Question CEH EXAM

Ace your homework & exams now with Quizwiz!

54 Shayla is an IT security consultant, specializing in social engineering and external penetra on tests. Shayla has been hired on by Treks Avionics, a subcontractor for the Department of Defense. Shayla has been given authority to perform any and all tests necessary to audit the company's network security. No employees for the company, other than the IT director, know about Shayla's work she will be doing. Shayla's first step is to obtain a list of employees through company website contact pages. Then she befriends a female employee of the company through an online chat website. A er mee ng with the female employee numerous mes, Shayla is able to gain her trust and they become friends. One day, Shayla steals the employee's access badge and uses it to gain unauthorized access to the Treks Avionics oﬃces. What type of insider threat would Shayla be considered? A. She would be considered an Insider Aﬃliate B. Because she does not have any legal access herself,Shayla would be considered an Outside Aﬃliate C. Shayla is an Insider Associate since she has befriended an actual employee D. Since Shayla obtained access with a legi mate company badge; she would be considered a Pure Insider

55 What port number is used by Kerberos protocol? A. 88 B. 44 C. 487 D. 419

1 Which of the following countermeasure can specifically protect against both the MAC Flood and MAC Spoofing at-tacks? A. Configure Port Security on the switch B. Configure Port Recon on the switch C. Configure Switch Mapping D. Configure Mul ple Recogni on on the switch

101 What sequence of packets is sent during the ini al TCP three-way handshake? A. SYN,SYN-ACK,ACK B. SYN,URG,ACK C. SYN,ACK,SYN-ACK D. FIN,FIN-ACK,ACK

110 John the hacker is sniﬃng the network to inject ARP packets. He injects broadcast frames onto the wire to conduct MiTM a ack. What is the des na on MAC address of a broadcast frame? A. 0xFFFFFFFFFFFF B. 0xDDDDDDDDDDDD C. 0xAAAAAAAAAAAA D. 0xBBBBBBBBBBBB

138 Your company has blocked all the ports via external firewall and only allows port 80/443 to connect to the Internet. You want to use FTP to connect to some remote server on the Internet. How would you accomplish this? A. Use HTTP Tunneling B. Use Proxy Chaining C. Use TOR Network D. Use Reverse Chaining

17 More sophis cated IDSs look for common shellcode signatures. But even these systems can be bypassed, by using polymorphic shellcode. This is a technique common among virus writers ?it basically hides the true nature of the shellcode in diﬀerent disguises. How does a polymorphic shellcode work? A. They encrypt the shellcode by XORing values over the shellcode,using loader code to decrypt the shellcode,and then execu ng the decrypted shellcode B. They convert the shellcode into Unicode,using loader to convert back to machine code then execu ng them C. They reverse the working instruc ons into opposite order by masking the IDS signatures D. They compress shellcode into normal instruc ons,uncompress the shellcode using loader code and then execu ng the shellcode

20 The following script shows a simple SQL injec on. The script builds an SQL query by concatena ng hard-coded strings together with a string entered by the user: The user is prompted to enter the name of a city on a Web form. If she enters Chicago, the query assembled by the script looks similar to the following: SELECT * FROM OrdersTable WHERE ShipCity = 'Chicago' How will you delete the OrdersTable from the database using SQL Injec on? A. Chicago'; drop table OrdersTable - B. Delete table'blah'; OrdersTable - C. EXEC; SELECT * OrdersTable > DROP - D. cmdshell'; 'del c:sqlmydbOrdersTable' //

26 An a acker finds a web page for a target organiza on that supplies contact informa on for the company. Using available details to make the message seem authen c, the a acker dra s e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confiden al informa on, such as a network administrator. The email asks the employee to log into a bogus page that requests the employee's user name and password or click on a link that will download spyware or other malicious programming. Google's Gmail was hacked using this technique and a ackers stole source code and sensi ve data from Google servers. This is highly sophis cated a ack using zero-day exploit vectors, social engineering and malware websites that focused on targeted individuals working for the company. What is this deadly a ack called? A. Spear phishing a ack B. Trojan server a ack C. Javelin a ack D. Social networking a ack

39 Google uses a unique cookie for each browser used by an individual user on a computer. This cookie contains infor-ma on that allows Google to iden fy records about that user on its database. This cookie is submi ed every me a user launches a Google search, visits a site using AdSense etc. The informa on stored in Google's database, iden fied by the cookie, includes -Everything you search for using Google -Every web page you visit that has Google Adsense ads How would you prevent Google from storing your search keywords? A. Block Google Cookie by applying Privacy and Security se ngs in your web browser B. Disable the Google cookie using Google Advanced Search se ngs on Google Search page C. Do not use Google but use another search engine Bing which will not collect and store your search keywords D. Use MAC OS X instead of Windows 7. Mac OS has higher level of privacy controls by default.

44 Which of the following statements would NOT be a proper defini on for a Trojan Horse? A. An authorized program that has been designed to capture keyboard keystroke while the user is unaware of such ac vity being performed B. An unauthorized program contained within a legi mate program. This unauthorized program performs func ons unknown (and probably unwanted) by the user C. A legi mate program that has been altered by the placement of unauthorized code within it; this code performs func ons unknown (and probably unwanted) by the user 24 D. Any program that appears to perform a desirable and necessary func on but that (because of unauthorized code within it that is unknown to the user) performs func ons unknown (and definitely unwanted) by the user

46 SNMP is a connec onless protocol that uses UDP instead of TCP packets (True or False) A. true B. false

438 Pentest results.indicate that voice over IP traﬃc is traversing a network..Which of the following tools will decode a packet capture and extract the voice conversa ons? A. Cain B. John the Ripper C. Nikto D. Hping

65 Which Steganography technique uses Whitespace to hide secret messages? A. snow B. beetle C. magnet D. cat

600 Which of the following tools can be used to perform a zone transfer? A. NSLookup B. Finger C. Dig D. Sam Spade E. Host F. Netcat G. Neotrace

A,C,D,E There are a number of tools that can be used to perform a zone transfer. Some of these include: NSLookup,Host,Dig,and Sam Spade. 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00237.jpg Latest ECCouncil 312-50v8 Real Exam Download 601-610 (2014-05-12 13:52)

108 This method is used to determine the Opera ng system and version running on a remote target system. What is it called? A. Service Degrada on B. OS Fingerprin ng C. Manual Target System D. Iden fica on Scanning

5 This type of Port Scanning technique splits TCP header into several packets so that the packet filters are not able to detect what the packets intends to do. A. UDP Scanning B. IP Fragment Scanning C. Inverse TCP flag scanning D. ACK flag scanning

361 There is a WEP encrypted wireless access point (AP) with no clients connected. In order to crack the WEP key, a fake authen ca on needs to be performed. What informa on is needed when performing fake authen ca on to an AP? (Choose two.) A. The IP address of the AP B. The MAC address of the AP C. The SSID of the wireless network D. A failed authen ca on packet

B,C

637 Which of the following LM hashes represent a password of less than 8 characters? (Select 2) A. BA810DBA98995F1817306D272A9441BB B. 44EFCE164AB921CQAAD3B435B51404EE C. 0182BD0BD4444BF836077A718CCDF409 D. CEC52EB9C8E3455DC2265B23734E0DAC E. B757BF5C0D87772FAAD3B435B51404EE F. E52CAC67419A9A224A3B108F3FA6CB6D

B,E No ce the last 8 characters are the same

514 Botnets are networks of compromised computers that are controlled remotely and surrep ously by one or more cyber criminals. How do cyber criminals infect a vic m's computer with bots? (Select 4 answers) A. A ackers physically visit every vic m's computer to infect them with malicious so ware B. Home computers that have security vulnerabili es are prime targets for botnets C. Spammers scan the Internet looking for computers that are unprotected and use these "open-doors" to install malicious so ware D. A ackers use phishing or spam emails that contain links or a achments E. A ackers use websites to host the bots u lizing Web Browser vulnerabili es

B,C,D,E

207 Which type of password cracking technique works like dic onary a ack but adds some numbers and symbols to the words from the dic onary and tries to crack the password? A. Dic onary a ack B. Brute forcing a ack C. Hybrid a ack D. Syllable a ack E. Rule-based a ack

325 Which of the following programs is usually targeted at Microso Oﬃce products? A. Polymorphic virus B. Mul part virus C. Macro virus D. Stealth virus

415 WPA2 uses AES for wireless data encryp on at which of the following encryp on levels? A. 64 bit and CCMP B. 128 bit and CRC C. 128 bit and CCMP D. 128 bit and TKIP 152

472 A hacker searches in Google for filetype:pcf to find Cisco VPN config files. Those files may contain connec vity pass-words that can be decoded with which of the following? A. Cupp B. Nessus C. Cain.and Abel D. John The Ripper Pro

686 Which of the following display filters will you enable in Ethereal to view the three-way handshake for a connec on from host 192.168.0.1? A. ip == 192.168.0.1 and tcp.syn B. ip.addr = 192.168.0.1 and syn = 1 C. ip.addr==192.168.0.1 and tcp.flags.syn D. ip.equals 192.168.0.1 and syn.equals on

688 Which of the following is not considered to be a part of ac ve sniﬃng? A. MAC Flooding B. ARP Spoofing C. SMAC Fueling D. MAC Duplica ng

694 Global deployment of RFC 2827 would help mi gate what classifica on of a ack? A. Sniﬃng a ack B. Denial of service a ack C. Spoofing a ack D. Reconnaissance a ack E. Prot Scan a ack

C 240 RFC 2827 - Network Ingress Filtering: Defea ng Denial of Service A acks which employ IP Source Address Spoofing

271 A company.has made the decision to host their own email and basic web services. The administrator needs to set up the external firewall to limit what protocols should be allowed to get to the public part of the company's network. Which ports should the administrator open? (Choose.three.) A. Port 22 B. Port 23 C. Port 25 118 D. Port 53 E. Port 80 F. Port 139 G. Port 445

C,D,E

151 A ackers send an ACK probe packet with random sequence number, no response means port is filtered (Stateful firewall is present) and RST response means the port is not filtered. What type of Port Scanning is this? A. RST flag scanning B. FIN flag scanning C. SYN flag scanning D. ACK flag scanning

398 A developer for a company.is tasked with crea ng a program that will allow customers to update their billing and shipping informa on. The billing address field used is limited to 50 characters..What pseudo code would the developer use to avoid a buﬀer overflow a ack on the billing address field? A. if (billingAddress = 50) {update field } else exit B. if (billingAddress != 50) {update field } else exit C. if (billingAddress >= 50) {update field } else exit D. if (billingAddress <= 50) {update field } else exit

40 How many bits encryp on does SHA-1 use? A. 64 bits 22 B. 128 bits C. 256 bits D. 160 bits

401 What is one thing a tester.can do.to ensure.that the so ware is trusted and is not changing or tampering with cri cal data on the back end of a system it is loaded on? A. Proper tes ng B. Secure coding principles C. Systems security and architecture review 149 D. Analysis of interrupts within the so ware

409 Which of the following is a symmetric cryptographic standard?. A. DSA B. PKI C. RSA D. 3DES

60 What file system vulnerability does the following command take advantage of? type c:anyfile.exe > c:winntsystem32calc.exe:anyfile.exe A. HFS B. Backdoor access C. XFS D. ADS

79 In Buﬀer Overflow exploit, which of the following registers gets overwri en with return address of the exploit code? A. EEP B. ESP C. EAP D. EIP

716 What is Hunt used for? A. Hunt is used to footprint networks B. Hunt is used to sniﬀ traﬃc C. Hunt is used to hack web servers D. Hunt is used to intercept traﬃc i.e. man-in-the-middle traﬃc E. Hunt is used for password cracking

D 251 Hunt can be used to intercept traﬃc. It is useful with telnet, p,and others to grab traﬃc between two computers or to hijack sessions.

799 Which of the following is NOT a valid NetWare access level? A. Not Logged in B. Logged in C. Console Access D. Administrator

D 273 Administrator is an account not a access level.

837 All the web servers in the DMZ respond to ACK scan on port 80. Why is this happening ? A. They are all Windows based webserver B. They are all Unix based webserver C. The company is not using IDS D. The company is not using a stateful firewall

D 287 If they used a stateful inspec on firewall this firewall would know if there has been a SYN-ACK before the ACK.

106 Which of the following is NOT part of CEH Scanning Methodology? A. Check for Live systems B. Check for Open Ports C. Banner Grabbing D. Prepare Proxies E. Social Engineering a acks F. Scan for Vulnerabili es G. Draw Network Diagrams

195 In which step Steganography fits in CEH System Hacking Cycle (SHC) A. Step 2: Crack the password B. Step 1: Enumerate users C. Step 3: Escalate privileges D. Step 4: Execute applica ons E. Step 5: Hide files F. Step 6: Cover your tracks

568 What is the disadvantage of an automated vulnerability assessment tool? A. Ineﬀec ve B. Slow C. Prone to false posi ves D. Prone to false nega ves E. Noisy

E Vulnerability assessment tools perform a good analysis of system vulnerabili es; however,they are noisy and will quickly trip IDS systems.

83 Bret is a web applica on administrator and has just read that there are a number of surprisingly common web ap-plica on vulnerabili es that can be exploited by unsophis cated a ackers with easily available tools on the Internet. He has also read that when an organiza on deploys a web applica on, they invite the world to send HTTP requests. 40 A acks buried in these requests sail past firewalls, filters, pla orm hardening, SSL, and IDS without no ce because they are inside legal HTTP requests. Bret is determined to weed out vulnerabili es. What are some of the common vulnerabili es in web applica ons that he should be concerned about? A. Non-validated parameters,broken access control,broken account and session management,cross-site scrip ng and buﬀer overflows are just a few common vulnerabili es B. Visible clear text passwords,anonymous user account set as default,missing latest security patch,no firewall filters set and no SSL configured are just a few common vulnerabili es C. No SSL configured,anonymous user account set as default,missing latest security patch,no firewall filters set and an ina en ve system administrator are just a few common vulnerabili es D. No IDS configured,anonymous user account set as default,missing latest security patch,no firewall filters set and visible clear text passwords are just a few common vulnerabili es

92 You receive an e-mail with the following text message. "Microso and HP today warned all customers that a new, highly dangerous virus has been discovered which will erase all your files at midnight. If there's a file called hidserv.exe on your computer, you have been infected and your computer is now running a hidden server that allows hackers to access your computer. Delete the file immediately. Please also pass this message to all your friends and colleagues as soon as possible." You launch your an virus so ware and scan the suspicious looking file hidserv.exe located in c:windows directory and the AV comes out clean meaning the file is not infected. You view the file signature and confirm that it is a legi mate Windows system file "Human Interface Device Service". What category of virus is this? A. Virus hoax B. Spooky Virus C. Stealth Virus D. Polymorphic Virus

94 One of the eﬀec ve DoS/DDoS countermeasures is 'Thro ling'. Which statement correctly defines this term? A. Set up routers that access a server with logic to adjust incoming traﬃc to levels that will be safe for the server to process B. Providers can increase the bandwidth on cri cal connec ons to prevent them from going down in the event of an a ack C. Replica ng servers that can provide addi onal failsafe protec on D. Load balance each server in a mul ple-server architecture

99 Which type of scan does NOT open a full TCP connec on? A. Stealth Scan B. XMAS Scan C. Null Scan D. FIN Scan

112 TCP packets transmi ed in either direc on a er the ini al three-way handshake will have which of the following bit set? A. SYN flag B. ACK flag C. FIN flag D. XMAS flag

115 Which of the following steganography u li es exploits the nature of white space and allows the user to conceal infor-ma on in these white spaces? A. Image Hide B. Snow C. Gif-It-Up D. NiceText

116 You have chosen a 22 character word from the dic onary as your password. How long will it take to crack the password by an a acker? A. 16 million years B. 5 minutes C. 23 days D. 200 years 56

135 John is using a special tool on his Linux pla orm that has a database containing signatures to be able to detect hun-dreds of vulnerabili es in UNIX, Windows, and commonly used web CGI/ASPX scripts. Moreover, the database detects DDoS zombies and Trojans as well. What would be the name of this tool? A. hping2 B. nessus C. nmap D. make

137 _ _ _ _ _ _ _ _ _ _ _ _ _ is a type of symmetric-key encryp on algorithm that transforms a fixed-length block of plaintext (unencrypted text) data into a block of ciphertext (encrypted text) data of the same length. 60 A. Stream Cipher B. Block Cipher C. Bit Cipher D. Hash Cipher

18 SYN Flood is a DOS a ack in which an a acker deliberately violates the three-way handshake and opens a large number of half-open TCP connec ons. The signature of a ack for SYN Flood contains: A. The source and des na on address having the same value B. A large number of SYN packets appearing on a network without the corresponding reply packets C. The source and des na on port numbers having the same value D. A large number of SYN packets appearing on a network with the corresponding reply packets

28 How does traceroute map the route a packet travels from point A to point B? A. Uses a TCP mestamp packet that will elicit a me exceeded in transit message B. Manipulates the value of the me to live (TTL) within packet to elicit a me exceeded in transit message C. Uses a protocol that will be rejected by gateways on its way to the des na on D. Manipulates the flags within packets to force gateways into genera ng error messages

29 How do you defend against DHCP Starva on a ack? A. Enable ARP-Block on the switch B. Enable DHCP snooping on the switch C. Configure DHCP-BLOCK to 1 on the switch D. Install DHCP filters on the switch to block this a ack

33 Stephanie works as a records clerk in a large oﬃce building in downtown Chicago. On Monday, she went to a manda-tory security awareness class (Security5) put on by her company's IT department. During the class, the IT department informed all employees that everyone's Internet ac vity was thenceforth going to be monitored. Stephanie is worried that her Internet ac vity might give her supervisor reason to write her up, or worse get her fired. Stephanie's daily work du es only consume about four hours of her me, so she usually spends the rest of the day surfing the web. Stephanie really enjoys surfing the Internet but definitely does not want to get fired for it. 19 What should Stephanie use so that she does not get in trouble for surfing the Internet? A. Stealth IE B. Stealth Anonymizer C. Stealth Firefox D. Cookie Disabler

34 Neil is a network administrator working in Istanbul. Neil wants to setup a protocol analyzer on his network that will receive a copy of every packet that passes through the main oﬃce switch. What type of port will Neil need to setup in order to accomplish this? A. Neil will have to configure a Bridged port that will copy all packets to the protocol analyzer. B. Neil will need to setup SPAN port that will copy all network traﬃc to the protocol analyzer. C. He will have to setup an Ether channel port to get a copy of all network traﬃc to the analyzer. D. He should setup a MODS port which will copy all network traﬃc.

47 TCP/IP Session Hijacking is carried out in which OSI layer? A. Datalink layer B. Transport layer C. Network layer D. Physical layer

49 You want to hide a secret.txt document inside c:windowssystem32tcpip.dll kernel library using ADS streams. How will you accomplish this? A. copy secret.txt c:windowssystem32tcpip.dll kernel>secret.txt B. copy secret.txt c:windowssystem32tcpip.dll:secret.txt C. copy secret.txt c:windowssystem32tcpip.dll |secret.txt D. copy secret.txt >< c:windowssystem32tcpip.dll kernel secret.txt

61 You are the Security Administrator of Xtrinity, Inc. You write security policies and conduct assessments to protect the company's network. During one of your periodic checks to see how well policy is being observed by the employees, you discover an employee has a ached cell phone 3G modem to his telephone line and worksta on. He has used this cell phone 3G modem to dial in to his worksta on, thereby bypassing your firewall. A security breach has occurred as a direct result of this ac vity. The employee explains that he used the modem because he had to download so ware for a department project. How would you resolve this situa on? A. Reconfigure the firewall B. Enforce the corporate security policy C. Install a network-based IDS D. Conduct a needs analysis

75 Consider the following code: URL:h p://www.cer fied.com/search.pl? 36 text=<script>alert(document.cookie)</script> If an a acker can trick a vic m user to click a link like this, and the Web applica on does not validate input, then the vic m's browser will pop up an alert showing the users current set of cookies. An a acker can do much more damage, including stealing passwords, rese ng your home page, or redirec ng the user to another Web site. What is the countermeasure against XSS scrip ng? A. Create an IP access list and restrict connec ons based on port number B. Replace "<" and ">" characters with " & l t;" and " & g t;" using server scripts C. Disable Javascript in IE and Firefox browsers D. Connect to the server using HTTPS protocol instead of HTTP

85 Steven the hacker realizes the network administrator of Acme Corpora on is using syskey in Windows 2008 Server to protect his resources in the organiza on. Syskey independently encrypts the hashes so that physical access to the server, tapes, or ERDs is only first step to cracking the passwords. Steven must break through the encryp on used by syskey before he can a empt to use brute force dic onary a acks on the hashes. Steven runs a program called "SysCracker" targe ng the Windows 2008 Server machine in a emp ng to crack the hash used by Syskey. He needs to configure the encryp on level before he can launch the a ack. How many bits does Syskey use for encryp on? A. 40-bit encryp on B. 128-bit encryp on C. 256-bit encryp on D. 64-bit encryp on

86 Bob waits near a secured door, holding a box. He waits un l an employee walks up to the secured door and uses the special card in order to access the restricted area of the target company. Just as the employee opens the door, Bob walks up to the employee (s ll holding the box) and asks the employee to hold the door open so that he can enter. What is the best way to undermine the social engineering ac vity of tailga ng? A. Issue special cards to access secure doors at the company and provide a one- me only brief descrip on of use of the special card B. Educate and enforce physical security policies of the company to all the employees on a regular basis 41 C. Setup a mock video camera next to the special card reader adjacent to the secure door D. Post a sign that states,"no tailga ng" next to the special card reader adjacent to the secure door

87 Ursula is a college student at a University in Amsterdam. Ursula originally went to college to study engineering but later changed to marine biology a er spending a month at sea with her friends. These friends frequently go out to sea to follow and harass fishing fleets that illegally fish in foreign waters. Ursula eventually wants to put companies prac cing illegal fishing out of business. Ursula decides to hack into the parent company's computers and destroy cri cal data knowing fully well that, if caught, she probably would be sent to jail for a very long me. What would Ursula be considered? A. Ursula would be considered a gray hat since she is performing an act against illegal ac vi es. B. She would be considered a suicide hacker. C. She would be called a cracker. D. Ursula would be considered a black hat.

51 In the context of Trojans, what is the defini on of a Wrapper? A. An encryp on tool to protect the Trojan B. A tool used to bind the Trojan with a legi mate file C. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan D. A tool used to encapsulate packets within a new header and footer

B Wrapper does not change header or footer of any packets but it mix between legi mate file and Trojan file.

70 Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, oﬃce poli cs, and lack of respect or promo on. Disgruntled employees may pass company secrets and intellectual property to compe tors for monitory benefits. Here are some of the symptoms of a disgruntled employee: a.Frequently leaves work early, arrive late or call in sick b.Spends me surfing the Internet or on the phone c.Responds in a confronta onal, angry, or overly aggressive way to simple requests or comments d.Always nega ve; finds fault with everything These disgruntled employees are the biggest threat to enterprise security. How do you deal with these threats? (Select 2 answers) A. Limit access to the applica ons they can run on their desktop computers and enforce strict work hour rules B. By implemen ng Virtualiza on technology from the desktop to the data centre,organiza ons can isolate diﬀerent environments with varying levels of access and security to various employees 34 C. Organiza ons must ensure that their corporate data is centrally managed and delivered to users just and when needed D. Limit Internet access,e-mail communica ons,access to social networking sites and job hun ng portals

B,C

7 Anonymizer sites access the Internet on your behalf, protec ng your personal informa on from disclosure. An anonymizer protects all of your computer's iden fying informa on while it surfs for you, enabling you to remain at least one step removed from the sites you visit. You can visit Web sites without allowing anyone to gather informa on on sites visited by you. Services that provide anonymity disable pop-up windows and cookies, and conceal visitor's IP address. These services typically use a proxy server to process each HTTP request. When the user requests a Web page by clicking a hyperlink or typing a URL into their browser, the service retrieves and displays the informa on using its own server. The remote server (where the requested Web page resides) receives informa on on the anonymous Web surfing service in place of your informa on. In which situa ons would you want to use anonymizer? (Select 3 answers) A. Increase your Web browsing bandwidth speed by using Anonymizer B. To protect your privacy and Iden ty on the Internet C. To bypass blocking applica ons that would prevent access to Web sites or parts of sites that you want to visit. D. Post nega ve entries in blogs without revealing your IP iden ty

B,C,D

103 You are footprin ng an organiza on and gathering compe ve intelligence. You visit the company's website for con-tact informa on and telephone numbers but do not find them listed there. You know they had the en re staﬀ directory listed on their website 12 months ago but now it is not there. Is there any way you can retrieve informa on from a website that is outdated? A. Visit Google's search engine and view the cached copy B. Crawl the en re website and store them into your computer C. Visit Archive.org web site to retrieve the Internet archive of the company's website D. Visit the company's partners and customers website for this informa on

107 Lee is using Wireshark to log traﬃc on his network. He no ces a number of packets being directed to an internal IP from an outside IP where the packets are ICMP and their size is around 65, 536 bytes. What is Lee seeing here? A. Lee is seeing ac vity indica ve of a Smurf a ack. B. Most likely,the ICMP packets are being sent in this manner to a empt IP spoofing. 51 C. Lee is seeing a Ping of death a ack. D. This is not unusual traﬃc,ICMP packets can be of any size.

119 Bob was frustrated with his compe tor, Brownies Inc., and decided to launch an a ack that would result in serious financial losses. He planned the a ack carefully and carried out the a ack at the appropriate moment. Meanwhile, Trent, an administrator at Brownies Inc., realized that their main financial transac on server had been a acked. As a result of the a ack, the server crashed and Trent needed to reboot the system, as no one was able to access the resources of the company. This process involves human interac on to fix it. What kind of Denial of Service a ack was best illustrated in the scenario above? A. Simple DDoS a ack B. DoS a acks which involves flooding a network or system C. DoS a acks which involves crashing a network or system D. DoS a acks which is done accidentally or deliberately

3 This IDS defea ng technique works by spli ng a datagram (or packet) into mul ple fragments and the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled un l it reaches its final des na on. It would be a processor-intensive task for IDS to reassemble all fragments itself, and on a busy system the packet will slip through the IDS onto the network. What is this technique called? A. IP Rou ng or Packet Dropping B. IDS Spoofing or Session Assembly C. IP Fragmenta on or Session Splicing D. IP Splicing or Packet Reassembly

43 This a ack uses social engineering techniques to trick users into accessing a fake Web site and divulging personal informa on. A ackers send a legi mate-looking e-mail asking users to update their informa on on the company's Web site, but the URLs in the e-mail actually point to a false Web site. A. Wiresharp a ack B. Switch and bait a ack C. Phishing a ack D. Man-in-the-Middle a ack

68 You want to capture Facebook website traﬃc in Wireshark. What display filter should you use that shows all TCP packets that contain the word 'facebook'? A. display==facebook B. traﬃc.content==facebook C. tcp contains facebook D. list.display.facebook

73 Jake works as a system administrator at Acme Corp. Jason, an accountant of the firm befriends him at the canteen and tags along with him on the pretext of appraising him about poten al tax benefits. Jason waits for Jake to swipe his access card and follows him through the open door into the secure systems area. How would you describe Jason's behavior within a security context? A. Smooth Talking B. Swipe Ga ng C. Tailga ng D. Trailing

74 While performing a ping sweep of a local subnet you receive an ICMP reply of Code 3/Type 13 for all the pings you have sent out. What is the most likely cause of this? A. The firewall is dropping the packets B. An in-line IDS is dropping the packets C. A router is blocking ICMP D. The host does not respond to ICMP packets

91 In the context of password security: a simple dic onary a ack involves loading a dic onary file (a text file full of dic-onary words) into a cracking applica on such as L0phtCrack or John the Ripper, and running it against user accounts located by the applica on. The larger the word and word fragment selec on, the more eﬀec ve the dic onary a ack is. The brute force method is the most inclusive - though slow. Usually, it tries every possible le er and number combina on in its automated explora on. If you would use both brute force and dic onary combined together to have varia ons of words, what would you call such an a ack? A. Full Blown A ack B. Thorough A ack C. Hybrid A ack D. BruteDict A ack 44

97 Bob has set up three web servers on Windows Server 2008 IIS 7.0. Bob has followed all the recommenda ons for securing the opera ng system and IIS. These servers are going to run numerous e-commerce websites that are pro-jected to bring in thousands of dollars a day. Bob is s ll concerned about the security of these servers because of the poten al for financial loss. Bob has asked his company's firewall administrator to set the firewall to inspect all incoming traﬃc on ports 80 and 443 to ensure that no malicious data is ge ng into the network. Why will this not be possible? A. Firewalls cannot inspect traﬃc coming through port 443 B. Firewalls can only inspect outbound traﬃc C. Firewalls cannot inspect traﬃc at all,they can only block or allow certain ports D. Firewalls cannot inspect traﬃc coming through port 80

104 You are the CIO for Avantes Finance Interna onal, a global finance company based in Geneva. You are responsible for network func ons and logical security throughout the en re corpora on. Your company has over 250 servers running Windows Server, 5000 worksta ons running Windows Vista, and 200 mobile users working from laptops on Windows 7. Last week, 10 of your company's laptops were stolen from salesmen while at a conference in Amsterdam. These laptops contained proprietary company informa on. While doing damage assessment on the possible public rela ons nightmare this may become, a news story leaks about the stolen laptops and also that sensi ve informa on from those computers was posted to a blog online. What built-in Windows feature could you have implemented to protect the sensi ve informa on on these laptops? A. You should have used 3DES which is built into Windows B. If you would have implemented Pre y Good Privacy (PGP) which is built into Windows,the sensi ve informa on on the laptops would not have leaked out C. You should have u lized the built-in feature of Distributed File System (DFS) to protect the sensi ve informa on on the laptops D. You could have implemented Encrypted File System (EFS) to encrypt the sensi ve files on the laptops

111 You are gathering compe ve intelligence on an organiza on. You no ce that they have jobs listed on a few Internet job-hun ng sites. There are two jobs for network and system administrators. How can this help you in foot prin ng the organiza on? A. To learn about the IP range used by the target network B. To iden fy the number of employees working for the company C. To test the limits of the corporate security policy enforced in the company D. To learn about the opera ng systems,services and applica ons used on the network

120 Johnny is a member of the hacking group Orpheus1. He is currently working on breaking into the Department of Defense's front end Exchange Server. He was able to get into the server, located in a DMZ, by using an unused service account that had a very weak password that he was able to guess. Johnny wants to crack the administrator password, but does not have a lot of me to crack it. He wants to use a tool that already has the LM hashes computed for all possible permuta ons of the administrator password. 57 What tool would be best used to accomplish this? A. SMBCrack B. SmurfCrack C. PSCrack D. RainbowTables

136 Fred is scanning his network to ensure it is as secure as possible. Fred sends a TCP probe packet to a host with a FIN flag and he receives a RST/ACK response. What does this mean? A. This response means the port he is scanning is open. B. The RST/ACK response means the port Fred is scanning is disabled. C. This means the port he is scanning is half open. D. This means that the port he is scanning on the host is closed.

16 You are the security administrator of Jaco Banking Systems located in Boston. You are se ng up e-banking website (h p://www.ejacobank.com) authen ca on system. Instead of issuing banking customer with a single password, you give them a printed list of 100 unique passwords. Each me the customer needs to log into the e-banking system website, the customer enters the next password on the list. If someone sees them type the password using shoulder surfing, MiTM or keyloggers, then no damage is done because the password will not be accepted a second me. Once the list of 100 passwords is almost finished, the system automa cally sends out a new password list by encrypted e-mail to the customer. You are confident that this security implementa on will protect the customer from password abuse. Two months later, a group of hackers called "HackJihad" found a way to access the one- me password list issued to customers of Jaco Banking Systems. The hackers set up a fake website (h p://www.e-jacobank.com) and used phishing a acks to direct ignorant customers to it. The fake website asked users for their e-banking username and password, and the next unused entry from their one- me password sheet. The hackers collected 200 customer's user-name/passwords this way. They transferred money from the customer's bank account to various oﬀshore accounts. Your decision of password policy implementa on has cost the bank with USD 925, 000 to hackers. You immediately shut down the e-banking website while figuring out the next best security solu on What eﬀec ve security solu on will you recommend in this case? A. Implement Biometrics based password authen ca on system. Record the customers face image to the authen - ca on database B. Configure your firewall to block logon a empts of more than three wrong tries C. Enable a complex password policy of 20 characters and ask the user to change the password immediately a er they logon and do not store password histories D. Implement RSA SecureID based authen ca on system

19 Which of the following type of scanning u lizes automated process of proac vely iden fying vulnerabili es of the compu ng systems present on a network? A. Port Scanning B. Single Scanning C. External Scanning D. Vulnerability Scanning

2 Jimmy, an a acker, knows that he can take advantage of poorly designed input valida on rou nes to create or alter SQL commands to gain access to private data or execute commands in the database. What technique does Jimmy use to compromise a database? A. Jimmy can submit user input that executes an opera ng system command to compromise a target system B. Jimmy can gain control of system to flood the target system with requests,preven ng legi mate users from gaining access C. Jimmy can u lize an incorrect configura on that leads to access with higher-than expected privilege of the database D. Jimmy can u lize this par cular database threat that is an SQL injec on technique to penetrate a target system

24 Jason works in the sales and marke ng department for a very large adver sing agency located in Atlanta. Jason is working on a very important marke ng campaign for his company's largest client. Before the project could be completed and implemented, a compe ng adver sing company comes out with the exact same marke ng materials and adver sing, thus rendering all the work done for Jason's client unusable. Jason is ques oned about this and says he has no idea how all the material ended up in the hands of a compe tor. Without any proof, Jason's company cannot do anything except move on. A er working on another high profile client for about a month, all the marke ng and sales material again ends up in the hands of another compe tor and is released to the public before Jason's company can finish the project. Once again, Jason says that he had nothing to do with it and does not know how this could have happened. Jason is given leave with pay un l they can figure out what is going on. Jason's supervisor decides to go through his email and finds a number of emails that were sent to the compe tors that ended up with the marke ng material. The only items in the emails were a ached jpg files, but nothing else. Jason's supervisor opens the picture files, but cannot find anything out of the ordinary with them. What technique has Jason most likely used? A. Stealth Rootkit Technique B. ADS Streams Technique C. Snow Hiding Technique D. Image Steganography Technique

27 Vulnerability scanners are automated tools that are used to iden fy vulnerabili es and misconfigura ons of hosts. They also provide informa on regarding mi ga ng discovered vulnerabili es. Which of the following statements is incorrect? A. Vulnerability scanners a empt to iden fy vulnerabili es in the hosts scanned. B. Vulnerability scanners can help iden fy out-of-date so ware versions,missing patches,or system upgrades C. They can validate compliance with or devia ons from the organiza on's security policy D. Vulnerability scanners can iden fy weakness and automa cally fix and patch the vulnerabili es without user inter-ven on

36 Jayden is a network administrator for her company. Jayden wants to prevent MAC spoofing on all the Cisco switches in the network. How can she accomplish this? A. Jayden can use the commanD. ip binding set. 20 B. Jayden can use the commanD. no ip spoofing. C. She should use the commanD. no dhcp spoofing. D. She can use the commanD. ip dhcp snooping binding.

63 What is a sniﬃng performed on a switched network called? A. Spoofed sniﬃng B. Passive sniﬃng C. Direct sniﬃng D. Ac ve sniﬃng

66 Cyber Criminals have long employed the tac c of masking their true iden ty. In IP spoofing, an a acker gains unau-thorized access to a computer or a network by making it appear that a malicious message has come from a trusted machine, by "spoofing" the IP address of that machine. 32 How would you detect IP spoofing? A. Check the IPID of the spoofed packet and compare it with TLC checksum. If the numbers match then it is spoofed packet B. Probe a SYN Scan on the claimed host and look for a response SYN/FIN packet,if the connec on completes then it is a spoofed packet C. Turn on 'Enable Spoofed IP Detec on' in Wireshark,you will see a flag ck if the packet is spoofed D. Sending a packet to the claimed host will result in a reply. If the TTL in the reply is not the same as the packet being checked then it is a spoofed packet

67 David is a security administrator working in Boston. David has been asked by the oﬃce's manager to block all POP3 traﬃc at the firewall because he believes employees are spending too much me reading personal email. How can David block POP3 at the firewall? A. David can block port 125 at the firewall. B. David can block all EHLO requests that originate from inside the oﬃce. C. David can stop POP3 traﬃc by blocking all HELO requests that originate from inside the oﬃce. D. David can block port 110 to block all POP3 traﬃc.

37 Peter extracts the SID list from Windows 2008 Server machine using the hacking tool "SIDExtracter". Here is the output of the SIDs: From the above list iden fy the user account with System Administrator privileges? A. John B. Rebecca C. Sheela D. Shawn E. Somia F. Chang G. Micah

117 While tes ng web applica ons, you a empt to insert the following test script into the search area on the company's web site: <script>alert('Tes ng Tes ng Tes ng')</script> Later, when you press the search bu on, a pop up box appears on your screen with the text "Tes ng Tes ng Tes ng". What vulnerability is detected in the web applica on here? A. Cross Site Scrip ng B. Password a acks C. A Buﬀer Overflow D. A hybrid a ack

141 In which loca on, SAM hash passwords are stored in Windows 7? A. c:windowssystem32configSAM B. c:winntsystem32machineSAM C. c:windowsetcdriversSAM D. c:windowsconfigetcSAM

143 Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threats, but it does not secure the applica on from coding errors. It can provide data privacy; integrity and enable strong authen ca on but it cannot mi gate programming errors. What is a good example of a programming error that Bob can use to explain to the management how encryp on will not address all their security concerns? A. Bob can explain that using a weak key management technique is a form of programming error B. Bob can explain that using passwords to derive cryptographic keys is a form of a programming error C. Bob can explain that a buﬀer overflow is an example of programming error and it is a common mistake associated with poor programming technique D. Bob can explain that a random number generator can be used to derive cryptographic keys but it uses a weak seed value and this is a form of a programming error

145 One of the most common and the best way of cracking RSA encryp on is to begin to derive the two prime numbers, which are used in the RSA PKI mathema cal process. If the two numbers p and q are discovered through a _ _ _ _ _ _ _ _ _ _ _ _ _ process, then the private key can be derived. A. Factoriza on B. Prime Detec on C. Hashing D. Brute-forcing

146 Data is sent over the network as clear text (unencrypted) when Basic Authen ca on is configured on Web Servers. A. true B. false

149 Charlie is the network administrator for his company. Charlie just received a new Cisco router and wants to test its capabili es out and to see if it might be suscep ble to a DoS a ack resul ng in its locking up. The IP address of the Cisco switch is 172.16.0.45. What command can Charlie use to a empt this task? A. Charlie can use the commanD. ping -l 56550 172.16.0.45 -t. B. Charlie can try using the commanD. ping 56550 172.16.0.45. C. By using the command ping 172.16.0.45 Charlie would be able to lockup the router D. He could use the commanD. ping -4 56550 172.16.0.45.

