Eccouncil 312-50 ExamECCOUNCIL Ethical Hacking andCountermeasures(CEHv6)Version = DemoTotal Questions in Original Product = 385http://www.passcertification.com/312-50.htmlPass CertificationNo1. Test Preparation Resource
PassCertification.com- 312-50 Exam Questions and Answers 1Question: 1Which of the following steganography utilities exploits the nature of white space and allowsthe user to conceal information in these white spaces?A. Gif-It-UpB. Image HideC. Nice TextD. SnowAnswer: DExplanation:The program snow is used to conceal messages in ASCII text by appending whitespace tothe end of lines. Because spaces and tabs are generally not visible in text viewers, themessage is effectively hidden from casual observers. And if the built-in encryption is used,the message cannot be read even if it is detected.Question: 2In the context of Trojans, what is the definition of a Wrapper?A. A tool used to encapsulate packets within a new header and footerB. An encryption tool to protect the TrojanC. A tool used to calculate bandwidth and CPU cycles wasted by the TrojanD. A tool used to bind the Trojan with a legitimate fileAnswer: DExplanation:These wrappers allow an attacker to take any executable back-door program and combine itwith any legitimate executable, creating a Trojan horse without writing a single line of newcode.
PassCertification.com- 312-50 Exam Questions and Answers 2Question: 3When Jason moves a file via NFS over the companys network, you want to grab a copy of itby sniffing. Which of the following tool accomplishes this?A. nfscopyB. macofC. filesnarfD. webspyAnswer: CExplanation: Filesnarf - sniff files from NFS trafficOPTIONS-i interfaceSpecify the interface to listen on.-v "Versus" mode. Invert thesenseofmatching,toselect non-matching files.patternSpecify regular expression for filename matching.expressionSpecifyatcpdump(8)filter expression to selecttraffic to sniff.SEE ALSODsniff, nfsdQuestion: 4What type of port scan is shown below?Scan directed at open port:ClientServer220.127.116.11:4079 -----FIN/URG/PSH----->18.104.22.168:2322.214.171.124:4079 <----NO RESPONSE------126.96.36.199:23Scan directed at closed port:ClientServer188.8.131.52:4079 -----FIN/URG/PSH----->184.108.40.206:23220.127.116.11:4079<-----RST/ACK----------18.104.22.168:23A. Windows ScanB. Idle ScanC. SYN Stealth ScanD. XMAS ScanAnswer: D
PassCertification.com- 312-50 Exam Questions and Answers 3Explanation:A Xmas port scan is variant of TCP port scan. This type of scan tries to obtain informationabout the state of a target port by sending a packet which has multiple TCP flags set to 1 -"lit as an Xmas tree". The flags set for Xmas scan are FIN, URG and PSH. The purpose is toconfuse and bypass simple firewalls. Some stateless firewalls only check against securitypolicy those packets which have the SYN flag set (that is, packets that initiate connectionaccording to the standards). Since Xmas scan packets are different, they can pass throughthese simple systems and reach the target host.Question: 5Derek has stumbled upon a wireless network and wants to assess its security. However, hedoes not find enough traffic for a good capture. He intends to use AirSnort on the capturedtraffic to crack the WEP key and does not know the IP address range or the AP. How can hegenerate traffic on the network so that he can capture enough packets to crack the WEPkey?A. Derek can use a session replay on the packets capturedB. Derek can use KisMAC as it needs two USB devices to generate trafficC. Use any ARP requests found in the captureD. Use Ettercap to discover the gateway and ICMP ping flood tool to generate trafficAnswer: DExplanation:By forcing the network to answer to a lot of ICMP messages you can gather enough packetsto crack the WEP key.
PassCertification.com- 312-50 Exam Questions and Answers 4Question: 6The following is an entry captured by a network IDS.You are assigned the task of analyzingthis entry. You notice the value 0x90, which is the most common NOOP instruction for theIntel processor. You figure that the attacker is attempting a buffer overflow attack. You alsonotice "/bin/sh" in the ASCII part of the output. As an analyst what would you conclude aboutthe attack?A. The attacker is attempting a buffer overflow attack and has succeededB. The buffer overflow attack has been neutralized by the IDSC. The attacker is creating a directory on the compromised machineD. The attacker is attempting an exploit that launches a command-line shellAnswer: DExplanation:This log entry shows a hacker using a buffer overflow to fill the data buffer and trying toinsert the execution of /bin/sh into the executable code part of the thread. It is probably anexisting exploit that is used, or a directed attack with a custom built buffer overflow with the“payload” that launches the command shell.
