Test Information:
Total Questions: 760
Test Number: 312-50
Vendor Name: Eccouncil
Cert Name: CEH
Test Name: ECCOUNCIL Ethical Hacking and Countermeasures (CEHv6)
Official Site: http://www.certsgrade.com
Version:8.3
Question:1
Bill has started to notice some slowness on his network when trying to update his company’s website while trying to access the website from the Internet. Bill asks the help desk manager if he has received any calls about slowness from the end users, but the help desk manager says that he has not. Bill receives a number of calls from customers that can’t access the company website and can’t purchase anything online. Bill logs on to a couple of his routers and notices that the logs show network traffic is at an all-time high. He also notices that almost all the traffic is originating from a specific address.
Bill decides to use Geotrace to find out where the suspect IP originates from. The Geotrace utility runs a traceroute and finds that the IP is coming from Panama. Bill knows that none of his customers are in Panama so he immediately thinks that his company is under a Denial of Service attack. Now Bill needs to find out more about the originating IP address.
What Internet registry should Bill look in to find the IP address?
A. LACNIC
B. ARIN
C. RIPELACNIC
D. APNIC
Answer:A
Explanation:
Reference: LACNIC is the Latin American and Caribbean Internet Addresses Registry that administers IP addresses, autonomous system numbers, reverse DNS, and other network resources for that region.
Question:2
System administrators sometimes post questions to newsgroups when they run into technical challenges. As an ethical hacker, you could use the information in newsgroup postings to glean insight into the makeup of a target network. How would you search for these postings using Google search?
A. Search in Google using the key strings “the target company” and “newsgroups”
C. Use NNTP websites to search for these postings
D. Search in Google using the key search strings “the target company” and “forums”
Answer:B
Explanation:
Reference: Using http://groups.google.com is the easiest way to access various newsgroups today. Before http://groups.google.com you had to use special NNTP clients or subscribe to some NNTP to web services.
Question:3
Which of the following activities would not be considered passive footprinting?
A. Search on financial site such as Yahoo Financial
B. Perform multiple queries through a search engine
C. Scan the range of IP address found in their DNS database
D. Go through the rubbish to find out any information that might have been discarded
Answer:C
Explanation:
Reference: Passive footprinting is a method in which the attacker never makes contact with the target. Scanning the target's IP addresses can be logged at the target and therefore contact has been made.
Question:4
You are footprinting the www.xsecurity.com domain using the Google Search Engine. You would like to determine what sites link to www.xsecurity.com at the first level of relevance.
Which of the following operators in Google search will you use to achieve this?
B. serch?l:www.xsecurity.com
C. level1.www.security.com
D. pagerank:www.xsecurity.com
Answer:A
Explanation:
Reference: The query [link:] will list webpages that have links to the specified webpage. For instance, [link:www.google.com] will list webpages that have links pointing to the Google homepage. Note there can be no space between the "link:" and the web page URL.
Question:5
Doug is conducting a port scan of a target network. He knows that his client target network has a web server and that there is a mail server also which is up and running. Doug has been sweeping the network but has not been able to elicit any response from the remote target. Which of the following could be the most likely cause behind this lack of response? Select 4.
A. UDP is filtered by a gateway
B. The packet TTL value is too low and cannot reach the target
C. The host might be down
D. The destination network might be down
E. The TCP windows size does not match
F. ICMP is filtered by a gateway
Answer: A, B, C, F
Explanation:
Reference: If the destination host or the destination network is down there is no way to get an answer, and if TTL (Time To Live) is set too low the UDP packets will “die” before reaching the host because of too many hops between the scanning computer and the target. The TCP receive window size is the amount of received data (in bytes) that can be buffered during a connection. The sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host. ICMP is mainly used for echo requests and not in port scans.
Question:6
Exhibit
Joe Hacker runs the hping2 hacking tool to predict the target host’s sequence numbers in one of the hacking sessions.