152 What is the command used to create a binary log file using tcpdump? A. tcpdump -w ./log B. tcpdump -r log C. tcpdump -vde logtcpdump -vde ? log D. tcpdump -l /var/log/

158 Frederickson Security Consultants is currently conduc ng a security audit on the networks of Hawthorn Enterprises, a contractor for the Department of Defense. Since Hawthorn Enterprises conducts business daily with the federal government, they must abide by very stringent security policies. Frederickson is tes ng all of Hawthorn's physical and logical security measures including biometrics, passwords, and permissions. The federal government requires that all users must u lize random, non-dic onary passwords that must take at least 30 days to crack. Frederickson has confirmed that all Hawthorn employees use a random password generator for their network passwords. The Frederickson consultants have saved oﬀ numerous SAM files from Hawthorn's servers using Pwdump6 and are going to try and crack the network passwords. What method of a ack is best suited to crack these passwords in the shortest amount of me? A. Brute force a ack B. Birthday a ack C. Dic onary a ack D. Brute service a ack

162 69 Blane is a network security analyst for his company. From an outside IP, Blane performs an XMAS scan using Nmap. Almost every port scanned does not illicit a response. What can he infer from this kind of response? A. These ports are open because they do not illicit a response. B. He can tell that these ports are in stealth mode. C. If a port does not respond to an XMAS scan using NMAP,that port is closed. D. The scan was not performed correctly using NMAP since all ports,no ma er what their state,will illicit some sort of response from an XMAS scan.

164 A simple compiler technique used by programmers is to add a terminator 'canary word' containing four le ers NULL (0×00), CR (0x0d), LF (0x0a) and EOF (0xﬀ) so that most string opera ons are terminated. If the canary word has been altered when the func on returns, and the program responds by emi ng an intruder alert into syslog, and then halts what does it indicate? A. A buﬀer overflow a ack has been a empted B. A buﬀer overflow a ack has already occurred C. A firewall has been breached and this is logged D. An intrusion detec on system has been triggered E. The system has crashed

171 Nathan is tes ng some of his network devices. Nathan is using Macof to try and flood the ARP cache of these switches. If these switches' ARP cache is successfully flooded, what will be the result? A. The switches will drop into hub mode if the ARP cache is successfully flooded. B. If the ARP cache is flooded,the switches will drop into pix mode making it less suscep ble to a acks. C. Depending on the switch manufacturer,the device will either delete every entry in its ARP cache or reroute packets to the nearest switch. D. The switches will route all traﬃc to the broadcast address created collisions.

182 Yancey is a network security administrator for a large electric company. This company provides power for over 100, 000 people in Las Vegas. Yancey has worked for his company for over 15 years and has become very successful. One day, Yancey comes in to work and finds out that the company will be downsizing and he will be out of a job in two weeks. Yancey is very angry and decides to place logic bombs, viruses, Trojans, and backdoors all over the network to take down the company once he has le . Yancey does not care if his ac ons land him in jail for 30 or more years, he just wants the company to pay for what they are doing to him. What would Yancey be considered? A. Yancey would be considered a Suicide Hacker B. Since he does not care about going to jail,he would be considered a Black Hat C. Because Yancey works for the company currently; he would be a White Hat D. Yancey is a Hack vist Hacker since he is standing up to a company that is downsizing

188 You went to great lengths to install all the necessary technologies to prevent hacking a acks, such as expensive fire-walls, an virus so ware, an -spam systems and intrusion detec on/preven on tools in your company's network. You have configured the most secure policies and ghtened every device on your network. You are confident that hack-ers will never be able to gain access to your network with complex security system in place. Your peer, Peter Smith who works at the same department disagrees with you. He says even the best network security technologies cannot prevent hackers gaining access to the network because of presence of "weakest link" in the security chain. What is Peter Smith talking about? A. Untrained staﬀ or ignorant computer users who inadvertently become the weakest link in your security chain B. "zero-day" exploits are the weakest link in the security chain since the IDS will not be able to detect these a acks C. "Polymorphic viruses" are the weakest link in the security chain since the An -Virus scanners will not be able to detect these a acks D. Con nuous Spam e-mails cannot be blocked by your security system since spammers use diﬀerent techniques to bypass the filters in your gateway

189 How does a denial-of-service a ack work? A. A hacker prevents a legi mate user (or group of users) from accessing a service B. A hacker uses every character,word,or le er he or she can think of to defeat authen ca on C. A hacker tries to decipher a password by using a system,which subsequently crashes the network D. A hacker a empts to imitate a legi mate user by confusing a computer or even another person

191 This is an a ack that takes advantage of a web site vulnerability in which the site displays content that includes un-sani zed user-provided data. <ahref="h p://foobar.com/index.html?id= %3Cscript %20src= %22h p://baddomain.com/badscript.js %22 %3E %3C/script %3E">See foobar</a> What is this a ack? A. Cross-site-scrip ng a ack 88 B. SQL Injec on C. URL Traversal a ack D. Buﬀer Overflow a ack

200 Iden fy SQL injec on a ack from the HTTP requests shown below: A. h p://www.myserver.c0m/search.asp? lname=smith %27 %3bupdate %20usertable %20set %20passwd %3d %27hAx0r %27 %3b- B. h p://www.myserver.c0m/script.php?mydata= %3cscript %20src= %22 C. h p %3a %2f %2fwww.yourserver.c0m %2 adscript.js %22 %3e %3c %2fscript %3e D. h p://www.vic m.com/example accountnumber=67891 &creditamount=999999999

205 Bill is a security analyst for his company. All the switches used in the company's oﬃce are Cisco switches. Bill wants to make sure all switches are safe from ARP poisoning. How can Bill accomplish this? A. Bill can use the command: ip dhcp snooping. B. Bill can use the command: no ip snoop. C. Bill could use the command: ip arp no flood. D. He could use the command: ip arp no snoop.

214 WWW wanderers or spiders are programs that traverse many pages in the World Wide Web by recursively retrieving linked pages. Search engines like Google, frequently spider web pages for indexing. How will you stop web spiders from crawling certain directories on your website? A. Place robots.txt file in the root of your website with lis ng of directories that you don't want to be crawled B. Place authen ca on on root directories that will prevent crawling from these spiders C. Enable SSL on the restricted directories which will block these spiders from crawling D. Place "HTTP:NO CRAWL" on the html pages that you don't want the crawlers to index

218 If an a acker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response? A. The zombie computer will respond with an IPID of 24334. 104 B. The zombie computer will respond with an IPID of 24333. C. The zombie computer will not send a response. D. The zombie computer will respond with an IPID of 24335.

225 Wayne is the senior security analyst for his company. Wayne is examining some traﬃc logs on a server and came across some inconsistencies. Wayne finds some IP packets from a computer purpor ng to be on the internal network. The packets originate from 192.168.12.35 with a TTL of 15. The server replied to this computer and received a response from 192.168.12.35 with a TTL of 21. What can Wayne infer from this traﬃc log? A. The ini al traﬃc from 192.168.12.35 was being spoofed. B. The traﬃc from 192.168.12.25 is from a Linux computer. C. The TTL of 21 means that the client computer is on wireless. D. The client computer at 192.168.12.35 is a zombie computer.

229 You are the security administrator for a large network. You want to prevent a ackers from running any sort of tracer-oute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this? A. There is no way to completely block tracerou ng into this area B. Block UDP at the firewall C. Block TCP at the firewall D. Block ICMP at the firewall

230 Neil is an IT security consultant working on contract for Davidson Avionics. Neil has been hired to audit the network of Davidson Avionics. He has been given permission to perform any tests necessary. Neil has created a fake company ID badge and uniform. Neil waits by one of the company's entrance doors and follows an employee into the oﬃce a er they use their valid access card to gain entrance. What type of social engineering a ack has Neil employed here? A. Neil has used a tailga ng social engineering a ack to gain access to the oﬃces B. He has used a piggybacking technique to gain unauthorized access C. This type of social engineering a ack is called man trapping D. Neil is using the technique of reverse social engineering to gain access to the oﬃces of Davidson Avionics

247 Jake is a network administrator who needs to get reports from all the computer and network devices on his network. Jake wants to use SNMP but is afraid that won't be secure since passwords and messages are in clear text. How can Jake gather network informa on in a secure manner? A. He can use SNMPv3 B. Jake can use SNMPrev5 C. He can use SecWMI D. Jake can use SecSNMP

252 You are trying to package a RAT Trojan so that An -Virus so ware will not detect it. Which of the listed technique will NOT be eﬀec ve in evading An -Virus scanner? A. Convert the Trojan.exe file extension to Trojan.txt disguising as text file B. Break the Trojan into mul ple smaller files and zip the individual pieces C. Change the content of the Trojan using hex editor and modify the checksum D. Encrypt the Trojan using mul ple hashing algorithms like MD5 and SHA-1

258 Least privilege is a security concept that requires that a user is A. limited to those func ons required to do the job. B. given root or administra ve privileges. C. trusted to keep all data and access to that data under their sole control. D. given privileges equal to everyone else in the department.

259 A covert channel is a channel that 115 A. transfers informa on over,within a computer system,or network that is outside of the security policy. B. transfers informa on over,within a computer system,or network that is within the security policy. C. transfers informa on via a communica on path within a computer system,or network for transfer of data. D. transfers informa on over,within a computer system,or network that is encrypted.

262 Which of the following is a hashing algorithm? A. MD5 B. PGP C. DES D. ROT13

263 Which of the following iden fies the three modes in which.Snort can be configured to run? 116 A. Sniﬀer,Packet Logger,and Network Intrusion Detec on System B. Sniﬀer,Network Intrusion Detec on System,and Host Intrusion Detec on System C. Sniﬀer,Host Intrusion Preven on System,and Network Intrusion Preven on System D. Sniﬀer,Packet Logger,and Host Intrusion Preven on System

265 A company has.five diﬀerent subnets: 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0. How can.NMAP be used.to scan these adjacent Class C networks? A. NMAP.-P 192.168.1-5. B. NMAP.-P 192.168.0.0/16 C. NMAP.-P 192.168.1.0,2.0,3.0,4.0,5.0 D. NMAP.-P 192.168.1/17

266 Which vital role does the U.S. Computer Security Incident Response Team (CSIRT) provide? A. Incident response services to any user,company,government agency,or organiza on in partnership with the De-partment of Homeland Security B. Maintenance of the na onos Internet infrastructure,builds out new Internet infrastructure,and decommissions old Internet infrastructure C. Registra on of cri cal penetra on tes ng for the Department of Homeland Security and public and private sectors D. Measurement of key vulnerability assessments on behalf of the Department of Defense (DOD) and State Depart-ment,as well as private sectors

274 In the so ware security development life cyle process, threat modeling occurs in which phase? A. Design B. Requirements C. Verifica on D. Implementa on

275 Which of the following items of a computer system will an an -virus program scan for viruses? A. Boot Sector B. Deleted Files C. Windows Process List D. Password Protected Files

276 Which of the following can take an arbitrary length of input and produce a message digest output of 160 bit? A. SHA-1 119 B. MD5 C. HAVAL D. MD4

280 During a wireless penetra on test, a tester detects an access point using WPA2 encryp on. Which of the following a acks should be used to obtain the key? A. The tester must capture the WPA2 authen ca on handshake and then crack it. B. The tester must use the tool inSSIDer to crack it using the ESSID of the network. C. The tester.cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard. 120 D. The tester must change the MAC address of the wireless network card and then use the AirTraf tool to obtain the key.

288 Which of the following types of firewall inspects only header informa on in network traﬃc? A. Packet filter B. Stateful inspec on C. Circuit-level gateway D. Applica on-level gateway

292 Which tool would be used to collect wireless packet data? A. NetStumbler B. John the Ripper C. Nessus D. Netcat

299 When does the Payment Card Industry Data Security Standard (PCI-DSS) require organiza ons to perform external and internal penetra on tes ng? A. At least once a year and a er any significant upgrade or modifica on B. At least once every three years or a er any significant upgrade or modifica on C. At least.twice a year or a er any significant upgrade or modifica on D. At least once.every.two.years and a er any significant upgrade or modifica on

300 Which.type of.antenna is used in wireless communica on? A. Omnidirec onal B. Parabolic C. Uni-direc onal D. Bi-direc onal

301 Employees in a company are no longer able to access Internet web sites on their computers. The network adminis-trator is able to successfully ping IP address of web servers on the Internet and is able to open web sites by using an IP address in place of the URL..The administrator runs the nslookup command for www.eccouncil.org and receives an error message sta ng there is no response from the server. What should the administrator do next? A. Configure the firewall to allow traﬃc on TCP ports 53 and UDP port 53. B. Configure the firewall to allow traﬃc on TCP ports 80 and UDP port 443. C. Configure the firewall to allow traﬃc on TCP port 53. D. Configure the firewall to allow traﬃc on TCP port 8080.

309 How is sniﬃng broadly categorized? A. Ac ve and passive B. Broadcast and unicast C. Unmanaged and.managed D. Filtered and unfiltered

310 An engineer is learning to write exploits in C++ and is using.the exploit tool Backtrack. The engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the engineer use to accomplish this? A. g++ hackersExploit.cpp -o calc.exe B. g++ hackersExploit.py -o calc.exe C. g++ -i hackersExploit.pl -o calc.exe D. g++ -compile Ƀi hackersExploit.cpp -o calc.exe

322 Which method can provide a be er return on IT security investment and provide a thorough and comprehensive assessment of organiza onal security covering policy, procedure design, and implementa on? A. Penetra on tes ng B. Social engineering C. Vulnerability scanning D. Access control list reviews

323 When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traﬃc on the wire? A. Network tap B. Layer 3 switch C. Network bridge D. Applica on firewall

324 How does an opera ng system protect the passwords used for account logins? A. The opera ng system performs a one-way hash of the passwords. B. The opera ng system stores the passwords in a secret file that users cannot find. C. The opera ng system encrypts the passwords,and decrypts them.when needed. D. The opera ng system stores all passwords in a protected segment of non-vola le memory.

329 Smart cards use which protocol to transfer the cer ficate in a secure manner? A. Extensible Authen ca on Protocol (EAP) B. Point to Point Protocol (PPP) C. Point to Point Tunneling Protocol (PPTP) D. Layer 2 Tunneling Protocol (L2TP)

333 Which NMAP.feature can a tester implement or adjust while scanning for open ports to avoid detec on by the net-workos IDS? A. Timing op ons to slow the speed.that the port scan is conducted B. Fingerprin ng to iden fy which opera ng systems are running on the network C. ICMP ping sweep to determine which hosts on the network are not available D. Traceroute to control the path of the packets sent during the scan

340 How can telnet be used to fingerprint a web server? A. telnet webserverAddress 80 HEAD / HTTP/1.0 B. telnet webserverAddress 80.PUT / HTTP/1.0 C. telnet webserverAddress 80 HEAD / HTTP/2.0 D. telnet webserverAddress 80.PUT / HTTP/2.0

350 The use of technologies like IPSec can help guarantee the followinG. authen city, integrity, confiden ality and A. non-repudia on. B. operability. C. security. D. usability.

355 Which of the following lists are valid data-gathering ac vi es associated with a risk assessment? A. Threat iden fica on,vulnerability iden fica on,control analysis B. Threat iden fica on,response iden fica on,mi ga on iden fica on C. A ack profile,defense profile,loss profile D. System profile,vulnerability iden fica on,security determina on

358 Bluetooth uses which digital modula on technique to exchange informa on between paired devices? A. PSK (phase-shi keying) B. FSK (frequency-shi keying) C. ASK (amplitude-shi keying) D. QAM (quadrature amplitude modula on)

364 When analyzing the IDS logs, the.system administrator no ced an alert was logged when.the external router was accessed from.the administrator's.computer.to update the router configura on. What type of.an alert is this? A. False posi ve. B. False nega ve C. True positve D. True nega ve

376 Which of the following items is unique to the N- er architecture method of designing so ware applica ons? A. Applica on layers can be separated,allowing each layer to be upgraded independently from other layers. B. It is compa ble with various databases including Access,Oracle,and SQL. C. Data security is ed into each layer and must be updated for all layers when any upgrade is performed. D. Applica on layers can be wri en in C,ASP.NET,or Delphi without any performance loss.

395 If.a tester is a emp ng to ping a target that.exists but receives no response or a response that states the des na on is unreachable, ICMP may be disabled and the network may be using TCP. Which other op on could the tester use to get a response from a host using TCP? A. Hping B. Traceroute C. TCP ping D. Broadcast ping

396 How can rainbow tables be defeated? A. Password sal ng B. Use of.non-dic onary words C. All uppercase character passwords D. Lockout accounts under brute force password cracking a empts

397 Which of the following is.an advantage of u lizing security tes ng methodologies.to conduct a security audit? A. They provide a repeatable framework. B. Anyone can run the command line scripts. 148 C. They are available at low cost. D. They are subject to government regula on.

407 Which of the following is a primary service of the.U.S. Computer Security Incident Response Team (CSIRT)? A. CSIRT provides an incident response service to enable a reliable and trusted single point of contact for repor ng computer security incidents worldwide. B. CSIRT provides a computer security surveillance service to supply a government with important intelligence infor-ma on on individuals travelling abroad. C. CSIRT provides a penetra on tes ng service to support excep on repor ng on incidents worldwide by individuals and mul -na onal corpora ons. D. CSIRT provides a vulnerability assessment service to assist law enforcement agencies with profiling an individual's property or company's asset.

408 Which of the following is a.client-server tool u lized to evade firewall inspec on? A. tcp-over-dns B. kismet C. nikto D. hping

411 What technique is used to perform a Connec on Stream.Parameter Pollu on.(CSPP) a ack? A. Injec ng parameters into a connec on string using semicolons as a separator B. Inser ng malicious Javascript code into input parameters C. Se ng a user's session iden fier (SID) to an explicit known value D. Adding mul ple parameters with the same name in HTTP requests

412 Which of the following open source tools would be the best choice to scan a network for poten al targets? A. NMAP B. NIKTO C. CAIN D. John the Ripper

413 Which of the following levels of algorithms does Public Key Infrastructure (PKI) use? A. RSA 1024 bit strength B. AES 1024 bit strength C. RSA 512 bit strength D. AES 512 bit strength

416 Which of the following network a acks relies on sending an abnormally large packet size that exceeds TCP/IP specifi-ca ons? A. Ping of death B. SYN flooding C. TCP hijacking D. Smurf a ack

420 Which of the following is a preven ve control? A. Smart card authen ca on 153 B. Security policy C. Audit trail D. Con nuity of opera ons plan

424 A botnet can be managed through which of the following? A. IRC B. E-Mail C. Linkedin and Facebook D. A vulnerable FTP server 154

429 155 A technician is resolving an issue where a computer is unable to connect to the Internet using a wireless access point. The computer is able to transfer files locally to other machines, but cannot successfully reach the Internet. When the technician examines the IP address and default gateway they are both on the 192.168.1.0/24. Which of the following has occurred? A. The.gateway is not rou ng to a public IP address. B. The computer is using an invalid IP address. C. The gateway and the computer are not on the same network. D. The computer is not using a private IP address.

430 A Network Administrator was recently promoted to Chief Security Oﬃcer at a local university. One of employee's new responsibili es is to manage the implementa on of an RFID card access system to a new server room on campus. The server room will house student enrollment informa on that is securely backed up to an oﬀ-site loca on. During a mee ng with an outside consultant, the Chief Security Oﬃcer explains that he is concerned that the exis ng security controls have not been designed properly. Currently, the Network Administrator is responsible for approving and issuing RFID card access to the server room, as well as reviewing the electronic access logs on a weekly basis. Which of the following is an issue with the situa on? A. Segrega on of du es B. Undue influence C. Lack of experience D. Inadequate disaster recovery plan

432 What is the main advantage that a network-based IDS/IPS system has over a host-based solu on? A. They do not use host system resources. B. They are placed at the boundary,allowing them to inspect all traﬃc. C. They are easier to install and configure. 156 D. They will not interfere with user interfaces.

436 Which of the following is used to indicate a single-line comment in structured query language (SQL)? A. - B. || C. % % D. "

443 How can a policy help.improve an employee's security awareness? A. By implemen ng wri en security procedures,enabling employee security training,and promo ng the benefits of security B. By using informal networks of communica on,establishing secret passing procedures,and immediately terminat-ing employees C. By sharing security secrets with employees,enabling employees to share secrets,and establishing a consulta ve help line D. By decreasing an employee's vaca on me,addressing ad-hoc employment clauses,and ensuring that managers know employee strengths

447 Which of the following.does proper basic configura on of snort as a network intrusion detec on system require? A. Limit the packets captured to the snort configura on file. B. Capture every packet on the network segment. C. Limit the packets captured to a single segment. D. Limit the packets captured to the /var/log/snort directory.

453 Which.security strategy requires using several, varying methods to protect IT systems against.a acks? A. Defense in depth B. Three-way handshake C. Covert channels D. Exponen al backoﬀ algorithm

457 Which property ensures that a hash func on will not produce the same hashed value for two diﬀerent messages? A. Collision resistance B. Bit length C. Key strength D. Entropy

458 From the two screenshots below, which of the following.is occurring? A. 10.0.0.253 is performing an IP scan against 10.0.0.0/24,10.0.0.252 is performing a port scan against 10.0.0.2. B. 10.0.0.253 is performing an IP scan against 10.0.0.2,10.0.0.252 is performing a port scan against 10.0.0.2. C. 10.0.0.2 is performing an IP scan against 10.0.0.0/24,10.0.0.252 is performing a port scan against 10.0.0.2. D. 10.0.0.252 is performing an IP scan against 10.0.0.2,10.0.0.252 is performing a port scan against 10.0.0.2.

462 When se ng up a wireless network, an administrator.enters.a pre-shared key for security. Which of the following is true? A. The key entered is a symmetric key used to encrypt the wireless data. 163 B. The key entered is a hash that is used to prove the integrity of the wireless data. C. The key entered is based on the Diﬃe-Hellman method. D. The key is an RSA key used to encrypt the wireless data.

471 ICMP ping and ping sweeps are used to.check for ac ve systems and to check A. if.ICMP ping traverses a firewall. B. the route that the.ICMP ping took. C. the loca on of the switchport in rela on to the.ICMP ping. D. the number of hops an ICMP.ping takes to reach a des na on.

474 A pentester gains acess to a Windows applica on server and.needs to determine the se ngs of the built-in Windows firewall. Which command would.be used? A. Netsh firewall show config B. WMIC firewall show config C. Net firewall show config D. Ipconfig firewall show config

485 Which system consists of a publicly available set of databases that contain domain name registra on contact informa-on? A. WHOIS 171 B. IANA. C. CAPTCHA D. IETF

487 Which set of access control solu ons implements two-factor authen ca on? A. USB token and PIN B. Fingerprint scanner and re na scanner C. Password and PIN D. Account and password

493 A cer fied ethical hacker (CEH) is approached by a friend who believes her husband is chea ng. She oﬀers to pay to break into her husband's email account in order to find proof so she can take him to court..What is the ethical response? A. Say no; the friend is not the owner of the account. B. Say yes; the friend needs help to gather evidence. C. Say yes; do.the job for free. D. Say no; make sure that the friend knows the risk sheos asking the CEH.to take.

494 A hacker is a emp ng to see which ports have been le open on a network. Which NMAP switch would the hacker use? A. -sO B. -sP C. -sS D. -sU

495 The network administrator for a company is se ng up a website with e-commerce capabili es. Packet sniﬃng is a concern because credit card informa on will be sent electronically over the Internet. Customers visi ng the site will need to encrypt the data with HTTPS. Which type of cer ficate.is used to encrypt and decrypt the data? A. Asymmetric B. Confiden al C. Symmetric D. Non-confiden al

496 Which security control role does.encryp on.meet? A. Preventa ve B. Detec ve C. Oﬀensive D. Defensive

502 Which of the following is op mized for confiden al communica ons, such as bidirec onal voice and video? A. RC4 B. RC5 C. MD4 D. MD5

503 The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabili es? A. An a acker,working slowly enough,can evade detec on by the IDS. B. Network packets are dropped if the volume exceeds the threshold. C. Thresholding interferes with the IDSo ability to reassemble fragmented packets. D. The IDS will not dis nguish among packets origina ng from diﬀerent sources.

506 _ _ _ _ _ _ _ _ _ _ is found in all versions of NTFS and is described as the ability to fork file data into exis ng files without aﬀec ng their func onality, size, or display to tradi onal file browsing u li es like dir or Windows Explorer A. Alternate Data Streams B. Merge Streams C. Steganography D. NetBIOS vulnerability

508 Paul has just finished se ng up his wireless network. He has enabled numerous security features such as changing the default SSID, enabling WPA encryp on, and enabling MAC filtering on his wireless router. Paul no ces that when he uses his wireless connec on, the speed is some mes 54 Mbps and some mes it is only 24Mbps or less. Paul connects to his wireless router's management u lity and no ces that a machine with an unfamiliar name is connected through his wireless connec on. Paul checks the router's logs and no ces that the unfamiliar machine has the same MAC address as his laptop. What is Paul seeing here? A. MAC spoofing B. Macof C. ARP spoofing 174 D. DNS spoofing

512 Harold is the senior security analyst for a small state agency in New York. He has no other security professionals that work under him, so he has to do all the security-related tasks for the agency. Coming from a computer hardware background, Harold does not have a lot of experience with security methodologies and technologies, but he was the only one who applied for the posi on. Harold is currently trying to run a Sniﬀer on the agency's network to get an idea of what kind of traﬃc is being passed around, but the program he is using does not seem to be capturing anything. He pours through the Sniﬀer's manual, but cannot find anything that directly relates to his problem. Harold decides to ask the network administrator if he has any thoughts on the problem. Harold is told that the Sniﬀer was not working because the agency's network is a switched network, which cannot be sniﬀed by some programs without some tweaking. What technique could Harold use to sniﬀ his agency's switched network? A. ARP spoof the default gateway B. Conduct MiTM against the switch C. Launch smurf a ack against the switch D. Flood the switch with ICMP packets

518 What is "Hack vism"? A. Hacking for a cause B. Hacking ruthlessly C. An associa on which groups ac vists D. None of the above

529 You receive an email with the following message: 180 Hello Steve, We are having technical diﬃculty in restoring user database record a er the recent blackout. Your account data is corrupted. Please logon to the SuperEmailServices.com and change your password. h p://[email protected]/support/logon.htm If you do not reset your password within 7 days, your account will be permanently disabled locking you out from our e-mail services. Sincerely, Technical Support SuperEmailServices From this e-mail you suspect that this message was sent by some hacker since you have been using their e-mail services for the last 2 years and they have never sent out an e-mail such as this. You also observe the URL in the message and confirm your suspicion about 0xde.0xad.0xbde.0xef which looks like hexadecimal numbers. You immediately enter the following at Windows 2000 command prompt: Ping 0xde.0xad.0xbe.0xef You get a response with a valid IP address. What is the obstructed IP address in the e-mail URL? A. 222.173.190.239 B. 233.34.45.64 C. 54.23.56.55 D. 199.223.23.45

535 Network Administrator Patricia is doing an audit of the network. Below are some of her findings concerning DNS. Which of these would be a cause for alarm? Select the best answer. A. There are two external DNS Servers for Internet domains. Both are AD integrated. B. All external DNS is done by an ISP. C. Internal AD Integrated DNS servers are using private DNS names that are D. unregistered. E. Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server.

80 Web servers o en contain directories that do not need to be indexed. You create a text file with search engine indexing restric ons and place it on the root directory of the Web Server. User-agent: * Disallow: /images/ Disallow: /banners/ Disallow: /Forms/ Disallow: /Dic onary/ Disallow: / _borders/ Disallow: / _fpclass/ Disallow: / _overlay/ Disallow: / _private/ Disallow: / _themes/ What is the name of this file? A. robots.txt B. search.txt C. blocklist.txt D. spf.txt

84 What is War Dialing? A. War dialing involves the use of a program in conjunc on with a modem to penetrate the modem/PBX-based systems B. War dialing is a vulnerability scanning technique that penetrates Firewalls C. It is a social engineering technique that uses Phone calls to trick vic ms D. Involves IDS Scanning Fragments to bypass Internet filters and stateful Firewalls

440 Which of the following examples best represents a logical or technical.control? A. Security tokens B. Hea ng and air condi oning C. Smoke and fire alarms D. Corporate security policy

A Latest ECCouncil 312-50v8 Real Exam Download 441-450 (2014-05-12 11:13)

450 Which United States legisla on mandates that the Chief Execu ve Oﬃcer (CEO) and the Chief Financial Oﬃcer (CFO) must sign statements verifying the completeness and accuracy of financial reports? A. Sarbanes-Oxley Act (SOX) 160 B. Gramm-Leach-Bliley Act (GLBA) C. Fair and Accurate Credit Transac ons Act (FACTA) D. Federal Informa on Security Management Act (FISMA)

A Latest ECCouncil 312-50v8 Real Exam Download 451-460 (2014-05-12 11:14)

460 An NMAP scan of a server shows port 69.is open. What risk could this pose? A. Unauthen cated access B. Weak SSL version C. Cleartext login D. Web portal data leak

A Latest ECCouncil 312-50v8 Real Exam Download 461-470 (2014-05-12 11:15)

618 Which of the following represents the ini al two commands that an IRC client sends to join an IRC network? A. USER,NICK B. LOGIN,NICK C. USER,PASS D. LOGIN,USER

A A "PASS" command is not required for either client or server connec on to be registered,but it must precede the server message or the la er of the NICK/USER combina on. (RFC 1459)

639 This kind of password cracking method uses word lists in combina on with numbers and special characters: A. Hybrid B. Linear C. Symmetric D. Brute Force

A A Hybrid (or Hybrid Dic onary) A ack uses a word list that it modifies slightly to find passwords that are almost from a dic onary (like St0pid) 221

690 How would you describe a simple yet very eﬀec ve mechanism for sending and receiving unauthorized informa on or data between machines without aler ng any firewalls and IDS's on a network? A. Covert Channel B. Cra ed Channel C. Bounce Channel D. Decep ve Channel

A A covert channel is described as: "any communica on channel that can be exploited by a process to transfer infor-ma on in a manner that violates the systems security policy." Essen ally,it is a method of communica on that is not part of an actual computer system design,but can be used to transfer informa on to users or system processes that normally would not be allowed access to the informa on. 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00240.jpg Latest ECCouncil 312-50v8 Real Exam Download 691-700 (2014-05-12 14:02)

710 Eve decides to get her hands dirty and tries out a Denial of Service a ack that is rela vely new to her. This me she envisages using a diﬀerent kind of method to a ack Brownies Inc. Eve tries to forge the packets and uses the broadcast address. She launches an a ack similar to that of fraggle. What is the technique that Eve used in the case above? A. Smurf B. Bubonic C. SYN Flood D. Ping of Death

A A fraggle a ack is a varia on of the smurf a ack for denial of service in which the a acker sends spoofed UDP packets instead of ICMP echo reply (ping) packets to the broadcast address of a large network. Latest ECCouncil 312-50v8 Real Exam Download 721-730 (2014-05-12 14:04)

603 What is a NULL scan? A. A scan in which all flags are turned oﬀ B. A scan in which certain flags are oﬀ C. A scan in which all flags are on D. A scan in which the packet size is set to zero E. A scan with a illegal packet size

A A null scan has all flags turned oﬀ.

655 What hacking a ack is challenge/response authen ca on used to prevent? A. Replay a acks B. Scanning a acks C. Session hijacking a acks D. Password cracking a acks

A A replay a ack is a form of network a ack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it. With a challenge/response authen ca on you ensure that captured packets canot be retransmi ed without a new authen ca on.

839 If you come across a sheepdip machine at your clientos site, what should you do? A. A sheepdip computer is used only for virus-checking. B. A sheepdip computer is another name for a honeypot C. A sheepdip coordinates several honeypots. D. A sheepdip computers defers a denial of service a ack.

A Also known as a footbath,a sheepdip is the process of checking physical media,such as floppy disks or CD-ROMs,for viruses before they are used in a computer. Typically,a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers,meaning it is not connected to the network. Most sheepdips use at least two diﬀerent an virus programs in order to increase eﬀec veness.

840 If you come across a sheepdip machaine at your client site, what would you infer? A. A sheepdip computer is used only for virus checking. B. A sheepdip computer is another name for honeypop. C. A sheepdip coordinates several honeypots. D. A sheepdip computer defers a denial of service a ack.

707 When working with Windows systems, what is the RID of the true administrator account? A. 500 B. 501 C. 1000 D. 1001 E. 1024 F. 512

A Because of the way in which Windows func ons,the true administrator account always has a RID of 500.

592 Bob is acknowledged as a hacker of repute and is popular among visitors of pundergroundq sites. Bob is willing to share his knowledge with those who are willing to learn, and many have expressed their interest in learning from him. However, this knowledge has a risk associated with it, as it can be used for malevolent a acks as well. In this context, what would be the most aﬀec ve method to bridge the knowledge gap between the pblackq hats or crackers and the pwhiteq hats or computer security professionals? (Choose the test answer) A. Educate everyone with books,ar cles and training on risk analysis,vulnerabili es and safeguards. B. Hire more computer security monitoring personnel to monitor computer systems and networks. C. Make obtaining either a computer security cer fica on or accredita on easier to achieve so more individuals feel that they are a part of something larger than life. D. Train more Na onal Guard and reservist in the art of computer security to help out in mes of emergency or crises.

A Bridging the gap would consist of educa ng the white hats and the black hats equally so that their knowledge is rela vely the same. Using books,ar cles,the internet,and professional training seminars is a way of comple ng this goal.

644 When discussing passwords, what is considered a brute force a ack? A. You a empt every single possibility un l you exhaust all possible combina ons or discover the password B. You threaten to use the rubber hose on someone unless they reveal their password C. You load a dic onary of words into your cracking program D. You create hashes of a large number of words and compare it with the encrypted passwords E. You wait un l the password expires

A Brute force cracking is a me consuming process where you try every possible combina on of le ers, numbers, and characters un l you discover a match.

660 _ _ _ _ _ is the process of conver ng something from one representa on to the simplest form. It deals with the way in which systems convert data from one form to another. A. Canonicaliza on B. Character Mapping C. Character Encoding D. UCS transforma on formats

A Canonicaliza on (abbreviated c14n) is the process of conver ng data that has more than one possible representa on into a "standard" canonical representa on. This can be done to compare diﬀerent representa ons for equivalence,to count the number of dis nct data structures (e.g.,in combinatorics),to improve the eﬃciency of various algorithms by elimina ng repeated calcula ons,or to make it possible to impose a meaningful sor ng order. Latest ECCouncil 312-50v8 Real Exam Download 671-680 (2014-05-12 13:59)

824 An employee wants to defeat detec on by a network-based IDS applica on. He does not want to a ack the system containing the IDS applica on. Which of the following strategies can be used to defeat detec on by a network-based IDS applica on? (Choose the best answer) A. Create a network tunnel. B. Create a mul ple false posi ves. C. Create a SYN flood. D. Create a ping flood.

A Certain types of encryp on presents challenges to network-based intrusion detec on and may leave the IDS blind to certain a acks,where a host-based IDS analyzes the data a er it has been decrypted.

629 Bob is doing a password assessment for one of his clients. Bob suspects that security policies are not in place. He also suspects that weak passwords are probably the norm throughout the company he is evalua ng. Bob is familiar with password weaknesses and key loggers. Which of the following op ons best represents the means that Bob can adopt to retrieve passwords from his clients hosts and servers? A. Hardware,So ware,and Sniﬃng. 217 B. Hardware and So ware Keyloggers. C. Passwords are always best obtained using Hardware key loggers. D. So ware only,they are the most eﬀec ve.

A Diﬀerent types of keylogger planted into the environment would retrieve the passwords for Bob.

752 Say that "abigcompany.com" had a security vulnerability in the javascript on their website in the past. They recently fixed the security vulnerability, but it had been there for many months. Is there some way to 4go back and see the code for that error? Select the best answer. A. archive.org B. There is no way to get the changed webpage unless you contact someone at the company C. Usenet D. Javascript would not be in their html so a service like usenet or archive wouldn't help you

A Explana ons: Archive.org is a website that periodically archives internet content. They have archives of websites over many years. It could be used to go back and look at the javascript as javascript would be in the HTML code.

784 Joe Hacker is going wardriving. He is going to use PrismStumbler and wants it to go to a GPS mapping so ware appli-ca on. What is the recommended and well-known GPS mapping package that would interface with PrismStumbler? Select the best answer. A. GPSDrive B. GPSMap C. WinPcap D. Microso Mappoint

A Explana ons: GPSDrive is a Linux GPS mapping package. It recommended to be used to send PrismStumbler data to so that it can be mapped. GPSMap is a generic term and not a real so ware package. WinPcap is a packet capture library for Windows. It is used to capture packets and deliver them to other programs for analysis. As it is for Windows,it isn't going to do what Joe Hacker is wan ng to do. Microso Mappoint is a Windows applica on. PrismStumbler is a Linux applica on. Thus,these two are not going to work well together.

733 What is Form Scalpel used for? A. Dissec ng HTML Forms 253 B. Dissec ng SQL Forms C. Analysis of Access Database Forms D. Troubleshoo ng Netscape Navigator E. Quatro Pro Analysis Tool

A Form Scalpel automa cally extracts forms from a given web page and splits up all fields for edi ng and manipula on.

