312-50 EC-Council Exam Questions and Free Practice Test

Question 61

- (Topic 4)
What is a NULL scan?

A. A scan in which all flags are turned off

B. A scan in which certain flags are off

C. A scan in which all flags are on

D. A scan in which the packet size is set to zero

E. A scan with a illegal packet size

Correct Answer:A
A null scan has all flags turned off.

Question 62

- (Topic 19)
Network Intrusion Detection systems can monitor traffic in real time on networks.
Which one of the following techniques can be very effective at avoiding proper detection?

A. Fragmentation of packets.

B. Use of only TCP based protocols.

C. Use of only UDP based protocols.

D. Use of fragmented ICMP traffic only.

Correct Answer:A
If the default fragmentation reassembly timeout is set to higher on the client than on the IDS then the it is possible to send an attack in fragments that will never be reassembled in the IDS but they will be reassembled and read on the client computer acting victim.

Question 63

- (Topic 20)
Study the following exploit code taken from a Linux machine and answer the questions below:
echo “ingreslock stream tcp nowait root /bin/sh sh –I" > /tmp/x;
/usr/sbin/inetd –s /tmp/x; sleep 10;
/bin/ rm –f /tmp/x AAAA…AAA
In the above exploit code, the command “/bin/sh sh –I" is given. What is the purpose, and why is ‘sh’ shown twice?

A. The command /bin/sh sh –i appearing in the exploit code is actually part of an inetd configuration file.

B. The length of such a buffer overflow exploit makes it prohibitive for user to enter manually.The second ‘sh’ automates this function.

C. It checks for the presence of a codeword (setting the environment variable) among the environment variables.

D. It is a giveaway by the attacker that he is a script kiddy.

Correct Answer:A
What's going on in the above question is the attacker is trying to write to the unix filed /tm/x (his inetd.conf replacement config) -- he is attempting to add a service called ingresslock (which doesnt exist), which is "apparently" suppose to spawn a shell the given port specified by /etc/services for the service "ingresslock", ingresslock is a non- existant service, and if an attempt were made to respawn inetd, the service would error out on that line. (he would have to add the service to /etc/services to suppress the error). Now the question is asking about /bin/sh sh -i which produces an error that should read "sh:
/bin/sh: cannot execute binary file", the -i option places the shell in interactive mode and cannot be used to respawn itself.

Question 64

- (Topic 23)
What are the limitations of Vulnerability scanners? (Select 2 answers)

A. There are often better at detecting well-known vulnerabilities than more esoteric ones

B. The scanning speed of their scanners are extremely high

C. It is impossible for any, one scanning product to incorporate all known vulnerabilities in a timely manner

D. The more vulnerabilities detected, the more tests required

E. They are highly expensive and require per host scan license

Correct Answer:AC

Question 65

- (Topic 8)
Peter has been monitoring his IDS and sees that there are a huge number of ICMP Echo Reply packets that are being received on the External Gateway interface. Further inspection reveals they are not responses from internal hosts request but simply responses coming from the Internet. What could be the likely cause of this?

A. Someone Spoofed Peter’s IP Address while doing a land attack

B. Someone Spoofed Peter’s IP Address while doing a DoS attack

C. Someone Spoofed Peter’s IP Address while doing a smurf Attack

D. Someone Spoofed Peter’s IP address while doing a fraggle attack

Correct Answer:C
An attacker sends forged ICMP echo packets to broadcast addresses of vulnerable networks with forged source address pointing to the target (victim) of the attack. All the systems on these networks reply to the victim with ICMP echo replies. This rapidly exhausts the bandwidth available to the target.

Question 66

- (Topic 4)
Eric has discovered a fantastic package of tools named Dsniff on the Internet. He has learnt to use these tools in his lab and is now ready for real world exploitation. He was able to effectively intercept communications between the two entities and establish credentials with both sides of the connections. The two remote ends of the communication never notice that Eric is relaying the information between the two.
What would you call this attack?

A. Interceptor

B. Man-in-the-middle

C. ARP Proxy

D. Poisoning Attack

Correct Answer:B
A man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised.

START 312-50 EXAM