Ucertify offers a free demo for the 312-50 exam. "Ethical Hacking and Countermeasures (CEHv6)", also known as the 312-50 exam, is an EC-Council certification. This set of posts, Passing the EC-Council 312-50 exam, will help you answer those questions. The 312-50 Questions & Answers cover all the knowledge points of the real exam. 100% real EC-Council 312-50 exams, revised by experts!

Q241. 

home/root # traceroute www.targetcorp.com
traceroute to www.targetcorp.com (192.168.12.18), 64 hops max, 40 byte packets
 1 router.anon.com (192.13.212.254) 1.373 ms 1.123 ms 1.280 ms
 2 192.13.133.121 (192.13.133.121) 3.680 ms 3.506 ms 4.583 ms
 3 firewall.anon.com (192.13.192.17) 127.189 ms 257.404 ms 208.484 ms
 4 anon-gw.anon.com (192.93.144.89) 471.68 ms 376.875 ms 228.286 ms
 5 fe5-0.lin.isp.com (192.162.231.225) 2.961 ms 3.852 ms 2.974 ms
 6 fe0-0.lon0.isp.com (192.162.231.234) 3.979 ms 3.243 ms 4.370 ms
 7 192.13.133.5 (192.13.133.5) 11.454 ms 4.221 ms 3.333 ms
 6 * * *
 7 * * *
 8 www.targetcorp.com (192.168.12.18) 5.392 ms 3.348 ms 3.199 ms

Use the traceroute results shown above to answer the following question: 

The perimeter security at targetcorp.com does not permit ICMP TTL-expired packets out. 

A. True 

B. False 

Answer: A

Explanation: As seen in the exhibit, there are 2 entries with timeouts. This tells us that the firewall filters packets where the TTL has reached 0. When you continue with higher starting values for the TTL, you will get an answer from the target of the traceroute.


Q242. _____ ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. It secures information by assigning sensitivity labels on information and comparing this to the level of security a user is operating at. 

A. Mandatory Access Control 

B. Authorized Access Control 

C. Role-based Access Control 

D. Discretionary Access Control 

Answer: A

Explanation: In computer security, mandatory access control (MAC) is a kind of access control, defined by the TCSEC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity."


Q243. Sniffing is considered an active attack. 

A. True 

B. False 

Answer:

Explanation: Sniffing is considered a passive attack. 


Q244. Attackers can potentially intercept and modify unsigned SMB packets, modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data. Which of the following is NOT a means that can be used to minimize or protect against such an attack? 

A. Timestamps 

B. SMB Signing 

C. File permissions 

D. Sequence numbers monitoring 

Answer: ABD


Q245. Lauren is performing a network audit for her entire company. The entire network is comprised of around 500 computers. Lauren starts an ICMP ping sweep by sending one IP packet to the broadcast address of the network, but only receives responses from around five hosts. Why did this ping sweep only produce a few responses? 

A. Only Windows systems will reply to this scan. 

B. A switched network will not respond to packets sent to the broadcast address. 

C. Only Linux and Unix-like (Non-Windows) systems will reply to this scan. 

D. Only servers will reply to this scan. 

Answer: C


Q246. Paula works as the primary help desk contact for her company. Paula has just received a call from a user reporting that his computer just displayed a Blue Screen of Death screen and he can no longer work. Paula walks over to the user’s computer and sees the Blue Screen of Death screen. The user’s computer is running Windows XP, but the Blue Screen looks like a familiar one that Paula had seen on Windows 2000 computers periodically. 

The user said he stepped away from his computer for only 15 minutes and when he got back, the Blue Screen was there. Paula also noticed that the hard drive activity light was flashing, meaning that the computer was processing something. Paula knew this should not be the case since the computer should be completely frozen during a Blue Screen. She checks the network IDS live log entries and notices numerous nmap scan alerts. 

What is Paula seeing happen on this computer? 

A. Paula’s Network was scanned using FloppyScan 

B. Paula’s Network was scanned using Dumpsec 

C. There was IRQ conflict in Paula’s PC 

D. A tool like Nessus will cause a BSOD 

Answer: A

Explanation: FloppyScan is a dangerous hacking tool which can be used to port scan a system using a floppy disk. It:

* Boots up mini Linux
* Displays a Blue Screen of Death screen
* Port scans the network using NMAP
* Sends the results by e-mail to a remote server


Q247. In the context of Windows Security, what is a 'null' user? 

A. A user that has no skills 

B. An account that has been suspended by the admin 

C. A pseudo account that has no username and password 

D. A pseudo account that was created for security administration purpose 

Answer:

Explanation: NULL sessions take advantage of “features” in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Using these NULL connections allows you to gather the following information from the host:

* List of users and groups
* List of machines
* List of shares
* Users and host SIDs (Security Identifiers)

NULL sessions exist in Windows networking to allow:

* Trusted domains to enumerate resources
* Computers outside the domain to authenticate and enumerate users
* The SYSTEM account to authenticate and enumerate resources

NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003 will allow anonymous enumeration of shares, but not SAM accounts. 


Q248. A specific site received 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of the ICMP_ECHO packets had an ICMP ID:39612 and Seq:57072. 13 of the ICMP_ECHO packets had an ICMP ID:0 and Seq:0. What can you infer from this information? 

A. The packets were sent by a worm spoofing the IP addresses of 47 infected sites 

B. ICMP ID and Seq numbers were most likely set by a tool and not by the operating system 

C. All 77 packets came from the same LAN segment and hence had the same ICMP ID and Seq number 

D. 13 packets were from an external network and probably behind a NAT, as they had an ICMP ID 0 and Seq 0 

Answer: B


Q249. Study the snort rule given below and interpret the rule. 

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";) 

A. An alert is generated when a TCP packet is originated from port 111 of any IP address to the 192.168.1.0 subnet 

B. An alert is generated when any packet other than a TCP packet is seen on the network and destined for the 192.168.1.0 subnet 

C. An alert is generated when a TCP packet is generated from any IP on the 192.168.1.0 subnet and destined to any IP on port 111 

D. An alert is generated when a TCP packet originating from any IP address is seen on the network and destined for any IP address on the 192.168.1.0 subnet on port 111 

Answer: D

Explanation: Refer to the online documentation on creating Snort rules at http://snort.org/docs/snort_htmanuals/htmanual_261/node147.html 


Q250. How do you defend against MAC attacks on a switch? 

A. Disable SPAN port on the switch 

B. Enable SNMP Trap on the switch 

C. Configure IP security on the switch 

D. Enable Port Security on the switch 

Answer: D