540 Bob has been hired to perform a penetra on test on XYZ.com. He begins by looking at IP address ranges owned by the company and details of domain name registra on. He then goes to News Groups and financial web sites to see if they are leaking any sensi ve informa on of have any technical details online. Within the context of penetra on tes ng methodology, what phase is Bob involved with? A. Passive informa on gathering B. Ac ve informa on gathering C. A ack phase D. Vulnerability Mapping

A He is gathering informa on and as long as he doesnot make contact with any of the targets systems he is considered gathering this informa on in a passive mode.

756 Bill is a emp ng a series of SQL queries in order to map out the tables within the database that he is trying to exploit. Choose the a ack type from the choices given below. A. Database Fingerprin ng B. Database Enumera on C. SQL Fingerprin ng D. SQL Enumera on

A He is trying to create a view of the characteris cs of the target database,he is taking itos fingerprints

547 What are two types of ICMP code used when using the ping command? A. It uses types 0 and 8. B. It uses types 13 and 14. C. It uses types 15 and 17. D. The ping command does not use ICMP but uses UDP.

A ICMP Type 0 = Echo Reply,ICMP Type 8 = Echo

578 198 You are manually conduc ng Idle Scanning using Hping2. During your scanning you no ce that almost every query increments the IPID regardless of the port being queried. One or two of the queries cause the IPID to increment by more than one value. Why do you think this occurs? A. The zombie you are using is not truly idle. B. A stateful inspec on firewall is rese ng your queries. C. Hping2 cannot be used for idle scanning. D. These ports are actually open on the target system.

A If the IPID is incremented by more than the normal increment for this type of system it means that the system is interac ng with some other system beside yours and has sent packets to an unknown host between the packets des ned for you.

829 Network Intrusion Detec on systems can monitor traﬃc in real me on networks. Which one of the following techniques can be very eﬀec ve at avoiding proper detec on? A. Fragmenta on of packets. B. Use of only TCP based protocols. C. Use of only UDP based protocols. D. Use of fragmented ICMP traﬃc only.

A If the default fragmenta on reassembly meout is set to higher on the client than on the IDS then the it is possible to send an a ack in fragments that will never be reassembled in the IDS but they will be reassembled and read on the client computer ac ng vic m.

708 You have been called to inves gate a sudden increase in network traﬃc at XYZ. It seems that the traﬃc generated was too heavy that normal business func ons could no longer be rendered to external employees and clients. A er a quick inves ga on, you find that the computer has services running a ached to TFN2k and Trinoo so ware. What do you think was the most likely cause behind this sudden increase in traﬃc? A. A distributed denial of service a ack. B. A network card that was jabbering. C. A bad route on the firewall. D. Invalid rules entry at the gateway.

A In computer security,a denial-of-service a ack (DoS a ack) is an a empt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers,and the a ack a empts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB). TFN2K and Trinoo are tools used for conduc ng DDos a acks.

751 _ _ _ _ _ _ _ _ _ ensures that the enforcement of organiza onal security policy does not rely on voluntary web applica-on user compliance. It secures informa on by assigning sensi vity labels on informa on and comparing this to the level of security a user is opera ng at. 259 A. Mandatory Access Control B. Authorized Access Control C. Role-based Access Control D. Discre onary Access Control

A In computer security,mandatory access control (MAC) is a kind of access control,defined by the TCSEC as "a means of restric ng access to objects based on the sensi vity (as represented by a label) of the informa on contained in the objects and the formal authoriza on (i.e.,clearance) of subjects to access informa on of such sensi vity."

841 What type of a ack changes its signature and/or payload to avoid detec on by an virus programs? A. Polymorphic B. Rootkit C. Boot sector D. File infec ng

A In computer terminology,polymorphic code is code that mutates while keeping the original algorithm intact. This technique is some mes used by computer viruses,shellcodes and computer worms to hide their presence.

672 John wishes to install a new applica on onto his Windows 2000 server. He wants to ensure that any applica on he uses has not been Trojaned. What can he do to help ensure this? A. Compare the file's MD5 signature with the one published on the distribu on media B. Obtain the applica on via SSL C. Compare the file's virus signature with the one published on the distribu on media D. Obtain the applica on from a CD-ROM disc

A MD5 was developed by Professor Ronald L. Rivest of MIT. What it does,to quote the execu ve summary of rfc1321,is: [The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computa onally infeasible to produce two messages having the same message digest,or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applica ons,where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA. In essence,MD5 is a way to verify data integrity,and is much more reliable than checksum and many other commonly used methods.

667 You want to use netcat to generate huge amount of useless network data con nuously for various performance tes ng between 2 hosts. Which of the following commands accomplish this? A. Machine A #yes AAAAAAAAAAAAAAAAAAAAAA | nc Ƀv Ƀv Ƀl Ƀp 2222 > /dev/null Machine B #yes BBBBBBBBBBBBBBBBBBBBBB | nc machinea 2222 > /dev/null B. Machine A cat somefile | nc Ƀv Ƀv Ƀl Ƀp 2222 Machine B cat somefile | nc othermachine 2222 C. Machine A nc Ƀl Ƀp 1234 | uncompress Ƀc | tar xvfp Machine B tar cfp - /some/dir | compress Ƀc | nc Ƀw 3 machinea 1234 D. Machine A while true : do nc Ƀv Ƀl Ƀs Ƀp 6000 machineb 2 Machine B while true ; do nc Ƀv Ƀl Ƀs Ƀp 6000 machinea 2 done

A Machine A is se ng up a listener on port 2222 using the nc command andthen having the le er A sent an infinite amount of mes,when yes is used to send data yes NEVER stops un l it recieves a break signal from the terminal (Control+C),on the client end (machine B),nc is being used as a client to connect to machine A,sending the le er B and infinite amount of mes,while both clients have established a TCP connec on each client is infinitely sending data to each other,this process will run FOREVER un l it has been stopped by an administrator or the a acker.

796 If you perform a port scan with a TCP ACK packet, what should an OPEN port return? A. RST B. No Reply C. SYN/ACK D. FIN

A Open ports return RST to an ACK scan.

825 Carl has successfully compromised a web server from behind a firewall by exploi ng a vulnerability in the web server program. He wants to proceed by installing a backdoor program. However, he is aware that not all inbound ports on the firewall are in the open state. From the list given below, iden fy the port that is most likely to be open and allowed to reach the server that Carl has just compromised. A. 53 B. 110 C. 25 D. 69

A Port 53 is used by DNS and is almost always open,the problem is o en that the port is opened for the hole world and not only for outside DNS servers.

785 Virus Scrubbers and other malware detec on program can only detect items that they are aware of. Which of the following tools would allow you to detect unauthorized changes or modifica ons of binary files on your system by unknown malware? A. System integrity verifica on tools B. An -Virus So ware C. A properly configured gateway D. There is no way of finding out un l a new updated signature file is released

A Programs like Tripwire aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g.,daily) basis,Tripwire can no fy system administrators of corrupted or tam-pered files,so damage control measures can be taken in a mely manner.

832 Snort is an open source Intrusion Detec on system. However, it can also be used for a few other purposes as well. Which of the choices below indicate the other features oﬀered by Snort? A. IDS,Packet Logger,Sniﬀer B. IDS,Firewall,Sniﬀer C. IDS,Sniﬀer,Proxy D. IDS,Sniﬀer,content inspector

A Snort is a free so ware network intrusion detec on and preven on system capable of performing packet logging & real- me traﬃc analysis,on IP networks. Snort was wri en by Mar n Roesch but is now owned and developed by Sourcefire

815 Clive is conduc ng a pen-test and has just port scanned a system on the network. He has iden fied the opera ng system as Linux and been able to elicit responses from ports 23, 25 and 53. He infers port 23 as running Telnet service, port 25 as running SMTP service and port 53 as running DNS service. The client confirms these findings and a ests to the current availability of the services. When he tries to telnet to port 23 or 25, he gets a blank screen in response. On typing other commands, he sees only blank spaces or underscores symbols on the screen. What are you most likely to infer from this? A. The services are protected by TCP wrappers B. There is a honeypot running on the scanned machine C. An a acker has replaced the services with trojaned ones D. This indicates that the telnet and SMTP server have crashed

A TCP Wrapper is a host-based network ACL system,used to filter network access to Internet protocol services run on (Unix-like) opera ng systems such as Linux or BSD. It allows host or subnetwork IP addresses,names and/or ident query replies,to be used as tokens on which to filter for access control purposes.

598 One of your team members has asked you to analyze the following SOA record. What is the version? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400. A. 200303028 B. 3600 C. 604800 D. 2400 E. 60 F. 4800

A The SOA starts with the format of YYYYMMDDVV where VV is the version.

705 When working with Windows systems, what is the RID of the true administrator account? A. 500 B. 501 C. 512 D. 1001 E. 1024 F. 1000

A The built-in administrator account always has a RID of 500.

774 In order to a ack a wireless network, you put up an access point and override the signal of the real access point. As users send authen ca on data, you are able to capture it. What kind of a ack is this? A. Rouge access point a ack B. Unauthorized access point a ack C. War Chalking D. WEP a ack 265

A The defini on of a Rogue access point is: 1. A wireless access point (AP) installed by an employee without the consent of the IT department. Without the proper security configura on,users have exposed their company's network to the outside world. 2. An access point (AP) set up by an a acker outside a facility with a wireless network. Also called an "evil twin," the rogue AP picks up beacons (signals that adver se its presence) from the company's legi mate AP and transmits iden cal beacons,which some client machines inside the building associate with.

835 You are doing IP spoofing while you scan your target. You find that the target has port 23 open. Anyway you are unable to connect. Why? A. A firewall is blocking port 23 B. You cannot spoof + TCP C. You need an automated telnet tool D. The OS does not reply to telnet even if port 23 is open

A The ques on is not telling you what state the port is being reported by the scanning u lity,if the program used to conduct this is nmap,nmap will show you one of three states Ƀ popenq,pclosedq,or pfilteredq a port can be in an popenq state yet filtered,usually by a stateful packet inspec on filter (ie. Ne ilter for linux,ipfilter for bsd). C and D to make any sense forthis ques on,their bogus,and B,pYou cannot spoof + TCPq,well you can spoof + TCP,so we strike that out.

696 Which one of the following network a acks takes advantages of weaknesses in the fragment reassembly func onality of the TCP/IP protocol stack? A. Teardrop B. Smurf C. Ping of Death D. SYN flood E. SNMP A ack

A The teardrop a ack uses overlapping packet fragments to confuse a target system and cause the system to reboot or crash.

698 What happens during a SYN flood a ack? A. TCP connec on requests floods a target machine is flooded with randomized source address & ports for the TCP ports. B. A TCP SYN packet,which is a connec on ini a on,is sent to a target machine,giving the target hostos address as both source and des na on,and is using the same port on the target host as both source and des na on. C. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field. D. A TCP packet is received with both the SYN and the FIN bits set in the flags field.

A To a server that requires an exchange of a sequence of messages. The clientsystem begins by sending a SYN message to the server. The server thenacknowledges the SYN message by sending a SYN-ACK message to the client. Theclient then finishes establishing the connec on by responding with an ACKmessage and then data can be exchanged. At the point where the server systemhas sent an acknowledgment (SYN-ACK) back to client but has not yet receivedthe ACK message,there is a half-open connec on. A data structuredescribing all pending connec ons is in memory of the server that can bemade to overflow by inten onally crea ng too many par ally openconnec ons. Another common a ack is the SYN flood,in which a target machine isflooded with TCP connec on requests. The source addresses and source TCP ports of the connec on request packets are randomized; the purpose is to force the target host to maintain state informa on for many connec ons that will never be completed. SYN flood a acks are usually no ced because the target host (frequently an HTTP or SMTP server) becomes extremely slow,crashes,or hangs. It's also possible for the traﬃc returned from the target host to cause trouble on routers; because this return traﬃc goes to the randomized source addresses of the original packets,it lacks the locality proper es of "real" IP traﬃc,and may overflow route caches. On Cisco routers,this problem o en manifests itself in the router running out of memory.

601 Under what condi ons does a secondary name server request a zone transfer from a primary name server? A. When a primary SOA is higher that a secondary SOA B. When a secondary SOA is higher that a primary SOA C. When a primary name server has had its service restarted D. When a secondary name server has had its service restarted E. When the TTL falls to zero

A Understanding DNS is cri cal to mee ng the requirements of the CEH. When the serial number that is within the SOA record of the primary server is higher than the Serial number within the SOA record of the secondary DNS server,a zone transfer will take place.

760 A par cular database threat u lizes a SQL injec on technique to penetrate a target system. How would an a acker use this technique to compromise a database? A. An a acker uses poorly designed input valida on rou nes to create or alter SQL commands to gain access to unin-tended data or execute commands of the database B. An a acker submits user input that executes an opera ng system command to compromise a target system C. An a acker gains control of system to flood the target system with requests,preven ng legi mate users from gaining access D. An a acker u lizes an incorrect configura on that leads to access with higher-than-expected privilege of the database

A Using the poorly designed input valida on to alter or steal data from a database is a SQL injec on a ack. 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00244.jpg 263 Latest ECCouncil 312-50v8 Real Exam Download 761-770 (2014-05-12 14:13)

739 Which of the following statements best describes the term Vulnerability? A. A weakness or error that can lead to a compromise 255 B. An agent that has the poten al to take advantage of a weakness C. An ac on or event that might prejudice security D. The loss poten al of a threat.

A Vulnerabili es are all weaknesses that can be exploited.

795 If you receive a RST packet while doing an ACK scan, it indicates that the port is open.(True/False). A. True B. False 272

A When and ACK is sent to an open port,a RST is returned.

763 WEP is used on 802.11 networks, what was it designed for? A. WEP is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what it usually expected of a wired LAN. B. WEP is designed to provide strong encryp on to a wireless local area network (WLAN) with a lever of integrity and privacy adequate for sensible but unclassified informa on. C. WEP is designed to provide a wireless local area network (WLAN) with a level of availability and privacy comparable to what is usually expected of a wired LAN. D. WEOP is designed to provide a wireless local area network (WLAN) with a level of privacy comparable to what it usually expected of a wired LAN.

A 264 Latest ECCouncil 312-50v8 Real Exam Download 771-780 (2014-05-12 14:15)

384 Interna onal Organiza on for Standardiza on (ISO) standard 27002 provides guidance for compliance by outlining A. guidelines and prac ces for security controls. B. financial soundness and business viability metrics. C. standard best prac ce for configura on management. D. contract agreement wri ng standards.

A 145

702 Clive has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the external gateway interface. Further inspec on reveals that they are not responses from the internal hostso requests but simply responses coming from the Internet. What could be the most likely cause? A. Someone has spoofed Cliveos IP address while doing a smurf a ack. B. Someone has spoofed Cliveos IP address while doing a land a ack. C. Someone has spoofed Cliveos IP address while doing a fraggle a ack. D. Someone has spoofed Cliveos IP address while doing a DoS a ack.

A 243 The smurf a ack,named a er its exploit program,is a denial-of-service a ack that uses spoofed broadcast ping mes-sages to flood a target system. In such an a ack,a perpetrator sends a large amount of ICMP echo (ping) traﬃc to IP broadcast addresses,all of it having a spoofed source address of the intended vic m. If the rou ng device delivering traﬃc to those broadcast addresses performs the IP broadcast to layer 2 broadcast func on,most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply,mul plying the traﬃc by the number of hosts responding. On a mul -access broadcast network,hundreds of machines might reply to each packet.

159 You want to know whether a packet filter is in front of 192.168.1.10. Pings to 192.168.1.10 don't get answered. A basic nmap scan of 192.168.1.10 seems to hang without returning any informa on. What should you do next? A. Run NULL TCP hping2 against 192.168.1.10 B. Run nmap XMAS scan against 192.168.1.10 C. The firewall is blocking all the scans to 192.168.1.10 D. Use NetScan Tools Pro to conduct the scan

A 67

572 Which of the following Nmap commands would be used to perform a stack fingerprin ng? A. Nmap -O -p80 <host(s.> B. Nmap -hU -Q<host(s.> C. Nmap -sT -p <host(s.> D. Nmap -u -o -w2 <host> E. Nmap -sS -0p target

A This op on ac vates remote host iden fica on via TCP/IP fingerprin ng. In other words,it uses a bunch of techniques to detect subtlety in the underlying opera ng system network stack of the computers you are scanning. It uses this informa on to create a "fingerprint" which it compares with its database of known OS fingerprints (the nmap-os-fingerprints file. to decide what type of system you are scanning.

706 If you send a SYN to an open port, what is the correct response?(Choose all correct answers. 244 A. SYN B. ACK C. FIN D. PSH

A,B The proper response is a SYN / ACK. This technique is also known as half-open scanning.

426 What are common signs that a system has been compromised or hacked? (Choose three.) A. Increased amount of failed logon events B. Pa erns in me gaps in system and/or event logs C. New user accounts created D. Consistency in usage baselines E. Par ons are encrypted F. Server hard drives become fragmented

A,B,C

476 A tester is a emp ng to capture and analyze the traﬃc on a given network and realizes that the network has several switches. What could be used to successfully sniﬀ the traﬃc on this switched network? (Choose three.) A. ARP spoofing B. MAC duplica on C. MAC flooding D. SYN flood E. Reverse smurf a ack F. ARP broadcas ng

A,B,C

211 100 The SNMP Read-Only Community String is like a password. The string is sent along with each SNMP Get-Request and allows (or denies) access to a device. Most network vendors ship their equipment with a default password of "public". This is the so-called "default public community string". How would you keep intruders from ge ng sensi ve informa on regarding the network devices using SNMP? (Select 2 answers) A. Enable SNMPv3 which encrypts username/password authen ca on B. Use your company name as the public community string replacing the default 'public' C. Enable IP filtering to limit access to SNMP device D. The default configura on provided by device vendors is highly secure and you don't need to change anything

A,C

294 Which of the following.statements.are true regarding N- er architecture? (Choose two.) A. Each layer must be able to exist on a physically independent system. B. The N- er architecture must have at least one logical layer. C. Each layer should exchange informa on only with the layers above and below it.. D. When a layer is changed or updated,the other layers must.also be.recompiled or modified.

A,C

400 In keeping with the best prac ces of layered security, where are the best places to place intrusion detec on/intrusion preven on systems? (Choose two.) A. HID/HIP (Host-based Intrusion Detec on/Host-based Intrusion Preven on) B. NID/NIP (Node-based Intrusion Detec on/Node-based Intrusion Preven on) C. NID/NIP (Network-based Intrusion Detec on/Network-based Intrusion Preven on) D. CID/CIP (Computer-based Intrusion Detec on/Computer-based Intrusion Preven on)

A,C

434 Which of the following are variants of mandatory access control mechanisms? (Choose two.) A. Two factor authen ca on B. Acceptable use policy C. Username / password D. User educa on program E. Sign in register

A,C

468 Which of the following are advantages of adop ng a Single Sign On (SSO) system? (Choose two.) A. A reduc on in password fa gue for users.because they do not need to know mul ple passwords when accessing mul ple applica ons B. A reduc on in network and applica on monitoring since all recording will be completed at the SSO system C. A reduc on in system administra on overhead since any user login problems can be resolved at the SSO system.D. A reduc on in overall risk to the system since network and applica on a acks can only happen at the SSO point

A,C

509 What two things will happen if a router receives an ICMP packet, which has a TTL value of 1, and the des na on host is several hops away? (Select 2 answers) A. The router will discard the packet B. The router will decrement the TTL value and forward the packet to the next router on the path to the des na on host C. The router will send a me exceeded message to the source host D. The router will increment the TTL value and forward the packet to the next router on the path to the des na on host. E. The router will send an ICMP Redirect Message to the source host

A,C

828 Bob, an Administrator at XYZ was furious when he discovered that his buddy Trent, has launched a session hijack a ack against his network, and sniﬀed on his communica on, including administra ve tasks suck as configuring routers, firewalls, IDS, via Telnet. Bob, being an unhappy administrator, seeks your help to assist him in ensuring that a ackers such as Trent will not be able to launch a session hijack in XYZ. Based on the above scenario, please choose which would be your correc ve measurement ac ons. (Choose two) A. Use encrypted protocols,like those found in the OpenSSH suite. B. Implement FAT32 filesystem for faster indexing and improved performance. C. Configure the appropriate spoof rules on gateways (internal and external). D. Monitor for CRP caches,by using IDS products. 284

A,C First you should encrypt the data passed between the par es; in par cular the session key. This technique is widely relied-upon by web-based banks and other e-commerce services,because it completely prevents sniﬃng-style a acks. However,it could s ll be possible to perform some other kind of session hijack. By configuring the appropriate spoof rules you prevent the a acker from using the same IP address as the vic m as thus you can implement secondary check to see that the IP does not change in the middle of the session.

575 Name two so ware tools used for OS guessing? (Choose two. A. Nmap B. Snadboy C. Queso D. UserInfo E. NetBus

A,C 197 Nmap and Queso are the two best-known OS guessing programs. OS guessing so ware has the ability to look at peculiari es in the way that each vendor implements the RFC's. These diﬀerences are compared with its database of known OS fingerprints. Then a best guess of the OS is provided to the user.

269 Which of the following are valid types of rootkits? (Choose three.) A. Hypervisor level B. Network level C. Kernel level D. Applica on level E. Physical level F. Data access level

A,C,D

663 One of your junior administrator is concerned with Windows LM hashes and password cracking. In your discussion with them, which of the following are true statements that you would point out? Select the best answers. A. John the Ripper can be used to crack a variety of passwords,but one limita on is that the output doesn't show if the password is upper or lower case. B. BY using NTLMV1,you have implemented an eﬀec ve countermeasure to password cracking. C. SYSKEY is an eﬀec ve countermeasure. D. If a Windows LM password is 7 characters or less,the hash will be passed with the following characters,in HEX-00112233445566778899. E. Enforcing Windows complex passwords is an eﬀec ve countermeasure. 232

A,C,E Explana ons: John the Ripper can be used to crack a variety of passwords,but one limita on is that the output doesn't show if the password is upper or lower case. John the Ripper is a very eﬀec ve password cracker. It can crack pass-words for many diﬀerent types of opera ng systems. However,one limita on is that the output doesn't show if the password is upper or lower case. BY using NTLMV1,you have implemented an eﬀec ve countermeasure to password cracking. NTLM Version 2 (NTLMV2) is a good countermeasure to LM password cracking (and therefore a correct answer). To do this,set Windows 9x and NT systems to "send NTLMv2 responses only". SYSKEY is an eﬀec ve coun-termeasure. It uses 128 bit encryp on on the local copy of the Windows SAM. If a Windows LM password is 7 characters or less, the has will be passed with the following characters: 0xAAD3B435B51404EE Enforcing Windows complex passwords is an eﬀec ve countermeasure to password cracking. Complex passwords are- greater than 6 characters and have any 3 of the following 4 items: upper case,lower case,special characters,and numbers.

605 Which of the following statements about a zone transfer correct?(Choose three. A. A zone transfer is accomplished with the DNS B. A zone transfer is accomplished with the nslookup service C. A zone transfer passes all zone informa on that a DNS server maintains D. A zone transfer passes all zone informa on that a nslookup server maintains E. A zone transfer can be prevented by blocking all inbound TCP port 53 connec ons F. Zone transfers cannot occur on the Internet

A,C,E 208 Securing DNS servers should be a priority of the organiza wealth of informa on about an organiza on. This informa

776 Bob reads an ar cle about how insecure wireless networks can be. He gets approval from his management to imple-ment a policy of not allowing any wireless devices on the network. What other steps does Bob have to take in order to successfully implement this? (Select 2 answer.) A. Train users in the new policy. B. Disable all wireless protocols at the firewall. C. Disable SNMP on the network so that wireless devices cannot be configured. D. Con nuously survey the area for wireless devices.

A,D If someone installs a access point and connect it to the network there is no way to find it unless you are constantly surveying the area for wireless devices. SNMP and firewalls can not prevent the installa on of wireless devices on the corporate network.

645 Which of the following are well know password-cracking programs?(Choose all that apply. A. L0phtcrack B. NetCat C. Jack the Ripper D. Netbus E. John the Ripper

A,E L0phtcrack and John the Ripper are two well know password-cracking programs. Netcat is considered the Swiss-army knife of hacking tools, but is not used for password cracking

161 A digital signature is simply a message that is encrypted with the public key instead of the private key. A. true B. false

166 Neil is closely monitoring his firewall rules and logs on a regular basis. Some of the users have complained to Neil that there are a few employees who are visi ng oﬀensive web site during work hours, without any considera on for 71 others. Neil knows that he has an up-to-date content filtering system and such access should not be authorized. What type of technique might be used by these oﬀenders to access the Internet without restric on? A. They are using UDP that is always authorized at the firewall B. They are using HTTP tunneling so ware that allows them to communicate with protocols in a way it was not in-tended C. They have been able to compromise the firewall,modify the rules,and give themselves proper access D. They are using an older version of Internet Explorer that allow them to bypass the proxy server

170 "Tes ng the network using the same methodologies and tools employed by a ackers" Iden fy the correct terminology that defines the above statement. A. Vulnerability Scanning B. Penetra on Tes ng C. Security Policy Implementa on D. Designing Network Security

177 What port number is used by LDAP protocol? A. 110 B. 389 C. 464 D. 445

181 When a normal TCP connec on starts, a des na on host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The des na on host must then hear an ACK (acknowledge) of the SYN/ACK before the connec on is established. This is referred to as the "TCP three-way handshake." While wai ng for the ACK to the SYN ACK, a connec on queue of finite size on the des na on host keeps track of connec ons wai ng to be completed. This queue typically emp es quickly since the ACK is expected to arrive a few milliseconds a er the SYN ACK. How would an a acker exploit this design by launching TCP SYN a ack? A. A acker generates TCP SYN packets with random des na on addresses towards a vic m host B. A acker floods TCP SYN packets with random source addresses towards a vic m host C. A acker generates TCP ACK packets with random source addresses towards a vic m host D. A acker generates TCP RST packets with random source addresses towards a vic m host 79

184 Every company needs a formal wri en document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed 81 copies of the policy should be given to every employee as soon as possible a er they join the organiza on. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems un l they have signed the policy in acceptance of its terms. What is this document called? A. Informa on Audit Policy (IAP) B. Informa on Security Policy (ISP) C. Penetra on Tes ng Policy (PTP) D. Company Compliance Policy (CCP)

190 You are trying to break into a highly classified top-secret mainframe computer with highest security system in place at Merclyn Barley Bank located in Los Angeles. You know that conven onal hacking doesn't work in this case, because organiza ons such as banks are generally ght and secure when it comes to protec ng their systems. In other words you are trying to penetrate an otherwise impenetrable system. How would you proceed? A. Look for "zero-day" exploits at various underground hacker websites in Russia and China and buy the necessary exploits from these hackers and target the bank's network B. Try to hang around the local pubs or restaurants near the bank,get talking to a poorly-paid or disgruntled em-ployee,and oﬀer them money if they'll abuse their access privileges by providing you with sensi ve informa on C. Launch DDOS a acks against Merclyn Barley Bank's routers and firewall systems using 100,000 or more "zombies" and "bots" D. Try to conduct Man-in-the-Middle (MiTM) a ack and divert the network traﬃc going to the Merclyn Barley Bank's Webserver to that of your machine using DNS Cache Poisoning techniques

196 Which defini on below best describes a covert channel? A. A server program using a port that is not well known B. Making use of a protocol in a way it was not intended to be used C. It is the mul plexing taking place on a communica on link D. It is one of the weak channels used by WEP that makes it insecure

219 Jacob is looking through a traﬃc log that was captured using Wireshark. Jacob has come across what appears to be SYN requests to an internal computer from a spoofed IP address. What is Jacob seeing here? A. Jacob is seeing a Smurf a ack. B. Jacob is seeing a SYN flood. C. He is seeing a SYN/ACK a ack. D. He has found evidence of an ACK flood.

231 A er a client sends a connec on request (SYN) packet to the server, the server will respond (SYN-ACK) with a sequence number of its choosing, which then must be acknowledged (ACK) by the client. This sequence number is predictable; the a ack connects to a service first with its own IP address, records the sequence number chosen, and then opens a second connec on from a forged IP address. The a ack doesn't see the SYN-ACK (or any other packet) from the server, but can guess the correct responses. If the source IP address is used for authen ca on, then the a acker can use the one-sided communica on to break into the server. What a acks can you successfully launch against a server using the above technique? A. Denial of Service a acks B. Session Hijacking a acks C. Web page defacement a acks D. IP spoofing a acks

233 Harold just got home from working at Henderson LLC where he works as an IT technician. He was able to get oﬀ early because they were not too busy. When he walks into his home oﬃce, he no ces his teenage daughter on the computer, apparently cha ng with someone online. As soon as she hears Harold enter the room, she closes all her windows and tries to act like she was playing a game. When Harold asks her what she was doing, she acts very nervous and does not give him a straight answer. Harold is very concerned because he does not want his daughter to fall vic m to online predators and the sort. Harold doesn't necessarily want to install any programs that will restrict the sites his daughter goes to, because he doesn't want to alert her to his trying to figure out what she is doing. Harold wants to use some kind of program that will track her ac vi es online, and send Harold an email of her ac vity once a day so he can see what she has been up to. What kind of so ware could Harold use to accomplish this? A. Install hardware Keylogger on her computer B. Install screen capturing Spyware on her computer C. Enable Remote Desktop on her computer D. Install VNC on her computer 106

234 You are performing a port scan with nmap. You are in hurry and conduc ng the scans at the fastest possible speed. However, you don't want to sacrifice reliability for speed. If stealth is not an issue, what type of scan should you run to get very reliable results? A. Stealth scan B. Connect scan C. Fragmented packet scan D. XMAS scan

241 A majority of a acks come from insiders, people who have direct access to a company's computer system as part of their job func on or a business rela onship. Who is considered an insider? A. A compe tor to the company because they can directly benefit from the publicity generated by making such an a ack B. Disgruntled employee,customers,suppliers,vendors,business partners,contractors,temps,and consultants C. The CEO of the company because he has access to all of the computer systems D. A government agency since they know the company's computer system strengths and weaknesses

242 Jeremy is web security consultant for Informa on Securitas. Jeremy has just been hired to perform contract work for a large state agency in Michigan. Jeremy's first task is to scan all the company's external websites. Jeremy comes upon a login page which appears to allow employees access to sensi ve areas on the website. James types in the following statement in the username field: SELECT * from Users where username='admin' ?AND password=" AND email like ' %@testers.com %' What will the SQL statement accomplish? A. If the page is suscep ble to SQL injec on,it will look in the Users table for usernames of admin B. This statement will look for users with the name of admin,blank passwords,and email addresses that end in @testers.com C. This Select SQL statement will log James in if there are any users with NULL passwords D. James will be able to see if there are any default user accounts in the SQL database

244 If an a acker's computer sends an IPID of 31400 to a zombie (Idle Scanning) computer on an open port, what will be the response? A. 31400 B. 31402 C. The zombie will not send a response D. 31401

251 Simon is security analyst wri ng signatures for a Snort node he placed internally that captures all mirrored traﬃc from his border firewall. From the following signature, what will Snort look for in the payload of the suspected packets? alert tcp $EXTERNAL _NET any -> $HOME _NET 27374 (msG. "BACKDOOR SIG - SubSseven 22";flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids, 485;) alert A. The payload of 485 is what this Snort signature will look for. B. Snort will look for 0d0a5b52504c5d3030320d0a in the payload. C. Packets that contain the payload of BACKDOOR SIG - SubSseven 22 will be flagged. D. From this snort signature,packets with HOME _NET 27374 in the payload will be flagged.

253 What will the following command produce on a website's login page if executed successfully? SELECT email, passwd, login _id, full _name FROM members WHERE email = '[email protected]'; DROP TABLE members; -' A. This code will insert the [email protected] email address into the members table. B. This command will delete the en re members table. C. It retrieves the password for the first user in the members table. D. This command will not produce anything since the syntax is incorrect.

267 When u lizing technical assessment methods to assess the security posture of a network, which of the following techniques would be most eﬀec ve in determining whether end-user security training would be beneficial? A. Vulnerability scanning B. Social engineering C. Applica on security tes ng 117 D. Network sniﬃng

278 A hacker, who posed as a hea ng and air condi oning specialist, was able to install a sniﬀer program in.a switched environment.network. Which a ack could.the hacker use.to sniﬀ all of the packets in the network? A. Fraggle B. MAC Flood C. Smurf D. Tear Drop

284 When an alert rule is matched in a network-based IDS like snort, the IDS does which of the following? A. Drops the packet and moves on to the next one B. Con nues to evaluate the packet un l all rules are checked C. Stops checking rules,sends an alert,and lets the packet con nue 121 D. Blocks the connec on with the source IP address in the packet

305 Which tool can be used to silently copy files from USB devices? A. USB Grabber B. USB Dumper C. USB Sniﬀer D. USB Snoopy

307 126 A bank stores and processes sensi ve privacy informa on related to home loans..However, audi ng has never been enabled on the system..What is the first step that the bank should take before.enabling.the audit feature? A. Perform a vulnerability scan of the system. B. Determine the impact of enabling the audit feature. C. Perform a cost/benefit analysis of the audit feature. D. Allocate funds for staﬃng of audit log review.

308 A consultant has been hired by the V.P. of a large financial organiza on to assess the company's security pos-ture..During the security tes ng, the consultant comes across child pornography on the V.P.'s computer..What is the consultant's obliga on to the financial organiza on? A. Say nothing and con nue with the security tes ng. B. Stop work immediately and contact the authori es. C. Delete the pornography,say nothing,and con nue security tes ng. D. Bring the discovery to the financial organiza on's human resource department.

312 What.is the most secure way to mi gate the the of corporate informa on from a laptop.that was le in a hotel room? A. Set a BIOS password. B. Encrypt the data on the hard drive. C. Use a strong logon password to the opera ng system. D. Back up everything on the laptop and store the backup in a safe place.

318 A security consultant is trying to bid on a large contract that involves penetra on tes ng and repor ng. The company accep ng bids wants proof of work so the consultant prints out several audits that have been performed. Which of the following is likely to occur as a result? A. The consultant will ask for money on the bid because of great work. B. The consultant.may expose vulnerabili es of other companies. C. The company accep ng bids will want the same type of format of tes ng. D. The company accep ng bids will hire the consultant because of the great work performed.

320 What is the outcome of the commqnc -l -p 2222 | nc 10.1.0.43 1234"? A. Netcat will listen on the 10.1.0.43 interface for 1234 seconds.on port 2222. B. Netcat will listen on port 2222 and output anything received to a remote connec on on 10.1.0.43.port 1234. C. Netcat will listen for a connec on from 10.1.0.43 on port 1234 and output anything received to port 2222. D. Netcat will listen on port 2222 and then output anything received to local interface 10.1.0.43.

328 Data hiding analysis can be useful in A. determining the level of encryp on used to encrypt the data. B. detec ng and recovering data that may indicate knowledge,ownership or intent. C. iden fying the amount of central processing unit (cpu) usage over me to process the data. D. preven ng a denial of service a ack on a set of enterprise servers to prevent users from accessing the data.

332 Which of the following is a protocol that is prone to a man-in-the-middle (MITM) a ack and maps a 32-bit address to a 48-bit address? A. ICPM B. ARP C. RARP D. ICMP

336 Which NMAP command combina on would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprin ng and service detec on? A. NMAP.-PN -A -O -sS 192.168.2.0/24 B. NMAP.-P0 -A -O -p1-65535 192.168.0/24 C. NMAP.-P0 -A -sT -p0-65535 192.168.0/16 D. NMAP.-PN -O -sS -p 1-1024 192.168.0/8

342 Which of the following is an example of an asymmetric encryp on implementa on? A. SHA1 B. PGP C. 3DES D. MD5

343 What is the purpose of conduc ng security assessments on network resources? A. Documenta on B. Valida on C. Implementa on D. Management 135

346 Which of the following is a characteris c of Public Key Infrastructure.(PKI)? A. Public-key cryptosystems are faster than.symmetric-key cryptosystems. B. Public-key cryptosystems distribute public-keys within digital signatures. C. Public-key cryptosystems do not require a secure key distribu on channel. D. Public-key cryptosystems do not provide technical non-repudia on via digital signatures.

353 A penetra on tester is a emp ng to scan an internal corporate network from the internet without aler ng the border sensor. Which is the most eﬃcient technique should the tester consider using? A. Spoofing an IP address B. Tunneling scan over SSH C. Tunneling over high port numbers D. Scanning using fragmented IP packets

354 A circuit level gateway works at which of the following layers of the OSI Model? A. Layer 5 - Applica on B. Layer 4 Ƀ TCP C. Layer 3 Ƀ Internet protocol D. Layer 2 Ƀ Data link

360 A security policy will be more accepted by employees if it is consistent and has the support of A. coworkers. B. execu ve management. C. the security oﬃcer. D. a supervisor.

366 Which of the following is an example of IP spoofing? A. SQL injec ons B. Man-in-the-middle C. Cross-site scrip ng D. ARP poisoning

367 Which of the following processes of PKI (Public Key Infrastructure) ensures that a trust rela onship exists and that a cer ficate is s ll valid for specific opera ons? A. Cer ficate issuance B. Cer ficate valida on C. Cer ficate.cryptography D. Cer ficate revoca on

369 When crea ng a security program, which approach would be used if senior management is suppor ng and enforcing the security policy? A. A.bo om-up approach B. A top-down approach C. A senior crea on approach D. An IT assurance approach

371 Which Open Web Applica on Security Project (OWASP) implements a web applica on full of known vulnerabili es? A. WebBugs B. WebGoat C. VULN _HTML D. WebScarab

374 To send a PGP encrypted message, which piece of informa on from the recipient must the sender have before en-cryp ng the message? 142 A. Recipient's private key B. Recipient's public key C. Master encryp on key D. Sender's public key

375 An a acker has been successfully modifying the purchase price of items purchased on.the company's.web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detec on System (IDS) logs and found no a acks that could have caused this. What is the mostly likely way the a acker has been able to modify the.purchase price? A. By using SQL injec on B. By changing hidden form values C. By using cross site scrip ng D. By.u lizing a buﬀer overflow a ack

380 Which type of scan is used on the eye to measure the layer of blood vessels? A. Facial recogni on scan B. Re nal scan C. Iris scan D. Signature kine cs scan

383 A hacker was able to sniﬀ packets on a company's wireless network. The following informa on was discovereD. The Key.10110010 01001011 The Cyphertext 01100101 01011010 Using the Exlcusive OR, what was the original message? A. 00101000 11101110 B. 11010111 00010001 C. 00001101 10100100 D. 11110010 01011011

385 Which solu on can be.used to emulate computer services, such as mail and p, and to capture informa on related to logins or ac ons? A. Firewall B. Honeypot C. Core server D. Layer 4 switch

388 Which type of intrusion detec on system can monitor and alert on a acks, but cannot stop them? A. Detec ve B. Passive C. Intui ve D. Reac ve 146

391 Which results will be returned with the following Google search query? site:target.com -site:Marke ng.target.com accoun ng A. Results matching all words in the query B. Results matching paccoun ngq in domain target.com but.not on the site Marke ng.target.com C. Results from matches on the site marke ng.target.com that are in the domain target.com but do not include the word accoun ng D. Results for matches on target.com and Marke ng.target.com that include the word paccoun ngq

393 Which type of security document is wri en with specific step-by-step details? A. Process B. Procedure C. Policy D. Paradigm

394 A.cer fied ethical hacker (CEH).completed a penetra on test of the main headquarters of.a company.almost two months ago, but has yet to get paid..The customer is suﬀering from financial problems, and the CEH is worried that the company will go out of business and end up not paying..What ac ons should.the CEH.take? A. Threaten to publish the penetra on test results if not paid. B. Follow proper legal procedures against the company to request payment. C. Tell other customers of the financial problems with payments from this company. D. Exploit some of the vulnerabili es found on the company webserver to deface it.