What do the first and second columns mean? Select two.
A. The first column reports the sequence number
B. The second column reports the difference between the current and last sequence number
C. The second column reports the next sequence number
D. The first column reports the difference between current and last sequence number
Answer: A, B
Question:7
While performing a ping sweep of a subnet you receive an ICMP reply of Code 3/Type 13 for all the pings sent out.
What is the most likely cause behind this response?
A. The firewall is dropping the packets.
B. An in-line IDS is dropping the packets.
C. A router is blocking ICMP.
D. The host does not respond to ICMP packets.
Answer: C
Explanation:
Reference: Type 3 message = Destination Unreachable [RFC792], Code 13 (cause) = Communication Administratively Prohibited [RFC1812]
Question:8
The following excerpt is taken from a honeypot log. The log captures activities across three days. There are several intrusion attempts; however, a few are successful. Study the log given below and answer the following question:
(Note: The objective of this question is to test whether the student has learnt about passive OS fingerprinting (which should tell them the OS from log captures): can they tell a SQL injection attack signature; can they infer if a user ID has been created by an attacker and whether they can read plain source – destination entries from log entries.)
What can you infer from the above log?
A. The system is a Windows system which is being scanned unsuccessfully.
B. The system is a web application server compromised through SQL injection.
C. The system has been compromised and backdoored by the attacker.
D. The actual IP of the successful attacker is 24.9.255.53.
Answer:A
Question:9
Bob has been hired to perform a penetration test on ABC.com. He begins by looking at IP address ranges owned by the company and details of domain name registration. He then goes to News Groups and financial web sites to see if they are leaking any sensitive information or have any technical details online.
Within the context of penetration testing methodology, what phase is Bob involved with?
A. Passive information gathering
B. Active information gathering
C. Attack phase
D. Vulnerability Mapping
Answer:A
Explanation:
Reference: He is gathering information and as long as he doesn’t make contact with any of the target's systems he is considered to be gathering this information in a passive mode.
Question:10
Which of the following would be the best reason for sending a single SMTP message to an address that does not exist within the target company?
A. To create a denial of service attack.
B. To verify information about the mail administrator and his address.
C. To gather information about internal hosts used in email treatment.
D. To gather information about procedures that are in place to deal with such messages.
Answer:C
Explanation:
Reference: The reply from the email server that states that there is no such recipient will also give you some information about the name of the email server, versions used and so on.
Question:11
You are conducting a port scan on a subnet that has ICMP blocked. You have discovered 23 live systems and after scanning each of them you notice that they all show port 21 in closed state.
What should be the next logical step that should be performed?
A. Connect to open ports to discover applications.
B. Perform a ping sweep to identify any additional systems that might be up.
C. Perform a SYN scan on port 21 to identify any additional systems that might be up.
D. Rescan every computer to verify the results.
Answer:C
Explanation:
Reference: As ICMP is blocked you’ll have trouble determining which computers are up and running by using a ping sweep. As all the 23 computers that you had discovered earlier had port 21 closed, probably any additional, previously unknown, systems will also have port 21 closed. By running a SYN scan on port 21 over the target network you might get replies from additional systems.
Question:12
Ann would like to perform a reliable scan against a remote target. She is not concerned about being stealthy at this point.
Which of the following type of scans would be the most accurate and reliable option?
A. A half-scan
B. A UDP scan
C. A TCP Connect scan
D. A FIN scan
Answer:C
Explanation:
Reference: A TCP Connect scan, named after the Unix connect() system call, is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection. Otherwise an error code is returned.
Example of a three-way handshake followed by a reset:
Source Destination Summary
-------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 SYN SEQ=3362197786 LEN=0 WIN=5840
[192.168.0.10] [192.168.0.8] TCP: D=49389 S=80 SYN ACK=3362197787 SEQ=58695210 LEN=0 WIN=65535
[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 ACK=58695211 WIN<<2=5840
[192.168.0.8] [192.168.0.10] TCP: D=80 S=49389 RST ACK=58695211 WIN<<2=5840
Question:13
War dialing is a very old attack and depicted in movies that were made years ago.
