Actualtests provides EC-Council certification exam questions with answers in PDF and Examination Engine formats. After downloading and installing them on your PC, you can practise EC-Council ec0-350 test questions, review your questions and answers, and check your current score. If you run into trouble, consult the EC-Council ec0-350 study guide for help. The distinctive feature is that our EC-Council ec0-350 online test engine creates a nearly real exam environment. Using EC-Council online training is a quick and effective way to prepare for the EC-Council certification exam. You can skip the long EC-Council ec0-350 books and will not need other ec0-350 courses. You can study the EC-Council ec0-350 practice materials at your own pace and in your own fashion because our EC-Council test engine is flexible. The price of the EC-Council certification exam dumps is affordable. We assure you that what you get from Actualtests is more than useful. The EC-Council ec0-350 exam PDF files are extremely convenient in that they are a shortcut for preparing for the ec0-350 certification exam. Our objective is to help customers obtain the EC-Council certification and to keep them satisfied.

2021 Sep ec0-350 free practice exam

Q31. A Company security System Administrator is reviewing the network system log files. He notes the following: 

-Network log files are at 5 MB at 12:00 noon. 

-At 14:00 hours, the log files are at 3 MB. 

What should he assume has happened and what should he do about the situation? 

A. He should contact the attacker’s ISP as soon as possible and have the connection disconnected. 

B. He should log the event as suspicious activity, continue to investigate, and take further steps according to site security policy. 

C. He should log the file size, and archive the information, because the router crashed. 

D. He should run a file system check, because the Syslog server has a self correcting file system problem. 

E. He should disconnect from the Internet to discontinue any further unauthorized use, because an attack has taken place. 

Answer: B

Explanation: You should never assume a host has been compromised without verification. Typically, disconnecting a server is an extreme measure and should only be done when it is confirmed there is a compromise or the server contains such sensitive data that the loss of service outweighs the risk. Never assume that any administrator or automatic process is making changes to a system. Always investigate the root cause of the change on the system and follow your organization's security policy. 


Q32. Jake works as a system administrator at Acme Corp. Jason, an accountant of the firm, befriends him at the canteen and tags along with him on the pretext of apprising him about potential tax benefits. Jason waits for Jake to swipe his access card and follows him through the open door into the secure systems area. How would you describe Jason's behavior within a security context? 

A. Trailing 

B. Tailgating 

C. Swipe Gating 

D. Smooth Talking 

Answer: B

Explanation: Tailgating, in which an unauthorized person follows someone with a pass into an office, is a very simple social engineering attack. The intruder opens the door, which the authorized user walks through, and then engages them in conversation about the weather or weekend sport while they walk past the reception area together. 


Q33. Name two software tools used for OS guessing. (Choose two.) 

A. Nmap 

B. Snadboy 

C. Queso 

D. UserInfo 

E. NetBus 

Answer: AC

Explanation: Nmap and Queso are the two best-known OS guessing programs. OS guessing software has the ability to look at peculiarities in the way that each vendor implements the RFCs. These differences are compared with its database of known OS fingerprints. Then a best guess of the OS is provided to the user. 


Q34. You suspect that your Windows machine has been compromised with a Trojan virus. When you run anti-virus software, it does not pick up the Trojan. Next you run the netstat command to look for open ports and you notice a strange port 6666 open. 

What is the next step you would do? 

A. Re-install the operating system. 

B. Re-run anti-virus software. 

C. Install and run Trojan removal software. 

D. Run utility fport and look for the application executable that listens on port 6666. 

Answer: D

Explanation: Fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications. 


Q35. You are writing an antivirus bypassing Trojan using C++ code wrapped into chess.c to create an executable file chess.exe. This Trojan when executed on the victim machine, scans the entire system (c:\) for data with the following text “Credit Card” and “password”. It then zips all the scanned files and sends an email to a predefined hotmail address. 

You want to make this Trojan persistent so that it survives computer reboots. To which registry entry will you add a key to make it persistent? 

A. HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\RunServices 

B. HKEY_LOCAL_USER\SOFTWARE\MICROSOFT\Windows\CurrentVersion\RunServices 

C. HKEY_LOCAL_SYSTEM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\RunServices 

D. HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CurrentVersion\RunServices 

Answer: A 

Explanation: HKEY_LOCAL_MACHINE would be the natural place for a registry entry that starts services when the MACHINE is rebooted. 


Topic 7, Sniffers 

248. Exhibit: 

ettercap -NCLzs --quiet 

What does the command in the exhibit do in “Ettercap”? 

A. This command will provide you the entire list of hosts in the LAN 

B. This command will check if someone is poisoning you and will report its IP. 

C. This command will detach from console and log all the collected passwords from the network to a file. 

D. This command broadcasts ping to scan the LAN instead of ARP request of all the subnet IPs. 

Answer: C

Explanation: 

-N = NON interactive mode (without ncurses) 

-C = collect all users and passwords 

-L = if used with -C (collector) it creates a file with all the passwords sniffed in the session in the form "YYYYMMDD-collected-pass.log" 

-z = start in silent mode (no arp storm on start up) 

-s = IP BASED sniffing 

--quiet = "daemonize" ettercap. Useful if you want to log all data in background. 


Q36. What is the command used to create a binary log file using tcpdump? 

A. tcpdump -r log 

B. tcpdump -w ./log 

C. tcpdump -vde -r log 

D. tcpdump -l /var/log/ 

Answer: B

Explanation: tcpdump [ -adeflnNOpqStvx ] [ -c count ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ expression ] 

-w Write the raw packets to file rather than parsing and printing them out. 


Q37. Which of these are phases of a reverse social engineering attack? 

Select the best answers. 

A. Sabotage 

B. Assisting 

C. Deceiving 

D. Advertising 

E. Manipulating 

Answer: ABD

Explanations: 

According to "Methods of Hacking: Social Engineering", by Rick Nelson, the three phases of reverse social engineering attacks are sabotage, advertising, and assisting. 


Q38. Exhibit 


Joe Hacker runs the hping2 hacking tool to predict the target host’s sequence numbers in one of his hacking sessions. 

What do the first and second columns mean? Select two. 

A. The first column reports the sequence number 

B. The second column reports the difference between the current and last sequence number 

C. The second column reports the next sequence number 

D. The first column reports the difference between current and last sequence number 

Answer: AB


Q39. Which of the following nmap commands in Linux produces the above output? 


A. sudo nmap -sP 192.168.0.1/24 

B. root nmap -sA 192.168.0.1/24 

C. run nmap -TX 192.168.0.1/24 

D. launch nmap -PP 192.168.0.1/24 

Answer: A

Explanation: This is an output from a ping scan. The option -sP will give you a ping scan of the 192.168.0.1/24 network. 


Topic 4, Enumeration 

129. Sandra has been actively scanning the client network on which she is doing a vulnerability assessment test. While conducting a port scan she notices open ports in the range of 135 to 139. What protocol is most likely to be listening on those ports? 

A. Finger 

B. FTP 

C. Samba 

D. SMB 

Answer: D

Explanation: The SMB (Server Message Block) protocol is used among other things for file sharing in Windows NT / 2000. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NBT. For this they use TCP port 445. 


Q40. LAN Manager passwords are concatenated to 14 bytes and split in half. The two halves are hashed individually. If the password is 7 characters or less, then the second half of the hash is always: 

A. 0xAAD3B435B51404EE 

B. 0xAAD3B435B51404AA 

C. 0xAAD3B435B51404BB 

D. 0xAAD3B435B51404CC 

Answer: A

Explanation: A problem with LM stems from the total lack of salting or cipher block chaining in the hashing process. To hash a password, the first 7 bytes of it are transformed into an 8-byte odd-parity DES key. This key is used to encrypt the 8-byte string "KGS!@#$%". The same thing happens with the second part of the password. This lack of salting creates two interesting consequences. Obviously this means the password is always stored in the same way, and just begs for a typical lookup table attack. The other consequence is that it is easy to tell if a password is bigger than 7 bytes in size. If not, the last 7 bytes will all be null and will result in a constant DES hash of 0xAAD3B435B51404EE.