PassCertification.com- 312-50 Exam Questions and Answers 5Question: 7Bill has started to notice some slowness on his network when trying to update his companyswebsite and while trying to access the website from the Internet. Bill asks the help deskmanager if he has received any calls about slowness from the end users, but the help deskmanager says that he has not. Bill receives a number of calls from customers that cannotaccess the company website and cannot purchase anything online. Bill logs on to a coupleof his routers and notices that the logs show network traffic is at an all time high. He alsonotices that almost all the traffic is originating from a specific address. Bill decides to useGeotrace to find out where the suspect IP is originates from. The Geotrace utility runs atraceroute and finds that the IP is coming from Panama. Bill knows that none of hiscustomers are in Panama so he immediately thinks that his company is under a Denial ofService attack. Now Bill needs to find out more about the originating IP address. WhatInternet registry should Bill look in to find the IP address?A. RIPE LACNICB. APNICC. ARIND. LACNICAnswer: DExplanation:LACNIC is the Latin American and Caribbean Internet Addresses Registry that administersIP addresses, autonomous system numbers, reverse DNS, and other network resources forthat region.Question: 8Bob has been hired to do a web application security test. Bob notices that the site is dynamicand must make use of a back end database. Bob wants to see if SQL Injection would bepossible. What is the first character that Bob should use to attempt breaking valid SQLrequest?A. Semi ColumnB. Single QuoteC. Exclamation MarkD. Double QuoteAnswer: B
PassCertification.com- 312-50 Exam Questions and Answers 6Explanation:In SQL single quotes are used around values in queries, by entering another single quoteBob tests if the application will submit a null value and probably returning an error.Question: 9Angela is trying to access an education website that requires a username and password tologin. When Angela clicks on the link to access the login page, she gets an error messagestating that the page cannot be reached. She contacts the websites support team and theyreport that no one else is having any issues with the site. After handing the issue over to hercompanys IT department, it is found that the education website requires any computeraccessing the site must be able to respond to a ping from the educations server. SinceAngelas computer is behind a corporate firewall, her computer cannot ping the educationwebsite back. What can Angelas IT department do to get access to the education website?A. Use an Internet browser other than the one that Angela is currently usingB. Change the settings on the firewall to allow all incoming traffic on port 80C. Change the IP on Angelas computer to an address outside the firewallD. Change the settings on the firewall to allow all outgoing traffic on port 80Answer: CExplanation:Allowing traffic to and from port 80 will not help as this will be UDP or TCP traffic and pinguses ICMP. The browser used by the user will not make any difference. The only alternativehere that would solve the problem is to move the computer to outside the firewall.Question: 10Null sessions are un-authenticated connections (not using a username or password.) to anNT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on yournetwork?A. 137 and 139B. 137 and 443C. 139 and 445D. 139 and 443Answer: C
PassCertification.com- 312-50 Exam Questions and Answers 7Explanation:NULL sessions take advantage of “features” in the SMB (Server Message Block) protocolthat exist primarily for trust relationships. You can establish a NULL session with a Windowshost by logging on with a NULL user name and password. Primarily the following ports arevulnerable if they are accessible:139 TCP NETBIOSSessionService139 UDP NETBIOSSessionService445 TCP SMB/CIFSQuestion: 11An attacker runs netcat tool to transfer a secret file between two hosts.Machine A: netcat -l -p 1234 < secretfileachine B: netcat 192.168.3.4 > 1234He is worried about information being sniffed on the network. How would the attacker usenetcat to encrypt the information before transmitting onto the wire?A. Use cryptcat instead of netcatB. Machine A: netcat -l -p -s password 1234 < testfileMachine B: netcat <machine A IP> 1234C. Machine A: netcat -l -e magickey -p 1234 < testfileMachine B: netcat <machine A IP> 1234D. Machine A: netcat -l -p 1234 < testfile -pw passwordMachine B: netcat <machine A IP> 1234 -pw passwordAnswer: AExplanation:Netcat cannot encrypt the file transfer itself but would need to use a third party application toencrypt/decrypt like openssl. Cryptcat is the standard netcat enhanced with twofishencryption.
PassCertification.com- 312-50 Exam Questions and Answers 8Question: 12LAN Manager passwords are concatenated to 14 bytes, and split in half. The two halves arehashed individually. If the password is 7 characters or less, than the second half of the hashis always:A. 0xAAD3B435B51404AAB. 0xAAD3B435B51404CCC. 0xAAD3B435B51404BBD. 0xAAD3B435B51404EEAnswer: DExplanation:A problem with LM stems from the total lack of salting or cipher block chaining in the hashingprocess. To hash a password the first 7 bytes of it are transformed into an 8 byte odd parityDES key. This key is used to encrypt the 8 byte string"KGS!@". Same thing happens withthe second part of the password. This lack of salting creates two interesting consequences.Obviously this means the password is always stored in the same way, and just begs for atypical lookup table attack. The other consequence is that it is easy to tell if a password isbigger than 7 bytes in size. If not, the last 7 bytes will all be null and will result in a constantDES hash of 0xAAD3B435B51404EE.Question: 13Lori has just been tasked by her supervisor toonduct vulnerability scan on the corporatenetwork.She has been instructed to perform a very thorough test of the network to ensurethat there are no security holes on any of the machines.Loris company does not own anycommercial scanning products, so she decides to download a free one off the Internet.Lorihas never done a vulnerability scan before, so she is unsure of some of the settingsavailable in the software she downloaded.One of the options is to choose which ports thatcan be scanned.Lori wants to do exactly what her boss has told her, but she does not knowwhat ports should be scanned. If Lori is supposed to scan all known TCP ports, how manyports should she select in the software?A. 1025B. 1024C. 65536D. Lori should not scan TCP ports, only UDP portsAnswer: C
PassCertification.com- 312-50 Exam Questions and Answers 9Explanation:In both TCP and UDP, each packet header will specify a source port and a destination port,each of which is a 16-bit unsigned integer (i.e. ranging from 0 to 65535).Question: 14Hackers usually control Bots through:A. MSN MessengerB. Trojan client softwareC. GoogleTalkD. Yahoo ChatE. IRC ChannelAnswer: EExplanation:Most of the bots out today has a function to connect to a predetermined IRC channel in orderto get orders.Question: 15NetBIOS over TCP/IP allows files and/or printers to be shared over the network. You aretrying to intercept the traffic from a victim machine to a corporate network printer. You areattempting to hijack the printer network connection from your laptop by sniffing the wire.Which port does SMB over TCP/IP use?A. 445B. 139C. 179D. 443Answer: A
PassCertification.com- 312-50 Exam Questions and Answers 10Eccouncil 312-50 ExamECCOUNCIL Ethical Hacking andCountermeasures(CEHv6)Version = DemoTotal Questions in Original Product = 385http://www.passcertification.com/312-50.htmlPass CertificationNo1. Test Preparation Resource