Why would a modem security tester consider using such an old technique?
A. It is cool, and if it works in the movies it must work in real life.
B. It allows circumvention of protection mechanisms by being on the internal network.
C. It allows circumvention of the company PBX.
D. A good security tester would not use such a derelict technique.
Answer:B
Explanation:
Reference: If you are lucky and find a modem that answers and is connected to the target network, it usually is less protected (as only employees are supposed to know of its existence) and once connected you don’t need to take evasive actions towards any firewalls or IDS.
Question:14
An attacker is attempting to telnet into a corporation’s system in the DMZ. The attacker doesn’t want to get caught and is spoofing his IP address. After numerous tries he remains unsuccessful in connecting to the system. The attacker rechecks that the target system is actually listening on Port 23 and he verifies it with both nmap and hping2. He is still unable to connect to the target system.
What is the most probable reason?
A. The firewall is blocking port 23 to that system.
B. He cannot spoof his IP and successfully use TCP.
C. He needs to use an automated tool to telnet in.
D. He is attacking an operating system that does not reply to telnet even when open.
Answer:B
Explanation:
Reference: Spoofing your IP will only work if you don’t need to get an answer from the target system. In this case the answer (login prompt) from the telnet session will be sent to the “real” location of the IP address that you are showing as the connection initiator.
Question:15
You are scanning into the target network for the first time. You find very few conventional ports open. When you attempt to perform traditional service identification by connecting to the open ports, it yields either unreliable or no results. You are unsure of which protocols are being used. You need to discover as many different protocols as possible.
Which kind of scan would you use to achieve this? (Choose the best answer)
A. Nessus scan with TCP based pings.
B. Nmap scan with the -sP (Ping scan) switch.
C. Netcat scan with the -u -e switches.
D. Nmap with the -sO (Raw IP packets) switch.
Answer:D
Explanation:
Reference: Running Nmap with the -sO switch will do an IP Protocol Scan. The IP protocol scan is a bit different than the other nmap scans. The IP protocol scan is searching for additional IP protocols in use by the remote station, such as ICMP, TCP, and UDP. If a router is scanned, additional IP protocols such as EGP or IGP may be identified.
Question:16
What are two types of ICMP code used when using the ping command?
A. It uses types 0 and 8.
B. It uses types 13 and 14.
C. It uses types 15 and 17.
D. The ping command does not use ICMP but uses UDP.
Answer:A
Explanation:
Reference: ICMP Type 0 = Echo Reply, ICMP Type 8 = Echo
Question:17
You are having problems while retrieving results after performing port scanning during internal testing. You verify that there are no security devices between you and the target system. When both stealth and connect scanning do not work, you decide to perform a NULL scan with NMAP. The first few systems scanned show all ports open.
Which one of the following statements is probably true?
A. The systems have all ports open.
B. The systems are running a host based IDS.
C. The systems are web servers.
D. The systems are running Windows.
Answer:D
Explanation:
Reference: The null scan turns off all flags, creating a lack of TCP flags that should never occur in the real world. If the port is closed, a RST frame should be returned and a null scan to an open port results in no response. Unfortunately Microsoft (like usual) decided to completely ignore the standard and do things their own way. Thus this scan type will not work against systems running Windows as they choose not to respond at all. This is a good way to distinguish that the system being scanned is running Microsoft Windows.
Question:18
John has scanned the web server with NMAP. However, he could not gather enough information to help him identify the operating system running on the remote host accurately.
What would you suggest to John to help identify the OS that is being used on the remote web server?
