Want to know Testking 312-50 Exam practice test features? Want to learn more about EC-Council Ethical Hacking and Countermeasures (CEHv6) certification experience? Study Certified EC-Council 312-50 answers to Improved 312-50 questions at Testking. Get a success with an absolute guarantee to pass EC-Council 312-50 (Ethical Hacking and Countermeasures (CEHv6)) test on your first attempt.

2021 Sep 312-50 free exam

Q351. If an attacker's computer sends an IPID of 24333 to a zombie (Idle Scanning) computer on a closed port, what will be the response? 

A. The zombie computer will respond with an IPID of 24334. 

B. The zombie computer will respond with an IPID of 24333. 

C. The zombie computer will not send a response. 

D. The zombie computer will respond with an IPID of 24335. 

Answer: C


Q352. What happens when one experiences a ping of death? 

A. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the “type” field in the ICMP header is set to 18 (Address Mask Reply). 

B. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and (IP offset * 8) + (IP data length) > 65535. In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet. 

C. This is when an IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the source equal to destination address. 

D. This is when the IP header is set to 1 (ICMP) and the “type” field in the ICMP header is set to 5 (Redirect). 

Answer: B

Explanation: "A hacker can send an IP packet to a vulnerable machine such that the last fragment contains an offset where (IP offset * 8) + (IP data length) > 65535. This means that when the packet is reassembled, its total length is larger than the legal limit, causing buffer overruns in the machine's OS (because the buffer sizes are defined only to accommodate the maximum allowed size of the packet based on RFC 791)... IDS can generally recognize such attacks by looking for packet fragments that have the IP header's protocol field set to 1 (ICMP), the last bit set, and (IP offset * 8) + (IP data length) > 65535." (CCIE Professional Development: Network Security Principles and Practices by Saadat Malik, pg 414)

"Ping of Death" attacks cause systems to react in an unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and zero or more octets of optional information, with the rest of the packet being data. Ping of Death attacks can cause crashing, freezing, and rebooting. 
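The IDS check described in the explanation for Q352, written out as an added example (not part of the original question bank). It applies the stated condition to a raw IPv4 header; the function names are hypothetical, the sample packets are constructed in memory, and "last fragment" is interpreted here as More Fragments clear with a non-zero offset.

```python
import struct

MAX_IP_DATAGRAM = 65535  # limit used in the explanation's inequality

def parse_fragment(packet: bytes) -> dict:
    """Pull the fields the check needs out of a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    header_len = (ver_ihl & 0x0F) * 4
    if header_len < 20 or total_len < header_len:
        raise ValueError("inconsistent header/total length")
    return {
        "protocol": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "offset_bytes": (flags_frag & 0x1FFF) * 8,  # field is in 8-byte units
        "data_len": total_len - header_len,
    }

def is_ping_of_death(packet: bytes) -> bool:
    """ICMP + last fragment + (offset * 8) + data length > 65535."""
    f = parse_fragment(packet)
    last_fragment = not f["more_fragments"] and f["offset_bytes"] > 0
    reassembled_end = f["offset_bytes"] + f["data_len"]
    return (f["protocol"] == 1 and last_fragment
            and reassembled_end > MAX_IP_DATAGRAM)

def build_sample(offset_units, data_len, more_fragments=False, proto=1):
    """Constructed test input: 20-byte header (checksum left 0) + zero data."""
    flags_frag = (0x2000 if more_fragments else 0) | offset_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + bytes(data_len)

if __name__ == "__main__":
    for units, length in [(185, 520), (8191, 7), (8191, 8), (8189, 1480)]:
        verdict = is_ping_of_death(build_sample(units, length))
        print(f"offset={units * 8:5d} data={length:4d} flagged={verdict}")
```

The boundary rows show why the comparison is strict: an offset of 65528 bytes with 7 bytes of data ends exactly at 65535 and is not flagged, while 8 bytes of data is.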


Q353. Bob, an administrator at a company, was furious when he discovered that his buddy Trent has launched a session hijack attack against his network and sniffed his communication, including administrative tasks such as configuring routers, firewalls, and IDS via Telnet. 

Bob, being an unhappy administrator, seeks your help to assist him in ensuring that attackers such as Trent will not be able to launch a session hijack in the company. 

Based on the above scenario, please choose which would be your corrective actions. (Choose two) 

A. Use encrypted protocols, like those found in the OpenSSH suite. 

B. Implement FAT32 filesystem for faster indexing and improved performance. 

C. Configure the appropriate spoof rules on gateways (internal and external). 

D. Monitor for CRP caches, by using IDS products. 

Answer: AC

Explanation: First you should encrypt the data passed between the parties, in particular the session key. This technique is widely relied upon by web-based banks and other e-commerce services, because it completely prevents sniffing-style attacks. However, it could still be possible to perform some other kind of session hijack. By configuring the appropriate spoof rules you prevent the attacker from using the same IP address as the victim, and thus you can implement a secondary check to see that the IP does not change in the middle of the session. 


Q354. There are two types of honeypots- high and low interaction. Which of these describes a low interaction honeypot? 

Select the best answers. 

A. Emulators of vulnerable programs 

B. More likely to be penetrated 

C. Easier to deploy and maintain 

D. Tend to be used for production 

E. More detectable 

F. Tend to be used for research 

Answer: ACDE

Explanations: 

A low interaction honeypot would have emulators of vulnerable programs, not the real programs. 

A high interaction honeypot is more likely to be penetrated as it is running the real program and is more vulnerable than an emulator. 

Low interaction honeypots are easier to deploy and maintain. Usually you would just use a program that is already available for download and install it. Hackers don't usually crash or destroy these types of programs and it would require little maintenance. 

A low interaction honeypot tends to be used for production. 

Low interaction honeypots are more detectable because you are using emulators of the real programs. Many hackers will see this and realize that they are in a honeypot. 

A low interaction honeypot tends to be used for production. A high interaction honeypot tends to be used for research. 


Q355. You work as security technician at ABC.com. While doing web application testing, you might be required to look through multiple web pages online which can take a long time. Which of the processes listed below would be a more efficient way of doing this type of validation? 

A. Use mget to download all pages locally for further inspection. 

B. Use wget to download all pages locally for further inspection. 

C. Use get* to download all pages locally for further inspection. 

D. Use get() to download all pages locally for further inspection. 

Answer: B

Explanation: Wget is a utility used for mirroring websites. get* doesn’t work, because for the actual FTP command to work there needs to be a space between get and * (i.e. get *). get(); is just bogus; that’s a C function that’s written 100% wrong. mget is a command used from “within” ftp itself, ruling out A. That leaves B, use wget, which is designed for mirroring and downloading files, especially web pages. If used with the -r option (i.e. wget -r www.ABC.com) it could mirror a site, all except protected portions of course. 

Note: GNU Wget is a free network utility to retrieve files from the World Wide Web using HTTP and FTP and can be used to make mirrors of archives and home pages thus enabling work in the background, after having logged off. 



Q356. Which of the following is not considered to be a part of active sniffing? 

A. MAC Flooding 

B. ARP Spoofing 

C. SMAC Fueling 

D. MAC Duplicating 

Answer: C


Q357. How do you defend against ARP spoofing? 

A. Place static ARP entries on servers, workstations and routers 

B. Tune IDS Sensors to look for large amount of ARP traffic on local subnets 

C. Use private VLANS 

D. Use ARPWALL system and block ARP spoofing attacks 

Answer: ABC 

Explanation: ARPWALL is an open-source tool that will give early warning when an ARP attack occurs. 

This tool is still under construction. 


Q358. Michael is the security administrator for the ABC company. Michael has been charged with strengthening the company’s security policies, including its password policies. Due to certain legacy applications, Michael was only able to enforce a password group policy in Active Directory with a minimum of 10 characters. He has informed the company’s employees, however, that the new password policy requires that everyone must have complex passwords with at least 14 characters. Michael wants to ensure that everyone is using complex passwords that meet the new security policy requirements. Michael has just logged on to one of the network’s domain controllers and is about to run the following command: 

What will this command accomplish? 


A. Dumps SAM password hashes to pwd.txt 

B. Password history file is piped to pwd.txt 

C. Dumps Active Directory password hashes to pwd.txt 

D. Internet cache file is piped to pwd.txt 

Answer: A

Explanation: Pwdump is a hack tool that is used to grab Windows password hashes from a remote Windows computer. Pwdump > pwd.txt will redirect the output from pwdump to a text file named pwd.txt 


Q359. Leonard is a systems administrator who has been tasked by his supervisor to slow down or lessen the amount of SPAM their company receives on a regular basis. SPAM being sent to company email addresses has become a large problem within the last year for them. Leonard starts by adding SPAM prevention software at the perimeter of the network. He then builds a black list, white list, turns on MX callbacks, and uses heuristics to stop the incoming SPAM. While these techniques help some, they do not prevent much of the SPAM from coming in. Leonard decides to use a technique where his mail server responds very slowly to outside connected mail servers by using multi-line SMTP responses. By responding slowly to SMTP connections, he hopes that SPAMMERS will see this and move on to easier and faster targets. 

What technique is Leonard trying to employ here to stop SPAM? 

A. To stop SPAM, Leonard is using the technique called Bayesian Content Filtering 

B. Leonard is trying to use the Transparent SMTP Proxy technique to stop incoming SPAM 

C. This technique that Leonard is trying is referred to as using a Sender Policy Framework to aid in SPAM prevention 

D. He is using the technique called teergrubing to delay SMTP responses and hopefully stop SPAM 

Answer: D

Explanation: Teergrubing FAQ 

What does a UBE sender really need? What does he sell? 

A certain amount of sent E-Mails per minute. This product is called Unsolicited Bulk E-Mail. 

How can anyone hit an UBE sender? 

By destroying his working tools. 

What? 

E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources. 

If it is possible to hold a mail connection open (i.e. several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts. 

A teergrube is a modified MTA (mail transport agent) able to do this to specified senders. 

Incorrect answer: 

Sender Policy Framework (SPF) deals with allowing an organization to publish “Authorized” SMTP servers for their organization through DNS records. 


Q360. To what concept does “message repudiation” refer in the realm of email security? 

A. Message repudiation means a user can validate which mail server or servers a message was passed through. 

B. Message repudiation means a user can claim damages for a mail message that damaged their reputation. 

C. Message repudiation means a recipient can be sure that a message was sent from a particular person. 

D. Message repudiation means a recipient can be sure that a message was sent from a certain host. 

E. Message repudiation means a sender can claim they did not actually send a particular message. 

Answer: E

Explanation: A quality that prevents a third party from being able to prove that a communication between two other parties ever took place. This is a desirable quality if you do not want your communications to be traceable. Non-repudiation is the opposite quality—a third party can prove that a communication between two other parties took place. Non-repudiation is desirable if you want to be able to trace your communications and prove that they occurred. Repudiation – Denial of message submission or delivery.