402 Which of the following algorithms provides be er protec on against brute force a acks by using a 160-bit message digest? A. MD5 B. SHA-1 C. RC4 D. MD4

403 Company A and Company B have just merged and each has its own Public Key Infrastructure (PKI). What must the Cer ficate Authori es (CAs) establish so that the private PKIs for Company A and Company B trust one another and each private PKI can validate digital cer ficates from the other company? A. Poly key exchange B. Cross cer fica on C. Poly.key reference D. Cross-site exchange

418 The Open Web Applica on Security Project (OWASP) tes ng methodology addresses the need to secure web applica-ons by providing which one of the following services? A. An extensible security framework named COBIT B. A list of flaws and how to fix them C. Web applica on patches D. A security cer fica on for hardened web applica ons

421 Which of the following describes the characteris cs of a Boot Sector Virus? A. Moves the MBR to another loca on on the.RAM and copies itself to the original loca on of the MBR B. Moves the MBR to another loca on on the hard disk and copies itself to the original loca on of the MBR C. Modifies directory table entries so that directory entries point to the virus code instead of the actual program D. Overwrites the original MBR and only executes the new virus code

423 The precau on of prohibi ng employees from bringing personal compu ng devices into a facility is what type of security control? A. Physical B. Procedural C. Technical D. Compliance.

444 Which statement is.TRUE.regarding network firewalls preven ng Web Applica on a acks? A. Network firewalls can prevent a acks because they can detect malicious HTTP traﬃc. B. Network firewalls cannot prevent a acks because ports 80 and 443 must be opened. C. Network firewalls can prevent a acks if they are properly configured. D. Network firewalls cannot prevent a acks because.they are.too complex to configure.

448 When analyzing the IDS logs, the.system administrator no ces connec ons from outside of the LAN have been sending packets where the Source IP address and Des na on IP address.are the same. There have been no alerts sent.via email or logged in the IDS. Which type of.an alert.is this? A. False posi ve B. False nega ve C. True posi ve D. True nega ve

451 Which of the following is a component of a risk assessment? A. Physical security B. Administra ve safeguards C. DMZ D. Logical interface

456 Which of the following programming languages is most vulnerable to buﬀer overflow a acks? A. Perl B. C++ C. Python D. Java

459 Which of the following can the administrator do to verify that a tape backup can be recovered in its en rety? A. Restore a random file. B. Perform a full restore. C. Read the first 512 bytes of the tape. 162 D. Read the last 512 bytes of the tape.

469 An.ethical hacker for a large security research firm performs penetra on tests, vulnerability tests, and risk assess-ments. A friend.recently started.a company and asks the hacker to perform a penetra on test and vulnerability as-sessment of the new company as a favor..What should the hacker's next step be before star ng work on this job? A. Start by foot prin ng the network and mapping out a plan of a ack. B. Ask the employer for.authoriza on to perform the work outside the company. C. Begin the reconnaissance phase with passive informa on gathering and then move into ac ve informa on gather-ing. D. Use social engineering techniques on the friend's employees to help iden fy areas that may be suscep ble to a ack.

478 What are the three types of authen ca on? A. Something you: know,remember,prove B. Something you: have,know,are C. Something you: show,prove,are D. Something you: show,have,prove 167

482 Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly func on? A. Fast processor to help with network traﬃc analysis B. They must be dual-homed C. Similar RAM requirements D. Fast network interface cards

486 A tester.has been hired to do a web applica on security test. The tester no ces that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injec on is possible, what is the first character that.the tester should use to a empt breaking a valid SQL request? A. Semicolon B. Single quote C. Exclama on mark D. Double quote

491 During a penetra on test, a tester.finds that the web applica on being analyzed is vulnerable to Cross Site Scrip ng (XSS). Which of the following condi ons must be met to exploit this vulnerability? A. The.web applica on does not have the secure flag set. B. The session cookies.do not have the H pOnly flag set. C. The vic m user should not have an endpoint security solu on. D. The vic m's browser must have Ac veX technology enabled.

497 169 A consultant.is hired to do physical penetra on tes ng at a large financial company. In the first day of his assessment, the consultant goes to the company's building dressed like an.electrician and waits in the lobby for an employee to pass through the main access gate, then the consultant follows the employee behind to get into the restricted area. Which type of a ack.did the consultant perform? A. Man trap B. Tailga ng C. Shoulder surfing D. Social engineering

507 A company is legally liable for the content of email that is sent from its systems, regardless of whether the message was sent for private or business-related purposes. This could lead to prosecu on for the sender and for the company's directors if, for example, outgoing email was found to contain material that was pornographic, racist, or likely to incite someone to commit an act of terrorism. You can always defend yourself by "ignorance of the law" clause. A. true B. false

521 User which Federal Statutes does FBI inves gate for computer crimes involving e-mail scams and mail fraud? A. 18 U.S.C 1029 Possession of Access Devices B. 18 U.S.C 1030 Fraud and related ac vity in connec on with computers C. 18 U.S.C 1343 Fraud by wire,radio or television D. 18 U.S.C 1361 Injury to Government Property E. 18 U.S.C 1362 Government communica on systems F. 18 U.S.C 1831 Economic Espionage Act G. 18 U.S.C 1832 Trade Secrets Act

523 Which one of the following is defined as the process of distribu ng incorrect Internet Protocol (IP) addresses/names with the intent of diver ng traﬃc? A. Network aliasing B. Domain Name Server (DNS) poisoning C. Reverse Address Resolu on Protocol (ARP) D. Port scanning

524 A XYZ security System Administrator is reviewing the network system log files. He notes the following: -Network log files are at 5 MB at 12:00 noon. -At 14:00 hours,the log files at 3 MB. What should he assume has happened and what should he do about the situa on? A. He should contact the a ackeros ISP as soon as possible and have the connec on disconnected. B. He should log the event as suspicious ac vity,con nue to inves gate,and take further steps according to site security policy. C. He should log the file size,and archive the informa on,because the router crashed. 179 D. He should run a file system check,because the Syslog server has a self correc ng file system problem. E. He should disconnect from the Internet discon nue any further unauthorized use,because an a ack has taken place.

526 Snort has been used to capture packets on the network. On studying the packets, the penetra on tester finds it to be abnormal. If you were the penetra on tester, why would you find this abnormal? What is odd about this a ack? (Choose the most appropriate statement) A. This is not a spoofed packet as the IP stack has increasing numbers for the three flags. B. This is back orifice ac vity as the scan comes from port 31337. C. The a acker wants to avoid crea ng a sub-carrier connec on that is not normally valid. D. There packets were created by a tool; they were not created by a standard IP stack.

527 Your XYZ trainee Sandra asks you which are the four exis ng Regional Internet Registry (RIR's)? A. APNIC,PICNIC,ARIN,LACNIC B. RIPE NCC,LACNIC,ARIN,APNIC C. RIPE NCC,NANIC,ARIN,APNIC D. RIPE NCC,ARIN,APNIC,LATNIC

528 A very useful resource for passively gathering informa on about a target company is: A. Host scanning B. Whois search C. Traceroute D. Ping sweep

56 What does FIN in TCP flag define? A. Used to abort a TCP connec on abruptly 28 B. Used to close a TCP connec on C. Used to acknowledge receipt of a previous packet or transmission D. Used to indicate the beginning of a TCP connec on

661 Which type of a ack is port scanning? A. Web server a ack B. Informa on gathering C. Unauthorized access D. Denial of service a ack

811 Rebecca is a security analyst and knows of a local root exploit that has the ability to enable local users to use available exploits to gain root privileges. This vulnerability exploits a condi on in the Linux kernel within the execve() system 278 call. There is no known workaround that exists for this vulnerability. What is the correct ac on to be taken by Rebecca in this situa on as a recommenda on to management? A. Rebecca should make a recommenda on to disable the() system call B. Rebecca should make a recommenda on to upgrade the Linux kernel promptly C. Rebecca should make a recommenda on to set all child-process to sleep within the execve() D. Rebecca should make a recommenda on to hire more system administrators to monitor all child processes to ensure that each child process can't elevate privilege

470 A large.company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking a ack method to demonstrate how an a acker could cir-cumvent perimeter defenses and gain access to the.corporate network. What tool should the analyst use to perform a Blackjacking a ack? A. Paros Proxy B. BBProxy C. BBCrack D. Blooover

B 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00229.jpg 165 Latest ECCouncil 312-50v8 Real Exam Download 471-480 (2014-05-12 11:16)

480 While checking the se ngs on the internet browser, a technician finds that the proxy server se ngs have been checked and.a computer is trying to use itself as a proxy server..What specific octet within the subnet does the tech-nician see? A. 10.10.10.10 B. 127.0.0.1 C. 192.168.1.1 D. 192.168.168.168

B 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00230.jpg Latest ECCouncil 312-50v8 Real Exam Download 491-500 (2014-05-12 11:17)

693 Which one of the following ins gates a SYN flood a ack? A. Genera ng excessive broadcast packets. B. Crea ng a high number of half-open connec ons. C. Inser ng repe ve Internet Relay Chat (IRC) messages. D. A large number of Internet Control Message Protocol (ICMP) traces.

B A SYN a ack occurs when an a acker exploits the use of the buﬀer space during a Transmission Control Protocol (TCP) session ini aliza on handshake.The a acker floods the target system's small "in-process" queue with connec on requests,but it does not respond when a target system replies to those requests.This causes the target system to me out while wai ng for the proper response,which makes the system crash or become unusable.

552 What port scanning method is the most reliable but also the most detectable? A. Null Scanning B. Connect Scanning C. ICMP Scanning D. Idlescan Scanning E. Half Scanning F. Verbose Scanning

B A TCP Connect scan,named a er the Unix connect() system call is the most accurate scanning method. If a port is open the opera ng system completes the TCP three-way handshake,and the port scanner immediately closes the connec on.

666 What is a Trojan Horse? A. A malicious program that captures your username and password B. Malicious code masquerading as or replacing legi mate code C. An unauthorized user who gains access to your user database and adds themselves as a user D. A server that is to be sacrificed to all hacking a empts in order to log and monitor the hacking ac vity

B A Trojan Horse is an apparently useful and innocent program containing addi onal hidden code which allows the unauthorized collec on,exploita on,falsifica on,or destruc on of data.

614 Which defini on among those given below best describes a covert channel? 211 A. A server program using a port that is not well known. B. Making use of a protocol in a way it is not intended to be used. C. It is the mul plexing taking place on a communica on link. D. It is one of the weak channels used by WEP which makes it insecure.

B A covert channel is described as: "any communica on channel that can be exploited by a process to transfer infor-ma on in a manner that violates the systems security policy." Essen ally,it is a method of communica on that is not part of an actual computer system design,but can be used to transfer informa on to users or system processes that normally would not be allowed access to the informa on.

695 What happens when one experiences a ping of death? A. This is when an IP datagram is received with the pprotocolq field in the IP header set to 1 (ICMP) and the ptypeq field in the ICMP header is set to 18 (Address Mask Reply). B. This is when an IP datagram is received with the pprotocolq field in the IP header set to 1 (ICMP),the Last Fragment bit is set,and (IP oﬀset n 8) + (IP data length) >65535. In other words,the IP oﬀset (which represents the star ng posi on of this fragment in the original packet,and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet. C. This is when an IP datagram is received with the pprotocolq field in the IP header set to 1 (ICMP) and the source equal to des na on address. D. This is when an the IP header is set to 1 (ICMP) and the ptypeq field in the ICMP header is set to 5 (Redirect).

B A hacker can send an IP packet to a vulnerable machine such that the las ragment contains an oﬀest where (IP oﬀset *8) + (IP data length)>65535.This means that when the packet is reassembled,its total length is largerthan the legal limit,causing buﬀer overruns in the machine's OS (becousethe buﬀer sizes are defined only to accomodate the maxi-mum allowed size o he packet based on RFC 791)...IDS can generally recongize such a acks bylooking for packet frag-ments that have the IP header's protocol field set to1 (ICMP),the last bit set,and (IP oﬀset *8) +(IP data length)>65535" CCIE Professional Development Network Security Principles and Prac ces by Saadat Malik pg 414 "Ping of Death" at-tacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data),containing aminimum of 20 octets of IP header informa on and zero or more octets ofop onal informa on,with the rest of the packet being data. Ping of Deathat-tacks can cause crashing,freezing,and reboo ng.

616 Eric has discovered a fantas c package of tools named Dsniﬀ on the Internet. He has learnt to use these tools in his lab and is now ready for real world exploita on. He was able to eﬀec vely intercept communica ons between the two en es and establish creden als with both sides of the connec ons. The two remote ends of the communica on never no ce that Eric is relaying the informa on between the two. What would you call this a ack? A. Interceptor B. Man-in-the-middle C. ARP Proxy D. Poisoning A ack

B A man-in-the-middle a ack (MITM) is an a ack in which an a acker is able to read,insert and modify at will,messages between two par es without either party knowing that the link between them has been compromised.

833 When referring to the Domain Name Service, what is denoted by a nzoneo? A. It is the first domain that belongs to a company. B. It is a collec on of resource records. C. It is the first resource record type in the SOA. D. It is a collec on of domains.

B A reasonable defini on of a zone would be a por on of the DNS namespace where responsibility has been delegated.

780 Ma hew re-injects a captured wireless packet back onto the network. He does this hundreds of mes within a second. The packet is correctly encrypted and Ma hew assumes it is an ARP request packet. The wireless host responds with a stream of responses, all individually encrypted with diﬀerent IVs. What is this a ack most appropriately called? A. Spoof a ack B. Replay a ack C. Injec on a ack D. Rebound a ack

B A replay a ack is a form of network a ack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it,possibly as part of a masquerade a ack by IP packet subs tu on (such as stream cipher a ack). 267 Latest ECCouncil 312-50v8 Real Exam Download 781-790 (2014-05-12 14:17)

712 John is using tokens for the purpose of strong authen ca on. He is not confident that his security is considerably strong. In the context of Session hijacking why would you consider this as a false sense of security? A. The token based security cannot be easily defeated. B. The connec on can be taken over a er authen ca on. C. A token is not considered strong authen ca on. D. Token security is not widely used in the industry.

B A token will give you a more secure authen ca on,but the tokens will not help against a acks that are directed against you a er you have been authen cated.

790 Which of the following is one of the key features found in a worm but not seen in a virus? A. The payload is very small,usually below 800 bytes. B. It is self replica ng without need for user interven on. C. It does not have the ability to propagate on its own. D. All of them cannot be detected by virus scanners. 270

B A worm is similar to a virus by its design,and is considered to be a sub-class of a virus. Worms spread from computer to computer,but unlike a virus,it has the capability to travel without any help from a person. A worm takes advantage of file or informa on transport features on your system,which allows it to travel unaided. Latest ECCouncil 312-50v8 Real Exam Download 791-800 (2014-05-12 14:20)

656 What file system vulnerability does the following command take advantage of? type c:anyfile.exe > c:winntsystem32calc.exe:anyfile.exe A. HFS B. ADS C. NTFS D. Backdoor access

B ADS (or Alternate Data Streams) is a pfeatureq in the NTFS file system that makes it possible to hide informa on in alternate data streams in exis ng files. The file can have mul ple data streams and the data streams are accessed by filename:stream.

747 Liza has forgo en her password to an online bookstore. The web applica on asks her to key in her email so that they can send her the password. Liza enters her email [email protected]'. The applica on displays server error. What is wrong with the web applica on? A. The email is not valid B. User input is not sani zed C. The web server may be down D. The ISP connec on is not reliable

B All input from web browsers,such as user data from HTML forms and cookies,must be stripped of special charac-ters and HTML tags as described in the following CERT advisories: h p://www.cert.org/advisories/CA-1997-25.html h p://www.cert.org/advisories/CA-2000-02.html

728 You visit a website to retrieve the lis ng of a company's staﬀ members. But you can not find it on the website. You know the lis ng was certainly present one year before. How can you retrieve informa on from the outdated website? A. Through Google searching cached files B. Through Archive.org C. Download the website and crawl it D. Visit customers' and prtners' websites

B Archive.org mirrors websites and categorizes them by date and month depending on the crawl me. Archive.org dates back to 1996,Google is incorrect because the cache is only as recent as the latest crawl,the cache is over-wri en on each subsequent crawl. Download the website is incorrect becausethat's the same as what you see online. Visi ng customer partners websites is just bogus. The answer is then Firmly,C,archive.org

713 250 What is the key advantage of Session Hijacking? A. It can be easily done and does not require sophis cated skills. B. You can take advantage of an authen cated connec on. C. You can successfully predict the sequence number genera on. D. You cannot be traced in case the hijack is detected.

B As an a acker you donot have to steal an account and password in order to take advantage of an authen cated connec on.

745 What does black box tes ng mean? 257 A. You have full knowledge of the environment B. You have no knowledge of the environment C. You have par al knowledge of the environment

B Black box tes ng is conducted when you have no knowledge of the environment. It is more me consuming and expensive.

628 If a token and 4-digit personal iden fica on number (PIN) are used to access a computer system and the token per-forms oﬀ-line checking for the correct PIN, what type of a ack is possible? A. Birthday B. Brute force C. Man-in-the-middle D. Smurf

B Brute force a acks are performed with tools that cycle through many possible character,number,and symbol combi-na ons to guess a password. Since the token allows oﬄine checking of PIN,the cracker can keep trying PINS un l it is cracked.

742 Scanning for services is an easy job for Bob as there are so many tools available from the Internet. In order for him to check the vulnerability of XYZ, he went through a few scanners that are currently available. Here are the scanners that he uses: 1. Axentos NetRecon (h p://www.axent.com) 2. SARA, by Advanced Research Organiza on (h p://www-arc.com/sara) 256 3. VLAD the Scanner, by Razor (h p://razor.bindview.com/tools/) However, there are many other alterna ve ways to make sure that the services that have been scanned will be more accurate and detailed for Bob. What would be the best method to accurately iden fy the services running on a vic m host? A. Using Cheops-ng to iden fy the devices ofXYZ. B. Using the manual method of telnet to each of the open ports ofXYZ. C. Using a vulnerability scanner to try to probe each port to verify or figure out which service is running forXYZ. D. Using the default port and OS to make a best guess of what services are running on each port forXYZ.

B By running a telnet connec on to the open ports you will receive banners that tells you what service is answering on that specific port.

723 Bart is looking for a Windows NT/2000/XP command-line tool that can be used to assign, display, or modify ACLos (access control lists) to files or folders and also one that can be used within batch files. Which of the following tools can be used for that purpose? (Choose the best answer) A. PERM.exe B. CACLS.exe C. CLACS.exe D. NTPERM.exe

B Cacls.exe is a Windows NT/2000/XP command-line tool you can use to assign,display,or modify ACLs (access control lists) to files or folders. Cacls is an interac ve tool,and since it's a command-line u lity,you can also use it in batch files.

731 This kind of a ack will let you assume a users iden ty at a dynamically generated web page or site: A. SQL Injec on B. Cross Site Scrip ng C. Session Hijacking D. Zone Transfer

B Cross-site scrip ng (XSS) is a type of computer security vulnerability typically found in web applica ons which allow code injec on by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scrip ng vulnerability can be used by a ackers to bypass access controls such as the same origin policy.

812 What is Cygwin? A. Cygwin is a free C++ compiler that runs on Windows B. Cygwin is a free Unix subsystem that runs on top of Windows C. Cygwin is a free Windows subsystem that runs on top of Linux D. Cygwin is a X Windows GUI subsytem that runs on top of Linux GNOME environment

B Cygwin is a Linux-like environment for Windows. It consists of two parts: A DLL (cygwin1.dll) which acts as a Linux API emula on layer providing substan al LinuxAPI func onality A collec on of tools which provide Linux look and feel The Cygwin DLL works with all non-beta,non "release candidate",ix86 32 bit versions of Windows since Windows 95,with the excep on of Windows CE.

720 252 Tess King is making use of Digest Authen ca on for her Web site. Why is this considered to be more secure than Basic authen ca on? A. Basic authen ca on is broken B. The password is never sent in clear text over the network C. The password sent in clear text over the network is never reused. D. It is based on Kerberos authen ca on protocol

B Digest access authen ca on is one of the agreed methods a web page can use to nego ate creden als with a web user (using the HTTP protocol). This method builds upon (and obsoletes) the basic authen ca on scheme,allowing user iden ty to be established without having to send a password in plaintext over the network. Latest ECCouncil 312-50v8 Real Exam Download 731-740 (2014-05-12 14:06)

817 Peter is a Linux network admin. As a knowledgeable security consultant, he turns to you to look for help on a fire-wall. He wants to use Linux as his firewall and use the latest freely available version that is oﬀered. What do you recommend? 280 Select the best answer. A. Ipchains B. Iptables C. Checkpoint FW for Linux D. Ipfwadm

B Explana ons: Ipchains was improved over ipfwadm with its chaining mechanism so that it can have mul ple rulesets. However,it isn't the latest version of a free Linux firewall. Iptables replaced ipchains and is the latest of the free Linux firewall tools. Any Checkpoint firewall is not going to meet Jason's desire to have a free firewall. Ipfwadm is used to build Linux firewall rules prior to 2.2.0. It is a outdated version.

819 You are a emp ng to map out the firewall policy for an organiza on. You discover your target system is one hop beyond the firewall. Using hping2, you send SYN packets with the exact TTL of the target system star ng at port 1 and going up to port 1024. What is this process known as? A. Footprin ng B. Firewalking C. Enumera on 281 D. Idle scanning

B Firewalking uses a traceroute-like IP packet analysis to determine whether or not a par cular packet can pass from the a ackeros host to a des na on host through a packet-filtering device. This technique can be used to map nopeno or npass througho ports on a gateway. More over,it can determine whether packets with various control informa on can pass through a given gateway.

844 To scan a host downstream from a security gateway, Firewalking: A. Sends a UDP-based packet that it knows will be blocked by the firewall to determine how specifically the firewall responds to such packets B. Uses the TTL func on to send packets with a TTL value set to expire one hop past the iden fied security gateway C. Sends an ICMP "administra vely prohibited" packet to determine if the gateway will drop the packet without com-ment. 289 D. Assesses the security rules that relate to the target system before it sends packets to any hops on the route to the gateway

551 What port scanning method involves sending spoofed packets to a target system and then looking for adjustments to the IPID on a zombie system? A. Blind Port Scanning B. Idle Scanning C. Bounce Scanning D. Stealth Scanning E. UDP Scanning

B From NMAP: -sI <zombie host[:probeport]> Idlescan: This advanced scan method allows for a truly blind TCP port scan of the target (meaning no packets are sent to the tar- get from your real IP address). Instead,a unique side-channel a ack exploits predictable "IP fragmenta on ID" sequence genera on on the zombie hos o glean informa on about the open ports on the target.

621 Exhibit: Based on the following extract from the log of a compromised machine, what is the hacker really trying to steal? 214 A. har.txt B. SAM file C. wwwroot D. Repair file

B He is actually trying to get the file har.txt but this file contains a copy of the SAM file.

709 Henry is an a acker and wants to gain control of a system and use it to flood a target system with requests, so as to prevent legi mate users from gaining access. What type of a ack is Henry using? A. Henry is execu ng commands or viewing data outside the intended target path B. Henry is using a denial of service a ack which is a valid threat used by an a acker C. Henry is taking advantage of an incorrect configura on that leads to access with higher-than-expected privilege D. Henry uses poorly designed input valida on rou nes to create or alter commands to gain access to unintended data or execute commands 245

B Henryos inten on is to perform a DoS a ack against his target,possibly a DDoS a ack. He uses systems other than his own to perform the a ack in order to cover the tracks back to him and to get more ppunchq in the DoS a ack if he uses mul ple systems.

555 What ICMP message types are used by the ping command? A. Timestamp request (13) and mestamp reply (14) B. Echo request (8) and Echo reply (0) C. Echo request (0) and Echo reply (1) D. Ping request (1) and Ping reply (2)

B ICMP Type 0 = Echo Reply,ICMP Type 8 = Echo

533 While footprin ng a network, what port/service should you look for to a empt a zone transfer? A. 53 UDP B. 53 TCP C. 25 UDP D. 25 TCP E. 161 UDP F. 22 TCP G. 60 TCP

B IF TCP port 53 is detected,the opportunity to a empt a zone transfer is there.

545 War dialing is a very old a ack and depicted in movies that were made years ago. Why would a modem security tester consider using such an old technique? A. It is cool,and if it works in the movies it must work in real life. B. It allows circumven on of protec on mechanisms by being on the internal network. C. It allows circumven on of the company PBX. D. A good security tester would not use such a derelict technique.

B If you are lucky and find a modem that answers and is connected to the target network,it usually is less protected (as only employees are supposed to know of its existence) and once connected you donot need to take evasive ac ons towards any firewalls or IDS.

632 A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniﬀ the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in. What do you think is the most likely reason behind this? A. There is a NIDS present on that segment. B. Kerberos is preven ng it. C. Windows logons cannot be sniﬀed. D. L0phtcrack only sniﬀs logons to web servers.

B In a Windows 2000 network using Kerberos you normally use pre-authen ca on and the user password never leaves the local machine so it is never exposed to the network so it should not be able to be sniﬀed.

700 What is the goal of a Denial of Service A ack? A. Capture files from a remote computer. B. Render a network or computer incapable of providing normal service. C. Exploit a weakness in the TCP stack. D. Execute service at PS 1009.

B In computer security,a denial-of-service a ack (DoS a ack) is an a empt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers,and the a ack a empts to make the hosted web pages unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB). 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00241.jpg Latest ECCouncil 312-50v8 Real Exam Download 701-710 (2014-05-12 14:03)

798 What is the name of the so ware tool used to crack a single account on Netware Servers using a dic onary a ack? A. NPWCrack B. NWPCrack C. NovCrack D. CrackNov E. GetCrack

B NWPCrack is the so ware tool used to crack single accounts on Netware servers.

584 Which of the following commands runs snort in packet logger mode? A. ./snort -dev -h ./log B. ./snort -dev -l ./log C. ./snort -dev -o ./log D. ./snort -dev -p ./log

B Note: If you want to store the packages in binary mode for later analysis use ./snort -l ./log -b

585 200 Which of the following command line switch would you use for OS detec on in Nmap? A. -D B. -O C. -P D. -X

B OS DETECTION: -O: Enable OS detec on (try 2nd genera on w/fallback to 1st) -O2: Only use the new OS detec on system (no fallback) -O1: Only use the old (1st genera on) OS detec on system -osscan-limit: Limit OS detec on to promising targets -osscan-guess: Guess OS more aggressively

635 What is the algorithm used by LM for Windows2000 SAM? A. MD4 B. DES C. SHA D. SSL

B Okay, this is a tricky ques on. We say B,DES, but it could be A pMD4q depending on what their asking - Windows 2000/XP keeps users passwords not "apparently",but as hashes,i.e. actually as "check sum" of the passwords. Let's go into the passwords keeping at large. The most interes ng structure of the complex SAM-file building is so called V-block. It's size is 32 bytes and it includes hashes of the password for the local entering: NT Hash of 16-byte length,and hash used during the authen ca on of access to the common resources of other computers LanMan Hash,or simply LM Hash,of the same 16-byte length. Algorithms of the forma on of these hashes are following: NT Hash forma on: 1. User password is being generated to the Unicode-line. 2. Hash is being generated based on this line using MD4 algorithm. 3. Gained hash in being encoded by the DES algorithm, RID (i.e. user iden fier) had been used as a key. It was necessary for gaining variant hashes for users who have equal passwords. You remember that all users have diﬀerent RIDs (RID of the Administrator's built in account is 500, RID of the Guest's built in account is 501, all other users get RIDs equal 1000, 1001, 1002, etc.). LM Hash forma on: 1. User password is being shi ed to capitals and added by nulls up to 14-byte length. 2. Gained line is divided on halves 7 bytes each, and each of them is being encoded separately using DES, output is 8-byte hash and total 16-byte hash. 3. Then LM Hash is being addi onally encoded the same way as it had been done in the NT Hash forma on algorithm step 3.

531 According to the CEH methodology, what is the next step to be performed a er footprin ng? A. Enumera on B. Scanning 181 C. System Hacking D. Social Engineering E. Expanding Influence

B Once footprin ng has been completed,scanning should be a empted next. Scanning should take place on two dis nct levels: network and host.

680 A POP3 client contacts the POP3 server: A. To send mail B. To receive mail C. to send and receive mail 231 D. to get the address to send mail to E. ini ate a UDP SMTP connec on to read mail

B POP is used to receive e-mail. SMTP is used to send e-mail. Latest ECCouncil 312-50v8 Real Exam Download 661-670 (2014-05-12 13:59)

717 You want to carry out session hijacking on a remote server. The server and the client are communica ng via TCP a er a successful TCP three way handshake. The server has just received packet #120 from the client. The client has a receive window of 200 and the server has a receive window of 250. Within what range of sequence numbers should a packet, sent by the client fall in order to be accepted by the server? A. 200-250 B. 121-371 C. 120-321 D. 121-231 E. 120-370

B Package number 120 have already been received by the server and the window is 250 packets,so any package number from 121 (next in sequence) to 371 (121+250).

646 Password cracking programs reverse the hashing process to recover passwords.(True/False. A. True B. False

B Password cracking programs do not reverse the hashing process. Hashing is a one-way process. What these programs can do is to encrypt words, phrases, and characters using the same encryp on process and compare them to the original password. A hashed match reveals the true password.

534 Your lab partner is trying to find out more informa on about a compe tors web site. The site has a .com extension. She has decided to use some online whois tools and look in one of the regional Internet registrys. Which one would you suggest she looks in first? A. LACNIC 182 B. ARIN C. APNIC D. RIPE E. AfriNIC

B Regional registries maintain records from the areas from which they govern. ARIN is responsible for domains served within North and South America and therefore,would be a good star ng point for a .com domain.

640 _ _ _ _ _ _ _ _ _ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes. A. Trojan B. RootKit C. DoS tool D. Scanner E. Backdoor

B Rootkits are tools that can hide processes from the process list,can hide files,registryentries,and intercept keystrokes. Latest ECCouncil 312-50v8 Real Exam Download 641-650 (2014-05-12 13:56)

579 While performing ping scans into a target network you get a fran c call from the organiza onos security team. They report that they are under a denial of service a ack. When you stop your scan, the smurf a ack event stops showing up on the organiza onos IDS monitor. How can you modify your scan to prevent triggering this event in the IDS? A. Scan more slowly. B. Do not scan the broadcast IP. C. Spoof the source IP address. D. Only scan the Windows systems.

B Scanning the broadcast address makes the scan target all IP addresses on that subnet at the same me.

719 Which of the following a acks takes best advantage of an exis ng authen cated connec on? A. Spoofing B. Session Hijacking C. Password Sniﬃng D. Password Guessing

B Session hijacking is the act of taking control of a user session a er successfully obtaining or genera ng an authen ca-on session ID. Session hijacking involves an a acker using captured,brute forced or reverse-engineered session IDs to seize control of a legi mate user's Web applica on session while that session is s ll in progress.

633 You are a emp ng to crack LM Manager hashed from Windows 2000 SAM file. You will be using LM Brute force hacking tool for decryp on. What encryp on algorithm will you be decryp ng? A. MD4 B. DES C. SHA D. SSL

B The LM hash is computed as follows. 1. The useros password as an OEM string is converted to uppercase. 2. This password is either null-padded or truncated to 14 bytes. 3. The pfixed-lengthq password is split into two 7-byte halves. 4. These values are used to create two DES keys,one from each 7-byte half. 5. Each of these keys is used to DES-encrypt the constant ASCII string pKGS!@ # $ %q,resul ng in two 8-byte ciphertext values. 6. These two ciphertext values are concatenated to form a 16-byte value,which is the LM hash.

610 Which DNS resource record can indicate how long any "DNS poisoning" could last? A. MX B. SOA C. NS D. TIMEOUT

B The SOA contains informa on of secondary servers,update intervals and expira on mes. Latest ECCouncil 312-50v8 Real Exam Download 611-620 (2014-05-12 13:53)

775 On wireless networks, SSID is used to iden fy the network. Why are SSID not considered to be a good security mech-anism to protect a wireless networks? A. The SSID is only 32 bits in length. B. The SSID is transmi ed in clear text. C. The SSID is the same as the MAC address for all vendors. D. The SSID is to iden fy a sta on,not a network.

B The SSID IS constructed to iden fy a network,it IS NOT the same as the MAC address and SSIDos consists of a maximum of 32 alphanumeric characters.

559 When Nmap performs a ping sweep, which of the following sets of requests does it send to the target device? A. ICMP ECHO _REQUEST & TCP SYN B. ICMP ECHO _REQUEST & TCP ACK C. ICMP ECHO _REPLY & TFP RST D. ICMP ECHO _REPLY & TCP FIN

B The default behavior of NMAP is to do both an ICMP ping sweep (the usual kind of ping) and a TCP port 80 ACK ping sweep. If an admin is logging these this will be fairly characteris c of NMAP. 192

671 In Linux, the three most common commands that hackers usually a empt to Trojan are: A. car,xterm,grep B. netstat,ps,top C. vmware,sed,less D. xterm,ps,nc

B The easiest programs to trojan and the smartest ones to trojan are ones commonly run by administrators and users,in this case netstat,ps,and top,for a complete list of commonly trojaned and rootkited so ware please reference this URL: h p://www.usenix.org/publica ons/login/1999-9/features/rootkits.html 228

689 ARP poisoning is achieved in _ _ _ _ _ steps A. 1 B. 2 C. 3 D. 4

B The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router,associa ng his computer's MAC address with your IP Address. Now your router thinks the hacker's computer is your computer. Next,the hacker sends a malicious ARP reply to your computer,associa ng his MAC Address with the routers IP Address. Now your machine thinks the hacker's computer is your router. The hacker has now used ARP poisoning to accomplish a MitM a ack. 238

599 206 MX record priority increases as the number increases. (True/False. A. True B. False

B The highest priority MX record has the lowest number.

754 Which of the following is most eﬀec ve against passwords? Select the Answer: A. Dic onary A ack B. BruteForce a ack C. Targeted A ack D. Manual password A ack 260

B The most eﬀec ve means of password a ack is brute force,in a brute force a ack the program will a empt to use every possible combina on of characters. While this takes longer then a dic onary a ack,which uses a text file of real words,it is always capable of breaking the password.

589 Which Type of scan sends a packets with no flags set? Select the Answer A. Open Scan B. Null Scan C. Xmas Scan 202 D. Half-Open Scan

B The types of port connec ons supported are: . TCP Full Connect. This mode makes a full connec on to the target's TCP ports and can save any data or banners returned from the target. This mode is the most accurate for determining TCP services,but it is also easily recognized by Intrusion Detec on Systems (IDS). . UDP ICMP Port Unreachable Connect. This mode sends a short UDP packet to the target's UDP ports and looks for an ICMP Port Unreachable message in return. The absence of that message indicates either the port is used,or the target does not return the ICMP message which can lead to false posi ves. It can save any data or banners returned from the target. This mode is also easily recognized by IDS. . TCP Full/UDP ICMP Combined. This mode combines the previous two modes into one opera on. . TCP SYN Half Open. (Windows XP/2000 only) This mode sends out a SYN packet to the target port and listens for the appropriate response. Open ports respond with a SYN|ACK and closed ports respond with ACK|RST or RST. This mode is less likely to be noted by IDS,but since the connec on is never fully completed,it cannot gather data or banner informa on. However,the a acker has full control over TTL,Source Port,MTU,Sequence number,and Window parameters in the SYN packet. . TCP Other. (Windows XP/2000 only) This mode sends out a TCP packet with any combina on of the SYN,FIN,ACK,RST,PSH,URG flags set to the target port and listens for the response. Again,the a acker can have full control over TTL,Source Port,MTU,Sequence number,and Window parameters in the custom TCP packet. The Ana-lyze feature helps with analyzing the response based on the flag se ngs chosen. Each opera ng system responds diﬀerently to these special combina ons. The tool includes presets for XMAS,NULL,FIN and ACK flag se ngs.

746 Bryan no ces the error on the web page and asks Liza to enter liza' or '1 ='1 in the email field. They are greeted with a message "Your login informa on has been mailed to [email protected]". What do you think has occurred? A. The web applica on picked up a record at random B. The web applica on returned the first record it found C. The server error has caused the applica on to malfunc on D. The web applica on emailed the administrator about the error

B The web applica on sends a query to an SQL database and by giving it the criteria 1=1,which always will be true,it will return the first value it finds.

607 Tess King is using the nslookup command to cra queries to list all DNS informa on (such as Name Servers, host names, MX records, CNAME records, glue records (delega on for child Domains), zone serial number, TimeToLive (TTL) records, etc) for a Domain. What do you think Tess King is trying to accomplish? Select the best answer. A. A zone harves ng B. A zone transfer C. A zone update D. A zone es mate

B The zone transfer is the method a secondary DNS server uses to update its informa on from the primary DNS server. DNS servers within a domain are organized using a master-slave method where the slaves get updated DNS informa-on from the master DNS. One should configure the master DNS server to allow zone transfers only from secondary (slave) DNS servers but this is o en not implemented. By connec ng to a specific DNS server and successfully issuing the ls Ƀd domain-name > file-name you have ini ated a zone transfer.

