attacker spoofing the root bridge in the topology. The attacker broadcasts out an STP configuration/topology change BPDU in an attempt to force an STP recalculation. The BPDU sent out announces that the attacker's system has a lower bridge priority. The attacker can then see a variety of frames forwarded from other switches to it. STP recalculation may also cause a denial-of-service (DoS) condition on the network by causing an interruption of 30 to 45 seconds each time the root bridge changes. In this way, an attacker uses STP network topology changes to force its host to be elected as the root switch.
Question 479:
Bob is acknowledged as a hacker of repute and is popular among visitors of "underground" sites.
Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for malevolent attacks as well. In this context, what would be the most effective method to bridge the knowledge gap between the "black" hats or crackers and the "white" hats or computer security professionals? (Choose the best answer.)
A. Educate everyone with books, articles and training on risk analysis, vulnerabilities and safeguards.
B. Hire more computer security monitoring personnel to monitor computer systems and networks.
C. Make obtaining either a computer security certification or accreditation easier to achieve so more individuals feel that they are a part of something larger than life.
D. Train more National Guard and reservists in the art of computer security to help out in times of emergency or crises.
Correct Answer: A
Question 480:
Daniel is a professional hacker who is attempting to perform an SQL injection attack on a target website, www.movlescope.com. During this process, he encountered an IDS that detects SQL injection attempts based on predefined signatures. To evade any comparison statement, he attempted placing characters such as "' or '1'='1" in any basic injection statement such as "or 1=1". Identify the evasion technique used by Daniel in the above scenario.
A. Null byte
B. IP fragmentation
C. Char encoding
D. Variation
Correct Answer: D
One may append the -- comment operator along with the string for the username and wholly avoid executing the password segment of the SQL query. Everything after the -- operator would be considered a comment and not executed. To launch such an attack, the value passed for name could be ' OR '1'='1'; --
The vulnerable query is built by concatenating user input directly into the statement:
    Statement = "SELECT * FROM `CustomerDB` WHERE `name` = '" + userName + "' AND `password` = '" + passwd + "';"
With the injected value substituted for userName, the statement becomes:
    Statement = "SELECT * FROM `CustomerDB` WHERE `name` = '' OR '1'='1'; --" + "' AND `password` = '" + passwd + "';"
All the records from the customer database would be listed. Yet another variation of the SQL injection attack can be conducted in DBMS systems that allow multiple SQL statements. Here, we also make use of the vulnerability in certain DBMS whereby a user-provided field isn't strongly typed or isn't checked for type constraints.
This could take place when a numeric field is to be employed in a SQL statement, but the programmer makes no checks to validate that the user-supplied input is numeric.