312-50 EC-Council Exam Questions and Free Practice Test

Question 25

- (Topic 23)
Gerald is a Certified Ethical Hacker working for a large financial institution in Oklahoma City. Gerald is currently performing an annual security audit of the company's network. One of the company's primary concerns is how the corporate data is transferred back and forth from the banks all over the city to the data warehouse at the company's home office. To see what type of traffic is being passed back and forth and to see how secure that data really is, Gerald uses a session hijacking tool to intercept traffic between a server and a client. Gerald hijacks an HTML session between a client running a web application which connects to a SQL database at the home office. Gerald does not kill the client's session; he simply monitors the traffic that passes between it and the server.
What type of session attack is Gerald employing here?

A. He is utilizing a passive network level hijack to see the session traffic used to communicate between the two devices

B. Gerald is using a passive application level hijack to monitor the client and server traffic

C. This type of attack would be considered an active application attack since he is actively monitoring the traffic

D. This type of hijacking attack is called an active network attack

Correct Answer:C
Session Hijacking is an active attack

Question 26

- (Topic 19)
This IDS defeating technique works by splitting a datagram (or packet) into multiple
fragments and the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processor-intensive tasks for an IDS to reassemble all fragments itself and on a busy system the packet will slip through the IDS onto the network.
What is this technique called?

A. IP Fragmentation or Session Splicing

B. IP Routing or Packet Dropping

C. IDS Spoofing or Session Assembly

D. IP Splicing or Packet Reassembly

Correct Answer:A
The basic premise behind session splicing, or IP Fragmentation, is to deliver the payload over multiple packets thus defeating simple pattern matching without session reconstruction. This payload can be delivered in many different manners and even spread out over a long period of time. Currently, Whisker and Nessus have session splicing capabilities, and other tools exist in the wild.

Question 27

- (Topic 11)
Kevin sends an email invite to Chris to visit a forum for security professionals. Chris clicks on the link in the email message and is taken to a web based bulletin board. Unknown to Chris, certain functions are executed on his local system under his privileges, which allow Kevin access to information used on the BBS. However, no executables are downloaded and run on the local system. What would you term this attack?

A. Phishing

B. Denial of Service

C. Cross Site Scripting

D. Backdoor installation

Correct Answer:C
This is a typical Type-1 Cross Site Scripting attack. This kind of cross-site scripting hole is also referred to as a non-persistent or reflected vulnerability, and is by far the most common type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.

Question 28

- (Topic 12)
Annie has just succeeded is stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is valid on the server. Why do you think this is possible?

A. Any Cookie can be replayed irrespective of the session status

B. The scenario is invalid as a secure cookie can’t be replayed

C. It works because encryption is performed at the network layer (layer 1 encryption)

D. It works because encryption is performed at the application layer (Single Encryption Key)

Correct Answer:D
Single key encryption (conventional cryptography) uses a single word or phrase as the key. The same key is used by the sender to encrypt and the receiver to decrypt. Sender and receiver initially need to have a secure way of passing the key from one to the other. With TLS or SSL this would not be possible.

Question 29

- (Topic 23)
The traditional traceroute sends out ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets take to reach the destination.
The problem is that with the widespread use of firewalls on the Internet today, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination.
312-50 dumps exhibit
How would you overcome the Firewall restriction on ICMP ECHO packets?

A. Firewalls will permit inbound TCP packets to specific ports that hosts sitting behind thefirewall are listening for connection

B. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.

C. Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connection

D. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.

E. Firewalls will permit inbound UDP packets to specific ports that hosts sitting behind the firewall are listening for connection

F. By sending out TCP SYN packets instead of ICMP ECHO packets, traceroute can bypass the most common firewall filters.

G. Do not use traceroute command to determine the path packets take to reach the destination instead use the custom hacking tool JOHNTHETRACER and run with the command

H. \> JOHNTHETRACER www.eccouncil.org -F -evade

Correct Answer:A

Question 30

- (Topic 7)
How do you defend against ARP spoofing?

A. Place static ARP entries on servers, workstation and routers

B. True IDS Sensors to look for large amount of ARP traffic on local subnets

C. Use private VLANS

D. Use ARPWALL system and block ARP spoofing attacks

Correct Answer:ABC
ARPWALL is a opensource tools will give early warning when arp attack occurs. This tool is still under construction.

START 312-50 EXAM