714 What type of cookies can be generated while visi ng diﬀerent web sites on the Internet? A. Permanent and long term cookies. B. Session and permanent cookies. C. Session and external cookies. D. Cookies are all the same,there is no such thing as diﬀerent type of cookies.

B There are two types of cookies: a permanent cookie that remains on a visitor's computer for a given me and a session cookie the is temporarily saved in the visitor's computer memory during the me that the visitor is using the Web site. Session cookies disappear when you close your Web browser.

830 What do you conclude from the nmap results below? Staring nmap V. 3.10ALPHA0 (www.insecure.org/map/) (The 1592 ports scanned but not shown below are in state: closed) Port State Service 21/tcp open p 25/tcp open smtp 80/tcp open h p 443/tcp open h ps Remote opera ng system guess: Too many signatures match the reliability guess the OS. Nmap run completed Ƀ 1 IP address (1 host up) scanned in 91.66 seconds A. The system is a Windows Domain Controller. B. The system is not firewalled. C. The system is not running Linux or Solaris. D. The system is not properly patched.

B There is no reports of any ports being filtered.

562 Which of the following ICMP message types are used for des na ons unreachables? A. 0 B. 3 C. 11 D. 13 E. 17

B Type 3 messages are used for unreachable messages. 0 is Echo Reply,8 is Echo request,11 is me exceeded,13 is mestamp and 17 is subnet mask request. Learning these would be advisable for the test. 193

789 The Slammer Worm exploits a stack-based overflow that occurs in a DLL implemen ng the Resolu on Service. Which of the following Database Server was targeted by the slammer worm? A. Oracle B. MSSQL C. MySQL D. Sybase E. DB2

B W32.Slammer is a memory resident worm that propagates via UDP Port 1434 and exploits a vulnerability in SQL Server 2000 systems and systems with MSDE 2000 that have not applied the patch released by Microso Security Bulle n MS02-039.

729 You work as security technician at XYZ.com. While doing web applica on tes ng, you might be required to look through mul ple web pages online which can take a long me. Which of the processes listed below would be a more eﬃcient way of doing this type of valida on? A. Use mget to download all pages locally for further inspec on. B. Use wget to download all pages locally for further inspec on. C. Use get* to download all pages locally for further inspec on. D. Use get() to download all pages locally for further inspec on. 248

B Wget is a u lity used for mirroring websites,get* doesnot work,as for the actual FTP command to work there needs to be a space between get and * (ie. get *),get(); is just bogus,thatos a C func on thatos wri en 100 % wrong. mget is a command used from pwithinq p itself,ruling out A. Which leaves B use wget,which is designed for mirroring and download files,especially web pages,if used with the ɃR op on (ie. wget ɃR www.XYZ.com) it could mirror a site,all expect protected por ons of course. Note: GNU Wget is a free network u lity to retrieve files from the World Wide Web using HTTP and FTP and can be used to make mirrors of archives and home pages thus enabling work in the background,a er having logged oﬀ.

643 How can you determine if an LM hash you extracted contains a password that is less than 8 characters long? A. There is no way to tell because a hash cannot be reversed 222 B. The right most por on of the hash is always the same C. The hash always starts with AB923D D. The le most por on of the hash is always the same E. A por on of the hash will be all 0 s

B When looking at an extracted LM hash,you will some mes observe that the right mostpor on is always the same. This is padding that has been added to a password that is less than 8 characters long.

816 On a backdoored Linux box there is a possibility that legi mate programs are modified or trojaned. How is it possible to list processes and uids associated with them in a more reliable manner? A. Use "Is" B. Use "lsof" C. Use "echo" D. Use "netstat"

B lsof is a command used in many Unix-like systems that is used to report a list of all open files and the processes that opened them. It works in and supports several UNIX flavors.

500 A hacker is a emp ng to see which IP addresses are currently ac ve on a network. Which NMAP switch would the hacker use? A. -sO B. -sP C. -sS D. -sU

B 170 Latest ECCouncil 312-50v8 Real Exam Download 481-490 (2014-05-12 11:17)

392 One advantage of an applica on-level firewall is the ability to A. filter packets at the network level. B. filter specific commands,such as h p:post. C. retain state informa on for each packet. D. monitor tcp handshaking.

B 147

297 Which of the following are password cracking tools? (Choose.three.) A. BTCrack B. John the Ripper C. KerbCrack D. Nikto E. Cain and Abel F. Havij

B,C,E

602 What ports should be blocked on the firewall to prevent NetBIOS traﬃc from not coming through the firewall if your network is comprised of Windows NT, 2000, and XP?(Choose all that apply. A. 110 207 B. 135 C. 139 D. 161 E. 445 F. 1024

B,C,E NetBIOS traﬃc can quickly be used to enumerate and a ack Windows computers. Ports 135,139,and 445 should be blocked.

681 Samantha was hired to perform an internal security test of XYZ. She quickly realized that all networks are making use of switches instead of tradi onal hubs. This greatly limits her ability to gather informa on through network sniﬃng. Which of the following techniques can she use to gather informa on from the switched network or to disable some of the traﬃc isola on features of the switch? (Choose two) A. Ethernet Zapping B. MAC Flooding C. Sniﬃng in promiscuous mode D. ARP Spoofing

B,D 235 In a typical MAC flooding a ack,a switch is flooded with packets,each containing diﬀerent source MAC addresses. The inten on is to consume the limited memory set aside in the switch to store the MAC address-to-physical port transla on table.The result of this a ack causes the switch to enter a state called failopen mode,in which all incoming packets are broadcast out on all ports (as with a hub),instead of just down the correct port as per normal opera on. The principle of ARP spoofing is to send fake,or 'spoofed',ARP messages to an Ethernet LAN. These frames contain false MAC addresses,confusing network devices,such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniﬀed) or an unreachable host (a denial of service a ack).

612 Which of the following tools are used for enumera on? (Choose three.) A. SolarWinds B. USER2SID C. Cheops D. SID2USER E. DumpSec

B,D,E USER2SID,SID2USER,and DumpSec are three of the tools used for system enumera on. Others are tools such as NAT and Enum. Knowing which tools are used in each step of the hacking methodology is an important goal of the CEH exam. You should spend a por on of your me preparing for the test prac cing with the tools and learning to understand their output.

569 What are two things that are possible when scanning UDP ports? (Choose two. A. A reset will be returned B. An ICMP message will be returned C. The four-way handshake will not be completed D. An RFC 1294 message will be returned E. Nothing

B,E Closed UDP ports can return an ICMP type 3 code 3 message. No response can mean the port is open or the packet was silently dropped.

157 Gerald, the Systems Administrator for Hyped Enterprises, has just discovered that his network has been breached by an outside a acker. A er performing rou ne maintenance on his servers, he discovers numerous remote tools were installed that no one claims to have knowledge of in his department. Gerald logs onto the management console for his IDS and discovers an unknown IP address that scanned his network constantly for a week and was able to access his network through a high-level port that was not closed. Gerald traces the IP address he found in the IDS log to a proxy server in Brazil. Gerald calls the company that owns the proxy server and a er searching through their logs, they trace the source to another proxy server in Switzerland. Gerald calls the company in Switzerland that owns the proxy server and a er scanning through the logs again, they trace the source back to a proxy server in China. What proxy tool has Gerald's a acker used to cover their tracks? A. ISA proxy B. IAS proxy C. TOR proxy D. Cheops proxy

163 In TCP communica ons there are 8 flags; FIN, SYN, RST, PSH, ACK, URG, ECE, CWR. These flags have decimal numbers assigned to them: FIN = 1 SYN = 2 RST = 4 PSH = 8 ACK = 16 URG = 32 ECE = 64 CWR =128 Example: To calculate SYN/ACK flag decimal value, add 2 (which is the decimal value of the SYN flag) to 16 (which is the decimal value of the ACK flag), so the result would be 18. Based on the above calcula on, what is the decimal value for XMAS scan? A. 23 B. 24 C. 41 D. 64

168 Bob is going to perform an ac ve session hijack against Brownies Inc. He has found a target that allows session oriented connec ons (Telnet) and performs the sequence predic on on the target opera ng system. He manages to find an ac ve session due to the high level of traﬃc on the network. What is Bob supposed to do next? 73 A. Take over the session B. Reverse sequence predic on C. Guess the sequence numbers D. Take one of the par es oﬄine

173 This TCP flag instructs the sending system to transmit all buﬀered data immediately. A. SYN B. RST C. PSH D. URG E. FIN

175 77 You work for Acme Corpora on as Sales Manager. The company has ght network security restric ons. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traﬃc that leaves from the internal network to the Internet. How will you achieve this without raising suspicion? A. Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account B. Package the Sales.xls using Trojan wrappers and telnet them back your home computer C. You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques D. Change the extension of Sales.xls to sales.txt and upload them as a achment to your hotmail account

179 Within the context of Computer Security, which of the following statements describes Social Engineering best? A. Social Engineering is the act of publicly disclosing informa on B. Social Engineering is the means put in place by human resource to perform me accoun ng C. Social Engineering is the act of ge ng needed informa on from a person rather than breaking into a system D. Social Engineering is a training program within sociology studies

194 Michael is a junior security analyst working for the Na onal Security Agency (NSA) working primarily on breaking ter-rorist encrypted messages. The NSA has a number of methods they use to decipher encrypted messages including Government Access to Keys (GAK) and inside informants. The NSA holds secret backdoor keys to many of the encryp-on algorithms used on the Internet. The problem for the NSA, and Michael, is that terrorist organiza ons are star ng to use custom-built algorithms or obscure algorithms purchased from corrupt governments. For this reason, Michael and other security analysts like him have been forced to find diﬀerent methods of deciphering terrorist messages. One method that Michael thought of using was to hide malicious code inside seemingly harmless programs. Michael first monitors sites and bulle n boards used by known terrorists, and then he is able to glean email addresses to some of these suspected terrorists. Michael then inserts a stealth keylogger into a mapping program file readme.txt and 89 then sends that as an a achment to the terrorist. This keylogger takes screenshots every 2 minutes and also logs all keyboard ac vity into a hidden file on the terrorist's computer. Then, the keylogger emails those files to Michael twice a day with a built in SMTP server. What technique has Michael used to disguise this keylogging so ware? A. Steganography B. Wrapping C. ADS D. Hidden Channels

204 NTP allows you to set the clocks on your systems very accurately, to within 100ms and some mes-even 10ms. Knowing the exact me is extremely important for enterprise security. Various security protocols depend on an accurate source of me informa on in order to prevent "playback" a acks. These protocols tag their communica ons with the current me, to prevent a ackers from replaying the same communica ons, e.g., a login/password interac on or even an en re communica on, at a later date. One can circumvent this tagging, if the clock can be set back to the me the communica on was recorded. An a acker a empts to try corrup ng the clocks on devices on your network. You run Wireshark to detect the NTP traﬃc to see if there are any irregulari es on the network. What port number you should enable in Wireshark display filter to view NTP packets? A. TCP Port 124 B. UDP Port 125 C. UDP Port 123 D. TCP Port 126

209 What do you call a pre-computed hash? A. Sun tables B. Apple tables C. Rainbow tables D. Moon tables

222 The GET method should never be used when sensi ve data such as credit card is being sent to a CGI program. This is because any GET command will appear in the URL, and will be logged by any servers. For example, let's say that you've entered your credit card informa on into a form that uses the GET method. The URL may appear like this: h ps://www.xsecurity-bank.com/creditcard.asp?cardnumber=453453433532234 The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this informa on. How would you protect from this type of a ack? 92 A. Never include sensi ve informa on in a script B. Use HTTPS SSLv3 to send the data instead of plain HTTPS C. Replace the GET with POST method when sending data D. Encrypt the data before you send using GET method

224 Lauren is performing a network audit for her en re company. The en re network is comprised of around 500 com-puters. Lauren starts an ICMP ping sweep by sending one IP packet to the broadcast address of the network, but only receives responses from around five hosts. Why did this ping sweep only produce a few responses? A. Only Windows systems will reply to this scan. B. A switched network will not respond to packets sent to the broadcast address. C. Only Linux and Unix-like (Non-Windows) systems will reply to this scan. D. Only servers will reply to this scan.

239 You want to perform advanced SQL Injec on a ack against a vulnerable website. You are unable to perform command shell hacks on this server. What must be enabled in SQL Server to launch these a acks? A. System services B. EXEC master access C. xp _cmdshell D. RDC

240 Kevin is an IT security analyst working for Emerson Time Makers, a watch manufacturing company in Miami. Kevin and his girlfriend Katy recently broke up a er a big fight. Kevin believes that she was seeing another per-son. Kevin, who has an online email account that he uses for most of his mail, knows that Katy has an account with that same company. Kevin logs into his email account online and gets the following URL a er successfully logged in: h p://www.youremailhere.com/mail.asp?mailbox=Kevin &Smith=121 %22 Kevin changes the URL to: h p://www.youremailhere.com/mail.asp?mailbox=Katy &Sanchez=121 %22 Kevin is trying to access her email ac-count to see if he can find out any informa on. What is Kevin a emp ng here to gain access to Katy's mailbox? A. This type of a empt is called URL obfusca on when someone manually changes a URL to try and gain unauthorized access B. By changing the mailbox's name in the URL,Kevin is a emp ng directory transversal C. Kevin is trying to u lize query string manipula on to gain access to her email account D. He is a emp ng a path-string a ack to gain access to her mailbox

248 June, a security analyst, understands that a polymorphic virus has the ability to mutate and can change its known viral signature and hide from signature-based an virus programs. Can June use an an virus program in this case and would it be eﬀec ve against a polymorphic virus? A. Yes. June can use an an virus program since it compares the parity bit of executable files to the database of known check sum counts and it is eﬀec ve on a polymorphic virus B. Yes. June can use an an virus program since it compares the signatures of executable files to the database of known viral signatures and it is very eﬀec ve against a polymorphic virus C. No. June can't use an an virus program since it compares the signatures of executable files to the database of known viral signatures and in the case the polymorphic viruses cannot be detected by a signature-based an -virus program D. No. June can't use an an virus program since it compares the size of executable files to the database of known viral signatures and it is eﬀec ve on a polymorphic virus

249 Which of the following Exclusive OR transforms bits is NOT correct? A. 0 xor 0 = 0 B. 1 xor 0 = 1 C. 1 xor 1 = 1 D. 0 xor 1 = 1

254 Oregon Corp is figh ng a li ga on suit with Scamster Inc. Oregon has assigned a private inves ga ve agency to go through garbage, recycled paper, and other rubbish at Scamster's oﬃce site in order to find relevant informa on. What would you call this kind of ac vity? A. CI Gathering B. Scanning C. Dumpster Diving D. Garbage Scooping

256 One way to defeat a mul -level security solu on is to leak data via A. a bypass regulator. B. steganography. C. a covert channel. D. asymmetric rou ng.

257 On a Linux device, which of the following commands will start the Nessus client in the background so that the Nessus server can be configured? A. nessus + B. nessus *s C. nessus & D. nessus -d

260 SOAP services use which technology to format informa on? A. SATA B. PCI C. XML D. ISDN

261 A security engineer is a emp ng to map a companyos internal network. The engineer enters in the following NMAP commanD. NMAP Ƀn ɃsS ɃP0 Ƀp 80 ***.***.**.** What type of scan is this? A. Quick scan B. Intense scan C. Stealth scan D. Comprehensive scan

268 What is the broadcast address for the subnet 190.86.168.0/22? A. 190.86.168.255 B. 190.86.255.255 C. 190.86.171.255 D. 190.86.169.255

272 Which type of scan measures a person's external features through a digital video camera? A. Iris scan B. Re nal scan C. Facial recogni on scan D. Signature kine cs scan

273 In order to show improvement of security over me, what must be developed? A. Reports B. Tes ng tools C. Metrics D. Taxonomy of vulnerabili es

277 A computer science student needs to fill some informa on into a secured Adobe PDF job applica on that was received from a prospec ve employer. Instead of reques ng a new document that allowed the forms to be completed, the student decides to write a script that pulls passwords from a list of commonly used passwords to try against the secured PDF un l the correct password is found or the list is exhausted. Which cryptography a ack is the student a emp ng? A. Man-in-the-middle a ack B. Brute-force a ack C. Dic onary a ack D. Session hijacking

282 A security analyst is performing an audit on.the network to determine if there are any devia ons from the security policies in place. The analyst.discovers that a user from the IT department had a dial-out modem installed. Which security policy must the security analyst check to see if dial-out modems are allowed? A. Firewall-management policy B. Acceptable-use policy C. Remote-access policy D. Permissive policy

283 A company is using Windows Server 2003 for its Ac ve Directory (AD). What.is the most eﬃcient way to crack the passwords for the AD users? A. Perform a dic onary a ack. B. Perform a brute force a ack. C. Perform an a ack with a rainbow table. D. Perform a hybrid a ack.

286 During a penetra on test, the tester conducts an ACK scan using NMAP against the external interface of the DMZ firewall. NMAP reports that port 80 is unfiltered. Based on this response, which type of packet inspec on is the firewall conduc ng? A. Host B. Stateful C. Stateless D. Applica on

290 Low humidity in a data center can cause which of the following.problems? A. Heat B. Corrosion C. Sta c electricity D. Airborne contamina on

302 Which ini al procedure should an ethical hacker perform a er being brought into an organiza on?. 125 A. Begin security tes ng. B. Turn over deliverables.. C. Sign a formal contract with non-disclosure. D. Assess what the organiza on is trying to protect.

313 The intrusion detec on system at.a so ware development company.suddenly generates mul ple alerts regarding a acks against the company's external webserver, VPN concentrator, and DNS servers..What should the security team do to determine which alerts to check first? A. Inves gate based on the maintenance schedule of the aﬀected systems. B. Inves gate based on the service level agreements of the systems. C. Inves gate based on the poten al eﬀect of the incident. D. Inves gate based on the order that the alerts arrived in.

327 Which of the following ensures.that updates to policies, procedures, and configura ons are made in a controlled and documented fashion? A. Regulatory compliance B. Peer review C. Change management D. Penetra on tes ng

334 Windows file servers commonly hold sensi ve files, databases, passwords and more.. Which of the following choices would be a common vulnerability that usually exposes them? A. Cross-site scrip ng B. SQL injec on 133 C. Missing patches D. CRLF injec on

335 Which.type of access control is used on a router or firewall to limit network ac vity? A. Mandatory B. Discre onary C. Rule-based D. Role-based

349 Which of the following tools will scan a network to perform vulnerability checks and compliance audi ng? A. NMAP B. Metasploit C. Nessus D. BeEF

352 Which of the following is a detec ve control? A. Smart card authen ca on B. Security policy C. Audit trail D. Con nuity of opera ons plan

356 138 A network security administrator is worried about poten al man-in-the-middle a acks.when.users access a corporate web site from their worksta ons. Which of the following is the.best.remedia on against this type of a ack? A. Implemen ng server-side PKI cer ficates for all connec ons B. Manda ng only client-side PKI cer ficates for all connec ons C. Requiring client and server PKI cer ficates for all connec ons D. Requiring strong authen ca on for all DNS queries

359 A security consultant decides to use mul ple layers of an -virus defense, such as end user desktop an -virus and E-mail gateway..This approach can be used to mi gate which kind of a ack? A. Forensic a ack B. ARP spoofing a ack C. Social engineering a ack D. Scanning a ack

362 What type of OS fingerprin ng technique sends specially cra ed packets to the remote OS and analyzes the received response? A. Passive B. Reflec ve C. Ac ve D. Distribu ve

370 141 Which element of Public Key Infrastructure (PKI).verifies the applicant? A. Cer ficate authority B. Valida on authority C. Registra on authority D. Verifica on authority

372 A hacker is a emp ng to use nslookup to query Domain Name Service (DNS). The hacker uses the nslookup interac ve mode for the search. Which command should the hacker type into the command shell to request the appropriate records? A. Locate type=ns B. Request type=ns C. Set type=ns D. Transfer type=ns

378 To reduce the a ack surface of a system, administrators should perform which of the following processes to remove unnecessary so ware, services, and insecure configura on se ngs? A. Harves ng B. Windowing C. Hardening D. Stealthing

379 While conduc ng a penetra on test, the tester determines that there is a firewall between the tester's machine and the target machine. The firewall is only monitoring TCP handshaking of packets at the session layer of the OSI model..Which type of firewall is the tester trying to traverse? A. Packet filtering firewall B. Applica on-level firewall C. Circuit-level gateway firewall D. Stateful mul layer inspec on firewall

381 A security analyst in an insurance company is assigned to test a new web applica on that will be used by clients to help them choose and apply for an insurance plan. The analyst discovers that the applica on is developed in ASP scrip ng language and it uses MSSQL as a database backend. The analyst locates the applica on's search form and introduces the following code in the search input fielD. 144 IMG SRC=vbscript:msgbox("Vulnerable");> originalA ribute="SRC" originalPath="vbscript:msgbox("Vulnerable");>" When the analyst submits the form, the browser returns a pop-up window that says "Vulnerable". Which web applica ons vulnerability did the analyst discover? A. Cross-site request forgery B. Command injec on C. Cross-site scrip ng D. SQL injec on

390 Diﬃe-Hellman (DH) groups determine the strength of the key used in the key exchange process..Which of the following is.the correct bit size of the Diﬃe-Hellman (DH) group 5? A. 768 bit key B. 1025 bit key C. 1536 bit key D. 2048 bit key

399 If the final set of security controls does not eliminate all risk in a system, what could be done next? A. Con nue to apply controls un l there is zero risk. B. Ignore any remaining risk. C. If the residual risk is low enough,it can be accepted. D. Remove current controls since they are not completely eﬀec ve.

404 What is the best.defense against privilege escala on vulnerability? A. Patch systems regularly and upgrade interac ve login privileges at the system administrator level. B. Run administrator and applica ons on least privileges and use a content registry for tracking. C. Run services with least privileged accounts and implement mul -factor authen ca on and authoriza on. D. Review user roles and administrator privileges for maximum u liza on of automa on services.

405 Fingerprin ng.VPN firewalls is possible with which of the following tools? A. Angry IP B. Nikto C. Ike-scan D. Arp-scan

406 A company has publicly hosted web applica ons and an internal Intranet protected by a firewall..Which technique will help protect against enumera on? 150 A. Reject all invalid email received via SMTP. B. Allow full DNS zone transfers. C. Remove A records for internal hosts. D. Enable null session pipes.

410 Which of the following.cryptography a ack methods is usually performed without the use of a computer? A. Ciphertext-only a ack B. Chosen key a ack C. Rubber hose a ack D. Rainbow table a ack

422 Which of the following tools would be the best choice for achieving compliance with PCI Requirement 11? A. Truecrypt B. Sub7 C. Nessus D. Clamwin

425 Which of the following is a strong post designed to stop a car? A. Gate B. Fence C. Bollard D. Reinforced rebar

427 A recently hired network security associate at a local bank was given the responsibility to perform daily scans of the internal network to look for unauthorized devices. The employee decides to write a script that will scan the network for unauthorized devices every morning at 5:00 am. Which of the following programming languages would most likely be used? A. PHP B. C # C. Python D. ASP.NET

428 While performing data valida on of web content, a security technician is required to restrict malicious input. Which of the following processes.is an eﬃcient way of restric ng malicious input? A. Validate web content input for query strings. B. Validate web content input with scanning tools. C. Validate web content input for type,length,and range. D. Validate web content input for extraneous queries.

431 In the OSI model, where does PPTP encryp on take place? A. Transport layer B. Applica on layer C. Data link layer D. Network layer

441 Which of the following resources does NMAP need to be used as a basic vulnerability scanner covering several vectors like SMB, HTTP and.FTP? 158 A. Metasploit scrip ng engine B. Nessus scrip ng engine C. NMAP scrip ng engine D. SAINT scrip ng engine

446 Which of the following techniques will iden fy if computer files have been changed? A. Network sniﬃng B. Permission sets C. Integrity checking hashes D. Firewall alerts

452 What informa on should an IT system analysis provide to the risk assessor? A. Management buy-in B. Threat statement C. Security architecture D. Impact analysis

454 An IT security engineer no ces that the companyos web server is currently being hacked. What should the engineer do next? A. Unplug the network connec on on the companyos web server. B. Determine the origin of the a ack and launch a countera ack. C. Record as much informa on as possible from the a ack. D. Perform a system restart on the companyos web server. 161

463 Which of the following defines the role of a root Cer ficate Authority (CA) in a Public Key Infrastructure (PKI)? A. The root CA is the recovery agent used to encrypt data when a user's cer ficate is lost. B. The root CA stores the user's hash value for safekeeping. C. The CA is the trusted root that issues cer ficates. D. The root CA is used to encrypt email messages to prevent unintended disclosure of data.

464 Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn based on these scan results?.TCP port 21 Ƀ no response.TCP port 22 Ƀ no response.TCP port 23 Ƀ Time-to-live exceeded A. The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host. B. The lack of response from ports 21 and 22 indicate that those services are not running on the des na on server. C. The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall. D. The scan on port 23 was able to make a connec on to the des na on host promp ng the firewall to respond with a TTL error.

465 A security engineer has been asked to deploy a secure remote access solu on that will allow employees to connect to the companyos internal network. Which of the following can be implemented to minimize the opportunity for the man-in-the-middle a ack to occur? A. SSL B. Mutual authen ca on C. IPSec D. Sta c IP addresses

477 A newly discovered flaw in a so ware applica on would be considered which kind of security vulnerability? A. Input valida on flaw B. HTTP header injec on vulnerability C. 0-day vulnerability D. Time-to-check to me-to-use flaw

488 What is the name of the interna onal standard that establishes a baseline level of confidence in the security func on-ality of IT products by providing a set of requirements for evalua on? A. Blue Book B. ISO 26029 C. Common Criteria D. The Wassenaar Agreement

492 Which protocol and port number might be needed in order to send log messages to a log analysis tool that resides behind a firewall? A. UDP 123 B. UDP 541 C. UDP 514 168 D. UDP 415

501 At a Windows Server command prompt, which command could be used to.list the running services? A. Sc query type= running B. Sc query \servername C. Sc query D. Sc config

504 Which of the following is considered an acceptable op on when managing a risk? A. Reject the risk. 173 B. Deny the risk. C. Mi gate the risk. D. Ini ate the risk.

505 A person approaches a network administrator and wants advice on how to send encrypted email from home. The end user does not want to have to pay for any license fees or manage server services. Which of the following is the most secure encryp on protocol that the network administrator should recommend? A. IP Security (IPSEC) B. Mul purpose Internet Mail Extensions (MIME) C. Pre y Good Privacy (PGP) D. Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS)

515 What is the essen al diﬀerence between an nEthical Hackero and a nCrackero? A. The ethical hacker does not use the same techniques or skills as a cracker. B. The ethical hacker does it strictly for financial mo ves unlike a cracker. C. The ethical hacker has authoriza on from the owner of the target. D. The ethical hacker is just a cracker who is ge ng paid.

516 What does the term pEthical Hackingq mean? A. Someone who is hacking for ethical reasons. B. Someone who is using his/her skills for ethical reasons. C. Someone who is using his/her skills for defensive purposes. D. Someone who is using his/her skills for oﬀensive purposes.

522 Which of the following ac vi es will NOT be considered as passive footprin ng? A. Go through the rubbish to find out any informa on that might have been discarded. B. Search on financial site such as Yahoo Financial to iden fy assets. C. Scan the range of IP address found in the target DNS database. D. Perform mul ples queries using a search engine.

53 Which type of hacker represents the highest risk to your network? A. black hat hackers B. grey hat hackers C. disgruntled employees D. script kiddies

72 How would you describe an a ack where an a acker a empts to deliver the payload over mul ple packets over long periods of me with the purpose of defea ng simple pa ern matching in IDS systems without session reconstruc on? A characteris c of this a ack would be a con nuous stream of small packets. A. Session Hijacking B. Session Stealing C. Session Splicing D. Session Fragmenta on

738 Bill has successfully executed a buﬀer overflow against a Windows IIS web server. He has been able to spawn an interac ve shell and plans to deface the main web page. He first a empts to use the "echo" command to simply overwrite index.html and remains unsuccessful. He then a empts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page in which also he remains unsuccessful. What is the probable cause of Bill's problem? A. You cannot use a buﬀer overflow to deface a web page B. There is a problem with the shell and he needs to run the a ack again C. The HTML file has permissions of read only D. The system is a honeypot

755 The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode a acks from 213.116.251.162. The file Permission Canonicaliza on vulnerability (UNICODE a ack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The a acker tries a Unicode a ack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is func oning correctly. The a acker makes a RDS query which results in the commands run as shown below: What can you infer from the exploit given? A. It is a local exploit where the a acker logs in using username johna2k. B. There are two a ackers on the system Ƀ johna2k and haxedj00. C. The a ack is a remote exploit and the hacker downloads three files. D. The a acker is unsuccessful in spawning a shell as he has specified a high end UDP port.

773 Access control is o en implemented through the use of MAC address filtering on wireless Access Points. Why is this considered to be a very limited security measure? A. Vendors MAC address assignment is published on the Internet. B. The MAC address is not a real random number. C. The MAC address is broadcasted and can be captured by a sniﬀer. D. The MAC address is used properly only on Macintosh computers.

777 Jackson discovers that the wireless AP transmits 128 bytes of plaintext, and the sta on responds by encryp ng the plaintext. It then transmits the resul ng ciphertext using the same key and cipher that are used by WEP to encrypt subsequent network traﬃc. What authen ca on mechanism is being followed here? A. no authen ca on B. single key authen ca on C. shared key authen ca on D. open system authen ca on

814 A er studying the following log entries, what is the a acker ul mately trying to achieve as inferred from the log sequence? 1. mkdir -p /etc/X11/applnk/Internet/.etc 2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd 3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd 4. touch -acmr /etc /etc/X11/applnk/Internet/.etc 279 5. passwd nobody -d 6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash 7. passwd dns -d 8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd 9. touch -acmr /etc/X11/applnk/Internet/.etc /etc A. Change password of user nobody B. Extract informa on from a local directory C. Change the files Modifica on Access Crea on mes D. Download rootkits and passwords into a new directory

842 You may be able to iden fy the IP addresses and machine names for the firewall, and the names of internal mail servers by: A. Sending a mail message to a valid address on the target network,and examining the header informa on generated by the IMAP servers B. Examining the SMTP header informa on generated by using the Ƀmx command parameter of DIG C. Examining the SMTP header informa on generated in response to an e-mail message sent to an invalid address D. Sending a mail message to an invalid address on the target network,and examining the header informa on gener-ated by the POP servers

9 Jack Hacker wants to break into Brown Co.'s computers and obtain their secret double fudge cookie recipe. Jack calls Jane, an accountant at Brown Co., pretending to be an administrator from Brown Co. Jack tells Jane that there has been a problem with some accounts and asks her to verify her password with him "just to double check our records." Jane does not suspect anything amiss, and parts with her password. Jack can now access Brown Co.'s computers with a valid user name and password, to steal the cookie recipe. What kind of a ack is being illustrated here? A. Reverse Psychology B. Reverse Engineering C. Social Engineering D. Spoofing Iden ty E. Faking Iden ty

490 Which statement best describes a server type under an N- er architecture? A. A group of servers at a specific layer B. A single server with a specific role C. A group of servers with a unique role D. A single server.at a specific layer

C Latest ECCouncil 312-50v8 Real Exam Download 501-510 (2014-05-12 11:18)

678 Exhibit: e ercap ɃNCLzs -quiet What does the command in the exhibit do in pE ercapq? A. This command will provide you the en re list of hosts in the LAN B. This command will check if someone is poisoning you and will report its IP. C. This command will detach from console and log all the collected passwords from the network to a file. D. This command broadcasts ping to scan the LAN instead of ARP request of all the subnet IPs.

C -N = NON interac ve mode (without ncurses) -C = collect all users and passwords -L = if used with -C (collector) it creates a file with all the password sniﬀed in the session in the form "YYYYMMDD-collected-pass.log" -z = start in silent mode (no arp storm on start up) -s = IP BASED sniﬃng -quiet = "demonize" e ercap. Useful if you want to log all data in background.

654 What does the following command in netcat do? nc -l -u -p55555 < /etc/passwd A. logs the incoming connec ons to /etc/passwd file B. loads the /etc/passwd file to the UDP port 55555 C. grabs the /etc/passwd file when connected to UDP port 55555 D. deletes the /etc/passwd file when connected to the UDP port 55555

C -l forces netcat to listen for incoming connec ons. -u tells netcat to use UDP instead of TCP -p 5555 tells netcat to use port 5555 < /etc/passwd tells netcat to grab the /etc/passwd file when connected to. 226

771 802.11b is considered a _ _ _ _ _ _ _ _ _ _ _ _ protocol. A. Connec onless B. Secure C. Unsecure D. Token ring based E. Unreliable

C 802.11b is an insecure protocol. It has many weaknesses that can be used by a hacker.

634 219 In the context of password security, a simple dic onary a ack involves loading a dic onary file (a text file full of dic-onary words) into a cracking applica on such as L0phtCrack or John the Ripper, and running it against user accounts located by the applica on. The larger the word and word fragment selec on, the more eﬀec ve the dic onary a ack is. The brute force method is the most inclusive, although slow. It usually tries every possible le er and number combina on in its automated explora on. If you would use both brute force and dic onary methods combined together to have varia on of words, what would you call such an a ack? A. Full Blown B. Thorough C. Hybrid D. BruteDics

C A combina on of Brute force and Dic onary a ack is called a Hybrid a ack or Hybrid dic onary a ack.

759 When a malicious hacker iden fies a target and wants to eventually compromise this target, what would be among the first steps that he would perform? (Choose the best answer) A. Cover his tracks by eradica ng the log files and audit trails. B. Gain access to the remote computer in order to conceal the venue of a acks. C. Perform a reconnaissance of the remote target for iden cal of venue of a acks. D. Always begin with a scan in order to quickly iden fy venue of a acks.

C A hacker always starts with a preparatory phase (Reconnaissance) where he seeks to gather as much informa on as possible about the target of evalua on prior to launching an a ack. The reconnaissance can be either passive or ac ve (or both).

615 Susan has a ached to her companyos network. She has managed to synchronize her bossos sessions with that of the file server. She then intercepted his traﬃc des ned for the server, changed it the way she wanted to and then placed it on the server in his home directory. What kind of a ack is Susan carrying on? A. A sniﬃng a ack B. A spoofing a ack C. A man in the middle a ack D. A denial of service a ack

C A man-in-the-middle a ack (MITM) is an a ack in which an a acker is able to read,insert and modify at will,messages between two par es without either party knowing that the link between them has been compromised.

843 Which of the following is not an eﬀec ve countermeasure against replay a acks? A. Digital signatures B. Time Stamps C. System iden fica on D. Sequence numbers

C A replay a ack is a form of network a ack in which a valid data transmission is maliciously or fraudulently repeated or delayed. Eﬀec ve countermeasures should be anything that makes it hard to delay or replay the packet ( me stamps and sequence numbers) or anything that prove the package is received as it was sent from the original sender (digital signature)

638 Which of the following is the primary objec ve of a rootkit? A. It opens a port to provide an unauthorized service B. It creates a buﬀer overflow C. It replaces legi mate programs D. It provides an undocumented opening in a program

C Actually the objec ve of the rootkit is more to hide the fact that a system has been compromised and the normal way to do this is by exchanging,for example,ls to a version that doesnot show the files and process implanted by the a acker.

642 What do Trinoo, TFN2k, WinTrinoo, T-Sight, and Stracheldraht have in common? A. All are hacking tools developed by the legion of doom B. All are tools that can be used not only by hackers,but also security personnel C. All are DDOS tools D. All are tools that are only eﬀec ve against Windows E. All are tools that are only eﬀec ve against Linux

C All are DDOS tools.

838 What is a sheepdip? A. It is another name for Honeynet B. It is a machine used to coordinate honeynets C. It is the process of checking physical media for virus before they are used in a computer D. None of the above

C Also known as a footbath,a sheepdip is the process of checking physical media,such as floppy disks or CD-ROMs,for viruses before they are used in a computer. Typically,a computer that sheepdips is used only for that process and nothing else and is isolated from the other computers,meaning it is not connected to the network. Most sheepdips use at least two diﬀerent an virus programs in order to increase eﬀec veness.

786 What are the main drawbacks for an -virus so ware? A. AV so ware is diﬃcult to keep up to the current revisions. B. AV so ware can detect viruses but can take no ac on. C. AV so ware is signature driven so new exploits are not detected. D. Itos rela vely easy for an a acker to change the anatomy of an a ack to bypass AV systems E. AV so ware isnot available on all major opera ng systems pla orms. F. AV so ware is very machine (hardware) dependent.

C Although there are func ons like heuris c scanning and sandbox technology,the An virus program is s ll mainly de-pending of signature databases and can only find already known viruses.

542 You are conduc ng a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and a er scanning each of them you no ce that they all show port 21 in closed state. What should be the next logical step that should be performed? A. Connect to open ports to discover applica ons. B. Perform a ping sweep to iden fy any addi onal systems that might be up. C. Perform a SYN scan on port 21 to iden fy any addi onal systems that might be up. D. Rescan every computer to verify the results.

C As ICMP is blocked youoll have trouble determining which computers are up and running by using a ping sweep. As all the 23 computers that you had discovered earlier had port 21 closed,probably any addi onal,previously un-known,systems will also have port 21 closed. By running a SYN scan on port 21 over the target network you might get replies from addi onal systems.

668 A er an a acker has successfully compromised a remote computer, what would be one of the last steps that would be taken to ensure that the compromise is not traced back to the source of the problem? A. Install pactehs B. Setup a backdoor C. Cover your tracks D. Install a zombie for DDOS 234

C As a hacker you donot want to leave any traces that could lead back to you.