A. Connect to the web server with a browser and look at the web page.
B. Connect to the web server with an FTP client.
C. Telnet to port 8080 on the web server and look at the default page code.
D. Telnet to an open port and grab the banner.
Answer:D
Explanation:
Reference: Most people don’t care about changing the banners presented by applications listening to open ports and therefore you should get fairly accurate information when grabbing banners from open ports with, for example, a telnet application.
Question:19
An Nmap scan shows the following open ports, and nmap also reports that the OS guessing results match too many signatures, hence it cannot reliably be identified:
21 ftp
23 telnet
80 http
443 https
What does this suggest?
A. This is a Windows Domain Controller
B. The host is not firewalled
C. The host is not a Linux or Solaris system
D. The host is not properly patched
Answer:D
Explanation:
Reference: If the answer was A nmap would guess it, it holds the MS signature database; the host not being firewalled makes no difference. The host is not Linux or Solaris? Well, it very well could be. The host is not properly patched? That is the closest; nmap's OS detection architecture is based solely off the TCP ISN issued by the operating system's TCP/IP stack. If the stack is modified to show output from randomized ISNs, or if you're using a program to change the ISN, then OS detection will fail. If the TCP/IP IP IDs are modified then OS detection could also fail, because the machine would most likely come back as being down.
Question:20
What port scanning method is the most reliable but also the most detectable?
A. Null Scanning
B. Connect Scanning
C. ICMP Scanning
D. Idlescan Scanning
E. Half Scanning
F. Verbose Scanning
Answer:B
Explanation:
Reference: A TCP Connect scan, named after the Unix connect() system call, is the most accurate scanning method. If a port is open the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection.
Question:21
Because UDP is a connectionless protocol: (Select 2)
A. UDP recvfrom() and write() scanning will yield reliable results
B. It can only be used for Connect scans
C. It can only be used for SYN scans
D. There is no guarantee that the UDP packets will arrive at their destination
E. ICMP port unreachable messages may not be returned successfully
Answer:D, E
Explanation:
Reference: Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so UDP scanners must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).
Question:22
You are scanning into the target network for the first time. You find very few conventional ports open. When you attempt to perform traditional service identification by connecting to the open ports, it yields either unreliable or no results. You are unsure of what protocols are being used. You need to discover as many different protocols as possible. Which kind of scan would you use to do this?
A. Nmap with the -sO (Raw IP packets) switch
B. Nessus scan with TCP based pings
C. Nmap scan with the -sP (Ping scan) switch
D. Netcat scan with the -u -e switches
Answer:A
Explanation:
Reference: Running Nmap with the -sO switch will do an IP Protocol Scan. The IP protocol scan is a bit different than the other nmap scans. The IP protocol scan is searching for additional IP protocols in use by the remote station, such as ICMP, TCP, and UDP. If a router is scanned, additional IP protocols such as EGP or IGP may be identified.
Question:23
What ICMP message types are used by the ping command?
A. Timestamp request (13) and timestamp reply (14)
B. Echo request (8) and Echo reply (0)
C. Echo request (0) and Echo reply (1)
D. Ping request (1) and Ping reply (2)
Answer:B
Explanation:
Reference: ICMP Type 0 = Echo Reply, ICMP Type 8 = Echo
Question:24
Which of the following systems would not respond correctly to an nmap XMAS scan?
A. Windows 2000 Server running IIS 5
B. Any Solaris version running SAMBA Server
C. Any version of IRIX
D. RedHat Linux 8.0 running Apache Web Server
Answer:A
Explanation:
Reference: When running an XMAS scan, if a RST packet is received, the port is considered closed, while no response means it is open|filtered. The big downside is that not all systems follow RFC 793 to the letter. A number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400.
Question:25
What is the essential difference between an ‘Ethical Hacker’ and a ‘Cracker’?
A. The ethical hacker does not use the same techniques or skills as a cracker.
B. The ethical hacker does it strictly for financial motives unlike a cracker.
C. The ethical hacker has authorization from the owner of the target.
D. The ethical hacker is just a cracker who is getting paid.
Answer:C
Explanation:
Reference: The ethical hacker uses the same techniques and skills as a cracker and the motive is to find the security breaches before a cracker does. There is nothing that says that a cracker does not get paid for the work he does; an ethical hacker has the owner's authorization and will get paid even if he does not succeed in penetrating the target.
