Want to know Testking 312-50 Exam practice test features? Want to learn more about the EC-Council Ethical Hacking and Countermeasures (CEHv6) certification experience? Study Simulation EC-Council 312-50 answers to the most up-to-date 312-50 questions at Testking. Get a success with an absolute guarantee to pass the EC-Council 312-50 (Ethical Hacking and Countermeasures (CEHv6)) test on your first attempt.

Q121. John runs a Web Server, IDS and firewall on his network. Recently his Web Server has been under constant hacking attacks. He looks up the IDS log files and sees no intrusion attempts, but the web server constantly locks up and needs rebooting due to various brute force and buffer overflow attacks; still the IDS alerts no intrusion whatsoever. 

John becomes suspicious and views the firewall logs, where he notices huge numbers of SSL connections constantly hitting the web server. 

Hackers have been using the encrypted HTTPS protocol to send exploits to the web server and that was the reason the IDS did not detect the intrusions. 

How would John protect his network from these types of attacks? 

A. Install a proxy server and terminate SSL at the proxy 

B. Install a hardware SSL “accelerator” and terminate SSL at this layer 

C. Enable the IDS to filter encrypted HTTPS traffic 

D. Enable the firewall to filter encrypted HTTPS traffic 

Answer: AB

Explanation: By terminating the SSL connection at a proxy or an SSL accelerator and then using clear text for the distance between the proxy/accelerator and the server, you make it possible for the IDS to scan the traffic. 

Topic 20, Buffer Overflows 


Q122. Jackson discovers that the wireless AP transmits 128 bytes of plaintext, and the station responds by encrypting the plaintext. It then transmits the resulting ciphertext using the same key and cipher that are used by WEP to encrypt subsequent network traffic. What authentication mechanism is being followed here? 

A. no authentication 

B. single key authentication 

C. shared key authentication 

D. open system authentication 

Answer:

Explanation: The following picture shows the WEP authentication procedure: 


Q123. While investigating a claim of a user downloading illegal material, the investigator goes through the files on the suspect’s workstation. He comes across a file that is called ‘file.txt’, but when he opens it, he finds the following: 

What does this file contain? 

A. A picture that has been renamed with a .txt extension. 

B. An encrypted file. 

C. A uuencoded file. 

D. A buffer overflow. 

Answer:

Explanation: This is a buffer overflow exploit with its “payload” in hexadecimal format. 


Q124. Peter is a Linux network admin. Knowing that you are a knowledgeable security consultant, he turns to you for help with a firewall. He wants to use Linux as his firewall and use the latest freely available version that is offered. What do you recommend? 

Select the best answer. 

A. Ipchains 

B. Iptables 

C. Checkpoint FW for Linux 

D. Ipfwadm 

Answer:

Explanation:

Ipchains improved over ipfwadm with its chaining mechanism, so that it can have multiple rulesets. However, it isn't the latest version of a free Linux firewall. Iptables replaced ipchains and is the latest of the free Linux firewall tools. Any Checkpoint firewall is not going to meet Jason's desire to have a free firewall. Ipfwadm was used to build Linux firewall rules on kernels prior to 2.2.0. It is an outdated version. 


Q125. "Testing the network using the same methodologies and tools employed by attackers" Identify the correct terminology that defines the above statement. 

A. Vulnerability Scanning 

B. Penetration Testing 

C. Security Policy Implementation 

D. Designing Network Security 

Answer: B


Q126. Joe the Hacker breaks into a company’s Linux system and plants a wiretap program in order to sniff passwords and user accounts off the wire. The wiretap program is embedded as a Trojan horse in one of the network utilities. Joe is worried that the network administrator might detect the wiretap program by querying the interfaces to see if they are running in promiscuous mode. 

Running “ifconfig -a” produces the following: 

# ifconfig -a 
lo0: flags=848<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232 
        inet 127.0.0.1 netmask ff000000 
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 
        inet 192.0.2.99 netmask ffffff00 broadcast 134.5.2.255 
        ether 8:0:20:9c:a2:35 

What can Joe do to hide the wiretap program from being detected by the ifconfig command? 

A. Block output to the console whenever the user runs the ifconfig command by running a screen capture utility 

B. Run the wiretap program in stealth mode from being detected by the ifconfig command. 

C. Replace original ifconfig utility with the rootkit version of ifconfig hiding Promiscuous information being displayed on the console. 

D. You cannot disable Promiscuous mode detection on Linux systems. 

Answer: C

Explanation: The normal way to hide these rogue programs running on systems is to use crafted (trojaned) versions of commands like ifconfig and ls. 
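The detection side of this scenario, as an added example that is not part of the exam page: the script parses ifconfig -a output for the PROMISC flag and cross-checks it against the Linux kernel's own /sys/class/net/<interface>/flags file, so a replaced ifconfig binary cannot hide a sniffing interface. The sample listing is constructed from the output above (the hme0 mtu value is made up), and the compare_views helper name is my own.

```python
"""Added example (not from the exam page): detect promiscuous interfaces two ways.

A trojaned ifconfig, as in the scenario above, can strip PROMISC from its own
output, so a defender should cross-check what ifconfig prints against an
independent source such as the kernel's /sys/class/net/<if>/flags file.
"""
import os
import re

# IFF_PROMISC bit from the Linux uapi header include/uapi/linux/if.h
IFF_PROMISC = 0x100

# Matches the interface header line in both the Solaris-style listing shown in
# the question ("hme0: flags=863<...>") and the Linux net-tools style
# ("eth0: flags=4419<...>  mtu 1500").
IFACE_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.:-]+?):?\s+flags=(?P<flags>[0-9a-fA-F]+)<(?P<names>[^>]*)>",
    re.MULTILINE,
)


def promisc_from_ifconfig(output: str) -> list[str]:
    """Interfaces whose ifconfig flag list contains PROMISC."""
    found = []
    for m in IFACE_LINE.finditer(output):
        flag_names = {n.strip() for n in m["names"].split(",")}
        if "PROMISC" in flag_names:
            found.append(m["name"])
    return found


def promisc_from_flags(flags_hex: str) -> bool:
    """Interpret a raw flag word such as the contents of /sys/class/net/eth0/flags ('0x1103')."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promisc_from_sysfs(sysfs_root: str = "/sys/class/net") -> list[str]:
    """Independent check that never executes the (possibly trojaned) ifconfig binary."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found  # not a Linux host, or sysfs not mounted
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                if promisc_from_flags(fh.read()):
                    found.append(iface)
        except OSError:
            continue  # interface disappeared or flags file unreadable
    return found


def compare_views(ifconfig_text: str, kernel_promisc: list[str]) -> dict:
    """Interfaces the kernel reports as promiscuous but ifconfig does not: a sign of a tampered binary."""
    from_text = set(promisc_from_ifconfig(ifconfig_text))
    from_kernel = set(kernel_promisc)
    return {
        "ifconfig_reports": sorted(from_text),
        "kernel_reports": sorted(from_kernel),
        "hidden_from_ifconfig": sorted(from_kernel - from_text),
    }


# Constructed ifconfig output modelled on the question's listing (hme0 mtu is made up).
SAMPLE_IFCONFIG = """\
lo0: flags=848<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
        inet 127.0.0.1 netmask ff000000
hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,MULTICAST> mtu 1500
        inet 192.0.2.99 netmask ffffff00 broadcast 134.5.2.255
        ether 8:0:20:9c:a2:35
"""

if __name__ == "__main__":
    print("from sample ifconfig text:", promisc_from_ifconfig(SAMPLE_IFCONFIG))
    print("from this host's sysfs:  ", promisc_from_sysfs())
```

On a live Linux host run promisc_from_sysfs() (or `ip link`, which also prints PROMISC) and feed the real `ifconfig -a` text to compare_views; any interface listed under hidden_from_ifconfig means the ifconfig binary is lying about that interface.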


Q127. A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons even though he knows that other users are logging in. 

What do you think is the most likely reason behind this? 

A. There is a NIDS present on that segment. 

B. Kerberos is preventing it. 

C. Windows logons cannot be sniffed. 

D. L0phtcrack only sniffs logons to web servers. 

Answer: B

Explanation: In a Windows 2000 network using Kerberos, pre-authentication is normally used and the user's password never leaves the local machine, so it is never exposed on the network and cannot be sniffed. 


Q128. Which type of Nmap scan is the most reliable, but also the most visible, and likely to be picked up by an IDS? 

A. SYN scan 

B. ACK scan 

C. RST scan 

D. Connect scan 

E. FIN scan 

Answer:

Explanation: The TCP full connect (-sT) scan is the most reliable. 


Q129. Attacking well-known system defaults is one of the most common hacker attacks. Most software is shipped with a default configuration that makes it easy to install and set up the application. You should change the default settings to secure the system. 

Which of the following is NOT an example of default installation? 

A. Many systems come with default user accounts with well-known passwords that administrators forget to change 

B. Often, the default location of installation files can be exploited which allows a hacker to retrieve a file from the system 

C. Many software packages come with "samples" that can be exploited, such as the sample programs on IIS web services 

D. Enabling firewall and anti-virus software on the local system 

Answer: D


Q130. One of your junior administrators is concerned with Windows LM hashes and password cracking. In your discussion with them, which of the following are true statements that you would point out? 

Select the best answers. 

A. John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case. 

B. By using NTLMv1, you have implemented an effective countermeasure to password cracking. 

C. SYSKEY is an effective countermeasure. 

D. If a Windows LM password is 7 characters or less, the hash will be padded with the following characters, in hex: 00112233445566778899. 

E. Enforcing Windows complex passwords is an effective countermeasure. 

Answer: ACE

Explanations: 

John the Ripper can be used to crack a variety of passwords, but one limitation is that the output doesn't show if the password is upper or lower case. John the Ripper is a very effective password cracker that can crack passwords for many different types of operating systems; its one limitation is that the output doesn't show whether the password is upper or lower case. 

By using NTLMv1, you have implemented an effective countermeasure to password cracking. NTLM Version 2 (NTLMv2) is a good countermeasure to LM password cracking (and would therefore be a correct answer); NTLMv1 is not. To enable it, set Windows 9x and NT systems to "send NTLMv2 responses only". 

SYSKEY is an effective countermeasure. It uses 128-bit encryption on the local copy of the Windows SAM. 

If a Windows LM password is 7 characters or less, the hash will be padded with the following characters: 0xAAD3B435B51404EE. 

Enforcing Windows complex passwords is an effective countermeasure to password cracking. Complex passwords are greater than 6 characters and contain any 3 of the following 4 categories: upper case, lower case, special characters, and numbers.
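The padding fact above gives a defender a cheap audit: because LM hashes a password as two independent 7-character halves, the constant AAD3B435B51404EE in the second half means the password is 7 characters or fewer, and in both halves means LM hashing is disabled or the password is empty. The following Python script, an added example that is not part of the exam page, classifies entries in a pwdump-style hash list on that basis. The hash values and user names in the sample are constructed for illustration, and the pwdump line layout (user:RID:LM:NT:::) is assumed.

```python
"""Added example (not from the exam page): audit a pwdump-style list for weak LM hashes.

LM splits the password into two 7-character halves and DES-encrypts a constant
with each. An empty half always yields AAD3B435B51404EE, so that value in the
second half reveals a password of 7 characters or fewer, and in both halves
an empty password or LM hashing that is disabled.
"""
import re
from typing import NamedTuple

EMPTY_LM_HALF = "aad3b435b51404ee"

# Assumed pwdump layout: user:RID:LM hash:NT hash:::
PWDUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)


class LmFinding(NamedTuple):
    user: str
    status: str


def classify_lm_hash(lm_hex: str) -> str:
    """Classify one 32-hex-character LM hash by inspecting its two 8-byte halves."""
    lm = lm_hex.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", lm):
        raise ValueError("LM hash must be 32 hex characters")
    first, second = lm[:16], lm[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "lm-disabled-or-empty"   # nothing to crack: LM storage is off or password is blank
    if second == EMPTY_LM_HALF:
        return "short-lm-password"      # 7 characters or fewer: only one DES block to attack
    return "full-lm-password"           # 8 to 14 characters, still two independent 7-char halves


def audit_pwdump(lines) -> list[LmFinding]:
    """Parse pwdump-style lines and return one finding per well-formed entry."""
    findings = []
    for line in lines:
        m = PWDUMP_LINE.match(line.strip())
        if not m:
            continue  # comments, blank lines, malformed entries
        findings.append(LmFinding(m["user"], classify_lm_hash(m["lm"])))
    return findings


def summarize(findings) -> dict:
    """Count findings per status so the audit can be reported at a glance."""
    counts: dict = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed sample dump: every hash and account below is illustrative, not real data.
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "jsmith:1001:e52cac67419a9a22aad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "bjones:1002:e52cac67419a9a224a3b108f3fa6cb6d:fedcba9876543210fedcba9876543210:::",
    "# comment line that the parser must skip",
]

if __name__ == "__main__":
    for finding in audit_pwdump(SAMPLE_DUMP):
        print(f"{finding.user:15} {finding.status}")
    print(summarize(audit_pwdump(SAMPLE_DUMP)))
```

Accounts reported as short-lm-password are the ones to prioritise for a password reset or, better, for disabling LM hash storage entirely, since only the first half carries any secret.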