553 What does an ICMP (Code 13) message normally indicates? A. It indicates that the des na on host is unreachable B. It indicates to the host that the datagram which triggered the source quench message will need to be re-sent C. It indicates that the packet has been administra vely dropped in transit D. It is a request to the host to cut back the rate at which it is sending traﬃc to the Internet des na on

C CODE 13 and type 3 is des na on unreachable due to communica on administra vely prohibited by filtering hence maybe they meant "code 13",therefore would be C). Note: A - Type 3 B - Type 4 C - Type 3 Code 13 D - Typ4 4

749 Jane has just accessed her preferred e-commerce web site and she has seen an item she would like to buy. Jane considers the price a bit too steep; she looks at the page source code and decides to save the page locally to modify some of the page variables. In the context of web applica on security, what do you think Jane has changed? A. An integer variable B. A 'hidden' price value C. A 'hidden' form field value D. A page cannot be changed locally; it can only be served by a web server

C Changing hidden form values is possible when a web site is poorly built and is trus ng the visitors computer to submit vital data,like the price of a product,to the database.

732 _ _ _ _ _ _ _ _ _ _ _ _ will let you assume a users iden ty at a dynamically generated web page or site. A. SQL a ack B. Injec on a ack C. Cross site scrip ng D. The shell a ack E. Winzapper

C Cross site scrip ng is also referred to as XSS or CSS. You must know the user is online and you must scam that user into clicking on a link that you have sent in order for this hack a ack to work.

682 Ethereal works best on _ _ _ _ _ _ _ _ _ _ _ _. A. Switched networks B. Linux pla orms C. Networks using hubs D. Windows pla orms E. LAN's

C Ethereal is used for sniﬃng traﬃc. It will return the best results when used on an unswitched (i.e. hub. network.

617 Eve is spending her day scanning the library computers. She no ces that Alice is using a computer whose port 445 is ac ve and listening. Eve uses the ENUM tool to enumerate Alice machine. From the command prompt, she types the following command. For /f "tokens=1 % %a in (hackfile.txt) do net use * \10.1.2.3c $ /user:"Administrator" % %a What is Eve trying to do? 212 A. Eve is trying to connect as an user with Administrator privileges B. Eve is trying to enumerate all users with Administra ve privileges C. Eve is trying to carry out a password crack for user Administrator D. Eve is trying to escalate privilege of the null user to that of Administrator

C Eve tries to get a successful login using the username Administrator and passwords from the file hackfile.txt.

662 You are a Administrator of Windows server. You want to find the port number for POP3. What file would you find the informa on in and where? Select the best answer. A. %windir %\etc\services B. system32\drivers\etc\services C. %windir %\system32\drivers\etcashservices D. /etc/services E. %windir %/system32/drivers/etc/services

C Explana ons: %windir %\system32\drivers\etcashservices is the correct place to look for this informa on.

783 Sally is a network admin for a small company. She was asked to install wireless accesspoints in the building. In looking at the specifica ons for the access-points, she sees that all of them oﬀer WEP. Which of these are true about WEP? Select the best answer. A. Stands for Wireless Encryp on Protocol B. It makes a WLAN as secure as a LAN C. Stands for Wired Equivalent Privacy D. It oﬀers end to end security

C Explana ons: WEP is intended to make a WLAN as secure as a LAN but because a WLAN is not constrained by wired,this makes access much easier. Also,WEP has flaws that make it less secure than was once thought.WEP does not oﬀer end-to-end security. It only a empts to protect the wireless por on of the network. 268

611 Joseph was the Web site administrator for the Mason Insurance in New York, who's main Web site was located at www.masonins.com. Joseph uses his laptop computer regularly to administer the Web site. One night, Joseph received an urgent phone call from his friend, Smith. According to Smith, the main Mason Insurance web site had been vandalized! All of its normal content was removed and replaced with an a acker's message "Hacker Message: You are dead! Freaks! From his oﬃce, which was directly connected to Mason Insurance's internal network, Joseph surfed to the Web site using his laptop. In his browser, the Web site looked completely intact. No changes were apparent. Joseph called a friend of his at his home to help troubleshoot the problem. The Web site appeared defaced when his friend visited using his DSL connec on. So, while Smith and his friend could see the defaced page, Joseph saw the intact Mason Insurance web site. To help make sense of this problem, Joseph decided to access the Web site using his dial-up ISP. He disconnected his laptop from the corporate internal network and used his modem to dial up the same ISP used by Smith. A er his modem connected, he quickly typed www.masonins.com in his browser to reveal the following web page: H@cker Mess@ge: Y0u @re De@d! Fre@ks! A er seeing the defaced Web site, he disconnected his dial-up line, reconnected to the internal network, and used Secure Shell (SSH) to log in directly to the Web server. He ran Tripwire against the en re Web site, and determined that every system file and all the Web content on the server were intact. 210 How did the a acker accomplish this hack? A. ARP spoofing B. SQL injec on C. DNS poisoning D. Rou ng table injec on

C External calls for the Web site has been redirected to another server by a successful DNS poisoning.

687 When Jason moves a file via NFS over the company's network, you want to grab a copy of it by sniﬃng. Which of the following tool accomplishes this? 237 A. macof B. webspy C. filesnarf D. nfscopy

C Filesnarf - sniﬀ files from NFS traﬃc OPTIONS -i interface Specify the interface to listen on. -v "Versus" mode. Invert thesenseofmatching,to select non-matching files. Pa ern Specify regular expression for filename matching. Expression Specifyatcpdump(8)filter expression to selec raﬃc to sniﬀ. SEE ALSO Dsniﬀ,nfsd

849 What is the tool Firewalk used for? A. To test the IDS for proper opera on B. To test a firewall for proper opera on C. To determine what rules are in place for a firewall D. To test the webserver configura on E. Firewalk is a firewall auto configura on tool

C Firewalk is an ac ve reconnaissance network security tool that a empts to determine what layer 4 protocols a given IP forwarding device "firewall" will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traﬃc,it will forward the packets to the next hop where they will expire and elicit an ICMP _TIME _EXCEEDED message. If the gateway host does not allow the traﬃc,it will likely drop the packets and no response will be returned.

748 Kevin has been asked to write a short program to gather user input for a web applica neat and simple. He chooses to use prin (str) where he should have ideally used prin program expose the web applica on to? on. He likes to keep his code (?s? str). What a ack will his A. Cross Site Scrip ng B. SQL injec on A ack C. Format String A ack D. Unicode Traversal A ack

C Format string a acks are a new class of so ware vulnerability discovered around 1999,previously thought harmless. Format string a acks can be used to crash a program or to execute harmful code. The problem stems from the use of 258 unfiltered user input as the format string parameter in certain C func ons that perform forma ng,such as prin (). A malicious user may use the %s and %x format tokens,among others,to print data from the stack or possibly other loca-ons in memory. One may also write arbitrary data to arbitrary loca ons using the %n format token,which commands prin () and similar func ons to write back the number of bytes forma ed to the same argument to prin (),assuming that the corresponding argument exists,and is of type int * .

725 On a default installa on of Microso IIS web server, under which privilege does the web server so ware execute? A. Everyone B. Guest C. System D. Administrator

C If not changed during the installa on,IIS will execute as Local System with way to high privileges.

721 You have successfully run a buﬀer overflow a ack against a default IIS installa on running on a Windows 2000 Server. The server allows you to spawn a shell. In order to perform the ac ons you intend to do, you need elevated permission. You need to know what your current privileges are within the shell. Which of the following op ons would be your current privileges? A. Administrator B. IUSR _COMPUTERNAME C. LOCAL _SYSTEM D. Whatever account IIS was installed with

C If you manage to get the system to start a shell for you,that shell will be running as LOCAL _SYSTEM.

778 266 Jacob would like your advice on using a wireless hacking tool that can save him me and get him be er results with lesser packets. You would like to recommend a tool that uses KoreK's implementa on. Which tool would you recom-mend from the list below? A. Kismet B. Shmoo C. Aircrack D. John the Ripper

C Implemen ng KoreK's a acks as well as improved FMS,aircrack provides the fastest and most eﬀec ve sta s cal at-tacks available.John the Ripper is a password cracker,Kismet is an 802.11 layer2 wireless network detector,sniﬀer,and intrusion detec on system,and

609 209 Let's imagine three companies (A, B and C), all compe ng in a challenging global environment. Company A and B are working together in developing a product that will generate a major compe ve advantage for them. Company A has a secure DNS server while company B has a DNS server vulnerable to spoofing. With a spoofing a ack on the DNS server of company B, company C gains access to outgoing e-mails from company B. How do you prevent DNS spoofing? (Select the Best Answer.) A. Install DNS logger and track vulnerable packets B. Disable DNS meouts C. Install DNS An -spoofing D. Disable DNS Zone Transfer

C Implement DNS Anit-Spoofing measures to prevent DNS Cache Pollu on to occur.

631 Which of the following algorithms can be used to guarantee the integrity of messages being sent, in transit, or stored? (Choose the best answer) A. symmetric algorithms 218 B. asymmetric algorithms C. hashing algorithms D. integrity algorithms

C In cryptography,a cryptographic hash func on is a hash func on with certain addi onal security proper es to make it suitable for use as a primi ve in various informa on security applica ons,such as authen ca on and message in-tegrity. A hash func on takes a long string (or 'message') of any length as input and produces a fixed length string as output,some mes termed a message digest or a digital fingerprint.

744 You have just received an assignment for an assessment at a company site. Company's management is concerned about external threat and wants to take appropriate steps to insure security is in place. Anyway the management is also worried about possible threats coming from inside the site, specifically from employees belonging to diﬀerent Departments. What kind of assessment will you be performing ? A. Black box tes ng B. Black hat tes ng C. Gray box tes ng D. Gray hat tes ng E. White box tes ng F. White hat tes ng

C Internal Tes ng is also referred to as Gray-box tes ng.

740 Bob is a very security conscious computer user. He plans to test a site that is known to have malicious applets, code, and more. Bob always make use of a basic Web Browser to perform such tes ng. Which of the following web browser can adequately fill this purpose? A. Internet Explorer B. Mozila C. Lynx D. Tiger

C Lynx is a program used to browse the World Wide Web,which works on simple text terminals,rather than requiring a graphical computer display terminal. 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00243.jpg Latest ECCouncil 312-50v8 Real Exam Download 741-750 (2014-05-12 14:07)

653 In the context of Windows Security, what is a 'null' user? A. A user that has no skills B. An account that has been suspended by the admin C. A pseudo account that has no username and password D. A pseudo account that was created for security administra on purpose

C NULL sessions take advantage of pfeaturesq in the SMB (Server Message Block) protocol that exist primarily for trust rela onships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Using these NULL connec ons allows you to gather the following informa on from the host: * List of users and groups * List of machines * List of shares * Users and host SID' (Security Iden fiers) NULL sessions exist in windows networking to allow: * Trusted domains to enumerate resources * Computers outside the domain to authen cate and enumerate users * The SYSTEM account to authen cate and enumerate resources NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003 will allow anonymous enumera on of shares,but not SAM accounts.

566 Which of the following is an automated vulnerability assessment tool? A. Whack a Mole B. Nmap C. Nessus D. Kismet 194 E. Jill32

C Nessus is a vulnerability assessment tool.

567 John is using a special tool on his Linux pla orm that has a signature database and is therefore able to detect hundred of vulnerabili es in UNIX, Windows, and commonly-used web CGI scripts. Addi onally, the database detects DDoS zombies and Trojans. What would be the name of this mul func onal tool? A. nmap B. hping C. nessus D. make

C Nessus is the world's most popular vulnerability scanner,es mated to be used by over 75,000 organiza ons world- wide. Nmap is mostly used for scanning,not for detec ng vulnerabili es. Hping is a free packet generator and analyzer for the TCP/IP protocol and make is used to automa cally build large applica ons on the *nix pla orm.

753 Which of the following is the best way an a acker can passively learn about technologies used in an organiza on? A. By sending web bugs to key personnel B. By webcrawling the organiza on web site C. By searching regional newspapers and job databases for skill sets technology hires need to possess in the organiza-on D. By performing a port scan on the organiza on's web site

C Note: Sending web bugs,webcrawling their site and port scanning are considered "ac ve" a acks,the ques on asks "passive"

810 A er studying the following log entries, how many user IDs can you iden fy that the a acker has tampered with? 1. mkdir -p /etc/X11/applnk/Internet/.etc 2. mkdir -p /etc/X11/applnk/Internet/.etcpasswd 3. touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd 4. touch -acmr /etc /etc/X11/applnk/Internet/.etc 5. passwd nobody -d 6. /usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash 7. passwd dns -d 8. touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd 9. touch -acmr /etc/X11/applnk/Internet/.etc /etc A. IUSR _ B. acmr,dns C. nobody,dns D. nobody,IUSR _

C Passwd is the command used to modify a user password and it has been used together with the usernames nobody and dns. 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00246.jpg 2. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00429.jpg Latest ECCouncil 312-50v8 Real Exam Download 811-820 (2014-05-12 14:28)

741 Clive has been hired to perform a Black-Box test by one of his clients. How much informa on will Clive obtain from the client before commencing his test? A. IP Range,OS,and patches installed. B. Only the IP address range. C. Nothing but corporate name. D. All that is available from the client site.

C Penetra on tests can be conducted in one of two ways: black-box (with no prior knowledge the infrastructure to be tested) or white-box (with complete knowledge of the infrastructure to be tested). As you might expect,there are conflic ng opinions about this choice and the value that either approach will bring to a project.

727 What are the three phases involved in security tes ng? A. Reconnaissance,Conduct,Report B. Reconnaissance,Scanning,Conclusion C. Prepara on,Conduct,Conclusion D. Prepara on,Conduct,Billing

C Prepara on phase - A formal contract is executed containing non-disclosure of the client's data and legal protec on for the tester. At a minimum,it also lists the IP addresses to be tested and me to test. Conduct phase - In this phase the penetra on test is executed,with the tester looking for poten al vulnerabili es. Conclusion phase - The results of the evalua on are communicated to the pre-defined organiza onal contact,and correc ve ac on is advised.

692 Tess King, the evil hacker, is purposely sending fragmented ICMP packets to a remote target. The total size of this ICMP packet once reconstructed is over 65, 536 bytes. From the informa on given, what type of a ack is Tess King a emp ng to perform? A. Syn flood B. Smurf C. Ping of death D. Fraggle

C Reference: h p://insecure.org/sploits/ping-o-death.html

782 Why do you need to capture five to ten million packets in order to crack WEP with AirSnort? A. All IVs are vulnerable to a ack B. Air Snort uses a cache of packets C. Air Snort implements the FMS a ack and only encrypted packets are counted D. A majority of weak IVs transmi ed by access points and wireless cards are not filtered by contemporary wireless manufacturers

C Since the summer of 2001,WEP cracking has been a trivial but me consuming process. A few tools,AirSnort perhaps the most famous,that implement the Fluhrer-Man n-Shamir (FMS) a ack were released to the security community — who un l then were aware of the problems with WEP but did not have prac cal penetra on tes ng tools. Although simple to use,these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site es mates the total number of packets at five to ten million,but the number actually required may be higher than you think.

803 You have just installed a new Linux file server at your oﬃce. This server is going to be used by several individuals in the organiza on, and unauthorized personnel must not be able to modify any data. 275 What kind of program can you use to track changes to files on the server? A. Network Based IDS (NIDS) B. Personal Firewall C. System Integrity Verifier (SIV) D. Linux IP Chains

C System Integrity Verifiers like Tripwire aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g.,daily) basis,Tripwire can no fy system administrators of corrupted or tampered files,so damage control measures can be taken in a mely manner.

685 Which tool/u lity can help you extract the applica on layer data from each TCP connec on from a log file into separate files? A. Snort B. argus C. TCPflow D. Tcpdump

C Tcpflow is a program that captures data transmi ed as part of TCP connec ons (flows),and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire,but usually doesn't store the data that's actually being transmi ed. In contrast,tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

761 Look at the following SQL query. SELECT * FROM product WHERE PCategory='computers' or 1=1-' What will it return? Select the best answer. A. All computers and all 1 s B. All computers C. All computers and everything else D. Everything except computers

C The 1=1 tells the SQL database to return everything,a simplified statement would be SELECT * FROM product WHERE 1=1 (which will always be true for all columns). Thus,this query will return all computers and everything else. The or 1=1 is a common test to see if a web applica on is vulnerable to a SQL a ack.

779 In order to a ack a wireless network, you put up an access point and override the signal of the real access point. As users send authen ca on data, you are able to capture it. What kind of a ack is this? A. WEP a ack B. Drive by hacking C. Rogue access point a ack D. Unauthorized access point a ack

C The defini on of a Rogue access point is: 1. A wireless access point (AP) installed by an employee without the consent of the IT department. Without the proper security configura on,users have exposed their company's network to the outside world. 2. An access point (AP) set up by an a acker outside a facility with a wireless network. Also called an "evil twin," the rogue AP picks up beacons (signals that adver se its presence) from the company's legi mate AP and transmits iden cal beacons,which some client machines inside the building associate with.

582 An nmap command that includes the host specifica on of 202.176.56-57.* will scan _ _ _ _ _ _ _ number of hosts. A. 2 B. 256 C. 512 D. Over 10,000

C The hosts with IP address 202.176.56.0-255 & 202.176.56.0-255 will be scanned (256+256=512)

736 What are the diﬀerences between SSL and S-HTTP? A. SSL operates at the network layer and S-HTTP operates at the applica on layer 254 B. SSL operates at the applica on layer and S-HTTP operates at the network layer C. SSL operates at the transport layer and S-HTTP operates at the applica on layer D. SSL operates at the applica on layer and S-HTTP operates at the transport layer

C The main diﬀerence between the protocols is the layer at which they operate. SSL operates at the transport layer and mimics the "socket library," while S-HTTP operates at the applica on layer. Encryp on of the transport layer allows SSL to be applica on-independent,while S-HTTP is limited to the specific so ware implemen ng it. The protocols adopt diﬀerent philosophies towards encryp on as well,with SSL encryp ng the en re communica ons channel and S-HTTP encryp ng each message independently.

606 on. Hackers obtaining DNS informa on can discover a on can be used to further exploit the network. You have the SOA presented below in your Zone. Your secondary servers have not been able to contact your primary server to synchronize informa on. How long will the secondary servers a empt to contact the primary server before it considers that zone is dead and stops responding to queries? collegae.edu.SOA, cikkye.edu ipad.college.edu. (200302028 3600 3600 604800 3600) A. One day B. One hour C. One week D. One month

C The numbers represents the following values: 200302028; se = serial number 3600; ref = refresh = 1h 3600; ret = update retry = 1h 604800; ex = expiry = 1w 3600; min = minimum TTL = 1h

541 185 Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company? A. To create a denial of service a ack. B. To verify informa on about the mail administrator and his address. C. To gather informa on about internal hosts used in email treatment. D. To gather informa on about procedures that are in place to deal with such messages.

C The replay from the email server that states that there is no such recipient will also give you some informa on about the name of the email server, versions used and so on.

800 Windump is the windows port of the famous TCPDump packet sniﬀer available on a variety of pla orms. In order to use this tool on the Windows pla orm you must install a packet capture library. What is the name of this library? A. NTPCAP B. LibPCAP C. WinPCAP D. PCAP

C WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applica ons to capture and transmit network packets bypassing the protocol stack,and has addi onal useful features,including kernel-level packet filtering,a network sta s cs engine and support for remote packet capture. 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00245.jpg Latest ECCouncil 312-50v8 Real Exam Download 801-810 (2014-05-12 14:23)

669 You have hidden a Trojan file virus.exe inside another file readme.txt using NTFS streaming. Which command would you execute to extract the Trojan to a standalone file? A. c:> type readme.txt:virus.exe > virus.exe B. c:> more readme.txt | virus.exe > virus.exe C. c:> cat readme.txt:virus.exe > virus.exe D. c:> list redme.txt $virus.exe > virus.exe

C cat will concatenate,or write,the alternate data stream to its own file named virus.exe

822 Why would an ethical hacker use the technique of firewalking? A. It is a technique used to discover wireless network on foot. B. It is a technique used to map routers on a network link. C. It is a technique used to discover the nature of rules configured on a gateway. D. It is a technique used to discover interfaces in promiscuous mode.

C 282 Firewalking uses a traceroute-like IP packet analysis to determine whether or not a par cular packet can pass from the a ackeros host to a des na on host through a packet-filtering device. This technique can be used to map nopeno or npass througho ports on a gateway. More over,it can determine whether packets with various control informa on can pass through a given gateway.

565 What flags are set in a X-MAS scan?(Choose all that apply. A. SYN B. ACK C. FIN D. PSH E. RST F. URG

C,D,F FIN,URG,and PSH are set high in the TCP packet for a X-MAS scan

510 Which of the following LM hashes represents a password of less than 8 characters? A. 0182BD0BD4444BF836077A718CCDF409 B. 44EFCE164AB921CQAAD3B435B51404EE C. BA810DBA98995F1817306D272A9441BB D. CEC52EB9C8E3455DC2265B23734E0DAC E. B757BF5C0D87772FAAD3B435B51404EE F. E52CAC67419A9A224A3B108F3FA6CB6D

C,E Latest ECCouncil 312-50v8 Real Exam Download 511-520 (2014-05-12 11:19)

561 What are the default passwords used by SNMP? (Choose two.) A. Password B. SA C. Private D. Administrator E. Public F. Blank

C,E Besides the fact that it passes informa on in clear text,SNMP also uses well-known passwords. Public and private are the default passwords used by SNMP.

139 You have successfully gained access to a vic m's computer using Windows 2003 Server SMB Vulnerability. Which command will you run to disable audi ng from the cmd? A. stoplog stoplog ? B. EnterPol /nolog C. EventViewer o service D. auditpol.exe /disable

147 NetBIOS over TCP/IP allows files and/or printers to be shared over the network. You are trying to intercept the traﬃc from a vic m machine to a corporate network printer. You are a emp ng to hijack the printer network connec on from your laptop by sniﬃng the wire. Which port does SMB over TCP/IP use? 63 A. 443 B. 139 C. 179 D. 445

154 What is the IV key size used in WPA2? A. 32 B. 24 C. 16 D. 48 E. 128

156 What is the default Password Hash Algorithm used by NTLMv2? A. MD4 B. DES C. SHA-1 66 D. MD5

176 Study the snort rule given below and interpret the rule. alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msG. "mountd access";) A. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and des ned to any IP on port 111 B. An alert is generated when any packet other than a TCP packet is seen on the network and des ned for the 192.168.1.0 subnet C. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet D. An alert is generated when a TCP packet origina ng from any IP address is seen on the network and des ned for any IP address on the 192.168.1.0 subnet on port 111

193 Which of the following encryp on is NOT based on block cipher? A. DES B. Blowfish C. AES (Rijndael) D. RC4

201 To see how some of the hosts on your network react, Winston sends out SYN packets to an IP range. A number of IPs respond with a SYN/ACK response. Before the connec on is established he sends RST packets to those hosts to stop the session. Winston has done this to see how his intrusion detec on system will log the traﬃc. What type of scan is Winston a emp ng here? A. Winston is a emp ng to find live hosts on your company's network by using an XMAS scan. B. He is u lizing a SYN scan to find live hosts that are listening on your network. C. This type of scan he is using is called a NULL scan. D. He is using a half-open scan to find live hosts on your network.

210 Why a ackers use proxy servers? A. To ensure the exploits used in the a acks always flip reverse vectors B. Faster bandwidth performance and increase in a ack speed C. Interrupt the remote vic m's network traﬃc and reroute the packets to a ackers machine D. To hide the source IP address so that an a acker can hack without any legal corollary

216 Hayden is the network security administrator for her company, a large finance firm based in Miami. Hayden just returned from a security conference in Las Vegas where they talked about all kinds of old and new security threats; many of which she did not know of. Hayden is worried about the current security state of her company's network so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network 103 react, she sends out SYN packets to an IP range. A number of IPs responds with a SYN/ACK response. Before the connec on is established she sends RST packets to those hosts to stop the session. She does this to see how her intrusion detec on system will log the traﬃc. What type of scan is Hayden a emp ng here? A. Hayden is a emp ng to find live hosts on her company's network by using an XMAS scan B. She is u lizing a SYN scan to find live hosts that are listening on her network C. The type of scan,she is using is called a NULL scan D. Hayden is using a half-open scan to find live hosts on her network

221 Perimeter tes ng means determining exactly what your firewall blocks and what it allows. To conduct a good test, you can spoof source IP addresses and source ports. Which of the following command results in packets that will appear to originate from the system at 10.8.8.8? Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network. A. hping3 -T 10.8.8.8 -S netbios -c 2 -p 80 B. hping3 -Y 10.8.8.8 -S windows -c 2 -p 80 C. hping3 -O 10.8.8.8 -S server -c 2 -p 80 D. hping3 -a 10.8.8.8 -S springfield -c 2 -p 80

235 Blane is a security analyst for a law firm. One of the lawyers needs to send out an email to a client but he wants to know if the email is forwarded on to any other recipients. The client is explicitly asked not to re-send the email since that would be a viola on of the lawyer's and client's agreement for this par cular case. What can Blane use to accomplish this? A. He can use a split-DNS service to ensure the email is not forwarded on. B. A service such as HTTrack would accomplish this. C. Blane could use MetaGoofil tracking tool. D. Blane can use a service such as ReadNo fy tracking tool.

246 SSL has been seen as the solu on to a lot of common security problems. Administrator will o en me make use of SSL to encrypt communica ons from points A to point B. Why do you think this could be a bad idea if there is an Intrusion Detec on System deployed to monitor the traﬃc between point A and B? A. SSL is redundant if you already have IDS's in place B. SSL will trigger rules at regular interval and force the administrator to turn them oﬀ C. SSL will slow down the IDS while it is breaking the encryp on to see the packet content D. SSL will blind the content of the packet and Intrusion Detec on Systems will not be able to detect them 111

264 Which of the following is a common Service Oriented Architecture (SOA) vulnerability? A. Cross-site scrip ng B. SQL injec on C. VPath injec on D. XML denial of service issues

270 John the Ripper is a technical assessment tool used to test the weakness of which of the following? A. Usernames B. File permissions C. Firewall rulesets D. Passwords

279 Which of the following condi ons must be given to allow a tester to exploit a Cross-Site Request Forgery (CSRF) vul-nerable web applica on? A. The vic m user must open the malicious link with an Internet Explorer prior to version 8. B. The session cookies generated by the applica on do not have the H pOnly flag set. C. The vic m user must open the malicious link with a Firefox prior to version 3. D. The web applica on should not use random tokens.

281 Which tool is used to automate SQL injec ons and exploit a database by forcing a given web applica on to connect to another database controlled by a hacker? A. DataThief B. NetCat C. Cain and Abel D. SQLInjector

285 Passive reconnaissance involves collec ng informa on through which of the following? A. Social engineering B. Network traﬃc sniﬃng C. Man in the middle a acks D. Publicly accessible sources

287 What is the main reason the use of a stored biometric is vulnerable to an a ack? A. The digital representa on of the biometric might not be unique,even if the physical characteris c is unique. B. Authen ca on using a stored biometric compares a copy to a copy instead of the original to a copy. C. A stored biometric is no longer "something you are" and instead becomes "something you have". D. A stored biometric can be stolen and used by an a acker to impersonate the individual iden fied by the biometric.

289 An a acker sniﬀs encrypted traﬃc from the network and is subsequently able to decrypt it. The a acker can now use which cryptanaly c technique to a empt to discover the encryp on key? A. Birthday a ack 122 B. Plaintext a ack C. Meet in the middle a ack D. Chosen ciphertext a ack

291 Which of the following describes a component of Public Key Infrastructure (PKI) where a copy of a private key is stored to provide third-party access and to facilitate recovery opera ons? A. Key registry B. Recovery agent C. Directory D. Key escrow

293 Which of the following processes evaluates the adherence of an organiza on to its stated security policy? A. Vulnerability assessment B. Penetra on tes ng C. Risk assessment D. Security audi ng 123

295 Some passwords are stored using specialized encryp on algorithms known as hashes. Why is this an appropriate method? A. It is impossible to crack hashed user passwords.unless the key used to encrypt them is obtained. B. If a user forgets the password,it can be easily retrieved using the hash key stored by administrators. C. Hashing is faster compared to more tradi onal encryp on algorithms. D. Passwords stored using hashes are non-reversible,making finding the password much more diﬃcult.

296 What is the main disadvantage of the scrip ng languages as opposed to compiled programming languages? A. Scrip ng languages are hard to learn. B. Scrip ng languages are not object-oriented. C. Scrip ng languages cannot be used to create graphical user interfaces. D. Scrip ng languages are slower because they require an interpreter to run the code.

303 Which of the following guidelines or standards is associated with the credit card industry? A. Control Objec ves for Informa on and Related Technology.(COBIT) B. Sarbanes-Oxley Act (SOX) C. Health Insurance Portability and Accountability Act (HIPAA) D. Payment Card Industry Data Security Standards (PCI DSS)

304 An a acker has captured.a target file that is encrypted with.public key cryptography. Which of the.a acks below is likely to be used to crack the target file? A. Timing a ack B. Replay a ack C. Memory trade-oﬀ a ack D. Chosen plain-text a ack

306 How can a rootkit bypass Windows 7 opera ng systemos kernel mode, code signing policy? A. Defea ng the scanner from detec ng any code change at the kernel B. Replacing patch system calls with its own version that hides the rootkit (a acker's) ac ons C. Performing common services for the applica on process and replacing real applica ons with fake ones D. A aching itself to the master boot record in a hard drive and changing the machine's boot sequence/op ons

311 127 A computer technician.is using a new version of a word processing so ware package when.it is.discovered that a special sequence of characters causes the en re computer to crash..The technician.researches the bug and discovers that no one else experienced the problem..What is the appropriate next step? A. Ignore the problem completely and let someone else deal with it. B. Create a document that will crash the computer when opened and send it to friends. C. Find an underground bulle n board and a empt to sell the bug to the highest bidder. D. No fy the vendor of the bug and.do not.disclose it un l the vendor.gets a chance to issue a fix.

314 A corpora on hired an ethical hacker to test if it is possible to obtain users' login creden als using methods other than social engineering. Access to oﬃces and to a network node is granted..Results from server scanning.indicate.all are adequately patched and.physical access is denied, thus, administrators have access only through Remote Desktop. Which technique.could be used to obtain login creden als? A. Capture every users' traﬃc with E ercap. B. Capture LANMAN Hashes and crack them with LC6. C. Guess passwords using Medusa or Hydra against a network service. D. Capture administrators RDP traﬃc and decode it with Cain.and Abel.

315 Which of the following scanning tools is specifically designed to find poten al exploits in Microso Windows products? A. Microso Security Baseline Analyzer 128 B. Re na C. Core Impact D. Microso Baseline Security Analyzer

316 Which of the statements concerning proxy firewalls is correct? A. Proxy firewalls increase the speed and func onality of a network. B. Firewall proxy servers decentralize all ac vity for an applica on. C. Proxy firewalls block network packets from passing to and from a protected network. D. Computers establish a connec on with a proxy firewall which ini ates a new network connec on for the client.

317 Which of the following is an example of two factor authen ca on? A. PIN Number and Birth Date B. Username and Password C. Digital Cer ficate and Hardware Token D. Fingerprint and Smartcard ID

321 For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. While using a digital signature, the message digest is encrypted with which key? A. Sender's public key B. Receiver's private key C. Receiver's public key D. Sender's private key 130

326 What is the main diﬀerence between a pNormalq SQL Injec on and a pBlindq SQL Injec on vulnerability? A. The request to the web server is not visible to the administrator of the vulnerable applica on. B. The a ack is called pBlindq because,although the applica on properly filters user input,it is s ll vulnerable to code injec on. 131 C. The successful a ack does not show an error message to the administrator of the aﬀected applica on. D. The vulnerable applica on does not display errors with informa on about the injec on results to the a acker.

331 When comparing the tes ng methodologies of Open Web Applica on Security Project (OWASP) and Open Source Security Tes ng Methodology Manual (OSSTMM) the main diﬀerence is A. OWASP is for web applica ons and OSSTMM does not include web applica ons. B. OSSTMM is gray box tes ng and.OWASP is black box tes ng. C. OWASP addresses controls and.OSSTMM does not. D. OSSTMM addresses controls and.OWASP does not.

338 The fundamental diﬀerence between symmetric and asymmetric key cryptographic systems is that symmetric key cryptography uses which of the following? A. Mul ple keys for non-repudia on of bulk data B. Diﬀerent keys on both ends of the transport medium C. Bulk encryp on for data transmission over fiber D. The same key on each end of the transmission medium

339 Which command lets a tester enumerate alive systems in a class C.network via ICMP using na ve Windows tools? 134 A. ping 192.168.2. B. ping 192.168.2.255 C. for %V in (1 1 255) do PING 192.168.2. %V D. for /L %V in (1 1 254) do PING -n 1 192.168.2. %V | FIND /I "Reply"

341 Which of the following problems can be solved by using Wireshark? A. Tracking version changes of source code B. Checking crea on dates on all webpages on a server C. Rese ng the administrator password on mul ple systems D. Troubleshoo ng communica on resets between two systems

344 A penetra on tester was hired to perform a penetra on test.for a.bank..The tester began searching for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading news ar cles online about the bank, watching what mes the bank employees come into work and leave from work, searching the bank's job pos ngs (paying special a en on to IT related jobs), and visi ng the local dumpster for the bank's corporate oﬃce. What phase of the penetra on test is the tester currently in? A. Informa on repor ng B. Vulnerability assessment C. Ac ve informa on gathering D. Passive informa on gathering

345 Which of the following is an applica on that requires a host applica on for replica on? A. Micro B. Worm C. Trojan D. Virus

347 What statement is true regarding LM hashes? A. LM hashes consist in 48 hexadecimal characters. B. LM hashes are based on AES128 cryptographic standard. C. Uppercase characters in the password are converted to lowercase. D. LM hashes are not generated when the password length exceeds 15 characters.

348 What is a successful method for protec ng a router from poten al smurf a acks? A. Placing the router in broadcast mode 136 B. Enabling port forwarding on the router C. Installing the router outside of.the network's firewall D. Disabling the router from accep ng broadcast ping messages

357 Which command line switch would be used in.NMAP to perform opera ng system detec on? A. -OS B. -sO C. -sP D. -O

363 How do employers protect assets with security policies pertaining to employee surveillance ac vi es? A. Employers promote monitoring ac vi es of employees as long as the employees demonstrate trustworthiness. B. Employers use informal verbal communica on channels to explain employee monitoring ac vi es to employees. C. Employers use network surveillance to monitor employee email traﬃc,network access,and to record employee keystrokes. D. Employers provide employees wri en.statements that clearly.discuss the boundaries of monitoring ac vi es and consequences.

365 Which of the following parameters enables NMAP's opera ng system detec on feature? 140 A. NMAP -sV B. NMAP -oS C. NMAP -sR D. NMAP -O

368 What is the correct PCAP filter to capture all TCP traﬃc going to or from host 192.168.0.125 on port 25? A. tcp.src == 25 and ip.host == 192.168.0.125 B. host 192.168.0.125:25 C. port 25 and host 192.168.0.125 D. tcp.port == 25 and ip.host == 192.168.0.125

382 While tes ng the company's web applica ons, a tester a empts to insert the following test script into the search area on the company's web sitE. <script>alert(" Tes ng Tes ng Tes ng ")</script> A erwards, when the tester presses the search bu on, a pop-up box appears on the screen with the text: "Tes ng Tes ng Tes ng". Which vulnerability.has been.detected in the web applica on? A. Buﬀer overflow B. Cross-site request forgery C. Distributed denial of service D. Cross-site scrip ng

386 A.network administrator.received an administra ve alert at 3:00 a.m. from the intrusion detec on system. The alert was generated because a large number of packets were coming into the network.over ports 20 and 21. During analysis, there were no signs of a ack on the FTP servers. How should the administrator classify this situa on? A. True nega ves B. False nega ves C. True posi ves D. False posi ves

387 The following is part of a log file taken from the machine on the network with the IP address of 192.168.1.106: Time:Mar 13 17:30:15 Port:20 Source:192.168.1.103 Des na on:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:17 Port:21 Source:192.168.1.103 Des na on:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:19 Port:22 Source:192.168.1.103 Des na on:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:21 Port:23 Source:192.168.1.103 Des na on:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:22 Port:25 Source:192.168.1.103 Des na-on:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:23 Port:80 Source:192.168.1.103 Des na on:192.168.1.106 Protocol:TCP Time:Mar 13 17:30:30 Port:443 Source:192.168.1.103 Des na on:192.168.1.106 Protocol:TCP What type of ac vity has been logged? A. Port scan targe ng 192.168.1.103 B. Teardrop a ack targe ng 192.168.1.106 C. Denial of service a ack targe ng 192.168.1.103 D. Port scan targe ng 192.168.1.106

389 Which of the following se ngs enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity? A. Netstat WMI Scan B. Silent Dependencies C. Consider unscanned ports as closed D. Reduce parallel connec ons on conges on

414 Which.cipher encrypts the plain text digit (bit or byte) one by one? A. Classical cipher B. Block cipher C. Modern cipher D. Stream cipher

417 Which of the following viruses tries to hide from an -virus programs by ac vely altering and corrup ng the chosen service call interrup ons when they are being run? A. Cavity virus B. Polymorphic virus C. Tunneling virus D. Stealth virus

419 Which of the following techniques does a vulnerability scanner.use in order to detect a vulnerability on a target ser-vice? A. Port scanning B. Banner grabbing C. Injec ng arbitrary data D. Analyzing service response

433 An NMAP scan of a server shows port 25.is open..What risk could this pose? A. Open printer sharing B. Web portal data leak C. Clear text authen ca on D. Ac ve mail relay

435 An.a acker uses a communica on channel within an opera ng system that is neither designed nor intended to trans-fer informa on. What is the name of the communica ons channel? A. Classified B. Overt C. Encrypted D. Covert

437 What is the primary drawback to using advanced encryp on standard (AES) algorithm with a 256 bit key to share sensi ve data? A. Due to the key size,the me it will take to encrypt and decrypt the message hinders eﬃcient communica on. 157 B. To get messaging programs to func on with this algorithm requires complex configura ons. C. It has.been proven to be a weak cipher; therefore,should not be trusted to protect sensi ve data. D. It.is a symmetric key algorithm,meaning each recipient must receive the key through a diﬀerent channel than the message.