Question:26
What does the term “Ethical Hacking” mean?
A. Someone who is hacking for ethical reasons.
B. Someone who is using his/her skills for ethical reasons.
C. Someone who is using his/her skills for defensive purposes.
D. Someone who is using his/her skills for offensive purposes.
Answer:C
Explanation:
Reference: Ethical hacking is only about defending yourself or your employer against malicious persons by using the same techniques and skills.
Question:27
Who is an Ethical Hacker?
A. A person who hacks for ethical reasons
B. A person who hacks for an ethical cause
C. A person who hacks for defensive purposes
D. A person who hacks for offensive purposes
Answer:C
Explanation:
Reference: The Ethical hacker is a security professional who applies his hacking skills for defensive purposes.
Question:28
What is "Hacktivism"?
A. Hacking for a cause
B. Hacking ruthlessly
C. An association which groups activists
D. None of the above
Answer:A
Explanation:
Reference: The term was coined by author/critic Jason Logan King Sack in an article about media artist Shu Lea Cheang. Acts of hacktivism are carried out in the belief that proper use of code will have leveraged effects similar to regular activism or civil disobedience.
Question:29
Where should a security tester be looking for information that could be used by an attacker against an organization? (Select all that apply)
A. CHAT rooms
B. WHOIS database
C. News groups
D. Web sites
E. Search engines
F. Organization’s own website
Answer:A, B, C, D, E, F
Explanation:
Reference: A security tester should search for information everywhere that he/she can access. You never know where you will find that small piece of information that could penetrate a strong defense.
Question:30
What are the two basic types of attacks? (Choose two.)
A. DoS
B. Passive
C. Sniffing
D. Active
E. Cracking
Answer:B, D
Explanation:
Reference: Passive and active attacks are the two basic types of attacks.
Question:31
The United Kingdom (UK) has passed a law that makes hacking into an unauthorized network a felony.
The law states:
Section 1 of the Act refers to unauthorized access to computer material. This states that a person commits an offence if he causes a computer to perform any function with intent to secure unauthorized access to any program or data held in any computer. For a successful conviction under this part of the Act, the prosecution must prove that the access secured is unauthorized and that the suspect knew that this was the case. This section is designed to deal with common-or-garden hacking.
Section 2 of the Act deals with unauthorized access with intent to commit or facilitate the commission of further offences. An offence is committed under Section 2 if a Section 1 offence has been committed and there is the intention of committing or facilitating a further offence (any offence which attracts a custodial sentence of more than five years, not necessarily one covered by the Act). Even if it is not possible to prove the intent to commit the further offence, the Section 1 offence is still committed.
Section 3 offences cover unauthorized modification of computer material, which generally means the creation and distribution of viruses. For a conviction to succeed there must have been the intent to cause the modifications and knowledge that the modification had not been authorized.
What is the law called?
A. Computer Misuse Act 1990
B. Computer incident Act 2000
C. Cyber Crime Law Act 2003
D. Cyber Space Crime Act 1995
Answer:A
Explanation:
Reference: Computer Misuse Act (1990) creates three criminal offences:
1. Unauthorised access to computer material
2. Unauthorised access to a computer system with intent to commit or facilitate the commission of a further offence
3. Unauthorised modification of computer material
Question:32
Which of the following best describes Vulnerability?
A. The loss potential of a threat
B. An action or event that might prejudice security
C. An agent that could take advantage of a weakness
D. A weakness or error that can lead to compromise
Answer:D
Explanation:
Reference: A vulnerability is a flaw or weakness in system security procedures, design or implementation that could be exercised (accidentally triggered or intentionally exploited) and result in a harm to an IT system or activity.