442 A penetra on tester is hired to do a risk assessment of a company's DMZ..The rules of engagement states that the.penetra on test be done from an external IP address with no prior knowledge of the internal IT systems..What kind of test is being performed? A. white box B. grey box C. red box D. black box

445 An organiza on hires a tester to do a wireless penetra on test..Previous reports indicate that the last test did not contain management or control packets in the submi ed traces..Which of the following is the most likely reason for lack of management or control packets? A. The wireless card was not turned on. B. The wrong network card drivers were in use by Wireshark. C. On Linux and Mac OS X,only.802.11 headers are received in promiscuous mode. 159 D. Certain opera ng systems and adapters do not collect the management or control packets.

449 Which of the following descrip ons is true about a sta c NAT? A. A sta c NAT uses a many-to-many mapping. B. A sta c NAT uses a one-to-many mapping. C. A sta c NAT uses a many-to-one mapping. D. A sta c NAT uses a one-to-one mapping.

455 During a.penetra on test, a tester finds a target that is running MS SQL 2000 with default creden als..The tester assumes that the service is running with Local System account. How can.this weakness be exploited to access the system? A. Using the Metasploit psexec module se ng the SA / Admin creden al B. Invoking the stored procedure xp _shell to spawn a Windows command shell C. Invoking the stored procedure cmd _shell to spawn a Windows command shell D. Invoking the stored procedure xp _cmdshell to spawn a Windows command shell

473 Which technical characteris c do Ethereal/Wireshark, TCPDump, and Snort have in common? A. They are wri en in Java. B. They send alerts to security monitors. C. They use the same packet analysis engine. D. They use the same packet capture u lity.

479 What are the three types of compliance that the.Open Source Security Tes ng Methodology Manual (OSSTMM) rec-ognizes? A. Legal,performance,audit B. Audit,standards based,regulatory C. Contractual,regulatory,industry D. Legisla ve,contractual,standards based

481 Which of the following.business challenges.could be.solved by using a vulnerability scanner? A. Auditors want to discover if all systems are following a standard naming conven on. B. A web server was compromised and management needs to know if any further systems were compromised. C. There is an emergency need to remove administrator access from mul ple machines for an employee that quit. D. There is a monthly requirement to test corporate compliance with host applica on usage and security policies.

483 If an e-commerce site was put into a live environment and the programmers failed to remove the secret entry point that was used during the applica on development, what is this secret entry point known as? A. SDLC process B. Honey pot C. SQL injec on D. Trap door

498 A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metas-ploit? A. Issue the pivot exploit and set the meterpreter. B. Reconfigure the network se ngs in the meterpreter. C. Set the payload to propagate through the meterpreter. D. Create a route statement in the meterpreter.

499 A company has hired a security administrator to maintain.and administer Linux and Windows-based systems. Wri en in the nightly report file is the followinG. Firewall log files are at the expected value of 4 MB. The current me is 12am. Exactly two hours later the size has decreased considerably. Another hour goes by and the log files have shrunk in size again. Which of the following ac ons should the security administrator take? A. Log the event as suspicious ac vity and report this behavior to the incident response team immediately. B. Log the event as suspicious ac vity,call a manager,and report this as soon as possible. C. Run an an -virus scan because it is likely the system is infected by malware. D. Log the event as suspicious ac vity,con nue to inves gate,and.act according to the site's security policy.

576 Sandra is the security administrator of XYZ.com. One day she no ces that the XYZ.com Oracle database server has been compromised and customer informa on along with financial data has been stolen. The financial loss will be es mated in millions of dollars if the database gets into the hands of compe tors. Sandra wants to report this crime to the law enforcement agencies immediately. Which organiza on coordinates computer crime inves ga ons throughout the United States? A. NDCA B. NICP C. CIRP D. NPC E. CIA

What type of session hijacking a ack is shown in the exhibit? A. Cross-site scrip ng A ack B. SQL Injec on A ack C. Token sniﬃng A ack D. Session Fixa on A ack

793 One of the be er features of NetWare is the use of packet signature that includes cryptographic signatures. The packet signature mechanism has four levels from 0 to 3. In the list below which of the choices represent the level that forces NetWare to sign all packets? A. 0 (zero) B. 1 C. 2 D. 3

D 0Server does not sign packets (regardless of the client level). 1Server signs packets if the client is capable of signing (client level is 2 or higher). 2Server signs packets if the client is capable of signing (client level is 1 or higher). 3Server signs packets and requires all clients to sign packets or logging in will fail.

715 Which is the right sequence of packets sent during the ini al TCP three way handshake? A. FIN,FIN-ACK,ACK B. SYN,URG,ACK C. SYN,ACK,SYN-ACK D. SYN,SYN-ACK,ACK

D A TCP connec on always starts with a request for synchroniza on,a SYN,the reply to that would be another SYN together with a ACK to acknowledge that the last package was delivered successfully and the last part of the three way handshake should be only an ACK to acknowledge that the SYN reply was recived.

813 Ron has configured his network to provide strong perimeter security. As part of his network architecture, he has included a host that is fully exposed to a ack. The system is on the public side of the demilitarized zone, unprotected by a firewall or filtering router. What would you call such a host? A. Honeypot B. DMZ host C. DWZ host D. Bas on Host

D A bas on host is a gateway between an inside network and an outside network. Used as a security measure,the bas on host is designed to defend against a acks aimed at the inside network. Depending on a network's complexity and configura on,a single bas on host may stand guard by itself,or be part of a larger security system with diﬀerent layers of protec on.

649 You have retrieved the raw hash values from a Windows 2000 Domain Controller. Using social engineering, you come to know that they are enforcing strong passwords. You understand that all users are required to use passwords that are at least 8 characters in length. All passwords must also use 3 of the 4 following categories: lower case le ers, capital le ers, numbers and special characters. With your exis ng knowledge of users, likely user account names and the possibility that they will choose the easiest passwords possible, what would be the fastest type of password cracking a ack you can run against these hash values and s ll get results? 224 A. Online A ack B. Dic onary A ack C. Brute Force A ack D. Hybrid A ack

D A dic onary a ack will not work as strong passwords are enforced,also the minimum length of 8 characters in the password makes a brute force a ack me consuming. A hybrid a ack where you take a word from a dic onary and exchange a number of le ers with numbers and special characters will probably be the fastest way to crack the passwords.

787 269 What is the best means of preven on against viruses? A. Assign read only permission to all files on your system. B. Remove any external devices such as floppy and USB connectors. C. Install a rootkit detec on tool. D. Install and update an -virus scanner.

D Although virus scanners only can find already known viruses this is s ll the best defense,together with users that are informed about risks with the internet.

659 Which of the following keyloggers cannot be detected by an -virus or an -spyware products? A. Covert keylogger B. Stealth keylogger C. So ware keylogger D. Hardware keylogger

D As the hardware keylogger never interacts with the Opera ng System it is undetectable by an -virus or an -spyware products.

704 A Buﬀer Overflow a ack involves: A. Using a trojan program to direct data traﬃc to the target host's memory stack B. Flooding the target network buﬀers with data traﬃc to reduce the bandwidth available to legi mate users C. Using a dic onary to crack password buﬀers by guessing user names and passwords D. Poorly wri en so ware that allows an a acker to execute arbitrary code on a target system

D B is a denial of service. By flooding the data buﬀer in an applica on with trash you could get access to write in the code segment in the applica on and that way insert your own code.

821 Which one of the following a acks will pass through a network layer intrusion detec on system undetected? A. A teardrop a ack B. A SYN flood a ack C. A DNS spoofing a ack D. A test.cgi a ack

D Because a network-based IDS reviews packets and headers,it can also detect denial of service (DoS) a acks Not A or B: The following sec ons discuss some of the possible DoS a acks available. Smurf Fraggle SYN Flood Teardrop DNS DoS A acksq

848 What is a primary advantage a hacker gains by using encryp on or programs such as Loki? A. It allows an easy way to gain administrator rights B. It is eﬀec ve against Windows computers C. It slows down the eﬀec ve response of an IDS D. IDS systems are unable to decrypt it E. Traﬃc will not be modified in transit

D Because the traﬃc is encrypted,an IDS cannot understand it or evaluate the payload.

781 Derek has stumbled upon a wireless network and wants to assess its security. However, he does not find enough traﬃc for a good capture. He intends to use AirSnort on the captured traﬃc to crack the WEP key and does not know the IP address range or the AP. How can he generate traﬃc on the network so that he can capture enough packets to crack the WEP key? A. Use any ARP requests found in the capture B. Derek can use a session replay on the packets captured C. Derek can use KisMAC as it needs two USB devices to generate traﬃc D. Use E ercap to discover the gateway and ICMP ping flood tool to generate traﬃc

D By forcing the network to answer to a lot of ICMP messages you can gather enough packets to crack the WEP key.

836 While examining a log report you find out that an intrusion has been a empted by a machine whose IP address is displayed as 0xde.0xad.0xbe.0xef. It looks to you like a hexadecimal number. You perform a ping 0xde.0xad.0xbe.0xef. Which of the following IP addresses will respond to the ping and hence will likely be responsible for the intrusion? A. 192.10.25.9 B. 10.0.3.4 C. 203.20.4.5 D. 222.273.290.239

D Convert the hex number to binary and then to decimal.

750 Ivan is audi ng a corporate website. Using Winhex, he alters a cookie as shown below. Before Altera on: Cookie: lang=en-us; ADMIN=no; y=1 ; me=10:30GMT ; A er Altera on: Cookie: lang=en-us; ADMIN=yes; y=1 ; me=12:30GMT ; What a ack is being depicted here? A. Cookie Stealing B. Session Hijacking C. Cross Site Scrip ng D. Parameter Manipula on

D Cookies are the preferred method to maintain state in the stateless HTTP protocol. They are however also used as a convenient mechanism to store user preferences and other data including session tokens. Both persistent and non-persistent cookies,secure or insecure can be modified by the client and sent to the server with URL requests. Therefore any malicious user can modify cookie content to his advantage. There is a popular misconcep on that non-persistent cookies cannot be modified but this is not true; tools like Winhex are freely available. SSL also only protects the cookie in transit. Latest ECCouncil 312-50v8 Real Exam Download 751-760 (2014-05-12 14:11)

697 A denial of Service (DoS) a ack works on the following principle: A. MS-DOS and PC-DOS opera ng system u lize a weaknesses that can be compromised and permit them to launch an a ack easily. B. All CLIENT systems have TCP/IP stack implementa on weakness that can be compromised and permit them to lunch an a ack easily. C. Overloaded buﬀer systems can easily address error condi ons and respond appropriately. 241 D. Host systems cannot respond to real traﬃc,if they have an overwhelming number of incomplete connec ons (SYN/RCVD State). E. A server stops accep ng connec ons from certain networks one those network become flooded.

D Denial-of-service (o en abbreviated as DoS) is a class of a acks in which an a acker a empts to prevent legi mate users from accessing an Internet service,such as a web site.This can be done by exercising a so ware bug that causes the so ware running the service to fail (such as the pPing of Deathq a ack against Windows NT systems),sending enough data to consume all available network bandwidth (as in the May,2001 a acks against Gibson Research),or sending data in such a way as to consume a par cular resource needed by the service.

571 Des na on unreachable administra vely prohibited messages can inform the hacker to what? A. That a circuit level proxy has been installed and is filtering traﬃc B. That his/her scans are being blocked by a honeypot or jail C. That the packets are being malformed by the scanning so ware D. That a router or other packet-filtering device is blocking traﬃc E. That the network is func oning normally

D Des na on unreachable administra vely prohibited messages are a good way to discover that a router or other low-level packet device is filtering traﬃc. Analysis of the ICMP message will reveal the IP address of the blocking device and the filtered port. This further adds the to the network map and informa on being discovered about the network and hosts.

670 You suspect that your Windows machine has been compromised with a Trojan virus. When you run an -virus so ware it does not pick of the Trojan. Next you run netstat command to look for open ports and you no ce a strange port 6666 open. What is the next step you would do? A. Re-install the opera ng system. B. Re-run an -virus so ware. C. Install and run Trojan removal so ware. D. Run u lity fport and look for the applica on executable that listens on port 6666.

D Fport reports all open TCP/IP and UDP ports and maps them to the owning applica on. This is the same informa on you would see using the 'netstat -an' command,but it also maps those ports to running processes with the PID,process name and path. Fport can be used to quickly iden fy unknown open ports and their associated applica ons Latest ECCouncil 312-50v8 Real Exam Download 681-690 (2014-05-12 14:01)

726 You are gathering compe ve intelligence on XYZ.com. You no ce that they have jobs listed on a few Internet job-hun ng sites. There are two job pos ngs for network and system administrators. How can this help you in footprint the organiza on? 247 A. The IP range used by the target network B. An understanding of the number of employees in the company C. How strong the corporate security policy is D. The types of opera ng systems and applica ons being used.

D From job pos ng descrip ons one can see which is the set of skills,technical knowledge,system experience re-quired,hence it is possible to argue what kind of opera ng systems and applica ons the target organiza on is using.

673 Jason's Web server was a acked by a trojan virus. He runs protocol analyzer and no ces that the trojan communicates to a remote server on the Internet. Shown below is the standard "hexdump" representa on of the network packet, before being decoded. Jason wants to iden fy the trojan by looking at the des na on port number and mapping to a trojan-port number database on the Internet. Iden fy the remote server's port number by decoding the packet? A. Port 1890 (Net-Devil Trojan) B. Port 1786 (Net-Devil Trojan) C. Port 1909 (Net-Devil Trojan) D. Port 6667 (Net-Devil Trojan)

D From trace,0x1A0B is 6667,IRC Relay Chat,which is one port used. Other ports are in the 900 s.

532 NSLookup is a good tool to use to gain addi onal informa on about a target network. What does the following command accomplish? nslookup > server <ipaddress> > set type =any > ls -d <target.com> A. Enables DNS spoofing B. Loads bogus entries into the DNS table C. Verifies zone security D. Performs a zone transfer E. Resets the DNS cache

D If DNS has not been properly secured,the command sequence displayed above will perform a zone transfer.

550 An Nmap scan shows the following open ports, and nmap also reports that the OS guessing results to match too many signatures hence it cannot reliably be iden fied: 21 p 23 telnet 80 h p 443 h ps What does this suggest? A. This is a Windows Domain Controller B. The host is not firewalled C. The host is not a Linux or Solaris system D. The host is not properly patched

D If the answer was A nmap would guess it,it holds the MS signature database,the host not being firewalled makes no diﬀerence.The host is not linux or solaris,well it very well could be. The host is not properly patched? That is the closest; nmaps OS detec on architecture is based solely oﬀ the TCP ISN issued by the opera ng systems TCP/IP stack,if the stack is modified to show output from randomized ISN's or if your using a program to change the ISN then OS detec on will fail. If the TCP/IP IP ID's are modified then os detec on could also fail,because the machine would most likely come back as being down.

826 283 While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. What can you infer from this observa on? A. They are using Windows based web servers. B. They are using UNIX based web servers. C. They are not using an intrusion detec on system. D. They are not using a stateful inspec on firewall.

D If they used a stateful inspec on firewall this firewall would know if there has been a SYN-ACK before the ACK.

651 What is GINA? A. Gateway Interface Network Applica on B. GUI Installed Network Applica on CLASS C. Global Internet Na onal Authority (G-USA) D. Graphical Iden fica on and Authen ca on DLL

D In compu ng,GINA refers to the graphical iden fica on and authen ca on library,a component of some Microso Windows opera ng systems that provides secure authen ca on and interac ve logon services.

684 Bob wants to prevent a ackers from sniﬃng his passwords on the wired network. Which of the following lists the best op ons? A. RSA,LSA,POP B. SSID,WEP,Kerberos C. SMB,SMTP,Smart card D. Kerberos,Smart card,Stanford SRP

D Kerberos,Smart cards and Stanford SRP are techniques where the password never leaves the computer.

794 Which is the Novell Netware Packet signature level used to sign all packets ? A. 0 B. 1 C. 2 D. 3

D Level 0 is no signature,Level 3 is communica on using signature only.

808 John is discussing security with Jane. Jane had men oned to John earlier that she suspects an LKM has been installed on her server. She believes this is the reason that the server has been ac ng erra cally lately. LKM stands for Loadable Kernel Module. What does this mean in the context of Linux Security? A. Loadable Kernel Modules are a mechanism for adding func onality to a file system without requiring a kernel recompila on. B. Loadable Kernel Modules are a mechanism for adding func onality to an opera ng-system kernel a er it has been recompiled and the system rebooted. C. Loadable Kernel Modules are a mechanism for adding audi ng to an opera ng-system kernel without requiring a kernel recompila on. D. Loadable Kernel Modules are a mechanism for adding func onality to an opera ng-system kernel without requiring a kernel recompila on.

D Loadable Kernel Modules,or LKM,are object files that contain code to extend the running kernel,or so-called base kernel,without the need of a kernel recompila on. Opera ng systems other than Linux,such as BSD systems,also provide support for LKM's. However,theLinux kernel generally makes far greater and more versa le use of LKM's than 277 other systems. LKM's are typically used to add support for new hardware,filesystems or for adding system calls. When the func onality provided by an LKM is no longer required,it can be unloaded,freeing memory.

594 Which address transla on scheme would allow a single public IP address to always correspond to a single machine on an internal network, allowing "server publishing"? A. Overloading Port Address Transla on B. Dynamic Port Address Transla on C. Dynamic Network Address Transla on D. Sta c Network Address Transla on

D Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Par cularly useful when a device needs to be accessible from outside the network.

588 Why would an a acker want to perform a scan on port 137? A. To discover proxy servers on a network B. To disrupt the NetBIOS SMB service on the target host C. To check for file and print sharing on Windows systems D. To discover informa on about a target host using NBTSTAT

D Microso encapsulates netbios informa on withinTCP/Ip using ports 135-139.It is trivial for an a acker to issue the-following command: nbtstat -A (your Ip address) Fromtheir windows machine and collect informa on about your windowsmachine (if you are not blocking traﬃc to port 137 at your borders).

549 John has scanned the web server with NMAP. However, he could not gather enough informa on to help him iden fy the opera ng system running on the remote host accurately. What would you suggest to John to help iden fy the OS that is being used on the remote web server? 188 A. Connect to the web server with a browser and look at the web page. B. Connect to the web server with an FTP client. C. Telnet to port 8080 on the web server and look at the default page code. D. Telnet to an open port and grab the banner.

D Most people donot care about changing the banners presented by applica ons listening to open ports and there-fore you should get fairly accurate informa on when grabbing banners from open ports with,for example,a telnet applica on.

619 Null sessions are un-authen cated connec ons (not using a username or password.) to an NT or 2000 system. Which TCP and UDP ports must you filter to check null sessions on your network? A. 137 and 139 B. 137 and 443 C. 139 and 443 D. 139 and 445

D NULL sessions take advantage of pfeaturesq in the SMB (Server Message Block) protocol that exist primarily for trust rela onships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Primarily the following ports are vulnerable if they are accessible:

650 An a acker runs netcat tool to transfer a secret file between two hosts. Machine A: netcat -l -p 1234 < secre ile Machine B: netcat 192.168.3.4 > 1234 He is worried about informa on being sniﬀed on the network. How would the a acker use netcat to encrypt the informa on before transmi ng onto the wire? A. Machine A: netcat -l -p -s password 1234 < tes ile Machine B: netcat <machine A IP> 1234 B. Machine A: netcat -l -e magickey -p 1234 < tes ile Machine B: netcat <machine A IP> 1234 C. Machine A: netcat -l -p 1234 < tes ile -pw password Machine B: netcat <machine A IP> 1234 -pw password D. Use cryptcat instead of netcat

D Netcat cannot encrypt the file transfer itself but would need to use a third party applica on to encrypt/decrypt like openssl. Cryptcat is the standard netcat enhanced with twofish encryp on. Latest ECCouncil 312-50v8 Real Exam Download 651-660 (2014-05-12 13:58)

613 What did the following commands determine? C: user2sid earth guest S-1-5-21-343818398-789336058-1343024091-501 C:sid2user 5 21 343818398 789336058 1343024091 500 Name is Joe Domain is EARTH A. That the Joe account has a SID of 500 B. These commands demonstrate that the guest account has NOT been disabled C. These commands demonstrate that the guest account has been disabled D. That the true administrator is Joe E. Issued alone,these commands prove nothing

D One important goal of enumera on is to determine who the true administrator is. In the example above,the true administrator is Joe.

580 Neil no ces that a single address is genera ng traﬃc from its port 500 to port 500 of several other machines on the network. This scan is ea ng up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan? A. It is a network fault and the origina ng machine is in a network loop B. It is a worm that is malfunc oning or hardcoded to scan on port 500 C. The a acker is trying to detect machines on the network which have SSL enabled D. The a acker is trying to determine the type of VPN implementa on and checking for IPSec

D Port 500 is used by IKE (Internet Key Exchange). This is typically used for IPSEC-based VPN so ware,such as Freeswan,PGPnet,and various vendors of in-a-box VPN solu ons such as Cisco. IKE is used to set up the session keys. The actual session is usually sent with ESP (Encapsulated Security Payload) packets,IP protocol 50 (but some in-a-box VPN's such as Cisco are capable of nego a ng to send the encrypted tunnel over a UDP channel,which is useful for use across firewalls that block IP protocols other than TCP or UDP). 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00235.jpg 2. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00426.jpg 3. 199 Latest ECCouncil 312-50v8 Real Exam Download 581-590 (2014-05-12 13:49)

718 How would you prevent session hijacking a acks? A. Using biometrics access tokens secures sessions against hijacking B. Using non-Internet protocols like h p secures sessions against hijacking C. Using hardware-based authen ca on secures sessions against hijacking D. Using unpredictable sequence numbers secures sessions against hijacking

D Protec on of a session needs to focus on the unique session iden fier because it is the only thing that dis nguishes users. If the session ID is compromised,a ackers canimpersonate other users on the system. The first thing is to ensure that the sequence of iden fica on numbers issued by the session management system is unpredictable; otherwise,it's trivial to hijack another user's session. Having a large number of possible session IDs (meaning that they should be very long) means that there are a lot more permuta ons for an a acker to try.

546 You are scanning into the target network for the first me. You find very few conven onal ports open. When you a empt to perform tradi onal service iden fica on by connec ng to the open ports, it yields either unreliable or 187 no results. You are unsure of which protocols are being used. You need to discover as many diﬀerent protocols as possible. Which kind of scan would you use to achieve this? (Choose the best answer) A. Nessus scan with TCP based pings. B. Nmap scan with the ɃsP (Ping scan) switch. C. Netcat scan with the Ƀu Ƀe switches. D. Nmap with the ɃsO (Raw IP packets) switch.

D Running Nmap with the ɃsO switch will do a IP Protocol Scan. The IP protocol scan is a bit diﬀerent than the other nmap scans. The IP protocol scan is searching for addi onal IP protocols in use by the remote sta on,such as ICMP,TCP,and UDP. If a router is scanned,addi onal IP protocols such as EGP or IGP may be iden fied.

624 Why would you consider sending an email to an address that you know does not exist within the company you are performing a Penetra on Test for? A. To determine who is the holder of the root account B. To perform a DoS C. To create needless SPAM D. To illicit a response back that will reveal informa on about email servers and how they treat undeliverable mail E. To test for virus protec on

D Sending a bogus email is one way to find out more about internal servers. Also, to gather addi onal IP addresses and learn how they treat mail.

677 Erik no ces a big increase in UDP packets sent to port 1026 and 1027 occasionally. He enters the following at the command prompt. $ nc -l -p 1026 -u -v In response, he sees the following message. cell(?(c)????STOPALERT77STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION. Windows has found 47 Cri cal Errors. To fix the errors please do the following: 1. Download Registry Repair from: www.reg-patch.com 2. Install Registry Repair 3. Run Registry Repair 4. Reboot your computer FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION! What would you infer from this alert? A. The machine is redirec ng traﬃc to www.reg-patch.com using adware B. It is a genuine fault of windows registry and the registry needs to be backed up C. An a acker has compromised the machine and backdoored ports 1026 and 1027 D. It is a messenger spam. Windows creates a listener on one of the low dynamic ports from 1026 to 1029 and the message usually promotes malware disguised as legi mate u li es 230

D The "net send" Messenger service can be used by unauthorized users of your computer,without gaining any kind of privileged access,to cause a pop-up window to appear on your computer. Lately,this feature has been used by unsolicited commercial adver sers to inform many campus users about a "university diploma service"...

788 Melissa is a virus that a acks Microso Windows pla orms. To which category does this virus belong? A. Polymorphic B. Boot Sector infector C. System D. Macro

D The Melissa macro virus propagates in the form of an email message containing an infected Word document as an a achment.

590 Sandra has been ac vely scanning the client network on which she is doing a vulnerability assessment test. While conduc ng a port scan she no ces open ports in the range of 135 to 139. What protocol is most likely to be listening on those ports? A. Finger B. FTP C. Samba D. SMB

D The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP),which used the famous ports 137,138 (UDP) and 139 (TCP). In Windows 2000,Microso added the possibility to run SMB directly over TCP/IP,without the extra layer of NBT. For this they use TCP port 445. 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00236.jpg 2. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00427.jpg 3. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00618.jpg 4. 203 Latest ECCouncil 312-50v8 Real Exam Download 591-600 (2014-05-12 13:51)

597 One of your team members has asked you to analyze the following SOA record. What is the TTL? Rutgers.edu.SOA NS1.Rutgers.edu ipad.college.edu (200302028 3600 3600 604800 2400. A. 200303028 B. 3600 C. 604800 D. 2400 E. 60 F. 4800

D The SOA includes a meout value. This value can tell an a acker how long any DNS "poisoning" would last. It is the last set of numbers in the record.

743 Jim is having no luck performing a penetra on test in XYZos network. He is running the tests from home and has downloaded every security scanner that he could lay his hands on. Despite knowing the IP range of all the systems, and the exact network configura on, Jim is unable to get any useful results. Why is Jim having these problems? A. Security scanners are not designed to do tes ng through a firewall. B. Security scanners cannot perform vulnerability linkage. C. Security scanners are only as smart as their database and cannot find unpublished vulnerabili es. D. All of the above.

D The Security scanners available online are o en to poutdatedq to perform a live pentest against a vic m.

574 Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by and IDS? A. SYN scan B. ACK scan C. RST scan D. Connect scan E. FIN scan

D The TCP full connect (-sT) scan is the most reliable.

772 While probing an organiza on you discover that they have a wireless network. From your a empts to connect to the WLAN you determine that they have deployed MAC filtering by using ACL on the access points. What would be the easiest way to circumvent and communicate on the WLAN? A. A empt to crack the WEP key using Airsnort. B. A empt to brute force the access point and update or delete the MAC ACL. C. Steel a client computer and use it to access the wireless network. D. Sniﬀ traﬃc if the WLAN and spoof your MAC address to one that you captured.

D The easiest way to gain access to the WLAN would be to spoof your MAC address to one that already exists on the network.

548 You are having problems while retrieving results a er performing port scanning during internal tes ng. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned shows all ports open. Which one of the following statements is probably true? A. The systems have all ports open. B. The systems are running a host based IDS. C. The systems are web servers. D. The systems are running Windows.

D The null scan turns oﬀ all flags,crea ng a lack of TCP flags that should never occur in the real world. If the port is closed,a RST frame should be returned and a null scan to an open port results in no response. Unfortunately Microso (like usual) decided to completelyignore the standard and do things their own way. Thus this scan type will not work against systems running Windows as they choose not to response at all. This is a good way to dis nguish that the system being scanned is running Microso Windows.

595 What is the following command used for? net use targe pc $ "" /u:"" A. Grabbing the etc/passwd file B. Grabbing the SAM C. Connec ng to a Linux computer through Samba. D. This command is used to connect as a null session E. Enumera on of Cisco routers

D The null session is one of the most debilita ng vulnerabili es faced by Windows. 205 Null sessions can be established through port 135,139,and 445.

674 Which of the following Netcat commands would be used to perform a UDP scan of the lower 1024 ports? A. Netcat -h -U B. Netcat -hU <host(s.> C. Netcat -sU -p 1-1024 <host(s.> D. Netcat -u -v -w2 <host> 1-1024 E. Netcat -sS -O target/1024

D The proper syntax for a UDP scan using Netcat is "Netcat -u -v -w2 <host> 1-1024". Netcat is considered the Swiss-army knife of hacking tools because it is so versa le. 229

809 Which of the following snort rules look for FTP root login a empts? A. alert tcp -> any port 21 (msg:"user root";) B. alert tcp -> any port 21 (message:"user root";) C. alert p -> p (content:"user password root";) D. alert tcp any any -> any any 21 (content:"user root";)

D The snort rule header is built by defining ac on (alert),protocol (tcp),from IP subnet port (any any),to IP subnet port (any any 21),Payload Detec on Rule Op ons (content:quser rootq;)

608 A zone file consists of which of the following Resource Records (RRs)? A. DNS,NS,AXFR,and MX records B. DNS,NS,PTR,and MX records C. SOA,NS,AXFR,and MX records D. SOA,NS,A,and MX records

D The zone file typically contains the following records: SOA Ƀ Start Of Authority NS Ƀ Name Server record MX Ƀ Mail eXchange record A Ƀ Address record

581 A distributed port scan operates by: A. Blocking access to the scanning clients by the targeted host B. Using denial-of-service so ware against a range of TCP ports C. Blocking access to the targeted host by each of the distributed scanning clients D. Having mul ple computers each scan a small number of ports,then correla ng the results

D Think of dDoS (distributed Denial of Service) where you use a large number of computers to create simultaneous traﬃc against a vic m in order to shut them down.

625 What tool can crack Windows SMB passwords simply by listening to network traﬃc? Select the best answer. A. This is not possible B. Netbus C. NTFSDOS D. L0phtcrack

D This is possible with a SMB packet capture module for L0phtcrack and a known weaknesses in the LM hash algorithm.

758 Your boss Tess King is a emp ng to modify the parameters of a Web-based applica on in order to alter the SQL statements that are parsed to retrieve data from the database. What would you call such an a ack? A. SQL Input a ack B. SQL Piggybacking a ack C. SQL Select a ack D. SQL Injec on a ack

D This technique is known as SQL injec on a ack

834 Sta s cs from cert.org and other leading security organiza ons has clearly showed a steady rise in the number of hacking incidents perpetrated against companies. 286 What do you think is the main reason behind the significant increase in hacking a empts over the past years? A. It is ge ng more challenging and harder to hack for non technical people. B. There is a phenomenal increase in processing power. C. New TCP/IP stack features are constantly being added. D. The ease with which hacker tools are available on the Internet.

D Today you donot need to be a good hacker in order to break in to various systems,all you need is the knowledge to use search engines on the internet.

676 A file integrity program such as Tripwire protects against Trojan horse a acks by: A. Automa cally dele ng Trojan horse programs B. Rejec ng packets generated by Trojan horse programs C. Using programming hooks to inform the kernel of Trojan horse behavior D. Helping you catch unexpected changes to a system u lity file that might indicate it had been replaced by a Trojan horse

D Tripwire generates a database of the most common files and directories on your system. Once it is generated,you can then check the current state of your system against the original database and get a report of all the files that have been modified,deleted or added. This comes in handy if you allow other people access to your machine and even if you don't,if someone else does get access,you'll know if they tried to modify files such as /bin/login etc.

699 What is the term 8 to describe an a ack that falsifies a broadcast ICMP echo request and includes a primary and secondary vic m? A. Fraggle A ack B. Man in the Middle A ack C. Trojan Horse A ack D. Smurf A ack E. Back Orifice A ack

D Trojan and Back orifice are Trojan horse a acks.Man in the middle spoofs the Ip and redirects the victems packets to the cracker The infamous Smurf a ack. preys on ICMP's capability to send traﬃc to the broadcast address. Many 242 hosts can listen and respond to a single ICMP echo request sent to a broadcast address. Network Intrusion Detec on third Edi on by Stephen Northcu and Judy Novak pg 70 The "smurf" a ack's cousin is called "fraggle",which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf".

703 What would best be defined as a security test on services against a known vulnerability database using an automated tool? A. A penetra on test B. A privacy review C. A server audit D. A vulnerability assessment

D Vulnerability assessment is the process of iden fying and quan fying vulnerabili es in a system. The system being studied could be a physical facility like a nuclear power plant,a computer system,or a larger system (for example the communica ons infrastructure or water infrastructure of a region).

652 Fingerprin ng an Opera ng System helps a cracker because: A. It defines exactly what so ware you have installed 225 B. It opens a security-delayed window based on the port being scanned C. It doesn't depend on the patches that have been applied to fix exis ng security holes D. It informs the cracker of which vulnerabili es he may be able to exploit on your system

D When a cracker knows what OS and Services you use he also knows which exploits might work on your system. If he would have to try all possible exploits for all possible Opera ng Systems and Services it would take too long me and the possibility of being detected increases.

827 You are the security administrator for a large network. You want to prevent a ackers from running any sort of tracer-oute into your DMZ and discover the internal structure of publicly accessible areas of the network. How can you achieve this? A. Block ICMP at the firewall. B. Block UDP at the firewall. C. Both A and B. D. There is no way to completely block doing a trace route into this area.

D When you run a traceroute to a target network address,you send a UDP packet with one me to live (TTL) to the target address. The first router this packet hits decreases the TTL to 0 and rejects the packet. Now the TTL for the packet is expired. The router sends back an ICMP message type 11 (Exceeded) code 0 (TTL-Exceeded) packet to your system with a source address. Your system displays the round-trip me for that first hop and sends out the next UDP packet with a TTL of 2. This process con nues un l you receive an ICMP message type 3 (Unreachable) code 3 (Port-Unreachable) from the des na on system. Traceroute is completed when your machine receives a Port-Unreachable message. If you receive a message with three asterisks [* * *] during the traceroute,a router in the path doesn't return ICMP messages. Traceroute will con nue to send UDP packets un l the des na on is reached or the maximum number of hops is exceeded.

797 Pandora is used to a ack _ _ _ _ _ _ _ _ _ _ network opera ng systems. A. Windows B. UNIX C. Linux D. Netware E. MAC OS

D While there are not lots of tools available to a ack Netware,Pandora is one that can be used.

466 What results will the following command yielD. 'NMAP -sS -O -p 123-153 192.168.100.3 ? A. A stealth scan,opening port 123 and 153 B. A stealth scan,checking open ports 123 to 153 C. A stealth scan,checking all open ports excluding ports 123 to 153 D. A stealth scan,determine opera ng system,and scanning ports 123 to 153

D 164

831 Bill has successfully executed a buﬀer overflow against a Windows IIS web server. He has been able to spawn an interac ve shell and plans to deface the main web page. He first a empts to use the pEchoq command to simply overwrite index.html and remains unsuccessful. He then a empts to delete the page and achieves no progress. Finally, he tries to overwrite it with another page again in vain. What is the probable cause of Billos problem? A. The system is a honeypot. B. There is a problem with the shell and he needs to run the a ack again. C. You cannot use a buﬀer overflow to deface a web page. D. The HTML file has permissions of ready only.

D The ques on states that Bill had been able to spawn an interac ve shell.By this statement we can tell that the buﬀer overflow and its corresponding code was enough to spawn a shell. Any shell should make it possible to change the webpage.So we either donot have suﬃcient privilege to change the webpage (answer D) or itos a honeypot (answer A). We think the preferred answer is D

665 Assuring two systems that are using IPSec to protect traﬃc over the internet, what type of general a ack could com-promise the data? A. Spoof A ack B. Smurf A ack C. Man inthe Middle A ack D. Trojan Horse A ack 233 E. Back Orifice A ack

D,E To compromise the data,the a ack would need to be executed before the encryp on takes place at either end of the tunnel. Trojan Horse and Back Orifice a acks both allow for poten al data manipula on on host computers. In both cases,the data would be compromised either before encryp on or a er decryp on,so IPsec is not preven ng the a ack.

525 To what does pmessage repudia onq refer to what concept in the realm of email security? A. Message repudia on means a user can validate which mail server or servers a message was passed through. B. Message repudia on means a user can claim damages for a mail message that damaged their reputa on. C. Message repudia on means a recipient can be sure that a message was sent from a par cular person. D. Message repudia on means a recipient can be sure that a message was sent from a certain host. E. Message repudia on means a sender can claim they did not actually send a par cular message.

232 Which of the following represent weak password? (Select 2 answers) A. Passwords that contain le ers,special characters,and numbers ExamplE. ap1 $ % # #f@52 B. Passwords that contain only numbers ExamplE. 23698217 C. Passwords that contain only special characters ExamplE. &* #@!( %) D. Passwords that contain le ers and numbers ExamplE. meerdfget123 E. Passwords that contain only le ers ExamplE. QWERTYKLRTY F. Passwords that contain only special characters and numbers ExamplE. 123@ $45 G. Passwords that contain only le ers and special characters ExamplE. bob@ &ba H. Passwords that contain Uppercase/Lowercase from a dic onary list ExamplE. OrAnGe

E,H

604 What is the proper response for a NULL scan if the port is open? A. SYN B. ACK C. FIN D. PSH E. RST F. No response

F A NULL scan will have no response if the port is open.

373 A er gaining access to the password hashes used to protect access to a web based applica on, knowledge of which cryptographic algorithms would be useful to gain access to the applica on? A. SHA1 B. Diﬃe-Helman C. RSA D. AES

467 Which of the following network a acks takes advantage of weaknesses in the fragment reassembly func onality of the TCP/IP protocol stack? A. Teardrop B. SYN flood C. Smurf a ack D. Ping of death

57 Annie has just succeeded in stealing a secure cookie via a XSS a ack. She is able to replay the cookie even while the session is invalid on the server. Why do you think this is possible? A. It works because encryp on is performed at the applica on layer (single encryp on key) B. The scenario is invalid as a secure cookie cannot be replayed C. It works because encryp on is performed at the network layer (layer 1 encryp on) D. Any cookie can be replayed irrespec ve of the session status

6 Joel and her team have been going through tons of garbage, recycled paper, and other rubbish in order to find some informa on about the target they are a emp ng to penetrate. How would you call this type of ac vity? A. Dumpster Diving 8 B. Scanning C. CI Gathering D. Garbage Scooping

734 Bubba has just accessed he preferred ecommerce web site and has spo ed an item that he would like to buy. Bubba considers the price a bit too steep. He looks at the source code of the webpage and decides to save the page locally, so that he can modify the page variables. In the context of web applica on security, what do you think Bubba has changes? A. A hidden form field value. B. A hidden price value. C. An integer variable. D. A page cannot be changed locally,as it is served by a web server.