Question:33
Which of the following acts in the United States specifically criminalizes the transmission of unsolicited commercial e-mail (SPAM) without an existing business relationship?
A. 2004 CANSPAM Act
B. 2003 SPAM Preventing Act
C. 2005 US-SPAM 1030 Act
D. 1990 Computer Misuse Act
Answer:A
Explanation:
Reference: The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. The law, which became effective January 1, 2004, covers email whose primary purpose is advertising or promoting a commercial product or service, including content on a Web site. A "transactional or relationship message" – email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information, but otherwise is exempt from most provisions of the CAN-SPAM Act.
Question:34
You are footprinting Acme.com to gather competitive intelligence. You visit the acme.com website for contact information and telephone numbers but do not find it listed there. You know that they had the entire staff directory listed on their website 12 months ago but now it is not there. How would it be possible for you to retrieve information from the website that is outdated?
A. Visit google search engine and view the cached copy.
B. Visit Archive.org site to retrieve the Internet archive of the acme website.
C. Crawl the entire website and store them into your computer.
D. Visit the company’s partners and customers website for this information.
Answer: B
Explanation:
Reference: The Internet Archive (IA) is a non-profit organization dedicated to maintaining an archive of Web and multimedia resources. Located at the Presidio in San Francisco, California, this archive includes "snapshots of the World Wide Web" (archived copies of pages, taken at various points in time), software, movies, books, and audio recordings (including recordings of live concerts from bands that allow it). This site is found at www.archive.org.
Question:35
Under which Federal Statutes does FBI investigate for computer crimes involving e-mail scams and mail fraud?
A. 18 U.S.C 1029 Possession of Access Devices
B. 18 U.S.C 1030 Fraud and related activity in connection with computers
C. 18 U.S.C 1343 Fraud by wire, radio or television
D. 18 U.S.C 1361 Injury to Government Property
E. 18 U.S.C 1362 Government communication systems
F. 18 U.S.C 1831 Economic Espionage Act
G. 18 U.S.C 1832 Trade Secrets Act
Answer: B
Explanation:
Reference: http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
Question:36
Which of the following activities will NOT be considered as passive footprinting?
A. Go through the rubbish to find out any information that might have been discarded.
B. Search on financial site such as Yahoo Financial to identify assets.
C. Scan the range of IP address found in the target DNS database.
D. Perform multiples queries using a search engine.
Answer: C
Explanation:
Reference: Passive footprinting is a method in which the attacker never makes contact with the target systems. Scanning the range of IP addresses found in the target DNS is considered making contact to the systems behind the IP addresses that is targeted by the scan.
Question:37
Which one of the following is defined as the process of distributing incorrect Internet Protocol (IP) addresses/names with the intent of diverting traffic?
A. Network aliasing
B. Domain Name Server (DNS) poisoning
C. Reverse Address Resolution Protocol (ARP)
D. Port scanning
Answer:B
Explanation:
Reference: This reference is close to the one listed; DNS poisoning is the correct answer. This is how a DNS DoS attack can occur. If the actual DNS records are unattainable to the attacker for him to alter in this fashion, which they should be, the attacker can insert this data into the cache of the server instead of replacing the actual records, which is referred to as cache poisoning.
Question:38
You are footprinting an organization to gather competitive intelligence. You visit the company’s website for contact information and telephone numbers but do not find it listed there. You know that they had the entire staff directory listed on their website 12 months ago but now it is not there.
How would it be possible for you to retrieve information from the website that is outdated?
A. Visit google’s search engine and view the cached copy.
B. Visit Archive.org web site to retrieve the Internet archive of the company’s website.
C. Crawl the entire website and store them into your computer.
D. Visit the company’s partners and customers website for this information.
Answer:B
Explanation:
Reference: Archive.org mirrors websites and categorizes them by date and month depending on the crawl time. Archive.org dates back to 1996. Google is incorrect because the cache is only as recent as the latest crawl; the cache is over-written on each subsequent crawl. Download the website is incorrect because that's the same as what you see online. Visiting customer partners websites is just bogus. The answer is then firmly, C, archive.org
Question:39
A company security System Administrator is reviewing the network system log files. He notes the following:
- Network log files are at 5 MB at 12:00 noon.
- At 14:00 hours, the log files are at 3 MB.
What should he assume has happened and what should he do about the situation?
A. He should contact the attacker’s ISP as soon as possible and have the connection disconnected.
B. He should log the event as suspicious activity, continue to investigate, and take further steps according to site security policy.
C. He should log the file size, and archive the information, because the router crashed.
D. He should run a file system check, because the Syslog server has a self correcting file system problem.
E. He should disconnect from the Internet, discontinue any further unauthorized use, because an attack has taken place.
Answer: B
Explanation:
Reference: You should never assume a host has been compromised without verification. Typically, disconnecting a server is an extreme measure and should only be done when it is confirmed there is a compromise or the server contains such sensitive data that the loss of service outweighs the risk. Never assume that any administrator or automatic process is making changes to a system. Always investigate the root cause of the change on the system and follow your organization's security policy.
Question:40
To what concept in the realm of email security does “message repudiation” refer?
A. Message repudiation means a user can validate which mail server or servers a message was passed through.
B. Message repudiation means a user can claim damages for a mail message that damaged their reputation.
C. Message repudiation means a recipient can be sure that a message was sent from a particular person.
D. Message repudiation means a recipient can be sure that a message was sent from a certain host.
E. Message repudiation means a sender can claim they did not actually send a particular message.
Answer: E
Explanation:
Reference: A quality that prevents a third party from being able to prove that a communication between two other parties ever took place. This is a desirable quality if you do not want your communications to be traceable.
Non-repudiation is the opposite quality: a third party can prove that a communication between two other parties took place. Non-repudiation is desirable if you want to be able to trace your communications and prove that they occurred. Repudiation – Denial of message submission or delivery.
Question:41
How does Traceroute map the route that a packet travels from point A to point B?
A. It uses a TCP Timestamp packet that will elicit a time exceeded in transit message.
B. It uses a protocol that will be rejected at the gateways on its way to its destination.
C. It manipulates the value of time to live (TTL) parameter packet to elicit a time exceeded in transit message.
D. It manipulates flags within packets to force gateways into generating error messages.
Answer:C
Explanation:
Reference: Traceroute works by increasing the "time-to-live" value of each successive batch of packets sent. The first three packets have a time-to-live (TTL) value of one (implying that they make a single hop). The next three packets have a TTL value of 2, and so on. When a packet passes through a host, normally the host decrements the TTL value by one, and forwards the packet to the next host. When a packet with a TTL of one reaches a host, the host discards the packet and sends an ICMP time exceeded (type 11) packet to the sender. The traceroute utility uses these returning packets to produce a list of hosts that the packets have traversed en route to the destination.
Question:42
Snort has been used to capture packets on the network. On studying the packets, the penetration tester finds them to be abnormal. If you were the penetration tester, why would you find this abnormal?
(Note: The student is being tested on concepts learnt during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniff dump.)
05/20-17:06:45.061034 192.160.13.4:31337 -> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400
.
.
.
05/20-17:06:58.685879 192.160.13.4:31337 -> 172.16.1.101:1024
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq: 0XA1D95 Ack: 0x53 Win: 0x400
What is odd about this attack? (Choose the most appropriate statement)
A.This is not a spoofed packet as the IP stack has increasing numbers for the three flags.
B.This is back orifice activity as the scan comes from port 31337.
C.The attacker wants to avoid creating a sub-carrier connection that is not normally valid.
D.These packets were created by a tool; they were not created by a standard IP stack.
Answer:B
Explanation:
Reference: Port 31337 is normally used by Back Orifice. Note that 31337 is hackers' spelling of ‘elite’, meaning ‘elite hackers’.