762 Sandra is conduc ng a penetra on test for XYZ.com. She knows that XYZ.com is using wireless networking for some of the oﬃces in the building right down the street. Through social engineering she discovers that they are using 802.11g. Sandra knows that 802.11g uses the same 2.4GHz frequency range as 802.11b. Using NetStumbler and her 802.11b wireless NIC, Sandra drives over to the building to map the wireless networks. However, even though she reposi ons herself around the building several mes, Sandra is not able to detect a single AP. What do you think is the reason behind this? A. Netstumbler does not work against 802.11g. B. You can only pick up 802.11g signals with 802.11a wireless cards. C. The access points probably have WEP enabled so they cannot be detected. D. The access points probably have disabled broadcas ng of the SSID so they cannot be detected. E. 802.11g uses OFDM while 802.11b uses DSSS so despite the same frequency and 802.11b card cannot see an 802.11g signal. F. Sandra must be doing something wrong,as there is no reason for her to not see the signals.

556 Which of the following systems would not respond correctly to an nmap XMAS scan? A. Windows 2000 Server running IIS 5 B. Any Solaris version running SAMBA Server C. Any version of IRIX D. RedHat Linux 8.0 running Apache Web Server

A When running a XMAS Scan,if a RST packet is received,the port is considered closed,while no response means it is open|filtered. The big downside is that not all systems follow RFC 793 to the le er. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major opera ng systems that do this are Microso Windows,many Cisco devices,BSDI,and IBM OS/400.

636 220 E-mail scams and mail fraud are regulated by which of the following? A. 18 U.S.C. par. 1030 Fraud and Related ac vity in connec on with Computers B. 18 U.S.C. par. 1029 Fraud and Related ac vity in connec on with Access Devices C. 18 U.S.C. par. 1362 Communica on Lines,Sta ons,or Systems D. 18 U.S.C. par. 2510 Wire and Electronic Communica ons Intercep on and Intercep on of Oral Communica on

A h p://www.law.cornell.edu/uscode/html/uscode18/usc _sec _18 _00001030—-000-.html

804 Jimos organiza on has just completed a major Linux roll out and now all of the organiza onos systems are running the Linux 2.5 kernel. The roll out expenses has posed constraints on purchasing other essen al security equipment and so ware. The organiza on requires an op on to control network traﬃc and also perform stateful inspec on of traﬃc going into and out of the DMZ. Which built-in func onality of Linux can achieve this? A. IP Tables B. IP Chains C. IP Sniﬀer D. IP ICMP

A iptables is a user space applica on program that allows a system administrator to configure the ne ilter ta-bles,chains,and rules (described above). Because iptables requireselevated privileges to operate,it must be executed by user root,otherwise it fails to func on. On most Linux systems,iptables is installed as /sbin/iptables. IP Tables performs stateful inspec on while the older IP Chains only performs stateless inspec on.

118 What techniques would you use to evade IDS during a Port Scan? (Select 4 answers) A. Use fragmented IP packets B. Spoof your IP address when launching a acks and sniﬀ responses from the server C. Overload the IDS with Junk traﬃc to mask your scan D. Use source rou ng (if possible) E. Connect to proxy servers or compromised Trojaned machines to launch a acks

A,B,D,E

337 Which.types of detec on methods are employed by Network Intrusion Detec on Systems (NIDS)? (Choose two.) A. Signature B. Anomaly C. Passive D. Reac ve

A,B

679 A remote user tries to login to a secure network using Telnet, but accidently types in an invalid user name or password. Which responses would NOT be preferred by an experienced Security Manager? (mul ple answer) A. Invalid Username B. Invalid Password C. Authen ca on Failure D. Login A empt Failed E. Access Denied

A,B As li le informa on as possible should be given about a failed login a empt. Invalid username or password is not desirable.

823 What makes web applica on vulnerabili es so aggrava ng? (Choose two) A. They can be launched through an authorized port. B. A firewall will not stop them. C. They exist only on the Linux pla orm. D. They are detectable by most leading an virus so ware.

A,B As the vulnerabili es exists on a web server,incoming traﬃc on port 80 will probably be allowed and no firewall rules will stop the a ack.

724 Which of the following buﬀer overflow exploits are related to Microso IIS web server? (Choose three) A. Internet Prin ng Protocol (IPP) buﬀer overflow B. Code Red Worm C. Indexing services ISAPI extension buﬀer overflow D. NeXT buﬀer overflow

A,B,C Both the buﬀer overflow in the Internet Prin ng Protocol and the ISAPI extension buﬀer overflow is explained in Microso Security Bulle n MS01-023. The Code Red worm was a computer worm released on the Internet on July 13,2001. It a acked computers running Microso 's IIS web server.

530 Which of the following tools are used for footprin ng? (Choose four) A. Sam Spade B. NSLookup C. Traceroute D. Neotrace E. Cheops

A,B,C,D Latest ECCouncil 312-50v8 Real Exam Download 531-540 (2014-05-12 11:21)

519 Where should a security tester be looking for informa on that could be used by an a acker against an organiza on? (Select all that apply) A. CHAT rooms B. WHOIS database C. News groups D. Web sites E. Search engines F. Organiza onos own web site

A,B,C,D,E,F

14 How do you defend against Privilege Escala on? A. Use encryp on to protect sensi ve data B. Restrict the interac ve logon privileges C. Run services as unprivileged accounts D. Allow security se ngs of IE to zero or Low E. Run users and applica ons on the least privileges

A,B,C,E

536 Doug is conduc ng a port scan of a target network. He knows that his client target network has a web server and that there is a mail server also which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4. A. UDP is filtered by a gateway B. The packet TTL value is too low and cannot reach the target C. The host might be down D. The des na on network might be down E. The TCP windows size does not match F. ICMP is filtered by a gateway

A,B,C,F

657 A ackers can poten ally intercept and modify unsigned SMB packets, modify the traﬃc and forward it so that the server might perform undesirable ac ons. Alterna vely, the a acker could pose as the server or client a er a legi - mate authen ca on and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an a ack? A. Timestamps B. SMB Signing C. File permissions D. Sequence numbers monitoring

A,B,D

626 A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers. A. Use port security on his switches. B. Use a tool like ARPwatch to monitor for strange ARP ac vity. C. Use a firewall between all LAN segments. D. If you have a small network,use sta c ARP entries. 216 E. Use only sta c IP addresses on all PC's.

A,B,D By using port security on his switches,the switches will only allow the first MAC address that is connected to the switch to use that port,thus preven ng ARP spoofing.ARPWatch is a tool that monitors for strange ARP ac vity. This may help iden fy ARP spoofing when it happens. Using firewalls between all LAN segments is possible and may help,but is usually pre y unrealis c.On a very small network,sta c ARP entries are a possibility. However,on a large network,this is not an realis c op on. ARP spoofing doesn't have anything to do with sta c or dynamic IP addresses. Thus,this op on won't help you.

627 Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform SNMP enquires over the network. Which of these tools would do the SNMP enumera on he is looking for? Select the best answers. A. SNMPU l B. SNScan C. SNMPScan D. Solarwinds IP Network Browser E. NMap

A,B,D SNMPU l is a SNMP enumera on u lity that is a part of the Windows 2000 resource kit. With SNMPU l,you can retrieve all sort of valuable informa on through SNMP. SNScan is a SNMP network scanner by Foundstone. It does SNMP scanning to find open SNMP ports. Solarwinds IP Network Browser is a SNMPenumera on tool with a graphical tree-view of the remote machine's SNMP data.

648 Windows LAN Manager (LM) hashes are known to be weak. Which of the following are known weaknesses of LM? (Choose three) A. Converts passwords to uppercase. B. Hashes are sent in clear text over the network. C. Makes use of only 32 bit encryp on. D. Eﬀec ve length is 7 characters.

A,B,D The LM hash is computed as follows. 1. The useros password as an OEM string is converted to uppercase. 2. This password is either null-padded or truncated to 14 bytes. 3. The pfixed-lengthq password is split into two 7-byte halves. 4. These values are used to create two DES keys,one from each 7-byte half. 5. Each of these keys is used to DES-encrypt the constant ASCII string pKGS!@ # $ %q,resul ng in two 8-byte ciphertext values. 6. These two ciphertext values are concatenated to form a 16-byte value,which is the LM hash. The hashes them self are sent in clear text over the network instead of sending the password in clear text.

202 John runs a Web server, IDS and firewall on his network. Recently his Web server has been under constant hacking a acks. He looks up the IDS log files and sees no intrusion a empts but the Web server constantly locks up and needs reboo ng due to various brute force and buﬀer overflow a acks but s ll the IDS alerts no intrusion whatsoever. John becomes suspicious and views the Firewall logs and he no ces huge SSL connec ons constantly hi ng his Web server. Hackers have been using the encrypted HTTPS protocol to send exploits to the Web server and that was the reason the IDS did not detect the intrusions. How would John protect his network from these types of a acks? A. Install a proxy server and terminate SSL at the proxy B. Enable the IDS to filter encrypted HTTPS traﬃc C. Install a hardware SSL "accelerator" and terminate SSL at this layer D. Enable the Firewall to filter encrypted HTTPS traﬃc

A,C

792 Which are true statements concerning the BugBear and Pre y Park worms? 271 Select the best answers. A. Both programs use email to do their work. B. Pre y Park propagates via network shares and email C. BugBear propagates via network shares and email D. Pre y Park tries to connect to an IRC server to send your personal passwords. E. Pre y Park can terminate an -virus applica ons that might be running to bypass them.

A,C,D Explana ons: Both Pre y Park and BugBear use email to spread. Pre y Park cannot propagate via network shares,only email. BugBear propagates via network shares and email. It also terminates an -virus applica ons and acts as a backdoor server for someone to get into the infected machine. Pre y Park tries to connect to an IRC server to send your personal passwords and all sorts of other informa on it retrieves from your PC. Pre y Park cannot terminate an -virus applica ons. However,BugBear can terminate AV so ware so that it can bypass them.

806 Several of your co-workers are having a discussion over the etc/passwd file. They are at odds over what types of encryp on are used to secure Linux passwords.(Choose all that apply. A. Linux passwords can be encrypted with MD5 276 B. Linux passwords can be encrypted with SHA C. Linux passwords can be encrypted with DES D. Linux passwords can be encrypted with Blowfish E. Linux passwords are encrypted with asymmetric algrothims

A,C,D Linux passwords are enrcypted using MD5,DES,and the NEW addi on Blowfish. The default on most linux systems is dependant on the distribu on,RedHat uses MD5,while slackware uses DES. The blowfish op on is there for those who wish to use it. The encryp on algorithm in use can be determined by authconfig on RedHat-based systems,or by reviewing one of two loca ons,on PAM-based systems (Pluggable Authen ca on Module) it can be found in /etc/pam.d/,the system-auth file or authconfig files. In other systems it can be found in /etc/security/ directory.

298 Which of the following techniques can be used to mi gate the risk of an on-site a acker from connec ng to an unused network port and gaining full access to.the network? (Choose three.) A. Port Security 124 B. IPSec Encryp on C. Network Admission Control (NAC) D. 802.1q Port Based Authen ca on E. 802.1x Port Based Authen ca on F. Intrusion Detec on System (IDS)

A,C,E

142 File extensions provide informa on regarding the underlying server technology. A ackers can use this informa on to search vulnerabili es and launch a acks. How would you disable file extensions in Apache servers? A. Use disable-eXchange B. Use mod _nego a on C. Use Stop _Files D. Use Lib _exchanges

150 What type of encryp on does WPA2 use? A. DES 64 bit B. AES-CCMP 128 bit C. MD5 48 bit 64 D. SHA 160 bit

11 TCP SYN Flood a ack uses the three-way handshake mechanism. 1. An a acker at system A sends a SYN packet to vic m at system B. 2. System B sends a SYN/ACK packet to vic m A. 3. As a normal three-way handshake mechanism system A should send an ACK packet to system B, however, system A does not send an ACK packet to system B. In this case client B is wai ng for an ACK packet from client A. This status of client B is called _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ A. "half-closed" B. "half open" C. "full-open" 10 D. "xmas-open"

32 What type of port scan is shown below? A. Idle Scan B. FIN Scan C. XMAS Scan D. Windows Scan

484 A Cer ficate Authority (CA) generates a key pair.that will be used for encryp on and decryp on of email. The integrity of the encrypted email is dependent on the security of which of the following? A. Public key B. Private key C. Modulus length D. Email server cer ficate

513 Which Windows system tool checks integrity of cri cal files that has been digitally signed by Microso ? 176 A. signverif.exe B. sigverif.exe C. msverif.exe D. verifier.exe

58 This a ack technique is used when a Web applica on is vulnerable to an SQL Injec on but the results of the Injec on are not visible to the a acker. A. Unique SQL Injec on B. Blind SQL Injec on C. Generic SQL Injec on D. Double SQL Injec on

583 A specific site received 91 ICMP _ECHO packets within 90 minutes from 47 diﬀerent sites. 77 of the ICMP _ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP _ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this informa on? A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites B. ICMP ID and Seq numbers were most likely set by a tool and not by the opera ng system C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq number D. 13 packets were from an external network and probably behind a NAT,as they had an ICMP ID 0 and Seq 0

675 Sniﬃng is considered an ac ve a ack. A. True B. False

B Sniﬃng is considered a passive a ack.

805 WinDump is a popular sniﬀer which results from the por ng to Windows of TcpDump for Linux. What library does it use? A. LibPcap B. WinPcap C. Wincap D. None of the above

B WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applica ons to capture and transmit network packets bypassing the protocol stack,and has addi onal useful features,including kernel-level packet filtering,a network sta s cs engine and support for remote packet capture.

820 Once an intruder has gained access to a remote system with a valid username and password, the a acker will a empt to increase his privileges by escala ng the used account to one that has increased privileges. such as that of an administrator. What would be the best countermeasure to protect against escala on of priveges? A. Give users tokens B. Give user the least amount of privileges C. Give users two passwords D. Give users a strong policy document

B With less privileges it is harder to increase the privileges. 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00247.jpg Latest ECCouncil 312-50v8 Real Exam Download 821-830 (2014-05-12 14:31)

807 Rebecca has noted mul ple entries in her logs about users a emp ng to connect on ports that are either not opened or ports that are not for public usage. How can she restrict this type of abuse by limi ng access to only specific IP addresses that are trusted by using one of the built-in Linux Opera ng System tools? A. Ensure all files have at least a 755 or more restric ve permissions. B. Configure rules using ipchains. C. Configure and enable portsentry on his server. D. Install an intrusion detec on system on her computer such as Snort.

B ipchains is a free so ware based firewall for Linux. It is a rewrite of Linux's previous IPv4 firewalling code,ipfwadm. In Linux 2.2,ipchains is required to administer the IP packet filters. ipchains was wri en because the older IPv4 fire-wall code used in Linux 2.0 did not work with IP fragments and didn't allow for specifica on of protocols other than TCP,UDP,and ICMP.

623 As a securing consultant, what are some of the things you would recommend to a company to ensure DNS security? Select the best answers. A. Use the same machines for DNS and other applica ons 215 B. Harden DNS servers C. Use split-horizon opera on for DNS servers D. Restrict Zone transfers E. Have subnet diversity between DNS servers

B,C,D,E A is not a correct answer as it is never recommended to use a DNS server for any other applica on. Hardening of the DNS servers makes them less vulnerable to a ack. It is recommended to split internal and external DNS servers (called split-horizon opera on). Zone transfers should only be accepted from authorized DNS servers. By having DNS servers on diﬀerent subnets,you may prevent both from going down,even if one of your networks goes down.

847 Which of the following are poten al a acks on cryptography? (Select 3) A. One-Time-Pad A ack B. Chosen-Ciphertext A ack C. Man-in-the-Middle A ack D. Known-Ciphertext A ack 291 E. Replay A ack

B,C,E A chosen-ciphertext a ack (CCA) is an a ack model for cryptanalysis in which the cryptanalyst chooses a ciphertext and causes it to be decrypted with an unknown key. Specific forms of this a ack are some mes termed "lunch me" or "midnight" a acks,referring to a scenario in which an a acker gains access to an una ended decryp on machine. In cryptography,a man-in-the-middle a ack (MITM) is an a ack in which an a acker is able to read,insert and modify at will,messages between two par es without either party knowing that the link between them has been compromised. The a acker must be able to observe and intercept messages going between the two vic ms. A replay a ack is a form of network a ack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it,possibly as part of a masquerade a ack by IP packet subs tu on (such as stream cipher a ack).

439 Informa on gathered from social networking websites such as Facebook, Twi er and LinkedIn can be used to launch which of the following types of a acks? (Choose two.) A. Smurf a ack B. Social engineering a ack C. SQL injec on a ack D. Phishing a ack E. Fraggle a ack F. Distributed denial of service a ack

B,D

520 What are the two basic types of a acks? (Choose two. A. DoS B. Passive C. Sniﬃng D. Ac ve E. Cracking

B,D

591 SNMP is a protocol used to query hosts, servers, and devices about performance or health status data. This protocol has long been used by hackers to gather great amount of informa on about remote hosts. Which of the following features makes this possible? (Choose two) A. It used TCP as the underlying protocol. B. It uses community string that is transmi ed in clear text. C. It is suscep ble to sniﬃng. D. It is used by all network devices on the market.

B,D Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE). If an a acker is able to guess a PUBLIC community string,they would be able to read SNMP data (depending on which MIBs are installed) from the remote device. This informa on might include system me,IP addresses,interfaces,processes running,etc. Version 1 of SNMP has been cri cized for its poor security. Authen ca on of clients is performed only by a "community string",in eﬀect a type of password,which is transmi ed in cleartext.

570 What does a type 3 code 13 represent?(Choose two. 195 A. Echo request B. Des na on unreachable C. Network unreachable D. Administra vely prohibited E. Port unreachable F. Time exceeded

B,D Type 3 code 13 is des na on unreachable administra vely prohibited. This type of message is typically returned from a device blocking a port. Latest ECCouncil 312-50v8 Real Exam Download 571-580 (2014-05-12 11:26)

538 While performing a ping sweep of a subnet you receive an ICMP reply of Code 3/Type 13 for all the pings sent out. What is the most likely cause behind this response? A. The firewall is dropping the packets. B. An in-line IDS is dropping the packets. C. A router is blocking ICMP. D. The host does not respond to ICMP packets.

543 Ann would like to perform a reliable scan against a remote target. She is not concerned about being stealth at this point. Which of the following type of scans would be the most accurate and reliable op on? A. A half-scan B. A UDP scan C. A TCP Connect scan D. A FIN scan

701 What do you call a system where users need to remember only one username and password, and be authen cated for mul ple services? A. Simple Sign-on B. Unique Sign-on C. Single Sign-on D. Digital Cer ficate

C Single sign-on (SSO) is a specialized form of so ware authen ca on that enables a user to authen cate once and gain access to the resources of mul ple so ware systems.

737 Kevin sends an email invite to Chris to visit a forum for security professionals. Chris clicks on the link in the email message and is taken to a web based bulle n board. Unknown to Chris, certain func ons are executed on his local system under his privileges, which allow Kevin access to informa on used on the BBS. However, no executables are downloaded and run on the local system. What would you term this a ack? A. Phishing B. Denial of Service C. Cross Site Scrip ng D. Backdoor installa on

C This is a typical Type-1 Cross Site Scrip ng a ack. This kind of cross-site scrip ng hole is also referred to as a non-persistent or reflected vulnerability,and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resul ng page without HTML encoding,this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters,o en the search string will be redisplayed on the result page to indicate what was searched for,or will at least include the search terms in the text box for easier edi ng. If all occurrences of the search terms are not HTML en ty encoded,an XSS hole will result.

658 LM authen ca on is not as strong as Windows NT authen ca on so you may want to disable its use, because an a acker eavesdropping on network traﬃc will a ack the weaker protocol. A successful a ack can compromise the user's password. How do you disable LM authen ca on in Windows XP? A. Stop the LM service in Windows XP B. Disable LSASS service in Windows XP 227 C. Disable LM authen ca on in the registry D. Download and install LMSHUT.EXE tool from Microso website

C h p://support.microso .com/kb/299656

243 An a acker is a emp ng to telnet into a corpora on's system in the DMZ. The a acker doesn't want to get caught and is spoofing his IP address. A er numerous tries he remains unsuccessful in connec ng to the system. The a acker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping2. He is s ll unable to connect to the target system. What could be the reason? A. The firewall is blocking port 23 to that system B. He needs to use an automated tool to telnet in C. He cannot spoof his IP and successfully use TCP D. He is a acking an opera ng system that does not reply to telnet even when open

C 110

489 Advanced encryp on standard is an algorithm used for which of the following? A. Data integrity B. Key discovery C. Bulk data encryp on D. Key recovery

C 172

517 Who is an Ethical Hacker? A. A person who hacks for ethical reasons B. A person who hacks for an ethical cause C. A person who hacks for defensive purposes D. A person who hacks for oﬀensive purposes

C 177

722 You wish to determine the opera ng system and type of web server being used. At the same me you wish to arouse no suspicion within the target organiza on. While some of the methods listed below work, which holds the least risk of detec on? A. Make some phone calls and a empt to retrieve the informa on using social engineering. B. Use nmap in paranoid mode and scan the web server. C. Telnet to the web server and issue commands to illicit a response. D. Use the netcra web site look for the target organiza onos web site.

D 246 Netcra is providing research data and analysis on many aspects of the Internet. Netcra has explored the In-ternet since 1995 and is a respected authority on the market share of web servers,opera ng systems,hos ng providers,ISPs,encrypted transac ons,electronic commerce,scrip ng languages and content technologies on the in-ternet.

178 Fred is the network administrator for his company. Fred is tes ng an internal switch. From an external IP address, Fred wants to try and trick this switch into thinking it already has established a session with his computer. How can Fred accomplish this? A. Fred can accomplish this by sending an IP packet with the RST/SIN bit and the source address of his computer. B. He can send an IP packet with the SYN bit and the source address of his computer. C. Fred can send an IP packet with the ACK bit set to zero and the source address of the switch. D. Fred can send an IP packet to the switch with the ACK bit and the source address of his machine.

D 78

203 Jane wishes to forward X-Windows traﬃc to a remote host as well as POP3 traﬃc. She is worried that adversaries might be monitoring the communica on link and could inspect captured traﬃc. She would like to tunnel the informa on to the remote end but does not have VPN capabili es to do so. Which of the following tools can she use to protect the link? A. MD5 B. PGP C. RSA D. SSH

D 85

197 Joseph has just been hired on to a contractor company of the Department of Defense as their Senior Security Analyst. Joseph has been instructed on the company's strict security policies that have been implemented, and the policies that have yet to be put in place. Per the Department of Defense, all DoD users and the users of their contractors must use two-factor authen ca on to access their networks. Joseph has been delegated the task of researching and implemen ng the best two-factor authen ca on method for his company. Joseph's supervisor has told him that they would like to use some type of hardware device in tandem with a security or iden fying pin number. Joseph's company has already researched using smart cards and all the resources needed to implement them, but found the smart cards to not be cost eﬀec ve. What type of device should Joseph use for two-factor authen ca on? A. Biometric device B. OTP C. Proximity cards D. Security token

D 90

554 Because UDP is a connec onless protocol: (Select 2) A. UDP recvfrom() and write() scanning will yield reliable results B. It can only be used for Connect scans C. It can only be used for SYN scans D. There is no guarantee that the UDP packets will arrive at their des na on E. ICMP port unreachable messages may not be returned successfully 190

D,E Neither UDP packets,nor the ICMP errors are guaranteed to arrive,so UDP scanners must also implement retransmis-sion of packets that appear to be lost (or you will get a bunch of false posi ves).

62 In what stage of Virus life does a stealth virus gets ac vated with the user performing certain ac ons such as running an infected program? A. Design B. Elimina on C. Incorpora on D. Replica on E. Launch F. Detec on

647 223 While examining audit logs, you discover that people are able to telnet into the SMTP server on port 25. You would like to block this, though you do not see any evidence of an a ack or other wrong doing. However, you are concerned about aﬀec ng the normal func onality of the email server. From the following op ons choose how best you can achieve this objec ve? A. Block port 25 at the firewall. B. Shut oﬀ the SMTP service on the server. C. Force all connec ons to use a username and password. D. Switch from Windows Exchange to UNIX Sendmail. E. None of the above.

E Blocking port 25 in the firewall or forcing all connec ons to use username and password would have the consequences that the server is unable to communicate with other SMTP servers. Turning of the SMTP service would disable the email func on completely. All email servers use SMTP to communicate with other email servers and therefore chang-ing email server will not help.

563 What is the proper response for a FIN scan if the port is closed? A. SYN B. ACK C. FIN D. PSH E. RST

E Closed ports respond to a FIN scan with a RST.

596 What is the proper response for a NULL scan if the port is closed? A. SYN B. ACK C. FIN D. PSH E. RST F. No response

E Closed ports respond to a NULL scan with a reset.

564 What is the proper response for a X-MAS scan if the port is closed? A. SYN B. ACK C. FIN D. PSH E. RST F. No response

E Closed ports respond to a X-MAS scan with a RST.

664 In the following example, which of these is the "exploit"? Today, Microso Corpora on released a security no ce. It detailed how a person could bring down the Windows 2003 Server opera ng system, by sending malformed packets to it. They detailed how this malicious process had been automated using basic scrip ng. Even worse, the new automated method for bringing down the server has already been used to perform denial of service a acks on many large commercial websites. Select the best answer. A. Microso Corpora on is the exploit. B. The security "hole" in the product is the exploit. C. Windows 2003 Server D. The exploit is the hacker that would use this vulnerability. E. The documented method of how to use the vulnerability to gain unprivileged access.

E Explana ons: Microso is not the exploit,but if Microso documents how the vulnerability can be used to gain un-privileged access,they are crea ng the exploit. If they just say that there is a hole in the product,then it is only a vul-nerability. The security "hole" in the product is called the "vulnerability". It is documented in a way that shows how to use the vulnerability to gain unprivileged access,and it then becomes an "exploit". In the example given,Windows 2003 Server is the TOE (Target of Evalua on). A TOE is an IT System,product or component that requires security evalua on or is being iden fied. The hacker that would use this vulnerability is exploi ng it,but the hacker is not the exploit. The documented method of how to use the vulnerability to gain unprivileged access is the correct answer.

711 Peter is a Network Admin. He is concerned that his network is vulnerable to a smurf a ack. What should Peter do to prevent a smurf a ack? Select the best answer. A. He should disable unicast on all routers B. Disable mul cast on the router C. Turn oﬀ fragmenta on on his router D. Make sure all an -virus protec on is updated on all systems E. Make sure his router won't take a directed broadcast

E Explana ons: Unicasts are one-to-one IP transmissions,by disabling this he would disable most network transmissions but s ll not prevent the smurf a ack. Turning of mul cast or fragmenta on on the router has nothing to do with Pe-teros concerns as a smurf a ack uses broadcast,not mul cast and has nothing to do with fragmenta on. An -virus protec on will not help prevent a smurf a ack. A smurf a ack is a broadcast from a spoofed source. If directed broad-casts are enabled on the des na on all the computers at the des na on will respond to the spoofed source,which is really the vic m. Disabling directed broadcasts on a router can prevent the a ack.

641 What is the BEST alterna ve if you discover that a rootkit has been installed on one of your computers? A. Copy the system files from a known good system B. Perform a trap and trace C. Delete the files and try to determine the source D. Reload from a previous backup E. Reload from known good media

E If a rootkit is discovered,you will need to reload from known good media. This typically means performing a complete reinstall.

560 _ _ _ _ _ _ _ _ _ is one of the programs used to wardial. A. DialIT B. Netstumbler C. TooPac D. Kismet E. ToneLoc

E ToneLoc is one of the programs used to wardial. While this is considered an "old school" technique,it is s ll eﬀec ve at finding backdoors and out of band network entry points. 1. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00234.jpg 2. http://www.pass-exams.com/wp-content/uploads/2013/11/clip_image00425.jpg Latest ECCouncil 312-50v8 Real Exam Download 561-570 (2014-05-12 11:25)

212 You are wri ng security policy that hardens and prevents Footprin ng a empt by Hackers. Which of the following countermeasures will NOT be eﬀec ve against this a ack? A. Configure routers to restrict the responses to Footprin ng requests B. Configure Web Servers to avoid informa on leakage and disable unwanted protocols C. Lock the ports with suitable Firewall configura on D. Use an IDS that can be configured to refuse suspicious traﬃc and pick up Footprin ng pa erns E. Evaluate the informa on before publishing it on the Website/Intranet F. Monitor every employee computer with Spy cameras,keyloggers and spy on them G. Perform Footprin ng techniques and remove any sensi ve informa on found on DMZ sites H. Prevent search engines from caching a Webpage and use anonymous registra on services I. Disable directory and use split-DNS

102 Steve scans the network for SNMP enabled devices. Which port number Steve should scan? A. 150 B. 161 C. 169 49 D. 69

31 18 The SYN flood a ack sends TCP connec ons requests faster than a machine can process them. -A acker creates a random source address for each packet -SYN flag set in each packet is a request to open a new con-nec on to the server from the spoofed IP address -Vic m responds to spoofed IP address,then waits for confirma on that never arrives ( meout wait is about 3 minutes) -Vic m's connec on table fills up wai ng for replies and ignores new connec ons -Legi mate users are ignored and will not be able to access the server How do you protect your network against SYN Flood a acks? A. SYN cookies. Instead of alloca ng a record,send a SYN-ACK with a carefully constructed sequence number gener-ated as a hash of the clients IP address,port number,and other informa on. When the client responds with a normal ACK,that special sequence number will beincluded,which the server then verifies. Thus,the server first allocates mem-ory on the third packet of the handshake,not the first. B. RST cookies - The server sends a wrong SYN/ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point,the server knows the client is valid and will now accept incoming connec ons from that client normally C. Check the incoming packet's IP address with the SPAM database on the Internet and enable the filter using ACLs at the Firewall D. Stack Tweaking. TCP stacks can be tweaked in order to reduce the eﬀect of SYN floods. Reduce the meout before a stack frees up the memory allocated for a connec on E. Micro Blocks. Instead of alloca ng a complete connec on,simply allocate a micro record of 16-bytes for the incom-ing SYN object

A,B,D,E

21 What are the limita ons of Vulnerability scanners? (Select 2 answers) A. There are o en be er at detec ng well-known vulnerabili es than more esoteric ones B. The scanning speed of their scanners are extremely high C. It is impossible for any,one scanning product to incorporate all known vulnerabili es in a mely manner D. The more vulnerabili es detected,the more tests required E. They are highly expensive and require per host scan license

A,C

10 How do you defend against ARP Spoofing? Select three. A. Use ARPWALL system and block ARP spoofing a acks B. Tune IDS Sensors to look for large amount of ARP traﬃc on local subnets C. Use private VLANS D. Place sta c ARP entries on servers,worksta on and routers

A,C,D

50 You just purchased the latest DELL computer, which comes pre-installed with Windows 7, McAfee an virus so ware and a host of other applica ons. You want to connect Ethernet wire to your cable modem and start using the computer immediately. Windows is dangerously insecure when unpacked from the box, and there are a few things that you must do before you use it. A. New installa on of Windows should be patched by installing the latest service packs and ho ixes B. Key applica ons such as Adobe Acrobat,Macromedia Flash,Java,Winzip etc.,must have the latest security patches installed C. Install a personal firewall and lock down unused ports from connec ng to your computer D. Install the latest signatures for An virus so ware E. Configure "Windows Update" to automa c F. Create a non-admin user with a complex password and logon to this account 26 G. You can start using your computer as vendors such as DELL,HP and IBM would have already installed the latest service packs.

A,C,D,E,F

12 Lori is a Cer fied Ethical Hacker as well as a Cer fied Hacking Forensics Inves gator working as an IT security consul-tant. Lori has been hired on by Kiley Innovators, a large marke ng firm that recently underwent a string of the s and corporate espionage incidents. Lori is told that a rival marke ng company came out with an exact duplicate product right before Kiley Innovators was about to release it. The execu ve team believes that an employee is leaking infor-ma on to the rival company. Lori ques ons all employees, reviews server logs, and firewall logs; a er which she finds nothing. Lori is then given permission to search through the corporate email system. She searches by email being sent to and sent from the rival marke ng company. She finds one employee that appears to be sending very large email to this other marke ng company, even though they should have no reason to be communica ng with them. Lori tracks down the actual emails sent and upon opening them, only finds picture files a ached to them. These files seem perfectly harmless, usually containing some kind of joke. Lori decides to use some special so ware to further examine the pictures and finds that each one had hidden text that was stored in each picture. What technique was used by the Kiley Innovators employee to send informa on to the rival marke ng company? A. The Kiley Innovators employee used cryptography to hide the informa on in the emails sent B. The method used by the employee to hide the informa on was logical watermarking C. The employee used steganography to hide informa on in the picture a achments D. By using the pictures to hide informa on,the employee u lized picture fuzzing

133 Which of the following Trojans would be considered 'Botnet Command Control Center'? A. YouKill DOOM B. Damen Rock C. Poison Ivy D. Ma en Kit

15 What does ICMP (type 11, code 0) denote? A. Source Quench B. Des na on Unreachable C. Time Exceeded D. Unknown Type

22 Stephanie works as senior security analyst for a manufacturing company in Detroit. Stephanie manages network security throughout the organiza on. Her colleague Jason told her in confidence that he was able to see confiden al corporate informa on posted on the external website h p://www.jeansclothesman.com. He tries random URLs on the company's website and finds confiden al informa on leaked over the web. Jason says this happened about a month ago. Stephanie visits the said URLs, but she finds nothing. She is very concerned about this, since someone should be held accountable if there was sensi ve informa on posted on the website. Where can Stephanie go to see past versions and pages of a website? A. She should go to the web page Samspade.org to see web pages that might no longer be on the website B. If Stephanie navigates to Search.com; she will see old versions of the company website C. Stephanie can go to Archive.org to see past versions of the company website D. AddressPast.com would have any web pages that are no longer hosted on the company's website

23 Dan is conduc ng penetra on tes ng and has found a vulnerability in a Web Applica on which gave him the sessionID token via a cross site scrip ng vulnerability. Dan wants to replay this token. However, the session ID manager (on the server) checks the origina ng IP address as well. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interac ve session? 14 A. Dan cannot spoof his IP address over TCP network B. The scenario is incorrect as Dan can spoof his IP and get responses C. The server will send replies back to the spoofed IP address D. Dan can establish an interac ve session only if he uses a NAT

76 Samuel is the network administrator of DataX Communica ons, Inc. He is trying to configure his firewall to block password brute force a empts on his network. He enables blocking the intruder's IP address for a period of 24 hours' me a er more than three unsuccessful a empts. He is confident that this rule will secure his network from hackers on the Internet. But he s ll receives hundreds of thousands brute-force a empts generated from various IP addresses around the world. A er some inves ga on he realizes that the intruders are using a proxy somewhere else on the Internet which has been scripted to enable the random usage of various proxies on each request so as not to get caught by the firewall rule. Later he adds another rule to his firewall and enables small sleep on the password a empt so that if the password is incorrect, it would take 45 seconds to return to the user to begin another a empt. Since an intruder may use mul ple machines to brute force the password, he also thro les the number of connec ons that will be prepared to accept from a par cular IP address. This ac on will slow the intruder's a empts. Samuel wants to completely block hackers brute force a empts on his network. What are the alterna ves to defending against possible brute-force password a acks on his site? A. Enforce a password policy and use account lockouts a er three wrong logon a empts even though this might lock out legit users B. Enable the IDS to monitor the intrusion a empts and alert you by e-mail about the IP address of the intruder so that you can block them at the Firewall manually C. Enforce complex password policy on your network so that passwords are more diﬃcult to brute force D. You cannot completely block the intruders a empt if they constantly switch proxies

78 Maintaining a secure Web server requires constant eﬀort, resources, and vigilance from an organiza on. Securely administering a Web server on a daily basis is an essen al aspect of Web server security. Maintaining the security of a Web server will usually involve the following steps: 1. Configuring, protec ng, and analyzing log files 2. Backing up cri cal informa on frequently 3. Maintaining a protected authorita ve copy of the organiza on's Web content 4. Establishing and following procedures for recovering from compromise 5. Tes ng and applying patches in a mely manner 6. Tes ng security periodically. In which step would you engage a forensic inves gator? A. 1 B. 2 C. 3 D. 4 38 E. 5 F. 6

81 An a acker has successfully compromised a remote computer. Which of the following comes as one of the last steps that should be taken to ensure that the compromise cannot be traced back to the source of the problem? A. Install patches B. Setup a backdoor C. Install a zombie for DDOS D. Cover your tracks

88 A acking well-known system defaults is one of the most common hacker a acks. Most so ware is shipped with a default configura on that makes it easy to install and setup the applica on. You should change the default se ngs to secure the system. Which of the following is NOT an example of default installa on? A. Many systems come with default user accounts with well-known passwords that administrators forget to change B. O en,the default loca on of installa on files can be exploited which allows a hacker to retrieve a file from the system C. Many so ware packages come with "samples" that can be exploited,such as the sample programs on IIS web ser-vices D. Enabling firewall and an -virus so ware on the local system

93 Choose one of the following pseudo codes to describe this statement: "If we have wri en 200 characters to the buﬀer variable, the stack should stop because it cannot hold any more data." A. If (I > 200) then exit (1) B. If (I < 200) then exit (1) C. If (I <= 200) then exit (1) D. If (I >= 200) then exit (1)

96 46 Which of the following tool would be considered as Signature Integrity Verifier (SIV)? A. Nmap B. SNORT C. VirusSCAN D. Tripwire

Question CEH EXAM

Related study sets

CMN 557-Unit 3

ACCT 203 Chapter 8

Encounters with Reality scenarios

NASDAQ Market / OTC Market

Marketing ALL

Engineering Materials

Academic dishonesty

Chapter 8 - Assessing Achievement and Aptitude

Texas Life Insurance exam

CDP Module 1

PHYSICS 1210 FINAL EXAM

HSC Self Test

APUSH Ch. 11

MyProgrammingLab - Chapter 2: Java Fundamentals (Tony Gaddis)

Nutrition Chapter 2 (Nutrient Recommendations

LIT47 Final Review

Education Requirements

Series 6: Variable Products (Variable Annuity Taxation)

Linguistics Categorization

A&P II - Exam #2