Question:43
Your company trainee Sandra asks you which are the four existing Regional Internet Registries (RIRs)?
A.APNIC, PICNIC, ARIN, LACNIC
B.RIPE NCC, LACNIC, ARIN, APNIC
C.RIPE NCC, NANIC, ARIN, APNIC
D.RIPE NCC, ARIN, APNIC, LATNIC
Answer:B
Explanation:
Reference: All other answers include non-existing organizations (PICNIC, NANIC, LATNIC). See http://www.arin.net/library/internet_info/ripe.html
Question:44
A very useful resource for passively gathering information about a target company is:
A.Host scanning
B.Whois search
C.Traceroute
D.Ping sweep
Answer:B
Explanation:
Reference: A, C & D are "Active" scans; the question says: "Passively".
Question:45
Which of the following tools are used for footprinting? (Choose four.)
A.Sam Spade
B.NSLookup
C.Traceroute
D.Neotrace
E.Cheops
Answer:A, B, C, D
Explanation:
Reference: All of the tools listed are used for footprinting except Cheops.
Question:46
According to the CEH methodology, what is the next step to be performed after footprinting?
A.Enumeration
B.Scanning
C.System Hacking
D.Social Engineering
E.Expanding Influence
Answer:B
Explanation:
Reference: Once footprinting has been completed, scanning should be attempted next. Scanning should take place on two distinct levels: network and host.
Question:47
NSLookup is a good tool to use to gain additional information about a target network. What does the following command sequence accomplish?
nslookup
> server <ipaddress>
> set type=any
> ls -d <target.com>
A.Enables DNS spoofing
B.Loads bogus entries into the DNS table
C.Verifies zone security
D.Performs a zone transfer
E.Resets the DNS cache
Answer:D
Explanation:
Reference: If DNS has not been properly secured, the command sequence displayed above will perform a zone transfer.
Question:48
While footprinting a network, what port/service should you look for to attempt a zone transfer?
A.53 UDP
B.53 TCP
C.25 UDP
D.25 TCP
E.161 UDP
F.22 TCP
G.60 TCP
Answer:B
Explanation:
Reference: If TCP port 53 is detected, the opportunity to attempt a zone transfer is there.
Question:49
Your lab partner is trying to find out more information about a competitor's web site. The site has a .com extension. She has decided to use some online whois tools and look in one of the regional Internet registries. Which one would you suggest she looks in first?
A.LACNIC
B.ARIN
C.APNIC
D.RIPE
E.AfriNIC
Answer:B
Explanation:
Reference: Regional registries maintain records from the areas which they govern. ARIN is responsible for domains served within North and South America and therefore would be a good starting point for a .com domain.
Question:50
Network Administrator Patricia is doing an audit of the network. Below are some of her findings concerning DNS. Which of these would be a cause for alarm?
Select the best answer.
A. There are two external DNS Servers for Internet domains. Both are AD integrated.
B. All external DNS is done by an ISP.
C. Internal AD Integrated DNS servers are using private DNS names that are unregistered.
D. Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server.
Answer: A
Explanation:
Reference:
A. There are two external DNS Servers for Internet domains. Both are AD integrated. This is the correct answer. Having an AD integrated DNS external server is a serious cause for alarm. There is no need for this and it causes vulnerability on the network.
B. All external DNS is done by an ISP. This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk as it is offloaded onto the ISP.
C. Internal AD Integrated DNS servers are using private DNS names that are unregistered. This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk.
D. Private IP addresses are used on the internal network and are registered with the internal AD integrated DNS server. This is not the correct answer. This would not be a cause for alarm. This would actually reduce the company's network risk.
I was suggested to download study material from DumpsFactory and I am thankful for that. I could not have aced my certification so easily if I had not made 312-50 Dumps my choice. I went through the study stuff and prepared all the topics within short time.